Release Notes for the Cisco Secure Firewall ASA, 9.22(x)
This document contains release information for ASA software version 9.22(x).
Note: 9.22(1) was not released. The first release was 9.22(1.1).
Important Notes
- No support in ASA 9.22(1) and later for the Firepower 2100: ASA 9.20(x) is the last supported version.
- Smart licensing default transport changed in 9.22: In 9.22, the smart licensing default transport changed from Smart Call Home to Smart Transport. You can configure the ASA to use Smart Call Home if necessary using the transport type callhome command. When you upgrade to 9.22, the transport is automatically changed to Smart Transport. If you downgrade, the transport is set back to Smart Call Home, and if you want to use Smart Transport, you need to specify transport type smart. Note also that the licensing URL for Smart Transport is https://smartreceiver.cisco.com (compared to tools.cisco.com), so be sure to allow that URL on upstream routers.
- For models with built-in switches, subinterfaces can't use VLAN 1 in 9.22 and later: For models with built-in switches, you cannot create a subinterface using VLAN 1. VLAN 1 is reserved for the logical VLAN interface for switch ports. If you upgrade a 1010 to 9.22(1) or later, and you have assigned VLAN 1 to a subinterface, you must first change the VLAN ID for your subinterface to a new VLAN. After upgrading, if present, VLAN 1 will be removed from the subinterface.
System Requirements
ASDM requires a computer with a CPU with at least 4 cores. Fewer cores can result in high memory usage.
ASA and ASDM Compatibility
For information about ASA/ASDM software and hardware requirements and compatibility, including module compatibility, see Cisco Secure Firewall ASA Compatibility.
VPN Compatibility
For VPN compatibility, see Supported VPN Platforms, Cisco ASA 5500 Series.
New Features
This section lists new features for each release.
Note: New, changed, and deprecated syslog messages are listed in the syslog message guide.
New Features in ASA 9.22(3)
Released: March 26, 2026
| Feature | Description |
|---|---|
| Firewall Features | |
| Changed output for the show access-list element-count and show asp table network-object commands | The show access-list element-count command now shows 2 counts: the total number of objects, and the total number of access control entries. The show asp table network-object count information includes new counters for the number of additions to the source table and the number of those additions that are duplicates. In addition, the Hitcnt (hit count) column was removed. New/Modified commands: show access-list element-count, show asp table network-object |
| High Availability and Scalability Features | |
| ASAc High Availability and SR-IOV feature enablement | High Availability (HA) is now supported for ASA container (ASAc) deployments in Docker and Kubernetes environments. Two ASAc container instances can be deployed on separate Docker hosts and configured as a primary–secondary failover pair. The SR-IOV feature supports Single Root I/O Virtualization (SR-IOV) interfaces in ASAc container deployments within Docker and Kubernetes environments. |
| Administrative, Monitoring, and Troubleshooting Features | |
| SSH X.509 certificate authentication | You can now use an X.509v3 certificate to authenticate a user for SSH (RFC 6187). For the Firepower 4100/9300, you need version 2.16(2.109+). New/Modified commands: aaa authorization exec ssh-x509, ssh authentication method, ssh trustpoint sign, ssh username-from-certificate, validation-usage ssh-client. Also in 9.20(4), 9.24(1). |
| AES-256-GCM SSH cipher | The ASA supports the AES-256-GCM cipher for SSH. It is enabled by default for the all and high encryption levels. New/Modified commands: ssh cipher encryption. Also in 9.20(4), 9.24(1). |
| Message-of-the-day (motd) banner shows the failover state and the last failover time | When using failover, if you configure the banner motd command, the banner shows information about the failover state and the last failover time of the unit you are logging into. This information is useful if you are performing actions at the CLI, such as troubleshooting, and a failover occurs between sessions. New or modified commands: banner motd. Also in 9.24(1). |
| Automated Certificate Management Environment (ACME) protocol for TLS device certificates | You can configure the Automated Certificate Management Environment (ACME) protocol on an ASA trustpoint to manage TLS device certificates. ACME enables simplified certificate management through auto renewal, domain validation, and easy enrolling and revoking of certificates. You can choose to use the Let's Encrypt CA server or any other ACME server for the authentication. ACME uses the http01 method for authentication. New or modified commands: crypto ca trustpoint enrollment protocol crypto ca authenticate. Also in 9.23(1). |
| Display of UDP's initiator and responder values in connection status output | For UDP traffic flows, the ASA displays the initiator and responder field values in the connection detail status. These field values indicate the direction of communication, which helps in troubleshooting network connectivity issues. New/Modified commands: show conn detail. Also in 9.20(4), 9.24(1). |
| Block depletion monitoring in failover and standalone units | When block depletion occurs, the ASA collects troubleshooting logs and sends out a syslog. For failover, the ASA fails over to the standby unit. The ASA can also force a crash and reload to recover from depletion. Added/modified commands: fault-monitor, block-depletion. Also in 9.23(1). |
New Features in ASA 9.22(2)
Released: April 10, 2025
There are no new features in this release.
New Features in ASA 9.22(1.1)
Released: September 16, 2024
Note: 9.22(1) was not released.
| Feature | Description |
|---|---|
| Platform Features | |
| Secure Firewall 1210/1220 | The Secure Firewall 1210/1220 is a compact desktop firewall with a built-in switch and, depending on the model, Power over Ethernet+ (PoE+). |
| ASA Virtual Supports Dual-Arm Deployment Mode on AWS with GWLB | ASA Virtual now supports the dual-arm deployment mode on AWS with GWLB. This mode enables ASA Virtual to directly forward internet-bound traffic to the internet through the internet gateway after traffic inspection, while also performing network address translation (NAT). The dual-arm mode differs from the single-arm mode, which routes inspected outbound traffic back to the GWLB, and then to the internet through the internet gateway. The dual-arm mode supports forwarding of inspected traffic from ASA Virtual to the internet in both single VPC and multiple VPC network environments. The advantages of the dual-arm mode in ASA Virtual are: For more information, see Cisco Secure Firewall ASA Virtual Getting Started Guide, 9.22. |
| Deploy the Cisco Secure Firewall ASA container (ASAc) in a Kubernetes or Docker Environment | A container is a software package that bundles up code and associated requirements such as system libraries, system tools, default settings, and so on, to ensure that the application runs successfully in a computing environment. You can deploy the ASA container (ASAc) in an open-source Kubernetes or Docker environment. |
| ASA Virtual on VMware ESXi support | ASA Virtual on VMware now supports ESXi version 8.0. For more information, see Cisco Secure Firewall ASA Virtual Getting Started Guide, 9.22. |
| Firewall Features | |
| Object group search optimization | The object group search feature has been enhanced to reduce object lookup time when evaluating access control rules to match connections and to reduce CPU overhead. There are no changes to configuring object group search; the optimized behavior happens automatically. We added the following commands in the device CLI, or enhanced command output: clear asp table network-object, debug ac logs, packet-tracer, show access-list, show asp table network-group, show object-group. |
| High Availability and Scalability Features | |
| Secure Firewall 3100 and 4200 maximum cluster nodes increased to 16 | For the Secure Firewall 3100 and 4200, the maximum nodes were increased from 8 to 16. |
| Secure Firewall 3100 and 4200 cluster Individual interface mode | Individual interfaces are normal routed interfaces, each with their own Local IP address used for routing. The Main cluster IP address for each interface is a fixed address that always belongs to the control node. When the control node changes, the Main cluster IP address moves to the new control node, so management of the cluster continues seamlessly. Load balancing must be configured separately on the upstream switch. New/Modified commands: cluster interface-mode individual |
| ASA Virtual Clustering deployment support on the AWS Multi-Availability Zone | You can now deploy and configure the ASA virtual cluster across multiple availability zones in an AWS region. The cluster also has dynamic scaling capability (Autoscale), which helps in scaling up or scaling down virtual devices based on demand. Extending the ASA virtual cluster across multiple availability zones in an AWS region enables continuous traffic inspection and dynamic scaling during disaster recovery. For more information, see Deploy a Cluster for the ASA Virtual in a Public Cloud. |
| MTU ping test on cluster node join | When a node joins the cluster, it checks MTU compatibility by sending a ping to the control node with a packet size matching the cluster control link MTU. If the ping fails, a notification is generated so you can fix the MTU mismatch on connecting switches and try again. |
| Interface Features | |
| For models with built-in switches, subinterfaces can't use VLAN 1 | For models with built-in switches, you cannot create a subinterface using VLAN 1. VLAN 1 is reserved for the logical VLAN interface for switch ports. If you upgrade a 1010 to 9.22(1) or later, and you have assigned VLAN 1 to a subinterface, you must first change the VLAN ID for your subinterface to a new VLAN. After upgrading, VLAN 1 will be removed from the subinterface. |
| License Features | |
| Smart Transport is the default Smart Licensing transport | Smart Licensing now uses Smart Transport as the default transport. You can optionally enable the former type, Smart Call Home, if necessary. New/Modified commands: transport proxy, transport type, transport url |
| ASAvU (Unlimited) license to deploy ASA virtuals with 32 cores and 64 cores | The ASAvU license achieves maximum throughput on deployments with 32 cores and 64 cores and is supported only on VMware and KVM. New/Modified commands: throughput level unlimited |
| Administrative, Monitoring, and Troubleshooting Features | |
| Disable the USB port (disk1) | The type-A USB port (disk1) is enabled by default, and previously it could not be disabled. You can now disable USB port access for security purposes on the following models: This setting is stored in firmware and requires a reload. Moreover, if the USB port is disabled and you downgrade to a version that does not support this feature, the port will remain disabled and you cannot re-enable it without erasing the NVRAM. New/Modified commands: usb-port disable, show usb-port |
| Block depletion monitoring in failover and standalone units | When block depletion occurs, the ASA collects troubleshooting logs and sends out a syslog. For failover, the ASA fails over to the standby unit. The ASA can also force a crash and reload to recover from depletion. Added/modified commands: fault-monitor, block-depletion. |
| VPN Features | |
| DTLS Crypto Acceleration | Cisco Secure Firewall 4200 and 3100 series support DTLS cryptographic acceleration. The hardware performs DTLS encryption and decryption, and improves the throughput of the DTLS-encrypted and DTLS-decrypted traffic. The hardware also performs optimization of the egress-encrypted packets to improve latency. New/Modified commands: flow-offload-dtls, flow-offload-dtls egress-optimization |
Upgrade the Software
This section provides the upgrade path information and a link to complete your upgrade.
Upgrade Link
To complete your upgrade, see the ASA upgrade guide.
Upgrade Path: ASA Appliances
What Version Should I Upgrade To?
On the Cisco Support & Download site, the suggested release is marked with a gold star. For example:
View Your Current Version
To view your current version and model, use one of the following methods:
- ASDM: Choose .
- CLI: Use the show version command.
Upgrade Guidelines
Be sure to check the upgrade guidelines for each release between your starting version and your ending version. You may need to change your configuration before upgrading in some cases, or else you could experience an outage.
For guidance on security issues on the ASA, and which releases contain fixes for each issue, see the ASA Security Advisories.
Upgrade Paths
This table provides upgrade paths for ASA.
Note: ASA 9.20 was the final version for the Firepower 2100. ASA 9.18 was the final version for the Firepower 4110, 4120, 4140, 4150, and Security Modules SM-24, SM-36, and SM-44 for the Firepower 9300. ASA 9.16 was the final version for the ASA 5506-X, 5508-X, and 5516-X. ASA 9.14 was the final version for the ASA 5525-X, 5545-X, and 5555-X. ASA 9.12 was the final version for the ASA 5512-X, 5515-X, 5585-X, and ASASM. ASA 9.2 was the final version for the ASA 5505. ASA 9.1 was the final version for the ASA 5510, 5520, 5540, 5550, and 5580.
| Current Version | Interim Upgrade Version | Target Version |
|---|---|---|
| 9.20 | — | Any of the following: 9.22 |
| 9.19 | — | Any of the following: 9.22, 9.20 |
| 9.18 | — | Any of the following: 9.22, 9.20, 9.19 |
| 9.17 | — | Any of the following: 9.22, 9.20, 9.19, 9.18 |
| 9.16 | — | Any of the following: 9.22, 9.20, 9.19, 9.18, 9.17 |
| 9.15 | — | Any of the following: 9.22, 9.20, 9.19, 9.18, 9.17, 9.16 |
| 9.14 | — | Any of the following: 9.22, 9.20, 9.19, 9.18, 9.17, 9.16 |
| 9.13 | — | Any of the following: 9.22, 9.20, 9.19, 9.18, 9.17, 9.16 |
| 9.12 | — | Any of the following: 9.22, 9.20, 9.19, 9.18, 9.17, 9.16 |
| 9.10 | — | Any of the following: 9.22, 9.20, 9.19, 9.18, 9.17, 9.16 |
| 9.9 | — | Any of the following: 9.22, 9.20, 9.19, 9.18, 9.17, 9.16 |
| 9.8 | — | Any of the following: 9.22, 9.20, 9.19, 9.18, 9.17, 9.16 |
| 9.7 | — | Any of the following: 9.22, 9.20, 9.19, 9.18, 9.17, 9.16 |
| 9.6 | — | Any of the following: 9.22, 9.20, 9.19, 9.18, 9.17, 9.16 |
| 9.5 | — | Any of the following: 9.22, 9.20, 9.19, 9.18, 9.17, 9.16 |
| 9.4 | — | Any of the following: 9.22, 9.20, 9.19, 9.18, 9.17, 9.16 |
| 9.3 | — | Any of the following: 9.22, 9.20, 9.19, 9.18, 9.17, 9.16 |
| 9.2 | — | Any of the following: 9.22, 9.20, 9.19, 9.18, 9.17, 9.16 |
Upgrade Path: ASA Logical Devices for the Firepower 4100/9300
- FXOS: From FXOS 2.2.2 and later, you can upgrade directly to any higher version. (FXOS 2.0.1–2.2.1 can upgrade as far as 2.8.1. For versions earlier than 2.0.1, you need to upgrade to each intermediate version.) Note that you cannot upgrade FXOS to a version that does not support your current logical device version. You will need to upgrade in steps: upgrade FXOS to the highest version that supports your current logical device; then upgrade your logical device to the highest version supported with that FXOS version. For example, if you want to upgrade from FXOS 2.2/ASA 9.8 to FXOS 2.13/ASA 9.19, you would have to perform the following upgrades:
  - FXOS 2.2 → FXOS 2.11 (the highest version that supports 9.8)
  - ASA 9.8 → ASA 9.17 (the highest version supported by 2.11)
  - FXOS 2.11 → FXOS 2.13
  - ASA 9.17 → ASA 9.19
- Firewall Threat Defense: Interim upgrades may be required for Firewall Threat Defense, in addition to the FXOS requirements above. For the exact upgrade path, refer to the Firewall Management Center upgrade guide for your version.
- ASA: ASA lets you upgrade directly from your current version to any higher version, noting the FXOS requirements above.
| FXOS Version | Model | ASA Version | Firewall Threat Defense Version |
|---|---|---|---|
| 2.16 | Firepower 4112 | 9.22 (recommended), 9.20, 9.19, 9.18, 9.17 | 7.6 (recommended), 7.4, 7.3, 7.2, 7.1 |
| 2.16 | Firepower 4145, 4125, 4115; Firepower 9300 SM-56, SM-48, SM-40 | 9.22 (recommended), 9.20, 9.19, 9.18, 9.17 | 7.6 (recommended), 7.4, 7.3, 7.2, 7.1 |
| 2.14(1) | Firepower 4112 | 9.20 (recommended), 9.19, 9.18, 9.17, 9.16, 9.14 | 7.4 (recommended), 7.3, 7.2, 7.1, 7.0, 6.6 |
| 2.14(1) | Firepower 4145, 4125, 4115; Firepower 9300 SM-56, SM-48, SM-40 | 9.20 (recommended), 9.19, 9.18, 9.17, 9.16, 9.14 | 7.4 (recommended), 7.3, 7.2, 7.1, 7.0, 6.6 |
| 2.13 | Firepower 4112 | 9.19 (recommended), 9.18, 9.17, 9.16, 9.14 | 7.3 (recommended), 7.2, 7.1, 7.0, 6.6 |
| 2.13 | Firepower 4145, 4125, 4115; Firepower 9300 SM-56, SM-48, SM-40 | 9.19 (recommended), 9.18, 9.17, 9.16, 9.14 | 7.3 (recommended), 7.2, 7.1, 7.0, 6.6 |
| 2.12 | Firepower 4112 | 9.18 (recommended), 9.17, 9.16, 9.14 | 7.2 (recommended), 7.1, 7.0, 6.6 |
| 2.12 | Firepower 4145, 4125, 4115; Firepower 9300 SM-56, SM-48, SM-40 | 9.18 (recommended), 9.17, 9.16, 9.14, 9.12 | 7.2 (recommended), 7.1, 7.0, 6.6, 6.4 |
| 2.12 | Firepower 4150, 4140, 4120, 4110; Firepower 9300 SM-44, SM-36, SM-24 | 9.18 (recommended), 9.17, 9.16, 9.14, 9.12 | 7.2 (recommended), 7.1, 7.0, 6.6, 6.4 |
| 2.11 | Firepower 4112 | 9.17 (recommended), 9.16, 9.14 | 7.1 (recommended), 7.0, 6.6 |
| 2.11 | Firepower 4145, 4125, 4115; Firepower 9300 SM-56, SM-48, SM-40 | 9.17 (recommended), 9.16, 9.14, 9.12 | 7.1 (recommended), 7.0, 6.6, 6.4 |
| 2.11 | Firepower 4150, 4140, 4120, 4110; Firepower 9300 SM-44, SM-36, SM-24 | 9.17 (recommended), 9.16, 9.14, 9.12, 9.8 | 7.1 (recommended), 7.0, 6.6, 6.4 |
| 2.10 | Firepower 4112 | 9.16 (recommended), 9.14 | 7.0 (recommended), 6.6 |
| 2.10 | Firepower 4145, 4125, 4115; Firepower 9300 SM-56, SM-48, SM-40 | 9.16 (recommended), 9.14, 9.12 | 7.0 (recommended), 6.6, 6.4 |
| 2.10 | Firepower 4150, 4140, 4120, 4110; Firepower 9300 SM-44, SM-36, SM-24 | 9.16 (recommended), 9.14, 9.12, 9.8 | 7.0 (recommended), 6.6, 6.4 |
| 2.9 | Firepower 4112 | 9.14 | 6.6 |
| 2.9 | Firepower 4145, 4125, 4115; Firepower 9300 SM-56, SM-48, SM-40 | 9.14, 9.12 | 6.6, 6.4 |
| 2.9 | Firepower 4150, 4140, 4120, 4110; Firepower 9300 SM-44, SM-36, SM-24 | 9.14, 9.12, 9.8 | 6.6, 6.4 |
| 2.8 | Firepower 4112 | 9.14 | 6.6 |
| 2.8 | Firepower 4145, 4125, 4115; Firepower 9300 SM-56, SM-48, SM-40 | 9.14 (recommended), 9.12 | 6.6 (recommended), 6.4 |
| 2.8 | Firepower 4150, 4140, 4120, 4110; Firepower 9300 SM-44, SM-36, SM-24 | 9.14 (recommended), 9.12, 9.8 | 6.6 (recommended), 6.4, 6.2.3 |
| 2.6(1.157) | Firepower 4145, 4125, 4115; Firepower 9300 SM-56, SM-48, SM-40 | 9.12 | 6.4 |
| 2.6(1.157) | Firepower 4150, 4140, 4120, 4110; Firepower 9300 SM-44, SM-36, SM-24 | 9.12 (recommended), 9.8 | 6.4 (recommended), 6.2.3 |
| 2.6(1.131) | Firepower 9300 SM-48, SM-40 | 9.12 | Not supported |
| 2.6(1.131) | Firepower 4150, 4140, 4120, 4110; Firepower 9300 SM-44, SM-36, SM-24 | 9.12 (recommended), 9.8 | |
| 2.3(1.73) | Firepower 4150, 4140, 4120, 4110; Firepower 9300 SM-44, SM-36, SM-24 | 9.8 | 6.2.3 (recommended) |
| 2.3(1.66), 2.3(1.58) | Firepower 4150, 4140, 4120, 4110; Firepower 9300 SM-44, SM-36, SM-24 | 9.8 | |
| 2.2 | Firepower 4150, 4140, 4120, 4110; Firepower 9300 SM-44, SM-36, SM-24 | 9.8 | Firewall Threat Defense versions are EoL |
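The stepwise rule from the FXOS bullet above (raise FXOS to the highest version that supports the current logical device, then raise the ASA to the highest version that FXOS supports) can be automated. The following is an added example, not Cisco code: the names plan_upgrade, vkey and COMPAT_4150 are hypothetical, the data is transcribed from the Firepower 4150/4140/4120/4110 rows of the table above, and it assumes a starting FXOS of 2.2.2 or later so that direct FXOS jumps are allowed. Because the table ends at FXOS 2.12/ASA 9.18 for that model group, the sample run targets that pair.

```python
"""Stepwise FXOS / ASA logical-device upgrade planner (added example)."""
import re

# ASA versions supported per FXOS release for the Firepower 4150/4140/4120/4110
# group, transcribed from the compatibility table on this page.
COMPAT_4150 = {
    "2.2": ["9.8"],
    "2.3(1.58)": ["9.8"],
    "2.3(1.66)": ["9.8"],
    "2.3(1.73)": ["9.8"],
    "2.6(1.131)": ["9.12", "9.8"],
    "2.6(1.157)": ["9.12", "9.8"],
    "2.8": ["9.14", "9.12", "9.8"],
    "2.9": ["9.14", "9.12", "9.8"],
    "2.10": ["9.16", "9.14", "9.12", "9.8"],
    "2.11": ["9.17", "9.16", "9.14", "9.12", "9.8"],
    "2.12": ["9.18", "9.17", "9.16", "9.14", "9.12"],
}


def vkey(version):
    """Sort key: '2.6(1.157)' -> (2, 6, 1, 157), so 2.10 sorts after 2.9."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def plan_upgrade(compat, fxos, asa, target_fxos, target_asa):
    """Return ordered (component, from, to) steps, or raise ValueError.

    Assumption: the starting FXOS is 2.2.2 or later, so FXOS may jump
    directly to any higher version that supports the running ASA.
    """
    # Both the starting pair and the target pair must be supported combinations.
    for f, a in ((fxos, asa), (target_fxos, target_asa)):
        if a not in compat.get(f, ()):
            raise ValueError(f"FXOS {f} does not support ASA {a}")
    if vkey(target_fxos) < vkey(fxos) or vkey(target_asa) < vkey(asa):
        raise ValueError("downgrades are not planned here")

    steps = []
    while (fxos, asa) != (target_fxos, target_asa):
        moved = False
        # 1. Highest FXOS (up to the target) that still supports the current ASA.
        fxos_ok = [f for f in compat
                   if vkey(fxos) < vkey(f) <= vkey(target_fxos) and asa in compat[f]]
        if fxos_ok:
            new = max(fxos_ok, key=vkey)
            steps.append(("FXOS", fxos, new))
            fxos, moved = new, True
        # 2. Highest ASA (up to the target) supported by the FXOS now running.
        asa_ok = [a for a in compat[fxos]
                  if vkey(asa) < vkey(a) <= vkey(target_asa)]
        if asa_ok:
            new = max(asa_ok, key=vkey)
            steps.append(("ASA", asa, new))
            asa, moved = new, True
        if not moved:
            # Neither component can advance without breaking compatibility.
            raise ValueError(f"no supported step from FXOS {fxos} / ASA {asa}")
    return steps


if __name__ == "__main__":
    for component, old, new in plan_upgrade(COMPAT_4150, "2.2", "9.8", "2.12", "9.18"):
        print(f"{component} {old} -> {new}")
```

The planner rejects a start or target pair that is not a supported combination, which catches a plan that would leave the logical device on an ASA version the new FXOS does not support.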
Note on Downgrades
Downgrade of FXOS images is not officially supported. The only Cisco-supported method of downgrading an image version of FXOS is to perform a complete re-image of the device.
Open and Resolved Bugs
The open and resolved bugs for this release are accessible through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products.
Note: You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you do not have one, you can register for an account. If you do not have a Cisco support contract, you can only look up bugs by ID; you cannot run searches.
For more information about the Cisco Bug Search Tool, see the Bug Search Tool Help & FAQ.
Open Bugs in Version 9.22(x)
The following table lists select open bugs at the time of this Release Note publication.
| Identifier | Headline |
|---|---|
| | ASA on hyper-v: couldn't configure VLAN after upgrade |
| | Inconsistent LINA hostname synchronization between ASA/FTD HA/failover units |
| | ASA/FTD Traceback and reload in BGP |
| | ASA may traceback and reload in Thread Name "lina_get_block_mask" |
| | FPR42xx - Multi-Instance FTD fails to start with error "Insufficient shaping queue, resource allocation is pending" |
| | BGP unexpectedly removes all routes from BGP table during failover tests. |
| | ciscossh stack: OTP-based SSH authentication via RADIUS fails |
| | Few FQDN's only sending IPV6 request but not IPV4 request |
| | ARP requests are not forwarded to all FTDs on the chassis in multi-instance deployment |
| | FTD is not resolving several FQDN's for ACL's after upgrade to 7.6.4 |
| | show inventory reports transceiver PID as numeric internal value instead of Cisco SKU |
Resolved Bugs
This section lists resolved bugs per release.
Resolved Bugs in Version 9.22(3)
The following table lists select resolved bugs at the time of this Release Note publication.
| Identifier | Headline |
|---|---|
| | "logging debug-trace persistent" fails for "debug ip ..." related debugs |
| | DP-CP arp-in and adj-absent queues need to be separated |
| | Order of access-list/ access-group is different in standby unit. Full sync happens during node-join. |
| | Standby FTD/ASA sends DNS queries with source IP of 0.0.0.0 |
| | on 2k platform, external authentication fails for users starting with number |
| | The fxos directory disappears after cancelling show tech fprm detail command with Ctr+c is executed. |
| | Stale anyconnect entries causing issues with routing |
| | DAP: debug dap trace not fully shown after 3000+ lines |
| | ASA/FTD traceback and reload when invoking "show webvpn saml idp" CLI command |
| | ASA: unexpected logs for initiating inbound connection for DNS query response |
| | Member interface admin status is not updated on Lina after enabling port-channel interface |
| | Clock skew between FXOS and Lina causes SAML assertion processing failure |
| | Incorrect syslog generated on failure to process SGT from ISE during RA authentication |
| | Victoria-DT CX: support of 10 port-channels on 1220 CX model |
| | Virtual ASA/FTD may traceback and reload in thread PTHREAD |
| | CMI is disabled if pre-CMI nameif on diagnostic interface is MANAGEMENT |
| | Disable csd/hostscan invokation for clientless/webvpn flow |
| | Device traceback and reload thrice with Panic at spin_lock_fair_mode_enqueu and nlp_init(). |
| | CSF1200 DT may randomly go unresponsive during normal course of operation |
| | MI: core.lina.async_thr is generated after reboot |
| | ASA/FTD - Traceback and reload Due to Race Condition in TCP Proxy |
| | Cisco FXOS and UCS Manager Software Stored Cross-Site Scripting Vulnerability |
| | Memory fragmentation resulted in huge pages unavailable for lina |
| | High lina CPU and/or Traceback and reload in spin_lock_get_actual_internal |
| | Big chunk of Memory of around 25KB is being allocated on Stack in "eigrp_interface_ioctl" API |
| | Traceback and reload in Thread Name Datapath |
| | NAT divert for 8305 on standby not updating post failover causing the Primary, standby FTD to show offline on FMC |
| | DNS FQDN obj doesn't go unresolved upon FQDN obj deleted on server/intf to reach sever is down in 7.7 |
| | SNMP walk results in ASCII value for IPSEC Peer instead of an IP address. |
| | MI: Vlan info is not applied at FXOS level when Virtual MAC is configured |
| | ASA traceback and reload in freeb_core_local_internal |
| | S2S VPN tunnel Child SA unsuccessful renegotiation |
| | LINA may observe random traceback with Netflow configured |
| | Critical health alerts 'user configuration(FSM.sam.dme.AaaUserEpUpdateUserEp)' on FPR 1100/2100/3100 |
| | ASA Traceback after upgrade to 9.20.3.7 |
| | Tracebacks observed in a cluster member running ASA 9.20.3.4 |
| | FCM GUI became inaccessible after upgrading to ASA 9.18.4.22 \| FPR 2130 Platform Mode |
| | Bandwidth information of a port-channel is not getting updated if an interface member goes down. |
| | Traceback and reload with Thread Name: vtemplate process |
| | Traceback and reload during clear bgp * ipv6 unicast involving watchdog |
| | Memory block corruption: RAVPN SSL/IKEV2 auth failure, AAA SHIM available fibers exhausted |
| | ASA: IPv6 EIGRP routes learned from other neighbors are missing in updates after failover |
| | Cisco Secure Firewall ASA Software and Secure FTD Software OSPF Heap Corruption Vulnerability |
| | Cisco Secure Firewall ASA Software and Secure FTD Software OSPF DoS Vulnerability |
| | Cisco Secure Firewall ASA Software and Secure FTD Software OSPF Memory Exhaustion Vulnerability |
| | Cisco Secure Firewall ASA Software and Secure FTD Software OSPF DoS Vulnerability |
| | ASA/FTD - Traceback and Reload in Threadname IP RIB Update |
| | Intf Link down (Init, mac-link-down) seen - EtherChannel Membership in Down/Down/Down state after unplug/replug of the cable |
| | show blocks old core local can lead to unexpected reload. |
| | Set limit for the number of glibc arenas in lina to avoid ASA/FTD system overhead memory issues |
| | Unreachable LDAP/AD referrals may cause delays or timeouts in external authentication on FTD |
| | Slow download speeds with AnyConnect over TLS on networks with high latency |
| | Need the SVC Rx/Tx queue as a configurable option |
| | ISA3000 with ASA Refuses SSH Access If CiscoSSH is Enabled |
| | RTSP packets getting stuck in transmit queue leading to 9k blocks exhaustion. |
| | Choosing clause 91 FEC via the FMC sets fec 544 instead of fec 528 on QSFP-100G-CU3M |
| | Traceback and Reload caused by Memory corruption with SNMP inspection enabled |
| | Lina traceback and reload due to "spin_lock_fair_mode_enqueue" |
| | ASA clock is out of sync 2 hours when timezone is configured to Europe/Dublin which is GMT. |
| | FP1150 ASA/FTD - Traceback and reload triggered by watchdog timer |
| | High ASA/FTD memory usage due to polling of RA VPN related SNMP OIDs |
| | Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Authenticated Command Injection Vulnerability |
| | Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Authenticated Command Injection Vulnerability |
| | WM-DT- FXOS Critical Faults seen due to PortMgr IPC Communication failure. |
| | FPR2100 & FPR1100: Port-channel interfaces flap with LACP |
| | Occasionally, 'show chunkstat top-usage' output does not show all entries |
| | ASA/FTD may traceback and reload in Thread Name "DATAPATH" |
| | Generate syslog if received CRL is older than cached CRL |
| | Generate syslog if received CRL signature validation fails |
| | ASA: Traceback and Reload Under Thread Name SSH |
| | FTD generates syslog 430002 as VPN Routing without VPN hairpin |
| | FTD reboot and traceback in DATAPATH due to IPv6 packet processing |
| | Debuggability: FP2100 port-channel interfaces flap after upgrade |
| | Snort3 trimming packets with invalid sequence number due to bad window size information received |
| | VNI source MTU is not IPv6 aware after upgrade if configured prior to upgrade |
| | Firepower wiping SSL trustpoint config after reloading. |
| | Nitrox Engine (Crypto Accelerator) problem affecting crypto hardware offload on FPR3100/4200 platforms |
| | Community lists should not throw an error until the last item in the list is being deleted |
| | Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software VPN Web Server Denial of Service Vulnerability |
| | ASA traceback and reload on DATAPATH thread due to memory corruption |
| | Memory leak in RAVPN |
| | Serviceability Enhancement - Make FXOS disk errors more descriptive |
| | ASAv reloaded unexpectedly with traceback on Unicorn Proxy Thread |
| | Command authorization fallback to Local only works for users with privilege 15. |
| | Active HA unit goes into failed state before peer unit gets into a ready state during snort failure |
| | SSL trustpoint with 4096 bit RSA keys not allowed by ASA if renewed via CLI |
| | Traceback and reload during the deployment after disabling FQDNs. |
| | ASA/FTD may traceback and reload in Thread Name 'DATAPATH-3-4280' |
| | Enabling debugs with EEM fails |
| | Cisco Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial of Service Vulnerability |
| | Cisco Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial of Service Vulnerability |
| | Cisco Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial of Service Vulnerability |
| | Cisco Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial of Service Vulnerability |
| | Cisco Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial of Service Vulnerability |
| | Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Remote Access SSL VPN Denial of Service Vulnerability |
| | IKEv2 Rekeys fail due to fragmentation during the IKE Rekey |
| | FXOS allows booting and starting an image installation using a Patch image |
| | ASA/FTD may traceback and reload in Thread Name 'lina_exec_startup_thread' |
| | Cisco Secure Firewall Adaptive Security Appliance, Secure Firewall Threat Defense Software HTTP Server Remote Code Execution Vulnerability |
| | Unable to rejoin data node in cluster after re-enabling mac-address auto in multi-context mode |
| | Port scan alerts not getting generated for custom configuration |
| | FTD sending "0.0.0.0" NAS-IP-Address attribute when authenticating/authorizing using Radius |
| | debug packet-condition does not work as expected |
| | 9K block depletion causing slowdown of all traffic through firewall |
| | Suddenly customer lost SSH access to the ASA |
| | Default Route Changes from Management0 to Management1 After Reload or Upgrade on FPR 4200 Series |
| | Unit taking ~13 secs to become active |
| | Virtual ASA Traceback and Reload Caused by Disk Access Issues with NFS Enabled |
| | FMC: Deployment takes longer than expected when removing SNMP hosts from Platform Settings |
| | Enhance Debugging for add/update/withdraw of routes with neighbors |
| | Serviceability Enhancement - New 'show bgp internal' command for advanced debugging |
| | IPv6 Management communication is lost due to a missing management-only multicast route. |
| | ASA/FTD traceback and reload in vaccess_nameif_action thread |
| | Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software IPsec Denial of Service Vulnerability |
| | Traceback & Reload in thread named: DATAPATH-1-23988 during low memory condition |
| | show tech-support fprm detail command is getting stuck for longer duration |
| | Memory leak leading to split brain |
| | ENH: Include SystemID in "show system detail" in techsupport file |
| | Firepower hits route limit due to ASP table resource exhaustion affecting traffic forwarding |
| | ARP is silently dropping packet for an unreachable next hop |
| | Counter from IKEV2 stats does not match the number of tunnels in VPN-Sessiondb |
| | SecGW: Data node fails to join the cluster with cluster_ccp_make_rpc_call failed to clnt_call error |
| | Port-channel member interface flap renders it as an inactive member |
| | ASA may traceback and reload in Thread Name 'fover_parse' |
| | Traceback & Reload in Thread Name Unicorn Admin Handler |
| | Logging recipient-address not overriding the logging mail message severity levels |
| | DNS and default gateway are removed on FTD managed through data interface |
| | Cisco Secure Firewall ASA Software and Secure FTD Software IKEv2 DoS Vulnerability |
| | Cisco Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial of Service Vulnerability |
| | Cisco Secure Firewall ASA Software and Secure FTD Software Remote Access SSL VPN Authentication Denial of Service Vulnerability |
| | Cisco Secure Firewall ASA Software and Secure FTD Software Remote Access SSL VPN Memory Exhaustion Denial of Service Vulnerability |
|
|
Warwick Avenue: LLDP neighbours are not discovered if MGMT 1/2 interface is down |
|
|
ASA FTD traceback in Checkheaps process after enabling "controller monitor internal-interfaces free-blocks 100" command |
|
|
Traffic failure due to 9344 blocks leak |
|
|
'${dsk_a} missing or inoperable. Rebooting Blade.' error does not specify missing or inoperable disk |
|
|
[Cluster] CPU Utilization of 100% when NAT Pool exhaustion happens in a context. |
|
|
FTD: Large Delay in packets being inspected by snort |
|
|
Add "built" and "teardown" messages for the GRE | IPinIP connections to the Lina syslog |
|
|
Memory corruption leading to lina assertion and traceback |
|
|
DNS doctoring not working correctly if the doctoring rule is of type dynamic and has any interface |
|
|
Logical App Stuck in 'Start Failed' Due to checkSystemCPUs Failure |
|
|
FTD HA | Same MAC for port-channels causing network outage. |
|
|
snmp_logging_thread is utilizing high CPU in control plane |
|
|
FPR1010 Ethernet1/1 trunk port is not passing Vlan traffic after a reload |
|
|
Memory leak: ASA Fragment size 72 causing memory exhaustion in MEMPOOL_GLOBAL_SHARED POOL |
|
|
Cisco Secure Firewall ASA Software and Secure FTD Software Remote Access SSL VPN Unauthenticated Memory Exhaustion Denial of Service Vulnerability |
|
|
Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Lua Code Injection Vulnerability |
|
|
Cisco Secure Firewall ASA Software and Secure FTD Software Remote Access SSL VPN Lua Interpreter Denial of Service Vulnerability |
|
|
Cisco Secure Firewall ASA Software and Secure FTD Software Remote Access SSL VPN Authenticated Memory Exhaustion Denial of Service Vulnerability |
|
|
Cisco FXOS and UCS Manager Software Command Injection Vulnerability |
|
|
BFD flap due to ASA not processing incoming BFD packets after unrelated BFD peers go down |
|
|
SNMP polling to chassis is unsuccessful with FTD Multi-instance in HA used as SNMP agent |
|
|
SNMP configuration is not applied consistently across same FTDs type and version |
|
|
Deployment failure due to rsync |
|
|
3100 Marvell 4.3.14 CPSS patch for the interface mac stuck issue seen with peer switch reloads |
|
|
ASA/FTD traceback and reload with SNMP Notify Thread seen on 3110 |
|
|
Portscan event in FMC displays incorrect source/destination when set to 'low' setting |
|
|
Traceback in thread name DATAPATH when a unit is re-joining the cluster |
|
|
Post-Failover FQDN Resolution Deferred Until Next DNS Poll Interval |
|
|
Cryptochecksum changed after reloading. |
|
|
BFD packets are not dropped for single-hop BFD sessions received via alternate path |
|
|
Local user details not replicated to data nodes in a cluster setup. |
|
|
ASDM: Displays Error of Keypair already exists when adding an identity certificate. |
|
|
L3 Clustering where BGP immediately comes up while DATA node is still in bulk sync |
|
|
ASA/FTD: Primary standby unit becomes Active after reload in HA set up |
|
|
backout change preventing enabling clustering in FIPS mode |
|
|
ASA SSH login fails at the first attempt when it is integrated with DUO |
|
|
ASA/FTD traceback and reload triggered by the Smart Call Home process in sch_dispatch_to_url. |
|
|
If command replication fails to any nodes in cluster, send kick the node out from cluster to fmc |
|
|
Command replication failure to cluster nodes on command commit noconfirm revert-save after access-list, additional debugs |
|
|
ASA: MAC address of the port-channel interface changes leading to ping failure |
|
|
SSH Login Fails Across All Contexts After Removing SSH Configuration from One Context or Deleting a Context |
|
|
FPR 4125 Multi instance: High Snort and System Core CPU Usage (100%) Triggering FMC Critical Alerts |
|
|
Lina: Traceback in thread name ssh on executing show access-list after ACL deletion |
|
|
ASAv restarts unexpectedly |
|
|
LINA stays inactive without reloading after traceback on non-CP thread |
|
|
Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Lua Code Injection Vulnerability |
|
|
ACL: ASA may show false "OOB Access-list config change detected" warning after AAA authorization command is applied |
|
|
Traceback in threadname DATAPATH while trying to re-join cluster. |
|
|
Error Encountered While Disabling the 'Call-Home Reporting Anonymous' Option in Call-Home Configuration |
|
|
FTD Intermittent Syslog Alert: mcelog daemon is not running. Restarting the daemon. |
|
|
ASA/FTD traceback and reload in function mp_percore |
|
|
ASA traceback and reload |
|
|
Cisco Secure Firewall Adaptive Security Appliance Software Multiple Context Mode SCP Unauthorized File Access Vulnerability |
|
|
high CPU usage after ASA upgrade from 9.20.3.9 to 9.20.3.16 running on Hyper-V |
|
|
SFF_SFP_10G_25G_CSR_S modules from Finisar ports bouncing when connected. |
|
|
ASA: tls-proxy maximum-session command error |
|
|
ESP packets encapsulating subsequent fragments are dropped with ASP unexpected-packet drop reason |
|
|
SSL error causing connection to Cisco Smart Software Manager (CSSM) to terminate |
|
|
ASA/FTD: the ssl trust-point command deleted after a reload |
|
|
FTD/ASA SSH: Terminal monitor is not showing logs |
|
|
Wrong URL incorrectly displayed for file upload with Japanese text in file path for client-less VPN |
|
|
Tmatch memory is mostly consumed by ARP-DP. |
|
|
Negative value displayed for buffer drops when using "show cluster info load-monitor details" |
|
|
ASA crashinfo files not generated on FP4200 devices |
|
|
Syslog format is not properly printed when EMBLEM format is enabled at least in one syslog host |
|
|
Multiple mail drops and enq failures are seen while traffic is going through the box. |
|
|
Policy deploy failing on FTD when trying to remove Umbrella DNS Configuration |
|
|
wpk - 1gsx link remains up on wpk but on switch side it shows as not connected |
|
|
An ICMP not reachable storm might cause high CPU on a two units FTD cluster |
|
|
CPU usage by "WebVPN Timer Process" on standby ASA device |
|
|
WA HA: Error while fetching metadata for FTD HA. |
|
|
Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software SAML Reflected Cross-Site Scripting Vulnerability |
|
|
Error : Msglyr::ZMQWrapper::registerSender() : Failed to bind ZeroMQ Socket |
|
|
SAML IdP entityID increase from capped 128 character maximum |
|
|
dmesg and kern.log file flooded with Tx Queue=0 logs |
|
|
IKEv2-EAP Authentication Fails with Windows and MacOS Native VPN Clients |
|
|
Clarify the working of Fallthrough to Interface PAT (Destination Interface) as it is not working as expected |
|
|
"CSRF Token Mismatch" error seen when users click logout from Clientless VPN page |
|
|
ASA Memory leak while processing large CRLs. |
|
|
ASA Core file generated is corrupted |
|
|
ASA Clock reverts to UTC after device reload |
|
|
ASA/FTD: ASP drop capture for 'invalid-ip-length' or 'sp-security-failed' does not work with match criteria |
|
|
Memory leak in SSL crypto causing high Lina memory usage on lower-end devices |
|
|
HA state should not transition from ColdStandby to Active |
|
|
Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software VPN Web Services Cross-Site Scripting Vulnerability |
|
|
FP1140 Critical FXOS fault alerts (F1000413) after upgrade |
|
|
Prolonged delays in firewall restart/reboot completion |
|
|
Restoring .tgz context file causes allocated interfaces to be removed from 'system' configuration |
|
|
FTD - SNMP Walk of FXOS FTD OID Tree Returns Empty or Times Out |
|
|
LINA traceback Observed on FTDv Firewalls Deployed in Azure: snp_vxlan_encap_and_send_to_remote_peer |
|
|
WA: Traceback and reload due to lock contention on the tmatch table during deployment with large snmp config |
|
|
If failover IPSEC PSK is 78 characters or greater HA breaks with "Could not set failover ipsec pre-shared-key" |
|
|
FPR42xx - SNMP poll reports incorrect FanTray Status at Down while actually operational |
|
|
Cisco Secure Firewall ASA Software and Secure FTD Software IKEv2 DoS Vulnerability |
|
|
Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software VPN Web Services Client-Side Request Smuggling Vulnerability |
|
|
Memory Leak observed on FP2110 running ASA due to monitoring interface configured in HA |
|
|
FP3105 Traceback and Reload after changing the speed on Ethernet interface |
|
|
3100/4200: 1G Management interface flapping after upgrade |
|
|
Traceback and Reload while two processes attempt to free a TD subnet structure |
|
|
Misleading "failover reset" log printed on console when reload triggered by HA. |
|
|
ASA from CSM/CLI - no access-list ACL_name line line_nr remark on last ACL line shows message - "Specified remark does not exist" |
|
|
Invalid host header reveals ASA interface IP address |
|
|
S2S VPN is not recovering after IPSEC-Rekey event |
|
|
FTD may drop traffic in the Azure cloud at mlx5 driver level. |
|
|
FP2110 - ntpd process constantly crashing |
|
|
ASA: Traceback and reload on threat detection, interfaces unstable after that |
|
|
ASA/FTD - Assert triggered during FP_PUNT replace (aaa account match) |
|
|
Traceback and reload after editing SNMP config, with tmatch |
|
|
FPR4200 | FPR3100 Multi Instance Chassis Deployment Failed in DNS configuration |
|
|
Errors on all interface of FPR1010 | line protocol is down ( not associated with supervisor ) |
|
|
FP3100/4200 rebooting after generating crypto_archive with error on console "KC ILK issue detected" |
|
|
OSPF: High CPU, Route flaps, Lina Traceback and Reload in High Availability Setup. |
|
|
expat/xml FW rebooted itself and no crashinfo generated |
|
|
CVE-2025-32463: sudo: Sudo before 1.9.17p1 allows local users to obtain |
|
|
CVE-2025-32462: sudo: Before 1.9.17p1, allows users to execute commands on unintended machines. |
|
|
Inbound IPsec packets are dropped by IPsec offload when the crypto map ACL is using specific ports. |
|
|
Idle SSH sessions persist beyond the configured timeout without graceful termination by Fin flag |
|
|
Multicast and broadcast packets do not reach all multi-instance firewalls via shared interface on 3100/4200 |
|
|
ASA SNMP Response Issue - Responses Sent Only for Odd OIDs, Not for Even |
|
|
SSE-ASAc Recommit the fix got reverted during sync |
|
|
debug menu tls-offload option <> to be provided to resolve slow download speed using curl to download large file with SSL Decrypt Resign Policy |
|
|
Lina Traceback and Reload after enabling 'TLS Server Identity Discovery' |
|
|
FTD: Packets Dropped due to tcp-seq-past-win due to delayed packet through Snort |
|
|
ASAv deploy failed - console stuck at continuous |
|
|
ASA/FTD in HA, snmptranslate process during the boot-up causing High CPU and IPC timeouts, causing split-brain. |
|
|
Cisco Secure Firewall ASA Software and Secure FTD Software IKEv2 DoS Vulnerability |
|
|
FTD packet-tracer showing remark rule id in access-list for a rule not getting hit |
|
|
FTD Traceback while executing 'asp load-balance per-packet' |
|
|
SSH login to FTD management IP address lands in FXOS shell instead of FTD CLISH due to missing /mnt/boot/application/*.def file |
|
|
Multicast and unicast packets do not reach the correct instance for random subinterfaces |
|
|
FTD 3130 HA Lina tracebacks at ikev2_bin2hex_str |
|
|
FMC 7.6 NAT Source and IP Not Populating within Unified Event Viewer |
|
|
7.6 - Firepower 3100 series - Upgrading an HA pair from a version without the fix for CSCwo00444 to 7.6 causes one firewall to go into a traceback/reload loop |
|
|
FTD upgrade failed due to bundle image existence verification failure |
|
|
Deployment Failure After Removing An Object From ACL Used in DAP |
|
|
FPR 4200: HA link arp packets getting dropped, internal uplink linkChange counters incrementing |
|
|
Password Expiry Age does not reset after Password Change |
|
|
show asp rule-engine issues with complete and run time |
|
|
WA - add port-info statistics for 2nd uplink in 4245 & mgmt 1/2 |
|
|
SNMP traps are not sent to one of multiple SNMP servers, in certain conditions |
|
|
Cisco Secure Firewall ASA Software and Secure FTD Software OSPF Memory Corruption Vulnerability |
|
|
ASA : Performance and high CPU usage seen on Hyper-V |
|
|
IKEv1 L2Lvpn fails in phase 2 with "Rejecting IPsec tunnel: no matching crypto map entry" after upgrade |
|
|
HA Primary/Active unit goes to disabled state as "HA state progression failed due to app sync timeout" in build 10.0.0-196 |
|
|
RAVPN SSL/IKEV2 AUTH FAILURE: AAA PROCESS MISHANDLING BROKEN FIBER CLASS |
|
|
FTD: Instance stuck in Boot Loop |
|
|
1140 FTD HA primary failed to reboot after executing the reload command from expert mode |
|
|
Firewall joins a cluster although gets incomplete ACL policy rules during replication |
|
|
Cisco Secure Firewall Adaptive Security Appliance Software and Secure Firewall Threat Defense Software VPN Web Server Unauthorized Access Vulnerability |
|
|
Cisco Secure Firewall Adaptive Security Appliance Software and Secure Firewall Threat Defense Software VPN Web Server Remote Code Execution Vulnerability |
|
|
FTD MI: SNMP polling fails to work after the upgrade |
|
|
SAML response rejected with message for certain IDPs |
|
|
Drop counter doesn't increment for embryonic related drops in 'show service policy' |
|
|
Packet Captures show misleading information when blocked due to TCP server unavailable. |
|
|
FP 4115 ASA Cluster: GTP inspection causing high lina CPU 70% - 90%+ depend on traffic |
|
|
FP4225: Interface with SFP - 10/25G_LR_S (or CSR_S) is not coming up after reboot of peer side. |
|
|
Firepower: SSH access lost after timezone change in platform mode |
|
|
ASDM Parsing Failure on Two Contexts |
|
|
WA MI: Two apps went to Not Responding state with reason: Error in App Instance ftd. sma reported fault: Instance xxx is disabled due to restart loop. Please consider reinstalling this app-instance. |
|
|
ASA client IP missing from TACACS+ authorization request in SSH |
|
|
Reboots on FP2130 due to missing heimdall PID |
|
|
"no http server basic-auth-client ASDM" allows ASDM connections to ASA. |
|
|
Interfaces are coming up when the Firepower is shutting down |
|
|
Policy deployment fails when inline-set is configured on FTD HA |
|
|
Low RAM allocation on ASAv can trigger unexpected behavior in 'asdm image' command |
|
|
FPR4215 "Not supported" alarm occurred when inserting the SFPs |
|
|
Traceback in HA stby node while snmpwalk on natAddrMapTable |
|
|
"longer-prefixes" filter on "show route" command not filtering correctly |
|
|
SNMP process continuously restarts |
|
|
ASA/FTD: Traceback in thread name CP Processing due to DCERPC inspection |
|
|
Connection blocking active although "logging permit-hostdown" is set |
|
|
ASA/FTD may traceback and reload due to memory exhaustion |
|
|
Both the units in HA changed the encryption algorithm simultaneously |
|
|
add context for cmd-invalid-encap asp-drop type in the "show asp drop" command usage |
|
|
ASA/FTD - 1550 Block Depletion Due to Instability of TCP Syslog Channel(s) |
|
|
Block 80 depletion ssl_decrypt_cb |
|
|
FPR HA ESP sequence number discrepancy when standby changes to Active resulting in Anti-replay drops |
|
|
FTD port status not reflecting properly on FMC. |
|
|
Deployment changed performance profile, unable to retrieve running configuration |
|
|
Dataplane <> Control Plane may be overwhelmed in the event of a massive influx of traffic with no existing ARP Adj present |
|
|
WCCP redirection not working as expected on transparent FTD |
|
|
Traceback seen while FQDN list expands more than 200 entries for a resolved ip |
|
|
Device doesn't boot and gets stuck after a successful upgrade |
|
|
FP3140 FTD HA Upgrade Getting Stuck |
|
|
File policy stops working due to SMB tcp conn terminated after 1hr for unknown reason despite not idle |
|
|
Anyconnect users incorrectly get the prompts, based on the previous tunnel-group |
|
|
ASA: Traceback and reload after saving asdm image |
|
|
Show crypto accelerator shows max crypto throughput is 6 Gbps For 3K & 225Mbps for FTDv |
|
|
SNMP OID Polling for Chassis temperature not giving response |
|
|
Secure Client SAML - External Browser May Prompt for a Certificate when using IKEv2-IPsec and Certificate Mapping |
|
|
Continuous logs_archive.asa-interface-idb.log getting generated on ASA |
|
|
FXOS:ASA SSH login fails at the first attempt when it is integrated with DUO |
|
|
ASA/FTD may traceback and reload citing Thread Name 'lina' as the faulting thread. |
|
|
Dynamic Offloaded Flows Interrupted midstream |
|
|
Intermittent drop of self-originated ICMP TTL exceeded messages with reason "Unable to obtain connection lock (connection-lock)" |
|
|
FTD/ASA may traceback and reload |
|
|
Lina traceback due to the incorrect option being received in the packet. |
|
|
Secure client tunnel group authentication is affected when using SDI protocol |
|
|
Interlaken (ILK) link between the Nitrox and KC2 failure, causing traffic backpressure / traffic outage |
|
|
ASA/FTD: Wrong value shown for X509_STORE_CTX in 'show ssl objects' |
|
|
RTSP Flows are dropped with drop reason "First TCP packet not SYN" |
|
|
ASA/FTD - Traceback and Reload in Threadname DATAPATH |
|
|
Rate limit conn-limit SNMP traps |
|
|
Cisco Secure Firewall Adaptive Security Appliance Software TCP Flood Denial of Service Vulnerability |
|
|
ASA/FTD: SCEP enrollment fails with SCEP server reachable over VPN and sourced from inside interface |
|
|
ASAv on Hyper-v encountering boot loop issues when running netvsc driver |
|
|
Lina: Traceback and reload webvpn_session_release |
|
|
ASA traceback and reload due to memory corruption in IPsec SA pointers |
|
|
High network latency observed on ASAv |
|
|
FTD traceback and reload on DATAPATH |
|
|
ASA traceback while disabling GTP inspection |
|
|
WPK node rebooted with lina core while trying to form cluster in snp_nat_allocate_port |
|
|
FP2140 running FTD traceback during deployment |
|
|
Lina: Traceback and reload for watchdog on BGP |
|
|
ASAv memory leak leading to reload |
|
|
FTD - FTD RADIUS authentication fails with "bad authenticator" after disabling Management Interface Convergence |
|
|
Inconsistent Cluster State: All Nodes Acting as Data Nodes with No Control Node |
|
|
ASA/FTD traceback and reload in Lina |
|
|
Unable to remove certificate-group-map |
|
|
VPN-MT: ASA (99.22.3.39) crashed with one TLS session |
|
|
FP2110 Critical fault alerts for remote users |
|
|
ASA/FTD traceback and reload in L2 vaccess_nameif_action thread |
|
|
ASA/FTD Traceback and reload in L2 table creation failure |
|
|
FTD silently drops out of order packets |
|
|
Problems may arise when an automated script attempts to deploy to add or delete an SNMP user in a multi-context environment. |
|
|
ASA/FTD: Fragmentation issue for IKE_Auth packets |
|
|
Collecting "show tech-support fprm" results in corefile in TAR process |
|
|
ASA traceback and reload while removing capture |
|
|
BEMS01922035: asa-app-agent: FP2130 9.20.4 ASA ha pair just one unit crashes once it is active - DOLLAR ACADEMY (ASA 699917514) |
|
|
ASA: Traceback and reload on ARP code when the pinged device is unreachable |
|
|
High cpu on block depletion |
|
|
ASP ACL rule (dhcp network scope) fail to be removed during "no nameif" or interface deletion process |
|
|
Memory leak in virtual-access nameif strings |
|
|
ASA timestamp getting stuck for syslog messages until the device sync up with NTP |
|
|
ASAv Traceback and Reload 30 secs - 5 mins after the BGP neighbor relationship is formed with the peer |
|
|
ASA may traceback during manual failover |
|
|
Few FQDNs are not resolving after FTD upgrade |
|
|
snmpEngineBoots does not increase when ASA reloads |
|
|
Inotify user watch limits require adjustment for 3100 and 4200 platforms running MI FTDs |
|
|
FPR 3110 MI (shared subinterface) - Traffic outage when disabling multicast routing on one FW instance |
|
|
Multiple issues with either Interface not coming up or CRC errors with 25/50G LR SFP |
|
|
FTD/ASA: Traceback and reload on memory corruption caused by “occam_arena__get_block” |
|
|
LINA May Encounter Traceback and Reload if SSH Session Uses ChaCha20-Poly1305 Cipher |
|
|
Lina Traceback and reload in Thread: "cli_xml_request_process" |
|
|
SNMP polling fails to work after upgrade |
|
|
Faults generated during first boot on 6.x can't be cleared |
|
|
The identity cert will miss "ca" if the same cert also installed as device-certificate. Reboot will fail to install identity cert |
|
|
ASA/FTD responding without relay_sig parameter in SAML duplicate request |
|
|
Lina engine traceback, due to assertion in datapath. |
|
|
While in App-Sync phase, cluster node does not transition to disabled state when CCL interface goes down |
|
|
Traceback and reload in threadname datapath due to flow-offload. |
|
|
Lina crash on FTDv |
|
|
ASA: Traceback with Thread Name DATAPATH-0-13302 |
|
|
Appliance enters into fail-safe mode due to warnings thrown by nat config. |
|
|
License registration still fails with ssl trustpoint and smart transport mode configured despite fix for CSCwp10957 |
|
|
ASA/FTD does not accept "id-kp-ipsecIKE" or "anyExtendedKeyUsage" in EKU for usage type IPSEC VPN Peer |
|
|
Lina: asacli Traceback & reload due to SSH/SCP initiated from firewall exec mode |
|
|
FTD installing two default routes coming over EIGRP having different metrics |
|
|
ASA/FTD assert crash after applying capture type isakmp command from LINA CLI |
|
|
ASA/FTD may traceback and reload in spin_lock_check_for_deadlock |
|
|
Unable to retrieve SNMP OID crasActGrpName (1.3.6.1.4.1.9.9.392.1.3.22.1.1) |
|
|
Azure ASAv Interface speed auto-negotiation not working |
|
|
Crash at Process Name: lina <ctm_cryptodev_terminate_session+168> |
|
|
Traffic is not hitting the expected rule, instead hitting default deny rule. |
|
|
Cluster Control Link (CCL) Capture with match statement only captures one direction (ingress) packets |
|
|
Cisco Secure Firewall 3100/4200 performs dynamic flow-offload on unsupported versions |
|
|
Auto-rejoin timer not starting for a unit which has left the cluster. |
Resolved Bugs in Version 9.22(2)
The following table lists select resolved bugs at the time of this Release Note publication.
|
Identifier |
Headline |
|---|---|
|
ASDM Access Issue When SSL VPN And HTTP Server Is Configured On Same Port |
|
|
Firepower 1000/2100 may boot to ROMMON mode |
|
|
Banner login does not display when configured |
|
|
The fxos directory disappears after the show tech fprm detail command is cancelled with Ctrl+C. |
|
|
Stale anyconnect entries causing issues with routing |
|
|
[Display]FXOS: PC member interface is shown as down & unassociated/unassigned after reload |
|
|
ASA|FTD: Traceback & reload in thread Name: update_mem_reference |
|
|
Lina core at swapcontext on Standby FTD during policy deployment |
|
|
TCP MSS is changed back to the default value when a VTI or loopback interface is created |
|
|
unzip 5.52 is from 2005 and contains multiple vulnerabilities |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' related to Netflow timer infra |
|
|
Debug: Eth1/1 flapping unexpectedly |
|
|
PAT communication via using PAT pool fails for about 40 seconds when a device joins a cluster |
|
|
tpk_mi upgrade failed from 7.4.1.1 > 7.6.0 000_start/000_00_run_cli_kick_start.sh. |
|
|
snmpd core seen in ASA/FTD |
|
|
Failure to read the signature keys (mult-instance deployment) |
|
|
Fail to start a disabled container on chassis reboot and misses to log the activity to Heimdall |
|
|
FTD is not resolving FQDN for ACLs intermittently |
|
|
Connectivity failure due to mismatch between l2_table and subinterface mac address |
|
|
ASA/FTD traceback and reload with high rate of SIP connections |
|
|
Remove SGT frames/packets to allow VTI decryption |
|
|
ASA/FTD May traceback & reload citing Thread Name 'lina' as the faulting thread. |
|
|
FTD/LINA may traceback and reload when "show capture" command is executed in EEM script |
|
|
SGT INLINE-TAG added after upgrade to 7.4.x |
|
|
Trigger Alert/Warning when the associated FQDN IDs of an IP address surpasses the set limit of 8 |
|
|
Virtual ASA/FTD may traceback and reload in thread PTHREAD |
|
|
TLS1.3 Decryption configuration on SSL policy is affecting DND traffic. |
|
|
ASA on HA: alloc_ch() alloc from chunk mem Failed message on one context in Standby device |
|
|
CMI is disabled if pre-CMI nameif on diagnostic interface is MANAGEMENT |
|
|
FTD / ASA High Memory Usage Due to HTTP-based Path Monitoring |
|
|
FTD LINA Traceback and Reload dhcp_daemon Thread |
|
|
Incorrect network module slot and status information in "show module" command output |
|
|
App instance stuck in STOP_FAILED with error message |
|
|
HA-monitored interfaces are going into "waiting" state and subsequently to "Failed" |
|
|
FTD and FXOS: RADIUS Protocol Spoofing Vulnerability (Blast-RADIUS): July 2024 |
|
|
Failures and records are not seen in show failover statistics after simulating failures |
|
|
ASA: Site-to-Site VPN between contexts on the same device drops traffic due to 'ipsec-tun-down' |
|
|
BlastRADIUS vulnerability phase-1 fix for pix-asa - Message Authenticator |
|
|
Cisco Adaptive Security Appliance and Firepower Threat Defense TLS Denial of Service Vulnerability |
|
|
Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vul |
|
|
FMC in CC-mode audit over syslog not working |
|
|
ASA/FTD may traceback and reload in Thread Name SSH |
|
|
FTDv traceback in Thread name - PTHREAD |
|
|
ASA/FTD: Memory Exhaustion due to Threat-Detection |
|
|
Partition "/opt/cisco/config" gets full due to btmp file not getting logrotated |
|
|
FTD upgrade to 7.4.2 via FDM is blocked |
|
|
VPN Client Application version and OS is not displayed for the FTD Standby peer under User Activity |
|
|
'ENDPOINT_TIME_OUT_OF_SYNC' Error Causing SAML Auth to Not Complete |
|
|
ASA/FTD may traceback and reload in Process Name "lina" after device was reloaded |
|
|
FTDv50 traceback during normal operation at PTHREAD-8141 spin_lock_fair_mode_enqueue |
|
|
S2S VPN with 3rd party broken after upgrading FPR 9.20 |
|
|
Critical fault : [FSM:FAILED]: user configuration(FSM:sam:dme:AaaUserEpUpdateUserEp) |
|
|
ASA/FTD may traceback and reload in Thread Name 'strlen' |
|
|
FTD: Lina might fail to respond to CONFIG_XML_REQUEST leading to stuck deployments |
|
|
FTD: Username missing in syslog message ID 302013 after upgrade to 7.4.1 |
|
|
Lina traceback and reload in data-path thread |
|
|
Unstable HA causing deployment failure |
|
|
IPv6 Neighbor Discovery failure on shared interface in multi instance setup |
|
|
FP4245 - NPU Accelerator changed speed of 100Gb interface to 10Mb |
|
|
ASA|FTD Traceback & reload in process name lina |
|
|
Increase memory usage leading to tracebacks in Lina. |
|
|
Disable cluster syn cookie decoding when FTD cluster is deployed with inline-set |
|
|
Generated Cryptochecksum changes without configuration change |
|
|
Changes in port-channel membership or member status may cause periodic OSPF/EIGRP adjacency flaps |
|
|
CGroups errors in ASA Syslog during every reboot |
|
|
ldap.conf does not get generated using hostname |
|
|
Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Network Address Translation DNS Inspection Denial of Service Vulnerability |
|
|
Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Network Address Translation DNS Inspection Denial of Service Vulnerability |
|
|
Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software DHCP Denial of Service Vulnerability |
|
|
FTD CLISH/CLI gets locked up when trying to run any show command |
|
|
SIP traffic is affected due to unexpected behavior with NAT untranslations. |
|
|
Wrong drops seen with Invalid length for 23, 24 and 25 IE-Types during GTP inspection |
|
|
ASA/FTD may traceback and reload in Thread Name 'fover_parse' |
|
|
CSF 3100 series not rebooting after power outage, requiring manual power cycle |
|
|
Browser redirects to blank page when the user clicks the WebVPN bookmark |
|
|
The ASA's OSPF routing table is not properly synchronized with the neighbors |
|
|
SAML Force re-authentication Is Not Enforcing User To re-enter Credentials Upon Retrying To Connect |
|
|
FXOS MTU Handling for Front Panel and Uplink Ports on Firepower devices require improvement |
|
|
Default Group Policy is applied when receiving multiple Group Policies in SAML assertion attributes |
|
|
FTD - Multi-Instance, docker0 interface overlap with private network 172.17.0.0/16 |
|
|
SAML Auth Request by FTD Will Always Be Signed By Sha1 Irrelevant Of the Algorithm Configured |
|
|
Long boot time seen with one AC rule having object-group and other plain ACL's |
|
|
LINA may traceback in Thread Name: Datapath with NAT config |
|
|
FPR3100: Interface may go to half duplex speed is hardcoded to 100mbps |
|
|
FTD Secondary Unit got stuck in Bulk sync state. |
|
|
ASA/FTD will allow local IP pool with invalid netmask |
|
|
Serviceability to capture PDTS writing/reading block to help root cause CSCwm36314 |
|
|
FTD/ASA may traceback and reload in DATAPATH thread |
|
|
Dynamic Site-to-Site tunnels stuck in IN-NEG state When IKE_AUTH Is Missed |
|
|
FTD inline-set ignore reverse flag for inject/rewrite |
|
|
Cisco Adaptive Security Appliance Software SSH Server Resource DoS Vulnerability |
|
|
FXOS fault F1738 seen in deployment with Error: CSP_OP_ERROR. CSP signature verification error |
|
|
Show mod functionality needs to be fixed after change was reverted in CSCwk63011 due to regression |
|
|
Misconfigured Cross-Origin-Opener-Policy |
|
|
ASA Traceback and Reload due to MEMORY CORRUPTION WAS DETECTED |
|
|
enhance sma 2nd cruz heartbeat logging |
|
|
ASA/FTD: Inbound IPsec packets are dropped when IPsec offload is enabled with VTI and sub-interface |
|
|
100GB interface flaps with Innolight QSFPs in both ends |
|
|
Not able to remove or clear Fault "The password encryption key has not been set." |
|
|
ASA/FTD may traceback and reload in Thread Name "fover_parse" |
|
|
TPK Low End FPR3100:Changing interface speed from 1g to 100mbps/100mbps to 1g brings down the link |
|
|
show run access-list command returns warning |
|
|
SQLNet traffic getting dropped intermittently in Clustering data unit. |
|
|
ASA/FTD: RA VPN tunnel causing memory leak leading to traceback & Reload |
|
|
Enable NFS Client 4.1 in the kernel to debug NFS and EFS mount issues: SIGKILL(9) to stunnel |
|
|
FTD - Missing routes on BGP advertised-routes after FTD HA failover event |
|
|
Incompatible members warning message after Po member interface flaps unable to rejoin Po |
|
|
ASA traceback and reload on thread snmp_inspect |
|
|
ASA traceback and reload due to stack overflow while using APCF file |
|
|
ASA traceback and reload on thread DATAPATH when processing gtpv1 end marker msg for PDP |
|
|
NAT traps have to be rate-limited |
|
|
Potential High CPU usage in Multi-Context Cluster setup with unconditional execution of capture code |
|
|
Evaluation of ssp for mod_nuova logs authentication tokens |
|
|
Cisco FXOS and UCS Manager Software Stored Cross-Site Scripting Vulnerability |
|
|
ASA/FTD may traceback and reload in Thread Name "IKEv2 Daemon" while joining failover |
|
|
4200/3100/1200 hardware allow to change AppAgent timer |
|
|
'no capture /all' failed to disable capture completely in the backend, causing high datapath CPU |
|
|
GTP inspection drops packet with error Reason:(IE-Type:CAUSE(2) IE is missing) |
|
|
GTP inspection drops packet with error ERROR-DROP:MsgType:32 |
|
|
Cisco ASA/FTD Firepower 3100/4200 Series TLS 1.3 Cipher Denial of Service Vulnerability |
|
|
FTD HA Standby Reloads Repeatedly After Upgrade to 7.4.2.1 |
|
|
LINA core observed pointing to "IP RIB Update" thread |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
FTD device stuck in rommon mode after pressing reset button |
|
|
Cluster assigning wrong nat for unit, traffic not being forwarded properly back to unit |
|
|
ASA/FTD traceback and reload with high rate of SIP connections |
|
|
TCP Conn not being flagged as Half-Closed after receiving the ACK for the FIN. |
|
|
Memory Blocks 80 and 9344 leak due to priority-queue |
|
|
GTP inspection not allowing GTP data packets if session create response has cause type 18 |
|
|
When capture enabled on cluster interface, it always includes CCL IP along with the configured rule |
|
|
ASA/FTD may traceback and reload in Thread Name 'SSH Ctxt Thread' |
|
|
FPR9K-SM-56 module intermittently lock up and cause traffic impact. |
|
|
ASA upgrade failing from 9.20.2.21 to the target version 9.20.3.4 |
|
|
Bind ESP to VTI Tunnel Source Interface To Avoid Additional Route-Lookup Post Encryption |
|
|
FTD cluster to traceback and reload after extended PAT is enabled |
|
|
ASA/FTD may traceback and reload in Thread Name 'ldap_client_thread' |
|
|
FTD reload with traceback on swapcontext function |
|
|
Syslog servers below in FTD logging send hostname info as per emblem config for first syslog server |
|
|
ASA/FTD may traceback and reload in Thread Name 'cli_xml_request_process'. |
|
|
memory fragmentation resulted in hugepages unavailable for lina |
|
|
Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Access Control Rules Bypass Vulnerability |
|
|
Admin users are prompted to change local password when authenticating to external server |
|
|
HA would bring data interfaces up while moving from cold standby to failed state |
|
|
ASA may traceback and reload in Thread Name 'ssh' |
|
|
Discrepancy in VPN bytes with RA VPN user activity report |
|
|
Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Web Services Denial of Service Vulnerability |
|
|
FTD: Management0/0 status went down, line protocol is up after upgrade |
|
|
GTPv2 IE-type 157 (Signaling Priority Indication) is dropped with reason as unknown IE type |
|
|
ERROR: cannot set default route for broadcast packets. |
|
|
ASA booting process may freeze when including 'no pim' or 'no igmp' config |
|
|
FTD/ASA May Traceback and Reload - During Deployment / Radius changes - Due to Radius Packets |
|
|
Jumbo frame packets are being fragmented |
|
|
Traceback and reload due to webvpn dtls flow offload enabled |
|
|
MI: Instances going in split brain when assigned RP with CPU cores between 14-70 on FPR42xx |
|
|
FTD may traceback and reload in Thread Name "FPRLI_FPR4K-SM-32" |
|
|
Monitored interfaces may go in waiting state after upgrade to 9.20.3.7 |
|
|
Firewall not initiating TCP request even after receiving the TC bit set in DNS response |
|
|
Multiple Unicorn Admin Handler processes consume all the control plane CPU. |
|
|
Primary FTD instance MAC address is not updated correctly in FXOS during failover |
|
|
FTD Deployment Resilience: Skip non-critical / non-existing commands to avoid deployment failures. |
|
|
HA should prevent honouring failover requests while copy/config-sync/rollback is in progress |
|
|
MI: Traffic fails to reach the Secondary FTD when enabled with data-sharing interface |
|
|
MI: Vlan info is not applied at FXOS level when Virtual MAC is configured |
|
|
Implementing forwarder flow on non-owner units handling distributed secondary flow connections |
|
|
FXOS - Download command generates an extra "/" over HTTP and HTTPS GET requests |
|
|
S2S VPN tunnel Child SA unsuccessful renegotiation |
|
|
ASA 21xx: 'sh environment temperature' shows incorrect temperature values |
|
|
LINA may observe random traceback with Netflow configured |
|
|
Critical health alerts 'user configuration(FSM.sam.dme.AaaUserEpUpdateUserEp)' on FPR 1100/2100/3100 |
|
|
Tracebacks observed in a cluster member running ASA 9.20.3.4 |
|
|
Traceback in thread name Lina on configuring arp permit-nonconnected with BVI |
|
|
ASA: floating-conn not closing UDP conns if conn was created without ARP entry for next hop |
|
|
Cisco Secure Firewall ASA Software and Secure FTD Software OSPF Heap Corruption Vulnerability |
|
|
Cisco Secure Firewall ASA Software and Secure FTD Software OSPF DoS Vulnerability |
|
|
Addressing CVEs reported in unicorn zlib library |
|
|
Asia/Bangkok timezone option not listed in ASA running on firepower1k |
|
|
Cisco Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial of Service Vulnerability |
|
|
Banner motd does not display when configured |
|
|
SSH works in admin context but doesn't work in any user context after changing ssh key-exchange |
|
|
Unreachable LDAP/AD referrals may cause delays or timeouts in external authentication on FTD |
|
|
ISA3000 with ASA Refuses SSH Access If CiscoSSH is Enabled |
|
|
Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Authenticated Command Injection Vulnerability |
|
|
Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Authenticated Command Injection Vulnerability |
|
|
Occasionally, 'show chunkstat top-usage' output does not show all entries |
|
|
ASA/FTD may traceback and reload in Thread Name "DATAPATH" |
|
|
ASA: Traceback and Reload Under Thread Name SSH |
|
|
Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software VPN Web Server Denial of Service Vulnerability |
|
|
ASA traceback and reload on DATAPATH thread due to memory corruption |
|
|
Command authorization fallback to Local only works for priv 15 users. |
|
|
Traceback and reload during the deployment after disabling FQDNs. |
|
|
Enabling debugs with EEM fails |
|
|
Cisco Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial of Service Vulnerability |
|
|
Cisco Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial of Service Vulnerability |
|
|
Cisco Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial of Service Vulnerability |
|
|
Cisco Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial of Service Vulnerability |
|
|
Cisco Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial of Service Vulnerability |
|
|
Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Remote Access SSL VPN Denial of Service Vulnerability |
|
|
Traceback & Reload in thread named: DATAPATH-1-23988 during low memory condition |
|
|
ASA may traceback and reload in Thread Name 'fover_parse' |
|
|
Cisco Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial of Service Vulnerability |
Resolved Bugs in Version 9.22(1.1)
The following table lists select resolved bugs at the time of this Release Note publication.
|
Identifier |
Headline |
|---|---|
|
ASA concatenates syslog event to other syslog event while sending to the syslog server |
|
|
FTD traceback in Thread Name cli_xml_server when deploying QoS policy |
|
|
FTD - Flow-Offload should be able to coexist with Rate-limiting Feature (QoS) |
|
|
Lack of throttling of ARP miss indications to CP leads to oversubscription |
|
|
Remove Syslog Messages 852001 and 852002 in Firewall Threat Defense |
|
|
SNMPv3: Special characters used in FXOS SNMPv3 configuration causes authentication errors |
|
|
FXOS Major Faults about adapter host and virtual interface being down |
|
|
FXOS: Fault "The password encryption key has not been set." displayed on FPR1000 and FPR2100 devices |
|
|
App-instance showing as Started instead of Online |
|
|
ERROR: Deleted IDB found in in-use queue - message misleading |
|
|
PLR license reservation for ASAv5 is requesting ASAv10 |
|
|
ASA may fail to create NAT rule for SNMP with: "error NAT unable to reserve ports." |
|
|
ASA: FPR11xx: Loss of NTP sync following a reload after upgrade |
|
|
Some syslogs for AnyConnect SSL are generated in admin context instead of user context |
|
|
Tune throttling flow control on syslog-ng destinations |
|
|
ENH: Support for snapshots of RX queues on InternalData interfaces when "Blocks free curr" goes low |
|
|
Primary node disconnected from VPN-Cluster when performed HA failover on Primary with DNS lookup |
|
|
ASA/FTD stuck after crash and reboot |
|
|
ASA/FTD Traceback and reload in Process Name: lina |
|
|
MFIB RPF failed counter instead of Other drops increments when outgoing interface list is Null |
|
|
ASA: The timestamp for all logs generated by Admin context are the same |
|
|
cache and dump last 20 rmu request response packets in case failures/delays while reading registers |
|
|
AnyConnect SAML - Client Certificate Prompt incorrectly appears within External Browser |
|
|
Cisco ASA and FTD Software RSA Private Key Leak Vulnerability |
|
|
Prevention of RSA private key leaks regardless of root cause. |
|
|
FTPS getting ssl3_get_record:bad record type during connection for KK and DR rules |
|
|
Unnecessary FAN error logs needs to be removed from thermal file |
|
|
ASA/FTD may traceback and reload during ACL changes linked to PBR config |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
FXOS ASA/FTD SNMP OID to poll Internal-data 'no buffer' interface counters |
|
|
logging/syslog is impacted by SNMP traps and logging history |
|
|
ASA: ASDM sessions stuck in CLOSE_WAIT causing lack of MGMT |
|
|
25G CU SFPs not working in Brentwood 8x25G netmod |
|
|
ASA/FTD tmatch compilation check when unit joins the cluster, when TCM is off |
|
|
AnyConnect SAML using external browser and round robin DNS intermittently fails |
|
|
Failover trigger due to Inspection engine in other unit has failed due to disk failure |
|
|
critical health alerts 'user configuration(FSM.sam.dme.AaaUserEpUpdateUserEp)' on FPR 1100/2100/3100 |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' following policy deployment |
|
|
ASA/FTD: Traceback and reload in Thread Name: EIGRP-IPv4 |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
User with no vpn-filter may get additional access when per-user-override is set |
|
|
DHCP Relay is looping back the DHCP offer packet causing dhcprelay to fail on the FTD/ASA |
|
|
FTD: Traceback & reload in process name lina |
|
|
ASA/FTD traceback and reload on thread name fover_fail_check |
|
|
ASA/FTD: Command "no snmp-server enable oid mempool" enabled by default or enforced during upgrades |
|
|
Analyze why there is no logrotate for /opt/cisco/config/var/log/ASAconsole.log |
|
|
FPR 2100: 10G interfaces with 1G SFP goes down post reload |
|
|
fxos log rotate failing to cycle files, resulting in large file sizes |
|
|
ASA/FTD: Traceback and reload in Thread Name: appAgent_reply_processor_thread |
|
|
256 / 1550 Block leak with TLS1.3 session |
|
|
ASA restore is not applying vlan configuration |
|
|
AWS: SSL decryption failing with Geneve tunnel interface |
|
|
FTD Lina traceback and reload in Thread Name 'IP Init Thread' |
|
|
ASA/FTD: Traceback and reload due to SNMP group configuration during upgrade |
|
|
ASA Connections stuck in idle state when DCD is enabled |
|
|
Cisco ASA and FTD AnyConnect SSL/TLS VPN Denial of Service Vulnerability |
|
|
FPR2100: Increase in failover convergence time with ASA in Appliance mode |
|
|
FTDv Single-Arm Proxy behind AWS GWLB drops due to geneve-invalid-udp-checksum with all 0 checksum |
|
|
AC clients fail to match DAP rules due to attribute value too large |
|
|
Packets through cascading contexts in ASA are dropped in gateway context after software upgrade |
|
|
ASA traceback and reload on Datapath process |
|
|
FPR1150 : Exec format error seen and the device hung until reload when erase secure all is executed |
|
|
ASA|FTD: Implement different TLS diffie-hellman prime based on RFC recommendation |
|
|
QEMU KVM console got stuck in "Booting the kernel" page |
|
|
Port-channel interfaces of secondary unit are in waiting status after reload |
|
|
Port-channel member port status flag and membership status are Down if LACPDUs are not received |
|
|
ASA/FTD may traceback and reload in idfw fqdn hash lookup |
|
|
FXOS: FP2100 FTW timeout triggered by high CPU usage during FTD Access Control Policy deploy. |
|
|
30+ seconds data loss when unit re-join cluster |
|
|
Cisco ASA and FTD ICMPv6 Message Processing Denial of Service Vulnerability |
|
|
ASA configured with HA may traceback and reload with multiple input/output error messages |
|
|
MI FTD running 7.0.4 is on High disk utilization |
|
|
High CPU Utilization on FXOS for processes smConlogger |
|
|
FTD Traffic failure due to 9344 block depletion in peer_proxy_tx_q |
|
|
LINA Traceback on FPR-1010 under Thread Name: update_cpu_usage |
|
|
Microsoft SCEP enrollment fails to get ASA identity cert - Unable to verify PKCS7 |
|
|
ASA/FTD may traceback and reload in Thread Name 'telnet/ci' |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
Observing some devcmd failures and checkheaps traceback when flow offload is not used. |
|
|
AWS ASAv PAYG Licensing not working in GovCloud regions. |
|
|
Traceback and reload when webvpn users match DAP access-list with 36k elements |
|
|
ASA/FTD: Traceback and Reload on Netflow timer infra |
|
|
Cut-Through Proxy does not work with HTTPS traffic |
|
|
Enhance logging mechanism for syslogs |
|
|
ASA/FTD NAT Pool Cluster allocation and reservation discrepancy between units |
|
|
Stratix5950 and ISA3000 LACP channel member SFP port suspended after reload |
|
|
Traffic fails in Azure ASAv Clustering after "timeout conn" seconds |
|
|
ASA/FTD failure due to heartbeat loss between chassis and blade |
|
|
ASA: After upgrade cannot connect via ssh to interface |
|
|
ASA/FTD may traceback and reload in logging_cfg processing |
|
|
FAN LED flashing amber on FPR2100 |
|
|
Clientless VPN users are unable to download large files through the WebVPN portal |
|
|
Anyconnect users unable to connect when ASA using different authentication and authorization server |
|
|
Blade not coming up after FXOS update support on multi-instance due to ssp_ntp.log log rotation prob |
|
|
The Standby Device going in failed state due to snort heartbeat failure |
|
|
Primary ASA traceback upon rebooting the secondary |
|
|
ASA/FTD traceback and reload, Thread Name: rtcli async executor process |
|
|
Link Up seen for a few seconds on FPR1010 during bootup |
|
|
FTD: Unable to configure WebVPN Keepout or Certificate Map on FPR3100 |
|
|
ASA is unexpected reload when doing backup |
|
|
FPR41xx/9300: Blade does not capture or log a reboot signal |
|
|
ASA/FTD: External IDP SAML authentication fails with Bad Request message |
|
|
Cisco ASA and FTD Software VPN Packet Validation Vulnerability |
|
|
License Commands go missing in Cluster data unit if the Cluster join fails. |
|
|
ASA/FTD may traceback and reload after a reload with DHCPv6 configured |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
FTD traceback and reload while deploying PAT POOL |
|
|
Need to provide rate-limit on "logging history <mode>" |
|
|
FTD/ASA traceback and reload during to tmatch compilation process |
|
|
FTD traceback/reloads - Icmp error packet processing involves snp_nat_xlate_identity |
|
|
FPR1K/FPR2K: Increase in failover time in Transparent Mode with high number of Sub-Interfaces |
|
|
Cluster data unit drops non-VPN traffic with ASP reason "VPN reclassify failure |
|
|
FPR1120:connections are getting teardown after switchover in HA |
|
|
None option under trustpoint doesn't work when CRL check is failing |
|
|
FTD traceback and reload during policy deployment adding/removing/editing of NAT statements. |
|
|
FTD is dropping GRE traffic from WSA |
|
|
ASA binding with LDAP as authorization method with missing configuration |
|
|
ASA: Traceback and reload while processing SNMP packets |
|
|
Nodes randomly fail to join cluster due to internal clustering error |
|
|
FTD: HA crash and interfaces down on FPR4200 |
|
|
High Lina memory use due to leaked SSL handles |
|
|
Secondary state flips between Ready & Failed when node is rebooted and mgmt interface is shutdown |
|
|
multimode-tmatch_df_hijack_walk traceback observed during shut/unshut on FO connected switch interfa |
|
|
FTD - 'show memory top-usage' providing improper value for memory allocation |
|
|
FTD: IP SLA Pre-emption not working even when destination becomes reachable |
|
|
ASA/FTD Traceback and reload of Standby Unit while removing capture configurations |
|
|
ASA/FTD: Improve GTP Inspection Logging |
|
|
ASA/FTD: GTP Inspection engine serviceability |
|
|
[FTD Multi-Instance][SNMP] - CPU OIDs return incomplete list of associated CPUs |
|
|
ASA/FTD may traceback and reload in Thread Name: CTM Daemon |
|
|
256-byte memory block gets depleted on start if jumbo frame is enabled with FTD on ASA5516 |
|
|
Traffic drop when primary device is active |
|
|
Cisco ASA and FTD Software Remote Access SSL VPN Multiple Certificate Auth Bypass |
|
|
ASA/FTD may drop multicast packets due to no-mcast-intrf ASP drop reason until UDP timeout expires |
|
|
Multicast connection built or teardown syslog messages may not always be generated |
|
|
Write wrapper around "kill" command to log who is calling it |
|
|
SNMPD cores seen in snmp_sess_close and notifyTable_register_notifications |
|
|
WR6, WR8, LTS18 and LTS21 commit id update in CCM layer (Seq 43) |
|
|
Partition "/opt/cisco/config" gets full due to wtmp file not getting logrotated |
|
|
NTP polling frequency changed from 5 minutes to 1 second causes large useless log files |
|
|
Multiple instances of nvram.out log rotated files under /opt/cisco/platform/logs/ |
|
|
8x10Gb netmod fails to come online |
|
|
ASA/FTD - SNMP related memory leak behavior when snmp-server is not configured |
|
|
Azure D5v2 FTDv unable to send traffic - underruns and deplete DPDK buffers observed |
|
|
ASA Traceback & reload citing thread name: asacli/0 |
|
|
FTD taking longer than expected to form OSPF adjacencies after a failover switchover |
|
|
ASA/FTD may traceback and reload after executing 'clear counters all' when VPN tunnels are created |
|
|
LINA traceback with icmp_thread |
|
|
The command "app-agent heartbeat" is getting removed when deleting any created context |
|
|
FPR 4115- primary unit lost all HA config after ftd HA upgrade |
|
|
CLUSTER: ICMP reply arrives at director earlier than CLU add flow request from flow owner. |
|
|
FTD MI does not adjust PVID on vlans attached to BVI |
|
|
ASA/FTD may traceback and reload in Thread Name 'None' at lua_getinfo |
|
|
ASA/FTD Show chunkstat top command implementation |
|
|
ASA/FTD might traceback in function "snp_fp_l2_capture_internal" due to cf_reinject_hide flag |
|
|
Workaround to set hwclock from ntp logs on low end platforms |
|
|
ASA/FTD may traceback and reload in Thread Name 'ci/console' when checking Geneve capture |
|
|
Supervisor does not reboot unresponsive module/blade due to IERR with minor severity sensor ID 79 |
|
|
ASA/FTD: High failover delay with large number of (sub)interfaces and http server enabled |
|
|
Gateway is not reachable from standby unit in admin and user context with shared mgmt intf |
|
|
Multiple traceback seen on standby unit. |
|
|
2100: Power switch toggle leads to ungraceful shutdowns and "PowerCycleRequest" reset |
|
|
Stale IKEv2 SA formed during simultaneous IKE SA handling when missing delete from the peer |
|
|
FDM WM-HA ssh is not working after upgrading 7.2.3 beta with data interface as management |
|
|
ASA: FP2100 FTW timeout triggered by high CPU usage during FTD Access Control Policy deploy. |
|
|
Deleting a BVI in FTD interfaces is causing packet drops in other BVIs |
|
|
FP2100:Update LINA asa.log files to avoid recursive messages-<date>.1.gz rotated filenames |
|
|
Syslog ASA-6-611101 is generated twice for a single ssh connection |
|
|
User with no vpn-filter may get additional access when per-user-override is set (IKEv2 RAVPN) |
|
|
FTD upgrade from 7.0 to 7.2.x and traceback/reload due to management-access enabled |
|
|
ASA/FTD drops traffic to BVI if floating conn is not default value due to no valid adjacency |
|
|
FTD: CLISH slowness due to command execution locking LINA prompt |
|
|
The public API function BIO_new_NDEF is a helper function used for str |
|
|
Management interface link status not getting synced between FXOS and ASA |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
ASA Evaluation of OpenSSL vulnerability CVE-2022-4450 |
|
|
SSL decrypted conns fails when tx chksum-offload is enabled with the egress interface a pppoe. |
|
|
FTD on FPR2140 - Lina traceback and reload by TCP normalization |
|
|
Protocol Down with lower CPU instances on ESXi 8 for ASAv and FTDv |
|
|
Memory leak observed on ASA/FTD when logging history is enabled |
|
|
ASA/FTD: Revision of cluster event message "Health check detected that control left cluster" |
|
|
FTD: "timeout floating-conn" not operating as expected for connections dependent on VRF routing |
|
|
ASA/FTD reboots due to traceback pointing to watchdog timeout on p3_tree_lookup |
|
|
CCM seq 45 - WR6, WR8, LTS18 and LTS21. |
|
|
FTD Traceback and reload on Thread Name "NetSnmp Event mib process" |
|
|
PIM register packets are not sent to RP after a reload if FTD uses a default gateway to reach the RP |
|
|
ASA Multicontext 'management-only' interface attribute not synced during creation |
|
|
ASA reboots due to heartbeat loss and "Communication with NPU lost" |
|
|
New context subcommands are not replicated on HA standby when multiple sessions are opened. |
|
|
Policy Deploy Failing when trying to remove Umbrella DNS Connector Configuration |
|
|
ASA/FTD traceback in snp_tracer_format_route |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' due to tcp intercept stat |
|
|
ASA/FTD: Ensure flow-offload states within cluster are the same |
|
|
Need fault/error for invalid firmware MF-111-234949 |
|
|
Cisco ASA and FTD ACLs Not Installed upon Reload |
|
|
ASA/FTD may traceback and reload |
|
|
ASA: Prevent SFR module configuration on unsupported platforms |
|
|
The command "neighbor x.x.x.x ha-mode graceful-restart" removed when deleting any created context |
|
|
FP2100 series devices might use excessive memory if there is a very high SNMP polling rate |
|
|
KP Generating invalid core files which cannot be decoded 7.2.4-64 |
|
|
show xlate does not display xlate entries for internal interfaces (nlp_int_tap) after enabling ssh. |
|
|
ASA - Standby device may traceback and reload during synchronization of ACL DAP |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
Last fragment from SIP IPv6 packets has MF equal to 1, flagging that more packets are expected |
|
|
ASA / FTD Traceback and reload when removing isakmp capture |
|
|
Failover fover_trace.log file is flooding and gets overwritten quickly |
|
|
Multiple times the failover may be disabled by wrongly seeing a different "Mate operational mode". |
|
|
Connections not replicated to Standby FTD |
|
|
FTD Crash in Thread Name: CP Processing |
|
|
ASA/FTD may traceback and reload in Thread Name DATAPATH-3-21853 |
|
|
FTD LINA traceback and reload in Datapath thread after adding Static Routing |
|
|
Unable to login to FTD using external authentication |
|
|
Cross-interface-access: ICMP Ping to management access ifc over VPN is broken |
|
|
logrotate is not compressing files on 9.16 ASA or 7.0 FTD |
|
|
ASA/FTD may traceback and reload in Thread Name DATAPATH-1-1656 |
|
|
AnyConnect - mobile devices are not able to connect when hostscan is enabled |
|
|
Interface remains DOWN in an Inline-set with propagate link state |
|
|
ASA/FTD: From-the-box ping fails when using a custom VRF |
|
|
ASA/FTD : Degradation for TCP tput on FPR2100 via IPSEC VPN when there is delay between VPN peers |
|
|
ASA/FTD may traceback and reload in Thread Name 'pix_flash_config_thread' |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
Default DLY value of port-channel sub interface mismatch with parent Portchannel |
|
|
ASA: Standby failure on parsing of "management-only" not reported to parser/failover subsystem |
|
|
health alert for [FSM:STAGE:FAILED]: external aaa server configuration |
|
|
PortChannel sub-interfaces configured as data/data-sharing, in multi-instance HA go into "waiting" |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
ASA/FTD traceback and reload on thread DATAPATH-14-11344 when SIP inspection is enabled |
|
|
ASA/FTD traceback and reload due citing thread name: cli_xml_server in tm_job_add |
|
|
ASA/FTD: Traceback and reload due to high rate of SCTP traffic |
|
|
ASA traceback and reload with process name: cli_xml_request_process |
|
|
Serial number attribute from the subject DN of certificate should be taken as the username |
|
|
Firepower Chassis Manager is not accessible with ECDSA certificates |
|
|
Notification Daemon false alarm of Service Down |
|
|
CVIM Console getting stuck in "Booting the kernel" page |
|
|
Username-from-certificate feature cannot extract the email attribute |
|
|
ASA: Standby failure on parsing of "management-only" for dynamic configuration changes |
|
|
ASA Traceback and reload in parse thread due ha_msg corruption |
|
|
FPR31xx - SNMP poll reports incorrect FanTray Status at Down while actually operational |
|
|
ngfwManager process continuously restarting leading to ZMQ Out of Memory traceback |
|
|
KP - multimode: ASA traceback observed during HA node break and rejoin. |
|
|
FXOS REST API: Unable to create a keyring with type "ecdsa" |
|
|
Threat-detection does not recognize exception objects with a prefix in IPv6 |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina'. |
|
|
Threat-detection does not allow to clear individual IPv6 entries |
|
|
Cisco ASA and FTD VPN Web Client Services Client-Side Request Smuggling Vulnerability |
|
|
ASA not updating Timezone despite taking commands |
|
|
FTD DHCP Relay drops NACK if multiple DHCP Servers are configured |
|
|
Cisco ASA & FTD SAML Authentication Bypass Vulnerability |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
ASA/FTD: SNMP related traceback and reload immediately after upgrade from 6.6.5 to 7.0.1 |
|
|
ASA: Configurable CLU for Large amount of under/overruns on CLU RX/TX queues |
|
|
Observed ASA traceback and reload when performing hitless upgrade while VPN traffic running |
|
|
ASA/FTD Cluster: Change "cluster replication delay" with max value increase from 15 to 50 sec |
|
|
ASAConfig multiple restarts are leaking 16K memory in every Restart leading to ZMQ Out Of Memory. |
|
|
Cisco FTD Software for Cisco Firepower 2100 Series Inspection Rules DoS Vulnerability |
|
|
traceback and reload thread datapath on process tcpmod_proxy_continue_bp |
|
|
Add knob to pause/resume file specific logging in asa log infra. |
|
|
FTD/ASA Hub and spoke (U-turn) VPN fails when one spoke is IPSec flow offloaded and the other isn't |
|
|
TCP ping is completely broken starting in 9.18.2 |
|
|
portmanager.sh outputting continuous bash warnings to log files |
|
|
ASA/FTD may traceback and reload in Thread Name 'ci/console' |
|
|
ASA: "Ping <ifc_name> x.x.x.x" is not working as expected starting 9.18.x |
|
|
3100 unit failed to join the cluster with error "configured object (sys/switch-A/slot-2) not found" |
|
|
FTD running on FP1000 series might drop packets on TLS flows after the "Client Hello" message. |
|
|
Setting heartbeat timeout to 6sec for Firepower 4100 and 9300 |
|
|
ASA running out of SNMP PDU and SNMP VAR chunks |
|
|
Lina traceback and reload due to fragmented packets |
|
|
LSP version not updated to latest in LINA Prompt in SSP_CLUSTER with 7.2.4 build. |
|
|
FPR3100: ASA/FTD High traffic impact on all data interfaces with high counter of "demux drops" |
|
|
FTD : Traceback in ZMQ running 7.3.0 |
|
|
TPK 3110 - Firmware version MISMATCH after upgrade to 7.2.4-144 |
|
|
ASA sends OCSP request without user-agent and host |
|
|
ASA: After upgrade to 9.16.4 all type-8 passwords are lost on first reboot |
|
|
FTDv: Traffic failure in VMware Deployments due to dpdk pool exhaustion and rx_buff_alloc_failure |
|
|
ASA Traceback and reload citing process name 'lina' |
|
|
traceback and reload in Process Name: lina related to Nat/Pat |
|
|
TCP normalizer needs stats that show actions like packet drops |
|
|
LDAP authentication over SSL not working for users that send large authorisation profiles |
|
|
Very specific "vpn-idle-timeout" values cause continuous SSL session disconnects and reconnects |
|
|
ASAv in Hyper-V drops packets on management interface |
|
|
HA Serviceability Enh: Maintain HA NLP client stats and HA CTL NLP counters for current App-sync |
|
|
ASDM replaces custom policy-map with default map on class inspect options at backup restore. |
|
|
ASA accepts replayed SAML assertions for RA VPN authentication |
|
|
ASA/FTD may traceback and reload in Thread Name '19', free block checksum failure |
|
|
node is leaving TPK cluster due to interface health check failure |
|
|
ASA may traceback and reload in Thread Name 'DHCPv6 Relay' |
|
|
ASA/FTD: Traceback on thread name: snmp_master_callback_thread during SNMP and interface changes |
|
|
ASA/FTD : Packet-tracer may displays incorrect ACL rule, though produces correct verdict. |
|
|
SSH to Chassis allows a 3-way handshake for IPs that are not allowed by the config |
|
|
Unable to establish BGP when using MD5 authentication over GRE TUNNEL and FTD as passthrough device |
|
|
Update Configuration State if sync is skipped |
|
|
FP2130- Unable to disassociate member from port channel, deployment fails, member is lost on FTD/FMC |
|
|
ASA/FTD: Connection information in SIP-SDP header remains untranslated with destination static Any |
|
|
FTD may fail to create a NAT rule with error: "IPv4 dst real obj address range is huge" |
|
|
KP: Cleanup/Reformat the second (MSP) disk on FTD reinstall |
|
|
Inconsistent log messages seen when emblem is configured and buffer logging is set to debug |
|
|
ASA in multi context shows standby device in failed state even after MIO HB recovery. |
|
|
ASA integration with umbrella does not work without validation-usage ssl-server. |
|
|
Add CIMC reset as auto-recovery for CIMC IPMI hung issues |
|
|
ASA traceback and reload with the Thread name: **CP Crypto Result Processing** |
|
|
Firewall may drop packets when routing between global or user VRFs |
|
|
ASA access-list entries have the same hash after upgrade |
|
|
[IMS_7_4_0] - Virtual FDM Upgrade fails: HA configStatus='OUT_OF_SYNC after UpgradeOnStandby |
|
|
FTD: GRE traffic is not being load balanced between CPU cores |
|
|
ASA: Traceback and reload while updating ACLs on ASA |
|
|
Cisco Adaptive Security Appliance Software and Firepower Threat Defense DoS |
|
|
FXOS/SSP: System should provide better visibility of DIMM Correctable error events |
|
|
Traffic may be impacted if TLS Server Identity probe timeout is too long |
|
|
ASA/FTD: Traceback and reload with Thread Name 'PTHREAD' |
|
|
access-list: Cannot mix different types of access lists. |
|
|
AnyConnect Ikev2 Login Failed With certificate-group-map Configured |
|
|
Change in syslog message ASA-3-202010 |
|
|
Firewall rings may get stuck and cause packet loss when asp load-balance per-packet auto is used |
|
|
ASAv - High latency is experienced on Azure environment for ICMP ping packets while running snmpwalk |
|
|
Wyoming/SFCN ASA: Wrong values shown DBRG in show crypto ssl objects CLI |
|
|
ASA/FTD client IP missing from TACACS+ request in SSH authentication |
|
|
Improper load-balancing for traffic on ERSPAN interfaces on FPR 3100/4200 |
|
|
PSEQ (Power-Sequencer) firmware may not be upgraded with bundled FXOS upgrade |
|
|
ASA/FTD may traceback and reload citing process name "lina" |
|
|
Traceback in Thread Name: ssh/client in a clustered setup |
|
|
Lina crash in thread name: cli_xml_request_process during FTD cluster upgrade |
|
|
ECMP + NAT for ipsec sessions support request for Firepower. |
|
|
99.20.1.16 lina crash on nat_remove_policy_from_np |
|
|
Traceback and reload on Thread DATAPATH-6-21369 and linked to generation of syslog message ID 202010 |
|
|
Remove Priority-queue command from FTD|| Priority-queue command causes silent egress packet drops |
|
|
Cisco ASA and FTD VPN Web Client Services Client-Side Request Smuggling Vulnerability |
|
|
VPN load-balancing cluster encryption using deprecated ciphers |
|
|
ASA/FTD: Traceback and reload when issuing 'show memory webvpn all objects' |
|
|
DNS cache entry exhaustion leads to traceback |
|
|
2100 Reload due to internal links going down and NPU disconnection |
|
|
FXOS SNMP "property community of sys/svc-ext/snmp-svc is out of range" is unclear to users |
|
|
FTD username with dot fails AAA-RADIUS external authentication login after upgrade |
|
|
ASA SNMP polling not working and showing "Unable to honour this request now" on show commands |
|
|
Reduce time taken to clear stale IKEv2 SAs formed after Duplicate Detection |
|
|
ASA traceback and reload on Thread Name: DHCPRA Monitor |
|
|
vFTD runs out of memory and goes to failed state |
|
|
ASA Traceback & reload on process name lina due to memory header validation |
|
|
FXOS Traceback and reload caused by leak on MTS buffer queue |
|
|
KP2140-HA, reloaded primary unit not able to detect the peer unit |
|
|
FTD/Lina - ZMQ issue OUT OF MEMORY. due to less Msglyr pool memory on certain platforms |
|
|
FTD: HA App sync failure due to fover interface flap on standby unit |
|
|
ASA generating traceback with thread-name: DATAPATH-53-18309 after upgrade to 9.16.4.19 |
|
|
"show route all summary" executed on transparent mode FTD is causing CLISH to become Sluggish. |
|
|
Cisco ASA/FTD Firepower 2100 SSL/TLS Denial of Service Vulnerability |
|
|
Failover: standby unit traceback and reload during modifying access-lists |
|
|
FTDv Single-Arm Proxy behind AWS GWLB drops due to geneve-invalid-udp-checksum. |
|
|
FTD snmpd process traceback and restart |
|
|
FTD taking longer than expected to form OSPF adjacencies after a failover switchover |
|
|
Units get kicked out of the cluster randomly due to HB miss | ASA 9.16.3.220 |
|
|
Firewall Traceback and reload due to SNMP thread |
|
|
FTD: Traceback and reload during OSPF redistribution process execution |
|
|
Cisco ASA and FTD ACLs Not Installed upon Reload |
|
|
FTD Lina engine may traceback, due to assertion, in datapath |
|
|
Add meaningful logs when the maximums system limit rules are hit |
|
|
Avoid both the devices in HA sends events to FMC |
|
|
FTD is dropping GRE traffic from WSA due to NAT failure |
|
|
Dumping of last 20 rmu request response packets failed |
|
|
ASA removes the IKEv2 Remote PSK if the Key String ends with a backslash "\" after reload |
|
|
ASA - The GTP inspection dropped the message 'Delete PDP Context Response' due to an invalid TEID=0 |
|
|
ASA appliance mode - 'connect fxos [admin]' will get ERROR: failed to open connection. |
|
|
ASA: Checkheaps traceback and reload due to Clientless WebVPN |
|
|
FMC process ssp_snmp_trap_fwdr high memory utilization |
|
|
azure vftd node traceback while loading multiple network-service objects during ns_reload. |
|
|
FTD: Firepower 3100 Dynamic Flow Offload showing as Enabled |
|
|
Policy deployment fails when a route same prefix/metric is configured in a separate VRF. |
|
|
Excessive logging of ssp-multi-instance-mode messages to /opt/cisco/platform/logs/messages |
|
|
FTD: SNMP not working on management interface |
|
|
ASA/FTD traceback and reload on thread DATAPATH |
|
|
Cisco ASA Software and FTD Software SAML Assertion Hijack Vulnerability |
|
|
WM RM - SFP port status of 9 follows port of state of SFP 10|11|12 |
|
|
When state-link is flapped HA state changed from Standby-ready to Bulk-sync without failover reason |
|
|
Switch ports in trunk mode may not pass vlan traffic after power loss or reboot |
|
|
ASA/FTD: Traceback and reload due to NAT L7 inspection rewrite |
|
|
ASA: ISA3000 does not respond to entPhySensorValue OID SNMP polls |
|
|
ASA: Traceback and reload on Thread name "fover_FSM_thread" and ha_ntfy_prog_process_timer |
|
|
ECDSA Self-signed certificate using SHA384 for EC521 |
|
|
ASA|FTD: Traceback & reload due to a free buffer corruption |
|
|
FTD Lina traceback Thread Name: DATAPATH due to memory corruption |
|
|
"failover standby config-lock" config is lost after both HA units are reloaded simultaneously |
|
|
OSPFv3 Traffic is Centralized in Transparent Mode |
|
|
FPR1k Switchport passing CDP traffic |
|
|
FMC: ACP Rule with UDP port 6081 is getting removed after subsequent deployment |
|
|
Management UI presents self-signed cert rather than custom CA signed one after upgrade |
|
|
Failed to transfer new image file to FPR2130 and traceback was observed |
|
|
Traceback @<capture_file_show+605 at ../infrastructure/capture/capture_file_finesse.c:282> |
|
|
Radius authentication stopped working after ASAv on AWS upgrade to any higher version than 9.18.2 |
|
|
ASA Traceback & reload on process name lina due to memory header validation - webvpn side fix |
|
|
ASDM application randomly exits/terminates with an alert message on multi-context setup |
|
|
ASA/FTD HA checkheaps crash where memory buffers are corrupted |
|
|
ASA omits port in host field of HTTP header of OCSP request if non-default port begins with 80 |
|
|
Interface speed mismatch in SNMP response using OID .1.3.6.1.2.1.2.2 |
|
|
ASA traceback on Lina process with FREEB and VPN functions |
|
|
FTDv/AWS - NTP clock offset between Lina and FTD cluster |
|
|
FPR1010 in HA failed to send or receive to GARP/ARP with error "edsa_rcv: out_drop" |
|
|
ASA/FTD: Traceback and reload due to NAT change and DVTI in use |
|
|
ASA/FTD traceback and reload when invoking "show webvpn saml idp" CLI command |
|
|
ASA/FTD may traceback and reload in Thread Name "RAND_DRBG_bytes" and CTM function on n5 platforms |
|
|
Incorrect exit interface choose for VTI traffic next-hop |
|
|
ASA/FTD may traceback and reload in when changing capture buffer size |
|
|
Lina CiscoSSL upgrade to 1.1.1v and FOM 7.3a |
|
|
FTD 7.0.4 cluster drops Oracle's sqlnet packets due to tcp-not-syn |
|
|
Lina crash in snp_fp_tcp_normalizer() when DAQ/Snort sends malformed L3 header |
|
|
ARP learning issues with Multiple-instance running 100G Netmod |
|
|
Incorrect Hit count statistics on ASA Cluster only for Cluster-wide output |
|
|
SNMP is not working on the primary active ASA unit in multi-context environment |
|
|
Site-to-Site VPN tunnel status on FMC shows down even though it is UP from FTD side |
|
|
Include "show env tech" in FXOS FPRM troubleshoot |
|
|
ASA/FTD Cluster: Reuse of TCP Randomized Sequence number on two different conns with same 5 tuple |
|
|
741 - HA & AppAgent - Long term solution for avoiding momentary split-brain situations |
|
|
Logging improvement for messages exchange between LinaConfigTool and xml server |
|
|
ASA unexpected HA failover due to MIO blade heartbeat failure |
|
|
ASA traceback when re-configuring access-list |
|
|
FXOS: Remove enforcement of blades going into degraded state after multiple DIMM correctable errors |
|
|
Cisco ASA and FTD Software Remote Access VPN Unauthorized Access Vulnerability |
|
|
PAC Key file missing on standby on reload |
|
|
FXOS: Alperton 100G NetMod not being acknowledged properly |
|
|
ASA software on FP3110 showing incorrect serial number in show inventory output |
|
|
FTD VMWare: High disk utilization on /dev/sda8 partition caused by file system corruption |
|
|
Connections are not cleared after idle timeout when the interfaces are in inline mode. |
|
|
Chassis Manager shows HTTP 500 Internal Server error in specific cases |
|
|
Specific OID 1.3.6.1.2.1.25 should not be responding |
|
|
ASA: Traceback and reload when switching from single to multiple mode |
|
|
ASA/FTD: 1 Second failover delay for each NLP NAT rule |
|
|
Ping to the configured systemIP on management interface getting failed in cluster setup. |
|
|
ASA/FTD may traceback and reload in Thread Name 'ssh' when adding SNMPV3 config |
|
|
FTD - Traceback and reload due to nat rule removed by CPU core |
|
|
ASDM management-sessions quota reached due to HTTP sessions stuck in CLOSE_WAIT |
|
|
FTD responding to UDP500 packet with a Mac Address of 0000.000.000 |
|
|
ASA "pager line 25" command doesn't work as expected on few terminal applications |
|
|
FTD hosted on KP incorrectly dropping decoded ESP packets if pre-filter action is analyze |
|
|
ASA traceback due to panic event during SNMP configuration |
|
|
ASA/FTD: NAT64 error "overlaps with inside standby interface address" for Standalone ASA |
|
|
FTD Block 9344 leak due to fragmented GRE traffic over inline-set interface inner-flow processing |
|
|
Strong Encryption license is not getting applied to ASA firewalls in HA. |
|
|
FTD/ASA traceback and reload may occur when ssl packet debugs are enabled |
|
|
Cisco ASA and FTD Software Remote Access VPN Unauthorized Access Vulnerability |
|
|
2100: Interfaces missing from FTD after removing interfaces as members of a port-channel |
|
|
ASA/FTD may traceback and reload in Thread Name 'dns_cache_timer' |
|
|
ASA allows same BGP Dynamic routing process for Physical Data and management-only interfaces |
|
|
FTD: Failover/High Availability disabled with Mate version 0.0 is not compatible |
|
|
"show aaa-server" command always shows the Average round trip time 0ms. |
|
|
ASA/FTD may traceback and reload while running show inventory |
|
|
4200 Series: Portchannel in cluster may stay down sometimes when LACP is in active mode |
|
|
Message asa_log_client exited 1 time(s) seen multiple times |
|
|
ASA:Management access via IPSec tunnel is NOT working |
|
|
The FMC is showing "The password encryption key has not been set" alert for a 11xx/21xx/31xx device |
|
|
FXOS: svc_sam_dcosAG process getting crashed repeatedly on FirePower 4100 |
|
|
After rebooting, the future date set on the FPR2100 platform is not reflected (set clock manually) |
|
|
ASA does not send 'warmstart' snmp trap |
|
|
ASA/FTD traceback and reload with IPSec VPN, possibly involving upgrade |
|
|
Source NAT Rule performing incorrect translation due to interface overload |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' while processing DAP data |
|
|
Fragmented UDP packet via MPLS tunnel reassemble fail |
|
|
NAT pool is not working properly despite not reaching the 32k object ID limit. |
|
|
Multicast through the box traffic causing high CPU with 1GBps traffic |
|
|
FTD Upgrade from 6.6.5 to 7.2.5 removing OGS causing rule expansion on boot |
|
|
Lina core at snp_nat_xlate_verify_magic.part and soft traces |
|
|
FTD SNMPv3 host configuration gets deleted from IPTABLES after adding host-group configuration |
|
|
LINA show tech-support fails to generate as part of sf_troubleshoot.pl (Troubleshoot file) |
|
|
ASDM can not see log timestamp after enable logging timestamp on cli |
|
|
Configuring and unconfiguring "match ip address test" may lead to traceback |
|
|
Firepower WCCP router-id changes randomly when VRFs are configured |
|
|
FTD: Traceback and Reload in Process Name: lina |
|
|
Configuration to disable TLS1.3 |
|
|
FTD-HA does not fail over sometimes when snort3 crashes |
|
|
ASA: Traceback and reload when restore configuration using CLI |
|
|
WM DT - ASA in transparent mode doesn't send equal IPv6 Router Advertisement packets to all nodes |
|
|
Timestamp entry missing for some syslog messages sent to syslog server |
|
|
Community string sent from router is not matching ASA |
|
|
ASA/FTD may traceback and reload due to watchdog time exceeding the default 15 seconds |
|
|
Secondary lost failover communication on Inside, using IPv6, but next testing of Inside passes |
|
|
CSF 4200: PSU Fan speed is critical |
|
|
FXOS : Duplication of NTP entry results in Error message : Unreachable Or Invalid Ntp Server |
|
|
Coverity 886745: OVERRUN in verify_generic_signature |
|
|
ASA traceback under match_partial_keyword during CPU profiling |
|
|
ASA: Traceback and reload when executing the command "show nat pool detail" on a cluster setup |
|
|
ASA/FTD traceback and reload on process fsm_send_config_info_initiator |
|
|
[Multi-Instance] Second Hard Drive (FPR-MSP-SSD) not in use |
|
|
ASA/FTD HA pair EIGRP routes getting flushed after failover |
|
|
ASA/FTD: Traceback and reload on thread name CP Crypto Result Processing |
|
|
VTI tunnel goes down due to route change detected in VRF scenario |
|
|
In FPR4200/FPR3100-cluster observed core file "core.lina" observed on device reboot. |
|
|
FTD installation fails on FPR-2K "Error in App Instance FTD. Available memory not updated by blade" |
|
|
FTD: Traceback in threadname cli_xml_request_process |
|
|
Firewall shows misleading SCP file copy failure reasons |
|
|
crypto_archive file generated after the software upgrade. |
|
|
File copy via SCP using ciscossh stack fails with error "no such file or directory" |
|
|
Last Rule hit shows a hex value ahead of current time in ASA and ASDM |
|
|
Unexpected traceback on thread name Lina and device experienced reboot |
|
|
GTP connections, under certain circumstances do not get cleared on issuing clear conn. |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
Datapath hogs causing clustering units to get kicked out of the cluster |
|
|
Management DNS Servers may be unreachable if data interface is used as the gateway |
|
|
ASA: Traceback and reload during tests of High number of traffic flows and syslog messages |
|
|
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-34-17852' |
|
|
FTD VMWare tracebacks at PTHREAD-3587 |
|
|
SNMP OID ifOutDiscards on MIO are always zero despite show interface are non-zero |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
FTD sends multiple replicated NetFlow records for the same flow event |
|
|
FTD 1120 standby sudden reboot |
|
|
SNMP Unresponsive when snmp-server host specified |
|
|
Traceback on FP2140 without any trigger point. |
|
|
Cross ifc access: Revert PING to old non-cross ifc behavior |
|
|
FTD upgrade failing on script 999_finish/999_zz_install_bundle.sh |
|
|
ASA - Traceback the standby device while HA sync ACL-DAP |
|
|
Certificate Encoding Issue when using AnyConnect cert Authentication/Authorisation |
|
|
ASA/FTD traceback and reload on thread DATAPATH |
|
|
FTD OSPFV3 IPV6 Routing: FTD is sending unsupported extended LSA request to neighbor routers |
|
|
ASA cluster traceback Thread Name: DATAPATH-8-17824 |
|
|
Hardware bypass not working as expected in FP3140 |
|
|
Config-url is accepting directory as the config file |
|
|
ASA/FTD - may traceback and reload in Thread Name 'Unicorn Proxy Thread' |
|
|
ASA traceback and reload during ACL configuration modification |
|
|
Firewall traceback and reload due to SSH thread |
|
|
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-13-6022' |
|
|
FTD/ASA may traceback and reload in PKI, syslog, during upgrade |
|
|
VPN load-balancing cluster encryption using Phase 2 deprecated ciphers |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' due to a watchdog in 9.16.3.23 code |
|
|
ASA/FTD high memory usage due to SNMP caused by RAVPN OID polling |
|
|
FTD with may traceback in data-path during deployment when enabling TAP mode |
|
|
FailSafe admin password is not properly sync'd with system context enable pw |
|
|
ASA: The logical device may boot into failsafe mode because of a large configuration. |
|
|
Device/port-channel goes down with a core generated for portmanager |
|
|
ASA dropping IPSEC traffic incorrectly when "ip verify reverse-path" is configured |
|
|
ASA : Modifying a route-map in one context affects other contexts |
|
|
ASA SNMP OID cpmCPUTotalPhysicalIndex returning zero values instead of CPU index values |
|
|
Stale asp entry for TCP 443 remains on standby after changing default port |
|
|
Cisco FXOS Software Link Layer Discovery Protocol Denial of Service Vulnerability |
|
|
OSPF Redistribution route-map with prefix-list not working after upgrade |
|
|
Alert: Decommission failed, reason: Internal error is not cleared from FCM or CLI after acknowledge |
|
|
PSU fan shows critical in show environment output while operating normally |
|
|
FTD ADI debugs may show incorrect server_group and/or realm_id for SAML-authenticated sessions |
|
|
ASA/FTD: SSL VPN Second Factor Fields Disappear |
|
|
Username-from-certificate secondary attribute is not extracted if the first attribute is missing |
|
|
ipv6 table flush exception when cli_firstboot installs bootstrap configuration multi instance |
|
|
ASA: Snmpwalk shows "No Such Instance" for the OID ceSensorExtThresholdValue |
|
|
TLS1.3: core decode points to tls_trk_try_switch_to_bypass_aux() |
|
|
use kill tree function in SMA instead of SIGTERM |
|
|
Detailed logging related to reason behind sub-interface admin state change during operations |
|
|
Policy Apply failed moving from FDM to FMC |
|
|
Hairpinning of DCE/RPC traffic during the suboptimal lookup |
|
|
ASA/FTD: Traceback and reload when running show tech and under High Memory utilization condition |
|
|
Radius traffic not passing after ASA upgrade 9.18.2 and above version. |
|
|
ASA/FTD may traceback and reload in Thread Name IKEv2 Daemon |
|
|
ASA traceback and reload on Thread Name: DATAPATH |
|
|
GTP inspection dropping packets with IE 152 due to header length being invalid for IE type 152 |
|
|
low memory/stress causing traceback in SNMP |
|
|
ISA3000 Traceback and reload boot loop |
|
|
Snort3 traceback with fqdn traffics |
|
|
ASA/FTD: DNS Load Balancing with SAML does not work with VPN Load Balancing |
|
|
ASA/FTD: Cluster incorrectly generating syslog 202010 for invalid packets destined to PAT IP |
|
|
FTD drops double tagged BPDUs. |
|
|
FTDv may traceback and reload in Thread Name 'PTHREAD-3744' when changing interface status |
|
|
ASA traceback and reload on Thread Name: pix_flash_config_thread |
|
|
ASA|FTD Traceback & reload in thread name Datapath |
|
|
Their standalone FTD running 7.2.2 on FPR-4112 experienced a traceback on the SNMP module |
|
|
Service object-group protocol type mismatch error seen while access-list referencing already |
|
|
Unable to Synch more than 100 environment-data with data unit |
|
|
SSL protocol settings does not modify the FDM GUI certificate configuration or disable TLSv1.1 |
|
|
ASA/FTD : Port-channels remain down on Firepower 1010 devices after upgrade |
|
|
Interface fragment queue may get stuck at 2/3 of fragment database size |
|
|
Cut-Through Proxy feature spikes CP CPU with a flood of un-authenticated traffic |
|
|
ASA Traceback and reload on Thread Name "fover_parse" on Standby after Failover Group changes |
|
|
interface idb logging log rotation to FXOS logrotate utility |
|
|
RAVPN SAML: External browser gives misleading message when FTD/ASA fails to parse assertion |
|
|
Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Access Control Rules Bypass Vulnerability |
|
|
Blocking SMB traffic with reason "Blocked by the firewall preprocessor" |
|
|
Multiple lina cores on 7.2.6 KP2110 managed by cdFMC |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
CVE-2023-51385 (Medium Sev) In ssh in OpenSSH before 9.6, OS command injection might occur if a us |
|
|
Debugs failed to be enabled on SSH session |
|
|
The SSH transport protocol with certain OpenSSH extensions, found in ... (CVE-2023-48795) |
|
|
ASA/FTD Traceback and reload related to SSL/DTLS traffic processing |
|
|
Null pointer dereference in SNMP that results in traceback and reload |
|
|
ASA/FTD may traceback and reload in Thread Name "appAgent_monitor_nd_thread" & Rip: _lina_assert. |
|
|
traceback and reload around function HA |
|
|
DHCPv6:ASA traceback on Thread Name: DHCPv6 CLIENT. |
|
|
WARN msg(speed not compatible, suspended) while creating port-channel on Victoria CE |
|
|
ASA/FTD may traceback and reload in Thread Name 'webvpn_task' |
|
|
Policy deployment failures on TPK MI chassis after redeploying same instance |
|
|
Error logs generated for ssh access to ASA when eddsa is used as kex hostkey |
|
|
Continuous snmpd restarts observed if SNMP host is configured before the IP is configured |
|
|
ASA/FTD: Memory leak caused by Failover not freeing dnscrypt key cache due to unsyned umbrella flow |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
Intermittent Packet Losses When VTI Is Sourced From Loopback |
|
|
Firewall is in App Sync error in pseudo-standby mode and uses IPs from Active unit |
|
|
"Stream: TCP normalization error in NO_TIMESTAMP" is seen when SSL Policy decrypt all is used |
|
|
ASA/FTD traceback and reload in Thread Name: IKEv2 Daemon when moving from active to standby HA |
|
|
Standby FTD experiencing periodic traceback and reload |
|
|
Memory exhaustion due to absence of freeing up mechanism for tmatch |
|
|
Transparent firewall MAC filter does not capture frames with STP-UplinkFast dst MAC consistently |
|
|
FP2100/FP1000: ASA Smart licenses lost after reload |
|
|
ASDM connection lost issue is observed in ASAv device due to config issue |
|
|
41xx/93xx : Update CiscoSSH (Chassis Manager FXOS) to address CVE-2023-48795 |
|
|
IKEv2 client services is not getting enabled - XML profile is not downloaded |
|
|
FTD/Lina traceback and reload of HA pairs, in data path, after adding NAT policy |
|
|
some ssh sessions not timing out, leading to ssh and console unable to connect to the FXOS CLI |
|
|
Policy Deployment Fails when removing the Umbrella DNS Policy from Security Intelligence |
|
|
Incorrect Timezone Format on FTD When Configured via FXOS |
|
|
ASA CLI hangs with 'show run' on multiple SSH |
|
|
TLS Server Identify: 'show asp table socket' output shows multiple TLS_TRK entries |
|
|
Traceback and reload on Primary unit while running debugs over the SSH session |
|
|
Cisco ASA and FTD Software Command Injection Vulnerability |
|
|
FTD/ASA system clock resets to year 2023 |
|
|
Access to website via Clientless SSL VPN Fails |
|
|
FTD/ASA - SNMP queries using snmpwalk are not displaying all "nameif" interfaces |
|
|
ASA SNMP Polling Failure for environmental FXOS DME MIB (.1.3.6.1.4.1.9.9.826.2) |
|
|
"crypto ikev2 limit queue sa_init" resets after reboot |
|
|
FTD: Hostname Missing from Syslog Message |
|
|
FTD SNMP OID 1.3.6.1.4.1.9.9.109.1.1.1.1.7 always returns 0% for SysProc Average |
|
|
SSH/SNMP connections to non-admin contexts fail after software upgrade |
|
|
Chromium-based browsers have SSL connection conflicts when FIPS CC is enabled on the firewall. |
|
|
ASA traceback and reload after configuring capture on nlp_int_tap and deleting context |
|
|
FTD traceback assert in vni_idb_get_mode and reloaded |
|
|
EIGRP bandwidth is changing after upgrade or after "shutdown"/"no shutdown" commands |
|
|
Cisco ASA and FTD Software Persistent Local Code Execution Vulnerability |
|
|
Policy deployment failure rollback didn't reconfigure the FTD devices |
|
|
ASA Checkheaps traceback while entering same engineID twice |
|
|
In Spoke dual ISP case if ISP2 is down, VTI tunnels related to ISP1 flapping. |
|
|
ENH: FTD Add debug message to indicate "No CRL found in User identity Certificate" |
|
|
Intermittent loss of management traffic due to DHCP service failing to start |
|
|
ASA/FTD may traceback and reload in Thread Name DATAPATH due to GTP Spin Lock Assertion |
|
|
ASA upgrade from 9.16 to 9.18 causing change in AAA ldap attribute values by adding extra slash '\' |
|
|
FTW no longer working in NM3 on Warwick |
|
|
An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.1 |
|
|
FTD: HostScan scanning results not processed in version 7.4.1 |
|
|
ICMP replies randomly do not reach the sender node when initiated from the node. |
|
|
Upload files through Clientless portal is not working as expected after the ASA upgrade |
|
|
FP 3100 MTU change on management interface is NOT persistent across reboots (returns to default MTU) |
|
|
The secondary device reloaded while rebooting the primary device. |
|
|
Cisco ASA and FTD Software Web Services Denial of Service Vulnerability |
|
|
Web Contents files appear as text/plain when they should be application/octet-stream |
|
|
Crypto IPSEC SA Output Showing NO SA ERROR With IPSEC Offload Enabled |
|
|
SAML: Single sign-on AnyConnect token verification failure is seen after successful authentication |
|
|
username containing '@' character works for asa login but fails for 'connect fxos' |
|
|
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-6-26174' |
|
|
FTD - Trace back and reload due to NAT involving fqdn objects |
|
|
ASA: Warning messages not displayed when Static interface NAT are configured |
|
|
FTDv reloads and generate backtrace after push EIGRP config |
|
|
FTD with Interface object optimization enabled is blocking traffic after renaming of zone names |
|
|
Active unit goes to disabled state when there is a mismatch in firewall mode |
|
|
Lina traceback and reload due to mps_hash_memory pointing to null hash table |
|
|
After upgrading the ASA, “Slot 1: ATA Compact Flash memory” shows a different value |
|
|
Error when running 'show tech-support module detail' on FPR9K |
|
|
FTD/ASA : CSR generation with comma between “Company Name” attribute does not work as expected |
|
|
Addition of debugs & a show command to capture the ID usage in the CTS SXP flow. |
|
|
TLS Secure Client sessions cannot be established on FTD Due to RSA-PSS Signing Algorithm |
|
|
Segmentation fault with "logger_msg_dispatch" while HA sync |
|
|
Clientless VPN users are unable to reach pages with HTTP Basic Authentication |
|
|
ASA/FTD may traceback and reload while handling DTLS traffic |
|
|
IKEv2 tunnels flap due to fragmentation and throttling caused by multiple ciphers/proposal |
|
|
ASA/FTD Cluster memory exhaustion caused by NAT process during release of port blocks allocations |
|
|
Disk quota for the corefile should be revisited based on platform |
|
|
Command to show counters for access-policy filtered with a source IP address gives incorrect result |
|
|
Multiple context interfaces fail to pass traffic |
|
|
Dns-guard prematurely closing conn due to timing condition |
|
|
ASA traceback with thread name SSH |
|
|
High latency observed on FPR3120 |
|
|
ASA/FTD may traceback in Threadname: **CTM KC FPGA stats handler** |
|
|
SNMP poll for some OIDs may cause CPU hogs and high latency can be observed for ICMP packets |
|
|
when set the route-map in route RIP on FTD, routes update is not working after FTD reload |
|
|
Cisco Secure Client Unable to complete connection. Cisco Secure Desktop not installed on the client. |
|
|
ASA traceback and reload when accessing file system from ASDM |
|
|
Crypto IPSEC Negotiation Failing At "Failed to compute a hash value" |
|
|
All IPV6 BGP routes configured in device flapping |
|
|
Radius secret key of over 14 characters for external authentication does not get deployed (FPR3100) |
|
|
ASA/FTD: A delay in an async crypto command induces a traceback and subsequently a reload. |
|
|
FPR3K loses connectivity to FMC via mgmt data interface on reboot of FPR3K |
|
|
ASA: Running the failsafe-exit command caused the interface to enter a DISABLED state |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' due to SCP/SSH process |
|
|
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-1-16803' |
|
|
Error message spammed to console on Firepower 2100 devices while enabling SSH config |
|
|
Snmpwalk throws Error messages #"snmp/error: truncating integer value > 32 bits" |
|
|
Console Access Stuck for ASAv hosted in CSP after Upgrade to 9.18.3.56 |
|
|
- FTD/ASA-HA configs not in sync as the command sync process is sending configs with special chars
- Default Hashing Algorithm is SHA1 for Firepower Chassis Manager Certificate on 4110
- SNMP host group content change results in SNMP process termination on management interface
- ASA - Bookmarks on the WebVPN portal are unreachable after successful login.
- ASA may traceback and reload in Thread Name 'DATAPATH-21-16432'
- SNMP OID for CPUTotal1min omits snort cpu cores entries when polled
- ASAv Memory leak involving PKI/Crypto for VPN
- FTD LINA Traceback and Reload idfw_proc Thread
- FTD - Trace back and reload due to NAT involving fqdn objects
- ASA/FTD may traceback and reload in Thread Name 'sdi_work'
- TLS Handshake Fails if Fragmented Client Hello Packet is Received Out of Order
- FTD/ASA : Standby FTD traceback and reload after enabling memory tracking
- FAN is working as expected but FAN LED is in off state.
- Seeing message "reg_fover_nlp_sessions: failover ioctl C_FOREG failed"
- High LINA CPU observed due to NetFlow configuration
- Standby Unit Interfaces enter "Waiting" Status Post-FTD Upgrade Due to Incorrect "Hello" Message MAC
- ASA/FTD may traceback and reload in Thread Name 'fover_FSM_thread'
- FPR2100-ASA Unable to generate CSR without FXOS IP address on SAN field
- FTD may traceback and reload in process name lina while processing appAgent msg reply
- FTD HA: Traceback and reload in netsnmp_oid_compare_ll
- Failsafe mode default values are unattainable on some platforms need adjustment per platform/mode
- RAVPN: Failure to create SGT-IP mapping due to ID table exhaustion
- Unable to run "nslookup" command on FXOS
- Browser redirects to logon page when the user clicks the WebVPN bookmark
- "show inventory" output shows Name: "power supply 0" on Firepower
- ASA Fails to initiate AAA Authentication with IKEv2-EAP and Windows Native VPN Client
- WebVPN connections stuck in CLOSEWAIT state
- ASA/FTD may traceback and reload in Thread Name PTHREAD
- FPR 21xx - Traceback in Process Name: lina-mps during normal operations
- ASA CLI hangs with 'show run' with multiple ssh sessions
- ASA/FTD SNMP polling fails due to overlapping networks in snmp-server host-group
- "set ip next-hop" line deleted from config at reload if IP address is matched to a NAME
- Serviceability : Improve routing infra debugs and add new for error conditions
- Clock skew between FXOS and Lina causes SAML assertion processing failure
- FTD/ASA traceback and reload due to 'show bgp summary' memory leak
- command to print the debug menu setting of service worker
- Clock skew: FXOS clock diverges from Lina NTP time ~1-10 secs
- Connectivity failure due to mismatch between l2_table and subinterface mac address
- Traceback and reload on active unit due to HA break operation.
- SNMP polling of admin context mgmt interface fails to show all interfaces across all contexts
- ASA/FTD incorrectly forwards extended community attribute after upgrade.
- Bring back support for portal-access-rule for weblaunch for RAVPN sessions
- FTD : Management interface showing down despite being up and operational
- Traffic drop with 'rule-transaction-in-progress' after failover with TCM cfgd in multi-ctx mode
- State Link Stops Sending Hello Messages Post-Failover Triggered by Snort Crash in FTD HA
- FTD doesn't send Type A query after receiving a refuse error from one DNS server in AAAA query.
- ESP sequence number of 0 being sent after SA establishment/rekey
- Add warning message when configuring CCL MTU
- Radius server configuration for FTD external authentication is not deployed to FTD.
- Snmpwalk displays incorrect interface speeds for values greater or equal than 10G
- FTD/ASA - VPN traffic flowing through the device may trigger tracebacks and reloads.
- ENH: Add application support for blocking consecutive AAA failures on LINA
- Backup feature does not save/restore DAP configuration in multiple context mode.
- ASA/FTD: Substantial increase in the time taken to load configuration
- ASA/FTD may traceback and reload in Thread Name 'lina'
- NAT_HARDEN: CGNAT breaks when mapped ifc is configured as any
- 256/1550 block depletion process fover_thread
- High cpu on "update block depletion" causing BGP flap terminated on FTD
- SGT INLINE-TAG added after upgrade to 7.4.x
- ASA/FTD may traceback and reload in Thread Name 'PTHREAD-1756'
- Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Remote Access SSL VPN Denial of Service Vulnerability
- Packet-tracer output incorrectly appends 'control-plane' to drops for data-plane access-group
- IPv6 SSL Anyconnect access blocked in HA pair
- Instrument new logs in the startup process to collect more information
- FTD LINA Traceback and Reload dhcp_daemon Thread
- Address SSP OpenSSH regreSSHion vulnerability
- Evaluation of ssp for OpenSSH regreSSHion vulnerability
- ASA might traceback and reload due to ssh/client hitting a null pointer while using SCP.
- NTP is not synchronising when using SHA-1 authentication
- Failover prompt shows state active while the firewall is in Negotiation
- FXOS upgrade failure due to insufficient free space in /mnt/pss (isan.log consumes most of space)
- FTD running on FPR 2k with LDAP skips backslash when updating ldap.conf
- S2S VPN with 3rd party broken after upgrading FPR 9.20

Cisco General Terms
The Cisco General Terms (including other related terms) governs the use of Cisco software. You can request a physical copy from Cisco Systems, Inc., P.O. Box 641387, San Jose, CA 95164-1387. Non-Cisco software purchased from Cisco is subject to applicable vendor license terms. See also: https://cisco.com/go/generalterms.
Related Documentation
For additional information on the ASA, see Navigating the Cisco Secure Firewall ASA Series Documentation.
