Bugs listed for a patch were verified as resolved when that patch was initially released.
 Note |
For your convenience, this document provides lists of resolved bugs for each patch. These lists are auto-generated once and are not subsequently updated. Depending on how (and when) a particular resolved issue was categorized or updated in our system, it may not appear in the release notes. This does not mean that the issue is not resolved. You should regard the Cisco Bug Search Tool as the 'source of truth.' |
If you have a support contract, you can use the Cisco Bug Search Tool to obtain an up-to-date list of resolved bugs for Firepower products. These general queries display resolved bugs for Firepower products running Version 6.4.0.x patches:
You can constrain searches to bugs affecting specific Firepower platforms and versions. You can also search by bug ID, or for specific keywords.
Sometimes Cisco releases updated builds. In most cases, only the latest build for each platform is available on the Cisco Support & Download site. We strongly recommend you use the latest build. If you downloaded an earlier build, do not use it.
You cannot upgrade from one build to another for the same Firepower version. If a new build would fix your issue, determine if an upgrade or hotfix would work instead. If not, you must uninstall and then reinstall. Sometimes, you may need to.
Use this table to determine if a new Version 6.4.0.x build is available for your platform.
| Version | New Build | Released |
Platforms |
Resolves |
|---|---|---|---|---|
|
6.4.0.2 |
35 |
2019-07-03 |
FMC/FMCv FTD/FTDv, except Firepower 1000 series |
CSCvq34224: Firepower Primary Detection Engine process terminated after Manager upgrade If you already upgraded to Version 6.4.0.2-34 and have FTD devices configured for high availability, apply Hotfix F. In FMC deployments, apply the hotfix to the FMC. In FDM deployments, apply the hotfix to both devices. The hotfix is available on the Cisco Support & Download site, in the same location as the Version 6.4.0.2 upgrade packages. |
| Bug ID | Headline |
|---|---|
|
Intrusion Event Performance Graphs load blank on 4100 and 9300 |
|
|
SDI - SUSPENDED servers cause 15sec delay in the completion of a authentication with a good server |
|
|
ASA Enhancement: Generate syslog message once member of the SDI cluster changes state |
|
|
Traceback in VPN Clustering HA timer thread when member tries to join the cluster |
|
|
OSPF Process ID doesnot change even after clearing OSPF process |
|
|
ENH: ACE details for warning "found duplicate element" |
|
|
ENH: Add process information to "Command Ignored, configuration in progress..." |
|
|
FTD inline/transparent sends packets back through the ingress interface |
|
|
cts import-pac tftp: syntax does not work |
|
|
Option to display port number on access-list instead of well known port name on ASA |
|
|
ASA HA IKEv2 generic RA - AnyConnect Premium All In Use incorrect on standby |
|
|
Cisco ASA and Firepower Threat Defense Software WebVPN Cross-Site Scripting Vulnerability |
|
|
LINA traceback on ASA in HA Active Unit repeatedly |
|
|
FILE RESUME BLOCK being randomly thrown causing access issues on files from SMB share. |
|
|
"Too much data during a write" messages flooding communication channel |
|
|
Cisco ASA and FTD Software WebVPN CPU Denial of Service Vulnerability |
|
|
Cluster master reload cause ping failure to the Management virtual IP |
|
|
Upload an update gives "update request entity too large" error when using CAC(HTTPS Client Certs) |
|
|
ASA failover LANTEST messages are sent on first 10 interfaces in the configuration. |
|
|
VPN Pre-deploy validations takes around 20 seconds for each device |
|
|
FTD LINA traceback at DATAPATH-8-15821 |
|
|
FP2100 - Flow oversubscribing ring/CPU core causing disruption to working flows on FP2100 platforms |
|
|
ENH: ASA Cluster debug for syn cookie issues |
|
|
lost heartbeat causing reload |
