Cisco Firepower 4100/9300 FXOS Release Notes, 2.10(1)
This document contains release information for Cisco Firepower eXtensible Operating System (FXOS) 2.10(1).
Use these Release Notes as a supplement with the other documents listed in the documentation roadmap:
 Note |
The online versions of the user documentation are occasionally updated after the initial release. As a result, the information contained in the documentation on Cisco.com supersedes any information contained in the context-sensitive help included with the product. |
Introduction
The Cisco security appliance is a next-generation platform for network and content security solutions. The security appliance is part of the Cisco Application Centric Infrastructure (ACI) Security Solution and provides an agile, open, secure platform that is built for scalability, consistent control, and simplified management.
The security appliance provides the following features:
-
Modular chassis-based security system—Provides high performance, flexible input/output configurations, and scalability.
-
Firepower Chassis Manager—Graphical user interface provides a streamlined, visual representation of the current chassis status and allows for simplified configuration of chassis features.
-
FXOS CLI—Provides command-based interface for configuring features, monitoring chassis status, and accessing advanced troubleshooting features.
-
FXOS REST API—Allows users to programmatically configure and manage their chassis.
What's New
Cisco FXOS 2.10.1 introduces the following:
New Features in FXOS 2.10.1.312
Fixes for various problems (see Resolved bugs in FXOS 2.10.1.312).
New Features in FXOS 2.10.1.271
Fixes for various problems (see Resolved Bugs in FXOS 2.10.1.271).
New Features in FXOS 2.10.1.245
Fixes for various problems (see Resolved Bugs in FXOS 2.10.1.245).
New Features in FXOS 2.10.1.234
Fixes for various problems (see Resolved Bugs in FXOS 2.10.1.234).New Features in FXOS 2.10.1.207
Fixes for various problems (see Resolved Bugs in FXOS 2.10.1.207).New Features in FXOS 2.10.1.179
Fixes for various problems (see Resolved Bugs in FXOS 2.10.1.179).New Features in FXOS 2.10.1.166
Fixes for various problems (see Resolved Bugs in FXOS 2.10.1.166).New Features in FXOS 2.10.1.159
Fixes for various problems (see Resolved Bugs in FXOS 2.10.1.159).New Features in FXOS 2.10.1.159
Cisco FXOS 2.10.1.159 has no new features:
Software Download
You can download software images for FXOS and supported applications from one of the following URLs:
-
Firepower 9300 — https://software.cisco.com/download/type.html?mdfid=286287252
-
Firepower 4100 — https://software.cisco.com/download/navigator.html?mdfid=286305164
For information about the applications that are supported on a specific version of FXOS, see the Cisco FXOS Compatibility guide at this URL:
https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/compatibility/fxos-compatibility.html
Important Notes
-
In FXOS 2.4(1) or later, if you are using an IPSec secure channel in FIPS mode, the IPSec peer entity must support RFC 7427.
-
For Firepower 4110, after upgrading FXOS from 2.3. to 2.10, the follwing error message appears during the start up of the upgraded version:
2023 May 9 17:28:38 fp4100 %$ VDC-1 %$ %FPRM-2-ERROR: IOAdaptorAbsent aInSwId = 1, aInChId = 1, aInSlot = 1, aInId = 2
This is an expected behaviour as the Firepower 4110 model has only one adapter and the error message appears only to report the availability of one adapter. You can ignore the error message.
-
When you configure Radware DefensePro (vDP) in a service chain on a currently running Firepower Threat Defense application on a Firepower 4110 or 4120 device, the installation fails with a fault alarm. As a workaround, stop the Firepower Threat Defense application instance before installing the Radware DefensePro application.
Note
This issue and workaround apply to all supported releases of Radware DefensePro service chaining with Firepower Threat Defense on Firepower 4110 and 4120 devices.
-
Firmware Upgrade—We recommend you to proactively upgrade your Firepower 4100/9300 security appliance firmware in order to prevent the occurrence of the following issues:
-
If you upgrade FXOS to 2.10 with a firmware version lower than 1.0.18, you will receive a warning message saying
FPGA version lower than 2.00 is detected. A critical upgrade from the firmware bundle version 1.0.18 or above is required. -
After 3.2 years of service, M500IT model solid state drives on Firepower 4100/9300 may become unresponsive. The SSD internal to the Firepower 9300 Supervisor module and Firepower 4100 Series security appliances will no longer react after about 3.2 years of cumulative operation due to a defect in SSD firmware. For more information, see FN - 72077.
-
If your firmware version is lower than 1.0.17, a vulnerability in field-programmable gate array (FPGA) ingress buffer management for the Cisco Firepower 9000 Series with the Cisco Firepower 2-port 100G double-width network module (PID: FPR9K-DNM-2X100G) could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition.
For information about firmware upgrade process, downtime involved, and fixes in each update, see the Cisco Firepower 4100/9300 FXOS Firmware Upgrade Guide.
-
-
When you upgrade a network or security module, certain faults are generated and then cleared automatically. These include a “hot swap not supported” fault or a “module removed when in online state” fault. If you have followed the appropriate procedures, as described in the Cisco Firepower 9300 Hardware Installation Guide or Cisco Firepower 4100 Series Hardware Installation Guide, the fault(s) are cleared automatically and no additional action is required.
System Requirements
-
You can access the Firepower Chassis Manager using the following browsers:
-
Mozilla Firefox—Version 42 and later
-
Google Chrome—Version 47 and later
-
Microsoft Internet Explorer—Version 11 and later
We tested FXOS 2.10(1) using Mozilla Firefox version 42, Google Chrome version 47, and Internet Explorer version 11. Other versions of these browsers are expected to work. However, if you experience any browser-related issues, we suggest you use one of the tested versions.
