On Cisco Secure Firewall Firepower platforms (versions 7.6.4, 7.7, and 10.0.0), when multiple SSH sessions are active to the same device, executing a long-running command (such as a continuous ping) in one session using the CLISH CLI blocks other CLI commands from completing in other sessions or CLISH. For example, if an administrator starts a continuous ping in one SSH CLISH session and attempts to execute show commands in another CLISH session, the subsequent commands hang until the long-running command completes or is aborted. In certain versions, the long-running ping cannot be aborted from CLISH, leading to a CLISH or deployment lockup. Using expert mode or the LINA engine directly (via system support diagnostic-cli) allows operation without this blocking behavior.
ping, traceroute, show sip, show ip, show conn, show xlate
The problem shows these symptoms:
Establish two SSH sessions to the device using different or identical user credentials.
In Session 1, run a long-running ping with a high repeat count from the FTD CLISH prompt.
> ping 1.1.1.1 repeat 2000

Caution: If testing, use a smaller repeat count. A count such as 2000 can take hours to complete.

Note: A ping/traceroute in CLISH does not show any progress characters as normally seen directly in the LINA CLI.
In Session 2, attempt to run another LINA command in CLISH such as show sip.
> show sip
The command in Session 2 does not complete until the ping in Session 1 finishes or is aborted.
This resolution is available:
Abort the initial prolonged command with Ctrl+C to avoid CLISH lockup and deployment stalling.
In affected versions, long-running pings in CLISH cannot be aborted by Ctrl+C or by closing the SSH session.
If attempted, the backend process continues, and CLISH remains locked for other LINA commands.
If the FTD is found in such a state, or if it is suspected that the FTD has entered such a state with a stuck, prolonged ping, a reboot of the FTD is necessary to recover.
To avoid CLISH/deployment lockup, run LINA commands using the LINA engine directly. This method does not exhibit the defective behavior.
> system support diagnostic-cli
firepower# ping 1.1.1.1 repeat 2000
Commands executed via the LINA diagnostic CLI do not block CLISH or deployment processes in other sessions. However, system support diagnostic-cli only permits one CLI user per session.
Traceroute commands can usually be aborted in CLISH, but can still cause temporary stalling (~3 minutes) for new LINA commands in other sessions.
Deployment operations initiated from the Secure Firewall Management Center or Device Manager can be delayed or blocked if a long-running ping is active in CLISH, as both processes use synchronous methods and wait for completion (up to 10 minutes).
This blocking behavior is by design for synchronous process operations; however, the inability to abort was introduced by the defect.
The root cause is a defect (Cisco Bug ID CSCws82823) that inadvertently removed required code from certain CLI commands in CLISH, preventing the LINA engine from properly recognizing and managing long-running commands. This resulted in the loss of Ctrl+C abort functionality and caused CLISH to lock up, blocking other commands and deployment operations until the long-running command completed. The blocking behavior is due to the synchronous nature of CLISH command processing.
| Revision | Publish Date | Comments |
|---|---|---|
| 2.0 | 30-Mar-2026 | Initial Release, formatting. Did not stage first time. |
| 1.0 | 11-Mar-2026 | Initial Release |