Cisco Secure Firewall Threat Defense with Firewall Chassis Manager, Version 10
This document contains release information for Cisco Secure Firewall Threat Defense with Secure Firewall Device Manager.
 Note |
Version 10 begins a new release numbering scheme and cadence. For more information, see the Cisco's Next Generation Firewall Product Line Software Release and Sustaining Bulletin. |
Release Dates
|
Version |
Build |
Date |
Platforms |
|---|---|---|---|
|
10.0.0 |
140 |
2025-12-03 |
All |
Features
Features in Version 10.0.0
|
Feature |
Description |
|---|---|
|
Hardware Features |
|
|
Support for Secure Firewall 220. |
You can use the Firewall Device Manager to configure the Secure Firewall 220. Support includes the following limitations:
|
|
Public and Private Cloud |
|
|
Firewall Threat Defense Virtual for Microsoft Hyper-V. |
Firewall Threat Defense Virtual now supports Microsoft Hyper-V. |
|
End of support: VMware vSphere/VMware ESXi 6.5, 6.7, 7.0, and 7.5. |
Upgrade impact. Upgrade VMware before you upgrade the software. We discontinued support for virtual deployments on VMware vSphere/VMware ESXi 6.5, 6.7, 7.0, and 7.5. Upgrade your hosting environment to Version 8.0 before you upgrade any virtual appliance. Version restrictions: Versions 7.3.x and 7.4.1 are not qualified on VMware 8.0. If you run any of these versions, upgrade to VMware 8.0 first. Move to the next step as soon as possible. For best results, perform a multi-step upgrade: first the virtual appliance to 7.4.2–7.7.x, then VMware, then the virtual appliances again. |
|
Larger default disk size and the ability to resize the disk post-deployment for Firewall Threat Defense Virtual |
The default disk size for virtual firewalls has changed. |
|
Firewall and IPS Features |
|
|
Limit ciphers used for the Firewall Device Manager web server and the captive portal used for active authentication identity rules. |
You can limit which ciphers can be used when connecting to the Firewall Device Manager, or when users are prompted for active authentication by identity rules. By limiting the ciphers allowed, you can enforce stronger security requirements than the default ciphers. We added the Firewall Device Manager Web Server and Identity Web Server cards to the page. The previous SSL settings applied to remote access VPN connections only. |
|
VPN Features |
|
|
Disconnect remote access VPN sessions by removing the smart card. |
If you use smart cards for RA VPN connections, you can configure the group policy to disconnect if the smart card is removed. This feature is enabled by default on all group policies on upgrade. You can disable the feature, so that connections are not dropped on smart card removal. We added the Disconnect on Smart Card Removal option to the Session Settings in the RA VPN group policy configuration. |
|
Administrative Features |
|
|
Updated internet access requirements for Security Intelligence feeds. |
Upgrade impact. The system connects to new resources. The system now gets Security Intelligence feeds from the same place as URL filtering data:
The system no longer requires access to intelligence.sourcefire.com. |
|
TACACS+ server authentication, authorization, and accounting support for Firewall Device Manager HTTPS management connections. |
You can configure the Firewall Device Manager to use your TACACS+ servers to authenticate and authorize HTTPS connections to the Firewall Device Manager. You can also enable TACACS+ accounting for these connections. We added TACACS+ server and server group objects to the identity sources and updated the management system settings (, AAA Configuration tab) to allow the selection of a TACACS+ server group. |
Related updates and deprecations
Resolved issues
This table lists the resolved security issues in this specific software release.
Table last updated: 2025-12-03
|
ID |
Headline |
|---|---|
|
Order of access-list/ access-group is different in standby unit. Full sync happens during node-join. |
|
|
ASA/FTD traceback and reload when invoking "show webvpn saml idp" CLI command |
|
|
Custom rule with "metadata:impact_flag red" in Snort3 not detected as Impact Level 1 |
|
|
Additional tab/space added in ACL logging messages in EMBLEM format causing ingestion issues |
|
|
Evaluation of multiple Azul Zulu vulnerabilities on openjre ASDM |
|
|
[FMC HA] Follower accepts data only from 1 leader |
|
|
Redis is an open source, in-memory database that persists on disk. An |
|
|
In the Linux kernel, the following vulnerability has been resolved: s |
|
|
ASA block depletion due to SSL pre auth connections |
|
|
FMC GUI does not Accept "@" in the username for remote storage used for backups |
|
|
Cisco Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial of Service Vulnerability |
|
|
FMC Legacy UI allows you to create time range objects in past time in ACL |
|
|
FTD native: ldap configuration fails to deploy to ftd when using same user as radius |
|
|
Unable to load Extended ACL objects if the count is more than few hundreds |
|
|
Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Authenticated Command Injection Vulnerability |
|
|
Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Authenticated Command Injection Vulnerability |
|
|
FMC API put taking long time to update Extended ACL objects when count is huge like hundreds |
|
|
Firepower wiping SSL trustpoint config after reloading. |
|
|
Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software VPN Web Server Denial of Service Vulnerability |
|
|
Unable to save the Ext ACL object - "Only Host and Network in IPv4 and IPv6 format are supported." |
|
|
Cisco Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial of Service Vulnerability |
|
|
Cisco Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial of Service Vulnerability |
|
|
Cisco Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial of Service Vulnerability |
|
|
Cisco Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial of Service Vulnerability |
|
|
Cisco Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial of Service Vulnerability |
|
|
Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Remote Access SSL VPN Denial of Service Vulnerability |
|
|
Cisco Secure Firewall Adaptive Security Appliance, Secure Firewall Threat Defense Software HTTP Server Remote Code Execution Vulnerability |
|
|
Cisco Secure Firewall Management Center Software Command Injection Vulnerability |
|
|
IPv6 Management communication is lost due to a missing management-only multicast route. |
|
|
ARP is silently dropping packet for an unreachable next hop |
|
|
Traceback & Reload in Thread Name Unicorn Admin Handler |
|
|
Cisco Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial of Service Vulnerability |
|
|
Duplicate ACLs seen on FMC UI when Access Rules are created through API |
|
|
Cisco Secure Firewall Threat Defense Software Geolocation Remote Access VPN Bypass Vulnerability |
|
|
Multiple Cisco Products Snort 3 MIME Denial of Service Vulnerabilities |
|
|
Traffic hits incorrect ACP rules during policy deployment on FTD with dynamic objects |
|
|
Cisco Secure Firewall Management Center Software Radius Remote Code Execution Vulnerability |
|
|
Lina: Traceback in thread name ssh on executing show access-list after ACL deletion |
|
|
Route map object ACL match clause overwrited in all route maps objects after saving changes. |
|
|
ACL: ASA may show false "OOB Access-list config change detected" warning after AAA authorization command is applied |
|
|
Cleaning of /var/temp backup files post Backup completion not cleaning |
|
|
Policy Deployment: When using MD5 in Site-to-Site VPN, manual deployment fails with validation error, but schedule deployment succeeds. |
|
|
Packet-tracer displaying incorrect ACL even though traffic action is taken based on the expected ACL. |
|
|
Reverting FTD upgrade silently removes object overrides on the FMC for the reverted FTD |
|
|
PAO logic for access rules POST/PUT api call for spaces in ip addresses in ACL rules |
|
|
External auth login with RADIUS to FMC UI may fail if Class attribute is used |
|
|
FMC RADIUS external authentication access requests missing 6 attributes after FMC upgrade |
|
|
Multiple Cisco Products Snort 3 MIME Denial of Service Vulnerabilities |
|
|
ASA from CSM/CLI - no access-list ACL_name line line_nr remark on last ACL line shows message - "Specified remark does not exist" |
|
|
Invalid host header reveals ASA interface IP address |
|
|
CVE-2025-32462: sudo: Before 1.9.17p1, allows users to execute commands on unintended machines. |
|
|
Inbound IPsec packets are dropped by IPsec offload when the crypto map ACL is using specific ports. |
|
|
RAVPN SSL/IKEV2 AUTH FAILURE: AAA PROCESS MISHANDLING BROKEN FIBER CLASS |
|
|
FMC: Copy/Cut/Paste or drag/drop ACE in Extended ACL object, deletes existing Rules |
|
|
Firewall joins a cluster although gets incomplete ACL policy rules during replication |
|
|
Cisco Secure Firewall Adaptive Security Appliance Software and Secure Firewall Threat Defense Software VPN Web Server Unauthorized Access Vulnerability |
|
|
Cisco Secure Firewall Adaptive Security Appliance Software and Secure Firewall Threat Defense Software VPN Web Server Remote Code Execution Vulnerability |
|
|
SAML response rejected with message for certain IDPs |
|
|
Drop counter doesn't increment for embryonic related drops in 'show service policy' |
|
|
Invalid OSPF process popup blocking route-map configuration |
|
|
FMC: Realm sync after import, un assigns IPS policies configured in ACEs |
|
|
Deployment failure or traffic not matching configured rules after renaming several objects |
|
|
uZTNA Private resource not working due to hztna CRT expiration on FTD |
|
|
SFDataCorrelator backtrace every 1 hour after VDB update on FMC |
|
|
FMC UI route-map access list stuck |
This table lists the resolved functional issues in this specific software release.
