For your convenience, these release notes list the resolved bugs for each patch.
 Note |
Each list is auto-generated once and is not subsequently updated. Depending on how and when a bug was categorized or updated in our system, it may not appear in the release notes. You should regard the Cisco Bug Search Tool as the 'source of truth.' |
For resolved issues, see:
If you have a support contract, you can use the Cisco Bug Search Tool to obtain an up-to-date list of resolved bugs for Firepower products. You can constrain searches to bugs affecting specific Firepower platforms and versions. You can also search by bug ID, or for specific keywords.
These general queries display resolved bugs for Firepower products running Version 6.4.0 patches:
Sometimes Cisco releases updated builds. In most cases, only the latest build for each platform is available on the Cisco Support & Download site. We strongly recommend you use the latest build. If you downloaded an earlier build, do not use it.
You cannot upgrade from one build to another for the same Firepower version. If a new build would fix your issue, determine if an upgrade or hotfix would work instead. If not, contact Cisco TAC. See the Cisco Firepower Hotfix Release Notes for quicklinks to publicly available Firepower hotfixes.
Use this table to determine if a new build is available for your platform.
| Version | New Build | Released | Platforms | Resolves |
|---|---|---|---|---|
|
6.4.0.2 |
35 |
2019-07-03 |
FMC/FMCv FTD/FTDv, except Firepower 1000 series |
CSCvq34224: Firepower Primary Detection Engine process terminated after Manager upgrade If you already upgraded to Version 6.4.0.2-34 and have FTD devices configured for high availability, apply Hotfix F. In FMC deployments, apply the hotfix to the FMC. In FDM deployments, apply the hotfix to both devices. |
|
Bug ID |
Headline |
|---|---|
|
Lina traceback on 21xx following upgrade from 6.4.0.8 to 6.4.0.9 |
|
|
CRL command missing on FP1k |
|
Bug ID |
Headline |
|---|---|
|
Cisco Firepower Management Center Software Cross-Site Scripting Vulnerabilities |
|
|
Original Client IP does not populate for dropped events when inline normalization enabled |
|
|
ASA/FTD traceback and reload in Thread Name: SXP CORE |
|
|
FeedDownloader should not update status to Downloading after download is complete |
|
|
ASA traceback on spin_lock_release_actual |
|
|
Multiple Cisco Products SNORT HTTP Detection Engine File Policy Bypass Vulnerability |
|
|
Hostscan: LastSuccessfulInstallParams can not be detected by Hostscan |
|
|
Firepower:Misleading stats w.r.t "Memory Usage" being displayed under System->Monitoring->Statistics |
|
|
CLI Banner not seen on FTD |
|
|
Large number of stale Objects in EOAttributes table results in high CPU/backup failure |
|
|
Not able to upload the STIX or Flat File Manually under Threat Intelligence Director |
|
|
Cisco FMC and FTD Software sftunnel Pass the Hash Vulnerability |
|
|
Cisco FMC and FTD Software Directory Traversal Vulnerability |
|
|
FTD Traceback and Reload on Lina thread for thread_logger |
|
|
FMC UI Unresponsive After Attempt To Register Smart License With Smart Satellite |
|
|
FTD ftd_sftunnel core is generated after upgrading from 6.4.0 |
|
|
Cisco Firepower Management Center Software Denial of Service Vulnerability |
|
|
Snort rendering block verdict for rules with action of alert. |
|
|
Cisco Firepower Threat Defense Software Hidden Commands Vulnerability |
|
|
After failover, Active unit tcp sessions are not removed when timeout reached |
|
|
Cisco Firepower Management Center Multiple Cross-Site Scripting Vulnerabilities |
|
|
FTD may crash when processing fragmented packets |
|
|
Memory leak SSL_ALLOC [ERROR] ssl_alloc.c:113:ssl_alloc_destroy() |
|
|
Estreamer process queries wrong database for rna_policy_rules table and causes excessive logging |
|
|
Analysis Connection Events doesn't show and report all the events in UI |
|
|
FMC high CPU utilization in sfmbservice |
|
|
Estreamer should terminate a connection when not receiving ACKs for a long time |
|
|
Cisco Firepower Threat Defense Software TCP Intercept Bypass Vulnerability |
|
|
FMC shows policies out of date after successful deploy |
|
|
Policy deployment failed with error "Can't use an undefined value as a HASH reference " |
|
|
SSH via External Auth to NGIPS succeeds then closes immediately |
|
|
DNS Application Detector sometimes fails to detect DNS traffic |
|
|
FTD-HA: after restoring FTD-HA backup file, snort process will be down |
|
|
FTD Snort Rule Profiling does not work consistently - log folder is missing |
|
|
Configuration might not replicated if packet loss on the failover Link |
|
|
FMC connections to v3.sds.cisco.com are bypassing proxy |
|
|
Cannot download TAXII feeds in Intelligence Sources v6.2.3 -> v6.4.0.4 on either HTTP or HTTPS |
|
|
NTP configuration is not synchronized to LINA on Multi Instance |
|
|
Lina traceback when changing device mode of FTD |
|
|
Snort file mempool corruption leads to performance degradation and process failure. |
|
|
FP2100: Traceback and reload when processing traffic through more than two inline sets |
|
|
Cisco ASA Software and FTD Software Web Services Denial of Service Vulnerability |
|
|
admin user is not authorized to access the device routing configuration inside the domain. |
|
|
Firepower Device Manager (FDM) option to disable SSL rekey is not reflected on the config |
|
|
Cisco Firepower Threat Defense Software SSL Input Validation Denial of Service Vulnerabili |
|
|
Firepower 7000 & 8000 cannot sent emails on version 6.4 |
|
|
Deployment fails after upgrading to 6.4.0.x if ND policy refs are missing |
|
|
Network Discovery Policy rules are ignored if it uses network groups |
|
|
Same Security Zone used in ACP rule is Not pushed to NGFW rules |
