Cisco Secure Firewall Threat Defense Release Notes
This document contains release information for:
-
Cisco Secure Firewall Threat Defense
-
Cisco Secure Firewall Management Center (on-prem)
-
Cisco Secure Firewall Device Manager
For cloud deployments, see the Cisco Cloud-delivered Firewall Management Center Release Notes or What's New for Security Cloud Control Firewall Management.
Release Dates
|
Version |
Build |
Date |
Platforms |
|---|---|---|---|
|
7.7.10 |
3200 |
2025-08-18 |
All devices |
|
3089 |
2025-08-11 |
Firewall Management Center |
|
|
7.7.0 |
91 |
2025-03-14 |
Firewall Management Center |
|
89 |
2025-03-05 |
All devices |
Compatibility
Before you upgrade or reimage, make sure the target version is compatible with your deployment. If you cannot upgrade or reimage due to incompatibility, contact your Cisco representative or partner contact for refresh information.
For compatibility information, see:
Features
For features in earlier releases, see Cisco Secure Firewall Management Center New Features by Release and Cisco Secure Firewall Device Manager New Features by Release.
Upgrade Impact
A feature has upgrade impact if upgrading and deploying can cause the system to process traffic or otherwise act differently without any other action on your part. This is especially common with new threat detection and application identification capabilities. A feature can also have upgrade impact if upgrading requires that you take action before or after upgrade to avoid an undesirable outcome; for example, if you must change a configuration.
The feature descriptions here include upgrade impact where appropriate. For a more complete list of features with upgrade impact by version, see Upgrade Impact Features.
Features in Maintenance Releases
Features, enhancements, and critical fixes included in maintenance releases (third-digit) and patches (fourth-digit) can skip future releases, depending on release date, release type (short term vs. long term), and other factors. Minimize upgrade and other impact by going directly to the latest maintenance release in your chosen version. See Choosing your upgrade target.
If you are using the web interface in a language other than English, features introduced in maintenance releases and patches may not be translated until the next major release.
Intrusion Rules and Keywords
Upgrades can import and auto-enable new and updated intrusion rules and preprocessor rules, modified states for existing rules, and modified default intrusion policy settings. If a newer intrusion rule uses keywords that are not supported in your current version, that rule is not imported when you update the SRU/LSP. After you upgrade and those keywords become supported, the new intrusion rules are imported and, depending on your IPS configuration, can become auto-enabled and thus start generating events and affecting traffic flow.
For details on new keywords, see the Snort release notes: https://www.snort.org/downloads.
FlexConfig
Upgrades can add web interface or Smart CLI support for features that previously required FlexConfig. Although you cannot newly assign or create FlexConfig objects using deprecated commands, in most cases existing FlexConfigs continue to work and you can still deploy. However, sometimes, using deprecated commands can cause deployment issues. The upgrade does not convert FlexConfigs. After upgrade, configure the newly supported features in the web interface or Smart CLI. When you are satisfied with the new configuration, delete the deprecated FlexConfigs.
The feature descriptions here include information on deprecated FlexConfigs when appropriate. For a full list of deprecated FlexConfigs, see your configuration guide.
Integrations and Logging
These integrations and logging facilities may have new features associated with threat defense and management center releases:
-
Syslog: Cisco Secure Firewall Threat Defense Syslog Messages
-
Cisco Success Network: Cisco Success Network Telemetry Data Collected from Cisco Secure Firewall Management Center
-
REST API: Secure Firewall Management Center REST API Quick Start Guide and Cisco Secure Firewall Threat Defense REST API Guide
Firewall Management Center Features in Version 7.7.10
|
Feature |
Minimum Management Center |
Minimum Threat Defense |
Details |
|---|---|---|---|
|
Features from Earlier Maintenance Releases |
|||
|
Features from earlier maintenance releases. |
Feature dependent |
Feature dependent |
Version 7.7.10 also has: |
|
Zero Trust Access |
|||
|
Universal Zero Trust Network Access (universal ZTNA). |
7.7.10 |
7.7.10 |
Universal Zero Trust Network Access (universal ZTNA) is a comprehensive solution that provides secure access to internal network resources based on user identity, trust, and posture. It ensures that access to one application does not implicitly grant access to the entire network, as with remote access VPN. New/modified screens: Requires Cisco Secure Access and Security Cloud Control. Deployment restrictions: Not supported with clustered devices, container instances, or transparent mode. Supported platforms: Secure Firewall 1150, 3100, 4100, 4200, and Firewall Threat Defense Virtual. See: Zero Trust Access |
Firewall Management Center Features in Version 7.7.0
|
Feature |
Minimum Management Center |
Minimum Threat Defense |
Details |
|---|---|---|---|
|
Features from Earlier Maintenance Releases |
|||
|
Features from earlier maintenance releases. |
Feature dependent |
Feature dependent |
Version 7.7.0 also has:
|
|
Platform |
|||
|
Secure Firewall 1230, 1240, and 1250 (rack-mount). |
7.7.0 |
7.7.0 |
We introduced the Secure Firewall CSF-1230 and CSF-1240:
And the Secure Firewall CSF-1250:
See: Cisco Secure Firewall CSF-1230,CSF-1240, and CSF-1250 Hardware Installation Guide |
|
Optical transceivers for the Secure Firewall 4200. |
7.7.0 |
7.7.0 |
The Secure Firewall 4200 now supports these optical transceivers on the FPR4K-X-NM-2X200/400G network module: QDD-400G-DR4-S, QDD-4x100G-FR-S, QDD-4x100G-LR-S, QDD-400G-SR4.2-BD, QDD-400G-FR4-S, QDD-400G-LR4-S, QDD-400-CUxM, QDD-400-AOCxM, QDD-2X100-LR4-S, QDD-2X100-SR4-S, QDD-4ZQ100-CUxM. See: Cisco Secure Firewall 4215, 4225, and 4245 Hardware Installation Guide |
|
Secure Firewall 1210CP IEEE 802.3bt support (PoE++ and Hi-PoE). |
7.7.0 |
7.7.0 |
We made the following improvements related to support for IEEE 802.3bt:
New/modified screens: New/modified commands: show power inline See: Regular Firewall Interfaces, Cisco Secure Firewall Threat Defense Command Reference |
|
Instances for AWS, Azure, and GCP. |
7.7.0 |
7.7.0 |
We added instances for Firewall Management Center Virtual and Firewall Threat Defense Virtual from the following families:
See: Cisco Secure Firewall Management Center Virtual Getting Started Guide, Cisco Secure Firewall Threat Defense Virtual Getting Started Guide |
|
Unattended provisioning for Firewall Threat Defense Virtual for VMware using ISO-based cloud-init seeding. |
7.7.0 |
7.7.0 |
You can now quickly deploy Firewall Threat Defense Virtual for VMware using a text file (day0.iso) that contains initial setup details such as hostname, password, management mode, firewall mode, network settings, and deployment type. See: Cisco Secure Firewall Threat Defense Virtual Getting Started Guide |
|
Platform Migration |
|||
|
Migrate from Firepower Management Center 4600 to Secure Firewall Management Center Virtual 300 for VMware. |
7.7.0 |
Any |
You can migrate from Firepower Management Center 4600 to Secure Firewall Management Center Virtual for VMware with a 300-device license. See: Cisco Secure Firewall Management Center Model Migration Guide |
|
Device Management |
|||
|
Recovery-config mode for emergency on-device configuration and out-of-band configuration detection on the Firewall Management Center. |
7.7.0 |
7.7.0 |
If you lose the management connection to your device, you can make select configuration changes directly at the device CLI to:
After the management connection is restored, the Firewall Management Center will detect the configuration changes on the device. It does not automatically update the device configuration in the Firewall Management Center; you must view the configuration differences, acknowledge that the device configuration is different, and then manually make the same changes in the Firewall Management Center before you deploy. New/modified screens: New/modified diagnostic CLI (system support diagnostic-cli ) command: configure recovery-config See: Device Settings, Cisco Secure Firewall Threat Defense Command Reference |
|
Interfaces |
|||
|
Sync Device is now Sync Interfaces. |
7.7.0 |
7.7.0 |
Sync Device was changed to Sync Interfaces to indicate that this function is only for interface changes. This function no longer detects changes made to the manager access interface; see . Other out-of-band configuration changes performed at the diagnostic CLI in recovery-config mode need to be discovered at . New/modified screens: See: Interfaces |
|
High Availability/Scalability |
|||
|
Management center high availability enhancements. |
7.7.0 |
Any |
It is now easier to:
New/modified screens: See: High Availability |
|
Threat defense high availability supported with redundant manager access data interfaces. |
7.7.0 |
7.7.0 |
You can now use redundant manager access data interfaces with Firewall Threat Defense high availability. See: High Availability |
|
Autoscale for Firewall Threat Defense Virtual for Azure clusters. |
7.7.0 |
7.7.0 |
We now support autoscale for new Firewall Threat Defense Virtual for Azure clusters. You cannot convert upgraded deployments. Platform restrictions: Not supported with FTDv5 or FTDv10. See: Cisco Secure Firewall Threat Defense Virtual Getting Started Guide |
|
VPN: Remote Access |
|||
|
Geolocation-based RA VPN. |
7.7.0 |
7.7.0 |
You can now allow or block remote access VPN connections based on country or region. Connections that don't meet your location-based criteria are blocked before authentication and logged for auditing purposes. New/modified screens: See: Remote Access VPN |
|
Easily configure posture assessment criteria for dynamic access policies. |
7.7.0 |
Any |
In dynamic access policies (DAP), you can now easily configure posture assessment criteria—that is, file, process, or registry endpoint attributes with unique endpoint IDs that you can then use to configure DAP records. New/modified screens: |
|
Routing |
|||
|
Use PBR to handle traffic based on user-defined domains. |
7.7.0 |
7.7.0 |
You can now use policy based routing to handle traffic based on user-defined domains. Create a basic custom application detector with your domain patterns and the NSG (network service group) tag, then use it in an extended ACL in your PBR policy. See: Policy Based Routing |
|
Access Control: Threat Detection and Application Identification |
|||
|
Easily block traffic based on TLS version and server certificate status. |
7.7.0 |
7.7.0 |
New options in the decryption policy wizard make it easier to block traffic based on TLS version and server certificate status. Enabling these options adds predefined rules that do this. After the policy is created, you can edit, reorder, or delete the rules. New/modified screens: |
|
Use EVE to easily bypass decryption for low-risk connections to trusted URLs. |
7.7.0 |
7.7.0 |
A new Client Threat decryption rule condition and a new option in the decryption policy wizard and make it easier to bypass decryption to trusted URLs for low risk (as identified by EVE) connections. New decryption policies now include predefined rules that do this, using Category (trusted) and Client Threat (low) conditions. The Client Threat condition is new and represents the EVE verdict. For outbound decryption, you enable/disable these rules as part of creating the policy. For inbound decryption, the rules are disabled by default. After the policy is created, you can edit, reorder, or delete the rules. New/modified screens: Version restrictions: You cannot deploy policies with Client Threat rules to older devices. |
|
New EVE exceptions. |
7.7.0 |
7.7.0 |
You can now bypass EVE (encrypted visibility engine) block verdicts based on source network and on destination dynamic attributes. And, when bypassing based on network, you can now use FQDN network objects. Previously, you could only block based on destination network or EVE process name and could not use FQDNs. New/modified screens:
See: Cisco Secure Firewall Management Center Snort 3 Configuration Guide |
|
EVE dashboard enhancements. |
7.7.0 |
7.7.0 |
The Summary dashboard (the default home page for the Firewall Management Center) now includes encrypted visibility engine information in its own tab, including widgets for discovered processes, threat confidence, malicious processes, and connections with detected process names. The widgets for malicious processes and connections with detected process names are new, and show data from Version 7.7+ devices only. The widgets for discovered processes and threat confidence were previously on the Application Statistics dashboard, and show data from all managed devices. Note that you did modify the EVE tab on the Application Statistics dashboard, the upgrade retains your changes but does not add the new widgets. If you did not modify the tab, it is removed. See: Dashboards |
|
Event Logging and Analysis |
|||
|
SNI information from the ClientHello message in connection events. |
7.7.0 |
7.7.0 |
Connection events now include the TLS Client SNI field, which shows the SNI (server name indication) information from the ClientHello message. This indicates the hostname a client is trying to connect to. |
|
‘Pending Rule Match’ reason in connection events. |
7.7.0 |
Any |
A new connection event reason, Pending Rule Match, marks a connection that ended before it matched any access control role. |
|
Health Monitoring |
|||
|
Get alerts before service authentication certificates expire. |
7.7.0 |
7.7.0 |
To help prevent unexpected service disruptions, a new Certificate Monitoring health module alerts you before service authentication certificates expire on the Firewall Management Center and managed devices. New/modified screens: System ( See: Health |
|
Monitor the event database. |
7.7.0 |
Any |
The Firewall Management Center uses a MonetDB database for firewall events and event-related data like connection summaries. A new MonetDB Statistics health module collects database statistics that you can also see in the health monitor: database size, active connections, memory use, data requests processed, slow-running requests, and so on. This module is enabled for new and upgraded Firewall Management Centers. Troubleshooting best practice is to leave it enabled. New/modified screens: System ( See: Health |
|
Upgrade |
|||
|
Upgrade Firewall Threat Defense or chassis without a manual readiness check. |
7.7.0 |
7.7.0 |
You no longer have to run time-consuming pre-upgrade readiness checks for Firewall Threat Defense or chassis upgrades. Instead, these checks are now regularly run by the system and reported in the health monitor. This allows you to preemptively fix any issues that will block upgrade.
