
CSCuy28710 - DOC ARP source IP sanity check against proxy-arp list

So now Cisco calls a software regression a "documentation bug". It's quite a coincidence that all the versions affected by this behavior are the ones where CVE-2016-1287 is fixed.

Any ideas on how to configure proxy-arp on an interface then?

Has anyone tested 9.3(3.7) or 9.5(2.2) to see if they are also affected?


I agree that it's a shame

I agree that it's a shame that Cisco can't admit this is a bug rather than a feature enhancement. It would also greatly help if the bug details could clarify if this is the new expected behavior for future software releases from 9.1 going forward or if this behavior is temporary and will be reverted to the "old" interpretation in future releases.


We also had some serious

We also had some serious issues with this after an upgrade from 9.1(6) to 9.1(7).

After opening a case last week, I received an update today that there is an interim software release in which only the IKE vulnerability is fixed and no other "features" were added.

Release notes can be found here: http://www.cisco.com/web/software/280775065/123352/ASA-916-Interim-Release-Notes.html

I've also asked the engineer to clarify if this is just a bug or expected behaviour in this and future releases. I'll keep you posted if I get an update on this.


Ditto for us, and not just 9

Ditto for us, and not just 9.1(6) to 9.1(7) but 8.3 to 8.4(7)30 also.

You wouldn't believe the amount of new expletives that were made up last week.


So it seems like this is the

So it seems like this is the expected behaviour for all the new releases:

In the old releases and in certain conditions, ASA doesn't check the source of the ARP request; please see the following software bug:

https://tools.cisco.com/bugsearch/bug/CSCuc11186/

This issue is fixed in the new releases, and the resolution of this defect introduces a change in the ASA behavior, which most probably is the reason for our issue in this case. You can avoid this behavior in 9.1.7 by modifying the NAT statements, especially with (any) keyword.

Also, as I mentioned earlier, our development team, in order to make things easier for the customer, has implemented the fix for the vulnerability in 9.1.6.11, which was released yesterday, and kept the same old behavior regarding proxy ARP.
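The two NAT forms the reply above contrasts, as an added configuration example that is not from the thread or from Cisco; the object name and the RFC 5737 / RFC 1918 addresses are constructed, and treating the explicit egress interface as the adjustment for the (any) form is an assumption drawn from the reply, not something the thread confirms:

```cisco
! Constructed example, not from the thread. Addresses are documentation ranges.
!
! Form the reply associates with the changed behaviour: the mapped side is
! "any", so the proxy-ARP entry for 203.0.113.10 is not bound to a single
! interface, and the new ARP source-IP sanity check is reported to stop the
! ASA answering for it.
object network WEB-SERVER
 host 192.168.1.10
 nat (inside,any) static 203.0.113.10

! Assumed adjustment (not confirmed by the thread): bind the mapped side to
! the interface that owns the 203.0.113.0/24 subnet instead of "any", so the
! proxy-ARP entry belongs to that interface alone.
object network WEB-SERVER
 host 192.168.1.10
 no nat (inside,any) static 203.0.113.10
 nat (inside,outside) static 203.0.113.10

! Confirm which translation is active before and after the change.
show nat detail
```

After the change, a host on the 203.0.113.0/24 segment should again receive an ARP reply for 203.0.113.10 from the ASA's outside interface; if it does not, the behaviour is not caused by the "any" keyword alone.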


They've just updated the bug

They've just updated the bug report and the bug is supposed to be fixed in 9.1(7.2) and 9.4(2.7).

I'll test them whenever they become available for download.

Source: https://tools.cisco.com/bugsearch/bug/CSCuy28710


Sounds interesting.

Sounds interesting.

Could you give us an update whenever you were able to test this?

Thanks!


Those versions are not

Those versions are not available for download yet.


We upgraded to 9.1(7)4, and

We upgraded to 9.1(7)4, and it's working fine for us.


I appear to have this issue

I appear to have this issue with 9.6(2)3 on an ASA 5525-X. Is this a permanent feature or enhancement? Where is the beef, so to speak? Anyone know?


Re: I appear to have this issue

Any feedback or workarounds for this bug? Can I re-IP the ARP interface to another subnet to get around the issue?