-
Upgrade Instructions
FXOS upgrade—You can upgrade your Firepower 9300 or Firepower 4100 series security appliance directly to FXOS 2.10(1) if it is currently running FXOS version 2.2(2) or later. Before you upgrade your Firepower 9300 or Firepower 4100 series security appliance to FXOS 2.10(1), first upgrade to FXOS 2.2(2), or verify that you are currently running FXOS 2.2(2).
For instructions, see the Cisco Firepower 4100/9300 Upgrade Guide.
Installation Notes
-
An upgrade to FXOS 2.10(1) can take up to 45 minutes. Plan your upgrade activity accordingly.
-
If you are upgrading a Firepower 9300 or Firepower 4100 series security appliance that is running a standalone logical device or if you are upgrading a Firepower 9300 security appliance that is running an intra-chassis cluster, traffic does not traverse through the device while it is upgrading.
-
If you are upgrading a Firepower 9300 or a Firepower 4100 series security appliance that is part of an inter-chassis cluster, traffic does not traverse through the device being upgraded while it is upgrading. However, the other devices in the cluster continue to pass traffic.
-
Downgrade of FXOS images is not officially supported. The only Cisco-supported method of downgrading an image version of FXOS is to perform a complete re-image of the device.
Resolved and Open Bugs
The resolved and open bugs for this release are accessible through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products.
Note |
You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you do not have one, you can Cisco.com. |
For more information about the Cisco Bug Search Tool, see the Bug Search Tool Help & FAQ.
Resolved bugs in FXOS 2.10.1.312
The following table lists the previously release-noted and customer-found bugs that were resolved in FXOS 2.10.1.312:
|
Caveat ID Number |
Description |
|---|---|
|
Revert CSCwh21772 - Upgrade FxOS CiscoSSL to version 1.1.1v |
|
|
KP/WM: Getting "RotatingLogProvider: Internal Error:" after login to the device |
|
|
Failover trigger due to Inspection engine in other unit has failed due to disk failure |
|
|
The fxos directory disappears after cancel show tech fprm detail command with Ctr+c is executed. |
|
|
WM1010: "Show techsupport fprm brief" is taking more time (approx 15 mins) than expected |
|
|
Upgrade Go to 1.19.4 in LTS18 branches |
|
|
FPR1k Switchport passing CDP traffic |
|
| Remove iotop.cfg from meta-local-dev linux-yocto.bbappend | |
|
CCM ID 53 - WR8, LTS18, LTS21 |
|
|
ASA/FTD HA checkheaps crash where memory buffers are corrupted |
|
|
FPR1010 in HA failed to send or receive to GARP/ARP with error "edsa_rcv: out_drop" |
|
|
ASA crashed with Saml scenarios |
|
|
Upgrade FxOS CiscoSSL to version 1.1.1v and FOM 7.3a |
|
|
CCM ID 54 - WR8, LTS18, LTS21 update -- (BREAKS LTS21 while WR8 and LTS18 are good) |
|
|
Jitterentropy changes in LTS18 and later branches causing FTD build failure |
|
|
A find core is generated on a FP4100 cluster's node while running longevity traffic |
|
|
FTD upgrade failling on script 999_finish/999_zz_install_bundle.sh |
|
|
FTD+FDM App-instance stucked in started state in 92.16.0.212+7.6.0.1221 |
|
|
WM1010E standby fails to re-join HA with msg "CD App Sync error is SSP Config Generation Failure" |
|
|
Update CiscoSSH to address CVE-2023-48795 |
|
|
Entropy Mixing Breaks NPU Build |
|
|
SNMPv3: Special characters used in FXOS SNMPv3 configuration causes authentication errors |
|
|
Write wrapper around "kill" command to log who is calling it |
|
|
Install the 'perf' tool as part of the FXOS for FTD. |
|
|
FXOS - snmpwalk throwing Error: OID not increasing |
|
|
FXOS: need add tracefs into release build |
|
|
WM/TPK/WA "FTD only": Packet drops observed after removing PC member from Port-channel |
|
|
Add iotop to FXOS branches before FXOS 2.14 |
|
|
JENT: Expand JENT library support to CiscoSSL for all FXOS targets |
|
|
In Low End platforms - Expected timezone "AWST" is not found while executing "show clock" command |
|
|
FTD snmpd process traceback and restart |
|
|
Debug logs added for the Nd HBmiss Scenario in Ndmain Threads. |
|
|
Metadata corruption error when doing "erase secure all" |
|
|
Fxos.sh in branches before R2140 is missing the fxos-compat volume |
|
|
Remove old iotop 0.6 version |
|
|
Management UI presents self-signed cert rather than custom CA signed one after upgrade |
|
|
During secure erase reboot process, observed an ERROR : Timeout Waiting for fxos_log_shutdown. |
|
|
Upgrade to CiscoSSL 1.1.1v.7.3.338-fips in SSP MIO |
|
|
Upgrade to CiscoSSL FOM 7.3a in SSP MIO |
|
|
Add the jemalloc library to the FTD units |
|
|
FTD installation fails on FPR-2K "Error in App Instance FTD. Available memory not updated by blade" |
|
|
Default value of ssh server host key is out of configuable range |
|
|
CCM Seq 58 - LTS18 |
|
|
Remove Local HTMLDOC Recipe |
|
|
Enable entropy-mixing in ciscossl library in fxos |
|
|
Use kill tree function in SMA instead of SIGTERM |
|
|
Handle notification demon false positives |
|
|
CCM ID 62 - LTS18 |
|
|
Introduce the getOption Function in order to debug and check the setOption options set for channels. |
|
|
Proxy thread creation successful is presented as an Error in syslog messages, during bootup |
|
|
