Cisco Secure Firewall Threat Defense Release Notes
This document contains release information for:
-
Cisco Secure Firewall Threat Defense
-
Cisco Secure Firewall Management Center (on-prem)
-
Cisco Secure Firewall Device Manager
For cloud deployments, see the Cloud-Delivered Firewall Management Center release notes or What's New for Security Cloud Control.
Release Dates
|
Version |
Build |
Date |
Platforms |
|---|---|---|---|
|
7.4.7 |
50 |
2026-04-15 |
All |
|
7.4.6 |
7 |
2026-02-17 |
Firewall Management Center |
|
7.4.5 |
2 |
2026-01-14 |
Firewall Management Center |
|
7.4.4 |
462 |
2026-01-05 |
All devices |
|
7.4.3 |
315 |
2025-10-13 |
All |
|
7.4.2.4 |
9 |
2025-09-25 |
All |
|
7.4.2.3 |
4 |
2025-06-17 |
All |
|
7.4.2.2 |
28 |
2025-03-03 |
All |
|
7.4.2.1 |
30 |
2024-10-09 |
All |
|
7.4.2 |
172 |
2024-07-31 |
All |
|
7.4.1.1 |
12 |
2024-04-15 |
All |
|
7.4.1 |
172 |
2023-12-13 |
All |
|
7.4.0 |
81 |
2023-09-07 |
Firewall Management Center Secure Firewall 4200 series |
Compatibility
Before you upgrade or reimage, make sure the target version is compatible with your deployment. If you cannot upgrade or reimage due to incompatibility, contact your Cisco representative or partner contact for refresh information. For compatibility, see Cisco Secure Firewall Threat Defense Compatibility Guide.
Features
For features in earlier releases, see Cisco Secure Firewall Management Center New Features by Release and Cisco Secure Firewall Device Manager New Features by Release.
Upgrade Impact
A feature has upgrade impact if upgrading and deploying can cause the system to process traffic or otherwise act differently without any other action on your part. This is especially common with new threat detection and application identification capabilities. A feature can also have upgrade impact if upgrading requires that you take action before or after upgrade to avoid an undesirable outcome; for example, if you must change a configuration.
The feature descriptions here include upgrade impact where appropriate. For a more complete list of features with upgrade impact by version, see Upgrade Impact Features.
Features in Maintenance Releases
Features, enhancements, and critical fixes included in maintenance releases (third-digit) and patches (fourth-digit) can skip future releases, depending on release date, release type (short term vs. long term), and other factors. Minimize upgrade and other impact by going directly to the latest maintenance release in your chosen version. See Choosing your upgrade target.
If you are using the web interface in a language other than English, features introduced in maintenance releases and patches may not be translated until the next major release.
Snort Features
Snort 3 is the default inspection engine for Firewall Threat Defense. Snort 3 features for Firewall Management Center deployments also apply to Firewall Device Manager, even if they are not listed as new Firewall Device Manager features. However, keep in mind that the Firewall Management Center may offer more configurable options than Firewall Device Manager.
 Important |
Snort 2 is deprecated in Version 7.7+, and prevents Firewall Threat Defense upgrade. If you are still using Snort 2 on older devices, switch to Snort 3 for improved detection and performance. |
Intrusion Rules and Keywords
Upgrades can import and auto-enable new and updated intrusion rules and preprocessor rules, modified states for existing rules, and modified default intrusion policy settings. If a newer intrusion rule uses keywords that are not supported in your current version, that rule is not imported when you update the SRU/LSP. After you upgrade and those keywords become supported, the new intrusion rules are imported and, depending on your IPS configuration, can become auto-enabled and thus start generating events and affecting traffic flow.
For details on new keywords, see the Snort release notes: https://www.snort.org/downloads.
FlexConfig
Upgrades can add web interface or Smart CLI support for features that previously required FlexConfig. Although you cannot newly assign or create FlexConfig objects using deprecated commands, in most cases existing FlexConfigs continue to work and you can still deploy. However, sometimes, using deprecated commands can cause deployment issues. The upgrade does not convert FlexConfigs. After upgrade, configure the newly supported features in the web interface or Smart CLI. When you are satisfied with the new configuration, delete the deprecated FlexConfigs.
The feature descriptions here include information on deprecated FlexConfigs when appropriate. For a full list of deprecated FlexConfigs, see your configuration guide.
Integrations and Logging
These integrations and logging facilities may have new features associated with threat defense and management center releases:
-
Syslog: Cisco Secure Firewall Threat Defense Syslog Messages
-
Cisco Success Network: Cisco Success Network Telemetry Data Collected from Cisco Secure Firewall Management Center
-
REST API: Secure Firewall Management Center REST API Quick Start Guide and Cisco Secure Firewall Threat Defense REST API Guide
Firewall Management Center Features in Version 7.4.7
|
Feature |
Minimum Management Center |
Minimum Threat Defense |
Details |
||
|---|---|---|---|---|---|
|
Model Migration |
|||||
|
Firewall Management Center without upgrading first |
7.4.7 (source) 10.0.0 (target) |
7.3.0 |
You can now migrate an older Firewall Management Center to a Version 10.0+ Firewall Management Center without first upgrading the source system to the target version.
Version restrictions: Not supported from a Version 7.6.x or 7.7.x Firewall Management Center. See: Cisco Secure Firewall Management Center Model Migration Guide |
||
Firewall Management Center Features in Version 7.4.6
There are no new features in this release. See Resolved Bugs in Version 7.4.6.
Firewall Management Center Features in Version 7.4.5
There are no new features in this release. See Resolved Bugs in Version 7.4.5.
Firewall Management Center Features in Version 7.4.4
Due to CSCws69719, Version 7.4.4 for the Firewall Management Center was deferred on 202-10-13 and is no longer available for download. If you downloaded it, do not use it. If you are running this version, upgrade.
There are no new features in this release. See Resolved Bugs in Version 7.4.4.
Firewall Management Center Features in Version 7.4.3
|
Feature |
Minimum Management Center |
Minimum Threat Defense |
Details |
|---|---|---|---|
|
Features from Earlier Maintenance Releases |
|||
|
Features from earlier maintenance releases. |
Feature dependent |
Feature dependent |
Version 7.4.3 also has:
|
|
Platform |
|||
|
DC power supply for the Secure Firewall 4200 |
7.4.3 7.6.2 7.7.0 |
7.4.3 7.6.2 7.7.0 |
The FPR4200-PWR-DC for Secure Firewall 4200 is a 1500 W DC power supply. The dual power supply modules can supply up to 1500 W power across the input voltage range (48 VDC to 60 VDC). The load is shared when both power supply modules are plugged in and running at the same time. |
|
Device Management |
|||
|
IMDSv2 support for AWS deployments. |
7.4.3 7.6.0 |
7.4.3 7.6.0 |
Firewall Threat Defense and Firewall Management Center virtual for AWS now support Instance Metadata Service Version 2 (IMDSv2), a security improvement over IMDSv1. When you enable the instance metadata service on AWS, IMDSv2 Optional mode is still the default, but we recommend you choose IMDSv2 Required. We also recommend you switch your upgraded instances. Platform restrictions: Not available for Firewall Management Center Virtual 300 See: Secure Firewall Threat Defense Virtual getting started guides and Cisco Secure Firewall Management Center Virtual Getting Started Guide |
|
Health Monitoring |
|||
|
Independently configure health monitoring for physical and subinterfaces. |
7.4.3 7.6.1 7.7.0 |
Any |
You can now disable health monitoring for a physical interface while continuing to monitor and receive health alerts for its subinterfaces. You can disable alerts permanently or temporarily. To do this, configure the device for health monitoring exclusion, edit that configuration to enable module-level exclusion, and finally configure exclusion settings for the Interface Settings health module. New/modified screens: System ( See: Health |
|
View health status for devices in leaf domains while logged into the parent domain. |
7.4.3 7.6.1 7.7.0 |
Any |
In a multidomain deployment, you can now view health status for devices in leaf domains while logged into the parent domain. See: Health |
|
Performance |
|||
|
Faster failover for high availability Firewall Threat Defense. |
7.4.3 7.6.4 7.7.0 |
7.4.3 7.6.4 7.7.0 |
With Firewall Threat Defense high availability failover, the new active device generates multicast packets for each MAC address entry and sends them to all bridge group interfaces, which prompts the upstream switches to update their routing tables. This task now runs asynchronously in the data plane, privileging critical failover tasks in the control plane. This makes failover faster, reducing downtime. See: High Availability |
|
Integrations |
|||
|
Umbrella integration with Firewall Management Center over a proxy. |
7.4.3 7.6.1 7.7.10 |
Any |
Umbrella integration with Firewall Management Center now works over a proxy. See: Configuring the Umbrella DNS Connector for Cisco Secure Firewall Management Center |
Firewall Management Center Features in Version 7.4.2
|
Feature |
Minimum Management Center |
Minimum Threat Defense |
Details |
|---|---|---|---|
|
Features from Earlier Maintenance Releases |
|||
|
Features from earlier maintenance releases. |
Feature dependent |
Feature dependent |
Version 7.4.2 also has: |
|
Platform |
|||
|
Firewall Management Center Virtual 300 for Azure. |
7.4.2 7.6.0 |
Any |
We introduced the Firewall Management Center Virtual 300 for Azure. It can manage up to 300 devices, and high availability is supported. Migration from the FMCv25 for Azure is also supported. See: Cisco Secure Firewall Management Center Virtual Getting Started Guide and Cisco Secure Firewall Management Center Model Migration Guide |
|
High Availability: Management Center |
|||
|
High availability for Firewall Management Center Virtual for Azure. |
7.4.2 7.6.0 |
Any |
We now support high availability for Firewall Management Center Virtual for Azure. In a Firewall Threat Defense deployment, you need two identically licensed Firewall Management Centers, as well as one Firewall Threat Defense entitlement for each managed device. For example, to manage 10 devices with an FMCv10 high availability pair, you need two FMCv10 entitlements and 10 Firewall Threat Defense entitlements. If you are managing Version 7.0.x Classic devices only (NGIPSv or ASA FirePOWER), you do not need FMCv entitlements. Platform restrictions: Not supported with FMCv2 See: Cisco Secure Firewall Management Center Virtual Getting Started Guide and High Availability |
Firewall Management Center Features in Version 7.4.1
|
Feature |
Minimum Management Center |
Minimum Threat Defense |
Details |
|---|---|---|---|
|
Features from Earlier Maintenance Releases |
|||
|
Features from earlier maintenance releases. |
Feature dependent |
Feature dependent |
Version 7.4.1 also has:
|
|
Platform |
|||
|
Network modules for the Secure Firewall 3130 and 3140. |
7.4.1 |
7.4.1 |
The Secure Firewall 3130 and 3140 now support these network modules:
See: Cisco Secure Firewall 3100 Series Hardware Installation Guide |
|
Optical transceivers for Firepower 9300 network modules. |
7.4.1 |
7.4.1 |
The Firepower 9300 now supports these optical transceivers:
On these network modules:
|
|
Performance profile support for the Secure Firewall 3100. |
7.4.1 |
7.4.1 |
The performance profile settings available in the platform settings policy now apply to the Secure Firewall 3100. Previously, this feature was supported on the Firepower 4100/9300, the Secure Firewall 4200, and on Firewall Threat Defense Virtual. See: Platform Settings |
|
Interfaces |
|||
|
Deploy without the diagnostic interface on Firewall Threat Defense Virtual for Azure and GCP. |
7.4.1 |
7.4.1 |
You can now deploy without the diagnostic interface on Firewall Threat Defense Virtual for Azure and GCP. Previously, we required one management, one diagnostic, and at least two data interfaces. New interface requirements are:
Restrictions: This feature is supported for new deployments only. It is not supported for upgraded devices. See: Secure Firewall Threat Defense Virtual getting started guides |
|
Device Management |
|||
|
Inspect and protect traffic through an Azure Virtual WAN hub. |
7.4.1 |
7.4.1 |
You can now use Firewall Threat Defense Virtual for Azure to inspect and protect traffic through a Microsoft Azure Virtual WAN hub. This integration allows you to consistently and easily apply security policies and configurations across all spokes in the hub, and to leverage built-in scalability and load balancer capabilities for optimal performance. See: Secure Firewall Threat Defense Virtual getting started guides |
|
Device management services supported on user-defined VRF interfaces. |
7.4.1 |
Any |
Device management services configured in the Firewall Threat Defense platform settings (NetFlow, SSH access, SNMP hosts, syslog servers) are now supported on user-defined Virtual Routing and Forwarding (VRF) interfaces. Platform restrictions: Not supported with container instances or clustered devices. See: Platform Settings |
|
High Availability/Scalability: Firewall Threat Defense |
|||
|
Multi-instance mode for the Secure Firewall 3100. |
7.4.1 |
7.4.1 |
You can deploy the Secure Firewall 3100 as a single device (appliance mode) or as multiple container instances (multi-instance mode). In multi-instance mode, you can deploy multiple container instances on a single chassis that act as completely independent devices. Note that in multi-instance mode, you upgrade the operating system and the firmware (chassis upgrade) separately from the container instances (Firewall Threat Defense upgrade). New/modified screens: New/modified Firewall Threat Defense CLI commands: configure multi-instance network ipv4 , configure multi-instance network ipv6 New/modified FXOS CLI commands: create device-manager , set deploymode Platform restrictions: Not supported on the Secure Firewall 3105. See: Multi-Instance Mode for the Secure Firewall 3100 and Secure Firewall Threat Defense upgrade guides for Firewall Management Center |
|
16-node clusters for Firewall Threat Defense Virtual for VMware and KVM. |
7.4.1 |
7.4.1 |
You can now configure 16-node clusters for Firewall Threat Defense Virtual for VMware and Firewall Threat Defense Virtual for KVM. See: Clustering for Firewall Threat Defense Virtual in a Private Cloud |
|
Target failover for clustered Firewall Threat Defense Virtualdevices for AWS. |
7.4.1 |
7.4.1 |
You can now configure target failover for clustered Firewall Threat Defense Virtual for AWS using the AWS Gateway Load Balancer (GWLB). Platform restrictions: Not available with five and ten-device licenses. See: Clustering for Firewall Threat Defense Virtual in a Public Cloud |
|
Detect configuration mismatches in Firewall Threat Defense high availability pairs. |
7.4.1 |
7.4.1 |
You can now use the CLI to detect configuration mismatches in Firewall Threat Defense high availability pairs. New/modified CLI commands: show failover config-sync error , show failover config-sync stats See: High Availability and Cisco Secure Firewall Threat Defense Command Reference |
|
High Availability: Management Center |
|||
|
Firewall Management Center high availability synchronization enhancements. |
7.4.1 |
Any |
Firewall Management Center high availability (HA) includes the following synchronization enhancements:
New/modified screens: You can view these alerts on the following screens:
See: High Availability |
|
SD-WAN |
|||
|
Application monitoring on the SD-WAN Summary dashboard. |
7.4.1 |
7.4.1 |
You can now monitor WAN interface application performance on the SD-WAN Summary dashboard. New/modified screens: |
|
VPN |
|||
|
IPsec flow offload on the VTI loopback interface for the Secure Firewall 3100. |
7.4.1 |
7.4.1 |
Upgrade impact. Qualifying connections start being offloaded. On the Secure Firewall 3100, qualifying IPsec connections through the VTI loopback interface are now offloaded by default. Previously, this feature was only supported on physical interfaces. This feature is automatically enabled by the upgrade. You can change the configuration using FlexConfig and the flow-offload-ipsec command. See: VPN Overview |
|
Crypto debugging enhancements for the Secure Firewall 3100 and Firepower 4100/9300. |
7.4.1 |
7.4.1 |
The crypto debugging enhancements introduced in Version 7.4.0 now apply to the Secure Firewall 3100 and the Firepower 4100/9300. Previously, they were only supported on the Secure Firewall 4200. See: Decryption Rules |
|
View details of the VTIs in route-based VPNs. |
7.4.1 |
Any |
You can now view the details of route-based VPNs' virtual tunnel interfaces (VTI) on your managed devices. You can also view details of all the dynamically created virtual access interfaces of the dynamic VTIs. New/modified screens: Device > Device Management > Edit a device > Interfaces > Virtual Tunnels tab. See: Site-to-Site VPNs |
|
Routing |
|||
|
Configure BFD routing on IS-IS interfaces with FlexConfig. |
7.4.1 |
7.4.1 |
You can now use FlexConfig to configure Bidirectional Forwarding Detection (BFD) routing on physical, subinterface, and EtherChannel IS-IS interfaces. |
|
Access Control: Threat Detection and Application Identification |
|||
|
Zero trust access enhancements. |
7.4.1 |
7.4.1 with Snort 3 |
Firewall Management Center now includes the following zero trust access enhancements:
New/modified screens: New/modified CLI commands: show running-config zero-trust , show zero-trust statistics |
|
CIP detection. |
7.4.1 |
7.4.1 with Snort 3 |
You can now detect and handle Common Industrial Protocol (CIP) by using CIP and Ethernet/IP (ENIP) application conditions in your security policies. See: Access Control Rules |
|
CIP safety detection. |
7.4.1 |
7.4.1 with Snort 3 |
CIP Safety is a CIP extension that enables the safe operation of industrial automation applications. The CIP inspector can now detect the CIP Safety segments in the CIP traffic. To detect and take action on the CIP Safety segments, enable the CIP inspector in the Firewall Management Center's network Analysis policy and assign it to an access control policy. New/modified screens: Policies > Access Control > Edit a policy > Add Rule > Applications tab > Search for CIP Safety in the search box. See: Cisco Secure Firewall Management Center Snort 3 Configuration Guide |
|
Access Control: Identity |
|||
|
Captive portal support for multiple Active Directory realms (realm sequences). |
7.4.1 |
7.4.1 |
Upgrade impact. Update custom authentication forms. You can configure active authentication for either an LDAP realm; or a Microsoft Active Directory realm or a realm sequence. In addition, you can configure a passive authentication rule to fall back to active authentication using either a realm or a realm sequence. You can optionally share sessions between managed devices that share the same identity policy in access control rules. In addition, you have the option to require users to authenticate again when they access the system using a different managed device than they accessed previously. If you use the HTTP Response Page authentication type, after you upgrade Firewall Threat Defense, you must add <select name="realm" id="realm"></select> to your custom authentication form. This allows the user to choose between realms. Restrictions: Not supported with Microsoft Azure Active Directory. New/modified screens: |
|
Share captive portal active authentication sessions across firewalls. |
7.4.1 |
7.4.1 |
Determines whether or not users are required to authenticate when their authentication session is sent to a different managed device than one they previously connected to. If your organization requires users to authenticate every time they change locations or sites, you should disable this option.
New/modified screens: |
|
Merge downloadable access control list with a Cisco attribute-value pair ACL for RADIUS identity sources, using the Firewall Management Center web interface. |
7.4.1 |
Any |
Upgrade impact. Redo any related FlexConfigs after upgrade. New/modified screens: New CLI commands:
See: Object Management |
|
Health Monitoring |
|||
|
Chassis-level health alerts for the Firepower 4100/9300. |
7.4.1 |
Any with FXOS 2.14.1 |
You can now view chassis-level health alerts for Firepower 4100/9300 by registering the chassis to the Firewall Management Center as a read-only device. You must also enable the Firewall Threat Defense Platform Faults health module and apply the health policy. The alerts appear in the Message Center, the health monitor (in the left pane, under Devices, select the chassis), and in the health events view. You can also add a chassis (and view health alerts for) the Secure Firewall 3100 in multi-instance mode. For those devices, you use the Firewall Management Center to manage the chassis. But for the Firepower 4100/9300 chassis, you still must use the chassis manager or the FXOS CLI. New/modified screens: See: Device Management |
|
Improved Firewall Management Center memory usage calculation, alerting, and swap memory monitoring. |
7.4.1 |
Any |
Upgrade impact. Memory usage alert thresholds may be lowered. We improved the accuracy of Firewall Management Center memory usage and have lowered the default alert thresholds to 88% warning/90% critical. If your thresholds were higher than the new defaults, the upgrade lowers them automatically—you do not have to apply health policies for this change to take place. Note that the Firewall Management Center may now reboot in extremely critical system memory condition if terminating high-memory processes does not work. You can also add new swap memory usage metrics to a new or existing Firewall Management Center health dashboard. Make sure you choose the Memory metric group. New/modified screens:
See: Health |
|
Deployment and Policy Management |
|||
|
Change management. |
7.4.1 |
Any |
You can enable change management if your organization needs to implement more formal processes for configuration changes, including audit tracking and official approval before changes are deployed. We added the System( See: Change Management |
|
Upgrade |
|||
|
Firmware upgrades included in FXOS upgrades. |
7.4.1 |
Any |
Chassis/FXOS upgrade impact. Firmware upgrades cause an extra reboot. For the Firepower 4100/9300, FXOS upgrades to Version 2.14.1 now include firmware upgrades. If any firmware component on the device is older than the one included in the FXOS bundle, the FXOS upgrade also updates the firmware. If the firmware is upgraded, the device reboots twice—once for FXOS and once for the firmware. Just as with software and operating system upgrades, do not make or deploy configuration changes during firmware upgrade. Even if the system appears inactive, do not manually reboot or shut down during firmware upgrade. |
|
Automatically generate configuration change reports after Firewall Management Center upgrade. |
7.4.1 |
Any |
You can automatically generate reports on configuration changes after major and maintenance Firewall Management Center upgrades. This helps you understand the changes you are about to deploy. After the system generates the reports, you can download them from the Tasks tab in the Message Center. Version restrictions: Only supported for Firewall Management Center upgrades from Version 7.4.1+. Not supported for upgrades to Version 7.4.1 or any earlier version. New/modified screens: See: System Configuration |
|
Administration |
|||
|
Erase the hard drives on a hardware Firewall Management Center. |
7.4.1 |
Any |
You can use the Firewall Management Center CLI to reboot and permanently erase its own hard drive data. After the erase is completed, you can install a fresh software image. New/modified CLI commands: secure erase See: Secure Firewall Management Center Command Line Reference |
|
Troubleshooting |
|||
|
Troubleshooting file generation and download available from Device and Cluster pages. |
7.4.1 |
7.4.1 |
You can generate and download troubleshooting files for each device on the Device page and also for all cluster nodes on the Cluster page. For a cluster, you can download all files as a single compressed file. You can also include cluster logs for the cluster for cluster nodes. You can alternatively trigger file generation from the menu. New/modified screens: See: Device Management |
|
Automatic generation of a troubleshooting file on a node when it fails to join the cluster. |
7.4.1 |
7.4.1 |
If a node fails to join the cluster, a troubleshooting file is automatically generated for the node. You can download the file from Tasks or from the Cluster page. |
|
View CLI output for a device or device cluster. |
7.4.1 |
Any |
You can view a set of pre-defined CLI outputs that can help you troubleshoot the device or cluster. You can also enter any show command and see the output. New/modified screens: See: Device Management |
|
Quick recovery after data plane failure for the Firepower 1000/2100 and Firepower 4100/9300. |
7.4.1 |
7.4.1 |
If the data plane process crashes, the system now reloads only the data plane process instead of rebooting the device. Along with the data plane process reload, Snort and a few other processes also get reloaded. However, if the data plane process crashes during bootup, the device follows the normal reload/reboot sequence, which helps avoid a reload process loop from occurring. This feature is enabled by default for both new and upgraded devices. To disable it, use FlexConfig. New/modified CLI commands: data-plane quick-reload , no data-plane quick-reload , show data-plane quick-reload status Supported platforms: Firepower 1000/2100, Firepower 4100/9300 Platform restrictions: Not supported in multi-instance mode. See: Cisco Secure Firewall Threat Defense Command Reference and Cisco Secure Firewall ASA Series Command Reference. |
|
Deprecated Features |
|||
|
Deprecated: Health alerts for frequent drain of events. |
7.4.1 |
7.4.1 |
The Disk Usage health module no longer alerts with
See: Troubleshooting |
|
Deprecated: VPN Tunnel Status health module. |
7.4.1 |
Any |
We deprecated the VPN Tunnel Status health module. Use the VPN dashboards instead. |
|
Deprecated: Merging downloadable access control list with a Cisco attribute-value pair ACL for RADIUS identity sources with FlexConfig. |
7.4.1 |
Any |
Upgrade impact. Redo any related FlexConfigs after upgrade. This feature is now supported in the Firewall Management Center web interface. |
) quick access icon in the menu.
Firewall Management Center Features in Version 7.4.0
Note |
Version 7.4.0 is available only on the Firewall Management Center and the Secure Firewall 4200. A Version 7.4.0 Firewall Management Center can manage older versions of other device models, but you must use a Secure Firewall 4200 for features that require Firewall Threat Defense 7.4.0. Support for all other device platforms resumes in Version 7.4.1. |
|
Feature |
Minimum Management Center |
Minimum Threat Defense |
Details |
||
|---|---|---|---|---|---|
|
Features from Earlier Maintenance Releases |
|||||
|
Features from earlier maintenance releases. |
Feature dependent |
Feature dependent |
Version 7.4.0 also has:
|
||
|
Platform |
|||||
|
Firewall Management Center 1700, 2700, 4700. |
7.4.0 |
Any |
We introduced the Firewall Management Center 1700, 2700, and 4700, which can manage up to 300 devices. Firewall Management Center high availability is supported. See: Cisco Secure Firewall Management Center 1700, 2700, and 4700 Getting Started Guide |
||
|
Firewall Management Center Virtual for Microsoft Hyper-V. |
7.4.0 |
Any |
We introduced Firewall Management Center Virtual for Microsoft Hyper-V, which can manage up to 25 devices. Firewall Management Center high availability is supported. See: Cisco Secure Firewall Management Center Virtual Getting Started Guide |
||
|
Secure Firewall 4200. |
7.4.0 m |
7.4.0 |
We introduced the Secure Firewall 4215, 4225, and 4245. You must manage these devices with a Firewall Management Center. They do not support device manager. These devices support the following new network modules:
See: Cisco Secure Firewall 4200 Series Hardware Installation Guide |
||
|
Performance profile support for the Secure Firewall 4200. |
7.4.0 |
7.4.0 |
The performance profile settings available in the platform settings policy now apply to the Secure Firewall 4200. Previously, this feature was supported only on the Firepower 4100/9300 and on Firewall Threat Defense Virtual. See: Platform Settings |
||
|
Platform Migration |
|||||
|
Migrate Firepower 1000/2100 to Secure Firewall 3100. |
7.4.0 |
Any |
You can now easily migrate configurations from the Firepower 1000/2100 to the Secure Firewall 3100. New/modified screens: Platform restrictions: Migration not supported from the Firepower 1010 or 1010E. See: Device Management |
||
|
Migrate Firepower Management Center 4600 to Secure Firewall Management Center for AWS. |
7.4.0 |
Any |
You can migrate from Firepower Management Center 4600 to Secure Firewall Management Center Virtual for AWS with a 300-device license. See: Cisco Secure Firewall Management Center Model Migration Guide |
||
|
Migrate Firepower Management Center 1600/2600/4600 to Secure Firewall Management Center 1700/2700/4700. |
7.4.0 |
Any |
You can migrate from Firepower Management Center 1600/2600/4600 to Secure Firewall Management Center 1700/2700/4700. See: Cisco Secure Firewall Management Center Model Migration Guide |
||
|
Migrate Firepower Management Center 1000/2500/4500 to Secure Firewall Management Center 1700/2700/4700. |
7.4.0 only |
7.0.0 |
You can migrate a Firepower Management Center 1000/2500/4500 to a Version 7.4.0 Secure Firewall Management Center 1700/2700/4700. To migrate, you must temporarily upgrade the old Firewall Management Center from Version 7.0 to Version 7.4.0.
To summarize the migration process:
See:
If you have questions or need assistance at any point in the migration process, contact Cisco TAC. |
||
|
Migrate devices from Firepower Management Center 1000/2500/4500 to Cloud-Delivered Firewall Management Center. |
7.4.0 only |
7.0.3 |
You can migrate devices from Firepower Management Center 1000/2500/4500 to Cloud-Delivered Firewall Management Center. To migrate devices, you must temporarily upgrade the on-prem Firewall Management Center from Version 7.0.3 (7.0.5 recommended) to Version 7.4.0. This temporary upgrade is required because Version 7.0 Firewall Management Centers do not support device migration to the cloud. Additionally, only standalone and high availability Firewall Threat Defense running Version 7.0.3+ (7.0.5 recommended) are eligible for migration. Cluster migration is not supported at this time.
To summarize the migration process:
See: If you have questions or need assistance at any point in the migration process, contact Cisco TAC. |
||
|
Device Management |
|||||
|
Zero-Touch Provisioning to register the Firepower 1000/2100 and Secure Firewall 3100 to the Firewall Management Center using a serial number. |
7.4.0 |
Mgmt. center is publicly reachable: 7.2.0 Mgmt. center is not publicly reachable: 7.2.4, 7.4.1 |
Zero-Touch Provisioning (also called low-touch provisioning) lets you register Firepower 1000/2100 and Secure Firewall 3100 devices to the Firewall Management Center by serial number without having to perform any initial setup on the device. The Firewall Management Center integrates with SecureX and Security Cloud Control for this functionality. New/modified screens: See: Add a Device to the Management Center Using the Serial Number (Low-Touch Provisioning) |
||
|
Interfaces |
|||||
|
Merged management and diagnostic interfaces. |
7.4.0 |
7.4.0 |
Upgrade impact. Merge interfaces after upgrade. For new devices using 7.4 and later, you cannot use the legacy diagnostic interface. Only the merged management interface is available. If you upgraded to 7.4 or later and:
Merged mode also changes the behavior of AAA traffic to use the data routing table by default. The management-only routing table can now only be used if you specify the management-only interface (including Management) in the configuration. For platform settings, this means:
New/modified screens: New/modified commands: show management-interface convergence See: Interface Overview |
||
|
VXLAN VTEP IPv6 support. |
7.4.0 |
7.4.0 |
You can now specify an IPv6 address for the VXLAN VTEP interface. IPv6 is not supported for the Firewall Threat Defense Virtual cluster control link or for Geneve encapsulation. New/modified screens: |
||
|
Loopback interface support for BGP and management traffic. |
7.4.0 |
7.4.0 |
You can now use loopback interfaces for AAA, BGP, DNS, HTTP, ICMP, IPsec flow offload, NetFlow, SNMP, SSH, and syslog. New/modified screens: Devices > Device Management > Edit device > Interfaces > Add Interfaces > Loopback Interface |
||
|
Loopback and management type interface group objects. |
7.4.0 |
7.4.0 |
You can create interface group objects with only management-only or loopback interfaces. You can use these groups for management features such as DNS servers, HTTP access, or SSH. Loopback groups are available for any feature that can utilize loopback interfaces. However, it's important to note that DNS does not support management interfaces. New/modified screens: See: Object Management |
||
|
High Availability/Scalability: Threat Defense |
|||||
|
Manage Firewall Threat Defense high availability pairs using a data interface. |
7.4.0 |
7.4.0 |
Firewall Threat Defense high availability now supports using a regular data interface for communication with the Firewall Management Center. Previously, only standalone devices supported this feature. See: Device Management |
||
|
SD-WAN |
|||||
|
WAN summary dashboard. |
7.4.0 |
7.2.0 |
The WAN Summary dashboard provides a snapshot of your WAN devices and their interfaces. It provides insight into your WAN network and information about device health, interface connectivity, application throughput, and VPN connectivity. You can monitor the WAN links and take proactive and prompt recovery measures. New/modified screens: Overview > WAN Summary |
||
|
Policy-based routing using HTTP path monitoring. |
7.4.0 |
7.2.0 |
Policy-based routing (PBR) can now use the performance metrics (RTT, jitter, packet-lost, and MOS) collected by path monitoring through HTTP client on the application domain rather than the metrics on a specific destination IP. HTTP-based application monitoring option is enabled by default for the interface. You can configure a PBR policy with match ACL having the monitored applications and interface ordering for path determination. New/modified screens: Devices > Device Management > Edit device > Edit interface > Path Monitoring > Enable HTTP based Application Monitoring check box. Platform restrictions: Not supported for clustered devices. See: Policy Based Routing |
||
|
Policy-based routing with user identity and SGTs. |
7.4.0 |
7.4.0 |
Upgrade impact. Check SGT propagation before device upgrade. You can now classify network traffic based on users, user groups, and SGTs in PBR policies. Select the identity and SGT objects while defining the extended ACLs for the PBR policies. Note that as a result of how this feature was implemented, Firewall Threat Defense can now add egress SGTs to traffic if the egress interface is configured to propagate SGTs. This can happen with ISE integration even if you do not configure policy-based routing. Starting with Version 7.4.0, the Propagate Security Group Tag option is disabled by default for new interfaces. But because upgrade respects your current settings, this option may be enabled for existing interfaces.
New/modified screens: Objects > Object Management > Access List > Extended > Add/Edit Extended Access List > Add/Edit Extended Access List Entry > Users and Security Group Tag See: Object Management |
||
|
VPN |
|||||
|
IPsec flow offload on the VTI loopback interface for the Secure Firewall 4200. |
7.4.0 |
7.4.0 |
On the Secure Firewall 4200, qualifying IPsec connections through the VTI loopback interface are offloaded by default. Previously, this feature was supported for physical interfaces on the Secure Firewall 3100. You can change the configuration using FlexConfig and the flow-offload-ipsec command. Other requirements: FPGA firmware 6.2+ See: VPN Overview |
||
|
Crypto debugging enhancements for the Secure Firewall 4200. |
7.4.0 |
7.4.0 |
We made the following enhancements to crypto debugging:
New/modified CLI commands: show counters See: Decryption Rules |
||
|
VPN: Remote Access |
|||||
|
Customize Secure Client messages, icons, images, and connect/disconnect scripts. |
7.4.0 |
7.1.0 |
You can now customize Secure Client and deploy these customizations to the VPN headend. The following are the supported Secure Client customizations:
Firewall Threat Defense distributes these customizations to the endpoint when an end user connects from the Secure Client. New/modified screens:
See: Remote Access VPN |
||
|
VPN: Site to Site |
|||||
|
Easily view IKE and IPsec session details for VPN nodes. |
7.4.0 |
Any |
You can view the IKE and IPsec session details of VPN nodes in a user-friendly format in the Site-to-Site VPN dashboard. New/modified screens: Overview > Site to Site VPN > Under the Tunnel Status widget, hover over a topology, click View, and then click the CLI Details tab. See: Site-to-Site VPNs |
||
|
Site-to-site VPN information in connection events. |
7.4.0 |
7.4.0 with Snort 3 |
Connection events now contain three new fields: Encrypt Peer, Decrypt Peer, and VPN Action. For policy-based and route-based site-to-site VPN traffic, these fields indicate whether a connection was encrypted or decrypted (or both, for transiting connections), and who by. New/modified screens: |
||
|
Easily exempt site-to-site VPN traffic from NAT translation. |
7.4.0 |
Any |
We now make it easier to exempt site-to-site VPN traffic from NAT translation. New/modified screens:
|
||
|
Routing |
|||||
|
Configure graceful restart for BGP on IPv6 networks. |
7.4.0 |
7.3.0 |
You can now configure BGP graceful restart for IPv6 networks on managed devices version 7.3 and later. New/modified screens: Devices > Device Management > Edit device > Routing > BGP > IPv6 > Neighbor > Add/Edit Neighbor. See: BGP |
||
|
Virtual routing with dynamic VTI. |
7.4.0 |
7.4.0 |
You can now configure a virtual router with a dynamic VTI for a route-based site-to-site VPN. New/modified screens: Platform restrictions: Supported only on native mode standalone or high availability devices. Not supported for container instances or clustered devices. See: Virtual Routers |
||
|
Access Control: Threat Detection and Application Identification |
|||||
|
Clientless zero-trust access. |
7.4.0 |
7.4.0 with Snort 3 |
Zero Trust Access allows you to authenticate and authorize access to protected web based resources, applications, or data from inside (on-premises) or outside (remote) the network using an external SAML Identity Provider (IdP) policy. The configuration consists of a Zero Trust Application Policy (ZTAP), Application Group, and Applications. New/modified screens: New/modified CLI commands:
See: Zero Trust Access |
||
|
Encrypted visibility engine enhancements. |
7.4.0 |
7.4.0 with Snort 3 |
Encrypted Visibility Engine (EVE) can now:
New/modified screens: Use the access control policy's advanced settings to enable EVE and configure these settings. |
||
|
Exempt specific networks and ports from bypassing or throttling elephant flows. |
7.4.0 |
7.4.0 with Snort 3 |
You can now exempt specific networks and ports from bypassing or throttling elephant flows. New/modified screens:
Platform restrictions: Not supported on the Firepower 2100 series. |
||
|
First-packet application identification using custom application detectors. |
7.4.0 |
7.4.0 with Snort 3 |
A new Lua detector API is now introduced, which maps the IP address, port, and protocol on the very first packet of a TCP session to application protocol (service AppID), client application (client AppID), and web application (payload AppID). This new Lua API addHostFirstPktApp is used for performance improvements, reinspection, and early detection of attacks in the traffic. To use this feature, you must upload the Lua detector by specifying the detection criteria in advanced detectors in your custom application detector. |
||
|
Sensitive data detection and masking. |
7.4.0 |
7.4.0 with Snort 3 |
Upgrade impact. New rules in default policies take effect. Sensitive data such as social security numbers, credit card numbers, emails, and so on may be leaked onto the internet, intentionally or accidentally. Sensitive data detection is used to detect and generate events on possible sensitive data leakage and generates events only if there is a transfer of significant amount of Personally Identifiable Information (PII) data. Sensitive data detection can mask PII in the output of events, using built-in patterns. Disabling data masking is not supported. |
||
|
Improved JavaScript inspection. |
7.4.0 |
7.4.0 with Snort 3 |
We improved JavaScript inspection, which is done by normalizing the JavaScript and matching rules against the normalized content. See: HTTP Inspect Inspector and Cisco Secure Firewall Management Center Snort 3 Configuration Guide |
||
|
MITRE information in file and malware events. |
7.4.0 |
7.4.0 |
The system now includes MITRE information (from local malware analysis) in file and malware events. Previously, this information was only available for intrusion events. You can view MITRE information in both the classic and unified events views. Note that the MITRE column is hidden by default in both event views. See: Network Malware Protection and File Policies and File/Malware Events and Network File Trajectory |
||
|
Access Control: Identity |
|||||
|
Cisco Secure Dynamic Attributes Connector on the Firewall Management Center. |
7.4.0 |
Any |
You can now configure the Cisco Secure Dynamic Attributes Connector on the Firewall Management Center. Previously, it was only available as a standalone application. |
||
|
Microsoft Azure AD as a user identity source. |
7.4.0 |
7.4.0 |
You can use a Microsoft Azure Active Directory (Azure AD) realm with ISE to authenticate users and get user sessions for user control. New/modified screens:
Supported ISE versions: 3.0 patch 5+, 3.1 (any patch level), 3.2 (any patch level) See: Realms |
||
|
Event Logging and Analysis |
|||||
|
Configure Firewall Threat Defense devices as NetFlow exporters from the Firewall Management Center web interface. |
7.4.0 |
Any |
Upgrade impact. Redo FlexConfigs after upgrade. NetFlow is a Cisco application that provides statistics on packets flows. You can now use the Firewall Management Center web interface to configure Firewall Threat Defense devices as NetFlow exporters. If you have an existing NetFlow FlexConfig and redo your configurations in the web interface, you cannot deploy until you remove the deprecated FlexConfigs. New/modified screens: See: Platform Settings |
||
|
More information about "unknown" SSL actions in logged encrypted connections. |
7.4.0 |
7.4.0 |
Serviceability improvements to the event reporting and decryption rule matching.