Version restrictions: This feature is supported for upgrades from Version 7.7+. Devices running earlier versions still require the in-upgrade readiness check. See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center |
|
Upgrade Firewall Management Center without a manual readiness check. |
7.7.0 |
Any |
You no longer have to run time-consuming pre-upgrade readiness checks for Firewall Management Center upgrades. Instead, these checks are now regularly run by the system and reported in the health monitor. This allows you to preemptively fix any issues that will block upgrade. Version restrictions: This feature is supported for upgrades from Version 7.7+. See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center |
|
Skip post-upgrade deploy for Firewall Management Center. |
7.7.0 |
Any |
In many cases, you no longer have to deploy to Snort 3 devices after you upgrade the Firewall Management Center. If deploy is required, affected devices are marked out of date (with a few exceptions). Reasons for needing to manually deploy include:
See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center |
|
SRU update moved out of Firewall Management Center upgrade. |
7.7.0 |
Any |
Upgrade impact. After Firewall Management Center upgrades to Version 7.7+, wait for SRU to install. Instead of upgrading the SRU as part of the upgrade, the system now updates intrusion rules for Snort 2 devices (the SRU) after the upgrade completes and the Firewall Management Center reboots. Although this makes the upgrade itself faster, you cannot update intrusion rules, add devices, or deploy configuration changes while the SRU is updating. This occurs regardless of whether you are managing any Snort 2 devices. See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center |
|
Administration |
|||
|
Cancel Firewall Threat Defense backups, view detailed backup status. |
7.7.0 |
7.7.0 |
The Message Center now displays detailed backup status for the Firewall Management Center and its devices. You can also cancel in-progress device backups. See: Backup/Restore |
|
Restrict Firewall Management Center SAML SSO logins to a subdomain. |
7.7.0 |
Any |
In a multidomain deployment, you can now restrict Firewall Management Center SAML SSO logins to a subdomain. This can only be configured at the global domain level. See: Users |
|
Clear disk space utility. |
7.7.0 |
7.7.0 |
A new utility allows you to click to safely remove unneeded files such as old backups, content updates, and troubleshooting files. Low disk space can reduce performance, prevent upgrade, and increase the risk of accidentally deleting important files when trying to recover space. New/modified screens: We added a Clear disk
space button to the Disk Usage widget on health dashboards:
System ( See: Troubleshooting |
|
New dark theme and theme name changes. |
7.7.0 |
Any |
There are now three themes available for the Firewall Management Center:
To change themes, click your username in the top right corner of the Firewall Management Center web interface. See: Users |
|
Performance and Resiliency |
|||
|
Faster failover for high availability Firewall Threat Defense. |
7.7.0 |
7.7.0 |
With Firewall Threat Defense high availability failover, the new active device generates multicast packets for each MAC address entry and sends them to all bridge group interfaces, which prompts the upstream switches to update their routing tables. This task now runs asynchronously in the data plane, privileging critical failover tasks in the control plane. This makes failover faster, reducing downtime. See: High Availability |
|
Dynamic flow offload for the Secure Firewall 3100/4200. |
7.7.0 |
7.7.0 |
Dynamic flow offload is now supported on the Secure Firewall 3100/4200. Previously, it was only supported on the Firepower 4100/9300. This feature is enabled in new and upgraded deployments. Platform restrictions: Not supported with container instances. See: Prefiltering |
|
Use a loopback interface on Firewall Threat Defense Virtual for GCP to receive health probes from the GCP load balancer. |
7.7.0 |
7.7.0 |
You can now use a dedicated loopback interface on Firewall Threat Defense Virtual for GCP to receive health probes from the GCP load balancer in autoscale deployments. This allows the system to handle health probes more efficiently, improving performance. See: Cisco Secure Firewall Threat Defense Virtual Getting Started Guide |
|
Configure Firewall Threat Defense autorecovery from block depletion using FlexConfig. |
7.7.0 |
7.7.0 |
To reduce downtime due to service disruption, a new fault manager monitors block depletion and automatically reloads devices when necessary. In high availability deployments, this triggers failover. Fault monitoring is automatically enabled on new and upgraded devices. To disable, use FlexConfig. New/modified FlexConfig commands:
New/modified Firewall Threat Defense CLI commands: show fault-monitor block-depletion{ status| statistics} Platform restrictions: Not supported for clustered devices. See: Troubleshooting |
|
Troubleshooting |
|||
|
CPU profiler includes application identification statistics. |
7.7.0 |
7.7.0 |
The CPU profiler now includes application identification statistics. That is, you can now see the resources used by processing specific application traffic. After you enable CPU profiling, use the CLI to see results. New/modified CLI commands: system support appid-cpu-profiling status , system support appid-cpu-profiling dump See: Troubleshooting, Cisco Secure Firewall Threat Defense Command Reference |
|
Processing statistics in connection events. |
7.7.0 |
7.7.0 |
To help with performance troubleshooting, connection events now contain two new fields: Inspection Duration (microseconds) and Inspected Packets. |
|
New IP flow statistics. |
7.7.0 |
7.7.0 |
When collecting IP flow statistics from Firewall Threat Defense under the direction of Cisco TAC, a new all parameter logs additional statistics to the specified file: port, protocol, application, cumulative latency, and inspection time. New/modified commands: system support flow-ip-profiling start flow-ip-file filename all { enable| disable} |
|
Cisco RADKit integration. |
7.7.0 |
7.7.0 |
Cisco RADKit integration allows Cisco TAC engineers to remotely connect with your deployment (including sudo access) for an enhanced troubleshooting experience. You control the appliances and duration of access. This also gives you and Cisco TAC access to diagnostic data and logs. New/modified screens: See: Troubleshooting |
|
Security and Hardening |
|||
|
Limited user privileges for Threat Defense CLI Basic user. |
7.7.0 |
7.7.0 |
The scope of the Threat Defense CLI Basic user privilege is now limited to the following commands: dig, ping, traceroute. If you have created users with the Basic privilege, evaluate whether you need to change them to the Config privilege. You can change a user’s privilege level using the configure user access command. |
|
Deprecated Features |
|||
|
Deprecated: Snort 2. |
7.7.0 |
7.7.0 |
Upgrade impact. Cannot upgrade Snort 2 devices. Snort 2 is deprecated. You cannot upgrade a Snort 2 device to Version 7.7.0+. Although you can use a Version 7.7.0+ Firewall Management Center to manage older Snort 2 devices, you should still switch to Snort 3 for improved detection and performance. Deprecated CLI commands: show snort counters , show snort preprocessor-memory-usage . See: Cisco Secure Firewall Management Center Snort 3 Configuration Guide |
|
Deprecated: Access control policy legacy interface. |
7.7.0 |
Any |
You can no longer use the legacy user interface for access control policies. If you were using it, you switch to the improved user interface introduced in Version 7.2. New/modified screens: Switch to Legacy UI toggle is removed |
Firewall Device Manager Features in Version 7.7.x
|
Feature |
Description |
|---|---|
|
Platform Features |
|
|
Secure Firewall 1230, 1240, and 1250 (rack-mount). |
We introduced the Secure Firewall CSF-1230 and CSF-1240:
And the Secure Firewall CSF-1250:
See: Cisco Secure Firewall CSF-1230,CSF-1240, and CSF-1250 Hardware Installation Guide |
|
Secure Firewall 1210CP IEEE 802.3bt support (PoE++ and Hi-PoE). |
We made the following improvements related to support for IEEE 802.3bt:
New/modified screens: New/modified commands: show power inline |
|
Instances for AWS, Azure, and GCP. |
We added instances for threat defense virtual from the following families:
See: Cisco Secure Firewall Threat Defense Virtual Getting Started Guide |
|
Unattended provisioning for Firewall Threat Defense Virtual for VMware using ISO-based cloud-init seeding. |
You can now quickly deploy Firewall Threat Defense Virtual for VMware using a text file (day0.iso) that contains initial setup details such as hostname, password, management mode, firewall mode, network settings, and deployment type. See: Cisco Secure Firewall Threat Defense Virtual Getting Started Guide |
|
Firewall and IPS Features |
|
|
Hardware bypass support for inline sets. |
If your device model supports hardware bypass, you can now configure it for inline sets containing supported interfaces. We added the Bypass option to inline set configuration. |
|
Deprecated: Snort 2. |
Upgrade impact. Cannot upgrade Snort 2 devices. Snort 2 is deprecated. You cannot upgrade a Snort 2 device to Version 7.7.0+. We removed the ability to switch to Snort 2, as well as the show snort counters and show snort preprocessor-memory-usage commands. Before you upgrade, switch to Snort 3. See the Intrusion Policies chapter in the guide for your current version: Cisco Secure Firewall Device Manager Configuration Guide. |
|
Administrative Features |
|
|
Custom login page. |
You can customize the device manager login page, including adding an image and text to the login page. For example, you can include disclaimers and warnings where the user must agree prior to login. The text is also shown for SSH sessions. We added the following page: . |
|
Custom streaming telemetry using Google Remote Procedure Calls (gRPC). |
You can configure the device to send system health and telemetry data to an external telemetry collector that uses Google Remote Procedure Calls (gRPC) to collect data. You can then use your telemetry collector to monitor the device and integrate with your custom telemetry solution. Use the API to configure this feature: /devicesettings/default/telemetrystreamingconfig. |
|
Performance |
|
|
Faster failover for high availability Firewall Threat Defense. |
With threat defense high availability failover, the new active device generates multicast packets for each MAC address entry and sends them to all bridge group interfaces, which prompts the upstream switches to update their routing tables. This task now runs asynchronously in the data plane, privileging critical failover tasks in the control plane. This makes failover faster, reducing downtime. |
|
High-bandwidth encrypted application traffic bypasses unnecessary intrusion inspection. |
Specific high-bandwidth encrypted application traffic now bypasses unncessary intrusion inspection even if the connection matches an Allow rule. Intrusion rule (LSP) and vulnerability database (VDB) updates can change the applications bypassed but right now they are: AnyConnect, IPsec, iCloud Private Relay, QUIC (including HTTP/3), Secure RTCP. Version restrictions: Requires Version 7.2.10+ / 7.6.1+ / 7.7.0+. |
|
Configure Firewall Threat Defense autorecovery from block depletion using FlexConfig. |
To reduce downtime due to service disruption, a new fault manager monitors block depletion and automatically reloads devices when necessary. In high availability deployments, this triggers failover. Fault monitoring is automatically enabled on new and upgraded devices. To disable, use FlexConfig. New/modified FlexConfig commands:
New/modified threat defense CLI commands: show fault-monitor block-depletion{ status| statistics} |
|
Troubleshooting |
|
|
CPU profiler includes application identification statistics. |
The CPU profiler now includes application identification statistics. After you enable CPU profiling (cpu profile activate ), you can see the resources used by processing specific application traffic. New/modified CLI commands: system support appid-cpu-profiling status , system support appid-cpu-profiling dump |
|
New IP flow statistics. |
When collecting IP flow statistics from Firewall Threat Defense under the direction of Cisco TAC, a new all parameter logs additional statistics to the specified file: port, protocol, application, cumulative latency, and inspection time. New/modified commands: system support flow-ip-profiling start flow-ip-file filename all { enable| disable} |
|
Security and Hardening |
|
|
Limited user privileges for Threat Defense CLI Basic user. |
The scope of the Threat Defense CLI Basic user privilege is now limited to the following commands: dig, ping, traceroute. If you have created users with the Basic privilege, evaluate whether you need to change them to the Config privilege. You can change a user’s privilege level using the configure user access command. |
|
Require the Message-Authenticator attribute in all RADIUS responses. |
Upgrade impact. After upgrade, enable for existing servers. You can now require the Message-Authenticator attribute in all RADIUS responses, ensuring that the threat defense VPN gateway securely verifies every response from the RADIUS server, whether for RA VPN or access to the device itself. The Require Message-Authenticator for all RADIUS Responses option is enabled by default for new RADIUS servers. We also recommend you enable it for existing servers. Disabling it may expose firewalls to potential attacks. New CLI commands: message-authenticator-required Version restrictions: Requires Version 7.0.7+ / 7.2.10+ / 7.6.1+ / 7.7.0+. |
Upgrade Impact Features
A feature has upgrade impact if upgrading and deploying can cause the system to process traffic or otherwise act differently without any other action on your part. This is especially common with new threat detection and application identification capabilities. A feature can also have upgrade impact if upgrading requires that you take action before or after upgrade to avoid an undesirable outcome; for example, if you must change a configuration.
 Important |
Minimize upgrade and other impact by going directly to the latest maintenance release in your chosen version. See Choosing your upgrade target. |
Upgrade Impact Features for Firewall Management Center
|
Target version |
Features with upgrade impact |
|---|---|
|
|
|
|
|
|
|
|
|
Upgrade Impact Features for Firewall Threat Defense with Firewall Management Center
|
Current version |
Features with upgrade impact |
|---|---|
|
7.6.0 and earlier |
|
|
7.6.0 7.4.0–7.4.2 7.3.x 7.2.9 and earlier |
|
|
7.4.0–7.4.1 7.3.x 7.2.9 and earlier |
|
|
7.4.0 and earlier |
|
|
7.3.x and earlier |
|
|
7.2.x and earlier |
|
|
7.2.0–7.2.3 7.1.0–7.1.0.2 7.0.4 and earlier |
|
Upgrade Impact Features for Firewall Threat Defense with Firewall Device Manager
|
Target version |
Features |
|---|---|
|
|
|
|
|
|
|
Upgrade Guidelines
The following sections contain release-specific upgrade warnings and guidelines. You should also check for features and bugs with upgrade impact. For general information on time/disk space requirements and on system behavior during upgrade—which can include interruptions to traffic flow and inspection—see the appropriate upgrade guide: For Assistance.
Upgrade Guidelines for Firewall Management Center
|
Current Version |
Guideline |
Details |
|---|---|---|
|
Any |
— |
There are no known issues for this version right now, but you should still check for open issues and features with upgrade impact. |
Upgrade Guidelines for Firewall Threat Defense with Firewall Management Center
|
Current Version |
Guideline |
Details |
|---|---|---|
|
Any |
— |
There are no known issues for this version right now, but you should still check for open issues and features with upgrade impact. |
Upgrade Guidelines for Firewall Threat Defense with Firewall Device Manager
|
Current Version |
Guideline |
Details |
|---|---|---|
|
Any |
— |
There are no known issues for this version right now, but you should still check for open issues and features with upgrade impact. |
Upgrade Guidelines for the Firepower 4100/9300 Chassis
In most cases, we recommend you use the latest build for your FXOS major version.
For release-specific FXOS upgrade warnings and guidelines, as well as features and bugs with upgrade impact, check all release notes between your current and target version: http://www.cisco.com/go/firepower9300-rns.
Upgrade Path
Planning your upgrade path and order is especially important for large deployments, high availability/clustering, multi-hop upgrades, and situations where you need to coordinate chassis, hosting environment, or other upgrades. Those scenarios, as well as information on revert and uninstall, are covered in more detail in the upgrade guide: For Assistance.
Choosing your upgrade target
Go directly to the latest maintenance release to minimize upgrade and other impact.
Features, enhancements, and critical fixes can skip "future" releases that are ahead by version, but not by release date. For example, if you are up-to-date within major Version A, upgrading to dot-zero Version B can deprecate features and fixes.
If you cannot go to the latest release, at least make sure your current version was released on a date before your target version. In the following table, confirm your current version is listed next to your target version. If it is not, choose a later target.
|
Target version |
Current version: confirm yours is listed. |
|||||
|---|---|---|---|---|---|---|
|
from 7.2 |
7.3 |
7.4 |
7.6 |
7.7 |
||
|
to 7.7.10 |
2025-08-11 |
7.2.0–7.2.10 |
7.3.0–7.3.1 |
7.4.0–7.4.2 |
7.6.0–7.6.2 |
7.7.0 |
|
to 7.7.0 |
2025-03-05 |
7.2.0–7.2.9 |
7.3.0–7.3.1 |
7.4.0–7.4.2 |
7.6.0 |
— |
Upgrading from a patched deployment
Critical fixes in patches (fourth-digit) releases can also skip future releases. If you depend on these critical fixes, verify that your target version contains them. For a full list of release dates, see Cisco Secure Firewall Management Center New Features by Release or Cisco Secure Firewall Device Manager New Features by Release.
Supported upgrades and downgrades
This section summarizes upgrade and downgrade capability. For help with:
-
Choosing an upgrade target, see Choosing your upgrade target.
-
Upgrade and downgrade procedures, including general guidelines, best practices, and troubleshooting, see the upgrade guide for the version you are currently running: https://www.cisco.com/go/ftd-upgrade.
Supported upgrades
This table shows the supported direct upgrades for Firewall Management Center and Firewall Threat Defense software.
Note |
You can upgrade directly to any major (first and second-digit) or maintenance (third digit) release. Patches change the fourth digit only. You cannot upgrade directly to a patch from a previous major or maintenance release. Although a patched device (fourth-digit) can be managed with an unpatched Firewall Management Center, fully patched deployments undergo enhanced testing. |
For the Firepower 4100/9300, the table also lists companion FXOS versions. If a chassis upgrade is required, Firewall Threat Defense upgrade is blocked. In most cases we recommend the latest build in each version; for minimum builds see the Cisco Secure Firewall Threat Defense Compatibility Guide.
|
Current version |
Target software version |
||||||
|---|---|---|---|---|---|---|---|
|
to 7.7 |
7.6 |
7.4 * |
7.3 |
7.2 |
7.1 |
7.0 |
|
|
FXOS version for Firepower 4100/9300 chassis upgrades |
|||||||
|
to 2.17 |
2.16 |
2.14 |
2.13 |
2.12 |
2.11 |
2.10 |
|
|
from 7.7 |
YES |
— |
— |
— |
— |
— |
— |
|
from 7.6 |
YES |
YES |
— |
— |
— |
— |
— |
|
from 7.4 |
YES |
YES |
YES |
— |
— |
— |
— |
|
from 7.3 |
YES |
YES |
YES |
YES |
— |
— |
— |
|
from 7.2 |
YES |
YES |
YES |
YES |
YES |
— |
— |
|
from 7.1 |
— |
YES |
YES |
YES |
YES |
YES |
— |
|
from 7.0 |
— |
— |
YES |
YES |
YES |
YES |
YES |
|
from 6.4 |
— |
— |
— |
— |
— |
— |
YES |
* You cannot upgrade Firewall Threat Defense to Version 7.4.0, which is available as a fresh install on the Secure Firewall 4200 only, and is not supported with Firewall Device Manager. It removes significant features, enhancements, and critical fixes included in earlier versions. Upgrade to a later release.
Supported downgrades
If an upgrade or patch succeeds but the system does not function to your expectations, you may be able to revert (Firewall Threat Defense upgrades) or uninstall (Firewall Threat Defense and Firewall Management Center patches). For general information, particularly on common scenarios where returning to a previous version is not supported or recommended, see the upgrade guide: https://cisco.com/go/ftd-upgrade.
Bugs
For bugs in earlier releases, see the release notes for those versions. For cloud deployments, see the Cisco Cloud-delivered Firewall Management Center Release Notes.