Table last updated: 2025-12-03
|
ID |
Headline |
|---|---|
|
"logging debug-trace persistent" fails for "debug ip ..." related debugs |
|
|
DP-CP arp-in and adj-absent queues need to be separated |
|
|
User-Role permission for Object-MGMT "Find-Usage" |
|
|
Write cache is disabled on some FMC M5 appliances |
|
|
Standby FTD/ASA sends DNS queries with source IP of 0.0.0.0 |
|
|
Add UI message when user attempts to switch role from standby FMC with pending device registration: Chassis and Device |
|
|
Inline pair has incorrect FTW bypass operation mode of 'Phy Bypass' |
|
|
ASA/FTD : High LINA memory observed after configuring multiple AnyConnect packages |
|
|
Last Synchronized date in FMC smart license status is not always accurate |
|
|
New realm user are incorrectly getting mapped to discovered user |
|
|
scheduled task may not run at all if UTC start times (based on DST) are on different calendar days |
|
|
FMC does not support Umbrella with proxy setting |
|
|
on 2k platform, external authentication fails for users starting with number |
|
|
Snort3 Rule Recommendations - add error message if Network Discovery is not configured |
|
|
Misleading error message while attemtping to revert upgrade on inelligible device |
|
|
External Auth on FMC may throw err "Can't use string ("") as a HASH ref while "strict refs" in use" |
|
|
The fxos directory disappears after cancelling show tech fprm detail command with Ctr+c is executed. |
|
|
Stale anyconnect entries causing issues with routing |
|
|
Edit search page and unified event viewer very slow to load due to high number of search-related EOs |
|
|
DAP: debug dap trace not fully shown after 3000+ lines |
|
|
ENH: Add a command or a script to regenerate CA Certificate on FTD |
|
|
snort3 crashes observed due to memory corruption in file api |
|
|
Lina traceback in ZMQ Proxy caused service loss. |
|
|
ASA: unexpected logs for initiating inbound connection for DNS query response |
|
|
ENH : ASDM does not accept VTI Interface for routes, CLI works |
|
|
3100/4200: qdma driver watchdog timeout |
|
|
FTD 7.4.1 Snort shows 100% utilization even at a low traffic rate |
|
|
Snort3 traceback and restarts with race conditions |
|
|
Fault "Adapter 1/x/y is unreachable" due to connectivity failure between supervisor and VIC adapter |
|
|
Applications are incorrectly identified as TOR and blocked by Snort3 |
|
|
Snort creating too many snort-unified log files when frequent policy deploys |
|
|
Snort3 traceback and reload due to memory corruption in file module |
|
|
Snort3 crashes due to processing pdf tokenizer with no limits. |
|
|
Snort3 crashes while collecting flow-ip-profiling |
|
|
Incorrect syslog generated on failure to process SGT from ISE during RA authentication |
|
|
FMC - Add warning message when configuring CCL MTU |
|
|
SNMP for mgmt0/diagnostic outgoing traffic is missing |
|
|
WebEx traffic not getting bypassed in snort3 (allow rules) |
|
|
Virtual ASA/FTD may traceback and reload in thread PTHREAD |
|
|
ASDM- Unable to edit Secure Client Profile |
|
|
FMC : DAP configuration "laggy/hangs" when trying to configure via FMC. |
|
|
Increase sftunnel AUTH_TIMEOUT to 60 |
|
|
debug menu command to prevent 1550 block depletion due to sendinglogs to TCP syslog server |
|
|
Snort AppID incorrectly identifies SSH traffic as Unknown |
|
|
Creating cluster bundle tar files for cluster failing with remote storage SSH configured |
|
|
FMC unable to search Objects when there is a DNS configured |
|
|
Add timestamps into bash_history |
|
|
S2S VPN config removed unexpectedly after deployment |
|
|
File Download fails intermittently with malware & file policy configured |
|
|
SSH access with public key authentication fails after FXOS upgrade |
|
|
FXOS: Directory /var/tmp Triggering FXOS Fault F0182 due to vdc.log (Excessive Logging,Log Rotation) |
|
|
Set Weight option missing in UI when FTD sensor reverted and re-upgraded |
|
|
Propogate SGT deployed to FTD if copy deviceconfiguration(SGT configuration UI andLINA doesnt match) |
|
|
FMC GUI does not allow saving ECMP configuration when there is a route leak for a VRF |
|
|
FMC find usage feature not showing all associated access control policies for random objects |
|
|
NAT traps have to be rate-limited |
|
|
FMC/FTD: Policy Deployment Fails For Existing FTDv Deployments on Cloud with VNI interfaces |
|
|
Alert user that FDM is not Supported for FTDv in Openstack if they try to enable it |
|
|
snort "exits normally" in loop every 1 min resulting in complete outage |
|
|
FMC displays VPN tunnel status as unknown even when the tunnels are up |
|
|
Invalid Name Warning Missing from FMC after upgrade and Save greyed out (Configure DAP records through Rest API) |
|
|
Unused objects deletion taking longer time |
|
|
Discrepency in the unused object count between the FMC UI and API results |
|
|
Secure Client Connection Profile Address Pool not Shown |
|
|
Cluster assigning wrong nat for unit, traffic not being forwarded properly back to unit |
|
|
MariaDB import failure that lead to FMC-HA Synchronization Incomplete |
|
|
Use of Named interface in SLA Monitor causing cdFMC migration failure |
|
|
Switch FMC-HA fails: MariaDB replication is not in good state - can not sync |
|
|
FTD running on FPR2k devices, using CMI, has no ARP for 203.0.113.129 |
|
|
FTD deployment fails with error "Snort command failed due to bad config" |
|
|
Memory fragmentation resulted in huge pages unavailable for lina |
|
|
Snort3 Crashinfo not decoding certain lines with "no unwind info found" |
|
|
FMCv300 not consuming any FMCv300 device license |
|
|
fs-daemon hap reset with core generation |
|
|
Secure Client External Browser package Image shown 2 same packages |
|
|
policy_deployment.db does not get updated with the correct anyconnect/secure client version |
|
|
Big chunk of Memory of around 25KB is being allocated on Stack in "eigrp_interface_ioctl" API |
|
|
FMC not using configured proxy for smart licensing |
|
|
Traceback and reload in Thread Name Datapath |
|
|
Primary FTD instance MAC address is not updated correctly in FXOS during failover |
|
|
NAT divert for 8305 on standby not updating post failover causing the Primary, standby FTD to show offline on FMC |
|
|
ACP copy not possible in Firepower Management Center |
|
|
Longevity setup:TPK cluster node is displayed as empty cluster in device mgmt page |
|
|
SNMP walk results in ASCII value for IPSEC Peer instead of an IP address. |
|
|
Unreachable Hosts and URLs of syslog configuration Block Device Management Page Loading |
|
|
MI: Vlan info is not applied at FXOS level when Virtual MAC is configured |
|
|
ASA traceback and reload in freeb_core_local_internal |
|
|
FDM Order of reading nested object group indexing is causing deployment failure |
|
|
Intrusion policy having same name in different Domains causes IPS policy corruption |
|
|
Coverity System SA warnings 2024-09-09, Coverity Defects 922530 922529 922528 922630 921809 921808 |
|
|
S2S VPN tunnel Child SA unsuccessful renegotiation |
|
|
Critical health alerts 'user configuration(FSM.sam.dme.AaaUserEpUpdateUserEp)' on FPR 1100/2100/3100 |
|
|
Frequent traceback after upgrading FTD HA |
|
|
Remove the File Capture Disk Manager SILO to prevent captured files from overwhelming the Disk Mgr |
|
|
On FMC, Backend server JVM is running out of memory when policies and objects are huge |
|
|
ASA Traceback after upgrade to 9.20.3.7 |
|
|
Send Virtual Tunnel Interface enabled by default on SVTI |
|
|
Tracebacks observed in a cluster member running ASA 9.20.3.4 |
|
|
FCM GUI became inaccessible after upgrading to ASA 9.18.4.22 | FPR 2130 Platform Mode |
|
|
Bandwidth information of a port-channel is not getting updated if an interface member goes down. |
|
|
FDM RA VPN SAML UI does not set port in base-url when custom webvpn port is used |
|
|
“Copy when complete” option not working for SSH Public Shared Key Authentication on FMC |
|
|
Traceback and reload with Thread Name: vtemplate process |
|
|
Traceback and reload during clear bgp * ipv6 unicast involving watchdog |
|
|
Traceback in thread name Lina on configuring arp permit-nonconnected with BVI |
|
|
ASA: IPv6 EIGRP routes learned from other neighbors are missing in updates after failover |
|
|
FMC1600-K9 PDF download failed in deploy tab |
|
|
ASA: floating-conn not closing UDP conns if conn was created without ARP entry for next hop |
|
|
cdFMC - Unable to save network group object |
|
|
ASA/FTD - Traceback and Reload in Threadname IP RIB Update |
|
|
Clearing all non applicable alerts post license registration success |
|
|
