Cisco Secure Firewall Threat Defense Release Notes
This document contains release information for:
- Cisco Secure Firewall Threat Defense
- Cisco Secure Firewall Management Center (on-prem)
- Cisco Secure Firewall Device Manager
For cloud deployments, see the Cisco Cloud-delivered Firewall Management Center Release Notes or What's New for Firewall in Security Cloud Control.
Release Dates
Version | Build | Date | Platforms: Upgrade | Platforms: Reimage |
---|---|---|---|---|
7.6.2 | 329 | 2025-08-11 | All | All |
7.6.1 | 291 | 2025-06-02 | All | All |
7.6.0 | 113 | 2024-09-16 | All | All |
 | 41 | 2024-06-27 | — | No longer available. |
Compatibility
Before you upgrade or reimage, make sure the target version is compatible with your deployment. If you cannot upgrade or reimage due to incompatibility, contact your Cisco representative or partner contact for refresh information.
For compatibility information, see:
Features
For features in earlier releases, see Cisco Secure Firewall Management Center New Features by Release and Cisco Secure Firewall Device Manager New Features by Release.
Upgrade Impact
A feature has upgrade impact if upgrading and deploying can cause the system to process traffic or otherwise act differently without any other action on your part. This is especially common with new threat detection and application identification capabilities. A feature can also have upgrade impact if upgrading requires that you take action before or after upgrade to avoid an undesirable outcome; for example, if you must change a configuration.
The feature descriptions here include upgrade impact where appropriate. For a more complete list of features with upgrade impact by version, see Upgrade Impact Features.
Features in Maintenance Releases
Features, enhancements, and critical fixes included in maintenance releases (third-digit) and patches (fourth-digit) can skip future releases, depending on release date, release type (short term vs. long term), and other factors. Minimize upgrade and other impact by going directly to the latest maintenance release in your chosen version. See Choosing your upgrade target.
If you are using the web interface in a language other than English, features introduced in maintenance releases and patches may not be translated until the next major release.
Snort Features
Snort 3 is the default inspection engine for Firewall Threat Defense. Snort 3 features for Firewall Management Center deployments also apply to Firewall Device Manager, even if they are not listed as new Firewall Device Manager features. However, keep in mind that the Firewall Management Center may offer more configurable options than Firewall Device Manager.
Important: Snort 2 is deprecated in Version 7.7+, and prevents Firewall Threat Defense upgrade. If you are still using Snort 2 on older devices, switch to Snort 3 for improved detection and performance.
Intrusion Rules and Keywords
Upgrades can import and auto-enable new and updated intrusion rules and preprocessor rules, modified states for existing rules, and modified default intrusion policy settings. If a newer intrusion rule uses keywords that are not supported in your current version, that rule is not imported when you update the SRU/LSP. After you upgrade and those keywords become supported, the new intrusion rules are imported and, depending on your IPS configuration, can become auto-enabled and thus start generating events and affecting traffic flow.
For details on new keywords, see the Snort release notes: https://www.snort.org/downloads.
FlexConfig
Upgrades can add web interface or Smart CLI support for features that previously required FlexConfig. Although you cannot newly assign or create FlexConfig objects using deprecated commands, in most cases existing FlexConfigs continue to work and you can still deploy. However, sometimes, using deprecated commands can cause deployment issues. The upgrade does not convert FlexConfigs. After upgrade, configure the newly supported features in the web interface or Smart CLI. When you are satisfied with the new configuration, delete the deprecated FlexConfigs.
The feature descriptions here include information on deprecated FlexConfigs when appropriate. For a full list of deprecated FlexConfigs, see your configuration guide.
Integrations and Logging
These integrations and logging facilities may have new features associated with threat defense and management center releases:
- Syslog: Cisco Secure Firewall Threat Defense Syslog Messages
- Cisco Success Network: Cisco Success Network Telemetry Data Collected from Cisco Secure Firewall Management Center
- REST API: Secure Firewall Management Center REST API Quick Start Guide and Cisco Secure Firewall Threat Defense REST API Guide
Firewall Management Center Features in Version 7.6.2
This release introduces stability, hardening, and performance enhancements.
Firewall Management Center Features in Version 7.6.1
Feature |
Minimum Management Center |
Minimum Threat Defense |
Details |
---|---|---|---|
Features from Earlier Maintenance Releases |
|||
Features from earlier maintenance releases. |
Feature dependent |
Feature dependent |
Version 7.6.1 also has:
|
Platform Migration |
|||
Migrate select Firepower 4100/9300 models to Secure Firewall 3100/4200. |
7.6.1 |
Any |
You can now easily migrate configurations to the Secure Firewall 3100/4200 from these devices:
|
Device Management |
|||
Add device by registration key using basic initial configuration added to the Device (Wizard) |
7.6.1 7.7.0 |
Any |
You can now use the Device (Wizard) to add a device using a registration key with a basic initial configuration. This functionality is still present on the screen as well. New/modified screens: See: Device Management |
Routing |
|||
BGP AS-Override. |
7.6.1 7.7.0 |
7.6.1 7.7.0 |
Firewall Threat Defense can now overwrite an ASN received from a peer with its own BGP ASN. This allows other routers peering with Firewall Threat Defense to accept advertised prefixes without detecting a loop based on the contents of the AS_PATH attribute. New/modified screens: See: BGP |
Health Monitoring |
|||
Independently configure health monitoring for physical and subinterfaces. |
7.6.1 7.7.0 |
Any |
You can now disable health monitoring for a physical interface while continuing to monitor and receive health alerts for its subinterfaces. You can disable alerts permanently or temporarily. To do this, configure the device for health monitoring exclusion, edit that configuration to enable module-level exclusion, and finally configure exclusion settings for the Interface Settings health module. New/modified screens: System ( Version restrictions: Not supported with Version 7.6.0. See: Health |
View health status for devices in leaf domains while logged into the parent domain. |
7.6.1 7.7.0 |
Any |
In a multidomain deployment, you can now view health status for devices in leaf domains while logged into the parent domain. Version restrictions: Not supported in Version 7.6.0. See: Health |
Upgrade |
|||
Devices with internet access download upgrade packages from the internet. |
7.6.1 7.7.0 |
Any (some restrictions) |
You can now begin device and chassis upgrades without the upgrade package. At the appropriate time, devices will get the package directly from the internet. This saves time and Firewall Management Center disk space. Devices without internet access can continue to get the package from the Firewall Management Center or an internal server. Note that devices try the internal server (if configured) before either the internet or the Firewall Management Center. If the internal server download fails, newer devices with internet access try the internet then the Firewall Management Center, while older devices and devices without internet access just try the Firewall Management Center. (In this context, "newer" means Firewall Threat Defense 7.6+ or chassis 7.4.1+.) Restrictions: Firewall Management Center and devices must be able to access the internet. There is no way to force a device with internet access to try the Firewall Management Center before it tries the internet. Not supported for hotfixes. Download location: https://cdo-ftd-images.s3-us-west-2.amazonaws.com/ See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center |
Integrations |
|||
Umbrella integration with Firewall Management Center over a proxy. |
7.6.1 |
Any |
Umbrella integration with Firewall Management Center now works over a proxy. Version restrictions: Not supported with Version 7.2.0–7.2.10, 7.4.0–7.4.2, 7.6.0, 7.7.0. See: Configuring the Umbrella DNS Connector for Cisco Secure Firewall Management Center |
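The package-source order described in the Upgrade row above, written out as an added example (not Cisco code) that shows which devices may pull the package from the internet and which still need it staged. The inventory is constructed, the function names are hypothetical, and the order for a device with no internal server configured is an assumption (the same order minus the first step).

```python
# Added example, not Cisco code: models the download order stated in the
# 7.6.1 release note for device and chassis upgrade packages.

# Download location quoted in the release note. Devices that may try the
# internet need egress to this host.
S3_HOST = "cdo-ftd-images.s3-us-west-2.amazonaws.com"


def parse_version(text):
    """Turn '7.4.1' into (7, 4, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def is_newer(kind, version):
    """'Newer' per the release note: Threat Defense 7.6+ or chassis 7.4.1+."""
    minimum = {"ftd": (7, 6), "chassis": (7, 4, 1)}
    if kind not in minimum:
        raise ValueError(f"unknown device kind: {kind!r}")
    return parse_version(version) >= minimum[kind]


def download_order(kind, version, has_internet, internal_server):
    """Return the sources a device tries, in order.

    The internal server (if configured) always comes first. Newer devices
    with internet access then try the internet before the management
    center. Everything else goes straight to the management center.
    Assumption: with no internal server, the order is the same minus step 1.
    """
    order = []
    if internal_server:
        order.append("internal server")
    if has_internet and is_newer(kind, version):
        order.append("internet")
    order.append("management center")
    return order


def plan(fleet):
    """Split a fleet into (egress_needed, staging_needed) device names.

    egress_needed: devices that may fetch from S3_HOST, so the perimeter
    must allow it. staging_needed: devices that never try the internet, so
    the package must be on the internal server or the management center.
    """
    egress_needed, staging_needed = [], []
    for dev in fleet:
        order = download_order(
            dev["kind"], dev["version"], dev["has_internet"], dev["internal_server"]
        )
        target = egress_needed if "internet" in order else staging_needed
        target.append(dev["name"])
    return egress_needed, staging_needed


# Constructed inventory for illustration only.
FLEET = [
    {"name": "edge-fw-01", "kind": "ftd", "version": "7.6.1",
     "has_internet": True, "internal_server": False},
    {"name": "branch-fw-07", "kind": "ftd", "version": "7.4.2",
     "has_internet": True, "internal_server": True},
    {"name": "dc-chassis-1", "kind": "chassis", "version": "7.4.1",
     "has_internet": True, "internal_server": True},
    {"name": "lab-fw-02", "kind": "ftd", "version": "7.6.0",
     "has_internet": False, "internal_server": False},
]

if __name__ == "__main__":
    egress, staged = plan(FLEET)
    print(f"Allow egress to {S3_HOST} for: {', '.join(egress)}")
    print(f"Stage the package for: {', '.join(staged)}")
```
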
Firewall Management Center Features in Version 7.6.0
Feature |
Minimum Management Center |
Minimum Threat Defense |
Details |
---|---|---|---|
Features from Earlier Maintenance Releases |
|||
Features from earlier maintenance releases. |
Feature dependent |
Feature dependent |
Version 7.6.0 also has:
|
Platform |
|||
Secure Firewall 1200. |
7.6.0 |
7.6.0 |
We introduced the Secure Firewall 1200, which includes these models:
See: Cisco Secure Firewall CSF-1210CE, CSF-1210CP, and CSF-1220CX Hardware Installation Guide |
Network module for the Secure Firewall 4200. |
7.6.0 |
7.6.0 |
We introduced this network module for the Secure Firewall 4200:
The module is also designed to support 200-Gb, 100-Gb, and 40-Gb per port. It provides full-duplex Ethernet traffic per port. The 400-Gb network module supports two QSFP-DD transceivers and is designed to also support 200-Gb QSFP56, 100-Gb QSFP28, and 40-Gb QSFP+ transceivers. See: Cisco Secure Firewall 4215, 4225, and 4245 Hardware Installation Guide |
Disable the front panel USB-A port on the Firepower 1000 and Secure Firewall 3100/4200. |
7.6.0 |
7.6.0 |
You can now disable the front panel USB-A port on the Firepower 1000 and Secure Firewall 3100/4200. By default, the port is enabled. New/modified Firewall Threat Defense CLI commands: system support usb show, system support usb port disable, system support usb port enable. New/modified FXOS CLI commands for the Secure Firewall 3100/4200 in multi-instance mode: show usb-port, disable USB port, enable usb-port. See: Cisco Secure Firewall Threat Defense Command Reference and Cisco Firepower 4100/9300 FXOS Command Reference |
Public and Private Cloud |
|||
Deploy virtual firewall clusters across multiple AWS availability zones. |
7.6.0 |
7.6.0 |
You can now deploy Firewall Threat Defense Virtual clusters across multiple availability zones in an AWS region. This enables continuous traffic inspection and dynamic scaling (AWS Auto Scaling) during disaster recovery. |
Deploy Firewall Threat Defense Virtual for AWS in two-arm-mode with GWLB. |
7.6.0 |
7.6.0 |
You can now deploy Firewall Threat Defense Virtual for AWS in two-arm-mode with GWLB. This allows you to directly forward internet-bound traffic after traffic inspection, while also performing network address translation (NAT). Two-arm mode is supported in single and multi-VPC environments. Restrictions: Not supported with clustering. See: Cisco Secure Firewall Threat Defense Virtual Getting Started Guide |
IMDSv2 support for AWS deployments. |
7.6.0 |
7.6.0 |
Firewall Threat Defense and Firewall Management Center virtual for AWS now support Instance Metadata Service Version 2 (IMDSv2), a security improvement over IMDSv1. When you enable the instance metadata service on AWS, IMDSv2 Optional mode is still the default, but we recommend you choose IMDSv2 Required. We also recommend you switch your upgraded instances. Platform restrictions: Not available for Firewall Management Center Virtual 300. See: Cisco Secure Firewall Threat Defense Virtual Getting Started Guide and Cisco Secure Firewall Management Center Virtual Getting Started Guide |
Device Management |
|||
Device templates. |
7.6.0 |
7.4.1 |
Device templates allow you to deploy multiple branch devices with pre-provisioned initial device configurations (zero-touch provisioning). You can also apply configuration changes to multiple devices with different interface configurations, and clone configuration parameters from existing devices. Restrictions: You can use device templates to configure a device as a spoke in a site-to-site VPN topology, but not as a hub. A device can be part of multiple hub-and-spoke site-to-site VPN topologies. New/modified screens: Supported platforms: Firepower 1000/2100, Secure Firewall 1200/3100. Note that Firepower 2100 support is for Firewall Threat Defense 7.4.1–7.4.x only; those devices cannot run Version 7.6.0. |
Serial-number registration (zero-touch provisioning) supported from an on-prem Firewall Management Center. |
7.6.0 |
Mgmt. center must be publicly reachable: 7.2.0 Restriction removed: 7.2.4/7.4.0 |
You can now register a device using its serial number from an on-prem Firewall Management Center. With templates (requires Firewall Threat Defense 7.4.1+ on the device), you can register multiple devices at once. This feature was previously known as low-touch provisioning. Requires Cisco Security Cloud. For upgraded Firewall Management Centers, your existing Security Cloud Control integration continues to work until you enable Cisco Security Cloud. New/modified screens: Supported platforms: Firepower 1000/2100, Secure Firewall 1200/3100. Note that Firepower 2100 support is for Firewall Threat Defense 7.4.1–7.4.x only; those devices cannot run Version 7.6.0. See: Device Management |
AAA for user-defined VRF interfaces. |
7.6.0 |
7.6.0 |
A device's authentication, authorization, and accounting (AAA) is now supported on user-defined Virtual Routing and Forwarding (VRF) interfaces. The default is to use the management interface. In device platform settings, you can now associate a security zone or interface group having the VRF interface, with a configured external authentication server. New/modified screens: See: Enable Virtual-Router-Aware Interface for External Authentication of Platform |
Delete is now Unregister on the device management page. |
7.6.0 |
Any |
The Delete menu choice was renamed to Unregister to better indicate that the device, high-availability pair, or cluster is being unregistered from the Firewall Management Center and not deleted from the high availability pair or cluster or having its configuration erased. The device, high-availability pair, or cluster continues to pass traffic until it is re-registered. New/modified screens: See: Device Management |
High Availability/Scalability: Firewall Threat Defense |
|||
Multi-instance mode for the Secure Firewall 4200. |
7.6.0 |
7.6.0 |
Multi-instance mode is now supported on the Secure Firewall 4200. |
Multi-instance mode conversion in the Firewall Management Center for the Secure Firewall 3100/4200. |
7.6.0 |
7.6.0 |
You can now register an application-mode device to the Firewall Management Center and then convert it to multi-instance mode without having to use the CLI. New/modified screens: |
16-node clusters for the Secure Firewall 3100/4200. |
7.6.0 |
7.6.0 |
For the Secure Firewall 3100 and 4200, the maximum nodes were increased from 8 to 16. |
Individual interface mode for Secure Firewall 3100/4200 clusters. |
7.6.0 |
7.6.0 |
Individual interfaces are normal routed interfaces, each with their own local IP address used for routing. The main cluster IP address for each interface is a fixed address that always belongs to the control node. When the control node changes, the main cluster IP address moves to the new control node, so management of the cluster continues seamlessly. Load balancing must be configured separately on the upstream switch. Restrictions: Not supported for container instances. New/modified screens: See: Clustering for the Secure Firewall 3100/4200 and Address Pools |
MTU ping test on cluster node join |
7.6.0 |
7.6.0 |
When a node joins the cluster, it checks MTU compatibility by sending a ping to the control node with a packet size matching the cluster control link MTU. If the ping fails, a notification is generated so you can fix the MTU mismatch on connecting switches and try again. See: Clustering for the Secure Firewall 3100/4200, Clustering for Threat Defense Virtual in a Private Cloud, Clustering for Threat Defense Virtual in a Public Cloud, Clustering for the Firepower 4100/9300 |
SD-WAN |
|||
SD-WAN wizard. |
7.6.0 |
Hub: 7.6.0 Spoke: 7.3.0 |
A new wizard allows you to easily configure VPN tunnels between your centralized headquarters and remote branch sites. New/modified screens: |
Access Control: Threat Detection and Application Identification |
|||
Snort ML: neural network-based exploit detector. |
7.6.0 |
7.6.0 with Snort 3 |
A new Snort 3 inspector, snort_ml, uses neural network-based machine learning (ML) to detect known and 0-day attacks without needing multiple preset rules. The inspector subscribes to HTTP events and looks for the HTTP URI, which in turn is used by a neural network to detect exploits (currently limited to SQL injections). The new inspector is currently disabled in all default policies except maximum detection. A new intrusion rule, GID:411 SID:1, generates an event when the snort_ml detects an attack. This rule is also currently disabled in all default policies except maximum detection. |
Bypass EVE block verdict for trusted traffic. |
7.6.0 |
Any with Snort 3 |
You can now bypass EVE (encrypted visibility engine) block verdicts for known trusted traffic, based on destination network or EVE process name. Connections that bypass EVE in this way have the new EVE Exempted reason. New/modified screens:
|
Easily bypass decryption for sensitive and undecryptable traffic. |
7.6.0 |
Any |
It is now easier to bypass decryption for sensitive and undecryptable traffic, which protects users and improves performance. New decryption policies now include predefined rules that, if enabled, can automatically bypass decryption for sensitive URL categories (such as finance or medical), undecryptable distinguished names, and undecryptable applications. Distinguished names and applications are undecryptable typically because they use TLS/SSL certificate pinning, which is itself not decryptable. For outbound decryption, you enable/disable these rules as part of creating the policy. For inbound decryption, the rules are disabled by default. After the policy is created, you can edit, reorder, or delete the rules entirely. New/modified screens: |
QUIC decryption. |
7.6.0 |
7.6.0 with Snort 3 |
You can configure the decryption policy to apply to sessions running on the QUIC protocol. QUIC decryption is disabled by default. You can selectively enable QUIC decryption per decryption policy and write decryption rules to apply to QUIC traffic. By decrypting QUIC connections, the system can then inspect the connections for intrusion, malware, or other issues. You can also apply granular control and filtering of decrypted QUIC connections based on specific criteria in the access control policy. We modified the decryption policy Advanced Settings to include the option to enable QUIC decryption. |
Allow Cisco Talos to conduct advanced threat hunting and intelligence gathering using your traffic. |
7.6.0 |
7.6.0 with Snort 3 |
Upgrade impact. Upgrade enables telemetry. You can help Talos (Cisco’s threat intelligence team) develop a more comprehensive understanding of the threat landscape by enabling threat hunting telemetry. With this feature, events from special intrusion rules are sent to Talos to help with threat analysis, intelligence gathering, and development of better protection strategies. This setting is enabled by default in new and upgraded deployments. New/modified screens: System ( |
Access Control: Identity |
|||
Passive identity agent for Microsoft AD. |
7.6.0 |
Any |
This feature is introduced. Passive Identity Agent version 1.1 is compatible with 7.6.0 and later and adds the following:
The Passive Identity Agent identity source sends session data from Microsoft Active Directory (AD) to the Firewall Management Center. Passive identity agent software is supported on:
|
Microsoft Azure AD realms for active or passive authentication. |
7.6.0 |
Active: 7.6.0 with Snort 3 Passive: 7.4.0 with Snort 3 |
You can now use Microsoft Azure Active Directory (AD) realms for active and passive authentication:
We use SAML (Security Assertion Markup Language) to establish a trust relationship between a service provider (the devices that handle authentication requests) and an identity provider (Azure AD). Upgrade impact. If you had a Microsoft Azure AD realm configured before the upgrade, it is displayed as a SAML - Azure AD realm configured for passive authentication. All previous user session data is preserved. New/modified screens: New/modified CLI commands: none |
New connectors for Cisco Secure Dynamic Attributes Connector. |
7.6.0 |
Any |
Cisco Secure Dynamic Attributes Connector now supports AWS security groups, AWS service tags, and Cisco Cyber Vision. Version restrictions: For on-prem Cisco Secure Dynamic Attributes Connector integrations, requires Version 3.0. See: AWS service groups connector, AWS service tags connector, Cisco Cyber Vision connector |
Easily configure an ISE identity source. |
7.6.0 |
7.6.0 |
The system can use External RESTful Services (ERS) Operator user credentials to log into a Cisco ISE Primary Authentication Node (PAN), download certificates, and configure the identity source. Restrictions: Not supported for ISE-PIC. |
Event Logging and Analysis |
|||
MITRE and other enrichment information in connection events. |
7.6.0 |
7.6.0 with Snort 3 |
MITRE and other enrichment information in connection events makes it easy to access contextual information for detected threats. This includes information from Talos and from the encrypted visibility engine (EVE). For EVE enrichment, you must enable EVE. Connection events have two new fields, available in both the unified and classic event viewers:
The new Talos Connectivity Status health module monitors Firewall Management Center connectivity with Talos, which is required for this feature. For the specific internet resources required, see Internet Access Requirements. See: Connection and Security-Related Connection Event Fields |
Easily filter unified events by event type. |
7.6.0 |
Any |
The unified events viewer now has buttons under the Search field that allow you to quickly filter by event type. See: Unified Events |
Health Monitoring |
|||
Collect health data without alerting. |
7.6.0 |
Any |
You can now disable health alerts/health alert sub-types for ASP Drop, CPU, and Memory health modules, while continuing to collect health data. This allows you to minimize health alert noise and focus on the most critical issues. New/modified screens: In any health policy (System ( See: Health |
Apply a default health policy upon device registration. |
7.6.0 |
Any |
You can now choose a default health policy to apply upon device registration. On the health policy page, the policy name indicates which is the default. If you want to use a different policy for a specific device post-registration, change it there. You cannot delete the default device health policy. New/modified screens: System ( |
Deployment and Policy Management |
|||
Policy Analyzer & Optimizer for access control. |
From mgmt. center: 7.6.0 From Security Cloud Control: 7.2.0 |
Any |
The Policy Analyzer & Optimizer evaluates access control policies for anomalies such as redundant or shadowed rules, and can take action to fix discovered anomalies. You can launch the access control Policy Analyzer & Optimizer directly from a Version 7.6+ Firewall Management Center; this requires Cisco Security Cloud. For Versions 7.2–7.4 Firewall Management Centers, use Security Cloud Control. New/modified screens:
See: Identifying and Fixing Anomalies with Policy Analyzer & Optimizer |
Upgrade |
|||
Improved upgrade process for high availability Firewall Management Centers. |
7.6.0 |
Any |
Upgrading high availability Firewall Management Centers is now easier:
Note that although you can complete most of the upgrade process from one peer (we recommend the standby), you do have to log into the second peer to actually initiate its upgrade. New/modified screens: System ( Version restrictions: This feature applies to upgrades from Version 7.6.0 and later, not to 7.6.0. See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center |
Generate and download post-upgrade configuration change reports from the Firewall Threat Defense and chassis upgrade wizards. |
7.6.0 |
Any |
You can now generate and download post-upgrade configuration change reports from the Firewall Threat Defense and chassis upgrade wizards, as long as you have not cleared your upgrade workflow. Previously, you used the Advanced Deploy screens to generate the reports and the Message Center to download them. Note that you can still use this method, which is useful if you want to quickly generate change reports for multiple devices, or if you cleared your workflow. New/modified screens: See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center |
Administration |
|||
Cisco AI Assistant for Security. |
7.6.0 |
Any |
The Cisco AI Assistant for Security can answer questions about your devices and policies and query documentation and reference materials, streamlining your workflow and boosting overall efficiency. Requires Cisco Security Cloud. See: Use Cisco AI Assistant for Security to Manage Your Threat Defense Devices Effectively |
Cisco Security Cloud replaces SecureX. |
7.6.0 |
Any |
Upgrade impact. Enable Cisco Security Cloud after upgrade. Remove the SecureX Firefox Extension. Registering an on-prem Firewall Management Center to the Cisco Security Cloud gives you access to the latest services such as the Cisco AI Assistant for Security, Policy Analyzer & Optimizer, and Cisco XDR Automation (replaces SecureX orchestration). With a Cisco Security Cloud account, you also have a centralized view of your inventory, and can easily perform Zero-Touch Provisioning, establish consistent policies across Firewall Management Centers, send events to the cloud, and enrich your threat hunts and investigations. New/modified screens: Deprecated screens:
See: Integrate Management Center with the Cisco Security Cloud |
Change management ticket takeover; more features in the approval workflow. |
7.6.0 |
Any |
You can now take over another user’s ticket. This is useful if a ticket is blocking other updates to a policy and the user is unavailable. These features are now included in the approval workflow: decryption policies, DNS policies, file and malware policies, network discovery, certificates and certificate groups, cipher suite lists, Distinguished Name objects, Sinkhole objects. See: Change Management |
Reporting usability improvements. |
7.6.0 |
Any |
When including a table in a report, it's now easier to add, delete, sort, and move columns. New/modified screens:
See: Modify Fields in the Report Template Table Format Sections |
New theme for the Firewall Management Center. |
7.6.0 |
Any |
We introduced a new left-hand navigation theme for the Firewall Management Center. To try it, click your user name in the top right corner and select the New theme. We also deprecated the Classic theme. If you were using the Classic theme, the upgrade switches you to the Light theme. |
Subscribe to Cisco newsletters and other product-related communications. |
7.6.0 |
Any |
Provide an email address to receive sales and product renewal conversations, new release adoption newsletters, and other product-related communications from Cisco. Each Firewall Management Center internal user has their own email address. New/modified screens: System ( |
Updated internet access requirements for URL filtering. |
7.6.0 |
Any |
Upgrade impact. The system connects to new resources. The system now requires access to *.talos.cisco.com for URL filtering data. It no longer requires access to regsvc.sco.cisco.com. For a full list of resources required for this feature, see Internet Access Requirements. |
Updated internet access requirements for intrusion rule updates. |
7.6.0 |
Any |
Upgrade impact. The system connects to new resources. The system now requires access to the following resources to download intrusion rules:
It no longer requires access to talosintelligence.com. |
Performance |
|||
Hardware DTLS 1.2 crypto acceleration for the Secure Firewall 3100/4200. |
7.6.0 |
7.6.0 with Snort 3 |
The Secure Firewall 3100/4200 now supports DTLS 1.2 cryptographic acceleration and egress optimization, which improves throughput of DTLS-encrypted and decrypted traffic. This is automatically enabled on new and upgraded devices. To disable, use FlexConfig. New/modified FlexConfig commands: flow-offload-dtls, flow-offload-dtls egress-optimization, show flow-offload-dtls |
Object group search performance enhancements. |
7.6.0 |
Any |
Object group search is now faster and uses fewer CPU resources. New CLI commands: clear asp table network-object, show asp table network-object, debug acl ogs. Modified CLI commands (enhanced output): , packet-tracer, show access-list, show object-group. See: Configure Object Group Search and Cisco Secure Firewall Threat Defense Command Reference |
Troubleshooting |
|||
Troubleshoot Snort 3 performance issues with a CPU and rule profiler. |
7.6.0 |
7.6.0 with Snort 3 |
New CPU and rule profilers help you troubleshoot Snort 3 performance issues. You can now monitor:
New/modified screens: Platform restrictions: Not supported for container instances. See: Advanced Troubleshooting for the Secure Firewall Threat Defense Device |
Receive additional Firewall Threat Defense troubleshooting syslogs, and view them as unified events. VPN troubleshooting syslogs moved. |
7.6.0 |
Any with Snort 3 |
You can now configure Firewall Threat Defense to send all device troubleshooting syslogs (instead of just VPN troubleshooting syslogs) to the Firewall Management Center. New/modified screens:
See: Configure Syslog Logging for Threat Defense Devices and View Troubleshooting Syslogs in the Secure Firewall Management Center |
Application detection debug logs in connection-based troubleshooting. |
7.6.0 |
7.6.0 with Snort 3 |
For connection-based troubleshooting, you can now collect debug logs from application detectors. New/modified CLI commands: debug packet-module appid enables and sets the severity level for application detector debug logs. You can choose 3 (error), 4 (warning), or 7 (debug). See: Connection-Based Troubleshooting and Cisco Secure Firewall Threat Defense Command Reference |
Packet tracer improvements. |
7.6.0 |
Varies. |
Packet tracer improvements allow you to:
New/modified commands:
See: Packet Tracer and Cisco Secure Firewall Threat Defense Command Reference |
Cisco Success Network and Cisco Support Diagnostics are enabled by default. |
7.6.0 |
Any |
Upgrade impact. Upgrade opts into Cisco Success Network and Cisco Support Diagnostics. Cisco Success Network and Cisco Support Diagnostics are now opt-out, instead of opt-in. If you were previously opted out, upgrade changes that. Also, you can no longer opt out when you register the Firewall Management Center to the Cisco Smart Software Manager (CSSM). You can still opt out on . See: Integrate Management Center with the Cisco Security Cloud |
Deprecated Features |
|||
End of support: Firepower 2110, 2120, 2130, 2140. |
— |
7.6.0 |
You cannot run Version 7.6+ on the Firepower 2110, 2120, 2130, or 2140. Although a newer Firewall Management Center can manage older devices, the Version 7.6 documentation only includes features supported in Version 7.6 Firewall Threat Defense. For features that are only supported with older devices, refer to the Firewall Management Center guide that matches your Firewall Threat Defense version. |
End of management support: ASA FirePOWER and NGIPSv. |
7.6.0 |
— |
You cannot manage Classic devices (ASA FirePOWER and NGIPSv) with a Version 7.6+ Firewall Management Center. This is because Classic devices cannot be upgraded past Version 7.0, and a Version 7.6 Firewall Management Center can only manage devices as far back as Version 7.1. New/modified screens: For new and upgraded Firewall Management Centers, Classic-specific configurations and screens are removed. This includes platform settings, NAT, syslog logging, licensing, and so on. In some cases, creating Firewall Threat Defense configurations is quicker because you do not have to begin by selecting a device type. |
Deprecated: Copy upgrade packages ("peer-to-peer sync") from device to device. |
7.6.0 |
7.6.0 |
You can no longer use the Firewall Threat Defense CLI to copy upgrade packages between devices over the management network. If you have limited bandwidth between the Firewall Management Center and its devices, configure devices to get upgrade packages directly from an internal web server. Deprecated CLI commands: configure p2psync enable, configure p2psync disable, show peers, show peer details, sync-from-peer, show p2p-sync-status |
End of support: analytics-only capabilities with the full range of Firewall Threat Defense devices supported with Cloud-Delivered Firewall Management Center. |
Any |
7.2.0 |
If you are co-managing Version 7.0.x devices with Cloud-Delivered Firewall Management Center and an on-prem analytics-only Firewall Management Center, you cannot upgrade the analytics Firewall Management Center to Version 7.6 (which would allow you to add Version 7.6 devices) until you upgrade the older devices to 7.2+, or replace or remove them. See: Cisco Secure Firewall Management Center Compatibility Guide |
Firewall Device Manager Features in Version 7.6.x
Feature |
Description |
---|---|
Platform Features |
|
Secure Firewall 1200. |
We introduced the Secure Firewall 1200, which includes these models:
See: Cisco Secure Firewall CSF-1210CE, CSF-1210CP, and CSF-1220CX Hardware Installation Guide |
Disable the front panel USB-A port on the Firepower 1000 and Secure Firewall 3100. |
You can now disable the front panel USB-A port on the Firepower 1000 and Secure Firewall 3100. By default, the port is enabled. New/modified CLI commands: system support usb show, system support usb port disable, system support usb port enable |
IMDSv2 support for AWS deployments. |
Threat defense virtual for AWS now supports Instance Metadata Service Version 2 (IMDSv2), a security improvement over IMDSv1. When you enable the instance metadata service on AWS, IMDSv2 Optional mode is still the default, but we recommend you choose IMDSv2 Required. We also recommend you switch your upgraded instances to IMDSv2 Required. See: Cisco Secure Firewall Threat Defense Virtual Getting Started Guide |
End of support: Firepower 2110, 2120, 2130, 2140. |
You cannot run Version 7.6+ on the Firepower 2110, 2120, 2130, or 2140. |
Firewall and IPS Features |
|
Object group search performance enhancements. |
Object group search is now faster and uses fewer resources. New CLI commands: clear asp table network-object, show asp table network-group. Modified CLI commands (enhanced output): debug acl logs, packet-tracer, show access-list, show object-group |
Administrative and Troubleshooting Features |
|
Updated internet access requirements for URL filtering. |
Upgrade impact. The system connects to new resources. The system now requires access to *.talos.cisco.com for URL filtering data. It no longer requires access to regsvc.sco.cisco.com. |
Updated internet access requirements for intrusion rule updates. |
Upgrade impact. The system connects to new resources. The system now requires access to the following resources to download intrusion rules:
It no longer requires access to talosintelligence.com. |
Canadian French translation for Firewall Device Manager. |
Firewall Device Manager includes a Canadian French version in addition to English, Chinese, Japanese, and Korean. You must select Canadian French as the browser language. You cannot see the French version by selecting any other type of French. |
Require the Message-Authenticator attribute in all RADIUS responses. |
Upgrade impact. After upgrade, enable for existing servers. You can now require the Message-Authenticator attribute in all RADIUS responses, ensuring that the threat defense VPN gateway securely verifies every response from the RADIUS server, whether for RA VPN or access to the device itself. The Require Message-Authenticator for all RADIUS Responses option is enabled by default for new RADIUS servers. We also recommend you enable it for existing servers. Disabling it may expose firewalls to potential attacks. New CLI commands: message-authenticator-required Version restrictions: Requires Version 7.0.7+ / 7.2.10+ / 7.6.1+ / 7.7.0+. |
Performance Features |
|
Hardware DTLS 1.2 crypto acceleration for the Secure Firewall 3100. |
The Secure Firewall 3100 now supports DTLS 1.2 cryptographic acceleration and egress optimization, which improves throughput of DTLS-encrypted and decrypted traffic. This is automatically enabled on new and upgraded devices. To disable, use FlexConfig. New/modified FlexConfig commands: flow-offload-dtls, flow-offload-dtls egress-optimization, show flow-offload-dtls |
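What the "Require the Message-Authenticator attribute in all RADIUS responses" option in the table above checks on each reply, shown as an added example that is not Cisco's code: a client-side verifier following RFC 2865 (Response Authenticator) and RFC 3579 (Message-Authenticator, HMAC-MD5 keyed with the shared secret). The function names, the shared secret, and the sample packets are constructed for illustration.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80   # attribute type, RFC 3579
REPLY_MESSAGE = 18           # attribute type, RFC 2865
ACCESS_ACCEPT = 2            # packet code, RFC 2865


def iter_attributes(packet):
    """Yield (type, value_offset, value_length) per attribute, validating lengths."""
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("bad attribute length")
        yield attr_type, pos + 2, attr_len - 2
        pos += attr_len


def verify_response(packet, request_authenticator, secret, require_ma=True):
    """Return (accepted, reason) for a response to a request this client sent."""
    if len(packet) < 20:
        return False, "short packet"
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False, "length mismatch"

    # Response Authenticator: MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    expected = hashlib.md5(
        packet[:4] + request_authenticator + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return False, "bad response authenticator"

    try:
        found = [(off, ln) for t, off, ln in iter_attributes(packet)
                 if t == MESSAGE_AUTHENTICATOR]
    except ValueError as exc:
        return False, str(exc)

    if not found:
        # This branch is what the "required" setting changes.
        if require_ma:
            return False, "missing message-authenticator"
        return True, "accepted without message-authenticator"
    if len(found) != 1 or found[0][1] != 16:
        return False, "malformed message-authenticator"

    # HMAC-MD5 over the packet with the Request Authenticator in the
    # authenticator field and the attribute value replaced by 16 zero bytes.
    off = found[0][0]
    scratch = bytearray(packet[:4] + request_authenticator + packet[20:])
    scratch[off:off + 16] = bytes(16)
    mac = hmac.new(secret, bytes(scratch), hashlib.md5).digest()
    if not hmac.compare_digest(mac, packet[off:off + 16]):
        return False, "bad message-authenticator"
    return True, "accepted"


def build_response(code, ident, request_authenticator, attributes, secret, with_ma):
    """Constructed test data: build a server reply, optionally signed with the attribute."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attributes)
    if with_ma:
        body = bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16) + body
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    if with_ma:
        mac = hmac.new(secret, header + request_authenticator + body,
                       hashlib.md5).digest()
        body = body[:2] + mac + body[18:]
    response_auth = hashlib.md5(
        header + request_authenticator + body + secret).digest()
    return header + response_auth + body


def demo():
    """Run the verifier over constructed replies and return the verdicts."""
    secret = b"constructed-shared-secret"
    req_auth = bytes(range(16))          # constructed; real clients use random bytes
    reply = (REPLY_MESSAGE, b"ok")
    signed = build_response(ACCESS_ACCEPT, 7, req_auth, [reply], secret, True)
    unsigned = build_response(ACCESS_ACCEPT, 7, req_auth, [reply], secret, False)
    # Valid Response Authenticator, but the attribute value was never computed.
    wrong = build_response(ACCESS_ACCEPT, 7, req_auth,
                           [(MESSAGE_AUTHENTICATOR, bytes(16)), reply], secret, False)
    return {
        "signed": verify_response(signed, req_auth, secret),
        "unsigned_required": verify_response(unsigned, req_auth, secret),
        "unsigned_optional": verify_response(unsigned, req_auth, secret, require_ma=False),
        "wrong_ma": verify_response(wrong, req_auth, secret),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

With the requirement off, the unsigned reply is accepted on the MD5 Response Authenticator alone; with it on, the same reply is rejected before any of its attributes are trusted.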
Upgrade Impact Features
A feature has upgrade impact if upgrading and deploying can cause the system to process traffic or otherwise act differently without any other action on your part. This is especially common with new threat detection and application identification capabilities. A feature can also have upgrade impact if upgrading requires that you take action before or after upgrade to avoid an undesirable outcome; for example, if you must change a configuration.
Important |
Minimize upgrade and other impact by going directly to the latest maintenance release in your chosen version. See Choosing your upgrade target. |
Upgrade Impact Features for Firewall Management Center
Target version |
Features with upgrade impact |
---|---|
|
|
|
|
|
|
|
|
|
|
|
Upgrade Impact Features for Firewall Threat Defense with Firewall Management Center
Current version |
Features with upgrade impact |
---|---|
7.6.0 7.4.0–7.4.2 7.3.x 7.2.9 and earlier |
|
7.4.0–7.4.1 7.3.x 7.2.9 and earlier |
|
7.4.0 and earlier |
|
7.3.x and earlier |
|
7.2.x and earlier |
|
7.2.0–7.2.3 7.1.0–7.1.0.2 7.0.4 and earlier |
|
7.1.x and earlier |
|
Upgrade Impact Features for Firewall Threat Defense with Firewall Device Manager
Target version |
Features |
---|---|
|
|
|
|
|
|
|
Upgrade Guidelines
The following sections contain release-specific upgrade warnings and guidelines. You should also check for features and bugs with upgrade impact. For general information on time/disk space requirements and on system behavior during upgrade—which can include interruptions to traffic flow and inspection—see the appropriate upgrade guide: For Assistance.
Upgrade Guidelines for Firewall Management Center
Current Version |
Guideline |
Details |
---|---|---|
Any |
— |
There are no known issues for this version right now, but you should still check for open issues and features with upgrade impact. |
Upgrade Guidelines for Firewall Threat Defense with Firewall Management Center
Current Version |
Guideline |
Details |
---|---|---|
Any |
— |
There are no known issues for this version right now, but you should still check for open issues and features with upgrade impact. |
Upgrade Guidelines for Firewall Threat Defense with Firewall Device Manager
Current Version |
Guideline |
Details |
---|---|---|
Any |
— |
There are no known issues for this version right now, but you should still check for open issues and features with upgrade impact. |
Upgrade Guidelines for the Firepower 4100/9300 Chassis
In most cases, we recommend you use the latest build for your FXOS major version.
For release-specific FXOS upgrade warnings and guidelines, as well as features and bugs with upgrade impact, check all release notes between your current and target version: http://www.cisco.com/go/firepower9300-rns.
Upgrade Path
Planning your upgrade path and order is especially important for large deployments, high availability/clustering, multi-hop upgrades, and situations where you need to coordinate chassis, hosting environment, or other upgrades. Those scenarios, as well as information on revert and uninstall, are covered in more detail in the upgrade guide: For Assistance.
Choosing your upgrade target
Go directly to the latest maintenance release to minimize upgrade and other impact.
Features, enhancements, and critical fixes can skip "future" releases that are ahead by version, but not by release date. For example, if you are up-to-date within major Version A, upgrading to dot-zero Version B can deprecate features and fixes.
If you cannot go to the latest release, at least make sure your current version was released on a date before your target version. In the following table, confirm your current version is listed next to your target version. If it is not, choose a later target.
Current version: confirm yours is listed.

| Target version | Release date | from 7.1 | from 7.2 | from 7.3 | from 7.4 | from 7.6 |
|---|---|---|---|---|---|---|
| to 7.6.2 | 2025-08-11 | 7.1.0 | 7.2.0–7.2.10 | 7.3.0–7.3.1 | 7.4.0–7.4.2 | 7.6.0–7.6.1 |
| to 7.6.1 | 2025-06-02 | 7.1.0 | 7.2.0–7.2.10 | 7.3.0–7.3.1 | 7.4.0–7.4.2 | 7.6.0 |
| to 7.6.0 | 2024-09-16 | 7.1.0 | 7.2.0–7.2.8 | 7.3.0–7.3.1 | 7.4.0–7.4.2 | — |
Upgrading from a patched deployment
Critical fixes in patches (fourth-digit) releases can also skip future releases. If you depend on these critical fixes, verify that your target version contains them. For a full list of release dates, see Cisco Secure Firewall Management Center New Features by Release or Cisco Secure Firewall Device Manager New Features by Release.
Supported upgrades and downgrades
This section summarizes upgrade and downgrade capability. For help with:
-
Choosing an upgrade target, see Choosing your upgrade target.
-
Upgrade and downgrade procedures, including general guidelines, best practices, and troubleshooting, see the upgrade guide for the version you are currently running: https://www.cisco.com/go/ftd-upgrade.
Supported upgrades
This table shows the supported direct upgrades for Firewall Management Center and Firewall Threat Defense software.
Note |
You can upgrade directly to any major (first and second-digit) or maintenance (third digit) release. Patches change the fourth digit only. You cannot upgrade directly to a patch from a previous major or maintenance release. Although a patched device (fourth-digit) can be managed with an unpatched Firewall Management Center, fully patched deployments undergo enhanced testing. |
For the Firepower 4100/9300, the table also lists companion FXOS versions. If a chassis upgrade is required, Firewall Threat Defense upgrade is blocked. In most cases we recommend the latest build in each version; for minimum builds see the Cisco Secure Firewall Threat Defense Compatibility Guide.
| Current version / Target software version | to 7.7 | to 7.6 | to 7.4 * | to 7.3 | to 7.2 | to 7.1 | to 7.0 |
|---|---|---|---|---|---|---|---|
| FXOS version for Firepower 4100/9300 chassis upgrades | to 2.17 | 2.16 | 2.14 | 2.13 | 2.12 | 2.11 | 2.10 |
| from 7.7 | YES | — | — | — | — | — | — |
| from 7.6 | YES | YES | — | — | — | — | — |
| from 7.4 | YES | YES | YES | — | — | — | — |
| from 7.3 | YES | YES | YES | YES | — | — | — |
| from 7.2 | YES | YES | YES | YES | YES | — | — |
| from 7.1 | — | YES | YES | YES | YES | YES | — |
| from 7.0 | — | — | YES | YES | YES | YES | YES |
| from 6.4 | — | — | — | — | — | — | YES |

* You cannot upgrade Firewall Threat Defense to Version 7.4.0, which is available as a fresh install on the Secure Firewall 4200 only, and is not supported with Firewall Device Manager. It removes significant features, enhancements, and critical fixes included in earlier versions. Upgrade to a later release.
Supported downgrades
If an upgrade or patch succeeds but the system does not function to your expectations, you may be able to revert (Firewall Threat Defense upgrades) or uninstall (Firewall Threat Defense and Firewall Management Center patches). For general information, particularly on common scenarios where returning to a previous version is not supported or recommended, see the upgrade guide: https://cisco.com/go/ftd-upgrade.
Bugs
For bugs in earlier releases, see the release notes for those versions. For cloud deployments, see the Cisco Cloud-delivered Firewall Management Center Release Notes.
Important |
We do not list open bugs for maintenance releases or patches. |
Important |
Bug lists are auto-generated once and may not be subsequently updated. If updated, the 'table last updated' date does not mean that the list was fully accurate on that date—only that some change was made. Depending on how and when a bug was categorized or updated in our system, it may not appear in the release notes. If you have a support contract, you can obtain up-to-date bug lists with the Cisco Bug Search Tool. |
Open Bugs in Version 7.6.0
Table last updated: 2024-09-19
Bug ID |
Headline |
---|---|
UDP throughput highly variable on snort reload |
|
low memory/stress causing block double free and reload |
|
FMC - SDWAN - Same IKE identity issues between multiple topologies |
|
CSCwk48461 |
Cannot create 1024 subinterfaces on Secure Firewall 1200 when unnamed interfaces/etherchannels exist |
SDWAN: Same spoke in another topology with different community causes issues in route redistribution |
|
CSCwk90798 |
FMC HA role switch secondary FMC does not get event configuration and threat hunting is lost on FTD |
CSCwk98275 |
Unable to trigger second immediate backup after first scheduled backup completed |
Traffic on port-channel/port-channel subinterfaces not working with device template registration |
|
CSCwm38714 |
Change management: Error in save of SD-WAN topology if security zone is added inline in the wizard |
Break FTD-HA pair fails on MI app |
|
CSCwm44162 |
Child domain template adding through Global Device wizard page is not working |
CSCwm44656 |
Erroneous message - Interface 'management0' has no link - during device onboarding |
Edit configuration on Secure Firewall 3100 L3 Cluster fails with BGP enabled |
|
Policy deploy failing constantly after changing interface nameif if interface used in SAML CP rule |
|
Policy deployment failing constantly on Secure Firewall cluster data node post cluster break |
|
Secure Firewall 1200: sma reported fault: Lina has started, but is not yet running |
|
SSL Server check-box is missing only in default new theme for Device- >Certificates- > Add New Cert |
Resolved Bugs in Version 7.6.2
Resolved Security Bugs in Version 7.6.2
Table last updated: 2025-08-11
Bug ID |
Headline |
---|---|
External auth login with RADIUS to FMC UI may fail if Class attribute is used |
|
FMC RADIUS external authentication access requests missing 6 attributes after FMC upgrade |
Resolved Functional Bugs in Version 7.6.2
Table last updated: 2025-08-11
Bug ID |
Headline |
---|---|
Upgrading a standalone 2110 from 6.6.7-223 to 7.2.8-25 causes "Interface Modified" alert on FMC |
|
Intf Link down (Init, mac-link-down) seen - EtherChannel Membership in Down/Down/Down state after unplug/replug of the cable |
|
Ensure the watchdog triggers even if a single snort3 thread becomes unresponsive. |
|
The NAS-IP-Address attribute is missing from the Access-Request in FMC |
|
FTD MI: SNMP polling fails to work after upgrade |
|
Tmatch memory is mostly consumed by ARP-DP. |
|
FTD: Injected/Trimmed packets dropped by LINA due to invalid-ip-length |
|
standby FMC may fail to copy Talos certificate from active FMC to replace expired/missing cert |
Resolved Bugs in Version 7.6.1
Table last updated: 2025-06-02
Bug ID |
Headline |
---|---|
OpenPrinting CUPS is a standards-based, open source printing system fo |
|
A flaw was found in GLib. GVariant deserialization fails to validate t |
|
A flaw was found in GLib. GVariant deserialization is vulnerable to a |
|
A flaw was found in glib, where the gvariant deserialization code is v |
|
A flaw was found in GLib. The GVariant deserialization code is vulnerable |
|
A flaw was found in GLib. GVariant deserialization is vulnerable to an |
|
An issue in the CPIO command of Busybox v1.33.2 allows attackers to ex |
|
A memory leak flaw was found in Libtiff's tiffcrop utility. This issue |
|
LibTIFF is vulnerable to an integer overflow. This flaw allows remote |
|
A vulnerability was found in libtiff due to multiple potential integer |
|
An issue was discovered in the Linux kernel through 6.5.9. During a ra |
|
Twisted is an event-based framework for internet applications. Prior t |
|
cryptography is a package designed to expose cryptographic primitives |
|
This flaw allows a malicious HTTP server to set "super cookies" in cur |
|
A vulnerability was found in GnuTLS. The response times to malformed c |
|
linux-pam (aka Linux PAM) before 1.6.0 allows attackers to cause a den |
|
copy_params in drivers/md/dm-ioctl.c in the Linux kernel through 6.7.1 |
|
unzip 5.52 is from 2005 is contains multiple vulnerabilities |
|
Vim before 9.0.2142 has a stack-based buffer overflow due to a set language map error |
|
A DMA reentrancy issue leading to a use-after-free error was found in |
|
A heap-buffer-overflow vulnerability was found in LibTIFF, in extractI |
|
Deployment failures seen on FDM related to static routes or ACLs |
|
FMC - plain-text passwords for External Authentication Profile "Radius Server Key" |
|
In the Linux kernel, partitioning error existed CVE-2023-52458 |
|
In the Linux kernel, the following vulnerability has been resolved: e |
|
In the Linux kernel, the following vulnerability has been resolved: s |
|
In the Linux kernel, the following vulnerability has been resolved: m |
|
In the Linux kernel, the following vulnerability has been resolved: d |
|
A flaw was found in GnuTLS. The Minerva attack is a cryptographic vuln |
|
A flaw has been discovered in GnuTLS where an application crash can be |
|
nscd: Stack-based buffer overflow in netgroup cache If the Name Servi |
|
nscd: Null pointer crashes after notfound response If the Name Servic |
|
nscd: netgroup cache may terminate daemon on memory allocation failure |
|
nscd: netgroup cache assumes NSS callback uses in-buffer strings The |
|
FTD is not resolving FQDN for ACLs intermittently |
|
Update UI to prevent configuring cipher and/or version filters for Decrypt Resign/Known Key rule |
|
In the Linux kernel, the following vulnerability has been resolved: t |
|
In the Linux kernel, the following vulnerability has been resolved: n |
|
In the Linux kernel, the following vulnerability has been resolved: i |
|
In the Linux kernel, the following vulnerability has been resolved: H |
|
In the Linux kernel, the following vulnerability has been resolved: i |
|
In the Linux kernel, the following vulnerability has been resolved: i |
|
In the Linux kernel, the following vulnerability has been resolved: i |
|
In the Linux kernel, the following vulnerability has been resolved: b |
|
Vulnerabilities in linux-kernel CVE-2023-52435 |
|
Vulnerabilities in linux-kernel CVE-2023-52463 |
|
urllib3 is a user-friendly HTTP client library for Python. When using |
|
FTD and FXOS: RADIUS Protocol Spoofing Vulnerability (Blast-RADIUS): July 2024 |
|
FTD: RADIUS Protocol Spoofing Vulnerability (Blast-RADIUS): July 2024 |
|
FDM: Blast-RADIUS CVE-2024-3596 |
|
FMC: Blast-RADIUS CVE-2024-3596 |
|
BlastRADIUS vulnerability phase-1 fix for pix-asa - Message Authenticator |
|
Custom rule with "metadata:impact_flag red" in Snort3 not detected as Impact Level 1 |
|
In the Linux kernel, the following vulnerability has been resolved: x |
|
In the Linux kernel, the following vulnerability has been resolved: t |
|
In the Linux kernel, the following vulnerability has been resolved: b |
|
vFMC upgrade from 7.6.0-68 to 7.7.0-1358 failed @800_post/890_install_version_masked_apps.pl |
|
In the Linux kernel, the following vulnerability has been resolved: a |
|
In the Linux kernel, for ata: libata-core: Fix null pointer dereference on error |
|
In the Linux kernel, for tcp_metrics: validate source addr length |
|
In the Linux kernel, the following vulnerability has been resolved: c |
|
Jinja is an extensible templating engine. Special placeholders in the |
|
Jinja is an extensible templating engine. The 'xmlattr' filter in affe |
|
Vim is an open source command line text editor. Vim < v9.1.0647 has do |
|
In the Linux kernel, the following vulnerability has been resolved: n |
|
Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.5 |
|
In the Linux kernel, the following vulnerability has been resolved: i |
|
In the Linux kernel, the following vulnerability has been resolved: i |
|
In the Linux kernel, the following vulnerability has been resolved: n |
|
In the Linux kernel, the following vulnerability has been resolved: b |
|
Attempting to edit chassis of multinstance FTD gets "Request Timed Out. Retry after sometime." |
|
A null pointer dereference flaw was found in the hugetlbfs_fill_super |
|
In the Linux kernel, the following vulnerability has been resolved: m |
|
In the Linux kernel, the following vulnerability has been resolved: n |
|
In the Linux kernel, the following vulnerability has been resolved: n |
|
In the Linux kernel, the following vulnerability has been resolved: x |
|
In the Linux kernel, the following vulnerability has been resolved: f |
|
In the Linux kernel, nvme: avoid double free special payload on discard request retry |
|
In the Linux kernel fix a possible io_uring deadlock |
|
In the Linux kernel, the following vulnerability has been resolved: p |
|
In the Linux kernel, the following vulnerability has been resolved: e |
|
In the Linux kernel, the following vulnerability has been resolved: c |
|
FTD Snort3 traceback in daq_pkt_msg |
|
Misconfigured Cross-Origin-Opener-Policy |
|
Additional tab/space added in ACL logging messages in EMBLEM format causing ingestion issues |
|
In the Linux kernel, for filelock: Remove locks reliably when fcntl/close race is detected |
|
In the Linux kernel, within mm: avoid overflows in dirty throttling logic |
|
A flaw was found in the python-cryptography package. This issue may al |
|
In the Linux kernel, the following vulnerability has been resolved: f |
|
In the Linux kernel, the following vulnerability has been resolved: n |
|
In the Linux kernel, for dma: fix call order in dmam_free_coherent dmam_free_coherent() |
|
In the Linux kernel, the following vulnerability has been resolved: d |
|
Fix a Linux kernel file access permissions access check error |
|
In the Linux kernel, the following vulnerability has been resolved: m |
|
Fix linux kernel divide by zero error when calling ioctl TIOCSSERIAL with bad baud rate |
|
FTD Restore Failing because of no space left on the device |
|
In the Linux kernel, the following vulnerability has been resolved: g |
|
In the Linux kernel, the following vulnerability has been resolved: n |
|
In the Linux kernel, the following vulnerability has been resolved: s |
|
In the Linux kernel, the following vulnerability has been resolved: x |
|
In the Linux kernel, the following vulnerability has been resolved: n |
|
In the Linux kernel, the following vulnerability has been resolved: v |
|
In the Linux kernel, the following vulnerability has been resolved: x |
|
In the Linux kernel, the following vulnerability has been resolved: n |
|
In the Linux kernel, the following vulnerability has been resolved: m |
|
In the Linux kernel, the following vulnerability has been resolved: f |
|
An issue was discovered in libexpat before 2.6.3. xmlparse.c does not |
|
In the Linux kernel, the following vulnerability has been resolved: e |
|
In the Linux kernel, the following vulnerability has been resolved: K |
|
In the Linux kernel, the following vulnerability has been resolved: P |
|
Redis is an open source, in-memory database that persists on disk. Aut |
|
Redis is an open source, in-memory database that persists on disk. An |
|
In the Linux kernel, the following vulnerability has been resolved: s |
|
In the Linux kernel, the following vulnerability has been resolved: a |
|
In the Linux kernel, the following vulnerability has been resolved: r |
|
In the Linux kernel, the following vulnerability has been resolved: e |
|
There is a MEDIUM severity vulnerability affecting CPython. Regul |
|
There is a LOW severity vulnerability affecting CPython, specifically |
|
CVE-2022-48975: linux-kernel: In the Linux kernel, the following vuln... |
|
CVE-2024-47659: linux-kernel: In the Linux kernel, the following vuln... |
|
CVE-2024-47660: linux-kernel: In the Linux kernel, the following vuln... |
|
FMC is not pushing no-validation-usage to the trustpoint if user not choosing validation usage type |
|
CVE-2024-38538: linux-kernel: In the Linux kernel, the following vuln... |
|
cdFMC Possible NAT negation during deployment if object being reused in NAT Policy on device & ACL |
|
CVE-2023-52498: linux-kernel: In the Linux kernel, the following vuln... |
|
CVE-2023-52572: linux-kernel: In the Linux kernel, the following vuln... |
|
CVE-2023-52615: linux-kernel: In the Linux kernel, the following vuln... |
|
CVE-2024-26595: linux-kernel: In the Linux kernel, the following vuln... |
|
CVE-2024-46777: linux-kernel: In the Linux kernel, the following vuln... |
|
CVE-2024-47668: linux-kernel: In the Linux kernel, the following vuln... |
|
CVE-2024-47679: linux-kernel: In the Linux kernel, the following vuln... |
|
CVE-2024-47684: linux-kernel: In the Linux kernel, the following vuln... |
|
CVE-2024-47692: linux-kernel: In the Linux kernel, the following vuln... |
|
CVE-2024-47693: linux-kernel: In the Linux kernel, the following vuln... |
|
CVE-2024-47701: linux-kernel: In the Linux kernel, the following vuln... |
|
CVE-2024-47705: linux-kernel: In the Linux kernel, the following vuln... |
|
CVE-2024-47737: linux-kernel: In the Linux kernel, the following vuln... |
|
CVE-2024-47742: linux-kernel: In the Linux kernel, the following vuln... |
|
CVE-2024-49858: linux-kernel: In the Linux kernel, the following vuln... |
|
CVE-2024-49860: linux-kernel: In the Linux kernel, the following vuln... |
|
CVE-2024-49875: linux-kernel: In the Linux kernel, the following vuln... |
|
CVE-2024-49878: linux-kernel: In the Linux kernel, the following vuln... |
|
CVE-2024-49881: linux-kernel: In the Linux kernel, the following vuln... |
|
CVE-2024-49882: linux-kernel: In the Linux kernel, the following vuln... |
|
CVE-2024-49883: linux-kernel: In the Linux kernel, the following vuln... |
|
CVE-2024-49884: linux-kernel: In the Linux kernel, the following vuln... |
|
CVE-2024-49889: linux-kernel: In the Linux kernel, the following vuln... |
|
CVE-2024-49948: linux-kernel: In the Linux kernel, the following vuln... |
|
CVE-2024-49949: linux-kernel: In the Linux kernel, the following vuln... |
|
CVE-2024-49954: linux-kernel: In the Linux kernel, the following vuln... |
|
CVE-2024-49955: linux-kernel: In the Linux kernel, the following vuln... |
|
CVE-2024-49959: linux-kernel: In the Linux kernel, the following vuln... |
|
CVE-2024-26958: linux-kernel: In the Linux kernel, the following vuln... |
|
CVE-2024-49983: linux-kernel: In the Linux kernel, the following vuln... |
|
CVE-2024-49995: linux-kernel: In the Linux kernel, the following vuln... |
|
CVE-2024-50036: linux-kernel: In the Linux kernel, the following vuln... |
|
CVE-2024-50083: linux-kernel: In the Linux kernel, the following vuln... |
|
CVE-2024-50131: linux-kernel: In the Linux kernel, the following vuln... |
|
CVE-2024-50151: linux-kernel: In the Linux kernel, the following vuln... |
|
Lina interface fragment db queue size is incorrectly stuck at 4294967295 - ASA/FTD |
|
Unable to load Extended ACL objects if the count is more than few hundreds |
|
Snort3: Malware Policy not detecting file while performing FTP file transfer via Active FTP |
|
Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici a |
|
Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici c |
|
Undici is an HTTP/1.1 client, written from scratch for Node.js. An attac |
|
FMC API put taking long time to update Extended ACL objects when count is huge like hundreds |
Table last updated: 2025-06-02
Bug ID |
Headline |
---|---|
FTD deployment failing due to "address-pool in use" |
|
Write cache is disabled on some FMC M5 appliances |
|
ENH: Monitor Internal Data interface 'no buffer' counter in Health Monitor > Interfaces |
|
Firepower 1000/2100 may boot to ROMMON mode |
|
Search Feature of Large Access Control Policy Not Able to Find Searched-For Values |
|
Deployment is blocked if custom IPS rules exist and varset variables are missing |
|
FMC to provide health alert 60 days prior to cacert.pem certificate expiry |
|
FMC does not support Umbrella with proxy setting |
|
Wrong extranet device name and type showing in S2SVPN listing page |
|
Snort returns "Blocked by SSL" with no SSL policy. |
|
Banner login does not display when configured |
|
The fxos directory disappears after cancelling show tech fprm detail command with Ctr+c is executed. |
|
Stale anyconnect entries causing issues with routing |
|
Snort3 TCP flow cache entry growth caused by embryonic connection mismanagement |
|
[API] Searching for objects inside groups does not filter in rule editor window |
|
FMC VPN Monitoring Dashboard incorrectly shows Standby FTD as VPN Session owner in HA pair |
|
EIGRP flexconfig migration 7.2.0, no CLIs should not be migrated if they are not the default config |
|
ENH: FMC External Authentication doesn't work for SSH when configured with IPv6. |
|
FMC should not allow to create faulty snort3 rules with unknown characters |
|
[Display]FXOS: PC member interface is shown as down & unassociated/unassigned after reload |
|
Snort3 core while running continuous traffic IMS 7.4.1-73 |
|
FMC Policy Analysis - Broken Redudancy Logic Check |
|
Remote Desktop (RDP) traffic fails with TSID enabled |
|
ASA|FTD: Traceback & reload in thread Name: update_mem_reference |
|
Rule with same name exists when trying to edit ACP rules |
|
Lina core at swapcontext on Standby FTD during policy deployment |
|
Last seen is incorrectly updated in some scenarios in the new UI Users Active Sessions |
|
FMC: Displaying "missing en-US:BGP" via Deployment Preview when BGP Changes have been Reverted |
|
Deployment failed due to missing AnyConnect Profile File |
|
FMC error out Invalid IPv4 Network or Host literal from the group while Adding a network in the ACP |
|
TCP MSS is changed back to the default value when a VTI or loopback interface is created |
|
Misleading Certificate Attribute Checking Under DAP Endpoint Criteria |
|
Device listing taking long due to FTD_HA REST-API delay - Can be seen in loading HealthMon page. |
|
FMC deployment failure due to incorrect error message type sent to FMC |
|
Backup failure message doesn't help the user |
|
Network Risk Report on FMC lacks option to select data source, could cause report generation to fail |
|
Tomcat and Apache maxHeader size should be increased to avoid 413 errors on some FMC pages |
|
FTD - sftunnel unstable connectivity issues when control and event are configured in same subnet |
|
ASA/FTD may traceback and reload in Thread Name 'lina' related to Netflow timer infra |
|
BGP as-override support for all deployments |
|
Deploy doesnt show up on FMC upon merging unmerged diagnostic on FTD-HA |
|
Snort version mismatch between FTD HA peers resulted from a reboot during a snort toggled deployment |
|
Allow additional search capabilities within applications section in Access control policy |
|
Validation required incorrect CLI Access Users in External Auth |
|
ACP rule may not get applied post-deployment/Deployment failure due to FXOS- FTD timezone mismatch |
|
Snort3 traceback and reload due to memory corruption in file module |
|
Some cloud features may not work if FMC SSO feature is toggled ON but not configured |
|
PAT communication via using PAT pool fails for about 40 seconds when a device joins a cluster |
|
cdFMC and onPrem FMC: Device management / listing is showing chassis url for FPR-1K running 7.4.1 |
|
Fail to start a disabled container on chassis reboot and misses to log the activity to Heimdall |
|
Post upgrade to 7.4.2-S2S tunnel status is showing empty |
|
On Slow networks, sftunnel continues to label connections as STALE. |
|
Upgrade FMC fails while running script 120_check_legacy_private_cloud_for_ampkit.pl |
|
Upgrade readiness fails due to snort plugins |
|
Remove SGT frames/packets to allow VTI decryption |
|
FTD cannot obtain the VPN route if answer only is configured with reverse route injection enabled |
|
ASA/FTD May traceback & reload citing Thread Name 'lina' as the faulting thread. |
|
AppIdSessionData causes snort3 to crash 7.2.6 |
|
FTD/LINA may traceback and reload when "show capture" command is executed in EEM script |
|
If conn_meta is null, don't send packet to snort |
|
Trigger Alert/Warning when the associated FQDN IDs of an IP address surpasses the set limit of 8 |
|
WebEx traffic not getting bypassed in snort3 (allow rules) |
|
ASA to FTD migration via FMT causes improper configuration of interface groups in FMC backend config |
|
Zone Based AC rule has missing interface mapping |
|
Virtual ASA/FTD may traceback and reload in thread PTHREAD |
|
TLS1.3 Decryption configuration on SSL policy is affecting DND traffic. |
|
Potential upgrade failure in 800_post/890_install_version_masked_apps.pl |
|
NAT Exemptions in UI will not load when object group is added as protected network |
|
FTD / ASA High Memory Usage Due to HTTP-based Path Monitoring |
|
ENH: FMC support for DHCP relay on VTI/physical interfaces in ECMP zone |
|
App instance stuck in STOP_FAILED with error message |
|
HA-monitored interfaces are going into "waiting" state and subsequently to "Failed" |
|
Terminating Active sessions from new UI Layout throws error- "Error while terminating session" |
|
FMC: API interface settings differ from GUI settings for Diagnostic Interface |
|
ASA: Site-to-Site VPN between contexts on the same device drops traffic due to 'ipsec-tun-down' |
|
ASA/FTD may traceback and reload in Thread Name SSH |
|
FTDv traceback in Thread name - PTHREAD |
|
SDWAN: Same spoke in another topology with different community causes issues in route redistribution |
|
Policy deployment fails due to mismatch in 'ip local pool' command between fmc and lina config |
|
Traffic outage due to 9k block depletion (tcpmod proc) observed on FPR 3100 (HA) |
|
ASA/FTD: Memory Exhaustion due to Threat-Detection |
|
Improve logging for LDAPS SSL errors |
|
FMC : DAP configuration "laggy/hangs" when trying to configure via FMC. |
|
snort2 'ids_event_msg_map' clean up is not happening when import sfo fails during cdFMC migration. |
|
Policy export fails with error "Unable to process the policy information for Export" |
|
FTD upgrade to 7.4.2 via FDM is blocked |
|
Scheduled backups fail to execute on other cluster nodes when there is a change on the control node |
|
CSDAC connectors not coming up after FMC upgrade |
|
Source Port and Destination Port are swapped during the evaluation of SID |
|
'ENDPOINT_TIME_OUT_OF_SYNC' Error Causing SAML Auth to Not Complete |
|
ASA/FTD may traceback and reload in Process Name "lina" after device was reloaded |
|
FTDv50 traceback during normal operation at PTHREAD-8141 spin_lock_fair_mode_enqueue |
|
Critical fault : [FSM:FAILED]: user configuration(FSM:sam:dme:AaaUserEpUpdateUserEp) |
|
Partial configuration gets lost for a HA FTD pair, if FMC connectivity is lost during upgrade |
|
Keep a FMC backup locally until we copy the file to remote server successfully |
|
Search Index shouldn't be failed if any of the port object value is invalid |
|
ASA/FTD may traceback and reload in Thread Name 'strlen' |
|
FTD: Lina might fail to respond to CONFIG_XML_REQUEST leading to stuck deployments |
|
FMC allows uploading a binary certificate in Identity Certificate import |
|
FTD: Username missing in syslog message ID 302013 after upgrade to 7.4.1 |
|
FMC - Predeploy validation should error and block deployment if VPN Certificate is in failed state. |
|
RAVPN Certificate Group Map get removed after it is modified on the FMC |
|
FTD: Process sftunnel exited unexpectedly with a core file generated |
|
Lina traceback and reload in data-path thread |
|
Excessive logging of "vpn:vpn [INFO] device" messages in /var/log/messages file |
|
Unstable HA causing deployment failure |
|
IPv6 Neighbor Discovery failure on shared interface in multi instance setup |
|
FTD upgrade failure due to multiple DB folders in /ngfw/var/cisco/deploy/tmp_bundle/db/ path |
|
CLI "ssl server-max-version" Can't be deployed Via Flex Config |
|
Packet captures from FMC GUI doesn't warn the user about an adverse impact on FTD device performance |
|
Snort AppID incorrectly identifies SSH traffic as Unknown |
|
Snort3 file detection fails with asymmetric traffic in IDS passive mode |
|
VPN Topology status shows No Active Data in the S2S VPN Dashboard |
|
Disable cluster syn cookie decoding when FTD cluster is deployed with inline-set |
|
Continuous loading state and PolicyRPC call remains in pending |
|
Configure manager command hangs without any output on a TPK in native mode (FTD) |
|
Changes in port-channel membership or member status may cause periodic OSPF/EIGRP adjacency flaps |
|
CGroups errors in ASA Syslog during every reboot |
|
df commands are getting stuck at times due to mount storage points |
|
DVTI: Provide info / warning message about interface shut and no shut upon DVTI config modification |
|
Log spam and possible network slowness due to failed dns lookups for syslog server |
|
Change df commands to use local file system only option |
|
Readiness check should be in place for larger undo/ibdata log files |
|
Unsupported characters in Azure Display Name causes errors in Access Control Policy |
|
Correlation Fails to Detect Connection Duration |
|
FTD CLISH/CLI gets locked up when trying to run any show command |
|
SIP traffic is affected due to unexpected behavior with NAT untranslations. |
|
Wrong drops seen with Invalid length for 23, 24 and 25 IE-Types during GTP inspection |
|
ASA/FTD may traceback and reload in Thread Name 'fover_parse' |
|
"custom workflow" GUI shows Error 500 after creating a custom workflow with Chinese description |
|
Browser redirects to blank page when the user clicks the WebVPN bookmark |
|
FMC GUI has a limitation to display only 50 SSH rules for FTD (Under platform settings >> SSH) |
|
QoS policy editor on FMC GUI lacks functional pagination when QoS policy has more than 50 rules |
|
Prefilter policy not getting applied to child ACP when inherited from base policy |
|
The ASA's OSPF routing table is not properly synchronized with the neighbors |
|
Increase timeout for SFTunnel Connection Check requests |
|
Add connection status file for marking slow SFTunnel connections |
|
FTD logs should contain the certificate name or files which are corrupt |
|
SAML Force re-authentication Is Not Enforcing User To re-enter Credentials Upon Retrying To Connect |
|
FMC Does Not Accept Valid IP Range Format in Access List under system configuration settings |
|
Default Group Policy is applied when receiving multiple Group Policies in SAML assertion attributes |
|
FTD Vault process exits every 1 minute: "Process vaultApp (23597) exited normally: 256" |
|
FTD - Multi-Instance, docker0 interface overlap with private network 172.17.0.0/16 |
|
Platform settings policy hidden on UI |
|
SAML Auth Request by FTD Will Always Be Signed By Sha1 Irrelevant Of the Algorithm Configured |
|
hostname/IP Address field does not accept domains ending in a number |
|
FMC4700 displays premature fan speed alerts |
|
LINA may traceback in Thread Name: Datapath with NAT config |
|
FPR3100: Interface may go to half duplex speed is hardcoded to 100mbps |
|
FTD Secondary Unit got stuck in Bulk sync state. |
|
After FMC upgrade results in standby FTDv losing its performance tier for FTD HA |
|
Crash handler notification for snort3 failure not being sent in MI setup. |
|
ASA/FTD will allow local IP pool with invalid netmask |
|
NAT Rules Before deleted when policy is saved on FMC |
|
REST Calls from CDO to cdFMC are failing randomly with null/empty response |
|
Objects get duplicated when policy imported using 'Replace Existing' option |
|
TACACS+ traffic is dropped by TLS Server Identity in XTLS module |
|
S2S VPN config removed unexpectedly after deployment |
|
PDTS write from Daq can fail when PDTS buffer is full and it would eventually lead block depletion |
|
File Download fails intermittently with malware & file policy configured |
|
FTD wizard on active HA FMC show an error message that refers the other manager as "analytics FMC" |
|
Serviceability to capture PDTS writing/reading block to help root cause CSCwm36314 |
|
FTD/ASA may traceback and reload in DATAPATH thread |
|
Dynamic Site-to-Site tunnels stuck in IN-NEG state When IKE_AUTH Is Missed |
|
Child domain template adding through Global Device wizard page is not working |
|
FTD inline-set ignore reverse flag for inject/rewrite |
|
FTD upgrade may fail in 901_reapply_sensor_policy.pl if policy_deployment.db is corrupt/unavailable |
|
ID attribute of other device during copying config via REST API POST can remove original config |
|
FMC Deployment Failure When Modifying NAT Policy with Block Allocation and Round-Robin Enabled |
|
FMC: Unable to save interface config as save button is greyed out |
|
ENH: Provide option independently enable/disable HM for physical and sub interfaces |
|
FXOS fault F1738 seen in deployment with Error: CSP_OP_ERROR. CSP signature verification error |
|
DNS settings removed in post-upgrade deployment |
|
ASA Traceback and Reload due to MEMORY CORRUPTION WAS DETECTED |
|
enhance sma 2nd cruz heartbeat logging |
|
ha-mode graceful-restart is missing in advanced preview |
|
ASA/FTD: Inbound IPsec packets are dropped when IPsec offload is enabled with VTI and sub-interface |
|
100GB interface flaps with Innolight QSFPs in both ends |
|
SSL Server check-box is missing only in default new theme for Device->Certificates-> Add New Cert |
|
SSH access with public key authentication fails after FXOS upgrade |
|
Deployment transcript showing "Enable management access: false" |
|
Not able to remove or clear Fault "The password encryption key has not been set." |
|
FMC Upgrade Fails at 39% 600_schema/103_csm_cfgdbmigration.sh |
|
ASA/FTD may traceback and reload in Thread Name "fover_parse" |
|
TPK Low End FPR3100:Changing interface speed from 1g to 100mbps/100mps to 1g bring downs the link |
|
FMC Health Policy doesn't have an export import button since version 7.4.x |
|
show run access-list command returns warning |
|
Issues with extdb Omniquery execution |
|
Snort3 crash on TLS cert have same issuer and common name,but sign algo and public key are different |
|
FMC AzureAD User/Groups Download Failing: too many SQL variable |
|
SQLNet traffic getting dropped intermittently in Clustering data unit. |
|
ASA/FTD: RA VPN tunnel causing memory leak leading to traceback & Reload |
|
EventHandler can block when multiple SSE consumers are enabled |
|
DAP Cert Serial Number check field should be freeform instead of hex format on FMC |
|
Set Weight option missing in UI when FTD sensor reverted and re-upgraded |
|
FTD - Missing routes on BGP advertised-routes after FTD HA failover event |
|
Incompatible members warning message after Po member interface flaps unable to rejoin Po |
|
Snort 3 rules display discrepancy in the GUI of FMC. |
|
Refresh of Inventory shows incorrect message "Device is not reachable" when sftunnel is UP |
|
FMC DHCP Relay Agents and Servers doesn't show in the UI or allow any changes |
|
In RAVPN policy edit action getting stuck, when editing LDAP attribute maps |
|
ASA traceback and reload on thread snmp_inspect |
|
FMC not sending/synchronizing the RADIUS config file to the FTDs |
|
Unable to login to FMC via external LDAP User post FMC Migration. |
|
VDB upgrade is failing on longevity setup |
|
ASA traceback and reload due to stack overflow while using APCF file |
|
ASA traceback and reload on thread DATAPATH when processing gtpv1 end marker msg for PDP |
|
Global search of the objects not working due to stale domain id reference |
|
FTD Lina process is brought down if mysql/mariadb is restarted for any reason post FTD startup |
|
Snort3 blocking ESMTP traffic intermittently and trigger IPS signatures 124:3:2 and 124:1:2 |
|
NAT traps have to be rate-limited |
|
Scheduled tasks do not run when interval is set to 24 hours but do when set to 1 days |
|
FMC/FTD: Policy Deployment Fails For Existing FTDv Deployments on Cloud with VNI interfaces |
|
Policy Deployment Hung at 5/8% Deployment - Collecting policies and objects |
|
On cdFMC FTD-HA pair standby node has stale Interface status health alert |
|
Potential High CPU usage in Multi-Context Cluster setup with unconditional execution of capture code |
|
SFDataCorrelator cores while calling DCEControlMessageReconfigure |
|
External auth (Radius) User unable to login to FTD due to mismatched cases during initial login |
|
[ENH] Alert user that FDM is not Supported for FTDv in Openstack if they try to enable it |
|
FMC does not clear old Intrusion Policy recommendations when they are regenerated |
|
Registration Cleanup Should NOT Run if the peers Directory Cannot Be Opened |
|
FMC Remote Storage Error: Use of uninitialized value $^WARNING_BITS in bitwise xor (^) |
|
ASA/FTD may traceback and reload in Thread Name "IKEv2 Daemon" while joining failover |
|
Secondary FMC indicates the FTD is still upgrading, despite the upgrade being completed. |
|
ENH: FMC API: Threat Defense Upgrade Options skip automatic generating of troubleshooting files |
|
PBR with default next-hop not allowed without next hop |
|
FMC is sending a wrong value for engineID in SNMPv3 traps |
|
'no capture /all' failed to disable capture completely in the backend, causing high datapath CPU |
|
Deployment failed with the reason "Error-no dhcpd enable inside" |
|
GTP inspection drops packet with error ERROR-DROP:MsgType:32 |
|
LINA core observed pointing to "IP RIB Update" thread |
|
FMCv is incompatible with certain KVM hypervisor software versions |
|
Identity Mapping Filter shows blank, even though there is a selected network object. |
|
ADI crashes on FTD due to both FMC ADIs going unmuted |
|
Copy/Paste for a rule on any UI page other than page 1 results in policy UI loading back to page 1. |
|
FTD device stuck in rommon mode after pressing reset button |
|
Cluster assigning wrong nat for unit, traffic not being forwarded properly back to unit |
|
ASA/FTD traceback and reload with high rate of SIP connections |
|
TCP Conn not being flagged as Half-Closed after receiving the ACK for the FIN. |
|
Memory Blocks 80 and 9344 leak due to priority-queue |
|
GTP inspection not allowing GTP data packets if session create response has cause type 18 |
|
When capture enabled on cluster interface, it always includes CCL IP along with the configured rule |
|
Unity style enrollment after registering to the AMPkit portal |
|
ASA/FTD may traceback and reload in Thread Name 'SSH Ctxt Thread' |
|
FTD HA active node interfaces went down after failed policy deploy |
|
FTD syslog-over-TLS allowing too many curves in CC mode |
|
Use of Named interface in SLA Monitor causing cdFMC migration failure |
|
vertical scroll bar missing in Available Rules modal in correlation policy editor in most UI themes |
|
Connection events are not seen on FMC UI for vFTD after ZeroMQ send error |
|
FlexConfig objects Policy_Based_Routing and Policy_Based_Routing_Clear cause deployment failure |
|
ADI on FTD does not stop after a crash |
|
FPR9K-SM-56 module intermittently lock up and cause traffic impact. |
|
ASA upgrade failing from 9.20.2.21 to the target version 9.20.3.4 |
|
Intrusion rule recommendations fail to apply when "Generate" option is used and then applied later |
|
Bind ESP to VTI Tunnel Source Interface To Avoid Additional Route-Lookup Post Encryption |
|
FTD cluster to traceback and reload after extended PAT is enabled |
|
Validation errors after updating Hub and Spoke topology. |
|
ASA/FTD may traceback and reload in Thread Name 'ldap_client_thread' |
|
FTD reload with traceback on swapcontext function |
|
ASA/FTD may traceback and reload in Thread Name 'cli_xml_request_process'. |
|
cdFMC- Post device migration deployment validation indicates security zones are missing interfaces |
|
Memory fragmentation resulted in huge pages unavailable for lina |
|
Unable to add Data nodes to Existing Cluster setup during cluster app-sync phase |
|
Critical health alert, module SMART_LICENSE Smart Licensing Agent is not running |
|
Admin users are prompted to change local password when authenticating to external server |
|
HA would bring data interfaces up while moving from cold standby to failed state |
|
Large number of stale revisions in CloudConfig affects FMC performance. |
|
ASA may traceback and reload in Thread Name 'ssh' |
|
Discrepancy in VPN bytes with RA VPN user activity report |
|
FTD: Management0/0 status went down, line protocol is up after upgrade |
|
GTPv2 IE-type 157 (Signaling Priority Indication) is dropped with reason as unknown IE type |
|
Can't delete IPS policy when Workflow Mode is enabled |
|
FTD: Snort AppID Misclassifies NetBIOS-ssn Traffic as Unknown |
|
Push messages including UMS are broken when the FMC is reached on port 443 |
|
ASA booting process may freeze when including 'no pim' or 'no igmp' config |
|
FTD/ASA May Traceback and Reload - During Deployment / Radius changes - Due to Radius Packets |
|
Jumbo frame packets are being fragmented |
|
Generic error thrown when a user tries to access Packet-Capture page |
|
Radius user ssh login fails with error: username is not defined with a service type that is valid |
|
Snort3 crash in js norm with out-of-range exception during unescaping |
|
Traceback and reload due to webvpn dtls flow offload enabled |
|
MI: Instances going in split brain when assigned RP with CPU cores between 14-70 on FPR42xx |
|
FTD may traceback and reload in Thread Name "FPRLI_FPR4K-SM-32" |
|
Monitored interfaces may go in waiting state after upgrade to 9.20.3.7 |
|
Firewall not initiating TCP request even after receiving the TC bit set in DNS response |
|
Multiple Unicorn Admin Handler processes consume all the control plane CPU. |
|
Serviceability : FQDN Packet based debug and capture trace support |
|
Internal error seen when trying to include domains in dynamic split tunneling of custom attribute |
|
Undefined value in port object on access policy page with new UI |
|
Deployment fails on 55recalculate_arc.pl when resizing instance cores |
|
FTD Deployment Resilience: Skip non-critical / non-existing commands to avoid deployment failures. |
|
HA should prevent honouring failover requests while copy/config-sync/rollback is in progress |
|
SAML SSO Test Configuration and SSO login doesn't work even after a successful configuration |
|
MI: Traffic fails to reach the Secondary FTD when enabled with data-sharing interface |
|
MI: Vlan info is not applied at FXOS level when Virtual MAC is configured |
|
Implementing forwarder flow on non-owner units handling distributed secondary flow connections |
|
recurring GeoDB updates may fail to install when scheduled at the same time of day as rule updates |
|
FXOS - Download command generates an extra "/" over HTTP and HTTPS GET requests |
|
Coverity System SA warnings 2024-09-09, Coverity Defects 922530 922529 922528 922630 921809 921808 |
|
S2S VPN tunnel Child SA unsuccessful renegotiation |
|
ASA 21xx: 'sh environment temperature' shows incorrect temperature values |
|
FMC UI becomes unresponsive when converting and downloading Snort 2 rules |
|
LINA may observe random traceback with Netflow configured |
|
Misleading information message in decryption policy creation wizard for decryption exclusions |
|
Frequent traceback after upgrading FTD HA |
|
Send Virtual Tunnel Interface enabled by default on SVTI |
|
Tracebacks observed in a cluster member running ASA 9.20.3.4 |
|
Modify memory allocation for policy deployment subgroup |
|
Application Name Change in VDB Not Reflected During Event Processing |
|
Snort3: TCP Midstream Traffic on ACK Normalized by snort and blocked by the Stream Preprocessor |
|
FMC : OSPF setting screen cannot be opened in FMC English UI |
|
Deploy preview fails if device is moved from one domain to another domain |
|
Health Monitoring UI high-availability widget shows incorrect device information for primary device |
|
FTD registration to FMC gets hung when RabbitMQ is down. |
|
EventHandler cores during startup when sending events to syslog or SNMP for a huge number of rules |
|
Traceback in thread name Lina on configuring arp permit-nonconnected with BVI |
|
ASA: floating-conn not closing UDP conns if conn was created without ARP entry for next hop |
|
FMC Health Monitor (HM) graph shows incorrect number of Snort and System CPU cores |
|
Asia/Bangkok timezone option not listed in ASA running on firepower1k |
|
False alerts of FMC HA in degraded sync state |
|
FMC backup failed while cfgdb dump after upgrading FMC to 7.4.2.1 |
|
Banner motd does not display when configured |
|
After upgrading FMC, deployment fails because of high SI Objects |
|
SSH works in admin context but doesn't work in any user context after changing ssh key-exchange |
|
Event-list not deployed when using Enable All Syslog Messages |
|
Unreachable LDAP/AD referrals may cause delays or timeouts in external authentication on FTD |
|
FMC does not remove community list override when this is modified. |
|
Realm with greater than 16 directories cannot be deployed in RA-VPN for LDAP |
|
Lina traceback and reload due to "spin_lock_fair_mode_enqueue" |
|
Identity NAT should not throw error due to exceeding threshold if destination only objects expand |
|
ASA/FTD may traceback and reload in Thread Name "DATAPATH" |
|
Last synchronization time in the FMC HA page shows 'Data unavailable' in language other than English |
|
Unknown disposition files take a long time receive status and threat score. |
|
ASA: Traceback and Reload Under Thread Name SSH |
|
Nitrox Engine (Crypto Accelerator) problem affecting crypto hardware offload on FPR3100 platforms |
|
Community lists should not throw an error until the last item in the list is being deleted |
|
ASA traceback and reload on DATAPATH thread due to memory corruption |
|
Malware block not happening due to malware cloud lookup timeout |
|
Snort3 stream inspector flow stash is not cleared when flow data is cleared |
|
ASAv reloaded unexpectedly with traceback on Unicorn Proxy Thread |
|
Traceback and reload during the deployment after disabling FQDNs. |
|
Snort3 crashed because don't fragment bit was set and it did not treat ipv4 fragments as fragments |
|
Prune the older files in /ngfw/var/cisco/deploy/pkg/var/cisco/packages |
|
Users from legacy radius server can login to Standby FMC domain when MA is enabled |
|
FMC removes prefix-list overrides used for BGP and installs default values by itself. |
|
Port scan alerts not getting generated for custom configuration |
|
Empty snapshot being sent when auth-daemon restarts causing user logout |
|
auth-daemon process restarts due to race condition |
|
TLS.- Outlook only supports TLS 1.2 and not 1.3- FMC uses TLS 1.3 by default |
|
Active FMC - False alerts of FMC HA in degraded sync state |
|
Random QOS policies are getting negated and added with subsequent deployment |
|
AMP related health alert during upgrade and typo in the alert message |
|
Traceback & Reload in thread named: DATAPATH-1-23988 during low memory condition |
|
Snort3 traceback and deployment failure with VDB upgrade |
|
SecGW: Data node fails to join the cluster with cluster_ccp_make_rpc_call failed to clnt_call error |
|
FTD health metrics show "No data available" on the FMC |
|
FMC Client side certificate used to communicate to Talos did not auto-renew correctly |
|
FPR1010 Ethernet1/1 trunk port is not passing vlan traffic after reload |
|
3100 Marvell 4.3.14 CPSS patch for the interface mac stuck issue seen with peer switch reloads |
|
Certain special characters or spaces in RADIUS user passwords cause login failure in FMC |
|
minidump core file not generating in MI mode |
|
fover_trace.log not rotating and growing to a massive size |
|
Getting VNI int cannot be configured with proxy enabled error during model migration when proxy is disabled on VNI int |
|
SFF_SFP_10G_25G_CSR_S V03 modules from Finisar ports bouncing when connected together |
Resolved Bugs in Version 7.6.0
Table last updated: 2025-03-25
Bug ID |
Headline |
---|---|
ASDM Access Issue When SSL VPN And HTTP Server Is Configured On Same Port |
|
Cisco ASA and FTD Software RSA Private Key Leak Vulnerability |
|
Prevention of RSA private key leaks regardless of root cause. |
|
User with no vpn-filter may get additional access when per-user-override is set |
|
ASA/FTD traceback and reload on thread name fover_fail_check |
|
Evaluate FMC for CVE-2022-42252 |
|
Cisco ASA and FTD AnyConnect SSL/TLS VPN Denial of Service Vulnerability |
|
ASA|FTD: Implement different TLS diffie-hellman prime based on RFC recommendation |
|
Cisco ASA and FTD ICMPv6 Message Processing Denial of Service Vulnerability |
|
Cisco ASA and FTD AnyConnect Access Control List Bypass Vulnerability |
|
ASA/FTD: External IDP SAML authentication fails with Bad Request message |
|
Cisco ASA and FTD Software VPN Packet Validation Vulnerability |
|
Multiple Cisco Products Snort 3 Access Control Policy Bypass Vulnerability |
|
Cisco ASA and FTD Software Remote Access SSL VPN Multiple Certificate Auth Bypass |
|
WR6, WR8, LTS18 and LTS21 commit id update in CCM layer (Seq 43) |
|
Cisco Adaptive Security Virtual Appliance and Secure FTD Virtual SSL VPN DoS Vulnerability |
|
User with no vpn-filter may get additional access when per-user-override is set (IKEv2 RAVPN) |
|
The public API function BIO_new_NDEF is a helper function used for str |
|
ASA Evaluation of OpenSSL vulnerability CVE-2022-4450 |
|
CCM seq 45 - WR6, WR8, LTS18 and LTS21. |
|
ASA reboots due to heartbeat loss and "Communication with NPU lost" |
|
Cisco ASA and FTD ACLs Not Installed upon Reload |
|
Snort3 out of memory and process exit unexpectedly due to memory not released by flows |
|
AnyConnect - mobile devices are not able to connect when hostscan is enabled |
|
Consul and Consul Enterprise allowed an authenticated user with service: |
|
Cisco FTD Software SSL/TLS URL Category and Snort 3 Detection Engine Bypass and DOS Vulnerability |
|
ASA traceback and reload with process name: cli_xml_request_process |
|
Health Monitoring shows Unmanaged devices |
|
Cisco ASA Software and FTD Software SNMP Denial of Service Vulnerability |
|
Threat-detection does not recognize exception objects with a prefix in IPv6 |
|
Threat-detection does not allow to clear individual IPv6 entries |
|
Cisco Adaptive Security Appliance Software SSH Remote Command Injection Vulnerability |
|
Cisco ASA and FTD VPN Web Client Services Client-Side Request Smuggling Vulnerability |
|
Cisco ASA & FTD SAML Authentication Bypass Vulnerability |
|
Cisco FTD Software for Cisco Firepower 2100 Series Inspection Rules DoS Vulnerability |
|
LSP version not updated to latest in LINA Prompt in SSP_CLUSTER with 7.2.4 build. |
|
FPR3100: ASA/FTD High traffic impact on all data interfaces with high counter of "demux drops" |
|
ASA accepts replayed SAML assertions for RA VPN authentication |
|
ASA/FTD: Packet-tracer may display incorrect ACL rule, though produces correct verdict. |
|
SSH to Chassis allows a 3-way handshake for IPs that are not allowed by the config |
|
Cisco ASA and FTD AnyConnect Access Control List Bypass Vulnerability |
|
Cisco ASA and FTD Remote Access SSL VPN Authentication Targeted Denial of Service Vulnerability |
|
Cisco ASA and FTD Remote Access SSL VPN Authentication Targeted Denial of Service Vulnerability |
|
ASA: Traceback and reload while updating ACLs on ASA |
|
Cisco Adaptive Security Appliance Software and Firepower Threat Defense DoS |
|
ASA/FTD: Traceback and reload with Thread Name 'PTHREAD' |
|
Wyoming/SFCN ASA: Wrong values shown DBRG in show crypto ssl objects CLI |
|
Cisco ASA and FTD VPN Web Client Services Client-Side Request Smuggling Vulnerability |
|
Cisco ASA/FTD Firepower 2100 SSL/TLS Denial of Service Vulnerability |
|
Cisco ASA and FTD ACLs Not Installed upon Reload |
|
Cisco ASA Software and FTD Software SAML Assertion Hijack Vulnerability |
|
CDFMC: VDB version rolling back to old version after performing Disaster Recovery |
|
Multiple Cisco Products Snort Rate Filter Bypass Vulnerability |
|
Traceback @<capture_file_show+605 at ../infrastructure/capture/capture_file_finesse.c:282> |
|
Cisco FTD TCP/IP Traffic Snort 2/3 Denial of Service Vulnerability |
|
Lina CiscoSSL upgrade to 1.1.1v and FOM 7.3a |
|
FMC fails deployment after removing NAT or ACL rule |
|
Snort 3 HTTP Intrusion Prevention System Rule Bypass Vulnerability |
|
Cisco ASA and FTD Software Remote Access VPN Unauthorized Access Vulnerability |
|
ASA: Traceback and reload when switching from single to multiple mode |
|
Occasionally External auth may not work after HA failover to Active |
|
Cisco FTD TCP/IP Traffic Snort 2/3 Denial of Service Vulnerability |
|
Cisco ASA and FTD Software Remote Access VPN Unauthorized Access Vulnerability |
|
evaluate open-vm-tools / VMware Tools on FMC for VMware -- CVE-2023-20900 and VMSA-2023-0019 |
|
Cisco Firepower Threat Defense Software for Firepower 2100 Series TLS Denial of Service Vu |
|
ASA - Traceback the standby device while HA sync ACL-DAP |
|
[ENH] FMC to pull FTD device current SRU version rather than device records for SRU deployed. |
|
Cisco ASA webvpn XSS Vulnerability |
|
ASA traceback and reload during ACL configuration modification |
|
FTD/ASA may traceback and reload in PKI, syslog, during upgrade |
|
Cisco ASA Software and FTD Software SNMP Denial of Service Vulnerability |
|
FailSafe admin password is not properly sync'd with system context enable pw |
|
ACP rule is deleted when discarding changes, post rule reposition. |
|
Cisco FXOS Software Link Layer Discovery Protocol Denial of Service Vulnerability |
|
ASA/FTD: SSL VPN Second Factor Fields Disappear |
|
Cisco Firepower Threat Defense Software Geolocation ACL Bypass Vulnerability |
|
Cisco Firepower Threat Defense Software TCP Snort 3 Detection Engine Bypass Vulnerability |
|
Radius traffic not passing after ASA upgrade 9.18.2 and above version. |
|
Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11. |
|
Interface fragment queue may get stuck at 2/3 of fragment database size |
|
Cut-Through Proxy feature spikes CP CPU with a flood of un-authenticated traffic |
|
Multiple lina cores on 7.2.6 KP2110 managed by cdFMC |
|
CVE-2023-51385 (Medium Sev) In ssh in OpenSSH before 9.6, OS command injection might occur if a us |
|
Cisco Firepower Management Center Cross Site Scripting Vulnerability |
|
The SSH transport protocol with certain OpenSSH extensions, found in ... (CVE-2023-48795) |
|
MonetDB memory usage grows slowly over time |
|
Modification of destination entries failed, when SOG and DOG contain same inner object-group |
|
Cisco FTD Software and FMC Software Code Injection Vulnerability |
|
41xx/93xx : Update CiscoSSH (Chassis Manager FXOS) to address CVE-2023-48795 |
|
Cisco Firepower Management Center Software Cross-Site Scripting Vulnerability |
|
HTTP/HTTPS detection for application needs to fail it's detection earlier |
|
Cisco ASA and FTD Software Command Injection Vulnerability |
|
Push clear configure access-group to avoid error while applying access group on FTD |
|
Cisco ASA and FTD FXOS CLI Root Privilege Escalation Vulnerability |
|
unzip 5.52 is from 2005 and contains multiple vulnerabilities |
|
Cisco ASA and FTD Software Persistent Local Code Execution Vulnerability |
|
FMC username enumeration from API response |
|
vFMC25 OCI to vFMC300 OCI migration failed 'Migration from Y to a is not allowed.' |
|
Cisco ASA and FTD Software Persistent Local Code Execution Vulnerability |
|
An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.1 |
|
ASA/FTD Traceback and Reload during ssl session establishment |
|
Upload files through Clientless portal is not working as expected after the ASA upgrade |
|
Cisco ASA and FTD Software Web Services Denial of Service Vulnerability |
|
Cisco Firepower Management Center Software Cross-Site Scripting Vulnerability |
|
Policy cache cleanup thread should cleanup any cache that is left open for a logged out session |
|
Backup exits with memory allocation error on 4115 |
|
Cisco ASA and FTD Software Dynamic Access Policies Denial of Service Vulnerability |
|
Cisco ASA and FTD NSG Access Control List Bypass Vulnerability |
|
Cisco ASA and FTD Software VPN Web Server Limited Information Disclosure Vulnerability |
|
Internal cached access-group list maintenance issue with unexpected clear configure access-list |
|
Cisco ASA and FTD Software Remote Access VPN Brute Force Denial of Service Vulnerability |
|
SFDataCorrelator high memory usage when restart with large network map hosts |
|
Cisco ASA and FTD VPN Web Client Services Cross-Site Scripting Vulnerabilities |
|
Can't make any changes on TPK 3110 chassis registered on FMC when chassis under domain |
|
Smart license registration failing on FDM post 7.4.1 baseline due to http-proxy |
|
Memory manager improvements for webvpn internal lua library |
|
Cisco Secure Firewall Management Center Software Command Injection Vulnerability |
|
ASA - Bookmarks on the WebVPN portal are unreachable after successful login. |
|
Cisco Firepower Management Center Software Cross-Site Scripting Vulnerability |
|
Cisco ASA and FTD Software Remote Access VPN Brute Force Denial of Service Vulnerability |
|
Cisco Adaptive Security Appliance and Firepower Threat Defense TLS Denial of Service Vulnerability |
|
Cisco ASA and FTD Software IKEv2 VPN Denial of Service Vulnerability |
|
Cisco FTD Software for Firepower 1000, 2100, 3100, and 4200 Series Static Credential Vuln |
|
FTD is not resolving FQDN for ACLs intermittently |
|
Cisco Adaptive Security Virtual Appliance and Secure FTD Virtual SSL VPN DoS Vulnerability |
|
Unable to establish RAVPN session on FTD HA setup |
|
ENH: Add application support for blocking consecutive AAA failures on LINA |
|
Cloud regions dropdown may not show any regions if FMC connectivity is down during upgrade |
|
Packet-tracer output incorrectly appends 'control-plane' to drops for data-plane access-group |
|
Cisco ASA and FTD Software Remote Access VPN Denial of Service Vulnerability |
|
Address SSP OpenSSH regreSSHion vulnerability |
|
Evaluation of ssp for OpenSSH regreSSHion vulnerability |
|
FTD and FXOS: RADIUS Protocol Spoofing Vulnerability (Blast-RADIUS): July 2024 |
|
Huge deployment failed using customer configs due to mismatch of checksum. |
|
BlastRADIUS vulnerability phase-1 fix for pix-asa - Message Authenticator |
|
Cisco Adaptive Security Appliance and Firepower Threat Defense TLS Denial of Service Vulnerability |
|
With CVE-ID cannot search the IPS events on the FMC |
|
Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vul |
|
Snort3 reloads when AppID reload and snort restarts are happening simultaneously |
|
Cisco Adaptive Security Appliance Software SSH Server Resource DoS Vulnerability |
|
Misconfigured Cross-Origin-Opener-Policy |
|
Unused vulnerable version of Highcharts referenced by GWT and TID pages |
|
Addressing CVEs reported in unicorn zlib library |
Table last updated: 2025-03-25
Bug ID |
Headline |
---|---|
ENH: Appliance hostname or ip address should be included in FX-OS syslogs |
|
FMC: critical processes can not boot up including vmsDBEngine |
|
ASA concatenates syslog event to other syslog event while sending to the syslog server |
|
FTD traceback in Thread Name cli_xml_server when deploying QoS policy |
|
FTD - Flow-Offload should be able to coexist with Rate-limiting Feature (QoS) |
|
Lack of throttling of ARP miss indications to CP leads to oversubscription |
|
Remove Syslog Messages 852001 and 852002 in Firewall Threat Defense |
|
SNMPv3: Special characters used in FXOS SNMPv3 configuration causes authentication errors |
|
FXOS Major Faults about adapter host and virtual interface being down |
|
FXOS: Fault "The password encryption key has not been set." displayed on FPR1000 and FPR2100 devices |
|
App-instance showing as Started instead of Online |
|
IPTables.conf file is disappearing resulting in backup and restore failure. |
|
Deployment fails with internal_errors - Cannot get fresh id |
|
ERROR: Deleted IDB found in in-use queue - message misleading |
|
Getting Unprocessable URL categories objects when using API call |
|
PLR license reservation for ASAv5 is requesting ASAv10 |
|
ASA may fail to create NAT rule for SNMP with: "error NAT unable to reserve ports." |
|
NTP will not change to *(synced) status after upgrade to asa-9.15.1/9.16.1.28 from asa-9.14.3 |
|
show access-control-config doesn't show NAP/IPS policy name |
|
ASA: FPR11xx: Loss of NTP sync following a reload after upgrade |
|
Some syslogs for AnyConnect SSL are generated in admin context instead of user context |
|
Tune throttling flow control on syslog-ng destinations |
|
ENH: Support for snapshots of RX queues on InternalData interfaces when "Blocks free curr" goes low |
|
Primary node disconnected from VPN-Cluster when performed HA failover on Primary with DNS lookup |
|
"SFDataCorrelator:Parser [ERROR] Syntax error" on FTD device |
|
ASA/FTD stuck after crash and reboot |
|
Microsoft update traffic blocked with Snort version 3 Malware inspection |
|
SNORT3: proxy traffic issue on port 80 when tls1.3 inspection enabled |
|
ASA/FTD Traceback and reload in Process Name: lina |
|
snort3 crashinfo sometimes fails to collect all frames |
|
FMC - Unable to copy/cut/paste NAT rule |
|
Firepower 1000/2100 may boot to ROMMON mode |
|
MFIB RPF failed counter instead of Other drops increments when outgoing interface list is Null |
|
ASA: The timestamp for all logs generated by Admin context are the same |
|
cache and dump last 20 rmu request response packets in case failures/delays while reading registers |
|
Snort down due to missing lua files because of disabled application detectors (PM side) |
|
AnyConnect SAML - Client Certificate Prompt incorrectly appears within External Browser |
|
ASA/FTD may traceback and reload in Thread Name: fover_health_monitoring_thread |
|
FTPS getting ssl3_get_record:bad record type during connection for KK and DR rules |
|
Unnecessary FAN error logs need to be removed from thermal file |
|
ASA/FTD may traceback and reload during ACL changes linked to PBR config |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
FXOS ASA/FTD SNMP OID to poll Internal-data 'no buffer' interface counters |
|
logging/syslog is impacted by SNMP traps and logging history |
|
ASA: ASDM sessions stuck in CLOSE_WAIT causing lack of MGMT |
|
User/group download may fail if a different realm is changed and saved |
|
25G CU SFPs not working in Brentwood 8x25G netmod |
|
ASA/FTD tmatch compilation check when unit joins the cluster, when TCM is off |
|
cacert.pem on FMC expired and all the devices showing as disabled. |
|
AnyConnect SAML using external browser and round robin DNS intermittently fails |
|
Failover trigger due to Inspection engine in other unit has failed due to disk failure |
|
critical health alerts 'user configuration(FSM.sam.dme.AaaUserEpUpdateUserEp)' on FPR 1100/2100/3100 |
|
ASA/FTD may traceback and reload in Thread Name 'lina' following policy deployment |
|
ASA/FTD: Traceback and reload in Thread Name: EIGRP-IPv4 |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
DHCP Relay is looping back the DHCP offer packet causing dhcprelay to fail on the FTD/ASA |
|
FTD: Traceback & reload in process name lina |
|
ASA/FTD: Command "no snmp-server enable oid mempool" enabled by default or enforced during upgrades |
|
ssl policy errors: Unable to get server certificate's internal cached status |
|
SSL Policy DND default Rule fails on error unsupported cipher suite and SKE error. |
|
Analyze why there is no logrotate for /opt/cisco/config/var/log/ASAconsole.log |
|
FPR 2100: 10G interfaces with 1G SFP goes down post reload |
|
fxos log rotate failing to cycle files, resulting in large file sizes |
|
ASA/FTD: Traceback and reload in Thread Name: appAgent_reply_processor_thread |
|
256 / 1550 Block leak with TLS1.3 session |
|
ASA restore is not applying vlan configuration |
|
AWS: SSL decryption failing with Geneve tunnel interface |
|
Stale CPU core health events seen on FMC UI post upgrade to 7.0.0+. |
|
FTD Lina traceback and reload in Thread Name 'IP Init Thread' |
|
Disable asserts in FTD production builds |
|
ASA/FTD: Traceback and reload due to SNMP group configuration during upgrade |
|
FMC UI Showing inaccurate data in S2S VPN Monitoring page |
|
ASA Connections stuck in idle state when DCD is enabled |
|
FPR2100: Increase in failover convergence time with ASA in Appliance mode |
|
FTDv Single-Arm Proxy behind AWS GWLB drops due to geneve-invalid-udp-checksum with all 0 checksum |
|
AC clients fail to match DAP rules due to attribute value too large |
|
Packets through cascading contexts in ASA are dropped in gateway context after software upgrade |
|
ASA traceback and reload on Datapath process |
|
FPR1150 : Exec format error seen and the device hung until reload when erase secure all is executed |
|
QEMU KVM console got stuck in "Booting the kernel" page |
|
Port-channel interfaces of secondary unit are in waiting status after reload |
|
Port-channel member port status flag and membership status are Down if LACPDUs are not received |
|
ASA/FTD may traceback and reload in idfw fqdn hash lookup |
|
FXOS: FP2100 FTW timeout triggered by high CPU usage during FTD Access Control Policy deploy. |
|
30+ seconds data loss when unit re-join cluster |
|
FTD with Snort3 might have memory corruption BT in snort file with same IP traffic scaling |
|
ASA may traceback and reload with multiple input/output error messages |
|
Deployment keep failing due to Config Error -- service-policy policy_map |
|
MI FTD running 7.0.4 is on High disk utilization |
|
Snort drops Bomgar application packets with Early Application Detection enabled |
|
High CPU Utilization on FXOS for processes smConlogger |
|
FTD Traffic failure due to 9344 block depletion in peer_proxy_tx_q |
|
LINA Traceback on FPR-1010 under Thread Name: update_cpu_usage |
|
Snort outputs massive volume of packet events - IPS event view may show "No Packet Information" |
|
Microsoft SCEP enrollment fails to get ASA identity cert - Unable to verify PKCS7 |
|
ASA/FTD may traceback and reload in Thread Name 'telnet/ci' |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
Observing some devcmd failures and checkheaps traceback when flow offload is not used. |
|
Snort3 stream core found init_tcp_packet_analysis |
|
AWS ASAv PAYG Licensing not working in GovCloud regions. |
|
Traceback and reload when webvpn users match DAP access-list with 36k elements |
|
ASA/FTD: Traceback and Reload on Netflow timer infra |
|
Cut-Through Proxy does not work with HTTPS traffic |
|
Enhance logging mechanism for syslogs |
|
ASA/FTD NAT Pool Cluster allocation and reservation discrepancy between units |
|
Stratix5950 and ISA3000 LACP channel member SFP port suspended after reload |
|
Traffic fails in Azure ASAv Clustering after "timeout conn" seconds |
|
ASA/FTD failure due to heartbeat loss between chassis and blade |
|
ASA: After upgrade cannot connect via ssh to interface |
|
ASA/FTD may traceback and reload in logging_cfg processing |
|
FAN LED flashing amber on FPR2100 |
|
Clientless VPN users are unable to download large files through the WebVPN portal |
|
Anyconnect users unable to connect when ASA using different authentication and authorization server |
|
Blade not coming up after FXOS update support on multi-instance due to ssp_ntp.log log rotation prob |
|
The Standby Device going in failed state due to snort heartbeat failure |
|
Primary ASA traceback upon rebooting the secondary |
|
ASA/FTD traceback and reload, Thread Name: rtcli async executor process |
|
Link Up seen for a few seconds on FPR1010 during bootup |
|
FTD: Unable to configure WebVPN Keepout or Certificate Map on FPR3100 |
|
ASA unexpectedly reloads when doing backup |
|
FPR41xx/9300: Blade does not capture or log a reboot signal |
|
Optimization of Side Bar loading for HealthMon page |
|
License Commands go missing in Cluster data unit if the Cluster join fails. |
|
ASA/FTD may traceback and reload after a reload with DHCPv6 configured |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
FTD traceback and reload while deploying PAT POOL |
|
Need to provide rate-limit on "logging history <mode>" |
|
FTD/ASA traceback and reload during tmatch compilation process |
|
Unexpected "No Traffic" health alert on Standby HA Data Interface where no data flows |
|
FTD traceback/reloads - Icmp error packet processing involves snp_nat_xlate_identity |
|
FPR1K/FPR2K: Increase in failover time in Transparent Mode with high number of Sub-Interfaces |
|
Cluster data unit drops non-VPN traffic with ASP reason "VPN reclassify failure" |
|
FPR1120:connections are getting teardown after switchover in HA |
|
None option under trustpoint doesn't work when CRL check is failing |
|
FTD traceback and reload during policy deployment adding/removing/editing of NAT statements. |
|
FTD is dropping GRE traffic from WSA |
|
ASA binding with LDAP as authorization method with missing configuration |
|
Identity network filter not removed from FTD |
|
ASA: Traceback and reload while processing SNMP packets |
|
Nodes randomly fail to join cluster due to internal clustering error |
|
FTD: HA crash and interfaces down on FPR4200 |
|
High Lina memory use due to leaked SSL handles |
|
Secondary state flips between Ready & Failed when node is rebooted and mgmt interface is shutdown |
|
multimode-tmatch_df_hijack_walk traceback observed during shut/unshut on FO connected switch interfa |
|
IKEv2 Multi-DVTI Hub Support FTD/ASA |
|
FTD - 'show memory top-usage' providing improper value for memory allocation |
|
FTD: IP SLA Pre-emption not working even when destination becomes reachable |
|
ASA/FTD Traceback and reload of Standby Unit while removing capture configurations |
|
Application management interface may be down causing management connectivity failures |
|
cdFMC : User with VPN Sessions Manager Role can't access cdFMC |
|
null connection error seen in logs |
|
ASA/FTD: Improve GTP Inspection Logging |
|
ASA/FTD: GTP Inspection engine serviceability |
|
[FTD Multi-Instance][SNMP] - CPU OIDs return incomplete list of associated CPUs |
|
ASA/FTD may traceback and reload in Thread Name: CTM Daemon |
|
256-byte memory block gets depleted on start if jumbo frame is enabled with FTD on ASA5516 |
|
Traffic drop when primary device is active |
|
ASA/FTD may drop multicast packets due to no-mcast-intrf ASP drop reason until UDP timeout expires |
|
Multicast connection built or teardown syslog messages may not always be generated |
|
Write wrapper around "kill" command to log who is calling it |
|
Snort3: Process in D state resulting in OOM with jemalloc memory manager |
|
SNMPD cores seen in snmp_sess_close and notifyTable_register_notifications |
|
Partition "/opt/cisco/config" gets full due to wtmp file not getting logrotated |
|
Unexpected firewalls reloads with traceback. |
|
[SXP-UserIP Muted Leader]FMC HA Join flushes FW IP_SGT Mapping and restreams in registered sensors. |
|
NTP polling frequency changed from 5 minutes to 1 second causes large useless log files |
|
Multiple instances of nvram.out log rotated files under /opt/cisco/platform/logs/ |
|
8x10Gb netmod fails to come online |
|
ASA/FTD - SNMP related memory leak behavior when snmp-server is not configured |
|
rpc service detector causing snort traceback due to universal address being an empty string |
|
Azure D5v2 FTDv unable to send traffic - underruns and deplete DPDK buffers observed |
|
ASA Traceback & reload citing thread name: asacli/0 |
|
FTD taking longer than expected to form OSPF adjacencies after a failover switchover |
|
ASA/FTD may traceback and reload after executing 'clear counters all' when VPN tunnels are created |
|
Copy and pasting rules is broken and give blank error message in ID policy |
|
LINA traceback with icmp_thread |
|
The command "app-agent heartbeat" is getting removed when deleting any created context |
|
Primary Unit lost all HA config after FTD HA upgrade |
|
CLUSTER: ICMP reply arrives at director earlier than CLU add flow request from flow owner. |
|
FTD MI does not adjust PVID on vlans attached to BVI |
|
ASA/FTD may traceback and reload in Thread Name 'None' at lua_getinfo |
|
ASA/FTD Show chunkstat top command implementation |
|
ASA/FTD might traceback in function "snp_fp_l2_capture_internal" due to cf_reinject_hide flag |
|
Traffic drops with huge rule evaluation on snort |
|
dvti memory leak on mp_counter_alloc |
|
Workaround to set hwclock from ntp logs on low end platforms |
|
ASA/FTD may traceback and reload in Thread Name 'ci/console' when checking Geneve capture |
|
changing time window settings in FMC GUI event viewers may not work with FMC integrated with SecureX |
|
Supervisor does not reboot unresponsive module/blade due to IERR with minor severity sensor ID 79 |
|
ASA/FTD: High failover delay with large number of (sub)interfaces and http server enabled |
|
TLS Server Identity may cause certain clients to produce mangled Client Hello |
|
Gateway is not reachable from standby unit in admin and user context with shared mgmt intf |
|
Multiple traceback seen on standby unit. |
|
2100: Power switch toggle leads to ungraceful shutdowns and "PowerCycleRequest" reset |
|
Stale IKEv2 SA formed during simultaneous IKE SA handling when missing delete from the peer |
|
FDM WM-HA ssh is not working after upgrading 7.2.3 beta with data interface as management |
|
FTD may not reboot as expected post upgrade if bundled FXOS version is the same on old and new version |
|
ASA: FP2100 FTW timeout triggered by high CPU usage during FTD Access Control Policy deploy. |
|
Deleting a BVI in FTD interfaces is causing packet drops in other BVIs |
|
Classic and Unified Events should handle cases when SMC is unreachable |
|
FP2100:Update LINA asa.log files to avoid recursive messages-<date>.1.gz rotated filenames |
|
Syslog ASA-6-611101 is generated twice for a single ssh connection |
|
FTD upgrade from 7.0 to 7.2.x and traceback/reload due to management-access enabled |
|
ASA/FTD drops traffic to BVI if floating conn is not default value due to no valid adjacency |
|
FTD: CLISH slowness due to command execution locking LINA prompt |
|
Management interface link status not getting synced between FXOS and ASA |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
SSL decrypted conns fails when tx chksum-offload is enabled with the egress interface a pppoe. |
|
FTD on FPR2140 - Lina traceback and reload by TCP normalization |
|
Protocol Down with lower CPU instances on ESXi 8 for ASAv and FTDv |
|
Memory leak observed on ASA/FTD when logging history is enabled |
|
ASA/FTD: Revision of cluster event message "Health check detected that control left cluster" |
|
FTD: "timeout floating-conn" not operating as expected for connections dependent on VRF routing |
|
ASA/FTD reboots due to traceback pointing to watchdog timeout on p3_tree_lookup |
|
FTD Traceback and reload on Thread Name "NetSnmp Event mib process" |
|
PIM register packets are not sent to RP after a reload if FTD uses a default gateway to reach the RP |
|
ASA Multicontext 'management-only' interface attribute not synced during creation |
|
New context subcommands are not replicated on HA standby when multiple sessions are opened. |
|
Policy Deploy Failing when trying to remove Umbrella DNS Connector Configuration |
|
ASA/FTD traceback in snp_tracer_format_route |
|
ASA/FTD may traceback and reload in Thread Name 'lina' due to tcp intercept stat |
|
ASA/FTD: Ensure flow-offload states within cluster are the same |
|
Need fault/error for invalid firmware MF-111-234949 |
|
Post backup restore multiple processes are not up. No errors are observed during backup or restore. |
|
Cluster hardening fixes |
|
ASA/FTD may traceback and reload |
|
ASA: Prevent SFR module configuration on unsupported platforms |
|
The command "neighbor x.x.x.x ha-mode graceful-restart" removed when deleting any created context |
|
FP2100 series devices might use excessive memory if there is a very high SNMP polling rate |
|
KP Generating invalid core files which cannot be decoded 7.2.4-64 |
|
show xlate does not display xlate entries for internal interfaces (nlp_int_tap) after enabling ssh. |
|
ASA - Standby device may traceback and reload during synchronization of ACL DAP |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
Last fragment from SIP IPv6 packets has MF equal to 1, flagging that more packets are expected |
|
ASA / FTD Traceback and reload when removing isakmp capture |
|
Failover fover_trace.log file is flooding and gets overwritten quickly |
|
Snort3 fails to match SMTPS traffic to ACP rules |
|
Multiple times the failover may be disabled by wrongly seeing a different "Mate operational mode". |
|
Connections not replicated to Standby FTD |
|
FTD Crash in Thread Name: CP Processing |
|
ASA/FTD may traceback and reload in Thread Name DATAPATH-3-21853 |
|
FTD LINA traceback and reload in Datapath thread after adding Static Routing |
|
Unable to login to FTD using external authentication |
|
Cross-interface-access: ICMP Ping to management access ifc over VPN is broken |
|
logrotate is not compressing files on 9.16 ASA or 7.0 FTD |
|
ASA/FTD may traceback and reload in Thread Name DATAPATH-1-1656 |
|
Interface remains DOWN in an Inline-set with propagate link state |
|
ndclientd error message 'Local Disk is full' needs to provide mount details which is full |
|
ASA/FTD: From-the-box ping fails when using a custom VRF |
|
ASA/FTD : Degradation for TCP tput on FPR2100 via IPSEC VPN when there is delay between VPN peers |
|
FPR4100/9300 displays the package-vers as 0.0 after successful firmware upgrade to version 1.0.19 |
|
User Group Download fetches less data than available or fails with "Size limit exceeded" error |
|
ASA/FTD may traceback and reload in Thread Name 'pix_flash_config_thread' |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
Default DLY value of port-channel sub interface mismatch with parent Portchannel |
|
ASA: Standby failure on parsing of "management-only" not reported to parser/failover subsystem |
|
health alert for [FSM:STAGE:FAILED]: external aaa server configuration |
|
PortChannel sub-interfaces configured as data/data-sharing, in multi-instance HA go into "waiting" |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
Prune target should account for the allocated memory from the thread pruned |
|
asa_snmp.log is not rotated, resulting in large file size |
|
FTD: 10Gbps/full interfaces changed to 1Gbps/Auto after upgrade and going to down state |
|
ASA/FTD traceback and reload on thread DATAPATH-14-11344 when SIP inspection is enabled |
|
ASA/FTD traceback and reload citing thread name: cli_xml_server in tm_job_add |
|
ASA/FTD: Traceback and reload due to high rate of SCTP traffic |
|
FMC UI response is very slow: Add health module monitoring FMC ntpd server(s) accessibility |
|
Banner login does not display when configured |
|
Serial number attribute from the subject DN of certificate should be taken as the username |
|
Firepower Chassis Manager is not accessible with ECDSA certificates |
|
Notification Daemon false alarm of Service Down |
|
CVIM Console getting stuck in "Booting the kernel" page |
|
Username-from-certificate feature cannot extract the email attribute |
|
Unable to Access FMC GUI when using Certificate Authentication |
|
ASA: Standby failure on parsing of "management-only" for dynamic configuration changes |
|
Elephant flow detection disabled on FMC, getting enabled on FTD after random deployment |
|
ASA Traceback and reload in parse thread due ha_msg corruption |
|
Snort3 is crashing frequently on cd_pdts.so |
|
FPR31xx - SNMP poll reports incorrect FanTray Status at Down while actually operational |
|
ngfwManager process continuously restarting leading to ZMQ Out of Memory traceback |
|
FTD returns no output of "show elephant-flow status" when efd.lua file's content is empty |
|
KP - multimode: ASA traceback observed during HA node break and rejoin. |
|
FXOS REST API: Unable to create a keyring with type "ecdsa" |
|
ASA/FTD may traceback and reload in Thread Name 'lina'. |
|
ASA not updating Timezone despite taking commands |
|
Deployment fails to FTD when reusing/reassigning existing vlan id to diff interface |
|
FTD DHCP Relay drops NACK if multiple DHCP Servers are configured |
|
Connection events incorrectly show OVERSUBSCRIPTION flow message for passive interface traffic |
|
Health monitoring cores due to health alerts with more than 8 fields |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
ASA/FTD: SNMP related traceback and reload immediately after upgrade from 6.6.5 to 7.0.1 |
|
ASA: Configurable CLU for Large amount of under/overruns on CLU RX/TX queues |
|
Observed ASA traceback and reload when performing hitless upgrade while VPN traffic running |
|
ASA/FTD Cluster: Change "cluster replication delay" with max value increase from 15 to 50 sec |
|
Snort3 cores seen in certain conditions with traffic |
|
ASAConfig multiple restarts are leaking 16K memory in every Restart leading to ZMQ Out Of Memory. |
|
snort3 - missing necessary counters for RNA statistics |
|
traceback and reload thread datapath on process tcpmod_proxy_continue_bp |
|
Add knob to pause/resume file specific logging in asa log infra. |
|
FTD: Unable to process a TLS1.2 website with TLS Server Identity with client generating SSL Errors |
|
FTD/ASA Hub and spoke (U-turn) VPN fails when one spoke is IPSec flow offloaded and the other isn't |
|
TCP ping is completely broken starting in 9.18.2 |
|
Snort3 Crash in SslServiceDetector after call from nss_passwd_lookup |
|
portmanager.sh outputting continuous bash warnings to log files |
|
The fxos directory disappears after the show tech fprm detail command is cancelled with Ctrl+C. |
|
ASA/FTD may traceback and reload in Thread Name 'ci/console' |
|
ASA: "Ping <ifc_name> x.x.x.x" is not working as expected starting 9.18.x |
|
3100 unit failed to join the cluster with error "configured object (sys/switch-A/slot-2) not found" |
|
FTD running on FP1000 series might drop packets on TLS flows after the "Client Hello" message. |
|
Readiness check needs to be allowed to run without pausing FMC HA |
|
Setting heartbeat timeout to 6sec for Firepower 4100 and 9300 |
|
ASA running out of SNMP PDU and SNMP VAR chunks |
|
Lina traceback and reload due to fragmented packets |
|
If the user navigates to Packet Tracer from Device Mgmt page, the selected device is incorrect |
|
FTD : Traceback in ZMQ running 7.3.0 |
|
TPK 3110 - Firmware version MISMATCH after upgrade to 7.2.4-144 |
|
ASA sends OCSP request without user-agent and host |
|
ASA: After upgrade to 9.16.4 all type-8 passwords are lost on first reboot |
|
FTDv: Traffic failure in VMware Deployments due to dpdk pool exhaustion and rx_buff_alloc_failure |
|
Deployments can cause certain RAVPN users mapping to get removed. |
|
Snort down due to missing lua files because of disabled application detectors (VDB side) |
|
ASA Traceback and reload citing process name 'lina' |
|
getting wrong destination zone on traffic causing traffic to match wrong AC rule |
|
traceback and reload in Process Name: lina related to Nat/Pat |
|
TCP normalizer needs stats that show actions like packet drops |
|
LDAP authentication over SSL not working for users that send large authorisation profiles |
|
Very specific "vpn-idle-timeout" values cause continuous SSL session disconnects and reconnects |
|
ASAv in Hyper-V drops packets on management interface |
|
HA Serviceability Enh: Maintain HA NLP client stats and HA CTL NLP counters for current App-sync |
|
ASDM replaces custom policy-map with default map on class inspect options at backup restore. |
|
FMC deploy logs rotating faster because of /internal_rest_api/accesscontrol/rapplicationsavailable |
|
Failure to remove snort stat files older than 70 days |
|
ASA/FTD may traceback and reload in Thread Name '19', free block checksum failure |
|
node is leaving TPK cluster due to interface health check failure |
|
ASA may traceback and reload in Thread Name 'DHCPv6 Relay' |
|
ASA/FTD: Traceback on thread name: snmp_master_callback_thread during SNMP and interface changes |
|
DBCheck shouldn't run against MonetDB if user is collecting config backup alone |
|
Correlation rule 'Security Intelligence Category' option is missing DNS and URL values |
|
MYSQL, or any TCP high traffic, getting blocked by snort3, with snort-block as Drop-reason |
|
Unable to establish BGP when using MD5 authentication over GRE TUNNEL and FTD as passthrough device |
|
Update Configuration State if sync is skipped |
|
crashhandler running with test mode snort |
|
Stale anyconnect entries causing issues with routing |
|
FP2130- Unable to disassociate member from port channel, deployment fails, member is lost on FTD/FMC |
|
ASA/FTD: Connection information in SIP-SDP header remains untranslated with destination static Any |
|
Error loading data in NAT page - When unused port object is used |
|
FTD may fail to create a NAT rule with error: "IPv4 dst real obj address range is huge" |
|
KP: Cleanup/Reformat the second (MSP) disk on FTD reinstall |
|
AC policy change is not reflected in instance page on edit |
|
Inconsistent log messages seen when emblem is configured and buffer logging is set to debug |
|
Snort3 crash found during cleaning up a CHP object |
|
ASA in multi context shows standby device in failed state even after MIO HB recovery. |
|
ASA integration with umbrella does not work without validation-usage ssl-server. |
|
Add CIMC reset as auto-recovery for CIMC IPMI hung issues |
|
High CPU usage on multiple appliances incorrectly seen on FMC |
|
ASA traceback and reload with the Thread name: **CP Crypto Result Processing** |
|
Firewall may drop packets when routing between global or user VRFs |
|
ASA access-list entries have the same hash after upgrade |
|
[IMS_7_4_0] - Virtual FDM Upgrade fails: HA configStatus='OUT_OF_SYNC after UpgradeOnStandby |
|
FTD: GRE traffic is not being load balanced between CPU cores |
|
FMC should handle error appropriately when ISE reports error during SXP download |
|
FXOS/SSP: System should provide better visibility of DIMM Correctable error events |
|
Traffic may be impacted if TLS Server Identity probe timeout is too long |
|
access-list: Cannot mix different types of access lists. |
|
AnyConnect Ikev2 Login Failed With certificate-group-map Configured |
|
Change in syslog message ASA-3-202010 |
|
Firewall rings may get stuck and cause packet loss when asp load-balance per-packet auto is used |
|
ASAv - High latency is experienced on Azure environment for ICMP ping packets while running snmpwalk |
|
WINSCP and SFTP detectors do not work as expected |
|
ASA/FTD client IP missing from TACACS+ request in SSH authentication |
|
Improper load-balancing for traffic on ERSPAN interfaces on FPR 3100/4200 |
|
PSEQ (Power-Sequencer) firmware may not be upgraded with bundled FXOS upgrade |
|
ASA/FTD may traceback and reload citing process name "lina" |
|
Traceback in Thread Name: ssh/client in a clustered setup |
|
Lina crash in thread name: cli_xml_request_process during FTD cluster upgrade |
|
ECMP + NAT for ipsec sessions support request for Firepower. |
|
99.20.1.16 lina crash on nat_remove_policy_from_np |
|
Traceback and reload on Thread DATAPATH-6-21369 and linked to generation of syslog message ID 202010 |
|
Old LSP packages are not pruned causing high disk utilization |
|
Snort3 matches SMTP_RESPONSE_OVERFLOW (IPS rule 124:3) when SMTPS hosts exchange certificates |
|
Remove Priority-queue command from FTD|| Priority-queue command causes silent egress packet drops |
|
VPN load-balancing cluster encryption using deprecated ciphers |
|
ASA/FTD: Traceback and reload when issuing 'show memory webvpn all objects' |
|
DNS cache entry exhaustion leads to traceback |
|
2100 Reload due to internal links going down and NPU disconnection |
|
FXOS SNMP "property community of sys/svc-ext/snmp-svc is out of range" is unclear to users |
|
FTD username with dot fails AAA-RADIUS external authentication login after upgrade |
|
ASA SNMP polling not working and showing "Unable to honour this request now" on show commands |
|
Reduce time taken to clear stale IKEv2 SAs formed after Duplicate Detection |
|
ASA traceback and reload on Thread Name: DHCPRA Monitor |
|
FMC config archives retention reverts to default if ca_purge tool was used prior to 7.2.4 upgrade |
|
vFTD runs out of memory and goes to failed state |
|
ASA Traceback & reload on process name lina due to memory header validation |
|
FXOS Traceback and reload caused by leak on MTS buffer queue |
|
KP2140-HA, reloaded primary unit not able to detect the peer unit |
|
Identity Policy Active auth snort3 redirect hostname doesn't list all FQDN objects |
|
FTD/Lina - ZMQ issue OUT OF MEMORY. due to less Msglyr pool memory on certain platforms |
|
FTD: HA App sync failure due to fover interface flap on standby unit |
|
ASA generating traceback with thread-name: DATAPATH-53-18309 after upgrade to 9.16.4.19 |
|
"show route all summary" executed on transparent mode FTD is causing CLISH to become Sluggish. |
|
Failover: standby unit traceback and reload during modifying access-lists |
|
FTDv Single-Arm Proxy behind AWS GWLB drops due to geneve-invalid-udp-checksum. |
|
Firepower reloads unexpectedly with a traceback |
|
FTD snmpd process traceback and restart |
|
FTD taking longer than expected to form OSPF adjacencies after a failover switchover |
|
Units get kicked out of the cluster randomly due to HB miss | ASA 9.16.3.220 |
|
The exclude policy to exclude interface status will be removed on FMC after a while |
|
Selecting "All interfaces " under FTD exclude policy for interface status module doesn't work |
|
Firewall Traceback and reload due to SNMP thread |
|
FTD: Traceback and reload during OSPF redistribution process execution |
|
FTD: TLS Server Identity does not work if size of client hello more than TCP MSS bytes |
|
FTD Lina engine may traceback, due to assertion, in datapath |
|
Add meaningful logs when the maximums system limit rules are hit |
|
Avoid both the devices in HA sends events to FMC |
|
FTD is dropping GRE traffic from WSA due to NAT failure |
|
Dumping of last 20 rmu request response packets failed |
|
ASA removes the IKEv2 Remote PSK if the Key String ends with a backslash "\" after reload |
|
ASA - The GTP inspection dropped the message 'Delete PDP Context Response' due to an invalid TEID=0 |
|
ASA appliance mode - 'connect fxos [admin]' will get ERROR: failed to open connection. |
|
FMC QoS dashboard does not show QoS rule matched |
|
False critical high CPU alerts for FTD device system cores running instantaneous high usage |
|
ASA: Checkheaps traceback and reload due to Clientless WebVPN |
|
FMC process ssp_snmp_trap_fwdr high memory utilization |
|
azure vftd node traceback while loading multiple network-service objects during ns_reload. |
|
after HA break, selected list shows both the devices when 1 device selected for upgrade |
|
Snort3 core in navl seen during traffic flow |
|
FTD: Firepower 3100 Dynamic Flow Offload showing as Enabled |
|
Policy deployment fails when a route same prefix/metric is configured in a separate VRF. |
|
Excessive logging of ssp-multi-instance-mode messages to /opt/cisco/platform/logs/messages |
|
Editing identity nat rule disables "perform route lookup" silently |
|
FTD: SNMP not working on management interface |
|
Snort2 engine is crashing after enabling TLS Server Identity Discovery feature |
|
Snort core while running IP Flow Statistics |
|
ASA/FTD traceback and reload on thread DATAPATH |
|
Decrypting engine/ssl connections hang with PKI Interface Error seen |
|
WM RM - SFP port status of 9 follows port of state of SFP 10|11|12 |
|
When state-link is flapped HA state changed from Standby-ready to Bulk-sync without failover reason |
|
FPR 1010 - Switch ports in trunk mode may not pass vlan traffic after power loss or reboot |
|
ASA/FTD: Traceback and reload due to NAT L7 inspection rewrite |
|
ASA: ISA3000 does not respond to entPhySensorValue OID SNMP polls |
|
ASA: Traceback and reload on Thread name "fover_FSM_thread" and ha_ntfy_prog_process_timer |
|
Traceback: CdFMC - Edit of network object (network/host/range/fqdn) override throws internal error |
|
HA secondary unit disabled after reboot - Process Manager failed to secure LSP |
|
ECDSA Self-signed certificate using SHA384 for EC521 |
|
ASA|FTD: Traceback & reload due to a free buffer corruption |
|
Some Vault secrets including LDAP missing files after upgrade if the Vault token is corrupted |
|
FTD Lina traceback Thread Name: DATAPATH due to memory corruption |
|
"failover standby config-lock" config is lost after both HA units are reloaded simultaneously |
|
OSPFv3 Traffic is Centralized in Transparent Mode |
|
FPR1k Switchport passing CDP traffic |
|
FMC: ACP Rule with UDP port 6081 is getting removed after subsequent deployment |
|
Management UI presents self-signed cert rather than custom CA signed one after upgrade |
|
Failed to transfer new image file to FPR2130 and traceback was observed |
|
FTD /ngfw disk space full from Snort3 url db files |
|
Radius authentication stopped working after ASAv on AWS upgrade to any higher version than 9.18.2 |
|
Do not enable TLS Server Identity Discovery on FTDv deployed with GWLB |
|
Snort crash in active response |
|
ASA Traceback & reload on process name lina due to memory header validation - webvpn side fix |
|
ASDM application randomly exits/terminates with an alert message on multi-context setup |
|
ASA/FTD HA checkheaps crash where memory buffers are corrupted |
|
ASA omits port in host field of HTTP header of OCSP request if non-default port begins with 80 |
|
Interface speed mismatch in SNMP response using OID .1.3.6.1.2.1.2.2 |
|
ASA traceback on Lina process with FREEB and VPN functions |
|
FTDv/AWS - NTP clock offset between Lina and FTD cluster |
|
FPR1010 in HA failed to send or receive to GARP/ARP with error "edsa_rcv: out_drop" |
|
ASA/FTD: Traceback and reload due to NAT change and DVTI in use |
|
ASA/FTD traceback and reload when invoking "show webvpn saml idp" CLI command |
|
Snort blacklisting traffic during deployment |
|
ASA/FTD may traceback and reload in Thread Name "RAND_DRBG_bytes" and CTM function on n5 platforms |
|
Max Detect on Detection is blocking some ping traffic |
|
Incorrect exit interface chosen for VTI traffic next-hop |
|
ASA/FTD may traceback and reload when changing capture buffer size |
|
FTD 7.0.4 cluster drops Oracle's sqlnet packets due to tcp-not-syn |
|
Lina crash in snp_fp_tcp_normalizer() when DAQ/Snort sends malformed L3 header |
|
ARP learning issues with Multiple-instance running 100G Netmod |
|
Packet drop due to unexpected-packet drop reason if route to destination is missing in egress VRF |
|
Incorrect Hit count statistics on ASA Cluster only for Cluster-wide output |
|
SNMP is not working on the primary active ASA unit in multi-context environment |
|
Lack of validation of string length creating object/category names using API |
|
Site-to-Site VPN tunnel status on FMC shows down even though it is UP from FTD side |
|
[Display]FXOS: PC member interface is shown as down & unassociated/unassigned after reload |
|
Include "show env tech" in FXOS FPRM troubleshoot |
|
Intermittently flow is getting white-listed by the snort for the unknown app-id traffic. |
|
ASA/FTD Cluster: Reuse of TCP Randomized Sequence number on two different conns with same 5 tuple |
|
741 - HA & AppAgent - Long term solution for avoiding momentary split-brain situations |
|
Logging improvement for messages exchange between LinaConfigTool and xml server |
|
ASA unexpected HA failover due to MIO blade heartbeat failure |
|
ASA traceback when re-configuring access-list |
|
FXOS: Remove enforcement of blades going into degraded state after multiple DIMM correctable errors |
|
PAC Key file missing on standby on reload |
|
SYSLOG UDP: One of syslog server is not getting the syslog message with userVRF |
|
FXOS: Alperton 100G NetMod not being acknowledged properly |
|
ASA software on FP3110 showing incorrect serial number in show inventory output |
|
FTD VMWare: High disk utilization on /dev/sda8 partition caused by file system corruption |
|
SQL packets involved in large query are dropped by SNORT3 with reason snort-block |
|
Connections are not cleared after idle timeout when the interfaces are in inline mode. |
|
Chassis Manager shows HTTP 500 Internal Server error in specific cases |
|
Specific OID 1.3.6.1.2.1.25 should not be responding |
|
Firewall Blocking packets after failover due to IP <-> SGT mappings |
|
snort3 crashes observed due to memory corruption in file api |
|
ASA/FTD: 1 Second failover delay for each NLP NAT rule |
|
Ping to the configured systemIP on management interface getting failed in cluster setup. |
|
ASA/FTD may traceback and reload in Thread Name 'ssh' when adding SNMPV3 config |
|
FTD - Traceback and reload due to nat rule removed by CPU core |
|
Enhancement for Lina copy operation for startup-config to backup-config.cfg in HA |
|
ASDM management-sessions quota reached due to HTTP sessions stuck in CLOSE_WAIT |
|
FTD not generating end of connection event after "Deleting Firewall session" |
|
Getting an exception on the UI while editing and saving the intrusion policy |
|
Policy deployment failed due to "1 errors seen during populateGlobalSnapshot" |
|
Fover_trace log repeatedly seen |
|
Snort2: Skip writing malware seed file during process shutdown |
|
FTD responding to UDP500 packet with a Mac Address of 0000.000.000 |
|
ASA "pager line 25" command doesn't work as expected on few terminal applications |
|
FTD hosted on KP incorrectly dropping decoded ESP packets if pre-filter action is analyze |
|
ASA traceback due to panic event during SNMP configuration |
|
Syslogs over management interface don't go through loggerd after FTD reboot or lina reload |
|
Large file download failed due to hitting the max segment limit |
|
ASA/FTD: NAT64 error "overlaps with inside standby interface address" for Standalone ASA |
|
Extensive logging for a problematic deployment caused logs to rollover important logs |
|
Cisco_Firepower_GEODB_FMC_Update* are not included in diskmanager |
|
Policy apply stuck because of NTP time issues (previous deploy done in future timestamp) |
|
FTD Block 9344 leak due to fragmented GRE traffic over inline-set interface inner-flow processing |
|
Strong Encryption license is not getting applied to ASA firewalls in HA. |
|
FTD/ASA traceback and reload may occur when ssl packet debugs are enabled |
|
ENH - Exempt TSID probe from going through EVE inspection |
|
2100: Interfaces missing from FTD after removing interfaces as members of a port-channel |
|
ASA/FTD may traceback and reload in Thread Name 'dns_cache_timer' |
|
ASA allows same BGP Dynamic routing process for Physical Data and management-only interfaces |
|
FTD: Failover/High Availability disabled with Mate version 0.0 is not compatible |
|
"show aaa-server" command always shows the Average round trip time 0ms. |
|
ASA/FTD may traceback and reload while running show inventory |
|
4200 Series: Portchannel in cluster may stay down sometimes when LACP is in active mode |
|
Add support for 10G-T-X module |
|
Message asa_log_client exited 1 time(s) seen multiple times |
|
FMC SSO times out when user session is active for more than 1 hr (idle timeout) |
|
ASA:Management access via IPSec tunnel is NOT working |
|
FMC HA : Redundant FTD registration task failing on secondary FMC when FTD is disconnected. |
|
The FMC is showing "The password encryption key has not been set" alert for a 11xx/21xx/31xx device |
|
Handle mem leak in callhome test command |
|
FMC 4600 v7.2.4 EVE dashboard widget showing corrupt data |
|
After rebooting, the future date set on the FPR2100 platform is not reflected (set clock manually) |
|
Improve CPU utilization in ssl inspection for supported signature algorithm handling |
|
FMC Deployment failure in csm_snapshot_error |
|
ASA does not send 'warmstart' snmp trap |
|
FMC Deployment failed due to internal errors after upgrade |
|
ASA/FTD traceback and reload with IPSec VPN, possibly involving upgrade |
|
SNORT3 - FTD - TSID high cpu, daq polling when ssl enabled is not pulling enough packets |
|
Source NAT Rule performing incorrect translation due to interface overload |
|
ASA/FTD may traceback and reload in Thread Name 'lina' while processing DAP data |
|
Fragmented UDP packet via MPLS tunnel reassemble fail |
|
NAT pool is not working properly despite not reaching the 32k object ID limit. |
|
Multicast through the box traffic causing high CPU with 1GBps traffic |
|
FTD Upgrade from 6.6.5 to 7.2.5 removing OGS causing rule expansion on boot |
|
Lina core at snp_nat_xlate_verify_magic.part and soft traces |
|
FTD SNMPv3 host configuration gets deleted from IPTABLES after adding host-group configuration |
|
LINA show tech-support fails to generate as part of sf_troubleshoot.pl (Troubleshoot file) |
|
ASDM can not see log timestamp after enable logging timestamp on cli |
|
Configuring and unconfiguring "match ip address test" may lead to traceback |
|
Firepower WCCP router-id changes randomly when VRFs are configured |
|
Configuration to disable TLS1.3 |
|
Diskmanager process terminated unexpectedly |
|
FTD-HA does not fail over sometimes when snort3 traceback |
|
ASA: Traceback and reload when restore configuration using CLI |
|
FTDvs throughput got changed to 100Kbps after upgrade |
|
WM DT - ASA in transparent mode doesn't send equal IPv6 Router Advertisement packets to all nodes |
|
Timestamp entry missing for some syslog messages sent to syslog server |
|
Community string sent from router is not matching ASA |
|
ASA/FTD may traceback and reload due to watchdog time exceeding the default 15 seconds |
|
Large policy deployment fails due to abort as no progress |
|
Secondary lost failover communication on Inside, using IPv6, but next testing of Inside passes |
|
CSF 4200: PSU Fan speed is critical |
|
FXOS : Duplication of NTP entry results in Error message : Unreachable Or Invalid Ntp Server |
|
ASA|FTD: Traceback & reload in thread Name: update_mem_reference |
|
Unable to create VRF via FDM in Firepower 3105 device |
|
Coverity 886745: OVERRUN in verify_generic_signature |
|
ASA traceback under match_partial_keyword during CPU profiling |
|
FTD: Mariadb might cause OOM due to not-so-effective memory release algorithm in glibc allocator |
|
Snort3 dropping IP protocol 51 |
|
Upgrade from FMC 7.2.4.1 to 7.2.5 failed at 600_schema/000_install_fmc.sh |
|
Unexpected high values for DAQ outstanding counter |
|
FMC Primary disk degraded error |
|
ASA: Traceback and reload when executing the command "show nat pool detail" on a cluster setup |
|
FTD: The crucial upgrade script should not be bypassed by the Upgrade Retry |
|
ASA/FTD traceback and reload on process fsm_send_config_info_initiator |
|
Snort generating an excessive number of snort-unified log files with zero bytes |
|
[Multi-Instance] Second Hard Drive (FPR-MSP-SSD) not in use |
|
Lina core at swapcontext on Standby FTD during policy deployment |
|
Bulk FTD backups to be generated in batches internally |
|
Need to update ins (In Sequence) and oos (Out Of Sequence) packets correctly for use by firewall |
|
ASA/FTD HA pair EIGRP routes getting flushed after failover |
|
ASA/FTD: Traceback and reload on thread name CP Crypto Result Processing |
|
High CPU Utilization alerts caused by the process Telegraf |
|
SNMP fails to poll accurate hostname from FMC |
|
VTI tunnel goes down due to route change detected in VRF scenario |
|
Cannot configure Correlation rule because there are no values for GID that exceed 2000 |
|
In FPR4200/FPR3100-HA/cluster observed crashinfo/corefile.lina observed on device reboot. |
|
Disconnecting RA VPN users from the FMC gui fails. |
|
Backup restore: silent failure when the device managed locally |
|
Every HA sync attempts to disable URL filtering if already disabled. |
|
eStreamer JSON parse error and memory leak |
|
FTD: Internal certificate generation results to certificate and private key mismatch |
|
WA MI: Management1/2 nameif not configured in routed instance, blocking HA deployment from FMC |
|
FDM Upgrade failure due to expired certificates. |
|
FTD installation fails on FPR-2K "Error in App Instance FTD. Available memory not updated by blade" |
|
FTD: Traceback in threadname cli_xml_request_process |
|
Firewall shows misleading SCP file copy failure reasons |
|
crypto_archive file generated after the software upgrade. |
|
Random FTD snort3 traceback |
|
File copy via SCP using ciscossh stack fails with error "no such file or directory" |
|
Last Rule hit shows a hex value ahead of current time in ASA and ASDM |
|
Init process spikes to 100% CPU usage after a failed backup |
|
Unexpected traceback on thread name Lina and device experienced reboot |
|
GTP connections, under certain circumstances do not get cleared on issuing clear conn. |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
Datapath hogs causing clustering units to get kicked out of the cluster |
|
Management DNS Servers may be unreachable if data interface is used as the gateway |
|
ASA: Traceback and reload during tests of High number of traffic flows and syslog messages |
|
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-34-17852' |
|
FTD VMWare tracebacks at PTHREAD-3587 |
|
SNMP OID ifOutDiscards on MIO are always zero despite show interface are non-zero |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
Connection drops during file transfers due to HeartBeat failures |
|
Thirty-day automatic upgrade revert-info deletion is not resilient to communication failures |
|
FMC clean_revert_backup script fails silently without creating any logs |
|
FTD sends multiple replicated NetFlow records for the same flow event |
|
SSX Eventing continues to go to old tenant upon FTD migration to CDO. |
|
FTD 1120 Traceback and reload on standby unit with SNMP enabled. |
|
SNMP Unresponsive when snmp-server host specified |
|
Traceback on FP2140 without any trigger point. |
|
Cross ifc access: Revert PING to old non-cross ifc behavior |
|
Daily Change Reconciliation Report Randomly Generating Reports with the same time periods |
|
FTD upgrade failing on script 999_finish/999_zz_install_bundle.sh |
|
FTD HA sync failure due to "CD App Sync error is Failed to apply SSP config on standby" |
|
Certificate Encoding Issue when using AnyConnect cert Authentication/Authorisation |
|
ASA/FTD traceback and reload on thread DATAPATH |
|
SFDataCorrelator logs "Killing MySQL connection" every minute, causing performance problems |
|
FMC backup fails with "Registration Blocking" failure caused by DCCSM issues |
|
Cisco Secure Access: Occasional traffic loss occurring through FWaaS |
|
FTD OSPFV3 IPV6 Routing: FTD is sending unsupported extended LSA request to neighbor routers |
|
ASA cluster traceback Thread Name: DATAPATH-8-17824 |
|
Hardware bypass not working as expected in FP3140 |
|
Source of the VTI interface is getting empty |
|
Config-url is accepting directory as the config file |
|
FMC/cdFMC increase API rate limit |
|
Node kicked out of cluster while enabling or disabling rule profiling |
|
ASA/FTD - may traceback and reload in Thread Name 'Unicorn Proxy Thread' |
|
Management access over VPN not working when NAT exempt is configured with any->any |
|
FMC does not generate email health notifications for Database Integrity Check failures. |
|
Capture-traffic Clish command with snort3 not producing a proper resulting capture |
|
Firewall traceback and reload due to SSH thread |
|
FMC-4600: Pre-Filter policy is showing as none |
|
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-13-6022' |
|
Fail open snort-down is off in inline pairs despite it being enabled and deployed from FMC |
|
VPN load-balancing cluster encryption using Phase 2 deprecated ciphers |
|
ASA/FTD may traceback and reload in Thread Name 'lina' due to a watchdog in 9.16.3.23 code |
|
ASA/FTD high memory usage due to SNMP caused by RAVPN OID polling |
|
FTD with may traceback in data-path during deployment when enabling TAP mode |
|
ASA: The logical device may boot into failsafe mode because of a large configuration. |
|
HA CP clients statistics doesn't show actual Tx/Rx and Reliable Tx/Rx |
|
Standby manager addition is failed on Primary FMC due to previous entries in table |
|
Stale HA transactions need to be moved to failed and subsequent HA transaction needs to be created |
|
Device/port-channel goes down with a core generated for portmanager |
|
In FIPS mode, External auth with TLS config enabled, CLI logins are not working (FMC & FTDs) |
|
ASA dropping IPSEC traffic incorrectly when "ip verify reverse-path" is configured |
|
ASA : Modifying a route-map in one context affects other contexts |
|
ASA SNMP OID cpmCPUTotalPhysicalIndex returning zero values instead of CPU index values |
|
Stale asp entry for TCP 443 remains on standby after changing default port |
|
FTD: Update WM firmware to 1023.0207 |
|
User assigned to a read only custom role is not able to view content of intrusion policy for snort2 |
|
Log spam in /var/log/messages: Out of range value for column 'map_id' |
|
EIGRP migration failed using 'FlexConfig Policies' script failed generating database corruption |
|
Error Fetching Data in Exclude Policy Page when non permanent exclude periods are selected |
|
Deployment stuck on FMC when device goes down during deploy and doesn't boot up |
|
OSPF Redistribution route-map with prefix-list not working after upgrade |
|
Alert: Decommission failed, reason: Internal error is not cleared from FCM or CLI after acknowledge |
|
File-extracts.logs are not recognised by the diskmanager leading to high disk space |
|
PSU fan shows critical in show environment output while operating normally |
|
FTD ADI debugs may show incorrect server_group and/or realm_id for SAML-authenticated sessions |
|
Username-from-certificate secondary attribute is not extracted if the first attribute is missing |
|
ipv6 table flush exception when cli_firstboot installs bootstrap configuration multi instance |
|
ASA: Snmpwalk shows "No Such Instance" for the OID ceSensorExtThresholdValue |
|
Unable to SSH into FTD device using External authentication with Radius |
|
tls website decryption breaks with ERR_HTTP2_PROTOCOL_ERROR |
|
TLS1.3: core decode points to tls_trk_try_switch_to_bypass_aux() |
|
use kill tree function in SMA instead of SIGTERM |
|
Detailed logging related to reason behind sub-interface admin state change during operations |
|
ASA/FTD traceback and reload due to file descriptor limit being exceeded |
|
Health Monitor Alerts set in Global are not sending alert from devices assigned in leaf domain |
|
Hostnames are replaced with IP addresses in alert email content |
|
Module name displayed in the alert got changed and it differs from the one set in FMC |
|
FTD HA should not be created partially on FMC |
|
FDM deployment failure |
|
Policy Apply failed moving from FDM to FMC |
|
Hairpinning of DCE/RPC/FTP traffic during the suboptimal lookup |
|
Deployment fails on new AWS FTDv device with "no username admin" |
|
FTD HA Failure after SNORT crash. |
|
ASA/FTD: Traceback and reload when running show tech and under High Memory utilization condition |
|
Umbrella Profile and others cleared incorrectly when editing group policy in the UI |
|
MonetDB startup enhancement to clean up large files |
|
installing GeoDB country code package update to FMC does not automatically push updates to FTDs |
|
ASA/FTD may traceback and reload in Thread Name IKEv2 Daemon |
|
Deployment fails if Network Discovery policy reference is missing from FMC Database |
|
ASA traceback and reload on Thread Name: DATAPATH |
|
GTP inspection dropping packets with IE 152 due to header length being invalid for IE type 152 |
|
FMC Validation failure for large object range and success for object network in NAT64 |
|
Incorrect health monitor alerts for ISE-PIC connectivity |
|
low memory/stress causing traceback in SNMP |
|
ISA3000 Traceback and reload boot loop |
|
We should be skipping sru_install during Minor patch upgrades and install only on required basis |
|
FMC Deployment preview shows different information before and after FTD deploy |
|
Monetdb having 14GB of unknown BAT data causing "High unmanaged disk usage on /Volume" |
|
Snort3 traceback with fqdn traffics |
|
ASA/FTD: DNS Load Balancing with SAML does not work with VPN Load Balancing |
|
ASA/FTD: Cluster incorrectly generating syslog 202010 for invalid packets destined to PAT IP |
|
FTD drops double tagged BPDUs. |
|
FTDv may traceback and reload in Thread Name 'PTHREAD-3744' when changing interface status |
|
API:/operational/commands not working as swagger indicate |
|
"Update file is corrupted" for "Download Latest Cisco Firepower Geolocation Database Update." in FMC |
|
ASA traceback and reload on Thread Name: pix_flash_config_thread |
|
ASA|FTD Traceback & reload in thread name Datapath |
|
Event Searching with Objects and Networks Leads to only showing events matching Objects |
|
Threat Defense Service Policy - Reset Connection Upon Timeout not working |
|
TCP MSS is changed back to the default value when a VTI or loopback interface is created |
|
Their standalone FTD running 7.2.2 on FPR-4112 experienced a traceback on the SNMP module |
|
FTD 7.4.1 Snort shows 100% utilization even at a low traffic rate |
|
Unattended mode FTD upgrade from 741 to 76 fails if upgrade pkg is already copied over to devices |
|
Snort3 traceback and restarts with race conditions |
|
Service object-group protocol type mismatch error seen while access-list referencing already |
|
Unable to Synch more than 100 environment-data with data unit |
|
Snort3 traceback in TcpReassembler::scan_data_post_ack |
|
SSL protocol settings does not modify the FDM GUI certificate configuration or disable TLSv1.1 |
|
Decryption policy page is empty if user that modified/created policy was deleted. |
|
Error thrown if Security Analytics user tries to access Packet Capture page |
|
ASA/FTD : Port-channels remain down on Firepower 1010 devices after upgrade |
|
7.4 - If policy save in progress deploy might indicate failure for only few devices |
|
ASA Traceback and reload on Thread Name "fover_parse" on Standby after Failover Group changes |
|
Internal error when attempting to configure PBR in FMC |
|
interface idb logging log rotation to FXOS logrotate utility |
|
RAVPN SAML: External browser gives misleading message when FTD/ASA fails to parse assertion |
|
Incorrect NAT warnings threshold limit of 131838 IPs |
|
Blocking SMB traffic with reason "Blocked by the firewall preprocessor" |
|
Bootstrap after upgrade failed - Resume HA with reason deployment already exists |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
High disk usage caused by large write-ahead log in eventdb |
|
ZTNA: FMC pushes incorrect sp-acs-url parameter - "?" encoded as 0x3F |
|
ZTNA: FMC doesn't accept IdP with local domain |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
Debugs failed to be enabled on SSH session |
|
ASA/FTD Traceback and reload related to SSL/DTLS traffic processing |
|
SFDataCorrelator timeout thread deadlock detection core on busy FMC |
|
Threat Defense Upgrade wizard might incorrectly show clusters/HAs as disabled |
|
Null pointer dereference in SNMP that results in traceback and reload |
|
ASA/FTD may traceback and reload in Thread Name "appAgent_monitor_nd_thread" & Rip: _lina_assert. |
|
Geodb installation notification is stuck or some tasks wont create a notification in UMS |
|
traceback and reload around function HA |
|
DHCPv6:ASA traceback on Thread Name: DHCPv6 CLIENT. |
|
Flow velocity metric in IAB settings is incorrect. |
|
WARN msg(speed not compatible, suspended) while creating port-channel on Victoria CE |
|
The report doesn't include "Default Variables" information after change "Variable Sets" name |
|
ASA/FTD may traceback and reload in Thread Name 'webvpn_task' |
|
Unable to view any events (Connection/Malware/etc) on the FMC Post FMC Upgrade to 7.6 |
|
FMC: Packet-tracer showing a "Interface not supported" error for VLAN interfaces |
|
Devices might change status to "missing the upgrade package" after Readiness Check is initiated |
|
FMC configured DAP rule with Azure IDP SAML attributes does not match |
|
Policy deployment failures on TPK MI chassis after redeploying same instance |
|
During FMC hardware migration failure encountered due to missing prometheus directories |
|
Error logs generated for ssh access to ASA when eddsa is used as kex hostkey |
|
Continuous snmpd restarts observed if SNMP host is configured before the IP is configured |
|
ASA/FTD: Memory leak caused by Failover not freeing dnscrypt key cache due to unsynced umbrella flow |
|
Creating DAP policy with underscore "_" is not visible as applied to Remote Access VPN policy |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
upgrade of FMC to 7.2.x removes FlexConfig-provided EIGRP authentication from interfaces on FTDs |
|
Intermittent Packet Losses When VTI Is Sourced From Loopback |
|
Firewall is in App Sync error in pseudo-standby mode and uses IPs from Active unit |
|
standard error (stderr) not inserted into restore.log when restoring FMC backups |
|
Download failed for Available Upgrade Packages |
|
"Stream: TCP normalization error in NO_TIMESTAMP" is seen when SSL Policy decrypt all is used |
|
Unable to delete custom DNS Server Group Object post upgrade 7.2.x |
|
Devices in HA pair shows as standalone in Threat Defense Upgrade page |
|
FTD: Improve or optimize LSP package verification logic to run it faster |
|
ASA/FTD traceback and reload in Thread Name: IKEv2 Daemon when moving from active to standby HA |
|
Configuring MTU value via CLI does not apply |
|
Standby FTD experiencing periodic traceback and reload |
|
Memory exhaustion due to absence of freeing up mechanism for tmatch |
|
Transparent firewall MAC filter does not capture frames with STP-UplinkFast dst MAC consistently |
|
FP2100/FP1000: ASA Smart licenses lost after reload |
|
ASDM connection lost issue is observed in ASAv device due to config issue |
|
CloudAgent Smart Agent Exception - The Smart Agent Manager requires NTP to be running on FDM |
|
FDM deployment fails with error "Some interfaces have been added to or removed from the device" |
|
IKEv2 client services is not getting enabled - XML profile is not downloaded |
|
FTD/Lina traceback and reload of HA pairs, in data path, after adding NAT policy |
|
some ssh sessions not timing out, leading to ssh and console unable to connect to the FXOS CLI |
|
FMC: Add logging for PM functions |
|
Policy Deployment Fails when removing the Umbrella DNS Policy from Security Intelligence |
|
FMC API Call for Network Object Overrides Returns Different Results for Active vs Standby FW |
|
Incorrect Timezone Format on FTD When Configured via FXOS |
|
Snort stripping packet information and injects its packet with 0 bytes data |
|
Unable to send unknown file disposition to ThreatGrid due to mem cache issue |
|
MonetDB Monitor triggers for restarting MonetDB based on WAL size are not effective |
|
Report file generated for AC policy is empty |
|
ASA CLI hangs with 'show run' on multiple SSH |
|
Traffic incorrectly matches an ALLOW rule with a time-range object after time has expired |
|
some stdout logs not rotated by logrotate |
|
Upgrade Failed with error "Upgrade failed because of undeployed changes present on the device" |
|
TLS Server Identify: 'show asp table socket' output shows multiple TLS_TRK entries |
|
Modify UUID during license communication to avoid disrupting customer's licenses |
|
External Radius authentication fails post upgrade if radius key includes special characters |
|
VTI tunnel showing incorrect port-channel association info in VPN Monitoring page |
|
SFData correlator keep terminating on FTDs configured for IDS |
|
Traceback and reload on Primary unit while running debugs over the SSH session |
|
Automatic VDB/SRU Download Fails Due to Simultaneous Signature Validation |
|
Every realm sync indicates an access control policy change |
|
ASA:request to add "logging list" option to the "logging history" command. |
|
FTD/ASA system clock resets to year 2023 |
|
Access to website via Clientless SSL VPN Fails |
|
Unable to login to FDM GUI using external user account via RADIUS |
|
FTD/ASA - SNMP queries using snmpwalk are not displaying all "nameif" interfaces |
|
ASA SNMP Polling Failure for environmental FXOS DME MIB (.1.3.6.1.4.1.9.9.826.2) |
|
Need to add reasons for blocks in stream |
|
Migration of S2S from ASA to FMC across domains |
|
Heap-use-after-free in Discovery Filter on Snort shutdown |
|
Deployment doesn't timeout as notification (but not started), runs for hours after LSP install |
|
Run All function on FMC Health Monitoring page is greyed out after upgrade |
|
Lina traceback and reload in Thread Name: cli_xml_request_process |
|
"crypto ikev2 limit queue sa_init" resets after reboot |
|
FTD: Hostname Missing from Syslog Message |
|
FTD SNMP OID 1.3.6.1.4.1.9.9.109.1.1.1.1.7 always returns 0% for SysProc Average |
|
SSH/SNMP connections to non-admin contexts fail after software upgrade |
|
Chromium-based browsers have SSL connection conflicts when FIPS CC is enabled on the firewall. |
|
ASA traceback and reload after configuring capture on nlp_int_tap and deleting context |
|
FTD traceback assert in vni_idb_get_mode and reloaded |
|
EIGRP bandwidth is changing after upgrade or after "shutdown"/"no shutdown" commands |
|
Tomcat restarts in the middle of the LTP flow due to certificate update |
|
Policy deployment failure rollback didn't reconfigure the FTD devices |
|
FMC: Multiple Email address in Email Alert not working |
|
Snort process spamming syslog-ng messages causing syslog-ng termination |
|
VMXNET3 driver is not getting loaded automatically on the bootup for FMCv300 |
|
logging list MANAGER_VPN_EVENT_LIST getting removed and re-applied for every deployment |
|
Policy deployment failure in standalone FDM due to an interface error |
|
Backup failures needs to be displayed with the correct state on GUI |
|
ASA Checkheaps traceback while entering same engineID twice |
|
Backup generation on FDM fails with the error "Unable to backup Legacy data." |
|
pmtool restart of monetdb fails to bring up monetdb, too many files in monetdb Volume directory |
|
SFDataCorrelator creates huge numbers of to_import files when MonetDB table partition creation fails |
|
FMC : Health Monitor Alert is not properly issued regarding disk usage |
|
In Spoke dual ISP case if ISP2 is down, VTI tunnels related to ISP1 flapping. |
|
Deleting Snort 3 IPS Rule doesn't Generate Audit Log |
|
ENH: FTD Add debug message to indicate "No CRL found in User identity Certificate" |
|
Intermittent loss of management traffic due to DHCP service failing to start |
|
ASA/FTD may traceback and reload in Thread Name DATAPATH due to GTP Spin Lock Assertion |
|
FMC Server Certificate shows Only First 20 Objects |
|
ASA upgrade from 9.16 to 9.18 causing change in AAA ldap attribute values by adding extra slash '\' |
|
Deployment failure due to exceeding logging event list name size |
|
FTW no longer working in NM3 on Warwick |
|
FMC: fireamp generating too many logs |
|
FTD: HostScan scanning results not processed in version 7.4.1 |
|
ICMP replies randomly do not reach the sender node when initiated from the node. |
|
BBManager text based search - lucene |
|
Unable to remove suppression from snort3 rule once added |
|
FP 3100 MTU change on management interface is NOT persistent across reboots (returns to default MTU) |
|
The secondary device reloaded while rebooting the primary device. |
|
Web Contents files appear as text/plain when they should be application/octet-stream |
|
Never expiring machine user not logged out at various places |
|
Crypto IPSEC SA Output Showing NO SA ERROR With IPSEC Offload Enabled |
|
Applications are incorrectly identified as TOR and blocked by Snort3 |
|
FMC-SSE Cloud Configuration SSE Enrollment Failure alert due to empty connector.toml file on the FTD |
|
TSS_Daemon process is exiting every minute |
|
SAML: Single sign-on AnyConnect token verification failure is seen after successful authentication |
|
ASA/FTD may traceback and reload in Thread Name 'lina' related to Netflow timer infra |
|
username containing '@' character works for asa login but fails for 'connect fxos' |
|
Policy stuck in loading state on FMC UI |
|
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-6-26174' |
|
PM restart needs to be blocked or warned the user that it may go for reboot |
|
FMC - Inheritance Settings Select Base Policy Menu disappears while scrolling using Light or Dusk UI |
|
rna_ip_os_map can grow very large that causes SFDataCorrelator to stop processing events |
|
Object optimisation gets disabled on FMC if next deployment is after two hours |
|
FTD - Trace back and reload due to NAT involving fqdn objects |
|
ASA: Warning messages not displayed when Static interface NAT are configured |
|
FTDv reloads and generate backtrace after push EIGRP config |
|
FTD with Interface object optimization enabled is blocking traffic after renaming of zone names |
|
Debug: Eth1/1 flapping unexpectedly |
|
Active unit goes to disabled state when there is a mismatch in firewall mode |
|
Lina traceback and reload due to mps_hash_memory pointing to null hash table |
|
After upgrading the ASA, “Slot 1: ATA Compact Flash memory” shows a different value |
|
LSP Deployment fails in multi instance FP 41xx / 93xx |
|
Error when running 'show tech-support module detail' on FPR9K |
|
FTD/ASA : CSR generation with comma between “Company Name” attribute does not work as expected |
|
restored FMC backup devices display as "normal" and "healthy" although without connection with FMC |
|
FMC allows loading a binary certificate in the External Authentication Object |
|
FMC shows a non-User-Friendly Error during a Policy Deployment failure due to snapshot failure |
|
Rest API '/devices/devicerecords' is returning mismatch of values for (RA VPN) policy object id |
|
Identity Mapping Filter field gets updated with newly created network objects. |
|
Snort3: TCP traffic failure after upgrade due to large invalid sequence numbers and invalid ACKs |
|
Victoria CP might list all on-board interfaces as L3 mode after base-install |
|
SFDataCorrelator memory leak after unregistering an active device |
|
3140 3 MI instances upgrade failed |
|
Addition of debugs & a show command to capture the ID usage in the CTS SXP flow. |
|
Wrong IP address on FMC audit logs |
|
TLS Secure Client sessions cannot be established on FTD Due to RSA-PSS Signing Algorithm |
|
After upgrade FDM deployment fails "Timeout waiting for snort detection engines to process traffic" |
|
Segmentation fault with "logger_msg_dispatch" while HA sync |
|
Clientless VPN users are unable to reach pages with HTTP Basic Authentication |
|
"strong-encryption-disable" pushed from FMC without any change after FMC upgrade |
|
VPN config isn't getting sync to leaf domain, when FTD moved to leaf domain |
|
ASA/FTD may traceback and reload while handling DTLS traffic |
|
IKEv2 tunnels flap due to fragmentation and throttling caused by multiple ciphers/proposal |
|
ASA/FTD Cluster memory exhaustion caused by NAT process during release of port blocks allocations |
|
Disk quota for the corefile should be revisited based on platform |
|
Snort3 core in FTD stateful signature evaluation |
|
SecureX / Cisco Security Cloud registration fails if FMC is behind a proxy server |
|
Command to show counters for access-policy filtered with a source IP address gives incorrect result |
|
Multiple context interfaces fail to pass traffic |
|
Dns-guard prematurely closing conn due to timing condition |
|
URL Filtering and Cisco-Intelligence-Feed Download Failure |
|
ASA traceback with thread name SSH |
|
High latency observed on FPR31xx |
|
SFDataCorrelator memory growth when pruning a huge number of old service identities |
|
FDM /ngfw/var/sf/fwcfg/zones.conf is empty for 7.3.1 |
|
SFDataCorrelator memory growth when processing a huge number of expired user identities |
|
FTD compliance mode not accurately shown on FMC for newly registered FTDs |
|
FMC 7.3 Deployment failed due to OOM in PBR Configuration |
|
FTD: Backups fail on Multi-Instance or standalone with error "Backup died unexpectedly" |
|
Additional memory tracking in SFDataCorrelator |
|
ASA/FTD may traceback in Threadname: **CTM KC FPGA stats handler** |
|
FTD-HA creation is failing because FMC takes longer time to save overrides. |
|
FTD-HA upgrade fails to start - Configuration is out of sync between active and standby |
|
IPv6 rule with manual address entry FMC with ::/0 is not working as expected. |
|
SNMP poll for some OIDs may cause CPU hogs and high latency can be observed for ICMP packets |
|
FTDv - The interface connected to the AWS GW may have connection issues for DHCP or an idle state. |
|
when set the route-map in route RIP on FTD, routes update is not working after FTD reload |
|
Unable to add additional LDAP attribute maps on upgraded FMC |
|
Internal Certificate Import Error : Failed to validate Cert Based EO: Unsupported Key Type |
|
Stale Health Alerts seen on the UMS after model migration |
|
ASA traceback and reload when accessing file system from ASDM |
|
High latency observed on FPR42xx |
|
Crypto IPSEC Negotiation Failing At "Failed to compute a hash value" |
|
Add support for new Cloud SSX regions for India and Australia |
|
SSE connection events, FirewallRuleList field is not sent in proper format |
|
All IPV6 BGP routes configured in device flapping |
|
Snort creating too many snort-unified log files when frequent policy deploys |
|
FMC backup remote server copy to Solar Winds remote server failing after upgrading to 7.x versions. |
|
BGP config related to holdtime not being deployed successfully |
|
object lookup doesn't show referenced policy automatically under object management |
|
Traceback observed while applying 'no failover' and 'failover' in the ASA standby |
|
Crypto ikev2 policy sequence order alters on interface/sub-interface config changes |
|
FMC unable to upload PKCS12 certificate using Passphrase longer than 48 characters in length. |
|
Radius secret key of over 14 characters for external authentication does not get deployed (FPR3100) |
|
ASA/FTD: A delay in an async crypto command induces a traceback and subsequently a reload. |
|
FPR3K loses connectivity to FMC via mgmt data interface on reboot of FPR3K |
|
ASA: Running the failsafe-exit command caused the interface to enter a DISABLED state |
|
delay in creating process of Readiness/upgrade post initiating from UI |
|
FDM1010E 7.4.1 unable to register to SA, getting "Invalid entitlement tag" |
|
FMC HA Wizard shows error "Unable to retrieve high availability status." with other languages |
|
False positive ISE bulk download alert error seen on FMC |
|
Cleanup stale logrotate files |
|
FMC REST API not sending 'deploymentStatus' Attribute |
|
FTD HA status in ON Prem FMC is corrupted reporting Secondary as Primary |
|
ASA/FTD may traceback and reload in Thread Name 'lina' due to SCP/SSH process |
|
FMC only accepts a maximum of 30 characters for shared secret key when connecting to RADIUS server |
|
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-1-16803' |
|
High CPU usage in svc_sam_dme process during deployment post breaking cluster or deleting inline-set |
|
File descriptor leak when validating upgrade images |
|
cEdge URLF feature is not blocking urls with categories |
|
Error message spammed to console on Firepower 2100 devices while enabling SSH config |
|
Deployment failure and rollback when changing parent of subinterface with failover MAC address |
|
Snort3: MSSQL query traffic corrupted by stream_tcp overlap handling causing SQL HY000 |
|
Disable health module does not delete UMS messages for that health module. |
|
Snmpwalk throws Error messages #"snmp/error: truncating integer value > 32 bits" |
|
FMC gets flooded with "Unable to find SSL rule id for policy" if TLS server identity discovery is on |
|
OGO changing the order of custom object group contents causing an outage at static NAT |
|
Snort3 crashes due to processing pdf tokenizer with no limits. |
|
Autodeployment failing on cdFMC v20240307 when onboarding a 1010 v7.2.5 |
|
ECDSA certificates are not supported by FMC ISE integration |
|
New User activity page does not load because the VPN bytes in and out are long. |
|
Console Access Stuck for ASAv hosted in CSP after Upgrade to 9.18.3.56 |
|
FMC GUI errors out when searching for Topology Name that has a decimal point in the name |
|
Tomcat and VmsBackendServer down post upgrade if a userrole description is too long |
|
FTD/ASA-HA configs not in sync as the command sync process is sending configs with special chars |
|
Default Hashing Algorithm is SHA1 for Firepower Chassis Manager Certificate on 4110 |
|
SNMP host group content change results in SNMP process termination on management interface |
|
Snort dropping connections with reason blocked or blacklisted by the firewall preprocessor |
|
"FDM Keyring's certificate is invalid, reason: expired" health alert on FMC |
|
PAT communication via using PAT pool fails for about 40 seconds when a device joins a cluster |
|
Deployment time increased by 30-45 seconds after the upgrade when applying specific Platform Setting |
|
sync call got stuck resulting in boot loop |
|
VPN status not getting updated on site-to-site monitoring. |
|
Deployment failure and rollback when BGP communities added or removed in route-map match clause |
|
ASA may traceback and reload in Thread Name 'DATAPATH-21-16432' |
|
SNMP OID for CPUTotal1min omits snort cpu cores entries when polled |
|
Snort3: Smaller size packets exceeding the max segment limit cause Snort-block |
|
ASAv Memory leak involving PKI/Crypto for VPN |
|
tpk_mi upgrade failed from 7.4.1.1 > 7.6.0 000_start/000_00_run_cli_kick_start.sh. |
|
Policy Deployment failure in FTD HA node due to timeout for SHOW_XML_REQUEST |
|
User group map miss after Hardware FMC model migration from FMC2600 to FMC4700 |
|
FTD LINA Traceback and Reload idfw_proc Thread |
|
eStreamer memory leak when the FMC receives events from CDO-managed FTDs |
|
ENH Logs FP4110 (FXOS 2.10.1.179) Security module stopped responding after device reboot |
|
snmpd core seen in ASA/FTD |
|
SFDataCorrelator deadlock on reconfigure after RNAStop and monetdb output queue is full |
|
FTD - Trace back and reload due to NAT involving fqdn objects |
|
ASA/FTD may traceback and reload in Thread Name 'sdi_work' |
|
TLS Handshake Fails if Fragmented Client Hello Packet is Received Out of Order |
|
FDM HA deployment fails with 'ApplicationException: Unable to export to database' error |
|
FTD/ASA : Standby FTD traceback and reload after enabling memory tracking |
|
FAN is working as expected but FAN LED is in off state. |
|
Seeing message "reg_fover_nlp_sessions: failover ioctl C_FOREG failed" |
|
SFDataCorrelator log spam, repeatedly purging expired services and client apps |
|
FMC on upgrade results in FTDv losing its performance tier |
|
FTD failed to join FTD-HA after upgrade revert |
|
FPR might drop TLS1.3 connections when hybridized kyber cipher is enabled in web browser |
|
High LINA CPU observed due to NetFlow configuration |
|
Standby Unit Interfaces enter "Waiting" Status Post-FTD Upgrade Due to Incorrect "Hello" Message MAC |
|
Invalid health alert msg - Classic License Expiration Monitor for "License mismatch on stack" on FTD |
|
FMC Rest API Internal Server Error when log Interval attribute is not set |
|
ASA/FTD may traceback and reload in Thread Name 'fover_FSM_thread' |
|
FPR2100-ASA Unable to generate CSR without FXOS IP address on SAN field |
|
FTD may traceback and reload in process name lina while processing appAgent msg reply |
|
[7.6.0]Radius auth not working with custom secret key |
|
FMC Health Monitoring sends incomplete message when language is changed. |
|
Larger entries in EoRevisionStore table causing HA Sync to fail mysqldump process |
|
FTD /mnt 100% disk utilization due to snort memory mapped files |
|
FTD HA: Traceback and reload in netsnmp_oid_compare_ll |
|
Snort2 SSL decryption with known key fails on Chrome v124 and above. |
|
Failsafe mode default values are unattainable on some platforms need adjustment per platform/mode |
|
Snort3 crashes while collecting flow-ip-profiling |
|
RAVPN: Failure to create SGT-IP mapping due to ID table exhaustion |
|
CdFMC: Device migration with RAVPN fails during import |
|
FMC: Comments on rule change required not working in Classic Theme Legacy UI |
|
Unable to run "nslookup" command on FXOS |
|
CD App Sync error on FDM HA after LINA crash |
|
disable stat check for file |
|
Browser redirects to logon page when the user clicks the WebVPN bookmark |
|
cdFMC : AC rule shown as removed in policy preview |
|
Access rule name shows "invalid ID" instead of the rule names after patching from 7.2.4 to 7.2.5 |
|
FMC got deregistered from Smart License after upgrade |
|
Encountering an unknown error [9999] when attempting to modify the identity policy. |
|
Classification mismatch between intrusion and correlation events |
|
Failure to read the signature keys (mult-instance deployment) |
|
Fail to start a disabled container on chassis reboot and misses to log the activity to Heimdall |
|
"show inventory" output shows Name: "power supply 0" on Firepower |
|
M6 hardware models are hardly storing only a week old health monitoring data |
|
CdFMC: FTD Migration Failing on Registration Phase |
|
ASA Fails to initiate AAA Authentication with IKEv2-EAP and Windows Native VPN Client |
|
Captive portal returns bad request for snort 2 for FMC 7.4.x , FTD version < 7.4 |
|
Snort2 - SSL decryption failing and some websites not loading on Chrome v124+ |
|
WebVPN connections stuck in CLOSEWAIT state |
|
ASA/FTD may traceback and reload in Thread Name PTHREAD |
|
Realm download task failing with ADI process is not currently available |
|
Unable to download users/groups getting Failed to get response from ADI. |
|
FPR 21xx - Traceback in Process Name: lina-mps during normal operations |
|
ASA CLI hangs with 'show run' with multiple ssh sessions |
|
Filtered ACP rules are not greyed out when disabled using Bulk action |
|
FTD does not compact files that are used to communicate updates to the SGT/IP mappings |
|
FTD Unable to register to FMC due to empty DNS Server configured. |
|
ASA/FTD SNMP polling fails due to overlapping networks in snmp-server host-group |
|
"set ip next-hop" line deleted from config at reload if IP address is matched to a NAME |
|
Loss of interface mapping with security zones after deployment |
|
FMC REST API || ICMP objects with no code value breaking GET call and JSON parsing |
|
Serviceability : Improve routing infra debugs and add new for error conditions |
|
Force deploy not re-generating export-cache in the device |
|
Clock skew between FXOS and Lina causes SAML assertion processing failure |
|
ADI Session Processing Delays return after upgrade to 7.2.x |
|
FTD/ASA traceback and reload due to 'show bgp summary' memory leak |
|
command to print the debug menu setting of service worker |
|
FMC - Custom User role VPN allows user to make changes to Site to Site VPN when Modify is unchecked. |
|
Clock skew: FXOS clock diverges from Lina NTP time ~1-10 secs |
|
Connectivity failure due to mismatch between l2_table and subinterface mac address |
|
"Rule Unavailable" for some local intrusion rules may be shown in intrusion event packet view |
|
Deploying an authorization server with an LDAP attribute map results in deployment failure. |
|
High LINA CPU observed due to NetFlow due to 'flow-export delay flow-create' configuration |
|
Accepting duplicate object/group-object into object-group from multiple ssh sessions |
|
RC4 ciphers cannot be disabled on FMC/FTD for captive portal authentication with Kerberos |
|
Fatal error: Error running script 800_post/100_ftd_onbox_data_import.sh |
|
Traceback and reload on active unit due to HA break operation. |
|
TCP Session Interrupted if Keep-Alive with 1 Byte is Received |
|
SNMP polling of admin context mgmt interface fails to show all interfaces across all contexts |
|
ASA/FTD incorrectly forwards extended community attribute after upgrade. |
|
TS filename still showing the old IP after FMC management IP is changed |
|
Bring back support for portal-access-rule for weblaunch for RAVPN sessions |
|
FTD : Management interface showing down despite being up and operational |
|
Traffic drop with 'rule-transaction-in-progress' after failover with TCM cfgd in multi-ctx mode |
|
ASA/FTD traceback and reload with high rate of SIP connections |
|
State Link Stops Sending Hello Messages Post-Failover Triggered by Snort traceback in FTD HA |
|
FTD doesn't send Type A query after receiving a refuse error from one DNS server in AAAA query. |
|
ESP sequence number of 0 being sent after SA establishment/rekey |
|
FMC Users page in sub domain does not load |
|
Add warning message when configuring CCL MTU |
|
Radius server configuration for FTD external authentication is not deployed to FTD. |
|
Snmpwalk displays incorrect interface speeds for values greater or equal than 10G |
|
Remove SGT frames/packets to allow VTI decryption |
|
FMC - Add warning message when configuring CCL MTU |
|
FTD/ASA - VPN traffic flowing through the device may trigger tracebacks and reloads. |
|
No devices listed in Packet Tracer "Select Device" dropdown |
|
Backups may fail on remote storage when the filebackup.tar contents are so huge |
|
EventHandler may not send events to the FMC when Snort wrote many zero-length snort-unified files |
|
temporary backups files shouldn't be kept on remote storage and do not parse other format files |
|
Backup feature does not save/restore DAP configuration in multiple context mode. |
|
ASA/FTD: Substantial increase in the time taken to load configuration |
|
FMC 7.2.5 Showing incorrect data of FTD HA at 6.6.5 under fleet upgrade |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
Safety Net for Infinite Recursion Crashes due to Bad Stream TCP State in (IDS)Post-ACK mode |
|
FTD memory depletion resulting in traceback and reload |
|
SFDataCorrelator stops receiving events on a device channel when the other channel blocks |
|
FTD 7.4.1.x sends NAS-IP-Address:0.0.0.0 in Radius Request packet as network interface |
|
ASA/FTD May traceback & reload citing Thread Name 'lina' as the faulting thread. |
|
NAT_HARDEN: CGNAT breaks when mapped ifc is configured as any |
|
Enable logs to identify corrupted policy when deployment fails with "SNAPSHOT_PG_TIMESTAMP_ERROR" |
|
256/1550 block depletion process fover_thread |
|
FMC "java.lang.OutOfMemoryError: Java heap space" errors in feed_data_manager.log |
|
TLS Client Hello packet is dropped by snort |
|
FMC Management workflow issue: Cannot remove NetworkObject from group and delete it in same ticket |
|
Standard Access List Objects can be written with leading whitespace |
|
Health Alerts are generating for sub interface even when main interface is excluded. |
|
ISE connection status health alerts on FMC with ise services down |
|
FTD/LINA may traceback and reload when "show capture" command is executed in EEM script |
|
Update Fan RPM Thresholds for 42xx platforms |
|
High cpu on "update block depletion" with secondary effects (Bgp flaps, traffic drops) |
|
SGT INLINE-TAG added after upgrade to 7.4.x |
|
FTD lost connection with cdFMC after FTD backup Restoration |
|
FMC should not take a policy backup during patch / Hotfix installations. |
|
Endpoint Assessment features are not enabled when HostScan package is modified via FMC |
|
Trigger Alert/Warning when the associated FQDN IDs of an IP address surpasses the set limit of 8 |
|
FMC REST API calls to get AC policy data times out, AC policy GUI slowness with larger rule query |
|
ASA/FTD may traceback and reload in Thread Name 'PTHREAD-1756' |
|
Need to Protect LINA from getting killed by OOM |
|
Changes made on health policy are not being saved |
|
Virtual ASA/FTD may traceback and reload in thread PTHREAD |
|
cdFMC Fails to configure-geneve-encapsulation on interface |
|
TLS1.3 Decryption configuration on SSL policy is affecting DND traffic. |
|
ASA on HA: alloc_ch() alloc from chunk mem Failed message on one context in Standby device |
|
CMI is disabled if pre-CMI nameif on diagnostic interface is MANAGEMENT |
|
FTD/FxOS - Upgrade/erase configuration result in App-instance 'Operational State: Starting' |
|
Unable to deploy changes to migrated 7.0.x version of 21xx 11xx FTD-HA pair to cdFMC from onprem |
|
FTD / ASA High Memory Usage Due to HTTP-based Path Monitoring |
|
Standby HA FMC entering standalone mode - /var/tmp/compliance.rules which was created was invalid. |
|
API call for ftdallinterfaces returns an inaccurate "self" element. |
|
Unable to upgrade cluster with status "cluster/HA pair is not eligible' |
|
FMC can not connect to private AMP when proxy is enabled in management interface |
|
Empty network objects cause cdFMC migration to fail |
|
GRE traffic getting dropped after failover |
|
IPv6 SSL Anyconnect access blocked in HA pair |
|
Instrument new logs in the startup process to collect more information |
|
FTD LINA Traceback and Reload dhcp_daemon Thread |
|
During migration to cdFMC from onPrem, certain objects are having inconsistency between CSM and EO |
|
Exception raised while fetching telemetry data from the FMC |
|
ASA might traceback and reload due to ssh/client hitting a null pointer while using SCP. |
|
Incorrect network module slot and status information in "show module" command output |
|
App instance stuck in STOP_FAILED with error message |
|
HA-monitored interfaces are going into "waiting" state and subsequently to "Failed" |
|
NTP is not synchronising when using SHA-1 authentication |
|
Failover prompt shows state active while the firewall is in Negotiation |
|
FXOS upgrade failure due to insufficient free space in /mnt/pss (isan.log consumes most of space) |
|
DAP policies not working with attribute TRUE/FALSE |
|
Certificate validation fails with trustpool when FIPS is enabled |
|
FTD running on FPR 2k with LDAP skips backslash when updating ldap.conf |
|
ASA: Site-to-Site VPN between contexts on the same device drops traffic due to 'ipsec-tun-down' |
|
FMC in CC-mode audit over syslog not working |
|
ASA/FTD may traceback and reload in Thread Name SSH |
|
FTDv traceback in Thread name - PTHREAD |
|
Traffic outage due to 9k block depletion (tcpmod proc) observed on FPR 3100 (HA) |
|
ASA/FTD: Memory Exhaustion due to Threat-Detection |
|
FTD does not mark stuck ongoing deployments as failed leading to subsequent deployment failures |
|
Empty user attributes in LDAP causes partial user/group download |
|
Health alert seen on FMCs : URL/LSP-via Beaker3 |
|
Partition "/opt/cisco/config" gets full due to btmp file not getting logrotated |
|
FMC: Not receiving any Email Alert after upgrade |
|
FTD upgrade to 7.4.2 via FDM is blocked |
|
VPN Client Application version and OS is not displayed for the FTD Standby peer under User Activity |
|
Unable to create MI FTD in TPK chassis |
|
Database corruption due to VPN objects post migration to cdFMC |
|
'ENDPOINT_TIME_OUT_OF_SYNC' Error Causing SAML Auth to Not Complete |
|
cdFMC: tmp_cisco is consuming high boot volume space for the cdFMC tenants |
|
ASA/FTD may traceback and reload in Process Name "lina" after device was reloaded |
|
FTDv50 traceback during normal operation at PTHREAD-8141 spin_lock_fair_mode_enqueue |
|
S2S VPN with 3rd party broken after upgrading FPR 9.20 |
|
Critical fault : [FSM:FAILED]: user configuration(FSM:sam:dme:AaaUserEpUpdateUserEp) |
|
Backup_info table is not being pruned, causing DB queries to slow down |
|
ASA/FTD may traceback and reload in Thread Name 'strlen' |
|
Configure External Storage fails second time with same backup profile |
|
FTD: Lina might fail to respond to CONFIG_XML_REQUEST leading to stuck deployments |
|
FTD: Username missing in syslog message ID 302013 after upgrade to 7.4.1 |
|
Large number of stats files can cause events to be delayed |
|
Lina traceback and reload in data-path thread |
|
Unstable HA causing deployment failure |
|
IPv6 Neighbor Discovery failure on shared interface in multi instance setup |
|
FP4245 - NPU Accelerator changed speed of 100Gb interface to 10Mb |
|
ASA|FTD Traceback & reload in process name lina |
|
Document NAT warning "The NAT rule exceeds the threshold limit of 131,838 IP addresses.." |
|
Increase memory usage leading to tracebacks in Lina. |
|
Disable cluster syn cookie decoding when FTD cluster is deployed with inline-set |
|
Generated Cryptochecksum changes without configuration change |
|
Changes in port-channel membership or member status may cause periodic OSPF/EIGRP adjacency flaps |
|
CGroups errors in ASA Syslog during every reboot |
|
ldap.conf does not get generated using hostname |
|
SNMP trap OID changed after upgrade |
|
FTD CLISH/CLI gets locked up when trying to run any show command |
|
SIP traffic is affected due to unexpected behavior with NAT untranslations. |
|
Wrong drops seen with Invalid length for 23, 24 and 25 IE-Types during GTP inspection |
|
ASA/FTD may traceback and reload in Thread Name 'fover_parse' |
|
CSF 3100 series not rebooting after power outage, requiring manual power cycle |
|
fix to remove space characters in auth object names during FMC upgrade may cause upgrade failure |
|
Browser redirects to blank page when the user clicks the WebVPN bookmark |
|
Connection been logged for rules with no logging enabled |
|
cdFMC:Deployment fail for FTD's with DAP configured |
|
The ASA's OSPF routing table is not properly synchronized with the neighbors |
|
SAML Force re-authentication Is Not Enforcing User To re-enter Credentials Upon Retrying To Connect |
|
FXOS MTU Handling for Front Panel and Uplink Ports on Firepower devices require improvement |
|
Default Group Policy is applied when receiving multiple Group Policies in SAML assertion attributes |
|
FTD - Multi-Instance, docker0 interface overlap with private network 172.17.0.0/16 |
|
SAML Auth Request by FTD Will Always Be Signed By Sha1 Irrelevant Of the Algorithm Configured |
|
LINA may traceback in Thread Name: Datapath with NAT config |
|
FPR3100: Interface may go to half duplex speed is hardcoded to 100mbps |
|
FTD Secondary Unit got stuck in Bulk sync state. |
|
ASA/FTD will allow local IP pool with invalid netmask |
|
Serviceability to capture PDTS writing/reading block to help root cause CSCwm36314 |
|
FTD/ASA may traceback and reload in DATAPATH thread |
|
Dynamic Site-to-Site tunnels stuck in IN-NEG state When IKE_AUTH Is Missed |
|
FTD inline-set ignore reverse flag for inject/rewrite |
|
Import / Export is not blocked from On-Prem FMC to cdFMC |
|
cdFMC: unable to modify the VTI interfaces due to Tunnel type is missing in DB |
|
FXOS fault F1738 seen in deployment with Error: CSP_OP_ERROR. CSP signature verification error |
|
Show mod functionality needs to be fixed after change was reverted in CSCwk63011 due to regression |
|
ASA Traceback and Reload due to MEMORY CORRUPTION WAS DETECTED |
|
enhance sma 2nd cruz heartbeat logging |
|
ASA/FTD: Inbound IPsec packets are dropped when IPsec offload is enabled with VTI and sub-interface |
|
100GB interface flaps with Innolight QSFPs in both ends |
|
Device Status shows Online in CDO Inventory when not online |
|
SSH access with public key authentication fails after FXOS upgrade |
|
Not able to remove or clear Fault "The password encryption key has not been set." |
|
ASA/FTD may traceback and reload in Thread Name "fover_parse" |
|
TPK Low End FPR3100:Changing interface speed from 1g to 100mbps/100mps to 1g bring downs the link |
|
show run access-list command returns warning |
|
SQLNet traffic getting dropped intermittently in Clustering data unit. |
|
ASA/FTD: RA VPN tunnel causing memory leak leading to traceback & Reload |
|
Enable NFS Client 4.1 in the kernel to debug NFS and EFS mount issues: SIGKILL(9) to stunnel |
|
FTD - Missing routes on BGP advertised-routes after FTD HA failover event |
|
Incompatible members warning message after Po member interface flaps unable to rejoin Po |
|
RAID did not upgrade correctly with EZ_BIOSUPDATE-7.2.99.99-6 |
|
ASA traceback and reload on thread snmp_inspect |
|
ASA traceback and reload due to stack overflow while using APCF file |
|
ASA traceback and reload on thread DATAPATH when processing gtpv1 end marker msg for PDP |
|
NAT traps have to be rate-limited |
|
Potential High CPU usage in Multi-Context Cluster setup with unconditional execution of capture code |
|
ASA/FTD may traceback and reload in Thread Name "IKEv2 Daemon" while joining failover |
|
4200/3100/1200 hardware allow to change AppAgent timer |
|
'no capture /all' failed to disable capture completely in the backend, causing high datapath CPU |
|
GTP inspection drops packet with error Reason:(IE-Type:CAUSE(2) IE is missing) |
|
GTP inspection drops packet with error ERROR-DROP:MsgType:32 |
|
FTD HA Standby Reloads Repeatedly After Upgrade to 7.4.2.1 |
|
LINA core observed pointing to "IP RIB Update" thread |
|
FTD device stuck in rommon mode after pressing reset button |
|
Cluster assigning wrong nat for unit, traffic not being forwarded properly back to unit |
|
ASA/FTD traceback and reload with high rate of SIP connections |
|
TCP Conn not being flagged as Half-Closed after receiving the ACK for the FIN. |
|
cdFMC,SFOExport files are not cleared in tmp folder leading to high disk utilisation. |
|
Memory Blocks 80 and 9344 leak due to priority-queue |
|
GTP inspection not allowing GTP data packets if session create response has cause type 18 |
|
When capture enabled on cluster interface, it always includes CCL IP along with the configured rule |
|
ASA/FTD may traceback and reload in Thread Name 'SSH Ctxt Thread' |
|
FPR9K-SM-56 module intermittently lock up and cause traffic impact. |
|
ASA upgrade failing from 9.20.2.21 to the target version 9.20.3.4 |
|
Bind ESP to VTI Tunnel Source Interface To Avoid Additional Route-Lookup Post Encryption |
|
FTD cluster to traceback and reload after extended PAT is enabled |
|
ASA/FTD may traceback and reload in Thread Name 'ldap_client_thread' |
|
FTD reload with traceback on swapcontext function |
|
Syslog servers below in FTD logging send hostname info as per emblem config for first syslog server |
|
ASA/FTD may traceback and reload in Thread Name 'cli_xml_request_process'. |
|
Device migration to cdFMC importing policy based routing incorrectly |
|
memory fragmentation resulted in hugepages unavailable for lina |
|
Admin users are prompted to change local password when authenticating to external server |
|
HA would bring data interfaces up while moving from cold standby to failed state |
|
ASA may traceback and reload in Thread Name 'ssh' |
|
Discrepancy in VPN bytes with RA VPN user activity report |
|
FTD: Management0/0 status went down, line protocol is up after upgrade |
|
GTPv2 IE-type 157 (Signaling Priority Indication) is dropped with reason as unknown IE type |
|
ERROR: cannot set default route for broadcast packets. |
|
ASA booting process may freeze when including 'no pim' or 'no igmp' config |
|
FTD/ASA May Traceback and Reload - During Deployment / Radius changes - Due to Radius Packets |
|
Jumbo frame packets are being fragmented |
|
Traceback and reload due to webvpn dtls flow offload enabled |
|
MI: Instances going in split brain when assigned RP with CPU cores between 14-70 on FPR42xx |
|
FTD may traceback and reload in Thread Name "FPRLI_FPR4K-SM-32" |
|
Monitored interfaces may go in waiting state after upgrade to 9.20.3.7 |
|
Firewall not initiating TCP request even after receiving the TC bit set in DNS response |
|
Multiple Unicorn Admin Handler processes consume all the control plane CPU. |
|
Primary FTD instance MAC address is not updated correctly in FXOS during failover |
|
FTD Deployment Resilience: Skip non-critical / non-existing commands to avoid deployment failures. |
|
HA should prevent honouring failover requests while copy/config-sync/rollback is in progress |
|
MI: Traffic fails to reach the Secondary FTD when enabled with data-sharing interface |
|
Implementing forwarder flow on non-owner units handling distributed secondary flow connections |
|
FXOS - Download command generates an extra "/" over HTTP and HTTPS GET requests |
|
S2S VPN tunnel Child SA unsuccessful renegotiation |
|
ASA 21xx: 'sh environment temperature' shows incorrect temperature values |
|
LINA may observe random traceback with Netflow configured |
|
Critical health alerts 'user configuration(FSM.sam.dme.AaaUserEpUpdateUserEp)' on FPR 1100/2100/3100 |
|
Tracebacks observed in a cluster member running ASA 9.20.3.4 |
|
Traceback in thread name Lina on configuring arp permit-nonconnected with BVI |
|
ASA: floating-conn not closing UDP conns if conn was created without ARP entry for next hop |
|
Asia/Bangkok timezone option not listed in ASA running on firepower1k |
|
Banner motd does not display when configured |
|
SSH works in admin context but doesn't work in any user context after changing ssh key-exchange |
|
Unreachable LDAP/AD referrals may cause delays or timeouts in external authentication on FTD |
|
ISA3000 with ASA Refuses SSH Access If CiscoSSH is Enabled |
|
Occasionally, 'show chunkstat top-usage' output does not show all entries |
|
ASA/FTD may traceback and reload in Thread Name "DATAPATH" |
|
ASA: Traceback and Reload Under Thread Name SSH |
|
ASA traceback and reload on DATAPATH thread due to memory corruption |
|
ASAv reloaded unexpectedly with traceback on Unicorn Proxy Thread |
|
Command authorization fallback to Local only works for priv 15 users. |
|
Traceback and reload during the deployment after disabling FQDNs. |
|
Enabling debugs with EEM fails |
For Assistance
Upgrade Guides
In Firewall Management Center deployments, the Firewall Management Center must run the same or newer maintenance (third-digit) release as its managed devices. Upgrade the Firewall Management Center first, then devices. Use the upgrade guide for the version you are currently running—not your target version.
Platform | Upgrade Guide | Link |
---|---|---|
Firewall Management Center | Firewall Management Center version you are currently running. | https://cisco.com/go/fmc-upgrade |
Firewall Threat Defense with Firewall Management Center | Firewall Management Center version you are currently running. | https://cisco.com/go/ftd-fmc-upgrade |
Firewall Threat Defense with device manager | Firewall Threat Defense version you are currently running. | https://cisco.com/go/ftd-fdm-upgrade |
Firewall Threat Defense with Cloud-Delivered Firewall Management Center | Cloud-Delivered Firewall Management Center. | |
Install Guides
If you cannot or do not want to upgrade, you can freshly install major and maintenance releases. This is also called reimaging. You cannot reimage to a patch. Install the appropriate major or maintenance release, then apply the patch. If you are reimaging to an earlier Firewall Threat Defense version on an FXOS device, perform a full reimage—even for devices where the operating system and software are bundled.
Platform | Install Guide | Link |
---|---|---|
Firewall Management Center hardware | Getting started guide for your Firewall Management Center hardware model. | |
Firewall Management Center Virtual | Getting started guide for the Firewall Management Center Virtual. | |
Firewall Threat Defense hardware | Getting started or reimage guide for your device model. | |
Firewall Threat Defense Virtual | Getting started guide for your Firewall Threat Defense Virtual version. | |
FXOS for the Firepower 4100/9300 | Configuration guide for your FXOS version, in the Image Management chapter. | |
FXOS for the Firepower 1000 and Secure Firewall 3100/4200 | Troubleshooting guide, in the Reimage Procedures chapter. | |
More Online Resources
Cisco provides the following online resources to download documentation, software, and tools; to query bugs; and to open service requests. Use these resources to install and configure Cisco software and to troubleshoot and resolve technical issues.
- Documentation: https://cisco.com/go/threatdefense-76-docs
- Cisco Support & Download site: https://cisco.com/c/en/us/support/index.html
- Cisco Bug Search Tool: https://tools.cisco.com/bugsearch/
- Cisco Notification Service: https://cisco.com/cisco/support/notifications.html
Access to most tools on the Cisco Support & Download site requires a Cisco.com user ID and password.
Contact Cisco
If you cannot resolve an issue using the online resources listed above, contact Cisco TAC:
- Email Cisco TAC: tac@cisco.com
- Call Cisco TAC (North America): 1.408.526.7209 or 1.800.553.2447
- Call Cisco TAC (worldwide): Cisco Worldwide Support Contacts