|
|
Policy deployment fails subsequent to SRU |
|
|
Cisco Firepower 2100 Series SSL/TLS Inspection Denial of Service Vulnerability |
|
|
Cisco Firepower Threat Defense Software TCP Flood Denial of Service Vulnerability |
|
|
Deployment failure with message (Can't call method "binip" on unblessed reference) |
|
|
Cisco Firepower Management Center Software Open Redirect Vulnerability |
|
|
SFDatacorrelator and Snort process cores repeatedly while loading malware seed file |
|
|
Firepower FTD transparent does not decode non-ip packets |
|
|
FTD failover due to error "Inspection engine in other unit has failed due to snort and disk failure" |
|
|
Calls fail once anyconnect configuration is added to the site to site VPN tunnel |
|
|
SNORT Fatal Error due to out of range interface ID |
|
|
Inspect Interruption - Error in deployment page. |
|
|
ASA/FTD traceback and reload due to memory leak in SNMP community string |
|
|
Application classification is not retried if a flow is marked brute force failed. |
|
|
Cisco Firepower Threat Defense Software Inline Pair/Passive Mode DoS Vulnerability |
|
|
Cisco ASA Software and FTD Software Web Services Read-Only Path Traversal Vulnerability |
|
|
Policy deployment failure after SRU update on FTD with passive zone |
|
|
When vlan encapsulation is exceeded decoding errors are depleting disk space. |
|
|
Allow 30-seconds of NFE microengine missing heartbeat faults before engaging error recovery |
|
|
SCTP heartbeats failing across the firewall in Cluster deploymnet. |
|
|
Cisco Firepower 4110 ICMP Flood Denial of Service Vulnerability |
|
|
Cisco ASA and FTD Software FTP Inspection Bypass Vulnerability |
|
|
FMC not sending some audit messages to remote syslog server |
|
|
Cisco ASA and FTD WebVPN CRLF Injection Vulnerability |
|
|
Wrong direction in SSL-injected RESET causes it to exit through wrong interface, causing MAC flap |
|
|
FTD: Traceback and reload related to lina_host_file_open_raw function |
|
|
Active FTP fails when secondary interface is used on FTD |
|
|
sctp-state-bypass is not getting invoked for inline FTD |
|
|
Cisco Firepower Management Center Software Cross-Site Scripting Vulnerabilities |
|
|
Excessive logging from the daq modules process_snort_verdict verdict blacklist |
|
|
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software DoS Vuln |
|
|
snort instances CPU spikes to >90% at low non-SSL traffic with SSL policy applied |
|
|
Registration of device should be allowed as long as deploy status = DEPLOYED or FAILED |
|
|
Dynamic RRI route is not destroyed when IKEv2 tunnel goes down |
|
|
Crypto ring stalls when the length in the ip header doesn't match the packet length |
|
|
FTD Standby unit does not join HA due to "HA state progression failed due to APP SYNC timeout" |
|
|
FMC Unable to fetch VPN troubleshooting logs from WM Model devices |
|
|
Stuck uauth entry rejects AnyConnect user connections despite fix of CSCvi42008 |
|
|
ASA traceback Thread name - webvpn_task |
|
|
Cisco Firepower Management Center Software Denial of Service Vulnerability |
|
|
KP IOQ driver. Add defensive parameter and state checks. |
|
|
ASA 9.13.1.7 traceback and reload while processing hostscan data (process name LINA ) |
|
|
Cisco ASA and FTD Web Services File Upload Denial of Service Vulnerability |
|
|
Events may stop coming from a device due to a communication deadlock |
|
|
Local User Password not updating in 6.4.0.9 |
|
|
ASA is sending failover interface check control packets with a wrong destination mac address |
|
|
FMC -Deployment Failure- Anyconnect - "Certificate Map" using "DC (Domain Component)" to match cert. |
|
|
6.4.0.9 upgrade from 6.4.0 with CC mode causes httpsd.conf to have an incorrect config |
|
|
NetFlow reporting impossibly large flow bytes |
|
|
AppId caches proxy IP instead of tunneled IP for ultrasurf |
|
|
FTD traceback and reload on thread "IKEv2 Mgd Timer Thread" |
|
|
Cisco ASA Software and FTD Software Web Services Denial of Service Vulnerability |
|
|
FTD traceback and reload on FP2120 LINA Active Box. VPN |
|
|
Handling for longer header length messages going from DAQ to Oct driver |
|
|
Redistribution of VPN advertised static routes fail after reloading the FTD on FPR2100 |
|
|
Time sync do not work correctly for FTD on FP1000/1100 series platform |
|
|
duplicate ip addresses in sfipproxy.conf |
|
|
False positives for ultrasurf |
|
|
Cisco ASA and FTD Software OSPFv2 Link-Local Signaling Denial of Service Vulnerability |
|
|
SNMP traps can't be generated via diagnostic interface |
|
|
ASA should allow null sequence encoding in certificates for client authentication. |
|
|
Certificate mapping for AnyConnect on FTD stops working. |
|
|
Traceback: Modifying FTD inline-set tap-mode configuration with active traffic |
|
|
DTLS v1.2 and AES-GCM cipher when used drops a particular size packet frequently. |
|
|
Cisco Firepower Threat Defense Software Multi-Instance Container Escape Vulnerability |
|
|
HKT - Failover time increases with upgrade to 9.8.4.15 |
|
|
Cisco ASA and FTD Software SIP Denial of Service Vulnerability |
|
|
FTD 6.4.0.8 traceback & reload on thread name : CP processing |
|
|
High unmanaged disk usage on /ngfw due to logrotate and missing /var/spool/cron/root directory. |
|
|
FTD firewall unit cannot join the cluster after a traceback due to invalid interface GOID entry |
|
|
ASA: High CPU due to stuck running SSH sessions / Unable to SSH to ASA |
|
|
FTD Lina traceback in datapath due to double free |
|
|
Cisco ASA Software and FTD Software Web Services Cross-Site Scripting Vulnerability |
|
|
Cisco ASA and FTD Software SSL/TLS Session Denial of Service Vulnerability |
|
|
Cisco ASA and FTD IP Fragment Memory Leak Vulnerability |
|
|