Important |
We do not list open bugs for maintenance releases or patches. |
Important |
Bug lists are auto-generated once and may not be subsequently updated. If updated, the 'table last updated' date does not mean that the list was fully accurate on that date—only that some change was made. Depending on how and when a bug was categorized or updated in our system, it may not appear in the release notes. If you have a support contract, you can obtain up-to-date bug lists with the Cisco Bug Search Tool. |
Open Bugs in Version 7.7.0
Table last updated: 2025-03-05
|
Bug ID |
Headline |
|---|---|
|
Confusing Verdict for Snort Injects - Change From Block to "Replaced"/"Injected" |
|
|
1240: intermittent exhaustion of asymmetric buffers are observed with teravm tls traffic |
|
|
9.23/SecGW with flow-offload cluster-redirect enabled causes Out of Sequence TCP Packets for TCP 450 |
|
|
Deployment Fails due to Config Error response from LINA |
Resolved Bugs in Version 7.7.10
Resolved Security Bugs in Version 7.7.10
Table last updated: 2025-08-11
|
Bug ID |
Headline |
|---|---|
|
ASA/FTD traceback and reload when invoking "show webvpn saml idp" CLI command |
|
|
Unable to load Extended ACL objects if the count is more than few hundreds |
|
|
Snort3: Malware Policy not detecting file while performing FTP file transfer via Active FTP |
|
|
FMC API put taking long time to update Extended ACL objects when count is huge like hundreds |
|
|
Unable to save the Ext ACL object - "Only Host and Network in IPv4 and IPv6 format are supported." |
|
|
Duplicate ACLs seen on FMC UI when Access Rules are created through API |
|
|
cdFMC deployment randomly removes ACL/crypto maps when deploying in bulk |
|
|
Cleaning of /var/temp backup files post Backup completion not cleaning |
|
|
PAO logic for access rules POST/PUT api call for spaces in ip addresses in ACL rules |
|
|
External auth login with RADIUS to FMC UI may fail if Class attribute is used |
|
|
FMC RADIUS external authentication access requests missing 6 attributes after FMC upgrade |
Resolved Functional Bugs in Version 7.7.10
Table last updated: 2025-08-11
|
Bug ID |
Headline |
|---|---|
|
Write cache is disabled on some FMC M5 appliances |
|
|
FMC action_queue.log cosmetic defect "synchronization" misspelled, Expected "Synchronization" |
|
|
FMC does not support Umbrella with proxy setting |
|
|
Snort returns "Blocked by SSL" with no SSL policy. |
|
|
External Auth on FMC may throw err "Can't use string ("") as a HASH ref while "strict refs" in use" |
|
|
Stale anyconnect entries causing issues with routing |
|
|
Edit search page and unified event viewer very slow to load due to high number of search-related EOs |
|
|
FDM HA Switch : Peer fails to get into Active state due to Interface check |
|
|
ENH: Add a command or a script to regenerate CA Certificate on FTD |
|
|
ASA: unexpected logs for initiating inbound connection for DNS query response |
|
|
Virtual ASA/FTD may traceback and reload in thread PTHREAD |
|
|
Set Weight option missing in UI when FTD sensor reverted and re-upgraded |
|
|
FMC GUI does not allow saving ECMP configuration when there is a route leak for a VRF |
|
|
NAT traps have to be rate-limited |
|
|
FMC/FTD: Policy Deployment Fails For Existing FTDv Deployments on Cloud with VNI interfaces |
|
|
Alert user that FDM is not Supported for FTDv in Openstack if they try to enable it |
|
|
snort "exits normally" in loop every 1 min resulting in complete outage |
|
|
FMC displays VPN tunnel status as unknown even when the tunnels are up |
|
|
Discrepency in the unused object count between the FMC UI and API results |
|
|
Cluster assigning wrong nat for unit, traffic not being forwarded properly back to unit |
|
|
Memory Blocks 80 and 9344 leak due to priority-queue |
|
|
FIPS self-test failure message needed |
|
|
Use of Named interface in SLA Monitor causing cdFMC migration failure |
|
|
Scale cdFMC:Policy deploy fails when Audit log to Syslog is configured with invalid ipv6 syslog host |
|
|
Big chunk of Memory of around 25KB is being allocated on Stack in "eigrp_interface_ioctl" API |
|
|
Primary FTD instance MAC address is not updated correctly in FXOS during failover |
|
|
SNMP walk results in ASCII value for IPSEC Peer instead of an IP address. |
|
|
Unreachable Hosts and URLs of syslog configuration Block Device Management Page Loading |
|
|
MI: Vlan info is not applied at FXOS level when Virtual MAC is configured |
|
|
ASA traceback and reload in freeb_core_local_internal |
|
|
Intrusion policy having same name in different Domains causes IPS policy corruption |
|
|
S2S VPN tunnel Child SA unsuccessful renegotiation |
|
|
Frequent traceback after upgrading FTD HA |
|
|
Remove the File Capture Disk Manager SILO to prevent captured files from overwhelming the Disk Mgr |
|
|
On FMC, Backend server JVM is running out of memory when policies and objects are huge |
|
|
Send Virtual Tunnel Interface enabled by default on SVTI |
|
|
Mount EFS using NFSv4.1 |
|
|
Tracebacks observed in a cluster member running ASA 9.20.3.4 |
|
|
FTD: deploy failure when configured L2 access-list. "Cannot mix different types of access lists." |
|
|
Traceback in thread name Lina on configuring arp permit-nonconnected with BVI |
|
|
FMC1600-K9 PDF download failed in deploy tab |
|
|
ASA: floating-conn not closing UDP conns if conn was created without ARP entry for next hop |
|
|
cdFMC - Unable to save network group object |
|
|
Clearing all non applicable alerts post license registration success |
|
|
show blocks old core local can lead to unexpected reload. |
|
|
Asia/Bangkok timezone option not listed in ASA running on firepower1k |
|
|
Banner motd does not display when configured |
|
|
SSH works in admin context but doesn't work in any user context after changing ssh key-exchange |
|
|
Event-list not deployed when using Enable All Syslog Messages |
|
|
Block S2S and remote access configurations for public cloud cluster |
|
|
FMC UI login fails with "Unable to authorize access." |
|
|
SFDataCorrelator cores after purging orphan hosts |
|
|
Need the SVC Rx/Tx queue as a configurable option |
|
|
FMC does not remove community list override when this is modified. |
|
|
ISA3000 with ASA Refuses SSH Access If CiscoSSH is Enabled |
|
|
Realm with greater than 16 directories cannot be deployed in RA-VPN for LDAP |
|
|
Lina traceback and reload due to "spin_lock_fair_mode_enqueue" |
|
|
ipv6 ping Vrf name changed after xml processing |
|
|
snort3 : FMC connection event logs do not show URL in DNS query using TCP |
|
|
Identity NAT should not throw error due to exceeding threshold if destination only objects expand |
|
|
High ASA/FTD memory usage due to polling of RA VPN related SNMP OIDs |
|
|
FMC Not listing the any connect images in RAVPN Wizard and FMT tool |
|
|
Occasionally, 'show chunkstat top-usage' output does not show all entries |
|
|
ASA/FTD may traceback and reload in Thread Name "DATAPATH" |
|
|
Create report option should be hidden from Health Events Page on CDFMC |
|
|
Generate syslog if received CRL is older than cached CRL |
|
|
Generate syslog if received CRL signature validation fails |
|
|
URL getting allowed even with block rule in place. |
|
|
ASA: Traceback and Reload Under Thread Name SSH |
|
|
MonetDB Monitor should detect missing columns in stats partitions |
|
|
Snort3 trimming packets with invalid sequence number due to bad window size information received |
|
|
VNI source MTU is not IPv6 aware after upgrade if configured prior to upgrade |
|
|
Community lists should not throw an error until the last item in the list is being deleted |
|
|
Unable to Form HA with Domain Containing "." While Registering FMC |
|
|
sfipproxy prometheus configuration is attempted for not supported models and replaces sfipproxy.conf |
|
|
Exclude perf monitoring files from device backup |
|
|
QUIC: LINA crash in timer with stress test |
|
|
ASAv reloaded unexpectedly with traceback on Unicorn Proxy Thread |
|
|
Command authorization fallback to Local only works for priv 15 users. |
|
|
"Add Device(wizard)" is not working as expected. |
|
|
SSL trustpoint with 4096 bit RSA keys not allowed by ASA if renewed via CLI |
|
|
Traceback and reload during the deployment after disabling FQDNs. |
|
|
Enabling debugs with EEM fails |
|
|
Detectors sync issue on FMC upgraded to 7.7 |
|
|
Snort3 crashed because don't fragment bit was set and it did not treat ipv4 fragments as fragments |
|
|
Prune the older files in /ngfw/var/cisco/deploy/pkg/var/cisco/packages |
|
|
FTD - LSP Installation/ Deployment Failure |
|
|
IKEv2 Rekeys fail due to fragmentation during the IKE Rekey |
|
|
Users from legacy radius server can login to Standby FMC domain when MA is enabled |
|
|
False alert "Terminating long running backup" on FMC due to UI backup timeout error. |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina_exec_startup_thread' |
|
|
FMC removes prefix-list overides used for BGP and installs defaults values by itself. |
|
|
Unable to rejoin data node in cluster after re-enabling mac-address auto in multi-context mode |
|
|
FTD TS is collecting duplicated data |
|
|
Better handling of invalid/bad data in fleet upgrade workflow. |
|
|
Port scan alerts not getting generated for custom configuration |
|
|
Reduce TS package size |
|
|
debug packet-condition does not work as expected |
|
|
Empty snapshot being sent when when auth-daemon restarts causing user logout |
|
|
auth-daemon process restarts due to race condition |
|
|
REST Api allows to create a realm without a directory configuration |
|
|
Management1 Gateway Configuration Should Be Optional on FPR 4200 Series |
|
|
FMC Site-to-Site Monitoring Dashboard is not working at all |
|
|
TLS.- Outlook only supports TLS 1.2 and not 1.3- FMC uses TLS 1.3 by default |
|
|
LSP upload/download + auto-deploy is failing |
|
|
Disable Reverse Path Filter for Dual Management Interfaces on FPR 4200 Series |
|
|
Active FMC - False alerts of FMC HA in degraded sync state |
|
|
Random QOS policies are getting negatted and added with subsequent deployment |
|
|
cdFMC: Chassis is always seen as " Not synced" in CDO page even though it is connected and up |
|
|
AMP related health alert during upgrade and typo in the alert message |
|
|
Enhance Debugging for add/update/withdraw of routes with neighbors |
|
|
Serviceability Enhancement - New 'show bgp internal' command for advanced debugging |
|
|
show bgp update-group a.b.c.d displays "no such neighbor" when there is a valid neighbor |
|
|
FMC: Media type displayed on the FMC's FCM is not matching CLI after swapping sfps |
|
|
Traceback & Reload in thread named: DATAPATH-1-23988 during low memory condition |
|
|
show tech-support fprm detail command is getting stuck for longer duration |
|
|
Snort3 traceback and deployment failure with VDB upgrade |
|
|
Memory leak leading to split brain |
|
|
SecGW: Data node fails to join the cluster with cluster_ccp_make_rpc_call failed to clnt_call error |
|
|
ASA may traceback and reload in Thread Name 'fover_parse' |
|
|
Installation of Hotfix may fail at 800_post/998_expire_ac_policy.pl on the standby FMC |
|
|
Deployment is failing due to the policy changes report request in progress |
|
|
Logging recipient-address not overriding the logging mail message severity levels |
|
|
DNS and default gateway are removed on FTD managed through data interface |
|
|
/mnt/disk0/log folder duplicated on troubleshooting package |
|
|
FTD health metrics show "No data available" on the FMC |
|
|
FMC Rest API returns only the first 1000 network object entries |
|
|
Overrides not working on chained/inherited custom IPS policies |
|
|
Duplicate entries in EventCatalog can cause incorrect unified2 id to be sent |
|
|
Add "built" and "teardown" messages for the GRE | IPinIP connections to the Lina syslog |
|
|
After renewal FMC CA, the certificate cannot be used for ArcSight integration |
|
|
Default Pass action for rules in Snort 3 local rule groups may cause blank error in IPS policies |
|
|
FMC/FDM Client side certificate used to communicate to Talos did not auto-renew correctly |
|
|
cdFMC: Deployment failed due to the deployment manager is not initialized properly |
|
|
/objects/fqdn filter paramaters not working |
|
|
The NAS-IP-Address attribute is missing from the Access-Request in FMC |
|
|
FTD Upgrade Retry failure (Unable to execute Retry after failure in FTD while upgrading to 7.7.10) |
|
|
Deployment Failure in Hub and Spoke VTI Topology with DHCP Configured VPN Interfaces |
|
|
SNMP configuration is not applied consistently across same FTDs type and version |
|
|
3100 Marvell 4.3.14 CPSS patch for the interface mac stuck issue seen with peer switch reloads |
|
|
UEV breaks with duplicate event indexes |
|
|
TLS handshake fails with reverse SSL flow and TSID (TLS Server Identity) enabled |
|
|
Certain special characters or spaces in RADIUS user passwords cause login failure in FMC |
|
|
minidump core file not generating in MI mode |
|
|
Post reposition or move operation fails then if user saves, it would to lead loss of rules & may cause an outage |
|
|
Manual router ID does'nt get displayed in UI for BGP general settings |
|
|
FMC page may get stuck in loading state while trying to fetch BGP configuration |
|
|
SMB remote FMC backups are failing due to relam sync |
|
|
fover_trace.log not rotating and growing to a massive size |
|
|
Do not fail parallel write API call from same user session. Retry should be done internally before failing |
|
|
The total disk keep on increasing on the disk status wizard on the Health Monitor page. |
|
|
Devices show offline due to "Appliance unreachable" due to HMS deadlock inserting to DB |
|
|
Snort2 crashes in loop after FMC upgrade |
|
|
Getting VNI int cannot be configured with proxy enabled error during model migration when proxy is disabled on VNI int |
|
|
Subsequent DNS packets are dropped in a single flow if one domain hits the custom DNS SI block list |
|
|
AMP vault credentials are not persisted after cdFMC upgrade |
|
|
cdFMC DR - cdFMC_Snapshot generation failing while trying to copy sftunnel related files. |
|
|
Deployment is mandatory after FMC upgrade condition should be included in Upgrade code |
|
|
Unable to change few IPS rule actions after upgrading from snort2 to snort3 |
|
|
The "Module run errors" alert on the FMC GUI should be updated to a more contextually relevant message |
|
|
Tunnel Status shows "No Active Data" when spoke behind NAT on S2S Monitoring UI |
|
|
cdFMC returns 403 forbidden error while configuring webhook alerts |
|
|
Domain filter is non-functional under ACP on cisco-jagan-test |
|
|
SSL - Issues with DND a particular site after FTD upgrade on Chrome and Edge post upgrade |
|
|
SFDataCorrelator_user_id_mismatch.log overconsumption of disk |
|
|
Required Horizontal scroll bar in admin/sensor/remote_backup.cgi |
|
|
Internal error when saving local rules in Rule Overrides section of IPS policy |
|
|
cdfmc user-preference issue |
|
|
Vault slowness might cause Auth-Daemon deadlock if lease is denied |
|
|
Scrolling in AC Policy UI may result in UI refreshing and displaying blank page if Mandatory Section is empty |
|
|
cdFMC 7.7.10 email notification stopped working |
|
|
Backup Timeout is not sufficient when FTD backups are huge and low bandwidth |
|
|
FMC Authentication Fails with freeradius, "Invalid NAS IP Address" Error Displays Unexpected IP |
Resolved Bugs in Version 7.7.0
Resolved Security Bugs in Version 7.7.0
Table last updated: 2025-06-17
|
Bug ID |
Headline |
|---|---|
|
Evaluation of WSA for FreeBSD CVE-2018-6922 |
|
|
update RabbitMQ - 3.6.x is EOL |
|
|
SMA: Which appliances are effected Infinite loop in BN_mod_sqrt() (CVE-2022-0778) |
|
|
ASDM Access Issue When SSL VPN And HTTP Server Is Configured On Same Port |
|
|
Cisco ASA and FTD Software RSA Private Key Leak Vulnerability |
|
|
Evaluate FMC for CVE-2022-42252 |
|
|
WA-B/TPK: "core.sshd" files found on DUT |
|
|
All Cisco EXR products impacted with sudo vulnerability CVE-2023-22809 |
|
|
The public API function BIO_new_NDEF is a helper function used for str |
|
|
Consul and Consul Enterprise allowed an authenticated user with service: |
|
|
Health Monitoring shows Unmanaged devices |
|
|
SSH to Chassis allows a 3-way handshake for IPs that are not allowed by the config |
|
|
Cisco ASA and FTD Remote Access SSL VPN Authentication Targeted Denial of Service Vulnerability |
|
|
ASA/FTD traceback and reload when invoking "show webvpn saml idp" CLI command |
|
|
Evaluation for CVE-2023-38408 on standalone NXOS N9K |
|
|
FMC fails deployment after removing NAT or ACL rule |
|
|
Occasionally External auth may not work after HA failover to Active |
|
|
Cisco FTD TCP/IP Traffic Snort 2/3 Denial of Service Vulnerability |
|
|
evaluate open-vm-tools / VMware Tools on FMC for VMware -- CVE-2023-20900 and VMSA-2023-0019 |
|
|
Evaluation of wsa for HTTP/2 Rapid Reset Attack vulnerability |
|
|
MiniZip in zlib through 1.3 has an integer overflow and resultant heap |
|
|
ASA - Traceback the standby device while HA sync ACL-DAP |
|
|
[ENH] FMC to pull FTD device current SRU version rather than device records for SRU deployed. |
|
|
FailSafe admin password is not properly sync'd with system context enable pw |
|
|
Cisco FXOS Software Link Layer Discovery Protocol Denial of Service Vulnerability |
|
|
Cisco Firepower Threat Defense Software TCP Snort 3 Detection Engine Bypass Vulnerability |
|
|
Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11. |
|
|
[Snort3] - Ignore malformed packets received from lina with wrong dsize |
|
|
Cut-Through Proxy feature spikes CP CPU with a flood of un-authenticated traffic |
|
|
CVE-2023-51385 (Medium Sev) In ssh in OpenSSH before 9.6, OS command injection might occur if a us |
|
|
Cisco Firepower Management Center Cross Site Scripting Vulnerability |
|
|
The SSH transport protocol with certain OpenSSH extensions, found in ... (CVE-2023-48795) |
|
|
MonetDB memory usage grows slowly over time |
|
|
Modification of destination entries failed, when SOG and DOG contain same inner object-group |
|
|
Cisco FTD Software and FMC Software Code Injection Vulnerability |
|
|
41xx/93xx : Update CiscoSSH (Chassis Manager FXOS) to address CVE-2023-48795 |