Intf Link down (Init, mac-link-down) seen - EtherChannel Membership in Down/Down/Down state after unplug/replug of the cable |
|
|
show blocks old core local can lead to unexpected reload. |
|
|
Smart license UI on cdFMC and FMC showing duplicate license count for Malware , IPS , URLFilter and Apex |
|
|
RA VPN Config Error -- Import PKCS12 operation failed - Deployment Failure |
|
|
Asia/Bangkok timezone option not listed in ASA running on firepower1k |
|
|
Banner motd does not display when configured |
|
|
SSH works in admin context but doesn't work in any user context after changing ssh key-exchange |
|
|
Event-list not deployed when using Enable All Syslog Messages |
|
|
Block S2S and remote access configurations for public cloud cluster |
|
|
FMC UI login fails with "Unable to authorize access." |
|
|
loading an ECDSA certificate into the FMC causes Auth Daemon to crash and reload repeatedly |
|
|
FMC: OSPF NSF-awareness (helper mode) cannot be configured on a standalone FTD |
|
|
Unreachable LDAP/AD referrals may cause delays or timeouts in external authentication on FTD |
|
|
Need the SVC Rx/Tx queue as a configurable option |
|
|
FMC does not remove community list override when this is modified. |
|
|
ISA3000 with ASA Refuses SSH Access If CiscoSSH is Enabled |
|
|
RTSP packets getting stuck in transmit queue leading to 9k blocks exhaustion. |
|
|
FMC Does not throw error with duplicate entries in input while modifying prefix list through API |
|
|
Choosing clause 91 FEC via the FMC sets fec 544 instead of fec 528 on QSFP-100G-CU3M |
|
|
Traceback and Reload caused by Memory corruption with SNMP inspection enabled |
|
|
Realm with greater than 16 directories cannot be deployed in RA-VPN for LDAP |
|
|
Confusing Verdict for Snort Injects - Change From Block to "Replaced"/"Injected" |
|
|
FDM - All IPSec tunnels get reset after changing PFS value for one tunnel |
|
|
User EO revisions accumulate forever, eventually overflowing Pruner's ability to do its job |
|
|
ipv6 ping Vrf name changed after xml processing |
|
|
core corruption still seen with switching to quick core feature |
|
|
snort3 : FMC connection event logs do not show URL in DNS query using TCP |
|
|
ASA clock is out of sync 2 hours when timezone is configured to Europe/Dublin which is GMT. |
|
|
Identity NAT should not throw error due to exceeding threshold if destination only objects expand |
|
|
FP1150 ASA/FTD - Traceback and reload triggered by watchdog timer |
|
|
lucene directory missing from FDM backup |
|
|
High ASA/FTD memory usage due to polling of RA VPN related SNMP OIDs |
|
|
WM-DT-7.7.0-40:: Observed switch config failed and switch Mac error on device console |
|
|
FTD Clish: "more.fxos" process is left running when the ssh terminal session is abruptly terminated |
|
|
FMC Not listing the any connect images in RAVPN Wizard and FMT tool |
|
|
Occasionally, 'show chunkstat top-usage' output does not show all entries |
|
|
ASA/FTD may traceback and reload in Thread Name "DATAPATH" |
|
|
FXOS reset and reload due to snmpd service failure |
|
|
Create report option should be hidden from Health Events Page on CDFMC |
|
|
Generate syslog if received CRL is older than cached CRL |
|
|
Generate syslog if received CRL signature validation fails |
|
|
URL getting allowed even with block rule in place. |
|
|
ASA: Traceback and Reload Under Thread Name SSH |
|
|
FTD generates syslog 430002 as VPN Routing without VPN hairpin |
|
|
Policy Deployment Failure Due to Special Characters in AC Policy Rule Names |
|
|
FTD reboot and traceback in DATAPATH due to IPv6 packet processing |
|
|
Error thrown for individual rule hitcount if rule name contains certain special characters |
|
|
Debuggability: FP2100 port-channel interfaces flap after upgrade |
|
|
Tunnel Summary and Topology View in S2S monitoring doesn't display the right status. |
|
|
Dynamic Analysis Status Changed time only changes upon submission of a file for dynamic analysis |
|
|
Use of browser Refresh button on the Captured File Summary page may result in an unexpected warning |
|
|
FTD Upgrade Failure on Script 800_post/020_710_fix_users_and_roles.pl |
|
|
Warning messages from using Analyze button on Captured File Summary page need to be more specific |
|
|
Snort3 trimming packets with invalid sequence number due to bad window size information received |
|
|
VNI source MTU is not IPv6 aware after upgrade if configured prior to upgrade |
|
|
Nitrox Engine (Crypto Accelerator) problem affecting crypto hardware offload on FPR3100/4200 platforms |
|
|
Community lists should not throw an error until the last item in the list is being deleted |
|
|
sfipproxy prometheus configuration is attempted for not supported models and replaces sfipproxy.conf |
|
|
Unable to login to FMC GUI due to HTTP 401 UNAUTHORIZED error |
|
|
Aggressive scale down and scale up of nodes causing the failure |
|
|
Serviceability Enhancement - Make FXOS disk errors more descriptive |
|
|
SNMP walk on FXOS 2.14.1.167 causing warning loop |
|
|
ZIP files are not being transferred when Archive category is selected from File Policy using snort3 |
|
|
Exclude perf monitoring files from device backup |
|
|
ASAv reloaded unexpectedly with traceback on Unicorn Proxy Thread |
|
|
Command authorization fallback to Local only works for users with privilege 15. |
|
|
Active HA unit goes into failed state before peer unit gets into a ready state during snort failure |
|
|
SSL trustpoint with 4096 bit RSA keys not allowed by ASA if renewed via CLI |
|
|
Traceback and reload during the deployment after disabling FQDNs. |
|
|
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-3-4280' |
|
|
Enabling debugs with EEM fails |
|
|
The whois lookup command for the FMC GUI does not properly handle errors |
|
|
Detectors sync issue on FMC upgraded to 7.7 |
|
|
Dispatch queue drops have no snapshot or tuple view for dropped flows |
|
|
Snort3 crashed because don't fragment bit was set and it did not treat ipv4 fragments as fragments |
|
|
FDM: De Registration stuck with this error: Licensing task is in progress |
|
|
Buffer calculation for new app_bin missing in the upgrade framework |
|
|
Prune the older files in /ngfw/var/cisco/deploy/pkg/var/cisco/packages |
|
|
FTD - LSP Installation/ Deployment Failure |
|
|
FMC upgrade page shows upgrade failed but the device is upgraded |
|
|
Backup may fail with generic "Backup died unexpectedly" error message |
|
|
IKEv2 Rekeys fail due to fragmentation during the IKE Rekey |
|
|
Importing SFO fails with the error "No UUID Provided" |
|
|
False alert "Terminating long running backup" on FMC due to UI backup timeout error. |
|
|
FXOS allows booting and starting an image installation using a Patch image |
|
|
Snort3 restart on the first deployment post FMC upgrade. |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina_exec_startup_thread' |
|
|
FMC removes prefix-list overides used for BGP and installs defaults values by itself. |
|
|
Unable to rejoin data node in cluster after re-enabling mac-address auto in multi-context mode |
|
|
FTD TS is collecting duplicated data |
|
|
Better handling of invalid/bad data in fleet upgrade workflow. |
|
|
process_stderr.log: Could not open link aggregation log file '/ngfw/var/log/link_aggregation.log' |
|
|
Port scan alerts not getting generated for custom configuration |
|
|
Reduce TS package size |
|
|
FTD sending "0.0.0.0" NAS-IP-Address attribute when authenticating/authorizing using Radius |
|
|
debug packet-condition does not work as expected |
|
|
9K block depletion causing slowdown of all traffic through firewall |
|
|
Suddenly customer lost SSH access to the ASA |
|
|
Empty snapshot being sent when when auth-daemon restarts causing user logout |
|
|
DNS and default gateway are removed on FTD managed through data interface - DNS |
|
|
auth-daemon process restarts due to race condition |
|
|
Deployment failure due to invalid AnyConnect Images and Secure Client Profile references |
|
|
REST Api allows to create a realm without a directory configuration |
|
|
Enhance Backup Status Notifications for Unified Backup Failures on FMC |
|
|
Upgrade failure after RMA due to Sensor table having incorrect serial number |
|
|
Unexpected SFDataCorrelator exit after deployment to managed devices following VDB install on FMC |
|
|
Default Route Changes from Management0 to Management1 After Reload or Upgrade on FPR 4200 Series |
|
|
Management1 Gateway Configuration Should Be Optional on FPR 4200 Series |
|
|
FMC Site-to-Site Monitoring Dashboard is not working at all |
|
|
Unit taking ~13 secs to become active |
|
|
FMC remote storage test sometimes fails when configured to a server running Solar Winds SCP/SFTP |
