Cisco Firepower 4100/9300 FXOS Release Notes, 2.6(1)

This document contains release information for Cisco Firepower eXtensible Operating System (FXOS) 2.6(1).

Use this release note as a supplement with the other documents listed in the documentation roadmap:


Note

The online versions of the user documentation are occasionally updated after the initial release. As a result, the information contained in the documentation on Cisco.com supersedes any information contained in the context-sensitive help included with the product.


Introduction

The Cisco Firepower security appliance is a next-generation platform for network and content security solutions. The Firepower security appliance is part of the Cisco Application Centric Infrastructure (ACI) Security Solution and provides an agile, open, secure platform that is built for scalability, consistent control, and simplified management.

The Firepower security appliance provides the following features:

  • Modular chassis-based security system—Provides high performance, flexible input/output configurations, and scalability.

  • Firepower Chassis Manager—Graphical user interface provides a streamlined, visual representation of the current chassis status and allows for simplified configuration of chassis features.

  • FXOS CLI—Provides command-based interface for configuring features, monitoring chassis status, and accessing advanced troubleshooting features.

  • FXOS REST API—Allows users to programmatically configure and manage their chassis.

What’s New

New Features in FXOS 2.6.1.169

New Features in FXOS 2.6.1.166

New Features in FXOS 2.6.1.157

Cisco FXOS 2.6.1.157 introduces the following new features:

  • Support for Firepower Threat Defense 6.4.0.

  • Support for 56-physical core security module SM-56.

  • You can now deploy ASA and FTD logical devices on the same Firepower 9300.


    Note

    Requires ASA 9.12(1) and Firepower 6.4.0.


  • You can now enable TLS/SSL hardware acceleration for one container instance on a module/security engine. TLS/SSL hardware acceleration is disabled for other container instances, but enabled for native instances. See the Firepower Management Center configuration guide for more information.

  • New/modified commands: config hwCrypto enable, show hwCrypto

  • Fixes for various problems (see Resolved Bugs in FXOS 2.6.1.157).

New Features in FXOS 2.6.1.131

Cisco FXOS 2.6.1.131 introduces the following new features:

  • Support for ASA 9.12(1).

  • Support for Radware DefensePro 8.13.01.09-3.

  • Support for Firepower 4115, 4125, and 4145 security appliances.

  • Support for 40 and 48-physical core security modules SM-40 and SM-48.

  • You can now install a mix of different security module types on the same Firepower 9300. Support for this feature requires ASA 9.12(1) or later.


    Note

    To use clustering with your Firepower 9300, all security modules installed on the chassis must be of the same type.


  • For the FTD bootstrap configuration, you can now set the NAT ID for the FMC in the Firepower Chassis Manager. Previously, you could only set the NAT ID within the FXOS CLI or FTD CLI. Normally, you need both IP addresses (along with a registration key) for both routing purposes and for authentication—the FMC specifies the device IP address, and the device specifies the FMC IP address. However, if you only know one of the IP addresses, which is the minimum requirement for routing purposes, then you must also specify a unique NAT ID on both sides of the connection to establish trust for the initial communication and to look up the correct registration key. The FMC and device use the registration key and NAT ID (instead of IP addresses) to authenticate and authorize for initial registration.

    New/modified screens:

    Logical Devices > Add Device > Settings > Firepower Management Center NAT ID field

  • You can now configure the key used for encrypting sensitive data during configuration export. You must set the encryption key before you can export a configuration. Make sure that the same encryption key is set on the system when importing that configuration.

  • You can now generate and download technical support log files from Firepower Chassis Manager.

  • You now have the option to enable or disable LLDP.

  • You can now use a new Low Touch Provisioning method to perform first time setup over the Management port.

  • Fixes for various problems (see Resolved Bugs in FXOS 2.6.1.131).

Software Download

You can download software images for FXOS and supported applications from one of the following URLs:

For information about the applications that are supported on a specific version or FXOS, see the Cisco FXOS Compatibility guide at this URL:

http://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/compatibility/fxos-compatibility.html

Important Notes

  • When you configure Radware DefensePro (vDP) in a service chain on a currently running Firepower Threat Defense application on a Firepower 4110 or 4120 device, the installation fails with a fault alarm. As a workaround, stop the Firepower Threat Defense application instance before installing the Radware DefensePro application. Note that this issue and workaround apply to all supported releases of Radware DefensePro service chaining with Firepower Threat Defense on Firepower 4110 and 4120 devices.

  • Firmware Upgrade—We recommend upgrading your Firepower 4100/9300 security appliance with the latest firmware. For information about how to install a firmware update and the fixes included in each update, see https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/firmware-upgrade/fxos-firmware-upgrade.html.