Update CIAM scripts to include CVE ID in arttributes and add WR_CASE_PENDING attribute |
|
|
Zmq_poll return 1 logs on the FTD console |
|
|
Update CCM Layer Infrastructure |
|
|
FXOS CIAM Bug Filling Script Fails to wait for Bug to be Filed |
|
|
Add support for 7zip into FMC |
|
|
Fix to make pre-LTS21 builds to work on CEL8 machines |
|
|
SSP MIO: Swims Token support in signing image |
|
|
Backout CL3419025 from fxplatform/liverpool/FXOS_2_10_1 |
|
|
DUALLINA: Code changes to notify NPU abot FIPS enable/disable config |
|
|
Timezone not working correctly on 9300/4100 platforms |
|
|
Unable to build 2.12.1.fcs-throtle |
|
|
FTD/ASA system clock resets to year 2023 |
|
|
FP2100/FP1000: ASA Smart licenses lost after reload |
|
|
FTD: Messages file contains a flood of logs from "Ipc" |
|
|
WA MI 4245: Logrotate is broken |
|
|
CCM ID 63 - LTS18 |
Resolved bugs in FXOS 2.10.1.271
The following table lists the previously release-noted and customer-found bugs that were resolved in FXOS 2.10.1.271:
|
Caveat ID Number |
Description |
|---|---|
|
Failing to set DNS, hostname and IP on TPK 3130. |
|
|
BS/QP: User password is displayed in plaintext in logs. |
|
|
Azure vFMC failed to boot after upgrade to 7.2.0 1259 tainting kernel. |
|
|
Duplicate log entry for /mnt/disk0/log/asa_snmp.log. |
|
|
fpis and cc mode oper-state is in enabled state even after disabled and mio reboot |
|
|
QP MI FTD HA pair goes to disabled state. |
|
|
Unable to configure domain\username under cfg-export-policy in FXOS. |
|
|
FP1000 - During boot process in LINA mode, broadcasts leaked between interfaces resulting in storm |
|
|
Telemetry registration is failing in 2.13. |
|
|
30+ seconds data loss when unit re-join cluster. |
|
|
WR6, WR8, LTS18 and LTS21 commit id update in CCM layer (seq 42) |
|
| Blade not coming up after FXOS update support on multi-instance due to ssp_ntp.log log rotation problem. | |
|
The Standby Device going in failed state due to snort heartbeat failure. |
|
|
Link Up seen for a few seconds on FPR1010 during bootup. |
|
|
41xx: Blade does not capture or log a reboot signal. |
|
|
Supervisor does not reboot unresponsive module/blade due to CATERR with minor severity sensor ID 50. |
|
|
Application Instance fails to install sporadically. |
|
|
The standby device is going in failed state due to snort heartbeat failure ( Precommit Build Failure). |
|
|
WR6, WR8, LTS18 and LTS21 commit id update in CCM layer (Seq 43) |
|
|
Multiple instances of nvram.out log rotated files under /opt/cisco/platform/logs/ |
|
|
FTD upgrade failure at "999_finish/999_zz_install_bundle.sh" due to bad key certificate. |
|
|
Workaround to set hwclock from ntp logs on low end platforms. |
|
|
Supervisor does not reboot unresponsive module/blade due to IERR with minor severity sensor ID 79. |
|
|
2100: Power switch toggle leads to ungraceful shutdowns and "PowerCycleRequest" reset |
|
|
FP1K/2K/3K devices unable to receive unicast traffic. |
|
|
WR6, WR8, LTS18 and LTS21 commit id update in CCM layer (seq 45). |
|
|
Unable to login to FTD using external authentication. |
|
|
logrotate is not compressing files on 9.16 ASA or 7.0 FTD. |
|
|
Notification Daemon false alarm of Service Down |
|
|
WR6, LTS18 and LTS21 commit id update in CCM layer (Seq 46). |
|
|
After ASA upgrade device going to failsafe with error"fxos_api_xml_decode: XML_Parse return error". |
|
|
Remove workaround for bad Wind River commit, and update libtiff version passed to IMS. |
|
|
Need to use CiscoSSL with FOM 7.3 for Intel Builds. |
|
|
Change readdir_r to readdir. |
|
|
Failsafe mode should allow user to configure mgmt interface IP address |
|
|
Failsafe mode should not ask user to change password after login. |
|
|
Non-zero input discards in MI CCL interface |
|
|
FXOS: Fault "The password encryption key has not been set." displayed on FPR1000 and FPR2100 devices |
|
|
interfaces show down/down on lina but up/up in FXOS. |
|
|
User password that contains " will bypass new password setup". |
|
|
No messages displayed on the console for any inserted SFP cable after removal. |
|
|
TPK: turn on retry for interfaceMappingConfigUpdate. |
|
|
In QP-C Blades went to offline state after mio reboot. |
|
|
MIO blade snmp unification: Rapid enabling/disabling unification can cause HAP_RESET. |
|
|
snmpwalk Error when unification feature is enabled. |
|
|
sspos_snmp_suba core seen during longevity test on FP1K. |
|
|
SA for msglyr and switch/src/HAL_Layer code. |
|
|
/opt/cisco/config/platform/logs/stdout_1block_process.log.1 is still open. |
|
|
Sometimes device goes for reboot, when powering on of alperton netmod in 4100 device |
|
|
MIO is not able to register. appAG process issue. |
|
|
CSSMGR_log core found while testing snmp trap on 2.8.1.184 |
|
|
Cache and dump last 20 rmu request response packets in case failures/delays while reading registers. |
|
|
FPR3100: 25G optic may show link up on some 1/10G capable only fiber ports. |
|
|
Modify tech-support to capture additional debug info (show portmanager switch vlans). |
|
|
[IMS_7_3_0]REST_API:Network::getMTU [ERROR] when setting network information during firstboot. |
|
|
FXOS is not rotating log messages files for partition opt_cisco_platform_logs. |
|
|
FPR2140 ASA Clock Timezone reverts to UTC after appliance restart/reload. |