ASA configured with TACACS REST API: /cli api fail with "Command authorization failed" message |
|
|
FMC pushes certificate map incorrectly to lina |
|
|
syslog-ng process utilizing 100% CPU |
|
|
Cisco ASA and FTD Software SSL VPN Direct Memory Access Denial of Service Vulnerability |
|
|
Editing the IP in a Radius Server Group object results in unintended values for the IP address |
|
|
FPR2100: Show crash output on show tech does not display outputs from most recent tracebacks |
|
|
URL rules are incorrectly promoted on series 3 resulting in traffic matching the wrong rule. |
|
|
Binary rules (SO rules) are not loaded when snort reloads |
|
|
AnyConnect Connected Client IPs Not Advertised into OSPF Intermittently |
|
|
Cisco ASA and FTD Web Services Interface Cross-Site Scripting Vulnerabilities |
|
|
FTD: Traceback and reload when changing capture buffer options on a already applied capture |
|
|
Cisco ASA Software and FTD Software WebVPN Portal Access Rule Bypass Vulnerability |
|
|
Cisco Firepower Threat Defense Software SNMP Denial of Service Vulnerability |
|
|
Encoded Rule Plugin SID: value, GID: 3 not registered properly. Disabling this rule |
|
|
Dynamic routing protocols summary route not being replicated to standby |
|
|
Cisco ASA and FTD Web Services Interface Cross-Site Scripting Vulnerabilities |
|
|
High unmanaged disk usage on /ngfw due to large process_stdout.log file |
|
|
HTTPS connections matching 'Do not decrypt' SSL decryption rule may be blocked |
|
|
Lina Traceback during FTD deployment when WCCP config is being pushed |
|
|
Cisco ASA and FTD Web Services Interface Cross-Site Scripting Vulnerabilities |
|
|
Cisco Firepower 1000 Series Bleichenbacher Attack Vulnerability |
|
|
Cisco Firepower Management Center Software Common Access Card Authentication Bypass Vuln |
|
|
Cisco ASA Software Web-Based Management Interface Reflected Cross-Site Scripting Vulnerabi |
|
|
3 min delay caused by AbstractBaseDeploymentValidationHandler.validatePreApply during deploy. |
|
|
Cluster unit traceback on snp_cluster_forward_and_free_packet due to GRE/IPiniP passenger flows |
|
|
FTD Traceback and reload while trying to switch peer on HA |
|
|
DMA memory leak in ctm_hw_malloc_from_pool causing management and VPN connections to fail |
|
|
Reset not sent when traffic matches AC-policy configured with block/reset and SSL inspection |
|
|
Snort 2: Memory Leak in SSL Decrypt & Resign Processing |
|
|
FQDN rules do not work on 1k platforms |
|
|
Failed upgrade does not create audit messages in syslog |
| Bug ID | Headline |
|---|---|
|
ENHancement: Cannot add DNS lists that contain _ at the beginning of the list. |
|
|
"show open-network-ports" not showing the proper infomration on FP4100 Series |
|
|
Lina Traceback due to invalid TSC values |
|
|
Cisco Firepower Threat Defense Software Management Interface DoS Vulnerability |
|
|
Traceback on 2100 - watchdog |
|
|
Cisco Firepower Threat Defense Software Packet Flood Denial of Service Vulnerability |
|
|
FTD/ASA - Cluster/HA - Master/Active unit does not update all the route changes to Slaves/Standby |
|
|
FTD - Inner Flow: Carrier id flow lookup enhancement |
|
|
Refresh Root CAs that SSL uses for resigning in FTD/FMC |
|
|
Cisco ASA Software and Cisco FTD Software SSL VPN Denial of Service Vulnerability |
|
|
deployment failure with sftunnel exception while primary active. |
|
|
Unrestricted File Upload in FMC -Backup Management - Upload Backup |
|
|
captures of both CLISH and LINA doesn't work with IPv6 address |
|
|
Increase number of worker for mojo-server on large appliances |
|
|
Upgrade Enhancements to STRAP verification for anyconnect - Cisco VPN session replay vulnerability |
|
|
slib memory manager : mempool mutex vs spinlock selection |
|
|
Firepower managed devices may stop responding to SNMPv3 GET/WALK requests |
|
|
OpenSSL vulnerability CVE-2019-1559 on FTD |
|
|
FMC:Page stuck when editing inline sets |
|
|
ICMP error packets being dropped for Null pdts_info |
|
|
Cisco Firepower 1000 Series SSL/TLS Denial of Service Vulnerability |
|
|
FDM - user downloads not working with LDAPS |
|
|
Unable to add user on FTD using external authentication |
|
|
Cisco Firepower Threat Defense Software SSL/TLS URL Category Bypass Vulnerability |
|
|
Console connection for FPR2100 is disconnected randomly about 20 minutes. |
|
|
ASA traceback and reload related to crypto PKI operation |
|
|
ASA traceback and reload for the CLI "Show nat pool" |
|
|
PPPoE session not coming up after reload. |
|
|
SFDataCorrelator high CPU during SI update |
|
|
Cluster: BGP route may go in out of sync in some scenarios |
|
|
Policy deployment is reported as successful on the FMC but it is actually failed |
|
|
FTD in HA pair crashes in ids_event_proce process after policy deployment |
|
|
Mac address flap on switch with wrong packet injected on ingress FTD interface |
|
|
FMC : FMC detect HA Sync Failed |
|
|
FPR1010 - Add temperature/warnings for SSD when thresholds are exceeded |
|
|
Packet loss over failover link triggers Split-Brain |
|
|
Segfault in libclamav.so (in the context of SFDataCorrelator) |
|
|
Traceback on snp_policy_based_route_lookup when deleting a rule from access-list configured for PBR |
|
|
Cisco Firepower 2100 Series Security Appliances ARP Denial of Service Vulnerability |
|
|
ASA Static route disappearing from asp table after learning default route via BGP |
|
|
Many user_ip_map files even though no realm is configured |
|
|
FPR2100: Power doesn't turn off after turned off the power button on back of chassis |
|
|
FTD/LINA Traceback and reload observed in thread name: cli_xml_server |
|
|
FMC upgrading to 6.3/6.4 shouldn't remove existing deprecated flexconfig |
|
|
Initial FTD Deploy After Policy Import causes Unused Objects which bloat policy size |
|
|
