Cisco Firepower 4100/9300 FXOS Release Notes, 2.8(1)

This document contains release information for Cisco Firepower eXtensible Operating System (FXOS) 2.8(1).

Use these Release Notes as a supplement with the other documents listed in the documentation roadmap:


Note

The online versions of the user documentation are occasionally updated after the initial release. As a result, the information contained in the documentation on Cisco.com supersedes any information contained in the context-sensitive help included with the product.


Introduction

The Cisco Firepower security appliance is a next-generation platform for network and content security solutions. The Firepower security appliance is part of the Cisco Application Centric Infrastructure (ACI) Security Solution and provides an agile, open, secure platform that is built for scalability, consistent control, and simplified management.

The Firepower security appliance provides the following features:

  • Modular chassis-based security system—Provides high performance, flexible input/output configurations, and scalability.

  • Firepower Chassis Manager—Graphical user interface provides a streamlined, visual representation of the current chassis status and allows for simplified configuration of chassis features.

  • FXOS CLI—Provides command-based interface for configuring features, monitoring chassis status, and accessing advanced troubleshooting features.

  • FXOS REST API—Allows users to programmatically configure and manage their chassis.

What’s New

New Features in FXOS 2.8.1.125

Fixes for various problems (see Resolved Bugs in FXOS 2.8.1.125).

Cisco FXOS 2.8.1 introduces the following new features:

Table 1. New Features in FXOS 2.8.1

Feature

Description

Support for Firepower 4112 security appliances

For more information about Firepower 4112 security appliances, see the Cisco Firepower 4112, 4115, 4125, and 4145 Hardware Installation Guide

Support for Firepower Threat Defense 6.6

For more information about Firepower 6.6, see the Cisco Firepower Release Notes, Version 6.6.0.

Support for ASA 9.14(1)

For more information about ASA 9.14(1), see the Release Notes for the Cisco ASA Series, 9.

FXOS API Explorer

The FXOS REST API, available on the Firepower chassis, includes an API Explorer that describes the resources and JSON objects available for your programmatic use. The Explorer provides information about the attribute-value pairs in each object, and you can “try out” the various HTTP methods in real time.

To access the FXOS API Explorer, either navigate to Help > API Explorer in the Firepower Chassis Manager interface, or edit the Firepower Chassis Manager URL to point to /api/api-explorer/index.html (for example, https://fcm.example.com/api/api-explorer/index.html).

Support for VLAN 2.8.1 subinterfaces on a cluster type interface (multi-instance use only)

For use with multi-instance clusters, you can now create VLAN subinterfaces on cluster type interfaces. Because each cluster requires a unique cluster control link, VLAN subinterfaces provide a simple method to fulfill this requirement. You can alternatively assign a dedicated EtherChannel per cluster. Multiple cluster type interfaces are now allowed.

Firepower Chassis Manager changes for combined FXOS FPRM and FXOS Chassis Tech Support troubleshooting logs

The information logged in the FXOS FPRM and FXOS Chassis Tech Support logs is now combined. You can now view all FPRM and tech support log information using the tech-support chassis 1 detail command.

Note the following FXOS CLI and Chassis Manager interface changes:

  • show tech-support fprm detail command is deprecated, in favor of tech-support chassis 1 detail

  • FPRM log file is deprecated

Ability to disable auto-negotiation on 1G optical SFP ports for Firepower 4100/9300

You can now disable auto-negotiation on 1G optical SFP ports for Firepower 4100 and 9300 devices by switching between [Yes] and [No] on the port.

SSH server support for ECDSA

The Firepower 4100/9300 FXOS CLI now has the following support:

  • The generation and zeroization of ECDSA keys with curves of 256, 384, and 521.

  • The following SSH host key algorithms: ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521

Fixes for various problems

For more information, see Resolved Bugs in FXOS 2.8.1.105.

Software Download

You can download software images for FXOS and supported applications from one of the following URLs:

For information about the applications that are supported on a specific version of FXOS, see the Cisco FXOS Compatibility guide at this URL:

https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/compatibility/fxos-compatibility.html

Important Notes

  • In FXOS 2.4(1) or later, if you are using an IPSec secure channel in FIPS mode, the IPSec peer entity must support RFC 7427.

  • When you configure Radware DefensePro (vDP) in a service chain on a currently running Firepower Threat Defense application on a Firepower 4110 or 4120 device, the installation fails with a fault alarm. As a workaround, stop the Firepower Threat Defense application instance before installing the Radware DefensePro application.


    Note

    This issue and workaround apply to all supported releases of Radware DefensePro service chaining with Firepower Threat Defense on Firepower 4110 and 4120 devices.


  • Firmware Upgrade—We recommend upgrading your Firepower 4100/9300 security appliance with the latest firmware. For information about how to install a firmware update and the fixes included in each update, see https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/firmware-upgrade/fxos-firmware-upgrade.html.

  • When you upgrade a network or security module, certain faults are generated and then cleared automatically. These include a “hot swap not supported” fault or a “module removed when in online state” fault. If you have followed the appropriate procedures, as described in the Cisco Firepower 9300 Hardware Installation Guide or Cisco Firepower 4100 Series Hardware Installation Guide, the fault(s) are cleared automatically and no additional action is required.

System Requirements

  • You can access the Firepower Chassis Manager using the following browsers:

    • Mozilla Firefox—Version 42 and later

    • Google Chrome—Version 47 and later

    • Microsoft Internet Explorer—Version 11 and later

    We tested FXOS 2.8(1) using Mozilla Firefox version 42, Google Chrome version 47, and Internet Explorer version 11. Other versions of these browsers are expected to work. However, if you experience any browser-related issues, we suggest you use one of the tested versions.

Upgrade Instructions

You can upgrade your Firepower 9300 or Firepower 4100 series security appliance to FXOS 2.8(1) if it is currently running any FXOS 2.0(1) or later build.

For upgrade instructions, see the Cisco Firepower 4100/9300 Upgrade Guide.

Installation Notes

  • An upgrade to FXOS 2.8(1) can take up to 45 minutes. Plan your upgrade activity accordingly.

  • If you are upgrading a Firepower 9300 or Firepower 4100 series security appliance that is running a standalone logical device or if you are upgrading a Firepower 9300 security appliance that is running an intra-chassis cluster, traffic does not traverse through the device while it is upgrading.

  • If you are upgrading a Firepower 9300 or a Firepower 4100 series security appliance that is part of an inter-chassis cluster, traffic does not traverse through the device being upgraded while it is upgrading. However, the other devices in the cluster continue to pass traffic.

  • Downgrade of FXOS images is not officially supported. The only Cisco-supported method of downgrading an image version of FXOS is to perform a complete re-image of the device.

Adapter Bootloader Upgrade

FXOS 2.8(1) provides additional testing to verify the security module adapters on your security appliance. After installing FXOS 2.4.1.101 or later, you might receive a critical fault similar to the following indicating that you should update the firmware for your security module adapter:

Critical F1715 2017-05-11T11:43:33.121 339561 Adapter 1 on Security Module 1 requires a critical firmware upgrade. Please see Adapter Bootloader Upgrade instructions in the FXOS Release Notes posted with this release.

If you receive this fault, use the following procedure to update the boot image for your adapter. Note that this procedure may result in a traffic disruption, and thus should be performed during a maintenance window to avoid business impact.

  1. Connect to the FXOS CLI on your Firepower security appliance. For instructions, see the “Accessing the FXOS CLI” topic in the Cisco Firepower 4100/9300 FXOS CLI Configuration Guide, 2.8(1) or Cisco Firepower 4100/9300 FXOS Firepower Chassis Manager Configuration Guide, 2.8(1).

  2. Enter the adapter mode for the adapter whose boot image you are updating:

    fxos-chassis# scope adapter 1/security_module_number/adapter_number

  3. Enter show image to view the available adapter images and to verify that fxos-m83-8p40-cruzboot.4.0.1.62.bin is available to be installed:

    fxos-chassis /chassis/server/adapter # show image
    Name                                          Type                 Version
    --------------------------------------------- -------------------- -------
    fxos-m83-8p40-cruzboot.4.0.1.62.bin           Adapter Boot         4.0(1.62)
    fxos-m83-8p40-vic.4.0.1.51.gbin               Adapter              4.0(1.51)
  4. Enter update boot-loader to update the adapter boot image to version 4.0.1.62:

    fxos-chassis /chassis/server/adapter # update boot-loader 4.0(1.62)
    Warning: Please DO NOT reboot blade or chassis during upgrade, otherwise, it may cause adapter to become UNUSABLE!
    After upgrade has completed, blade will be power cycled automatically
    fxos-chassis /chassis/server/adapter* # commit-buffer
  5. Enter show boot-update status to monitor the update status:

    fxos-chassis /chassis/server/adapter # show boot-update status
    State: Updating
    fxos-chassis /chassis/server/adapter # show boot-update status
    State: Ready
  6. Enter show version detail to verify that the update was successful:


    Note

    Your show version detail output might differ from the following example. However, verify that Bootloader-Update-Status is “Ready” and that Bootloader-Vers is 4.0(1.62).


    fxos-chassis /chassis/server/adapter # show version detail
    Adapter 1:
    Running-Vers: 5.2(1.2)
    Package-Vers: 2.2(2.17)
    Update-Status: Ready
    Activate-Status: Ready
    Bootloader-Update-Status: Ready
    Startup-Vers: 5.2(1.2)
    Backup-Vers: 5.0(1.2)
    Bootloader-Vers: 4.0(1.62)
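
The check in step 6 can be automated over saved show version detail output. This is an added example, not part of the Cisco release notes: the field names and the required version 4.0(1.62) come from the output above, while the function names and the second adapter block in the sample are constructed for illustration.

```python
import re

REQUIRED_BOOTLOADER = "4.0(1.62)"  # version named in the procedure above

# Constructed sample of saved "show version detail" output. Adapter 1 mirrors
# the page's example; Adapter 2 is invented to show a failing case.
SAMPLE = """\
Adapter 1:
    Running-Vers: 5.2(1.2)
    Update-Status: Ready
    Bootloader-Update-Status: Ready
    Bootloader-Vers: 4.0(1.62)
Adapter 2:
    Bootloader-Update-Status: Updating
    Bootloader-Vers: 0.0(0.0)
"""

def parse_adapters(text):
    """Return {adapter_id: {field: value}} from 'show version detail' text."""
    adapters, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"Adapter (\d+):", line)
        if m:
            current = adapters.setdefault(int(m.group(1)), {})
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return adapters

def check_bootloader(text, required=REQUIRED_BOOTLOADER):
    """Return {adapter_id: [problems]}; an empty list means the adapter passed."""
    report = {}
    for adapter_id, fields in parse_adapters(text).items():
        problems = []
        status = fields.get("Bootloader-Update-Status")  # None if field missing
        version = fields.get("Bootloader-Vers")
        if status != "Ready":
            problems.append(f"Bootloader-Update-Status is {status!r}, expected 'Ready'")
        if version != required:
            problems.append(f"Bootloader-Vers is {version!r}, expected {required!r}")
        report[adapter_id] = problems
    return report

if __name__ == "__main__":
    for adapter_id, problems in check_bootloader(SAMPLE).items():
        print(f"Adapter {adapter_id}:", "OK" if not problems else "; ".join(problems))
```

A missing Bootloader-Vers or Bootloader-Update-Status field is reported as a problem rather than silently passed, so truncated captures do not read as a successful update.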

Open and Resolved Bugs

The open and resolved bugs for this release are accessible through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products.


Note

You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you do not have one, you can register for an account.


For more information about the Cisco Bug Search Tool, see the Bug Search Tool Help & FAQ.

Open Bugs

The following table lists select bugs open at the time of this Release Notes publication:

Table 2. Open Bugs Affecting FXOS 2.8(1)
Identifier  Description
CSCvr05722  FXOS / ASA multi context changing mgmt ip will remove interface allocation on logical pp instance
CSCvr96620  FXOS call home address validation does not accept common name without domain prefix
CSCvs08696  Firepower Chassis Manager Showing Smart Agent Disabled after upgrade to 2.7.1
CSCvs37955  Confusing message about 'without removing the physical hardware' during Acknowledge Security Module
CSCvs66482  SNMP cored multiple times resulting FXOS hap reset
CSCvs72450  FXOS - Recover hwclock of service module from corruption due to simultaneous write collision
CSCvs73924  FCM should say is not possible to change AAA server when same protocol is configured for Auth
CSCvt09257  the SSH and console of firepower4110 is not working
CSCvt20235  All FTW interfaces link flap at random times
CSCvt34160  "Link not connected" error after reboot when using WSP-Q40GLR4L transceiver on FPR9K-NM-4X40G
CSCvt39897  FP 4120 svc_sam_dcosAG crashed with crash type:139
CSCvt42413  Removing FAN module from the device doesn’t change the value of cfprEquipmentFanModuleStatsSuspect
CSCvt43944  Multiple shut/no shut on N9K causes link failure if connected to FP9300 with WSP-Q40GLR4L xceiver
CSCvt45066  FXOS sends Link Down SNMP trap when the link is Up when changing interface status from FCM
CSCvt53023  duplicate default network control policy in GUI
CSCvt54943  extra "Local Disk 3" displayed on FPR9300

Resolved Bugs in FXOS 2.8.1.125

The following table lists the previously release-noted and customer-found bugs that were resolved in FXOS 2.8.1.125:

Table 3. Resolved Bugs in FXOS 2.8.1.125
Identifier  Description
CSCvs92044  FXOS L3 Egress Object Resource Leak due to Port-Channel Member Interface Flaps
CSCvt06091  FXOS displays a WSP-Q40GLR4L transceiver from show interface as type QSFP-40G-LR4
CSCvt17448  OSPF multicast mac getting removed from l2-table causing OSPF to fail
CSCvt17947  Need dedicated Rx rings for failover and OSPF on Firepower platform - Cruz fix
CSCvt20235  Firepower 4100 series all FTW interfaces link flap at the same time but occur rarely
CSCvt34160  "Link not connected" error after reboot when using WSP-Q40GLR4L transceiver on FPR9K-NM-4X40G
CSCvt35134  FPR4100/9300: Packet drops during the transition of BYPASS to NON-BYPASS when device is rebooted
CSCvt39897  FP 4120 svc_sam_dcosAG crashed with crash type:139
CSCvt54943  extra "Local Disk 3" displayed on FPR9300 (improved solution)
CSCvt70832  fpr4100 snmp polling to fxos memory-usage shows incorrect value compare with CLI's output
CSCvt78809  Instance start failed due to VNIC configuration error
CSCvt90558  9300/4100 : Port-channel down after chassis software upgrade.
CSCvt98524  Enhance common-msglyr library to set/get ZMQ_XPUB_NODROP channel property
CSCvu20257  WR6, WR8 and LTS18 commit id update in CCM layer (sprint 85)
CSCvu27487  FXOS ASA race condition leading to cluster join failure and network outage
CSCvu75930  Service module not returning error to supervisor when SMA resources are depleted
CSCvu81224  Blade unresponsive after several months of Uptime
CSCvu85589  Firepower 9300 FPR-NM-4X100G or FPR-NM-2X100G interface may blackhole port-channel member traffic
CSCvv03805  Multi-instance Portchannel VLANs not programmed correctly causing internal traffic loss

Resolved Bugs in FXOS 2.8.1.105

The following table lists the previously release-noted and customer-found bugs that were resolved in FXOS 2.8.1.105:

Table 4. Resolved Bugs in FXOS 2.8.1.105
Identifier  Description
CSCvn57429  Ftd app-instance is stuck in install failed with INSTALL_ERROR. Application internal script Error.
CSCvo30356  Port-channels are in suspended state after upgrade
CSCvo55237  The global upgrade button is grayed out even though one security module is up
CSCvo58998  FXOS Cruz Adapter doesn't validate data sent by logical device causing dropped offloaded packets
CSCvo60117  Interface not associated to MI instance even though it shows in chassis manager as allocated
CSCvo83802  Cluster node management connectivity lost after reboot
CSCvp10674  FTD may not become online after installing vDP and upgrading FXOS to version 2.4.1
CSCvq30293  Bootstrap configuration is not updated after FTD version downgrade
CSCvq87570  " hostname transmission sts" script is getting failed due to exception Hostname null
CSCvr68885  FXOS fault F0479 Virtual Interface link state is down

Online Resources

Cisco provides online resources to download documentation, software, and tools, to query bugs, and to open service requests. Use these resources to install and configure Firepower software and to troubleshoot and resolve technical issues.

Access to most tools on the Cisco Support & Download site requires a Cisco.com user ID and password.

Contact Cisco

If you cannot resolve an issue using the online resources listed above, contact Cisco TAC:

Communications, Services, and Additional Information

  • To receive timely, relevant information from Cisco, sign up at Cisco Profile Manager.

  • To get the business impact you’re looking for with the technologies that matter, visit Cisco Services.

  • To submit a service request, visit Cisco Support.

  • To discover and browse secure, validated enterprise-class apps, products, solutions and services, visit Cisco Marketplace.

  • To obtain general networking, training, and certification titles, visit Cisco Press.

  • To find warranty information for a specific product or product family, access Cisco Warranty Finder.