|
|
Virtual ASA Traceback and Reload Caused by Disk Access Issues with NFS Enabled |
|
|
AC policy with Network Group Override object causes deployment failure/rules missing |
|
|
TLS.- Outlook only supports TLS 1.2 and not 1.3- FMC uses TLS 1.3 by default |
|
|
LSP upload/download + auto-deploy is failing |
|
|
Disable Reverse Path Filter for Dual Management Interfaces on FPR 4200 Series |
|
|
Active FMC - False alerts of FMC HA in degraded sync state |
|
|
FMC Alert: Discover Health Module Compilation Error |
|
|
CIMC Password length restricted to 16 characters with LOM enabled |
|
|
FMC: Deployment takes longer than expected when removing SNMP hosts from Platform Settings |
|
|
FTD upgrade allowed with dirty policy after FMC upgrade |
|
|
Random QOS policies are getting negatted and added with subsequent deployment |
|
|
First cycle of FMC HA periodic sync may fail after resuming sync following FMC software upgrade |
|
|
Remote storage server password showing in plaintext in httpsd_error_log |
|
|
AMP related health alert during upgrade and typo in the alert message |
|
|
Enhance Debugging for add/update/withdraw of routes with neighbors |
|
|
Deployment due to system upgrade is failing at PREPARE phase in FDM-HA |
|
|
Serviceability Enhancement - New 'show bgp internal' command for advanced debugging |
|
|
ASA/FTD traceback and reload in vaccess_nameif_action thread |
|
|
FMC: Media type displayed on the FMC's FCM is not matching CLI after swapping sfps |
|
|
Remote backup generated successfully but configuration database backup is empty |
|
|
Smart license UI showing variable performance tier when stand by FMC is made active |
|
|
cdFMC does not show more than 25 realms in the GUI |
|
|
sftunnel and sfipproxy configuration files updates are not atomic |
|
|
Getting " Realm is disabled, enable it on the Realms page " while adding dynamic attributes |
|
|
Traceback & Reload in thread named: DATAPATH-1-23988 during low memory condition |
|
|
SSL Debug Logs Persist After Debug Reset |
|
|
show tech-support fprm detail command is getting stuck for longer duration |
|
|
Snort3 traceback and deployment failure with VDB upgrade |
|
|
Memory leak leading to split brain |
|
|
ENH: Include SystemID in "show system detail" in techsupport file |
|
|
Module show tech generation fails with external authentication |
|
|
Ensure the watchdog triggers even if a single snort3 thread becomes unresponsive. |
|
|
Counter from IKEV2 stats does not match the number of tunnels in VPN-Sessiondb |
|
|
SecGW: Data node fails to join the cluster with cluster_ccp_make_rpc_call failed to clnt_call error |
|
|
Port-channel member interface flap renders it as an inactive member |
|
|
sfipproxy may not restart and fail services like User Identities when enable file is not detected |
|
|
Disabling OSPFv3 on FMC does not clear passive interface and area config from FTD interfaces |
|
|
FMC IPsec SA remaining key lifetime incorrect conversion of seconds to hh:mm:ss |
|
|
Cluster node got deleted partially and devices have become Standalone on FMC UI |
|
|
ASA may traceback and reload in Thread Name 'fover_parse' |
|
|
syslog-ng may not immediately restart on FTD as expected upon changing FTD host name |
|
|
Installation of Hotfix may fail at 800_post/998_expire_ac_policy.pl on the standby FMC |
|
|
Deployment is failing due to the policy changes report request in progress |
|
|
FMC - Health Monitor shows 'No Data Available' due to too many open files |
|
|
Logging recipient-address not overriding the logging mail message severity levels |
|
|
After upgrade from newer lower MR to Old Higher MR seeing health module compilation error |
|
|
DNS and default gateway are removed on FTD managed through data interface |
|
|
Warwick Avenue: LLDP neighbours are not discovered if MGMT 1/2 interface is down |
|
|
Decryption policy failed to migrate to cdFMC from on-prem FMC. |
|
|
/mnt/disk0/log folder duplicated on troubleshooting package |
|
|
Generic or irrelevant error for remote storage device test/save failures |
|
|
Error after logging out from FMC UI using SSO with PingId |
|
|
FTD health metrics show "No data available" on the FMC |
|
|
Upgrading a 7.0.x sensor to 7.0.7 when managed by an FMC via hostname results in errors |
|
|
Serviceability enhancement for "system support trace" capabilities |
|
|
Traffic failure due to 9344 blocks leak |
|
|
FMC Rest API returns only the first 1000 network object entries |
|
|
Snort3 Traceback due to watchdog during appid NAVL instantiation |
|
|
'${dsk_a} missing or inoperable. Rebooting Blade.' error does not specify missing or inoperable disk |
|
|
Overrides not working on chained/inherited custom IPS policies |
|
|
[Cluster] CPU Utilization of 100% when NAT Pool exhaustion happens in a context. |
|
|
FTD: Large Delay in packets being inspected by snort |
|
|
Add "built" and "teardown" messages for the GRE | IPinIP connections to the Lina syslog |
|
|
FTD does not synchronize via NTP from Secondary Management Center in HA when the Primary is down |
|
|
DNS doctoring not working correctly if the doctoring rule is of type dynamic and has any interface |
|
|
After renewal FMC CA, the certificate cannot be used for ArcSight integration |
|
|
Logical App Stuck in 'Start Failed' Due to checkSystemCPUs Failure |
|
|
Failover and state link not accepting valid subnet mask |
|
|
Default Pass action for rules in Snort 3 local rule groups may cause blank error in IPS policies |
|
|
mix of major versions between FMC and FTD causes per-core CPU use health module to not work on FTD |
|
|
FMC/FDM Client side certificate used to communicate to Talos did not auto-renew correctly |
|
|
CPU core numbers not specified in results from operational/metrics FMC REST API endpoint |
|
|
FPR9K-SM-56 Cluster - FTD Stuck in an application install loop & error 'pooled address is unknown' |
|
|
FTD HA | Same MAC for port-channels causing network outage. |
|
|
Deployment to FTD Fails at 5% due to corruption with interface object |
|
|
Network Outage when Primary FTD Instance is Disabled from FCM |
|
|
snmp_logging_thread is utilizing high CPU in control plane |
|
|
FMC health policy and Default Health Policy do not have correct moduleList |
|
|
FPR9K-SM-56 Cluster Node APP_SYNC timeout twice before joining "6" member inter-chassis cluster |
|
|
Refresh Icon on Inventory Details Fails to Update Chassis Information for All Models |
|
|
/objects/fqdn filter paramaters not working |
|
|
FPR1010 Ethernet1/1 trunk port is not passing Vlan traffic after a reload |
|
|
The NAS-IP-Address attribute is missing from the Access-Request in FMC |
|
|
Captured file status is not updated if threat score is cached on FTDs |
|
|
Bulk Edit Rules - Security Zone Search does not yield all zones if zone count is more than 1000 |
|
|
Deployment Failure in Hub and Spoke VTI Topology with DHCP Configured VPN Interfaces |
|
|
BFD flap due to ASA not processing incoming BFD packets after unrelated BFD peers go down |
|
|
SNMP polling to chassis is unsuccessful with FTD Multi-instance in HA used as SNMP agent |
|
|
SNMP configuration is not applied consistently across same FTDs type and version |
|
|
Deployment failure due to rsync |
|
|
3100 Marvell 4.3.14 CPSS patch for the interface mac stuck issue seen with peer switch reloads |
|
|
TLS handshake fails with reverse SSL flow and TSID (TLS Server Identity) enabled |
|
|
ASA/FTD traceback and reload with SNMP Notify Thread seen on 3110 |
|
|
FMC getting health alert - cgroup_monitor exited 5 time(s) |
|
|
Passive Agent core containers like BEE does not come up beyond 3 crashes. |
|
|
Certain special characters or spaces in RADIUS user passwords cause login failure in FMC |
|
|
Portscan event in FMC displays incorrect source/destination when set to 'low' setting |
|
|
Object search failing due to BB invalid data |
|
|
Deploy failure seen when we use same vlan id in vlan intf and sub intf |
|
|
Traceback in thread name DATAPATH when a unit is re-joining the cluster |
|
|
deployment slowness seen when huge number of policies are present |
|
|
Post-Failover FQDN Resolution Deferred Until Next DNS Poll Interval |
|
|
Post reposition or move operation fails then if user saves, it would lead to loss of rules & may cause an outage |
|
|
Cryptochecksum changed after reloading. |
|
|
BFD packets are not dropped for single-hop BFD sessions received via alternate path |
|
|
Saving changes under Policy > Alerts > Intrusion Emails in FMC GUI multiple times removes old changes |
|
|
Local user details not replicated to data nodes in a cluster setup. |
|
|
ASDM: Displays Error of Keypair already exists when adding an identity certificate. |