|
|
CIAM: zlib - CVE-2022-37434 |
|
|
Update Broadcom SDK patch for field alert notification for Trident2. |
|
|
Critical health alerts 'user configuration(FSM.sam.dme.AaaUserEpUpdateUserEp)' on 2100/3100 devices. |
|
|
Adding forceReboot option for bundle install REST API. |
|
|
Analyze why there is no logrotate for /opt/cisco/config/var/log/ASAconsole.log |
|
|
FXOS: memory leak in svc_sam_envAG process. |
|
|
FP2100: FXOS side changes for HA is not resilient to unexpected lacp process termination issue. |
|
|
KP- FTP under local-mgmt not working. |
|
|
FXOS is not rotating PoE logs. |
|
|
MI FTD running 7.0.4 is on High disk utilization. |
|
|
FAN LED flashing amber on FPR2100 |
|
|
Audit log is missing for Mgmt port change. |
|
|
Improve CLI options for management IP with dhcp option. |
|
|
SNMPD cores seen in in snmp_sess_close and notifyTable_register_notifications. |
|
|
Partition "/opt/cisco/config" gets full due to wtmp file not getting logrotated. |
|
|
Refresh the ios.pem. |
|
|
stdout_00aa_ssp_syslog.log is full of crond is running messages. |
|
|
svc_sam_serviceOrchAG.log is filled with repeating worthless messages every minute. |
|
|
LTS18 CCM Sequence number 44 to update the libjitterentropy to version 3.4.1 |
|
|
SNMP on SFR module goes down and won't come back up. |
|
|
Workaround to fix build breakage introduced by Wind River CCM commit. |
|
|
Upgrade third-party component rng-tools to latest 6.16 version. |
|
|
logger.1: send message failed: Resource temporarily unavailable logs were seen after reload 7.2.4-94 |
|
|
FXOS REST API: Unable to create a keyring with type "ecdsa". |
|
|
portmanager.sh outputing continuous bash warnings to log files. |
|
|
Attempt go 1.19.4 in LTS18 Branches but go back to 1.12.12 release. |
|
|
rp_filter source validation is disabled (FTD). |
|
|
JENT: Add JENT library to fxos to support KP. |
|
|
Modify tech-support to capture additional debug info (control link register details). |
Resolved bugs in FXOS 2.10.1.245
The following table lists the previously release-noted and customer-found bugs that were resolved in FXOS 2.10.1.245:
|
Caveat ID Number |
Description |
|---|---|
|
LTS18 and LTS21 commit id update in CCM layer (seq 39). |
|
|
WR6, WR8, LTS18, and LTS21 commit id update in CCM layer (seq 40). |
|
|
Inline-pair's state could not able to auto recover from hardware-bypass to standby mode. |
|
|
WR6, WR8, LTS18, and LTS21 commit id update in CCM layer (seq 41). |
|
|
core.portmgr_ipc found on kp platform on ASA version 99.20.0.136 and 99.20.0.140 after upgrade. |
|
|
8x10Gb netmod fails to come online. |
|
|
For system processes, limit the CPUs used to the number of system CPUs. |
|
|
Cisco Firepower 4100 Series, Firepower 9300 Security Appliances, and UCS Fabric Interconnects allows authendicated local attacker to inject unauthorized commands. |
|
|
Platform faults related to management interface. |
Resolved bugs in FXOS 2.10.1.234
The following table lists the previously release-noted and customer-found bugs that were resolved in FXOS 2.10.1.234:
|
Caveat ID Number |
Description |
|---|---|
|
Uploading firmware triggers data port-channel to flap |
|
|
CIAM: expat multiple Vulnerabilities |
|
|
CIAM: expat - CVE-2022-23852 |
|
|
FTD/FXOS - ASAconsole.log files fail to rotate causing excessive disk space used in /ngfw |
|
|
Chassis and application sets the time to Jan 1, 2010 after reboot |
|
|
Evaluation of Cisco Firepower 4100/9300 FXOS for Dirty Pipe vulnerability |
|
|
The smConLogger traceback is caused by memory leak. |
|
|
MIO: No blade reboot during CATERR if fault severity is non-Severe or CATERR sensor is different |
|
|
Cisco FXOS and NX-OS Software CDP DoS and Arbitrary Code Execution Vulnerability |
|
|
Firepower 9300 chassis troubleshoot file caused outage |
|
|
Kilburn Park freezes / crashes on netboot system load |
|
|
Update CiscoSSL to 1.1.1o.7.3sp.143 |
|
|
WR6, WR8, LTS18 and LTS21 commit id update in CCM layer (Seq 33) |
|
|
In addition to the c_rehash shell command injection identified in CVE-2022-1292 |
|
|
WR8, LTS18 and LTS21 commit id update in CCM layer (Seq 34) |
|
|
WR6, WR8, LTS18 and LTS21 commit id update in CCM layer (Seq 35) |
|
|
Fail-To-Wire interfaces flaps intermittently due to watchdog timeout in KP platform |
|
|
FPR4100/9300 Blade discovery may hang due to internal communication failure with blade adapter |
|
|
WR6, WR8, LTS18 and LTS21 commit id update in CCM layer (Seq 36) |
|
|
CCM layer (Seq 38) WR8, LTS18, LTS21 |
|
|
FTW: port pairs unexpectedly going to bypass due to failure |
|
|
"power down soft-shut-down" option is restarting the blade while testing 92.11 release |
|
|
Firepower 2100 FTD: ssh-access-list configuration are lost after upgrading |
|
|
BootCLI commands user messages to be more clear |
|
|
Software upgrade on ASA application may failure without obvious reasons |
|
|
CIAM: openssh - CVE-2021-41617 |
|
|
Syslog over TLS accepting wildcard in middle of FQDN |
|
|
CIAM: bind 9.11.4 |
|
|
CIAM: cpio 2.12 |
|
|
CIAM: mod-security - CVE-2021-42717 |
|
|
4100/9300: GET/PATCH sys/mgmt-ipv6 returned 404 error |
|
|
FXOS should check reference clock stratum instead of NTP server local clock stratum |
|
|
CIAM: python 3.9.2 |
