Issue
On Cisco Secure Firewall Firepower platforms (versions 7.6.4, 7.7, and 10.0.0), when multiple SSH sessions are active to the same device, executing a long-running command (such as a continuous ping) in one session using the CLISH CLI blocks other CLI commands from completing in other sessions or CLISH. For example, if an administrator starts a continuous ping in one SSH CLISH session and attempts to execute show commands in another CLISH session, the subsequent commands hang until the long-running command completes or is aborted. In certain versions, the long-running ping cannot be aborted from CLISH, leading to a CLISH or deployment lockup. Using expert mode or the LINA engine directly (via system support diagnostic-cli) allows operation without this blocking behavior.
Environment
- Cisco Secure Firewall Firepower hardware platforms: 1000, 1200, and 4200 series
- Software Versions: 7.6.4, 7.7, 10.0.0
- Multiple SSH sessions (same or different users) to the same device
- CLISH CLI interface
- Expert mode and LINA diagnostic CLI usage
- Tested with commands: ping, traceroute, show sip, show ip, show conn, show xlate
- Issue reproduced on FPR1010, FPR1200, and FPR4200 appliances
- Related defects: CSCws82823, CSCwb84748
Resolution
To reproduce the problem:
- Establish two SSH sessions to the device using different or identical user credentials.
- In Session 1, run a long-running ping with a high repeat count from the FTD CLISH prompt.
> ping 1.1.1.1 repeat 2000
CAUTION: If testing, use a smaller repeat count; a count such as 2000 can take hours to complete.
NOTE: A ping/traceroute in CLISH does not show any progress characters as normally seen directly in the LINA CLI.
- In Session 2, attempt to run another LINA command in CLISH such as "show sip".
> show sip
- The command in Session 2 does not complete until the ping in Session 1 finishes or is aborted.
Resolution and workaround:
- Abort the initial prolonged command with Ctrl+C to avoid CLISH lockup and deployment stalling.
- In affected versions, however, a long-running ping in CLISH cannot be aborted with Ctrl+C or by closing the SSH session.
- If this is attempted, the backend process continues and CLISH remains locked for other LINA commands.
- If the FTD is in such a state, or is suspected to have entered it because of a stuck, prolonged ping, a reboot of the FTD is necessary to recover.
- To avoid CLISH/deployment lockup, run LINA commands using the LINA engine directly. This method does not exhibit the defective behavior.
> system support diagnostic-cli
firepower# ping 1.1.1.1 repeat 2000
- Commands executed via the LINA diagnostic CLI do not block CLISH or deployment processes in other sessions. However, system support diagnostic-cli only permits one CLI user per session.
Additional Considerations and Observations:
- Traceroute commands can usually be aborted in CLISH, but can still cause temporary stalling (~3 minutes) for new LINA commands in other sessions.
- Deployment operations initiated from the Secure Firewall Management Center or Device Manager can be delayed or blocked if a long-running ping is active in CLISH, as both processes use synchronous methods and wait for completion (up to 10 minutes).
- This blocking behavior is by design for synchronous process operations; however, the inability to abort was introduced by the defect.
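The following pre-deployment probe is an added example (not Cisco's code and not part of this article). It runs a harmless read-only command through a CLISH session and, separately, through the LINA diagnostic CLI, each under a short hard deadline, and classifies the outcome: a CLISH probe that stalls while the LINA probe still answers matches the blocking pattern described above, which is worth knowing before a Management Center or Device Manager deployment sits waiting for up to 10 minutes. The hostname, credentials, the 30-second deadline and the way each command is handed to the device over SSH are assumptions and placeholders; the probe itself accepts any argv so it can be adapted to however your automation reaches the device.

```python
"""CLISH responsiveness probe (added example, not Cisco's code).

Assumptions (placeholders): FTD_HOST, the SSH user, and that a single CLISH
command / a diagnostic-cli command can be issued per SSH invocation. The
probe function itself only needs an argv and a deadline.
"""
import subprocess
import sys
from dataclasses import dataclass
from enum import Enum

FTD_HOST = "FTD_HOST_PLACEHOLDER"      # assumption: replace with the device address
DEADLINE_S = 30                        # assumption: well under the 10-minute deployment wait


class Status(Enum):
    RESPONSIVE = "responsive"   # command returned within the deadline
    STALLED = "stalled"         # deadline hit: the CLI path did not answer
    FAILED = "failed"           # command ran but exited non-zero, or could not start


@dataclass
class ProbeResult:
    status: Status
    detail: str


def probe(argv, deadline_s):
    """Run argv with a hard deadline; a deadline hit is reported as STALLED.

    subprocess.run() kills the child when the timeout expires, so a stalled
    probe does not leave a dangling SSH session behind on the workstation.
    """
    try:
        done = subprocess.run(argv, capture_output=True, text=True, timeout=deadline_s)
    except subprocess.TimeoutExpired:
        return ProbeResult(Status.STALLED, f"no answer within {deadline_s}s")
    except OSError as exc:
        return ProbeResult(Status.FAILED, f"could not start: {exc}")
    if done.returncode != 0:
        return ProbeResult(Status.FAILED, f"exit {done.returncode}: {done.stderr.strip()}")
    return ProbeResult(Status.RESPONSIVE, done.stdout.strip())


def diagnose(clish: ProbeResult, lina: ProbeResult) -> str:
    """Map the two probe outcomes to an operator-facing verdict.

    The CLISH-stalled / LINA-responsive combination is the fingerprint of the
    blocking described in this article: CLISH processes commands synchronously
    and is held by a long-running command in another session, while the LINA
    engine reached via 'system support diagnostic-cli' keeps answering.
    """
    if clish.status is Status.RESPONSIVE:
        return "ok"
    if clish.status is Status.STALLED and lina.status is Status.RESPONSIVE:
        return "clish-blocked"       # check other sessions for a prolonged ping/traceroute
    if clish.status is Status.STALLED and lina.status is Status.STALLED:
        return "unreachable"         # both paths stalled: not the CLISH-only pattern
    return "error"                   # authentication, transport or command failure


def build_clish_probe():
    # assumption: a read-only CLISH command passed on the SSH command line
    return ["ssh", "-o", "BatchMode=yes", f"admin@{FTD_HOST}", "show version"]


def build_lina_probe():
    # assumption: the same command issued after entering the LINA diagnostic CLI
    return ["ssh", "-o", "BatchMode=yes", f"admin@{FTD_HOST}",
            "system support diagnostic-cli", "show version"]


if __name__ == "__main__":
    clish_result = probe(build_clish_probe(), DEADLINE_S)
    lina_result = probe(build_lina_probe(), DEADLINE_S)
    verdict = diagnose(clish_result, lina_result)
    print(f"CLISH: {clish_result.status.value} ({clish_result.detail})")
    print(f"LINA:  {lina_result.status.value} ({lina_result.detail})")
    print(f"verdict: {verdict}")
    sys.exit(0 if verdict == "ok" else 1)
```

Run the probe from a deployment pipeline or a monitoring job before pushing policy; a "clish-blocked" verdict means a long-running CLISH command is the likely cause, and per the resolution above the device may need a reboot if that command cannot be aborted. The 30-second deadline is deliberately short so the check fails fast instead of inheriting the deployment's 10-minute wait.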
Cause
The root cause is a defect (Cisco Bug ID CSCws82823) that inadvertently removed required code from certain CLI commands in CLISH, preventing the LINA engine from properly recognizing and managing long-running commands. This resulted in the loss of Ctrl+C abort functionality and caused CLISH to lock up, blocking other commands and deployment operations until the long-running command completed. The blocking behavior is due to the synchronous nature of CLISH command processing.