|
|
Cisco Firepower Management Center Software Cross-Site Scripting Vulnerability |
|
|
Cisco Firepower Management Center SQL Injection Vulnerabilities |
|
|
HTTP/HTTPS detection for application needs to fail it's detection earlier |
|
|
Impact of CVE-2023-48795 On WSA 15.0.0-337 |
|
|
Cisco ASA and FTD Software Command Injection Vulnerability |
|
|
Push clear configure access-group to avoid error while applying access group on FTD |
|
|
Cisco ASA and FTD FXOS CLI Root Privilege Escalation Vulnerability |
|
|
unzip 5.52 is from 2005 is contains multiple vulnerabilities |
|
|
Cisco ASA and FTD Software Persistent Local Code Execution Vulnerability |
|
|
FMC username enumeration from API response |
|
|
vFMC25 OCI to vFMC300 OCI migration failed 'Migration from Y to a is not allowed.' |
|
|
Cisco ASA and FTD Software Persistent Local Code Execution Vulnerability |
|
|
An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.1 |
|
|
ASA/FTD Traceback and Reload during ssl session establishment |
|
|
Upload files through Clientless portal is not working as expected after the ASA upgrade |
|
|
Cisco ASA and FTD Software Web Services Denial of Service Vulnerability |
|
|
Cisco Firepower Management Center Software Cross-Site Scripting Vulnerability |
|
|
Policy cache cleanup thread should cleanup any cache that is left open for a logged out session |
|
|
Backup exits with memory allocation error on 4115 |
|
|
Cisco ASA and FTD Software Dynamic Access Policies Denial of Service Vulnerability |
|
|
Cisco ASA and FTD NSG Access Control List Bypass Vulnerability |
|
|
Cisco ASA and FTD Software VPN Web Server Limited Information Disclosure Vulnerability |
|
|
Internal cached access-group list maintenance issue with unexpected clear configure access-list |
|
|
Deployment failures seen on FDM related to static routes or ACLs |
|
|
Cisco ASA and FTD Software Remote Access VPN Brute Force Denial of Service Vulnerability |
|
|
SFDataCorrelator high memory usage when restart with large network map hosts |
|
|
Cisco ASA and FTD VPN Web Client Services Cross-Site Scripting Vulnerabilities |
|
|
Can't make any changes on TPK 3110 chassis registered on FMC when chassis under domain |
|
|
Smart license registration failing on FDM post 7.4.1 baseline due to http-proxy |
|
|
Memory manager improvements for webvpn internal lua library |
|
|
Cisco Secure Firewall Management Center Software Command Injection Vulnerability |
|
|
Unable to change authentication methods on default tunnel group when using FDM |
|
|
ASA - Bookmarks on the WebVPN portal are unreachable after successful login. |
|
|
Cisco Firepower Management Center Software Cross-Site Scripting Vulnerability |
|
|
FMC - plain-text passwords for External Authentication Profile "Radius Server Key" |
|
|
Cisco ASA and FTD Software Remote Access VPN Brute Force Denial of Service Vulnerability |
|
|
Cisco Adaptive Security Appliance and Firepower Threat Defense TLS Denial of Service Vulnerability |
|
|
Cisco ASA & FTD Software IKEv2 Denial of Service Vulnerability |
|
|
Cisco ASA and FTD Software IKEv2 VPN Denial of Service Vulnerability |
|
|
Only US region in FDM Cloud Services. |
|
|
Cisco FTD Software for Firepower 1000, 2100, 3100, and 4200 Series Static Credential Vuln |
|
|
FTD is not resolving FQDN for ACLs intermittently |
|
|
Update UI to prevent configuring cipher and/or version filters for Decrypt Resign/Known Key rule |
|
|
Cisco Adaptive Security Virtual Appliance and Secure FTD Virtual SSL VPN DoS Vulnerability |
|
|
Unable to establish RAVPN session on FTD HA setup |
|
|
ENH: Add application support for blocking consecutive AAA failures on LINA |
|
|
Cloud regions dropdown may not show any regions if FMC connectivity is down during upgrade |
|
|
Packet-tracer output incorrectly appends 'control-plane' to drops for data-plane access-group |
|
|
Cisco ASA and FTD Software Remote Access VPN Denial of Service Vulnerability |
|
|
Address SSP OpenSSH regreSSHion vulnerability |
|
|
Evaluation of ssp for OpenSSH regreSSHion vulnerability |
|
|
FTD and FXOS: RADIUS Protocol Spoofing Vulnerability (Blast-RADIUS): July 2024 |
|
|
FTD: RADIUS Protocol Spoofing Vulnerability (Blast-RADIUS): July 2024 |
|
|
FDM: Blast-RADIUS CVE-2024-3596 |
|
|
FTD: Policy deployment failed due to mismatch of checksum. |
|
|
FMC: Blast-RADIUS CVE-2024-3596 |
|
|
BlastRADIUS vulnerability phase-1 fix for pix-asa - Message Authenticator |
|
|
Cisco Adaptive Security Appliance and Firepower Threat Defense TLS Denial of Service Vulnerability |
|
|
With CVE-ID cannot search the IPS events on the FMC |
|
|
Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vul |
|
|
Snort3 reloads when AppID reload and snort restarts are happening simultaneously |
|
|
around 400 tasks were created on primary FMC to install VDB updates on standby FMC |
|
|
vFMC upgrade from 7.6.0-68 to 7.7.0-1358 failed @800_post/890_install_version_masked_apps.pl |
|
|
Long boot time seen with one AC rule having object-group and other plain ACL's |
|
|
Attempting to edit chassis of multinstance FTD gets "Request Timed Out. Retry after sometime." |
|
|
FTD Snort3 traceback in daq_pkt_msg |
|
|
Vulnerabilities in freebsd 13.0 CVE-2024-45287 - libnv |
|
|
Cisco Adaptive Security Appliance Software SSH Server Resource DoS Vulnerability |
|
|
Misconfigured Cross-Origin-Opener-Policy |
|
|
FTD Restore Failing because of no space left on the device |
|
|
cdFMC deployment removes ACL/crypto maps when deploying in bulk |
|
|
FMC is not pushing no-validation-usage to the trustpoint if user not choosing validation usage type |
|
|
Vulnerabilities in openssh 9.1p1 CVE-2023-28531 |
|
|
cdFMC Possible NAT negation during deployment if object being reused in NAT Policy on device & ACL |
|
|
Addressing CVEs reported in unicorn zlib library |
|
|
ARP is silently dropping packet for unreachable next-hops |
|
|
cdFMC deployment randomly removes ACL/crypto maps when deploying in bulk |
Resolved Functional Bugs in Version 7.7.0
Table last updated: 2025-03-14
|
Bug ID |
Headline |
|---|---|
|
cdFMC multiple protected networks with NAT exempt enabled, NAT exempt CLIs are not getting generated |
Table last updated: 2025-08-28
|
Bug ID |
Headline |
|---|---|
|
FTD deployment failing due to "address-pool in use" |
|
|
ENH: Appliance hostname or ip address should be included in FX-OS syslogs |
|
|
FMC: critical processes can not boot up including vmsDBEngine |
|
|
SNMPv3: Special characters used in FXOS SNMPv3 configuration causes authentication errors |
|
|
FXOS Major Faults about adapter host and virtual interface being down |
|
|
App-instance showing as Started instead of Online |
|
|
IPTables.conf file is disappearing resulting in backup and restore failure. |
|
|
Deployment fails with internal_errors - Cannot get fresh id |
|
|
FXOS fault F1758 description should not be specific to subinterfaces |
|
|
ASA may fail to create NAT rule for SNMP with: "error NAT unable to reserve ports." |
|
|
show access-control-config doesn't show NAP/IPS policy name |
|
|
SNORT3: proxy traffic issue on port 80 when tls1.3 inspection enabled |
|
|
FMC - Unable to copy/cut/paste NAT rule |
|
|
Firepower 1000/2100 may boot to ROMMON mode |
|
|
Snort down due to missing lua files because of disabled application detectors (PM side) |
|
|
Search Feature of Large Access Control Policy Not Able to Find Searched-For Values |
|
|
Unnecessary FAN error logs needs to be removed from thermal file |
|
|
cacert.pem on FMC expired and all the devices showing as disabled. |
|
|
FMC to provide health alert 60 days prior to cacert.pem certificate expiry |
|
|
ssl policy errors: Unable to get server certificate's internal cached status |
|
|
Stale CPU core health events seen on FMC UI post upgrade to 7.0.0+. |
|
|
ASA: Delay in new chunk memory allocation when the firewall process a high number of new connections |
|
|
FMC UI Showing inaccurate data in S2S VPN Monitoring page |
|
|
ASA traceback and reload on Datapath process |
|
|
Deployment keep failing due to Config Error -- service-policy policy_map |
|
|
High CPU Utilization on FXOS for processes smConlogger |
|
|
Wrong extranet device name and type showing in S2SVPN listing page |
|
|
Optimization of Side Bar loading for HealthMon page |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
IKEv2 Multi-DVTI Hub Support FTD/ASA |
|
|
ASA/FTD: Improve GTP Inspection Logging |
|
|
ASA/FTD: GTP Inspection engine serviceability |
|
|
Write wrapper around "kill" command to log who is calling it |
|
|
[SXP-UserIP Muted Leader]FMC HA Join flushes FW IP_SGT Mapping and restreams in registered sensors. |
|
|
Classic and Unified Events should handle cases when SMC is unreachable |
|
|
Upgrade readiness failed in WM FDM @009_check_snort_preproc.sh but upgrade to 7.3.1-19 passed |
|
|
FPR4100/9300 displays the package-vers as 0.0 after successful firmware upgrade to version 1.0.19 |
|
|
User Group Download fetches less data than available or fails with "Size limit exceeded" error |
|
|
FTD: 10Gbps/full interfaces changed to 1Gbps/Auto after upgrade and going to down state |
|
|
FMC UI response is very slow: Add health module monitoring FMC ntpd server(s) accessibility |
|
|
Banner login does not display when configured |
|
|
Firepower Chassis Manager is not accessible with ECDSA certificates |
|
|
FPR31xx - SNMP poll reports incorrect FanTray Status at Down while actually operational |
|
|
Deployment fails to FTD when reusing/reassigning existing vlan id to diff interface |
|
|
Health monitoring cores due to health alerts with more than 8 fields |
|
|
The fxos directory disappears after cancelling show tech fprm detail command with Ctr+c is executed. |
|
|
Readiness check needs to be allowed to run without pausing FMC HA |
|
|
If the user navigate to Packet Tracer from Device Mgmt page, the selected device is incorrect |
|
|
Deployments can cause certain RAVPN users mapping to get removed. |
|
|
Snort down due to missing lua files because of disabled application detectors (VDB side) |
|
|
getting wrong destination zone on traffic causing traffic to match wrong AC rule |
|
|
FMC deploy logs rotating faster because of /internal_rest_api/accesscontrol/rapplicationsavailable |
|
|
DBCheck shouldn't run against MonetDB if user is collecting config backup alone |
|
|
Correlation rule 'Security Intelligence Category' option is missing DNS and URL values |
|
|
Stale anyconnect entries causing issues with routing |
|
|
Error loading data in NAT page - When unused port object is used |
|
|
AC policy change is not reflected in instance page on edit |
|
|
Snort3 TCP flow cache entry growth caused by embryonic connection mismanagement |
|
|
Add CIMC reset as auto-recovery for CIMC IPMI hung issues |
|
|
High CPU usage on multiple appliances incorrectly seen on FMC |
|
|
FMC should handle error appropriately when ISE reports error during SXP download |
|
|
FXOS/SSP: System should provide better visibility of DIMM Correctable error events |
|
|
Firewall rings may get stuck and cause packet loss when asp load-balance per-packet auto is used |
|
|
FXOS Traceback and reload caused by leak on MTS buffer queue |
|
|
Identity Policy Active auth snort3 redirect hostname doesn't list all FQDN objects |
|
|
Unable to upload FTD version image to FCM |
|
|
The exclude policy to exclude interface status will be removed on FMC after a while |
|
|
Selecting "All interfaces " under FTD exclude policy for interface status module doesn't work |
|
|
[API] Searching for objects inside groups does not filter in rule editor window |
|
|
FMC VPN Monitoring Dashboard incorrectly shows Standby FTD as VPN Session owner in HA pair |
|
|
FTD: TLS Server Identity does not work if size of client hello more than TCP MSS bytes |
|
|
ASA - The GTP inspection dropped the message 'Delete PDP Context Response' due to an invalid TEID=0 |
|
|
False critical high CPU alerts for FTD device system cores running instantaneous high usage |
|
|
EIGRP flexconfig migration 7.2.0, no CLIs should not be migrated if they are not the default config |
|
|
after HA break, selected list shows both the devices when 1 device selected for upgrade |
|
|
Editing identity nat rule disables "perform route lookup" silently |
|
|
Snort core while running IP Flow Statistics |
|
|
ASA/FTD traceback and reload on thread DATAPATH |
|
|
Decrypting engine/ssl connections hang with PKI Interface Error seen |
|
|
HA secondary unit disabled after reboot - Process Manager failed to secure LSP |
|
|
Some Vault secrets including LDAP missing files after upgrade if the Vault token is corrupted |
|
|
Management UI presents self-signed cert rather than custom CA signed one after upgrade |
|
|
Do not enable TLS Server Identity Discovery on FTDv deployed with GWLB |
|
|
Connection events sent to Syslog Server has "unknown" syslog facility |
|
|
FMC-HA page should show LSP version mismatch details. |
|
|
FPR1010 in HA failed to send or receive to GARP/ARP with error "edsa_rcv: out_drop" |
|
|
Snort blacklisting traffic during deployment |
|
|
FMC should not allow to create faulty snort3 rules with unknown characters |
|
|
Incorrect exit interface choose for VTI traffic next-hop |
|
|
ARP learning issues with Multiple-instance running 100G Netmod |
|
|
Lack of validation of string length creating object/category names using API |
|
|
[Display]FXOS: PC member interface is shown as down & unassociated/unassigned after reload |
|
|
Include "show env tech" in FXOS FPRM troubleshoot |
|
|
Intermittently flow is getting white-listed by the snort for the unknow app-id traffic. |
|
|
FXOS: Remove enforcement of blades going into degraded state after multiple DIMM correctable errors |
|
|
FXOS: Alperton 100G NetMod not being acknowledged properly |
|
|
ASA software on FP3110 showing incorrect serial number in show inventory output |
|
|
Snort3 core while running continuous traffic IMS 7.4.1-73 |
|
|
Chassis Manager shows HTTP 500 Internal Server error in specific cases |
|
|
FMC Policy Analysis - Broken Redudancy Logic Check |
|
|
snort3 crashes observed due to memory corruption in file api |
|
|
Enhancement for Lina copy operation for startup-config to backup-config.cfg in HA |
|
|
FTD not generating end of connection event after "Deleting Firewall session" |
|
|
Getting an exception on the UI while editing and saving the intrusion policy |
|
|
Policy deployment failed due to "1 errors seen during populateGlobalSnapshot" |
|
|
Snort2:Skip writing malware seed file duing process shutdown |
|
|
Extensive logging for a problematic deployment caused logs to rollover important logs |
|
|
Lina traceback in ZMQ Proxy caused service loss. |
|
|
Cisco_Firepower_GEODB_FMC_Update* are not included in diskmanager |
|
|
Policy apply stuck because of NTP time issues (previous deploy done in future timestamp) |
|
|
Strong Encryption license is not getting applied to ASA firewalls in HA. |
|
|
FTD/ASA traceback and reload may occur when ssl packet debugs are enabled |
|
|
Remote Desktop (RDP) traffic fails with TSID enabled |
|
|
4200 Series: Portchannel in cluster may stay down sometimes when LACP is in active mode |
|
|
Checkbox of Enable autogeneration of MAC addresses not working properly |
|
|
Add support for 10G-T-X module |
|
|
Message asa_log_client exited 1 time(s) seen multiple times |
|
|
FMC SSO timesout when user session is active for more than 1 hr (idle timeout) |
|
|
ASA: unexpected logs for initiating inbound connection for DNS query response |
|
|
FMC HA : Redundant FTD registration task failing on secondary FMC when FTD is disconnected. |
|
|
The FMC is showing "The password encryption key has not been set" alert for a 11xx/21xx/31xx device |
|
|
Handle mem leak in callhome test command |
|
|
FTD 4115 in HA crashing due to CLI-XML-SERVER issue |
|
|
Improve CPU utilization in ssl inspection for supported signature algorithm handling |
|
|
FMC Deployment failure in csm_snapshot_error |
|
|
FMC Deployment failed due to internal errors after upgrade |
|
|
SNORT3 - FTD - TSID high cpu, daq polling when ssl enabled is not pulling enough packets |
|
|
NAT pool is not working properly despite is not reaching the 32k object ID limit. |
|
|
Firepower WCCP router-id changes randomly when VRFs are configured |
|
|
Diskmanager process terminated unexpectedly |
|
|
FTDvs through put got changed to 100Kbps after upgrade |
|
|
WM DT - ASA in transparent mode doesn't send equal IPv6 Router Advertisement packets to all nodes |
|
|
CSF 4200: PSU Fan speed is critical |
|
|
FXOS : Duplication of NTP entry results in Error message : Unreachable Or Invalid Ntp Server |
|
|
ASA|FTD: Traceback & reload in thread Name: update_mem_reference |
|
|
FTD: Mariadb might cause OOM due to not-so-effective memory release algorithm in glibc allocator |
|
|
Upgrade from FMC 7.2.4.1 to 7.2.5 failed at 600_schema/000_install_fmc.sh |
|
|
Unexpected high values for DAQ outstanding counter |
|
|
FMC Primary disk degraded error |
|
|
FTD: The crucial upgrade script should not be bypassed by the Upgrade Retry |
|
|
[Multi-Instance] Second Hard Drive (FPR-MSP-SSD) not in use |
|
|
Lina core at swapcontext on Standby FTD during policy deployment |
|
|
Bulk FTD backups to be generated in batches internally |
|
|
ASA/FTD HA pair EIGRP routes getting flushed after failover |
|
|
High CPU Utilization alerts caused by the process Telegraf |
|
|
SNMP fails to poll accurate hostname from FMC |
|
|
Cannot configure Correlation rule because there are no values for GID that exceed 2000 |
|
|
Disconnecting RA VPN users from the FMC gui fails. |
|
|
Backup restore: silent failure when the device managed locally |
|
|
Every HA sync attempts to disable URL filtering if already disabled. |
|
|
eStreamer JSON parse error and memory leak |
|
|
FTD: Internal certificate generation results to certificate and private key mismatch |
|
|
FDM Upgrade failure due to expired certificates. |
|
|
FTD installation fails on FPR-2K "Error in App Instance FTD. Available memory not updated by blade" |
|
|
WA MI: Traps(linkup/down) from chassis is not seen on NMS even if unification is enabled |
|
|
crypto_archive file generated after the software upgrade. |
|
|
Random FTD snort3 traceback |