Deployment failed on FTD with reason "failed to retrieve running configuration" |
|
|
Session processing delay from FMC wastefully querying all Directory Servers normalizing bad username |
|
|
CD is required to ignore Cluster-Msg-Delivery-Confirmation in Cluster Node Release Lina State |
|
|
FTD: Deployment through slow links may fail |
|
|
FTDv Deployment in Azure causes unrecoverable traceback state due to no dns domain-lookup any" |
|
|
Cisco ASA and Cisco FTD Software OSPF Packets Processing Memory Leak Vulnerability |
|
|
ASA/FTD may traceback and reload in Thread Name 'PTHREAD-1533' |
|
|
NPE in SecurityIntelligenceEoConvertor causes Lucene indexing failure |
|
|
ASA traceback and reload on Thread DATAPATH-0-2064 |
|
|
FMC existing rule error while adding new rule |
|
|
port manager crashes with "shutdown" command from clish CLI |
|
|
Lina traceback when changing device mode of FTD |
|
|
Clustering module needs to skip the hardware clock update to avoid the timeout error and clock jump |
|
|
Not able to access FMC devices with Chrome on Mac after upgrade to Catalina. |
|
|
TunnelClient for CSM_CCMservice on ngfwManager not reading ACK sent from CSM_CCM service on FMC |
|
|
FTD traceback and reload on thread DATAPATH-1-15076 when SIP inspection is enabled |
|
|
ASA TRACEBACK: sctpProcessNextSegment - SCTP_INIIT_CHUNK |
|
|
6.5 CloudEvent code writes config files in a way that 6.4 code does not understand |
|
|
Throttle SSE Attempts on FTDs |
|
|
Snort unexpectedly exits with SSL policy enabled and debug_policy_all |
|
|
ERROR: entry for ::/0 exists when configuring ipv6 icmp |
|
|
Network Performance Degradation when SSL policy is enabled |
|
|
Fix consoled from getting stuck and causing HA FTD policy deployment errors. |
|
|
eStreamer repeatedly exits after "Failed to deserialize policy event" |
|
|
6.4.0.4 FMC WebUI cannot create a Series-3 stack (Cannot select primary device) |
|
|
addition of netmap_num to constraints causes performance degradation |
|
|
Receiving error 403 when editing User Preferences on FP8000 sensors |
|
|
Traceback when processing SSL traffic under heavy load |
|
|
Snort handles traffic as Tagged, when CMD field does not exist in Frame |
|
|
SNMP polling fails on Standby FMC as the snmpd process is in Waiting state |
|
|
Upgrade kernel to cpe:2.3:o:linux:linux_kernel:4.14.158: |
|
|
pm process becomes randomly deadlocked when communicating with hardware. |
|
|
FMC generates referred interfaces cli delta after access-list cli delta |
|
|
Prevent octeon_init from getting stuck and causing HA FTD policy deployment errors. |
|
|
FTD not sending system syslog messages in CC mode |
|
|
AnyConnect 4.8 is not working on the FPR1000 series |
|
|
WR6 and WR8 commit id update in CCM layer(sprint 75) |
|
|
GET ALL for devicerecords we get "isPartOfContainer": false for devices part of HA and cluster |
|
|
ASA traceback and reload when running command "clear capture /" |
|
|
Cisco ASA and Cisco FTD Malformed OSPF Packets Processing Denial of Service Vulnerability |
|
|
Upgrade of 6.4.0.4-34 to 6.4.0.6 is deleting Static Route |
|
|
ASA/FTD Tunneled Static Routes are Ignored by Suboptimal Lookup if Float-Conn is Enabled |
|
|
On firepower devices, hardware rules are not updated after successful policy deployment |
|
|
ASA/FTD Traceback in Thread Name: DATAPATH due to DNS inspection |
|
|
ASA Traceback Thread Name: IKE Daemon |
|
|
FP41xx incorrect interface applied in ASA capture |
|
|
FTD Traceback Lina process |
|
|
FPR-1000 Series Random Number Generation Error |
|
|
catalina.<date>.log files can consume all disk space in their partition |
|
|
Deployment is marked as success although LINA config was not pushed |
|
|
logs about SF_Egress_Zone/SF_Ingress_Zone is empty even though security zones have interfaces |
|
|
Cisco ASA and FTD Software Web Services Information Disclosure Vulnerability |
|
|
FTD Traceback in thread 'ctm_ipsec_display_msg' |
|
|
IPSec SAs are not being created for random VPN peers |
|
|
FPR2100 'show crypto accelerator statistics' counters do not track symmetric crypto |
|
|
Policy deployment failure due to snmp configuration after upgrading FMC to 6.6 |
|
|
Disable Full Proxy to Light Weight Proxy by Default. (FP2LWP) on FTD Devices |
| Bug ID | Headline |
|---|---|
|
DHCP Client Proxy doesn't disable after FO units are flipped |
|
|
ASA Stops Accepting Anyconnect Sessions/Terminates Connections Right After Successful SSL handshake |
|
|
fireamp.pl using 100% Cpu after restore backup. |
|
|
Duplicate preprocessor keyword: ssl |
|
|
Try to assign devices to platform settings policy list of devices randomly disappear under policy |
|
|
Not able to ssh, ssh_exec: open(pager) error on console |
|
|
High unmanaged disk space on Firepower devices due to untracked files |
|
|
Traceback in HTTP Cli Exec when upgrading to 9.12.1 |
|
|
Manage the sfhassd thread CPU affinity to match the Snort CPU affinity |
|
|
/var/opt/CSCOpx/MDC/tomcat/log/stdout.logs writing excessive log messages which may fill the disk |
|
|
ASA/FTD: Twice nat Rule with same service displaying error "ERROR: NAT unable to reserve ports" |
|
|
ASA/Lina Traceback related to TLS/VPN |
|
|
With SSL HW acceleration enabled, FTD TCP Proxy tears down the connection after 3 retransmissions |
|
|
Slave unit having mgmt-only can't join to cluster |
|
|
Firepower Recommendations rule count changes even when not regenerated |
|
|
traceback and reload when establishing ASDM connection to fp1000 series platform |
|
|
Overrides cannot be added for port object if it is used in variable sets in sub domains |
|
|
ENH: Add "Management-access" to FDM flex-config CLI and a CLI-console API issue via SSE/CDO |
|
|
After failover, Active unit tcp sessions are not removed when timeout reached |
|
|