New/modified screens:
|
||
|
Health Monitoring |
|||||
|
Stream telemetry to an external server using OpenConfig. |
7.4.0 |
7.4.0 |
You can now send metrics and health monitoring information from your Firewall Threat Defense devices to an external server (gNMI collector) using OpenConfig. You can configure either Firewall Threat Defense or the collector to initiate the connection, which is encrypted by TLS. New/modified screens: System ( See: Health |
||
|
New asp drop metrics. |
7.4.0 |
7.4.0 |
You can add over 600 new asp (accelerated security path) drop metrics to a new or existing device health dashboard. Make sure you choose the ASP Drops metric group. New/modified screens: System ( |
||
|
Administration |
|||||
|
Send detailed Firewall Management Center audit logs to syslog. |
7.4.0 |
Any |
You can stream configuration changes as part of audit log data to syslog by specifying the configuration data format and the hosts. The Firewall Management Center supports backup and restore of the audit configuration log. New/modified screens: System ( See: System Configuration |
||
|
Granular permissions for modifying access control policies and rules. |
7.4.0 |
Any |
You can define custom user roles to differentiate between the intrusion configuration in access control policies and rules and the rest of the access control policy and rules. Using these permissions, you can separate the responsibilities of your network administration team and your intrusion administration teams. When defining user roles, you can select the option to allow the selection of intrusion policy, variable set, and file policy in a rule, the configuration of the advanced options for Network Analysis and Intrusion Policies, the configuration of the Security Intelligence policy for the access control policy, and intrusion actions in the policy default action. You can use the Modify Remaining Access Control Policy Configuration to control the ability to edit all other aspects of the policy. The existing pre-defined user roles that included the Modify Access Control Policy permission continue to support all sub-permissions; you need to create your own custom roles if you want to apply granular permissions. See: Users |
||
|
Support for IPv6 URLs when checking certificate revocation. |
7.4.0 |
7.4.0 |
Previously, Firewall Threat Defense supported only IPv4 OCSP URLs. Now, Firewall Threat Defense supports both IPv4 and IPv6 OCSP URLs. See: System Configuration and Object Management |
||
|
Default NTP server updated. |
7.4.0 |
Any |
The default NTP server for new Firewall Management
Center deployments changed from sourcefire.pool.ntp.org to
time.cisco.com. We recommend you use the Firewall Management
Center to serve time to its own devices. You can update the Firewall Management
Center's NTP server on System ( |
||
|
Usability, Performance, and Troubleshooting |
|||||
|
Usability enhancements. |
7.4.0 |
Any |
You can now:
|
||
|
Specify the direction of traffic to be captured with packet capture for the Secure Firewall 4200. |
7.4.0 |
7.4.0 |
On the Secure Firewall 4200, you can use a new direction keyword with the capture command. New/modified CLI commands: capturecapture_nameswitchinterfaceinterface_name[ direction{ both| egress| ingress} ] |
||
|
Snort 3 restarts when it becomes unresponsive, which can trigger HA failover. |
7.4.0 |
7.4.0 with Snort 3 |
To improve continuity of operations, an unresponsive Snort can now trigger high availability failover. This happens because Snort 3 now restarts if the process becomes unresponsive. Restarting the Snort process briefly interrupts traffic flow and inspection on the device, and in high availability deployments can trigger failover. (In a standalone deployment, interface configurations determine whether traffic drops or passes without inspection during the interruption.) This feature is enabled by default. You can use the CLI to disable it, or configure the time or number of unresponsive threads before Snort restarts. New/modified CLI commands: configure snort3-watchdog |
||
|
Deprecated Features |
|||||
|
Deprecated: NetFlow with FlexConfig. |
7.4.0 |
Any |
You can now configure Firewall Threat Defense devices as NetFlow exporters from the Firewall Management Center web interface. If you do this, you cannot deploy until you remove any deprecated FlexConfigs. See: Platform Settings |
||
Firewall Device Manager Features in Version 7.4.x
Note |
Firewall Device Manager support for Version 7.4 features begins with Version 7.4.1. This is because Version 7.4.0 is not available on any platforms that support device manager. |
|
Feature |
Description |
|---|---|
|
Platform Features |
|
|
Network modules for the Secure Firewall 3130 and 3140. |
We introduced these network modules for the Secure Firewall 3130 and 3140:
See: Cisco Secure Firewall 3100 Series Hardware Installation Guide |
|
IMDSv2 support for AWS deployments. |
Threat defense virtual for AWS now supports Instance Metadata Service Version 2 (IMDSv2), a security improvement over IMDSv1. When you enable the instance metadata service on AWS, IMDSv2 Optional mode is still the default, but we recommend you choose IMDSv2 Required. We also recommend you switch your upgraded instances. See: Secure Firewall Threat Defense Virtual getting started guides |
|
Firewall and IPS Features |
|
|
Sensitive data detection and masking. |
Upgrade impact. New rules in default policies take effect. Sensitive data such as social security numbers, credit card numbers, emails, and so on may be leaked onto the internet, intentionally or accidentally. Sensitive data detection is used to detect and generate events on possible sensitive data leakage and generates events only if there is a transfer of significant amount of Personally Identifiable Information (PII) data. Sensitive data detection can mask PII in the output of events, using built-in patterns. Disabling data masking is not supported. Requires Snort 3. |
|
VPN Features |
|
|
IPsec flow offload on the VTI loopback interface for the Secure Firewall 3100. |
Upgrade impact. Qualifying connections start being offloaded. On the Secure Firewall 3100, qualifying IPsec connections through the VTI loopback interface are now offloaded by default. Previously, this feature was only supported on physical interfaces. This feature is automatically enabled by the upgrade. You can change the configuration using FlexConfig and the flow-offload-ipsec command. |
|
Interface Features |
|
|
Merged management and diagnostic interfaces. |
Upgrade impact. Merge interfaces after upgrade. For new devices using 7.4 and later, you cannot use the legacy diagnostic interface. Only the merged management interface is available. If you upgraded to 7.4 or later, and you did not have any configuration for the diagnostic interface, then the interfaces will merge automatically. If you upgraded to 7.4 or later, and you have configuration for the diagnostic interface, then you have the choice to merge the interfaces manually, or you can continue to use the separate diagnostic interface. Note that support for the diagnostic interface will be removed in a later release, so you should plan to merge the interfaces as soon as possible. Merged mode also changes the behavior of AAA traffic to use the data routing table by default. The management-only routing table can now only be used if you specify the management-only interface (including management) in the configuration. New/modified screens:
New/modified commands: show management-interface convergence |
|
Deploy without the diagnostic interface on threat defense virtual for Azure and GCP. |
You can now deploy without the diagnostic interface on threat defense virtual for Azure and GCP. Azure deployments still require at least two data interfaces, but GCP requires that you replace the diagnostic interface with a data interface, for a new minimum of three. (Previously, threat defense virtual deployments required one management, one diagnostic, and at least two data interfaces.) Restrictions: This feature is supported for new deployments only. It is not supported for upgraded devices. See: Secure Firewall Threat Defense Virtual getting started guides |
|
Inline sets for Firepower 1000 series, Firepower 2100, and Secure Firewall 3100. |
You can configure inline sets on Firepower 1000 series, Firepower 2100, and Secure Firewall 3100 devices. We added the inline sets tab to the Interface page. |
|
Licensing Features |
|
|
Changes to license names and support for the Carrier license. |
Licenses have been renamed:
In addition, you can now apply the Carrier license, which allows you to configure GTP/GPRS, Diameter, SCTP, and M3UA inspections. Use FlexConfig to configure these features. See: Licensing the System |
|
Administrative and Troubleshooting Features |
|
|
Default NTP server updated. |
Upgrade impact. The system connects to new resources. The default NTP servers have changed from sourcefire.pool.ntp.org to time.cisco.com. To use a different NTP server, select Device, then click Time Services in the System Settings panel. |
|
SAML servers for HTTPS management user access. |
You can configure a SAML server to provide external authentication for HTTPS management access. You can configure external users with the following types of authorization access: Administrator, Audit Admin, Cryptographic Admin, Read-Write User, Read-Only User. You can use Common Access Card (CAC) for login when using a SAML server. We updated the SAML identity source object configuration, and the page to accept them. |
|
Detect configuration mismatches in threat defense high availability pairs. |
You can now use the CLI to detect configuration mismatches in threat defense high availability pairs. New/modified CLI commands: show failover config-sync error , show failover config-sync stats |
|
Capture dropped packets with the Secure Firewall 3100. |
Packet losses resulting from MAC address table inconsistencies can impact your debugging capabilities. The Secure Firewall 3100 can now capture these dropped packets. New/modified CLI commands: [drop{ disable| mac-filter} ] in the capture command. |
|
Firmware upgrades included in FXOS upgrades. |
Chassis/FXOS upgrade impact. Firmware upgrades cause an extra reboot. For the Firepower 4100/9300, FXOS upgrades to Version 2.14.1+ now include firmware upgrades. If any firmware component on the device is older than the one included in the FXOS bundle, the FXOS upgrade also updates the firmware. If the firmware is upgraded, the device reboots twice—once for FXOS and once for the firmware. Just as with software and operating system upgrades, do not make or deploy configuration changes during firmware upgrade. Even if the system appears inactive, do not manually reboot or shut down during firmware upgrade. |
|
Quick recovery after data plane failure for the Firepower 1000/2100 and Firepower 4100/9300. |
When the data plane process on the Firepower 1000/2100 or the Firepower 4100/9300 crashes, the system reloads the process instead of rebooting the device. Reloading the data plane also restarts other processes, including Snort. If the data plane crashes during bootup, the device follows the normal reload/reboot sequence; this avoids a reload loop. This feature is enabled by default for both new and upgraded devices. To disable it, use FlexConfig. New/modified ASA CLI commands: data-plane quick-reload , show data-plane quick-reload status New/modified threat defense CLI commands: show data-plane quick-reload status See: Cisco Secure Firewall Threat Defense Command Reference and Cisco Secure Firewall ASA Series Command Reference. |
|
Require the Message-Authenticator attribute in all RADIUS responses. |
Upgrade impact. For the Firepower 4100/9300, check FXOS compatibility before you upgrade Firewall Threat Defense. After Firewall Threat Defense upgrade, enable the option for existing servers. You can now require the Message-Authenticator attribute in all RADIUS responses, ensuring that the Firewall Threat Defense VPN gateway securely verifies every response from the RADIUS server, whether for RA VPN or access to the device itself. The Require Message-Authenticator for all RADIUS Responses option is enabled by default for new RADIUS servers. We also recommend you enable it for existing servers. Disabling it may expose firewalls to potential attacks. New CLI commands: message-authenticator-required Version restrictions: Requires Version 7.0.7, 7.2.10, 7.4.3, 7.6.1, or 7.7+. For the Firepower 4100/9300, may require an FXOS upgrade; for minimum builds, see Cisco Secure Firewall Threat Defense Compatibility Guide. |
Upgrade Impact Features
A feature has upgrade impact if upgrading and deploying can cause the system to process traffic or otherwise act differently without any other action on your part. This is especially common with new threat detection and application identification capabilities. A feature can also have upgrade impact if upgrading requires that you take action before or after upgrade to avoid an undesirable outcome; for example, if you must change a configuration.
Important |
Minimize upgrade and other impact by going directly to the latest maintenance release in your chosen version. See Choosing your upgrade target. |
Upgrade Impact Features for Firewall Management Center
This table lists and links to descriptions of features that may have upgrade impact for Firewall Management Center. The first column is for your current version and the link indicates when the feature was originally introduced.
|
Current version |
Features with upgrade impact |
|---|---|
|
7.4.0–7.4.2 7.2.0–7.2.9 7.1.x 7.0.6 and earlier |
|
|
7.4.0 and earlier |
|
|
7.4.0 7.3.x 7.2.5 and earlier |
|
|
7.4.0 7.3.x 7.2.0–7.2.5 7.1.x 7.0.5 and earlier |
|
|
7.3.x and earlier |
|
|
7.3.0–7.3.1 7.2.0–7.2.3 7.1.x 7.0.5 and earlier |
|
|
7.3.x 7.2.3 and earlier |
|
|
7.2.x and earlier |
|
|
7.2.0–7.2.9 7.1.x 7.0.7 and earlier |
|
|
7.2.0–7.2.3 7.1.0–7.1.0.2 7.0.4 and earlier |
|
|
7.1.x and earlier |
|
|
7.0.x and earlier |
|
Upgrade Impact Features for Firewall Threat Defense with Firewall Management Center
This table lists and links to descriptions of features that may have upgrade impact for Firewall Threat Defense with Firewall Management Center. The first column is for your current version and the link indicates when the feature was originally introduced.
|
Current version |
Features with upgrade impact |
|---|---|
|
7.4.0–7.4.2 7.3.x 7.2.0–7.2.9 7.1.x 7.0.6 and earlier |
|
|
7.4.0–7.4.1 7.3.x 7.2.9 and earlier |
|
|
7.4.0 and earlier |
|
|
7.3.x and earlier |
|
|
7.2.x and earlier |
|
|
7.2.0–7.2.3 7.1.0–7.1.0.2 7.0.4 and earlier |
|
|
7.1.x and earlier |
|
|
7.0.x and earlier |
Upgrade Impact Features for Firewall Threat Defense with Firewall Device Manager
|
Target version |
Features |
|---|---|
|
|
|
|
|
|
|
Upgrade Guidelines
These release notes contain upgrade warnings and guidelines that are specific to each release. You should also check for features and bugs with upgrade impact.
See the upgrade guide for general information on time and disk space requirements, and for details on system behavior during upgrade, which can include interruptions to traffic flow and inspection: For Assistance.
Upgrade Guidelines for Firewall Management Center
|
Current Version |
Guideline |
Details |
||
|---|---|---|---|---|
|
7.4.1 |
Migration failure: do not migrate to Firewall Management Center Version 7.4.1 if you are using Security Intelligence. |
Patch the target Firewall Management Center to Version 7.4.1.1 before you begin migration. The source Firewall Management Center can continue to run Version 7.4.1.
For more information on model migration, see the Cisco Secure Firewall Management Center Model Migration Guide. |
||
|
7.2.6–7.2.x |
Upgrade not recommended: Version 7.2.6–7.2.x to Version 7.3.x–7.4.0. |
Upgrading is supported, but will remove critical fixes and enhancements that are included in your current version. Instead, upgrade to Version 7.4.1+. |
Upgrade Guidelines for Firewall Threat Defense with Firewall Management Center
|
Current Version |
Guideline |
Details |
|---|---|---|
|
7.4.x or earlier |
Do not upgrade the Firepower 1010 if a subinterface uses VLAN 1 |
For models with built-in switches, you cannot create a subinterface using VLAN 1. VLAN 1 is reserved for the logical VLAN interface for switch ports. If you upgrade the Firepower 1010 to Version 7.6+ later, and you have assigned VLAN 1 to a subinterface, you must first change the VLAN ID for your subinterface to a new VLAN. After upgrading, if present, VLAN 1 will be removed from the subinterface. |
|
7.4.1 |
Reimage prohibited: Firepower 4100/9300 to Version 7.4.2+ on FXOS 2.14.1.131 or 2.14.1.143. |
Although we document that FXOS 2.14.1.163+ is required for Firewall Threat Defense 7.4.x, this is for reimaging to 7.4.2+. If you are already running an earlier FXOS 2.14.1 build, you can successfully upgrade to 7.4.2+ without upgrading FXOS (CSCwf64429). Note that in most cases, we recommend the latest FXOS build for reimages and upgrades. For more information, see the Firepower 4100/9300 FXOS release notes. |
Upgrade Guidelines for Firewall Threat Defense with Firewall Device Manager
|
Current Version |
Guideline |
Details |
|---|---|---|
|
7.4.x or earlier |
Do not upgrade the Firepower 1010 if a subinterface uses VLAN 1 |
For models with built-in switches, you cannot create a subinterface using VLAN 1. VLAN 1 is reserved for the logical VLAN interface for switch ports. If you upgrade the Firepower 1010 to Version 7.6+ later, and you have assigned VLAN 1 to a subinterface, you must first change the VLAN ID for your subinterface to a new VLAN. After upgrading, if present, VLAN 1 will be removed from the subinterface. |
|
7.4.1 |
Reimage prohibited: Firepower 4100/9300 to Version 7.4.2+ on FXOS 2.14.1.131 or 2.14.1.143. |
Although we document that FXOS 2.14.1.163+ is required for Firewall Threat Defense 7.4.x, this is for reimaging to 7.4.2+. If you are already running an earlier FXOS 2.14.1 build, you can successfully upgrade to 7.4.2+ without upgrading FXOS (CSCwf64429). Note that in most cases, we recommend the latest FXOS build for reimages and upgrades. For more information, see the Firepower 4100/9300 FXOS release notes. |
Upgrade Guidelines for the Firepower 4100/9300 Chassis
In most cases, we recommend you use the latest build for your FXOS major version.
For release-specific FXOS upgrade warnings and guidelines, as well as features and bugs with upgrade impact, check all release notes between your current and target version: http://www.cisco.com/go/firepower9300-rns.
Upgrade Path
Planning your upgrade path and order is especially important for large deployments, high availability/clustering, multi-hop upgrades, and situations where you need to coordinate chassis, hosting environment, or other upgrades. Those scenarios, as well as information on revert and uninstall, are covered in more detail in the upgrade guide: For Assistance.
Choosing your upgrade target
Go directly to the latest Version 7.4 release possible to minimize upgrade and other impact. This is because features, enhancements, and critical fixes can skip "future" releases that are ahead by version, but not by release date. For example, if you are up-to-date within major Version A, upgrading to dot-zero Version B can deprecate features and fixes.
If you cannot go to the latest release, at least make sure your current version was released on a date before your target version. In the following table, confirm your current version is listed next to your target version. If it is not, choose a later target.
|
Target version |
Current version: confirm yours is listed. |
|||||
|---|---|---|---|---|---|---|
|
from 7.0 |
from 7.1 |
from 7.2 |
from 7.3 |
from 7.4 |
||
|
to 7.4.7 |
2026-04-15 |
7.0.0–7.0.9 |
7.1.0 |
7.2.0–7.2.11 |
7.3.0–7.3.1 |
7.4.0–7.4.6 |
|
to 7.4.6 |
2026-02-17 |
7.0.0–7.0.9 |
7.1.0 |
7.2.0–7.2.11 |
7.3.0–7.3.1 |
7.4.0–7.4.5 |
|
to 7.4.5 |
2026-01-14 |
7.0.0–7.0.8 |
7.1.0 |
7.2.0–7.2.10 |
7.3.0–7.3.1 |
7.4.0–7.4.4 |
|
to 7.4.4 |
2026-01-05 |
7.0.0–7.0.8 |
7.1.0 |
7.2.0–7.2.10 |
7.3.0–7.3.1 |
7.4.0–7.4.3 |
|
to 7.4.3 |
2025-10-13 |
7.0.0–7.0.8 |
7.1.0 |
7.2.0–7.2.10 |
7.3.0–7.3.1 |
7.4.0–7.4.2 |
|
to 7.4.2 |
2024-07-31 |
7.0.0–7.0.6 |
7.1.0 |
7.2.0–7.2.8 |
7.3.0–7.3.1 |
7.4.0–7.4.1 |
|
to 7.4.1 |
2023-12-13 |
7.0.0–7.0.6 |
7.1.0 |
7.2.0–7.2.5 |
7.3.0–7.3.1 |
7.4.0 |
|
to 7.4.0 * |
2023-09-07 |
— |
— |
— |
— |
— |
* You cannot upgrade managed devices to Version 7.4.0, which is available as a fresh install on the Secure Firewall 4200 only, and is not supported with Firewall Device Manager.
Upgrading a patched deployment
Critical fixes in patches/vulnerability (fourth-digit) releases can also skip future releases. If you depend on these critical fixes, verify that your target version contains them. For a full list of release dates, see Cisco Secure Firewall Management Center New Features by Release or Cisco Secure Firewall Device Manager New Features by Release.
Supported upgrades and downgrades
This section summarizes upgrade and downgrade capability. For help with:
-
Choosing an upgrade target, see Choosing your upgrade target.
-
Upgrade and downgrade procedures, including general guidelines, best practices, and troubleshooting, see the upgrade guide for the version you are currently running: https://www.cisco.com/go/ftd-upgrade.
Supported upgrades
This table shows the supported direct upgrades for Firewall Management Center and Firewall Threat Defense software.
Note |
You can upgrade directly to any release except patches (fourth-digit releases). You cannot upgrade directly to a patch from a previous major or maintenance release. Although a patched device (fourth-digit) can be managed with an unpatched Firewall Management Center, fully patched deployments undergo enhanced testing. |
|
Current version |
Target software version |
|||||||
|---|---|---|---|---|---|---|---|---|
|
to 10.x |
7.7 |
7.6 |
7.4 * |
7.3 |
7.2 |
7.1 |
7.0 |
|
|
from 10.x |
YES |
— |
— |
— |
— |
— |
— |
— |
|
from 7.7 |
YES |
YES |
— |
— |
— |
— |
— |
— |
|
from 7.6 |
YES |
YES |
YES |
— |
— |
— |
— |
— |
|
from 7.4 |
YES |
YES |
YES |
YES |
— |
— |
— |
— |
|
from 7.3 |
YES |
YES |
YES |
YES |
YES |
— |
— |
— |
|
from 7.2 |
— |
YES |
YES |
YES |
YES |
YES |
— |
— |
|
from 7.1 |
— |
— |
YES |
YES |
YES |
YES |
YES |
— |
|
from 7.0 |
— |
— |
— |
YES |
YES |
YES |
YES |
YES |
|
from 6.4 |
— |
— |
— |
— |
— |
— |
— |
YES |
* Firewall Threat Defense Version 7.4.0 is available as a fresh install on the Secure Firewall 4200 only. It removes significant features, enhancements, and critical fixes included in earlier versions. Upgrade to a later release.
Supported FXOS versions for Firepower 4100/9300 upgrades
For the Firepower 4100/9300, this table lists companion FXOS versions. If a chassis upgrade is required, Firewall Threat Defense upgrade is blocked. In most cases we recommend the latest build in each version; for minimum builds see the Cisco Secure Firewall Threat Defense Compatibility Guide.
|
Target Firewall Threat Defense version |
Minimum FXOS version |
|---|---|
|
10.x |
2.18.0 |
|
7.7 |
2.17.0 |
|
7.6 |
2.16.0 |
|
7.4.1–7.4.x |
2.14.1 |
|
7.4.0 |
— |
|
7.3 |
2.13.0 |
|
7.2 |
2.12.0 |
|
7.1 |
2.11.1 |
|
7.0 |
2.10.1 |
|
6.7 |
2.9.1 |
|
6.6 |
2.8.1 |
|
6.4 |
2.6.1 |
Supported downgrades
If an upgrade succeeds but the system does not function to your expectations, you may be able to return to a previous version. For general information, particularly on common scenarios where returning to a previous version is not supported or recommended, see the upgrade guide: https://cisco.com/go/ftd-upgrade.
Bugs
For bugs in earlier releases, see the release notes for those versions. For cloud deployments, see the Cloud-Delivered Firewall Management Center release notes.
Important |
We do not list open bugs for most maintenance releases or patches. |
Important |
Bug lists are auto-generated once and may not be subsequently updated. If updated, the 'table last updated' date does not mean that the list was fully accurate on that date—only that some change was made. Depending on how and when a bug was categorized or updated in our system, it may not appear in the release notes. If you have a support contract, you can obtain up-to-date bug lists with the Cisco Bug Search Tool. |
Open Bugs in Version 7.4.0
Table last updated: 2023-09-11
|
Bug ID |
Headline |
|---|---|
|
Deploy failure when flow export destinations are swapped or port value changed |
|
|
IDP SAML missing filter in Zero Trust Policy shows all groups have missing IDP data |
|
|
New User activity page does not display events for Special Identities Realm |
|
|
Azure AD sessions do not get removed after disabling subscription or changing ise configuration |
|
|
Importing a realm with a proxy will fail |
|
|
Editing CSDAC dynamic attribute filter throwing Internal Error |
|
|
OSPFv3 BFD sessions not coming up for more than 7 |
|
|
PBR configuration using User Identity is not migrated during FTD migration to cdFMC |
|
|
Save button disabled when updating Zero Trust Policy |
|
|
New SRU is not immediately installed upon management center upgrade |
|
|
4200 Series: Portchannel in cluster may stay down sometimes when LACP is in active mode |
|
|
EventHandler should not log warning if it fails to open a unified file when the file doesn't exist |
Resolved Bugs in Version 7.4.7
Table last updated: 2026-04-15
|
Bug ID |
Headline |
|---|---|
|
ASDM Access Issue When SSL VPN And HTTP Server Is Configured On Same Port |
|
|
Deploy failure after interface group or port value change in Netflow collector config or max collector limit of 5 is reached |
|
|
FTD unable to re-join the HA after upgrade from 7.2.0 build 82 to 7.2.5 build 203. |
|
|
NGFWPolicy::Manager::populateGlobalSnapshot() NGFW HA plugin takes longer time to validate |
|
|
unable to register device post restoring the backup |
|
|
Issue summary: Some non-default TLS server configurations can cause un |
|
|
Switch role of FTDHA backup task and backup name have discrepancy in UI SensorList/management page |
|
|
hms process consuming 20GB memory on cdFMC tenant. |
|
|
Cisco FXOS and UCS Manager Software Stored Cross-Site Scripting Vulnerability |
|
|
Observing Lina Core for 2.17 in BS/QP with App Instance Stuck in 'Started' State |
|
|
SEC-PWD-CONTROL - PSB - Proxy password showing in plain text on FMC |
|
|
FMC GUI does not Accept "@" in the username for remote storage used for backups |
|
|
CVE-2024-47728: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-49888: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-49934: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-49974: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-49996: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-50014: linux-kernel: ext4: fix access to uninitialised lock in fc replay |
|
|
CVE-2024-50055: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-50067: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-50138: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-50154: linux-kernel: In the Linux kernel, the following vuln... |
|
|
Addressing CVEs reported in unicorn zlib library |
|
|
FMC Legacy UI allows you to create time range objects in past time in ACL |
|
|
FTD native: ldap configuration fails to deploy to ftd when using same user as radius |
|
|
FMC API put taking long time to update Extended ACL objects when count is huge like hundreds |
|
|
CVE-2021-47036: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2021-47199: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2021-47455: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2021-47469: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2021-47552: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2023-52476: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2023-52698: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2023-52757: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2023-52845: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-26663: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-26739: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-26928: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-27388: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-35863: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-35864: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-35867: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-35868: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-35896: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-35925: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-35945: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-35998: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-36286: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-36954: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-36959: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-38662: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-42283: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-43834: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-43835: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-46739: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-46857: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-47678: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-50258: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-50272: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-50301: linux-kernel: security/keys: fix slab-out-of-bounds in key_task_permission |
|
|
CVE-2024-50302: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-50304: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-53052: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-53066: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-53121: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-53124: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-53135: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-53138: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-53140: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-53146: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-53157: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-53179: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-55916: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-56647: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-56662: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-56664: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-56672: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-56688: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-56720: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-56728: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-56739: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-56751: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-56756: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-56763: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-56770: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-56779: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-57807: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-57890: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-57938: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-57940: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-8006: libpcap: Remote packet capture support is disabled by ... |
|
|
Firepower wiping SSL trustpoint config after reloading. |
|
|
Unable to save the Ext ACL object - "Only Host and Network in IPv4 and IPv6 format are supported." |
|
|
IPv6 Management communication is lost due to a missing management-only multicast route. |
|
|
ARP is silently dropping packet for an unreachable next hop |
|
|
Intrusion rules CVE filter does not function for certain input formats |
|
|
CVE-2021-47247: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2022-23491: python-certifi: Certifi is a curated collection of Ro... |
|
|
CVE-2022-49043: libxml2: xmlXIncludeAddNode in xinclude.c in libxml2 ... |
|
|
CVE-2022-49046: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2022-49190: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2022-49215: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2022-49219: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2023-52587: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2023-52612: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2023-52621: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2023-52622: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2023-52879: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-25629: c-ares: c-ares is a C library for asynchronous DNS re... |
|
|
CVE-2024-26659: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-26664: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-26669: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-26671: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-26679: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-26686: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-26687: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-26763: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-26764: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-26773: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-26805: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-26809: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-36903: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-36927: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-40945: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-40972: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-40984: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-53217: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-53224: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-56171: libxml2: libxml2 before 2.12.10 and 2.13.x before 2.1... |
|
|
CVE-2024-56568: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-56569: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2021-47182: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-57874: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-57977: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-57981: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-58005: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-58017: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-9287: python: A vulnerability has been found in the CPython ... |
|
|
CVE-2025-21638: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2025-21669: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2025-21690: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2025-21745: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2025-21776: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2025-21779: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2025-21785: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2025-21791: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2025-21814: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2025-27113: libxml2: libxml2 before 2.12.10 and 2.13.x before 2.1... |
|
|
The ObjectSerializationDecoder in Apache MINA uses Javaâs native deseria |
|
|
CVE-2021-47212: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-26816: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-26830: linux-kernel: i40e: Do not allow untrusted VF to remove administratively set MAC |
|
|
CVE-2024-26851: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-27437: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-34158: golang: Calling Parse on a "// +build" build tag line... |
|
|
CVE-2024-45336: golang: The HTTP client drops sensitive headers after... |
|
|
CVE-2024-45341: golang: A certificate with a URI which has a IPv6 add... |
|
|
CVE-2022-49546: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2022-49728: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2023-52936: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2025-21640: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2025-21898: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2025-21920: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2025-21928: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2025-21959: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2025-32414: libxml2: In libxml2 before 2.13.8 and 2.14.x before 2... |
|
|
Lina: Traceback in thread name ssh on executing show access-list after ACL deletion |
|
|
CVE-2025-21853: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2025-32415: libxml2: In libxml2 before 2.13.8 and 2.14.x before 2... |
|
|
Vulnerable version of Highcharts used by Context Explorer |
|
|
ACL: ASA may show false "OOB Access-list config change detected" warning after AAA authorization command is applied |
|
|
Policy Deployment: When using MD5 in Site-to-Site VPN, manual deployment fails with validation error, but schedule deployment succeeds. |
|
|
CVE-2021-47265: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-26870: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-26891: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2025-22063: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2025-37785: linux-kernel: In the Linux kernel, the following vuln... |
|
|
Reverting FTD upgrade silently removes object overrides on the FMC for the reverted FTD |
|
|
PSB: SEC-LOG-NOSENS-FR2 - P12 cert passphrase logged in plaintext in FMC logs |
|
|
ASA from CSM/CLI - no access-list ACL_name line line_nr remark on last ACL line shows message - "Specified remark does not exist" |
|
|
Invalid host header reveals ASA interface IP address |
|
|
CVE-2025-32463: sudo: Sudo before 1.9.17p1 allows local users to obtain |
|
|
CVE-2025-32462: sudo: Before 1.9.17p1, allows users to execute commands on unintended machines. |
|
|
Inbound IPsec packets are dropped by IPsec offload when the crypto map ACL is using specific ports. |
|
|
CVE-2025-0689: grub2: When reading data from disk, the grub's UDF fil... |
|
|
CVE-2025-1125: grub2: When reading data from a hfs filesystem, grub's... |
|
|
CVE-2025-4516: python: There is an issue in CPython when using 'bytes... |
|
|
CVE-2025-6965: sqlite: There exists a vulnerability in SQLite version... |
|
|
CVE-2025-21639: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2025-21683: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2025-21700: linux-kernel: In the Linux kernel, the following vuln... |
|
|
Deployment Failure After Removing An Object From ACL Used in DAP |
|
|
CVE-2025-21605: redis: Redis is an open source, in-memory database th... |
|
|
CVE-2025-27363: free-type: An out of bounds write exists in FreeType ... |
|
|
CVE-2025-21760: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2025-21762: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2025-21763: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2025-21764: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2025-21846: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2025-21999: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2025-22005: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2025-32023: redis: Redis is an open source, in-memory database th... |
|
|
CVE-2025-47273: python-setuptools: setuptools is a package that allow... |
|
|
CVE-2025-48367: redis: Redis is an open source, in-memory database th... |
|
|
CVE-2024-3447: qemu: A heap-based buffer overflow was found in the SD... |
|
|
CVE-2024-6345: python-setuptools: A vulnerability in the package_inde... |
|
|
CVE-2024-6505: qemu: A flaw was found in the virtio-net device in QEM... |
|
|
CVE-2024-8088: python: CPython "zipfile" module affecting "zipfile.Path" |
|
|
CVE-2024-8354: qemu: A flaw was found in QEMU. An assertion failure w... |
|
|
CVE-2024-10524: wget: Applications that use Wget to access a remote r... |
|
|
CVE-2024-26627: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-26633: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-26635: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-26641: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-26733: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-26735: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-26747: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-26772: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-26804: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-26808: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-26810: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-26812: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-26843: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-26852: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-26894: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-26924: linux-kernel: In the Linux kernel, the following vuln... |
|
|
RAVPN SSL/IKEV2 AUTH FAILURE: AAA PROCESS MISHANDLING BROKEN FIBER CLASS |
|
|
FMC: Copy/Cut/Paste or drag/drop ACE in Extended ACL object, deletes existing Rules |
|
|
Drop counter doesn't increment for embryonic related drops in 'show service policy' |
|
|
Late Release of Memory after Effective Lifetime vulnerability in Apache HTTP Server. |
|
|
HTTP response splitting in the core of Apache HTTP Server allows an attacker who can manipulate the Content-Type response headers |
|
|
CVE-2025-32988: gnutls: A flaw was found in GnuTLS. A double-free vul... |
|
|
CVE-2025-32990: gnutls: A heap-buffer-overflow (off-by-one) flaw was ... |
|
|
CVE-2024-26960: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-26976: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-35823: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-35835: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-35888: linux-kernel: In the Linux kernel, the following vuln... |
|
|
LuaJIT through 2.1 and OpenRusty luajit2 before v2.1-20240314 have an ou |
|
|
LuaJIT through 2.1 and OpenRusty luajit2 before v2.1-20240314 have an un |
|
|
Netty is an asynchronous, event-driven network application framework. Pr |
|
|
Jetty through 9.4.x is prone to a timing channel in util/security/Passwo |
|
|
In Eclipse Jetty HTTP/2 server implementation, when encountering an inva |
|
|
The exception handling code in Eclipse Jetty before 9.2.9.v20150224 allo |
|
|
An integer overflow can be triggered in SQLite’s 'concat_ws()' function. |
|
|
There exists a vulnerability in SQLite versions before 3.50.2 where the |
|
|
When reading a specially crafted 7Z archive, the construction of the lis |
|
|
When reading a specially crafted 7Z archive, Compress can be made to all |
|
|
CVE-2024-35960: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-38541: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-38612: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-41110: docker: Moby is an open-source project created by Doc... |
|
|
CVE-2024-58250: ppp: The passprompt plugin in pppd in ppp before 2.5.... |
|
|
CVE-2023-24531: golang: Command go env is documented as outputting a ... |
|
|
CVE-2024-46981: redis: Redis is an open source, in-memory database th... |
|
|
CVE-2025-38352: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-35955: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-36623: docker: moby through v25.0.3 has a Race Condition vul... |
|
|
CVE-2024-38473: apache-http-server: Encoding problem in mod_proxy in ... |
|
|
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTM |
|
|
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTM |
|
|
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTM |
|
|
An issue in canvg v.4.0.2 allows an attacker to execute arbitrary code v |
|
|
jsPDF is a library to generate PDFs in JavaScript. Prior to 3.0.2, user |
|
|
jsPDF is a library to generate PDFs in JavaScript. Prior to 3.0.1, user |
|
|
In all versions of the package jspdf, it is possible to use <<script>scr |
|
|
In axios before 1.7.8, lib/helpers/isURLSameOrigin.js does not use a URL |
|
|
axios is a promise based HTTP client for the browser and node.js. The is |
|
|
axios 1.7.2 allows SSRF via unexpected behavior where requests for path |
|
|
Axios is a promise based HTTP client for the browser and Node.js. When A |
|
|
DOMPurify before 3.2.4 has an incorrect template literal regular express |
|
|
Cisco Secure Firewall Adaptive Security Appliance Software TCP Flood Denial of Service Vulnerability |
|
|
SFDataCorrelator backtrace every 1 hour after VDB update on FMC |
|
|
FPR3100 May Not Power On After Upgrade or Reboot |
|
|
FMC should fail the policy deployment in case of any interface/zone installation issues. |
|
|
ASP ACL rule (dhcp network scope) fail to be removed during "no nameif" or interface deletion process |
|
|
Deployment Failure soon After Removing An Object From ACL Used in DAP even before commit |
|
|
ASA/FTD responding without relay_sig parameter in SAML dupicate request |
|
|
Snort 3 Rule update not working if version field not updated |
|
|
ASA/FTD traceback and reload after applying capture type isakmp command from LINA CLI |
Table last updated: 2026-04-15
|
Bug ID |
Headline |
|---|---|
|
DP-CP arp-in and adj-absent queues need to be separated |
|
|
User-Role permission for Object-MGMT "Find-Usage" |
|
|
Standby FTD/ASA sends DNS queries with source IP of 0.0.0.0 |
|
|
Last Synchronized date in FMC smart license status is not always accurate |
|
|
scheduled task may not run at all if UTC start times (based on DST) are on different calendar days |
|
|
on 2k platform, external authentication fails for users starting with number |
|
|
Interface statistics and tunnel uptime display support for VTI/DVTI interfaces |
|
|
FTD unit comes up with HA disabled when configuration backup is restored |
|
|
Misleading error message while attemtping to revert upgrade on inelligible device |
|
|
Snort3 cores on Firepower 2100 series FTD in driver code |
|
|
DAP: debug dap trace not fully shown after 3000+ lines |
|
|
FDM HA Switch : Peer fails to get into Active state due to Interface check |
|
|
ASA software on FP3110 showing incorrect serial number in show inventory output |
|
|
Message for upgrade_resume.sh failure failure due to resuming on /new-root should be enhanced |
|
|
S2S tunnels shown inactive on FMC dashboard though tunnels are up on FTD due to out-of-order events |
|
|
Unable to upgrade FTD after revert from a CDFMC-supported version to a non CDFMC-supported version |
|
|
Error 403: Forbidden when tried to access certificate trustpoint enrolment page on FMC Domain user |
|
|
Member interface admin status is not updated on Lina after enabling port-channel interface |
|
|
Active node reload during peer app sync or config sync causes premature failover, config sync failure, and unexpected reboot |
|
|
Unable to export and import AC-policy in the same FMC version (Snort2 or snort3 IPS corruption related bug, where stale entries are present) |
|
|
Debug: Eth1/1 flapping unexpectedly |
|
|
Counters are not matching between cluster exec and show cluster access-list |
|
|
SNMP walk does not work if IP is configured after SNMP is configured on ngfw management interface. |
|
|
FTD: Invalid counter for TCP_PRX PROBE_TOTAL_ACTIVE_CONN |
|
|
FMC HM showing "normal" eventhough FTD having Comm Failure |
|
|
TPK: FXOS does not cleanup RM queues on MI instance start failure |
|
|
ASA: Running the failsafe-exit command caused the interface to enter a DISABLED state |
|
|
delay in creating process of Readiness/upgrade post initiating from UI |
|
|
Merged PCAP file from 'capture traffic' CLI is smaller than anticipated, or appears to be missing packets |
|
|
IPSecOffload: Traffic gets dropped when esp null encryption is used on the ipsec proposal |
|
|