|
|
Init process spikes to 100% CPU usage after a failed backup |
|
|
GTP connections, under certain circumstances do not get cleared on issuing clear conn. |
|
|
Datapath hogs causing clustering units to get kicked out of the cluster |
|
|
Management DNS Servers may be unreacheable if data interface is used as the gateway |
|
|
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-34-17852' |
|
|
SNMP OID ifOutDiscards on MIO are always zero despite show interface are non-zero |
|
|
Connection drops during file transfers due to HeartBeat failures |
|
|
Thirty-day automatic upgrade revert-info deletion is not resilient to communication failures |
|
|
FMC clean_revert_backup script fails silently without creating any logs |
|
|
SSX Eventing continues to go to old tenant upon FTD migration to CDO. |
|
|
FTD 1120 Traceback and reload on standby unit with SNMP enabled. |
|
|
Traceback on FP2140 without any trigger point. |
|
|
S2S tunnels shown inactive on FMC dashboard though tunnels are up on FTD due to out-of-order events |
|
|
Daily Change Reconciliation Report Randomly Generating Reports with the same time periods |
|
|
FTD upgrade failling on script 999_finish/999_zz_install_bundle.sh |
|
|
FTD HA sync failure due to "CD App Sync error is Failed to apply SSP config on standby" |
|
|
ASA/FTD traceback and reload on thread DATAPATH |
|
|
SFDataCorrelator logs "Killing MySQL connection" every minute, causing performance problems |
|
|
FMC backup fails with "Registration Blocking" failure caused by DCCSM issues |
|
|
Hardware bypass not working as expected in FP3140 |
|
|
Source of the VTI interface is getting empty |
|
|
FMC/cdFMC increase API rate limit |
|
|
Node kicked out of cluster while enabling or disabling rule profiling |
|
|
FMC does not generate email health notifications for Database Integrity Check failures. |
|
|
Capture-traffic Clish command with snort3 not producing a proper resulting capture |
|
|
FMC-4600: Pre-Filter policy is showing as none |
|
|
Fail open snort-down is off in inline pairs despite it being enabled and deployed from FMC |
|
|
FMC: Displaying "missing en-US:BGP" via Deployment Preview when BGP Changes have been Reverted |
|
|
Standby manager addition is failed on Primary FMC due to previous entries in table |
|
|
Stale HA transactions need to be moved to failed and subsequent HA transaction needs to be created |
|
|
Device/port-channel goes down with a core generated for portmanager |
|
|
In FIPS mode, External auth with TLS config enabled, CLI logins are not working (FMC & FTDs) |
|
|
Deployment failed due to missing AnyConnect Profile File |
|
|
FMC error out Invalid IPv4 Network or Host literal from the group while Adding a network in the ACP |
|
|
FTD: Update WM firmware to 1023.0207 |
|
|
User assigned to a read only custom role is not able to view content of intrusion policy for snort2 |
|
|
Log spam in /var/log/messages: Out of range value for column 'map_id' |
|
|
EIGRP migration failed using 'FlexConfig Policies' script failed generating database corruption |
|
|
Error Fetching Data in Exclude Policy Page when non permanent exclude periods are selected |
|
|
Deployment stuck on FMC when device goes down during deploy and doesn't boot up |
|
|
Alert: Decommission failed, reason: Internal error is not cleared from FCM or CLI after acknowledge |
|
|
File-extracts.logs are not recognised by the diskmanager leading to high disk space |
|
|
FTD ADI debugs may show incorrect server_group and/or realm_id for SAML-authenticated sessions |
|
|
"boot config" is not working after reload on FPR1140 |
|
|
Unable to SSH into FTD device using External authentication with Radius |
|
|
tls website decryption breaks with ERR_HTTP2_PROTOCOL_ERROR |
|
|
use kill tree function in SMA instead of SIGTERM |
|
|
Detailed logging related to reason behind sub-interface admin state change during operations |
|
|
ASA/FTD traceback and reload due to file descriptor limit being exceeded |
|
|
Health Monitor Alerts set in Global are not sending alert from devices assigned in leaf domain |
|
|
Hostnames are replaced with IP addresses in alert email content |
|
|
Module name displayed in the alert got changed and it is differ from the one set in FMC |
|
|
FTD HA should not be created partially on FMC |
|
|
FDM deployment failure |
|
|
Policy Apply failed moving from FDM to FMC |
|
|
Hairpinning of DCE/RPC/FTP traffic during the suboptimal lookup |
|
|
Deployment fails on new AWS FTDv device with "no username admin" |
|
|
FTD HA Failure after SNORT crash. |
|
|
Umbrella Profile and others cleared incorrectly when editing group policy in the UI |
|
|
MonetDB startup enhancement to clean up large files |
|
|
installing GeoDB country code package update to FMC does not automatically push updates to FTDs |
|
|
Deployment fails if Network Discovery policy reference is missing from FMC Database |
|
|
ASA traceback and reload on Thread Name: DATAPATH |
|
|
FMC Validation failure for large object range and success for object network in NAT64 |
|
|
Incorrect health monitor alerts for ISE-PIC connectivity |
|
|
low memory/stress causing traceback in SNMP |
|
|
ISA3000 Traceback and reload boot loop |
|
|
We should be skipping sru_install during for Minor patch upgrades and install only on required basis |
|
|
FMC Deployment preview shows different information before and after FTD deploy |
|
|
Monetdb having 14GB of unknown BAT data causing "High unmanaged disk usage on /Volume" |
|
|
ASA/FTD: DNS Load Balancing with SAML does not work with VPN Load Balancing |
|
|
FTDv may traceback and reload in Thread Name 'PTHREAD-3744' when changing interface status |
|
|
API:/operational/commands not working as swagger indicate |
|
|
"Update file is corrupted" for "Download Latest Cisco Firepower Geolocation Database Update." in FMC |
|
|
ASA traceback and reload on Thread Name: pix_flash_config_thread |
|
|
ASA|FTD Traceback & reload in thread name Datapath |
|
|
Event Searching with Objects and Networks Leads to only showing events matching Objects |
|
|
Threat Defense Service Policy - Reset Connection Upon Timeout not working |
|
|
TCP MSS is changed back to the default value when a VTI or loopback interface is created |
|
|
FTD 7.4.1 Snort shows 100% utilization even at a low traffic rate |
|
|
Unattended mode FTD upgrade from 741 to 76 fails if upgrade pkg is already copied over to devices |
|
|
Snort3 traceback and restarts with race conditions |
|
|
Misleading Certificate Attribute Checking Under DAP Endpoint Criteria |
|
|
Snort3 traceback in TcpReassembler::scan_data_post_ack |
|
|
SSL protocol settings does not modify the FDM GUI certificate configuration or disable TLSv1.1 |
|
|
Decryption policy page is empty if user that modified/created policy was deleted. |
|
|
Error thrown if Security Analytics user tries to access Packet Capture page |
|
|
7.4 - If policy save in progress deploy might indicate failure for only few devices |
|
|
ASA Traceback and reload on Thread Name "fover_parse" on Standby after Failover Group changes |
|
|
Internal error when attempting to configure PBR in FMC |
|
|
interface idb logging log rotation to FXOS logrotate utility |
|
|
RAVPN SAML: External browser gives misleading message when FTD/ASA fails to parse assertion |
|
|
Incorrect NAT warnings threshold limit of 131838 IPs |
|
|
Bootstrap after upgrade failed - Resume HA with reason deployment already exists |
|
|
High disk usage caused by large write-ahead log in eventdb |
|
|
ZTNA: FMC pushes incorrect sp-acs-url parameter - "?" encoded as 0x3F |
|
|
ZTNA: FMC doesn't accept IdP with local domain |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
Debugs failed to be enabled on SSH session |
|
|
ASA/FTD Traceback and reload related to SSL/DTLS traffic processing |
|
|
SFDataCorrelator timeout thread deadlock detection core on busy FMC |
|
|
Threat Defense Upgrade wizard might incorrectly show clusters/HAs as disabled |
|
|
ASA/FTD may traceback and reload in Thread Name "appAgent_monitor_nd_thread" & Rip: _lina_assert. |
|
|
Geodb installation notification is stuck or some tasks wont create a notification in UMS |
|
|
traceback and reload around function HA |
|
|
DHCPv6:ASA traceback on Thread Name: DHCPv6 CLIENT. |
|
|
WARN msg(speed not compatible, suspended) while creating port-channel on Victoria CE |
|
|
The report doesn't include "Default Variables" information after change "Variable Sets" name |
|
|
ASA/FTD may traceback and reload in Thread Name 'webvpn_task' |
|
|
Unable to view any events (Connection/Malware/etc) on the FMC Post FMC Upgrade to 7.6 |
|
|
FMC: Packet-tracer showing a "Interface not supported" error for VLAN interfaces |
|
|
Devices might change status to "missing the upgrade package" after Readiness Check is initiated |
|
|
FMC configured DAP rule with Azure IDP SAML attributes does not match |
|
|
Policy deployment failures on TPK MI chassis after redeploying same instance |
|
|
During FMC hardware migration failure encountered due to missing prometheus directories |
|
|
Error logs generated for ssh access to ASA when eddsa is used as kex hostkey |
|
|
Continuous snmpd restarts observed if SNMP host is configured before the IP is configured |
|
|
ASA/FTD: Memory leak caused by Failover not freeing dnscrypt key cache due to unsyned umbrella flow |
|
|
Creating DAP policy with underscore "_" is not visible as applied to Remote Access VPN policy |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
upgrade of FMC to 7.2.x removes FlexConfig-provided EIGRP authentication from interfaces on FTDs |
|
|
Firewall is in App Sync error in pseudo-standby mode and uses IPs from Active unit |
|
|
standard error (stderr) not inserted into restore.log when restoring FMC backups |
|
|
Device listing taking long due to FTD_HA REST-API delay - Can be seen in loading HealthMon page. |
|
|
Download failed for Available Upgrade Packages |
|
|
"Stream: TCP normalization error in NO_TIMESTAMP" is seen when SSL Policy decrypt all is used |
|
|
Unable to delete custom DNS Server Group Object post upgrade 7.2.x |
|
|
Devices in HA pair shows as standalone in Threat Defense Upgrade page |
|
|
FTD: Improve or optimize LSP package verification logic to run it faster |
|
|
Member interface admin status is not updated on Lina after enabling port-channel interface |
|
|
ASA/FTD traceback and reload in Thread Name: IKEv2 Daemon when moving from active to standby HA |
|
|
Configuring MTU value via CLI does not apply |
|
|
Standby FTD experiencing periodic traceback and reload |
|
|
Memory exhaustion due to absence of freeing up mechanism for tmatch |
|
|
Transparent firewall MAC filter does not capture frames with STP-UplinkFast dst MAC consistently |
|
|
FXOS capture in Container mode behaves erratically |
|
|
CloudAgent Smart Agent Exception - The Smart Agent Manager requires NTP to be running on FDM |
|
|
FDM deployment fails with error "Some interfaces have been added to or removed from the device" |
|
|
IKEv2 client services is not getting enabled - XML profile is not downloaded |
|
|
FTD/Lina traceback and reload of HA pairs, in data path, after adding NAT policy |
|
|
some ssh sessions not timing out, leading to ssh and console unable to connect to the FXOS CLI |
|
|
FMC: Add logging for PM functions |
|
|
Policy Deployment Fails when removing the Umbrella DNS Policy from Security Intelligence |
|
|
FMC API Call for Network Object Overrides Returns Different Results for Active vs Standby FW |
|
|
Incorrect Timezone Format on FTD When Configured via FXOS |
|
|
Snort stripping packet information and injects its packet with 0 bytes data |
|
|
Unable to send unknown file disposition to ThreatGrid due to mem cache issue |
|
|
MonetDB Monitor triggers for restarting MonetDB based on WAL size are not effective |
|
|
FMC deployment failure due to incorrect error message type sent to FMC |
|
|
Report file generated for AC policy is empty |
|
|
ASA CLI hangs with 'show run' on multiple SSH |
|
|
Traffic incorrectly matches an ALLOW rule with a time-range object after time has expired |
|
|
some stdout logs not rotated by logrotate |
|
|
Upgrade Failed with error "Upgrade failed because of undeployed changes present on the device" |
|
|
Deployment failure due to Rsync-chunk-checksum slowness |
|
|
TLS Server Identify: 'show asp table socket' output shows multiple TLS_TRK entries |
|
|
Modify UUID during license communication to avoid disrupting customer's licenses |
|
|
External Radius authentication fails post upgrade if radius key includes special characters |
|
|
VTI tunnel showing incorrect port-channel association info in VPN Monitoring page |
|
|
SFData correlator keep terminating on FTDs configured for IDS |
|
|
Traceback and reload on Primary unit while running debugs over the SSH session |
|
|
Automatic VDB/SRU Download Fails Due to Simultaneous Signature Validation |
|
|
Every realm sync indicates an access control policy change |
|
|
ASA:request to add "logging list" option to the "logging history" command. |
|
|
FTD/ASA system clock resets to year 2023 |
|
|
Access to website via Clientless SSL VPN Fails |
|
|
Unable to login to FDM GUI using external user account via RADIUS |
|
|
FTD/ASA - SNMP queries using snmpwalk are not displaying all "nameif" interfaces |
|
|
ASA SNMP Polling Failure for environmental FXOS DME MIB (.1.3.6.1.4.1.9.9.826.2) |
|
|
Need to add reasons for blocks in stream |
|
|
Migration of S2S from ASA to FMC across domains |
|
|
Heap-use-after-free in Discovery Filter on Snort shutdown |
|
|
Deployment doesn't timeout as notification (but not started), runs for hours after LSP install |
|
|
Run All function on FMC Health Monitoring page is greyed out after upgrade |
|
|
Lina traceback and reload in Thread Name: cli_xml_request_process |
|
|
"crypto ikev2 limit queue sa_init" resets after reboot |
|
|
ASA/FTD Optimise Fail-to-Wire (FTW) modules trigger in Reload/Crash scenarios |
|
|
Fault "Adapter 1/x/y is unreachable" due to connectivity failure between supervisor and VIC adapter |
|
|
FTD: Hostname Missing from Syslog Message |
|
|
FTD SNMP OID 1.3.6.1.4.1.9.9.109.1.1.1.1.7 always returns 0% for SysProc Average |
|
|
SSH/SNMP connections to non-admin contexts fail after software upgrade |
|
|
Chromium-based browsers have SSL connection conflicts when FIPS CC is enabled on the firewall. |
|
|
FMC HA sync status shows failed during VDB/SRU installation on Active and standby FMC |
|
|
ASA traceback and reload after configuring capture on nlp_int_tap and deleting context |
|
|
FTD traceback assert in vni_idb_get_mode and reloaded |
|
|
EIGRP bandwidth is changing after upgrade or after "shutdown"/"no shutdown" commands |
|
|
Tomcat restarts in the middle of the LTP flow due to certificate update |
|
|
ActionQueueScra invoked oom-killer |
|
|
Policy deployment failure rollback didnt reconfigure the FTD devices |
|
|
Backup failure message doesn't help the user |
|
|
FMC: Multiple Email address in Email Alert not working |
|
|
Snort process spamming syslog-ng messages causing syslog-ng termination |
|
|
VMXNET3 driver is not getting loaded automatically on the bootup for FMCv300 |
|
|
logging list MANAGER_VPN_EVENT_LIST getting removed and re-applied for every deployment |
|
|
Policy deployment failure in standalone FDM due to an interface error |
|
|
Network Risk Report on FMC lacks option to select data source, could cause report generation to fail |
|
|
Backup failures needs to be displayed with the correct state on GUI |
|
|
ASA Checkheaps traceback while entering same engineID twice |
|
|
Backup generation on FDM fails with the error "Unable to backup Legacy data." |
|
|
pmtool restart of monetdb fails to bring up monetdb, too many files in monetdb Volume directory |
|
|
SFDataCorrelator creates huge numbers of to_import files when MonetDB table partition creation fails |
|
|
FMC : Health Monitor Alert is not properly issued regarding disk usage |
|
|
In Spoke dual ISP case if ISP2 is down, VTI tunnels related to ISP1 flapping. |
|
|
Deleting Snort 3 IPS Rule doesn't Generate Audit Log |
|
|
ENH: FTD Add debug message to indicate "No CRL found in User identity Certificate" |
|
|
FTD management interface DHCP server may fail to start causing connectivity issues or showing faults |
|
|
ASA/FTD may traceback and reload in Thread Name DATAPATH due to GTP Spin Lock Assertion |
|
|
FMC Server Certificate shows Only First 20 Objects |
|
|
ASA upgrade from 9.16 to 9.18 causing change in AAA ldap attribute values by adding extra slash '\' |
|
|
Deployment failure due to exceeding logging event list name size |
|
|
FTW no longer working in NM3 on Warwick |
|
|
FMC: fireamp generating too many logs |
|
|
FTD: HostScan scanning results not processed in version 7.4.1 |
|
|
ICMP replies randomly does not reaching the sender node when initiated from the node. |
|
|
Tomcat and Apache maxHeader size should be increased to avoid 413 errors on some FMC pages |
|
|
Unable to remove suppression from snort3 rule once added |
|
|
FP 3100 MTU change on management interface is NOT persistent across reboots (returns to default MTU) |
|
|
The secondary device reloaded while rebooting the primary device. |
|
|
FTD - sftunnel unstable connectivity issues when control and event are configured in same subnet |
|
|
Web Contents files appear as text/plain when they should be application/octet-stream |
|
|
Never expiring machine user not logged out at various places |
|
|
Crypto IPSEC SA Output Showing NO SA ERROR With IPSEC Offload Enabled |
|
|
Applications are incorrectly identified as TOR and blocked by Snort3 |
|
|
FMC-SSE Cloud Configuration SSE Enrollment Failure alert due to empty connector.toml file on the FTD |
|
|
TSS_Daemon process is exiting every minute |
|
|
SAML: Single sign-on AnyConnect token verification failure is seen after successful authentication |
|
|
FTD: Primary takes active role after reloading |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' related to Netflow timer infra |
|
|
Deploy doesnt show up on FMC upon merging unmerged diagnostic on FTD-HA |
|
|
username containing '@' character works for asa login but fails for 'connect fxos' |
|
|
Policy stuck in loading state on FMC UI |
|
|