|
|
Difference in RSA key length at multiple spots in FXOS |
|
|
L3 Clustering where BGP immediately comes up while DATA node is still in bulk sync |
|
|
Deployment failure not updated on databases of data node |
|
|
FMC page may get stuck in loading state while trying to fetch BGP configuration |
|
|
Unidirectional communication over ccl leading to split-cluster. |
|
|
FTD Hub-and-Spoke VPN Topology – Backup VTI Fails When DHCP is Used for External IP |
|
|
SMB remote FMC backups are failing due to relam sync |
|
|
FTD Dashboard queries only primary device for FTD HA |
|
|
Boot-Time warning if CPU core count is below minimum requirement |
|
|
ASA/FTD: Primary standby unit becomes Active after reload in HA set up |
|
|
backout change preventing enabling clustering in FIPS mode |
|
|
ASA/FTD traceback and reload triggered by the Smart Call Home process in sch_dispatch_to_url. |
|
|
If command replication fails to any nodes in cluster, send kick the node out from cluster to fmc |
|
|
Policy deploy would not write entries when referenced object is missing |
|
|
Command replication failure to cluster nodes on command commit noconfirm revert-save after access-list, additional debugs |
|
|
FMC Custom widget to display host count per sensor shows incorrect sensor name |
|
|
"Error during policy validation An internal error is preventing the system... "due to stale sensor ref in security zones |
|
|
Missing RADIUS accounting response messages may result in delays or failures of connectivity from chassis to instances |
|
|
fover_trace.log not rotating and growing to a massive size |
|
|
FPR 4125 Multi instance: High Snort and System Core CPU Usage (100%) Triggering FMC Critical Alerts |
|
|
FMC Unable to Download User Groups from AD Realm via LDAP |
|
|
ASAv restarts unexpectedly |
|
|
ASA: asacli Processes Not Terminated When SSH Sessions Are Closed |
|
|
cdFMC Not Displaying Interfaces and Security Zones When HA Secondary Device Is Active |
|
|
FMC Displays SSE Enrollment Failure Alarm Despite No Active Integration with SecureX |
|
|
Duplicate VTI cause VPN Flaps |
|
|
FTD Cluster: Incorrect log when snort engine restart times out |
|
|
FTD: SGT Inline tag stripped from SIP packets |
|
|
FP4100/9300 Fatal error: Incomplete chain observed before watchdogs with reset code 0x0040 |
|
|
LINA stays inactive without reloading after traceback on non-CP thread |
|
|
Users with "Modify Threat Configuration" permission are not able to modify Intrusion/File Policies within the Access Control Policy (ACP) rules |
|
|
Unified Event Viewer does not work with certain filters |
|
|
Secondary Address should only be configurable for FMC-managed FTDs when using data interfaces for management |
|
|
Unable to Edit or Break FTD-HA via FMC GUI because of UI lock issues during create |
|
|
The total disk keep on increasing on the disk status wizard on the Health Monitor page. |
|
|
FTD MI: SNMP polling fails to work after upgrade |
|
|
Excessive number of AD users in FTD External Authentication could lead to deployment failure when disabled. |
|
|
Error Encountered While Disabling the 'Call-Home Reporting Anonymous' Option in Call-Home Configuration |
|
|
Devices show offline due to "Appliance unreachable" due to HMS deadlock inserting to DB |
|
|
FTD Intermittent Syslog Alert: mcelog daemon is not running. Restarting the daemon. |
|
|
ASA/FTD traceback and reload in function mp_percore |
|
|
FPR failover split brain when upgrade primary/standby device's FXOS version |
|
|
Snort2 crashes in loop after FMC upgrade |
|
|
Subsequent DNS packets are dropped in a single flow if one domain hits the custom DNS SI block list |
|
|
ASA traceback and reload |
|
|
high CPU usage after ASA upgrade from 9.20.3.9 to 9.20.3.16 running on Hyper-V |
|
|
SFF_SFP_10G_25G_CSR_S V03 modules from Finisar ports bouncing when connected. |
|
|
FMC Restore of remote Unified backup fails due to no space left on the device |
|
|
Error 500: Internal Server Error in FMC when generating report for global domain intrusion policy used in child domain ACP |
|
|
ASA: tls-proxy maximum-session command error |
|
|
SSL error causing connection to Cisco Smart Software Manager (CSSM) to terminate |
|
|
ASA/FTD: the ssl trust-point command deleted after a reload |
|
|
User Creation Fails with RADIUS Dynamic Provisioning Enabled on Firepower device. |
|
|
FMC GUI Inaccessibility and blank due to 'Malformed JSON String' Exception |
|
|
Deployment is mandatory after FMC upgrade condition should be included in Upgrade code |
|
|
FMC UI breaks when configuring Client-side interface settings for DHCP Relay |
|
|
Collecting "show tech-support fprm" results into core for tar itself |
|
|
No log file present for troubleshoot generation, if there is any issue with TS generation |
|
|
Wrong URL incorrectly displayed for file upload with Japanese text in file path for client-less VPN |
|
|
Tmatch memory is mostly consumed by ARP-DP. |
|
|
The Firepower bandwidth_analyzer.pl script does not perform proper input validation for the '--size' option |
|
|
Unable to change few IPS rule actions after upgrading from snort2 to snort3 |
|
|
FMC Audit tcp-tls syslog is truncated or incorrectly formatted |
|
|
Negative value displayed for buffer drops when using " show cluster info load-monitor details" |
|
|
Tunnel Status shows "No Active Data" when spoke behind NAT on S2S Monitoring UI |
|
|
ASA crashinfo files not generated on FP4200 devices |
|
|
Syslog format is not properly printed when EMBLEM format is enabled at least in one syslog host |
|
|
ADI cores reading corrupt SXP file |
|
|
FP9300/4100 may traceback & reload due to a "Kernel Panic" |
|
|
Multiple mail drops and enq failures are seen while traffic is going through the box. |
|
|
depoyment failure reason and transcript to be updated on FMC |
|
|
Policy deploy failing on FTD when trying to remove Umbrella DNS Configuration |
|
|
wpk - 1gsx link remains up on wpk but on switch side it shows as not connected |
|
|
Error while downloading lsp from support site because VaultApp could not unseal Vault on FMC |
|
|
FDM stuck deployment task in Queued state |
|
|
An ICMP not reachable storm might cause high CPU on a two units FTD cluster |
|
|
Secure firewall posture image is not available in the ASA device backup when generated from ASDM |
|
|
CPU usage by "WebVPN Timer Process" on standby ASA device |
|
|
cdFMC returns 403 forbidden error while configuring webhook alerts |
|
|
FMC deployment hungs and fail due to "NGFW_UPGRADE is missing in map" |
|
|
Case differences in SAML SSO usernames cause login loop |
|
|
FMC reporting IPv6 non overlapped host object-group as fully overlapped object-group |
|
|
Deploy failure when Indexing is not working |
|
|
Error : Msglyr::ZMQWrapper::registerSender() : Failed to bind ZeroMQ Socket |
|
|
Deployment failure when selecting ECMP zone member interface in ZTNA policy |
|
|
SAML IdP entityID increase from capped 128 character maximum |
|
|
dmesg and kern.log file flooded with Tx Queue=0 logs |
|
|
IKEv2-EAP Authentication Fails with Windows and MacOS Native VPN Clients |
|
|
Clarify the working of Fallthrough to Interface PAT (Destination Interface) as it is not working as expected |
|
|
The estreamer debug command is not producing the expected output |
|
|
"CSRF Token Mismatch" error seen when users click logout from Clientless VPN page |
|
|
Internal error is seen when editing the rule with IPV6 contents |
|
|
The chassis serial number is empty post registration in FMC |
|
|
If a user_ip_map.snapshot exists with an low timestamp value, snapshots are created frequently |
|
|
Traffic drops post deployment when secondary skips app sync and become active immediately after bootstrap config apply |
|
|
ASA Memory leak while processing large CRLs. |
|
|
LDAP users in ACP always show realm out of sync. |
|
|
Capture the reason of reboot in FTD logs |
|
|
FTD Active Authentication hostname value not included in cp_redirect_params.conf file |
|
|
ASA Core file generated is corrupted |
|
|
ASA Clock reverts to UTC after device reload |
|
|
ASA/FTD: ASP drop capture for 'invalid-ip-length' or 'sp-security-failed' does not work with match criteria |
|
|
Customer DU CONSULT, NPS 6 - ACP search toggle for exact IP or Port match |
|
|
Memory leak in SSL crypto causing high Lina memory usage on lower-end devices running FTD 7.7.0 |
|
|
HA state should not transition from ColdStandby to Active |
|
|
FMC Auto Deployment Task fails to run repeatedly |
|
|
URL filtering download failure - talosAgent keeps exiting on FMC |
|
|
Cluster: Multi-blade chassis not transmitting broadcast traffic outbound to specific vlan |