SNMP host group content change results in SNMP process termination on management interface |
|
|
Error 'Wait for registration to complete' seen in packet tracer page if device template was applied to selected device |
|
|
OSPFv2 connections through inline set in cluster are shown as centralized |
|
|
Removing switch capture configuration from CLI deletes capture PCAP files from disk |
|
|
snmpd core seen in ASA/FTD |
|
|
Standby Unit Interfaces enter "Waiting" Status Post-FTD Upgrade Due to Incorrect "Hello" Message MAC |
|
|
SNMP v1 and v2c traps from diagnostic and data ints stop working on a KP/vFTD after product upgrade |
|
|
FPR2100-ASA Unable to generate CSR without FXOS IP address on SAN field |
|
|
Internal error screen displayed while navigating to next page on syslog ui |
|
|
FXOS LTP: Some platforms return more than one image for analysis |
|
|
Unable to run "nslookup" command on FXOS |
|
|
Issue with FMC while using RestAPI for creating security zone object |
|
|
Failure to read the signature keys (mult-instance deployment) |
|
|
"show inventory" output shows Name: "power supply 0" on Firepower |
|
|
Post upgrade to 7.4.2-S2S tunnel status is showing empty |
|
|
Incorrect syslog generated on failure to process SGT from ISE during RA authentication |
|
|
Config Sync Optimisation : fover_thread: Hash comparison timeout expired while computing config hash |
|
|
FMC - Timestamps in "Analyze Hit Counts" dialog of AC policy are incorrect |
|
|
Bring back support for portal-access-rule for weblaunch for RAVPN sessions |
|
|
Re-Registering the FMC with on-Prem server is getting failed |
|
|
ASA/FTD traceback and reload with high rate of SIP connections |
|
|
In Multi-Instance FTD mode, the Data-Sharing interface remains in “Waiting” state after unit reboot followed by failover |
|
|
Radius server configuration for FTD external authentication is not deployed to FTD. |
|
|
qemu is being listed in show users cli command |
|
|
FMC UI, when SNMP version is set to disabled, FMC doesn't verify community string |
|
|
FPR3K SFP+(10G) optics:Port Channel mem intf becomes down after reload/flap/reinsertion on peer side |
|
|
Standard Access List Objects can be written with leading whitespace |
|
|
Dangling interfaces exists in SecurityZone/Interface group and interface |
|
|
Add IPv6 to shun CLI |
|
|
Peer sending proposal unacceptable during rekey after switch over for IKEv1 SVTI |
|
|
‘Send Virtual Tunnel Interface IP to the peers’ flag is not properly set for backup VTI in DVTI |
|
|
Increase connection retry count in 200_pre/100_get_snort_from_dc.pl |
|
|
Instrument new logs in the startup process to collect more information |
|
|
Warning should be given when large IP range is used in mapped source along with service keyword |
|
|
Incorrect network module slot and status information in "show module" command output |
|
|
Failover prompt shows state active while the firewall is in Negotiation |
|
|
Certificate validation fails with trustpool when FIPS is enabled |
|
|
FMC restore should be marked failed when cfgdb dump fails during restore |
|
|
Disable csd/hostscan invokation for clientless/webvpn flow |
|
|
Sftunnel still existing with older IP for standby unit even after changing the ip address from FMC. |
|
|
Partition "/opt/cisco/config" gets full due to btmp file not getting logrotated |
|
|
Cluster disabled while modifying the coredump filesystem |
|
|
Increase sftunnel AUTH_TIMEOUT to 60 |
|
|
show conn detail rx-ring 4294967295(max val)filter displaying connection having invalid rx-ring num |
|
|
Multiple core.svc_sam_statsAG on FxOS platforms |
|
|
Include show mgmt-ip-debug in fxos tech support |
|
|
Missing CPU and Memory threshold adjustability under Health Policy |
|
|
TPK-MI FTD instance getting validation error and ftds in splitbrain HA post upgrade 7.6.0-1685 |
|
|
Lina crash at compTriggerEventbyName on WM with 100% memory utilization |
|
|
"clear configure interface" causing ACK/FHELLO drops during HA break on standby |
|
|
Migration of TPK native cluster failed because of sftunnel process going down. |
|
|
FP4245 - NPU Accelerator changed speed of 100Gb interface to 10Mb |
|
|
"Failed to upgrade firmware Image" fault should mention the firmware that failed to upgrade |
|
|
Creating cluster bundle tar files for cluster failing with remote storage SSH configured |
|
|
DNS Feed and Network Feed are failed on Standby FMC after upgrade |
|
|
Intermittent ftd_ha_info directory creation failure; WM1120 |
|
|
Large number of Error messages in HA fover_trace.log file cause log rotation in small amount of time |
|
|
SFDataCorrelator memory leak for Intrusion event extra data |
|
|
FXOS MTU Handling for Front Panel and Uplink Ports on Firepower devices require improvement |
|
|
ibdatafix script needs to address cfgdb if the FMC is running version 7.3 or higher. |
|
|
cdFMC: ADI proxy terminated multiple times on TPK MI when used as proxy on REALM |
|
|
one of the instance went to start-failed state on WA4245-760-102 |
|
|
Enhance nlp debuggability and provide persistency for the nlp logs |
|
|
Secure Firewall CSF-1200: sma reported fault: Lina has started, but is not yet running |
|
|
Show mod functionality needs to be fixed after change was reverted in CSCwk63011 due to regression |
|
|
ASA 9.16 SSH Client login to User-Context is not working with ecdsa |
|
|
Propogate SGT deployed to FTD if copy deviceconfiguration(SGT configuration UI andLINA doesnt match) |
|
|
ASA PKI - MS cert policy extension not handled properly |
|
|
ASA will crash on certificate display commands |
|
|
Deployment failing with "no nameif" on the failover interface |
|
|
Lina traceback and reload on ztna app disable |
|
|
MI: core.lina.async_thr is generated after reboot |
|
|
FMC displays VPN tunnel status as unknown even when the tunnels are up |
|
|
Invalid Name Warning Missing from FMC after upgrade and Save greyed out (Configure DAP records through Rest API) |
|
|
Access Control Policy export fails due to dangling object on Intrusion Policy Recommendations |
|
|
ASA - Failover config resync failed and unexpected reboot occurred |
|
|
Unused objects deletion taking longer time |
|
|
4200/3100/1200 hardware allow to change AppAgent timer |
|
|
Deployment failed with the reason "Error-no dhcpd enable inside" |
|
|
FTD HA Standby Reloads Repeatedly After Upgrade to 7.4.2.1 |
|
|
MariaDB import failure that lead to FMC-HA Synchronization Incomplete |
|
|
SNORT2 High CPU Utilization (100%) during user_enforcement SXP Data Sync |
|
|
FIPS self-test failure message needed |
|
|
Not able to create ssh session when changing key-lengths |
|
|
Classic license validation on standalone FMC may fail due to lower case letters in license key |
|
|
FMC: Enable validation of "Comment" Field under Automating Policy Deployment Tasks |
|
|
Crash/assertion in snp_vpn_int_api during extended VPN traffic tests |
|
|
FMC RAVPN Active Session termination throws error- "Error while terminating session" |
|
|
Syslog servers below in FTD logging send hostname info as per emblem config for first syslog server |
|
|
Few Snort3 IPS rule preset filters are not working correctly |
|
|
FMC does not delete intrusion rules from database when they are removed from LSP |
|
|
Port block distribution issue is seen on 9.18 |
|
|
High lina CPU and/or Traceback and reload in spin_lock_get_actual_internal |
|
|
Big chunk of Memory of around 25KB is being allocated on Stack in "eigrp_interface_ioctl" API |
|
|
FMC not using configured proxy for smart licensing |
|
|
ASA crashes on password change attempt |
|
|
Newline character in interface description results in deployment failure |
|
|
FMC Management workflow issue: Cannot remove NetworkObject from group and delete it in same ticket |
|
|
Traceback and reload in Thread Name Datapath |
|
|
Primary FTD instance MAC address is not updated correctly in FXOS during failover |
|
|
NAT divert for 8305 on standby not updating post failover causing the Primary, standby FTD to show offline on FMC |
|
|
ACP copy not possible in Firepower Management Center |
|
|
Raw coredump file not getting deleted on vFTD even after compressed core generation |
|
|
Intenal error seen when trying to include domains in dynamic split tunneling of custom attribute |
|
|
Unreachable Hosts and URLs of syslog configuration Block Device Management Page Loading |
|
|
FMC to warn users when deploying other configs alongside FlexConfig. |
|
|
ASA traceback and reload in freeb_core_local_internal |
|
|
FMC can generate health alerts when ntp temporary switches to HW local clock from external server |
|
|
Multi-Instance in Secure Firewall not updating sftunnel certificates |
|
|
ASA Traceback after upgrade to 9.20.3.7 |
|
|
Deploy Preview comparison PDF report not getting generated |
|
|
SAML DNS LB fails to redirect to local host when local-base-url contains uppercase letters |
|
|
FCM GUI became inaccessible after upgrading to ASA 9.18.4.22 | FPR 2130 Platform Mode |
|
|
“Copy when complete” option not working for SSH Public Shared Key Authentication on FMC |
|
|
FTD: deploy failure when configured L2 access-list. "Cannot mix different types of access lists." |
|
|
Traceback and reload during clear bgp * ipv6 unicast involving watchdog |
|
|
EventHandler not restarted after running system support reset-event-bookmarks on FTD 7.2 and above |
|
|
Memory block corruption: RAVPN SSL/IKEV2 auth failure, AAA SHIM available fibers exhausted |
|
|
ASA: IPv6 EIGRP routes learned from other neighbors are missing in updates after failover |
|
|
FMC1600-K9 PDF download failed in deploy tab |
|
|
FTD is droping TCP syslog messages |
|
|
cdFMC - Unable to save network group object |
|
|
ASA/FTD - Traceback and Reload in Threadname IP RIB Update |
|
|
Ipv6 TCP Syslog are not properly generated on WM-HA Active unit in 7.7.0-1607 |
|
|
Clearing all non applicable alerts post license registration success |
|
|
show blocks old core local can lead to unexpected reload. |
|
|
Smart license UI on cdFMC and FMC showing duplicate license count for Malware , IPS , URLFilter and Apex |
|
|
FMC UI login fails with "Unable to authorize access." |
|
|
FMC: OSPF NSF-awareness (helper mode) cannot be configured on a standalone FTD |
|
|
RTSP packets getting stuck in transmit queue leading to 9k blocks exhaustion. |
|
|
FMC Does not throw error with duplicate entries in input while modifying prefix list through API |
|
|
FMC User permissions allows user to Suspend HA even when "Modify Devices" is not selected |
|
|
User EO revisions accumulate forever, eventually overflowing Pruner's ability to do its job |
|
|
ipv6 ping Vrf name changed after xml processing |
|
|
Validation is missing when PC is used in both DHCP relay agent as well as in server server-side intf |
|
|
FP1150 ASA/FTD - Traceback and reload triggered by watchdog timer |
|
|
WM-DT- FXOS Critical Faults seen due to PortMgr IPC Communication failure. |
|
|
FTD Clish: "more.fxos" process is left running when the ssh terminal session is abruptly terminated |
|
|
FMC managing various lower version vFTDs throws Event Handler errors |
|
|
FTD generates syslog 430002 as VPN Routing without VPN hairpin |
|
|
MonetDB Monitor should detect missing columns in stats partitions |
|
|
Policy Deployment Failure Due to Special Characters in AC Policy Rule Names |
|
|
FTD reboot and traceback in DATAPATH due to IPv6 packet processing |
|
|
Error thrown for individual rule hitcount if rule name contains certain special characters |
|
|
Dynamic Analysis Status Changed time only changes upon submission of a file for dynamic analysis |
|
|
Use of browser Refresh button on the Captured File Summary page may result in an unexpected warning |
|
|
Core file generated completely, but the contents are inconsistent on FPR 2100 |
|
|
FTD Upgrade Failure on Script 800_post/020_710_fix_users_and_roles.pl |
|
|
Warning messages from using Analyze button on Captured File Summary page need to be more specific |
|
|
printf: minus sign is not handled properly when width modifier used. |
|
|
Unable to login to FMC GUI due to HTTP 401 UNAUTHORIZED error |
|
|
Aggressive scale down and scale up of nodes causing the failure |
|
|
Serviceability Enhancement - Make FXOS disk errors more descriptive |
|
|
ZIP files are not being transferred when Archive category is selected from File Policy using snort3 |
|
|
Exclude perf monitoring files from device backup |
|
|
Multiple TCP logging host with timestamp option not working with IPv4 & IPv6 host |
|
|
Active HA unit goes into failed state before peer unit gets into a ready state during snort failure |
|
|
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-3-4280' |
|
|
Buffer calculation for new app_bin missing in the upgrade framework |
|
|
Prune the older files in /ngfw/var/cisco/deploy/pkg/var/cisco/packages |
|
|
FTD - LSP Installation/ Deployment Failure |
|
|
FMC upgrade page shows upgrade failed but the device is upgraded |
|
|
Backup may fail with generic "Backup died unexpectedly" error message |
|
|
IKEv2 Rekeys fail due to fragmentation during the IKE Rekey |
|
|
Importing SFO fails with the error "No UUID Provided" |
|
|
Snort3 restart on the first deployment post FMC upgrade. |
|
|
Unable to rejoin data node in cluster after re-enabling mac-address auto in multi-context mode |
|
|
Better handling of invalid/bad data in fleet upgrade workflow. |
|
|
process_stderr.log: Could not open link aggregation log file '/ngfw/var/log/link_aggregation.log' |
|
|
Reduce TS package size |
|
|
FTD sending "0.0.0.0" NAS-IP-Address attribute when authenticating/authorizing using Radius |
|
|
9K block depletion causing slowdown of all traffic through firewall |
|
|
DNS and default gateway are removed on FTD managed through data interface - DNS |
|
|
Deployment failure due to invalid AnyConnect Images and Secure Client Profile references |
|
|
REST Api allows to create a realm without a directory configuration |
|
|
Enhance Backup Status Notifications for Unified Backup Failures on FMC |
|
|
Upgrade failure after RMA due to Sensor table having incorrect serial number |
|
|
Unexpected SFDataCorrelator exit after deployment to managed devices following VDB install on FMC |
|
|
FMC Site-to-Site Monitoring Dashboard is not working at all |
|
|
Unit taking ~13 secs to become active |
|
|
FMC remote storage test sometimes fails when configured to a server running Solar Winds SCP/SFTP |
|
|
Virtual ASA Traceback and Reload Caused by Disk Access Issues with NFS Enabled |
|
|
FMC Alert: Discover Health Module Compilation Error |
|
|
CIMC Password length restricted to 16 characters with LOM enabled |
|
|
FMC: Deployment takes longer than expected when removing SNMP hosts from Platform Settings |
|
|
Remote storage server password showing in plaintext in httpsd_error_log |
|
|
ASA/FTD traceback and reload in vaccess_nameif_action thread |
|
|
Remote backup generated successfully but configuration database backup is empty |
|
|
Smart license UI showing variable performance tier when stand by FMC is made active |
|
|
SSL Debug Logs Persist After Debug Reset |
|
|
Module show tech generation fails with external authentication |
|
|
Ensure the watchdog triggers even if a single snort3 thread becomes unresponsive. |
|
|
Counter from IKEV2 stats does not match the number of tunnels in VPN-Sessiondb |
|
|
Port-channel member interface flap renders it as an inactive member |
|
|
Disabling OSPFv3 on FMC does not clear passive interface and area config from FTD interfaces |
|
|
FMC IPsec SA remaining key lifetime incorrect conversion of seconds to hh:mm:ss |
|
|
Cluster node got deleted partially and devices have become Standalone on FMC UI |
|
|
syslog-ng may not immediately restart on FTD as expected upon changing FTD host name |
|
|
Fleet copy package fails: Copies completed but failed to be acknowledged by device(s): 1. |
|
|
FMC - Health Monitor shows 'No Data Available' due to too many open files |
|
|
Warwick Avenue: LLDP neighbours are not discovered if MGMT 1/2 interface is down |
|
|
Decryption policy failed to migrate to cdFMC from on-prem FMC. |
|
|
Error after logging out from FMC UI using SSO with PingId |
|
|
ASA FTD traceback in Checkheaps process after enabling "controller monitor internal-interfaces free-blocks 100" command |
|
|
Upgrading a 7.0.x sensor to 7.0.7 when managed by an FMC via hostname results in errors |
|
|
Traffic failure due to 9344 blocks leak |
|
|
'${dsk_a} missing or inoperable. Rebooting Blade.' error does not specify missing or inoperable disk |
|
|
[Cluster] CPU Utilization of 100% when NAT Pool exhaustion happens in a context. |
|
|
FTD: Large Delay in packets being inspected by snort |
|
|
LINA core observed pointing to "IP RIB Update" thread |
|
|
FTD does not synchronize via NTP from Secondary Management Center in HA when the Primary is down |
|
|
DNS doctoring not working correctly if the doctoring rule is of type dynamic and has any interface |
|
|
Logical App Stuck in 'Start Failed' Due to checkSystemCPUs Failure |
|
|
Failover and state link not accepting valid subnet mask |
|
|
mix of major versions between FMC and FTD causes per-core CPU use health module to not work on FTD |
|
|
FTD HA | Same MAC for port-channels causing network outage. |
|
|
Deployment to FTD Fails at 5% due to corruption with interface object |
|
|
Refresh Icon on Inventory Details Fails to Update Chassis Information for All Models |
|
|
Handle cases where Vault is not running during task execution and add health Alert |
|
|
Memory leak: ASA Fragment size 72 causing memory exhaustion in MEMPOOL_GLOBAL_SHARED POOL |
|
|
Captured file status is not updated if threat score is cached on FTDs |
|
|
Bulk Edit Rules - Security Zone Search does not yield all zones if zone count is more than 1000 |
|
|
Deployment Failure in Hub and Spoke VTI Topology with DHCP Configured VPN Interfaces |
|
|
BFD flap due to ASA not processing incoming BFD packets after unrelated BFD peers go down |
|
|
Columns missing from event partitions |
|
|
SNMP configuration is not applied consistently across same FTDs type and version |
|
|
Deployment failure due to rsync |
|
|
ASA/FTD traceback and reload with SNMP Notify Thread seen on 3110 |
|
|
Portscan event in FMC displays incorrect source/destination when set to 'low' setting |
|
|
Traceback in thread name DATAPATH when a unit is re-joining the cluster |
|
|
deployment slowness seen when huge number of policies are present |
|
|
Post-Failover FQDN Resolution Deferred Until Next DNS Poll Interval |
|
|
ENH: UDP traffic flow requires Initiator and Responder fields in the "show conn detail" output. |
|
|
Cryptochecksum changed after reloading. |
|
|
Saving changes under Policy > Alerts > Intrusion Emails in FMC GUI multiple times removes old changes |
|
|
'configure network management-data-interface' allows to configure same IP on data and mgmt interface |
|
|
Local user details not replicated to data nodes in a cluster setup. |
|
|
ASDM: Displays Error of Keypair already exists when adding an identity certificate. |
|
|
Deployment failure not updated on databases of data node |
|
|
FMC page may get stuck in loading state while trying to fetch BGP configuration |
|
|
Boot-Time warning if CPU core count is below minimum requirement |
|
|
ASA/FTD: Primary standby unit becomes Active after reload in HA set up |
|
|
ASA SSH login fails at the first attempt when it is integrated with DUO |
|
|
ASA/FTD traceback and reload triggered by the Smart Call Home process in sch_dispatch_to_url. |
|
|
If command replication fails to any nodes in cluster, send kick the node out from cluster to fmc |
|
|
Policy deploy would not write entries when referenced object is missing |
|
|
Command replication failure to cluster nodes on command commit noconfirm revert-save after access-list, additional debugs |
|
|
FMC Custom widget to display host count per sensor shows incorrect sensor name |
|
|
"Error during policy validation An internal error is preventing the system... "due to stale sensor ref in security zones |
|
|
Missing RADIUS accounting response messages may result in delays or failures of connectivity from chassis to instances |
|
|
FTD: Excessive logging for UserGroup |
|
|
FPR 4125 Multi instance: High Snort and System Core CPU Usage (100%) Triggering FMC Critical Alerts |
|
|
FMC Unable to Download User Groups from AD Realm via LDAP |
|
|
ASAv restarts unexpectedly |
|
|
cdFMC Not Displaying Interfaces and Security Zones When HA Secondary Device Is Active |
|
|
FMC Displays SSE Enrollment Failure Alarm Despite No Active Integration with SecureX |
|
|
Duplicate VTI cause VPN Flaps |
|
|
FTD Cluster: Incorrect log when snort engine restart times out |
|
|
LINA stays inactive without reloading after traceback on non-CP thread |
|
|
Users with "Modify Threat Configuration" permission are not able to modify Intrusion/File Policies within the Access Control Policy (ACP) rules |
|
|
Secondary Address should only be configurable for FMC-managed FTDs when using data interfaces for management |
|
|
Unable to Edit or Break FTD-HA via FMC GUI because of UI lock issues during create |
|
|
Traceback in threadname DATAPATH while trying to re-join cluster. |
|
|
Excessive number of AD users in FTD External Authentication could lead to deployment failure when disabled. |
|
|
ASA/FTD traceback and reload in function mp_percore |
|
|
Disabled rule parameters incorrectly carried over to new rule in child policy |
|
|
ASA traceback and reload |
|
|
high CPU usage after ASA upgrade from 9.20.3.9 to 9.20.3.16 running on Hyper-V |
|
|
FMC Restore of remote Unified backup fails due to no space left on the device |
|
|
Lina crash in threat detection due during first deployment after upgrade |
|
|
ASA: tls-proxy maximum-session command error |
|
|
ESP packets encapsulating subsequent fragments are dropped with ASP unexpected-packet drop reason |
|
|
SSL error causing connection to Cisco Smart Software Manager (CSSM) to terminate |
|
|
ASA/FTD: the ssl trust-point command deleted after a reload |
|
|
User Creation Fails with RADIUS Dynamic Provisioning Enabled on Firepower device. |
|
|
FMC GUI Inaccessibility and blank due to 'Malformed JSON String' Exception |
|
|
Deployment is mandatory after FMC upgrade condition should be included in Upgrade code |
|
|
FTD/ASA SSH: Terminal monitor is not showing logs |
|
|
Wrong URL incorrectly displayed for file upload with Japanese text in file path for client-less VPN |
|
|
The Firepower bandwidth_analyzer.pl script does not perform proper input validation for the '--size' option |
|
|
FMC Audit tcp-tls syslog is truncated or incorrectly formatted |
|
|
Negative value displayed for buffer drops when using " show cluster info load-monitor details" |
|
|
ASA crashinfo files not generated on FP4200 devices |
|
|
Syslog format is not properly printed when EMBLEM format is enabled at least in one syslog host |
|
|
ADI cores reading corrupt SXP file |
|
|
Multiple mail drops and enq failures are seen while traffic is going through the box. |
|
|
depoyment failure reason and transcript to be updated on FMC |
|
|
Policy deploy failing on FTD when trying to remove Umbrella DNS Configuration |
|
|
CPU usage by "WebVPN Timer Process" on standby ASA device |
|
|
WA HA: Error while fetching metadata for FTD HA. |
|
|
Case differences in SAML SSO usernames cause login loop |
|
|
FMC reporting IPv6 non overlapped host object-group as fully overlapped object-group |
|
|
Multiple consumers try to bind to the same ZeroMQ socket |
|
|
Deploy failure when Indexing is not working |
|
|
Deployment failure when selecting ECMP zone member interface in ZTNA policy |
|
|
SAML IdP entityID increase from capped 128 character maximum |
|
|
dmesg and kern.log file flooded with Tx Queue=0 logs |
|
|
"CSRF Token Mismatch" error seen when users click logout from Clientless VPN page |
|
|
Internal error is seen when editing the rule with IPV6 contents |
|
|
The chassis serial number is empty post registration in FMC |
|
|
Traffic drops post deployment when secondary skips app sync and become active immediately after bootstrap config apply |
|
|
ASA Memory leak while processing large CRLs. |
|
|
LDAP users in ACP always show realm out of sync. |
|
|
ASA Clock reverts to UTC after device reload |
|
|
ASA/FTD: ASP drop capture for 'invalid-ip-length' or 'sp-security-failed' does not work with match criteria |
|
|
Table on Syslog Settings tab in FTD platform settings policy may appear with improper dimensions |
|
|
Customer DU CONSULT, NPS 6 - ACP search toggle for exact IP or Port match |
|
|
WA/TPK: EPM FPGA upgrade chooses incorrect bundle |
|
|
Memory leak in SSL crypto causing high Lina memory usage on lower-end devices |
|
|
Opening, imported policy says internal error. |
|
|
HA state should not transition from ColdStandby to Active |
|
|
FMC Auto Deployment Task fails to run repeatedly |
|
|
Prolonged delays in firewall restart/reboot completion |
|
|
Restoring .tgz context file causes allocated interfaces to be removed from 'system' configuration |
|
|
Need to have deploy Warning for IKEv2 Policy with same Priority Conflict in FTD VPN Configurations on FTD |
|
|
FMC Dynamic Objects Limited to 1000 |
|
|
LINA traceback Observed on FTDv Firewalls Deployed in Azure: snp_vxlan_encap_and_send_to_remote_peer |
|
|
FMC Overview Connection Summary Shows No Data by Responder IP |
|
|
Threat/AMP Upgrade tasks are being created soon after HF installation completed |
|
|
Missing Security Zones in zones.conf Affecting ngfw.rules Functionality |
|
|
If failover IPSEC PSK is 78 characters or greater HA breaks with "Could not set failover ipsec pre-shared-key" |
|
|
Inventory details on FMC GUI shows the incorrect compliance mode |
|
|
Stop generating health alerts for transient high CPU utilization |
|
|
Issue with interface status visibility in Firepower Chassis Manager 4225 managed by FMC |
|
|
Memory Leak observed on FP2110 running ASA due to monitoring interface configured in HA |
|
|
FP3105 Traceback and Reload after changing the speed on Ethernet interface |
|
|
FMC generate_certs.pl script fails to regenerate CA Certificate |
|
|
FTD incorrectly transitions TCP state to established when client sends RST after SYN-ACK |
|
|
Audit Logs Display Repeated Session Expiration Entries Even When the System is Idle |
|
|
Traceback and Reload while two processes attempt to free a TD subnet structure |
|
|
Misleading "failover reset" log printed on console when reload triggered by HA. |
|
|
management-data-interface commands fail with "Enable of interface failed" error due to case-sensitive interface name |
|
|
CoA processing stops after DAP |
|
|
FTD may drop traffic in the Azure cloud at mlx5 driver level. |
|
|
Policy Deployment tasks should not be stuck indefinitely |
|
|
FP2110 - ntpd process constantly crashing |
|
|
ASA: Traceback and reload on threat detection, interfaces unstable after that |
|
|
Duplicate messages during deployment to be discarded by CD to avoid further deployment failures |
|
|
Snort3 blocking ESMTP traffic intermittently and trigger IPS signatures: 124:1:2 |
|
|
ASA/FTD - Assert triggered during FP_PUNT replace (aaa account match) |
|
|
Traceback and reload after editing SNMP config, with tmatch |
|
|
Local FTD backups are failing due to a lack of disk space on /tmp. |
|
|
Long running AQ task got killed after timeout on FMC but corresponding backup task on FTD is still running |
|
|
FPR4200 | FPR3100 Multi Instance Chassis Deployment Failed in DNS configuration |
|
|
Errors on all interface of FPR1010 | line protocol is down ( not associated with supervisor ) |
|
|
expat/xml FW rebooted itself and no crashinfo generated |
|
|
Manually Downloading VDB Update Requires Manually Refreshing the Web Browser to get the VDB Update to be Displayed on the Page |
|
|
Dynamic Attributes Connector Status shows One or more services are unhealthy |
|
|
Idle SSH sessions persist beyond the configured timeout without graceful termination by Fin flag |
|
|
Multicast and broadcast packets do not reach all multi-instance firewalls via shared interface on 3100/4200 |
|
|
Intrusion Event Packet Data via syslog/estreamer show no packet data for large packets |
|
|
SmartLicensing should accept certain special characters |
|
|
ASA SNMP Response Issue - Responses Sent Only for Odd OIDs, Not for Even |
|
|
Lina Traceback and Reload after enabling 'TLS Server Identity Discovery' |
|
|
Unable to use the plus sign in the email-id for the identity when configuring an S2S VPN |
|
|
Deployment failure soon after forming FTD HA |
|
|
ASAv deploy failed - console stuck at continuous |
|
|
Multiple System Configurations Missing from FMC GUI Post-Upgrade |
|
|
FTD Traceback while executing 'asp load-balance per-packet' |
|
|
SSH login to FTD management IP address lands in FXOS shell instead of FTD CLISH due to missing /mnt/boot/application/*.def file |
|
|
FTD 3130 HA Lina tracebacks at ikev2_bin2hex_str |
|
|
FMC Upgrade stalls Indefinitely at 999_update_onpremfmc_diskcache.sh |
|
|
Unable to edit Dynamic Analysis Connection cloud settings when FMC cannot connect to the US cloud |
|
|
FMC uses old DNS server for resolution despite correct configuration |
|
|
FTD is not sending a reset packet when the incoming traffic hits "block with reset" rule |
|
|
FTD upgrade failed due to bundle image existence verification failure |
|
|
FMC API: RAVPN sub-endpoints are unstable (When concurrent GET API calls are made, some might fail returning 404 'Resource not found' error for available UUIDs) |
|
|
FMC does not allow to use IP address with 0 value in last octet as gateway while configuring static route for a device. Error: Enter valid IPv4 host value |
|
|
FTD does not generate any events for the Platform Faults health module if no platform faults are present |
|
|
FPR 4200: HA link arp packets getting dropped, internal uplink linkChange counters incrementing |
|
|
FMC ACP Top User Deleted When Deleting Users With Legacy UI |
|
|
Password Expiry Age does not reset after Password Change |
|
|
show asp rule-engine issues with complete and run time |
|
|
non-SSL traffic wrongly classified as SSLv2 causing drops with TSID enabled |
|
|
SNMP traps are not sent to one of multiple SNMP servers, in certain conditions |
|
|
FMC - Deployment Fails with "Deployment failed due to timeout during configuration generation" |
|
|
ASA : Performance and high CPU usage seen on Hyper-V |
|
|
IKEv1 L2Lvpn fails in phase 2 with "Rejecting IPsec tunnel: no matching crypto map entry" after upgrade |
|
|
HA Primary/Active unit goes to disabled state as "HA state progression failed due to app sync timeout" in build 10.0.0-196 |
|
|
FTD: Instance stuck in Boot Loop |
|
|
1140 FTD HA primary failed to reboot after executing the reload command from expert mode |
|
|
SRU Upgrade Fails Due to Leaked Activity IDs from ClusterPostUpgradeHandler |
|
|
Intermittent Blank Screen When Loading Access Control Policy in New UI |
|
|
Possible unregistration when deploying during HA Switchover |
|
|
FMC modify the BGP password that start with value "0x" |
|
|
Not probing for http Opportunistic TLS |
|
|
FP 4115 ASA Cluster: GTP inspection causing high lina CPU 70% - 90%+ depend on traffic |
|
|
Firepower: SSH access lost after timezone change in platform mode |
|
|
LSP Version not listed in dropdown under Intrusion Policies> Snort3 >Rule Overrides> Advanced Filters |
|
|
FMC UI displays upgrade failure despite successful firewall upgrade |
|
|
ASDM Parsing Failure on Two Contexts |
|
|
Snort perf_monitor_base.csv memory data not getting populated |
|
|
FTD HA devices marked as failed and deployment failure due to exception in CCMtoCDInQHandlerThread |
|
|
ASA client IP missing from TACACS+ authorization request in SSH |
|
|
Http inspector support for OPPORTUNISTIC_TLS |
|
|
Reboots on FP2130 due to missing heimdall PID |
|
|
Unable to upload Secure Firewall Posture image file with a size over 200MB |
|
|
"no http server basic-auth-client ASDM" allows ASDM connections to ASA. |
|
|
MonetDB may fail to start on FMC if maximum parallel/concurrent logins per CLI user is set to 1 |
|
|
Interfaces are coming up when the Firepower is shutting down |
|
|
Policy deployment fails when inline-set is configured on FTD HA |
|
|
'Access token invalid' is prompted, if a stress test is made on the ACP |
|
|
Low RAM allocation on ASAv can trigger unexpected behavior in 'asdm image' command |
|
|
Policy Import failure: Object ID Collision Causes ClassCastException |
|
|
Flexconfig policy deletion left the stale references |
|
|
cdFMC: All Device Deploy Validations were failing post deletion of Flexconfig for one device |
|
|
Cleanup of perf_monitor files per instance per day |
|
|
FPR4215 "Not supported" alarm occurred, when insert the SFPs |
|
|
Traceback in HA stby node while snmpwalk on natAddrMapTable |
|
|
ASA/FTD: Traceback in thread name CP Processing due to DCERPC inspection |
|
|
Disabled manual nat rule is replacing the almost replica manual NAT rule |
|
|
EventHandler wastes CPU re-scanning files that contain no requested events |
|
|
Connection blocking active although "logging permit-hostdown' is set |
|
|
Timeout values not honored after "sftunnel_change_max_conn_check.pl" changes |
|
|
Sftunnel TLS13 connection goes down after upgrade when two interfaces configured with same IP on FMC GUI |
|
|
Standby FMC Fails to Sync ids_event_class_map Table, Resulting in Misclassified Intrusion Events |
|
|
Both the units in HA changed the encryption algorithm simultaneously |
|
|
FMC API is reporting Windows for all AnyConnect images while querying RA VPN policies |
|
|
add context for cmd-invalid-encap asp-drop type in the "show asp drop" command usage |
|
|
ASA/FTD - 1550 Block Depletion Due to Instability of TCP Syslog Channel(s) |
|
|
Block depletion - stuck at ssl_decrypt_cb location |
|
|
FPR HA ESP sequence number discrepancy when standby changes to Active resulting in Anti-replay drops |
|
|
Intermittent deployment stuck "in progress" for few devices |
|
|
Dataplane <> Control Plane may be overwhemed in the event of a massive influx of traffic with no existing ARP Adj present |
|
|
WCCP redirection not working as expected on transparent FTD |
|
|
Device doesn't boot and gets stuck after a successful upgrade |
|
|
SRU-triggered policy deployments occurred following initial/standby FMC during FMC HA & standalone upgrades |
|
|
cloudAgent process error "CloudAgent: [ERROR] Update message is not of type dictionary" |
|
|
FP3140 FTD HA Upgrade Getting Stuck |
|
|
Slow UI and inability to check disk usage on FMC due to NFS configuration |
|
|
File policy stops working due to SMB tcp conn terminated after 1hr for unknown reason despite not idle |
|
|
Anyconnect users incorrectly get the prompts, based on the previous tunnel-group |
|
|
ASA: Traceback and reload after saving asdm image |
|
|
Empty Dynamic Attribute IP mappings pushed to FTD from FMC Secondary Unit |
|
|
Deleting a domain using domain_manager --deleteDomain <domain_uuid> on FMC CLI brings down the estreamer service |
|
|
SNMP OID Polling for Chassis temperature not giving response |
|
|
RADIUS external auth doing one request per interface when bad username/password attempted |
|
|
Secure Client SAML - External Browser May Prompt for a Certificate when using IKEv2-IPsec and Certificate Mapping |
|
|
Missing Policy Based Routes on FMC PBR Page |
|
|
FTD may generate a large number of "ssl-certs-unified" files. |
|
|
TLS audit syslog configuration and certificates not replicating to secondary FMC in HA deployment |
|
|
Continuous logs_archive.asa-interface-idb.log getting generated on ASA |
|
|
FMC may not complete Cisco Security Cloud integration when using on-prem Smart Software Manager for smart licensing |
|
|
Disable FEC mode when interface speed for 25G interface is reduced to 10G |
|
|
The /api/fmc_netmap/v1/domain/{domainUUID}/hosts API endpoint not showing MAC addresses |
|
|
ASA/FTD may traceback and reload citing Thread Name 'lina' as the faulting thread. |
|
|
Dynamic Offloaded Flows Interrupted midstream |
|
|
FMC is returning status code 400s of GET request for Get Device Data |
|
|
cdFMC 7.7 Fails to Display Health Data for specific FTD's |
|
|
Intermittent drop of self-originated ICMP TTL exceeded messages with reason "Unable to obtain connection lock (connection-lock)" |
|
|
FTD/ASA may traceback and reload |
|
|
FMC/FTD: Policy Deployment failure after disabling NVE Interface config in VTEP Tab of FTD Cluster |
|
|
FTD Policy deployment reported as failed incorrectly on FMC when communications disrupted |
|
|
Lina traceback due to the incorrect option being received in the packet. |
|
|
Secure client tunnel group authentication is affected when using SDI protocol |
|
|
ASA/FTD: Wrong value shown for X509_STORE_CTX in 'show ssl objects' |
|
|
S2S VPN status for Topology with Extranet shows inconsistence at times. This is because when the tunnel status is received from the device bidirectional update should happen |
|
|
RTSP Flows are dropped with drop reason "First TCP packet not SYN" |
|
|
ASA/FTD - Traceback and Reload in Threadname DATAPATH |
|
|
Unable to create interface object with a "same" name as earlier when we had a network connectivity issue |
|
|
Upgrade failure on FMC on GCP 000_start/112_CF_check.sh |
|
|
ASA/FTD: SCEP enrollment fails with SCEP server reachable over VPN and sourced from inside interface |
|
|
ASAv on Hyper-v encountering boot loop issues when running netvsc driver |
|
|
Lina: Traceback and reload webvpn_session_release |
|
|
ASA traceback and reload due to memory corruption in IPsec SA pointers |
|
|
GeoDB content is not restored when restoring a backup to a freshly deployed FMC |
|
|
High network latency observed on ASAv |
|
|
FTD traceback and reload on DATAPATH |
|
|
Unable to upload VPN client profile package under Objects > Object Management > VPN > Secure client File to FMC while logged in via External User. |
|
|
FTD: SSH/SFTP on port 200 is being misclassified as SRC |
|
|
ASA traceback while disabling GTP inspection |
|
|
WPK node rebooted with lina core while trying to form cluster in snp_nat_allocate_port |
|
|
FP2140 running FTD traceback during deployment |
|
|
Lina: Traceback and reload for watchdog on BGP |
|
|
EIGRP adjacency fails over VTI(IPSEC) |
|
|
Enhance UI error messages to inform users that deployment is not allowed due to version mismatch. |
|
|
FMC scheduled backup task attempts to backup removed managed device resulting in error "Cannot trigger backup since sensor is not reachable" |
|
|
FTD - FTD RADIUS authentication fails with "bad authenticator" after disabling Management Interface Convergence |
|
|
Device->Certificates page not loading with error "Error in fetching certificate details" |
|
|
Add validation on FMC UI to prevent admin to configure more than allowed IKE policies |
|
|
security intelligence block list event logging can't be disabled |
|
|
Inconsistent Cluster State: All Nodes Acting as Data Nodes with No Control Node |
|
|
ASA/FTD traceback and reload in Lina |
|
|
Warning Users When Creating Rules with Multiple 'Any' Fields in FMC |
|
|
Unable to remove certificate-group-map |
|
|
FPR-4200: Port-channel flaps while generating chassis FPRM |
|
|
FP2110 Critical fault alerts for remote users |
|
|
Deployment failure due to unrecognized command "vpn-simultaneous-logins none" |
|
|
ASA/FTD traceback and reload in L2 vaccess_nameif_action thread |
|
|
FTD silently drops out of order packets |
|
|
Problems may arise when an automated script attempts to deploy to add or delete an SNMP user in a multi-context environment. |
|
|
removing all usages of a DHCP IPv6 pool object from FTD interface config does not delete the object from FTD |
|
|
deployment to FTD from cdFMC after migration from on-prem FMC failed due to handling of DHCP IPv6 pool object |
|
|
Improve logging for correction actions that would lead to mark the network discovery policy dirty |
|
|
ASA/FTD: Fragmentation issue for IKE_Auth packets |
|
|
Collecting "show tech-support fprm" results in corefile in TAR process |
|
|
MariaDB cores due to conflicting queries on VPN_TUNNEL_STATUS |
|
|
ASA traceback and reload while removing capture |
|
|
RADIUS External authentication doesn't work after migration between FMC platforms. |
|
|
ASA: Traceback and reload on ARP code when the pinged device is unreachable |
|
|
UI does not display dynamic objects when API request does not have ObjectType:IP field |
|
|
'Convert and auto-import' option from the policy sync tab, is currently not correctly copying overridden rule actions to Snort3 rules. |
|
|
High cpu on block depletion |
|
|
Cannot replace FDM UI certificate due to "SSP Server Unavailable" error |
|
|
Memory leak in virtual-access nameif strings |
|
|
ASA timestamp getting stuck for syslog messages until the device sync up with NTP |
|
|
ASA may traceback during manual failover |
|
|
Few FQDNs are not resolving after FTD upgrade |
|
|
FTD upgrade failed at 999_z_must_remain_last_finalize_boot.sh |
|
|
FMC Audit Logs for configuration change entries show FMC IP instead of FMC Hostname in host field. |
|
|
Incorrect Numbering and Missing Policy Rules in ACP Reports on FMC GUI. |
|
|
FTD-side fix for Message asa_log_client exited 1 time(s) seen multiple times |
|
|
snmpEngineBoots does not increase when ASA reloads |
|
|
SFDataCorrelator process on the FMC was stuck during initialization |
|
|
FMC's API response contains "-1" for port values |
|
|
FPR 3110 MI (shared subinterface) - Traffic outage when disabling multicast routing on one FW instance |
|
|
reader command fails to process vpn event unified log files |
|
|
LINA May Encounter Traceback and Reload if SSH Session Uses ChaCha20-Poly1305 Cipher |
|
|
Platform settings missing in FMC REST API response for Firepower 3100/4200 multi-instance logical devices |
|
|
Lina Traceback and reload in Thread: "cli_xml_request_process" |
|
|
External auth login for FTD managed by a newer FMC version may fail for new changes done on the server |
|
|
FTD Upgrade failure: '999_z_must_remain_last_finalize_boot.sh' Script Fails Due to Missing/Inaccessible 'messages' File in 'var/log' |
|
|
Faults generated during first boot on 6.x can't be cleared |
|
|
FTD - AppId fails to extract DNS hostname causing DNS Security Intelligence policy bypass on Snort V3 |
|
|
The identity cert will miss "ca" if the same cert also installed as device-certificate. Reboot will fail to install identity cert |
|
|
While in App-Sync phase, cluster node does not transition to disabled state when CCL interface goes down |
|
|
Few Licenses are not being replicated to Standby FMC on FMC HA |
|
|
FTD , dcosAG continuously crashing |
|
|
Actual username does not appear in SSL policy under child domain only |
|
|
Traceback and reload in threadname datapath due to flow-offload. |
|
|
Failed to convert snort2 rules to snort 3 in 7.4.3 FMC version |
|
|
M6 FMC Direct Install -Kernel crash and device struck during baseline |
|
|
Enable out of order packet discovery by default in appid |
|
|
Pkt injection failed when using transparent ethernet bridging |
|
|
ASA: Traceback with Thread Name DATAPATH-0-13302 |
|
|
FMC API Explorer Does not log out user sessions |
|
|
Appliance enters into fail-safe mode due to warnings thrown by nat config. |
|
|
License registration still fails with ssl trustpoint and smart transport mode configured despite fix for CSCwp10957 |
|
|
Deployment fails when interface has . or _ symbol |
|
|
ASA/FTD does not accept "id-kp-ipsecIKE" or "anyExtendedKeyUsage" in EKU for usage type IPSEC VPN Peer |
|
|
Lina: asacli Traceback & reload due to SSH/SCP initiated from firewall exec mode |
|
|
FMC backup downloads to 0 bytes |
|
|
Deployment Failure while removing Passive Interface in OSPF and Interface configuration at the same time |
|
|
Unable to delete Dynamic Access Policy |
|
|
FTD installing two default routes coming over EIGRP having different metrics |
|
|
unresponsive hmdaemon process on the FTD leading to Blank Device metrics on FMC Health Dashboard |
|
|
Unable to Edit or Delete Unused Intrusion Policies After Migration |
|
|
CLISH locks up for other commands and deploy is stalled when ping or traceroute is executed in CLISH and cannot be aborted |
|
|
Generating Snort3 recommendations fails due to Internal Error |
|
|
When the FMC language is set to Japanese, the Device Name changes to an IP address. |
|
|
Unable to retrieved SNMP OID crasActGrpName (1.3.6.1.4.1.9.9.392.1.3.22.1.1) |
|
|
Warning about the usage of failsafe-exit |
|
|
The EoRevisionStore table shows a pattern of size increase early in the week followed by pruning at week's end. |
|
|
FMC: Deployments fail when secondary FTD is active in HA due to SF tunnel reconnection race condition |
|
|
iOS/Android AnyConnect clients fail AAA/AD authentication with passwordless users |
|
|
Unable to make S2S VPN config changes with error "NAT Traversal cannot be disabled on this endpoint" |
|
|
DAP Records fetch group policies displayed by their UUID instead of names (policies beyond the first 25 listed alphabetically due to the limit of 25 set when grouppolicies called in DAP) |
|
|
FMC DAP policies missing in the UI on the DAP listing page (if there's a DAP policy with an all-numeric record name) |
|
|
Trustpoint deletion failure on FMC (if there's a certificate enrolled on the device which has an illegal character (according to JIBX) say 0x02 (^B)) |
|
|
Traffic is not hitting the expected rule, instead hitting default deny rule. |
|
|
Allow new Radius user login when Radius user reached maximum limit |
|
|
Unable to use newly created or system defined object IPv4-Private-All-RFC1918 as a filter in events |
|
|
FMC Health Monitoring Generates Excessive Alerts for Undo Log Size Threshold Set Too Low |
|
|
Upgrade of FTD-HA failed on primary FTD |
|
|
sf-backup-inator.pl --> Failed to Call RNA Start For SFDC process |
|
|
In a domain aware FMC environment, pre-deployment validation errors are seen due to sub-domain group policies referencing global Secure Client Profiles, complaining of invalid / non existing file entries |
|
|
FTD sending duplicate syslog messages to the syslog server |
|
|
FMC-created capture for FTD causes generation of excessive 'capture_*' files to FTD disk |
|
|
FMC: Temporary SSL policy views does not get cleared after session ends |
|
|
Improper URL Alias (group-url) length validation |
|
|
Netflow CLI handling requirement |
|
|
Error/slownesss while saving access control rules in AC policy |
|
|
FTD: Snort3 meta-ack ACTION_BAD_PKT flag contaminates parent packet causing stream holes |
|
|
use-after-free in call_handlers when flow_data list is mutated |
|
|
Adjust timeout during restore command to unlimited for FP2100 platforms |
|
|
PKI in ASA not able to parse "HTTP/1.1 426 Upgrade Required" |
|
|
Clear the IPv4 rp_filter setting to allow FMC with dual management interfaces in same subnet |
|
|
missing column mitigation can cause unintended table drops during upgrade |
|
|
Deployment is failing as same IP config or tunnel is used for multiple spokes |
Resolved Bugs in Version 7.4.6
Table last updated: 2026-03-04
|
Bug ID |
Headline |
|---|---|
|
Cisco Secure Firewall Management Center Software Authentication Bypass Vulnerability |
Resolved Bugs in Version 7.4.5
Table last updated: 2026-01-14
|
Bug ID |
Headline |
|---|---|
|
Dynamic Objects cannot be deleted with FMC 7.4.4 |
Resolved Bugs in Version 7.4.4
Due to CSCws69719, Version 7.4.4 for the Firewall Management Center was deferred on 202-10-13 and is no longer available for download. If you downloaded it, do not use it. If you are running this version, upgrade. The bugs here are also fixed in Version 7.4.5.