  • When upgrading a network or security module, certain faults are generated and then cleared automatically. These include a “hot swap not supported” fault or a “module removed when in online state” fault. If you have followed the appropriate procedures, as described in the Cisco Firepower 9300 Hardware Installation Guide ( http://www.cisco.com/go/firepower9300-install) or Cisco Firepower 4100 Series Hardware Installation Guide ( http://www.cisco.com/go/firepower4100-install), the fault(s) will be cleared automatically and no additional action is required.

Adapter Bootloader Upgrade

FXOS 2.6(1) contains additional testing to verify the security module adapters on your security appliance. After installing FXOS 2.4.1.101 or later, you might receive a critical fault similar to the following indicating that you should update the firmware for your security module adapter:

Critical F1715 2017-05-11T11:43:33.121 339561 Adapter 1 on Security Module 1 requires a critical firmware upgrade. Please see Adapter Bootloader Upgrade instructions in the FXOS Release Notes posted with this release.

If you receive the above message, use the following procedure to update the boot image for your adapter:

  1. Connect to the FXOS CLI on your Firepower security appliance. For instructions, see the “Accessing the FXOS CLI” topic in the Cisco Firepower 4100/9300 FXOS CLI Configuration Guide, 2.6(1) or Cisco Firepower 4100/9300 FXOS Firepower Chassis Manager Configuration Guide, 2.6(1).

  2. Enter the adapter mode for the adapter whose boot image you are updating:

    fxos-chassis# scope adapter 1/security_module_number/adapter_number

  3. Enter show image to view the available adapter images and to verify that fxos-m83-8p40-cruzboot.4.0.1.62.bin is available to be installed:

    fxos-chassis /chassis/server/adapter # show image
    Name Type Version
    
    --------------------------------------------- -------------------- -------
    
    fxos-m83-8p40-cruzboot.4.0.1.62.bin Adapter Boot 4.0(1.62)
    
    fxos-m83-8p40-vic.4.0.1.51.gbin Adapter 4.0(1.51)
  4. Enter update boot-loader to update the adapter boot image to version 4.0.1.62:

    fxos-chassis /chassis/server/adapter # update boot-loader 4.0(1.62)
    Warning: Please DO NOT reboot blade or chassis during upgrade, otherwise, it may cause adapter to become UNUSABLE!
    After upgrade has completed, blade will be power cycled automatically
    fxos-chassis /chassis/server/adapter* # commit-buffer
  5. Enter show boot-update status to monitor the update status:

    fxos-chassis /chassis/server/adapter # show boot-update status
    State: Updating
    fxos-chassis /chassis/server/adapter # show boot-update status
    State: Ready
  6. Enter show version detail to verify that the update was successful:


    Note

    Your show version detail output might differ from the following example. However, verify that Bootloader-Update-Status is “Ready” and that Bootloader-Vers is 4.0(1.62).


    fxos-chassis /chassis/server/adapter # show version detail
    Adapter 1:
    Running-Vers: 5.2(1.2)
    Package-Vers: 2.2(2.17)
    Update-Status: Ready
    Activate-Status: Ready
    Bootloader-Update-Status: Ready
    Startup-Vers: 5.2(1.2)
    Backup-Vers: 5.0(1.2)
    Bootloader-Vers: 4.0(1.62)

System Requirements

You can access the Firepower Chassis Manager using the following browsers:

  • Mozilla Firefox—Version 42 and later

  • Google Chrome—Version 47 and later

  • Microsoft Internet Explorer—Version 11 and later

We tested FXOS 2.3(1) using Mozilla Firefox version 42, Google Chrome version 47, and Internet Explorer version 11. We anticipate that future versions of these browsers will also work. However, if you experience any browser-related issues, we suggest you revert to one of the tested versions.

Upgrade Instructions

You can upgrade your Firepower 9300 or Firepower 4100 series security appliance to FXOS 2.6(1.157) if it is currently running any FXOS 2.0(1) or later build.

For upgrade instructions, see the Cisco Firepower 4100/9300 Upgrade Guide.

Installation Notes

  • An upgrade to FXOS 2.6(1) can take up to 45 minutes. Please plan your upgrade activity accordingly.

  • If you are upgrading a Firepower 9300 or Firepower 4100 series security appliance that is running a standalone logical device or if you are upgrading a Firepower 9300 security appliance that is running an intra-chassis cluster, traffic does not traverse through the device while it is upgrading.

  • If you are upgrading a Firepower 9300 or a Firepower 4100 series security appliance that is part of an inter-chassis cluster, traffic does not traverse through the device being upgraded while it is upgrading. However, the other devices in the cluster continue to pass traffic.