|
|
SSL - Issues with DND a particular site after FTD upgrade on Chrome and Edge post upgrade |
|
|
TCP RST Packets Fail to Match Configured Geolocation-Based Rules |
|
|
Data Node Deregisters from With No Clear Error Message on vFMC in AWS When Deploying Stack Using Private IP's |
|
|
FP1140 Critical FXOS fault alerts (F1000413) after upgrade |
|
|
Prolonged delays in firewall restart/reboot completion |
|
|
Restoring .tgz context file causes allocated interfaces to be removed from 'system' configuration |
|
|
High disk usage due to snort-unified.log |
|
|
FTD - SNMP Walk of FXOS FTD OID Tree Returns Empty or Times Out |
|
|
SFDataCorrelator_user_id_mismatch.log overconsumption of disk |
|
|
Adding interface taking more than 30 sec with loading security zones |
|
|
FMC Dynamic Objects Limited to 1000 |
|
|
LINA traceback Observed on FTDv Firewalls Deployed in Azure: snp_vxlan_encap_and_send_to_remote_peer |
|
|
Threat/AMP Upgrade tasks are being created soon after HF installation completed |
|
|
WA: Traceback and reload due to lock contention on the tmatch table during deployment with large snmp config |
|
|
Missing Security Zones in zones.conf Affecting ngfw.rules Functionality |
|
|
If failover IPSEC PSK is 78 characters or greater HA breaks with "Could not set failover ipsec pre-shared-key" |
|
|
Inventory details on FMC GUI shows the incorrect compliance mode |
|
|
Files missing from FTD troubleshoot file |
|
|
FPR42xx - SNMP poll reports incorrect FanTray Status at Down while actually operational |
|
|
FMC dashboard dynamic analysis over time is shown as "No Data" |
|
|
Stop generating health alerts for transient high CPU utilization |
|
|
Issue with interface status visibility in Firepower Chassis Manager 4225 managed by FMC |
|
|
Memory Leak observed on FP2110 running ASA due to monitoring interface configured in HA |
|
|
FP3105 Traceback and Reload after changing the speed on Ethernet interface |
|
|
Snort may drop SCTP packets and block SCTP connections |
|
|
Schema Validation Error Encountered While Editing AnyConnect/Secure Client Profiles |
|
|
The syslog server called fluentbit can't recognize the fox syslog format and print it |
|
|
3100/4200: 1G Management interface flapping after upgrade |
|
|
CA Certificate Generation Issue Post restoring the Sanitised FMC Backup |
|
|
Audit Logs Display Repeated Session Expiration Entries Even When the System is Idle |
|
|
RAVPN Geolocation: Deployment failing by enabling all or specific countries in service access object |
|
|
Traceback and Reload while two processes attempt to free a TD subnet structure |
|
|
Misleading "failover reset" log printed on console when reload triggered by HA. |
|
|
management-data-interface commands fail with "Enable of interface failed" error due to case-sensitive interface name |
|
|
3RU MI instances offline after baseline/creation |
|
|
FTD: Injected/Trimmed packets dropped by LINA due to invalid-ip-length |
|
|
FDM Intrusion Events Not Displayed When Browser Language Is Set to Japanese |
|
|
VPN lost during a rekey with 'IKEv2 negotiation aborted due to ERROR: Platform errors' |
|
|
Security module reboot triggered by a CIMC reset. |
|
|
Policy Deployment tasks should not be stuck indefinitely |
|
|
ASA: Traceback and reload on threat detection, interfaces unstable after that |
|
|
Deployment fails deployment with "Deployment failed due to failure in retrieving running configuration information from device." |
|
|
Duplicate messages during deployment to be discarded by CD to avoid further deployment failures |
|
|
Flash Device error: Azure FMC |
|
|
Snort3 blocking ESMTP traffic intermittently and trigger IPS signatures: 124:1:2 |
|
|
ASA/FTD - Assert triggered during FP_PUNT replace (aaa account match) |
|
|
Traceback and reload after editing SNMP config, with tmatch |
|
|
Local FTD backups are failing due to a lack of disk space on /tmp. |
|
|
Long running AQ task got killed after timeout on FMC but corresponding backup task on FTD is still running |
|
|
Backup Timeout is not sufficient when FTD backups are huge and low bandwidth |
|
|
FTD backups sizes are huge like close to GB and above |
|
|
Firepower 9300 - DNM-2X100G Interfaces not passing traffic post upgrade to FXOS 2.17.0.518 |
|
|
FP3100/4200 rebooting after generating crypto_archive with error on console "KC ILK issue detected" |
|
|
Post FTD HA device deletion, RAVPN VPN references were still present causing deploy failures for existing ones |
|
|
OSPF: Lina Traceback and Reload on Both Units in High Availability Setup. |
|
|
Secondary FMC-HA Peer Exclusion list not taking effect for Network Discovery |
|
|
Rule action 'Disabled' of rule 1:23858 in Secure Firewall Management Center does not align with snort.lua in Firepower |
|
|
Need to remove compatibility popup added by CSCut04399 on ASDM |
|
|
Dynamic Attributes Connector Status shows One or more services are unhealthy |
|
|
Idle SSH sessions persist beyond the configured timeout without graceful termination by Fin flag |
|
|
Intrusion Event Packet Data via syslog/estreamer show no packet data for large packets |
|
|
update the health alert to specify invalid proxy characters |
|
|
ASA SNMP Response Issue - Responses Sent Only for Odd OIDs, Not for Even |
|
|
debug menu tls-offload option <> to be provided to resolve slow download speed using curl to download large file with SSL Decrypt Resign Policy |
|
|
Lina Traceback and Reload after enabling 'TLS Server Identity Discovery' |
|
|
Unable to use the plus sign in the email-id for the identity when configuring an S2S VPN |
|
|
Deployment failure soon after forming FTD HA |
|
|
FTD: Packets Dropped due to tcp-seq-past-win due to delayed packet through Snort |
|
|
ASAv deploy failed - console stuck at continuous |
|
|
Multiple System Configurations Missing from FMC GUI Post-Upgrade |
|
|
ASA/FTD in HA, snmptranslate process during the boot-up causing High CPU and IPC timeouts, causing split-brain. |
|
|
FTD packer-tracer showing remark rule id in access-list for a rule not getting hit |
|
|
FTD Traceback while executing 'asp load-balance per-packet' |
|
|
SSH login to FTD management IP address lands in FXOS shell instead of FTD CLISH due to missing /mnt/boot/application/*.def file |
|
|
Multicast and unicast packets do not reach the correct instance for random subinterfaces |
|
|
FTD 3130 HA Lina tracebacks at ikev2_bin2hex_str |
|
|
FMC Upgrade stalls Indefinitely at 999_update_onpremfmc_diskcache.sh |
|
|
FMC 7.6 NAT Source and IP Not Populating within Unified Event Viewer |
|
|
7.6 - Firepower 3100 series - Upgrading an HA pair from a version without the fix for CSCwo00444 to 7.6 causes one firewall to go into a traceback/reload loop |
|
|
Unable to edit Dynamic Analysis Connection cloud settings when FMC cannot connect to the US cloud |
|
|
FMC uses old DNS server for resolution despite correct configuration |
|
|
FTD is not sending a reset packet when the incoming traffic hits "block with reset" rule |
|
|
FTD upgrade failed due to bundle image existence verification failure |
|
|
FMC does not allow to use IP address with 0 value in last octet as gateway while configuring static route for a device. Error: Enter valid IPv4 host value |
|
|
FTD does not generate any events for the Platform Faults health module if no platform faults are present |
|
|
FPR 4200: HA link arp packets getting dropped, internal uplink linkChange counters incrementing |
|
|
FMC ACP Top User Deleted When Deleting Users With Legacy UI |
|
|
Password Expiry Age does not reset after Password Change |
|
|
ASDM: Using the Secure Client VPN Wizard results in an incomplete configuration |
|
|
show asp rule-engine issues with complete and run time |
|
|
non-SSL traffic wrongly classified as SSLv2 causing drops with TSID enabled |
|
|
SNMP traps are not sent to one of multiple SNMP servers, in certain conditions |
|
|
FMC - Deployment Fails with "Deployment failed due to timeout during configuration generation" |
|
|
ASA : Performance and high CPU usage seen on Hyper-V |
|
|
IKEv1 L2Lvpn fails in phase 2 with "Rejecting IPsec tunnel: no matching crypto map entry" after upgrade |
|
|
ASDM fails to connect via ipv6 due to https hostname wrong error |
|
|
FTD: Instance stuck in Boot Loop |
|
|
IPv6 function is stalled, link-local address marked [DUPLICATE] and IPv6 traffic stopped after failover due to split-brain |
|
|
502 Proxy Error when regenerating certificate in ISE Quick Configuration tab |
|
|
Clustering : SNMP traffic drop due to cluster redirect offload |
|
|
SRU Upgrade Fails Due to Leaked Activity IDs from ClusterPostUpgradeHandler |
|
|