Table last updated: 2026-03-04
|
Bug ID |
Headline |
|---|---|
|
Cisco Secure Firepower Management Center Software SQL Injection Vulnerability |
|
|
Cisco Secure Firepower Management Center Software SQL Injection Vulnerability |
|
|
Cisco Secure Firewall ASA Software and Secure FTD Software Authenticated Command Injection Vulnerability |
|
|
Cisco Secure Firewall ASA Software and Secure FTD Software OSPF Memory Corruption Vulnerability |
|
|
Cisco Secure Firewall ASA Software and Secure FTD Software OSPF Memory Exhaustion Vulnerability |
|
|
Cisco Secure Firewall Management Center and Secure Firewall Threat Defense Software Path Traversal Vulnerability |
|
|
Cisco Secure Firewall Management Center Software Authentication Bypass Vulnerability |
|
|
Cisco Secure Firewall Management Center Software Command Injection Vulnerability |
|
|
Cisco Secure Firewall Management Center Software SQL Injection Vulnerability |
|
|
Cisco Secure Firewall Threat Defense Software Snort 3 Visual Basic for Application Denial of Service Vulnerability |
|
|
Cisco Secure Firewall Threat Defense Software Snort 3 Visual Basic for Application Denial of Service Vulnerability |
|
|
Cisco Secure Firewall Threat Defense Software Snort 3 Visual Basic for Application Heap Overflow Denial of Service Vulnerability |
|
|
Cisco Secure Firewall Threat Defense Software Snort 3 Visual Basic for Application Infinite Loop Denial of Service Vulnerability |
|
|
Cisco Secure Firewall Threat Defense Software SSL Decryption Policy Denial of Service Vulnerability |
|
|
Cisco Secure FTD Software Authenticated Command Injection Vulnerability |
|
|
FMC: Realm sync after import, un assigns IPS policies configured in ACEs |
|
|
high cpu and high disk util fault as ucssh process is in never ending loop |
|
|
Invalid OSPF process popup blocking route-map configuration |
|
|
Multiple Cisco Products Snort 3 DCERPC Vulnerabilities |
|
|
Multiple Cisco Products Snort 3 DCERPC Vulnerabilities |
|
|
Multiple Cisco Products Snort 3 TBD Denial of Service Vulnerability |
|
|
Multiple Cisco Products Snort 3 TBD Denial of Service Vulnerability |
|
|
Multiple Cisco Products Snort 3 TBD Denial of Service Vulnerability |
Table last updated: 2026-03-04
|
Bug ID |
Headline |
|---|---|
|
9300 date setting shows Jan 1 2012 - causing 9300 FTD registration with FMC to fail |
|
|
ActionQueueScra invoked oom-killer |
|
|
FMC find usage feature not showing all associated access control policies for random objects |
|
|
ASA/FTD - Traceback and reload Due to Race Condition in TCP Proxy |
|
|
Configure Multi-Instance in Secure Firewall 3100 Series using patched versions of code |
|
|
fix block loc oper set after free |
|
|
Slow download speeds with AnyConnect over TLS on networks with high latency |
|
|
Snort3 crash with a segmentation fault during end-of-flow processing |
|
|
FXOS reset and reload due to snmpd service failure |
|
|
sfipproxy prometheus configuration is attempted for not supported models and replaces sfipproxy.conf |
|
|
AC policy with Network Group Override object causes deployment failure/rules missing |
|
|
sftunnel and sfipproxy configuration files updates are not atomic |
|
|
sfipproxy may not restart and fail services like User Identities when enable file is not detected |
|
|
Snort3 Traceback due to watchdog during appid NAVL instantiation |
|
|
Memory corruption leading to lina assertion and traceback |
|
|
wpk - 1gsx link remains up on wpk but on switch side it shows as not connected |
|
|
3100/4200: 1G Management interface flapping after upgrade |
|
|
3RU MI instances offline after baseline/creation |
|
|
FTD: Packets Dropped due to tcp-seq-past-win due to delayed packet through Snort |
|
|
Multiple heartbeat response failures observed from service orchestration |
|
|
tunnel protection ipsec policy feature not working on backup VTI tunnel |
|
|
FTD MI: SNMP polling fails to work after the upgrade |
|
|
FP4225: Interface with SFP - 10/25G_LR_S (or CSR_S) is not coming up after reboot of peer side. |
|
|
Number of sessions in cache for Tomcat are set incorrectly |
|
|
WA MI: Two apps went to Not Responding state with reason: Error in App Instance ftd. sma reported fault: Instance xxx is disabled due to restart loop. Please consider reinstalling this app-instance. |
|
|
DNS-GUARD is not capable to be de-activated on FTD Devices |
|
|
SNMP process continuously restarts |
|
|
Database synchronization should auto-resume post network/checksum issues |
|
|
ASA/FTD may traceback and reload due to memory exhaustion |
|
|
Policy Export/Import Issue, Users not getting imported to the access control rule. |
|
|
80, 1550 and 9472 block depletion seen on ASA/FTD 2100 when SMB multichannel traffic is sent |
|
|
Inotify user watch limits require adjustment for 3100 and 4200 platforms running MI FTDs |
Resolved Bugs in Version 7.4.3
Table last updated: 2026-03-04
|
Bug ID |
Headline |
|---|---|
|
Modification of destination entries failed, when Source Object Group and Destination Object Group contain same inner object-group |
|
|
AWS ASAv: Support for IMDSv2 |
|
|
An issue was discovered in function _libssh2_packet_add in libssh2 1.10. |
|
|
An exploitable use after free vulnerability exists in the window functio |
|
|
unzip 5.52 is from 2005 is contains multiple vulnerabilities |
|
|
The DNS message parsing code in 'named' includes a section whose compu |
|
|
Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6 |
|
|
The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 whe |
|
|
A flaw in query-handling code can cause 'named' to exit prematurely wi |
|
|
A bad interaction between DNS64 and serve-stale may cause 'named' to c |
|
|
Backup exits with memory allocation error on 4115 |
|
|
Cisco ASA and FTD Software VPN Web Server Limited Information Disclosure Vulnerability |
|
|
VPN config isn't getting sync to leaf domain, when FTD moved to leaf domain |
|
|
Internal cached access-group list maintenance issue with unexpected clear configure access-list |
|
|
The Portable Network Graphics library (libpng) 1.0.15 and earlier allows |
|
|
Smart license registration failing on FDM post 7.4.1 baseline due to http-proxy |
|
|
Memory manager improvements for webvpn internal lua library |
|
|
Cluster migration - cannot re-register deleted cluster node(AO mode) to on-prem FMC |
|
|
Unable to change authentication methods on default tunnel group when using FDM |
|
|
FMC - plain-text passwords for External Authentication Profile "Radius Server Key" |
|
|
Only US region in FDM Cloud Services. |
|
|
FTD is not resolving FQDN for ACLs intermittently |
|
|
Unable to establish RAVPN session on FTD HA setup |
|
|
Cloud regions dropdown may not show any regions if FMC connectivity is down during upgrade |
|
|
Packet-tracer output incorrectly appends 'control-plane' to drops for data-plane access-group |
|
|
FTD and FXOS: RADIUS Protocol Spoofing Vulnerability (Blast-RADIUS): July 2024 |
|
|
FTD: RADIUS Protocol Spoofing Vulnerability (Blast-RADIUS): July 2024 |
|
|
FDM: Blast-RADIUS CVE-2024-3596 |
|
|
FTD: Policy deployment failed due to mismatch of checksum. |
|
|
FMC: Blast-RADIUS CVE-2024-3596 |
|
|
BlastRADIUS vulnerability phase-1 fix for pix-asa - Message Authenticator |
|
|
Custom rule with "metadata:impact_flag red" in Snort3 not detected as Impact Level 1 |
|
|
With CVE-ID cannot search the IPS events on the FMC |
|
|
Snort3 reloads when AppID reload and snort restarts are happening simultaneously |
|
|
vFMC upgrade from 7.6.0-68 to 7.7.0-1358 failed @800_post/890_install_version_masked_apps.pl |
|
|
Long boot time seen with one AC rule having object-group and other plain ACL's |
|
|
In the Linux kernel fix a possible io_uring deadlock |
|
|
Misconfigured Cross-Origin-Opener-Policy |
|
|
Additional tab/space added in ACL logging messages in EMBLEM format causing ingestion issues |
|
|
FTD Restore Failing because of no space left on the device |
|
|
Cisco FXOS and UCS Manager Software Stored Cross-Site Scripting Vulnerability |
|
|
Cisco FXOS and UCS Manager Software Stored Cross-Site Scripting Vulnerability |
|
|
Customer FQDNs for VPN can be found on the internet unexpectedly |
|
|
Multiple Cisco Products Snort 3 TBD Denial of Service Vulnerability |
|
|
CVE-2024-26595: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-46826: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-47679: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-47684: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-47692: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-47693: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-47705: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-47707: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-47737: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-47745: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-49875: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-49881: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-49927: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-49954: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-49955: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-49959: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-26958: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-49983: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-49995: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-50002: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-50010: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-50036: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-50038: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-50058: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-50082: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-50083: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-50095: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-50131: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-50142: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-50151: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-50191: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-50194: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-50195: linux-kernel: In the Linux kernel, the following vuln... |
|
|
Cisco Secure Firewall ASA Software and Secure FTD Software OSPF Heap Corruption Vulnerability |
|
|
Cisco Secure Firewall ASA Software and Secure FTD Software OSPF DoS Vulnerability |
|
|
Cisco Secure Firewall ASA Software and Secure FTD Software OSPF DoS Vulnerability |
|
|
Cisco Secure Firewall ASA Software and Secure FTD Software OSPF DoS Vulnerability |
|
|
Lina interface fragment db queue size is incorrectly stuck at 4294967295 - ASA/FTD |
|
|
Cisco Secure Firewall Threat Defense Software TLS with Snort 3 Detection Engine Denial of Service Vulnerability |
|
|
Unable to load Extended ACL objects if the count is more than few hundreds |
|
|
Snort3: Malware Policy not detecting file while performing FTP file transfer via Active FTP |
|
|
CVE-2023-52679: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-12084: rsync: A heap-based buffer overflow flaw was found in... |
|
|
CVE-2024-12085: rsync: A flaw was found in rsync which could be trigg... |
|
|
CVE-2024-12086: rsync: A flaw was found in rsync. It could allow a se... |
|
|
CVE-2024-12087: rsync: A path traversal vulnerability exists in rsync... |
|
|
CVE-2024-12088: rsync: A flaw was found in rsync. When using the '--s... |
|
|
CVE-2024-12747: rsync: A flaw was found in rsync. This vulnerability ... |
|
|
CVE-2024-26704: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-36899: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-36940: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-42285: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-44934: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-44987: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-46743: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-46800: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-50047: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-50262: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-53057: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-53068: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-53096: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-53099: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-53142: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-53173: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-56601: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-56606: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-56614: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-56615: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-56658: linux-kernel: In the Linux kernel, the following vuln... |
|
|
Memory leak in RAVPN |
|
|
Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software IPsec Denial of Service Vulnerability |
|
|
Traceback & Reload in Thread Name Unicorn Admin Handler |
|
|
Cisco Secure Firewall ASA Software and Secure FTD Software IKEv2 DoS Vulnerability |
|
|
Cisco Secure Firewall ASA Software and Secure FTD Software IKEv2 DoS Vulnerability |
|
|
Cisco Secure Firewall ASA Software and Secure FTD Software Remote Access SSL VPN Authentication Denial of Service Vulnerability |
|
|
Cisco Secure Firewall ASA Software and Secure FTD Software Remote Access SSL VPN Memory Exhaustion Denial of Service Vulnerability |
|
|
Duplicate ACLs seen on FMC UI when Access Rules are created through API |
|
|
Cisco Secure Firewall Management Center Software SQL Injection Vulnerabilities |
|
|
Snort2|3 traceback in libdaq initialization phase after deployments |
|
|
Multiple Cisco Products Snort 3 MIME Denial of Service Vulnerabilities |
|
|
Cisco Secure Firewall ASA Software and Secure FTD Software OSPF DoS Vulnerability |
|
|
Cisco Secure Firewall ASA Software and Secure FTD Software Remote Access SSL VPN Unauthenticated Memory Exhaustion Denial of Service Vulnerability |
|
|
Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Lua Code Injection Vulnerability |
|
|
Cisco Secure Firewall ASA Software and Secure FTD Software Remote Access SSL VPN Lua Interpreter Denial of Service Vulnerability |
|
|
Cisco Secure Firewall ASA Software and Secure FTD Software Remote Access SSL VPN Authenticated Memory Exhaustion Denial of Service Vulnerability |
|
|
Cisco FXOS and UCS Manager Software Command Injection Vulnerability |
|
|
Cisco FXOS and UCS Manager Software Command Injection Vulnerability |
|
|
Traffic hits incorrect ACP rules during policy deployment on FTD with dynamic objects |
|
|
Traffic does not match expected ACL when destination contains object-group type network-service |
|
|
Cisco Secure Firewall Management Center Software Radius Remote Code Execution Vulnerability |
|
|
Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Lua Code Injection Vulnerability |
|
|
Cleaning of /var/temp backup files post Backup completion not cleaning |
|
|
Cisco Secure Firewall Adaptive Security Appliance Software Multiple Context Mode SCP Unauthorized File Access Vulnerability |
|
|
Updated HTTPD Docker image version |
|
|
Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software SAML Reflected Cross-Site Scripting Vulnerability |
|
|
Cisco Secure Firewall Threat Defense Software Snort Deep Inspection Bypass Vulnerability |
|
|
Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software VPN Web Services Cross-Site Scripting Vulnerability |
|
|
Cisco Secure Firewall ASA Software and Secure FTD Software IKEv2 DoS Vulnerability |
|
|
Cisco Secure FTD Software Authenticated DoS Vulnerability |
|
|
Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software VPN Web Services Client-Side Request Smuggling Vulnerability |
|
|
External auth login with RADIUS to FMC UI may fail if Class attribute is used |
|
|
FMC RADIUS external authentication access requests missing 6 attributes after FMC upgrade |
|
|
Multiple Cisco Products Snort 3 MIME Denial of Service Vulnerabilities |
|
|
Cisco Secure Firewall Adaptive Security Appliance Software SSH Partial Private Key Authentication Bypass Vulnerability |
|
|
Cisco Adaptive Security Appliance and Firepower Threat Defense Software Command Injection Vulnerability |
|
|
Cisco Secure Firewall ASA Software and Secure FTD Software IKEv2 DoS Vulnerability |
|
|
Firewall joins a cluster although gets incomplete ACL policy rules during replication |
|
|
Cisco Secure Firewall Adaptive Security Appliance Software and Secure Firewall Threat Defense Software VPN Web Server Unauthorized Access Vulnerability |
|
|
Cisco Secure Firewall Adaptive Security Appliance Software and Secure Firewall Threat Defense Software VPN Web Server Remote Code Execution Vulnerability |
Table last updated: 2026-04-03
|
Bug ID |
Headline |
|---|---|
|
ASA PKI - Doesn't recognize the extension 1.3.6.1.4.1.311.21.10 in cert |
|
|
FTD deployment failing due to "address-pool in use" |
|
|
Misleading syslog on ASA regarding tunnel group match using certificate map |
|
|
Write cache is disabled on some FMC M5 appliances |
|
|
ASA may fail to create NAT rule for SNMP with: "error NAT unable to reserve ports." |
|
|
show access-control-config doesn't show NAP/IPS policy name |
|
|
Time sync status and error message do not elaborate NTP server rejection case |
|
|
syslog %ASA-6-605004 was not seen when Login denied from serial to console |
|
|
Firepower 1000/2100 may boot to ROMMON mode |
|
|
Search Feature of Large Access Control Policy Not Able to Find Searched-For Values |
|
|
Inline pair has incorrect FTW bypass operation mode of 'Phy Bypass' |
|
|
FMC to provide health alert 60 days prior to cacert.pem certificate expiry |
|
|
System popover is empty for Network Admin and Security Approver users |
|
|
New realm user are incorrectly getting mapped to discovered user |
|
|
FMC does not support Umbrella with proxy setting |
|
|
Add capability to disable auto-negotiation for 100G ports |
|
|
Wrong extranet device name and type showing in S2SVPN listing page |
|
|
Snort returns "Blocked by SSL" with no SSL policy. |
|
|
FP2130 - Incorrect spelling seen in tech_support_brief in FPRM |
|
|
Upgrade readiness failed in WM FDM @009_check_snort_preproc.sh but upgrade to 7.3.1-19 passed |
|
|
Banner login does not display when configured |
|
|
External Auth on FMC may throw err "Can't use string ("") as a HASH ref while "strict refs" in use" |
|
|
FPR31xx - SNMP poll reports incorrect FanTray Status at Down while actually operational |
|
|
The fxos directory disappears after cancelling show tech fprm detail command with Ctr+c is executed. |
|
|
Stale anyconnect entries causing issues with routing |
|
|
Edit search page and unified event viewer very slow to load due to high number of search-related EOs |
|
|
[API] Searching for objects inside groups does not filter in rule editor window |
|
|
FMC VPN Monitoring Dashboard incorrectly shows Standby FTD as VPN Session owner in HA pair |
|
|
EIGRP flexconfig migration 7.2.0, no CLIs should not be migrated if they are not the default config |
|
|
ENH: FMC External Authentication doesn't work for SSH when configured with IPv6. |
|
|
ENH: Add a command or a script to regenerate CA Certificate on FTD |
|
|
FMC should not allow to create faulty snort3 rules with unknown characters |
|
|
[Display]FXOS: PC member interface is shown as down & unassociated/unassigned after reload |
|
|
cdFMC managed FTD show ntp cli output includes an error - uninitialized value |
|
|
Logging improvement for messages exchange between LinaConfigTool and xml server |
|
|
FMC Policy Analysis - Broken Redudancy Logic Check |
|
|
Syslogs over management interface don't go through loggerd after FTD reboot or lina reload |
|
|
ENH - Exempt TSID probe from going through EVE inspection |
|
|
Remote Desktop (RDP) traffic fails with TSID enabled |
|
|
ASA: unexpected logs for initiating inbound connection for DNS query response |
|
|
After rebooting, the future date set on the FPR2100 platform is not reflected (set clock manually) |
|
|
FTD-HA does not fail over sometimes when snort3 traceback |
|
|
FTD: Policy Deployment failure due to abort as no progress |
|
|
CSF 4200: PSU Fan speed is critical |
|
|
ASA|FTD: Traceback & reload in thread Name: update_mem_reference |
|
|
FTD: Mariadb might cause OOM due to not-so-effective memory release algorithm in glibc allocator |
|
|
Rule with same name exists when trying to edit ACP rules |
|
|
FTD: The crucial upgrade script should not be bypassed by the Upgrade Retry |
|
|
[Multi-Instance] Second Hard Drive (FPR-MSP-SSD) not in use |
|
|
WA MI: Traps(linkup/down) from chassis is not seen on NMS even if unification is enabled |
|
|
Firewall shows misleading SCP file copy failure reasons |
|
|
"Proxy thread creation successful" is presented as an Error in syslog messages, during bootup |
|
|
Terminating all or single stale IP address which is in-use even when session is not there |
|
|
Full reassembly fails for post-Snort IPv6 TLS proxy traffic |
|
|
Config-url is accepting directory as the config file |
|
|
Management access over VPN not working when NAT exempt is configured with any->any |
|
|
"zmq_poll return 1" logs on the FTD console |
|
|
FMC: Displaying "missing en-US:BGP" via Deployment Preview when BGP Changes have been Reverted |
|
|
ASA: The logical device may boot into failsafe mode because of an large configuration. |
|
|
Deployment failed due to missing AnyConnect Profile File |
|
|
FMC error out Invalid IPv4 Network or Host literal from the group while Adding a network in the ACP |
|
|
Excessive new lines in OSPF debugs impairs readability of debugs in syslog messages |
|
|
Incorrect health monitor alerts for ISE-PIC connectivity |
|
|
low memory/stress causing block double free and reload |
|
|
ASA/FTD: Traceback and reload reload in in process 'lina' due to ikev2_find_child_sa_by_local_spi |
|
|
ISA3000 Traceback and reload boot loop |
|
|
We should be skipping sru_install during for Minor patch upgrades and install only on required basis |
|
|
FMC Deployment preview shows different information before and after FTD deploy |
|
|
TCP MSS is changed back to the default value when a VTI or loopback interface is created |
|
|
FTD 7.4.1 Snort shows 100% utilization even at a low traffic rate |
|
|
Misleading Certificate Attribute Checking Under DAP Endpoint Criteria |
|
|
Snort3 traceback in TcpReassembler::scan_data_post_ack |
|
|
In an FMC HA pair, "Health Monitor" may show incorrect roles when the Secondary unit is Active. |
|
|
interface idb logging log rotation to FXOS logrotate utility |
|
|
RAVPN SAML: External browser gives misleading message when FTD/ASA fails to parse assertion |
|
|
Bootstrap after upgrade failed - Resume HA with reason deployment already exists |
|
|
Failed reason unknown and unable to proceed with FTD upgrade |
|
|
6x25G netmod ports down with Version 2 QSFPs |
|
|
Policy deployment failures on TPK MI chassis after redeploying same instance |
|
|
Error logs generated for ssh access to ASA when eddsa is used as kex hostkey |
|
|
Creating DAP policy with underscore "_" is not visible as applied to Remote Access VPN policy |
|
|
Device listing taking long due to FTD_HA REST-API delay - Can be seen in loading HealthMon page. |
|
|
aaa port 80 listener configuration not applied during startup in fips mode |
|
|
Devices in HA pair shows as standalone in Threat Defense Upgrade page |
|
|
CloudAgent Smart Agent Exception - The Smart Agent Manager requires NTP to be running on FDM |
|
|
Unable to send unknown file disposition to ThreatGrid due to mem cache issue |
|
|
FMC deployment failure due to incorrect error message type sent to FMC |
|
|
Reword the CLI message shown after running the 'erase configuration' command |
|
|
Report file generated for AC policy is empty |
|
|
Deployment failure due to Rsync-chunk-checksum slowness |
|
|
Automatic VDB/SRU Download Fails Due to Simultaneous Signature Validation |
|
|
FTD/ASA - SNMP queries using snmpwalk are not displaying all "nameif" interfaces |
|
|
Migration of S2S from ASA to FMC across domains |
|
|
Low touch provisioning fails at initialProvision step |
|
|
Lina traceback and reload in Thread Name: cli_xml_request_process |
|
|
FMC HA sync status shows failed during VDB/SRU installation on Active and standby FMC |
|
|
EIGRP bandwidth is changing after upgrade or after "shutdown"/"no shutdown" commands |
|
|
Backup failure message doesn't help the user |
|
|
VMXNET3 driver is not getting loaded automatically on the bootup for FMCv300 |
|
|
logging list MANAGER_VPN_EVENT_LIST getting removed and re-applied for every deployment |
|
|
Patch API response does not include port values when user modifies Source network |
|
|
Network Risk Report on FMC lacks option to select data source, could cause report generation to fail |
|
|
Deleting Snort 3 IPS Rule doesn't Generate Audit Log |
|
|
ENH: FTD Add debug message to indicate "No CRL found in User identity Certificate" |
|
|
FTD management interface DHCP server may fail to start causing connectivity issues or showing faults |
|
|
comm_alarm raised despite ARP response is successful on LAN and STATE interfaces |
|
|
ICMP replies randomly does not reaching the sender node when initiated from the node. |
|
|
Confusing error message (Timeout) when downloading pcap file when no 'File Download' permission |
|
|
Tomcat and Apache maxHeader size should be increased to avoid 413 errors on some FMC pages |
|
|
FTD - sftunnel unstable connectivity issues when control and event are configured in same subnet |
|
|
Web Contents files appear as text/plain when they should be application/octet-stream |
|
|
"show failover app-sync stats" to be included in "show failover statistics all" |
|
|
FMC-SSE Cloud Configuration SSE Enrollment Failure alert due to empty connector.toml file on the FTD |
|
|
TSS_Daemon process is exiting every minute |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' related to Netflow timer infra |
|
|
Deploy doesnt show up on FMC upon merging unmerged diagnostic on FTD-HA |
|
|
username containing '@' character works for asa login but fails for 'connect fxos' |
|
|
Policy stuck in loading state on FMC UI |
|
|
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-6-26174' |
|
|
rna_ip_os_map can grow very large that causes SFDataCorrelator to stop processing events |
|
|
Missing Column(s) in eventdb table |
|
|
Error when running 'show tech-support module detail' on FPR9K |
|
|
restored FMC backup devices display as "normal" and "healthy" although without connection with FMC |
|
|
FMC allows loading a binary certificate in the External Authentication Object |
|
|
Allow more than one search strings within applications section in Access control policy |
|
|
Validation required incorrect CLI Access Users in External Auth |
|
|
Instance DNS servers may be silently discarded due to lack of DNS server count validation |
|
|
FDM bootstrap might be interrupted by extra reboot due to firmware upgrade |
|
|
Geolocation updates page should throw an error in case support site in unreachable |
|
|
Wrong IP address on FMC audit logs |
|
|
After upgrade FDM deployment fails "Timeout waiting for snort detection engines to process traffic" |
|
|
Segmentation fault with "logger_msg_dispatch" while HA sync |
|
|
Dns-guard prematurely closing conn due to timing condition |
|
|
URL Filtering and Cisco-Intelligence-Feed Download Failure |
|
|
FDM /ngfw/var/sf/fwcfg/zones.conf is empty for 7.3.1 |
|
|
SFDataCorrelator memory growth when processing a huge number of expired user identities |
|
|
FTD compliance mode not accurately shown on FMC for newly registered FTDs |
|
|
IPv6 rule with manual address entry FMC with ::/0 is not working as expected. |
|
|
FTDv - The interface connected to the AWS GW may have connection issues for DHCP or an idle state. |
|
|
ACP rule may not get applied post-deployment/Deployment failure due to FXOS- FTD timezone mismatch |
|
|
Critical Processes show twice after upgrade to 7.0.6.x |
|
|
Unable to add additional LDAP attribue maps on upgraded FMC |
|
|
Internal Certificate Import Error : Failed to validate Cert Based EO: Unsupported Key Type |
|
|
BGP config related to holdtime not being deployed sucessfully |
|
|
object lookup doesn't show referenced policy automatically under object management |
|
|
Traceback observed while applying 'no failover' and 'failover' in the ASA standby |
|
|
Crypto ikev2 policy sequence order alters on interface/sub-interface config changes |
|
|
FMC unable to upload PKCS12 certificate using Passphrase longer than 48 characters in length. |
|
|
Cleanup stale logrotate files |
|
|
FTD HA status in ON Prem FMC is corrupted reporting Secondary as Primary |
|
|
High CPU usage in svc_sam_dme process during deployment post breaking cluster or deleting inline-set |
|
|
File descriptor leak when validating upgrade images |
|
|
Deployment failure and rollback when changing parent of subinterface with failover MAC address |
|
|
Internal error during deployment: {0} seen on FDM caused by Lina Timeout |
|
|
Disable health module does not delete UMS messages for that health module. |
|
|
Snmpwalk throws Error messages #"snmp/error: truncating integer value > 32 bits" |
|
|
FMC gets flooded with"Unable to find SSL rule id for policy" if TLS server identity discovery is on |
|
|
ECDSA certificates are not supported by FMC ISE integration |
|
|
Certificate check in LDAP settings is too restrictive |
|
|
FMC GUI errors out when searching for Topology Name that has a decimal point in the name |
|
|
Tomcat and VmsBackendServer down post upgrade if a userrole description is too long |
|
|
Some cloud features may not work if FMC SSO feature is toggled ON but not configured |
|
|
FTD: "show asp inspect-dp snort" output shows high CPU |
|
|
Error during policy validation while navigating through AC policy |
|
|
"FDM Keyring's certificate is invalid, reason: expired" health alert on FMC |
|
|
PAT communication via using PAT pool fails for about 40 seconds when a device joins a cluster |
|
|
Deployment time increased by 30-45 seconds after the upgrade when applying specific Platform Setting |
|
|
sync call got stuck resulting in boot loop |
|
|
Deployment failure and rollback when BGP communities added or removed in route-map match clause |
|
|
Snort3: Smaller size packets exceeding the max segment limit cause Snort-block |
|
|
ASAv Memory leak involving PKI/Crypto for VPN |
|
|
tpk_mi upgrade failed from 7.4.1.1 > 7.6.0 000_start/000_00_run_cli_kick_start.sh. |
|
|
"show failover config-sync stats" cli output to be included in "show failover statistics all" |
|
|
Policy Deployment failure in FTD HA node due to timeout for SHOW_XML_REQUEST |
|
|
User group map miss after Hardware FMC model migration from FMC2600 to FMC4700 |
|
|
No pxGrid IP-SGT updates on FMC when the pxGrid connection is lost following ISE reboot or restart |
|
|
ENH Logs FP4110 (FXOS 2.10.1.179) Security module stopped responding after device reboot |
|
|
"App sync TX/RX stats" and "HA NLP client current TX/RX stats" being reset during App Sync |
|
|
cdFMC and onPrem FMC: Device management / listing is showing chassis url for FPR-1K running 7.4.1 |
|
|
SFDataCorrelator deadlock on reconfigure after RNAStop and monetdb output queue is full |
|
|
FDM HA deployment fails with 'ApplicationException: Unable to export to database' error |
|
|
FTD/ASA : Standby FTD traceback and reload after enabling memory tracking |
|
|
FAN is working as expected but FAN LED is in off state. |
|
|
Seeing message "reg_fover_nlp_sessions: failover ioctl C_FOREG failed" |
|
|
SFDataCorrelator log spam, repeatedly purging expired services and client apps |
|
|
FTD failed to join FTD-HA after upgrade revert |
|
|
ASA/FTD may traceback and reload in Thread Name 'fover_FSM_thread' |
|
|
FTD may traceback and reload in process name lina while processing appAgent msg reply |
|
|
[7.6.0]Radius auth not working with custom secret key |
|
|
FMC Health Monitoring sends incomplete message when language is changed. |
|
|
Larger entries in EoRevisionStore table causing HA Sync to fail mysqldump process |
|
|
FTD /mnt 100% disk utilization due to snort memory mapped files |
|
|
Snort3 crashes while collecting flow-ip-profiling |
|
|
FMC: Comments on rule change required not working in Classic Theme Legacy UI |
|
|
CD App Sync error on FDM HA after LINA crash |
|
|
disable stat check for file |
|
|
cdFMC : AC rule shown as removed in policy preview |
|
|
Access rule name shows "invalid ID" instead of the rule names after patching from 7.2.4 to 7.2.5 |
|
|
Encountering an unknown error [9999] when attempting to modify the identity policy. |
|
|
Classification mismatch between intrusion and correlation events |
|
|
M6 hardware models are hardly storing only a week old health monitoring data |
|
|
CdFMC: FTD Migration Failing on Registration Phase |
|
|
ASA Fails to initiate AAA Authentication with IKEv2-EAP and Windows Native VPN Client |
|
|
WebVPN connections stuck in CLOSEWAIT state |
|
|
Realm download task failing with ADI process is not currently available |
|
|
Unable to download users/groups getting Failed to get response from ADI. |
|
|
FPR 21xx - Traceback in Process Name: lina-mps during normal operations |
|
|
Filtered ACP rules are not greyed out when disabled using Bulk action |
|
|
FTD does not compact files that are used to communicate updates to the SGT/IP mappings |
|
|
FTD Unable to register to FMC due to empty DNS Server configured. |
|
|
ASA/FTD SNMP polling fails due to overlapping networks in snmp-server host-group |
|
|
Loss of interface mapping with security zones after deployment |
|
|
FMC REST API || ICMP objects with no code value breaking GET call and JSON parsing |
|
|
Add New Syslog for Routes for NP add/delete |
|
|
Serviceablity : Improve routing infra debugs and add new for error conditions |
|
|
On Slow networks, sftunnel continues to label connections as STALE. |
|
|
Upgrade FMC fails while running script 120_check_legacy_private_cloud_for_ampkit.pl |
|
|
Force deploy not re-generating export-cache in the device |
|
|
ADI Session Processing Delays return after upgrade to 7.2.x |
|
|
FMC - Custom User role VPN allows user to make changes to Site to Site VPN when Modify is unchecked. |
|
|
Clock skew: FXOS clock diverges from Lina NTP time ~1-10 secs |
|
|
Connectivity failure due to mismatch between l2_table and subinterface mac address |
|
|
"Rule Unavailable" for some local intrusion rules may be shown in intrusion event packet view |
|
|
Accepting duplicate object/group-object into object-group from multiple ssh sessions |
|
|
RC4 ciphers cannot be disabled on FMC/FTD for captive portal authentication with Kerberos |
|
|
Traceback and reload on active unit due to HA break operation. |
|
|
SNMP polling of admin context mgmt interface fails to show all interfaces across all contexts |
|
|
ASA Firepower module option to push software upgrade missing in FMC release |
|
|
ASA/FTD incorrectly forwards extended community attribute after upgrade. |
|
|
TS filename still showing the old IP after FMC management IP is changed |
|
|
FTD : Management interface showing down despite being up and operational |
|
|
Traffic drop with 'rule-transaction-in-progress' after failover with TCM cfgd in multi-ctx mode |
|
|
ASA/FTD: Low Memory Leads to Reload due to process Unified2File_Read |
|
|
State Link Stops Sending Hello Messages Post-Failover Triggered by Snort traceback in FTD HA |
|
|
FTD doesn't send Type A query after receiving a refuse error from one DNS server in AAAA query. |
|
|
ESP sequence number of 0 being sent after SA establishment/rekey |
|
|
FMC Users page in sub domain does not load |
|
|
Add warning message when configuring CCL MTU |
|
|
Upgrade readiness fails due to snort plugins |
|
|
Snmpwalk displays incorrect interface speeds for values greater or equal than 10G |
|
|
Remove SGT frames/packets to allow VTI decryption |
|
|
Issue with Setting Certain Timezones (e.g. GMT+1) on Cisco ASA Firepower in Appliance Mode |
|
|
FMC - Add warning message when configuring CCL MTU |
|
|
FTD/ASA - VPN traffic flowing through the device may trigger tracebacks and reloads. |
|
|
No devices listed in Packet Tracer "Select Device" dropdown |
|
|
Backups may fail on remote storage when the filebackup.tar contents are huge |
|
|
EventHandler may not send events to the FMC when Snort wrote many zero-length snort-unified files |
|
|
FTD cannot obtain the VPN route if answer only is configured with reverse route injection enabled |
|
|
temporary backups files shouldn't be kept on remote storage and do not parse other format files |
|
|
Backup feature does not save/restore DAP configuration in multiple context mode. |
|
|
ASA/FTD: Substantial increase in the time taken to load configuration |
|
|
FMC 7.2.5 Showing incorrect data of FTD HA at 6.6.5 under fleet upgrade |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
FTD memory depletion resulting in traceback and reload |
|
|
SFDataCorrelator stops receiving events on a device channel when the other channel blocks |
|
|
FTD 7.4.1.x sends NAS-IP-Address:0.0.0.0 in Radius Request packet as network interface |
|
|
AppIdSessionData causes snort3 to crash 7.2.6 |
|
|
NAT_HARDEN: CGNAT breaks when mapped ifc is configured as any |
|
|
Enable logs to identify corrupted policy when deployment fails with "SNAPSHOT_PG_TIMESTAMP_ERROR" |
|
|
256/1550 block depletion process fover_thread |
|
|
FMC "java.lang.OutOfMemoryError: Java heap space" errors in feed_data_manager.log |
|
|
low memory/stress causing block double free and reload |
|
|
MonetDB down due to a corrupt table (table missing columns) |
|
|
Devices not listed to add a data node when creating a cluster because of OS version mismatch |
|
|
Health Alerts are generating for sub interface even when main interface is excluded. |
|
|
ISE connection status health alerts on FMC with ise services down |
|
|
FTD/LINA may traceback and reload when "show capture" command is executed in EEM script |
|
|
Update Fan RPM Thresholds for 42xx platforms |
|
|
High cpu on "update block depletion" with secondary effects (Bgp flaps, traffic drops) |
|
|
FTD lost connection with cdFMC after FTD backup Restoration |
|
|
Upgrading a standalone 2110 from 6.6.7-223 to 7.2.8-25 causes "Interface Modified" alert on FMC |
|
|
if conn_meta null, dont send packet to snort |
|
|
FMC should not take a policy backup during patch / Hotfix installations. |
|
|
Endpoint Assessment features are not enabled when HostScan package is modified via FMC |
|
|
Umbrella registration status is not synced to newly added data nodes |
|
|
Trigger Alert/Warning when the associated FQDN IDs of an IP address surpasses the set limit of 8 |
|
|
WebEx traffic not getting bypassed in snort3 (allow rules) |
|
|
ASA to FTD migration via FMT causes improper configuration of interface groups in FMC backend config |
|
|
Need to Protect LINA from getting killed by OOM |
|
|
Changes made on health policy are not being saved |
|
|
Zone Based AC rule has missing interface mapping |
|
|
Virtual ASA/FTD may traceback and reload in thread PTHREAD |
|
|
TLS1.3 Decryption configuration on SSL policy is affecting DND traffic. |
|
|
ASA on HA: alloc_ch() alloc from chunk mem Failed message on one context in Standby device |
|
|
CMI is disabled if pre-CMI nameif on diagnostic interface is MANAGEMENT |
|
|
Potential upgrade failure in 800_post/890_install_version_masked_apps.pl |
|
|
NAT Exemptions in UI will not load when object group is added as protected network |
|
|
FTD / ASA High Memory Usage Due to HTTP-based Path Monitoring |
|
|
Standby HA FMC entering standalone mode - /var/tmp/compliance.rules which was created was invalid. |
|
|
API call for ftdallinterfaces returns an inaccurate "self" element. |
|
|
Unable to upgrade cluster with status "cluster/HA pair is not eligible' |
|
|
FMC can not connect to private AMP when proxy is enabled in management interface |
|
|
ENH: FMC support for DHCP relay on VTI/physical interfaces in ECMP zone |
|
|
GRE traffic getting dropped after failover |
|
|
IPv6 SSL Anyconnect access blocked in HA pair |
|
|
21xx: debug log process hangs preventing recovery from stuck writing operations |
|
|
FTD LINA Traceback and Reload dhcp_daemon Thread |
|
|
Exception raised while fetching telemetry data from the FMC |
|
|
App instance stuck in STOP_FAILED with error message |
|
|
HA-monitored interfaces are going into "waiting" state and subsequently to "Failed" |
|
|
Terminating Active sessions from new UI Layout throws error- "Error while terminating session" |
|
|
FMC deployment fails due to S2S VTI VPN does not have any Virtual Tunnel Interface assigned |
|
|
NTP is not synchronising when using SHA-1 authentication |
|
|
Failures and records are not seen in "show failover statistics" after simulating failures |
|
|
FMC: API interface settings differ from GUI settings for Diagnostic Interface |
|
|
FTD running on FPR 2k with LDAP skips backslash when updating ldap.conf |
|
|
ASA: Site-to-Site VPN between contexts on the same device drops traffic due to 'ipsec-tun-down' |
|
|
Incorrect initialization of the domain_uuid in the sensor table and empeers table in the standby FMC |
|
|
ASA/FTD may traceback and reload in Thread Name SSH |
|
|
ASA crashing in thread PIX Garbage Collector with inspect-rtsp enabled. |
|
|
FTDv traceback in Thread name - PTHREAD |
|
|
Policy deployment fails due to mismatch in 'ip local pool' command between fmc and lina config |
|
|
ASA/FTD: Memory Exhaustion due to Threat-Detection |
|
|
FTD does not mark stuck ongoing deployments as failed leading to subsequent deployment failures |
|
|
Empty user attributes in LDAP causes partial user/group download |
|
|
Improve logging for LDAPS SSL errors |
|
|
FMC : DAP configuration "laggy/hangs" when trying to configure via FMC. |
|
|
snort2 'ids_event_msg_map' clean up is not happening when import sfo fails during cdFMC migration. |
|
|
FMC: Not receiving any Email Alert after upgrade |
|
|
Increase Logging Level for TAm Services |
|
|
FTD upgrade to 7.4.2 via FDM is blocked |
|
|
Scheduled backups fail to execute on other cluster nodes when there is a change on the control node |
|
|
CSDAC connectors not coming up after FMC upgrade |
|
|
Login banner not seen at login prompt for a multi-instance FTD on 3100/4200 |
|
|
Source Port and Destination Port are swapped during the evaluation of SID |
|
|
'ENDPOINT_TIME_OUT_OF_SYNC' Error Causing SAML Auth to Not Complete |
|
|
tmp_cisco is consuming high boot volume space and leaking of file descriptors on FMC |
|
|
ASA/FTD may traceback and reload in Process Name "lina" after device was reloaded |
|
|
FTDv50 traceback during normal operation at PTHREAD-8141 spin_lock_fair_mode_enqueue |
|
|
S2S VPN with 3rd party broken after upgrading FPR 9.20 |
|
|
Partial configuration gets lost for a HA FTD pair, if FMC connectivity is lost during upgrade |
|
|
Keep a FMC backup locally until we copy the file to remote server successfully |
|
|
Search Index shouldn't be failed if any of the port object value is invalid |
|
|
Backup_info table is not being pruned, causing DB queries to slow down |
|
|
ASA/FTD may traceback and reload in Thread Name 'strlen' |
|
|
FTD: Lina might fail to respond to CONFIG_XML_REQUEST leading to stuck deployments |
|
|
FMC allows uploading a binary certificate in Identity Certificate import |
|
|
FMC - Predeploy validation should error and block deployment if VPN Certificate is in failed state. |
|
|
FMC Health Monitor shows misleading CPU core numbers for Firepower 2100 |
|
|
Large number of stats files can cause events to be delayed |
|
|
FTD: Process sftunnel exited unexpectedly with a core file generated |
|
|
Lina traceback and reload in data-path thread |
|
|
Excessive logging of "vpn:vpn [INFO] device" messages in /var/log/messages file |
|
|
Unstable HA causing depolyment failure |
|
|
IPv6 Neighbor Discovery/multicast traffic affected on shared interface in multi instance setup |
|
|
FTD upgrade failure due to multiple DB folders in /ngfw/var/cisco/deploy/tmp_bundle/db/ path |
|
|
CLI "ssl server-max-version" Can't be deployed Via Flex Config |
|
|
Packet captures from FMC GUI doesn't warn the user about an adverse impact on FTD device performance |
|
|
ASA|FTD Traceback & reload in process name lina |
|
|
Document NAT warning "The NAT rule exceeds the threshold limit of 131,838 IP addresses.." |