|
|
FXOS: Third-party interop between Ciena Waveserver with firepower chassis. |
|
|
CIAM: zlib - CVE-2018-25032 |
|
|
FTD upgrade fails - not enough disk space from old FXOS bundles in distributables partition |
|
|
CIAM: glibc 2.33 CVE-2022-23219 and others |
|
|
CIAM: libxml - CVE-2022-23308 |
|
|
CIAM: strongswan - CVE-2021-45079 |
|
|
/var/tmp partition fullness warning on FXOS |
|
|
Lina traceback and core file size is beyond 40G and compression fails on FTD |
|
|
CIAM: apache-http-server - CVE-2022-31813 and Others |
|
|
CIAM: curl - CVE-2022-22576 and others |
|
|
Firepower module show-tech file generation may fail with error "Failed to create archive!" |
|
|
NTP logs will eventually overwrite all useful octeon kernel logs |
|
|
FXOS partition opt_cisco_platform_logs on FP1K/FPR2K may go Full due to ucssh_*.log |
|
|
CIAM: libtirpc - CVE-2021-46828 |
|
|
link state propagation stops working when performing full chassis reboot |
|
|
rsc_5_min.log store location should move to a different partition |
|
|
CIAM: expat - multiple versions |
|
|
ENH: Save output of 'top -H' to topout.log* files in FPRM |
|
|
ENH: Fail-to-Wire feature switching standby/bypass from CLI |
|
|
ENH - Setting the zmqio sched policy and priority for MIO heartbeat channel |
Resolved bugs in FXOS 2.10.1.207
The following table lists the previously release-noted and customer-found bugs that were resolved in FXOS 2.10.1.207:
|
Caveat ID Number |
Description |
|---|---|
|
ENH: Prevent CCL IP addressing on the 169.254.x.x subnet on cluster creation |
|
|
Shutdown command reboots instead of shutting the FP1k device down. |
|
|
App-instance startup version is ignored and set to running-version after copy config |
|
|
ENH: Save output of 'top -H' to topout.log* files in FPRM |
|
|
USB kernel modules required for FMC |
|
|
FXOS changes to provide dmidecode access to container |
|
|
Uploading firmware triggers data port-channel to flap |
|
|
ASA snmpd Traceback & cores on an active unit |
|
|
CIAM: expat - CVE-2022-25235 and others |
|
|
Firepower 1K FTD sends LLDP packets with internal MAC address of eth2 interface |
|
|
Update LTS18 to RCPL 24 |
|
|
MIO: No blade reboot during CATERR if fault severity is non-Severe or CATERR sensor is different |
|
|
Port-channel member interfaces are lost and status is down after software upgrade |
|
|
WR6, WR8 and LTS18 commit id update in CCM layer(sprint 124, seq 20) |
|
|
WR8 and LTS18 commit id update in CCM layer (sprint 126, seq 22) |
|
|
WR8, LTS18 and LTS21 commit id update in CCM layer (Seq 25) |
|
|
Evaluation of ssp for vulnerabilities resolved in Apache httpd 2.4.53 |
|
|
The smConLogger traceback is caused by memory leak. |
|
|
WM 1150: Upgrade to asa image "99.16.4.24-198" fails on Wm1150 platform |
|
|
FXOS is not rotating log files for management interface |
|
|
ASA/FTD traceback and reload on netsnmp_handler_check_cache function |
|
|
Tune throttling flow control on syslog-ng destinations |
|
|
IPv6 support for ftdv in azure platform |
|
|
Need to upgrade or patch syslog-ng in WR os for FMC to support the ecdh-curve-list() setting |
|
|
Implementation of CLI for ipv6 logo certification |
|
|
WR6, WR8 and LTS18 commit id update in CCM layer (sprint 125, seq 21) |
|
|
ASAv SSH session getting terminated with ospf network command using Azure / Azure Stack hub |
|
|
FXOS: WARNING: Configuration file format is too old, syslog-ng is running in compatibility mode. |
|
|
ASA SNMPd traceback in netsnmp_subtree_split |
|
|
Update certificate bundle for 7.2 release |
|
|
WR8 and LTS18 commit id update in CCM layer (seq 24) |
|
|
RM 1120 Port state going down, speed is 100/10 and duplex full/Half, speed and duplexmismatchpresent |
|
|
WR8, LTS18 and LTS21 commit id update in CCM layer (seq 26) |
|
|
nvram logs consistently written every 2 seconds causing high disk utilization |
|
|
TPK keep rebooting with /bin/echo: write error: No space left on device |
|
|
WM 1010 10/100Mbps full duplex setting is not getting effect |
|
|
Switch detected unknown MAC address from FPR1140 Management Interface |
|
|
FPR1010 in HA Printing Broadcast Storm Alerts for Multiple Interfaces |
|
|
Increase logging level to diagnose LACP process unexpected restart events |
|
|
FXOS: Third-party interop between Ciena Waveserver with firepower chassis. |
|
|
Portmanager/LACP improvement to capture logging events on external event restarts |
|
|
FXOS misses logs to diagnose root cause of module show-tech file generation failure |
|
|
FIPS self-tests must be run when CC mode is enabled - files are missing |
|
|
FXOS is not rotating log files for partition opt_cisco_platform_logs |
|
|
CIAM: Apache-http-server CVE-2021-44790 and CVE-2021-44224 |
|
|
FPR2100 ONLY - PERMANENT block leak of size 80, 256, and 1550 memory blocks & blackholes traffic |
|
|
WM11xx: Getting "ERROR: waiting for fxos_log_shutdown" during shutdown. |
|
|
Portmanager/LACP improvement to avoid false restarts and increase of logging events |
|
|
LTS18 commit id update in CCM layer (seq 27) |
|
|
Upgrade to CiscoSSL FOM 7.3sp and CiscoSSL 1.1.1o.7.3sp.143-fips in SSP MIO |
|
|
FPR1010: Add support for ATU, VTU and other switch faults to be read through CLI |
|
|
Upgrade fail & App Instance fail to start with err "CSP_OP_ERROR. CSP signature verification error." |