Remote Access Monitoring doesn't show client IP correctly. |
|
|
Send Email when complete emails not working with advanced deployment |
|
|
Intermittent Blank Screen When Loading Access Control Policy in New UI |
|
|
tunnel protection ipsec policy feature not working on backup VTI tunnel |
|
|
Possible unregistration when deploying during HA Switchover |
|
|
FTD MI: SNMP polling fails to work after the upgrade |
|
|
Not probing for http Opportunistic TLS |
|
|
Packet Captures show misleading information when blocked due to TCP server unavailable. |
|
|
FP4225: Interface with SFP - 10/25G_LR_S (or CSR_S) is not coming up after reboot of peer side. |
|
|
Number of sessions in cache for Tomcat are set incorrectly |
|
|
FMC UI displays upgrade failure despite successful firewall upgrade |
|
|
ASDM Parsing Failure on Two Contexts |
|
|
WA MI: Two apps went to Not Responding state with reason: Error in App Instance ftd. sma reported fault: Instance xxx is disabled due to restart loop. Please consider reinstalling this app-instance. |
|
|
ASA client IP missing from TACACS+ authorization request in SSH |
|
|
Http inspector support for OPPORTUNISTIC_TLS |
|
|
Reboots on FP2130 due to missing heimdall PID |
|
|
Unable to upload Secure Firewall Posture image file with a size over 200MB |
|
|
"no http server basic-auth-client ASDM" allows ASDM connections to ASA. |
|
|
Remove Object Overlaps can remove unrelated objects |
|
|
DNS-GUARD is not capable to be de-activated on FTD Devices |
|
|
MonetDB may fail to start on FMC if maximum parallel/concurrent logins per CLI user is set to 1 |
|
|
Interfaces are coming up when the Firepower is shutting down |
|
|
FlexConfig migration may cause sudden logout from FMC GUI session |
|
|
Policy deployment fails when inline-set is configured on FTD HA |
|
|
'Access token invalid' is prompted, if a stress test is made on the ACP |
|
|
Low RAM allocation on ASAv can trigger unexpected behavior in 'asdm image' command |
|
|
Flexconfig policy deletion left the stale references |
|
|
cdFMC: All Device Deploy Validations were failing post deletion of Flexconfig for one device |
|
|
Cannot delete interface objects with names over 30 characters. |
|
|
FPR4215 "Not supported" alarm occurred, when insert the SFPs |
|
|
FDM: UI gets stuck on upgrade progress at 9% when upgrade fails attempting to install an already installed hotfix |
|
|
Traceback in HA stby node while snmpwalk on natAddrMapTable |
|
|
FMC does not accept underscore characters for remote storage hostname settings |
|
|
ASA/FTD: Traceback in thread name CP Processing due to DCERPC inspection |
|
|
Database synchronization should auto-resume post network/checksum issues |
|
|
EventHandler wastes CPU re-scanning files that contain no requested events |
|
|
Connection blocking active although "logging permit-hostdown' is set |
|
|
Summary Dashboard widgets do not wrap or truncate text properly |
|
|
Timeout values not honored after "sftunnel_change_max_conn_check.pl" changes |
|
|
Sftunnel TLS13 connection goes down after upgrade when two interfaces configured with same IP on FMC GUI |
|
|
Standby FMC Fails to Sync ids_event_class_map Table, Resulting in Misclassified Intrusion Events |
|
|
Both the units in HA changed the encryption algorithm simultaneously |
|
|
FMC API is reporting Windows for all AnyConnect images while querying RA VPN policies |
|
|
add context for cmd-invalid-encap asp-drop type in the "show asp drop" command usage |
|
|
Block 80 depletion ssl_decrypt_cb |
|
|
4200 interface image in FMC does not match interface order in device |
|
|
FPR HA ESP sequence number discrepancy when standby changes to Active resulting in Anti-replay drops |
|
|
Use of FMC GUI features via user role escalation may cause user to lose all permissions during GUI session |
|
|
FTD port status not reflecting properly on FMC. |
|
|
Intermittent deployment stuck "in progress" for few devices |
|
|
Deployment changed performance profile, unable to retrieve running configuration |
|
|
Traceback seen while FQDN list expands more than 200 entries for a resolved ip |
|
|
Device doesn't boot and gets stuck after a successful upgrade |
|
|
SRU-triggered policy deployments occurred following initial/standby FMC during FMC HA & standalone upgrades |
|
|
Slow UI and inability to check disk usage on FMC due to NFS configuration |
|
|
File policy stops working due to SMB tcp conn terminated after 1hr for unknown reason despite not idle |
|
|
Anyconnect users incorrectly get the prompts, based on the previous tunnel-group |
|
|
ASA: Traceback and reload after saving asdm image |
|
|
Show crypto accelerator shows max crypto throughput is 6 Gbps For 3K & 225Mbps for FTDv |
|
|
Empty Dynamic Attribute IP mappings pushed to FTD from FMC Secondary Unit |
|
|
Deleting a domain using domain_manager --deleteDomain <domain_uuid> on FMC CLI brings down the estreamer service |
|
|
Secure Client SAML - External Browser May Prompt for a Certificate when using IKEv2-IPsec and Certificate Mapping |
|
|
FTD may generate a large number of "ssl-certs-unified" files. |
|
|
ndclient stops monitoring snort during deployment causing outage |
|
|
TLS audit syslog configuration and certificates not replicating to secondary FMC in HA deployment |
|
|
Continuous logs_archive.asa-interface-idb.log getting generated on ASA |
|
|
FMC GUI slow time to load web pages post upgrade to 7.6.x |
|
|
FMC may not complete Cisco Security Cloud integration when using on-prem Smart Software Manager for smart licensing |
|
|
FTD HA Upgrade Failed on Secondary Unit Due to HA Being in a Failed State From FMC's Perspective |
|
|
ASA/FTD may traceback and reload citing Thread Name 'lina' as the faulting thread. |
|
|
Dynamic Offloaded Flows Interrupted midstream |
|
|
FMC is returning status code 400s of GET request for Get Device Data |
|
|
Disabled certificate is easily accessible and the sanitisation alone is not fool-proof |
|
|
cdFMC 7.7 Fails to Display Health Data for specific FTD's |
|
|
Intermittent drop of self-originated ICMP TTL exceeded messages with reason "Unable to obtain connection lock (connection-lock)" |
|
|
FMC/FTD: Policy Deployment failure after disabling NVE Interface config in VTEP Tab of FTD Cluster |
|
|
FTD Policy deployment reported as failed incorrectly on FMC when communications disrupted |
|
|
Lina traceback due to the incorrect option being received in the packet. |
|
|
Secure client tunnel group authentication is affected when using SDI protocol |
|
|
Interlaken (ILK) link between the Nitrox and KC2 failure, causing traffic backpressure / traffic outage |
|
|
Device upgrade using direct downloads from support site doesn't work correctly when FMC is behind a proxy |
|
|
ASA/FTD: Wrong value shown for X509_STORE_CTX in 'show ssl objects' |
|
|
S2S VPN status shows Unknown for Extranet direction while managed direction shows Active (bidirectional tunnel status not synchronized) |
|
|
RTSP Flows are dropped with drop reason "First TCP packet not SYN" |
|
|
GUI: File upload shows generic 'Invalid file size' instead of actionable message with actual and maximum allowed sizes |
|
|
ASA/FTD - Traceback and Reload in Threadname DATAPATH |
|
|
Rate limit conn-limit SNMP traps |
|
|
Upgrade failure on FMC on GCP 000_start/112_CF_check.sh |
|
|
ASAv on Hyper-v encountering boot loop issues when running netvsc driver |
|
|
Detection engine Folder is huge in size for FTD backups |
|
|
ASA traceback and reload due to memory corruption in IPsec SA pointers |
|
|
GeoDB content is not restored when restoring a backup to a freshly deployed FMC |
|
|
High network latency observed on ASAv |
|
|
Unable to upload VPN client profile package under Objects > Object Management > VPN > Secure client File to FMC while logged in via External User. |
|
|
Device goes into bootloop due to missing librte_mbuf.so.22 and librte_ring.so.22 |
|
|
Enhance UI error messages to inform users that deployment is not allowed due to version mismatch. |
|
|
Add validation on FMC UI to prevent admin to configure more than allowed IKE policies - Regression CSCwf10137 |
|
|
ASA/FTD traceback and reload in Lina |
|
|
Few Chassis devices are not visible to assign the policies |
|
|
Deployment failure due to unrecognized command "vpn-simultaneous-logins none" |
|
|
ASA/FTD Traceback and reload in L2 table creation failure |
|
|
FTD silently drops out of order packets |
|
|
removing all usages of a DHCP IPv6 pool object from FTD interface config does not delete the object from FTD |
|
|
ASA may traceback during manual failover |
Open issues
This table lists the open issues in this specific software release.
