Field Notice: FN - 72550 - ASA and Firepower Software: Secure Firewall Appliance Might Traceback And Reload In A High Availability Configuration - Software Upgrade Recommended
Available Languages
Notice
THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
Revision History
| Revision | Publish Date | Comments |
|---|---|---|
1.1 |
03-Aug-23 |
Updated the Workaround/Solution Section |
1.0 |
09-Mar-23 |
Initial Release |
Products Affected
| Affected OS Type | Affected Software Product | Affected Release | Affected Release Number | Comments |
|---|---|---|---|---|
NON-IOS |
Adaptive Security Appliance (ASA) Software |
9 |
9.12.4, 9.14.4, 9.16.2, 9.16.3, 9.18.1 |
|
NON-IOS |
Firepower Threat Defense (FTD) Software |
6.4 |
6.4.0.15 |
|
NON-IOS |
Firepower Threat Defense (FTD) Software |
7.0 |
7.0.2 |
|
NON-IOS |
Firepower Threat Defense (FTD) Software |
7.2 |
7.2.0 |
|
NON-IOS |
Adaptive Security Appliance (ASA) Software |
Interim |
9.12.4 Interim, 9.14.4 Interim, 9.16.2 Interim, 9.16.3 Interim, 9.18.1 Interim |
Defect Information
| Defect ID | Headline |
|---|---|
| CSCwb93932 | ASA/FTD traceback and reload with timer services assertion |
Problem Description
For some versions of Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software, the Cisco Secure Firewall appliance might traceback and reload when in a failover High Availability (HA) configuration.
Background
Cisco Secure Firewall deployments in failover HA configurations with stateful failover enabled might experience a race condition that causes affected ASA or FTD software to run out of memory buffer when the connection state is synchronized. This condition causes the firewall device to traceback and reload.
Problem Symptom
The log files might show one of these error messages after the firewall traceback and reload. The error messages are available from the console in the crashinfo file (ASA and FTD software) or in the ASAconsole.log file located in /ngfw/var/log/ (FTD software only).
- Periodic handler with timer_services assertion
Timer callback is NULL, last callback is 0x55d7682ca768~0x55d7682ca76f flags=0x0
------ Dump timer ------
0x00001504d1c588e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0x00001504d1c588f0: c0 2b 65 a8 04 15 00 00 f8 88 c5 d1 04 15 00 00 | .+e.............
0x00001504d1c58900: f8 88 c5 d1 04 15 00 00 00 00 00 00 00 00 00 00 | ................
0x00001504d1c58910: 00 00 00 00 00 00 00 00 ed 94 05 ed ba 0a 00 00 | ................
0x00001504d1c58920: ef | .
------ End of timer Dump ------
core0: An internal error occurred. Specifically, a programming assertion was violated. Copy the error message exactly as it appears, and get the output of the show version command and the contents of the configuration file. Then call your technical support representative.
assertion "0" failed: file "timer_services.c", line 166 - FREEB/Double Block Free
======= BLOCK DOUBLE FREE ========
core1: An internal error occurred. Specifically, a programming assertion was violated. Copy the error message exactly as it appears, and get the output of the show version command and the contents of the configuration file. Then call your technical support representative.
assertion "0" failed: file "block.c", line 4777 - FREEB dsx assertion
core5: An internal error occurred. Specifically, a programming assertion was violated. Copy the error message exactly as it appears, and get the output of the show version command and the contents of the configuration file. Then call your technical support representative.
assertion "point->ext_count == 0" failed: file "dsx.c", line 401
core1: An internal error occurred. Specifically, a programming assertion was violated. Copy the error message exactly as it appears, and get the output of the show version command and the contents of the configuration file. Then call your technical support representative.
assertion "point->ext_count == 0" failed: file "dsx.c", line 401
Workaround/Solution
Workarounds
Complete one of these workarounds:
- Downgrade the ASA or FTD software to an unaffected release.
- Disable stateful failover configuration (for ASA-based devices only).
- Disable failover.
Solution
For ASA-based devices, upgrade to one of the Cisco ASA software versions shown in this table in order to resolve the traceback and reload issue for failover HA configurations.
| Release Version | Fixed Version |
|---|---|
| 9.12(4)39 - 9.12(4)41 | 9.12(4)47 or later |
| 9.14(4) - 9.14(4)7 | 9.14(4)12 or later |
| 9.16(2)3 | Migrate to a fixed release |
| 9.16(3) - 9.16(3)14 | 9.16(3)15 or later |
| 9.18(1) - 9.18(1)1 | 9.18(1)3 or later |
For Firepower-based devices, upgrade to one of the FTD software versions shown in this table in order to resolve the traceback and reload issue for failover HA configurations.
| Release Version | Fixed Version |
|---|---|
| 6.4.0.15 | 6.4.0.16 or later |
| 7.0.2 | 7.0.2.1 or later |
| 7.2.0 | 7.2.0.1 or later |
Note: FTD Version 6.6.x is not affected by the issue described in this field notice.
For More Information
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:
Receive Email Notification For New Field Notices
My Notifications—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.
FeedbackContact Cisco
- Open a Support Case
- (Requires a Cisco Service Contract)
This Document Applies to These Products
Unleash the Power of TAC's Virtual Assistance