Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1049
Views
0
Helpful
1
Replies

8.4(2) avoid! Is there a stable release?

walter.holm
Level 1
Level 1

‎09-01-2011 05:51 AM - edited ‎03-11-2019 02:19 PM

1. During the upgrade, it modifies by nat statements by putting in no-proxy-arp's where I don't have unidirectional stated.  This causes me to reprogram the many firewalls I have...again (I get it that upgrading to 8.3(2) did the unidirectional because it did not exist, but now that you are going from 8.3(2) and above, please don't add this if I have 8.3(2) and above)

2. Site-to-Site routing no longer works.  It's not routing packets between tunnels or from the tunnel to the inside interface on the device.  Same thing for Remote VPN connected users (I am using AnyConnect SSL); 8.4(1) works

3. DHCPD has major issues. It will continously cycle through it's pool of addresses and creates IP conflicts on the network.  This doesn't always happen right away after an upgrade, but once it starts happening, no matter how many reboots or tweaks to DHCPD you make, nothing works.

Downgrade to 8.4(1) is straight forward but I have been expirencing other odd issues dealing with DNS lookups for the site-to-site IPSEC locations.  They seem to timeout or fail to the next DNS server and the way I have the DNS servers set, it looks home first then public second (in case there is a tunnel disconnect, they will still have Internet).  8.3(2) seemed the most stable for me.

Other expirences?  What are the most stable releases others have expirenced?

Labels:
0 Helpful
1 Reply 1

mirober2
Cisco Employee
Cisco Employee

‎09-03-2011 01:54 PM

Hi Walter,

For issue #1: This is expected behavior and is documented in the release notes for 8.4(2) here (search in page for "proxy arp":

http://www.cisco.com/en/US/docs/security/asa/asa84/release/notes/asarn84.html#wp535067

For issue #2: This is caused by the following bug and is fixed in 8.4.2.5 and higher:

CSCtr16184 - To-the-box traffic fails from hosts over vpn after upgrade to 8.4.2

For issue #3: If you have DDNS updates enabled as part of the DHCPD functionality, this may be caused by CSCtg06320 - DHCP ACK not sent by the firewall. However, you could open a TAC case to have this investigated further.

The most stable 8.4 release is currently 8.4.2.8 and is available on cisco.com. This release contains all of the current bug fixes that are available. As always, it is a good idea to review the release notes prior to upgrading to check the list of open caveats.

Hope that helps.

-Mike

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card