ASA/FTD may traceback and reload in Thread Name 'BGP Router' |
|
|
FPR 2100, low block 9472 causes packet loss through the device. |
|
|
Cached malware disposition does not always expire as expected |
|
|
Retrieving an specfic rule by ID of a child Access Policy returns a 404 : Not Found status. |
|
|
Cisco ASA Software Kerberos Authentication Bypass Vulnerability |
|
|
Cisco VPN session replay vulnerability : STRAP fix on ASA for SSL(OpenSSL 1.0.2) and SCEP proxy |
|
|
Management interface configuration leads to immediate traceback and reload |
|
|
Traffic interruptions for FreeBSD systems |
|
|
Long processing time to insert policy deploy task if many application filter object used in ACPolicy |
|
|
Multiple context 5585 ASA, transparent context losing mangement interface configuration. |
|
|
Traceback in tcp-proxy |
|
|
IPSEC SA is deleted by failover which is caused by link down |
|
|
DCD Causes Standby to send probes |
|
|
NAT rules deleted from FDM backend after moving NAT rules in UI and deploying |
|
|
Stack Units: Deploy fails after upgrade on different Domain with unable to load NDPolicy obj err |
|
|
ASA Traceback in Ikev2 Daemon |
|
|
Only a subset of devices where deployed from a device group during scheduled deploy |
|
|
Cisco Firepower Threat Defense Software Management Access List Bypass Vulnerability |
|
|
ASA may traceback on display_hole_og |
|
|
FTD/LINA Standby may traceback and reload during logging command replication from Active |
|
|
App-sync failure if unit tries to join HA during policy deployment |
|
|
HA FTD on FPR2110 traceback after deploy ACP from FMC |
|
|
Changing a rule and saving quickly might remove configuration. |
|
|
Overrides cannot be added for network object if it is used in variable sets in sub domains |
|
|
Dual stack ASAv failover triggered by reload issue |
|
|
AC policy lookup done for SYN+ACK packet when tcp-intercept and a monitor AC policy is configured |
|
|
Mac Rewrite Occurring for Identity Nat Traffic |
|
|
FTD/LINA traceback and reload observed in thread name: cli_xml_server |
|
|
Cisco ASA and FTD Software Path Traversal Vulnerability |
|
|
Deployment failure if SRU install is in progress |
|
|
configurations getting wiped off from standby, while deployment fails on active |
|
|
Information systems must use the POST method over TLS when transmitting |
|
|
Information Systems implementing file upload feature must validate the file size |
|
|
systems must enforce controls that prevent confidential information from being stored within cookie |
|
|
device loading slow, related REST API calls |
|
|
Lina Traceback during FTD deployment when PBR config is being pushed |
|
|
FTD traceback when TLS tracker (tls_trk_sniff_for_tls) attempted to free a block. |
|
|
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Remote |
|
|
Nested network object group not getting expanded for NAP rules resulting in deployment failure |
|
|
Turn off egress-optimization processing |
|
|
Anyconnect sessions limited incorrectly |
| Bug ID | Headline |
|---|---|
|
Duplicate preprocessor keyword: ssl |
|
|
FTD may not match correct Access Control rule following a deploy to multiple devices |
|
|
multi-deploy causes a sudden drop of intrusion events |
|
|
Cisco Firepower Management Center LDAP Authentication Bypass Vulnerability |
|
|
Turn off egress-optimization processing |
Note |
Version 6.4.0.6 was removed from the Cisco Support & Download site on 2019-12-19. If you are running this version, we recommend you upgrade. The bugs listed here are also fixed in Version 6.4.0.7. |
| Bug ID | Headline |
|---|---|
|
Intrusion Event Performance Graphs load blank on 4100 and 9300 |
|
|
VPN-Session doesn't get replicated to standby unit when standby device is upgraded to 9.12 image |
|
|
SDI - SUSPENDED servers cause 15sec delay in the completion of a authentication with a good server |
|
|
ASA Enhancement: Generate syslog message once member of the SDI cluster changes state |
|
|
Traceback in VPN Clustering HA timer thread when member tries to join the cluster |
|
|
OSPF Process ID doesnot change even after clearing OSPF process |
|
|
ENH: ACE details for warning "found duplicate element" |
|
|
ENH: Add process information to "Command Ignored, configuration in progress..." |
|
|
FTD inline/transparent sends packets back through the ingress interface |
|
|
cts import-pac tftp: syntax does not work |
|
|
Option to display port number on access-list instead of well known port name on ASA |
|
|
ASA HA IKEv2 generic RA - AnyConnect Premium All In Use incorrect on standby |
|
|
Cisco ASA and Firepower Threat Defense Software WebVPN Cross-Site Scripting Vulnerability |
|
|
LINA traceback on ASA in HA Active Unit repeatedly |
|
|
FILE RESUME BLOCK being randomly thrown causing access issues on files from SMB share. |
|
|
"Too much data during a write" messages flooding communication channel |
|
|
Cisco ASA and FTD Software WebVPN CPU Denial of Service Vulnerability |
|
|
Cluster master reload cause ping failure to the Management virtual IP |
|
|
Upload an update gives "update request entity too large" error when using CAC(HTTPS Client Certs) |
|
|
ASA failover LANTEST messages are sent on first 10 interfaces in the configuration. |
|
|
VPN Pre-deploy validations takes around 20 seconds for each device |
|
|
FTD LINA traceback at DATAPATH-8-15821 |
|
|
FP2100 - Flow oversubscribing ring/CPU core causing disruption to working flows on FP2100 platforms |
|
|
ENH: ASA Cluster debug for syn cookie issues |
|
|
lost heartbeat causing reload |
|
|
ASA is unable to verify the file integrity |
|
|
FTD 4150 VPN s2s deployment failure with 6K spokes |
|
|
FTD/ASA : Traceback in Datapath with assert snp_tcp_intercept_assert_disabled |
|
|
Policy deployment to FP 8000 sensor is failing when NAT is configured |