|
|
Increase memory usage leading to tracebacks in Lina. |
|
|
When using time based object in ACP event doesn't show up in FMC |
|
|
Snort3 file detection fails with asymmetric traffic in IDS passive mode |
|
|
VPN Topology status shows No Active Data in the S2S VPN Dashboard |
|
|
Generated Crypto checksum changes without configuration change |
|
|
Configure manager command hangs without any output on a TPK in native mode (FTD) |
|
|
Changes in port-channel membership or member status may cause periodic OSPF/EIGRP adjacency flaps |
|
|
CGroups errors in ASA Syslog during every reboot |
|
|
ldap.conf does not get generated using hostname impacting external radius authentication |
|
|
df commands are getting stuck at times due to mount storage points |
|
|
DVTI: Provide info / warning message about interface shut and no shut upon DVTI config modification |
|
|
Log spam and possible network slowness due to failed dns lookups for syslog server |
|
|
FMC unable to search Objects when there is a DNS configured |
|
|
Readiness check should be in place for larger undo/ibdata log files |
|
|
Unsupported characters in Azure Display Name causes errors in Access Control Policy |
|
|
Correlation Fails to Detect Connection Duration |
|
|
FTD CLISH/CLI gets locked up when trying to run any show command |
|
|
SIP traffic is affected due to unexpected behavior with NAT untranslations. |
|
|
Wrong drops seen with Invalid length for 23, 24 and 25 IE-Types during GTP inspection |
|
|
ASA/FTD may traceback and reload in Thread Name 'fover_parse' |
|
|
CSF 3100 series not rebooting after power outage, requiring manual power cycle |
|
|
fix to remove space characters in auth object names during FMC upgrade may cause upgrade failure |
|
|
"custom workflow" GUI show Error 500, after create an custom workflow with Chineses description |
|
|
Browser redirects to blank page when the user clicks the WebVPN bookmark |
|
|
FMC GUI has a limitation to display only 50 SSH rules for FTD (Under platform settings >> SSH) |
|
|
Connection been logged for rules with no logging enabled |
|
|
QoS policy editor on FMC GUI lacks functional pagination when QoS policy has more than 50 rules |
|
|
Prefilter policy not getting applied to child ACP when inherited from base policy |
|
|
The ASA's OSPF routing table is not properly synchronized with the neighbors |
|
|
Increase timeout for SFTunnel Connection Check requests |
|
|
Add connection status file for marking slow SFTunnel connections |
|
|
Events or stats are missing after EventHandler logs "Error loading input module" |
|
|
FTD logs should contain the certificate name or files which are corrupt |
|
|
FMC Health Plug-in for NTPD status analysis is not using localized data |
|
|
SAML Force re-authentication Is Not Enforcing User To re-enter Credentials Upon Retrying To Connect |
|
|
FMC Does Not Accept Valid IP Range Format in Access List under system configuration settings |
|
|
Default Group Policy is applied when receiving multiple Group Policies in SAML assertion attributes |
|
|
FTD Vault process exits every 1 minute with: Process vaultApp exited normally |
|
|
SAML Auth Request by FTD Will Always Be Signed By Sha1 Irrelevant Of the Algorithm Configured |
|
|
hostname/IP Address field does not accept domains ending in a number |
|
|
LINA may traceback in Thread Name: Datapath with NAT config |
|
|
FTD Secondary Unit got stuck in Bulk sync state. |
|
|
Portmanager and lacp sync is not programmatic |
|
|
ASA/FTD will allow local IP pool with invalid netmask |
|
|
NAT Rules Before deleted when policy is saved on FMC |
|
|
Objects get duplicated when policy imported using 'Replace Existing' option |
|
|
TACACS+ traffic is dropped by TLS Server Identity in XTLS module |
|
|
Offbox FMC Application/IPS/URL events validation failed: created network objects not found |
|
|
S2S VPN config removed unexpectedly after deployment |
|
|
File Download fails intermittently with malware & file policy configured |
|
|
FTD wizard on active HA FMC show an error message that refers the other manager as "analytics FMC" |
|
|
FTD/ASA may traceback and reload in DATAPATH thread |
|
|
Dynamic Site-to-Site tunnels stuck in IN-NEG state When IKE_AUTH Is Missed |
|
|
FTD upgrade may fail in 901_reapply_sensor_policy.pl if policy_deployment.db is corrupt/unavailable |
|
|
FMC Deployment Failure When Modifying NAT Policy with Block Allocation and Round-Robin Enabled |
|
|
FMC: Unable to save interface config as save button is greyed out |
|
|
ENH: Provide option independently enable/disable HM for physical and sub interfaces |
|
|
DNS settings removed in post-upgrade deployment |
|
|
ASA Traceback and Reload due to MEMORY CORRUPTION WAS DETECTED |
|
|
enhance sma 2nd cruz heartbeat logging |
|
|
ASA/FTD: Inbound IPsec packets are dropped when IPsec offload is enabled with VTI and sub-interface |
|
|
100GB interface flaps with Innolight QSFPs in both ends |
|
|
Not able to remove or clear Fault "The password encryption key has not been set." |
|
|
FMC Upgrade Fails at 39% 600_schema/103_csm_cfgdbmigration.sh |
|
|
ASA/FTD may traceback and reload in Thread Name "fover_parse" |
|
|
show run access-list command returns warning |
|
|
Issues with extdb Omniquery execution |
|
|
Snort3 crash on TLS cert have same issuer and common name,but sign algo and public key are different |
|
|
snort2 instances restart unexpectedly with OOM during policy deployment |
|
|
FMC AzureAD User/Groups Download Failing: too many SQL variable |
|
|
SQLNet traffic getting dropped intermittently in Clustering data unit. |
|
|
EventHandler can block when multiple SSE consumers are enabled |
|
|
DAP Cert Serial Number check field should be freeform instead of hex format on FMC |
|
|
Set Weight option missing in UI when FTD sensor reverted and re-upgraded |
|
|
FTD - Missing routes on BGP advertised-routes after FTD HA failover event |
|
|
Incompatible members warning message after Po member interface flaps unable to rejoin Po |
|
|
Snort 3 rules display discrepancy in the GUI of FMC. |
|
|
Refresh of Inventory shows incorrect message "Device is not reachable" with sftuunel is UP |
|
|
FMC DHCP Relay Agents and Servers doesn't show in the UI or allow any changes |
|
|
In RAVPN policy edit action getting stuck, when editing LDAP attribute maps |
|
|
Unable to edit/delete client module in the RAVPN group policy |
|
|
Re-Enabling multichannel cli post upgrade if disabled prior to upgrade |
|
|
ASA traceback and reload on thread snmp_inspect |
|
|
FMC not sending/synchronizing the RADIUS config file to the FTDs |
|
|
Unable to login to FMC via external LDAP User post FMC Migration. |
|
|
ASA traceback and reload due to stack overflow while using APCF file |
|
|
ASA traceback and reload on thread DATAPATH when processing gtpv1 end marker msg for PDP |
|
|
Global search of the objects not working due to stale domain id reference |
|
|
FTD Lina process is brought down if mysql/mariadb is restarted for any reason post FTD startup |
|
|
Snort3 blocking ESMTP traffic intermittently and trigger IPS signatures 124:3:2 and 124:1:2 |
|
|
NAT traps have to be rate-limited |
|
|
Scheduled tasks do not run when interval is set to 24 hours but do when set to 1 days |
|
|
HTTP Path Data Metrics not Visible in FMC |
|
|
On cdFMC FTD-HA pair standby node has stale Interface status health alert |
|
|
License showing diffrent tier in FMC UI |
|
|
Potential High CPU usage in Multi-Context Cluster setup with unconditional execution of capture code |
|
|
ASA/FTD may traceback and reload in DATAPATH-1-20757 |
|
|
SFDataCorrelator cores while calling DCEControlMessageReconfigure |
|
|
External auth (Radius) User unable to login to FTD due to mismatched cases during initial login |
|
|
Alert user that FDM is not Supported for FTDv in Openstack if they try to enable it |
|
|
FMC does not clear old Intrusion Policy recommendations when they are regenerated |
|
|
snort "exits normally" in loop every 1 min resulting in complete outage |
|
|
Registration Cleanup Should NOT Run if the peers Directory Cannot Be Opened |
|
|
FMC Remote Storage Error: Use of uninitialized value $^WARNING_BITS in bitwise xor (^) |
|
|
ASA/FTD may traceback and reload in Thread Name "IKEv2 Daemon" while joining failover |
|
|
Secondary FMC indicates the FTD is still upgrading, despite the upgrade being completed. |
|
|
ENH: FMC API: Threat Defense Upgrade Options skip automatic generating of troubleshooting files |
|
|
PBR with default next-hop not allowed without next hop |
|
|
Discrepency in the unused object count between the FMC UI and API results |
|
|
'no capture /all' failed to disable capture completely in the backend, causing high datapath CPU |
|
|
GTP inspection drops packet with error ERROR-DROP:MsgType:32 |
|
|
FQDNs are unresolved via DNS on data interface after reboot or traceback |
|
|
LINA core observed pointing to "IP RIB Update" thread |
|
|
FMCv is incompatible with certain KVM hypervisor software versions |
|
|
Enhancement to remove zone check on dhcp relay server facing interfaces . |
|
|
Identity Mapping Filter shows blank, even though there is a selected network object. |
|
|
Copy/Paste for a rule on any UI page other than page 1 results in policy UI loading back to page 1. |
|
|
FTD device stuck in rommon mode after pressing reset button |
|
|
Cluster assigning wrong nat for unit, traffic not being forwarded properly back to unit |
|
|
ASA/FTD traceback and reload with high rate of SIP connections |
|
|
TCP Conn not being flagged as Half-Closed after receiving the ACK for the FIN. |
|
|
Memory Blocks 80 and 9344 leak due to priority-queue |
|
|
GTP inspection not allowing GTP data packets if session create response has cause type 18 |
|
|
When capture enabled on cluster interface, it always includes CCL IP along with the configured rule |
|
|
Unity style enrollment after registering to the AMPkit portal |
|
|
ASA/FTD may traceback and reload in Thread Name 'SSH Ctxt Thread' |
|
|
FTD HA active node interfaces went down after failed policy deploy |
|
|
vertical scroll bar missing in Available Rules modal in correlation policy editor in most UI themes |
|
|
FlexConfig objects Policy_Based_Routing and Policy_Based_Routing_Clear cause deployment failure |
|
|
ADI on FTD does not stop after a crash |
|
|
ASA upgrade failing from 9.20.2.21 to the target version 9.20.3.4 |
|
|
Intrusion rule recommendations fail to apply when "Generate" option is used and then applied later |
|
|
Scale cdFMC:Policy deploy fails when Audit log to Syslog is configured with invalid ipv6 syslog host |
|
|
User id mismatch - add extra logs |
|
|
FTD cluster to traceback and reload after extended PAT is enabled |
|
|
Validation errors after updating Hub and Spoke topology. |
|
|
ASA/FTD may traceback and reload in Thread Name 'ldap_client_thread' |
|
|
ASA/FTD may traceback and reload in Thread Name 'cli_xml_request_process'. |
|
|
Memory fragmentation resulted in huge pages unavailable for lina |
|
|
Unable to add Data nodes to Existing Cluster setup during cluster app-sync phase |
|
|
Critical health alert, module SMART_LICENSE Smart Licensing Agent is not running |
|
|
Admin users are prompted to change local password when authenticating to external server |
|
|
HA would bring data interfaces up while moving from cold standby to failed state |
|
|
Large number of stale revisions in CloudConfig affects FMC performance. |
|
|
ASA may traceback and reload in Thread Name 'ssh' |
|
|
FTD: Management0/0 status went down, line protocol is up after upgrade |
|
|
GTPv2 IE-type 157 (Signaling Priority Indication) is dropped with reason as unknown IE type |
|
|
fs-daemon hap reset with core generation |
|
|
FTD: Snort AppID Misclassifies NetBIOS-ssn Traffic as Unknown |
|
|
Push messages including UMS are broken when the FMC is reached on port 443 |
|
|
ASA booting process may freeze when including 'no pim' or 'no igmp' config |
|
|
FTD/ASA May Traceback and Reload - During Deployment / Radius changes - Due to Radius Packets |
|
|
Jumbo frame packets are being fragmented |
|
|
Generic error thrown when a user tries to access Packet-Capture page |
|
|
Extended PAT configuration can be enabled on clustered devices when FMC UI states it will be ignored |
|
|
Snort3 crash in js norm with out-of-range exception during unescaping |
|
|
FTD may traceback and reload in Thread Name "FPRLI_FPR4K-SM-32" |
|
|
correlation rules with access control rule name condition will not properly save on standby FMC |
|
|
Monitored interfaces may go in waiting state after upgrade to 9.20.3.7 |
|
|
Firewall not initiating TCP request even after receiving the TC bit set in DNS response |
|
|
Multiple Unicorn Admin Handler processes consume all the control plane CPU. |
|
|
SMB remote backup failure due to realm sync |
|
|
Serviceability : FQDN Packet based debug and capture trace support |
|
|
FMC Upgrade slowness is seen at stage 300_os/070_setup_partition.sh while copying cache files |
|
|
Graceful restart flag in FTD OPEN message set to 0 when power is lost |
|
|
LSP deployment fails in MI environments following a patch or hotfix installation failure. |
|
|
Longevity setup:TPK cluster node is displayed as empty cluster in device mgmt page |
|
|
DNS FQDN obj doesn't go unresolved upon FQDN obj deleted on server/intf to reach sever is down in 7.7 |
|
|
SNMP walk results in ASCII value for IPSEC Peer instead of an IP address. |
|
|
Undefined value in port object on access policy page with new UI |
|
|
FTD Deployment Resilience: Skip non-critical / non-existing commands to avoid deployment failures. |
|
|
HA should prevent honouring failover requests while copy/config-sync/rollback is in progress |
|
|
SAML SSO Test Configuration and SSO login doesn't work even after a successful configuration |
|
|
MI: Traffic fails to reach the Secondary FTD when enabled with data-sharing interface |
|
|
MI: Vlan info is not applied at FXOS level when Virtual MAC is configured |
|
|
Implementing forwarder flow on non-owner units handling distributed secondary flow connections |
|
|
recurring GeoDB updates may fail to install when scheduled at the same time of day as rule updates |
|
|
FXOS - Download command generates an extra "/" over HTTP and HTTPS GET requests |
|
|
Intrusion policy having same name in different Domains causes IPS policy corruption |
|
|
Coverity System SA warnings 2024-09-09, Coverity Defects 922530 922529 922528 922630 921809 921808 |
|
|
S2S VPN tunnel Child SA unsuccessful renegotiation |
|
|
ASA 21xx: 'sh environment temperature' shows incorrect temperature values |
|
|
SFDataCorrelator memory leak on HandleUserLoginInfoMsg |
|
|
FMC UI becomes unresponsive when converting and downloading Snort 2 rules |
|
|
LINA may observe random traceback with Netflow configured |
|
|
Critical health alerts 'user configuration(FSM.sam.dme.AaaUserEpUpdateUserEp)' on FPR 1100/2100/3100 |
|
|
Frequent traceback after upgrading FTD HA |
|
|
On FMC, Backend server JVM is running out of memory when policies and objects are huge |
|
|
Send Virtual Tunnel Interface enabled by default on SVTI |
|
|
Tracebacks observed in a cluster member running ASA 9.20.3.4 |
|
|
JBDC client throwing error on certain queries after upgrade |
|
|
Modify memory allocation for policy deployment subgroup |
|
|
Application Name Change in VDB Not Reflected During Event Processing |
|
|
Snort3: TCP Midstream Traffic on ACK Normalized by snort and blocked by the Stream Preprocessor |
|
|
Deploy preview fails if device is moved from one domain to another domain |
|
|
FTD registration to FMC gets hung when RabbitMQ is down. |
|
|
Traceback and reload with Thread Name: vtemplate process |
|
|
EventHandler cores during startup when sending events to syslog or SNMP for a huge number of rules |
|
|
FMC memory leak after talos_reg.crt becomes active |
|
|
Traceback in thread name Lina on configuring arp permit-nonconnected with BVI |
|
|
Specific IP settings are not kept in FMC GUI for BGP route map object in BGP Clauses after saving. |
|
|
ASA: floating-conn not closing UDP conns if conn was created without ARP entry for next hop |
|
|
SFF_SFP_10G_25G_CSR_S from Finisar ports bouncing when use as HA link |
|
|
Intf Link down (Init, mac-link-down) seen - EtherChannel Membership in Down/Down/Down state after unplug/replug of the cable |
|
|
FMC Health Monitor (HM) graph shows incorrect number of Snort and System CPU cores |
|
|
Asia/Bangkok timezone option not listed in ASA running on firepower1k |
|
|
Banner motd does not display when configured |
|
|
After upgrading FMC, deployment fails because of high SI Objects |
|
|
SSH works in admin context but doesn't work in any user context after changing ssh key-exchange |
|
|
Event-list not deployed when using Enable All Syslog Messages |
|
|
Update beakerd and libnikita to handle excessive logging issue |
|
|
Unreachable LDAP/AD referrals may cause delays or timeouts in external authentication on FTD |
|
|
Need the SVC Rx/Tx queue as a configurable option |
|
|
FMC does not remove community list override when this is modified. |
|
|
ISA3000 with ASA Refuses SSH Access If CiscoSSH is Enabled |
|
|
Traceback and Reload caused by Memory corruption with SNMP inspection enabled |
|
|
Talos registration cert may fail to generate if smart licensing VA name contains certain characters |
|
|
Lina traceback and reload due to "spin_lock_fair_mode_enqueue" |
|
|
Very High threat confidence is displayed for the threat score 98 |
|
|
extdb query error when ordering by count(*) |
|
|
core corruption still seen with switching to quick core feature |
|
|
snort3 : FMC connection event logs do not show URL in DNS query using TCP |
|
|
Identity NAT should not throw error due to exceeding threshold if destination only objects expand |
|
|
High ASA/FTD memory usage due to polling of RA VPN related SNMP OIDs |
|
|
FTD FP2100 port-channel interfaces flap with LACP |
|
|
FMC Not listing the any connect images in RAVPN Wizard and FMT tool |
|
|
Occasionally, 'show chunkstat top-usage' output does not show all entries |
|
|
ASA/FTD may traceback and reload in Thread Name "DATAPATH" |
|
|
Generate syslog if received CRL is older than cached CRL |
|
|
Generate syslog if received CRL signature validation fails |
|
|
Unknown disposition files take a long time receive status and threat score. |
|
|
URL getting allowed even with block rule in place. |
|
|
ASA: Traceback and Reload Under Thread Name SSH |
|
|
Debuggability: FP2100 port-channel interfaces flap after upgrade |
|
|
Snort3 trimming packets with invalid sequence number due to bad window size information received |
|
|
VNI source MTU is not IPv6 aware after upgrade if configured prior to upgrade |
|
|
Community lists should not throw an error until the last item in the list is being deleted |
|
|
ASA traceback and reload on DATAPATH thread due to memory corruption |
|
|
Malware block not happening due to malware cloud lookup timeout |
|
|
ASAv reloaded unexpectedly with traceback on Unicorn Proxy Thread |
|
|
Command authorization fallback to Local only works for users with privilege 15. |
|
|
SSL trustpoint with 4096 bit RSA keys not allowed by ASA if renewed via CLI |
|
|
Traceback and reload during the deployment after disabling FQDNs. |
|
|
Enabling debugs with EEM fails |
|
|
Detectors sync issue on FMC upgraded to 7.7 |
|
|
Snort3 crashed because don't fragment bit was set and it did not treat ipv4 fragments as fragments |
|
|
Users from legacy radius server can login to Standby FMC domain when MA is enabled |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina_exec_startup_thread' |
|
|
FMC removes prefix-list overides used for BGP and installs defaults values by itself. |
|
|
FTD TS is collecting duplicated data |
|
|
Port scan alerts not getting generated for custom configuration |
|
|
debug packet-condition does not work as expected |
|
|
Default Route Changes from Management0 to Management1 After Reload or Upgrade on FPR 4200 Series |
|
|
Management1 Gateway Configuration Should Be Optional on FPR 4200 Series |
|
|
TLS.- Outlook only supports TLS 1.2 and not 1.3- FMC uses TLS 1.3 by default |
|
|
Disable Reverse Path Filter for Dual Management Interfaces on FPR 4200 Series |
|
|
Active FMC - False alerts of FMC HA in degraded sync state |
|
|
Random QOS policies are getting negatted and added with subsequent deployment |
|
|
First cycle of FMC HA periodic sync may fail after resuming sync following FMC software upgrade |
|
|
AMP related health alert during upgrade and typo in the alert message |
|
|
Enhance Debugging for add/update/withdraw of routes with neighbors |
|
|
Serviceability Enhancement - New 'show bgp internal' command for advanced debugging |
|
|
show bgp update-group a.b.c.d displays "no such neighbor" when there is a valid neighbor |
|
|
FMC: Media type displayed on the FMC's FCM is not matching CLI after swapping sfps |
|
|
Traceback & Reload in thread named: DATAPATH-1-23988 during low memory condition |
|
|
show tech-support fprm detail command is getting stuck for longer duration |
|
|
Snort3 traceback and deployment failure with VDB upgrade |
|
|
Memory leak leading to split brain |
|
|
Firepower hits route limit due to ASP table resource exhaustion affecting traffic forwarding |
|
|
SecGW: Data node fails to join the cluster with cluster_ccp_make_rpc_call failed to clnt_call error |
|
|
ASA may traceback and reload in Thread Name 'fover_parse' |
|
|
Installation of Hotfix may fail at 800_post/998_expire_ac_policy.pl on the standby FMC |
|
|
Logging recipient-address not overriding the logging mail message severity levels |
|
|
After upgrade from newer lower MR to Old Higher MR seeing health module compilation error |
|
|
DNS and default gateway are removed on FTD managed through data interface |
|
|
/mnt/disk0/log folder duplicated on troubleshooting package |
|
|
FMC Rest API returns only the first 1000 network object entries |
|
|
Overrides not working on chained/inherited custom IPS policies |
|
|
Add "built" and "teardown" messages for the GRE | IPinIP connections to the Lina syslog |
|
|
After renewal FMC CA, the certificate cannot be used for ArcSight integration |
|
|
Default Pass action for rules in Snort 3 local rule groups may cause blank error in IPS policies |
|
|
FPR9K-SM-56 Cluster - FTD Stuck in an application install loop & error 'pooled address is unknown' |
|
|
Network Outage when Primary FTD Instance is Disabled from FCM |
|
|
Unable to validate change ticket: |
|
|
snmp_logging_thread is utilizing high CPU in control plane |
|
|
FMC health policy and Default Health Policy do not have correct moduleList |
|
|
FPR9K-SM-56 Cluster Node APP_SYNC timeout twice before joining "6" member inter-chassis cluster |
|
|
FPR1010 Ethernet1/1 trunk port is not passing Vlan traffic after a reload |
|
|
The NAS-IP-Address attribute is missing from the Access-Request in FMC |
|
|
Interface mac stuck issue seen with peer switch reloads or after upgrade |
|
|
FTD Upgrade Retry failure (Unable to execute Retry after failure in FTD while upgrading to 7.7.10) |
|
|
SNMP polling to chassis is unsuccessful with FTD Multi-instance in HA used as SNMP agent |
|
|
TLS handshake fails with reverse SSL flow and TSID (TLS Server Identity) enabled |
|
|
Certain special characters or spaces in RADIUS user passwords cause login failure in FMC |
|
|
Post reposition or move operation fails then if user saves, it would lead to loss of rules & may cause an outage |
|
|
BFD packets are not dropped for single-hop BFD sessions received via alternate path |
|
|
Difference in RSA key length at multiple spots in FXOS |
|
|
L3 Clustering where BGP immediately comes up while DATA node is still in bulk sync |
|
|
CSF4200 management1/2 interface shows up/up on lina despite physically disconnected |
|
|
Unidirectional communication over ccl leading to split-cluster. |
|
|
SMB remote FMC backups are failing due to relam sync |
|
|
backout change preventing enabling clustering in FIPS mode |
|
|
FP4100/9300 Fatal error: Incomplete chain observed before watchdogs with reset code 0x0040 |
|
|
The total disk keep on increasing on the disk status wizard on the Health Monitor page. |
|
|
FTD MI: SNMP polling fails to work after upgrade |
|
|
Devices show offline due to "Appliance unreachable" due to HMS deadlock inserting to DB |
|
|
Subsequent DNS packets are dropped in a single flow if one domain hits the custom DNS SI block list |
|
|
Error 500: Internal Server Error in FMC when generating report for global domain intrusion policy used in child domain ACP |
|
|
Unable to change few IPS rule actions after upgrading from snort2 to snort3 |
|
|
FP9300/4100 may traceback & reload due to a "Kernel Panic" |
|
|
FTD: Traffic Getting Dropped with Reason "Blacklist" following "Pruned memcap flows" |
|
|
FDM stuck deployment task in Queued state |
|
|
An ICMP not reachable storm might cause high CPU on a two units FTD cluster |
|
|
FMC deployment hungs and fail due to "NGFW_UPGRADE is missing in map" |
|
|
File download halts around the 2.1 GB |
|
|
IKEv2-EAP Authentication Fails with Windows and MacOS Native VPN Clients |
|
|
Clarify the working of Fallthrough to Interface PAT (Destination Interface) as it is not working as expected |
|
|
The estreamer debug command is not producing the expected output |
|
|
Clean-up of temporary tar file is not happening when copy to remote storage fails during backup. |
|
|
If a user_ip_map.snapshot exists with an low timestamp value, snapshots are created frequently |
|
|
Cluster: Multi-blade chassis not transmitting broadcast traffic outbound to specific vlan |
|
|
SSL - Issues with DND a particular site after FTD upgrade on Chrome and Edge post upgrade |
|
|
TCP RST Packets Fail to Match Configured Geolocation-Based Rules |
|
|
High disk usage due to snort-unified.log |
|
|
SFDataCorrelator_user_id_mismatch.log overconsumption of disk |
|
|
Adding interface taking more than 30 sec with loading security zones |
|
|
WA: Traceback and reload due to lock contention on the tmatch table during deployment with large snmp config |
|
|
FMC dashboard dynamic analysis over time is shown as "No Data" |
|
|
Snort may drop SCTP packets and block SCTP connections |
|
|
3RU MI instances offline after baseline/creation |
|
|
FTD: Injected/Trimmed packets dropped by LINA due to invalid-ip-length |
|
|
VPN lost during a rekey with 'IKEv2 negotiation aborted due to ERROR: Platform errors' |
|
|
OSPF: Lina Traceback and Reload on Both Units in High Availability Setup. |
|
|
FMC Authentication Fails with freeradius, "Invalid NAS IP Address" Error Displays Unexpected IP |
|
|
ASA/FTD in HA, snmptranslate process during the boot-up causing High CPU and IPC timeouts, causing split-brain. |
|
|
NAS-IPv6-Address attribute is missing from the Access-Request in FMC |
|
|
UIP control event causes identity to reload potentially blocking packet processing for more than 10 sec |
|
|
Though disabled rules exist , are shown as 0 for Snort3 rule recommendations |
|
|
WM RM 1150: A reboot of an FTD in a HA pair may cause split-brain sometimes, in unknown conditions |
|
|
NAS-Identifier Attribute has always "sshd" value |
|
|
Traceback seen while FQDN list expands more than 200 entries for a resolved ip |
Resolved Bugs in Version 7.4.2.4
Table last updated: 2025-09-25
|
Bug ID |
Headline |
|---|---|
|
Cisco Secure Firewall Adaptive Security Appliance Software and Secure Firewall Threat Defense Software VPN Web Server Unauthorized Access Vulnerability |
|
|
Cisco Secure Firewall Adaptive Security Appliance Software and Secure Firewall Threat Defense Software VPN Web Server Remote Code Execution Vulnerability |
Resolved Bugs in Version 7.4.2.3
Table last updated: 2025-06-17
|
Bug ID |
Headline |
|---|---|
|
Frequent route updates causes routes to get removed causing outages |
|
|
Policy Deployment Hung at 5% or 8% Deployment - Collecting policies and objects |
Resolved Bugs in Version 7.4.2.2
Table last updated: 2025-08-21
|
Bug ID |
Headline |
|---|---|
|
OpenPrinting CUPS is a standards-based, open source printing system fo |
|
|
A flaw was found in GLib. GVariant deserialization fails to validate t |
|
|
A flaw was found in GLib. GVariant deserialization is vulnerable to a |
|
|
A flaw was found in glib, where the gvariant deserialization code is v |
|
|
A flaw was found in GLib. The GVariant deserialization code is vulnerable |
|
|
A flaw was found in GLib. GVariant deserialization is vulnerable to an |
|
|
A flaw was found in glibc. In an uncommon situation, the gaih_inet fun |
|
|
Due to a failure in validating the length provided by an attacker-craf |
|
|
An issue in the CPIO command of Busybox v1.33.2 allows attackers to ex |
|
|
Due to failure in validating the length provided by an attacker-crafte |
|
|
urllib3 is a user-friendly HTTP client library for Python. urllib3 pre |
|
|
A memory leak flaw was found in Libtiff's tiffcrop utility. This issue |
|
|
LibTIFF is vulnerable to an integer overflow. This flaw allows remote |
|
|
A vulnerability was found in libtiff due to multiple potential integer |
|
|
ASA - Traceback the standby device while HA sync ACL-DAP |
|
|
An issue was discovered in the Linux kernel through 6.5.9. During a ra |
|
|
Twisted is an event-based framework for internet applications. Prior t |
|
|
cryptography is a package designed to expose cryptographic primitives |
|
|
Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Access Control Rules Bypass Vulnerability |
|
|
This flaw allows a malicious HTTP server to set "super cookies" in cur |
|
|
Postfix through 3.8.4 allows SMTP smuggling unless configured with smt |
|
|
A vulnerability was found in GnuTLS. The response times to malformed c |
|
|
linux-pam (aka Linux PAM) before 1.6.0 allows attackers to cause a den |
|
|
copy_params in drivers/md/dm-ioctl.c in the Linux kernel through 6.7.1 |
|
|
Cisco Secure Firewall Management Center Software XPATH Injection Vulnerability |
|
|
libexpat through 2.5.0 allows a resource consumption denial of service event |
|
|
libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DT |
|
|
Vim before 9.0.2142 has a stack-based buffer overflow due to a set language map error |
|
|
A DMA reentrancy issue leading to a use-after-free error was found in |
|
|
A bug in QEMU could cause a guest I/O operation otherwise addressed to |
|
|
In the Linux kernel, the following vulnerability has been resolved: b |
|
|
libexpat through 2.6.1 allows an XML Entity Expansion attack when ther |
|
|
A heap-buffer-overflow vulnerability was found in LibTIFF, in extractI |
|
|
Faulty input validation in the core of Apache allows malicious or expl |
|
|
In GNU tar before 1.35, mishandled extension attributes in a PAX archi |
|
|
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of |
|
|
In the Linux kernel, the following vulnerability has been resolved: b |
|
|
In the Linux kernel, partitioning error existed CVE-2023-52458 |
|
|
HTTP Response splitting in multiple modules in Apache HTTP Server allo |
|
|
In the Linux kernel, the following vulnerability has been resolved: i |
|
|
In the Linux kernel, the following vulnerability has been resolved: K |
|
|
In the Linux kernel, the following vulnerability has been resolved: e |
|
|
In the Linux kernel, the following vulnerability has been resolved: s |
|
|
In the Linux kernel, the following vulnerability has been resolved: n |
|
|
In the Linux kernel, the following vulnerability has been resolved: b |
|
|
In the Linux kernel, the following vulnerability has been resolved: b |
|
|
In the Linux kernel, the following vulnerability has been resolved: a |
|
|
In the Linux kernel, the following vulnerability has been resolved: m |
|
|
In the Linux kernel, the following vulnerability has been resolved: d |
|
|
In the Linux kernel, the following vulnerability has been resolved: R |
|
|
HTTP/2 incoming headers exceeding the limit are temporarily buffered i |
|
|
wall in util-linux through 2.40, often installed with setgid tty permi |
|
|
A flaw was found in GnuTLS. The Minerva attack is a cryptographic vuln |
|
|
A flaw has been discovered in GnuTLS where an application crash can be |
|
|
The iconv() function in the GNU C Library versions 2.39 and older may |
|
|
less through 653 allows OS command execution via a newline character i |
|
|
In the Linux kernel, serial: omap: Don't skip resource freeing if pm_runtime_resume_and_get() failed |
|
|
nscd: Stack-based buffer overflow in netgroup cache If the Name Servi |
|
|
nscd: Null pointer crashes after notfound response If the Name Servic |
|
|
nscd: netgroup cache may terminate daemon on memory allocation failure |
|
|
nscd: netgroup cache assumes NSS callback uses in-buffer strings The |
|
|
In the Linux kernel, the following vulnerability has been resolved: f |
|
|
In the Linux kernel, the following vulnerability has been resolved: U |
|
|
In the Linux kernel, the following vulnerability has been resolved: t |
|
|
In the Linux kernel, the following vulnerability has been resolved: n |
|
|
In the Linux kernel, the following vulnerability has been resolved: n |
|
|
Requests is a HTTP library. Prior to 2.32.0, when making requests thro |
|
|
In the Linux kernel, the following vulnerability has been resolved: i |
|
|
In the Linux kernel, the following vulnerability has been resolved: H |
|
|
In the Linux kernel, the following vulnerability has been resolved: i |
|
|
Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Remote Access SSL VPN Denial of Service Vulnerability |
|
|
In the Linux kernel, the following vulnerability has been resolved: i |
|
|
In the Linux kernel, the following vulnerability has been resolved: i |
|
|
In the Linux kernel, the following vulnerability has been resolved: b |
|
|
In the Linux kernel, the following vulnerability has been resolved: n |
|
|
strongSwan versions 5.9.2 through 5.9.5 are affected by authorization |
|
|
The various Is methods (IsPrivate, IsLoopback, etc) did not work as ex |
|
|
url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo |
|
|
Vulnerabilities in linux-kernel CVE-2023-52439 |
|
|
Vulnerabilities in linux-kernel CVE-2023-52435 |
|
|
Vulnerabilities in linux-kernel CVE-2023-52463 |
|
|
urllib3 is a user-friendly HTTP client library for Python. When using |
|
|
The IPv6 implementation in the Linux kernel before 6.3 has a net/ipv6/ |
|
|
In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the |
|
|
In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause inva |
|
|
Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vul |
|
|
null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and |
|
|
In the Linux kernel, the following vulnerability has been resolved: x |
|
|
Cisco Secure Firewall Management Center Software HTML Injection Vulnerability |
|
|
In the Linux kernel, the following vulnerability has been resolved: t |
|
|
In the Linux kernel, the following vulnerability has been resolved: b |
|
|
Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Network Address Translation DNS Inspection Denial of Service Vulnerability |
|
|
Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Network Address Translation DNS Inspection Denial of Service Vulnerability |
|
|
Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software DHCP Denial of Service Vulnerability |
|
|
In the Linux kernel, the following vulnerability has been resolved: a |
|
|
In the Linux kernel, for ata: libata-core: Fix null pointer dereference on error |
|
|
In the Linux kernel, for tcp_metrics: validate source addr length |
|
|
In the Linux kernel, the following vulnerability has been resolved: c |
|
|
Jinja is an extensible templating engine. Special placeholders in the |
|
|
Jinja is an extensible templating engine. The 'xmlattr' filter in affe |
|
|
Vim is an open source command line text editor. Vim < v9.1.0647 has do |
|
|
In the Linux kernel, the following vulnerability has been resolved: n |
|
|
Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.5 |
|
|
In the Linux kernel, the following vulnerability has been resolved: i |
|
|
In the Linux kernel, the following vulnerability has been resolved: i |
|
|
In the Linux kernel, the following vulnerability has been resolved: n |
|
|
In the Linux kernel, the following vulnerability has been resolved: b |
|
|
Insufficient Input Validation Vulnerability |
|
|
Insufficient Input Validation Vulnerability |
|
|
Attempting to edit chassis of multinstance FTD gets "Request Timed Out. Retry after sometime." |
|
|
A null pointer dereference flaw was found in the hugetlbfs_fill_super |
|
|
In the Linux kernel, the following vulnerability has been resolved: m |
|
|
In the Linux kernel, the following vulnerability has been resolved: n |
|
|
In the Linux kernel, the following vulnerability has been resolved: n |
|
|
In the Linux kernel, the following vulnerability has been resolved: x |
|
|
In the Linux kernel, the following vulnerability has been resolved: f |
|
|
In the Linux kernel, nvme: avoid double free special payload on discard request retry |
|
|
In the Linux kernel, the following vulnerability has been resolved: p |
|
|
In the Linux kernel, the following vulnerability has been resolved: e |
|
|
In the Linux kernel, the following vulnerability has been resolved: c |
|
|
Cisco Secure Firewall Threat Defense Software Snort 3 Denial of Service Vulnerability |
|
|
In the Linux kernel, for filelock: Remove locks reliably when fcntl/close race is detected |
|
|
In the Linux kernel, within mm: avoid overflows in dirty throttling logic |
|
|
A flaw was found in the python-cryptography package. This issue may al |
|
|
In the Linux kernel, the following vulnerability has been resolved: f |
|
|
In the Linux kernel, the following vulnerability has been resolved: n |
|
|
In the Linux kernel, for dma: fix call order in dmam_free_coherent dmam_free_coherent() |
|
|
In the Linux kernel, the following vulnerability has been resolved: d |
|
|
Fix a Linux kernel file access permissions access check error |
|
|
In the Linux kernel, the following vulnerability has been resolved: m |
|
|
Fix linux kernel divide by zero error when calling ioctl TIOCSSERIAL with bad baud rate |
|
|
In the Linux kernel, the following vulnerability has been resolved: g |
|
|
In the Linux kernel, the following vulnerability has been resolved: n |
|
|
In the Linux kernel, the following vulnerability has been resolved: s |
|
|
In the Linux kernel, the following vulnerability has been resolved: x |
|
|
In the Linux kernel, the following vulnerability has been resolved: n |
|
|
In the Linux kernel, the following vulnerability has been resolved: v |
|
|
In the Linux kernel, the following vulnerability has been resolved: x |
|
|
In the Linux kernel, the following vulnerability has been resolved: n |
|
|
In the Linux kernel, the following vulnerability has been resolved: m |
|
|
In the Linux kernel, the following vulnerability has been resolved: f |
|
|
An issue was discovered in libexpat before 2.6.3. xmlparse.c does not |
|
|
In the Linux kernel, the following vulnerability has been resolved: e |
|
|
In the Linux kernel, the following vulnerability has been resolved: K |
|
|
In the Linux kernel, the following vulnerability has been resolved: P |
|
|
Cisco ASA/FTD Firepower 3100/4200 Series TLS 1.3 Cipher Denial of Service Vulnerability |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
Redis is an open source, in-memory database that persists on disk. Aut |
|
|
Redis is an open source, in-memory database that persists on disk. An |
|
|
In the Linux kernel, the following vulnerability has been resolved: s |
|
|
In the Linux kernel, the following vulnerability has been resolved: a |
|
|
In the Linux kernel, the following vulnerability has been resolved: r |
|
|
In the Linux kernel, the following vulnerability has been resolved: e |
|
|
There is a MEDIUM severity vulnerability affecting CPython. Regul |
|
|
There is a LOW severity vulnerability affecting CPython, specifically |
|
|
Cisco Secure Firewall Management Center and Secure Firewall Threat Defense Software Command Injection Vulnerability |
|
|
CVE-2022-48975: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-47659: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-47660: linux-kernel: In the Linux kernel, the following vuln... |
|
|
Cisco Secure Firewall Management Center Software Authorization Bypass Vulnerability |
|
|
Cisco Secure Firewall Management Center Software Authorization Bypass Vulnerability |
|
|
FMC is not pushing no-validation-usage to the trustpoint if user not choosing validation usage type |
|
|
Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Web Services Denial of Service Vulnerability |
|
|
CVE-2024-38538: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2023-52498: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2023-52572: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2023-52615: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-46777: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-47668: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-47701: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-47742: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-49858: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-49860: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-49878: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-49882: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-49883: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-49884: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-49889: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-49948: linux-kernel: In the Linux kernel, the following vuln... |
|
|
CVE-2024-49949: linux-kernel: In the Linux kernel, the following vuln... |
Table last updated: 2025-08-21
|
Bug ID |
Headline |
|---|---|
|
ENH: Appliance hostname or ip address should be included in FX-OS syslogs |
|
|
SNORT3: proxy traffic issue on port 80 when tls1.3 inspection enabled |
|
|
ENH: Need the output of "show ssh-client" in FPRM show tech bundle |
|
|
Snort3 TCP flow cache entry growth caused by embryonic connection mismanagement |
|
|
Lina core at swapcontext on FTD during policy deployment |
|
|
MSP Quota setting for instances is not correct |
|
|
Traffic incorrectly matches an ALLOW rule with a time-range object after time has expired |
|
|
Disk quota for the corefile should be revisited based on platform |
|
|
Add support for new Cloud SSX regions for India and Australia |
|
|
FMC HA Wizard shows error "Unable to retrieve high availability status." with other languages |
|
|
Snort3 traceback and reload due to memory corruption in file module |
|
|
Disable/Enable an MI instance results it in "State Failed" |
|
|
FTD - Trace back and reload due to NAT involving fqdn objects |
|
|
CDO: Chassis onboarding to CDO is failing with hostname |
|
|
ASA/FTD May traceback & reload citing Thread Name 'lina' as the faulting thread. |
|
|
IPv6 tunnel packets to DVTI Tunnel source on vrf loopback dropped (acl-drop) |
|
|
FMC REST API calls to get AC policy data times out, AC policy GUI slowness with larger rule query |
|
|
ASA/FTD may traceback and reload |
|
|
FTD/FxOS - Upgrade/erase configuration result in App-instance 'Operational State: Starting' |
|
|
FXOS upgrade failure due to insufficient free space in /mnt/pss (isan.log consumes most of space) |
|
|
FMC in CC-mode audit over syslog not working |
|
|
Policy export fails with error "Unable to process the policy information for Export" |
|
|
Critical fault : [FSM:FAILED]: user configuration(FSM:sam:dme:AaaUserEpUpdateUserEp) |
|
|
RAVPN Certificate Group Map get removed after it is modified on the FMC |
|
|
Disable cluster syn cookie decoding when FTD cluster is deployed with inline-set |
|
|
Continuous loading state and PolicyRPC call remains in pending |
|
|
SNMP trap OID changed after upgrade |
|
|
CSF 3100 series not rebooting after power outage, requiring manual power cycle |
|
|
Platform settings policy hidden on UI |
|
|
FPR3100: Interface may go to half duplex speed is hardcoded to 100mbps |
|
|
FTD/ASA : 1SXF interfaces on FP3100 stay in a link-down state when connected to a Nexus 9K Switch |
|
|
PDTS write from Daq can fail when PDTS buffer is full and it would eventually lead block depletion |
|
|
Serviceability to capture PDTS writing/reading block to help root cause CSCwm36314 |
|
|
FTD inline-set ignore reverse flag for inject/rewrite |
|
|