|
|
CIAM: glibc - CVE-2021-33574 CVE-2021-35942 CVE-2021-38604 |
|
|
Physical interface is not coming up on SSP side even though adminState enabled |
|
|
ASA installation/upgrade fails due to internal error "Available resources not updated by module" |
|
|
ASA running on SSP platform generate critical error "[FSM:FAILED]: sam:dme:MgmtIfSwMgmtOobIfConfig" |
|
|
WR6, WR8, LTS18 and LTS21 commit id update in CCM layer (Seq 32) |
|
|
2.10.1 build breakage |
Resolved bugs in FXOS 2.10.1.179
The following table lists the previously release-noted and customer-found bugs that were resolved in FXOS 2.10.1.179:
|
Caveat ID Number |
Description |
|---|---|
|
FXOS Operational State:Thermal-problem intermittently |
|
|
In FPR2100,after power off/on,the fxos version is mismatched with asa version. |
|
|
ENH: Add failure reason in Fault messages |
|
|
Need show command to see the details of transceiver of FXOS mgmt port via CLI |
|
|
Upgrade to 2.10.1.166 causes degraded SM - Unrecognized Firmware format |
|
|
Enhance asa_cmd_server to execute a command at requested interval |
|
|
BCM SDK (SDK-258005) and SDK - Field Alert - - SDK-233993 |
|
|
Send PnuOS logs from blade to MIO |
|
|
Serviceability Request - Add error message that FXOS firmware is not fully activated |
|
|
FXOS System temporary directory usage is unexpectedly high |
|
|
FXOS may display fault F1256 about missing local disk 0 |
|
|
FXOS traceback and reload due Service "ascii-cfg" sent SIGABRT for not setting heartbeat. |
|
|
Need show command to see the details of FPGA version on Firepower devices |
|
|
NBN: New PSU PID support in MIO |
|
|
Evaluation of ssp for CDPD crash Nexus devices from CDP table corruption |
|
|
ENH: Include dmesg -T command output in FXOS show-tech files |
|
|
RDNSSD: "Packet too big" error in IPv6 path MTU |
|
|
ENH: Include output of 'show cc-mode' and 'show fips-mode' in chassis show-tech |
|
|
FXOS A crafted request uri-path can cause mod_proxy to forward the request to an origin server... |
|
|
FXOS | high Align-Err counter on port-channel48 |
Resolved bugs in FXOS 2.10.1.166
The following table lists the previously release-noted and customer-found bugs that were resolved in FXOS 2.10.1.166:
|
Caveat ID Number |
Description |
|---|---|
|
FXOS: some interface transition logs have no reason |
|
|
FXOS Apache HTTP Server Multiple Vulnerabilities (CVE-2020-11993) and (CVE-2020-9490) |
|
|
ENH: Rename status BYPASS-FAIL for fail-to-wire inline pairs |
|
|
Fault F0736 should not be generated due to unreacheable default gateway |
|
|
Firepower memory leak in svc_sam_dcosAG |
|
|
Handle CIMC Watchdog reset in MIO |
|
|
FXOS : 'Memory leak' may casue appAG process traceback and reload |
|
|
When ASA upgrade fails, version status is desynched between platform and application |
|
|
Lina traceback and core file size is beyond 40G and compression fails. |
|
|
SSH access with public key authentication requires user password |
|
|
ENH: Include output of 'show card detail expand' and 'show card-config' in chassis show-tech |
|
|
Port dcosAG leak fix CSCvx14602 to KP/WM |
|
|
AppAgent Heartbeat enhancement |
|
|
FPR4100/9300 IPv6 config cannot be applied using Rest API LTP on 9300/4100 Supervisor |
|
|
Disk utilization increasing /var/tmp in FPR4150-ASA chassis |
|
|
FXOS process core pruned/deleted from system files (no validation) |
|
|
ENH: FPR 4100/9300 bcm_usd process logs to support possible RCA |
|
|
Chassis SSD firmware upgrade may be prevented improperly |
|
|
IPv6 allowed networks cannot be provisioned via the bootstrap JSON config file for LTP |
|
|
Add version number in service-mgr logs |
|
|
correct heartbeat log level |
|
|
7.0.0.1-14 9300 FTD node failed to join the cluster after the upgrade |
|
|
ping6 command under connect local-mgmt not working |
|
|
decommission blade should be blocked when disk format in progress |
|
|
Enhancement to make link down/flap reasons from CSCvo90987 user readable |
|
|
"show hardware internal bcm-usd info driver-info" returns error |
|
|
BCM SDK patch - Parity error in TDM Calendar memories causes traffic drop after SER correction |
|
|
Need more bcm-usd output in tech-support |
|
|
FPR-NM-4X40G EPM card aggregate interfaces are down after non-graceful OIR |
|
|
port CSCvt54456's changes to SDK 6.5.16 |
|
|
CLI to enable/disable SDK logs |
|
|
Send PnuOS logs from blade to MIO |
|
|
Add Server environment detail to techsupport |
|
|
Display message ???nothing to update??? if the SSD installed is not applicable for the firmware update |
|
|
svc_sam_statsAG_log core file found while setting the admin state to offline in card 3 |
|
|
Chassis Reset reason shows different dates |
|
|
Drop counter statistics for BCM |
|
|
9300/4100 Enable Blade Console logs for Release images |
|
|
Upgrade FOM from 7.0a to 7.0b |
|
|
VDP installation failed with error "CSP reached max-app-limit. Install Rejected" |
|
|
Enable log rotation of rsc* logfiles that can grow large due to bug CSCvy13543 |
|
|
NTP script generates "binary operator expected" syntax error |
|
|
ma_ctx files with '.backup' extension seen after applying the workaround for CSCvx29429 |
Open Bugs in FXOS 2.10.1.159
There are no disclosed open defects at this time.
