Cisco Secure Firewall Threat Defense Release Notes
This document contains release information for:
- Cisco Secure Firewall Threat Defense
- Cisco Secure Firewall Management Center (on-prem)
- Cisco Secure Firewall device manager
For cloud deployments, see the Cisco Cloud-Delivered Firewall Management Center Release Notes or What's New for Cisco Defense Orchestrator.
Release Dates
| Version | Build | Date | Platforms |
|---|---|---|---|
| 7.2.9 | 44 | 2024-10-22 | All |
| 7.2.8.1 | 17 | 2024-08-26 | All |
| 7.2.8 | 25 | 2024-06-24 | All |
| 7.2.7 | 500 | 2024-04-29 | All |
| 7.2.6 | 168 | 2024-04-22 | No longer available. |
| 7.2.6 | 167 | 2024-03-19 | No longer available. |
| 7.2.5.2 | 4 | 2024-05-06 | All |
| 7.2.5.1 | 29 | 2023-11-14 | All |
| 7.2.5 | 208 | 2023-07-27 | All |
| 7.2.4.1 | 43 | 2023-07-27 | All |
| 7.2.4 | 169 | 2023-05-10 | Management center |
| 7.2.4 | 165 | 2023-05-03 | Devices |
| 7.2.3.1 | 13 | 2023-04-18 | Management center |
| 7.2.3 | 77 | 2023-02-27 | All |
| 7.2.2 | 54 | 2022-11-29 | All |
| 7.2.1 | 40 | 2022-10-03 | All |
| 7.2.0.1 | 12 | 2022-08-10 | All |
| 7.2.0 | 82 | 2022-06-06 | All |
Compatibility
Before you upgrade or reimage, make sure the target version is compatible with your deployment. If you cannot upgrade or reimage due to incompatibility, contact your Cisco representative or partner contact for refresh information.
For compatibility information, see:
Features
For features in earlier releases, see Cisco Secure Firewall Management Center New Features by Release and Cisco Secure Firewall Device Manager New Features by Release.
Note: Patches are largely limited to urgent bug fixes (see Bugs). If a patch does include a feature or behavior change, it is described in the section for the "parent" release.
Upgrade Impact
A feature has upgrade impact if upgrading and deploying can cause the system to process traffic or otherwise act differently without any other action on your part. This is especially common with new threat detection and application identification capabilities. A feature can also have upgrade impact if upgrading requires that you take action before or after upgrade to avoid an undesirable outcome; for example, if you must change a configuration. Having to enable a new setting or deploy a policy post-upgrade to take advantage of a new feature does not count as upgrade impact.
The feature descriptions below include upgrade impact where appropriate. For a more complete list of features with upgrade impact by version, see Upgrade Impact Features.
Snort 3
Snort 3 is the default inspection engine for threat defense.
Snort 3 features for management center deployments also apply to device manager, even if they are not listed as new device manager features. However, keep in mind that the management center may offer more configurable options than device manager.
Important: If you are still using the Snort 2 inspection engine, switch to Snort 3 now for improved detection and performance. Snort 2 will be deprecated in a future release and will eventually prevent threat defense upgrade.
Intrusion Rules and Keywords
Upgrades can import and auto-enable new and updated intrusion rules and preprocessor rules, modified states for existing rules, and modified default intrusion policy settings. If a newer intrusion rule uses keywords that are not supported in your current version, that rule is not imported when you update the SRU/LSP. After you upgrade and those keywords become supported, the new intrusion rules are imported and, depending on your IPS configuration, can become auto-enabled and thus start generating events and affecting traffic flow.
For details on new keywords, see the Snort release notes: https://www.snort.org/downloads.
FlexConfig
Upgrades can add web interface or Smart CLI support for features that previously required FlexConfig. The upgrade does not convert FlexConfigs. After upgrade, configure the newly supported features in the web interface or Smart CLI. When you are satisfied with the new configuration, delete the deprecated FlexConfigs.
The feature descriptions below include information on deprecated FlexConfigs when appropriate. For a full list of deprecated FlexConfigs, see your configuration guide.
Caution: Although you cannot newly assign or create FlexConfig objects using deprecated commands, in most cases existing FlexConfigs continue to work and you can still deploy. However, sometimes, using deprecated commands can cause deployment issues.
REST API
For information on what's new in the REST API, see the Secure Firewall Management Center REST API Quick Start Guide or the Cisco Secure Firewall Threat Defense REST API Guide.
Cisco Success Network Telemetry
Cisco Success Network sends usage information and statistics to Cisco, which are essential to provide you with technical support. For information on what's new with telemetry, see Cisco Success Network Telemetry Data Collected from Cisco Secure Firewall Management Center.
Language Preferences
If you are using the web interface in a language other than English, features introduced in maintenance releases and patches may not be translated until the next major release.
Management Center Features in Version 7.2.9
| Feature | Minimum FMC | Minimum FTD | Details |
|---|---|---|---|
| Administration | | | |
| Cisco Security Cloud regions: India and Australia. | 7.2.9, 7.6.0 | 7.2.9, 7.6.0 | Cisco Security Cloud integration now supports the India and Australia regional clouds. New/modified screens: Version restrictions: Not supported with Version 7.2.0–7.2.8, 7.3.x, or 7.4.0–7.4.2. |
Management Center Features in Version 7.2.8
| Feature | Minimum Management Center | Minimum Threat Defense | Details |
|---|---|---|---|
| Platform | | | |
| Threat defense virtual for Megaport. | 7.2.8 | 7.2.8 | We introduced threat defense virtual for Megaport (Megaport Virtual Edge). High availability is supported; clustering is not. Version restrictions: Initially, you may not be able to freshly deploy Versions 7.3.x or 7.4.x. Instead, deploy Version 7.2.8–7.2.x and upgrade. See: Cisco Secure Firewall Threat Defense Virtual Getting Started Guide |
Management Center Features in Version 7.2.7
Management Center Features in Version 7.2.6
Due to CSCwi63113, Version 7.2.6 was deferred on 2024-04-29 and is no longer available for download. If you downloaded it, do not use it. If you are running this version, upgrade. The features listed here are also available in Version 7.2.7.
| Feature | Minimum Management Center | Minimum Threat Defense | Details |
|---|---|---|---|
| Reintroduced Features | | | |
| Reintroduced features. | 7.2.6 | Feature dependent | Version 7.2.6 reintroduces the following features, enhancements, and critical fixes: |
| Interfaces | | | |
| Configure DHCP relay trusted interfaces from the management center web interface. | 7.2.6, 7.4.1 | Any | Upgrade impact. Redo any related FlexConfigs after upgrade. You can now use the management center web interface to configure interfaces as trusted interfaces to preserve DHCP Option 82. If you do this, these settings override any existing FlexConfigs, although you should remove them. DHCP Option 82 is used by downstream switches and routers for DHCP snooping and IP Source Guard. Normally, if the threat defense DHCP relay agent receives a DHCP packet with Option 82 already set, but the giaddr field (which specifies the DHCP relay agent address, set by the relay agent before it forwards the packet to the server) is set to 0, threat defense drops that packet by default. You can preserve Option 82 and forward the packet by identifying an interface as a trusted interface. New/modified screens: Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0. If you upgrade to an unsupported version, redo your FlexConfigs. |
| NAT | | | |
| Create network groups while editing NAT rules. | 7.2.6, 7.4.1 | Any | You can now create network groups in addition to network objects while editing a NAT rule. Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0. |
| High Availability/Scalability: Threat Defense | | | |
| Reduced "false failovers" for threat defense high availability. | 7.2.6, 7.4.0 | 7.2.6, 7.4.0 | Other version restrictions: Not supported with management center or threat defense Version 7.3.x. |
| High Availability: Management Center | | | |
| Single backup file for high availability management centers. | 7.2.6, 7.4.1 | Any | When performing a configuration-only backup of the active management center in a high availability pair, the system now creates a single backup file that you can use to restore either unit. Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0. See: Unified Backup of Management Centers in High Availability |
| Event Logging and Analysis | | | |
| Open the packet tracer from the unified event viewer. | 7.2.6, 7.4.1 | Any | You can now open the packet tracer from the unified event viewer. Click the ellipsis icon (...) next to the desired event and click Open in Packet Tracer. Other version restrictions: In Version 7.2.x, use the Expand icon (>) instead of the ellipsis icon. Not supported with management center Version 7.3.x or 7.4.0. |
| Health Monitoring | | | |
| Health alerts for excessive disk space used by deployment history (rollback) files. | 7.2.6, 7.4.1 | Any | The Disk Usage health module now alerts if deployment history (rollback) files are using excessive disk space on the management center. Deploy the management center health policy after upgrade. Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0. See: Disk Usage for Device Configuration History Files Health Alert |
| Health alerts for NTP sync issues. | 7.2.6, 7.4.1 | Any | A new Time Server Status health module reports issues with NTP synchronization. Deploy the management center health policy after upgrade. Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0. See: Time Synchronization and Health Modules |
| Deployment and Policy Management | | | |
| View and generate reports on configuration changes since your last deployment. | 7.2.6, 7.4.1 | Any | You can generate, view, and download (as a zip file) the following reports on configuration changes since your last deployment: This is especially useful after you upgrade either the management center or threat defense devices, so that you can see the changes made by the upgrade before you deploy. New/modified screens: Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0. |
| Set the number of deployment history files to retain for device rollback. | 7.2.6, 7.4.1 | Any | You can now set the number of deployment history files to retain for device rollback, up to ten (the default). This can help you save disk space on the management center. New/modified screens: Deploy > Deployment History () > Deployment Setting > Configuration Version Setting Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0. |
| Upgrade | | | |
| Improved upgrade starting page and package management. | 7.2.6, 7.4.1 | Any | A new upgrade page makes it easier to choose, download, manage, and apply upgrades to your entire deployment. This includes the management center, threat defense devices, and any older NGIPSv/ASA FirePOWER devices. The page lists all upgrade packages that apply to your current deployment, with suggested releases specially marked. You can easily choose and direct-download packages from Cisco, as well as manually upload and delete packages. Internet access is required to retrieve the list and to direct-download upgrade packages; otherwise, you are limited to manual management. Patches are not listed unless you have at least one appliance at the appropriate maintenance release (or you manually uploaded the patch). You must manually upload hotfixes. New/modified screens: Deprecated screens/options: Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0. See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center |
| Enable revert from the threat defense upgrade wizard. | 7.2.6, 7.4.1 | Any, if upgrading to 7.1+ | You can now enable revert from the threat defense upgrade wizard. Other version restrictions: You must be upgrading threat defense to Version 7.1+. Not supported with management center Version 7.3.x or 7.4.0. See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center |
| Select devices to upgrade from the threat defense upgrade wizard. | 7.2.6 | Any | Use the wizard to select devices to upgrade. You can now use the threat defense upgrade wizard to select or refine the devices to upgrade. On the wizard, you can toggle the view between selected devices, remaining upgrade candidates, ineligible devices (with reasons why), devices that need the upgrade package, and so on. Previously, you could only use the Device Management page and the process was much less flexible. See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center |
| View detailed upgrade status from the threat defense upgrade wizard. | 7.2.6, 7.4.1 | Any | The final page of the threat defense upgrade wizard now allows you to monitor upgrade progress. This is in addition to the existing monitoring capability on the Upgrade tab on the Device Management page, and on the Message Center. Note that as long as you have not started a new upgrade flow, returning to the wizard brings you back to this final wizard page, where you can view the detailed status for the current (or most recently completed) device upgrade. Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0. See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center |
| Unattended threat defense upgrades. | 7.2.6 | Any | The threat defense upgrade wizard now supports unattended upgrades, using a new Unattended Mode menu. You just need to select the target version and the devices you want to upgrade, specify a few upgrade options, and step away. You can even log out or close the browser. See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center |
| Simultaneous threat defense upgrade workflows by different users. | 7.2.6 | Any | We now allow simultaneous upgrade workflows by different users, as long as you are upgrading different devices. The system prevents you from upgrading devices already in someone else's workflow. Previously, only one upgrade workflow was allowed at a time across all users. See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center |
| Skip pre-upgrade troubleshoot generation for threat defense devices. | 7.2.6 | Any | You can now skip the automatic generation of troubleshooting files before major and maintenance upgrades by disabling the new Generate troubleshooting files before upgrade begins option. This saves time and disk space. To manually generate troubleshooting files for a threat defense device, choose System (), click the device in the left panel, then View System & Troubleshoot Details, then Generate Troubleshooting Files. See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center |
| Suggested release notifications. | 7.2.6, 7.4.1 | Any | The management center now notifies you when a new suggested release is available. If you don't want to upgrade right now, you can have the system remind you later, or defer reminders until the next suggested release. The new upgrade page also indicates suggested releases. Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0. See: Cisco Secure Firewall Management Center New Features by Release |
| New upgrade wizard for the management center. | 7.2.6, 7.4.1 | Any | A new upgrade starting page and wizard make it easier to perform management center upgrades. After you use System () to get the appropriate upgrade package onto the management center, click Upgrade to begin. Other version restrictions: Only supported for management center upgrades from Version 7.2.6+/7.4.1+. Not supported for upgrades from Version 7.3.x or 7.4.0. See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center |
| Hotfix high availability management centers without pausing synchronization. | 7.2.6, 7.4.1 | Any | Unless otherwise indicated by the hotfix release notes or Cisco TAC, you do not have to pause synchronization to install a hotfix on high availability management centers. Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0. See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center |
| Administration | | | |
| Updated internet access requirements for direct-downloading software upgrades. | 7.2.6, 7.4.1 | Any | Upgrade impact. The system connects to new resources. The management center has changed its direct-download location for software upgrade packages from sourcefire.com to amazonaws.com. Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0. |
| Scheduled tasks download patches and VDB updates only. | 7.2.6, 7.4.1 | Any | Upgrade impact. Scheduled download tasks stop retrieving maintenance releases. The Download Latest Update scheduled task no longer downloads maintenance releases; now it only downloads the latest applicable patches and VDB updates. To direct-download maintenance (and major) releases to the management center, use System (). Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0. |
| Usability, Performance, and Troubleshooting | | | |
| Enable/disable access control object optimization. | 7.2.6, 7.4.1 | Any | You can now enable and disable access control object optimization from the management center web interface. New/modified screens: System () Other version restrictions: Access control object optimization is automatically enabled on all management centers upgraded or reimaged to Versions 7.2.4–7.2.5 and 7.4.0, and automatically disabled on all management centers upgraded or reimaged to Version 7.3.x. It is configurable and enabled by default for management centers reimaged to Version 7.2.6+/7.4.1+, but respects your current setting when you upgrade to those releases. See: Access Control Preferences and. |
| Cluster control link ping tool. | 7.2.6, 7.4.1 | Any | You can check that all the cluster nodes can reach each other over the cluster control link by performing a ping. One major cause for the failure of a node to join the cluster is an incorrect cluster control link configuration; for example, the cluster control link MTU may be set higher than the connecting switch MTUs. New/modified screens: More () > Cluster Live Status > Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0. |
| Snort 3 restarts when it uses too much memory, which can trigger HA failover. | 7.2.6, 7.4.1 | 7.2.6 with Snort 3, 7.4.1 with Snort 3 | To improve continuity of operations, excessive memory use by Snort can now trigger high availability failover. This happens because Snort 3 now restarts if the process uses too much memory. Restarting the Snort process briefly interrupts traffic flow and inspection on the device, and in high availability deployments can trigger failover. (In a standalone deployment, interface configurations determine whether traffic drops or passes without inspection during the interruption.) This feature is enabled by default. You can use the CLI to disable it, or configure the memory threshold. Platform restrictions: Not supported with clustered devices. New/modified CLI commands: configure snort3 memory-monitor, show snort3 memory-monitor-status Other version restrictions: Not supported with management center or threat defense Version 7.3.x or 7.4.0. |
| Set the frequency of Snort 3 core dumps. | 7.2.6, 7.4.1 | 7.2.6 with Snort 3, 7.4.1 with Snort 3 | You can now set the frequency of Snort 3 core dumps. Instead of generating a core dump every time Snort crashes, you can generate one the next time Snort crashes only. Or, generate one if a crash has not occurred in the last day, or week. Snort 3 core dumps are disabled by default for standalone devices. For high availability and clustered devices, the default frequency is now once per day instead of every time. New/modified CLI commands: configure coredump snort3, show coredump Other version restrictions: Not supported with management center or threat defense Version 7.3.x or 7.4.0. |
| Capture dropped packets with the Secure Firewall 3100/4200. | 7.2.6, 7.4.1 | 7.2.6 (no 4200), 7.4.1 | Packet losses resulting from MAC address table inconsistencies can impact your debugging capabilities. The Secure Firewall 3100/4200 can now capture these dropped packets. New/modified CLI commands: [drop {disable \| mac-filter}] in the capture command. Other version restrictions: Not supported with management center or threat defense Version 7.3.x or 7.4.0. |
| Deprecated Features | | | |
| Deprecated: DHCP relay trusted interfaces with FlexConfig. | 7.2.6, 7.4.1 | Any | Upgrade impact. Redo any related FlexConfigs after upgrade. You can now use the management center web interface to configure interfaces as trusted interfaces to preserve DHCP Option 82. If you do this, these settings override any existing FlexConfigs, although you should remove them. Other version restrictions: This feature is not supported with management center Version 7.3.x or 7.4.0. If you upgrade to an unsupported version, also redo your FlexConfigs. |
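The DHCP relay trusted-interface behavior described in the Interfaces row and the deprecated-FlexConfig row above (Option 82 present, giaddr 0, drop unless the ingress interface is trusted), modelled as an added example that is not Cisco code. It assumes a minimal DHCP parser, constructed DHCPDISCOVER messages, and hypothetical interface names; the handling of packets without Option 82 or with giaddr already set is a simplification, not taken from the release notes.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

DHCP_MAGIC = b"\x63\x82\x53\x63"  # magic cookie that ends the 236-byte BOOTP header
OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_AGENT_INFO, OPT_END = 0, 53, 82, 255
ZERO_ADDR = "0.0.0.0"


@dataclass
class DhcpPacket:
    giaddr: str                 # relay agent IP from the fixed header (bytes 24..27)
    options: Dict[int, bytes]   # option code -> raw option value


def parse_dhcp(raw: bytes) -> DhcpPacket:
    """Parse just enough of a DHCP message to make the relay decision."""
    if len(raw) < 240 or raw[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    giaddr = ".".join(str(b) for b in raw[24:28])
    options: Dict[int, bytes] = {}
    i = 240
    while i < len(raw):
        code = raw[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 2 > len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return DhcpPacket(giaddr, options)


def relay_decision(pkt: DhcpPacket, ingress: str, trusted: Set[str],
                   relay_addr: str) -> Tuple[str, Optional[str], str]:
    """Return (action, giaddr to send, reason) for a client-to-server message.

    The first branch is the behaviour the release notes describe; the other two
    are a simplified model of ordinary relay handling (assumption, not from the page).
    """
    has_opt82 = OPT_RELAY_AGENT_INFO in pkt.options
    if has_opt82 and pkt.giaddr == ZERO_ADDR:
        # Option 82 already present but giaddr unset: nothing vouches for who
        # inserted the option, so drop unless the ingress interface is trusted.
        if ingress in trusted:
            return ("forward", relay_addr, "trusted interface: Option 82 preserved")
        return ("drop", None, "Option 82 present with giaddr 0 on untrusted interface")
    if pkt.giaddr != ZERO_ADDR:
        # An upstream relay already stamped the packet; forward it unchanged.
        return ("forward", pkt.giaddr, "giaddr already set by upstream relay")
    return ("forward", relay_addr, "no Option 82: stamp giaddr and forward")


def build_discover(giaddr: str, circuit_id: Optional[bytes]) -> bytes:
    """Construct a minimal DHCPDISCOVER (constructed sample data, not a capture)."""
    hdr = bytearray(236)
    hdr[0], hdr[1], hdr[2] = 1, 1, 6                   # op=BOOTREQUEST, htype=Ethernet, hlen=6
    hdr[4:8] = struct.pack("!I", 0x3903F326)           # xid (arbitrary)
    hdr[24:28] = bytes(int(o) for o in giaddr.split("."))
    hdr[28:34] = bytes.fromhex("001122334455")         # chaddr (constructed MAC)
    opts = bytes([OPT_MSG_TYPE, 1, 1])                 # DHCP message type = DISCOVER
    if circuit_id is not None:
        sub = bytes([1, len(circuit_id)]) + circuit_id  # sub-option 1 = Agent Circuit ID
        opts += bytes([OPT_RELAY_AGENT_INFO, len(sub)]) + sub
    return bytes(hdr) + DHCP_MAGIC + opts + bytes([OPT_END])


if __name__ == "__main__":
    relay_ip, trusted_ifaces = "10.0.0.1", {"inside"}   # hypothetical names
    tagged = parse_dhcp(build_discover(ZERO_ADDR, b"port-7"))
    print(relay_decision(tagged, "dmz", trusted_ifaces, relay_ip))     # dropped
    print(relay_decision(tagged, "inside", trusted_ifaces, relay_ip))  # forwarded
```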
Management Center Features in Version 7.2.5
| Feature | Minimum Management Center | Minimum Threat Defense | Details |
|---|---|---|---|
| Interfaces | | | |
| Management center detects interface sync errors. | 7.2.5, 7.4.1 | Any | Upgrade impact. You may need to sync interfaces after upgrade. In some cases, the management center can be missing a configuration for an interface even though the interface is correctly configured and functioning on the device. If this happens, and your management center is running: Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0. The management center will neither block deploy nor warn you of missing configurations. You can still sync interfaces manually if you think you are having an issue. |
Management Center Features in Version 7.2.4
| Feature | Minimum Management Center | Minimum Threat Defense | Details |
|---|---|---|---|
| Default Forward Error Correction (FEC) on Secure Firewall 3100 fixed ports changed to Clause 108 RS-FEC from Clause 74 FC-FEC for 25 GB+ SR, CSR, and LR transceivers. | 7.2.4 | Any | When you set the FEC to Auto on the Secure Firewall 3100 fixed ports, the default type is now set to Clause 108 RS-FEC instead of Clause 74 FC-FEC for 25 GB+ SR, CSR, and LR transceivers. See: Interface Overview. |
| Automatically update CA bundles. | 7.0.5, 7.1.0.3, 7.2.4 | 7.0.5, 7.1.0.3, 7.2.4 | Upgrade impact. The system connects to Cisco for something new. The local CA bundle contains certificates to access several Cisco services. The system now automatically queries Cisco for new CA certificates at a daily system-defined time. Previously, you had to upgrade the software to update CA certificates. You can use the CLI to disable this feature. New/modified CLI commands: configure cert-update auto-update, configure cert-update run-now, configure cert-update test, show cert-update Version restrictions: This feature is included in Versions 7.0.5+, 7.1.0.3+, and 7.2.4+. It is not supported in earlier 7.0, 7.1, or 7.2 releases. If you upgrade from a supported version to an unsupported version, the feature is temporarily disabled and the system stops contacting Cisco. See: Firepower Management Center Command Line Reference and Cisco Secure Firewall Threat Defense Command Reference |
| Access control performance improvements (object optimization). | 7.2.4 | Any | Upgrade impact. First deployment after management center upgrade to 7.2.4–7.2.5 or 7.4.0 can take a long time and increase CPU use on managed devices. Access control object optimization improves performance and consumes fewer device resources when you have access control rules with overlapping networks. The optimizations occur on the managed device on the first deploy after the feature is enabled on the management center (including if it is enabled by an upgrade). If you have a high number of rules, the system can take several minutes to an hour to evaluate your policies and perform object optimization. During this time, you may also see higher CPU use on your devices. A similar thing occurs on the first deploy after the feature is disabled (including if it is disabled by upgrade). After this feature is enabled or disabled, we recommend you deploy when it will have the least impact, such as a maintenance window or a low-traffic time. New/modified screens (requires Version 7.2.6): System (). Other version restrictions: Not supported with management center Version 7.3.x. |
| Smaller VDB for lower memory Snort 2 devices. | 6.4.0.17, 7.0.6, 7.2.4, 7.3.1.1, 7.4.0 | Any with Snort 2 | Upgrade impact. Application identification on lower memory devices is affected. For VDB 363+, the system now installs a smaller VDB (also called VDB lite) on lower memory devices running Snort 2. This smaller VDB contains the same applications, but fewer detection patterns. Devices using the smaller VDB can miss some application identification versus devices using the full VDB. Lower memory devices: ASA 5506-X series, ASA-5508-X, 5512-X, 5515-X, 5516-X, 5525-X, 5545-X Version restrictions: The ability to install a smaller VDB depends on the version of the management center, not managed devices. If you upgrade the management center from a supported version to an unsupported version, you cannot install VDB 363+ if your deployment includes even one lower memory device. For a list of affected releases, see CSCwd88641. |
Management Center Features in Version 7.2.3
| Feature | Minimum Management Center | Minimum Threat Defense | Details |
|---|---|---|---|
| Firepower 1010E. | 7.2.3.1, 7.3.1.1 | 7.2.3 | We introduced the Firepower 1010E, which does not support power over Ethernet (PoE). Do not use a Version 7.2.3 or Version 7.3.0 management center to manage the Firepower 1010E. Instead, use a Version 7.2.3.1+ or Version 7.3.1.1+ management center. Version restrictions: These devices do not support Version 7.3.x or 7.4.0. Support returns in Version 7.4.1. |
Management Center Features in Version 7.2.2
This release introduces stability, hardening, and performance enhancements. See Resolved Bugs in Version 7.2.2.
Management Center Features in Version 7.2.1
| Feature | Minimum Management Center | Minimum Threat Defense | Details |
|---|---|---|---|
| Hardware bypass ("fail-to-wire") network modules for the Secure Firewall 3100. | 7.2.1 | 7.2.1 | We introduced these hardware bypass network modules for the Secure Firewall 3100: New/modified screens: Devices > Device Management > Interfaces > Edit Physical Interface For more information, see Inline Sets and Passive Interfaces. |
| Intel Ethernet Network Adapter E810-CQDA2 driver with threat defense virtual for KVM. | 7.2.1 | 7.2.1 | We now support the Intel Ethernet Network Adapter E810-CQDA2 driver with threat defense virtual for KVM. For more information, see Getting Started with Secure Firewall Threat Defense Virtual and KVM. |
Management Center Features in Version 7.2.0
Feature |
Minimum Management Center |
Minimum Threat Defense |
Details |
|||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Platform |
||||||||||||||||||||||||||||||||
Snapshots allow quick deploy of threat defense virtual for AWS and Azure. |
7.2.0 |
7.2.0 |
You can now take a snapshot of a threat defense virtual for AWS or Azure instance, then use that snapshot to quickly deploy new instances. This feature also improves the performance of the autoscale solutions for AWS and Azure. For more information, see the Cisco Secure Firewall Threat Defense Virtual Getting Started Guide. |
|||||||||||||||||||||||||||||
Analytics mode for cloud-managed threat defense devices. |
7.2.0 |
7.0.3 7.2.0 |
Concurrently with Version 7.2, we introduced the cloud-delivered Firewall Management Center, which uses the Cisco Defense Orchestrator platform and unites management across multiple Cisco security solutions. We take care of feature updates. On-prem hardware and virtual management centers running Version 7.2+ can "co-manage" cloud-managed threat defense devices, but for event logging and analytics purposes only. You cannot deploy policy to these devices from an on-prem management center. New/modified screens:
New/modified CLI commands: configure manager add , configure manager delete , configure manager edit , show managers Version restrictions: Not supported with threat defense Version 7.1. For more information, see Managing Firewall Threat Defense with Cloud-Delivered Firewall Management Center in Cisco Defense Orchestrator. |
|||||||||||||||||||||||||||||
ISA 3000 support for shutting down. |
7.2.0 |
7.2.0 |
Support returns for shutting down the ISA 3000. This feature was introduced in Version 7.0.2 but was temporarily deprecated in Version 7.1. |
|||||||||||||||||||||||||||||
High Availability/Scalability: Threat Defense |
||||||||||||||||||||||||||||||||
Clustering for threat defense virtual in both public and private clouds. |
7.2.0 |
7.2.0 |
You can now configure clustering for the following threat defense virtual platforms:
New/modified screens:
For more information, see Clustering for Threat Defense Virtual in a Public Cloud (AWS, GCP) or Clustering for Threat Defense Virtual in a Private Cloud (KVM, VMware). |
|||||||||||||||||||||||||||||
16-node clusters for the Firepower 4100/9300, and for threat defense virtual for AWS and GCP. |
7.2.0 |
7.2.0 |
You can now configure 16-node clusters for the Firepower 4100/9300, and for threat defense virtual for AWS and GCP. Note that the Secure Firewall 3100 still only supports 8 nodes. For more information, see Clustering for the Firepower 4100/9300 or Clustering for Threat Defense Virtual in a Public Cloud. |
|||||||||||||||||||||||||||||
Autoscale for threat defense virtual for AWS gateway load balancers. |
7.2.0 |
7.2.0 |
We now support autoscale for threat defense virtual for AWS gateway load balancers, using a CloudFormation template. For more information, see the Cisco Secure Firewall Threat Defense Virtual Getting Started Guide. |
|||||||||||||||||||||||||||||
Autoscale for threat defense virtual for GCP. |
7.2.0 |
7.2.0 |
Upgrade impact. Threat defense virtual for GCP cannot upgrade across Version 7.2.0. We now support autoscale for threat defense virtual for GCP, by positioning a threat defense virtual instance group between a GCP internal load balancer (ILB) and a GCP external load balancer (ELB). Version restrictions: Due to interface changes required to support this feature, threat defense virtual for GCP upgrades cannot cross Version 7.2.0. That is, you cannot upgrade to Version 7.2.0+ from Version 7.1.x and earlier. You must deploy a new instance and redo any device-specific configurations. For more information, see the Cisco Secure Firewall Threat Defense Virtual Getting Started Guide. |
|||||||||||||||||||||||||||||
Interfaces | | | |
LLDP support for the Firepower 2100 and Secure Firewall 3100. | 7.2.0 | 7.2.0 | You can now enable Link Layer Discovery Protocol (LLDP) for Firepower 2100 and Secure Firewall 3100 series interfaces. New/modified screens: New/modified commands: show lldp status, show lldp neighbors, show lldp statistics. For more information, see Interface Overview. |
Pause frames for flow control for the Secure Firewall 3100. | 7.2.0 | 7.2.0 | During a traffic burst, packets can be dropped if the burst exceeds the capacity of the FIFO buffer on the NIC and the receive ring buffers. Enabling pause frames for flow control can alleviate this issue. New/modified screens: Devices > Device Management > Interfaces > Hardware Configuration > Network Connectivity. For more information, see Interface Overview. |
Breakout ports for the Secure Firewall 3130 and 3140. | 7.2.0 | 7.2.0 | You can now configure four 10 GB breakout ports for each 40 GB interface on the Secure Firewall 3130 and 3140. New/modified screens: Devices > Device Management > Chassis Operations. For more information, see Interface Overview. |
Configure VXLAN from the management center web interface. | 7.2.0 | Any | Upgrade impact. Redo FlexConfigs after upgrade. You can now use the management center web interface to configure VXLAN interfaces. A VXLAN acts as a Layer 2 virtual network over a Layer 3 physical network, stretching the Layer 2 network across it. If you configured VXLAN interfaces with FlexConfig in a previous version, they continue to work. In fact, FlexConfig takes precedence in this case—if you redo your VXLAN configurations in the web interface, remove the FlexConfig settings. New/modified screens: For more information, see Regular Firewall Interfaces. |
NAT | | | |
Enable, disable, or delete more than one NAT rule at a time. | 7.2.0 | Any | You can select multiple NAT rules and enable, disable, or delete them all at the same time. Enable and disable apply to manual NAT rules only, whereas delete applies to any NAT rule. For more information, see Network Address Translation. |
VPN | | | |
Certificate and SAML authentication for RA VPN connection profiles. | 7.2.0 | 7.2.0 | We now support certificate and SAML authentication for RA VPN connection profiles. You can authenticate a machine certificate or user certificate before SAML authentication/authorization is initiated. This can be done using DAP certificate attributes along with user-specific SAML DAP attributes. New/modified screens: You can now choose the Certificate & SAML option when choosing the authentication method for the connection profile in an RA VPN policy. For more information, see Remote Access VPN. |
Route-based site-to-site VPN with hub and spoke topology. | 7.2.0 | 7.2.0 | We added support for route-based site-to-site VPNs in a hub and spoke topology. Previously, that topology only supported policy-based (crypto map) VPNs. New/modified screens: When you add a new VPN topology and choose Route Based (VTI), you can now also choose Hub and Spoke. For more information, see Site-to-Site VPNs. |
IPsec flow offload for the Secure Firewall 3100. | 7.2.0 | 7.2.0 | On the Secure Firewall 3100, IPsec flows are offloaded by default. After the initial setup of an IPsec site-to-site VPN or remote access VPN security association (SA), IPsec connections are offloaded to the field-programmable gate array (FPGA) in the device, which should improve device performance. You can change the configuration using FlexConfig and the flow-offload-ipsec command. For more information, see Site-to-Site VPNs. |
Routing | | | |
Configure EIGRP from the management center web interface. | 7.2.0 | Any | Upgrade impact. Redo FlexConfigs after upgrade. You can now use the management center web interface to configure EIGRP. Note that you can only enable EIGRP on interfaces belonging to the device's Global virtual router. If you configured EIGRP with FlexConfig in a previous version, the system allows you to deploy post-upgrade, but also warns you to redo your EIGRP configurations in the web interface. When you are satisfied with the new configuration, you can delete the deprecated FlexConfig objects or commands. To help you with this process, we provide a command-line migration tool. New/modified screens: For more information, see EIGRP and Migrating FlexConfig Policies. |
Virtual router support for the Firepower 1010. | 7.2.0 | 7.2.0 | You can now configure up to five virtual routers on the Firepower 1010. For more information, see Virtual Routers. |
Support for VTIs in user-defined virtual routers. | 7.2.0 | 7.2.0 | You can now assign virtual tunnel interfaces to user-defined virtual routers. Previously, you could only assign VTIs to Global virtual routers. New/modified screens: For more information, see Virtual Routers. |
Policy-based routing with path monitoring. | 7.2.0 | 7.2.0 | You can now use path monitoring to collect performance metrics (RTT, jitter, packet loss, and MOS) for a device's egress interfaces. You can then use these metrics to determine the best path for policy-based routing. New/modified screens: New/modified CLI commands: show policy route, show path-monitoring, clear path-monitoring. For more information, see Policy Based Routing. |
Threat Intelligence | | | |
DNS-based threat intelligence from Cisco Umbrella. | 7.2.0 | Any | We now support DNS-based Security Intelligence using regularly updated information from Cisco Umbrella. You can use both a local DNS policy and an Umbrella DNS policy, for two layers of protection. New/modified screens: For more information, see DNS Policies. |
IP-based threat intelligence from Amazon GuardDuty. | 7.2.0 | Any | You can now handle traffic based on malicious IP addresses detected by Amazon GuardDuty, when integrated with management center virtual for AWS. The system consumes this threat intelligence via a custom Security Intelligence feed, or via a regularly updated network object group, which you can then use in your security policies. For more information, see the Cisco Secure Firewall Threat Defense Virtual Getting Started Guide. |
Access Control: Threat Detection and Application Identification | | | |
Dynamic object management with: | 7.2.0 | Any | Concurrently with Version 7.2, we released the following updates to the Cisco Secure Dynamic Attributes Connector: |
Bypass inspection or throttle elephant flows on Snort 3 devices. | 7.2.0 | 7.2.0 with Snort 3 | You can now detect and optionally bypass inspection or throttle elephant flows. By default, access control policies are set to generate an event when the system sees an unencrypted connection larger than 1 GB/10 sec; the rate limit is configurable. For the Firepower 2100 series, you can detect elephant flows but not bypass inspection or throttle. For devices running Snort 2 and for devices running Version 7.1 and earlier, continue to use Intelligent Application Bypass (IAB). New/modified screens: We added Elephant Flow Settings to the access control policy's Advanced tab. For more information, see Elephant Flow Detection. |
Encrypted visibility engine enhancements. | 7.2.0 | 7.2.0 with Snort 3 | We made the following enhancements to the encrypted visibility engine (EVE): The following connection event fields have changed along with these enhancements: This feature now requires a Threat license. For more information, see Access Control Policies and Application Detection. |
TLS 1.3 inspection. | 7.2.0 | 7.2.0 with Snort 3 | We now support inspection of TLS 1.3 traffic. New/modified screens: We added the Enable TLS 1.3 Decryption option to the Advanced Settings tab in SSL policies. Note that this option is disabled by default. For more information, see SSL Policies. |
Improved portscan detection. | 7.2.0 | 7.2.0 with Snort 3 | With an improved portscan detector, you can easily configure the system to detect or prevent portscans. You can refine the networks you want to protect, set the sensitivity, and so on. For devices running Snort 2 and for devices running Version 7.1 and earlier, continue to use the network analysis policy for portscan detection. New/modified screens: We added Threat Detection to the access control policy's Advanced tab. For more information, see Threat Detection. |
VBA macro inspection. | 7.2.0 | 7.2.0 with Snort 3 | We now support inspection of VBA (Visual Basic for Applications) macros in Microsoft Office documents, which is done by decompressing the macros and matching rules against the decompressed content. By default, VBA macro decompression is disabled in all system-provided network analysis policies. To enable it, use the decompress_vba setting in the imap, smtp, http_inspect, and pop Snort 3 inspectors. To configure custom intrusion rules to match against decompressed macros, use the vba_data option. For more information, see the Snort 3 Inspector Reference and the Cisco Secure Firewall Management Center Snort 3 Configuration Guide. |
Improved JavaScript inspection. | 7.2.0 | 7.2.0 with Snort 3 | We improved JavaScript inspection, which is done by normalizing the JavaScript and matching rules against the normalized content. The new normalizer's enhancements include improved white-space normalization, semicolon insertion, cross-site script handling, identifier normalization and dealiasing, just-in-time (JIT) inspection, and the ability to inspect external scripts. By default, the new normalizer is enabled in all system-provided network analysis policies. To tune performance or disable the feature in a custom network analysis policy, use the js_norm (improved normalizer) and normalize_javascript (legacy normalizer) settings in the http_inspect Snort 3 inspector. To configure custom intrusion rules to match against normalized JavaScript, use the js_data option, for example: For more information, see HTTP Inspect Inspector in the Snort 3 Inspector Reference, as well as the Cisco Secure Firewall Management Center Snort 3 Configuration Guide. |
Improved SMB 3 inspection. | 7.2.0 | 7.2.0 with Snort 3 | We now support inspection of SMB 3 traffic in the following situations: For more information, see the Snort 3 Inspector Reference and the Cisco Secure Firewall Management Center Snort 3 Configuration Guide. |
Event Logging and Analysis | | | |
Improved SecureX integration, SecureX orchestration. | 7.2.0 | Any | We have streamlined the SecureX integration process. Now, as long as you already have a SecureX account, you just choose your cloud region on the new Integration > SecureX page, click Enable SecureX, and authenticate to SecureX. The options to send events to the cloud and to enable Cisco Success Network and Cisco Support Diagnostics are also moved to this new page. When you enable SecureX integration on this new page, licensing and management for the system's cloud connection switches from Cisco Smart Licensing to SecureX. If you already enabled SecureX the "old" way, you must disable and re-enable to get the benefits of this cloud connection management. Note that this page also governs the cloud region for, and the event types sent to, the Secure Network Analytics (Stealthwatch) cloud using Security Analytics and Logging (SaaS), even though the web interface does not indicate this. Previously, these options were on System > Integration > Cloud Services. Enabling SecureX does not affect communications with the Secure Network Analytics cloud; you can send events to both. The management center also now supports SecureX orchestration—a powerful drag-and-drop interface you can use to automate workflows across security tools. After you enable SecureX, you can enable orchestration. As part of this feature, you can no longer use the REST API to configure SecureX integration. You must use the FMC web interface. Version restrictions: This feature is included in Versions 7.0.2+ and 7.2+. It is not supported in Version 7.1. If you use the new method to enable SecureX integration in Version 7.0.x, you cannot upgrade to Version 7.1 unless you disable the feature. We recommend you upgrade to Version 7.2+. See: Cisco Secure Firewall Management Center (7.0.2 and 7.2) and SecureX Integration Guide. |
Log security events to multiple Secure Network Analytics on-prem data stores. | 7.2.0 | 7.0.0 | When you configure a Secure Network Analytics Data Store (multi-node) integration, you can now add multiple flow collectors for security events. You assign each flow collector to one or more threat defense devices running Version 7.0+. New/modified screens: This feature requires Secure Network Analytics Version 7.1.4. For more information, see the Cisco Security Analytics and Logging (On Premises): Firewall Event Integration Guide. |
Database access changes. | 7.2.0 | Any | We added ten new tables, deprecated one table, and prohibited joins in six tables. We also added fields to various tables for Snort 3 support and to provide timestamps and IP addresses in human-readable format. For more information, see the What's New topic in the Cisco Secure Firewall Management Center Database Access Guide, Version 7.2. |
eStreamer changes. | 7.2.0 | Any | A new Python-based reference client has been added to the SDK. Also, you can now request fully qualified events. For more information, see the What's New topic in the Cisco Secure Firewall Management Center Event Streamer Integration Guide, Version 7.2. |
Deployment and Policy Management | | | |
Auto rollback of a deployment that causes a loss of management connectivity. | 7.2.0 | 7.2.0 | You can now enable auto rollback of the configuration if a deployment causes the management connection between the management center and threat defense to go down. Previously, you could only manually roll back a configuration using the configure policy rollback command. New/modified screens: For more information, see Device Management. |
Generate and email a report when you deploy configuration changes. | 7.2.0 | Any | You can now generate a report for any deploy task. The report contains details about the deployed configuration. New/modified pages: Deployment History icon > More > Generate Report. For more information, see Configuration Deployment. |
Access control policy locking. | 7.2.0 | Any | You can now lock an access control policy to prevent other administrators from editing it. Locking the policy ensures that your changes will not be invalidated if another administrator edits the policy and saves changes before you save your changes. Any user who has permission to modify the access control policy has permission to lock it. We added an icon to lock or unlock a policy next to the policy name while editing the policy. In addition, there is a new permission to allow users to unlock policies locked by other administrators: Override Access Control Policy Lock. This permission is enabled by default in the Administrator, Access Admin, and Network Admin roles. For more information, see Access Control Policies. |
Object group search is enabled by default. | 7.2.0 | Any | The Object Group Search setting is now enabled by default when you add a device to the management center. New/modified screens: For more information, see Device Management. |
Access control rule hit counts persist over reboot. | 7.2.0 | 7.2.0 | Rebooting a managed device no longer resets access control rule hit counts to zero. Hit counts are reset only if you actively clear the counters. In addition, counts are maintained by each unit in an HA pair or cluster separately. You can use the show rule hits command to see cumulative counters across the HA pair or cluster, or to see the counts per node. New/modified CLI commands: show rule hits. For more information, see the Cisco Secure Firewall Threat Defense Command Reference. |
New user interface for the access control policy. | 7.2.0 | Any | There is a new experimental user interface available for the access control policy. You can continue to use the legacy user interface, or you can try out the new user interface. The new interface has both a table and a grid view for the rules list, the ability to show or hide columns, enhanced search, infinite scroll, a clearer view of the packet flow related to policies associated with the access control policy, and a simplified add/edit dialog box for creating rules. You can freely switch back and forth between the legacy and new user interfaces while editing an access control policy. For more information, see Access Control Policies. |
Upgrade | | | |
Copy upgrade packages ("peer-to-peer sync") from device to device. | 7.2.0 | 7.2.0 | Instead of copying upgrade packages to each device from the management center or an internal web server, you can use the threat defense CLI to copy upgrade packages between devices ("peer-to-peer sync"). This secure and reliable resource sharing goes over the management network but does not rely on the management center. Each device can accommodate five concurrent package transfers. This feature is supported for Version 7.2.x–7.4.x standalone devices managed by the same Version 7.2.x–7.4.x standalone management center. It is not supported for: New/modified CLI commands: configure p2psync enable, configure p2psync disable, show peers, show peer details, sync-from-peer, show p2p-sync-status. |
Auto-upgrade to Snort 3 after successful threat defense upgrade. | 7.2.0 | 7.2.0 | When you use a Version 7.2+ management center to upgrade threat defense to Version 7.2+, you can now choose whether to Upgrade Snort 2 to Snort 3. After the software upgrade, eligible devices upgrade from Snort 2 to Snort 3 when you deploy configurations. For devices that are ineligible because they use custom intrusion or network analysis policies, we strongly recommend you manually upgrade to Snort 3 for improved detection and performance. For help, see the Cisco Secure Firewall Management Center Snort 3 Configuration Guide for your version. Version restrictions: Not supported for threat defense upgrades to Version 7.0.x or 7.1.x. |
Upgrade for single-node clusters. | 7.2.0 | Any | You can now use the device upgrade page to upgrade clusters with only one active node. Any deactivated nodes are also upgraded. Previously, this type of upgrade would fail. This feature is not supported from the system updates page. Hitless upgrades are also not supported in this case. Interruptions to traffic flow and inspection depend on the interface configurations of the lone active unit, just as with standalone devices. Supported platforms: Firepower 4100/9300, Secure Firewall 3100 |
Revert threat defense upgrades from the CLI. | 7.2.0 | 7.2.0 | You can now revert threat defense upgrades from the device CLI if communications between the management center and device are disrupted. Note that in high availability/scalability deployments, revert is more successful when all units are reverted simultaneously. When reverting with the CLI, open sessions with all units, verify that revert is possible on each, then start the processes at the same time. New/modified CLI commands: upgrade revert, show upgrade revert-info. For more information, see Revert the Upgrade. |
Administration | | | |
Back up and restore threat defense virtual for AWS. | 7.2.0 | Any | You can now use the management center to back up threat defense virtual for AWS, except device clusters. To restore, use the device CLI. For more information, see Backup/Restore. |
Multiple DNS server groups for resolving DNS requests. | 7.2.0 | Any | You can configure multiple DNS groups for the resolution of DNS requests from client systems. You can use these DNS server groups to resolve requests for different DNS domains. For example, you could have a catch-all default group that uses public DNS servers, for use with connections to the Internet. You could then configure a separate group to use internal DNS servers for internal traffic, for example, any connection to a machine in the example.com domain. Thus, connections to an FQDN using your organization’s domain name would be resolved using your internal DNS servers, whereas connections to public servers use external DNS servers. New/modified screens: For more information, see Platform Settings. |
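The domain-to-group selection described in the multiple DNS server groups entry, as an added example that is not Cisco's code: a catch-all default group plus per-domain groups, with the most specific configured domain winning and matching done on label boundaries so that a name like notexample.com is not sent to the example.com group. The group names, server addresses and domain lists are constructed sample values.

```python
"""Added example (not Cisco's code): choose which DNS server group should
resolve a given FQDN, following the release-note description of multiple
DNS server groups. All group names, resolver addresses and domains below
are constructed sample values."""

from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class DnsServerGroup:
    name: str
    servers: List[str]                      # resolver addresses (constructed)
    domains: List[str] = field(default_factory=list)  # empty list = catch-all


def matches_domain(fqdn: str, domain: str) -> bool:
    """True if fqdn is the domain itself or a name under it.

    The comparison is done on a label boundary: 'web.example.com' and
    'example.com' match 'example.com', but 'notexample.com' does not,
    which a naive endswith() check would get wrong. Trailing dots and
    letter case are ignored, as DNS names are case-insensitive."""
    fqdn = fqdn.rstrip(".").lower()
    domain = domain.rstrip(".").lower()
    return fqdn == domain or fqdn.endswith("." + domain)


def select_group(fqdn: str, groups: List[DnsServerGroup],
                 default: DnsServerGroup) -> DnsServerGroup:
    """Return the group whose configured domain is the longest (most
    specific) match for fqdn; fall back to the catch-all default group."""
    best: Optional[DnsServerGroup] = None
    best_len = -1
    for group in groups:
        for domain in group.domains:
            if matches_domain(fqdn, domain) and len(domain) > best_len:
                best, best_len = group, len(domain)
    return best if best is not None else default


# Constructed sample configuration: public resolvers as the default group,
# internal resolvers for example.com, and a more specific lab subdomain.
DEFAULT_GROUP = DnsServerGroup("PublicDNS", ["198.51.100.53", "198.51.100.54"])
DOMAIN_GROUPS = [
    DnsServerGroup("CorpDNS", ["10.0.0.53"], ["example.com"]),
    DnsServerGroup("LabDNS", ["10.9.0.53"], ["lab.example.com"]),
]


def resolve_plan(fqdn: str) -> Tuple[str, List[str]]:
    """Name of the selected group and the resolvers it would query."""
    group = select_group(fqdn, DOMAIN_GROUPS, DEFAULT_GROUP)
    return group.name, group.servers


if __name__ == "__main__":
    for name in ("intranet.example.com", "host.lab.example.com",
                 "notexample.com", "www.example.org"):
        print(f"{name} -> {resolve_plan(name)}")
```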
Configure certificate validation with threat defense by usage type. | 7.2.0 | 7.2.0 | You can now specify the usage types for which validation is allowed with the trustpoint (the threat defense device): IPsec client connections, SSL client connections, and SSL server certificates. New/modified screens: We added a Validation Usage option to certificate enrollment objects. For more information, see Object Management. |
French language option for web interface. | 7.2.0 | Any | You can now switch the management center web interface to French. New/modified screens: System > Configuration > Language. For more information, see System Configuration. |
Web interface changes: deployment and user activity integrations. | 7.2.0 | Any | Version 7.2 changes these management center menu options in all cases. |
Web interface changes: SecureX, threat intelligence, and other integrations. | 7.2.0 | Any | Version 7.2 changes these management center menu options if you are upgrading from Version 7.0.1 or earlier, or from Version 7.1. |
Troubleshooting | | | |
Dropped packet statistics for the Secure Firewall 3100. | 7.2.0 | 7.2.0 | The new show packet-statistics threat defense CLI command displays comprehensive information about non-policy related packet drops. Previously this information required using several commands. For more information, see the Cisco Secure Firewall Threat Defense Command Reference. |
Deprecated Features | | | |
Deprecated: EIGRP with FlexConfig. | 7.2.0 | Any | You can now configure EIGRP routing from the management center web interface. You no longer need these FlexConfig objects: Eigrp_Configure, Eigrp_Interface_Configure, Eigrp_Unconfigure, Eigrp_Unconfigure_all, or these associated text objects: eigrpAS, eigrpNetworks, eigrpDisableAutoSummary, eigrpRouterId, eigrpStubReceiveOnly, eigrpStubRedistributed, eigrpStubConnected, eigrpStubStatic, eigrpStubSummary, eigrpIntfList, eigrpAS, eigrpAuthKey, eigrpAuthKeyId, eigrpHelloInterval, eigrpHoldTime, eigrpDisableSplitHorizon. The system does allow you to deploy post-upgrade, but also warns you to redo your EIGRP configurations. To help you with this process, we provide a command-line migration tool. For details, see Migrating FlexConfig Policies. |
Deprecated: VXLAN with FlexConfig. | 7.2.0 | Any | You can now configure VXLAN interfaces from the management center web interface. You no longer need these FlexConfig objects: VxLAN_Clear_Nve, VxLAN_Clear_Nve_Only, VxLAN_Configure_Port_And_Nve, VxLAN_Make_Nve_Only, VxLAN_Make_Vni, or these associated text objects: vxlan_Port_And_Nve, vxlan_Nve_Only, vxlan_Vni. If you configured VXLAN interfaces with FlexConfig in a previous version, they continue to work. In fact, FlexConfig takes precedence in this case—if you redo your VXLAN configurations in the web interface, remove the FlexConfig settings. |
Deprecated: Automatic pre-upgrade troubleshooting. | 7.2.0 | Any | To save time and disk space, the management center upgrade process no longer automatically generates troubleshooting files before the upgrade begins. Note that device upgrades are unaffected and continue to generate troubleshooting files. To manually generate troubleshooting files for the management center, choose System, click Firewall Management Center in the left panel, then View System & Troubleshoot Details, then Generate Troubleshooting Files. |
Deprecated: Geolocation details. | Any | Any | In May 2022 we split the GeoDB into two packages: a country code package mapping IP addresses to countries/continents, and an IP package containing additional contextual data associated with routable IP addresses. In January 2024, we stopped providing the IP package. This saves disk space and does not affect geolocation rules or traffic handling in any way. Any contextual data is now stale, and upgrading to most later versions deletes the IP package. Options to download the IP package or view contextual data have no effect, and are removed in later versions. |
Device Manager Features in Version 7.2.x
Feature | Description |
---|---|
Platform Features | |
Firepower 1010E. | We introduced the Firepower 1010E, which does not support power over Ethernet (PoE). Minimum threat defense: 7.2.3 |
Threat defense virtual for GCP. | You can now use device manager to configure threat defense virtual for GCP. See: Cisco Secure Firewall Threat Defense Virtual Getting Started Guide |
Threat defense virtual for Megaport. | You can now use device manager to configure threat defense virtual for Megaport (Megaport Virtual Edge). High availability is supported. Minimum threat defense: 7.2.8 Other version restrictions: Initially, you may not be able to freshly deploy Versions 7.3.x or 7.4.x. Instead, deploy Version 7.2.8–7.2.x and upgrade. See: Cisco Secure Firewall Threat Defense Virtual Getting Started Guide |
Network modules for the Secure Firewall 3100. | We introduced these network modules for the Secure Firewall 3100: Minimum threat defense: 7.2.1 |
Intel Ethernet Network Adapter E810-CQDA2 driver with threat defense virtual for KVM. | We now support the Intel Ethernet Network Adapter E810-CQDA2 driver with threat defense virtual for KVM. Minimum threat defense: 7.2.1 |
ISA 3000 support for shutting down. | Support returns for shutting down the ISA 3000. This feature was introduced in Version 7.0.2 but was temporarily deprecated in Version 7.1. |
Firewall and IPS Features | |
Object-group search is enabled by default for access control. | The CLI configuration command object-group-search access-control is now enabled by default for new deployments. If you are configuring the command using FlexConfig, you should evaluate whether that is still needed. If you need to disable the feature, use FlexConfig to implement the no object-group-search access-control command. |
Rule hit counts persist over reboot. | Rebooting a device no longer resets access control rule hit counts to zero. Hit counts are reset only if you actively clear the counters. In addition, counts are maintained by each unit in an HA pair or cluster separately. You can use the show rule hits command to see cumulative counters across the HA pair or cluster, or to see the counts per node. We modified the following threat defense CLI command: show rule hits. |
VPN Features | |
IPsec flow offload. | On the Secure Firewall 3100, IPsec flows are offloaded by default. After the initial setup of an IPsec site-to-site VPN or remote access VPN security association (SA), IPsec connections are offloaded to the field-programmable gate array (FPGA) in the device, which should improve device performance. You can change the configuration using FlexConfig and the flow-offload-ipsec command. See: IPSec Flow Offload |
Interface Features | |
Breakout port support for the Secure Firewall 3130 and 3140. | You can now configure four 10GB breakout ports for each 40GB interface on the Secure Firewall 3130 and 3140. New/modified screens: |
Enabling or disabling Cisco TrustSec on an interface. | You can enable or disable Cisco TrustSec on physical, subinterface, EtherChannel, VLAN, Management, or BVI interfaces, whether named or unnamed. By default, Cisco TrustSec is enabled automatically when you name an interface. We added the Propagate Security Group Tag attribute to the interface configuration dialog boxes, and the ctsEnabled attribute to the various interface APIs. |
Licensing Features | |
Permanent License Reservation Support for ISA 3000. | ISA 3000 now supports Universal Permanent License Reservation for approved customers. |
Administrative and Troubleshooting Features | |
Ability to force full deployment. | When you deploy changes, the system normally deploys just the changes made since the last successful deployment. However, if you are experiencing problems, you can elect to force a full deployment, which completely refreshes the configuration on the device. We added the Apply Full Deployment option to the deployment dialog box. |
Automatically update CA bundles. | Upgrade impact. The system connects to Cisco for something new. The local CA bundle contains certificates to access several Cisco services. The system now automatically queries Cisco for new CA certificates at a daily system-defined time. Previously, you had to upgrade the software to update CA certificates. You can use the CLI to disable this feature. New/modified CLI commands: configure cert-update auto-update, configure cert-update run-now, configure cert-update test, show cert-update. Version restrictions: This feature is included in Versions 7.0.5+, 7.1.0.3+, and 7.2.4+. It is not supported in earlier 7.0, 7.1, or 7.2 releases. If you upgrade from a supported version to an unsupported version, the feature is temporarily disabled and the system stops contacting Cisco. |
Threat defense REST API version 6.3 (v6). | The threat defense REST API for software version 7.2 is version 6.3. You can use v6 in the API URLs, or preferentially, use /latest/ to signify you are using the most recent API version that is supported on the device. Note that the URL version path element for 6.3 is the same as 6.0, 6.1, and 6.2: v6. Please re-evaluate all existing calls, as changes might have been made to the resource models you are using. To open the API Explorer, where you can view the resources, log into device manager, then click the more options button and choose API Explorer. |
Upgrade Impact Features
A feature has upgrade impact if upgrading and deploying can cause the system to process traffic or otherwise act differently without any other action on your part. This is especially common with new threat detection and application identification capabilities. A feature can also have upgrade impact if upgrading requires that you take action before or after upgrade to avoid an undesirable outcome; for example, if you must change a configuration. Having to enable a new setting or deploy a policy post-upgrade to take advantage of a new feature does not count as upgrade impact.
Note |
Deploying can affect traffic flow and inspection; see the appropriate upgrade guide for details: Cisco Secure Firewall Threat Defense: Install and Upgrade Guides. |
Tip |
Features, enhancements, and critical fixes can skip releases; these skipped releases are usually short-term major versions or early maintenance releases for long-term major versions. To minimize upgrade impact, do not upgrade to a release that deprecates features. In most cases, you can upgrade directly to the latest maintenance release for any major version. |
Upgrade Impact Features for Management Center
Check all releases between your current and target version.
Target Version | Features with Upgrade Impact |
---|---|
7.2.6–7.2.x | |
7.2.5–7.2.x | |
7.2.4+ | |
7.2.4–7.2.x | |
7.2.4–7.2.5 | |
7.2.0+ | |
7.1.0+ | |
7.0.0+ | |
6.7.0+ | |
Upgrade Impact Features for Threat Defense with Management Center
Check all releases between your current and target version.
Target Version | Features with Upgrade Impact |
---|---|
7.2.4+ | |
7.2.0+ | |
7.1.0+ | |
7.0.5–7.0.x | |
7.0.0+ | |
6.7.0+ | |
Upgrade Impact Features for Threat Defense with Device Manager
Check all releases between your current and target version.
| Target Version | Features with Upgrade Impact |
|---|---|
| 7.2.4+ | |
| 7.1.0+ | |
| 7.0.0+ | |
| 6.7.0+ | |
Upgrade Guidelines
The following sections contain release-specific upgrade warnings and guidelines. You should also check for features and bugs with upgrade impact. For general information on time/disk space requirements and on system behavior during upgrade, see the appropriate upgrade guide: For Assistance.
Upgrade Guidelines for Management Center
| Target Version | Current Version | Guideline | Details |
|---|---|---|---|
| 7.2.8.x | 7.2.8.0 | Patch uninstall not supported: Version 7.2.8.x to Version 7.2.8.0. | Uninstall is not supported for the Version 7.2.8.1 management center patch. Because patches are cumulative, and because uninstalling returns you to the patch level you upgraded from, this means that uninstall is not supported from any Version 7.2.8.x patch back to Version 7.2.8 (the base version). |
| 7.2.6 | 6.6.0–7.2.5 | Upgrade not recommended: Version 7.2.6. | Due to CSCwi63113, Version 7.2.6 was deferred on 2024-04-29 and is no longer available for download. If you downloaded it, do not use it. If you are running this version, upgrade. |
| 7.0.0–7.2.x | 6.4.0–6.7.x | Reconnect with Threat Grid for high availability management centers. | Version 7.0.0 fixes an issue with management center high availability and malware detection where, after failover, the system stopped submitting files for dynamic analysis (CSCvu35704). For the fix to take effect, you must reassociate with the Cisco Threat Grid public cloud after upgrading. After you upgrade the high availability pair to Version 7.0.0+, on the primary management center: |
Upgrade Guidelines for Threat Defense with Management Center
| Target Version | Current Version | Guideline | Details |
|---|---|---|---|
| 7.2.6 | 6.6.0–7.2.5 | Upgrade not recommended: Version 7.2.6. | Due to CSCwi63113, Version 7.2.6 was deferred on 2024-04-29 and is no longer available for download. If you downloaded it, do not use it. If you are running this version, upgrade. |
| 7.2.0–7.6.x | 6.7.0–7.1.x | Upgrade prohibited: threat defense virtual for GCP from Version 7.1.x and earlier to Version 7.2.0+. | You cannot upgrade threat defense virtual for GCP from Version 7.1.x and earlier to Version 7.2.0+. You must deploy a new instance. |
| 7.2.0–7.2.6 | 7.1.x, 6.6.0–7.0.2 | Unregister and reregister devices after reverting threat defense. | If you revert from Version 7.2.0–7.2.6 to Version 6.6.0–7.0.2 or to Version 7.1.x, unregister and reregister devices after the revert completes (CSCwi31680). |
| 6.7.0–7.2.x | 6.4.0–6.6.x | Upgrade failure: Firepower 1010 switch ports with invalid VLAN IDs. | For the Firepower 1010, threat defense upgrades to Version 6.7+ will fail if you configured switch ports with a VLAN ID in the 3968–4047 range. These IDs are for internal use only. |
Upgrade Guidelines for Threat Defense with Device Manager
| Target Version | Current Version | Guideline | Details |
|---|---|---|---|
| 7.2.6 | 6.6.0–7.2.5 | Upgrade not recommended: Version 7.2.6. | Due to CSCwi63113, Version 7.2.6 was deferred on 2024-04-29 and is no longer available for download. If you downloaded it, do not use it. If you are running this version, upgrade. |
| 6.7.0–7.2.x | 6.4.0–6.6.x | Upgrade failure: Firepower 1010 switch ports with invalid VLAN IDs. | For the Firepower 1010, threat defense upgrades to Version 6.7+ will fail if you configured switch ports with a VLAN ID in the 3968–4047 range. These IDs are for internal use only. |
Upgrade Guidelines for the Firepower 4100/9300 Chassis
In most cases, we recommend you use the latest FXOS build in each major version. For release-specific FXOS upgrade warnings and guidelines, as well as features and bugs with upgrade impact, see the FXOS release notes. Check all release notes between your current and target version: http://www.cisco.com/go/firepower9300-rns.
For firmware upgrade guidelines (for upgrades to FXOS 2.13 and earlier), see the firmware upgrade guide: Cisco Firepower 4100/9300 FXOS Firmware Upgrade Guide.
Upgrade Path
Planning your upgrade path is especially important for large deployments, multi-hop upgrades, and situations where you need to coordinate chassis, hosting environment or other upgrades.
Upgrading the Management Center
The management center must run the same or newer version as its devices. Upgrade the management center to your target version first, then upgrade devices. If you begin with devices running a much older version than the management center, further management center upgrades can be blocked. In this case, perform a three (or more) step upgrade: devices first, then the management center, then devices again.
Upgrading Threat Defense with Chassis Upgrade
For the Firepower 4100/9300, major versions require an FXOS upgrade. You should also check for firmware upgrades.
Because you upgrade the chassis first, you will briefly run a supported—but not recommended—combination, where the operating system is "ahead" of threat defense. If the chassis is already well ahead of its devices, further chassis upgrades can be blocked. In this case, perform a three (or more) step upgrade: devices first, then the chassis, then devices again. Or, perform a full reimage. In high availability or clustered deployments, upgrade one chassis at a time.
Supported Direct Upgrades
This table shows the supported direct upgrades for management center and threat defense software. Note that although you can upgrade directly to major and maintenance releases, patches change the fourth digit only. You cannot upgrade directly to a patch from a previous major or maintenance release.
For the Firepower 4100/9300, the table also lists companion FXOS versions. If a chassis upgrade is required, threat defense upgrade is blocked. In most cases, we recommend the latest build in each version; for minimum builds, see the Cisco Secure Firewall Threat Defense Compatibility Guide.
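The three rules stated in the paragraphs above (the management center must run the same or newer version as its devices; patches change only the fourth digit and cannot be reached directly from an earlier major or maintenance release; multi-hop paths must be planned from the supported direct upgrades) can be encoded as a small planner. The following Python is an added example, not Cisco tooling: its DIRECT_UPGRADES matrix is transcribed from the "Supported Direct Upgrades" table below (including the two footnotes), and every version number in the demo at the bottom is constructed.

```python
"""Upgrade-path checks built from the rules stated in these release notes.

Added example, not Cisco tooling.  DIRECT_UPGRADES is transcribed from the
"Supported Direct Upgrades" table (row = current version family, values =
target families marked YES); the patch rule and the "management center must
run the same or newer version as its devices" rule come from the text.
Version numbers in the demo at the bottom are constructed.
"""
from collections import deque

DIRECT_UPGRADES = {
    "7.6": {"7.6"},
    "7.4": {"7.6", "7.4"},
    "7.3": {"7.6", "7.4", "7.3"},
    "7.2": {"7.6", "7.4", "7.3", "7.2"},
    "7.1": {"7.6", "7.4", "7.3", "7.2", "7.1"},
    "7.0": {"7.4", "7.3", "7.2", "7.1", "7.0"},
    "6.7": {"7.2", "7.1", "7.0", "6.7"},  # footnote *: no direct 6.7 -> 7.3
    "6.6": {"7.2", "7.1", "7.0", "6.7", "6.6"},
    "6.5": {"7.1", "7.0", "6.7", "6.6"},
    "6.4": {"7.0", "6.7", "6.6", "6.5"},
    "6.3": {"6.7", "6.6", "6.5", "6.4"},
    "6.2.3": {"6.6", "6.5", "6.4", "6.3"},
}


def parse_version(text):
    """'7.2.8.1' -> (7, 2, 8, 1).  A trailing .0 is dropped so that 7.2.8.0
    compares equal to 7.2.8, the base release it names."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {text!r}")
    if len(parts) == 4 and parts[3] == 0:
        parts = parts[:3]
    return parts


def family(version):
    """Row/column key of the direct-upgrade table for a parsed version."""
    return "6.2.3" if version[:3] == (6, 2, 3) else f"{version[0]}.{version[1]}"


def is_patch(version):
    """Patches change the fourth digit only: 7.2.8.1 is a patch, 7.2.8 is not."""
    return len(version) == 4


def direct_upgrade_allowed(current, target):
    """True if current -> target is one supported hop under the page's rules."""
    cur, tgt = parse_version(current), parse_version(target)
    if tgt <= cur:
        return False                  # going backwards is a revert, not an upgrade
    if is_patch(tgt):
        # A patch is reachable only from its own major/maintenance base line,
        # never directly from an earlier major or maintenance release.
        return tgt[:3] == cur[:3]
    if tgt[:3] == (7, 4, 0):
        return False                  # footnote †: 7.4.0 is fresh-install only
    return family(tgt) in DIRECT_UPGRADES.get(family(cur), set())


def management_center_blocks(mc_version, device_versions):
    """Devices running a newer version than their management center: a
    non-empty result means the management center must be upgraded first."""
    mc = parse_version(mc_version)
    return [d for d in device_versions if parse_version(d) > mc]


def plan_hops(current, target):
    """Fewest-hop chain of version families from current to target using only
    table-supported direct upgrades (breadth-first search), preferring the
    highest intermediate family.  Returns [] when no chain exists.  Entries are
    families ('7.0'), not builds: in each intermediate family install the latest
    maintenance release, as the page recommends."""
    start, goal = family(parse_version(current)), family(parse_version(target))
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] == goal:
            return path
        for nxt in sorted(DIRECT_UPGRADES.get(path[-1], ()),
                          key=parse_version, reverse=True):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return []


if __name__ == "__main__":
    # Constructed deployment: a 7.2.8 management center with three devices.
    print(management_center_blocks("7.2.8", ["7.2.5", "7.2.9", "7.0.6"]))  # ['7.2.9']
    print(direct_upgrade_allowed("7.2.5", "7.2.8.1"))  # False: go via 7.2.8 first
    print(plan_hops("6.4.0", "7.2.9"))                 # ['6.4', '7.0', '7.2']
```

The planner deliberately works at the granularity of the table (version families), so the chassis FXOS column and the per-release guidelines above still have to be checked by hand for each hop it proposes.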
| Current Version ↓ / Target Software Version → | 7.6 | 7.4 | 7.3 | 7.2 | 7.1 | 7.0 | 6.7 | 6.6 | 6.5 | 6.4 | 6.3 |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Firepower 4100/9300 FXOS Version for Chassis Upgrades | 2.16 | 2.14 | 2.13 | 2.12 | 2.11 | 2.10 | 2.9 | 2.8 | 2.7 | 2.6 | 2.4 |
| 7.6 | YES | — | — | — | — | — | — | — | — | — | — |
| 7.4 | YES | YES † | — | — | — | — | — | — | — | — | — |
| 7.3 | YES | YES | YES | — | — | — | — | — | — | — | — |
| 7.2 | YES | YES | YES | YES | — | — | — | — | — | — | — |
| 7.1 | YES | YES | YES | YES | YES | — | — | — | — | — | — |
| 7.0 | — | YES | YES | YES | YES | YES | — | — | — | — | — |
| 6.7 | — | — | — * | YES | YES | YES | YES | — | — | — | — |
| 6.6 | — | — | — | YES | YES | YES | YES | YES | — | — | — |
| 6.5 | — | — | — | — | YES | YES | YES | YES | — | — | — |
| 6.4 | — | — | — | — | — | YES | YES | YES | YES | — | — |
| 6.3 | — | — | — | — | — | — | YES | YES | YES | YES | — |
| 6.2.3 | — | — | — | — | — | — | — | YES | YES | YES | YES |
* You cannot upgrade from Version 6.7.x to 7.3.x. You can, however, manage Version 6.7.x devices with a Version 7.3.x management center.
† You cannot upgrade threat defense to Version 7.4.0, which is available as a fresh install on the Secure Firewall 4200 only. Instead, upgrade your management center and devices to Version 7.4.1+.
Bugs
For bugs in earlier releases, see the release notes for those versions. For cloud deployments, see the Cisco Cloud-Delivered Firewall Management Center Release Notes.
Important: We do not list open bugs for maintenance releases or patches. Bug lists are auto-generated once and may not be subsequently updated. If updated, the 'table last updated' date does not mean that the list was fully accurate on that date—only that some change was made. Depending on how and when a bug was categorized or updated in our system, it may not appear in the release notes. If you have a support contract, you can obtain up-to-date bug lists with the Cisco Bug Search Tool.
Open Bugs in Version 7.2.0
Table last updated: 2024-05-02
| Bug ID | Headline |
|---|---|
|  | Jumbo frame performance has degraded up to -45% on Firepower 2100 series |
|  | 7.2.0 1984 Nutanix vFMC not accessible after upgrade from 7.1.0 |
|  | TLS 1.3 connections to sites previously decrypted may fail |
|  | Evicted units re-joined existing Cluster but not listed on Control and other evicted vFTD Cluster |
|  | snp_fp_vxlan_encap_and_grp_send_common: failed to find adj. bp->l3_type = 8, inner_sip message |
|  | vFTD installed with JF but still FMC shows info about JF getting enabled and to reboot vFTD |
|  | Upgrade to 7.2 on FTDv for Nutanix is stuck after reboot |
|  | Early data may cause xtls to not wait for probe response |
|  | FPR3100: 25G optic may show link up on some 1/10G capable only fiber ports |
|  | onPremFMC with only CDO Managed devices registered, Malware Event pages shows license warning |
|  | User cannot filter by device in the new AC policy UI |
|  | Inconsistencies seen after switching from old UI to new UI without saving the policy |
|  | New AC Policy UI: ACP rule list takes a long time to load in case of large rule set |
|  | Search is slow and semantic based searches are not working in new ACP UI |
|  | Cannot copy rules from one policy to another policy using new AC policy UI |
|  | Fetching hit counts takes longer in NEW ACP UI when compared to the legacy ACP UI |
|  | ACP rule is deleted when discarding changes, post rule reposition. |
Resolved Bugs in Version 7.2.9
Table last updated: 2024-10-22
Bug ID |
Headline |
---|---|
App-instance showing as Started instead of Online |
|
[ENH] FTD should show error/warning when attaching a not valid certificate to the interface for VPN |
|
FXOS fault F1758 description should not be specific to subinterfaces |
|
ASA may fail to create NAT rule for SNMP with: "error NAT unable to reserve ports." |
|
ENH: Support for snapshots of RX queues on InternalData interfaces when "Blocks free curr" goes low |
|
FXOS does not retry NTP sync with servers |
|
Time sync status and error message do not elaborate NTP server rejection case |
|
IKEv2 debugs: Received Policies and Expected Policies are empty |
|
For FTD HA or cluster, incorrect device name may be shown in eventing UI and dashboard statistics |
|
2X100G netmod card shows 10 Mbps on first member of port channel when second interface added |
|
ASA traceback and reload on Datapath process |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
ASA/FTD: Improve GTP Inspection Logging |
|
ASA/FTD: GTP Inspection engine serviceability |
|
Write wrapper around "kill" command to log who is calling it |
|
Intrusion user not able to change intrusion action and File Policy |
|
health alert for [FSM:STAGE:FAILED]: external aaa server configuration |
|
HashiCorp Vault's implementation of Shamir's secret sharing used precomp |
|
KP: Cleanup/Reformat the second (MSP) disk on FTD reinstall |
|
Firewall rings may get stuck and cause packet loss when asp load-balance per-packet auto is used |
|
Unable to upload FTD version image to FCM |
|
Firewall Traceback and reload due to SNMP thread |
|
FTD: TLS Server Identity does not work if size of client hello more than TCP MSS bytes |
|
ASA - The GTP inspection dropped the message 'Delete PDP Context Response' due to an invalid TEID=0 |
|
False critical high CPU alerts for FTD device system cores running instantaneous high usage |
|
ASA/FTD traceback and reload on thread DATAPATH |
|
Failed to transfer new image file to FPR2130 and traceback was observed |
|
ASA/FTD: Traceback and reload due to NAT change and DVTI in use |
|
ASA/FTD traceback and reload when invoking "show webvpn saml idp" CLI command |
|
Incomplete rootwalk. snmpwalk on 816 MIB is getting timeout. |
|
FTD events stopped being sent to FMC, EventHandler logs "publishing blocked" |
|
Intermittently flow is getting white-listed by the snort for the unknow app-id traffic. |
|
ASA crashed with Saml scenarios |
|
Chassis Manager shows HTTP 500 Internal Server error in specific cases |
|
Syslog not updating when prefilter rule name changes |
|
ASA: Traceback and reload when switching from single to multiple mode |
|
ASA traceback due to panic event during SNMP configuration |
|
Strong Encryption license is not getting applied to ASA firewalls in HA. |
|
2100: Interfaces missing from FTD after removing interfaces as members of a port-channel |
|
Lina core observed in 6.4.0.17-22 in Kp with scaled traffic |
|
An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, |
|
Message asa_log_client exited 1 time(s) seen multiple times |
|
evaluate open-vm-tools / VMware Tools on FMC for VMware -- CVE-2023-20900 and VMSA-2023-0019 |
|
The html/template package does not apply the proper rules for handling o |
|
NAT pool is not working properly despite is not reaching the 32k object ID limit. |
|
additional command outputs needed in FTD troubleshoot for blocks and ssl cache |
|
Lina core at snp_nat_xlate_verify_magic.part and soft traces |
|
Firepower WCCP router-id changes randomly when VRFs are configured |
|
FTD-HA does not fail over sometimes when snort3 crashes |
|
WM DT - ASA in transparent mode doesn't send equal IPv6 Router Advertisement packets to all nodes |
|
A flaw was found in glibc. In an uncommon situation, the gaih_inet fun |
|
Reload takes forever when reload command is issued on the lina prompt when devices are on HA |
|
ASA/FTD traceback and reload on process fsm_send_config_info_initiator |
|
[Multi-Instance] Second Hard Drive (FPR-MSP-SSD) not in use |
|
VTI tunnel goes down due to route change detected in VRF scenario |
|
Lina Traceback : Thread Name: DATAPATH during session terminate |
|
crypto_archive file generated after the software upgrade. |
|
A flaw was found in the Netfilter subsystem in the Linux kernel. The n |
|
A flaw was found in the Netfilter subsystem in the Linux kernel. The x |
|
urllib3 is a user-friendly HTTP client library for Python. urllib3 doe |
|
GTP connections, under certain circumstances do not get cleared on issuing clear conn. |
|
FTD traceback due to system memory exhaustion |
|
Datapath hogs causing clustering units to get kicked out of the cluster |
|
Management DNS Servers may be unreacheable if data interface is used as the gateway |
|
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-34-17852' |
|
A memory leak flaw was found in Libtiff's tiffcrop utility. This issue |
|
SNMP OID ifOutDiscards on MIO are always zero despite show interface are non-zero |
|
FTD 1120 standby sudden reboot |
|
Traceback on FP2140 without any trigger point. |
|
FTD upgrade failling on script 999_finish/999_zz_install_bundle.sh |
|
ASA - Traceback the standby device while HA sync ACL-DAP |
|
ASA/FTD traceback and reload on thread DATAPATH |
|
ASA/FTD may traceback and reload in Thread Name 'lina' due to a watchdog in 9.16.3.23 code |
|
Python 3.x through 3.10 has an open redirection vulnerability in lib/h |
|
An issue was discovered in the Linux kernel before 6.3.3. There is an |
|
Twisted is an event-based framework for internet applications. Prior t |
|
Alert: Decommission failed, reason: Internal error is not cleared from FCM or CLI after acknowledge |
|
File-extracts.logs are not recognised by the diskmanager leading to high disk space |
|
FTD ADI debugs may show incorrect server_group and/or realm_id for SAML-authenticated sessions |
|
In buc Traceroute 2.0.12 through 2.1.2 before 2.1.3, the wrapper scrip |
|
use kill tree function in SMA instead of SIGTERM |
|
Detailed logging related to reason behind sub-interface admin state change during operations |
|
FTD HA should not be created partially on FMC |
|
Hairpinning of DCE/RPC traffic during the suboptimal lookup |
|
Deployment fails on new AWS FTDv device with "no username admin" |
|
ASA traceback and reload on Thread Name: DATAPATH |
|
low memory/stress causing traceback in SNMP |
|
ISA3000 Traceback and reload boot loop |
|
ASA/FTD: DNS Load Balancing with SAML does not work with VPN Load Balancing |
|
ASA traceback and reload on Thread Name: pix_flash_config_thread |
|
ASA|FTD Traceback & reload in thread name Datapath |
|
TCP MSS is changed back to the default value when a VTI or loopback interface is created |
|
Snort3 traceback and restarts with race conditions |
|
Snot3 traceback in TcpReassembler::scan_data_post_ack |
|
SSL protocol settings does not modify the FDM GUI certificate configuration or disable TLSv1.1 |
|
The "show asp drop" command usage requires better updates for cluster-related drops |
|
Cut-Through Proxy feature spikes CP CPU with a flood of un-authenticated traffic |
|
ASA Traceback and reload on Thread Name "fover_parse" on Standby after Failover Group changes |
|
MSP Quota setting for instances is not correct |
|
RAVPN SAML: External browser gives misleading message when FTD/ASA fails to parse assertion |
|
Suppress "End of script output before headers" syslog on FXOS |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
Debugs failed to be enabled on SSH session |
|
ASA/FTD Traceback and reload related to SSL/DTLS traffic processing |
|
ASA/FTD may traceback and reload in Thread Name "appAgent_monitor_nd_thread" & Rip: _lina_assert. |
|
traceback and reload around function HA |
|
DHCPv6:ASA traceback on Thread Name: DHCPv6 CLIENT. |
|
WARN msg(speed not compatible, suspended) while creating port-channel on Victoria CE |
|
ASA/FTD may traceback and reload in Thread Name 'webvpn_task' |
|
ASA/FTD: Memory leak caused by Failover not freeing dnscrypt key cache due to unsyned umbrella flow |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
Firewall is in App Sync error in pseudo-standby mode and uses IPs from Active unit |
|
"Stream: TCP normalization error in NO_TIMESTAMP" is seen when SSL Policy decrypt all is used |
|
FTD: Improve or optimize LSP package verification logic to run it faster |
|
ASA/FTD traceback and reload in Thread Name: IKEv2 Daemon when moving from active to standby HA |
|
Standby FTD experiencing periodic traceback and reload |
|
CCM ID 62 - LTS18 |
|
Transparent firewall MAC filter does not capture frames with STP-UplinkFast dst MAC consistently |
|
An issue was discovered in drivers/input/input.c in the Linux kernel b |
|
An issue was discovered in the Linux kernel before 6.6.8. do_vcc_ioctl |
|
A vulnerability was found in GnuTLS. The response times to malformed c |
|
A vulnerability was found in GnuTLS, where a cockpit (which uses gnuTL |
|
41xx/93xx : Update CiscoSSH (Chassis Manager FXOS) to address CVE-2023-48795 |
|
IKEv2 client services is not getting enabled - XML profile is not downloaded |
|
FTD/Lina traceback and reload of HA pairs, in data path, after adding NAT policy |
|
some ssh sessions not timing out, leading to ssh and console unable to connect to the FXOS CLI |
|
Policy Deployment Fails when removing the Umbrella DNS Policy from Security Intelligence |
|
Snort stripping packet information and injects its packet with 0 bytes data |
|
HTTP/HTTPS detection for application needs to fail it's detection earlier |
|
Unable to send unknown file disposition to ThreatGrid due to mem cache issue |
|
Report file generated for AC policy is empty |
|
ASA CLI hangs with 'show run' on multiple SSH |
|
some stdout logs not rotated by logrotate |
|
TLS Server Identify: 'show asp table socket' output shows multiple TLS_TRK entries |
|
A use-after-free flaw was found in the __ext4_remount in fs/ext4/super |
|
In rds_recv_track_latency in net/rds/af_rds.c in the Linux kernel thro |
|
Traceback and reload on Primary unit while running debugs over the SSH session |
|
Access to website via Clientless SSL VPN Fails |
|
FTD/ASA - SNMP queries using snmpwalk are not displaying all "nameif" interfaces |
|
ASA SNMP Polling Failure for environmental FXOS DME MIB (.1.3.6.1.4.1.9.9.826.2) |
|
Check metadata cache size when generating retrospective events |
|
A memory leak problem was found in ctnetlink_create_conntrack in net/n |
|
A use-after-free vulnerability in the Linux kernel's netfilter: nf_tab |
|
linux-pam (aka Linux PAM) before 1.6.0 allows attackers to cause a den |
|
copy_params in drivers/md/dm-ioctl.c in the Linux kernel through 6.7.1 |
|
"crypto ikev2 limit queue sa_init" resets after reboot |
|
FTD SNMP OID 1.3.6.1.4.1.9.9.109.1.1.1.1.7 always returns 0% for SysProc Average |
|
Chromium-based browsers have SSL connection conflicts when FIPS CC is enabled on the firewall. |
|
ASA traceback and reload after configuring capture on nlp_int_tap and deleting context |
|
FTD traceback assert in vni_idb_get_mode and reloaded |
|
unzip 5.52 is from 2005 is contains multiple vulnerabilities |
|
Policy deployment failure rollback didnt reconfigure the FTD devices |
|
Snort process spamming syslog-ng messages so our on KP platform syslog-ng is being killed |
|
ASA Checkheaps traceback while entering same engineID twice |
|
In Spoke dual ISP case if ISP2 is down, VTI tunnels related to ISP1 flapping. |
|
ASA/FTD may traceback and reload in Thread Name DATAPATH due to GTP Spin Lock Assertion |
|
ASA upgrade from 9.16 to 9.18 causing change in AAA ldap attribute values by adding extra slash '\' |
|
The DNS message parsing code in 'named' includes a section whose compu |
|
Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6 |
|
libexpat through 2.5.0 allows a resource consumption denial of service event |
|
libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DT |
|
A denial of service vulnerability due to a deadlock was found in sctp_ |
|
An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.1 |
|
An out-of-memory flaw was found in libtiff that could be triggered by |
|
ASA/FTD Traceback and Reload during ssl session establishment |
|
Upload files through Clientless portal is not working as expected after the ASA upgrade |
|
FP 3100 MTU change on management interface is NOT persistent across reboots (returns to default MTU) |
|
The secondary device reloaded while rebooting the primary device. |
|
Bailout when lina_io_write fails persistent with EPIPE errno. |
|
Policy cache cleanup thread should cleanup any cache that is left open for a logged out session |
|
A flaw was found in the Netfilter subsystem in the Linux kernel. The i |
|
Crypto IPSEC SA Output Showing NO SA ERROR With IPSEC Offload Enabled |
|
CCM ID 67 - LTS18 |
|
Backup exits with memory allocation error on 4115 |
|
SAML: Single sign-on AnyConnect token verification failure is seen after successful authentication |
|
FTD: Primary takes active role after reloading |
|
ASA/FTD may traceback and reload in Thread Name 'lina' related to Netflow timer infra |
|
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-6-26174' |
|
FTD - Trace back and reload due to NAT involving fqdn objects |
|
ASA: Warning messages not displayed when Static interface NAT are configured |
|
FTD with Interface object optimization enabled is blocking traffic after renaming of zone names |
|
Active unit goes to disabled state when there is a mismatch in firewall mode |
|
Lina traceback and reload due to mps_hash_memory pointing to null hash table |
|
After upgrading the ASA, “Slot 1: ATA Compact Flash memory” shows a ditterent value |
|
extra file check is not reporting with pmtool SecureLSP lsp-rel-xxx command |
|
Issue when two FQDN objects with same IP are added in source or destination (FTD/ASA) |
|
FTD/ASA : CSR generation with comma between “Company Name” attribute does not work expected |
|
Lina contains outdated libexpat source code |
|
Snort3: SQL traffic failure after upgrade due to large invalid sequence numbers and invalid ACKs |
|
SFDataCorrelator memory leak after unregistering an active device |
|
Addition of debugs & a show command to capture the ID usage in the CTS SXP flow. |
|
Segmentation fault with "logger_msg_dispatch" while HA sync |
|
Clientless VPN users are unable to reach pages with HTTP Basic Authentication |
|
ASA/FTD may traceback and reload while handling DTLS traffic |
|
IKEv2 tunnels flap due to fragmentation and throttling caused by multiple ciphers/proposal |
|
ASA/FTD Cluster memory exhaustion caused by NAT process during release of port blocks allocations |
|
Command to show counters for access-policy filtered with a source IP address gives incorrect result |
|
Multiple context interfaces fail to pass traffic |
|
Dns-guard prematurely closing conn due to timing condition |
|
ASA traceback with thread name SSH |
|
High latency observed on FPR31xx or FPR42xx |
|
SFDataCorrelator memory growth when pruning a huge number of old service identities |
|
FTD: Backups fail on Multi-Instance or standalone with error "Backup died unexpectedly" |
|
Additional memory tracking in SFDataCorrelator |
|
ASA/FTD may traceback in Threadname: **CTM KC FPGA stats handler** |
|
SNMP poll for some OIDs may cause CPU hogs and high latency can be observed for ICMP packets |
|
A bug in QEMU could cause a guest I/O operation otherwise addressed to |
|
libexpat through 2.6.1 allows an XML Entity Expansion attack when ther |
|
A heap-buffer-overflow vulnerability was found in LibTIFF, in extractI |
|
when set the route-map in route RIP on FTD, routes update is not working after FTD reload |
|
Cisco Secure Client Unable to complete connection. Cisco Secure Desktop not installed on the client. |
|
ASA traceback and reload when accessing file system from ASDM |
|
SFDataCorrelator high memory usage when restart with large network map hosts |
|
Crypto IPSEC Negotiation Failing At "Failed to compute a hash value" |
|
All IPV6 BGP routes configured in device flapping |
|
Traceback observed while applying 'no failover' and 'failover' in the ASA standby |
|
ASA/FTD: A delay in an async crypto command induces a traceback and subsequently a reload. |
|
ASA/FTD may traceback and reload in Thread Name 'lina' due to SCP/SSH process |
|
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-1-16803' |
|
File descriptor leak when validating upgrade images |
|
Error message spammed to console on Firepower 2100 devices while enabling SSH config |
|
Snort3: MSSQL query traffic corrupted by stream_tcp overlap handling causing SQL HY000 |
|
Console Access Stuck for ASAv hosted in CSP after Upgrade to 9.18.3.56 |
|
Snort3 continuous traceback & reload with each deployment |
|
FTD/ASA-HA configs not in sync as the command sync process is sending configs with special chars |
|
Default Hashing Algorithm is SHA1 for Firepower Chassis Manager Certificate on 4110 |
|
Deployment time increased by 30-45 seconds after the upgrade when applying specific Platform Setting |
|
sync call got stuck resulting in boot loop |
|
ASA - Bookmarks on the WebVPN portal are unreachable after successful login. |
|
ASA may traceback and reload in Thread Name 'DATAPATH-21-16432' |
|
SNMP OID for CPUTotal1min omits snort cpu cores entries when polled |
|
ASAv Memory leak involving PKI/Crypto for VPN |
|
Syslogs continue to be sent after disabling logging class on ASA |
|
FTD - Trace back and reload due to NAT involving fqdn objects |
|
ASA/FTD may traceback and reload in Thread Name 'sdi_work' |
|
TLS Handshake Fails if Fragmented Client Hello Packet is Received Out of Order |
|
FDM HA deployment fails with 'ApplicationException: Unable to export to database' error |
|
FTD/ASA : Standby FTD traceback and reload after enabling memory tracking |
|
Seeing message "reg_fover_nlp_sessions: failover ioctl C_FOREG failed" |
|
FMC on upgrade results in FTDv losing its performance tier |
|
FPR might drop TLS1.3 connections when hybridized kyber cipher is enabled in web browser |
|
SNMP v1 and v2c traps from diagnostic and data ints stop working on a KP/vFTD after product upgrade |
|
ASA/FTD may traceback and reload in Thread Name 'fover_FSM_thread' |
|
FTD may traceback and reload in process name lina while processing appAgent msg reply |
|
Faulty input validation in the core of Apache allows malicious or expl |
|
In GNU tar before 1.35, mishandled extension attributes in a PAX archi |
|
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of |
|
FTD HA: Traceback and reload in netsnmp_oid_compare_ll |
|
HTTP Response splitting in multiple modules in Apache HTTP Server allo |
|
In the Linux kernel, the following vulnerability has been resolved: n |
|
In the Linux kernel, the following vulnerability has been resolved: b |
|
In the Linux kernel, the following vulnerability has been resolved: b |
|
In the Linux kernel, the following vulnerability has been resolved: d |
|
In the Linux kernel, the following vulnerability has been resolved: B |
|
HTTP/2 incoming headers exceeding the limit are temporarily buffered i |
|
wall in util-linux through 2.40, often installed with setgid tty permi |
|
The iconv() function in the GNU C Library versions 2.39 and older may |
|
less through 653 allows OS command execution via a newline character i |
|
Snort2 SSL decryption with known key fails on Chrome v124 and above. |
|
ASA after upgrade to 9.18.4.24 not able to save config with error: "Configuration line too long" |
|
disable stat check for file |
|
Browser redirects to logon page when the user clicks the WebVPN bookmark |
|
ASA Fails to initiate AAA Authentication with IKEv2-EAP and Windows Native VPN Client |
|
Snort2 - SSL decryption failing and some websites not loading on Chrome v124+ |
|
WebVPN connections stuck in CLOSEWAIT state |
|
ASA/FTD may traceback and reload in Thread Name PTHREAD |
|
FPR 21xx - Traceback in Process Name: lina-mps during normal operations |
|
ASA CLI hangs with 'show run' with multiple ssh sessions |
|
ASA/FTD SNMP polling fails due to overlapping networks in snmp-server host-group |
|
nscd: Stack-based buffer overflow in netgroup cache If the Name Servi |
|
nscd: netgroup cache may terminate daemon on memory allocation failure |
|
"set ip next-hop" line deleted from config at reload if IP address is matched to a NAME |
|
Add New Syslog for Routes for NP add/delete |
|
Serviceablity : Improve routing infra debugs and add new for error conditions |
|
Clock skew between FXOS and Lina causes SAML assertion processing failure |
|
FTD is not resolving FQDN for ACLs intermittently |
|
FTD/ASA traceback and reload due to 'show bgp summary' memory leak |
|
command to print the debug menu setting of service worker |
|
Connectivity failure due to mismatch between l2_table and subinterface mac address |
|
High LINA CPU observed due to NetFlow due to 'flow-export delay flow-create' configuration |
|
Traceback and reload on active unit due to HA break operation. |
|
TCP Session Interrupted if Keep-Alive with 1 Byte is Received |
|
SNMP polling of admin context mgmt interface fails to show all interfaces across all contexts |
|
Traceback and reload during FTD upgrade due to FQDN network object NAT |
|
ASA/FTD incorrectly forwards extended community attribute after upgrade. |
|
FTD : Management interface showing down despite being up and operational |
|
Traffic drop with 'rule-transaction-in-progress' after failover with TCM cfgd in multi-ctx mode |
|
State Link Stops Sending Hello Messages Post-Failover Triggered by Snort traceback in FTD HA |
|
FTD doesn't send Type A query after receiving a refuse error from one DNS server in AAAA query. |
|
High Snort3 CPU as encrypted traffic isn't allow listed when TSID enabled |
|
ESP sequence number of 0 being sent after SA establishment/rekey |
|
Add warning message when configuring CCL MTU |
|
Snmpwalk displays incorrect interface speeds for values greater or equal than 10G |
|
Remove SGT frames/packets to allow VTI decryption |
|
Issue with Setting Certain Timezones (e.g. GMT+1) on Cisco ASA Firepower in Appliance Mode |
|
In the Linux kernel, the following vulnerability has been resolved: t |
|
FTD/ASA - VPN traffic flowing through the device may trigger tracebacks and reloads. |
|
ENH: Add application support for blocking consecutive AAA failures on LINA |
|
In the Linux kernel, the following vulnerability has been resolved: n |
|
Requests is a HTTP library. Prior to 2.32.0, when making requests thro |
|
In the Linux kernel, the following vulnerability has been resolved: B |
|
In the Linux kernel, the following vulnerability has been resolved: b |
|
In the Linux kernel, the following vulnerability has been resolved: i |
|
In the Linux kernel, the following vulnerability has been resolved: H |
|
Backup feature does not save/restore DAP configuration in multiple context mode. |
|
ASA/FTD: Substantial increase in the time taken to load configuration |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
Safety Net for Infinite Recursion Crashes due to Bad Stream TCP State in Post-ACK mode |
|
NAT_HARDEN: CGNAT breaks when mapped ifc is configured as any |
|
256/1550 block depletion in process fover_thread |
|
FTD/LINA may traceback and reload when "show capture" command is executed in EEM script |
|
High cpu on "update block depletion" causing BGP flap terminated on FTD |
|
Umbrella registration status is not synced to newly added data nodes |
|
FMC REST API calls to get AC policy data times out, AC policy GUI slowness with larger rule query |
|
Product Upgrades page showing 'Unknown Family 66' for FMC upgrade packages |
|
In the Linux kernel, the following vulnerability has been resolved: i |
|
In the Linux kernel, the following vulnerability has been resolved: i |
|
TLS1.3 Decryption configuration on SSL policy is affecting DND traffic. |
|
Packet-tracer output incorrectly appends 'control-plane' to drops for data-plane access-group |
|
The various Is methods (IsPrivate, IsLoopback, etc) did not work as ex |
|
url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo |
|
GRE traffic getting dropped after failover |
|
Network address API calls taking long time to complete |
|
Vulnerabilities in linux-kernel CVE-2023-52439 |
|
Vulnerabilities in linux-kernel CVE-2023-52435 |
|
21xx: debug log process hangs preventing recovery from stuck writing operations |
|
FTD LINA Traceback and Reload dhcp_daemon Thread |
|
Evaluation of ssp for OpenSSH regreSSHion vulnerability |
|
ASA might traceback and reload due to ssh/client hitting a null pointer while using SCP. |
|
HA-monitored interfaces are going into "waiting" state and subsequently to "Failed" |
|
NTP is not synchronising when using SHA-1 authentication |
|
FXOS upgrade failure due to insufficient free space in /mnt/pss (isan.log consumes most of space) |
|
Split brain issue in HA failover due to which outage happened on customer network |
|
ASA: Site-to-Site VPN between contexts on the same device drops traffic due to 'ipsec-tun-down' |
|
BlastRADIUS vulnerability phase-1 fix for pix-asa - Message Authenticator |
|
The IPv6 implementation in the Linux kernel before 6.3 has a net/ipv6/ |
|
In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause inva |
|
Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vul |
|
null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and |
|
ASA/FTD may traceback and reload in Thread Name SSH |
|
ASA crashing in thread PIX Garbage Collector with inspect-rtsp enabled. |
|
Traffic outage due to 9k block depletion (tcpmod proc) observed on FPR 3100 (HA) |
|
ASA/FTD may traceback and reload in Process Name "lina" after device was reloaded |
|
FTDv50 traceback during normal operation at PTHREAD-8141 spin_lock_fair_mode_enqueue |
|
ASA/FTD may traceback and reload in Thread Name 'strlen' |
|
Radius Authentication test fails due to missing radclient command |
|
FTD: Lina might fail to respond to CONFIG_XML_REQUEST leading to stuck deployments |
|
Large number of stats files can cause events to be delayed |
|
Lina traceback and reload in data-path thread |
|
Unstable HA causing deployment failure |
|
Increased memory usage leading to tracebacks in Lina. |
|
Snort AppID incorrectly identifies SSH traffic as Unknown |
|
Disable cluster syn cookie decoding when FTD cluster is deployed with inline-set |
|
CGroups errors in ASA Syslog during every reboot |
|
Readiness check should be in place for larger undo/ibdata log files |
|
In the Linux kernel, the following vulnerability has been resolved: a |
|
In the Linux kernel, the following vulnerability has been resolved: t |
|
An issue was discovered in the C AMQP client library (aka rabbitmq-c) |
|
FTD CLISH/CLI gets locked up when trying to run any show command |
|
SIP traffic is affected due to unexpected behavior with NAT untranslations. |
|
Wrong drops seen with Invalid length for 23, 24 and 25 IE-Types during GTP inspection |
|
ASA/FTD may traceback and reload in Thread Name 'fover_parse' |
|
HW: 3110 not rebooting after power outage, requiring manual power cycle |
|
FMC GUI has a limitation to display only 50 SSH rules for FTD (Under platform settings >> SSH) |
|
Events or stats are missing after EventHandler logs "Error loading input module" |
|
FMC upgrade results in standby FTDv losing its performance tier in FTD HA |
|
Dynamic Site-to-Site tunnels stuck in IN-NEG state When IKE_AUTH Is Missed |
Resolved Bugs in Version 7.2.8.1
Table last updated: 2024-08-26
Bug ID |
Headline |
---|---|
Address SSP OpenSSH regreSSHion vulnerability |
Resolved Bugs in Version 7.2.8
Table last updated: 2024-06-24
Bug ID |
Headline |
---|---|
ASA/FTD HA pair EIGRP routes getting flushed after failover |
|
High LINA CPU observed due to NetFlow configuration |
|
Threat Defense Upgrade wizard is unable to initiate hotfix installation on FTD clusters |
Resolved Bugs in Version 7.2.7
Table last updated: 2024-04-29
Bug ID |
Headline |
---|---|
FTD Boot Loop with SNMP Enabled after reload/upgrade |
Resolved Bugs in Version 7.2.6
Due to CSCwi63113, Version 7.2.6 was deferred on 2024-04-29 and is no longer available for download. If you downloaded it, do not use it. If you are running this version, upgrade. The bugs listed here are also fixed in Version 7.2.7.
Table last updated: 2024-04-22
Bug ID |
Headline |
---|---|
OGO changing the order of custom object group contents causing an outage at static NAT |
Table last updated: 2024-07-26
Bug ID |
Headline |
---|---|
FTD RA VPN: Rename of IP Address Pool and connection Profile name together causes deployment failure |
|
ASA syslog 113005 does not show the user's IP address |
|
Incorrect validation msg - Invalid value supplied for input parameter : "?" |
|
'test aaa authentication' command shows wrong timeout value |
|
FDM does not deploy 'crypto ikev1 am-disable' when aggressive mode is to be disabled |
|
Cores generated due to expected/graceful shutdown need to be cleaned up |
|
Disable "ca-check" option should be available on FDM |
|
ASA is unable to establish SSL connectivity to servers using Self-signed certificate |
|
Enabling SSO feature with no/wrong configuration restarts auth-daemon process constantly |
|
FMC shows error when editing prefix-list attached to active route-map within BGP protocol |
|
Remove Syslog Messages 852001 and 852002 in Firewall Threat Defense |
|
SNMPv3: Special characters used in FXOS SNMPv3 configuration causes authentication errors |
|
Upgrade to 6.6.1 failed at 800_post/1025_vrf_policy_upgrade.pl |
|
ASA show tech should include recent messages from dpdk.log in the flash |
|
FXOS Major Faults about adapter host and virtual interface being down |
|
Error Loading Data: Couldnt resolve few of the STDACE BBs |
|
FMC does not broadcast administrator user session end for Realms in a non-leaf FMC Domain |
|
Getting Unprocessable URL categories objects when using API call |
|
FMC is pushing SLA monitor commands in an incorrect order causing deployment failure. |
|
Block snmpd process from getting spawned under FTD pmtool |
|
FMC4500/4600 shows virtual license |
|
Post FMC upgrade, event data migration task never ends, and shows no progress |
|
Unable to push extra domains >1024 Character, as part of Custom Attribute under Anyconnect VPN |
|
Primary node disconnected from VPN-Cluster when performed HA failover on Primary with DNS lookup |
|
"SFDataCorrelator:Parser [ERROR] Syntax error" on FTD device |
|
Windows 11 OS is not selectable when creating a DAP record via FMC |
|
LINA time-sync correction |
|
snort3 crashinfo sometimes fails to collect all frames |
|
FMC: LDAP shell login may fail if LDAP server is slow to query the DNS servers for users |
|
FMC: Did not remove unneeded shell external auth users from /etc/passwd |
|
ENH: F1661 More details on failure reason and log location |
|
DBCheck.pl shows warnings for "health_alarm_static.healthmon_module_id" |
|
FMC GUI not displaying correct count of unused network objects |
|
TLS 1.3 connections to sites previously decrypted may fail |
|
The Device Upgrade page might fail to load when device selection has FTD clusters / HA pairs |
|
MFIB RPF failed counter instead of Other drops increments when outgoing interface list is Null |
|
Snort down due to missing lua files because of disabled application detectors (PM side) |
|
FMC | Interface update Failed. Could not find source interface |
|
Unable to configure suppression/threshold for an intrusion rule |
|
Deployment/Tasks button not seen in FMC UI while doing upgrade tests configured in Light theme |
|
Prevention of RSA private key leaks regardless of root cause. |
|
FMC HA status alert "degraded - maintenance" seen periodically after upgrade |
|
Correlation events matching on Intrusion Event Inline Result do not work properly |
|
FTPS getting ssl3_get_record:bad record type during connection for KK and DR rules |
|
HA Serviceability Enh: Adding HA heartbeat module in data-plane |
|
FMC-GUI bypass session timeout while staying in any Event tab if Refresh Interval is enabled |
|
Auth-Daemon process is getting restarted continuously when SSO disabled in HA setup |
|
Cannot save realm configuration unless AD Join Password is empty |
|
Device is not marked as dirty when Store Fewer Events on FMC or data plane logging is enabled in SAL |
|
Identity policy takes a long time to display the available port menu |
|
Error message while editing ACP |
|
Deploy page fails to load if any FTD cluster or HA device state is not proper in DB |
|
ASAv- management interface config from controller Node not replicated to newly joined data Node |
|
UI does not respect session timeout when in real time mode |
|
User/group download may fail if a different realm is changed and saved |
|
25G CU SFPs not working in Brentwood 8x25G netmod |
|
Invalid query seen in MonetDB merovingian.log |
|
Failover trigger due to Inspection engine in other unit has failed due to disk failure |
|
"Inspection Interruption" is seen as YES but snort3 didn't restart |
|
ISE Connection Monitor shows inaccurate alert status |
|
No events for FPR1010 chassis temperature on health monitor |
|
FTD: FTPS Data Channel connection impacted by TLS Server Identity and Discovery Probe sent by FTD |
|
ASAv show crashinfo printing in loop continuously |
|
Active and Standby device details not available in FMC logs during FTD HA break |
|
FTD: Traceback & reload in process name lina |
|
SEC-WEB-CLCKJACK failure on FMC: frame ancestors directive missing |
|
SSL Policy DND default Rule fails on error unsupported cipher suite and SKE error. |
|
Packet-Tracer interfaces not showing up in UI after updating interface name from lower to upper case |
|
SRU installation failure. |
|
FMC not showing any alerts/warnings when deploying changes of prefix list with same seq # |
|
FMC: Script to change hostname/IP on FTDs when FMC's IP/hostname is changed |
|
Periodic sync failures are not reported to users |
|
ASA/FTD: Traceback and reload in Thread Name: appAgent_reply_processor_thread |
|
AWS: SSL decryption failing with Geneve tunnel interface |
|
Stale CPU core health events seen on FMC UI post upgrade to 7.0.0+. |
|
FTD Lina traceback and reload in Thread Name 'IP Init Thread' |
|
FMC UI may become unavailable and show "System processes are starting" message after upgrade |
|
FDM QW/QP: All URL traffic blocked in BAT/BQT test |
|
cdFMC: SFDataCorrelator cores and user to group map not updated on sensor |
|
Saving capture with special characters fails to download - Error Timed out |
|
Lina changes to support - Snort3 traceback in daq-pdts while handling FQDN based traffic |
|
Cisco Firepower Management Center Object Group Access Control List Bypass Vulnerability |
|
FMC External Auth test error "Encryption method is configured but you did not upload a certificate." |
|
Cisco ASA and FTD ICMPv6 Message Processing Denial of Service Vulnerability |
|
Traps are not getting generated in UUT for config change in multicontext |
|
Import/export fails with backend error |
|
FTD Traffic failure due to 9344 block depletion in peer_proxy_tx_q |
|
CCL/CLU filters are not working correctly |
|
FMC should display the status of physical FTD interfaces bundled in port-channel |
|
Microsoft SCEP enrollment fails to get ASA identity cert - Unable to verify PKCS7 |
|
Snort3 stream core found init_tcp_packet_analysis |
|
Standby FMC shows FMC-HA as healthy when Active unit Sybase is down |
|
Disabling NAVL guids from userappid.conf doesn't work |
|
Seeing error on access policies on FMC - "Error during policy validation" |
|
Enhance logging mechanism for syslogs |
|
Traffic fails in Azure ASAv Clustering after "timeout conn" seconds |
|
FMC | Deployment failure in csm_snapshot_error |
|
No Inspect Interruption warning when deploying after FMC upgrade |
|
Clientless VPN users are unable to download large files through the WebVPN portal |
|
Cisco ASA and FTD VPN Web Client Services Client-Side Request Smuggling Vulnerability |
|
ASA/FTD: External IDP SAML authentication fails with Bad Request message |
|
Optimization of Side Bar loading for HealthMon page |
|
ASA/FTD may traceback and reload after a reload with DHCPv6 configured |
|
Need to provide rate-limit on "logging history <mode>" |
|
Unexpected "No Traffic" health alert on Standby HA Data Interface where no data flows |
|
Email alert incorrectly sent for a successful database backup |
|
Internal Error while editing PPPoE configurations |
|
Nodes randomly fail to join cluster due to internal clustering error |
|
Secondary state flips between Ready & Failed when node is rebooted and mgmt interface is shutdown |
|
FMC Unable to fetch VPN troubleshooting logs. |
|
FTD/Lina or ASA traceback and reload related to thread ctm_qat_engine |
|
FMC deployment preview showing full config instead of delta. |
|
Deployment failing - "Error while printing show-xml-response file contents" XML response too big |
|
Support cluster pending_rejoin in virtual platform FTDv |
|
[FTD Multi-Instance][SNMP] - CPU OIDs return incomplete list of associated CPUs |
|
FTD High unmanaged disk usage alert is triggered due to stored files located on /ngfw/Volume/root1/ |
|
Policy deploy failure "error executing /*!40101 SET character_set_client = @saved_cs_client */; *" |
|
Snort mem used alert should be consistent with value from top.log |
|
Add warning to FTD platform settings when VPN Logging Settings logging level is informational |
|
After disabling malware analysis, high disk usage on /dev/shm/snort |
|
[SXP-UserIP Muted Leader]FMC HA Join flushes FW IP_SGT Mapping and restreams in registered sensors. |
|
KP - core.SAMsgThread core created while HA switchover in multicontext |
|
FMC External authentication getting "Internal error" |
|
ASA Traceback & reload citing thread name: asacli/0 |
|
FTD taking longer than expected to form OSPF adjacencies after a failover switchover |
|
Logging class Support for routing |
|
Copying and pasting rules is broken and gives a blank error message in ID policy |
|
FPR 4115- primary unit lost all HA config after ftd HA upgrade |
|
Sybase arbiter is not up on FMC HA |
|
Occasional failure to load light-modal-ac-rule-xx.css with a net::ERR_TOO_MANY_RETRIES error |
|
Traffic drops with huge rule evaluation on snort |
|
dvti memory leak on mp_counter_alloc |
|
FTD: The upgrade was unsuccessful because the httpd process was not running |
|
DBCheck error is unclear when monetdb is in a 'crashed' state |
|
The interface is deleted from interface group if the user changes its name [API] |
|
stream_tcp PDUs do not capture VLAN ID |
|
Host cache logs flooding the box |
|
FTD may not reboot as expected post upgrade if bundled FXOS version is the same on old and new version |
|
Error thrown on AC Rule creation/update and save after index creation |
|
Remove the 30-character limit on the rule name when a rule is moved from ACP to Prefilter |
|
Need to Warn the users before triggering a full deployment on FTD managed by FDM |
|
Frequent errors seen regarding failures to load bulkcsv files that don't exist |
|
FTD: CLISH slowness due to command execution locking LINA prompt |
|
FDM: Cannot create multiple RA-VPN profiles with different SAML servers that have the same SAML IDP |
|
Generate password does not meet requirements while in CC mode |
|
Not able to remove group policy from RAVPN via REST API |
|
Unable to process query error on events; FMC UI; monetdb maximum connections reached |
|
NGIPSv syslog-tls.conf.tt needs filters removed when in CC mode |
|
The user belonging to a subdomain is unable to collect packet tracer |
|
Protocol Down with lower CPU instances on ESXi 8 for ASAv and FTDv |
|
Logging gets disabled if SSL rules are reordered |
|
BGP IPv6 configuration : route-map association with neighbour not getting deployed |
|
FMC: Incorrect FTD cluster role status leading to inability to upgrade FTD |
|
Memory leak observed on ASA/FTD when logging history is enabled |
|
FMC EIGRP 'For input string: "route-map"' error when configuring EIGRP post 7.2 upgrade |
|
FMC Connection Events page "Error: Unable to process this query. Please contact support." |
|
Readiness Check Failed [ERROR] Fatal error: Enterprise Object integrity check failed with errors |
|
/var/sf/QueryPoolData fills up with warehouse directories |
|
DAP policy created in FMC Gui, to detect a Windows OS with a hotfix, will not work as expected |
|
Create Identity Services Engine via API returns 404 Client Error: Not Found |
|
FTD 2100 -Update daq-ioq mempool to help protect against buffer corruption |
|
Unable to delete custom anyconnect attribute --dynamic-split-tunnel from group-policy |
|
FSIC DB includes Python byte-code files and can result in health alert and system integrity failure. |
|
Post backup restore multiple processes are not up. No errors are observed during backup or restore. |
|
Cluster hardening fixes |
|
SSO user gets logged in to FMC UI if valid local user credentials are pre-populated in the browser |
|
Snort3 out of memory and process exits unexpectedly due to memory not released by flows |
|
FTD HA app-sync failure, due to corruption in cache files. |
|
FMC should push the AnyConnect Custom attribute defer keyword as lowercase instead of capitalized |
|
Validation check on FMC GUI causes issues and throws an error when adding new NAT objects |
|
IN clause does not work for externalization queries after upgrading to 7.0.x |
|
Requests from intelligence page fail after RMQ was stopped for some time |
|
FTD LINA traceback and reload in Datapath thread after adding Static Routing |
|
CD App Sync error is App Config Apply Failed on Secondary/Standby after backup restore on RMA device |
|
[FMC model migration] Health monitoring on FMC reporting errors |
|
Cannot Force Break FTD HA Pair |
|
ndclientd error message 'Local Disk is full' needs to provide mount details which is full |
|
Network Discovery: Performance issues caused by the use of 'any' network object in the rules |
|
User Group Download fetches less data than available or fails with "Size limit exceeded" error |
|
LDAP External auth config fails to deploy to FTD if same LDAP server is added as Primary and backup |
|
FMC device search page removes FTDs from their groups and puts them back in ungrouped |
|
Intrusion Event Information under statistics tab is empty |
|
ac-policy rule section showing non-existing index page in old ac-policy UI |
|
Move app-agent logging to an asynchronous logging mechanism (same as SNMP). |
|
FXOS needs to provide a command that will display the total power on hours of chassis/blade |
|
FMC does not allow creating more than 30 VLAN interfaces |
|
[Azure FMCv] Deployment with SSH key option is not adding the keys correctly. |
|
FTD: 10Gbps/full interfaces changed to 1Gbps/Auto after upgrade and going to down state |
|
Change color codes to represent processes in 'Waiting' state |
|
FMC system restore authentication error during FMC re-image when using FTP/SCP protocol |
|
Email alert for scheduled activity is not working after upgrading to 7.2 |
|
Apache Commons FileUpload before 1.5 does not limit the number of reques |
|
In Apache MINA, a specifically crafted, malformed HTTP request may cause |
|
An issue in protobuf-java allowed the interleaving of com.google.protobu |
|
In Apache MINA, a specifically crafted, malformed HTTP request may cause |
|
ASA/FTD: Traceback and reload due to high rate of SCTP traffic |
|
Script to trigger HA when RSS memory threshold exceeds configurable threshold |
|
FMC UI response is very slow: Add health module monitoring FMC ntpd server(s) accessibility |
|
"Failed to convert snort 2 custom rules. Refer /var/sf/htdocs/ips/snort.rej for more details." |
|
FTD readiness and upgrade passed with exception log "'ProgressReport' has no attribute 'KB_UNIT'" |
|
FMC UI stuck after completing compatibility check |
|
FTS under AC Policy Listing page with 'obj' gives Error Moving Data error with CTS DB |
|
vFMC300 to FMC2600 migration failure with error "migration from R to N is not allowed" |
|
External Auth on FMC may throw err "Can't use string ("") as a HASH ref while "strict refs" in use" |
|
Unable to Access FMC GUI when using Certificate Authentication |
|
Local rules are not seen in the UI after converting from Snort2 to Snort3 in 7.2.4-82 FMC |
|
Elephant flow detection disabled on FMC, getting enabled on FTD after random deployment |
|
Database backup failed on KVM FMC |
|
Improve serviceability to handle TLS 1.3-only flows when TLS 1.3 decryption is not enabled |
|
Correlation events based on connection events do not contain Security Intelligence Category content |
|
Phase 2 NAP delay seen in 7.0.1 while deploying policy |
|
FTD returns no output of "show elephant-flow status" when efd.lua file's content is empty |
|
KP - multimode: ASA traceback observed during HA node break and rejoin. |
|
FP1140 7.0.4 Deployment keeps failing with error "Can't use an undefined value as a HASH reference" |
|
Threat-detection does not recognize exception objects with a prefix in IPv6 |
|
Need to turn off default TLS 1.1 (deprecated) support for the FDM GUI |
|
ASA not updating Timezone despite taking commands |
|
Umbrella DNS Negate of Bypass Domain Field is not generated from FMC |
|
Cisco ASA & FTD SAML Authentication Bypass Vulnerability |
|
SecureX page in FMC GUI blank after FMC upgrade |
|
Cross launching packet tracer from Unified Events page |
|
ASA/FTD Cluster: Change "cluster replication delay" with max value increase from 15 to 50 sec |
|
ASAConfig restarts leak 16K of memory on every restart, leading to ZMQ Out Of Memory. |
|
AC policy deploy failing on 7.2.4 FMC to 6.7 FTD |
|
Selective policy deploy with Identity Policy (captive-portal) and SSL Policy (dp-tcp-proxy) CLI |
|
Getting an error while saving report template |
|
Found Orphaned SFTop10Cacher processes |
|
RRD files cannot be updated if the timestamp is ahead of time as a result of a system clock drift |
|
CSM backup failed within FMC backup due to modification of file while tar was reading it |
|
EventHandler occasional corrupt bundle record - SFDataCorrelator logs "Error deserializing" |
|
sfhassd process is not running after Revert from 7.4.0-1755 to 7.3.0-69 |
|
ActionQueue task sandbox data update throws SQL Error post 7.2.4 upgrade |
|
reload-threshold should not be an option under show memory |
|
Recovery from RMU failures due to control link going to bad state |
|
New CLI to configure clu_update/keepalive interval |
|
FP1000:Update LINA asa.log files to avoid recursive messages-<date>.1.gz rotated filenames |
|
7.2.4-129 - GCP cluster - health check failures |
|
Health Monitoring exports negative snort swap memory metric value |
|
Readiness check needs to be allowed to run without pausing FMC HA |
|
SSE does not update relevant information after first discovery of an asset. |
|
LSP version not updated to latest in LINA Prompt in SSP_CLUSTER with 7.2.4 build. |
|
FMC Restore of remote backup fails due to no space left on the device |
|
Misleading trace log about state transition |
|
Snort3 is not closing the pcap file handle and disk is getting full |
|
"Security Intelligence feed download failed" displayed even though it succeeded |
|
TPK 3110 - Firmware version MISMATCH after upgrade to 7.2.4-144 |
|
Unable to load intrusion policy page on FMC GUI |
|
Deployments can cause certain RAVPN users mapping to get removed. |
|
Snort down due to missing lua files because of disabled application detectors (VDB side) |
|
FTD container restored from backup fails to register to FMC due to Peer send bad hash error |
|
HA Sync Failed health alert generated for both FMC units in HA pair - HA subsequently recovered |
|
Very specific "vpn-idle-timeout" values cause continuous SSL session disconnects and reconnects |
|
xml2js version 0.4.23 allows an external attacker to edit or add new pro |
|
HA Serviceability Enh: Maintain HA NLP client stats and HA CTL NLP counters for current App-sync |
|
ASA accepts replayed SAML assertions for RA VPN authentication |
|
Firepower hotfixes should not be allowed to install when already installed previously |
|
Changes to lamplighter logs written to /var/log/tid_process.log |
|
Unable to edit name or inspection mode of intrusion policy |
|
Secondary FMC should allow edit of FTD IP/hostname details under device tab |
|
admin user should be excluded from CLI shell access filter |
|
No logrotate and max size is configured for Health.log file |
|
DBCheck shouldn't run against MonetDB if user is collecting config backup alone |
|
Security zones are not showing in AC policy UI |
|
FTD HA Creation fails resulting in devices showing up in an inconsistent state on the FMC |
|
Network Object Group overrides cannot be viewed or edited from FMC GUI |
|
Not able to add files with file names that contain '\u' to clean list from Malware Summary page |
|
Upgrade readiness check shows failed in GUI for all sensors due to sensor display name characters. |
|
Unable to change admin user password after FMC migration if it had LOM access |
|
FMC backup management page showing "Verifying Backup" for FTD sensors. |
|
FMC - Import SSL Certificate Pinning from a CSV file may result in a failure to deploy policy on FTD |
|
Device list takes longer to load while creating new AC policy |
|
High Disk Utilization and Performance issue due to large MariaDB Undo Logs |
|
FMC backup restore page takes around 5 mins to load when remote storage is unreachable |
|
User is not informed of the dependent IPS when policy import fails. |
|
SSE disconnect breaks cloud lookups after restoration. |
|
Snort3 crash found during cleaning up a CHP object |
|
Add CIMC reset as auto-recovery for CIMC IPMI hung issues |
|
Standby FMC SSH connection getting disconnected frequently. |
|
[IMS_7_4_0] - Virtual FDM Upgrade fails: HA configStatus='OUT_OF_SYNC after UpgradeOnStandby |
|
Reordering columns in report designer is glitchy when using Atomic |
|
Log flooding in trace file, fo_chk_peer_down_ifcs |
|
SFTunnel Fails to Properly Establish due to running_config.conf file misconfiguration |
|
SGT troubleshooting: ability to correlate SGT to IP address |
|
Cisco Adaptive Security Appliance Software and Firepower Threat Defense DoS |
|
FMC should handle error appropriately when ISE reports error during SXP download |
|
FXOS/SSP: System should provide better visibility of DIMM Correctable error events |
|
Drop rule is not being removed when snmp unification on blade is removed. |
|
Third heartbeat packet is not sent before declaring the application health failure |
|
ASA/FTD: Traceback and reload with Thread Name 'PTHREAD' |
|
access-list: Cannot mix different types of access lists. |
|
Change in syslog message ASA-3-202010 |
|
ASAv - High latency is experienced on Azure environment for ICMP ping packets while running snmpwalk |
|
FTD: High-Availability unit stuck at CD App Sync error due to ngfwManager restart error on peer |
|
Wyoming/SFCN ASA: Wrong DRBG values shown in 'show crypto ssl objects' CLI |
|
REST API [PUT]: PC called without h/w config, existing h/w config is set to null in the DB |
|
WINSCP and SFTP detectors do not work as expected |
|
ASA/FTD client IP missing from TACACS+ request in SSH authentication |
|
Improper load-balancing for traffic on ERSPAN interfaces on FPR 3100/4200 |
|
S2S dashboard SVTI tunnel details are missing after upgrade |
|
diskmanager silo covering /var/sf/htdocs/img/dashboard/no-cache/ needs much lower hwm and lwm |
|
NMAP Remediation scan tasks remain in pending state in action queue table, does not clear out |
|
Support request: ECMP + NAT for IPsec sessions on Firepower. |
|
Traceback and reload on Thread DATAPATH-6-21369 and linked to generation of syslog message ID 202010 |
|
Snort3 matches SMTP_RESPONSE_OVERFLOW (IPS rule 124:3) when SMTPS hosts exchange certificates |
|
MariaDB Process in FMC should use jemalloc instead of glibc |
|
SecureX SSE integration needs updated instructions |
|
Cannot unregister FTD from Cisco Cloud in FDM if already unregistered/unenrolled from cloud side |
|
Show dns ip-cache has old bids after switching snort versions, which affects path-monitoring output. |
|
ASA SNMP polling not working and showing "Unable to honour this request now" on show commands |
|
[Enhancement] Number of config archives should be configurable from UI |
|
serviceability improvement for CSCwe28912 where HA state in failed state. |
|
Unable to delete custom rule group even when excluded from all the ips policies |
|
FMC config archives retention reverts to default if ca_purge tool was used prior to 7.2.4 upgrade |
|
ca_purge tool needs to restart Tomcat |
|
Reconcile FMC state: FMC Upgrade needs to create upgrade status file to support FTD Upgrade guards. |
|
TelemetryApp process keeps exiting every minute after upgrading the FMC |
|
FXOS Traceback and reload caused by leak on MTS buffer queue |
|
FXOS raises a fault for administratively disabled management interface |
|
FTD/Lina - ZMQ OUT OF MEMORY issue due to insufficient Msglyr pool memory on certain platforms |
|
FTD: HA App sync failure due to fover interface flap on standby unit |
|
FMC needs to properly validate QoS policy rules before allowing deployment to FTD |
|
Cisco ASA/FTD Firepower 2100 SSL/TLS Denial of Service Vulnerability |
|
FTD Diskmanager.log is corrupt causing hm_du module to alert false high disk usage |
|
FTD snmpd process traceback and restart |
|
FTD taking longer than expected to form OSPF adjacencies after a failover switchover |
|
Units get kicked out of the cluster randomly due to HB miss | ASA 9.16.3.220 |
|
Unable to list the interfaces under the device exclude policy |
|
The exclude policy to exclude interface status will be removed on FMC after a while |
|
Selecting "All interfaces" under FTD exclude policy for interface status module doesn't work |
|
[IMS_7_4_0] FTD revert fails "The management state validation cannot be done, Cannot revert" |
|
FMC takes a long time to save override objects even if they are not modified |
|
vFMC: Scheduled deployment failing |
|
Correlation events for Connection Tracker <, <=, = or != rules show data for unrelated connections |
|
Transfer Packets option changes to NO automatically when the device name is changed in device management |
|
FMC not generating FTD S2S VPN alerts when down or idle |
|
Dumping of last 20 rmu request response packets failed |
|
Health alert for significant difference of record numbers received with bulk download |
|
ASA removes the IKEv2 Remote PSK if the Key String ends with a backslash "\" after reload |
|
Duplicate FTD cluster has been created when multiple cluster events come at the same time |
|
Azure FTDv, managed locally by FDM, goes in boot cycle/reload loop after the first deployment |
|
After HA break, selected list shows both devices when 1 device is selected for upgrade |
|
Critical Alert Smart Agent is not registered with Smart Licensing Cloud |
|
Unable to configure and deploy IPv6 DNS server for RAVPN in FMC 7.2.4 |
|
When communications are disabled for FTD from FMC UI backend shows connection is staying enabled. |
|
Excessive logging of ssp-multi-instance-mode messages to /opt/cisco/platform/logs/messages |
|
Editing identity nat rule disables "perform route lookup" silently |
|
SI Feeds get downloaded despite the feed updates being user disabled |
|
Disable TLS 1.1 permanently for sftunnel communication |
|
FMC displays VPN status as unknown even if the status is up if one of the peer is extranet |
|
Decrypting engine/ssl connections hang with PKI Interface Error seen |
|
FMC GUI | ACP page gets blank and hang while doing search in rules and moving to last pages |
|
WM RM - SFP port status of 9 follows port of state of SFP 10|11|12 |
|
When state-link is flapped HA state changed from Standby-ready to Bulk-sync without failover reason |
|
Switch ports in trunk mode may not pass vlan traffic after power loss or reboot |
|
ASA: ISA3000 does not respond to entPhySensorValue OID SNMP polls |
|
import of .SFO to FMC failed due to included local/custom rules having a blank rule message field |
|
Adi: Log specific host FQDN used for bulk download and websocket connections |
|
ENH: FMC, Disable 'create client' under eStreamer tab in the GUI when it is running in UCAPL mode |
|
Cisco Firepower Management Center Software SQL Injection Vulnerability |
|
Deployment blocked due to port object with IP range max limit 131838 in NAT64 |
|
ASA|FTD: Traceback & reload due to a free buffer corruption |
|
FTD Lina traceback Thread Name: DATAPATH due to memory corruption |
|
"failover standby config-lock" config is lost after both HA units are reloaded simultaneously |
|
FPR1k Switchport passing CDP traffic |
|
snort minidumps no longer managed by diskmanager after moving to var/common |
|
Management UI presents self-signed cert rather than custom CA signed one after upgrade |
|
In Multi-manager scenario,cdFMC&Analytics FMC,FTD should only receive identity feeds from Config FMC |
|
Traceback @<capture_file_show+605 at ../infrastructure/capture/capture_file_finesse.c:282> |
|
Port-channel interface speed changes from 10G to 1G after a policy deployment |
|
Snort crash in active response |
|
ASA/FTD HA checkheaps crash where memory buffers are corrupted |
|
ASA omits port in host field of HTTP header of OCSP request if non-default port begins with 80 |
|
Interface speed mismatch in SNMP response using OID .1.3.6.1.2.1.2.2 |
|
Upgrade from 7.2.x to 7.2.5 may fail if there is null value observed in speed/duplex in interface |
|
FMC GUI Not Saving Interface Settings |
|
FMC HA - Health Policy - Applied count shows "0" appliance |
|
ASA traceback on Lina process with FREEB and VPN functions |
|
FTDv/AWS - NTP clock offset between Lina and FTD cluster |
|
FPR1010 in HA failed to send or receive to GARP/ARP with error "edsa_rcv: out_drop" |
|
core-compressor fails due to core filename with white space |
|
EOStore failed error is output after deleting shared rule layer. |
|
PSEQ (Power-Sequencer) firmware - remove device-id check |
|
Encrypted Visibility Engine (EVE) dashboard tab and widgets not added to FMC GUI upon upgrade |
|
Encrypted Visibility Engine (EVE) FMC dashboard tab and widgets not renamed after 7.1 > 7.2+ upgrade |
|
ASA/FTD may traceback and reload when changing capture buffer size |
|
Lina CiscoSSL upgrade to 1.1.1v and FOM 7.3a |
|
External authentication fails if the object name contains space characters |
|
FTD 7.0.4 cluster drops Oracle's sqlnet packets due to tcp-not-syn |
|
Incorrect Hit count statistics on ASA Cluster only for Cluster-wide output |
|
SNMP is not working on the primary active ASA unit in multi-context environment |
|
Lack of validation of string length creating object/category names using API |
|
Site-to-Site VPN tunnel status on FMC shows down even though it is UP from FTD side |
|
Include "show env tech" in FXOS FPRM troubleshoot |
|
ASA/FTD Cluster: Reuse of TCP Randomized Sequence number on two different conns with same 5 tuple |
|
FTD - Issue with the LSP package code during deploy rollback. |
|
ASA traceback when re-configuring access-list |
|
Upgrade FxOS CiscoSSL to version 1.1.1v and FOM 7.3a |
|
LILO validation during Readiness Check missing |
|
sfdatacorrelator crashing due to table corruption 'rua_event_xxxxx' |
|
Stale manager presence on FTD after failed registration to cdFMC, causes new registration to fail. |
|
FXOS: Remove enforcement of blades going into degraded state after multiple DIMM correctable errors |
|
FXOS: Alperton 100G NetMod not being acknowledged properly |
|
FMC upgrade stuck at 1039_fmc_rabbitmq_enable |
|
Frequent drain of events (not unprocessed events) to be removed from FMC |
|
FMC userrole missing permissions may cause Tomcat to continuously restart after upgrade to 7.2.4 |
|
Negotiation to Cold Standby taking 30mins on TPK with 900 sub-interfaces |
|
While editing AC-policy rules, the rule order number becomes misaligned. |
|
dl_task.pl tasks keep getting created every hour when a database query is blocked |
|
Firewall Blocking packets after failover due to IP <-> SGT mappings |
|
Unable to save intrusion policy after upgrade to 7.x as the name exceeds 40 characters |
|
Rule update filter in Intrusion policy shows inconsistent results |
|
ASA/FTD: 1 Second failover delay for each NLP NAT rule |
|
Ping to the configured systemIP on management interface getting failed in cluster setup. |
|
FTD - Traceback and reload due to nat rule removed by CPU core |
|
Enhancement for Lina copy operation for startup-config to backup-config.cfg in HA |
|
Number of files lina-io starts limited to 8 because of which fover log files are missing on HA pair |
|
Removal of msie-proxy commands during flexconfig rollback |
|
FMC7.2.x EIGRP flexconfig migration fails with internal error due to interface config mismatch |
|
FMC Restore is stuck in vault clear stage after mysql restore completed |
|
Occasionally External auth may not work after HA failover to Active |
|
FTD hosted on KP incorrectly dropping decoded ESP packets if pre-filter action is analyze |
|
Snort busy drops for HTTPS traffic through VPN with less traffic - 2K depletion |
|
Cisco_Firepower_GEODB_FMC_Update* are not included in diskmanager |
|
Some Syslog IDs cannot be configured on Platform Settings. |
|
FTD Block 9344 leak due to fragmented GRE traffic over inline-set interface inner-flow processing |
|
FTD/ASA traceback and reload may occur when ssl packet debugs are enabled |
|
ENH - Exempt TSID probe from going through EVE inspection |
|
Configuration archive creation failing and causing deployment preview to throw error |
|
ASA/FTD may traceback and reload in Thread Name 'dns_cache_timer' |
|
Extended Access List Object does not allow IP range configuration |
|
ASA allows same BGP Dynamic routing process for Physical Data and management-only interfaces |
|
FTD: Failover/High Availability disabled with Mate version 0.0 is not compatible |
|
"show aaa-server" command always shows the Average round trip time 0ms. |
|
Some TLS1.3 probes test site cases fail due to rst+ack not sent out of FTD during timeout |
|
FMC SSO timesout when user session is active for more than 1 hr (idle timeout) |
|
Initiator Country and Continent missing on Custom View on Event viewer |
|
ASA:Management access via IPSec tunnel is NOT working |
|
ASA: unexpected logs for initiating inbound connection for DNS query response |
|
The FMC is showing "The password encryption key has not been set" alert for a 11xx/21xx/31xx device |
|
FXOS: svc_sam_dcosAG process getting crashed repeatedly on FirePower 4100 |
|
FMC 4600 v7.2.4 EVE dashboard widget showing corrupt data |
|
ASA: Traceback and reload during 6 nodes cluster synchronization after CCL link failure/recovery |
|
Improve CPU utilization in ssl inspection for supported signature algorithm handling |
|
ASA does not send 'warmstart' snmp trap |
|
FMC Deployment failed due to internal errors after upgrade |
|
ASA/FTD traceback and reload with IPSec VPN, possibly involving upgrade |
|
SNORT3 - FTD - TSID high cpu, daq polling when ssl enabled is not pulling enough packets |
|
Source NAT Rule performing incorrect translation due to interface overload |
|
LINA would randomly generate a traceback and reload on FPR-1K |
|
ASA/FTD may traceback and reload in Thread Name 'lina' while processing DAP data |
|
Fragmented UDP packet via MPLS tunnel reassemble fail |
|
FTD traceback and reload within TLS tracker for TLS 1.3 SSL decryption |
|
FTD - Captive portal enabled is still running despite the feature is off |
|
FTD Upgrade from 6.6.5 to 7.2.5 removing OGS causing rule expansion on boot |
|
FTD SNMPv3 host configuration gets deleted from IPTABLES after adding host-group configuration |
|
FDM should provide a way to disable WebVPN portal on FTD |
|
LINA show tech-support fails to generate as part of sf_troubleshoot.pl (Troubleshoot file) |
|
ASDM can not see log timestamp after enable logging timestamp on cli |
|
Configuring and unconfiguring "match ip address test" may lead to traceback |
|
FTD: Traceback and Reload in Process Name: lina |
|
Diskmanager process terminated unexpectedly |
|
ASA: Traceback and reload when restore configuration using CLI |
|
FTD - Incorrect High SNORT memory utilization display with TLS server identity |
|
Timestamp entry missing for some syslog messages sent to syslog server |
|
Community string sent from router is not matching ASA |
|
Secondary lost failover communication on Inside, using IPv6, but next testing of Inside passes |
|
ASA|FTD: Traceback & reload in thread Name: update_mem_reference |
|
Coverity 886745: OVERRUN in verify_generic_signature |
|
ASA traceback under match_partial_keyword during CPU profiling |
|
Error while saving RAVPN with LDAP attribute map containing entry without cisco attr mapping name |
|
Snort3 dropping IP protocol 51 |
|
Upgrade from FMC 7.2.4.1 to 7.2.5 failed at 600_schema/000_install_fmc.sh |
|
XTLS: With TSID AC-Policy configured plugin is not disengaging immediately at CH |
|
Unexpected high values for DAQ outstanding counter |
|
FMC does not save changes made on access list. |
|
ASA: Traceback and reload when executing the command "show nat pool detail" on a cluster setup |
|
Snort generating an excessive number of snort-unified log files with zero bytes |
|
S3_Core: crashinfo: increase buffer space to print longer function names |
|
ASA/FTD: Traceback and reload on thread name CP Crypto Result Processing |
|
In FPR4200/FPR3100 cluster, core file "core.lina" observed on device reboot. |
|
Snort is getting reloaded during deploy due to diff in timerange and nap conf contents in each run |
|
FMC plain-text passwords for radius server and certificate passphrase |
|
unused interface object ids may be present in zone configuration after FTD reregistration |
|
FTD unregisters the standby FMC immediately after a successful registration |
|
FDM Upgrade failure due to expired certificates. |
|
FTD: Traceback in threadname cli_xml_request_process |
|
File copy via SCP using ciscossh stack fails with error "no such file or directory" |
|
Last Rule hit shows a hex value ahead of current time in ASA and ASDM |
|
Unexpected traceback on thread name Lina and device experienced reboot |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
syslog not generated "ASA-3-202010: NAT pool exhausted" while passing traffic from iLinux to oLinux |
|
FTD VMWare tracebacks at PTHREAD-3587 |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
Connection drops during file transfers due to HeartBeat failures |
|
FTD sends multiple replicated NetFlow records for the same flow event |
|
SNMP Unresponsive when snmp-server host specified |
|
Cross ifc access: Revert PING to old non-cross ifc behavior |
|
Certificate Encoding Issue when using AnyConnect cert Authentication/Authorisation |
|
SFDataCorrelator logs "Killing MySQL connection" every minute, causing performance problems |
|
FMC backup fails with "Registration Blocking" failure caused by DCCSM issues |
|
FTD OSPFV3 IPV6 Routing: FTD is sending unsupported extended LSA request to neighbor routers |
|
ASA cluster traceback Thread Name: DATAPATH-8-17824 |
|
Hardware bypass not working as expected in FP3140 |
|
Node kicked out of cluster while enabling or disabling rule profiling |
|
ASA/FTD - may traceback and reload in Thread Name 'Unicorn Proxy Thread' |
|
ASA traceback and reload during ACL configuration modification |
|
CCM Seq 58 - LTS18 |
|
Firewall traceback and reload due to SSH thread |
|
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-13-6022' |
|
FTD/ASA may traceback and reload in PKI, syslog, during upgrade |
|
VPN load-balancing cluster encryption using Phase 2 deprecated ciphers |
|
ASA/FTD high memory usage due to SNMP caused by RAVPN OID polling |
|
FTD may traceback in data-path during deployment when enabling TAP mode |
|
FailSafe admin password is not properly sync'd with system context enable pw |
|
ASA: The logical device may boot into failsafe mode because of a large configuration. |
|
Standby manager addition is failed on Primary FMC due to previous entries in table |
|
Stale HA transactions need to be moved to failed and subsequent HA transaction needs to be created |
|
Device/port-channel goes down with a core generated for portmanager |
|
ASA dropping IPSEC traffic incorrectly when "ip verify reverse-path" is configured |
|
ASA : Modifying a route-map in one context affects other contexts |
|
ASA SNMP OID cpmCPUTotalPhysicalIndex returning zero values instead of CPU index values |
|
Stale asp entry for TCP 443 remains on standby after changing default port |
|
FTD: Update WM firmware to 1023.0207 |
|
Snort Crash during selection of signature algorithm ECDSA |
|
Cisco FXOS Software Link Layer Discovery Protocol Denial of Service Vulnerability |
|
OSPF Redistribution route-map with prefix-list not working after upgrade |
|
PSU fan shows critical in show environment output while operating normally |
|
ASA/FTD: SSL VPN Second Factor Fields Disappear |
|
Username-from-certificate secondary attribute is not extracted if the first attribute is missing |
|
ASA: Snmpwalk shows "No Such Instance" for the OID ceSensorExtThresholdValue |
|
Unable to SSH into FTD device using External authentication with Radius |
|
tls website decryption breaks with ERR_HTTP2_PROTOCOL_ERROR |
|
FTD Upgrade logs should contain the certificate name or files |
|
TLS1.3: core decode points to tls_trk_try_switch_to_bypass_aux() |
|
ASA/FTD traceback and reload due to file descriptor limit being exceeded |
|
Policy Apply failed moving from FDM to FMC |
|
FTD HA Failure after SNORT crash. |
|
ASA/FTD: Traceback and reload when running show tech and under High Memory utilization condition |
|
Radius traffic not passing after ASA upgrade to 9.18.2 and later versions. |
|
installing GeoDB country code package update to FMC does not automatically push updates to FTDs |
|
ASA/FTD may traceback and reload in Thread Name IKEv2 Daemon |
|
GTP inspection dropping packets with IE 152 due to header length being invalid for IE type 152 |
|
Snort3 traceback with fqdn traffics |
|
ASA/FTD: Cluster incorrectly generating syslog 202010 for invalid packets destined to PAT IP |
|
FTD drops double tagged BPDUs. |
|
FTDv may traceback and reload in Thread Name 'PTHREAD-3744' when changing interface status |
|
Standalone FTD running 7.2.2 on FPR-4112 experienced a traceback on the SNMP module |
|
Service object-group protocol type mismatch error seen while access-list referencing already |
|
Unable to sync more than 100 environment-data with data unit |
|
Interface fragment queue may get stuck at 2/3 of fragment database size |
|
Multiple lina cores on 7.2.6 KP2110 managed by cdFMC |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
The SSH transport protocol with certain OpenSSH extensions, found in ... (CVE-2023-48795) |
|
Default Umbrella DNS Policy returns an error after upgrade to FMC 7.2.5.1 |
|
Lina traceback on RAVPN connection after enabling webvpn debug |
|
Devices might change status to "missing the upgrade package" after Readiness Check is initiated |
|
Product Upgrades page: Download action creates a lot of "uninitialized value" error messages in log |
|
Download failed for Available Upgrade Packages |
|
Memory exhaustion due to absence of freeing up mechanism for tmatch |
|
FP2100/FP1000: ASA Smart licenses lost after reload |
|
Incorrect Timezone Format on FTD When Configured via FXOS |
|
CCM ID 63 - LTS18 |
|
SFData correlator keep terminating on FTDs configured for IDS |
|
Cisco ASA and FTD Software Command Injection Vulnerability |
|
FTD: Hostname Missing from Syslog Message |
|
Cisco ASA and FTD Software Persistent Local Code Execution Vulnerability |
|
Backup generation on FDM fails with the error "Unable to backup Legacy data." |
|
Cisco ASA and FTD Software Web Services Denial of Service Vulnerability |
|
Issues with FMC Deployment preview (Advanced Preview) |
|
Snort 3 Traceback on AppIdSessionApi |
|
DOC: Need to show up 10 slots rather than 6 for the HDD for FMC4600/FMC4700 |
|
DOC: Clarify FTD revert vs uninstall, and provide examples |
Resolved Bugs in Version 7.2.5.2
Table last updated: 2024-05-06
Bug ID |
Headline |
---|---|
FTD may not reboot as expected post upgrade if bundled FXOS version is the same on old and new version |
|
Cisco ASA and FTD Software Command Injection Vulnerability |
|
Cisco ASA and FTD Software Persistent Local Code Execution Vulnerability |
|
Cisco ASA and FTD Software Web Services Denial of Service Vulnerability |
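When deciding whether a patch is worth scheduling, the first question is usually "which of these resolved bugs are security fixes?". The following is an added example, not Cisco's code, that parses the resolved-bug tables in the flattened layout used on this page (a "Resolved Bugs in Version X" heading, a "Table last updated" line, the "Bug ID | / Headline | / ---|---|" header, then one headline per row ending in " |", with the stripped Bug ID cell left as a bare "|"). It then pulls out the headlines that name a Vulnerability or a CVE. The sample text is constructed from a few rows of the 7.2.5.2 and 7.2.5.1 tables above; because the Bug ID column is empty on this page, the script keys on headlines only and makes no assumption about the IDs.

```python
import re
from collections import OrderedDict

# Constructed sample in the page's flattened table format (rows copied from the
# 7.2.5.2 and 7.2.5.1 tables above; the bare "|" line is the stripped Bug ID cell).
SAMPLE = """Resolved Bugs in Version 7.2.5.2
Table last updated: 2024-05-06
Bug ID |
Headline |
---|---|
FTD may not reboot as expected post upgrade if bundled FXOS version is the same on old and new version |
|
Cisco ASA and FTD Software Command Injection Vulnerability |
|
Cisco ASA and FTD Software Web Services Denial of Service Vulnerability |
Resolved Bugs in Version 7.2.5.1
Table last updated: 2024-05-22
Bug ID |
Headline |
---|---|
ASA Evaluation of OpenSSL vulnerability CVE-2022-4450 |
|
Cisco Firepower Management Center Object Group Access Control List Bypass Vulnerability |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
"""

VERSION_RE = re.compile(r"^Resolved Bugs in Version (\S+)$")
# Header and empty-cell lines that carry no headline.
SKIP_LINES = {"Bug ID |", "Headline |", "---|---|", "|"}
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# Security-relevant headlines on this page either say "Vulnerability" or cite a CVE.
SECURITY_RE = re.compile(r"\bVulnerability\b|" + CVE_RE.pattern, re.IGNORECASE)


def parse_resolved_bugs(text):
    """Map each version heading to the list of resolved-bug headlines beneath it."""
    tables = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = VERSION_RE.match(line)
        if m:
            current = m.group(1)
            tables[current] = []
            continue
        if current is None or line in SKIP_LINES or line.startswith("Table last updated:"):
            continue
        if line.endswith("|"):
            # Drop the trailing column separator; the Bug ID cell is not on this page.
            tables[current].append(line[:-1].rstrip())
    return tables


def security_fixes(tables):
    """Per version, the headlines that name a vulnerability or CVE, with any CVE ids extracted."""
    out = OrderedDict()
    for version, headlines in tables.items():
        out[version] = [
            (headline, CVE_RE.findall(headline))
            for headline in headlines
            if SECURITY_RE.search(headline)
        ]
    return out


if __name__ == "__main__":
    for version, hits in security_fixes(parse_resolved_bugs(SAMPLE)).items():
        print(f"{version}: {len(hits)} security fix(es)")
        for headline, cves in hits:
            print(f"  - {headline}" + (f"  [{', '.join(cves)}]" if cves else ""))
```

Run it against the full release-notes text (saved as plain text in this same layout) instead of SAMPLE to get a per-version list of security fixes to cross-check against the Cisco Security Advisories before choosing a target version. The headline match is deliberately loose: vendor headlines are not normalized, so a crash or traceback fix that is not labelled a vulnerability will not be flagged, and a manual read of the table is still needed.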
Resolved Bugs in Version 7.2.5.1
Table last updated: 2024-05-22
Bug ID |
Headline |
---|---|
FTD traceback in Thread Name cli_xml_server when deploying QoS policy |
|
Lack of throttling of ARP miss indications to CP leads to oversubscription |
|
Failing to generate FMC Backup/Restore via SMB/SSH |
|
FTD unable to sync HA due to snort validation failed |
|
ASA/FTD may traceback and reload during ACL changes linked to PBR config |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
FDM: "failover replication http" command may disappear from FTD running config |
|
cacert.pem on FMC expired and all the devices showing as disabled. |
|
All traffic blocked due to access-group command missing from FTD config |
|
Proxy is engaged even when we have a Definitive DND rule match |
|
ASA/FTD: Command "no snmp-server enable oid mempool" enabled by default or enforced during upgrades |
|
Cisco Firepower Management Center Object Group Access Control List Bypass Vulnerability |
|
ASA/FTD: Traceback and Reload on Netflow timer infra |
|
Stratix5950 and ISA3000 LACP channel member SFP port suspended after reload |
|
FTD-HA upgrade failed |
|
multimode-tmatch_df_hijack_walk traceback observed during shut/unshut on FO connected switch interfa |
|
FMC deployment failure:"Validation failed: This is a slav*/ha standby device, rejecting deployment." |
|
null connection error seen in logs |
|
LINA traceback with icmp_thread |
|
TLS Server Identity may cause certain clients to produce mangled Client Hello |
|
Gateway is not reachable from standby unit in admin and user context with shared mgmt intf |
|
Multiple traceback seen on standby unit. |
|
FMC: Backup to an unavailable remote host results in the inability to restart the appliance. |
|
Deleting a BVI in FTD interfaces is causing packet drops in other BVIs |
|
FMC: GEOLOCATION size is causing upgrade failures |
|
High memory usage on monetDB, FMC does not show connection events |
|
ASA Evaluation of OpenSSL vulnerability CVE-2022-4450 |
|
Umbrella DNS Policy Doesn't honor Multiple URLs entered into the Bypass Domain Field |
|
ASA/FTD may traceback and reload in Thread Name DATAPATH-1-1656 |
|
Deployment for eigrp / bgp change may cause temporary outage during policy apply |
|
PortChannel sub-interfaces configured as data/data-sharing, in multi-instance HA go into "waiting" |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
ASA Traceback and reload in parse thread due ha_msg corruption |
|
ngfwManager process continuously restarting leading to ZMQ Out of Memory traceback |
|
Snort2 rule assignments missing from ngfw.rules (assignment_data table ) after FMC upgrade. |
|
Add knob to pause/resume file specific logging in asa log infra. |
|
ASA: "Ping <ifc_name> x.x.x.x" is not working as expected starting 9.18.x |
|
FTD running on FP1000 series might drop packets on TLS flows after the "Client Hello" message. |
|
FTD : Traceback in ZMQ running 7.3.0 |
|
ASA sends OCSP request without user-agent and host |
|
FTDv: Traffic failure in VMware Deployments due to dpdk pool exhaustion and rx_buff_alloc_failure |
|
ASA Traceback and reload citing process name 'lina' |
|
LDAP authentication over SSL not working for users that send large authorisation profiles |
|
ASAv in Hyper-V drops packets on management interface |
|
getReadinessStatusTaskList pjb request is very frequent when user in Upgrade sensor list page |
|
ASDM replaces custom policy-map with default map on class inspect options at backup restore. |
|
Failure to remove snort stat files older than 70 days |
|
ASA may traceback and reload in Thread Name 'DHCPv6 Relay' |
|
FP2130- Unable to disassociate member from port channel, deployment fails, member is lost on FTD/FMC |
|
ASA/FTD: Connection information in SIP-SDP header remains untranslated with destination static Any |
|
ASA in multi context shows standby device in failed state even after MIO HB recovery. |
|
ASA traceback and reload with the Thread name: **CP Crypto Result Processing** |
|
FMC Fails to deploy or register new FTDs due to SFTunnel Establishment Failure. |
|
FTD: GRE traffic is not being load balanced between CPU cores |
|
ASA: Traceback and reload while updating ACLs on ASA |
|
Cisco Adaptive Security Appliance Software and Firepower Threat Defense DoS |
|
Traffic may be impacted if TLS Server Identity probe timeout is too long |
|
The interface configuration is missing after the FTD upgrade |
|
AnyConnect Ikev2 Login Failed With certificate-group-map Configured |
|
ASA/FTD may traceback and reload citing process name "lina" |
|
Traceback in Thread Name: ssh/client in a clustered setup |
|
Lina crash in thread name: cli_xml_request_process during FTD cluster upgrade |
|
99.20.1.16 lina crash on nat_remove_policy_from_np |
|
Old LSP packages are not pruned causing high disk utilization |
|
Remove Priority-queue command from FTD|| Priority-queue command causes silent egress packet drops |
|
VPN load-balancing cluster encryption using deprecated ciphers |
|
store_*list_history.pl task is created every 5min without getting closed causing FMC slowness. |
|
ASA/FTD: Traceback and reload when issuing 'show memory webvpn all objects' |
|
DNS cache entry exhaustion leads to traceback |
|
ASA traceback and reload on Thread Name: DHCPRA Monitor |
|
vFTD runs out of memory and goes to failed state |
|
ASA Traceback & reload on process name lina due to memory header validation |
|
KP2140-HA, reloaded primary unit not able to detect the peer unit |
|
ASA generating traceback with thread-name: DATAPATH-53-18309 after upgrade to 9.16.4.19 |
|
"show route all summary" executed on transparent mode FTD is causing CLISH to become Sluggish. |
|
7.0.6 - Lina Crash in RAVPN interface with anomaly traffic in both non-FIPS and FIPS mode |
|
Failover: standby unit traceback and reload during modifying access-lists |
|
FTD: Traceback and reload during OSPF redistribution process execution |
|
FTD Lina engine may traceback, due to assertion, in datapath |
|
Add meaningful logs when the maximum system limit for rules is hit |
|
ASA appliance mode - 'connect fxos [admin]' will get ERROR: failed to open connection. |
|
ASA: Checkheaps traceback and reload due to Clientless WebVPN |
|
FTD: Firepower 3100 Dynamic Flow Offload showing as Enabled |
|
Policy deployment fails when a route same prefix/metric is configured in a separate VRF. |
|
FTD: SNMP not working on management interface |
|
Snort2 engine is crashing after enabling TLS Server Identity Discovery feature |
|
ASA: Traceback and reload on Thread name "fover_FSM_thread" and ha_ntfy_prog_process_timer |
|
Cisco Firepower Management Center Software SQL Injection Vulnerability |
|
ECDSA Self-signed certificate using SHA384 for EC521 |
|
LDAP missing files after upgrade when the Vault token is corrupted |
|
OSPFv3 Traffic is Centralized in Transparent Mode |
|
FMC: ACP Rule with UDP port 6081 is getting removed after subsequent deployment |
|
FTD /ngfw disk space full from Snort3 url db files |
|
Radius authentication stopped working after ASAv on AWS upgrade to any higher version than 9.18.2 |
|
FMC needs to properly maintain Redis data directory to prevent unbounded disk usage |
|
ASA Traceback & reload on process name lina due to memory header validation - webvpn side fix |
|
ASDM application randomly exits/terminates with an alert message on multi-context setup |
|
ASA/FTD may traceback and reload in Thread Name "RAND_DRBG_bytes" and CTM function on n5 platforms |
|
Large SMB servers result in timeouts returning verdicts between FMC and FTD devices |
|
File sizes larger than 100MB for AnyConnect/Secure Client images cannot be uploaded on FMC |
|
Traceback seen on FTD running on Firepower 2100 series |
|
ASA/FTD residual free |
|
Lina crash in snp_fp_tcp_normalizer() when DAQ/Snort sends malformed L3 header |
|
The FMC preview deployment shows a wrong information. |
|
Cisco ASA and FTD Software Remote Access VPN Unauthorized Access Vulnerability |
|
PAC Key file missing on standby on reload |
|
SQL packets involved in large query is drop by SNORT3 with reason snort-block |
|
Connections are not cleared after idle timeout when the interfaces are in inline mode. |
|
Specific OID 1.3.6.1.2.1.25 should not be responding |
|
ASA/FTD may traceback and reload in Thread Name 'ssh' when adding SNMPV3 config |
|
ASDM management-sessions quota reached due to HTTP sessions stuck in CLOSE_WAIT |
|
Policy deployment failed due to "1 errors seen during populateGlobalSnapshot" |
|
FTD responding to UDP500 packet with a Mac Address of 0000.000.000 |
|
Large file download failed due to hitting the max segment limit |
|
ASA/FTD: NAT64 error "overlaps with inside standby interface address" for Standalone ASA |
|
Cisco ASA and FTD Software Remote Access VPN Unauthorized Access Vulnerability |
|
ASA/FTD may traceback and reload while running show inventory |
|
AMP Cloud look up timeout frequently. |
|
SFDataCorrelator crashing repeatedly in RNA_DB_InsertServiceInfo |
|
Devices with classic licenses fail to register with FMC running version 7.2.X |
|
Fixing the regression caused while handling web UI is not getting FTDv Variable |
|
Prefilter cannot add Tunnel Endpoints in Tunnel Rule on FMC |
|
FTDv throughput changed to 100Kbps after upgrade |
Resolved Bugs in Version 7.2.5
Table last updated: 2024-05-22
Bug ID |
Headline |
---|---|
Audit log records do not appear in the correct order |
|
Microsoft update traffic blocked with Snort version 3 Malware inspection |
|
ASA: The timestamp for all logs generated by Admin context are the same |
|
cache and dump last 20 rmu request response packets in case failures/delays while reading registers |
|
FTD Unable to bind to port 8305 after management IP change |
|
More information is required on Syslog 202010 messages for troubleshooting |
|
FP1000 - During boot process in LINA mode, broadcasts leaked between interfaces resulting in storm |
|
FMC HA webUI is not getting FTDv Variable tier assigned FTDv - Variable |
|
FPR1150 : Exec format error seen and the device hung until reload when erase secure all is executed |
|
Blade not coming up after FXOS update support on multi-instance due to ssp_ntp.log log rotation prob |
|
FTD traceback and reload while deploying PAT POOL |
|
FPR1K/FPR2K: Increase in failover time in Transparent Mode with high number of Sub-Interfaces |
|
Cluster data unit drops non-VPN traffic with ASP reason "VPN reclassify failure" |
|
ASA/FTD may drop multicast packets due to no-mcast-intrf ASP drop reason until UDP timeout expires |
|
Multicast connection built or teardown syslog messages may not always be generated |
|
FPR2100: Multiple snort3 & snort2 cores got generated and sensor goes down in KP platform |
|
FTD MI does not adjust PVID on vlans attached to BVI |
|
Workaround to set hwclock from ntp logs on low end platforms |
|
Syslog ASA-6-611101 is generated twice for a single ssh connection |
|
FTD upgrade from 7.0 to 7.2.x and beyond crashes due to management-access enabled |
|
ENH: FXOS need to track Security Module for Disk quota exceeded related issue |
|
SNMP on SFR module goes down and won't come back up |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
SSL decrypted conns fails when tx chksum-offload is enabled with the egress interface a pppoe. |
|
FTD on FPR2140 - Lina traceback and reload by TCP normalization |
|
Manager gets unregistered on its own from the FTD, show manager shows 'No managers configured' |
|
After FMC upgrade, SecureX ribbon redirects to US cloud region regardless of the set cloud region |
|
ASA/FTD reboots due to traceback pointing to watchdog timeout on p3_tree_lookup |
|
PIM register packets are not sent to RP after a reload if FTD uses a default gateway to reach the RP |
|
ASA Multicontext 'management-only' interface attribute not synced during creation |
|
New context subcommands are not replicated on HA standby when multiple sessions are opened. |
|
ASA/FTD may traceback and reload in Thread Name 'lina' due to tcp intercept stat |
|
Pri-Active FMC NOT triggering registration TASK for FTD to configure standby manager |
|
Cisco ASA and FTD ACLs Not Installed upon Reload |
|
ASA - Standby device may traceback and reload during synchronization of ACL DAP |
|
Last fragment from SIP IPv6 packets has MF equal to 1, flagging that more packets are expected |
|
ASA / FTD Traceback and reload when removing isakmp capture |
|
Failover fover_trace.log file is flooding and gets overwritten quickly |
|
Snort3 fails to match SMTPS traffic to ACP rules |
|
Multiple times the failover may be disabled by wrongly seeing a different "Mate operational mode". |
|
Interface remains DOWN in an Inline-set with propagate link state |
|
ASA/FTD: From-the-box ping fails when using a custom VRF |
|
ASA/FTD may traceback and reload in Thread Name 'pix_flash_config_thread' |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
ASA: Standby failure on parsing of "management-only" not reported to parser/failover subsystem |
|
ASA/FTD traceback and reload on thread DATAPATH-14-11344 when SIP inspection is enabled |
|
ASA traceback and reload with process name: cli_xml_request_process |
|
ASA: Standby failure on parsing of "management-only" for dynamic configuration changes |
|
Missing Instance ID in unified_events-2.log |
|
ASA/FTD may traceback and reload in Thread Name 'lina'. |
|
Threat-detection does not allow to clear individual IPv6 entries |
|
FTD DHCP Relay drops NACK if multiple DHCP Servers are configured |
|
Cisco ASA & FTD SAML Authentication Bypass Vulnerability |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
ASA/FTD: SNMP related traceback and reload immediately after upgrade from 6.6.5 to 7.0.1 |
|
ASA: Configurable CLU for Large amount of under/overruns on CLU RX/TX queues |
|
traceback and reload thread datapath on process tcpmod_proxy_continue_bp |
|
FTD: Unable to process a TLS1.2 website with TLS Server Identity with client generating SSL Errors |
|
FTD/ASA Hub and spoke (U-turn) VPN fails when one spoke is IPSec flow offloaded and the other isn't |
|
TCP ping is completely broken starting in 9.18.2 |
|
Snort3 Crash in SslServiceDetector after call from nss_passwd_lookup |
|
portmanager.sh outputting continuous bash warnings to log files |
|
ASA/FTD may traceback and reload in Thread Name 'ci/console' |
|
ASA running out of SNMP PDU and SNMP VAR chunks |
|
Lina traceback and reload due to fragmented packets |
|
FPR3100: ASA/FTD High traffic impact on all data interfaces with high counter of "demux drops" |
|
ISE Integration Network filter not accepting multiple comma separated networks |
|
ASA: After upgrade to 9.16.4 all type-8 passwords are lost on first reboot |
|
traceback and reload in Process Name: lina related to Nat/Pat |
|
TCP normalizer needs stats that show actions like packet drops |
|
ASA/FTD may traceback and reload in Thread Name '19', free block checksum failure |
|
ASA/FTD: Traceback on thread name: snmp_master_callback_thread during SNMP and interface changes |
|
MYSQL, or any TCP high traffic, getting blocked by snort3, with snort-block as Drop-reason |
|
Unable to establish BGP when using MD5 authentication over GRE TUNNEL and FTD as passthrough device |
|
SFDataCorrelator process crashing very frequently on the FMC. |
|
crashhandler running with test mode snort |
|
FTD may fail to create a NAT rule with error: "IPv4 dst real obj address range is huge" |
|
Inconsistent log messages seen when emblem is configured and buffer logging is set to debug |
|
In some specific scenarios, object optimizer can cause incorrect rules to be deployed to the device |
|
ASA integration with umbrella does not work without validation-usage ssl-server. |
|
Firewall may drop packets when routing between global or user VRFs |
|
ASA access-list entries have the same hash after upgrade |
|
Snort3 crash after the consequent snort restart if duplicate custom apps are present |
|
Possible segfault in snort3 when appid tries to delete the app info table |
|
FTD username with dot fails AAA-RADIUS external authentication login after upgrade |
|
Reduce time taken to clear stale IKEv2 SAs formed after Duplicate Detection |
|
Health Monitoring to NOT collect route stats for transparent mode FTD |
|
FTDv Single-Arm Proxy behind AWS GWLB drops due to geneve-invalid-udp-checksum. |
|
Cisco ASA and FTD ACLs Not Installed upon Reload |
|
FTD is dropping GRE traffic from WSA due to NAT failure |
|
Packet data is still dropped after upgrade |
|
[Snort 3] IPS Policy Overrides not working on Chained Intrusion Policies |
|
ASA/FTD: Traceback and reload due to NAT L7 inspection rewrite |
|
DOC: When using an SLR, it is not properly documented what happens if one of the licenses expires. |
|
FTD: 10Gbps/full interfaces changed to 1Gbps/Auto after upgrade and going to down state |
Resolved Bugs in Version 7.2.4.1
Table last updated: 2024-05-22
Bug ID |
Headline |
---|---|
Audit log records do not appear in the correct order |
|
Microsoft update traffic blocked with Snort version 3 Malware inspection |
|
ASA: The timestamp for all logs generated by Admin context are the same |
|
FTD Unable to bind to port 8305 after management IP change |
|
More information is required on Syslog 202010 messages for troubleshooting |
|
FP1000 - During boot process in LINA mode, broadcasts leaked between interfaces resulting in storm |
|
FMC HA webUI is not getting FTDv Variable tier assigned FTDv - Variable |
|
FPR1150 : Exec format error seen and the device hung until reload when erase secure all is executed |
|
Blade not coming up after FXOS update support on multi-instance due to ssp_ntp.log log rotation prob |
|
FTD traceback and reload while deploying PAT POOL |
|
FPR1K/FPR2K: Increase in failover time in Transparent Mode with high number of Sub-Interfaces |
|
Cluster data unit drops non-VPN traffic with ASP reason "VPN reclassify failure" |
|
ASA/FTD may drop multicast packets due to no-mcast-intrf ASP drop reason until UDP timeout expires |
|
Multicast connection built or teardown syslog messages may not always be generated |
|
FTD MI does not adjust PVID on vlans attached to BVI |
|
Workaround to set hwclock from ntp logs on low end platforms |
|
Syslog ASA-6-611101 is generated twice for a single ssh connection |
|
ENH: FXOS need to track Security Module for Disk quota exceeded related issue |
|
SNMP on SFR module goes down and won't come back up |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
SSL decrypted connections fail when TX checksum offload is enabled and the egress interface is PPPoE. |
|
FTD on FPR2140 - Lina traceback and reload by TCP normalization |
|
Manager gets unregistered on its own from the FTD, show manager shows 'No managers configured' |
|
After FMC upgrade, SecureX ribbon redirects to US cloud region regardless of the set cloud region |
|
ASA/FTD reboots due to traceback pointing to watchdog timeout on p3_tree_lookup |
|
PIM register packets are not sent to RP after a reload if FTD uses a default gateway to reach the RP |
|
ASA Multicontext 'management-only' interface attribute not synced during creation |
|
New context subcommands are not replicated on HA standby when multiple sessions are opened. |
|
ASA/FTD may traceback and reload in Thread Name 'lina' due to TCP intercept stat |
|
Pri-Active FMC NOT triggering registration TASK for FTD to configure standby manager |
|
Cisco ASA and FTD ACLs Not Installed upon Reload |
|
ASA - Standby device may traceback and reload during synchronization of ACL DAP |
|
Last fragment from SIP IPv6 packets has MF equal to 1, flagging that more packets are expected |
|
ASA / FTD Traceback and reload when removing isakmp capture |
|
Failover fover_trace.log file is flooding and gets overwritten quickly |
|
Snort3 fails to match SMTPS traffic to ACP rules |
|
Multiple times the failover may be disabled by wrongly seeing a different "Mate operational mode". |
|
Interface remains DOWN in an Inline-set with propagate link state |
|
ASA/FTD: From-the-box ping fails when using a custom VRF |
|
ASA/FTD may traceback and reload in Thread Name 'pix_flash_config_thread' |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
ASA: Standby failure on parsing of "management-only" not reported to parser/failover subsystem |
|
ASA/FTD traceback and reload on thread DATAPATH-14-11344 when SIP inspection is enabled |
|
CSCwe88772 |
ASA traceback and reload with process name: cli_xml_request_process |
|
ASA: Standby failure on parsing of "management-only" for dynamic configuration changes |
|
Missing Instance ID in unified_events-2.log |
|
ASA/FTD may traceback and reload in Thread Name 'lina'. |
|
Threat-detection does not allow clearing individual IPv6 entries |
|
FTD DHCP Relay drops NACK if multiple DHCP Servers are configured |
|
Cisco ASA & FTD SAML Authentication Bypass Vulnerability |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
ASA/FTD: SNMP related traceback and reload immediately after upgrade from 6.6.5 to 7.0.1 |
|
ASA: Configurable CLU for Large amount of under/overruns on CLU RX/TX queues |
|
traceback and reload thread datapath on process tcpmod_proxy_continue_bp |
|
Unable to process a TLS 1.2 website with TLS Server Identity; the client generates ERR_SSL_PROTOCOL_ERROR. |
|
FTD/ASA Hub and spoke (U-turn) VPN fails when one spoke is IPSec flow offloaded and the other isn't |
|
TCP ping is completely broken starting in 9.18.2 |
|
Snort3 Crash in SslServiceDetector after call from nss_passwd_lookup |
|
portmanager.sh outputting continuous bash warnings to log files |
|
ASA/FTD may traceback and reload in Thread Name 'ci/console' |
|
Cisco Firepower Threat Defense Software Encrypted Archive File Policy Bypass Vulnerability |
|
ASA running out of SNMP PDU and SNMP VAR chunks |
|
Lina traceback and reload due to fragmented packets |
|
FPR3100: ASA/FTD High traffic impact on all data interfaces with high counter of "demux drops" |
|
ISE Integration Network filter not accepting multiple comma separated networks |
|
ASA: After upgrade to 9.16.4 all type-8 passwords are lost on first reboot |
|
traceback and reload in Process Name: lina related to Nat/Pat |
|
TCP normalizer needs stats that show actions like packet drops |
|
ASA/FTD may traceback and reload in Thread Name '19', free block checksum failure |
|
ASA/FTD: Traceback on thread name: snmp_master_callback_thread during SNMP and interface changes |
|
MYSQL, or any TCP high traffic, getting blocked by snort3, with snort-block as Drop-reason |
|
Unable to establish BGP when using MD5 authentication over GRE TUNNEL and FTD as passthrough device |
|
SFDataCorrelator process crashing very frequently on the FMC. |
|
crashhandler running with test mode snort |
|
FTD may fail to create a NAT rule with error: "IPv4 dst real obj address range is huge" |
|
Inconsistent log messages seen when emblem is configured and buffer logging is set to debug |
|
ASA integration with umbrella does not work without validation-usage ssl-server. |
|
Packets are not forwarding between global vrf to user vrf and vice-versa |
|
ASA access-list entries have the same hash after upgrade |
|
Snort3 crash after the consequent snort restart if duplicate custom apps are present |
|
Possible segfault in snort3 when appid tries to delete the app info table |
|
FTD username with dot fails AAA-RADIUS external authentication login after upgrade |
|
Reduce time taken to clear stale IKEv2 SAs formed after Duplicate Detection |
|
Health Monitoring to NOT collect route stats for transparent mode FTD |
|
FTDv Single-Arm Proxy behind AWS GWLB drops due to geneve-invalid-udp-checksum. |
|
Cisco ASA and FTD ACLs Not Installed upon Reload |
|
FTD is dropping GRE traffic from WSA due to NAT failure |
|
Packet data is still dropped after upgrade |
|
[Snort 3] IPS Policy Overrides not working on Chained Intrusion Policies |
|
ASA/FTD: Traceback and reload due to NAT L7 inspection rewrite |
Resolved Bugs in Version 7.2.4
Table last updated: 2024-05-22
Bug ID |
Headline |
---|---|
Audit log records do not appear in the correct order |
|
Improve logging of Secure Firewall (Firepower) backups and retry gzip when using remote storage |
|
Flex config Preview of $SYS_FW_ENABLED_INSPECT_PROTOCOL_LIST throws error |
|
Traceback in the output of tail-logs command |
|
Incorrect rules are highlighted during search in AC rules |
|
FTD - Flow-Offload should be able to coexist with Rate-limiting Feature (QoS) |
|
Performing packet trace using the sub-interface nameif results in an error |
|
FMC HA issues with too many open file descriptors for sfipproxy UDP conn |
|
FQDN Object Containing IPv4 and IPv6 Addresses Only Install IPv6 Entries |
|
Performance Degradation in GetGroupDependency API |
|
FMC ACL Search Move arrows do not work |
|
A few Snort instances observed stuck at 100% |
|
FXOS: Fault "The password encryption key has not been set." displayed on FPR1000 and FPR2100 devices |
|
File list preview: Deleting two lists that have some similar contents throws a stacktrace on the FMC UI |
|
Access Control Rule - Comment disappears if another tab is clicked before the comment is saved. |
|
"Warning: Update failed/in-progress." shown (cosmetic) after a successful update |
|
Unable to download captured file from FMC Captured files UI |
|
Subsystem query parameter not filtering records for "auditrecords" restapi |
|
SNORT2: FTD is performing Full proxy even when SSL rule has DND action. |
|
Deployment fails with internal_errors - Cannot get fresh id |
|
FXOS does not send any syslog messages when the duplex changes to "Half Duplex" |
|
In some cases transition to lightweight proxy doesn't work for Do Not Decrypt flows |
|
ASA traceback and reload while allocating a new block for cluster keepalive packet |
|
Incorrect error when creating two RA-VPN profiles with different SAML servers that have the same IDP |
|
FP2100: ASA/FTD with threat-detection statistics may traceback and reload in Thread Name 'lina' |
|
IPS policy should be imported when it is referenced in an Access Control policy |
|
"Number of interfaces on Active and Standby are not consistent" should trigger warning syslog |
|
FTD: show ntp shows managing DC even though NTP sync is done via FXOS |
|
Grammatical errors in failover operating mode mismatch error message |
|
Cisco ASA Software SSL VPN Client-Side Request Smuggling Vulnerability via "/" URI |
|
Syslog over TLS accepting wildcard in middle of FQDN |
|
Standby unit failed to join failover due to large config size. |
|
LINA observed traceback on thread name "snmp_client_callback_thread" |
|
API key corrupted for FMC with multiple interfaces |
|
SNMPv3 polling may fail using privacy algorithms AES192/AES256 |
|
Disable NLP rules installation workaround after mgmt-access into NLP is enabled |
|
ASA Failover does not detect context mismatch before declaring joining node as "Standby ready" |
|
FMC showing "INVALID ID" under "Traffic by User" Widget but error not seen on Connection Events |
|
Clean up session index handling in IKEv2/SNMP/Session-mgr for MIB usage |
|
TLS client in the sftunnel TLS tunnel offers curves in CC mode that are not allowed by CC |
|
syncd process exits due to invalid GID and database synchronization issue |
|
ASA/FTD may traceback and reload in process Lina |
|
ISA3000 in boot loop after powercycle |
|
FMC upgrade failure: 114_DB_table_data_integrity_check.pl failed |
|
ENH: Reduce latency in log_handler_file to reduce watchdog under scale or stress |
|
Modify /800_post/1027_ldap_external_auth_fix.pl to not fail FMC upgrade when objects are corrupt |
|
ASA/FTD datapath threads may run into deadlock and generate traceback |
|
ASA/FTD: DF bit is being set on packets routed into VTI |
|
FTD Snort3 traceback in daq-pdts while handling FQDN based traffic |
|
Cisco ASDM and ASA Software Client-side Arbitrary Code Execution Vulnerability |
|
FP2100: ASA/FTD high availability is not resilient to unexpected lacp process termination |
|
Losing SSH connection while copying a huge file to the device even though the device has enough space. |
|
FTD: Logs and Debugs for SSL/TLS traffic drop due to NAP in Detection Mode |
|
duplicate log entry for /mnt/disk0/log/asa_snmp.log |
|
When inbound packet contains SGT header, FPR2100 cannot distribute properly per 5 tuple |
|
FMC shows limited interfaces in policy-based routing config (egress interface selection) |
|
Bootstrap After Upgrade failed due to Duplicate Key of Network Object |
|
Jumbo frame performance has degraded up to -45% on Firepower 2100 series |
|
Event Rate on FMC Health Monitoring Dashboard shows extremely high values |
|
ASA/FTD Traceback and reload in Process Name: lina |
|
FTD - Unable to resolve DNS when only diagnostic interface is used for DNS lookups |
|
FTD upgrade fails - not enough disk space from old FXOS bundles in distributables partition |
|
CVE-2022-28199: Evaluation for FTDv and ASAv |
|
Resumed SSL sessions with uncached tickets may fail to complete |
|
FMC Deploying negative and positive form of BGP password command across deployments |
|
FDM: need to block the deployment when a security zone object is not associated with an interface |
|
ASAv - 9344 Block not created automatically after enabling JumboFrames, breaks OSPF MD5 |
|
FTD/FDM: SSL connections to sites using RSA certs with 3072 bit keys may fail |
|
Update diskmanager to monitor cisco_uridb files in /ngfw/var/sf/cloud_download folder. |
|
FP2100/FP1000: Built-in RJ45 ports randomly not coming up after portmanager restart events |
|
CIAM: heimdal 1.0.1 |
|
Breaking FMCv HA in AWS gives VTEP CONFIGURATION IS NOT SUPPORTED FOR CURRENT PERFORMANCE TIER alert |
|
FMC-HA upgrade failure due to presence of this file "update.status" |
|
FTD - %FTD-3-199015: port-manager: Error: DOM Block Read failure, port X, st = X log false/positive |
|
ASA Traceback & reload in thread name: Datapath |
|
Copying an FMC backup to remote storage fails if the FMC has never connected via SSH/SCP to the remote host |
|
Error 403: Forbidden when expanding in view group objects |
|
Config sync fails for command "quit" |
|
onPremFMC with only CDO Managed devices registered, Malware Event pages shows license warning |
|
FTD registration fails on on-prem FMC |
|
ASA/FTD may traceback and reload in Thread Name 'None' |
|
Interface internal data0/0 is up/up from cli but up/down from SNMP polling |
|
FTD on FP2100 can take over as HA active unit during reboot process |
|
Lina traceback and core file size is beyond 40G and compression fails on FTD |
|
No-buffer drops on Internal Data interfaces despite little evidence of CPU hog |
|
Disk usage is 100% on secondary FMC .dmp files created utilized all the disk space |
|
AnyConnect SAML - Client Certificate Prompt incorrectly appears within External Browser |
|
FMC shows 'File Not Stored' after download a file |
|
Deployment failure with ERROR Process Manager failed to verify LSP ICDB |
|
Standby ASA goes to booting loop during configuration replication after upgrade to 9.16(3). |
|
Azure ASA NIC MAC addresses for GigabitEthernet0/1 and 0/2 become out of order when adding interfaces |
|
User without password prompted to change password when logged in from SSH Client |
|
The interface LED keeps blinking green when the optical fiber is unplugged on FPR1150 |
|
FTDv Cluster unit not re-joining cluster with error msg "Failed to open NLP SSL listening socket" |
|
Temporary HA split-brain following upgrade or device reboot |
|
ASA/FTD - Traceback in Thread Name: appAgent_subscribe_nd_thread |
|
FTD: SNMP failures after upgrade to 7.0.2 |
|
ASA tracebacks after SFR was upgraded to 6.7.0.3 |
|
FTD/ASA traceback and reload at ../inspect/proxy.h:439 |
|
Conn data-rate command can be enabled or disabled in unprivileged user EXEC mode |
|
ASA/FTD Voltage information is missing in the command "show environment" |
|
Failed user login on FMC does not record entry in audit log when using external authentication |
|
FMC Deployment does not start for cluster devices |
|
IPv6 ICMP configuration is added and removed during policy deployment |
|
Issue with snort perfstat parsing / Hmdeamon not starting after disk full reported |
|
LTP feature not working on KP ASA with 9.18 |
|
ASAv high CPU and stack memory allocation errors despite over 30% free memory |
|
Update diskmanager to monitor deploy directories in /ngfw/var/cisco/deploy/db |
|
ASA/FTD traceback and reload on Thread id: 1637 |
|
JOBS_TABLE not getting purged if deployReports not available |
|
FMC: Slowness in Device management page |
|
With scaled EFD throttle connections, de-throttling with the clear efd-throttle command causes a Lina traceback |
|
ASA/FTD Traceback and Reload in Thread Name Lina or Datapath |
|
FMC Health Monitoring JSON error |
|
Unable to remove unused SAL On-Premises FMC configuration |
|
Traceback and Reload while HA sync after upgrading and reloading. |
|
Cisco ASA and FTD Software RSA Private Key Leak Vulnerability |
|
9344 Block leak due to fragmented GRE traffic over inline-set interface inner-flow processing |
|
MI hangs and does not respond when an FTD container instance is reloaded |
|
ASA Traceback and Reload on process name Lina |
|
ASA: SLA debugs not showing up on VTY sessions |
|
FPR1010 upgrade failed - Error running script 200_pre/100_get_snort_from_dc.pl |
|
ASA process with cleartext token when not able to encrypt it |
|
FMC: Validation check to prevent exponential expansion of NAT rules |
|
NAT64 translates all IPv6 Address to 0.0.0.0/0 when object subnet 0.0.0.0 0.0.0.0 is used |
|
Logs observed at the syslog server exceed the configured message limit per second. |
|
JOBS_TABLE not getting purged due to foreign Key constraint violation in policy_diff_main |
|
FMC 7.0 - Receiving alert "health monitor process: no events received yet" for multiple devices |
|
The device is unregistered when a REST API script is run. |
|
OSPF template adds "default-information-originate" to area <area-id> nssa statement on hitting OK. |
|
Cannot add IP from event to global lists (block or do-not-block) if a similar IP is already on the list |
|
ASA traceback and reload due to "Heap memory corrupted at slib_malloc.c" |
|
SNMP: FMC doesn't reply to OID 1.3.6.1.2.1.25.3.3.1.2 |
|
SSL AnyConnect access blocked after upgrade |
|
In addition to the c_rehash shell command injection identified in CVE-2022-1292 |
|
FMC: Extended ACL object should support mixed protocols on different entries |
|
ASA/FTD may traceback and reload while executing SCH code |
|
Lina NetFlow sends permitted events to Stealthwatch but they are blocked by Snort afterwards |
|
ASA : HTTPS traffic authentication issue with Cut-through Proxy enabled |
|
AWS ASAv Clustering: enable cluster breaking ssh session |
|
False positives for Ultrasurf |
|
FMC - Cannot Edit Standard ACL with error regarding "Only Host objects allowed" |
|
CIAM: mariadb - multiple versions CVE-2022-32081 |
|
Deploy page listing takes 1.5 to 2 minutes with 462 HA devices |
|
FTD is unusable post reboot if manager is deleted and FIPS is enabled |
|
FTD - Traceback and reload when performing IPv4 <> IPv6 NAT translations |
|
Selective deployment of IPS may cause outage due to incorrectly written FTD configuration files |
|
ASA/FTD: GTP inspection causing 9344 sized blocks leak |
|
ASA HA - Restore on primary does not remove new interface configuration done after backup |
|
ASA/FTD traceback and reload when ssh using username with nopassword keyword |
|
NTP logs will eventually overwrite all useful octeon kernel logs |
|
FXOS partition opt_cisco_platform_logs on FP1K/FPR2K may go Full due to ucssh_*.log |
|
vFMC upgrade 7.0.4-36 > 7.3.0-1553 failed: Error running script 200_pre/007_check_sru_install.sh |
|
Inbound IPSEC SA stuck inactive - many inbound SPIs for one outbound SPI in "show crypto ipsec sa" |
|
SFDataCorrelator Discovery Event bottleneck can cause Connection Event delay and backlog |
|
ASA/FTD 2100 platform traceback and reload when fragments are coalesced and sent to PDTS |
|
mojo_server processes unnecessarily restarting during log rotation |
|
When searching IPv6 rule in the access-control policy, no result will show |
|
FMC 7.2.0|7.3.0 Integration > Identity Sources page does not load, keeps spinning |
|
Reload mercury when userappid.conf is modified on FMC and deploy is issued |
|
Selective deploy enables interaction with SRU interdependent-policies due to FMC API timeout |
|
show ssl-policy-config does not show the policy when countries are being used in source/dest network |
|
Excessive logging from hm_du.pm may lead to syslog-ng process restarts |
|
FTD Upgrade Fail - Readiness Check Successful, but Readiness status never shown |
|
FTD - Traceback and reload on NAT IPv4<>IPv6 for UDP flow redirected over CCL link |
|
MPLS tagging removed by FTD |
|
FXOS-based Firepower platform showing 'no buffer' drops despite high values for RX ring watermarks |
|
ASA/FTD Cluster Split Brain due to NAT with "any" and Global IP/range matching broadcast IP |
|
Estreamer page fails to load in ASDM |
|
ASA parser accepts incomplete network statement under OSPF process and is present in show run |
|
Syslog related to failover is not output on FPR2140 |
|
Scheduled tasks may not run on active FMC in HA after switchover or split-brain resolution |
|
IKEv2 rekey - Responding Invalid SPI for the new SPI received right after Create_Child_SA response |
|
Trigger FTD backup with remote storage option enabled along with retrieval to FMC fails |
|
AD username with trailing space causes download of users/groups to fail |
|
SLA debug logs are visible on both console and VTY sessions even if enabled only on the VTY session. |
|
Limit the number of deployment jobs in deploy history to 50 as default to avoid slowness |
|
FMC: Scheduled backups working fine, but FMC email alerts displaying it failed. |
|
ASA fails to rekey with IPSEC ERROR: Failed to allocate an outbound hardware context |
|
WR6, WR8, LTS18 and LTS21 commit id update in CCM layer (Seq 35) |
|
KP-2130 - Observed crash with PPK configured |
|
ASA/FTD OSPFv3 does not generate messages Type 8 LSA for IPv6 |
|
FMC does not use proxy with authentication when accessing AMP cloud services |
|
Vulnerabilities on Cisco FTD Captive Portal on TCP port 885 |
|
SFDataCorrelator host timeout query can block event processing and cause a deadlock restart |
|
FMC GUI timeout and issues with loading http page due to exceeded http connections |
|
ASA/FTD may traceback and reload in Thread Name 'lina' ip routing ndbshr |
|
FMC ACP PDF report generated blank/0 bytes using UI |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
VTI hub with NAT-T enabled: pinhole connections are looping and causing Snort busy drops |
|
ASA HA failover triggers HTTP server restart failure and ASDM outage |
|
ASA/FTD may traceback and reload in Thread Name 'lina_inotify_file_monitor_thread' |
|
Mismatch between the config pushed from FMC and the running config on FTD |
|
ASA CLI for TCP Maximum unprocessed segments |
|
Portchannel configured from FDM breaks "Use the Data Interfaces as the Gateway" for Mgmt interface |
|
Essentials licenses are not assigned to the device and Edit Licenses is also not working |
|
FTD/ASA "Write Standby" enables ECDSA ciphers causing AC SSLv3 handshake failure |
|
ASA/FTD Traceback and reload on function "snp_cluster_trans_allocb" |
|
TACACS Accounting includes an incorrect IPv6 address of the client |
|
Call home configuration on standby device is lost after reload |
|
FPR2140 ASA Clock Timezone reverts to UTC after appliance restart/reload |
|
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-11-32591' |
|
FMC UI should disallow simultaneous deactivation of FMC interface management and event channels |
|
FMC RSS Feed broken because FeedBurner is no longer active - "Unable to parse feed" |
|
FTD - Traceback in Thread Name: DATAPATH |
|
FMC allows shell access for user name with "." but external authentication will fail |
|
25G-SR should default to RS-FEC (IEEE CL108) instead of FC-FEC |
|
Fail-To-Wire interfaces flap intermittently due to watchdog timeout on the Firepower 2100 platform |
|
cdFMC: Policy deployment is failing after upgrading cdFMC |
|
FPR1000 ASA/FTD: Primary takes active role after reloading |
|
FTD may traceback and reload in Thread Name 'DATAPATH-0-4948' |
|
CGroups errors in ASA syslog after startup |
|
Database may fail to shut down and/or start up properly during upgrade |
|
During deployment, the device gets stuck processing the config request. |
|
FMC 7.1+ allows ECMP FlexConfig deployment |
|
"inspect snmp" config difference between active and standby |
|
[Deploy Performance] degrade in deployment page on FMC |
|
ASA/FTD traceback and reload caused by SNMP process failure |
|
Intrusion events intermittently stop appearing in FMC when using snort3 |
|
Default Domain in VPN group policy objects cannot be deleted |
|
Traffic on data unit gets dropped with "LU allocate xlate failed" on GCP cluster with interface NAT |
|
Unable to configure 'match ip address' under route-map when using object-group in access list |
|
ASA NAT rules are not working as expected after an upgrade to 9.18.2 |
|
FTD Traceback and reload when applying long commands from FMC UI or CLISH |
|
WR6, WR8, LTS18 and LTS21 commit id update in CCM layer (Seq 36) |
|
ASA/FTD Traceback and reload in Threadname: IKE Daemon |
|
Vulnerabilities in spring-framework - multiple versions CVE-2022-22970 |
|
On slow networks with some packets loss sftunnel may mark connections as STALE |
|
Valid DNS requests are being dropped by Lina DNS inspection when Umbrella DNS is configured |
|
For system processes, limit the CPUs used to the number of system CPUs |
|
ASAv "Unable to retrieve license info. Please try again later" |
|
Prefilter policy - Available port menu long response time, Prefilter Network Search takes long time |
|
FMC can download only the first 10000 cross-domain user groups |
|
Group delete during realm download can cause inconsistent user_to_group map on FTD |
|
ASA traceback and reload due to null pointer in Umbrella after modifying DNS inspection policy |
|
FTD misses diagnostic data required for investigation of "Communication with NPU lost" error |
|
ASA/FTD may traceback and reload in Thread Name 'appagent_async_client_receive_thread' hog detection |
|
FXOS ASA/FTD SNMP OID to poll Internal-data 'no buffer' interface counters |
|
ASA 9.12(4)47 with user-statistics affects "policy-server xxxx global" visibility. |
|
7.3 - Message flood by Use of uninitialized value $unix_time in numeric gt |
|
Using write standby in a user context leaves secondary firewall license status in an invalid state |
|
ASA using WebVPN tracebacks in Unicorn thread during memory tracking |
|
Unable to establish DTLSv1.2 with FIPS enabled after upgrade from 6.6.5. |
|
Cluster disabled unit getting registered as standalone in FMC and further deployment failing |
|
Cisco ASA/FTD Firepower 2100 SSL/TLS Denial of Service Vulnerability |
|
ASA/FTD memory leak and tracebacks due to ctm_n5 resets |
|
Lina Traceback and reload when issuing 'debug menu fxos_parser 4' |
|
ESP rule missing in vpn-context may cause IPSec traffic drop |
|
Captive portal support in cross domain |
|
CCM layer (Seq 38) WR8, LTS18, LTS21 |
|
R2130: use the Wind River CIS_LTS21_R2130 OS branch for the 7.3.0 Beta2 release. |
|
FMC module specific health exclusion disables all health checks |
|
traceback and reload due to tcp intercept stat in thread unicorn |
|
Continual ngfwManager process restarts due to incomplete FMC HA device registration |
|
FMC - Deployment blocked when ECMP route configured via same interface |
|
ISA3000 LACP channel member SFP port suspended after reload |
|
ASA/FTD may traceback and reload when clearing the configuration due to "snp_clear_acl_log_flow_all" |
|
SNMP 'Confirm Community String' string is not auto-populated after the FMC upgrade |
|
ifAdminStatus output is abnormal via SNMP polling |
|
ASA/FTD may traceback and reload when RAVPN with SAML is configured |
|
logging/syslog is impacted by SNMP traps and logging history |
|
Cluster status is not updated across 16 node GCP cluster |
|
FMC local backup fails cause of "Update Task: Database integrity check failed" - Syslog server issue |
|
FTD Traceback and reload |
|
ASA Custom login page is not working through webvpn after an upgrade |
|
Snort3 unexpectedly dropping packets after 4MB when using file inspection with detection mode NAP |
|
ASA: ASDM sessions stuck in CLOSE_WAIT causing lack of MGMT |
|
Config-dispatcher to fail the deployment immediately when download fails, instead of failing later |
|
FTD traceback on Lina due to syslog component. |
|
Cisco FXOS Software Arbitrary File Write Vulnerability |
|
PDTS write from Daq can fail when PDTS buffer is full eventually leads to block depletion |
|
ASA/FTD Cluster Traceback and Reload during node leave |
|
Multiple Snort3 crashes after upgrading FTD from 7.2.0 to 7.2.0.1 |
|
ASA/FTD tmatch compilation check when unit joins the cluster, when TCM is off |
|
HTTP URI is sometimes missing from intrusion event view |
|
Create a resiliency configuration option for SFTunnel to support HA and FTD connectivity |
|
Access rule policy page takes longer time to load |
|
Multiple log files have zero bytes due to logrotate failure |
|
AnyConnect SAML using external browser and round robin DNS intermittently fails |
|
Deployment Fails with stacktrace: Invalid type (LocalIdentitySource) |
|
FTD sensor rules missing from ngfw.rules file after a sensor backup restore execution |
|
critical health alerts 'user configuration(FSM.sam.dme.AaaUserEpUpdateUserEp)' on 2100/3100 devices |
|
Missing fqdns_old.conf file causes FTD HA app sync failure |
|
"Move" option is greyed out on Backup-Restore in FMC |
|
ASA might generate traceback in ikev2 process and reload |
|
ASA/FTD may traceback and reload in Thread Name 'ikev2_fo_event' |
|
Deployment fails with Config Error -- proxy paired |
|
FMC - Unable to initiate deployment due to incorrect threat license validation |
|
during download from file event on FMC, high CPU use on FMC for 20 minutes before download fails |
|
FTD upgrade failure due to Syslog files getting generated/deleted rapidly |
|
FTD Unable to bind to port 8305 after management IP change |
|
ASA/FTD Traceback and Reload in Thread Name: pix_flash_config_thread |
|
Object edit slowness when it is associated with NAT rules |
|
GTP inspection drops packets for optional IE Header Length being too short |
|
GTP drops not always logged on buffer and syslog |
|
ASA/FTD traceback due to block data corruption |
|
Device readiness upgrade check failure - sftunnel sync issue due to time change |
|
File events show Action as "Malware Block" for files with correct disposition of unknown |
|
ASA/FTD may traceback and reload in Thread Name 'lina' following policy deployment |
|
SFDataCorrelator RNA-Stop action should not block when database operations are hung |
|
ASA goes for traceback/reload with message - snmp_ma_kill_restart: vf is NULL |
|
HA did not failover due to misleading status updates from NDClient |
|
FPR1K FTD fails to form HA due to reason "Other unit has different set of hwidb index" |
|
ASA/FTD may traceback with large number of network objects deployment using distribute-list |
|
ASA/FTD: NAT configuration deployment failure |
|
HTTP Block Response and Interactive Block response pages not being displayed by Snort3 |
|
ASA: Unable to connect AnyConnect Cert based Auth with "periodic-authentication certificate" enabled |
|
EIGRPv6 - Crashed with "mem_lock: Assertion mem_refcount' failed" on LINA. |
|
ASA/FTD High CPU in SNMP Notify Thread |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
FTD in HA traceback multiple times after adding a BGP neighbour with prefix list. |
|
rsc_5_min.log store location should move to a different partition |
|
Cert serial number not displayed properly in PCA debug and syslogs |
|
Functional: FMCv patch upgrade fails |
|
ASA/FTD SNMP traps enqueued when no SNMP trap server configured |
|
ASA/FTD Transactional Commit may result in mismatched rules and traffic loss |
|
Incorrect Frequent Drain of Connection Events alert |
|
Device should not move to Active state once Reboot is triggered |
|
standby unit using both active and standby IPs causing duplicate IP issues due to nat "any" |
|
log rotate failing to cycle files, resulting in large file sizes |
|
FMC HA - files in tmp/Sync are left on secondary when synchronisation task fails |
|
FMC deleted some access-rules due to an incorrect delta generated during the policy deployment. |
|
Lina traceback and reload - VPN parent channel (SAL) has an invalid underlying channel |
|
Management access over VPN not working when custom NAT is configured |
|
lost cac.conf after upgrade to 7.2.1 for FMC smart-card auth |
|
DHCP Relay is looping back the DHCP offer packet causing dhcprelay to fail on the FTD/ASA |
|
Duplicate SMB session id packets causing snort3 crash |
|
ADI process may become unstable when downloading a large number of users |
|
Cluster registration is failing because DATA_NODE isn't joining the cluster |
|
LTS18 and LTS21 commit id update in CCM layer (seq 39) |
|
Cisco FXOS Software Arbitrary File Write Vulnerability |
|
Filtering of jobs in deploy history page is applying the criteria only on Top50 jobs |
|
ASA/FTD traceback and reload on thread name fover_fail_check |
|
TLS connections to Exchange 2007 server may fail |
|
Prevent cluster heartbeat probing failure in virtual platform |
|
FMC can allow deployment of NAP in test mode with Decrypt policy |
|
ASA: Traceback and reload due to clientless webvpn session closure |
|
ASA/FTD may traceback and reload in Thread lina |
|
Syslog 106016 is not rate-limited by default |
|
FMC - Error message "The server response was not understood. Please contact support." on UI |
|
ASA/FTD Traceback and reload when configuring ISAKMP captures on device |
|
SFDataCorrelator delay in processing events when the intrusion event rate is high |
|
Firepower Management Center GUI view for Snort2 Local Intrusion Rules is missing |
|
Serviceability Enhancement - Payloads that cannot be parsed are silently dropped by ASA/FTD |
|
Very long validation time during Policy Deployment due to big network object in SSL policy |
|
ASA traceback and reload due to DNS inspection |
|
FMC HA webUI is not getting FTDv Variable tier assigned FTDv - Variable |
|
Re-downloaded users from a forest with trusted domains may become unresolved/un-synchronized |
|
PIM register packets are not sent to Rendezvous Point (RP) due to PIM tunnel interface down state |
|
deployment failed with OOM (out of memory) for policy_apply.pl process |
|
Deploying objects with escaped values in the description might cause all future deployments to fail |
|
Analyze why there is no logrotate for /opt/cisco/config/var/log/ASAconsole.log |
|
Object NAT edit is failing |
|
fxos log rotate failing to cycle files, resulting in large file sizes |
|
ASA/FTD: Traceback and reload in Thread Name: appAgent_reply_processor_thread |
|
FXOS: memory leak in svc_sam_envAG process |
|
Device name always shows as 'firepower' in CDO event view |
|
800_post/1027_ldap_external_auth_fix.pl upgrade error -- reference to missing authentication object |
|
WR6, WR8, LTS18 and LTS21 commit id update in CCM layer (Seq 40) |
|
ASA - traceback and reload when Webvpn Portal is used |
|
Port-channel interface went down post deployment |
|
FMC UI showing disabled/offline for multiple devices as health events are not processed |
|
Missing SSL MEMCAP causes deployment failure due to timeout waiting for snort detection engines |
|
Pre-deployment failure seen in FMC due to huge number policies |
|
Upgrades are not cleaning up mysql files leading to alert for 'High unmanaged disk usage on /ngfw' |
|
ASA restore is not applying vlan configuration |
|
Unable to get polling results using snmp GET for connection rate OIDs |
|
Add validation in lua detector api to check for empty patterns for service apps |
|
Route leaking of local host having /32 mask may lead to crash |
|
FMC not opening deployment preview window |
|
ASA/FTD: Object Group Search Syslog for flows exceeding threshold |
|
FTD PDTS LINA RX queue can become stuck when snort send messages with 4085-4096 bytes size |
|
FPR3100: 4x40 network module LEDs do not blink with traffic |
|
AWS: SSL decryption failing with Geneve tunnel interface |
|
Data migration from Sybase to MariaDB taking more time due to large data size of POLICY_SNAPSHOT |
|
FP2100: FXOS side changes for HA is not resilient to unexpected lacp process termination issue |
|
FMC gives an irrelevant error message for Snort2 to Snort3 rules conversion failure |
|
Need corrections in log_handler_file watchdog crash fix |
|
Deployment failure with localpool overlap error after upgrade |
|
"show tech-support" generation does not include "show inventory" when run on FTD |
|
FTD Lina traceback and reload in Thread Name 'IP Init Thread' |
|
Disable asserts in FTD production builds |
|
Misleading drop reason in "show asp drop" |
|
[IMS_7_3_0/7_2_0] Lina crashed on VMware 2 node cluster during sending GRE traffic |
|
Clientless Accessing Web Contents using application/octet-stream vs text/plain |
|
Recursive panic under lina_duart_write |
|
Config Archive should get created if Rest-GET method failed on device |
|
Inline-pair state is not able to auto-recover from hardware-bypass to standby mode. |
|
allocate more cgroup memory for policy deployment subgroup |
|
HA Periodic sync is failing because cfg files are missing |
|
At times AC Policy save takes a long time, around 10 mins or more |
|
Memory depletion while running EMIX traffic profile on QP HA active node |
|
ASA/FTD: Traceback and reload due to SNMP group configuration during upgrade |
|
ASA: Standby may get stuck in "Sync Config" status upon reboot when EEM is configured |
|
FMC UI Showing inaccurate data in S2S VPN Monitoring page |
|
mdbtrace.log can fill storage on FMC |
|
FTDv: Policy Deployment failure due to interface setting on failover interface |
|
ASA Connections stuck in idle state when DCD is enabled |
|
Cross-domain users with non-ASCII characters are not resolved |
|
FPR2100: Increase in failover convergence time with ASA in Appliance mode |
|
FTDv Single-Arm Proxy behind AWS GWLB drops due to geneve-invalid-udp-checksum with all 0 checksum |
|
AC clients fail to match DAP rules due to attribute value too large |
|
Packets through cascading contexts in ASA are dropped in gateway context after software upgrade |
|
FXOS is not rotating PoE logs |
|
WR6, WR8, LTS18 and LTS21 commit id update in CCM layer (Seq 41) |
|
Lina changes to support - Snort3 traceback in daq-pdts while handling FQDN based traffic |
|
FDM FPR2k Network module interfaces are greyed out post 7.1.0 update |
|
ASA|FTD: Implement different TLS diffie-hellman prime based on RFC recommendation |
|
QEMU KVM console got stuck in "Booting the kernel" page |
|
Snort 3 traceback on stream prune_lru |
|
FMC Connection Event stop displaying latest event |
|
Port-channel interfaces of secondary unit are in waiting status after reload |
|
Port-channel member port status flag and membership status are Down if LACPDUs are not received |
|
Clustering is disabled on all data nodes after power off/on |
|
ASA/FTD may traceback and reload in idfw fqdn hash lookup |
|
internal.cloudapp.net_snort3 core file is generated on DST setup |
|
FXOS: FP2100 FTW timeout triggered by high CPU usage during FTD Access Control Policy deploy. |
|
FMC 7.1.0.1 Doesn't throw warning that S2S VPN Configs contain deprecated MD5 Hash during deployment |
|
FMC: Updates page takes more than 5 minutes to load |
|
S2S Tunnels do not come up due to DH computation failure caused by DSID Leak |
|
30+ seconds data loss when unit re-join cluster |
|
Predefined FlexConfig Text Objects are not exported by Import-Export |
|
FTD with Snort3 might have memory corruption BT in snort file with same IP traffic scaling |
|
FMC import takes too long |
|
ASA/FTD traceback and reload when IPSec/Ikev2 vpn session bringup with dh group 31 in fips mode |
|
ASA configured with HA may traceback and reload with multiple input/output error messages |
|
Traps are not getting generated in UUT for config change in multicontext |
|
intrusion events fail to migrate from MariaDB to MonetDB following FMC upgrade from 7.0.3 to 7.1.0 |
|
MI FTD running 7.0.4 shows high disk utilization |
|
Snort drops Bomgar application packets with Early Application Detection enabled |
|
FMC upgrade fails: 114_DB_table_data_integrity_check.pl, stating Snort2IPSNAPCleanup.pm not be found |
|
FTD Traffic failure due to 9344 block depletion in peer_proxy_tx_q |
|
Snort3 crash seen sometimes while processing a future flow connection after appid detectors reload |
|
LINA Traceback on FPR-1010 under Thread Name: update_cpu_usage |
|
Snort outputs massive volume of packet events - IPS event view may show "No Packet Information" |
|
CCL/CLU filters are not working correctly |
|
snort2 does not match rules based on application SMTP/SMTPS anymore after a while |
|
FTD -Snort match incorrect NAP id for traffic |
|
Microsoft SCEP enrollment fails to get ASA identity cert - Unable to verify PKCS7 |
|
ASA/FTD may traceback and reload in Thread Name 'telnet/ci' |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
Observing some devcmd failures and checkheaps traceback when flow offload is not used. |
|
AWS ASAv PAYG Licensing not working in GovCloud regions. |
|
FTDs running 6.6.x show as disconnected on new HM (6.7+) but checks are running and updating |
|
Traceback and reload when webvpn users match DAP access-list with 36k elements |
|
Unable to access Dynamic Access policy |
|
Number of objects are not getting updated under policies>>>Security intelligence >>>Block list |
|
Cut-Through Proxy does not work with HTTPS traffic |
|
High disk usage due to process_stdout.log and process_stderr.log logrotate failure (no rotation) |
|
ASA/FTD NAT Pool Cluster allocation and reservation discrepancy between units |
|
Deployment changes to push VDB package based on Device model and snort engine |
|
WR6, WR8, LTS18 and LTS21 commit id update in CCM layer (seq 42) |
|
MariaDB crash (segmentation fault) related to netmap query |
|
ASA/FTD may traceback and reload in logging_cfg processing |
|
FAN LED flashing amber on FPR2100 |
|
Clientless VPN users are unable to download large files through the WebVPN portal |
|
FMCv 7.2.0 - FTD management IP is not correctly updated on the FMC after changing the FTD mngmnt IP |
|
SFDataCorrelator performance degradation involving hosts with many discovered MAC addresses |
|
Anyconnect users unable to connect when ASA using different authentication and authorization server |
|
snort sets tunnel bypass for geneve encoded packets |
|
The Standby Device goes into failed state due to snort heartbeat failure |
|
Primary ASA traceback upon rebooting the secondary |
|
ASA/FTD traceback and reload, Thread Name: rtcli async executor process |
|
FMC SecureX via proxy stops working after upgrade to 7.x |
|
Link Up seen for a few seconds on FPR1010 during bootup |
|
FTD: Unable to configure WebVPN Keepout or Certificate Map on FPR3100 |
|
ASA unexpectedly reloads when doing backup |
|
41xx: Blade does not capture or log a reboot signal |
|
High FMC backup file size due to configurations snapshot for all managed devices |
|
ASA/FTD: External IDP SAML authentication fails with Bad Request message |
|
Unified events and connection events pages don't load anymore. DB Cores generated every few minutes |
|
Unable to register new devices to buildout FMC 2700 (FMC HA Active) |
|
Summary status dashboard takes more than 3 mins to load upon login |
|
Interactive Block action doesn't work when websites are redirected to https |
|
License Commands go missing in Cluster data unit if the Cluster join fails. |
|
FTD/ASA traceback and reload due to tmatch compilation process |
|
collection of top.log.gz in troubleshoot can be corrupt due to race condition |
|
FTD traceback/reloads - Icmp error packet processing involves snp_nat_xlate_identity |
|
Database table optimization not working for some of the tables |
|
FMC HA Synchronization can hang forever if no response from SendUserReloadSGTAndEndpointsEvent |
|
FMC: Upgrade fails at DB Integrity check due to large number of EO warnings for "rule_comments" |
|
ASA goes to failsafe mode after FXOS upgrade |
|
On a cloud-delivered FMC there is no way to send events to syslog without sending to SAL/CDO as well |
|
FPR1120: connections are getting torn down after switchover in HA |
|
Threatgrid integration configuration is not sync'd as part of the FMC HA Synchronisation |
|
None option under trustpoint doesn't work when CRL check is failing |
|
FTD Deployment failures due to "snort3.validation.lua:5: '=' expected near 'change'" |
|
FTD traceback and reload during policy deployment adding/removing/editing of NAT statements. |
|
FTD is dropping GRE traffic from WSA |
|
ASA binding with LDAP as authorization method with missing configuration |
|
ASA: Traceback and reload while processing SNMP packets |
|
monetdb log uses all disk space on /Volume |
|
Snort crashing on FTD |
|
Purging of Config Archive failed for all the devices if one device has no versions |
|
High Lina memory use due to leaked SSL handles |
|
FTD - 'show memory top-usage' providing improper value for memory allocation |
|
FTD: IPSLA Pre-emption not working even when destination becomes reachable |
|
ASA/FTD Traceback and reload of Standby Unit while removing capture configurations |
|
TLS sessions dropped under certain conditions after a fragmented Client Hello |
|
FMC Health Monitor does not report alerts for the Interface Status module |
|
FMC HA info is not sync'ed reliably to FTD to support CLOUD_SERVICE |
|
After device registration or FMC upgrade, devices sometimes don't send events to the FMC |
|
ASA/FTD may traceback and reload in Thread Name: CTM Daemon |
|
256-byte memory block gets depleted on start if jumbo frame is enabled with FTD on ASA5516 |
|
Traffic drop when primary device is active |
|
Snort3: Process in D state resulting in OOM with jemalloc memory manager |
|
Maria DB crashing/holding high CPU and not allowing users to login GUI and CLI |
|
Partition "/opt/cisco/config" gets full due to wtmp file not getting logrotated |
|
Unexpected firewall reloads with traceback. |
|
Slow UI loading for Table View of Hosts |
|
Database integrity check takes several minutes to complete |
|
NTP polling frequency changed from 5 minutes to 1 second causes large useless log files |
|
FTD HA does not break from FMC GUI but HA bootstrap is removed from devices |
|
FPR2100: Multiple snort3 & snort2 cores got generated and sensor goes down in KP platform |
|
Multiple instances of nvram.out log rotated files under /opt/cisco/platform/logs/ |
|
Using proxy authentication in FMC for smart licensing is failing after upgrading to 7.0.5 |
|
8x10Gb netmod fails to come online |
|
ASA/FTD - SNMP related memory leak behavior when snmp-server is not configured |
|
rpc service detector causing snort traceback due to universal address being an empty string |
|
ASA Traceback & reload citing thread name: asacli/0 |
|
ASA/FTD may traceback and reload after executing 'clear counters all' when VPN tunnels are created |
|
The command "app-agent heartbeat" is getting removed when deleting any created context |
|
CLUSTER: ICMP reply arrives at director earlier than CLU add flow request from flow owner. |
|
ASA/FTD may traceback and reload in Thread Name 'None' at lua_getinfo |
|
ASA/FTD Show chunkstat top command implementation |
|
SFDataCorrelator cores due to stuck database query after 1 hour deadlock timeout |
|
ASA/FTD might traceback in function "snp_fp_l2_capture_internal" due to cf_reinject_hide flag |
|
FTD upgrade failure at "999_finish/999_zz_install_bundle.sh" due to bad key cert |
|
ASA/FTD may traceback and reload in Thread Name 'ci/console' when checking Geneve capture |
|
changing time window settings in FMC GUI event viewers may not work with FMC integrated with SecureX |
|
ASA/FTD: High failover delay with large number of (sub)interfaces and http server enabled |
|
EventHandler warnings if syslog facility is CONSOLE |
|
2100: Power switch toggle leads to ungraceful shutdowns and "PowerCycleRequest" reset |
|
FMC Upgrade: generation of sftunnel.json file per FTD does not check for duplicate names |
|
Stale IKEv2 SA formed during simultaneous IKE SA handling when missing delete from the peer |
|
FDM WM-HA ssh is not working after upgrading 7.2.3 beta with data interface as management |
|
ASA: FP2100 FTW timeout triggered by high CPU usage during FTD Access Control Policy deploy. |
|
FMC: Domain creation fails with error "Index 'netmap_num' for table 'domain_control_info'" |
|
FP2100:Update LINA asa.log files to avoid recursive messages-<date>.1.gz rotated filenames |
|
Question mark in NAT description causes config mismatch on Data members of an FTD cluster |
|
IMS: FP2100 FTW timeout triggered by high CPU usage during FTD Access Control Policy deploy. |
|
Snort3 crashes are seen under Dce2Smb2FileTracker processing of data |
|
ASA/FTD drops traffic to BVI if floating conn is not default value due to no valid adjacency |
|
Remove FMC drop_cache trigger to prevent Disk I/O increase due to file cache thrashing |
|
Unable to save Access Control Policy changes due to Internal error |
|
log rotation for process_stderr.log and process_stdout.log files may fail due to race condition |
|
Management interface link status not getting synced between FXOS and ASA |
|
Certain containers have extra gray borders and certain containers are styled incorrectly |
|
Manager gets unregistered on its own from the FTD, show manager shows 'No managers configured' |
|
FTD:Node not joining cluster with "Health check detected that control left cluster" due to SSL error |
|
ASA/FTD: Revision of cluster event message "Health check detected that control left cluster" |
|
After FMC upgrade, SecureX ribbon redirects to US cloud region regardless of the set cloud region |
|
FTD: "timeout floating-conn" not operating as expected for connections dependent on VRF routing |
|
WR6, WR8, LTS18 and LTS21 commit id update in CCM layer (seq 45) |
|
FTD Traceback and reload on Thread Name "NetSnmp Event mib process" |
|
DCCSM session authorization failure causes multiple issues across FMC |
|
Policy Deploy Failing when trying to remove Umbrella DNS Connector Configuration |
|
ASA/FTD traceback in snp_tracer_format_route |
|
ASA/FTD: Ensure flow-offload states within cluster are the same |
|
Pri-Active FMC NOT triggering registration TASK for FTD to configure standby manager |
|
Cisco ASA and FTD ACLs Not Installed upon Reload |
|
ASA/FTD may traceback and reload |
|
TID python processes stuck at 100% CPU |
|
ASA: Prevent SFR module configuration on unsupported platforms |
|
The command "neighbor x.x.x.x ha-mode graceful-restart" removed when deleting any created context |
|
FP2100 series devices might use excessive memory if there is a very high SNMP polling rate |
|
KP Generating invalid core files which cannot be decoded 7.2.4-64 |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
FTD: unable to run any commands on CLISH prompt |
|
Deployment is blocked due to Pre-deploy Validation Error - Invalid endpoint |
|
FTD 3100 Crash in Thread Name: CP Processing |
|
ASA/FTD may traceback and reload in Thread Name DATAPATH-3-21853 |
|
Selective deployment negating the route configs |
|
Selective deployment removing the prefilter-configs |
|
Unable to login to FTD using external authentication |
|
Cross-interface-access: ICMP Ping to management access ifc over VPN is broken |
|
FMC runs out of space when Snort sends massive numbers of packet logs |
|
logrotate is not compressing files on 9.16 ASA or 7.0 FTD |
|
SFDataCorrelator spam seen in /var/log/messages |
|
AnyConnect - mobile devices are not able to connect when hostscan is enabled |
|
Snort2 rule recommendations increases disabled rule count drastically |
|
Upgraded FMC didn't mark FTD's with Hot Fix as light registered - failed FMC HA sync |
|
High rate of network map updates can cause large delays and backlogs in event processing |
|
vFMC disk space full due to 40GB of /var/lib/mysql/undo* files |
|
FMC Upgrade from Active-Primary FMC is failed with "Installation failed: Peer Discovery incomplete." |
|
Fix Snort3 Memory Utilisation Value |
|
Prune target should account for the allocated memory from the thread pruned |
|
SFDataCorrelator log spam when network map is full |
|
asa_snmp.log is not rotated, resulting in large file size |
|
Requirement: Log rotate utility needs to handle the rotating of the asa-appagent.log file |
|
Serial number attribute from the subject DN of certificate should be taken as the username |
|
Notification Daemon false alarm of Service Down |
|
Username-from-certificate feature cannot extract the email attribute |
|
Missing Instance ID in unified_events-2.log |
|
Mserver restarts frequently |
|
Getting "Unknown" for multiple SSL fields when status is Do Not Decrypt (Unsupported Cipher Suite) |
|
FXOS REST API: Unable to create a keyring with type "ecdsa" |
|
Observed ASA traceback and reload when performing hitless upgrade while VPN traffic running |
|
DOC: Add note regarding FTD/Lina syslog message format |
|
FTD: Unable to process a TLS1.2 website with TLS Server Identity with client generating SSL Errors |
|
standby in disabled state after QP-MI HA 7.0.3 to 7.2.4-126, APPLY_APP_CONFIG_APPLICATION_FAILURE |
|
Upgrade Device listing page is taking more than 15 mins to load page fully with 25 FTDs registered |
|
ISE Integration Network filter not accepting multiple comma separated networks |
|
Can't log with "info" and "debug". |
|
FATAL errors in DBCheck due to missing columns in eventdb table |
|
SFDataCorrelator process crashing very frequently on the FMC. |
|
In some specific scenarios, object optimizer can cause incorrect rules to be deployed to the device |
|
Health Monitoring to NOT collect route stats for transparent mode FTD |
|
Comments disappear from access rules when the rule is copied within or out of Access Policy. |
|
Images missing on sf.xml file |
|
Packet data is still dropped after upgrade |
|
[Snort 3] IPS Policy Overrides not working on Chained Intrusion Policies |
|
DOC: FMC New Features by Release page outdated suggested release |
|
Snort 3 HTTP Intrusion Prevention System Rule Bypass Vulnerability |
Resolved Bugs in Version 7.2.3.1
Table last updated: 2023-04-18
Bug ID |
Headline |
---|---|
Firepower 1010E speed and duplex are set to "auto" on the FMC, deployment fails |
Resolved Bugs in Version 7.2.3
Table last updated: 2023-02-27
Bug ID |
Headline |
---|---|
Multiple log files have zero bytes due to logrotate failure |
|
FTD process log files can fill disk and cause system down events and block user login ability |
|
In addition to the c_rehash shell command injection identified in CVE-2022-1292 |
Resolved Bugs in Version 7.2.2
Table last updated: 2020-11-30
Bug ID |
Headline |
---|---|
Temporary HA split-brain following upgrade or device reboot |
Resolved Bugs in Version 7.2.1
Bug ID |
Headline |
---|---|
Return error messages when failing to retrieve objects from database |
|
ASA/FTD 9344 blocks depleted due to high volume of fragmented traffic |
|
FQDN Object Containing IPv4 and IPv6 Addresses Only Install IPv6 Entries |
|
Not able to login to UI/SSH on FMC, console login doesn't prompt for password |
|
Default variable set missing on FMC |
|
BGP table not removing connected route when interface goes down |
|
Shutdown command reboots instead of shutting the FP1k device down. |
|
ASA traceback and reload while allocating a new block for cluster keepalive packet |
|
Unstable client processes may cause LINA zmqio traceback on FTD |
|
MonetDB crashing due to file size error |
|
LINA observed traceback on thread name "snmp_client_callback_thread" |
|
username from cert feature does not work with SER option |
|
ASA: Reload and Traceback in Thread Name: Unicorn Proxy Thread with Page fault: Address not mapped |
|
URL lookup responding with two categories |
|
Cannot add object to network group on FMC |
|
ISA3000 in boot loop after powercycle |
|
Chassis and application sets the time to Jan 1, 2010 after reboot |
|
FXOS misses logs to diagnose root cause of module show-tech file generation failure |
|
Cisco ASDM and ASA Software Client-side Arbitrary Code Execution Vulnerability |
|
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-9-11543' |
|
SSL policy deploy failing when using special characters on SSL rule names |
|
FIPS self-tests must be run when CC mode is enabled - files are missing |
|
WR8, LTS18 and LTS21 commit id update in CCM layer (Seq 25) |
|
Unable to identify dynamic rate limiting mechanism & not following msg limit per sec at syslog server. |
|
SNMP queries for crasLocalAddress are not returning the assigned IPs for SSL/DTLS tunnels. |
|
Malware Block false positives triggered after upgrade to version 7.0.1 |
|
FDM: Policy deployment failure after upgrade due to unused IKEv1 policies |
|
GeoDB updates on multi-domain environment requires a manual policy deployment |
|
WR8, LTS18 and LTS21 commit id update in CCM layer (seq 26) |
|
ASA snmpd Traceback & cores on an active unit |
|
Disk usage errors on Firepower Azure device due to large backup unified files under ngfw directory |
|
FTD: IKEv2 tunnels flaps every 24 hours and crypto archives are generated |
|
ASA/FTD Traceback and reload caused by Smart Call Home process sch_dispatch_to_url |
|
ASA DHCP server fails to bind reserved address to Linux devices |
|
CVE-2022-28199: Evaluation for FTDv and ASAv |
|
PM needs to restart the Disk Manager after creating ramdisk to make DM aware of the ramdisk |
|
FTD: AAB cores are not complete and not decoding |
|
FMC is stuck on loading SI objects page |
|
FP4112|4115 Traceback & reload on Thread Name: netfs_thread_init |
|
ASA traceback in Thread Name: SXP CORE |
|
ASA unable to configure aes128-gcm@openssh.com when FIPS enabled |
|
ASA traceback in Thread Name: fover_parse and triggered by snmp related functions |
|
FW traceback in timer infra / netflow timer |
|
FXOS is not rotating log files for partition opt_cisco_platform_logs |
|
PBR not working on ASA routed mode with zone-members |
|
Some SSL patterns not detected after VDB 356 or higher is installed |
|
ASA crashes on fp2100 when checking CRL |
|
RIP is advertising all connected Anyconnect users and not matching route-map for redistribution |
|
FTD offloads SGT tagged packets although it should not |
|
ASA/FTD proxy arps any traffic when using the built-in 'any' object in translated destination |
|
ASA/FTD firewall may traceback and reload when tearing down IKE tunnels |
|
ASA HA Active/standby tracebacks seen approximately every two months. |
|
ASA/FTD traceback and reload due to the initiated capture from FMC |
|
Portmanager/LACP improvement to capture logging events on external event restarts |
|
Snmpwalk output of memory does not match show memory/show memory detail |
|
Deployment failing when collecting policies. |
|
TPK ASA: Device might get stuck on ftp copy to disk |
|
ACP Network Validation Failure - Unable to parse ip - Can't call method "binip" - Blank Space |
|
FMC upgrade fails due Mismatch in number of entries between /etc/passwd and /etc/shadow |
|
Lina traceback and reload during EIGRP route update processing. |
|
Cisco ASA and FTD Software RSA Private Key Leak Vulnerability |
|
snp_fp_vxlan_encap_and_grp_send_common: failed to find adj. bp->l3_type = 8, inner_sip message |
|
FMC DBcheck.pl hangs at "Checking mysql.rna_flow_stats_template against the current schema" |
|
Flex Config allow - "timeout icmp-error hh:mm:ss" |
|
ASA: Multiple Context Mixed Mode SFR Redirection Validation |
|
Upgrade to 7.2 on FTDv for Nutanix is stuck after reboot |
|
ASA/FTD traceback and reload on NAT related function nat_policy_find_location |
|
SNMP interface threshold doesn't trigger properly when traffic sent to interface ~4gbps |
|
FMC syslog-ng daemon fails to start if log facility is set to ALERT |
|
upgrade with a large amount of unmonitored disk space used can cause failed upgrade and hung device |
|
We can't monitor the interface via "snmpwalk" once interface is removed from context. |
|
ASA/FTD traceback and reload with timer services assertion |
|
ASA graceful shut down when applying ACL's with forward reference feature and FIPS enabled. |
|
Unable to apply SSH settings to ASA version 9.16 or later |
|
Intrusion Policy shows last modified by admin even though changes are made by a different user |
|
FPR1010 - No ARP on switchport VLAN interface after portmanager DIED event |
|
ASA/FTD may traceback and reload in Thread Name 'ssh' |
|
FPR3100: 25G optic may show link up on some 1/10G capable only fiber ports |
|
New ACP UI does not load if there are manually entered Location IP literal values in that policy |
|
Not re-subscribing to ISE topics after certain ISE connectivity issues. |
|
ASA/FTD may traceback and reload in Thread Name 'None' |
|
Fragmented packets are dropped when unit leaves cluster |
|
Interface internal data0/0 is up/up from cli but up/down from SNMP polling |
|
Upgrade fails when using DDNS Service with user and password |
|
TTL values causing packets to retransmit |
|
Watchdog crash on FP1000 during very heavy AnyConnect SSL VPN tunnel establishment |
|
Unable to disable "Retrieve to Management Center" |
|
snort3 crash due to NULL pointer in TLS Client Hello Evaluation |
|
Azure ASA NIC MAC address for Gigeth 0/1 and 0/2 become out of order when adding interfaces |
|
ASA/FTD may traceback and reload in Thread Name 'ci/console' |
|
ASA/FTD - Traceback in Thread Name: appAgent_subscribe_nd_thread |
|
ASA/FTD IPSEC debugs missing reason for change of peer address and timer delete |
|
URL cloud lookup if enabled on the FMC may not work on newly registered devices. |
|
ASA tracebacks after SFR was upgraded to 6.7.0.3 |
|
ASA traceback and reload when modifying DNS inspection policy via CSM or CLI |
|
Control-Plane ACL Non-Functional After Upgrade to 9.18(1) or 7.2.0-82 Firepower |
|
FTD/ASA traceback and reload at at ../inspect/proxy.h:439 |
|
DCERPC traffic is dropped after upgrade to snort3 due to Parent flow is closed |
|
ASA - Restore not remove the new configuration for an interface setup after backup |
|
FMC logs user out when editing any backdraft page |
|
Syslog facility "ALERT" should be changed on FDM since is not supported anymore by syslog-ng |
|
Database files on disk grow larger than expected for some frequently updated tables |
|
"show nat pool cluster" commands run within EEM scripts lead to traceback and reload |
|
Upgrade to MariaDB 10.5.16 to get security vulnerability fixes |
|
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-20-7695' |
|
ASA/FTD can not parse UPN from SAN field of user's certificate |
|
AC SSLVPN with Certificate Authentication and DAP failure if client's machine cert has empty subject |
|
ASA/FTD traceback and reload on Thread id: 1637 |
|
AC Policy UI: Cannot search rules while the rules are loading |
|
AC Policy New UI: Adding rule inside a category throws index error |
|
Cisco ASA and FTD Software RSA Private Key Leak Vulnerability |
|
9344 Block leak due to fragmented GRE traffic over inline-set interface inner-flow processing |
|
Snort3: NFSv3 mount may fail for traffic through FTD |
|
ASA: SLA debugs not showing up on VTY sessions |
|
Retrospective file disposition updates fail due to incorrect eventsecond values in fileevent tables |
|
High unmanaged disk usage on Firepower 2110 device |
|
NAT64 translates all IPv6 Address to 0.0.0.0/0 when object subnet 0.0.0.0 0.0.0.0 is used |
|
FPR3100: 8x1G copper netmod may incorrectly report obsolete firmware on boot |
|
Onboarding on-prem FMC to CDO using SecureX fails due to User Authentication Failed error |
|
FMC authentication with SecureX Orchestration fails |
|
Upgrade fail & App Instance fail to start with err "CSP_OP_ERROR. CSP signature verification error." |
|
FTD Multiple log files with zero byte size. |
|
Snort3 crash with TLS 1.3 |
|
snort3 hangs in Crash handler which can lead to extended outage time during a snort crash |
|
v7.2 post-upgrade performance issues due to excessive intrusionevent partition tables |
|
SFDataCorrelator fails to start after <7.1 to >=7.1.0 upgrade due to compliance.rules "session_both" |
|
Deployment fails with error Invalid Snort3IntrusionPolicy mode. Supports only inline and inline-test |
Resolved Bugs in Version 7.2.0.1
| Bug ID | Headline |
|---|---|
| | Cisco ASA and FTD Software RSA Private Key Leak Vulnerability |
| | ASA/FTD traceback and reload with timer services assertion |
| | Cisco ASA and FTD Software RSA Private Key Leak Vulnerability |
Resolved Bugs in Version 7.2.0
| Bug ID | Headline |
|---|---|
| | Expired certs cause Security Intelligence updates to fail |
| | FMC Event backups to remote SSH storage targets fail |
| | Redundant service-object group created while crypto ACL is used in S2S VPN. |
| | Portmanager/LACP improvement to avoid false restarts and increase of logging events |
| | FMC Backup failure- Monetdb backup failure code 102 |
| | Disk corruption occurs when /mnt/disk0 partition is full and blade is rebooted |
| | Cisco Firepower Management Center Software Cross-Site Scripting Vulnerability |
| | SLR license application failes on manged devices |
| | FMC should support southern hemisphere DST configurations |
| | Connection events are not sent to Firepower Management Center due to deploy race condition |
| | FMC CPU graph displays the wrong number of Snort and System cores |
| | SFDataCorrelator performance problems involving redundant new host events with only MAC addresses |
| | Radius external authentication object fails to install on FTD due to invalid retries |
| | Long delays when executing SNMP commands |
| | Snort cores generated intermittently when SSL policy is enabled on the ASA-SFR module |
| | AnyConnect users with mapped group-policies take attributes from default GP under the tunnel-group |
| | Multiple Cisco Products Snort Modbus Denial of Service Vulnerability |
| | Losing admin and other users from Mysql DB and EO |
| | SNMPv3 doesn't work for SFR modules running version 7.0 |
| | SSL decryption not working due to single connection on multiple in-line pairs |
| | The 'show cluster info trace' output is overwhelmed by 'tag does not exist' messages |
| | Infinitely running jobs in the task list |
| | Datapath deadlocks seen on when sending ICMP PMTU for AnyConnect-SSL |
| | FXOS is not rotating log files for management interface |
| | Access Policy Control Clear Hit Count throwing Error 403: Forbidden |
| | WM 1010 HA Failover is not successful when we give failover active in secondary. |
| | FMC Does not allow to create an EIGRP authentication secret key using the $ character |
| | SNMPv3 not working after upgrade of FMC |
| | FPR2100 ONLY - PERMANENT block leak of size 80, 256, and 1550 memory blocks & blackholes traffic |
| | Unable to push extra domains >1024 Character, as part of Custom Attribute under Anyconnect VPN |
| | Elektra upgrade failed while upgrading |
| | Occasionally policy deployment failure are reported as successful |
| | Software upgrade on ASA application may failure without obvious reasons |
| | FMC GUI does not load Intrusion Policies |
| | Cannot open FMC Access Details -> Configuration tab after FMC upgrade |
| | FMC process dbsrv16 has high CPU utilization after the FMC upgrade |
| | FTD does not send the authentication information to proxy server when download the VDB and GEODB. |
| | Update host from URL if not available in the packet to stop cloud lookup for null host http requests |
| | Unable to remove/modify Standard Access List objects in FMC |
| | PKI "OCSP revocation check" failing due to sha256 request instead of sha1 |
| | Unable to generate the PDF with access policy having large nested objects |
| | Fail to import with error "is not a table" |
| | Server hello done on TLS stripped by FTD after enabling 'early application detection' with snort3 |
| | ASA/FTD Traceback in crypto hash function |
| | User unrecognized alarm for discovered identity realm users |
| | Devices with same catagory are catagorized with multiple catagory names |
| | ASA/FTD MAC modification is seen in handling fragmented packets with INSPECT on |
| | Cluster CCL interface capture shows full packets although headers-only is configured |
| | FMC: Add validation checks for the combination of SSL/Snort3/NAP in Detection mode |
| | FTD Failover unit does not join HA due to "HA state progression failed due to APP SYNC timeout" |
| | QP vFTD Policy Deployment with snort2 Failed with Undefined package variable |
| | SNMP polling fails after a re-image |
| | ASDM on MAC popup remove hostscan/CSD pkg |
| | SRU install should validate files upon completion |
| | ssl inspection may have unexpected behavior when evicting certificates |
| | FMC connection event search causing high memory utilisation for index.cgi |
| | Unable to load Devices --> Certificates page |
| | FPR1010 in HA Printing Broadcast Storm Alerts for Multiple Interfaces |
| | A carefully crafted request body can cause a buffer overflow in the ... |
| | Unable to save the application policy filter. Save tab is stuck and its continuously loading. |
| | Occasionally deleted sensor/interfaces are not removed from security zones |
| | FTD stops generating Syslog ID 430002 and 430003 with EventHandler cores |
| | SNMPv3 - SNMP EngineID changes after every configuration change |
| | FMC GUI can be accessed by an expired password when using .cgi with https://FMCIP/login.cgi |
| | Deployment rollback causes brief traffic drop due to order of operations |
| | Multiple Cisco Products Server Name Identification Data Exfiltration Vulnerability |
| | Access rule-ordering gets automatically changed while trying to edit it before page refresh/load |
| | Unable to restrict user access when using ASDM |
| | ASA SNMP Poll is failing & show display "Unable to honour this request now.Please try again later." |
| | 7.1.0.1-25 upgrade failed on KP-HA at 800_post/901_reapply_sensor_policy.pl |
| | snort3 - resumed sessions not being decrypted can fail |
| | Snort instance CPU stuck at 100% |
| | Unable to save DAP Endpoint Criteria as "Disabled" |
| | In some cases snmpwalk for ifXTable may not return data interfaces |
| | SFDataCorrelator memory growth with cloud-based malware events |
| | Firepower 2100 FTD: ssh-access-list configuration are lost after upgrading |
| | FTD AC VPN certificate is lost across reloads |
| | Evaluation OpenJDK CVEs for ASDM & ASA REST API |
| | Big number of repetitive messages in snmpd.log leading to huge log size |
| | Disk utilization increasing /var/tmp in FPR4150-ASA chassis |
| | DNS server configuration is lost if configuring through RA VPN page on FDM 7.1.0 |
| | FMC 7.0 FlexConfig blocked mac-address-table aging-time for transparent FTD without any alternativ |
| | Cannot use underscore (_) in FMC's realm AD Primary Domain configuration |
| | ASDM:DAP config missing AAA Attributes type (Radius/LDAP) |
| | NAT rule modification after rule search changes rule order |
| | FDM failover pair - new configured sVTI IPSEC SA is not synced to standby. FDM shows HA not in sync |
| | Time-range objects incorrectly populated in prefilter rules |
| | Entitlement tags contain invalid character. |
| | Cgroup triggering oom-k for backup process |
| | Execution of commands appears to result in a new zombie process |
| | Event Rate on FMC Health Monitoring Dashboard shows extremely high values |
| | Cisco FXOS and NX-OS Software Cisco Discovery Protocol Service Denial of Service |
| | Customized Variables name cause Snort3 validation failure |
| | Connection events are not seen on FMC, SFDataC doesn't process events from to_import dir |
| | FDM: Add validation checks for the combination of SSL/Snort3/NAP in Detection mode |
| | NAT (any,any) statements in-states the failover interface and resulting on Split Brain events |
| | Snort3 .dmp and crashinfo files are not managed by diskmanager |
| | FDM IKEv2 S2S PSK Not Deploying Correctly (Changing Asymmetric to Symmetric PSK) |
| | log file flooded by ssl_policy log_error messages when ssl debug is enabled |
| | Unexpected HTTP/2 data frame causing segfault |
| | Snort stops processing packets when SSL decryption debug enabled - Snort2 |
| | Cisco Firepower Management Center Cross-site Scripting Vulnerability |
| | duplicate ACP rules are generated on FMC 6.6.5 after rule copy. |
| | Snort blocking and dropping packet, with bigger size(1G) file download |
| | WR6, WR8 and LTS18 commit id update in CCM layer(sprint 125, seq 21) |
| | ASA traceback and reload on routing |
| | Security: CVE-2021-44228 -> Log4j 2 Vulnerability |
| | Increase logging level to diagnose LACP process unexpected restart events |
| | Implement SNP API to check ifc and ip belongs to HA LU or CMD interface |
| | Proxy URI URL for URL Filtering (beaker service) includes encoded user/password strings |
| | FDM: Management interface name mismatch between HA units and FDM UI / CLI |
| | Threshold mis-behavior of "-1" after configuring Type:Both for specific rule |
| | ASA/FTD Traceback in memory allocation failed |
| | ASA installation/upgrade fails due to internal error "Available resources not updated by module" |
| | QP4110 and QW4115 in disabled state with CD App Sync error is Rsync is not enabled on active device |
| | HM process OOM killed on FTD 1120 |
| | FTD VTI reports TUNNEL_SRC_IS_UP false despite source interface is up/up and working |
| | Snort reload times out causing restart |
| | SFDataCorrelator crash at AddFileToPendingHash() due to race condition |
| | Config only FMC: SI feed downloaded file does not match expected checksum |
| | Connection event report displays the same device twice |
| | ASAV will not boot on REDHAT KVM under Dell PowerEdge R650 |
| | Lina process remains in started status after a major FTD upgrade to 6.7 or 7.0 |
| | nullPointerException during 100_ftd_onbox_data_import.pl causes upgrade from 7.0.0 to 7.1.0 to fail |
| | Syslog IDs 725021 and 725022 are not listed as valid IDs |
| | Registered devices may miss on standby FMC due to AnyConnect HostScan class files sync failure |
| | snort3 - Policy does not become dirty after updating LSP -when only custom intrusion policies in use |
| | Loggerd process is getting killed due to OOM under high logging rate |
| | ENH: Enhance the deployment failure behavior on FTD managed by FDM |
| | FMC - "Receiving thread exited with an exception: stoi" causing pxGrid to flap |
| | Cisco Firepower Threat Defense Software DNS Enforcement Denial of Service Vulnerability |
| | Unable to configure NAP under Advanced Tab in AC policy |
| | REST API - Bulk AC rules creation fails with 422 Unprocessable Entity |
| | If a connection to Smart Satellite Server is using a certificate, it cannot be reverted |
| | Unable to create Monitor Alerts in FMC |
| | Policy deployment may fail if platform settings contain DH group1 for SSL |
| | FXOS A crafted request uri-path can cause mod_proxy to forward the request to an origin server... |
| | When PM disables mysqld, sometimes it is taking longer than expected to fully shutdown. |
| | URL incorrectly extracted for TLS v1.2 self signed URLs when "Early application detection" enabled |
| | Multiple issues with transactional commit diagnostics |
| | ASA/FTD traceback and reload on netsnmp_handler_check_cache function |
| | FTD/FDM: RA VPN sessions disconnected after every deployment if custom port for RA VPN is configured |
| | FMC should not create archival for NGIPS devices |
| | FMC is generating and removing the AAA commands for the realm unnecessarily |
| | FDM High Availability cannot be created using Etherchannel as failover interface. |
| | Random characters displayed on DNSQuery field for specific queries. |
| | Primary takes active role after reload |
| | SNMP queries for crasLocalAddress are not returning the assigned IPs for SSL/DTLS tunnels. |
| | default-information originate is configured first then Stub command is not allowed for config |
| | Deployment gets hung at snapshot generation phase during deploy |
| | FMC UI may become inaccessible due to connection leaks in internal database |
| | FMC: Unable to configure AnyConnect MTU for group-policy with only IKEv2 protocol enabled |
| | CIAM: Apache-http-server CVE-2021-44790 and CVE-2021-44224 |
| | ssl unexpected behavior with resumed sessions |
| | Uploading firmware triggers data port-channel to flap |
| | VDB Version shouldn't be update if fails |
| | FPR8000 sensor UI login creates shell user with basic privileges |
| | FTD software upgrade may fail at 200_pre/505_revert_prep.sh |
| | Authorization Failure in DCCSM bridge during device registration. |
| | FTD upgrade fails on 800_post/100_ftd_onbox_data_import.sh |
| | Error F0854 FDM Keyring's RSA modulus is invalid |
| | FMC event report generation fails if one is already running |
| | Continuous ADI traceback and reload on FPR2100 registered to FMC HA |
| | Facilities ALERT, AUDIT, CLOCK and KERN do not work in sending Audit Log to syslog from FMC. |
| | LACP packets through inline-set are silently dropped |
| | ISA3000 shutdown command reboots system and does not shut system down. |
| | Active FMC not deregistering sensors after breaking HA |
| | FMC should do an abort of any previous configuration sessions before applying new delta |
| | Host information is missing when Security Zones are configured in Network Discovery rules |
| | ASA with SNMPv3 configuration observes unexpected reloads with snmpd cores |
| | Portmanager/LACP improvement to capture logging events on external event restarts |
| | FMC does not check for IP overlap with FTD failover interface |
| | FMC hardware appliance restore ends with an error "Unknown Failure Condition" |
| | FP1010 Switchport access vlan interface in up/up status but not passing traffic |
| | Random packet block by Snort in SSL flow |
| | RTC unstable clock register read causes "watchdog: BUG: soft lockup - CPU#0 stuck" error on console |
| | Realm download fails if one of the groups is deleted on the AD |
| | Snort Generator ID 3 rules disabled following Snort reload |
| | Unable to uncheck option Always advertise the default route for OSPF |
| | FMC SI Health Alerts: SI URL List and Feeds - Failure False Positives |
| | multiple db folders current-policy-bundle after deployment with anyconnect package before upgrade |
| | FTD misleading OVER_SUBSCRIBED flow flag for mid-stream flow |
| | snort 2 ssl-debug files may not be written |
| | "Interface configuration has changed on device" message may be shown after FTD upgrade |
| | ASA traceback and reload on snp_ha_trans_alloc_msg_muxbuf_space function |
| | LACP policy name set to Null after upgrade to 7.1.0.90 (2.11.1.154) on FPR1150 |
| | ASA/FTD traceback and reload at IKEv2 from Scaled S2S+AC-DTLS+SNMP long duration test |
| | Can't create Flexconfig Object with ldap-naming-attribute pager cause pager is block. |
| | ASA/FTD: OCSP may fail to work after upgrade due to "signer certificate not found" |
| | Multi-instance internal portchannel VLANs may be misprogrammed causing traffic loss |
| | Multiple Cisco Products Snort Modbus Denial of Service Vulnerability |
| | upload is failed when more number of cursors are returned from PAS |
| | FMC may disable autonegotiation for port-channels with 1Gbps SFP fiber members after FTD upgrade |
| | Loggerd syslog has stray incorrect timestamps, e.g. well before FirstPacketSecond |
| | LSP downloads fail when using proxy |
| | FMC intrusion event search produces inconsistent results |
| | FMC NFS configuration failling after upgrade from 6.4.0.4 to 7.0.1 |
| | FDM UI inaccessible 503 Service Unavailable due to five DNS servers configured |
| | Traceback: Standby FTD reboots and generates crashinfo and lina core on thread name cli_xml_server |
| | "Non stop forwarding not supported on '1'" error while configuring MAC address |
| | Deployment Failed at phase-2 with domain snapshot error |
| | FP9k SM-44 6.7.0.2 High CPU on radware vdp Cores after upgrade |
| | SNORT3 / SSL / Definitive DND verdict when there's an extra DND bottom rule, instead of regular DND |
| | Unable to add additional RADIUS authentication objects after upgrade to 6.7.0 |
| | ASA/FTD may traceback and reload. "c_assert_cond_terminate" in stack trace |
| | Standby FTD/ASA sends DNS queries with source IP of 0.0.0.0 |
| | FDM-managed FTD upgrade failure when custom cipher is selected in SSL Settings |
| | FMC ibdata1 file might grow large in size |
| | Snort cores in pdts_sftls_daq_acquire with SSL activated |
| | License and rule counts telemetry data incorrectly generated for HA managed devices |
| | Continuous deployment failure on QW-4145 device |
| | FMC NAT Policy report generation does not record the rules every 51*x |
| | FMC Realm user/group download doesn't spin the task |
| | Policy deployment fails with error- Rule update is running but there are no updates in progress. |
For Assistance
Upgrade Guides
In management center deployments, the management center must run the same or newer version as its managed devices. Upgrade the management center first, then devices. Note that you always want to use the upgrade guide for the version of management center or device manager that you are currently running—not your target version.
| Platform | Upgrade Guide | Link |
|---|---|---|
| Management center | Management center version you are currently running. | https://www.cisco.com/go/fmc-upgrade |
| Threat defense with management center | Management center version you are currently running. | https://www.cisco.com/go/ftd-fmc-upgrade |
| Threat defense with device manager | Threat defense version you are currently running. | https://www.cisco.com/go/ftd-fdm-upgrade |
| Threat defense with cloud-delivered Firewall Management Center | Cloud-delivered Firewall Management Center. | |
Install Guides
If you cannot or do not want to upgrade, you can freshly install major and maintenance releases. This is also called reimaging. You cannot reimage to a patch. Install the appropriate major or maintenance release, then apply the patch. If you are reimaging to an earlier threat defense version on an FXOS device, perform a full reimage—even for devices where the operating system and software are bundled.
| Platform | Install Guide | Link |
|---|---|---|
| Management center hardware | Getting started guide for your management center hardware model. | |
| Management center virtual | Getting started guide for the management center virtual. | |
| Threat defense hardware | Getting started or reimage guide for your device model. | |
| Threat defense virtual | Getting started guide for your threat defense virtual version. | |
| FXOS for the Firepower 4100/9300 | Configuration guide for your FXOS version, in the Image Management chapter. | |
| FXOS for the Firepower 1000/2100 and Secure Firewall 3100/4200 | Troubleshooting guide, in the Reimage Procedures chapter. | |
More Online Resources
Cisco provides the following online resources to download documentation, software, and tools; to query bugs; and to open service requests. Use these resources to install and configure Cisco software and to troubleshoot and resolve technical issues.
- Documentation: http://www.cisco.com/go/threatdefense-72-docs
- Cisco Support & Download site: https://www.cisco.com/c/en/us/support/index.html
- Cisco Bug Search Tool: https://tools.cisco.com/bugsearch/
- Cisco Notification Service: https://www.cisco.com/cisco/support/notifications.html
Access to most tools on the Cisco Support & Download site requires a Cisco.com user ID and password.
Contact Cisco
If you cannot resolve an issue using the online resources listed above, contact Cisco TAC:
- Email Cisco TAC: tac@cisco.com
- Call Cisco TAC (North America): 1.408.526.7209 or 1.800.553.2447
- Call Cisco TAC (worldwide): Cisco Worldwide Support Contacts