|
|
Cisco Firepower Management Center Stored Cross-Site Scripting Vulnerability |
|
|
Cisco Firepower Management Center Multiple Cross-Site Scripting Vulnerabilities |
|
|
SSL VPN may not be able to establish due to SSL negotiation issue |
|
|
When only IP communication is disrupted on failover link LANTEST msg is not sent on data interfaces |
|
|
Connection events stop coming from device after lost handshake message |
|
|
ASA traceback observed when moving EZVPN spokes to the device. |
|
|
Dual stacked ASAv manual failover issues |
|
|
ASA5515-K9 standby traceback in Thread Name ssh |
|
|
ASA Traceback on Saleen in Thread Name: IPv6 IDB |
|
|
Disable asp load-balance per-packet functionality from fp2100 until all bugs fixed |
|
|
Traceback: Cluster unit lina assertion in thread name:Cluster controller |
|
|
ASA cluster does not flush OSPF routes |
|
|
Slow "securityzones" REST API |
|
|
FPR2100 FTD Standby unit leaking 9K blocks |
|
|
High Disk Utilization due to mysql-server.err failing to rotate after CSCvn30118 |
|
|
ASA:BGP recursive route lookup for destination 3 hop away is failing. |
|
|
F_RNA_EVENT_LIMIT for MC4000 should be 20 million |
|
|
Connections fail to replicate in failover due to failover descriptor mis-match on port-channels |
|
|
ASA generates incorrect error message about PCI cfg space when enumerating Internal-Data0/1 |
|
|
VPN events between 12 and 1 PM UTC are not displayed on the FMC |
|
|
DNS lookup using mgmt VRF not possible because FMC doesn't allow interface after server address |
|
|
Active device is not reporting correct peer state. |
|
|
Flow Offload Hashing Change of Behavior |
|
|
ASA traceback in Thread IPsec Message Handler |
|
|
Deployment rollback causes momentary traffic drop when error in a LINA ONLY section of delta cli |
|
|
where clause not working for external data base access |
|
|
Policy deployment fails with 400+ interfaces in security zone due to incorrect formation of deployDB |
| Bug ID | Headline |
|---|---|
|
Read sAMAccountUserName from ISE when it is available |
|
|
Firepower frequent traceback and restart on SFDataCorrelator process |
|
|
InlineResult for IPS event missing metadata "Would have blocked" |
|
|
URL Filtering Shows All URLs as Uncategorized |
|
|
Upgrade anomalies result in policy deploy failure: NGFW_UPGRADE is missing in map file |
|
|
Fail to Wire configuration disabled for multiple interface-pair inline-sets during FTD upgrades |
|
|
Security Intelligence does not drop HTTPS connections to blacklisted URLs when SSL policy is enabled |
|
|
Must disable and then re-enable SNMP in FMC UI after adding new user |
|
|
Flooding of logs with message "Unknown HPQ rule key" |
|
|
Unable to login with AD username containing upper case RADIUS |
|
|
SNMPv3 User(s) deleted after upgrade |
|
|
Warning "There is an empty group in the source networks" in SSL policy |
|
|
User login fails into FMC GUI for LDAP user if the password contains SPACE in the string |
|
|
File policy not inspecting some malware document (.doc) and Adobe flash (.swf) files. |
|
|
Slow device related REST API calls |
|
|
FMT | MTU value not within the permissible range |
|
|
Policy deployment from FMC to FTD fails (or takes more time) due to domain_snapshot_timeout (20m) |
| Bug ID | Headline |
|---|---|
|
Traceback on Thread Name: DATAPATH-2-1785 |
|
|
Reduce opportunities for false positive general microengine fault |
|
|
ASA IKEv2 unable to open aaa session: session limit [2048] reached |
|
|
ASA traceback with Thread: DATAPATH-8-2035 |
|
|
ASA Traceback (watchdog timeout) when syncing config from active unit (inc. cachefs_umount) |
|
|
"default Keyring's certificate is invalid, reason: expired" health alert |
|
|
Traceback in DATAPATH on ASA |
|
|
Route tracking failure |
|
|
ENH: ASA - support for more than 4 servers in multiple mode. |
|
|
Port-Channel issues on HA link |
|
|
IKEv2: IKEv2-PROTO-2: Failed to allocate PSH from platform |
|
|
Update needed for CVE-2016-8858 (OpenSSH) on Firepower software |
|
|
Linux Kernel 4.14 Vulnerabilities |
|
|
Graceful Restart BGP does not work intermittently |
|
|
Control-plane ACL doesn't work correctly on FTD |
|
|
ASA Multicontext traceback and reload due to allocate-interface out of range command |
|
|
ASA may traceback in thread logger when cluster is enabled on slave unit |
|
|
ASA may traceback and reload while waiting for "dns_cache_timer" process to finish. |
|
|
Cisco FirePower Threat Defense Information Disclosure Vulnerability |
|
|
Traceback in threadname DATAPATH-0-1668 while freeing memory block |
|
|
ASA SCP transfer to box stall mid-transfer |
|
|
ASA traceback in thread SSH |
|
|
Lina does not properly report the error for configuration line that is too long |
|
|
Cisco Adaptive Security Appliance Software Secure Copy Denial of Service Vulnerability |
|
|
ASA App stuck in installing state on few images |
|
|
ASA: BGP routes is cleared on routing table after failover occur and bgp routes are changed |
|
|
Traceback and reload citing Datapath as affected thread |
|
|
ASA: EzVPN Client does not work after software upgrade to specific releases |
|
|
management-only of diagnostic I/F on secondary FTD get disappeared |
|
|
ASA may traceback and reload. Potentially related to WebVPN traffic |
|
|
6.4.0 - IPv6 routing doesn't work for WM and KP when mgmt gateway configure as data-interfaces |
|
|
Slow deployment due to slower IntrusionPolicy step in global snapshot population |
|
|
Cisco Adaptive Security Appliance Smart Tunnel Vulnerabilities |
|
|
Standby Firewall reloads with a traceback upon doing a manual failover |
|
|
Cisco ASA Software and FTD Software FTP Inspection Denial of Service Vulnerability |
|
|
HTTP with ipv6 using w3m is failing |
|
|
ASA sends password in plain text for "copy" command |