ID attribute of other device during copying config via REST API POST can remove original config |
|
|
FXOS fault F1738 seen in deploymet with Error: CSP_OP_ERROR. CSP signature verification error |
|
|
ha-mode graceful-restart is missing in advanced preview |
|
|
SSH access with public key authentication fails after FXOS upgrade |
|
|
FXOS: messages rotates every 40 minutes due to Notification Daemon messages' being spammed |
|
|
Deployment transcript showing "Enable management access: false" |
|
|
FTDv and FTD on 4100/9300 unlocking based on time is not configurable |
|
|
TPK Low End FPR3100:Changing interface speed from 1g to 100mbps/100mps to 1g bring downs the link |
|
|
ASA/FTD: RA VPN tunnel causing memory leak leading to traceback & Reload |
|
|
FXOS: Directory /var/tmp Triggering FXOS Fault F0182 due to vdc.log (Excessive Logging,Log Rotation) |
|
|
FMC is sending a wrong value for engineID in SNMPv3 traps |
|
|
ADI crashes on FTD due to both FMC ADIs going unmuted |
|
|
FTD syslog-over-TLS allowing too many curves in CC mode |
|
|
FPR9K-SM-56 module intermittently lock up and cause traffic impact. |
|
|
Bind ESP to VTI Tunnel Source Interface To Avoid Additional Route-Lookup Post Encryption |
|
|
FTD reload with traceback on swapcontext function |
|
|
Can't delete IPS policy when Workflow Mode is enabled |
|
|
Radius user ssh login fails with error: username is not defined with a service type that is valid |
|
|
Graceful restart flag in FTD OPEN message set to 0 when power is lost |
|
|
FMC unnecessary sending "network-service reload" to FTD on every deployment regardless of change |
|
|
FMC : OSPF setting screen cannot be opened in FMC English UI |
|
|
False alerts of FMC HA in degraded sync state |
|
|
FMC backup failed while cfgdb dump after upgrading FMC to 7.4.2.1 |
|
|
Snort3 traceback and reload during user identity reload |
|
|
Last synchronization time in the FMC HA page shows 'Data unavailable' in language other than English |
|
|
Snort3 traceback and reload with stale pointer |
|
|
Stale Snort3 stream inspector flow stash after flow data is cleared |
|
|
External authentication radius SSH login failure with FXOS version 2.14.1.186 |
Resolved Bugs in Version 7.4.2.1
Table last updated: 2025-03-03
|
Bug ID |
Headline |
|---|---|
|
Time sync status and error message do not elaborate NTP server rejection case |
|
|
Cisco ASA and FTD Remote Access SSL VPN Authentication Targeted Denial of Service Vulnerability |
|
|
Cisco Firepower Management Center Software Cross-Site Scripting Vulnerability |
|
|
FTW no longer working in NM3 on Warwick |
|
|
Cisco ASA and FTD NSG Access Control List Bypass Vulnerability |
|
|
Cisco ASA and FTD Software Remote Access VPN Brute Force Denial of Service Vulnerability |
|
|
Cisco ASA and FTD VPN Web Client Services Cross-Site Scripting Vulnerabilities |
|
|
Cisco Secure Firewall Management Center Software Command Injection Vulnerability |
|
|
Cisco Firepower Management Center Software Cross-Site Scripting Vulnerability |
|
|
TLS Handshake Fails if Fragmented Client Hello Packet is Received Out of Order |
|
|
FMC on upgrade results in FTDv losing its performance tier |
|
|
Snort2 SSL decryption with known key fails on Chrome v124 and above. |
|
|
Snort2 - SSL decryption failing and some websites not loading on Chrome v124+ |
|
|
ENH: Add application support for blocking consecutive AAA failures on LINA |
|
|
CDO: Chassis onboarding to CDO is failing with hostname |
|
|
Cisco Firepower Management Center SQL Injection Vulnerability |
|
|
SGT INLINE-TAG added after upgrade to 7.4.x |
|
|
Cisco FTD for Cisco Firepower 2100 Series TCP UDP Snort 2 and Snort 3 DoS Vulnerability |
|
|
Cisco ASA and FTD Software Remote Access VPN Denial of Service Vulnerability |
|
|
ASA might traceback and reload due to ssh/client hitting a null pointer while using SCP. |
|
|
NTP is not synchronising when using SHA-1 authentication |
|
|
FXOS upgrade failure due to insufficient free space in /mnt/pss (isan.log consumes most of space) |
|
|
DAP policies not working with attribute TRUE/FALSE |
|
|
Cisco Adaptive Security Appliance and Firepower Threat Defense TLS Denial of Service Vulnerability |
|
|
Traffic outage due to 9k block depletion (tcpmod proc) observed on FPR 3100 (HA) |
|
|
Unable to create MI FTD in TPK chassis |
|
|
Configure External Storage fails second time with same backup profile |
|
|
FTD: Username missing in syslog message ID 302013 after upgrade to 7.4.1 |
|
|
Snort AppID incorrectly identifies SSH traffic as Unknown |
|
|
CSF 3100 series not rebooting after power outage, requiring manual power cycle |
|
|
FTD - Â Multi-Instance, docker0 interface overlap with private network 172.17.0.0/16 |
|
|
FMC4700 displays premature fan speed alerts |
|
|
After FMC upgrade results in standby FTDv losing its performance tier for FTD HA |
|
|
Crash handler notification for snort3 failure not being sent in MI setup. |
|
|
Cisco Adaptive Security Appliance Software SSH Server Resource DoS Vulnerability |
Resolved Bugs in Version 7.4.2
Table last updated: 2024-07-31
|
Bug ID |
Headline |
|---|---|
|
FMC HA synchronisation task failures should generate alarms |
|
|
Remove Syslog Messages 852001 and 852002 in Firewall Threat Defense |
|
|
FXOS does not retry NTP sync with servers |
|
|
IKEv2 debugs: Received Policies and Expected Policies are empty |
|
|
Cisco ASA and FTD Software RSA Private Key Leak Vulnerability |
|
|
Prevention of RSA private key leaks regardless of root cause. |
|
|
mgmt interface taking long time to come up and causing cluster registration issues |
|
|
Deleting a routed mode Etherchannel interface changes member interfaces to switch port mode |
|
|
FMC 7.0.2 Deployment error message is irrelevant | Deployment Failed due to configuration error |
|
|
Unnecessary FAN error logs needs to be removed from thermal file |
|
|
ssl policy errors: Unable to get server certificate's internal cached status |
|
|
ASA traceback and reload on Datapath process |
|
|
Device Management Applied Policies Widget Defaulting to classic theme when editting |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
ENH: Combine firmware bundle packages into FXOS MIO update packages |
|
|
ASA/FTD: Improve GTP Inspection Logging |
|
|
ASA/FTD: GTP Inspection engine serviceability |
|
|
Classic and Unified Events should handle cases when SMC is unreachable |
|
|
FTD: CLISH slowness due to command execution locking LINA prompt |
|
|
Cisco-Intelligence-Feed - Failed to download due to timeout |
|
|
Consul and Consul Enterprise allowed an authenticated user with service: |
|
|
Snort3 is crashing frequently on cd_pdts.so |
|
|
Deployment fails to FTD when reusing/reassigning existing vlan id to diff interface |
|
|
Cannot copy rules from one policy to another policy using the new AC policy UI |
|
|
ASA/FTD Cluster: Change "cluster replication delay" with max value increase from 15 to 50 sec |
|
|
FTD: ADI.conf - send_s2s_vpn_events is set to 0, even after applying s2s vpn health policy |
|
|
HashiCorp Vault's implementation of Shamir's secret sharing used precomp |
|
|
FMC deploy logs rotating faster because of /internal_rest_api/accesscontrol/rapplicationsavailable |
|
|
Error loading data in NAT page - When unused port object is used |
|
|
AC policy change is not reflected in instance page on edit |
|
|
Firewall rings may get stuck and cause packet loss when asp load-balance per-packet auto is used |
|
|
show version system prints errors about PM_Control.sock |
|
|
Identity Policy Active auth snort3 redirect hostname doesn't list all FQDN objects\u0009 |
|
|
Failing to dowload FTD image via SAML SSO login |
|
|
ASA - The GTP inspection dropped the message 'Delete PDP Context Response' due to an invalid TEID=0 |
|
|
ASA/FTD traceback and reload on thread DATAPATH |
|
|
Management UI presents self-signed cert rather than custom CA signed one after upgrade |
|
|
Incorrect exit interface choose for VTI traffic next-hop |
|
|
SNMP is not working on the primary active ASA unit in multi-context environment |
|
|
ASA crashed with Saml scenarios |
|
|
FXOS: Remove enforcement of blades going into degraded state after multiple DIMM correctable errors |
|
|
ASA: Traceback and reload when switching from single to multiple mode |
|
|
snort3 crashes observed due to memory corruption in file api |
|
|
ASA/FTD: 1 Second failover delay for each NLP NAT rule |
|
|
Getting an exception on the UI while editing and saving the intrusion policy |
|
|
Extensive logging for a problematic deployment caused logs to rollover important logs |
|
|
Strong Encryption license is not getting applied to ASA firewalls in HA. |
|
|
FTD/ASA traceback and reload may occur when ssl packet debugs are enabled |
|
|
Save button disabled when updating ZTNA policy |
|
|
ASA/FTD may traceback and reload in Thread Name 'dns_cache_timer' |
|
|
Vulnerabilities in linux-kernel 5.10.79 CVE-2023-3111 and others |
|
|
Message asa_log_client exited 1 time(s) seen multiple times |
|
|
The html/template package does not apply the proper rules for handling o |
|
|
Improve CPU utilization in ssl inspection for supported signature algorithm handling |
|
|
FMC Deployment failure in csm_snapshot_error |
|
|
ASA does not sent 'warmstart' snmp trap |
|
|
FMC Deployment failed due to internal errors after upgrade |
|
|
LINA would randomly generate a traceback and reload on FPR-1K |
|
|
NAT pool is not working properly despite is not reaching the 32k object ID limit. |
|
|
FDM: Allow turn on/off GSP mempool polling via Flexconfig |
|
|
FTD Upgrade from 6.6.5 to 7.2.5 removing OGS causing rule expansion on boot |
|
|
LINA show tech-support fails to generate as part of sf_troubleshoot.pl (Troubleshoot file) |
|
|
Firepower WCCP router-id changes randomly when VRFs are configured |
|
|
WM DT - ASA in transparent mode doesn't send equal IPv6 Router Advertisement packets to all nodes |
|
|
A flaw was found in QEMU. The async nature of hot-unplug enables a rac |
|
|
ENH: FMC - Ability to Filter Security Zone in Interface Drop Down Selection |
|
|
ASA traceback under match_partial_keyword during CPU profiling |
|
|
Reload takes forever when reload command is issued on the lina prompt when devices are on HA |
|
|
FMC Primary disk degraded error |
|
|
In SQLite 3.31.1, isAuxiliaryVtabOperator allows attackers to trigger a |
|
|
No error message is given when deleting object referred in new object created in another ticket |
|
|
ASA/FTD HA pair EIGRP routes getting flushed after failover |
|
|
ASA/FTD: Traceback and reload on thread name CP Crypto Result Processing |
|
|
Cannot configure Correlation rule because there are no values for GID that exceed 2000 |
|
|
In FPR4200/FPR3100-cluster observed core file ?core.lina? observed on device reboot. |
|
|
Disconnecting RA VPN users from the FMC gui fails. |
|
|
Backup restore: silent failure when the device managed locally |
|
|
FTD: Internal certificate generation results to certificate and private key mismatch |
|
|
Need ability to configure SSH public key auth without using root shell |
|
|
FMC plain-text passwords for radius server and certificate passphrase |
|
|
FTD: Traceback in threadname cli_xml_request_process |
|
|
crypto_archive file generated after the software upgrade. |
|
|
Random FTD snort3 traceback |
|
|
Last Rule hit shows a hex value ahead of current time in ASA and ASDM |
|
|
An issue was discovered in drivers/net/ethernet/intel/igb/igb_main.c i |
|
|
Init process spikes to 100% CPU usage after a failed backup |
|
|
Unexpected traceback on thread name Lina and device experienced reboot |
|
|
GTP connections, under certain circumstances do not get cleared on issuing clear conn. |
|
|
Datapath hogs causing clustering units to get kicked out of the cluster |
|
|
Management DNS Servers may be unreacheable if data interface is used as the gateway |
|
|
syslog not generated "ASA-3-202010: NAT pool exhausted" while passing traffic from iLinux to oLinux |
|
|
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-34-17852' |
|
|
Event search with URL object ${example} is displaying no results |
|
|
FTD VMWare tracebacks at PTHREAD-3587 |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
Connection drops during file transfers due to HeartBeat failures |
|
|
Thirty-day automatic upgrade revert-info deletion is not resilient to communication failures |
|
|
FMC clean_revert_backup script fails silently without creating any logs |
|
|
FTD sends multiple replicated NetFlow records for the same flow event |
|
|
SSX Eventing continues to go to old tenant upon FTD migration to CDO. |
|
|
FTD 1120 standby sudden reboot |
|
|
SNMP Unresponsive when snmp-server host specified |
|
|
Traceback on FP2140 without any trigger point. |
|
|
Daily Change Reconciliation Report Randomly Generating Reports with the same time periods |
|
|
FTD upgrade failling on script 999_finish/999_zz_install_bundle.sh |
|
|
Certificate Encoding Issue when using AnyConnect cert Authentication/Authorisation |
|
|
ASA/FTD traceback and reload on thread DATAPATH |
|
|
FMC backup fails with "Registration Blocking" failure caused by DCCSM issues |
|
|
FTD OSPFV3 IPV6 Routing: FTD is sending unsupported extended LSA request to neighbor routers |
|
|
HTTP/2 Rapid Reset Attack Affecting Cisco Products: October 2023 - Golang |
|
|
ASA cluster traceback Thread Name: DATAPATH-8-17824 |
|
|
Debug messages seen on console on executing show tech-support fprm detail |
|
|
Hardware bypass not working as expected in FP3140 |
|
|
Source of the VTI interface is getting empty |
|
|
ASA/FTD - may traceback and reload in Thread Name 'Unicorn Proxy Thread' |
|
|
ASA traceback and reload during ACL configuration modification |
|
|
FMC does not generate email health notifications for Database Integrity Check failures. |
|
|
CP Session Handling for per site auth is inaccurate for Cluster break and join scenarios |
|
|
Error Text is repeated twice for Interface config if pool range is less than Cluster Nodes plus 1 |
|
|
Firewall traceback and reload due to SSH thread |
|
|
FMC-4600: Pre-Filter policy is showing as none |
|
|
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-13-6022' |
|
|
Fail open snort-down is off in inline pairs despite it being enabled and deployed from FMC |
|
|
VPN load-balancing cluster encryption using Phase 2 deprecated ciphers |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' due to a watchdog in 9.16.3.23 code |
|
|
ASA/FTD high memory usage due to SNMP caused by RAVPN OID polling |
|
|
FTD with may traceback in data-path during deployment when enabling TAP mode |
|
|
FailSafe admin password is not properly sync'd with system context enable pw |
|
|
HA CP clients statistics doesn't show actual Tx/Rx and Reliable Tx/Rx |
|
|
Python 3.x through 3.10 has an open redirection vulnerability in lib/h |
|
|
Out-of-bounds Read vulnerability in mod_macro of Apache HTTP Server.Th |
|
|
An issue was discovered in the Linux kernel before 6.5.9, exploitable |
|
|
A use-after-free vulnerability was found in drivers/nvme/target/tcp.c` |
|
|
A heap out-of-bounds write vulnerability in the Linux kernel's Linux K |
|
|
Standby manager addition is failed on Primary FMC due to previous entries in table |
|
|
Stale HA transactions need to be moved to failed and subsequent HA transaction needs to be created |
|
|
Device/port-channel goes down with a core generated for portmanager |
|
|
In FIPS mode, External auth with TLS config enabled, CLI logins are not working (FMC & FTDs) |
|
|
FMC Analysis Vulnerabilities error "Unable to process this query. Please try the query again." |
|
|
ASA : Modifying a route-map in one context affects other contexts |
|
|
ASA SNMP OID cpmCPUTotalPhysicalIndex returning zero values instead of CPU index values |
|
|
Stale asp entry for TCP 443 remains on standby after changing default port |
|
|
User assigned to a read only custom role is not able to view content of intrusion policy for snort2 |
|
|
EIGRP migration failed using 'FlexConfig Policiies' script failed generating database corruption |
|
|
Cisco FXOS Software Link Layer Discovery Protocol Denial of Service Vulnerability |
|
|
Error Fetching Data in Exclude Policy Page when non permanent exclude periods are selected |
|
|
Deployment stuck on FMC when device goes down during deploy and doesn't boot up |
|
|
Alert: Decommission failed, reason: Internal error is not cleared from FCM or CLI after acknowledge |
|
|
file-extracts.logs are not recognised by the diskmanager leading to High disk space |
|
|
cdFMC: Table View of Rule Update Import Log UI is throwing error, unable to check SRU update log |
|
|
PSU fan shows critical in show environment output while operating normally |
|
|
FTD ADI debugs may show incorrect server_group and/or realm_id for SAML-authenticated sessions |
|
|
ASA/FTD: SSL VPN Second Factor Fields Disappear |
|
|
Username-from-certificate secondary attribute is not extracted if the first attribute is missing |
|
|
ipv6 table flush exception when cli_firstboot installs bootstrap configuration multi instance |
|
|
ASA: Snmpwalk shows "No Such Instance" for the OID ceSensorExtThresholdValue |
|
|
After importing AC policy, Realm is not present in UI causing validation error for Azure AD users |
|
|
Unable to SSH into FTD device using External authentication with Radius |
|
|
tls website decryption breaks with ERR_HTTP2_PROTOCOL_ERROR |
|
|
FTD Upgrade logs should contain the certificate name or files |
|
|
TLS1.3: core decode points to tls_trk_try_switch_to_bypass_aux() |
|
|
use kill tree function in SMA instead of SIGTERM |
|
|
Detailed logging related to reason behind sub-interfce admin state change during operations |
|
|
ASA/FTD traceback and reload due to file descriptor limit being exceeded |
|
|
Health Monitor Alerts set in Global are not sending alert from devices assigned in leaf domain |
|
|
Hostnames are replaced with IP addresses in alert email content |
|
|
Module name displayed in the alert got changed and it is differ from the one set in FMC |
|
|
FTD HA should not be created partially on FMC |
|
|
FDM deployment failure |
|
|
Policy Apply failed moving from FDM to FMC |
|
|
Hairpinning of DCE/RPC traffic during the suboptimal lookup |
|
|
Deployment fails on new AWS FTDv device with "no username admin" |
|
|
FTD HA Failure after SNORT crash. |
|
|
ASA/FTD: Traceback and reload when running show tech and under High Memory utilization condition |
|
|
Umbrella Profile and others cleared incorrectly when editing group policy in the UI |
|
|
MonetDB startup enhancement to clean up large files |
|
|
Radius traffic not passing after ASA upgrade 9.18.2 and above version. |
|
|
installing GeoDB country code package update to FMC does not automatically push updates to FTDs |
|
|
ASA/FTD may traceback and reload in Thread Name IKEv2 Daemon |
|
|
Deployment fails if Network Discovery policy reference is missing from FMC Database |
|
|
ASA traceback and reload on Thread Name: DATAPATH |
|
|
GTP inspection dropping packets with IE 152 due to header length being invalid for IE type 152 |
|
|
FMC Validation failure for large object range and success for object network in NAT64 |
|
|
low memory/stress causing traceback in SNMP |
|
|
Monetdb having 14GB of unknown BAT data causing "High unmanaged disk usage on /Volume" |
|
|
Snort3 traceback with fqdn traffics |
|
|
ASA/FTD: DNS Load Balancing with SAML does not work with VPN Load Balancing |
|
|
ASA/FTD: Cluster incorrectly generating syslog 202010 for invalid packets destined to PAT IP |
|
|
FTD drops double tagged BPDUs. |
|
|
Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11. |
|
|
FTDv may traceback and reload in Thread Name 'PTHREAD-3744' when changing interface status |
|
|
API:/operational/commands not working as swagger indicate |
|
|
"Update file is corrupted" for "Download Latest Cisco Firepower Geolocation Database Update." in FMC |
|
|
ASA traceback and reload on Thread Name: pix_flash_config_thread |
|
|
Sftunnel DEBUG level not logged on FMC/FTD after running DEBUG script |
|
|
Update logs - SSP object serialization during HA |
|
|
A flaw was found in the 9p passthrough filesystem (9pfs) implementatio |
|
|
Before Go 1.20, the RSA based TLS key exchanges used the math/big libr |
|
|
ASA|FTD Traceback & reload in thread name Datapath |
|
|
Event Searching with Objects and Networks Leads to only showing events matching Objects |
|
|
Threat Defense Service Policy - Reset Connection Upon Timeout not working |
|
|
Their standalone FTD running 7.2.2 on FPR-4112 experienced a traceback on the SNMP module |
|
|
Error while trying to push SNMP configuration using API |
|
|
Snort3 crash with race conditions |
|
|
Filtering the Malware Events table by IP address removes events which should remain in the results. |
|
|
Service object-group protocol type mismatch error seen while access-list referencing already |
|
|
Unable to Synch more then 100 environment-data with data unit |
|
|
SSL protocol settings does not modify the FDM GUI certificate configuration or disable TLSv1.1 |
|
|
Decryption policy page is empty if user that modified/created policy was deleted. |
|
|
413 Request Entity Too Large error due to cookies added by FMC/Amplitude |
|
|
ASA/FTD : Port-channels remain down on Firepower 1010 devices after upgrade |
|
|
7.4 - If policy save in progress deploy might indicate failure for only few devices |
|
|
The "show asp drop" command usage requires better updates for cluster-related drops |
|
|
Interface fragment queue may get stuck at 2/3 of fragment database size |
|
|
Readiness check failed on vFTD during upgrade from 741-172 to 760-1270 |
|
|
Cut-Through Proxy feature spikes CP CPU with a flood of un-authenticated traffic |
|
|
ASA Traceback and reload on Thread Name "fover_parse" on Standby after Failover Group changes |
|
|
Internal error when attempting to configure PBR in FMC |
|
|
HMS process crash - "interface conversion: interface {} is nil, not map[string]interface {}" |
|
|
Blocking SMB traffic with reason "Blocked by the firewall preprocessor" |
|
|
Suppress "End of script output before headers" syslog on FXOS |
|
|
Multiple lina cores on 7.2.6 KP2110 managed by cdFMC |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
High disk usage caused by large write-ahead log in eventdb |
|
|
ZTNA: FMC doesn't accept IdP with local domain |
|
|
A malicious HTTP sender can use chunk extensions to cause a receiver r |
|
|
strongSwan before 5.9.12 has a buffer overflow and possible unauthenti |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
CVE-2023-51385 (Medium Sev) In ssh in OpenSSH before 9.6, OS command injection might occur if a us |
|
|
Debugs failed to be enabled on SSH session |
|
|
The SSH transport protocol with certain OpenSSH extensions, found in ... (CVE-2023-48795) |
|
|
ASA/FTD Traceback and reload related to SSL/DTLS traffic processing |
|
|
SFDataCorrelator timeout thread deadlock detection core on busy FMC |
|
|
Threat Defense Upgrade wizard might incorrectly show clusters/HAs as disabled |
|
|
Null pointer dereference in SNMP that results in traceback and reload |
|
|
ASA/FTD may traceback and reload in Thread Name "appAgent_monitor_nd_thread" & Rip: _lina_assert. |
|
|
MonetDB memory usage grows slowly over time |
|
|
traceback and reload around function HA |
|
|
Correlation policy not work when condition of the rule is "Intrusion Policy" is XXX |
|
|
DHCPv6:ASA traceback on Thread Name: DHCPv6 CLIENT. |
|
|
Lina traceback on RAVPN connection after enabling webvpn debug |
|
|
WARN msg(speed not compatible, suspended) while creating port-channel on Victoria CE |
|
|
The report doesn't include "Default Variables" information after change "Variable Sets" name |
|
|
ASA/FTD may traceback and reload in Thread Name 'webvpn_task' |
|
|
FMC: Packet-tracer showing a "Interface not supported" error for VLAN interfaces |
|
|
Devices might change status to "missing the upgrade package" after Readiness Check is initiated |
|
|
FMC configured DAP rule with Azure IDP SAML attributes does not match |
|
|
Product Upgrades page: Download action creates a lot of "uninitialized value" error messages in log |
|
|
A heap out-of-bounds write vulnerability in the Linux kernel's Perform |
|
|
A use-after-free vulnerability in the Linux kernel's ipv4: igmp compon |
|
|
A vulnerability was found in SQLite SQLite3 up to 3.43.0 and classifie |
|
|
During FMC hardware migration failure encountered due to missing prometheus directories |
|
|
Continuous snmpd restarts observed if SNMP host is configured before the IP is configured |
|
|
ASA/FTD: Memory leak caused by Failover not freeing dnscrypt key cache due to unsyned umbrella flow |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
upgrade of FMC to 7.2.x removes FlexConfig-provided EIGRP authentication from interfaces on FTDs |
|
|
Intermittent Packet Losses When VTI Is Sourced From Loopback |
|
|
Firewall is in App Sync error in pseudo-standby mode and uses IPs from Active unit |
|
|
standard error (stderr) not inserted into restore.log when restoring FMC backups |
|
|
Download failed for Available Upgrade Packages |
|
|
"Stream: TCP normalization error in NO_TIMESTAMP" is seen when SSL Policy decrypt all is used |
|
|
Unable to delete custom DNS Server Group Object post upgrade 7.2.x |
|
|
FTD: Improve or optimize LSP package verification logic to run it faster |
|
|
ASA/FTD traceback and reload in Thread Name: IKEv2 Daemon when moving from active to standby HA |
|
|
Configuring MTU value via CLI does not apply |
|
|
Standby FTD experiencing periodic traceback and reload |
|
|
Memory exhaustion due to absence of freeing up mechanism for tmatch |
|
|
Transparent firewall MAC filter does not capture frames with STP-UplinkFast dst MAC consistently |
|
|
FP2100/FP1000: ASA Smart licenses lost after reload |
|
|
ASDM connection lost issue is observed in ASAv device due to config issue |
|
|
It was discovered that when exec'ing from a non-leader thread, armed P |
|
|
A vulnerability was found in GnuTLS, where a cockpit (which uses gnuTL |
|
|
An out-of-bounds memory write flaw was found in the Linux kernel\u2019s Tra |
|
|
41xx/93xx : Update CiscoSSH (Chassis Manager FXOS) to address CVE-2023-48795 |
|
|
tds-cloud-events.json getting updated from both cdFMCs (ftd migration from 1 tenant to another) |
|
|
FDM deployment fails with error "Some interfaces have been added to or removed from the device" |
|
|
IKEv2 client services is not getting enabled - XML profile is not downloaded |
|
|
FTD/Lina traceback and reload of HA pairs, in data path, after adding NAT policy |
|
|
some ssh sessions not timing out, leading to ssh and console unable to connect to the FXOS CLI |
|
|
FMC: Add logging for PM functions |
|
|
Policy Deployment Fails when removing the Umbrella DNS Policy from Security Intelligence |
|
|
FMC API Call for Network Object Overrides Returns Different Results for Active vs Standby FW |
|
|
Incorrect Timezone Format on FTD When Configured via FXOS |
|
|
Snort stripping packet information and injects its packet with 0 bytes data |
|
|
singlevar in lparser.c in Lua from (including) 5.4.0 up to 5.4.4 |
|
|
An issue in the component luaG_runerror of Lua v5.4.4 and below leads to ... |
|
|
HTTP/HTTPS detection for application needs to fail it's detection earlier |
|
|
ACP page goes blank or error thrown if one of the ACP rules has user created app filter |
|
|
MonetDB Monitor triggers for restarting MonetDB based on WAL size are not effective |
|
|
ASA CLI hangs with 'show run' on multiple SSH |
|
|
Incorrect Variable set in derived policy when derived policy is same as default. |
|
|
Upgrade Failed with error "Upgrade failed because of undeployed changes present on the device" |
|
|
TLS Server Identify: 'show asp table socket' output shows multiple TLS_TRK entries |
|
|
A use-after-free flaw was found in the __ext4_remount in fs/ext4/super |
|
|
External Radius authentication fails post upgrade if radius key includes special characters |
|
|
SFData correlator keep terminating on FTDs configured for IDS |
|
|
Traceback and reload on Primary unit while running debugs over the SSH session |
|
|
Every realm sync indicates an access control policy change |
|
|
Cisco ASA and FTD Software Command Injection Vulnerability |
|
|
FTD/ASA system clock resets to year 2023 |
|
|
Access to website via Clientless SSL VPN Fails |
|
|
ASA SNMP Polling Failure for environmental FXOS DME MIB (.1.3.6.1.4.1.9.9.826.2) |
|
|
Heap-use-after-free in Discovery Filter on Snort shutdown |
|
|
7.2 - Deployment doesn't timeout, runs for hours after LSP install |
|
|
Check metadata cache size when generating retrospective events |
|
|
A flaw was found in the networking subsystem of the Linux kernel withi |
|
|
Linux Kernel nftables Use-After-Free Local Privilege Escalation Vulner |
|
|
A use-after-free vulnerability in the Linux kernel's netfilter: nf_tab |
|
|
"crypto ikev2 limit queue sa_init" resets after reboot |
|
|
FTD: Hostname Missing from Syslog Message |
|
|
FTD SNMP OID 1.3.6.1.4.1.9.9.109.1.1.1.1.7 always returns 0% for SysProc Average |
|
|
SSH/SNMP connections to non-admin contexts fail after software upgrade |
|
|
Chromium-based browsers have SSL connection conflicts when FIPS CC is enabled on the firewall. |
|
|
ASA traceback and reload after configuring capture on nlp_int_tap and deleting context |
|
|
FTD traceback assert in vni_idb_get_mode and reloaded |
|
|
Tomcat restarts in the middle of the LTP flow due to certificate update |
|
|
Cisco ASA and FTD Software Persistent Local Code Execution Vulnerability |
|
|
Policy deployment failure rollback didnt reconfigure the FTD devices |
|
|
FMC: Multiple Email address in Email Alert not working |
|
|
Snort process spamming syslog-ng messages so our on KP platform syslog-ng is being killed |
|
|
Backup failures needs to be displayed with the correct state on GUI |
|
|
ASA Checkheaps traceback while entering same engineID twice |
|
|
Backup generation on FDM fails with the error "Unable to backup Legacy data." |
|
|
pmtool restart of monetdb fails to bring up monetdb, too many files in monetdb Volume directory |
|
|
SFDataCorrelator creates huge numbers of to_import files when MonetDB table partition creation fails |
|
|
FMC : Health Monitor Alert is not properly issued regarding disk usage |
|
|
vFMC25 OCI to vFMC300 OCI migration failed 'Migration from Y to a is not allowed.' |
|
|
In Spoke dual ISP case if ISP2 is down, VTI tunnels related to ISP1 flapping. |
|
|
ASA/FTD may traceback and reload in Thread Name DATAPATH due to GTP Spin Lock Assertion |
|
|
FMC Server Certificate shows Only First 20 Objects |
|
|
ASA upgrade from 9.16 to 9.18 causing change in AAA ldap attribute values by adding extra slash '\' |
|
|
"pmtool restartbyid <invalid id>" should give some indication of error |
|
|
Deployment failure due to exceeding logging event list name size |
|
|
libuv is a multi-platform support library with a focus on asynchronous |
|
|
An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.1 |
|
|
FMC: fireamp generating too many logs |
|
|
FTD: HostScan scanning results not processed in version 7.4.1 |
|
|
cdFMC Multiple health monitor widgets throwing Error while fetching data |
|
|
Upload files through Clientless portal is not working as expected after the ASA upgrade |
|
|
BBManager text based search - lucene |
|
|
User not entitled for packet captures, is still able to open it from the Device Management |
|
|
Unable to remove suppression from snort3 rule once added |
|
|
FP 3100 MTU change on management interface is NOT persistent across reboots (returns to default MTU) |
|
|
In Snort 3 policy editor, selecting a Rule Action of \u201cRule Action\u201d causes UI to spin indefinitely |
|
|
The secondary device reloaded while rebooting the primary device. |
|
|
Cisco ASA and FTD Software Web Services Denial of Service Vulnerability |
|
|
Bailout when lina_io_write fails persistent with EPIPE errno. |
|
|
Never expiring machine user not logged out at various places |
|
|
Policy cache cleanup thread should cleanup any cache that is left open for a logged out session |
|
|
Crypto IPSEC SA Output Showing NO SA ERROR With IPSEC Offload Enabled |
|
|
fpr1k/2k/3k/4200:Need ability to configure SSH public key auth without using root shell |
|
|
FMC: Upgrade fails at "800_post/991_update_scheduled_tasks.pl" |
|
|
SAML: Single sign-on AnyConnect token verification failure is seen after successful authentication |
|
|
Page getting expaned while getting continuous task notifications |
|
|
FP2110: When Leaving On-Box (FDM) Mode Platform API Fails |
|
|
Issues with FMC Deployment preview (Advanced Preview) |
|
|
PM restart needs to be blocked or warned the user that it may go for reboot |
|
|
FMC - Inheritance Settings Select Base Policy Menu disappears while scrolling using Light or Dusk UI |
|
|
In Object page able to delete and create system provided object |
|
|
Object optimisation gets disabled on FMC if next deployment is after two hours |
|
|
FTD - Trace back and reload due to NAT involving fqdn objects |
|
|
ASA: Warning messages not displayed when Static interface NAT are configured |
|
|
FTDv reloads and generate backtrace after push EIGRP config |
|
|
FTD with Interface object optimization enabled is blocking traffic after renaming of zone names |
|
|
Active unit goes to disabled state when there is a mismatch in firewall mode |
|
|
Lina traceback and reload due to mps_hash_memory pointing to null hash table |
|
|
After upgrading the ASA, \u201cSlot 1: ATA Compact Flash memory\u201d shows a ditterent value |
|
|
extra file check is not reporting with pmtool SecureLSP lsp-rel-xxx command |
|
|
LSP Deployment fails in multi instance FP 41xx / 93xx |
|
|
Rabbitmq queues on FMC vHost may not be cleaned up after element removal |
|
|
CCM ID 68 - LTS21 - CISCO_LTS21_R2160 release branch |
|
|
FTD/ASA : CSR generation with comma between \u201cCompany Name\u201d attribute does not work expected |
|
|
FMC shows a non-User-Friendly Error during a Policy Deployment failure due to snapshot failure |
|
|
Rest API '/devices/devicerecords' is returning mismatch of values for (RA VPN) policy object id |
|
|
Identity Mapping Filter field gets updated with newly created network objects. |
|
|
Lina contains outdated libexpat source code |
|
|
Snort3: SQL traffic failure after upgrade due to large invalid sequence numbers and invalid ACKs |
|
|
Health Policy Configuration - Unable to remove device from the policy |
|
|
SFDataCorrelator memory leak after unregistering an active device |
|
|
3140 3 MI instances upgrade failed |
|
|
Addition of debugs & a show command to capture the ID usage in the CTS SXP flow. |
|
|
TLS Secure Client sessions cannot be established on ASA 9.19 and 9.20 |
|
|
Clientless VPN users are unable to reach pages with HTTP Basic Authentication |
|
|
ASA/FTD may traceback and reload while handling DTLS traffic |
|
|
Snort3 event PCAPs contain only header data when decrypting HTTP/2 |
|
|
IKEv2 tunnels flap due to fragmentation and throttling caused by multiple ciphers/proposal |
|
|
ASA/FTD Cluster memory exhaustion caused by NAT process during release of port blocks allocations |
|
|
Command to show counters for access-policy filtered with a source IP address gives incorrect result |
|
|
Multiple context interfaces fail to pass traffic |
|
|
rsync is not happening to standby unit when perform oob changes in active unit. |
|
|
ASA traceback with thread name SSH |
|
|
High latency observed on FPR3120 |
|
|
SFDataCorrelator memory growth when pruning a huge number of old service identities |
|
|
Unable to approve ticket due to monitored int in HA and getting Error to contact Cisco Support. |
|
|
FMC 7.3 Deployment failed due to OOM in PBR Configuration |
|
|
Backups fail on multi-instance with error "Backup died unexpectedly" |
|
|
Additional memory tracking in SFDataCorrelator |
|
|
ASA/FTD may traceback in Threadname: **CTM KC FPGA stats handler** |
|
|
FTD-HA creation is failing because FMC takes longer time to save overrides. |
|
|
FTD-HA upgrade fails to start - Configuration is out of sync between active and standby |
|
|
CCM ID LTS21-100 with RCPL21 update |
|
|
SNMP poll for some OIDs may cause CPU hogs and high latency can be observed for ICMP packets |
|
|
when set the route-map in route RIP on FTD, routes update is not working after FTD reload |
|
|
Stale Health Alerts seen on the UMS after model migration |
|
|
ASA traceback and reload when accessing file system from ASDM |
|
|
SFDataCorrelator high memory usage when restart with large network map hosts |
|
|
4200s have high UDP latency at low packet rates. |
|
|
Crypto IPSEC Negotiation Failing At "Failed to compute a hash value" |
|
|
SSE connection events, FirewallRuleList field is not sent in proper format |
|
|
All IPV6 BGP routes configured in device flapping |
|
|
Snort creating too many snort-unified log files when frequent policy deploys |
|
|
Large write-ahead log may leave monetdb in disabled state |
|
|
FMC backup remote server copy to Solar Winds remote server failing after upgrading to 7.x versions. |
|
|
Radius secret key of over 14 characters for external authentication does not get deployed (FPR3100) |
|
|
ASA/FTD: A delay in an async crypto command induces a traceback and subsequently a reload. |
|
|
FPR3K loses connectivity to FMC via mgmt data interface on reboot of FPR3K |
|
|
FDM1010E 7.4.1 unable to register to SA, getting "Invalid entitlement tag" |
|
|
False positive ISE bulk download alert error seen on FMC |
|
|
FMC REST API not sending 'deploymentStatus' Attribute |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' due to SCP/SSH process |
|
|
FMC only accepts a maximum of 30 characters for shared secret key when connecting to RADIUS server |
|
|
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-1-16803' |
|
|
Error message spammed to console on Firepower 2100 devices while enabling SSH config |
|
|
Snort3: MSSQL query traffic corrupted by stream_tcp overlap handling causing SQL HY000 |
|
|
OGO changing the order of custom object group contents causing an outage at static NAT |
|
|
Snort3 crashes due to processing pdf tokenizer with no limits. |
|
|
cdFMC : Support for new regions in Aus and India |
|
|
Autodeployment failing on cdFMC v20240307 when onboarding a 1010 v7.2.5 |
|
|
New User activity page does not load because the VPN bytes in and out are long. |
|
|
Console Access Stuck for ASAv hosted in CSP after Upgrade to 9.18.3.56 |
|
|
FTD/ASA-HA configs not in sync as the command sync process is sending configs with special chars |
|
|
Default Hashing Algorithm is SHA1 for Firepower Chassis Manager Certificate on 4110 |
|
|
Snort dropping connections with reason blocked or blacklisted by the firewall preprocessor |
|
|
ASA - Bookmarks on the WebVPN portal are unreachable after successful login. |
|
|
ASA may traceback and reload in Thread Name 'DATAPATH-21-16432' |
|
|
SNMP OID for CPUTotal1min omits snort cpu cores entries when polled |
|
|
FTD LINA Traceback and Reload idfw_proc Thread |
|
|
Deployment fails on FTD HA while doing LINA ONLY DEPLOYMENT |
|
|
eStreamer memory leak when the FMC receives events from CDO-managed FTDs |
|
|
Access rule getting pushed with "deny tcp any any" on snort |
|
|
IP-SGT mappings on Lina-side are not being removed, when FMC pxGrid connection is disabled |
|
|
ASA/FTD may traceback and reload in Thread Name 'sdi_work' |
|
|
FPR might drop TLS1.3 connections when hybridized kyber cipher is enabled in web browser |
|
|
High LINA CPU observed due to NetFlow configuration |
|
|
net-snmp provides various tools relating to the Simple Network Managem |
|
|
net-snmp provides various tools relating to the Simple Network Managem |
|
|
net-snmp provides various tools relating to the Simple Network Managem |
|
|
net-snmp provides various tools relating to the Simple Network Managem |
|
|
net-snmp provides various tools relating to the Simple Network Managem |
|
|
net-snmp provides various tools relating to the Simple Network Managem |
|
|
HTTP Response splitting in multiple modules in Apache HTTP Server allows |
|
|
FTD HA: Traceback and reload in netsnmp_oid_compare_ll |
|
|
RAVPN: Failure to create SGT-IP mapping due to ID table exhaustion |
|
|
ASA after upgrade to 9.18.4.24 not able to save config with error: "Configuration line too long" |
|
|
Browser redirects to logon page when the user clicks the WebVPN bookmark |
|
|
FMC got deregistered from Smart License after upgrade |
|
|
Captive portal returns bad request for snort 2 for FMC 7.4.x , FTD version < 7.4 |
|
|
ASA/FTD may traceback and reload in Thread Name PTHREAD |
|
|
ASA CLI hangs with 'show run' with multiple ssh sessions |
|
|
"set ip next-hop" line deleted from config at reload if IP address is ma |
|
|
Clock skew between FXOS and Lina causes SAML assertion processing failure |
|
|
command to print the debug menu setting of service worker |
|
|
LSP downloads are not using the Web proxy, when configured. |
|
|
TCP Session Interrupted if Keep-Alive with 1 Byte is Received |
|
|
TLS Client Hello packet is dropped by snort |
|
|
cdFMC Fails to configure-geneve-encapsulation on interface |
|
|
Address SSP OpenSSH regreSSHion vulnerability |
|
|
Evaluation of ssp for OpenSSH regreSSHion vulnerability |
|
|
It was discovered that a nft object or expression could reference a nf |
|
|
An out-of-bounds access vulnerability involving netfilter was reported |
Resolved Bugs in Version 7.4.1.1
Table last updated: 2024-04-24
|
Bug ID |
Headline |
|---|---|
|
HA CP clients statistics doesn't show actual Tx/Rx and Reliable Tx/Rx |
|
|
Readiness check failed on vFTD during upgrade from 741-172 to 760-1270 |
|
|
Blocking SMB traffic with reason "Blocked by the firewall preprocessor" |
|
|
Intermittent Packet Losses When VTI Is Sourced From Loopback |
|
|
Cisco ASA and FTD Software Command Injection Vulnerability |
|
|
Cisco ASA and FTD Software Persistent Local Code Execution Vulnerability |
|
|
Cisco ASA and FTD Software Web Services Denial of Service Vulnerability |
|
|
SAML: Single sign-on AnyConnect token verification failure is seen after successful authentication |
Resolved Bugs in Version 7.4.1
Table last updated: 2025-02-25
|
Bug ID |
Headline |
|---|---|
|
FMC should monitor only named interfaces on FTD |
|
|
FMC: critical processes can not boot up including vmsDBEngine |
|
|
ASA concatenates syslog event to other syslog event while sending to the syslog server |
|
|
Cores generated due to expected/graceful shutdown need to be cleaned up |
|
|
FMC fails to connect to SSM with error "Failed to send the message to the server" |
|
|
SNMPv3: Special characters used in FXOS SNMPv3 configuration causes authentication errors |
|
|
deployment failing with - Unable to load container |
|
|
BGP table not removing connected route when interface goes down |
|
|
IPTables.conf file is disappearing resulting in backup and restore failure. |
|
|
ERROR: Deleted IDB found in in-use queue - message misleading |
|
|
In some cases transition to lightweight proxy doesn't work for Do Not Decrypt flows |
|
|
ASA traceback and reload while allocating a new block for cluster keepalive packet |
|
|
FMC is pushing SLA monitor commands in an incorrect order causing deployment failure. |
|
|
"Number of interfaces on Active and Standby are not consistent" should trigger warning syslog |
|
|
Standby unit failed to join failover due to large config size. |
|
|
FTD with Inline TAP re-writes frame with wrong MAC Address leading to connectivity problems. |
|
|
LINA observed traceback on thread name "snmp_client_callback_thread" |
|
|
Unable to push extra domains >1024 Character, as part of Custom Attribute under Anyconnect VPN |
|
|
user-name from certificate feature does not work with SER option |
|
|
SNMPv3 polling may fail using privacy algorithms AES192/AES256 |
|
|
Disable NLP rules installation workaround after mgmt-access into NLP is enabled |
|
|
ENH: Support for snapshots of RX queues on InternalData interfaces when "Blocks free curr" goes low |
|
|
ASA Failover does not detect context mismatch before declaring joining node as "Standby ready" |
|
|
"SFDataCorrelator:Parser [ERROR] Syntax error" on FTD device |
|
|
ISA3000 in boot loop after powercycle |
|
|
ENH: Reduce latency in log_handler_file to reduce watchdog under scale or stress |
|
|
ASA/FTD: DF bit is being set on packets routed into VTI |
|
|