Change in Application Client Type attribute |
|
|
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-6-26174' |
|
|
PM restart needs to be blocked or warned the user that it may go for reboot |
|
|
FMC - Inheritance Settings Select Base Policy Menu disappears while scrolling using Light or Dusk UI |
|
|
rna_ip_os_map can grow very large that causes SFDataCorrelator to stop processing events |
|
|
Object optimisation gets disabled on FMC if next deployment is after two hours |
|
|
FTD - Trace back and reload due to NAT involving fqdn objects |
|
|
ASA: Warning messages not displayed when Static interface NAT are configured |
|
|
FTDv reloads and generate backtrace after push EIGRP config |
|
|
FTD with Interface object optimization enabled is blocking traffic after renaming of zone names |
|
|
Debug: Eth1/1 flapping unexpectedly |
|
|
Active unit goes to disabled state when there is a mismatch in firewall mode |
|
|
Lina traceback and reload due to mps_hash_memory pointing to null hash table |
|
|
Snort version mismatch between FTD HA peers resulted from a reboot during a snort toggled deployment |
|
|
After upgrading the ASA, “Slot 1: ATA Compact Flash memory” shows a ditterent value |
|
|
LSP Deployment fails in multi instance FP 41xx / 93xx |
|
|
Error when running 'show tech-support module detail' on FPR9K |
|
|
FTD/ASA : CSR generation with comma between “Company Name” attribute does not work expected |
|
|
restored FMC backup devices display as "normal" and "healthy" although without connection with FMC |
|
|
FMC allows loading a binary certificate in the External Authentication Object |
|
|
FMC shows a non-User-Friendly Error during a Policy Deployment failure due to snapshot failure |
|
|
Rest API '/devices/devicerecords' is returning mismatch of values for (RA VPN) policy object id |
|
|
Identity Mapping Filter field gets updated with newly created network objects. |
|
|
Snort3: TCP traffic failure after upgrade due to large invalid sequence numbers and invalid ACKs |
|
|
Validation required incorrect CLI Access Users in External Auth |
|
|
Victoria CP might list all on-board interfaces as L3 mode after base-install |
|
|
SFDataCorrelator memory leak after unregistering an active device |
|
|
3140 3 MI instances upgrade failed |
|
|
Addition of debugs & a show command to capture the ID usage in the CTS SXP flow. |
|
|
Wrong IP address on FMC audit logs |
|
|
F1758 FXOS Fault Observed in ASA Appliances Following FXOS Upgrade |
|
|
TLS Secure Client sessions cannot be established on FTD Due to RSA-PSS Signing Algorithm |
|
|
After upgrade FDM deployment fails "Timeout waiting for snort detection engines to process traffic" |
|
|
Segmentation fault with "logger_msg_dispatch" while HA sync |
|
|
Clientless VPN users are unable to reach pages with HTTP Basic Authentication |
|
|
"strong-encryption-disable" pushed from FMC without any change after FMC upgrade |
|
|
VPN config isn't getting sync to leaf domain, when FTD moved to leaf domain |
|
|
ASA/FTD may traceback and reload while handling DTLS traffic |
|
|
IKEv2 tunnels flap due to fragmentation and throttling caused by multiple ciphers/proposal |
|
|
ASA/FTD Cluster memory exhaustion caused by NAT process during release of port blocks allocations |
|
|
Disk quota for the corefile should be revisited based on platform |
|
|
Snort3 core in FTD stateful signature evaluation |
|
|
SecureX / Cisco Security Cloud registration fails if FMC is behind a proxy server |
|
|
Command to show counters for access-policy filtered with a source IP address gives incorrect result |
|
|
Multiple context interfaces fail to pass traffic |
|
|
Dns-guard prematurely closing conn due to timing condition |
|
|
URL Filtering and Cisco-Intelligence-Feed Download Failure |
|
|
ASA traceback with thread name SSH |
|
|
High latency observed on FPR31xx |
|
|
SFDataCorrelator memory growth when pruning a huge number of old service identities |
|
|
FDM /ngfw/var/sf/fwcfg/zones.conf is empty for 7.3.1 |
|
|
SFDataCorrelator memory growth when processing a huge number of expired user identities |
|
|
FTD compliance mode not accurately shown on FMC for newly registered FTDs |
|
|
FMC 7.3 Deployment failed due to OOM in PBR Configuration |
|
|
FTD: Backups fail on Multi-Instance or standalone with error "Backup died unexpectedly" |
|
|
Additional memory tracking in SFDataCorrelator |
|
|
ASA/FTD may traceback in Threadname: **CTM KC FPGA stats handler** |
|
|
FTD-HA creation is failing because FMC takes longer time to save overrides. |
|
|
FTD-HA upgrade fails to start - Configuration is out of sync between active and standby |
|
|
FMC HM showing "normal" eventhough FTD having Comm Failure |
|
|
IPv6 rule with manual address entry FMC with ::/0 is not working as expected. |
|
|
SNMP poll for some OIDs may cause CPU hogs and high latency can be observed for ICMP packets |
|
|
FTDv - The interface connected to the AWS GW may have connection issues for DHCP or an idle state. |
|
|
when set the route-map in route RIP on FTD, routes update is not working after FTD reload |
|
|
ACP rule may not get applied post-deployment/Deployment failure due to FXOS- FTD timezone mismatch |
|
|
Unable to add additional LDAP attribue maps on upgraded FMC |
|
|
Internal Certificate Import Error : Failed to validate Cert Based EO: Unsupported Key Type |
|
|
Stale Health Alerts seen on the UMS after model migration |
|
|
High latency observed on FPR42xx |
|
|
Crypto IPSEC Negotiation Failing At "Failed to compute a hash value" |
|
|
SSE connection events, FirewallRuleList field is not sent in proper format |
|
|
All IPV6 BGP routes configured in device flapping |
|
|
Snort creating too many snort-unified log files when frequent policy deploys |
|
|
FMC backup remote server copy to Solar Winds remote server failing after upgrading to 7.x versions. |
|
|
BGP config related to holdtime not being deployed sucessfully |
|
|
object lookup doesn't show referenced policy automatically under object management |
|
|
Traceback observed while applying 'no failover' and 'failover' in the ASA standby |
|
|
Crypto ikev2 policy sequence order alters on interface/sub-interface config changes |
|
|
FMC unable to upload PKCS12 certificate using Passphrase longer than 48 characters in length. |
|
|
Radius secret key of over 14 characters for external authentication does not get deployed (FPR3100) |
|
|
ASA/FTD: A delay in an async crypto command induces a traceback and subsequently a reload. |
|
|
FPR3K loses connectivity to FMC via mgmt data interface on reboot of FPR3K |
|
|
ASA: Running the failsafe-exit command caused the interface to enter a DISABLED state |
|
|
delay in creating process of Readiness/upgrade post initiating from UI |
|
|
FDM1010E 7.4.1 unable to register to SA, getting "Invalid entitlement tag" |
|
|
FMC HA Wizard shows error "Unable to retrieve high availability status." with other languages |
|
|
False positive ISE bulk download alert error seen on FMC |
|
|
Cleanup stale logrotate files |
|
|
FMC REST API not sending 'deploymentStatus' Attribute |
|
|
FTD HA status in ON Prem FMC is corrupted reporting Secondary as Primary |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' due to SCP/SSH process |
|
|
FMC only accepts a maximum of 30 characters for shared secret key when connecting to RADIUS server |
|
|
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-1-16803' |
|
|
High CPU usage in svc_sam_dme process during deployment post breaking cluster or deleting inline-set |
|
|
File descriptor leak when validating upgrade images |
|
|
cEdge URLF feature is not blocking urls with categories |
|
|
Error message spammed to console on Firepower 2100 devices while enabling SSH config |
|
|
Deployment failure and rollback when changing parent of subinterface with failover MAC address |
|
|
Snort3: MSSQL query traffic corrupted by stream_tcp overlap handling causing SQL HY000 |
|
|
Snort3 traceback and reload due to memory corruption in file module |
|
|
Disable health module does not delete UMS messages for that health module. |
|
|
Snmpwalk throws Error messages #"snmp/error: truncating integer value > 32 bits" |
|
|
FMC gets flooded with"Unable to find SSL rule id for policy" if TLS server identity discovery is on |
|
|
OGO changing the order of custom object group contents causing an outage at static NAT |
|
|
Snort3 crashes due to processing pdf tokenizer with no limits. |
|
|
ECDSA certificates are not supported by FMC ISE integration |
|
|
New User activity page does not load because the VPN bytes in and out are long. |
|
|
FMC GUI errors out when searching for Topology Name that has a decimal point in the name |
|
|
Tomcat and VmsBackendServer down post upgrade if a userrole description is too long |
|
|
Some cloud features may not work if FMC SSO feature is toggled ON but not configured |
|
|
Default Hashing Algorithm is SHA1 for Firepower Chassis Manager Certificate on 4110 |
|
|
SNMP host group content change results in SNMP process termination on management interface |
|
|
Snort dropping connections with reason blocked or blacklisted by the firewall preprocessor |
|
|
"FDM Keyring's certificate is invalid, reason: expired" health alert on FMC |
|
|
PAT communication via using PAT pool fails for about 40 seconds when a device joins a cluster |
|
|
Deployment time increased by 30-45 seconds after the upgrade when applying specific Platform Setting |
|
|
sync call got stuck resulting in boot loop |
|
|
VPN status not getting updated on site-to-site monitoring. |
|
|
Deployment failure and rollback when BGP communities added or removed in route-map match clause |
|
|
ASA may traceback and reload in Thread Name 'DATAPATH-21-16432' |
|
|
SNMP OID for CPUTotal1min omits snort cpu cores entries when polled |
|
|
Snort3: Smaller size packets exceeding the max segment limit cause Snort-block |
|
|
ASAv Memory leak involving PKI/Crypto for VPN |
|
|
tpk_mi upgrade failed from 7.4.1.1 > 7.6.0 000_start/000_00_run_cli_kick_start.sh. |
|
|
Policy Deployment failure in FTD HA node due to timeout for SHOW_XML_REQUEST |
|
|
User group map miss after Hardware FMC model migration from FMC2600 to FMC4700 |
|
|
FTD LINA Traceback and Reload idfw_proc Thread |
|
|
eStreamer memory leak when the FMC receives events from CDO-managed FTDs |
|
|
ENH Logs FP4110 (FXOS 2.10.1.179) Security module stopped responding after device reboot |
|
|
cdFMC and onPrem FMC: Device management / listing is showing chassis url for FPR-1K running 7.4.1 |
|
|
snmpd core seen in ASA/FTD |
|
|
SFDataCorrelator deadlock on reconfigure after RNAStop and monetdb output queue is full |
|
|
FTD - Trace back and reload due to NAT involving fqdn objects |
|
|
[WM RM]The member interface of the Port-channel is missing on the ASA(1G & 10G) post SFP JOJI/reboot |
|
|
IP-SGT mappings on Lina-side are not being removed, when FMC pxGrid connection is disabled |
|
|
ASA/FTD may traceback and reload in Thread Name 'sdi_work' |
|
|
TLS Handshake Fails if Fragmented Client Hello Packet is Received Out of Order |
|
|
FDM HA deployment fails with 'ApplicationException: Unable to export to database' error |
|
|
FTD/ASA : Standby FTD traceback and reload after enabling memory tracking |
|
|
Rommon Upgrade failed due to mismatch in descriptor table. |
|
|
FAN is working as expected but FAN LED is in off state. |
|
|
Seeing message "reg_fover_nlp_sessions: failover ioctl C_FOREG failed" |
|
|
SFDataCorrelator log spam, repeatedly purging expired services and client apps |
|
|
FMC on upgrade results in FTDv losing its performance tier |
|
|
FTD failed to join FTD-HA after upgrade revert |
|
|
FPR might drop TLS1.3 connections when hybridized kyber cipher is enabled in web browser |
|
|
High LINA CPU observed due to NetFlow configuration |
|
|
Standby Unit Interfaces enter "Waiting" Status Post-FTD Upgrade Due to Incorrect "Hello" Message MAC |
|
|
Invalid health alert msg - Classic License Expiration Monitor for "License mismatch on stack" on FTD |
|
|
FMC Rest API Internal Server Error when log Interval attribute is not set |
|
|
ASA/FTD may traceback and reload in Thread Name 'fover_FSM_thread' |
|
|
FPR2100-ASA Unable to generate CSR without FXOS IP address on SAN field |
|
|
FTD may traceback and reload in process name lina while processing appAgent msg reply |
|
|
[7.6.0]Radius auth not working with custom secret key |
|
|
FMC Health Monitoring sends incomplete message when language is changed. |
|
|
Larger entries in EoRevisionStore table causing HA Sync to fail mysqldump process |
|
|
FTD /mnt 100% disk utilization due to snort memory mapped files |
|
|
FTD HA: Traceback and reload in netsnmp_oid_compare_ll |
|
|
Snort2 SSL decryption with known key fails on Chrome v124 and above. |
|
|
Failsafe mode default values are unattainable on some platforms need adjustment per platform/mode |
|
|
Snort3 crashes while collecting flow-ip-profiling |
|
|
RAVPN: Failure to create SGT-IP mapping due to ID table exhaustion |
|
|
CdFMC: Device migration with RAVPN fails during import |
|
|
FMC: Comments on rule change required not working in Classic Theme Legacy UI |
|
|
Unable to run "nslookup" command on FXOS |
|
|
CD App Sync error on FDM HA after LINA crash |
|
|
disable stat check for file |
|
|
Browser redirects to logon page when the user clicks the WebVPN bookmark |
|
|
cdFMC : AC rule shown as removed in policy preview |
|
|
Access rule name shows "invalid ID" instead of the rule names after patching from 7.2.4 to 7.2.5 |
|
|
FMC got deregistered from Smart License after upgrade |
|
|
Encountering an unknown error [9999] when attempting to modify the identity policy. |
|
|
Classification mismatch between intrusion and correlation events |
|
|
Failure to read the signature keys (mult-instance deployment) |
|
|
Fail to start a disabled container on chassis reboot and misses to log the activity to Heimdall |
|
|
"show inventory" output shows Name: "power supply 0" on Firepower |
|
|
Post upgrade to 7.4.2-S2S tunnel status is showing empty |
|
|
M6 hardware models are hardly storing only a week old health monitoring data |
|
|
CdFMC: FTD Migration Failing on Registration Phase |
|
|
ASA Fails to initiate AAA Authentication with IKEv2-EAP and Windows Native VPN Client |
|
|
Captive portal returns bad request for snort 2 for FMC 7.4.x , FTD version < 7.4 |
|
|
Snort2 - SSL decryption failing and some websites not loading on Chrome v124+ |
|
|
WebVPN connections stuck in CLOSEWAIT state |
|
|
ASA/FTD may traceback and reload in Thread Name PTHREAD |
|
|
Realm download task failing with ADI process is not currently available |
|
|
Unable to download users/groups getting Failed to get response from ADI. |
|
|
FPR 21xx - Traceback in Process Name: lina-mps during normal operations |
|
|
ASA CLI hangs with 'show run' with multiple ssh sessions |
|
|
Filtered ACP rules are not greyed out when disabled using Bulk action |
|
|
FTD does not compact files that are used to communicate updates to the SGT/IP mappings |
|
|
FTD Unable to register to FMC due to empty DNS Server configured. |
|
|
ASA/FTD SNMP polling fails due to overlapping networks in snmp-server host-group |
|
|
"set ip next-hop" line deleted from config at reload if IP address is matched to a NAME |
|
|
Loss of interface mapping with security zones after deployment |
|
|
FMC REST API || ICMP objects with no code value breaking GET call and JSON parsing |
|
|
Serviceablity : Improve routing infra debugs and add new for error conditions |
|
|
On Slow networks, sftunnel continues to label connections as STALE. |
|
|
Upgrade FMC fails while running script 120_check_legacy_private_cloud_for_ampkit.pl |
|
|
Force deploy not re-generating export-cache in the device |
|
|
Clock skew between FXOS and Lina causes SAML assertion processing failure |
|
|
ADI Session Processing Delays return after upgrade to 7.2.x |
|
|
FTD/ASA traceback and reload due to 'show bgp summary' memory leak |
|
|
command to print the debug menu setting of service worker |
|
|
FMC - Custom User role VPN allows user to make changes to Site to Site VPN when Modify is unchecked. |
|
|
Clock skew: FXOS clock diverges from Lina NTP time ~1-10 secs |
|
|
Connectivity failure due to mismatch between l2_table and subinterface mac address |
|
|
"Rule Unavailable" for some local intrusion rules may be shown in intrusion event packet view |
|
|
Deploying an authorization server with an LDAP attribute map results in deployment failure. |
|
|
High LINA CPU observed due to NetFlow due to 'flow-export delay flow-create' configuration |
|
|
Accepting duplicate object/group-object into object-group from multiple ssh sessions |
|
|
RC4 ciphers cannot be disabled on FMC/FTD for captive portal authentication with Kerberos |
|
|
Fatal error: Error running script 800_post/100_ftd_onbox_data_import.sh |
|
|
Traceback and reload on active unit due to HA break operation. |
|
|
TCP Session Interrupted if Keep-Alive with 1 Byte is Received |
|
|
SNMP polling of admin context mgmt interface fails to show all interfaces across all contexts |
|
|
ASA/FTD incorrectly forwards extended community attribute after upgrade. |
|
|
TS filename still showing the old IP after FMC management IP is changed |
|
|
Bring back support for portal-access-rule for weblaunch for RAVPN sessions |
|
|
FTD : Management interface showing down despite being up and operational |
|
|
Traffic drop with 'rule-transaction-in-progress' after failover with TCM cfgd in multi-ctx mode |
|
|
Re-Registering the FMC with on-Prem server is getting failed |
|
|
ASA/FTD traceback and reload with high rate of SIP connections |
|
|
State Link Stops Sending Hello Messages Post-Failover Triggered by Snort traceback in FTD HA |
|
|
FTD doesn't send Type A query after receiving a refuse error from one DNS server in AAAA query. |
|
|
ESP sequence number of 0 being sent after SA establishment/rekey |
|
|
FMC Users page in sub domain does not load |
|
|
Add warning message when configuring CCL MTU |
|
|
Radius server configuration for FTD external authentication is not deployed to FTD. |
|
|
Upgrade readiness fails due to snort plugins |
|
|
Snmpwalk displays incorrect interface speeds for values greater or equal than 10G |
|
|