Table last updated: 2025-12-03
|
ID |
Headline |
|---|---|
|
10.0: 1240/1250 VPN IKEv2 TCP 450B w/ AVC degraded ~4-5% |
|
|
FTD Performance down -8% on 1200 (Snort side) and 1010/ISA3k |
|
|
Move SQLite databases under /var/sf/sqlite folder to the high endurance partition of FTDs |
|
|
FMC UI not accessible for few min due to MySQLUtil [ERROR] UpdateTable: MySQL error 2002 |
|
|
Secure Firewall 200 not available after backup/restore when using an access control rule with URL categories |
|
|
Policy not marked out of date after a vdb upgrade as part of FMC upgrade |
Compatibility
Before you upgrade or reimage, make sure the target version is compatible with your deployment. If you cannot upgrade or reimage due to incompatibility, contact your Cisco representative or partner for refresh information.
For compatibility information, see:
Upgrade and downgrade
Choosing your upgrade target
Go directly to the latest Version 10 release possible to minimize upgrade and other impact.
Features, enhancements, and critical fixes can skip "future" releases that are ahead by version, but not by release date. For example, if you are up-to-date within major Version A, upgrading to dot-zero Version B can deprecate features and fixes.
If you cannot go to the latest release, at least make sure your current version was released on a date before your target version. In the following table, confirm your current version is listed next to your target version. If it is not, choose a later target.
|
Target version |
Current version: confirm yours is listed. |
|||||
|---|---|---|---|---|---|---|
|
from 7.3 |
from 7.4 |
from 7.6 |
from 7.7 |
from 10.0 |
||
|
to 10.0.0 |
2025-12-03 |
7.3.0–7.3.1 |
7.4.0–7.4.3 |
7.6.0–7.6.3 |
7.7.11 |
— |
Upgrading from a patched deployment
Critical fixes in patches/vulnerability (fourth-digit) releases can also skip future releases. If you depend on these critical fixes, verify that your target version contains them. For a full list of release dates, see Cisco Secure Firewall Device Manager New Features by Release.
Supported upgrades and downgrades
This section summarizes upgrade and downgrade capability. For help with:
-
Choosing an upgrade target, see Choosing your upgrade target.
-
Upgrade and downgrade procedures, including general guidelines, best practices, and troubleshooting, see the upgrade guide for the version you are currently running: https://www.cisco.com/go/ftd-upgrade.
-
Any upgrade or downgrade issues for this specific release, see Open issues and Known issues with upgrade.
Supported upgrades
This table shows the supported direct upgrades for Firewall Threat Defense software.
Note |
You can upgrade directly to any major (first and second-digit) or maintenance (third digit) release. Patches change the fourth digit only. You cannot upgrade directly to a patch from a previous major or maintenance release. |
|
Current version |
Target software version |
|||||||
|---|---|---|---|---|---|---|---|---|
|
to 10.0 |
7.7 |
7.6 |
7.4 * |
7.3 |
7.2 |
7.1 |
7.0 |
|
|
from 10.0 |
YES |
— |
— |
— |
— |
— |
— |
— |
|
from 7.7 |
YES |
YES |
— |
— |
— |
— |
— |
— |
|
from 7.6 |
YES |
YES |
YES |
— |
— |
— |
— |
— |
|
from 7.4 |
YES |
YES |
YES |
YES |
— |
— |
— |
— |
|
from 7.3 |
YES |
YES |
YES |
YES |
YES |
— |
— |
— |
|
from 7.2 |
— |
YES |
YES |
YES |
YES |
YES |
— |
— |
|
from 7.1 |
— |
— |
YES |
YES |
YES |
YES |
YES |
— |
|
from 7.0 |
— |
— |
— |
YES |
YES |
YES |
YES |
YES |
|
from 6.4 |
— |
— |
— |
— |
— |
— |
— |
YES |
* You cannot upgrade Firewall Threat Defense to Version 7.4.0, which is available as a fresh install on the Secure Firewall 4200 only, and is not supported with Firewall Device Manager. Upgrade to a later release.
For the Firepower 4100/9300, this table lists companion FXOS versions. If a chassis upgrade is required, Firewall Threat Defense upgrade is blocked. In most cases we recommend the latest build in each version; for minimum builds see the Cisco Secure Firewall Threat Defense Compatibility Guide.
|
Target Firewall Threat Defense version |
Minimum FXOS version |
|---|---|
|
10.x |
2.18.0 |
|
7.7 |
2.17.0 |
|
7.6 |
2.16.0 |
|
7.4.1–7.4.x |
2.14.1 |
|
7.4.0 |
— |
|
7.3 |
2.13.0 |
|
7.2 |
2.12.0 |
|
7.1 |
2.11.1 |
|
7.0 |
2.10.1 |
|
6.7 |
2.9.1 |
|
6.6 |
2.8.1 |
|
6.4 |
2.6.1 |
Supported downgrades
If an upgrade succeeds but the system does not function to your expectations, you may be able to revert. For general information, particularly on common scenarios where returning to a previous version is not supported or recommended, see the upgrade guide: https://cisco.com/go/ftd-upgrade.
Known issues with upgrade
This section lists upgrade limitations and feature impact for this release. For general guidelines and best practices, see the Cisco Secure Firewall Threat Defense Upgrade Guide for Device Manager.
Known issues with upgrade
This table lists upgrade limitations for this release.
|
Current version |
Issue |
Details |
|---|---|---|
|
7.7 or earlier |
Revert prohibited: Firewall Threat Defense Virtual Version 10+ to earlier versions. |
Security enhancements to the startup framework (bootloader firmware) mean that you cannot revert Firewall Threat Defense Virtual upgrades from Version 10+ to earlier versions. After upgrade, we also recommend you migrate configurations to freshly deployed Version 10+ instances and decommission the old ones. |
Features with upgrade impact
A feature has upgrade impact if upgrading and deploying can cause the system to process traffic or otherwise act differently without any other action on your part. This is especially common with new threat detection and application identification capabilities. A feature can also have upgrade impact if upgrading requires that you take action before or after upgrade to avoid an undesirable outcome; for example, if you must change a configuration.In the following table, check all releases between your current and target version.
Important |
Minimize upgrade and other impact by going directly to the latest maintenance release in your chosen version. See Choosing your upgrade target. |
|
Target version |
Features |
|---|---|
| 10.0.0+ |
|
|
|
|
|
|
Feedback