|
|
ASA is unable to verify the file integrity |
|
|
FTD 4150 VPN s2s deployment failure with 6K spokes |
|
|
FTD/ASA : Traceback in Datapath with assert snp_tcp_intercept_assert_disabled |
|
|
Policy deployment to FP 8000 sensor is failing when NAT is configured |
|
|
SSL VPN may not be able to establish due to SSL negotiation issue |
|
|
When only IP communication is disrupted on failover link LANTEST msg is not sent on data interfaces |
|
|
Connection events stop coming from device after lost handshake message |
|
|
ASA traceback observed when moving EZVPN spokes to the device. |
|
|
Dual stacked ASAv manual failover issues |
|
|
ASA5515-K9 standby traceback in Thread Name ssh |
|
|
ASA Traceback on Saleen in Thread Name: IPv6 IDB |
|
|
Disable asp load-balance per-packet functionality from fp2100 until all bugs fixed |
|
|
Traceback: Cluster unit lina assertion in thread name:Cluster controller |
|
|
ASA cluster does not flush OSPF routes |
|
|
Slow "securityzones" REST API |
|
|
FPR2100 FTD Standby unit leaking 9K blocks |
|
|
High Disk Utilization due to mysql-server.err failing to rotate after CSCvn30118 |
|
|
ASA:BGP recursive route lookup for destination 3 hop away is failing. |
|
|
F_RNA_EVENT_LIMIT for MC4000 should be 20 million |
|
|
Connections fail to replicate in failover due to failover descriptor mis-match on port-channels |
|
|
ASA generates incorrect error message about PCI cfg space when enumerating Internal-Data0/1 |
|
|
VPN events between 12 and 1 PM UTC are not displayed on the FMC |
|
|
DNS lookup using mgmt VRF not possible because FMC doesn't allow interface after server address |
|
|
Active device is not reporting correct peer state. |
|
|
Flow Offload Hashing Change of Behavior |
|
|
ASA traceback in Thread IPsec Message Handler |
|
|
Deployment rollback causes momentary traffic drop when error in a LINA ONLY section of delta cli |
|
|
where clause not working for external data base access |
|
|
Policy deployment fails with 400+ interfaces in security zone due to incorrect formation of deployDB |
| Bug ID | Headline |
|---|---|
|
Read sAMAccountUserName from ISE when it is available |
|
|
InlineResult for IPS event missing metadata "Would have blocked" |
|
|
URL Filtering Shows All URLs as Uncategorized |
|
|
Upgrade anomalies result in policy deploy failure: NGFW_UPGRADE is missing in map file |
|
|
Fail to Wire configuration disabled for multiple interface-pair inline-sets during FTD upgrades |
|
|
Security Intelligence does not drop HTTPS connections to blacklisted URLs when SSL policy is enabled |
|
|
Must disable and then re-enable SNMP in FMC UI after adding new user |
|
|
Flooding of logs with message "Unknown HPQ rule key" |
|
|
Unable to login with AD username containing upper case RADIUS |
|
|
SNMPv3 User(s) deleted after upgrade |
|
|
Warrning "There is an empty group in the source networks" in SSL policy |
|
|
User login fails into FMC GUI for LDAP user if the password contains SPACE in the string |
|
|
File policy not inspecting some malware document (.doc) and Adobe flash (.swf) files. |
|
|
Slow device related REST API calls |
|
|
FMT | MTU value not within the permissible range |
|
|
Policy deployment from FMC to FTD fails due to domain_snapshot_timeout (20m) |
| Bug ID | Headline |
|---|---|
|
Traceback on Thread Name: DATAPATH-2-1785 |
|
|
False positive for general microengine fault |
|
|
ASA IKEv2 unable to open aaa session: session limit [2048] reached |
|
|
ASA traceback with Thread: DATAPATH-8-2035 |
|
|
ASA Traceback (watchdog timeout) when syncing config from active unit (inc. cachefs_umount) |
|
|
"default Keyring's certificate is invalid, reason: expired" health alert |
|
|
Traceback in DATAPATH on ASA |
|
|
Route tracking failure |
|
|
ENH: ASA - support for more than 4 servers in multiple mode. |
|
|
Port-Channel issues on HA link |
|
|
IKEv2: IKEv2-PROTO-2: Failed to allocate PSH from platform |
|
|
