02-15-2016 02:54 AM - edited 03-20-2019 08:51 PM
So now Cisco calls a software regression a "documentation bug". It's quite a coincidence that all the versions affected by this behavior are the ones where CVE-2016-1287 is fixed.
Any ideas on how to configure proxy-arp on an interface then?
Has anyone tested 9.3(3.7) or 9.5(2.2) to see if they are also affected?
02-16-2016 11:42 PM
I agree that it's a shame that Cisco can't admit this is a bug rather than a feature enhancement. It would also greatly help if the bug details could clarify if this is the new expected behavior for future software releases from 9.1 going forward or if this behavior is temporary and will be reverted to the "old" interpretation in future releases.
02-17-2016 03:24 AM
We also had some serious issues with this after an upgrade from 9.1(6) to 9.1(7).
After opening a case last week, I received an update today that there is an interim software release in which only the IKE vulnerability is fixed and no other "features" were added.
Release notes can be found here: http://www.cisco.com/web/software/280775065/123352/ASA-916-Interim-Release-Notes.html
I've also asked the engineer to clarify if this is just a bug or expected behaviour in this and future releases. I'll keep you posted if I got an update on this.
02-17-2016 06:58 AM
Ditto for us, and not just 9.1(6) to 9.1(7) but 8.3 to 8.4(7)30 also.
You wouldn't believe the amount of new expletives that were made up last week.
02-17-2016 11:45 PM
So it seems like this is the expected behaviour for all the new releases:
In the old releases and in certain conditions, ASA doesn't check the source of the ARP request, please find the following software bug:
https://tools.cisco.com/bugsearch/bug/CSCuc11186/
This issue is fixed in the new releases, and the resolution of this defect introduces a change in the ASA behavior, which most probably is the reason for our issue in this case. You can avoid this behavior in 9.1.7 by modifying the NAT statements, especially with (any) keyword.
Also, as I mentioned earlier, our development team, in order to make things easier for the customer, has implemented the fix for the vulnerability in 9.1.6.11, which was released yesterday, and kept the same old behavior regarding proxy ARP.
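To make the TAC hint above about the (any) keyword concrete, here is an added ASA NAT configuration example; it is not from the original post or from Cisco's bug write-up. The object names, addresses (RFC 5737 documentation space) and interface names are assumptions for illustration. The first rule leaves the mapped interface as `any`, so there is no single interface on which the ASA is expected to answer ARP for the mapped address; the second rule pins the real and mapped interfaces, and the optional `no-proxy-arp` keyword turns proxy ARP off for that mapped address entirely if an upstream router already routes the prefix to the ASA.

```text
! Constructed example, not the original poster's configuration.
object network SRV_INSIDE
 host 10.1.1.10
object network SRV_PUBLIC
 host 203.0.113.10
!
! Before: mapped interface left as "any". The mapped address is not tied to
! one interface, so proxy-ARP behavior depends on how the release
! interprets incoming ARP requests (the change discussed in this thread).
nat (inside,any) source static SRV_INSIDE SRV_PUBLIC
!
! After: pin the real and mapped interfaces so the ASA only proxy-ARPs
! for 203.0.113.10 on "outside".
no nat (inside,any) source static SRV_INSIDE SRV_PUBLIC
nat (inside,outside) source static SRV_INSIDE SRV_PUBLIC
!
! Alternative when the upstream router has a route for 203.0.113.0/24
! pointing at the ASA's outside address: disable proxy ARP for this
! mapped address altogether, so no ARP reply is sent on any interface.
! nat (inside,outside) source static SRV_INSIDE SRV_PUBLIC no-proxy-arp
!
! Checks after the change:
!   show nat detail          - confirm the rule is on the intended interfaces
!   show arp                 - confirm the mapped address is not learned/answered
!                              on the wrong interface
!   debug arp                - watch which interface the ARP replies leave on
!                              (use briefly; noisy on busy segments)
```

The checks are the ones to run while reproducing the issue on an upgraded box: if `show arp` on an interface other than `outside` shows the mapped address, or `debug arp` shows replies for it on the wrong segment, the rule is still eligible for proxy ARP there.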
02-18-2016 06:49 AM
They've just updated the bug report and the bug is supposed to be fixed in 9.1(7.2) and 9.4(2.7).
I'll test them whenever they become available for download.
02-18-2016 11:55 PM
Sounds interesting.
Could you give us an update whenever you were able to test this?
Thanks!
02-19-2016 06:15 AM
Those versions are not available for download yet.
02-23-2016 05:48 AM
We upgraded to 9.1(7)4, and it's working fine for us.
08-17-2017 09:27 AM
I appear to have this issue with 9.6(2)3 on an ASA 5525-X. Is this a permanent feature or enhancement? Where is the beef, so to speak? Anyone know?
10-10-2017 07:07 AM
Any feedback or workarounds to this bug? Can I re-IP the ARP interface to another subnet to get around the issue?