Remove SGT frames/packets to allow VTI decryption |
|
|
Issue with Setting Certain Timezones (e.g. GMT+1) on Cisco ASA Firepower in Appliance Mode |
|
|
FMC - Add warning message when configuring CCL MTU |
|
|
FTD/ASA - VPN traffic flowing through the device may trigger tracebacks and reloads. |
|
|
No devices listed in Packet Tracer "Select Device" dropdown |
|
|
Backups may fail on remote storage when the filebackup.tar contents are so huge |
|
|
EventHandler may not send events to the FMC when Snort wrote many zero-length snort-unified files |
|
|
FTD cannot obtain the VPN route if answer only is configured with reverse route injection enabled |
|
|
temporary backups files shouldn't be kept on remote storage and do not parse other format files |
|
|
Backup feature does not save/restore DAP configuration in multiple context mode. |
|
|
CDO: Chassis onboarding to CDO is failing with hostname |
|
|
FMC 7.2.5 Showing incorrect data of FTD HA at 6.6.5 under fleet upgrade |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
Safety Net for Infinite Recursion Crashes due to Bad Stream TCP State in (IDS)Post-ACK mode |
|
|
FTD memory depletion resulting in traceback and reload |
|
|
SFDataCorrelator stops receiving events on a device channel when the other channel blocks |
|
|
FTD 7.4.1.x sends NAS-IP-Address:0.0.0.0 in Radius Request packet as network interface |
|
|
AppIdSessionData causes snort3 to crash 7.2.6 |
|
|
NAT_HARDEN: CGNAT breaks when mapped ifc is configured as any |
|
|
Enable logs to identify corrupted policy when deployment fails with "SNAPSHOT_PG_TIMESTAMP_ERROR" |
|
|
256/1550 block depletion process fover_thread |
|
|
FMC "java.lang.OutOfMemoryError: Java heap space" errors in feed_data_manager.log |
|
|
SNMP for mgmt0/diagnostic outgoing traffic is missing |
|
|
Devices not listed to add a data node when creating a cluster because of OS version mismatch |
|
|
TLS Client Hello packet is dropped by snort |
|
|
FMC Management workflow issue: Cannot remove NetworkObject from group and delete it in same ticket |
|
|
Standard Access List Objects can be written with leading whitespace |
|
|
victoria-DT CX: support of 10 port-channel intf on 1220 CX model |
|
|
Health Alerts are generating for sub interface even when main interface is excluded. |
|
|
ISE connection status health alerts on FMC with ise services down |
|
|
Dangling interfaces exists in SecurityZone/Interface group and interface |
|
|
FTD/LINA may traceback and reload when "show capture" command is executed in EEM script |
|
|
Update Fan RPM Thresholds for 42xx platforms |
|
|
High cpu on "update block depletion" with secondary effects (Bgp flaps, traffic drops) |
|
|
SGT INLINE-TAG added after upgrade to 7.4.x |
|
|
FTD lost connection with cdFMC after FTD backup Restoration |
|
|
if conn_meta null, dont send packet to snort |
|
|
FMC should not take a policy backup during patch / Hotfix installations. |
|
|
Endpoint Assessment features are not enabled when HostScan package is modified via FMC |
|
|
Trigger Alert/Warning when the associated FQDN IDs of an IP address surpasses the set limit of 8 |
|
|
WebEx traffic not getting bypassed in snort3 (allow rules) |
|
|
FMC REST API calls to get AC policy data times out, AC policy GUI slowness with larger rule query |
|
|
ASA/FTD may traceback and reload |
|
|
ASA to FTD migration via FMT causes improper configuration of interface groups in FMC backend config |
|
|
Need to Protect LINA from getting killed by OOM |
|
|
Changes made on health policy are not being saved |
|
|
Zone Based AC rule has missing interface mapping |
|
|
TLS1.3 Decryption configuration on SSL policy is affecting DND traffic. |
|
|
ASA on HA: alloc_ch() alloc from chunk mem Failed message on one context in Standby device |
|
|
CMI is disabled if pre-CMI nameif on diagnostic interface is MANAGEMENT |
|
|
FTD/FxOS - Upgrade/erase configuration result in App-instance 'Operational State: Starting' |
|
|
Potential upgrade failure in 800_post/890_install_version_masked_apps.pl |
|
|
NAT Exemptions in UI will not load when object group is added as protected network |
|
|
FTD / ASA High Memory Usage Due to HTTP-based Path Monitoring |
|
|
Standby HA FMC entering standalone mode - /var/tmp/compliance.rules which was created was invalid. |
|
|
API call for ftdallinterfaces returns an inaccurate "self" element. |
|
|
Unable to upgrade cluster with status "cluster/HA pair is not eligible' |
|
|
FMC can not connect to private AMP when proxy is enabled in management interface |
|
|
Empty network objects cause cdFMC migration to fail |
|
|
GRE traffic getting dropped after failover |
|
|
IPv6 SSL Anyconnect access blocked in HA pair |
|
|
Instrument new logs in the startup process to collect more information |
|
|
FTD LINA Traceback and Reload dhcp_daemon Thread |
|
|
Exception raised while fetching telemetry data from the FMC |
|
|
ASA might traceback and reload due to ssh/client hitting a null pointer while using SCP. |
|
|
Incorrect network module slot and status information in "show module" command output |
|
|
HA-monitored interfaces are going into "waiting" state and subsequently to "Failed" |
|
|
Terminating Active sessions from new UI Layout throws error- "Error while terminating session" |
|
|
NTP is not synchronising when using SHA-1 authentication |
|
|
Failover prompt shows state active while the firewall is in Negotiation |
|
|
FXOS upgrade failure due to insufficient free space in /mnt/pss (isan.log consumes most of space) |
|
|
DAP policies not working with attribute TRUE/FALSE |
|
|
Failures and records are not seen in "show failover statistics" after simulating failures |
|
|
Certificate validation fails with trustpool when FIPS is enabled |
|
|
FMC: API interface settings differ from GUI settings for Diagnostic Interface |
|
|
FTD running on FPR 2k with LDAP skips backslash when updating ldap.conf |
|
|
ASA: Site-to-Site VPN between contexts on the same device drops traffic due to 'ipsec-tun-down' |
|
|
vFTD upgraded to 7.7.0: Module Compilation Error Health coming |
|
|
FMC in CC-mode audit over syslog not working |
|
|
ASA/FTD may traceback and reload in Thread Name SSH |
|
|
FTDv traceback in Thread name - PTHREAD |
|
|
Policy deployment fails due to mismatch in 'ip local pool' command between fmc and lina config |
|
|
Traffic outage due to 9k block depletion (tcpmod proc) observed on FPR 3100 (HA) |
|
|
ASA/FTD: Memory Exhaustion due to Threat-Detection |
|
|
FTD does not mark stuck ongoing deployments as failed leading to subsequent deployment failures |
|
|
Empty user attributes in LDAP causes partial user/group download |
|
|
Health alert seen on FMCs : URL/LSP-via Beaker3 |
|
|
Partition "/opt/cisco/config" gets full due to btmp file not getting logrotated |
|
|
snort2 'ids_event_msg_map' clean up is not happening when import sfo fails during cdFMC migration. |
|
|
FMC: Not receiving any Email Alert after upgrade |
|
|
Policy export fails with error "Unable to process the policy information for Export" |
|
|
FTD upgrade to 7.4.2 via FDM is blocked |
|
|
VPN Client Application version and OS is not displayed for the FTD Standby peer under User Activity |
|
|
Unable to create MI FTD in TPK chassis |
|
|
Scheduled backups fail to execute on other cluster nodes when there is a change on the control node |
|
|
CSDAC connectors not coming up after FMC upgrade |
|
|
Source Port and Destination Port are swapped during the evaluation of SID |
|
|
'ENDPOINT_TIME_OUT_OF_SYNC' Error Causing SAML Auth to Not Complete |
|
|
cdFMC: tmp_cisco is consuming high boot volume space for the cdFMC tenants |
|
|
ASA/FTD may traceback and reload in Process Name "lina" after device was reloaded |
|
|
FTDv50 traceback during normal operation at PTHREAD-8141 spin_lock_fair_mode_enqueue |
|
|
S2S VPN with 3rd party broken after upgrading FPR 9.20 |
|
|
Critical fault : [FSM:FAILED]: user configuration(FSM:sam:dme:AaaUserEpUpdateUserEp) |
|
|
Partial configuration gets lost for a HA FTD pair, if FMC connectivity is lost during upgrade |
|
|
Keep a FMC backup locally until we copy the file to remote server successfully |
|
|
Search Index shouldn't be failed if any of the port object value is invalid |
|
|
Backup_info table is not being pruned, causing DB queries to slow down |
|
|
ASA/FTD may traceback and reload in Thread Name 'strlen' |
|
|
Configure External Storage fails second time with same backup profile |
|
|
Radius Authentication test fails due to missing radclient command |
|
|
Update dynamic-config-json and reloadLina on FTD when (de)activating custom detector with NSG tag. |
|
|
Device traceback and reload thrice with Panic at spin_lock_fair_mode_enqueu and nlp_init(). |
|
|
FTD: Lina might fail to respond to CONFIG_XML_REQUEST leading to stuck deployments |
|
|
FMC allows uploading a binary certificate in Identity Certificate import |
|
|
FTD: Username missing in syslog message ID 302013 after upgrade to 7.4.1 |
|
|
FMC - Predeploy validation should error and block deployment if VPN Certificate is in failed state. |
|
|
RAVPN Certificate Group Map get removed after it is modified on the FMC |
|
|
Large number of stats files can cause events to be delayed |
|
|
FTD: Process sftunnel exited unexpectedly with a core file generated |
|
|
Lina traceback and reload in data-path thread |
|
|
Excessive logging of "vpn:vpn [INFO] device" messages in /var/log/messages file |
|
|
Unstable HA causing depolyment failure |
|
|
IPv6 Neighbor Discovery failure on shared interface in multi instance setup |
|
|
FTD upgrade failure due to multiple DB folders in /ngfw/var/cisco/deploy/tmp_bundle/db/ path |
|
|
FP4245 - NPU Accelerator changed speed of 100Gb interface to 10Mb |
|
|
CLI "ssl server-max-version" Can't be deployed Via Flex Config |
|
|
ASA|FTD Traceback & reload in process name lina |
|
|
Document NAT warning "The NAT rule exceeds the threshold limit of 131,838 IP addresses.." |
|
|
Increase memory usage leading to tracebacks in Lina. |
|
|
Snort AppID incorrectly identifies SSH traffic as Unknown |
|
|
Snort3 file detection fails with asymmetric traffic in IDS passive mode |
|
|
VPN Topology status shows No Active Data in the S2S VPN Dashboard |
|
|
Disable cluster syn cookie decoding when FTD cluster is deployed with inline-set |
|
|
Continuous loading state and PolicyRPC call remains in pending |
|
|
Generated Crypto checksum changes without configuration change |
|
|
Changes in port-channel membership or member status may cause periodic OSPF/EIGRP adjacency flaps |
|
|
CGroups errors in ASA Syslog during every reboot |
|
|
ldap.conf does not get generated using hostname |
|
|
df commands are getting stuck at times due to mount storage points |
|
|
DVTI: Provide info / warning message about interface shut and no shut upon DVTI config modification |
|
|
Log spam and possible network slowness due to failed dns lookups for syslog server |
|
|
SNMP trap OID changed after upgrade |
|
|
Readiness check should be in place for larger undo/ibdata log files |
|
|
Unsupported characters in Azure Display Name causes errors in Access Control Policy |
|
|
Correlation Fails to Detect Connection Duration |
|
|
FTD CLISH/CLI gets locked up when trying to run any show command |
|
|
SIP traffic is affected due to unexpected behavior with NAT untranslations. |
|
|
Wrong drops seen with Invalid length for 23, 24 and 25 IE-Types during GTP inspection |
|
|
ASA/FTD may traceback and reload in Thread Name 'fover_parse' |
|
|
CSF 3100 series not rebooting after power outage, requiring manual power cycle |
|
|
fix to remove space characters in auth object names during FMC upgrade may cause upgrade failure |
|
|
"custom workflow" GUI show Error 500, after create an custom workflow with Chineses description |
|
|
Browser redirects to blank page when the user clicks the WebVPN bookmark |
|
|
FMC GUI has a limitation to display only 50 SSH rules for FTD (Under platform settings >> SSH) |
|
|
Connection been logged for rules with no logging enabled |
|
|
QoS policy editor on FMC GUI lacks functional pagination when QoS policy has more than 50 rules |
|
|
Prefilter policy not getting applied to child ACP when inherited from base policy |
|
|
The ASA's OSPF routing table is not properly synchronized with the neighbors |
|
|
Increase timeout for SFTunnel Connection Check requests |
|
|
Add connection status file for marking slow SFTunnel connections |
|
|
FTD logs should contain the certificate name or files which are corrupt |
|
|
FMC Health Plug-in for NTPD status analysis is not using localized data |
|
|
SAML Force re-authentication Is Not Enforcing User To re-enter Credentials Upon Retrying To Connect |
|
|
FXOS MTU Handling for Front Panel and Uplink Ports on Firepower devices require improvement |
|
|
FMC Does Not Accept Valid IP Range Format in Access List under system configuration settings |
|
|
ibdatafix script needs to address cfgdb if the FMC is running version 7.3 or higher. |
|
|
Default Group Policy is applied when receiving multiple Group Policies in SAML assertion attributes |
|
|
FTD Vault process exits every 1 minute: "Process vaultApp (23597) exited normally: 256" |
|
|
FTD - Â Multi-Instance, docker0 interface overlap with private network 172.17.0.0/16 |
|
|
Platform settings policy hidden on UI |
|
|
SAML Auth Request by FTD Will Always Be Signed By Sha1 Irrelevant Of the Algorithm Configured |
|
|
hostname/IP Address field does not accept domains ending in a number |
|
|
FMC4700 displays premature fan speed alerts |
|
|
Not able to disable PLR post enabling it without name resolution available |
|
|
FPR3100: Interface may go to half duplex speed is hardcoded to 100mbps |
|
|
FTD Secondary Unit got stuck in Bulk sync state. |
|
|
After FMC upgrade results in standby FTDv losing its performance tier for FTD HA |
|
|
Crash handler notification for snort3 failure not being sent in MI setup. |
|
|
ASA/FTD will allow local IP pool with invalid netmask |
|
|
NAT Rules Before deleted when policy is saved on FMC |
|
|
REST Calls from CDO to cdFMC are failing randomly with null/empty response |
|
|
Objects get duplicated when policy imported using 'Replace Existing' option |
|
|
TACACS+ traffic is dropped by TLS Server Identity in XTLS module |
|
|
PDTS write from Daq can fail when PDTS buffer is full and it would eventually lead block depletion |
|
|
File Download fails intermittently with malware & file policy configured |
|
|
Serviceability to capture PDTS writing/reading block to help root cause CSCwm36314 |
|
|
FTD/ASA may traceback and reload in DATAPATH thread |
|
|
Dynamic Site-to-Site tunnels stuck in IN-NEG state When IKE_AUTH Is Missed |
|
|
FTD inline-set ignore reverse flag for inject/rewrite |
|
|
cdFMC: unable to modify the VTI interfaces due to Tunnel type is missing in DB |
|
|
FTD upgrade may fail in 901_reapply_sensor_policy.pl if policy_deployment.db is corrupt/unavailable |
|
|
ID attribute of other device during copying config via REST API POST can remove original config |
|
|
FMC Deployment Failure When Modifying NAT Policy with Block Allocation and Round-Robin Enabled |
|
|
FMC: Unable to save interface config as save button is greyed out |
|
|
FXOS fault F1738 seen in deploymet with Error: CSP_OP_ERROR. CSP signature verification error |
|
|
Show mod functionality needs to be fixed after change was reverted in CSCwk63011 due to regression |
|
|
DNS settings removed in post-upgrade deployment |
|
|
ASA Traceback and Reload due to MEMORY CORRUPTION WAS DETECTED |
|
|
enhance sma 2nd cruz heartbeat logging |
|
|
ha-mode graceful-restart is missing in advanced preview |
|
|
ASA/FTD: Inbound IPsec packets are dropped when IPsec offload is enabled with VTI and sub-interface |
|
|
100GB interface flaps with Innolight QSFPs in both ends |
|
|
Deployment transcript showing "Enable management access: false" |
|
|
Not able to remove or clear Fault "The password encryption key has not been set." |
|
|
FMC Upgrade Fails at 39% 600_schema/103_csm_cfgdbmigration.sh |
|
|
ASA/FTD may traceback and reload in Thread Name "fover_parse" |
|
|
TPK Low End FPR3100:Changing interface speed from 1g to 100mbps/100mps to 1g bring downs the link |
|
|
show run access-list command returns warning |
|
|
Issues with extdb Omniquery execution |
|
|
Snort3 crash on TLS cert have same issuer and common name,but sign algo and public key are different |
|
|
FMC: Unable to select Secure Client Images in RAVPN Wizard |
|
|
snort2 instances restart unexpectedly with OOM during policy deployment |
|
|
FMC AzureAD User/Groups Download Failing: too many SQL variable |
|
|
SQLNet traffic getting dropped intermittently in Clustering data unit. |
|
|
ASA/FTD: RA VPN tunnel causing memory leak leading to traceback & Reload |
|
|
DAP Cert Serial Number check field should be freeform instead of hex format on FMC |
|
|
FTD - Missing routes on BGP advertised-routes after FTD HA failover event |
|
|
Incompatible members warning message after Po member interface flaps unable to rejoin Po |
|
|
Snort 3 rules display discrepancy in the GUI of FMC. |
|
|
Refresh of Inventory shows incorrect message "Device is not reachable" with sftuunel is UP |
|
|
FMC DHCP Relay Agents and Servers doesn't show in the UI or allow any changes |
|
|
In RAVPN policy edit action getting stuck, when editing LDAP attribute maps |
|
|
ASA traceback and reload on thread snmp_inspect |
|
|
FMC not sending/synchronizing the RADIUS config file to the FTDs |
|
|
Deployment failing with "no nameif" on the failover interface |
|
|
VDB upgrade is failing on longevity setup |
|
|
ASA traceback and reload due to stack overflow while using APCF file |
|
|
ASA traceback and reload on thread DATAPATH when processing gtpv1 end marker msg for PDP |
|
|
Global search of the objects not working due to stale domain id reference |
|
|
FTD Lina process is brought down if mysql/mariadb is restarted for any reason post FTD startup |
|
|
Snort3 blocking ESMTP traffic intermittently and trigger IPS signatures 124:3:2 and 124:1:2 |
|
|
NAT traps have to be rate-limited |
|
|
Deployment failure is not getting listed on the deployment history |
|
|
Upgrade Resume is failing when user triggered Resume after 7.7.0 Build to Build Upgrade failure |