review of CVE-2016-8858 (OpenSSH) on Firepower software |
|
|
Graceful Restart BGP does not work intermittently |
|
|
Control-plane ACL doesn't work correctly on FTD |
|
|
ASA Multicontext traceback and reload due to allocate-interface out of range command |
|
|
FXOS lacp related logs pktmgr.out and lacp.out grows too large |
|
|
ASA may traceback in thread logger when cluster is enabled on slave unit |
|
|
ASA may traceback and reload while waiting for "dns_cache_timer" process to finish. |
|
|
Cisco FirePower Threat Defense Information Disclosure Vulnerability |
|
|
Traceback in threadname DATAPATH-0-1668 while freeing memory block |
|
|
ASA SCP transfer to box stall mid-transfer |
|
|
ASA traceback in thread SSH |
|
|
Lina does not properly report the error for configuration line that is too long |
|
|
SCP large file transfer to the box result in a traceback |
|
|
ASA App stuck in installing state on few images |
|
|
ASA: BGP routes is cleared on routing table after failover occur and bgp routes are changed |
|
|
Traceback and reload citing Datapath as affected thread |
|
|
management-only of diagnostic I/F on secondary FTD get disappeared |
|
|
ASA may traceback and reload. Potentially related to WebVPN traffic |
|
|
6.4.0 - IPv6 routing doesn't work for WM and KP when mgmt gateway configure as data-interfaces |
|
|
Cisco Adaptive Security Appliance Smart Tunnel Vulnerabilities |
|
|
Standby Firewall reloads with a traceback upon doing a manual failover |
|
|
HTTP with ipv6 using w3m is failing |
|
|
ASA sends password in plain text for "copy" command |
|
|
ASA unable to authenticate users with special characters via https |
|
|
LACPDUs should not be sent to snort for inline-set interfaces |
|
|
The delay command in interface configuration is modified after rebooted |
|
|
ASA may traceback and reload. suspecting webvpn related |
|
|
ASAv Azure: Route table BGP propagation setting reset when ASAv fails over |
|
|
Unable to process gtpv1 identification req message for header TEID : 0 |
|
|
ASA drops GTPV1 SGSN Context Req message with header TEID:0 |
|
|
ASA/FTD generates syslog for missing SSD 2: /dev/sdb is present. Status: Inoperable. |
|
|
Syslog alerts are not sent to server when Global Rule Thresholding is disabled on Intrusion Policy |
|
|
"established tcp" does not work post 9.6.2 |
|
|
ASA sends invalid redirect response for POST request |
|
|
IKEv2 RA Generic client - stuck outgoing asp table entry - traffic encrypted with stale SPI |
|
|
Unable to configure more than 100 aaa-server group limit reached |
|
|
CCM Infrastructure Update for WR8 |
|
|
DHCP NACK silently dropped by ASA sent from DHCP server if configured as DHCP relay |
|
|
Fail-to-Wire (FTW) Ports fail to recover on 2100 Firepower platforms. |
|
|
FTD Cluster traceback experienced when other unit leaves the Cluster |
|
|
Audit syslog for SFR module/7000/8000 devices uses TCP instead of UDP for syslog communication |
|
|
Fail-Closed FTD passes packets through on Snort processes down |
|
|
IP Address stuck in local pool and showing as "In Use" even when the AnyConnect client disconnects |
|
|
Thread Name: CP DP SFR Event Processing traceback |
|
|
ASA does not respond to DHCP request packet on BVI interface |
|
|
After reboot, "ssh version 1 2" added to running-config |
|
|
ASA Failover split brain (both units active) after rebooting a Firepower chassis |
|
|
MCA+AAA+OTP with RADIUS challenge fails to send aggauth handle in challenge |
|
|
Time zone in syslogs messages |
|
|
rna_networks is empty after Network Discovery deployment. |
|
|
FTD/Firepower Policy deployment fails when running simultaneous deployment to many devices. |
|
|
Unsupported runtime JavaScript exception handling in the client side WebVPN rewriter |
|
|
Firepower: Network file trajectory graph does not load |
|
|
ASA 9.9.2 Clientless WebVPN - HTML entities are incorrectly decoded when processing HTML |
|
|
FTD traceback and reload on LINA thread |
|
|