Open and Resolved Bugs

The open and resolved bugs for this release are accessible through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products.


Note

You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you do not have one, you can register for an account.


For more information about the Cisco Bug Search Tool, see the Bug Search Tool Help & FAQ.

Open Bugs

The following table lists select bugs open at the time of this Release Note publication:

Table 1. Open Bugs Affecting FXOS 2.6(1)
Identifier Description
CSCus73654 ASA do not mark management-only for the mgmt interface assign by LD
CSCuu33739 Physical interface speeds in port-channel are incorrect
CSCuw31077 Filter applied to a interface should be validated
CSCux37821 Platform settings auth the order field shows only lowest-available
CSCux63101 All memory(s) under Memory array shows as unknown in operable column
CSCux77947 Pcap file size not updated properly when data sent at high rate
CSCux98517 Un-decorating data port for VDP should be allowed from Chassis Manager
CSCuz93180 AAA LDAP configuration does not preserve information if validation fails
CSCva86452 link flap on switch connected to 10G and 40G SR FTW card on power off
CSCvc03494 Radware vDP cannot be added into APSolute Vision. As a workaround, you must manually download the device driver and install it into Vision.
CSCvc44522 Log Capacity on Management controller Server1/1 is very low Warning
CSCvd90177 Security Module went to fault state after reloading Supervisor on 4150 with FXOS 2.2.1.57
CSCvf16473 LLDP packets not captured on MIO
CSCvf94658 SSH is not accessible to the device after erase configuration
CSCvg68299 FXOS chassis manager interface gets disassociated from FTD after a failover
CSCvi71367 Supervisor crashed after reboot--unable to handle kernel NULL pointer dereference
CSCvj93832 M5 Blades x86 cpu fails to come up after x86 power cycle using "init 6" in sspos
CSCvk26697 bcm_usd_log core files detected with 92.4.1.2889 image
CSCvk72915 Security Module stuck in Rommon inconsistently after reboot
CSCvm66013 Supervisor unresponsive during reboot. Kernel Panic issue seen.
CSCvm84592 Filter configs are lost when “Edit Session” is done for a capture session
CSCvm86523 6th node will not ssp3ru cluster 6.3.0-1592
CSCvn42252 Low-touch provisioning debug command mode prompt not working properly
CSCvn57429 Ftd app-instance is stuck in install failed with INSTALL_ERROR. Application internal script Error.
CSCvo03589 App agent heart beat can miss in MI scenario
CSCvo30356 Port-channels are in suspended state after upgrade
CSCvo40078 incorrect uptime displayed
CSCvo55237 The global upgrade button is grayed out even though one security module is up
CSCvo55510 FXOS low-touch provisioning screen does not allow prefix
CSCvo55809 ASA App stuck in installing sate on 2.6.1.112 + ASA 9.12.0.125
CSCvo58998 FXOS Cruz Adapter doesn't validate data sent by logical device causing dropped offloaded packets
CSCvo60117 Interface not associated to MI instance even though it shows in chassis manager as allocated
CSCvo74625 6.4.0 - IPv6 routing doesn't work for WM and KP when mgmt gateway configure as data-interfaces
CSCvo83802 Cluster node management connectivity lost after reboot
CSCvp10674 FTD may not become online after installing vDP and upgrading FXOS to version 2.4.1
CSCvp44939 ASA app stuck in installing with error 'SMA_blade_reboot_inprogress' on 2.6.1.157 + 9.12.1.111

Resolved Bugs in FXOS 2.6.1.169

The following table lists the previously release-noted and customer-found bugs that were resolved in FXOS 2.6.1.169:

Table 2. Resolved Bugs in FXOS 2.6.1.169

Identifier

Description

CSCvm96265 Disable HTTP OPTIONS enabled
CSCvo40340 FPR4100: serial, model and vendor are black after FAN OIR
CSCvq17910 Multicast MAC not programmed on chassis upon app reboot or cluster rejoin
CSCvq19641 Evaluation of Firepower 4k/9k Supervisor for TCP_SACK
CSCvq33916 Linkdown between FP 4100 and switch when using 40gb bidi to 40/100 bidi

Resolved Bugs in FXOS 2.6.1.166

The following table lists the previously release-noted and customer-found bugs that were resolved in FXOS 2.6.1.166:

Table 3. Resolved Bugs in FXOS 2.6.1.166

Identifier

Description

CSCvk60985

Machine Check events logged. Possible hardware issue. FXOS Blade: mcelog support

CSCvn77125

FXOS: copy command should allow for wildcards to transfer multiple files

CSCvn99658

FXOS lacp related logs pktmgr.out and lacp.out grows too large

CSCvo85861

Propagate link-state not shown in FTD CLI

CSCvo90987

Enhancement for debugging link down/flap issues for bcm_usd.log files on customer units

CSCvp10674

FTD may not become online after installing vDP and upgrading FXOS to version 2.4.1

CSCvp15176

Apps installed on firepower devices may report comm failure and assume itself as active/master.