Resolved bugs in FXOS 2.10.1.159
The following table lists the previously release-noted and customer-found bugs that were resolved in FXOS 2.10.1.159:
|
Caveat ID Number |
Description |
|---|---|
|
httpd leaves a zombie process (rotatelogs) behind |
|
|
Backplane Eth1/9 link keeps DOWN until reboot the chassis |
|
|
SNMP OID for SystemUpTime show incorrect value |
|
|
KP: Can't login to fxos due to disk full error |
|
|
FPR1010 / FPR2110 is booting to ROMMON mode |
|
|
ENH: Need to log reset-reason for FP2100 hardware |
|
|
ASA telemetry: Auto registration of device for telemetry failed |
|
|
FPR1010 - Add temperature/warnings for SSD when thresholds are exceeded |
|
|
Fxos Snmp-user is not persistent after reboot |
|
|
LCMB: Dynamic medium page allocation can lead to memory depletion |
|
|
Confusing message about 'without removing the physical hardware' during Acknowledge Security Module |
|
|
Add stack support for FTD/NGIPS to improve the troubleshoot of processes in D state |
|
|
FCM should say is not possible to change AAA server when same protocol is configured for Auth |
|
|
FTD or ASA Hangs After Reload Due to Internal Heartbeat Issue |
|
|
NTP script error leading to clock drift and traffic interruption |
|
|
FXOS FTD Multi Instance CPU cores shared between different instances |
|
|
FP1010 / 2100 - FTD: Management port down/down after FTD upgrade to release 6.6.0 |
|
|
FTD 2100: Packet drops during the transition of BYPASS to NON-BYPASS when device is rebooted |
|
|
FP1010 poemgr crashes |
|
|
ASA Traceback in thread name: CERT API memory leak while processing CRLs |
|
|
ASA on FP2100 keeps generating ASA-4-199016 (9.13.1, appliance mode) |
|
|
FXOS: svc_sam_dcosAG process crash on FirePower 4100/9300 |
|
|
Get netsnmp-5.8 compiled with AES 192/256 support |
|
|
connector log exhausted disk space |
|
|
FPR2k: FCM Syslog Remote Destinations tab disappeared after upgrading |
|
|
FDM: None of the NTP Servers can be reached - Using Data interfaces as Management Gateway |
|
|
2100 series ASA: Internal 1/1 link Flapping logs |
|
|
bad allowed_cpus in /etc/sf/arc.conf probably from cspCfg.xml |
|
|
FPR-1010 incorrectly classifies 9120AXI AP as Class 1 instead of Class 4 |
|
|
Eval of FXOS for Apache vulnerabilities CVE-2020-1927 and CVE-2020-1934 |
|
|
[ciam] "In jQuery versions greater than or equal to 1.0.3 and before 3.5.0 passing HTML containing |
|
|
WR6, WR8 and LTS18 commit id update in CCM layer (sprint 85) |
|
|
An extra whitespace in cluster group name of FTD causing data unit to be kicked out. |
|
|
FXOS ASA race condition leading to cluster join failure and network outage |
|
|
FXOS LACP packet logging to pktmgr.out and lacp.out fills up /opt/cisco/platform/logs to 100% |
|
|
Firepower 4100/9300 - Fail-to-wire (FTW) EPM ports link flap during show tech collection |
|
|
Reject the NTP server on the MIO side when the stratum value is higher than device can handle |
|
|
TD2 does not load balance MPLS across backplane interfaces and sends it all to first interface |
|
|
CIAM: nfs-utils 1.3.0 |
|
|
Many core.snmpd under the FXOS cores location |
|
|
FXOS - AAA/RADIUS - NAS-IP Field set to 127.0.01 |
|
|
Service module not returning error to supervisor when SMA resources are depleted |
|
|
ASA app-instance restart without audit log or trigger |
|
|
FXOS: FPR2100 may go into fail-safe mode after configuring SNMP followed by reload |
|
|
FXOS Multi-Instance fault F0479 Virtual Interface link state is down |
|
|
Cisco Firepower Threat Defense Software SNMP Denial of Service Vulnerability |
|
|
Firepower may reboot for no apparent reason |
|
|
Firepower 9300 FPR-NM-4X100G or FPR-NM-2X100G interface may blackhole port-channel member traffic |
|
|
FXOS dynamically learning mac-address of external machine causing outage |
|
|
SNMP polling stopped working on active device in HA |
|
|
Multi-instance Portchannel VLANs not programmed correctly causing internal traffic loss |
|
|
WR6, WR8 and LTS18 commit id update in CCM layer(sprint 90) |
|
|
NTP "Server Status" is blank in Firepower Chassis Manager when more than one NTP server configured |
|
|
ASA module fails to upgrade (GracefulStopApp FSM failure) |
|
|
Some VIF interfaces may be reported as down in FXOS faults after software upgrade |
|
|
FXOS sending additional internal VLAN TAG leading to ARP update failure on devices. |
|
|
FP2100 - SNMP: incorrect values returned for Ethernet statistics polling |
|
|
2.9.1.84 - 4 node QP longevity setup with SNMPD core on Primary |
|
|
Duplicate ARP replies for IPv4 management address on FTD |
|
|
WR6, WR8 and LTS18 commit id update in CCM layer(sprint 92) |
|
|
statsAG memory leak |
|
|
No utility to handle XFS corruption on 2100/1000 series Firepower devices |
|
|
chassis manager code comments appears post authentication FPR2130 |