|
|
ASA unable to authenticate users with special characters via https |
|
|
LACPDUs should not be sent to snort for inline-set interfaces |
|
|
The delay command in interface configuration is modified after rebooted |
|
|
ASA may traceback and reload. suspecting webvpn related |
|
|
ASAv Azure: Route table BGP propagation setting reset when ASAv fails over |
|
|
Unable to process gtpv1 identification req message for header TEID : 0 |
|
|
ASA drops GTPV1 SGSN Context Req message with header TEID:0 |
|
|
ASA/FTD generates syslog for missing SSD 2: /dev/sdb is present. Status: Inoperable. |
|
|
Syslog alerts are not sent to server when Global Rule Thresholding is disabled on Intrusion Policy |
|
|
"established tcp" does not work post 9.6.2 |
|
|
ASA sends invalid redirect response for POST request |
|
|
IKEv2 RA Generic client - stuck outgoing asp table entry - traffic encrypted with stale SPI |
|
|
Unable to configure more than 100 aaa-server group limit reached |
|
|
CCM Infrastructure Update for WR8 |
|
|
Cisco ASA Software and FTD Software SIP Inspection Denial of Service Vulnerability |
|
|
Fail-to-Wire (FTW) Ports fail to recover on 2100 Firepower platforms. |
|
|
FTD traceback due to watchdog on xlate_detach |
|
|
Cisco ASA Software and FTD Software OSPF LSA Processing Denial of Service Vulnerability |
|
|
Audit syslog for SFR module/7000/8000 devices uses TCP instead of UDP for syslog communication |
|
|
Fail-Closed FTD passes packets through on Snort processes down |
|
|
IP Address stuck in local pool and showing as "In Use" even when the AnyConnect client disconnects |
|
|
Thread Name: CP DP SFR Event Processing traceback |
|
|
ASA does not respond to DHCP request packet on BVI interface |
|
|
USGv6 Failures From Kernel Upgrade [3.10 to 4.14] |
|
|
After reboot, "ssh version 1 2" added to running-config |
|
|
ASA Failover split brain (both units active) after rebooting a Firepower chassis |
|
|
MCA+AAA+OTP with RADIUS challenge fails to send aggauth handle in challenge |
|
|
Evaluate Cisco 8000 series for CVE-2019-11815 |
|
|
Timezone displayed in SYSLOG messages but not in the logging buffer |
|
|
rna_networks is empty after Network Discovery deployment. |
|
|
FTD/Firepower Policy deployment fails when running simultaneous deployment to many devices. |
|
|
Unsupported runtime JavaScript exception handling in the client side WebVPN rewriter |
|
|
Firepower: Network file trajectory graph does not load |
|
|
ASA 9.9.2 Clientless WebVPN - HTML entities are incorrectly decoded when processing HTML |
|
|
FTD Traceback and Reload on LINA Caused by SSL Decryption DND Preservation |
|
|
Linux Kernel sas_expander.c Race Condition Arbitrary Code Execution ... |
|
|
Snort processes dump core with memory corruption on Series 3 devices |
|
|
Policy Deployment Failure due to Special Characters & encoding |
|
|
Deployment failing in snort validation- SMTP: Could not allocate SMTP mime mempool |
|
|
Traceback: "saml identity-provider" command will crash multi-context ASAs |
|
|
ASA may traceback due to SCTP traffic despite fix CSCvj98964 |
|
|
When deleting context the ssh key-exchange goes to Default GLOBALLY! |
|
|
Firepower Dynamic Snort Rules are Disabled After a Deployment Involving a Snort Reload |
|
|
Evaluation of sfims for TCP_SACK |
|
|
"ssl trust-point" command will be removed when restoring backup via CLI |
|
|
ASA IKEv2 - ASA sends additional delete message after initiating a phase 2 rekey |
|
|
Watchdog on ASAv when logging to buffer |
|
|
Correlation rule alerting is not working in 6.4.0 |
|
|
GTP response messages with non existent cause are getting dropped with error message TID is 0 |
|
|
Memory leak observed when ASA-SFR dataplane communication flaps |
|
|
TID fails to add source as a URL - Flat file |
|
|
SFDC crashes inserting into packet_log table after upgrading to 6.4.0 |
|
|
Failed SSH Login attempts not being exported via syslog |
|
|
Firepower Primary Detection Engine process might terminated after Manager upgrade |
|
|
URL DB download failure alerts on FMC; new URL DB updates not taking effect on FMC/FDM |
|
|
Traffic not matching expected ACP rule after updating to 6.4.0 |
|
|
Fatal Error message in FMC GUI when upgrading 5525 from 6.4.0-102 > 6.4.0.4-31 but upgrade completes |
| Bug ID | Headline |
|---|---|
|
GUI should allow max 256 addresses per DHCP pool |
|
|
ASA report SFR module as 'Unresponsive' after reloading ASA module on 5585 platform |
|
|
FMC 6.3 Multitenancy/Domain LDAPS User/Group Download Failure Due to Certificate Location |
|
|
AnyConnect connections fail with TCP connection limit exceeded error |
|
|
Network FIle Trajectory page takes 90 seconds to load each time |
|
|
Unable to create RAVPN Conn-Profile if group-policy attr and FQDN are edited in the same wizard flow |
|
|
FDM-HA formation has failed after upgrading to 6.3.0.3-69 |
|
|
Firepower 8000 interfaces might flap due to unhandled resource temporarily unavailable issue |
|
|
FTD show tech from troubleshooting files incomplete |
|
|
Changes in interface-group or interface-zone in subdomain overwrites Global domain. |
|
|
Help pages always show up in English |
|
|
natd thread of nfm_exceptiond uses about 90% to 100% CPU time |
|
|
Deploy fails on FTD HA due to exception when parsing big xml response |
|
|
FMC UI: VPN Hub and Spoke topology slow loading |
|
|
BCDB file copy from FMC on to vFTD getting truncated, vFTD running on Azure platform. |
|
|
Deployment failure after upgrade to 6.4 in ASA5500-X running FTD |
|
|
HTTP blacklist - blacklist rules are not removed from sensor when unassigned and deplyed from FMC |
|
|
Policy deploy failure 6.5.0-1148 post upgrade with CC mode with openSSL call during SSL pol Export |
|
|