|
|
Policy Deployment Hung at 5/8% Deployment - Collecting policies and objects |
|
|
On cdFMC FTD-HA pair standby node has stale Interface status health alert |
|
|
License showing diffrent tier in FMC UI |
|
|
Potential High CPU usage in Multi-Context Cluster setup with unconditional execution of capture code |
|
|
SFDataCorrelator cores while calling DCEControlMessageReconfigure |
|
|
External auth (Radius) User unable to login to FTD due to mismatched cases during initial login |
|
|
FMC does not clear old Intrusion Policy recommendations when they are regenerated |
|
|
Registration Cleanup Should NOT Run if the peers Directory Cannot Be Opened |
|
|
FMC Remote Storage Error: Use of uninitialized value $^WARNING_BITS in bitwise xor (^) |
|
|
deregistering FMC from smart licensing may result in double consumption of FTD Base licenses |
|
|
ASA/FTD may traceback and reload in Thread Name "IKEv2 Daemon" while joining failover |
|
|
Secondary FMC indicates the FTD is still upgrading, despite the upgrade being completed. |
|
|
Access Control Policy export fails due to dangling object on Intrusion Policy Recommendations |
|
|
ENH: FMC API: Threat Defense Upgrade Options skip automatic generating of troubleshooting files |
|
|
PBR with default next-hop not allowed without next hop |
|
|
FMC is sending a wrong value for engineID in SNMPv3 traps |
|
|
4200/3100/1200 hardware allow to change AppAgent timer |
|
|
'no capture /all' failed to disable capture completely in the backend, causing high datapath CPU |
|
|
Deployment failed with the reason "Error-no dhcpd enable inside" |
|
|
GTP inspection drops packet with error Reason:(IE-Type:CAUSE(2) IE is missing) |
|
|
GTP inspection drops packet with error ERROR-DROP:MsgType:32 |
|
|
FTD HA Standby Reloads Repeatedly After Upgrade to 7.4.2.1 |
|
|
FQDNs are unresolved via DNS on data interface after reboot or traceback |
|
|
LINA core observed pointing to "IP RIB Update" thread |
|
|
FMCv is incompatible with certain KVM hypervisor software versions |
|
|
Identity Mapping Filter shows blank, even though there is a selected network object. |
|
|
Secure Client Connection Profile Address Pool not Shown |
|
|
ADI crashes on FTD due to both FMC ADIs going unmuted |
|
|
Copy/Paste for a rule on any UI page other than page 1 results in policy UI loading back to page 1. |
|
|
FTD device stuck in rommon mode after pressing reset button |
|
|
Cluster assigning wrong nat for unit, traffic not being forwarded properly back to unit |
|
|
ASA/FTD traceback and reload with high rate of SIP connections |
|
|
TCP Conn not being flagged as Half-Closed after receiving the ACK for the FIN. |
|
|
cdFMC,SFOExport files are not cleared in tmp folder leading to high disk utilisation. |
|
|
GTP inspection not allowing GTP data packets if session create response has cause type 18 |
|
|
When capture enabled on cluster interface, it always includes CCL IP along with the configured rule |
|
|
Unity style enrollment after registering to the AMPkit portal |
|
|
ASAv traceback seen when doing testing for Anyconnect |
|
|
ASA/FTD may traceback and reload in Thread Name 'SSH Ctxt Thread' |
|
|
FTD HA active node interfaces went down after failed policy deploy |
|
|
vertical scroll bar missing in Available Rules modal in correlation policy editor in most UI themes |
|
|
cdFMC 7.6 not pruning SRU packages, causing device to reach maximum storage space |
|
|
FlexConfig objects Policy_Based_Routing and Policy_Based_Routing_Clear cause deployment failure |
|
|
ADI on FTD does not stop after a crash |
|
|
FTD deployment fails with error "Snort command failed due to bad config" |
|
|
Unable to Delete Radius Authenticated User from FDM UI |
|
|
ASA upgrade failing from 9.20.2.21 to the target version 9.20.3.4 |
|
|
Intrusion rule recommendations fail to apply when "Generate" option is used and then applied later |
|
|
Bind ESP to VTI Tunnel Source Interface To Avoid Additional Route-Lookup Post Encryption |
|
|
FTD cluster to traceback and reload after extended PAT is enabled |
|
|
Validation errors after updating Hub and Spoke topology. |
|
|
ASA/FTD may traceback and reload in Thread Name 'ldap_client_thread' |
|
|
FMC: Enable validation of "Comment" Field under Automating Policy Deployment Tasks |
|
|
FTD reload with traceback on swapcontext function |
|
|
FMC RAVPN Active Session termination throws error- "Error while terminating session" |
|
|
Syslog servers below in FTD logging send hostname info as per emblem config for first syslog server |
|
|
ASA/FTD may traceback and reload in Thread Name 'cli_xml_request_process'. |
|
|
cdFMC- Post device migration deployment validation indicates security zones are missing interfaces |
|
|
Memory fragmentation resulted in huge pages unavailable for lina |
|
|
Unable to add Data nodes to Existing Cluster setup during cluster app-sync phase |
|
|
Critical health alert, module SMART_LICENSE Smart Licensing Agent is not running |
|
|
Admin users are prompted to change local password when authenticating to external server |
|
|
HA would bring data interfaces up while moving from cold standby to failed state |
|
|
Large number of stale revisions in CloudConfig affects FMC performance. |
|
|
ASA may traceback and reload in Thread Name 'ssh' |
|
|
Discrepancy in VPN bytes with RA VPN user activity report |
|
|
FDM is not pushing the trusted CA certificate to the FTD if validation usage not chosen |
|
|
FTD: Management0/0 status went down, line protocol is up after upgrade |
|
|
GTPv2 IE-type 157 (Signaling Priority Indication) is dropped with reason as unknown IE type |
|
|
FMC does not delete intrusion rules from database when they are removed from LSP |
|
|
Can't delete IPS policy when Workflow Mode is enabled |
|
|
Configure Multi-Instance in Secure Firewall 3100 Series using patched versions of code |
|
|
FTD: Snort AppID Misclassifies NetBIOS-ssn Traffic as Unknown |
|
|
ASA booting process may freeze when including 'no pim' or 'no igmp' config |
|
|
Secure Client External Browser package Image shown 2 same packages |
|
|
FTD/ASA May Traceback and Reload - During Deployment / Radius changes - Due to Radius Packets |
|
|
Jumbo frame packets are being fragmented |
|
|
Generic error thrown when a user tries to access Packet-Capture page |
|
|
Extended PAT configuration can be enabled on clustered devices when FMC UI states it will be ignored |
|
|
Radius user ssh login fails with error: username is not defined with a service type that is valid |
|
|
Newline character in interface description results in deployment failure |
|
|
Snort3 crash in js norm with out-of-range exception during unescaping |
|
|
Traceback and reload due to webvpn dtls flow offload enabled |
|
|
MI: Instances going in split brain when assigned RP with CPU cores between 14-70 on FPR42xx |
|
|
FTD may traceback and reload in Thread Name "FPRLI_FPR4K-SM-32" |
|
|
FMC Management workflow issue: Cannot remove NetworkObject from group and delete it in same ticket |
|
|
Traceback and reload in Thread Name Datapath |
|
|
correlation rules with access control rule name condition will not properly save on standby FMC |
|
|
Monitored interfaces may go in waiting state after upgrade to 9.20.3.7 |
|
|
Firewall not initiating TCP request even after receiving the TC bit set in DNS response |
|
|
Multiple Unicorn Admin Handler processes consume all the control plane CPU. |
|
|
SMB remote backup failure due to realm sync |
|
|
nat divert for 8305 on standby not updating post failover causing the Primary, standby FTD to show offline on FMC |
|
|
LSP deployment fails in MI environments following a patch or hotfix installation failure. |
|
|
Raw coredump file not getting deleted on vFTD even after compressed core generation |
|
|
Intenal error seen when trying to include domains in dynamic split tunneling of custom attribute |
|
|
SNMP walk results in ASCII value for IPSEC Peer instead of an IP address. |
|
|
FTD Deployment Resilience: Skip non-critical / non-existing commands to avoid deployment failures. |
|
|
FMC to warn users when deploying other configs alongside FlexConfig. |
|
|
HA should prevent honouring failover requests while copy/config-sync/rollback is in progress |
|
|
Fatal error while upgrading at 000_start/120_check_legacy_private_cloud_for_ampkit.pl. |
|
|
MI: Traffic fails to reach the Secondary FTD when enabled with data-sharing interface |
|
|
MI: Vlan info is not applied at FXOS level when Virtual MAC is configured |
|
|
Implementing forwarder flow on non-owner units handling distributed secondary flow connections |
|
|
recurring GeoDB updates may fail to install when scheduled at the same time of day as rule updates |
|
|
FXOS - Download command generates an extra "/" over HTTP and HTTPS GET requests |
|
|
Coverity System SA warnings 2024-09-09, Coverity Defects 922530 922529 922528 922630 921809 921808 |
|
|
FMC can generate health alerts when ntp temporary switches to HW local clock from external server |
|
|
S2S VPN tunnel Child SA unsuccessful renegotiation |
|
|
FMC UI becomes unresponsive when converting and downloading Snort 2 rules |
|
|
LINA may observe random traceback with Netflow configured |
|
|
Multi-Instance in Secure Firewall not updating sftunnel certificates |
|
|
Critical health alerts 'user configuration(FSM.sam.dme.AaaUserEpUpdateUserEp)' on FPR 1100/2100/3100 |
|
|
Frequent traceback after upgrading FTD HA |
|
|
Tracebacks observed in a cluster member running ASA 9.20.3.4 |
|
|
JBDC client throwing error on certain queries after upgrade |
|
|
Modify memory allocation for policy deployment subgroup |
|
|
Application Name Change in VDB Not Reflected During Event Processing |
|
|
Snort3: TCP Midstream Traffic on ACK Normalized by snort and blocked by the Stream Preprocessor |
|
|
Deploy Preview comparison PDF report not getting generated |
|
|
FMC : OSPF setting screen cannot be opened in FMC English UI |
|
|
Deploy preview fails if device is moved from one domain to another domain |
|
|
Health Monitoring UI high-availability widget shows incorrect device information for primary device |
|
|
FTD registration to FMC gets hung when RabbitMQ is down. |
|
|
EventHandler not restarted after running system support reset-event-bookmarks on FTD 7.2 and above |
|
|
Snort3 traceback and reload due to memory corruption caused by a double free operation |
|
|
Traceback in thread name Lina on configuring arp permit-nonconnected with BVI |
|
|
ASA: floating-conn not closing UDP conns if conn was created without ARP entry for next hop |
|
|
show blocks old core local can lead to crash. |
|
|
Asia/Bangkok timezone option not listed in ASA running on firepower1k |
|
|
False alerts of FMC HA in degraded sync state |
|
|
FMC backup failed while cfgdb dump after upgrading FMC to 7.4.2.1 |
|
|
Banner motd does not display when configured |
|
|
After upgrading FMC, deployment fails because of high SI Objects |
|
|
SSH works in admin context but doesn't work in any user context after changing ssh key-exchange |
|
|
RAVPN Active session UI on Security Cloud control not showing all active sessions. |
|
|
Unreachable LDAP/AD referrals may cause delays or timeouts in external authentication on FTD |
|
|
Need the SVC Rx/Tx queue as a configurable option |
|
|
ISA3000 with ASA Refuses SSH Access If CiscoSSH is Enabled |
|
|
FMC User permissions allows user to Suspend HA even when "Modify Devices" is not selected |
|
|
Traceback and Reload caused by Memory corruption with SNMP inspection enabled |
|
|
Very High threat confidence is displayed for the threat score 98 |
|
|
extdb query error when ordering by count(*) |
|
|
High ASA/FTD memory usage due to polling of RA VPN related SNMP OIDs |
|
|
User gets Global Dashboard with unauthorized error when authorized only for a subdomain |
|
|
FMC managing various lower version vFTDs throws Event Handler errors |
|
|
Occasionally, 'show chunkstat top-usage' output does not show all entries |
|
|
ASA/FTD may traceback and reload in Thread Name "DATAPATH" |
|
|
Generate syslog if received CRL is older than cached CRL |
|
|
Generate syslog if received CRL signature validation fails |
|
|
Unknown disposition files take a long time receive status and threat score. |
|
|
ASA: Traceback and Reload Under Thread Name SSH |
|
|
FTD data unit in cluster experienced traceback and rebooted |
|
|
Debuggability: FP2100 port-channel interfaces flap after upgrade |
|
|
Snort3 trimming packets with invalid sequence number due to bad window size information received |
|
|
VNI source MTU is not IPv6 aware after upgrade if configured prior to upgrade |
|
|
ASA traceback and reload on DATAPATH thread due to memory corruption |
|
|
ASAv reloaded unexpectedly with traceback on Unicorn Proxy Thread |
|
|
Command authorization fallback to Local only works for priv 15 users. |
|
|
Active HA unit goes into failed state before peer unit gets into a ready state during snort failure |
|
|
SSL trustpoint with 4096 bit RSA keys not allowed by ASA if renewed via CLI |
|
|
Traceback and reload during the deployment after disabling FQDNs. |
|
|
Enabling debugs with EEM fails |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina_exec_startup_thread' |
|
|
Port scan alerts not getting generated for custom configuration |
|
|
debug packet-condition does not work as expected |
|
|
Default Route Changes from Management0 to Management1 After Reload or Upgrade on FPR 4200 Series |
|
|
AC policy with Network Group Override object causes deployment failure/rules missing |
|
|
Enhance Debugging for add/update/withdraw of routes with neighbors |
|
|
Serviceability Enhancement - New 'show bgp internal' command for advanced debugging |
|
|
Traceback & Reload in thread named: DATAPATH-1-23988 during low memory condition |
|
|
Memory leak leading to split brain |
|
|
Port-channel member interface flap renders it as an inactive member |
|
|
ASA may traceback and reload in Thread Name 'fover_parse' |
|
|
Logging recipient-address not overriding the logging mail message severity levels |
|
|
DNS and default gateway are removed on FTD managed through data interface |
|
|
Traffic failure due to 9344 blocks leak |
|
|
FTD: Large Delay in packets being inspected by snort |
|
|
Unable to validate change ticket: |
|
|
snmp_logging_thread is utilizing high CPU in control plane |
|
|
FMC SSL Policy Advanced Settings Changes by 'Admin' Users Not Visible to 'Read-only' Users |
|
|
FPR1010 Ethernet1/1 trunk port is not passing vlan traffic after reload |
|
|
BFD flap due to ASA not processing incoming BFD packets after unrelated BFD peers go down |
|
|
SNMP polling to chassis is unsuccessful with FTD Multi-instance in HA used as SNMP agent |
|
|
TPK: Marvell 4.3.14 CPSS patch for the interface mac stuck issue seen with peer switch reloads |
|
|
Portscan event in FMC displays incorrect source/destination when set to 'low' setting |
|
|
BFD packets are not dropped for single-hop BFD sessions received via alternate path |
|
|
Local user details not replicated to data nodes in a cluster setup. |
|
|
backout change preventing enabling clustering in FIPS mode |
|
|
LINA stays inactive without reloading after traceback if crash occurs on non-CP thread |
For Assistance
Upgrade Guides
In Firewall Management Center deployments, the Firewall Management Center must run the same or newer maintenance (third-digit) release as its managed devices. Upgrade the Firewall Management Center first, then devices. Use the upgrade guide for the version you are currently running—not your target version.
|
Platform |
Upgrade Guide |
Link |
|---|---|---|
|
Firewall Management Center |
Firewall Management Center version you are currently running. |
https://cisco.com/go/fmc-upgrade |
|
Firewall Threat Defense with Firewall Management Center |
Firewall Management Center version you are currently running. |
https://cisco.com/go/ftd-fmc-upgrade |
|
Firewall Threat Defense with device manager |
Firewall Threat Defense version you are currently running. |
https://cisco.com/go/ftd-fdm-upgrade |
|
Firewall Threat Defense with Cloud-Delivered Firewall Management Center |
Cloud-Delivered Firewall Management Center. |
Install Guides
If you cannot or do not want to upgrade, you can freshly install major and maintenance releases. This is also called reimaging. You cannot reimage to a patch. Install the appropriate major or maintenance release, then apply the patch. If you are reimaging to an earlier Firewall Threat Defense version on an FXOS device, perform a full reimage—even for devices where the operating system and software are bundled.
|
Platform |
Install Guide |
Link |
|---|---|---|
|
Firewall Management Center hardware |
Getting started guide for your Firewall Management Center hardware model. |
|
|
Firewall Management Center Virtual |
Getting started guide for the Firewall Management Center Virtual. |
|
|
Firewall Threat Defense hardware |
Getting started or reimage guide for your device model. |
|
|
Firewall Threat Defense Virtual |
Getting started guide for your Firewall Threat Defense Virtual version. |
|
|
FXOS for the Firepower 4100/9300 |
Configuration guide for your FXOS version, in the Image Management chapter. |
|
|
FXOS for the Firepower 1000 and Secure Firewall 3100/4200 |
Troubleshooting guide, in the Reimage Procedures chapter. |
More Online Resources
Cisco provides the following online resources to download documentation, software, and tools; to query bugs; and to open service requests. Use these resources to install and configure Cisco software and to troubleshoot and resolve technical issues.
-
Documentation: https://cisco.com/go/threatdefense-77-docs
-
Cisco Support & Download site: https://cisco.com/c/en/us/support/index.html
-
Cisco Bug Search Tool: https://tools.cisco.com/bugsearch/
-
Cisco Notification Service: https://cisco.com/cisco/support/notifications.html
Access to most tools on the Cisco Support & Download site requires a Cisco.com user ID and password.
Contact Cisco
If you cannot resolve an issue using the online resources listed above, contact Cisco TAC:
-
Email Cisco TAC: tac@cisco.com
-
Call Cisco TAC (North America): 1.408.526.7209 or 1.800.553.2447
-
Call Cisco TAC (worldwide): Cisco Worldwide Support Contacts
Feedback