...
After a software upgrade on the Adaptive Security Appliance (ASA), SSH and SNMP connections to the non-admin contexts fail. Interface packet captures show only packets in the ingress direction, with no response from the firewall:

    # show capture
    capture CAPI type raw-data trace interface inside [Capturing - 540 bytes]
      match tcp any any
      match udp any any
    capture NLPCAP type raw-data interface nlp_int_tap [Capturing - 1508 bytes]

    # show cap CAPI
    7 packets captured
    1: 17:55:43.202199 192.0.2.1.45918 > 192.0.2.2.22: S 2476878983:2476878983(0) win 64240
    2: 17:55:44.232135 192.0.2.1.45918 > 192.0.2.2.22: S 2476878983:2476878983(0) win 64240
    3: 17:55:46.248125 192.0.2.1.45918 > 192.0.2.2.22: S 2476878983:2476878983(0) win 64240
    4: 17:55:50.344159 192.0.2.1.45918 > 192.0.2.2.22: S 2476878983:2476878983(0) win 64240 <mss 1460,sackOK,timestamp 1888533499 0,nop,wscal

Data interface packet capture traces show that the packets are allowed and sent out via the internal egress interface nlp_int_tap:

    # show cap CAPI trace
    4 packets captured
    1: 17:55:43.202199 192.0.2.1.45918 > 192.0.2.2.22: S 2476878983:2476878983(0) win 64240
    Phase: 1
    Type: CAPTURE
    Subtype:
    Result: ALLOW
    Elapsed time: 12544 ns
    Config:
    Additional Information:
    MAC Access list

    Phase: 2
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Elapsed time: 12544 ns
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list

    Phase: 3
    Type: UN-NAT
    Subtype: static
    Result: ALLOW
    Elapsed time: 19456 ns
    Config:
    nat (nlp_int_tap,inside) source static nlp_server__ssh_0.0.0.0_intf131075 interface destination static 2_0.0.0.0_4 2_0.0.0.0_4
    Additional Information:
    NAT divert to egress interface nlp_int_tap
    Untranslate 192.0.2.2/22 to 169.254.2.3/4122

    Phase: 4
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Elapsed time: 6348 ns
    Config:
    Implicit Rule
    Additional Information:

    Phase: 5
    Type: CONN-SETTINGS
    Subtype:
    Result: ALLOW
    Elapsed time: 6348 ns
    Config:
    Additional Information:

    Phase: 6
    Type: NAT
    Subtype:
    Result: ALLOW
    Elapsed time: 6348 ns
    Config:
    nat (nlp_int_tap,inside) source static nlp_server__ssh_0.0.0.0_intf131075 interface destination static 2_0.0.0.0_4 2_0.0.0.0_4
    Additional Information:
    Static translate 192.0.2.1/45918 to 192.0.2.1/45918

    Phase: 7
    Type: NAT
    Subtype: per-session
    Result: ALLOW
    Elapsed time: 6348 ns
    Config:
    Additional Information:

    Phase: 8
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Elapsed time: 6348 ns
    Config:
    Additional Information:

    Phase: 9
    Type: NAT
    Subtype: rpf-check
    Result: ALLOW
    Elapsed time: 47616 ns
    Config:
    nat (nlp_int_tap,inside) source static nlp_server__ssh_0.0.0.0_intf131075 interface destination static 2_0.0.0.0_4 2_0.0.0.0_4
    Additional Information:

    Phase: 10
    Type: NAT
    Subtype: per-session
    Result: ALLOW
    Elapsed time: 24064 ns
    Config:
    Additional Information:

    Phase: 11
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Elapsed time: 25088 ns
    Config:
    Additional Information:
    New flow created with id 37, packet dispatched to next module

    Phase: 12
    Type: INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
    Subtype: Resolve Preferred Egress interface
    Result: ALLOW
    Elapsed time: 23040 ns
    Config:
    Additional Information:
    Found next-hop 169.254.2.3 using egress ifc nlp_int_tap

    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: nlp_int_tap
    output-status: up
    output-line-status: up
    Action: allow
    Time Taken: 196092 ns

The nlp_int_tap interface packet capture shows ARP requests for the internal IP address (the next hop 169.254.2.3 found above), but no ARP replies:

    # show cap NLPCAP
    12 packets captured
    1: 17:55:43.202534 arp who-has 169.254.2.3 tell 169.254.2.1
    2: 17:55:43.202610 arp who-has 169.254.2.3 tell 169.254.2.1
    3: 17:55:44.511143 arp who-has 169.254.2.3 tell 169.254.2.1
    4: 17:55:44.511204 arp who-has 169.254.2.3 tell 169.254.2.1
    5: 17:55:45.511127 arp who-has 169.254.2.3 tell 169.254.2.1
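The two capture signatures above (management SYNs that never see a reverse-direction packet, and ARP requests on nlp_int_tap that never get a reply) can be checked mechanically. The following helper is an added example, not code from the page or from Cisco; it parses lines in the ASA show capture format shown above, and it assumes a tcpdump-style arp reply line (arp reply A is-at M), which the page does not show.

```python
import re
from collections import Counter
# Sample input: the page's four capture lines plus two constructed lines (SYN and SYN-ACK on 443) for contrast.
CAPI = """\
1: 17:55:43.202199 192.0.2.1.45918 > 192.0.2.2.22: S 2476878983:2476878983(0) win 64240
2: 17:55:44.232135 192.0.2.1.45918 > 192.0.2.2.22: S 2476878983:2476878983(0) win 64240
3: 17:55:46.248125 192.0.2.1.45918 > 192.0.2.2.22: S 2476878983:2476878983(0) win 64240
4: 17:55:50.344159 192.0.2.1.45918 > 192.0.2.2.22: S 2476878983:2476878983(0) win 64240
5: 17:55:51.000000 192.0.2.1.50000 > 192.0.2.2.443: S 1:1(0) win 64240
6: 17:55:51.000100 192.0.2.2.443 > 192.0.2.1.50000: S 9:9(0) ack 2 win 29200
"""
# Sample nlp_int_tap capture: three of the page's ARP requests, none answered.
NLPCAP = """\
1: 17:55:43.202534 arp who-has 169.254.2.3 tell 169.254.2.1
2: 17:55:43.202610 arp who-has 169.254.2.3 tell 169.254.2.1
3: 17:55:44.511143 arp who-has 169.254.2.3 tell 169.254.2.1
"""

TCP_RE = re.compile(r"^\s*\d+:\s+\S+\s+([\d.]+)\.(\d+)\s+>\s+([\d.]+)\.(\d+):\s+(\S+)")
ARP_REQ_RE = re.compile(r"arp who-has (\S+) tell (\S+)")
ARP_REPLY_RE = re.compile(r"arp reply (\S+) is-at")  # assumed tcpdump-style reply format

def unanswered_syns(capture: str) -> dict:
    """{(client, server, port): syn_count} for flows whose SYNs never saw a reverse packet."""
    syns, replied = Counter(), set()
    for line in capture.splitlines():
        if not (m := TCP_RE.match(line)):
            continue
        src, sport, dst, dport, flags = m.groups()
        if flags.startswith("S") and " ack " not in line:   # pure SYN from the client
            syns[(src, dst, int(dport))] += 1
        else:                                               # any other packet answers the reverse flow
            replied.add((dst, src, int(sport)))
    return {k: n for k, n in syns.items() if k not in replied}

def unanswered_arp(capture: str) -> dict:
    """{target_ip: request_count} for ARP requests that were never answered."""
    asked, answered = Counter(), set()
    for line in capture.splitlines():
        if m := ARP_REQ_RE.search(line):
            asked[m.group(1)] += 1
        elif m := ARP_REPLY_RE.search(line):
            answered.add(m.group(1))
    return {ip: n for ip, n in asked.items() if ip not in answered}

def diagnose(data_cap: str, nlp_cap: str) -> dict:
    """Flag the page's pattern: unanswered data-side SYNs together with a silent nlp_int_tap next hop."""
    syn, arp = unanswered_syns(data_cap), unanswered_arp(nlp_cap)
    return {"unanswered_syn": syn, "unanswered_arp": arp, "nlp_next_hop_silent": bool(syn and arp)}
```

Run diagnose() on the text of show cap CAPI and show cap NLPCAP taken from the affected context; a populated unanswered_syn map alone only says the client got no reply, while the combination with an unanswered ARP for the next hop is what matches the symptom described here.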
First seen after a software upgrade from ASA version 9.14.4.x in multi-context mode, with an active SSH or SNMP configuration in non-admin contexts. Other software versions may also be affected. This issue does not apply to FPR4100 running 9.18.x.
SSH only: if the admin context is still reachable, connect to it over SSH and change to the user contexts from there.