Snort processes dump core with memory corruption on Series 3 devices |
|
|
Policy Deployment Failure due to Special Characters & encoding |
|
|
Deployment failing in snort validation- SMTP: Could not allocate SMTP mime mempool |
|
|
Traceback: "saml identity-provider" command will crash multi-context ASAs |
|
|
ASA may traceback due to SCTP traffic despite fix CSCvj98964 |
|
|
When deleting context the ssh key-exchange goes to Default GLOBALLY! |
|
|
"ssl trust-point" command will be removed when restoring backup via CLI |
|
|
ASA IKEv2 - ASA sends additional delete message after initiating a phase 2 rekey |
|
|
Watchdog on ASAv when logging to buffer |
|
|
Correlation rule alerting is not working in 6.4.0 |
|
|
GTP response messages with non existent cause are getting dropped with error message TID is 0 |
|
|
Memory leak observed when ASA-SFR dataplane communication flaps |
|
|
TID fails to add source as a URL - Flat file |
|
|
SFDC crashes inserting into packet_log table after upgrading to 6.4.0 |
|
|
Failed SSH Login attempts not being exported via syslog |
|
|
Firepower Primary Detection Engine process might terminated after Manager upgrade |
|
|
URL DB download failure alerts on FMC; new URL DB updates not taking effect on FMC/FDM |
|
|
Traffic not matching expected ACP rule after updating to 6.4.0 |
|
|
Deleted URL Objects are not being removed from the ngfw.rules. |
|
|
Fatal Error message in FMC GUI when upgrading 5525 from 6.4.0-102 > 6.4.0.4-31 but upgrade completes |
| Bug ID | Headline |
|---|---|
|
GUI should allow max 256 addresses per DHCP pool |
|
|
AnyConnect connections fail with TCP connection limit exceeded error |
|
|
Deploy fails on FTD HA due to exception when parsing big xml response |
|
|
Unable to create RAVPN Conn-Profile if group-policy attr and FQDN are edited in the same wizard flow |
|
|
FDM-HA formation has failed after upgrading to 6.3.0.3-69 |
|
|
Help pages always show up in English |
|
|
ASA report SFR module as 'Unresponsive' after reloading ASA module on 5585 platform |
|
|
FMC 6.3 Multitenancy/Domain LDAPS User/Group Download Failure Due to Certificate Location |
|
|
Network FIle Trajectory page takes 90 seconds to load each time |
|
|
Firepower 8000 interfaces might flap due to unhandled resource temporarily unavailable issue |
|
|
FTD show tech from troubleshooting files incomplete |
|
|
Changes in interface-group or interface-zone in subdomain overwrites Global domain. |
|
|
natd thread of nfm_exceptiond uses about 90% to 100% CPU time |
|
|
FMC UI: VPN Hub and Spoke topology slow loading |
|
|
BCDB file copy from FMC on to vFTD getting truncated, vFTD running on Azure platform. |
|
|
Deployment failure after upgrade to 6.4 in ASA5500-X running FTD |
|
|
HTTP blacklist - blacklist rules are not removed from sensor when unassigned and deplyed from FMC |
|
|
Policy deploy failure 6.5.0-1148 post upgrade with CC mode with openSSL call during SSL pol Export |
|
|
On reset CD not clearing its flags[parseFailoverReqIssued] which prevents further node join attempts |
|
|
FMC 6.4.0 - Policy deployment failure - Duplicate domain entries in domains.conf |
|
|
600_schema/100_update_database.sh should return error if database update fails |
| Bug ID | Bug ID |
|---|---|
|
Unable to edit the system policy of a SFR module via ASDM after upgrading to 6.2.2 |
|
|
FTD Files are Allowed Through Multiple Pre-existing Connections Despite the File Policy Verdict |
|
|
sfstunnel process in FTD is holding large cloud db files that are already deleted |
|
|
tcp proxy: ASA traceback on DATAPATH |
|
|
712x devices become unstable when switching inline set from TAP to inline |
|
|
4140 Multi-Instance Not Load-Balancing Correctly with 4 Instances |
|
|
Loading AC policy editor takes too long, needs loading indicator |
|
|
FMC Audit Logs will only display Admin and System as owners when deploying to 3D devices -GUI/SYSLOG |
|
|
Unsupported EC curve x25519 on FTD |
|
|