Executing 'failover' twice on active unit, clears interface configuration on standby unit |
|
|
On reset CD not clearing its flags[parseFailoverReqIssued] which prevents further node join attempts |
|
|
FMC 6.4.0 - Policy deployment failure - Duplicate domain entries in domains.conf |
|
|
600_schema/100_update_database.sh should return error if database update fails |
| Bug ID | Headline |
|---|---|
|
New added management interface does not have "management-only" configuration |
|
|
Unable to edit the system policy of a SFR module via ASDM after upgrading to 6.2.2 |
|
|
FTD Files are Allowed Through Multiple Pre-existing Connections Despite the File Policy Verdict |
|
|
sfstunnel process in FTD is holding large cloud db files that are already deleted |
|
|
tcp proxy: ASA traceback on DATAPATH |
|
|
712x devices become unstable when switching inline set from TAP to inline |
|
|
4140 Multi-Instance Not Load-Balancing Correctly with 4 Instances |
|
|
Loading AC policy editor takes too long, needs loading indicator |
|
|
FMC Audit Logs will only display Admin and System as owners when deploying to 3D devices -GUI/SYSLOG |
|
|
Lina msglayer performance improvements: port Hotfix BO |
|
|
Unsupported EC curve x25519 on FTD |
|
|
FTDv does not have configuration on initial bringup with mix of vmxnet3 and ixgbevf interfaces |
|
|
IPsec VPN goes down intermittently during a re-key |
|
|
Deployment on FTD with low memory results on interface nameif to be removed - finetune mmap thresh |
|
|
Upgrading ASA cluster to 9.10.1.7 cause traceback |
|
|
EIGRP breaks when new sub-interface is added and "mac-address auto" is enabled |
|
|
Deploy failed because adaptive profiling config file corrupt |
|
|
ids_event_alerter high memory usage due to large firewall_rule_cache table |
|
|
Mysql traffic on non standard port is not correctly classified |
|
|
ngfwManager doesn't start if ngfw.properties is empty |
|
|
FMC shows connection events with packet count as 0 |
|
|
FTD-CLUSTER:Adding new unit in cluster can cause traffic drop |
|
|
Cisco Firepower Threat Defense Software Command Injection Vulnerability |
|
|
VPN sessions failing due to PKI handles not freed during rekeys |
|
|
Audit Log Settings Failing Leading to being unable to edit System Settings |
|
|
SCALE: with 500+ devices, UMS causes the UI to hang, especially during deploy |
|
|
Enhancement to address high IKE CPU seen due to tunnel replace scenario |
|
|
ASA traceback and reloads when issuing "show inventory" command |
|
|
Internal Error when editing an Access Control Policy |
|
|
ASA Traceback and reload while running IKE Debug |
|
|
Telemetry not sent when FMC managing lots of devices |
|
|
Enhancement: add counter for Duplicate remote proxy |
|
|
Cisco Firepower Detection Engine RTF/RAR Malware and File Policy Bypass Vulnerabilities |
|
|
For SMB, remote storage configuration should allow configuring version string with dot(.) |
|
|
Do not decrypt rule causes traffic interruptions. |
|
|
cloud agent core after generating a large number of continuous URL lookups (>30M) |
|
|
Cisco Firepower Threat Defense Software Multi-Instance Container Escape Vulnerabilities |
|
|
Simultaneous FINs on flow-offloaded flows lead to stale conns |
|
|
SSL rules with App-ID conditions can limit decryption capability |
|
|
NAT rules can get applied in the wrong order when you have duplicate rules |
|
|
FMC times out after 10 mins to fetch device list for deployment |
|
|
Firepower Recommendations does not enable IPS rules that are GID 3 |
|
|
Cisco Firepower Management Center RSS Cross-Site Scripting Vulnerabilities |
|
|
Health monitoring options for ISE connectivity on FMC. |
|
|
DTLS 1.2 and AnyConnect oMTU |
|
|
ENH - Option to configure Port Block Allocation on FTD |
|
|
ASA traceback and reload observed in Datapath due to SIP inspection. |
|
|
ASA: Watchdog traceback in Datapath |
|
|
FTD lina cored with Thread name: cli_xml_server |
|
|
Allow FTDs to perform URL lookups directly without having to go through the FMC Pre 6.5.0 |
|
|
Random SGT tags added by FTD |
|
|
(snort)File is not getting detected when going over HTTPS (SSL Resign) |
|
|
FTD sets automatically metric 0 when we redistribute OSPF into BGP via FMC GUI. |
|
|
Multiple ClamAV Vulnerabilities For Cisco Firepower Management Center for pre 6.5.0 |
|
|
FIPS mode gets disabled after rollback from a failed policy deploy |
|
|
FMC-ISE integration doesn't work if explicit UPN doesn't match implicit UPN |
|
|
Cisco ASA & FTD Software Cryptographic TLS and SSL Driver Denial of Service Vulnerability |
|
|
REST API query /api/fmc_config/v1/domain/UUID/devices/devicerecords fails |
|
|
On upgraded FMC Device FXOS devices are shown dirty even after successful deployment. |
|
|
Wrong rule matched when using ambiguous DND |
|
|
integrate pxgrid capability, connection hang, curl hang issues |
|
|
Cisco Firepower Detection Engine RTF/RAR Malware and File Policy Bypass Vulnerabilities |
|
|
ASA/FTD HA Data Interface Heartbeat dropped due to Reverse Path Check |
|
|
Misleading deploy Warning message when Flex Config policy is being deployed |
|
|
Policy deployment remove and add back ospf neighbor |
|
|
Slowness in loading Device Management page on FMC when there are over 500 managed devices |
|
|
NAT policy apply failing with error duplicate |
|
|
Ensure Error Message with Dup NATs Is Clear and Actionable |
|
|
FMC Global Pre-deployment Phase takes longer after upgrade to 6.4 |
|
|
Policy deployment failed with error snort validation failed (Bad value specified for memcap ) |
|
|
Firepower Primary Detection Engine process terminated after Manager upgrade |
| Bug ID | Headline |
|---|---|
|
Random packet drops by session preprocessor |
|
|
Network discovery not working with network groups containing literals - user or Cisco created. |
Feedback