CSCvp21561

Cruz Adaptor crash due to kernel patch incompatible with cruz kernel version

CSCvp40260

Prevent STP and FC frames from being sent to SUP CPU

CSCvp56801

'show tech-support module 1 app-instance <appname> <identifier>' fails when only 1x instance on 4100

CSCvp83437

serial console login using local account succeeds but immediately returns to login prompt

Resolved Bugs in FXOS 2.6.1.157

The following table lists the previously release-noted and customer-found bugs that were resolved in FXOS 2.6.1.157:

Table 4. Resolved Bugs in FXOS 2.6.1.157
Identifier Description
CSCvm72541 Speed is 0 in interfaceMapping message if a port-channel's status is down
CSCvo10291 FTD External Auth using RADIUS fails when pre-shared key contains database characters
CSCvo29067 FXOS upgrade hangs and started generating DME corefiles
CSCvo44171 Firepower version 2.2.2.86 reloads due to License Manager with abnormal auth renewal each 30 sec
CSCvo64091 SSP:Cluster Slave FTD Provisioning failing because "Required external ports not available"
CSCvo65464 FPR2100: EIGRP routes with learned over port channel interface become Infinite FD
CSCvo75349 FXOS Blade CRUZ FW coredump due to a memory corruption
CSCvo87116 MTS messages stuck in AppAG recv_q
CSCvp09791 FXOS/FTD multi-instance deployments multicast traffic outage

Resolved Bugs in FXOS 2.6.1.131

The following table lists the previously release-noted and customer-found bugs that were resolved in FXOS 2.6.1.131:

Table 5. Resolved Bugs in FXOS 2.6.1.131
Identifier Description
CSCvg54742 FTW - Traffic loss seen when chassis shutdown gracefully from FXOS GUI
CSCvj00997 "show open-network-ports" not showing the proper information on FP4100 Series
CSCvj47857 MIO Crashed on bootup due to ethpm hap reset
CSCvj96380 SAM Coupler should force FTW bypass if switch bypass enable fails
CSCvk46399 svc_sam_bladeAG_log core seen after MIO reboot
CSCvm31905 OpenSSH Bailout Delaying User Enumeration Vulnerability
CSCvm37578 Local User login asaConsoleDbg Permission denied error
CSCvm51377 Linux Kernel acpi_ns_evaluate() Function Information Disclosure Vulnerability
CSCvm97473 Linux Kernel drivers/tty/n_tty.c Denial of Service Vulnerability
CSCvn24594 add NTPDATE update of blade sysclock from the supervisor before starting NTPD
CSCvn41072 Linux Kernel vcpu_scan_ioapic Function Issue
CSCvn50990 Wireshark DCOM Dissector Denial of Service Vulnerability
CSCvn68238 DPDK vhost-user Interface Information Disclosure Vulnerability
CSCvn76908 [ciam] Linux Kernel USB Subsystem Data Size Checks Handling Vulnerability
CSCvn83018 Firepower 2100: Memory leak seen with process LACP
CSCvo08464 [ciam] Sudo get_process_ttyname Function Device Name Handling Security Bypass Vulnerability
CSCvo31071 Traffic drops when a unit is re-joining the cluster.
CSCvo58998 FXOS Cruz Adapter doesn't validate data sent by logical device causing dropped offloaded packets

Online Resources

Cisco provides online resources to download documentation, software, and tools, to query bugs, and to open service requests. Use these resources to install and configure Firepower software and to troubleshoot and resolve technical issues.

Access to most tools on the Cisco Support & Download site requires a Cisco.com user ID and password.

Contact Cisco

If you cannot resolve an issue using the online resources listed above, contact Cisco TAC:

Communications, Services, and Additional Information

  • To receive timely, relevant information from Cisco, sign up at Cisco Profile Manager.

  • To get the business impact you’re looking for with the technologies that matter, visit Cisco Services.

  • To submit a service request, visit Cisco Support.

  • To discover and browse secure, validated enterprise-class apps, products, solutions and services, visit Cisco Marketplace.

  • To obtain general networking, training, and certification titles, visit Cisco Press.

  • To find warranty information for a specific product or product family, access Cisco Warranty Finder.