FTDv does not have configuration on initial bringup with mix of vmxnet3 and ixgbevf interfaces |
|
|
FPR platform IPsec VPN goes down intermittently |
|
|
Deployment on FTD with low memory results on interface nameif to be removed |
|
|
Upgrading ASA cluster to 9.10.1.7 cause traceback |
|
|
EIGRP breaks when new sub-interface is added and "mac-address auto" is enabled |
|
|
Deploy failed because adaptive profiling config file corrupt |
|
|
ids_event_alerter high memory usage due to large firewall_rule_cache table |
|
|
Mysql traffic on non standard port is not correctly classified |
|
|
ngfwManager doesn't start if ngfw.properties is empty |
|
|
FMC shows connection events with packet count as 0 |
|
|
FTD-CLUSTER:Adding new unit in cluster can cause traffic drop |
|
|
VPN sessions failing due to PKI handles not freed during rekeys |
|
|
Audit Log Settings Failing Leading to being unable to edit System Settings |
|
|
SCALE: with 500+ devices, UMS causes the UI to hang, especially during deploy |
|
|
Enhancement to address high IKE CPU seen due to tunnel replace scenario |
|
|
ASA traceback and reloads when issuing "show inventory" command |
|
|
Internal Error when editing an Access Control Policy |
|
|
ASA Traceback and reload while running IKE Debug |
|
|
Telemetry not sent when FMC managing lots of devices |
|
|
Enhancement: add counter for Duplicate remote proxy |
|
|
For SMB, remote storage configuration should allow configuring version string with dot(.) |
|
|
Do not decrypt rule causes traffic interruptions. |
|
|
cloud agent core after generating a large number of continuous URL lookups (>30M) |
|
|
SSL rules with App-ID conditions can limit decryption capability |
|
|
NAT rules can get applied in the wrong order when you have duplicate rules |
|
|
FMC times out after 10 mins to fetch device list for deployment |
|
|
Firepower Recommendations does not enable IPS rules that are GID 3 |
|
|
Cisco Firepower Management Center RSS Cross-Site Scripting Vulnerabilities |
|
|
Health monitoring options for user identity functionality on FMC. |
|
|
DTLS 1.2 and AnyConnect oMTU |
|
|
ENH - Option to configure Port Block Allocation on FTD |
|
|
ASA: Watchdog traceback in Datapath |
|
|
FTD lina cored with Thread name: cli_xml_server |
|
|
Allow FTDs to perform URL lookups directly without having to go through the FMC |
|
|
Random SGT tags added by FTD |
|
|
(snort)File is not getting detected when going over HTTPS (SSL Resign) |
|
|
FTD sets automatically metric 0 when we redistribute OSPF into BGP via FMC GUI. |
|
|
Multiple ClamAV Vulnerabilities For Cisco Firepower Management Center for pre 6.5.0 |
|
|
FIPS mode gets disabled after rollback from a failed policy deploy |
|
|
FMC-ISE integration doesn't work if explicit UPN doesn't match implicit UPN |
|
|
ASA 5506/5508/5516 traceback in Thread Name octnic_hm_thread |
|
|
REST API query /api/fmc_config/v1/domain/UUID/devices/devicerecords fails |
|
|
On upgraded FMC Device FXOS devices are shown dirty even after successful deployment. |
|
|
Wrong rule matched when using ambiguous DND |
|
|
integrate pxgrid capability, connection hang, curl hang issues |
|
|
Misleading deploy Warning message when Flex Config policy is being deployed |
|
|
Policy deployment remove and add back ospf neighbor |
|
|
Slowness in loading Device Management page on FMC when there are over 500 managed devices |
|
|
NAT policy apply failing with error duplicate |
|
|
Ensure Error Message with Dup NATs Is Clear and Actionable |
|
|
FMC Global Pre-deployment Phase takes longer after upgrade to 6.4 |
|
|
Policy deployment failed with error snort validation failed (Bad value specified for memcap ) |
|
|
Firepower Primary Detection Engine process terminated after Manager upgrade |
| Bug ID | Headline |
|---|---|
|
Random packet drops by session preprocessor |
|
|
Network discovery not working with network groups containing literals - user or Cisco created. |
Feedback