Unable to identify dynamic rate liming mechanism & not following msg limit per/sec at syslog server. |
|
|
When inbound packet contains SGT header, FPR2100 cannot distribute properly per 5 tuple |
|
|
[TPK 3105] Management through data interface not working |
|
|
FTD: IKEv2 tunnels flaps every 24 hours and crypto archives are generated |
|
|
ASA/FTD Traceback and reload caused by Smart Call Home process sch_dispatch_to_url |
|
|
snort3 crashinfo sometimes fails to collect all frames |
|
|
ASAv - 9344 Block not created automatically after enabling JumboFrames, breaks OSPF MD5 |
|
|
FW traceback in timer infra / netflow timer |
|
|
PBR not working on ASA routed mode with zone-members |
|
|
FMC GUI not displaying correct count of unused network objects |
|
|
RIP is advertising all connected Anyconnect users and not matching route-map for redistribution |
|
|
ASA/FTD traceback and reload due to the initiated capture from FMC |
|
|
Lina traceback and reload during EIGRP route update processing. |
|
|
ASA Traceback & reload in thread name: Datapath |
|
|
ASA/FTD traceback and reload on NAT related function nat_policy_find_location |
|
|
Network Object not visible after Flex migration and unable to save interface change in EIGRP->Setup |
|
|
We can't monitor the interface via "snmpwalk" once interface is removed from context. |
|
|
ASA/FTD failover pair traceback and reload due to connection replication race condition |
|
|
ASA graceful shut down when applying ACL's with forward reference feature and FIPS enabled. |
|
|
Unable to apply SSH settings to ASA version 9.16 or later |
|
|
cache and dump last 20 rmu request response packets in case failures/delays while reading registers |
|
|
Snort down due to missing lua files because of disabled application detectors (PM side) |
|
|
ASA/FTD may traceback and reload in Thread Name 'ssh' |
|
|
ASA/FTD may traceback and reload in Thread Name 'None' |
|
|
Interface internal data0/0 is up/up from cli but up/down from SNMP polling |
|
|
No-buffer drops on Internal Data interfaces despite little evidence of CPU hog |
|
|
ASA/FTD on FP1000 may reload during very heavy AnyConnect SSL VPN tunnel establishment |
|
|
AnyConnect SAML - Client Certificate Prompt incorrectly appears within External Browser |
|
|
Standby ASA goes to booting loop during configuration replication after upgrade to 9.16(3). |
|
|
User without password prompted to change password when logged in from SSH Client |
|
|
ASA/FTD may traceback and reload in Thread Name 'ci/console' |
|
|
FTDv Cluster unit not re-joining cluster with error msg "Failed to open NLP SSL listening socket" |
|
|
Temporary HA split-brain following upgrade or device reboot |
|
|
ASA/FTD - Traceback in Thread Name: appAgent_subscribe_nd_thread |
|
|
FTD: SNMP failures after upgrade to 7.0.2 |
|
|
ASA tracebacks after SFR was upgraded to 6.7.0.3 |
|
|
ASA traceback and reload when modifying DNS inspection policy via CSM or CLI |
|
|
Digitally signed ASDM image verification error on FPR3100 platforms |
|
|
FTD/ASA traceback and reload at at ../inspect/proxy.h:439 |
|
|
ASA - Restore not remove the new configuration for an interface setup after backup |
|
|
FMC M6 4700 10/25G - IP reachability Failed |
|
|
"show nat pool cluster" commands run within EEM scripts lead to traceback and reload |
|
|
ASA/FTD Voltage information is missing in the command "show environment" |
|
|
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-20-7695' |
|
|
ASA/FTD can not parse UPN from SAN field of user's certificate |
|
|
AC SSLVPN with Certificate Authentication and DAP failure if client's machine cert has empty subject |
|
|
ASA/FTD traceback and reload on Thread id: 1637 |
|
|
ASA/FTD Traceback and Reload in Thread name Lina or Datatath |
|
|
Traceback and Reload while HA sync after upgrading and reloading. |
|
|
9344 Block leak due to fragmented GRE traffic over inline-set interface inner-flow processing |
|
|
MI hangs and not repsonding when FTD container instance is reloaded |
|
|
ASA Traceback and Reload on process name Lina |
|
|
Incorrect IF-MIB response when failover is configured on multiple contexts |
|
|
ASA: SLA debugs not showing up on VTY sessions |
|
|
NAT64 translates all IPv6 Address to 0.0.0.0/0 when object subnet 0.0.0.0 0.0.0.0 is used |
|
|
Snort leaking file descriptors with each u2 file created |
|
|
ASA traceback and reload due to "Heap memory corrupted at slib_malloc.c |
|
|
SSL AnyConnect access blocked after upgrade |
|
|
Lina Netflow sending permited events to Stealthwatch but they are block by snort afterwards |
|
|
ASA : HTTPS traffic authentication issue with Cut-through Proxy enabled |
|
|
FTD - Traceback and reload when performing IPv4 <> IPv6 NAT translations |
|
|
ASA/FTD may traceback and reload in Thread Name: fover_health_monitoring_thread |
|
|
ASA/FTD: GTP inspection causing 9344 sized blocks leak |
|
|
ASA HA - Restore in primary not remove new interface configuration done after backup |
|
|
ASA/FTD traceback and reload when ssh using username with nopassword keyword |
|
|
Inbound IPSEC SA stuck inactive - many inbound SPIs for one outbound SPI in "show crypto ipsec sa" |
|
|
SFDataCorrelator error: Table 'cfgdb.user_ioc_state' doesn't exist |
|
|
ASA/FTD 2100 platform traceback and reload when fragments are coalesced and sent to PDTS |
|
|
FTD - Traceback and reload on NAT IPv4<>IPv6 for UDP flow redirected over CCL link |
|
|
MPLS tagging removed by FTD |
|
|
FXOS-based Firepower platform showing 'no buffer' drops despite high values for RX ring watermarks |
|
|
ASA/FTD Cluster Split Brain due to NAT with "any" and Global IP/range matching broadcast IP |
|
|
ASA parser accepts incomplete network statement under OSPF process and is present in show run |
|
|
syslog related to failover is not outputted in FPR2140 |
|
|
IKEv2 rekey - Responding Invalid SPI for the new SPI received right after Create_Child_SA response |
|
|
ASA fails to rekey with IPSEC ERROR: Failed to allocate an outbound hardware context |
|
|
ASA/FTD OSPFv3 does not generate messages Type 8 LSA for IPv6 |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
vti hub with NAT-T enabled pinholes connections are looping and causing snort busy drops |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina_inotify_file_monitor_thread' |
|
|
FTD/ASA "Write Standby" enables ECDSA ciphers causing AC SSLv3 handshake failure |
|
|
ASA/FTD Traceback and reload on function "snp_cluster_trans_allocb" |
|
|
TACACS Accounting includes an incorrect IPv6 address of the client |
|
|
Call home configuration on standby device is lost after reload |
|
|
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-11-32591' |
|
|
FTD - Traceback in Thread Name: DATAPATH |
|
|
FTD may traceback and reload in Thread Name 'DATAPATH-0-4948' |
|
|
CGroups errors in ASA syslog after startup |
|
|
ASA/FTD may traceback and reload during ACL changes linked to PBR config |
|
|
During the deployment time, device got stuck processing the config request. |
|
|
"inspect snmp" config difference between active and standby |
|
|
ASA/FTD traceback and reload caused by SNMP process failure |
|
|
Traffic on data unit gets dropped with "LU allocate xlate failed" on GCP cluster with interface NAT |
|
|
Unable to configure 'match ip address' under route-map when using object-group in access list |
|
|
FTD Traceback and reload when applying long commands from FMC UI or CLISH |
|
|
ASA/FTD Traceback and reload in Threadname: IKE Daemon |
|
|
Valid DNS requests are being dropped by Lina DNS inspection when Umbrella DNS is configured |
|
|
ASA traceback and reload due to null pointer in Umbrella after modifying DNS inspection policy |
|
|
ASA 9.12(4)47 with user-statistics, will affects the "policy-server xxxx global" visibility. |
|
|
dvti hub core at ctm_sw_ipsec_cleanup_frags+394 |
|
|
Using write standby in a user context leaves secondary firewall license status in an invalid state |
|
|
Unable to establish DTLSv1.2 with FIPS enabled after upgrade from 6.6.5. |
|
|
ASA/FTD memory leak and tracebacks due to ctm_n5 resets |
|
|
Lina Traceback and reload when issuing 'debug menu fxos_parser 4' |
|
|
ESP rule missing in vpn-context may cause IPSec traffic drop |
|
|
traceback and reload due to tcp intercept stat in thread unicorn |
|
|
ISA3000 LACP channel member SFP port suspended after reload |
|
|
ASA/FTD may traceback and reload when clearing the configration due to "snp_clear_acl_log_flow_all" |
|
|
ifAdminStatus output is abnormal via snmp polling |
|
|
logging/syslog is impacted by SNMP traps and logging history |
|
|
FTD Traceback and reload |
|
|
ASA Custom login page is not working through webvpn after an upgrade |
|
|
Snort3 unexpectedly dropping packets after 4MB when using file inspection with detection mode NAP |
|
|
User/group download may fail if a different realm is changed and saved |
|
|
Unable to add on-board and netmod interfaces to the same port-channel on Firepower 3110 |
|
|
FTD traceback on Lina due to syslog component. |
|
|
ASA/FTD Cluster Traceback and Reload during node leave |
|
|
deployment fails for bad config with error unable load so rules |
|
|
25G CU SFPs not working in Brentwood 8x25G netmod |
|
|
cacert.pem on FMC expired and all the devices showing as disabled. |
|
|
Failover trigger due to Inspection engine in other unit has failed due to disk failure |
|
|
ASA might generate traceback in ikev2 process and reload |
|
|
ASA/FTD may traceback and reload in Thread Name 'ikev2_fo_event' |
|
|
ASA/FTD Traceback and Reload in Thread Name: pix_flash_config_thread |
|
|
GTP inspection drops packets for optional IE Header Length being too short |
|
|
ASA/FTD traceback due to block data corruption |
|
|
ASA/FTD: NAT configuration deployment failure |
|
|
ASA: Unable to connect AnyConnect Cert based Auth with "periodic-authentication certificate" enabled |
|
|
ASA/FTD High CPU in SNMP Notify Thread |
|
|
FTD in HA traceback multiple times after adding a BGP neighbour with prefix list. |
|
|
ISE Connection Monitor shows inaccurate alert status |
|
|
ASA/FTD SNMP traps enqueued when no SNMP trap server configured |
|
|
ASA/FTD Transactional Commit may result in mismatched rules and traffic loss |
|
|
Device should not move to Active state once Reboot is triggered |
|
|
No nameif during traffic causes the device traceback, lina core is generated. |
|
|
Lina traceback and reload - VPN parent channel (SAL) has an invalid underlying channel |
|
|
ASAv show crashinfo printing in loop continuously |
|
|
Management access over VPN not working when custom NAT is configured |
|
|
Cluster registration is failing because DATA_NODE isn't joining the cluster |
|
|
3130 HA assert: mh->mh_mem_pool > MEMPOOL_UNDEFINED && mh->mh_mem_pool < MEMPOOL_MAX_TYPE |
|
|
FTD: Traceback & reload in process name lina |
|
|
ASA/FTD: Command "no snmp-server enable oid mempool" enabled by default or enforced during upgrades |
|
|
Syslog 106016 is not rate-limited by default |
|
|
Serviceability Enhancement - Unable to parse payload are silently drop by ASA/FTD |
|
|
ASA traceback and reload due to DNS inspection |
|
|
PIM register packets are not sent to Rendezvous Point (RP) due to PIM tunnel interface down state |
|
|
Blade remains online for more than 600 secs after deleting Native logical device on 92.14.0 |
|
|
FMC: Script to change hostname/IP on FTD's when FMC's Ip/hostname is changed |
|
|
New AC Policy UI: ACP rule list takes a long time to load in case of large rule set |
|
|
256 / 1550 Block leak with TLS1.3 session |
|
|
Not able to ping Virtual IP of FTDv cluster |
|
|
FP2100: FXOS side changes for HA is not resilient to unexpected lacp process termination issue |
|
|
Deployment failure while configuring port-channels |
|
|
Multiple messages in a single packet are not handled correctly |
|
|
vFTD Platforms not tracking CPU/Memory metrics for Health Monitoring |
|
|
Saving capture with special characters fails to download - Error Timed out |
|
|
Cisco Firepower Management Center Object Group Access Control List Bypass Vulnerability |
|
|
FDM FPR2k Netmork module interfaces are greyed out post 7.1.0 update |
|
|
QEMU KVM console got stuck in "Booting the kernel" page |
|
|
internal.cloudapp.net_snort3 core file is generated on DST setup |
|
|
Fix Bootup Warning: Counter ID 'TLS13_DOWNSTREAM_CLIENT_CERTIFICATE_VERIFY' is too long |
|
|
Device API healthStatus for cluster devices not aligned with health status on device listing |
|
|
Snort3 stream core found init_tcp_packet_analysis |
|
|
Stratix5950 and ISA3000 LACP channel member SFP port suspended after reload |
|
|
Traffic fails in Azure ASAv Clustering after "timeout conn" seconds |
|
|
ASA: After upgrade cannot connect via ssh to interface |
|
|
Unable to register new devices to buildout FMC 2700 (FMC HA Active) |
|
|
ASA/FTD may traceback and reload after a reload with DHCPv6 configured |
|
|
FTD HA upgrade fails due to one unit starting upgrade before the other rejoins HA pair |
|
|
Identity network filter not removed from FTD |
|
|
Internal Error while editing PPPoE configurations |
|
|
Nodes randomly fail to join cluster due to internal clustering error |
|
|
FTD: HA crash and interfaces down on FPR4200 |
|
|
Secondary state flips between Ready & Failed when node is rebooted and mgmt interface is shutdown |
|
|
multimode-tmatch_df_hijack_walk traceback observed during shut/unshut on FO connected switch interfa |
|
|
IKEv2 Multi-DVTI Hub Support FTD/ASA |
|
|
Search is slow and semantic based searches are not working in new ACP UI |
|
|
Application management interface may be down causing management connectivity failures |
|
|
FMC-HA Sync loss for more then hr due to MariaDB replication is not in good state and recovered |
|
|
Configuring HTTP-proxy on active in a HA setup from UI does not replicate to standby in FDM |
|
|
Defunct mojo process in device listing page |
|
|
Azure FMC not accessible after upgrading from 7.3.0 to 7.4.0 |
|
|
Write wrapper around "kill" command to log who is calling it |
|
|
8x10Gb netmod fails to come online |
|
|
ASA/FTD - SNMP related memory leak behavior when snmp-server is not configured |
|
|
Azure D5v2 FTDv unable to send traffic - underruns and deplete DPDK buffers observed |
|
|
FTD registration failure due to empty channelStrings and missing HA_STATE file |
|
|
FPR 4115- primary unit lost all HA config after ftd HA upgrade |
|
|
Traffic drops with huge rule evaluation on snort |
|
|
dvti memory leak on mp_counter_alloc |
|
|
ASA/FTD may traceback and reload in Thread Name 'ci/console' when checking Geneve capture |
|
|
FTD: The upgrade was unsuccessful because the httpd process was not running |
|
|
Snort2 ENH: Use a common pattern matcher list for CN and SNI patterns in apps |
|
|
DBCheck error is unclear when monetdb is in a 'crashed' state |
|
|
The interface is deleted from interface group if the user change the name of it [API] |
|
|
Intrusion user not able to change intrusion action and File Policy |
|
|
v1_message* and abp* files & sxp bookmark are not cleaned in user_enforcement on device registration |
|
|
Unable to create MI HA after changing resource profile |
|
|
FMC search error: "Error Loading Data Search Service Please Try Again." |
|
|
EventHandler warnings if syslog facility is CONSOLE |
|
|
FTD may not reboot as expect post upgrade if bundled FXOS version is the same on old and new version |
|
|
Deleting a BVI in FTD interfaces is causing packet drops in other BVIs |
|
|
FMC: Domain creation fails with error "Index 'netmap_num' for table 'domain_control_info'" |
|
|
FMC: GEOLOCATION size is causing upgrade failures |
|
|
FTD upgrade from 7.0 to 7.2.x and traceback/reload due to management-access enabled |
|
|
FDM: Cannot create multiple RA-VPN profiles with different SAML servers that have the same SAML IDP\u2028 |
|
|
Protocol Down with lower CPU instances on ESXi 8 for ASAv and FTDv |
|
|
Umbrella DNS Policy Doesn't honor Multiple URLs entered into the Bypass Domain Field |
|
|
Memory leak in the MessageService |
|
|
Readiness Check Failed [ERROR] Fatal error: Enterprise Object integrity check failed with errors |
|
|
ASA/FTD: Revision of cluster event message "Health check detected that control left cluster" |
|
|
Create Identity Services Engine via API returns 404 Client Error: Not Found |
|
|
Upgrade readiness failed in WM FDM @009_check_snort_preproc.sh but upgrade to 7.3.1-19 passed |
|
|
Cluster hardening fixes |
|
|
KP Generating invalid core files which cannot be decoded 7.2.4-64 |
|
|
show xlate does not display xlate entries for internal interfaces (nlp_int_tap) after enabling ssh. |
|
|
FTD HA app-sync failure, due to corruption in cache files. |
|
|
add syslog ids the range 805003 ? 852002 for rate limit under fmc |
|
|
validation check on FMC GUI causing issue and throwing error when adding new NAT objects |
|
|
Connections not replicated to Standby FTD |
|
|
FTD Crash in Thead Name: CP Processing |
|
|
SNMPv3 polling may fail using privacy algorithms AES192/AES256 |
|
|
Cannot Force Break FTD HA Pair |
|
|
User Group Download fetches less data than available or fails with "Size limit exceeded" error |
|
|
FMC device search page removes FTD from the groups and put them back to ungrouped |
|
|
All the matching network object groups are not listed if the network objects are filtered by name |
|
|
FMCv on KVM does not recognize the platform/model correctly |
|
|
PortChannel sub-interfaces configured as data/data-sharing, in multi-instance HA go into "waiting" |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
asa_snmp.log is not rotated, resulting in large file size |
|
|
FMC/FTD Dynamic VPN. Possibility to choose default preshared key from the dropdown list. |
|
|
FTD: 10Gbps/full interfaces changed to 1Gbps/Auto after upgrade and going to down state |
|
|
Change color codes to represent processes in 'Waiting' state |
|
|
ASA/FTD: Traceback and reload due to high rate of SCTP traffic |
|
|
FMC UI response is very slow: Add health module monitoring FMC ntpd server(s) accessibility |
|
|
FTD readiness and upgrade passed with exception log as ProgressReport' has no attribute 'KB_UNIT' |
|
|
Unable to Access FMC GUI when using Certificate Authentication |
|
|
Phase 2 NAP delay seen in 7.0.1 while deploying policy |
|
|
KP - multimode: ASA traceback observed during HA node break and rejoin. |
|
|
FDM Deployment failure after VDB and SRU upgrade |
|
|
Connection events incorrectly show OVERSUBSCRIPTION flow message for passive interface traffic |
|
|
Health monitoring cores due to health alerts with more than 8 fields |
|
|
Cisco ASA & FTD SAML Authentication Bypass Vulnerability |
|
|
Platform Settings allowed Syslog to add TCP protocol with 514 port |
|
|
Observed ASA traceback and reload when performing hitless upgrade while VPN traffic running |
|
|
Snort3 cores seen in certain conditions with traffic |
|
|
ASAConfig multiple restarts are leaking 16K memory in every Restart leading to ZMQ Out Of Memory. |
|
|
Selective policy deploy with Identity Policy (captive-portal) and SSL Policy (dp-tcp-proxy) CLI |
|
|
snort3 - missing necessary counters for RNA statistics |
|
|
RRD files cannot be updated if the timestamp is ahead of time as a result of a system clock drift |
|
|
EventHandler occasional corrupt bundle record - SFDataCorrelator logs "Error deserializing" |
|
|
sfhassd process is not running after Revert from 7.4.0-1755 to 7.3.0-69 |
|
|
portmanager.sh outputing continuous bash warnings to log files |
|
|
3100 unit failed to join the cluster with error "configured object (sys/switch-A/slot-2) not found" |
|
|
FTD running on FP1000 series might drop packets on TLS flows after the "Client Hello" message. |
|
|
Cluster upgrade docs need more info on mixed-version clusters due to upgrade failure/reimage |
|
|
Setting heartbeat timeout to 6sec for Firepower 4100 and 9300 |
|
|
Cisco Firepower Threat Defense Software Encrypted Archive File Policy Bypass Vulnerability |
|
|
FMC Restore of remote backup fails due to no space left on the device |
|
|
If the user navigate to Packet Tracer from Device Mgmt page, the selected device is incorrect |
|
|
TPK 3110 - Firmware version MISMATCH after upgrade to 7.2.4-144 |
|
|
Deployments can cause certain RAVPN users mapping to get removed. |
|
|
Snort down due to missing lua files because of disabled application detectors (VDB side) |
|
|
getting wrong destination zone on traffic causing traffic to match wrong AC rule |
|
|
Very specific "vpn-idle-timeout" values cause continuous SSL session disconnects and reconnects |
|
|
getReadinessStatusTaskList pjb request is very frequent when user in Upgrade sensor list page |
|
|
HA Serviceability Enh: Maintain HA NLP client stats and HA CTL NLP counters for current App-sync |
|
|
ASDM replaces custom policy-map with default map on class inspect options at backup restore. |
|
|
node is leaving TPK cluster due to interface health check failure |
|
|
Firepower hotfixes should not be allowed to install when already installed previously |
|
|
Unable to edit name or inspection mode of intrusion policy |
|
|
DBCheck shouldn't run against MonetDB if user is collecting config backup alone |
|
|
Correlation rule 'Security Intelligence Category' option is missing DNS and URL values |
|
|
MYSQL, or any TCP high traffic, getting blocked by snort3, with snort-block as Drop-reason |
|
|
Network Object Group overrides not visible or be edited from FMC GUI |
|
|
Update Configuration State if sync is skipped |
|
|
Unable to change admin user password after FMC migration if it had LOM access |
|
|
FMC - Import SSL Certificate Pinning from a CSV file may result in a failure to deploy policy on FTD |
|
|
Device list takes longer to load while creating new AC policy |
|
|
High Disk Utilization and Performance issue due to large MariaDB Undo Logs |
|
|
User is not informed of the dependent IPS when policy import fails. |
|
|
KP: Cleanup/Reformat the second (MSP) disk on FTD reinstall |
|
|
Snort3 crash found during cleaning up a CHP object |
|
|
High CPU usage on multiple appliances incorrectly seen on FMC |
|
|
Cisco Adaptive Security Appliance Software and Firepower Threat Defense DoS |
|
|
Traffic may be impacted if TLS Server Identity probe timeout is too long |
|
|
The interface configuration is missing after the FTD upgrade |
|
|
access-list: Cannot mix different types of access lists. |
|
|
Change in syslog message ASA-3-202010 |
|
|
ASAv - High latency is experienced on Azure environment for ICMP ping packets while running snmpwalk |
|
|
FTD: High-Availability unit struck at CD App Sync error due to error ngfwManager restart on peer |
|
|
WINSCP and SFTP detectors do not work as expected |
|
|
ASA/FTD client IP missing from TACACS+ request in SSH authentication |
|
|
Improper load-balancing for traffic on ERSPAN interfaces on FPR 3100/4200 |
|
|
PSEQ (Power-Sequencer) firmware may not be upgraded with bundled FXOS upgrade |
|
|
deployment failure with Error-logging FMC MANAGER_VPN_EVENT_LIST |
|
|
S2S dashboard SVTI tunnel details are missing after upgrade |
|
|
Lina crash in thread name: cli_xml_request_process during FTD cluster upgrade |
|
|
ECMP + NAT for ipsec sessions support request for Firepower. |
|
|
99.20.1.16 lina crash on nat_remove_policy_from_np |
|
|
Traceback and reload on Thread DATAPATH-6-21369 and linked to generation of syslog message ID 202010 |
|
|
Snort3 matches SMTP_RESPONSE_OVERFLOW (IPS rule 124:3) when SMTPS hosts exchange certificates |
|
|
MariaDB Process in FMC should use jemalloc instead of glibc |
|
|
Remove Priority-queue command from FTD|| Priority-queue command causes silent egress packet drops |
|
|
store_*list_history.pl task is created every 5min without getting closed causing FMC slowness. |
|
|
DNS cache entry exhaustion leads to traceback |
|
|
2100 Reload due to internal links going down and NPU disconnection |
|
|
ASA SNMP polling not working and showing "Unable to honour this request now" on show commands |
|
|
ASA traceback and reload on Thread Name: DHCPRA Monitor |
|
|
Unable to delete custom rule group even when excluded from all the ips policies |
|
|
vFTD runs out of memory and goes to failed state |
|
|
ASA Traceback & reload on process name lina due to memory header validation |
|
|
FTD: HA App sync failure due to fover interface flap on standby unit |
|
|
"show route all summary" executed on transparent mode FTD is causing CLISH to become Sluggish. |
|
|
7.0.6 - Lina Crash in RAVPN interface with anomaly traffic in both non-FIPS and FIPS mode |
|
|
Failover: standby unit traceback and reload during modifying access-lists |
|
|
Firepower reloads unexpectedly with a traceback |
|
|
FTD Diskmanager.log is corrupt causing hm_du module to alert false high disk usage |
|
|
FTD taking longer than expected to form OSPF adjacencies after a failover switchover |
|
|
Units get kicked out of the cluster randomly due to HB miss | ASA 9.16.3.220 |
|
|
[IMS_7_4_0] FTD revert fails "The management state validation cannot be done, Cannot revert" |
|
|
vFMC: Scheduled deployment failing |
|
|
Correlation events for Connection Tracker <, <=, = or != rules show data for unrelated connections |
|
|
Snort Crash with SMB inspection traffic |
|
|
Firewall Traceback and reload due to SNMP thread |
|
|
FTD: Traceback and reload during OSPF redistribution process execution |
|
|
FMC not generating FTD S2S VPN alerts when down or idle |
|
|
Add meaningful logs when the maximums system limit rules are hit |
|
|
Dumping of last 20 rmu request response packets failed |
|
|
Health alert for significant difference of record numbers received with bulk download |
|
|
ASA removes the IKEv2 Remote PSK if the Key String ends with a backslash "\" after reload |
|
|
Duplicate FTD cluster has been created when multiple cluster events comes at same time |
|
|
Packet data is still dropped after upgrade |
|
|
False critical high CPU alerts for FTD device system cores running instantaneous high usage |
|
|
ASA: Checkheaps traceback and reload due to Clientless WebVPN |
|
|
azure vftd node traceback while loading multiple network-service objects during ns_reload. |
|
|
after HA break, selected list shows both the devices when 1 device selected for upgrade |
|
|
Critical Alert Smart Agent is not registered with Smart Licensing Cloud |
|
|
Snort3 core in navl seen during traffic flow |
|
|
Excessive logging of ssp-multi-instance-mode messages to /opt/cisco/platform/logs/messages |
|
|
Editing identity nat rule disables "perform route lookup" silently |
|
|
FTD: SNMP not working on management interface |
|
|
Snort2 engine is crashing after enabling TLS Server Identity Discovery feature |
|
|
Snort core while running IP Flow Statistics |
|
|
FMC displays VPN status as unknown even if the status is up if one of the peer is extranet |
|
|
Decrypting engine/ssl connections hang with PKI Interface Error seen |
|
|
WM RM - SFP port status of 9 follows port of state of SFP 10|11|12 |
|
|
When state-link is flapped HA state changed from Standby-ready to Bulk-sync without failover reason |
|
|
FMC pushes the "shutdown" command on the management interface for the logical device |
|
|
FPR 1010 - Switch ports in trunk mode may not pass vlan traffic after power loss or reboot |
|
|
ASA: ISA3000 does not respond to entPhySensorValue OID SNMP polls |
|
|
import of .SFO to FMC failed due to included local/custom rules having a blank rule message field |
|
|
ASA: Traceback and reload on Tread name "fover_FSM_thread" and ha_ntfy_prog_process_timer |
|
|
Cisco Firepower Management Center Software SQL Injection Vulnerability |
|
|
HA secondary unit disabled after reboot - Process Manager failed to secure LSP |
|
|
Deployment blocked due to port object with IP range max limit 131838 in NAT64 |
|
|
ECDSA Self-signed certificate using SHA384 for EC521 |
|
|
ASA|FTD: Traceback & reload due to a free buffer corruption |
|
|
Some Vault secrets including LDAP missing files after upgrade if the Vault token is corrupted |
|
|
FMC: Should not be able to add the same interface to the same ECMP zone |
|
|
FTD Lina traceback Thread Name: DATAPATH due to memory corruption |
|
|
"failover standby config-lock" config is lost after both HA units are reloaded simultaneously |
|
|
OSPFv3 Traffic is Centralized in Transparent Mode |
|
|
FMC: ACP Rule with UDP port 6081 is getting removed after subsequent deployment |
|
|
FTD /ngfw disk space full from Snort3 url db files |
|
|
Radius authentication stopped working after ASAv on AWS upgrade to any higher version than 9.18.2 |
|
|
Port-channel interface speed changes from 10G to 1G after a policy deployment |
|
|
Snort crash in active response |
|
|
ASA Traceback & reload on process name lina due to memory header validation - webvpn side fix |
|
|
ASDM application randomly exits/terminates with an alert message on multi-context setup |
|
|
ASA/FTD HA checkheaps crash where memory buffers are corrupted |
|
|
ASA omits port in host field of HTTP header of OCSP request if non-default port begins with 80 |
|
|
Interface speed mismatch in SNMP response using OID .1.3.6.1.2.1.2.2 |
|
|
ASA traceback on Lina process with FREEB and VPN functions |
|
|
FTDv/AWS - NTP clock offset between Lina and FTD cluster |
|
|
ASA/FTD: Traceback and reload due to NAT change and DVTI in use |
|
|
core-compressor fails due to core filename with white space |
|
|
ASA/FTD traceback and reload when invoking "show webvpn saml idp" CLI command |
|
|
Snort blacklisting traffic during deployment |
|
|
ASA/FTD may traceback and reload in Thread Name "RAND_DRBG_bytes" and CTM function on n5 platforms |
|
|
Encrypted Visibility Engine (EVE) FMC dashboard tab and widgets not renamed after 7.1 > 7.2+ upgrade |
|
|
ASA/FTD may traceback and reload in when changing capture buffer size |
|
|
File sizes larger than 100MB for AnyConnect/Secure Client images cannot be uploaded on FMC |
|
|
FTD events stopped being sent to FMC, EventHandler logs "publishing blocked" |
|
|
FTD 7.0.4 cluster drops Oracle's sqlnet packets due to tcp-not-syn |
|
|
SRU installation gets stuck at 602_log_package.pl script, causing deployment failure |
|
|
Lina crash in snp_fp_tcp_normalizer() when DAQ/Snort sends malformed L3 header |
|
|
Packet drop due to unexpected-packet drop reason if route to destination is missing in egress VRF |
|
|
Incorrect Hit count statistics on ASA Cluster only for Cluster-wide output |
|
|
Site-to-Site VPN tunnel status on FMC shows down even though it is UP from FTD side |
|
|
Include "show env tech" in FXOS FPRM troubleshoot |
|
|
ASA/FTD Cluster: Reuse of TCP Randomized Sequence number on two different conns with same 5 tuple |
|
|
The FMC preview deployment shows a wrong information. |
|
|
741 - HA & AppAgent - Long term solution for avoiding momentary split-brain situations |
|
|
ASA unexpected HA failover due to MIO blade heartbeat failure |
|
|
ASA traceback when re-configuring access-list |
|
|
LILO validation during Readiness Check missing |
|
|
sfdatacorrelator crashing due to table corruption 'rua_event_xxxxx' |
|
|
Snort 3 HTTP Intrusion Prevention System Rule Bypass Vulnerability |
|
|
PAC Key file missing on standby on reload |
|
|
SYSLOG UDP: One of syslog server is not getting the syslog message with userVRF |
|
|
FMC upgrade stuck at 1039_fmc_rabbitmq_enable |
|
|
'Frequent drain of events (not unprocessed events) to be removed from FMC |
|
|
FTD VMWare: High disk utilization on /dev/sda8 partition caused by file system corruption |
|
|
FMC userrole missing permissions may cause Tomcat to continuously restart after upgrade to 7.2.4 |
|
|
SQL packets involved in large query is drop by SNORT3 with reason snort-block |
|
|
Connections are not cleared after idle timeout when the interfaces are in inline mode. |
|
|
Deploy status is going to deployed right after starting deployment then going to deploying state |
|
|
While editing AC-policy rules, the rule order number becomes misaligned. |
|
|
Specific OID 1.3.6.1.2.1.25 should not be responding |
|
|
dl_task.pl tasks keep getting created every hour when a database query is blocked |
|
|
Firewall Blocking packets after failover due to IP <-> SGT mappings |
|
|
Syslog not updating when prefilter rule name changes |
|
|
FTD (FDM) fails when executing script 800_post/100_ftd_onbox_data_import.sh |
|
|
FMC FlexConfig re-orders objects after a single successful deployment |
|
|
FTD - Upgrade triggers persistent VPN Tunnel health monitor alarm |
|
|
Ping to the configured systemIP on management interface getting failed in cluster setup. |
|
|
ASA/FTD may traceback and reload in Thread Name 'ssh' when adding SNMPV3 config |
|
|
FTD - Traceback and reload due to nat rule removed by CPU core |
|
|
Enhancement for Lina copy operation for startup-config to backup-config.cfg in HA |
|
|
ASDM management-sessions quota reached due to HTTP sessions stuck in CLOSE_WAIT |
|
|
FTD not generating end of connection event after "Deleting Firewall session" |
|
|
DAP: FMC adds characters in a LUA script |
|
|
Removal of msie-proxy commands during flexconfig rollback |
|
|
Snort2:Skip writing malware seed file duing process shutdown |
|
|
FTD responding to UDP500 packet with a Mac Address of 0000.000.000 |
|
|
FMC7.2.x EIGRP flexconfig migration fails with internal error due to interface config mismatch |
|
|
FMC Restore is stuck in vault clear stage after mysql restore completed |
|
|
ASA "pager line 25" command doesn't work as expected on few terminal applications |
|
|
FTD hosted on KP incorrectly dropping decoded ESP packets if pre-filter action is analyze |
|
|
ASA traceback due to panic event during SNMP configuration |
|
|
Large file download failed due to hitting the max segment limit |
|
|
ASA/FTD: NAT64 error "overlaps with inside standby interface address" for Standalone ASA |
|
|
Cisco_Firepower_GEODB_FMC_Update* are not included in diskmanager |
|
|
FTD Block 9344 leak due to fragmented GRE traffic over inline-set interface inner-flow processing |
|
|
Configuration archive creation failing and causing deployment preview to throw error |
|
|
2100: Interfaces missing from FTD after removing interfaces as members of a port-channel |
|
|
Extended Access List Object does not allow IP range configuration |
|
|
ASA allows same BGP Dynamic routing process for Physical Data and management-only interfaces |
|
|
FTD: Failover/High Availability disabled with Mate version 0.0 is not compatible |
|
|
Avoid unnecessary DB operations when processing derived fingerprints |
|
|
"show aaa-server" command always shows the Average round trip time 0ms. |
|
|
ASA/FTD may traceback and reload while running show inventory |
|
|
4200 Series: Portchannel in cluster may stay down sometimes when LACP is in active mode |
|
|
AMP Cloud look up timeout frequently. |
|
|
FMC SSO timesout when user session is active for more than 1 hr (idle timeout) |
|
|
Initiator Country and Continent missing on Custom View on Event viewer |
|
|
ASA:Management access via IPSec tunnel is NOT working |
|
|
FMC does not verify certificate issued to FTD device, when TLS1.3 is used |
|
|
FMC HA : Redundant FTD registration task failing on secondary FMC when FTD is disconnected. |
|
|
FMC: query_engine.log Growing More Quickly Than Expected, Resulting In High Disk Utilization |
|
|
The FMC is showing "The password encryption key has not been set" alert for a 11xx/21xx/31xx device |
|
|
SFDataCorrelator crashing repeatedly in RNA_DB_InsertServiceInfo |
|
|
Devices with classic licenses are failed to register with FMC running version 7.2.X |
|
|
ASA/FTD traceback and reload with IPSec VPN, possibly involving upgrade |
|
|
SNORT3 - FTD - TSID high cpu, daq polling when ssl enabled is not pulling enough packets |
|
|
Source NAT Rule performing incorrect translation due to interface overload |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' while processing DAP data |
|
|
VPN Load Balancing Cluster IP address/host name is not on the same subnet as the public interface |
|
|
Fragmented UDP packet via MPLS tunnel reassemble fail |
|
|
Multicast through the box traffic causing high CPU with 1GBps traffic |
|
|
additional command outputs needed in FTD troubleshoot for blocks and ssl cache |
|
|
FMC HA: When logging into the standby FMC stacktraces are always present. |
|
|
Lina core at snp_nat_xlate_verify_magic.part and soft traces |
|
|
FTD SNMPv3 host configuration gets deleted from IPTABLES after adding host-group configuration |
|
|
Cannot use .k12 domain on realm AD Primary Domain configuration |
|
|
Fixing the regression caused while handling web UI is not getting FTDv Variable |
|
|
ASDM can not see log timestamp after enable logging timestamp on cli |
|
|
Configuring and unconfiguring "match ip address test" may lead to traceback |
|
|
sshd restarting during upgrade leading to have /new-root as default root partition |
|
|
Backup fails on migrated FMC |
|
|
Configuration to disable TLS1.3 |
|
|
Diskmanager process terminated unexpectedly |
|
|
Prefilter cannot add Tunnel Endpoints in Tunnel Rule on FMC |
|
|
ASA: Traceback and reload when restore configuration using CLI |
|
|
FTDvs through put got changed to 100Kbps after upgrade |
|
|
Timestamp entry missing for some syslog messages sent to syslog server |
|
|
Community string sent from router is not matching ASA |
|
|
ASA/FTD may traceback and reload due to watchdog time exceeding the default 15 seconds |
|
|
Secondary lost failover communication on Inside, using IPv6, but next testing of Inside passes |
|
|
FXOS : Duplication of NTP entry results in Error message : Unreachable Or Invalid Ntp Server |
|
|
Unable to create VRF via FDM in Firepower 3105 device |
|
|
Coverity 886745: OVERRUN in verify_generic_signature |
|
|
Error while saving RAVPN with LDAP attribute map containing entry without cisco attr mapping name |
|
|
Snort3 dropping IP protocol 51 |
|
|
Unexpected high values for DAQ outstanding counter |
|
|
FMC does not save changes made on access list. |
|
|
ASA: Traceback and reload when executing the command "show nat pool detail" on a cluster setup |
|
|
FMC should report user whether it supports or not while configuring remote storage |
|
|
ASA/FTD traceback and reload on process fsm_send_config_info_initiator |
|
|
SNMP fails to poll accurate hostname from FMC |
|
|
VTI tunnel goes down due to route change detected in VRF scenario |
|
|
Every HA sync attempts to disable URL filtering if already disabled. |
|
|
eStreamer JSON parse error and memory leak |
|
|
Snort is getting reloaded during deploy due to diff in timerange and nap conf contents in each run |
|
|
FTD unregisters the standby FMC immediately after a successful registration |
|
|
FDM Upgrade failure due to expired certificates. |
|
|
File copy via SCP using ciscossh stack fails with error "no such file or directory" |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
Import Fails for Policy Description having new line. |
|
|
ASA: Traceback and reload during tests of High number of traffic flows and syslog messages |
|
|
cdFMC : FTD Dashboard does not display any data for last 1 hour or 6 hours. |
|
|
SSX Eventing continues to go to old tenant upon FTD migration to CDO. |
|
|
Cross ifc access: Revert PING to old non-cross ifc behavior |
|
|
FMC missing validation for syslog port setting |
|
|
SFDataCorrelator logs "Killing MySQL connection" every minute, causing performance problems |
|
|
FMC/cdFMC increase API rate limit |
|
|
Node kicked out of cluster while enabling or disabling rule profiling |
|
|
Capture-traffic Clish command with snort3 not producing a proper resulting capture |
|
|
Cisco ASA and FTD Software Inactive-to-Active ACL Bypass Vulnerability |
|
|
ASA dropping IPSEC traffic incorrectly when "ip verify reverse-path" is configured |
|
|
VPN and certificate configuration is cleared after the deployment - Regression of CSCwh29167 |
|
|
LINA would randomly generate a traceback and reload on FPR-1K |
|
|
OSPF Redistribution route-map with prefix-list not working after upgrade |
|
|
Classic licenses needs to be manually added after registering to license during migration/RMA |
|
|
Run All function on FMC Health Monitoring page is greyed out after upgrade |
|
|
FMC Model migration document doesn't have the roll-back steps if they hit failures |
|
|
FMC - Syslog overide in ACP always sent via Management interface |
|
|
Port Configuration Error in M6 FMC Documentation for Eth3 and Eth2 on FMC1700,FMC2700,FMC4700 Models |
|
|
FTD Registration fails if Management interface has the same IP as Data Interface |
|
|
FMC: FTD Subinterface SGT Propagation Default change to disabled |
|
|
Snort AppID incorrectly identifies SSH traffic as Unknown |
|
|
Onboarding on-prem FMC to CDO using SecureX fails due to User Authentication Failed error |
|
|
DOC: Update the Deploy Virtual Auto Scale Solution using GWLB on AWS Guide |
|
|
Connection been logged for rules with no logging enabled |
|
|
snort2 instances restart unexpectedly with OOM during policy deployment |
Resolved Bugs in Version 7.4.0
Table last updated: 2025-02-25
|
Bug ID |
Headline |
|---|---|
|
Improve logging of Secure Firewall (Firepower)backups and retry for gzip when using remote storage |
|
|
Flex config Preview of $SYS_FW_ENABLED_INSPECT_PROTOCOL_LIST throws error |
|
|
FTD traceback in Thread Name cli_xml_server when deploying QoS policy |
|
|
FTD - Flow-Offload should be able to coexist with Rate-limiting Feature (QoS) |
|
|
Filtering Network objects is not working, getting 'Error Loading Data' |
|
|
Radius Key with the ASCII character " configured on FXOS does not work after chassis reload. |
|
|
Lack of throttling of ARP miss indications to CP leads to oversubscription |
|
|
Upgrade to 6.6.1 got failed at 800_post/1025_vrf_policy_upgrade.pl |
|
|
Observed few snort instances stuck at 100% |
|
|
FXOS: Fault "The password encryption key has not been set." displayed on FPR1000 and FPR2100 devices |
|
|
File list preview: Deleting two list having few similar contents throws stacktrace on FMC-UI |
|
|
Error Loading Data: Couldnt resolve few of the STDACE BBs |
|
|
"Warning:Update failed/in-progress." Cosmetic after successful update |
|
|
Crashinfo script is invoked on SFR running snort2 and device fails to upgrade to 7.0 |
|
|
SNORT2: FTD is performing Full proxy even when SSL rule has DND action. |
|
|
ENH:FMC Removal and manual reconfiguration of changes for CAC-authenticated users should not happen |
|
|
IPS policy should be imported when its referred in Access Control policy |
|
|
Cisco ASA Software SSL VPN Client-Side Request Smuggling Vulnerability via "/"URI |
|
|
FMC4500/4600 shows virtual license |
|
|
FDM IKEv2 S2S PSK Not Deploying Correctly (Changing Asymmetric to Symmetric PSK) |
|
|
API key corrupted for FMC with multiple interfaces |
|
|
FMC NFS configuration failling after upgrade from 6.4.0.4 to 7.0.1 |
|
|
Primary node disconnected from VPN-Cluster when performed HA failover on Primary with DNS lookup |
|
|
Modify /800_post/1027_ldap_external_auth_fix.pl to not fail FMC upgrade when objects are corrupt |
|
|
Microsoft update traffic blocked with Snort version 3 Malware inspection |
|
|
FDM: Policy deployment failure after upgrade due to unused IKEv1 policies |
|
|
ASA/FTD Traceback and reload in Process Name: lina |
|
|
Disk usage errors on Firepower Azure device due to large backup unified files under ngfw directory |
|
|
FDM bootstrap could be skipped if device rebooted when bootstrap is not completed |
|
|
FMC backup may fail due to monetdb backup failure with return code 102 |
|
|
upgrade with a large amount of unmonitored disk space used can cause failed upgrade and hung device |
|
|
MFIB RPF failed counter instead of Other drops increments when outgoing interface list is Null |
|
|
ASA: The timestamp for all logs generated by Admin context are the same |
|
|
FTD on FP2100 can take over as HA active unit during reboot process |
|
|
FMC | Interface update Failed. Could not find source interface |
|
|
ASAv high CPU and stack memory allocation errors despite over 30% free memory |
|
|
Snort3: NFSv3 mount may fail for traffic through FTD |
|
|
Deployment/Tasks Button not seen FMC_UI while doing upgrade tests configured in Light theme |
|
|
FMC: Validation check to prevent exponential expansion of NAT rules |
|
|
Selective deployment of IPS may cause outage due to incorrectly written FTD configuration files |
|
|
Connection Events seen on FMC even though the rule is not configured to send events to FMC |
