Cisco ASA 9.18.4.24: Don't install it !!! It's buggy !!!

Bernd Nies
Level 1

Hi,

Last week we upgraded from ASA 9.18.4.22 to 9.18.4.24 running on Firepower 2120 because the firewall reboots occasionally since we upgraded from 9.18.3.56 due to VPN DDoS attacks.

ASA 9.18.4.24 introduces a new bug that kept me up all night to fix it: at boot time it deletes all object-groups plus the associated access-lists and NAT rules.

According to Cisco TAC it is this bug from 2023 that came back in the latest suggested release.

However, in our case we have not enabled ACL optimization in any of our ASA contexts:

# show running-config object-group-search
no object-group-search access-control

Is it just me that gets the impression that ASA software quality decreases from release to release? Not even the "suggested" tag in the download portal can be trusted anymore.

Regards,

Bernd

17 Replies
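The symptom described in the opening post (object-groups and the ACL and NAT lines that depend on them gone after a reboot) is the kind of thing worth checking mechanically right after an upgrade rather than discovering by hand in ASDM. The script below is an added example, not code from the poster or from Cisco: it diffs a pre-upgrade backup of `show running-config` against the config read back after the reboot and reports lost object-groups, lost access-list and nat lines, and any surviving line that still references a group that no longer exists. Both config texts are constructed samples; only top-level `object-group`, `access-list` and `nat` statements are parsed, and object NAT nested under `object network` is out of scope.

```python
"""Detect object-groups, ACL entries and NAT rules that vanished from an ASA
running-config after a reboot, by diffing a pre-upgrade backup against the
current 'show running-config' output. Added example, not Cisco's tooling."""
import re

# Constructed sample: a backup taken before the upgrade (not a real config).
BEFORE = """\
object-group network DMZ-SERVERS
 network-object host 192.0.2.10
 network-object 192.0.2.0 255.255.255.0
object-group service WEB-PORTS tcp
 port-object eq www
 port-object eq https
access-list OUTSIDE_IN extended permit tcp any object-group DMZ-SERVERS object-group WEB-PORTS
access-list OUTSIDE_IN extended deny ip any any log
nat (inside,outside) source dynamic any interface
nat (dmz,outside) source static DMZ-SERVERS DMZ-SERVERS
access-group OUTSIDE_IN in interface outside
"""

# Constructed sample: what the box shows after the reboot described in the
# thread, with the object-groups and every line depending on them gone.
AFTER = """\
access-list OUTSIDE_IN extended deny ip any any log
nat (inside,outside) source dynamic any interface
access-group OUTSIDE_IN in interface outside
"""

# "object-group <type> <name> [protocol]" header line
OG_HEADER = re.compile(r"^object-group (\S+) (\S+)")


def parse_asa_config(text):
    """Extract the config parts the thread reports as lost at boot.

    Only top-level object-group blocks, access-list lines and nat lines are
    collected; object NAT nested under 'object network' is not covered."""
    groups = {}   # group name -> list of member lines (stripped)
    acls = []     # every top-level access-list line, verbatim
    nat = []      # every top-level nat line, verbatim
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                groups[current].append(raw.strip())  # member of open group
            continue                                 # other nested line: ignore
        current = None
        m = OG_HEADER.match(raw)
        if m:
            current = m.group(2)
            groups[current] = []
        elif raw.startswith("access-list "):
            acls.append(raw.strip())
        elif raw.startswith("nat "):
            nat.append(raw.strip())
    return {"object_groups": groups, "acls": acls, "nat": nat}


def diff_configs(before_text, after_text):
    """Report what the backup has that the running config lacks, plus any
    surviving ACL/NAT line that still names a group that was lost."""
    before = parse_asa_config(before_text)
    after = parse_asa_config(after_text)
    missing_groups = sorted(set(before["object_groups"]) - set(after["object_groups"]))
    missing_acls = [line for line in before["acls"] if line not in after["acls"]]
    missing_nat = [line for line in before["nat"] if line not in after["nat"]]
    # Dangling references: a line that survived but points at a deleted group.
    dangling = [line for line in after["acls"] + after["nat"]
                if any(tok in missing_groups for tok in line.split())]
    return {"missing_object_groups": missing_groups,
            "missing_acls": missing_acls,
            "missing_nat": missing_nat,
            "dangling_references": dangling}


if __name__ == "__main__":
    report = diff_configs(BEFORE, AFTER)
    for key, items in report.items():
        print(f"{key}: {len(items)}")
        for item in items:
            print("   ", item)
```

In practice you would feed it the saved backup and the output of `show running-config` captured over SSH after the reboot, and run it per context on a multi-context box; a non-empty report is the signal to restore from backup before the next failover.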

Hi Marvin,

Just updated the standby box to .29, unfortunately the problem is still there. The configuration is not complete on the standby box - objects, ACL, NAT rules are missing - checked with CLI and ASDM.

Regards

Bernd Nies
Level 1

Maybe we should create a dedicated thread for every ASA minor and interim release where everybody could post their experience. Each release is like a surprise egg. On our ASA 5516-X it usually ran fine, but same ASA version on Firepower 2120 usually had a surprise. I have the impression that multicontext setup with active contexts on primary and secondary device for load sharing causes additional issues.

Well, A/A HA is rare nowadays, and I've never seen A/A HA with VPN in my whole life. Fewer customers means fewer testers and hence more bugs. From my experience clustering is much more stable than failover, because decades have passed between developments, so failover lessons were learnt, and multicontext works just fine there. For VPN another single-mode box can be used or a single-mode load-balancing cluster. This leads to less painful upgrades when a new VPN PSIRT comes out, not touching other boxes.

In my opinion the problem is not bugs themselves, but rather the way they are documented. The Bug Toolkit is completely broken and doesn't match the internal Cisco bug tool. E.g. the "known fixed version" in it is not really the version where the bug was fixed. Needless to say that bug descriptions are almost always useless.