|
|
FPR device does not recognize USB/pendrive that exeeds 8GB |
|
|
FPR1010: Internal-Data0/0 and data interfaces are flapping during SMB file transfer |
|
|
FXOS: Voltage on DC PSU displayed with wrong values from the 'show stats' |
|
|
FXOS portAG memory leak during periodical interface polls |
|
|
FTD/ASA creates coredump file with "!" character in filename (zmq changes (fxos) for CSCvv40406 ) |
|
|
WR6, WR8 and LTS18 commit id update in CCM layer (sprint 94, seq 1) |
|
|
VIC adapter kernel crash at boot |
|
|
Upgrade : FSM status can show incorrect value after upgrade |
|
|
FPR2100 High disk usage in partition /opt/cisco/platform/logs due to growth of httpd log files |
|
|
Message appearing constantly on diagnostic-cli |
|
|
WR6, WR8 and LTS18 commit id update in CCM layer (sprint 98, seq 2) |
|
|
Firepower 1000 Series stops passing traffic when a member of the port-channel is down |
|
|
Memory leak : DME process may traceback generating core on Firepower 4100/9300 (M5 series only) |
|
|
Error "No such file or directory" happended when using "copy ftp: wrokspace:" in FXOS 2.8.1 |
|
|
MIO crashed due to HA policy of Reset with Service: bcm_usd hap reset |
|
|
4100/9300: Cannot associate port channel / interface to App |
|
|
AZURE ASA/FTD NIC MAC address might get re-ordered upon a reboot |
|
|
Timezone in "show clock" is different from which in "show run clock" |
|
|
The FXOS logrotate does not rotate properly all the log files |
|
|
CRUZ paloview is not accessible on release build |
|
|
"Link not connected" error when using WSP-Q40GLR4L transceiver and Arista switch |
|
|
SSH access with public key authentication fails after FXOS upgrade |
|
|
ASA upgrade failed with: "CSP directory does not exist - STOP_FAILED Application_Not_Found" |
|
|
Radius Key with the ASCII character " configured on FXOS does not work after chassis reload. |
|
|
FXOS upgrade does not do proper compatibility check for FTD image |
|
|
FP2100 ASA - 1 Gbps SFP in network module down/down after upgrade to 9.15.1.1 |
|
|
FPR2100: ASA/FTD generates message "Local disk 2 missing on server 1/1" |
|
|
FXOS upgrade fails with error "does not support application instances of deployment type container" |
|
|
Need handling of rmu read failure to ignore link state update when link state API read fails |
|
|
FXOS reporting old FTD version after FTD upgrade to 6.7.0 |
|
|
Pre-login-banner not showing on FCM WebUI |
|
|
FXOS clock sync issue during blade boot up due to "MIO DID NOT RESPOND TO FORCED TIME SYNC" |
|
|
Evaluation of ssp for Sudo privilege escalation Jan 21 vulnerability |
|
|
ENH: add a way to disable the FQDN check |
|
|
ma_ctx*.log consuming high diskspace on FPR4100/FPR9300 despite the fix for CSCvx07389 |
|
|
Sudo before 1.9.5p2 has a Heap-based Buffer Overflow, allowing privile |
|
|
FXOS show fault warning code F4526902 |
|
|
Unable to save new cluster node configs on FCM due to java error |
|
|
Evaluation of ssp for OpenSSL March 2021 vulnerabilities |
|
|
Failure accessing FXOS with connect fxos admin from Multi-Context ASA if admin context is changed |
|
|
WR6, WR8 and LTS18 commit id update in CCM layer(sprint 110, seq 10) |
Related Documentation
For additional information on the Firepower 9300 or 4100 series security appliance and FXOS, see Navigating the Cisco FXOS Documentation.
Online Resources
Cisco provides online resources to download documentation, software, and tools, to query bugs, and to open service requests. Use these resources to install and configure FXOS software and to troubleshoot and resolve technical issues.
-
Cisco Support & Download site: https://www.cisco.com/c/en/us/support/index.html
-
Cisco Bug Search Tool: https://tools.cisco.com/bugsearch/
-
Cisco Notification Service: https://www.cisco.com/cisco/support/notifications.html
Access to most tools on the Cisco Support & Download site requires a Cisco.com user ID and password.
Contact Cisco
If you cannot resolve an issue using the online resources listed above, contact Cisco TAC:
-
Email Cisco TAC: tac@cisco.com
-
Call Cisco TAC (North America): 1.408.526.7209 or 1.800.553.2447
-
Call Cisco TAC (worldwide): Cisco Worldwide Support Contacts
Communications, Services, and Additional Information
-
To receive timely, relevant information from Cisco, sign up at Cisco Profile Manager.
-
To get the business impact you’re looking for with the technologies that matter, visit Cisco Services.
-
To submit a service request, visit Cisco Support.
-
To discover and browse secure, validated enterprise-class apps, products, solutions and services, visit Cisco Marketplace.
-
To obtain general networking, training, and certification titles, visit Cisco Press.
-
To find warranty information for a specific product or product family, access Cisco Warranty Finder.
Feedback