|
|
FTPS getting ssl3_get_record:bad record type during connection for KK and DR rules |
|
|
FMC 7.2.0|7.3.0 Integration > Identity Sources page does not load, keeps spinning |
|
|
Excessive logging from hm_du.pm may lead to syslog-ng process restarts |
|
|
Failing to generate FMC Backup/Restore via SMB/SSH |
|
|
Estreamer page fails to load in ASDM |
|
|
Snort3 crash with TLS 1.3 |
|
|
Fix multiple crash handler issues |
|
|
FTD unable to sync HA due to snort validation failed |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' ip routing ndbshr |
|
|
sybase related modules should be removed |
|
|
snort3 hangs in Crash handler which can lead to extended outage time during a snort crash |
|
|
ASA HA failover triggers HTTP server restart failure and ASDM outage |
|
|
FPR2140 ASA Clock Timezone reverts to UTC after appliance restart/reload |
|
|
Auth-Daemon process is getting restarted continuously when SSO disabled |
|
|
FMC RSS Feed broken because FeedBurner is no longer active - "Unable to parse feed" |
|
|
25G-SR should default to RS-FEC (IEEE CL108) instead of FC-FEC |
|
|
link state propagation stops working when performing full chassis reboot |
|
|
FPR1000 ASA/FTD: Primary takes active role after reloading |
|
|
Database may fail to shut down and/or start up properly during upgrade |
|
|
Cannot save realm configuration unless AD Join Password is empty |
|
|
Snort process may trace back in ssl_debug_log_config and generate core file |
|
|
Intrusion events intermittently stop appearing in FMC when using snort3 |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
WR6, WR8, LTS18 and LTS21 commit id update in CCM layer (Seq 36) |
|
|
ASAv "Unable to retrieve license info. Please try again later" |
|
|
FTD misses diagnostic data required for investigation of "Communication with NPU lost" error |
|
|
FXOS ASA/FTD SNMP OID to poll Internal-data 'no buffer' interface counters |
|
|
ASA using WebVPN tracebacks in Unicorn thread during memory tracking |
|
|
Captive portal support in cross domain |
|
|
FMC module specific health exclusion disables all health checks |
|
|
SNMP 'Confirm Community String' string is not auto-populated after the FMC upgrade |
|
|
ASA: ASDM sessions stuck in CLOSE_WAIT causing lack of MGMT |
|
|
PDTS write from Daq can fail when PDTS buffer is full eventually leads to block depletion |
|
|
multiple snort3 crashes after upgrading FTD from 7.2.0 to 7.2.0.1 |
|
|
ASA/FTD tmatch compilation check when unit joins the cluster, when TCM is off |
|
|
AnyConnect SAML using external browser and round robin DNS intermittently fails |
|
|
Deployment Fails with stacktrace: Invalid type (LocalIdentitySource) |
|
|
FTD sensor rules missing from ngfw.rules file after a sensor backup restore execution |
|
|
critical health alerts 'user configuration(FSM.sam.dme.AaaUserEpUpdateUserEp)' on 2100/3100 devices |
|
|
Missing fqdns_old.conf file causes FTD HA app sync failure |
|
|
FMC - Unable to initiate deployment due to incorrect threat license validation |
|
|
during download from file event on FMC, high CPU use on FMC for 20 minutes before download fails |
|
|
FTD upgrade failure due to Syslog files getting generated/deleted rapidly |
|
|
FTD Unable to bind to port 8305 after management IP change |
|
|
ASA/FTD: Using Round Robin with PAT rules on two or more interfaces breaks IP stickiness |
|
|
Object edit slowness when it is associated with NAT rules |
|
|
GTP drops not always logged on buffer and syslog |
|
|
File events show Action as "Malware Block" for files with correct disposition of unknown |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' following policy deployment |
|
|
HA did not failover due to misleading status updates from NDClient |
|
|
FPR1K FTD fails to form HA due to reason "Other unit has different set of hwidb index" |
|
|
ASA/FTD may traceback with large number of network objects deployment using distribute-list |
|
|
HTTP Block Response and Interactive Block response pages not being displayed by Snort3 |
|
|
EIGRPv6 - Crashed with "mem_lock: Assertion mem_refcount' failed" on LINA. |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
All traffic blocked due to access-group command missing from FTD config |
|
|
standby unit using both active and standby IPs causing duplicate IP issues due to nat "any" |
|
|
log rotate failing to cycle files, resulting in large file sizes |
|
|
FTD: FTPS Data Channel connection impacted by TLS Server Identity and Discovery Probe sent by FTD |
|
|
FMC HA - files in tmp/Sync are left on secondary when synchronisation task fails |
|
|
lost cac.conf after upgrade to 7.2.1 for FMC smart-card auth |
|
|
DHCP Relay is looping back the DHCP offer packet causing dhcprelay to fail on the FTD/ASA |
|
|
Duplicate SMB session id packets causing snort3 crash |
|
|
LTS18 and LTS21 commit id update in CCM layer (seq 39) |
|
|
Cisco FXOS Software Arbitrary File Write Vulnerability |
|
|
Filtering of jobs in deploy history page is applying the criteria only on Top50 jobs |
|
|
ASA/FTD traceback and reload on thread name fover_fail_check |
|
|
Proxy is engaged even when we have a Definitive DND rule match |
|
|
FMC can allow deployment of NAP in test mode with Decrypt policy |
|
|
SSL Policy DND default Rule fails on error unsupported cipher suite and SKE error. |
|
|
Firepower Management Center GUI view for Snort2 Local Intrusion Rules is missing |
|
|
Very long validation time during Policy Deployment due to big network object in SSL policy |
|
|
FMC HA webUI is not getting FTDv Variable tier assigned FTDv - Variable |
|
|
Re-downloaded users from a forest with trusted domains may become unresolved/un-synchronized |
|
|
deployment failed with OOM (out of memory) for policy_apply.pl process |
|
|
Packet-Tracer interfaces not showing up in UI after updating interface name from lower to upper case |
|
|
SRU installation failure. |
|
|
FMC not showing any alerts/warnings when deploying changes of prefix list with same seq # |
|
|
Expected snmp output is not found in 'show run | in fxos snmp' |
|
|
Deploying objects with escaped values in the description might cause all future deployments to fail |
|
|
Analyze why there is no logrotate for /opt/cisco/config/var/log/ASAconsole.log |
|
|
FTDv Cluster Health Monitor fails with "Error fetching live status of the cluster" |
|
|
Object NAT edit is failing |
|
|
Pre-login banner on FCM webUI shows extra characters on 92.14.0 |
|
|
FPR 2100: 10G interfaces with 1G SFP goes down post reload |
|
|
Periodic sync failures are not reported to users |
|
|
fxos log rotate failing to cycle files, resulting in large file sizes |
|
|
ASA/FTD: Traceback and reload in Thread Name: appAgent_reply_processor_thread |
|
|
FXOS: memory leak in svc_sam_envAG process |
|
|
800_post/1027_ldap_external_auth_fix.pl upgrade error -- reference to missing authentication object |
|
|
WR6, WR8, LTS18 and LTS21 commit id update in CCM layer (Seq 40) |
|
|
ASA - traceback and reload when Webvpn Portal is used |
|
|
Port-channel interface went down post deployment |
|
|
FMC UI showing disabled/offline for multiple devices as health events are not processed |
|
|
Missing SSL MEMCAP causes deployment failure due timeout waiting for snort detection engines |
|
|
Pre-deployment failure seen in FMC due to huge number policies |
|
|
Upgrades are not cleaning up mysql files leading to alert for 'High unmanaged disk usage on /ngfw' |
|
|
ASA restore is not applying vlan configuration |
|
|
Unable to get polling results using snmp GET for connection rate OID’s |
|
|
Add validation in lua detector api to check for empty patterns for service apps |
|
|
FMC not opening deployment preview window |
|
|
ASA/FTD: Object Group Search Syslog for flows exceeding threshold |
|
|
FTD PDTS LINA RX queue can become stuck when snort send messages with 4085-4096 bytes size |
|
|
AWS: SSL decryption failing with Geneve tunnel interface |
|
|
Data migration from Sybase to MariaDB taking more time due to large data size of POLICY_SNAPSHOT |
|
|
FMC gives an irrelevant error message for Snort2 to Snort3 rules conversion failure |
|
|
Stale CPU core health events seen on FMC UI post upgrade to 7.0.0+. |
|
|
Need corrections in log_handler_file watchdog crash fix |
|
|
Deployment failure with localpool overlap error after upgrade |
|
|
"show tech-support" generation does not include "show inventory" when run on FTD |
|
|
FTD Lina traceback and reload in Thread Name 'IP Init Thread' |
|
|
Misleading drop reason in "show asp drop" |
|
|
Clientless Accessing Web Contents using application/octet-stream vs text/plain |
|
|
Recursive panic under lina_duart_write |
|
|
FMC UI may become unavailable and show "System processes are starting" message after upgrade |
|
|
Inline-pair's state could not able to auto recover from hardware-bypass to standby mode. |
|
|
allocate more cgroup memory for policy deployment subgroup |
|
|
HA Periodic sync is failing due to cfg files are missing |
|
|
At times AC Policy save takes longer time, may be around 10 or above mins |
|
|
ASA/FTD: Traceback and reload due to SNMP group configuration during upgrade |
|
|
ASA: Standby may get stuck in "Sync Config" status upon reboot when there is EEM is configured |
|
|
FMC UI Showing inaccurate data in S2S VPN Monitoring page |
|
|
FTDv: Policy Deployment failure due to interface setting on failover interface |
|
|
ASA Connections stuck in idle state when DCD is enabled |
|
|
Cross-domain users with non-ASCII characters are not resolved |
|
|
FPR2100: Increase in failover convergence time with ASA in Appliance mode |
|
|
FTDv Single-Arm Proxy behind AWS GWLB drops due to geneve-invalid-udp-checksum with all 0 checksum |
|
|
AC clients fail to match DAP rules due to attribute value too large |
|
|
Packets through cascading contexts in ASA are dropped in gateway context after software upgrade |
|
|
FXOS is not rotating PoE logs |
|
|
FP4125 2.10.1.166 FTD applications in HA went into not responding state |
|
|
Lina changes to support - Snort3 traceback in daq-pdts while handling FQDN based traffic |
|
|
Cisco Firepower Management Center Object Group Access Control List Bypass Vulnerability |
|
|
ASA|FTD: Implement different TLS diffie-hellman prime based on RFC recommendation |
|
|
FMC Connection Event stop displaying latest event |
|
|
Port-channel interfaces of secondary unit are in waiting status after reload |
|
|
FMC should not accept carriage return in the interface description field of a managed device |
|
|
ASA/FTD may traceback and reload in idfw fqdn hash lookup |
|
|
S2S VPN dashboard shows ipv4 SVTI tunnel down between KP-HA and WA-HA after KP-HA Switch role. |
|
|
FXOS: FP2100 FTW timeout triggered by high CPU usage during FTD Access Control Policy deploy. |
|
|
FMC 7.1.0.1 Doesn't throw warning that S2S VPN Configs contain deprecated MD5 Hash during deployment |
|
|
FMC: Updates page takes more than 5 minutes to load |
|
|
S2S Tunnels do not come up due to DH computation failure caused by DSID Leak |
|
|
30+ seconds data loss when unit re-join cluster |
|
|
Predefined FlexConfig Text Objects are not exported by Import-Export |
|
|
FMC External Auth test error "Encryption method is configured but you did not upload a certificate." |
|
|
FTD with Snort3 might have memory corruption BT in snort file with same IP traffic scaling |
|
|
FMC import takes too long |
|
|
FPR3110 Fans' SN in label are different from show inventory cli output |
|
|
Snort crashes while reloading mercury library with any VDB install on 7.3.0 and 7.4.0 |
|
|
ASA configured with HA may traceback and reload with multiple input/output error messages |
|
|
intrusion events fail to migrate from MariaDB to MonetDB following FMC upgrade from 7.0.3 to 7.1.0 |
|
|
Import/export fails with backend error |
|
|
MI FTD running 7.0.4 is on High disk utilization |
|
|
Snort drops Bomgar application packets with Early Application Detection enabled |
|
|
FTD Traffic failure due to 9344 block depletion in peer_proxy_tx_q |
|
|
Snort3 crash seen sometimes while processing a future flow connection after appid detectors reload |
|
|
LINA Traceback on FPR-1010 under Thread Name: update_cpu_usage |
|
|
Snort outputs massive volume of packet events - IPS event view may show "No Packet Information" |
|
|
FMC should display the status of physical FTD interfaces bundled in port-channel |
|
|
FTD -Snort match incorrect NAP id for traffic |
|
|
Microsoft SCEP enrollment fails to get ASA identity cert - Unable to verify PKCS7 |
|
|
ASA/FTD may traceback and reload in Thread Name 'telnet/ci' |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
Observing some devcmd failures and checkheaps traceback when flow offload is not used. |
|
|
Snort mem used alert should read the value from perfstats for snort instance rather than cgroups |
|
|
AWS ASAv PAYG Licensing not working in GovCloud regions. |
|
|
FTDs running 6.6.x show as disconnected on new HM (6.7+) but checks are running and updating |
|
|
Traceback and reload when webvpn users match DAP access-list with 36k elements |
|
|
Unable to access Dynamic Access policy |
|
|
Number of objects are not getting updated under policies>>>Security intelligence >>>Block list |
|
|
ASA/FTD: Traceback and Reload on Netflow timer infra |
|
|
Disabling NAVL guids from userappid.conf doesn't work |
|
|
Cut-Through Proxy does not work with HTTPS traffic |
|
|
seeing error on access policies on FMC - "Error during policy validation" |
|
|
Enhance logging mechanism for syslogs |
|
|
ASA/FTD NAT Pool Cluster allocation and reservation discrepancy between units |
|
|
Deployment changes to push VDB package based on Device model and snort engine |
|
|
ASA/FTD failure due to heartbeat loss between chassis and blade |
|
|
MariaDB crash (segmentation fault) related to netmap query |
|
|
Software upgrade on FDM fails due to improver next-hop validation |
|
|
FMC | Deployment failure in csm_snapshot_error |
|
|
ASA/FTD may traceback and reload in logging_cfg processing |
|
|
Incorrect Paging and count value for Time Range Object Get API |
|
|
FAN LED flashing amber on FPR2100 |
|
|
No Inspect Interruption warning when deploy after FMC upgrade |
|
|
Clientless VPN users are unable to download large files through the WebVPN portal |
|
|
SFDataCorrelator performance degradation involving hosts with many discovered MAC addresses |
|
|
Anyconnect users unable to connect when ASA using different authentication and authorization server |
|
|
Blade not coming up after FXOS update support on multi-instance due to ssp_ntp.log log rotation prob |
|
|
Can't modify RA vpn group policy on FDM 7.3 |
|
|
Primary ASA traceback upon rebooting the secondary |
|
|
ASA/FTD traceback and reload, Thread Name: rtcli async executor process |
|
|
FMC SecureX via proxy stops working after upgrade to 7.x |
|
|
Link Up seen for a few seconds on FPR1010 during bootup |
|
|
FTD: Unable to configure WebVPN Keepout or Certificate Map on FPR3100 |
|
|
ASA is unexpected reload when doing backup |
|
|
41xx: Blade does not capture or log a reboot signal |
|
|
High FMC backup file size due to configurations snapshot for all managed devices |
|
|
ASA/FTD: External IDP SAML authentication fails with Bad Request message |
|
|
Summary status dashboard takes more than 3 mins to load upon login |
|
|
Interactive Block action doesn't work when websites are redirected to https |
|
|
License Commands go missing in Cluster data unit if the Cluster join fails. |
|
|
FTD traceback and reload while deploying PAT POOL |
|
|
Need to provide rate-limit on "logging history <mode>" |
|
|
collection of top.log.gz in troubleshoot can be corrupt due to race condition |
|
|
Unexpected "No Traffic" health alert on Standby HA Data Interface where no data flows |
|
|
FTD traceback/reloads - Icmp error packet processing involves snp_nat_xlate_identity |
|
|
FPR1K/FPR2K: Increase in failover time in Transparent Mode with high number of Sub-Interfaces |
|
|
Database table optimization not working for some of the tables |
|
|
Email alert incorrectly send for a successful database backup |
|
|
FMC HA Synchronization can hang forever if no response from SendUserReloadSGTAndEndpointsEvent |
|
|
FMC: Upgrade fails at DB Integrity check due to large number of EO warnings for "rule_comments" |
|
|
Cluster data unit drops non-VPN traffic with ASP reason "VPN reclassify failure |
|
|
On a cloud-delivered FMC there is no way to send events to syslog without sending to SAL/CDO as well |
|
|
FPR1120:connections are getting teardown after switchover in HA |
|
|
Threatgrid integration configuration is not sync'd as part of the FMC HA Synchronisation |
|
|
None option under trustpoint doesn't work when CRL check is failing |
|
|
FTD Deployment failures due to "snort3.validation.lua:5: '=' expected near 'change'" |
|
|
FTD traceback and reload during policy deployment adding/removing/editing of NAT statements. |
|
|
FTD is dropping GRE traffic from WSA |
|
|
ASA binding with LDAP as authorization method with missing configuration |
|
|
ASA: Traceback and reload while processing SNMP packets |
|
|
Purging of Config Archive failed for all the devices if one device has no versions |
|
|
High Lina memory use due to leaked SSL handles |
|
|
FMC Unable to fetch VPN troubleshooting logs. |
|
|
FTD - 'show memory top-usage' providing improper value for memory allocation |
|
|
FTD: IPSLA Pre-emption not working even when destination becomes reachable |
|
|
ASA/FTD Traceback and reload of Standby Unit while removing capture configurations |
|
|
FMC deployment preview showing full config instead of delta. |
|
|
FMC is not taking BGP default originate configuration via API PUT request. |
|
|
TLS sessions dropped under certain conditions after a fragmented Client Hello |
|
|
FMC Health Monitor does not report alerts for the Interface Status module |
|
|
Deployment failing - "Error while printing show-xml-response file contents" XML response too big |
|
|
FMC HA info is not sync'ed reliably to FTD to support CLOUD_SERVICE |
|
|
FMC deployment failure:"Validation failed: This is a slav*/ha standby device, rejecting deployment." |
|
|
null connection error seen in logs |
|
|
[FTD Multi-Instance][SNMP] - CPU OIDs return incomplete list of associated CPUs |
|
|
ASA/FTD may traceback and reload in Thread Name: CTM Daemon |
|
|
FTD High unmanaged disk usage alert is triggered due to stored files located on /ngfw/Volume/root1/ |
|
|
Policy deploy failure "error executing /*!40101 SET character_set_client = @saved_cs_client */; *" |
|
|
256-byte memory block gets depleted on start if jumbo frame is enabled with FTD on ASA5516 |
|
|
Traffic drop when primary device is active |
|
|
Snort mem used alert should be consistent with value from top.log |
|
|
ASA/FTD may drop multicast packets due to no-mcast-intrf ASP drop reason until UDP timeout expires |
|
|
Multicast connection built or teardown syslog messages may not always be generated |
|
|
add warning to FTD platform settings when VPN Logging Settings logging level is informational |
|
|
Snort3: Process in D state resulting in OOM with jemalloc memory manager |
|
|
After disabling malware analysis, high disk usage on /dev/shm/snort |
|
|
Partition "/opt/cisco/config" gets full due to wtmp file not getting logrotated |
|
|
Unexpected firewalls reloads with traceback. |
|
|
Slow UI loading for Table View of Hosts |
|
|
Database integrity check takes several minutes to complete |
|
|
NTP polling frequency changed from 5 minutes to 1 second causes large useless log files |
|
|
FPR2100: Mulitple snort3 & snort2 cores got generated and sensor goes down in KP platform |
|
|
Multiple instances of nvram.out log rotated files under /opt/cisco/platform/logs/ |
|
|
FMC External authentication getting "Internal error" |
|
|
rpc service detector causing snort traceback due to universal address being an empty string |
|
|
ASA Traceback & reload citing thread name: asacli/0 |
|
|
FTD taking longer than expected to form OSPF adjacencies after a failover switchover |
|
|
ASA/FTD may traceback and reload after executing 'clear counters all' when VPN tunnels are created |
|
|
Copy and pasting rules is broken and give blank error message in ID policy |
|
|
LINA traceback with icmp_thread |
|
|
The command "app-agent heartbeat" is getting removed when deleting any created context |
|
|
CLUSTER: ICMP reply arrives at director earlier than CLU add flow request from flow owner. |
|
|
occasional failure to load light-modal-ac-rule-xx.css with a net::ERR_TOO_MANY_RETRIES error |
|
|
FTD MI does not adjust PVID on vlans attached to BVI |
|
|
ASA/FTD may traceback and reload in Thread Name 'None' at lua_getinfo |
|
|
ASA/FTD Show chunkstat top command implementation |
|
|
SFDataCorrelator cores due to stuck database query after 1 hour deadlock timeout |
|
|
ASA/FTD might traceback in funtion "snp_fp_l2_capture_internal" due to cf_reinject_hide flag |
|
|
Workaround to set hwclock from ntp logs on low end platforms |
|
|
changing time window settings in FMC GUI event viewers may not work with FMC integrated with SecureX |
|
|
Supervisor does not reboot unresponsive module/blade due to IERR with minor severity sensor ID 79 |
|
|
Active authentication sessions are showing in VPN dashboard |
|
|
ASA/FTD: High failover delay with large number of (sub)interfaces and http server enabled |
|
|
TLS Server Identity may cause certain clients to produce mangled Client Hello |
|
|
Gateway is not reachable from standby unit in admin and user context with shared mgmt intf |
|
|
Multiple traceback seen on standby unit. |
|
|
2100: Power switch toggle leads to ungraceful shutdowns and "PowerCycleRequest" reset |
|
|
FMC Upgrade: generation of sftunnel.json file per FTD does not check for duplicate names |
|
|
FMC: Backup to an unavailable remote host results in the inability to restart the appliance. |
|
|
Stale IKEv2 SA formed during simultaneous IKE SA handling when missing delete from the peer |
|
|
FDM WM-HA ssh is not working after upgrading 7.2.3 beta with data interface as management |
|
|
ASA: FP2100 FTW timeout triggered by high CPU usage during FTD Access Control Policy deploy. |
|
|
Remove the limit of 30characters in the rule name which a rule is moved from ACP to Prefilter |
|
|
FP2100:Update LINA asa.log files to avoid recursive messages-<date>.1.gz rotated filenames |
|
|
Question mark in NAT description causes config mismatch on Data members of an FTD cluster |
|
|
Syslog ASA-6-611101 is generated twice for a single ssh connection |
|
|
IMS: FP2100 FTW timeout triggered by high CPU usage during FTD Access Control Policy deploy. |
|
|
Need to Warn the users before triggering a full deployment on FTD managed by FDM |
|
|
Snort3 crashes are seen under Dce2Smb2FileTracker processing of data |
|
|
ASA/FTD drops traffic to BVI if floating conn is not default value due to no valid adjacency |
|
|
Frequent errors seen regarding failures to load bulkcsv files that don't exist |
|
|
Remove FMC drop_cache trigger to prevent Disk I/O increase due to file cache thrashing |
|
|
Unable to save Access Control Policy changes due to Internal error |
|
|
Management interface link status not getting synced between FXOS and ASA |
|
|
SNMP on SFR module goes down and won't come back up |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
Not able to remove group policy from RAVPN via REST API |
|
|
ASA Evaluation of OpenSSL vulnerability CVE-2022-4450 |
|
|
SSL decrypted conns fails when tx chksum-offload is enabled with the egress interface a pppoe. |
|
|
NGIPSv syslog-tls.conf.tt needs filters removed when in CC mode |
|
|
The user belonging to a subdomain, is unable to collect packet tracer |
|
|
FTD on FPR2140 - Lina traceback and reload by TCP normalization |
|
|
Manager gets unregistered on its own from the FTD, show manager shows 'No managers configured' |
|
|
BGP IPv6 configuration : route-map association with neighbour not getting deployed |
|
|
FMC: Incorrect FTD cluster role status leading to inability to upgrade FTD |
|
|
Memory leak observed on ASA/FTD when logging history is enabled |
|
|
FTD:Node not joining cluster with "Health check detected that control left cluster" due to SSL error |
|
|
After FMC upgrade, SecureX ribbon redirects to US cloud region regardless of the set cloud region |
|
|
/var/sf/QueryPoolData fills up with warehouse directories |
|
|
FTD: "timeout floating-conn" not operating as expected for connections dependent on VRF routing |
|
|
DAP policy created in FMC Gui, to detect a Windows OS with a hotfix, will not work as expected |
|
|
ASA/FTD reboots due to traceback pointing to watchdog timeout on p3_tree_lookup |
|
|
FTD Traceback and reload on Thread Name "NetSnmp Event mib process" |
|
|
FXOS fault F0853 and F0855 seen despite keyring reporting renewed |
|
|
FTD 2100 -Update daq-ioq mempool to help protect against buffer corruption |
|
|
Unable to delete custom anyconnect attribute --dynamic-split-tunnel from group-policy |
|
|
PIM register packets are not sent to RP after a reload if FTD uses a default gateway to reach the RP |
|
|
ASA Multicontext 'management-only' interface attribute not synced during creation |
|
|
ASA reboots due to heartbeat loss and "Communication with NPU lost" |
|
|
New context subcommands are not replicated on HA standby when multiple sessions are opened. |
|
|
DCCSM session authorization failure cause multiple issues across FMC |
|
|
Policy Deploy Failing when trying to remove Umbrella DNS Connector Configuration |
|
|
ASA/FTD traceback in snp_tracer_format_route |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' due to due to tcp intercept stat |
|
|
ASA/FTD: Ensure flow-offload states within cluster are the same |
|
|
Need fault/error for invalid firmware MF-111-234949 |
|
|
Pri-Active FMC NOT triggering registration TASK for FTD to configure standby manager |
|
|
Post backup restore multiple processes are not up. No errors are observed during backup or restore. |
|
|
Cisco ASA and FTD ACLs Not Installed upon Reload |
|
|
Deployment failed in snapshot generation after upgrading FMC to 7.3 |
|
|
ASA/FTD may traceback and reload after changing IP of authentication server |
|
|
TID python processes stuck at 100% CPU |
|
|
ASA: Prevent SFR module configuration on unsuported platforms |
|
|
The command "neighbor x.x.x.x ha-mode graceful-restart" removed when deleting any created context |
|
|
FP2100 series devices might use excessive memory if there is a very high SNMP polling rate |
|
|
ASA - Standby device may traceback and reload during synchronization of ACL DAP |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
Last fragment from SIP IPv6 packets has MF equal to 1, flagging that more packets are expected |
|
|
ASA / FTD Traceback and reload when removing isakmp capture |
|
|
Failover fover_trace.log file is flooding and gets overwritten quickly |
|
|
Snort3 fails to match SMTPS traffic to ACP rules |
|
|
FMC should push the AnyConnect Custom attribute defer keyword as lowercase instead of capitalized |
|
|
Multiple times the failover may be disabled by wrongly seeing a different "Mate operational mode". |
|
|
FTD: unable to run any commands on CLISH prompt |
|
|
Snort high memory alerts still seen despite fix for CSCwd84942 |
|
|
Deployment is blocked due to Pre-deploy Validation Error - Invalid endpoint |
|
|
ASA/FTD may traceback and reload in Thread Name DATAPATH-3-21853 |
|
|
Selective deployment negating the route configs |
|
|
Selective deployment removing the prefilter-configs |
|
|
Selective deployment removing the Group policy |
|
|
FTD LINA traceback and reload in Datapath thread after adding Static Routing |
|
|
Unable to login to FTD using external authentication |
|
|
Cross-interface-access: ICMP Ping to management access ifc over VPN is broken |
|
|
FMC runs out of space when Snort sends massive numbers of packet logs |
|
|
logrotate is not compressing files on 9.16 ASA or 7.0 FTD |
|
|
ASA/FTD may traceback and reload in Thread Name DATAPATH-1-1656 |
|
|
SFDataCorrelator spam seen in /var/log/messages |
|
|
AnyConnect - mobile devices are not able to connect when hostscan is enabled |
|
|
CD App Sync error is App Config Apply Failed on Secondary/Standby after backup restore on RMA device |
|
|
Interface remains DOWN in an Inline-set with propagate link state |
|
|
Snort2 rule recommendations increases disabled rule count drastically |
|
|
[FMC model migration] Health monitoring on FMC reporting errors |
|
|
Upgraded FMC didn't mark FTD's with Hot Fix as light registered - failed FMC HA sync |
|
|
High rate of network map updates can cause large delays and backlogs in event processing |
|
|
ndclientd error message 'Local Disk is full' needs to provide mount details which is full |
|
|
ASA/FTD: From-the-box ping fails when using a custom VRF |
|
|
ASA/FTD : Degradation for TCP tput on FPR2100 via IPSEC VPN when there is delay between VPN peers |
|
|
Improve Azure AD realm documentation |
|
|
ASA/FTD may traceback and reload in Thread Name 'pix_flash_config_thread' |
|
|
Deployment for eigrp / bgp change may cause temporary outage during policy apply |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
LDAP External auth config fails to deploy to FTD if same LDAP server is added as Primary and backup |
|
|
Default DLY value of port-channel sub interface mismatch with parent Portchannel |
|
|
ASA: Standby failure on parsing of "management-only" not reported to parser/failover subsystem |
|
|
health alert for [FSM:STAGE:FAILED]: external aaa server configuration |
|
|
FMC isn't allowing to create more than 30 VLAN interfaces |
|
|
FMC Upgrade from Active-Primary FMC is failed with "Installation failed: Peer Discovery incomplete." |
|
|
Fix Snort3 Memory Utilisation Value |
|
|
Prune target should account for the allocated memory from the thread pruned |
|
|
ASA/FTD traceback and reload on thread DATAPATH-14-11344 when SIP inspection is enabled |
|
|
FMC system restore authentication error during FMC re-image when using FTP/SCP protocol |
|
|
ASA/FTD traceback and reload due citing thread name: cli_xml_server in tm_job_add |
|
|
email alert to scheduled activity is not working after upgrading to 7.2 |
|
|
"Failed to convert snort 2 custom rules. Refer /var/sf/htdocs/ips/snort.rej for more details." |
|
|
ASA traceback and reload with process name: cli_xml_request_process |
|
|
Serial number attribute from the subject DN of certificate should be taken as the username |
|
|
vFMC300 to FMC2600 migration failure with error "migration from R to N is not allowed" |
|
|
Notification Daemon false alarm of Service Down |
|
|
CVIM Console getting stuck in "Booting the kernel" page |
|
|
Username-from-certificate feature cannot extract the email attribute |
|
|
ASA: Standby failure on parsing of "management-only" for dynamic configuraiton changes |
|
|
Missing Instance ID in unified_events-2.log |
|
|
Elephant flow detection disabled on FMC, getting enabled on FTD after random deployment |
|
|
ASA Traceback and reload in parse thread due ha_msg corruption |
|
|
correlation events based on connection events do not contain Security Intelligence Category content |
|
|
ngfwManager process continuously restarting leading to ZMQ Out of Memory traceback |
|
|
FTD returns no output of "show elephant-flow status" when efd.lua file's content is empty |
|
|
FP1140 7.0.4 Deployment keep failing with error "Can\'t use an undefined value as a HASH reference" |
|
|
Snort2 rule assignments missing from ngfw.rules (assignment_data table ) after FMC upgrade. |
|
|
FXOS REST API: Unable to create a keyring with type "ecdsa" |
|
|
Threat-detection does not recognize exception objects with a prefix in IPv6 |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina'. |
|
|
Threat-detection does not allow to clear individual IPv6 entries |
|
|
need to turn off default TLS 1.1 (deprecated) support for the FDM GUI |
|
|
ASA not updating Timezone despite taking commands |
|
|
FTD DHCP Relay drops NACK if multiple DHCP Servers are configured |
|
|
Umbrella DNS Negate of Bypass Domain Field is not generated from FMC |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
ASa/FTD: SNMP related traceback and reload immediately after upgrade from 6.6.5 to 7.0.1 |
|
|
ASA: Configurable CLU for Large amount of under/overruns on CLU RX/TX queues |
|
|
FMC error displaying users page due to wide characters in real name field |
|
|
FDM Cannot create self-signed certificates due to Expiration Date format |
|
|
AC policy deploy failing on 7.2.4 FMC to 6.7 FTD |
|
|
traceback and reload thread datapath on process tcpmod_proxy_continue_bp |
|
|
Add knob to pause/resume file specific logging in asa log infra. |
|
|
DOC: Misleading Documentation of Cisco Firepower 2100 GLC-T and GLC-TE SFP Support |
|
|
FTD: Unable to process a TLS1.2 website with TLS Server Identity with client generating SSL Errors |
|
|
Found Orphaned SFTop10Cacher processes |
|
|
FTD/ASA Hub and spoke (U-turn) VPN fails when one spoke is IPSec flow offloaded and the other isn't |
|
|
standby in disabled state after QP-MI HA 7.0.3 to 7.2.4-126, APPLY_APP_CONFIG_APPLICATION_FAILURE |
|
|
TCP ping is completely broken starting in 9.18.2 |
|
|
FTD: ADI.conf - send_s2s_vpn_events is set to 0, even after applying s2s vpn health policy |
|
|
Snort3 Crash in SslServiceDetector after call from nss_passwd_lookup |
|
|
Prune symmetric triggers that existed in sfsnort schema before FMC upgrade to 7.3 version or later |
|
|
ASA/FTD may traceback and reload in Thread Name 'ci/console' |
|
|
ASA: "Ping <ifc_name> x.x.x.x" is not working as expected starting 9.18.x |
|
|
Readiness check needs to be allowed to run without pausing FMC HA |
|
|
Setting heartbeat timeout to 6sec for BS and QP |
|
|
Upgrade Device listing page is taking more than 15 mins to load page fully with 25 FTDs registered |
|
|
ASA running out of SNMP PDU and SNMP VAR chunks |
|
|
Lina traceback and reload due to fragmented packets |
|
|
FPR3100: ASA/FTD High traffic impact on all data interfaces with high counter of "demux drops" |
|
|
"Security Intelligence feed download failed" displayed even though it succeeded |
|
|
ISE Integration Network filter not accepting multiple comma separated networks |
|
|
FTD : Traceback in ZMQ running 7.3.0 |
|
|
ASA sends OCSP request without user-agent and host |
|
|
ASA: After upgrade to 9.16.4 all type-8 passwords are lost on first reboot |
|
|
Unable to load intrusion policy page on FMC GUI |
|
|
FTDv: Traffic failure in VMware Deployments due to dpdk pool exhuastion and rx_buff_alloc_failure |
|
|
ASA Traceback and reload citing process name 'lina' |
|
|
FTD container restored from backup fails to register to FMC due to Peer send bad hash error |
|
|
traceback and reload in Process Name: lina related to Nat/Pat |
|
|
TCP normalizer needs stats that show actions like packet drops |
|
|
LDAP authentication over SSL not working for users that send large authorisation profiles |
|
|
ASAv in Hyper-V drops packets on management interface |
|
|
When enabling backup peer ip on FMC 7.3.1 with a space the VPN IPSec profile would be removed |
|
|
Failure to remove snort stat files older than 70 days |
|
|
ASA/FTD may traceback and reload in Thread Name '19', free block checksum failure |
|
|
Changes to lamplighter logs written to /var/log/tid_process.log |
|
|
FATAL errors in DBCheck due to missing columns in eventdb table |
|
|
admin user should be excluded from CLI shell access filter |
|
|
ASA may traceback and reload in Thread Name 'DHCPv6 Relay' |
|
|
No logrotate and max size is configured for Health.log file |
|
|
ASA/FTD: Traceback on thread name: snmp_master_callback_thread during SNMP and interface changes |
|
|
ASA Packet-tracer displays the first ACL rule always, though matches the right ACL |
|
|
FTD HA Creation fails resulting in devices showing up in an inconsistent state on the FMC |
|
|
Not able to add files with file names which has '\u' to clean list from Malware Summary page |
|
|
Unable to establish BGP when using MD5 authentication over GRE TUNNEL and FTD as passthrough device |
|
|
SFDataCorrelator process crashing very frequently on the FMC. |
|
|
crashhandler running with test mode snort |
|
|
FMC backup management page showing "Verifying Backup" for FTD sensors. |
|
|
FMC backup restore page takes around 5 mins to load when remote storage is unreachable |
|
|
FP2130- Unable to disassociate member from port channel, deployment fails, member is lost on FTD/FMC |
|
|
ASA/FTD: Connection information in SIP-SDP header remains untranslated with destination static Any |
|
|
FTD may fail to create a NAT rule with error: "IPv4 dst real obj address range is huge" |
|
|
Inconsistent log messages seen when emblem is configured and buffer logging is set to debug |
|
|
In some specific scenarios, object optimizer can cause incorrect rules to be deployed to the device |
|
|
ASA in multi context shows standby device in failed stated even after MIO HB recovery. |
|
|
ASA integration with umbrella does not work without validation-usage ssl-server. |
|
|
ASA traceback and reload with the Thread name: **CP Crypto Result Processing** |
|
|
Firewall may drop packets when routing between global or user VRFs |
|
|
Standby FMC SSH connection getting disconnected frequently. |
|
|
ASA access-list entries have the same hash after upgrade |
|
|
Virtual FDM Upgrade fails: HA configStatus='OUT_OF_SYNC after UpgradeOnStandby |
|
|
FMC Fails to deploy or register new FTDs due to SFTunnel Establishment Failure. |
|
|
Snort3 crash after the consequent snort restart if duplicate custom apps are present |
|
|
FTD: GRE traffic is load balanced between CPU cores |
|
|
SFTunnel Fails to Properly Establish due to running_config.conf file misconfiguration |
|
|
ASA: Traceback and reload while updating ACLs on ASA |
|
|
FMC should handle error appropriately when ISE reports error during SXP download |
|
|
AnyConnect Ikev2 Login Failed With certificate-group-map Configured |
|
|
FMC UI related issue in Object management page |
|
|
ASA/FTD may traceback and reload citing process name "lina" |
|
|
NMAP Remediation scan tasks remain in pending state in action queue table, does not clear out |
|
|
Traceback in Thread Name: ssh/client in a clustered setup |
|
|
Adding verify check for networks added under network object group in FMC |
|
|
Old LSP packages are not pruned causing high disk utilization |
|
|
CSM backup failed due to modification of CSM audit log file while tar was reading it |
|
|
VPN load-balancing cluster encryption using deprecated ciphers |
|
|
ASA/FTD: Traceback and reload when issuing 'show memory webvpn all objects' |
|
|
FXOS SNMP "property community of sys/svc-ext/snmp-svc is out of range" is unclear to users |
|
|
FTD username with dot fails AAA-RADIUS external authentication login after upgrade |
|
|
Reduce time taken to clear stale IKEv2 SAs formed after Duplicate Detection |
|
|
FMC config archives retention reverts to default if ca_purge tool was used prior to 7.2.4 upgrade |
|
|
TelemetryApp process keeps exiting every minute after upgrading the FMC |
|
|
KP2140-HA, reloaded primary unit not able to detect the peer unit |
|
|
FTD/Lina - ZMQ issue OUT OF MEMORY. due to less Msglyr pool memory in low end platforms |
|
|
ASA generating traceback with thread-name: DATAPATH-53-18309 after upgrade to 9.16.4.19 |
|
|
Health Monitoring to NOT collect route stats for transparent mode FTD |
|
|
FMC needs to properly validate QoS policy rules before allowing deployment to FTD |
|
|
FTDv Single-Arm Proxy behind AWS GWLB drops due to geneve-invalid-udp-checksum. |
|
|
Unable to list down the interface under the device exclude policy |
|
|
Cisco ASA and FTD ACLs Not Installed upon Reload |
|
|
FTD Lina engine may traceback, due to assertion, in datapath |
|
|
Avoid both the devices in HA sends events to FMC |
|
|
FTD is dropping GRE traffic from WSA due to NAT failure |
|
|
Include a warning during break HA when secondary unit is active |
|
|
ASA appliance mode - 'connect fxos [admin]' will get ERROR: failed to open connection. |
|
|
FMC 1600 process ssp_snmp_trap_fwdr high memory utilization |
|
|
FTD: Firepower 3100 Dynamic Flow Offload showing as Enabled |
|
|
Unable to configure and deploy IPv6 DNS server for RAVPN in FMC 7.2.4 |
|
|
Policy deployment fails when a route same prefix/metric is configured in a separate VRF. |
|
|
Disable TLS 1.1 permanently for sftunnel communication |
|
|
[Snort 3] IPS Policy Overrides not working on Chained Intrusion Policies |
|
|
FMC GUI | ACP page gets blank and hang while doing search in rules and moving to last pages |
|
|
Copy of Policy causes all devices to be marked as dirty |
|
|
ASA/FTD: Traceback and reload due to NAT L7 inspection rewrite |
|
|
Cisco Firepower Management Center Software SQL Injection Vulnerability |
|
|
EOStore failed error is outputted after deleting shared rule layer. |
|
|
Encrypted Visibility Engine (EVE) dashboard tab and widgets not added to FMC GUI upon upgrade |
|
|
The authentication object names should not contain white spaces |
|
|
FTD - Issue with the LSP package code during deploy rollback. |
|
|
Unable to save intrusion policy after upgrade to 7.x as the name exceeds 40 characters |
|
|
Rule update filter in Intrusion policy shows inconsistent results |
For Assistance
Upgrade Guides
In Firewall Management Center deployments, the Firewall Management Center must run the same or newer maintenance (third-digit) release as its managed devices. Upgrade the Firewall Management Center first, then devices. Use the upgrade guide for the version you are currently running—not your target version.
|
Platform |
Upgrade Guide |
Link |
|---|---|---|
|
Firewall Management Center |
Firewall Management Center version you are currently running. |
https://cisco.com/go/fmc-upgrade |
|
Firewall Threat Defense with Firewall Management Center |
Firewall Management Center version you are currently running. |
https://cisco.com/go/ftd-fmc-upgrade |
|
Firewall Threat Defense with device manager |
Firewall Threat Defense version you are currently running. |
https://cisco.com/go/ftd-fdm-upgrade |
|
Firewall Threat Defense with Cloud-Delivered Firewall Management Center |
Cloud-Delivered Firewall Management Center. |
Install Guides
If you cannot or do not want to upgrade, you can freshly install major and maintenance releases. This is also called reimaging. You cannot reimage to a patch. Install the appropriate major or maintenance release, then apply the patch. If you are reimaging to an earlier Firewall Threat Defense version on an FXOS device, perform a full reimage—even for devices where the operating system and software are bundled.
|
Platform |
Install Guide |
Link |
|---|---|---|
|
Firewall Management Center hardware |
Getting started guide for your Firewall Management Center hardware model. |
|
|
Firewall Management Center Virtual |
Getting started guide for the Firewall Management Center Virtual. |
|
|
Firewall Threat Defense hardware |
Getting started or reimage guide for your device model. |
|
|
Firewall Threat Defense Virtual |
Getting started guide for your Firewall Threat Defense Virtual version. |
|
|
FXOS for the Firepower 4100/9300 |
Configuration guide for your FXOS version, in the Image Management chapter. |
|
|
FXOS for the Firepower 1000/2100 and Secure Firewall 3100/4200 |
Troubleshooting guide, in the Reimage Procedures chapter. |
Cisco FXOS Troubleshooting Guide for the Firewall Threat Defense |
More Online Resources
Cisco provides the following online resources to download documentation, software, and tools; to query bugs; and to open service requests. Use these resources to install and configure Cisco software and to troubleshoot and resolve technical issues.
-
Documentation: https://cisco.com/go/threatdefense-74-docs
-
Cisco Support & Download site: https://cisco.com/c/en/us/support/index.html
-
Cisco Bug Search Tool: https://tools.cisco.com/bugsearch/
-
Cisco Notification Service: https://cisco.com/cisco/support/notifications.html
Access to most tools on the Cisco Support & Download site requires a Cisco.com user ID and password.
Contact Cisco
If you cannot resolve an issue using the online resources listed above, contact Cisco TAC:
-
Email Cisco TAC: tac@cisco.com
-
Call Cisco TAC (North America): 1.408.526.7209 or 1.800.553.2447
-
Call Cisco TAC (worldwide): Cisco Worldwide Support Contacts
Feedback