This document contains release information for Cisco Firepower eXtensible Operating System (FXOS) 2.12.0.
Use these Release Notes as a supplement with the other documents listed in the documentation roadmap:
Note |
The online versions of the user documentation are occasionally updated after the initial release. As a result, the information contained in the documentation on Cisco.com supersedes any information contained in the context-sensitive help included with the product. |
Introduction
The Cisco security appliance is a next-generation platform for network and content security solutions. The security appliance is part of the Cisco Application Centric Infrastructure (ACI) Security Solution and provides an agile, open, secure platform that is built for scalability, consistent control, and simplified management.
The security appliance provides the following features:
- Modular chassis-based security system—Provides high performance, flexible input/output configurations, and scalability.
- Chassis Manager—Graphical user interface provides a streamlined, visual representation of the current chassis status and allows for simplified configuration of chassis features.
- FXOS CLI—Provides command-based interface for configuring features, monitoring chassis status, and accessing advanced troubleshooting features.
- FXOS REST API—Allows users to programmatically configure and manage their chassis.
What's New
New Features in FXOS 2.12.1.84
Fixes for various problems (see Resolved bugs in FXOS 2.12.1.84).
New Features in FXOS 2.12.1.72
Fixes for various problems (see Resolved bugs in FXOS 2.12.1.72).
New Features in FXOS 2.12.1.48
Fixes for various problems (see Resolved bugs in FXOS 2.12.1.48).
New Features in FXOS 2.12.1.29
Fixes for various problems (see Resolved bugs in FXOS 2.12.1.29).
New Features in FXOS 2.12.0.498
Fixes for various problems (see Resolved bugs in FXOS 2.12.0.498).
New Features in FXOS 2.12.0.467
Fixes for various problems (see Resolved Bugs in FXOS 2.12.0.467).
New Features in FXOS 2.12.0.450
Fixes for various problems (see Resolved Bugs in FXOS 2.12.0.450).
New Features in FXOS 2.12.0.432
Fixes for various problems (see Resolved Bugs in FXOS 2.12.0.432).
New Features in FXOS 2.12.0.31
Fixes for various problems (see Resolved Bugs in FXOS 2.8.0.31).
Cisco FXOS 2.12.0 introduces the following new features:
Feature | Description |
---|---|
QOS CLIs | You can now use the Show interface ethernet <slot> <port> match statistics CLI to track the intermediate drops happening on the TCAM. You can now police the traffic queues using the Show interface ethernet <slot> <port> policer statistics police CLI to prevent the exorbitant traffic rates going through strict priority queues. You can now control the traffic rates using the show queuing interface ethernet <slot> <port> CLI during congestion to prevent loss of data packets. |
Switch packet path | You can now debug switch packet path issues for the Secure Firewall 3100 devices. |
ASA and FTD SNMP Unification | You can now configure the Admin Instance drop-down menu for SNMP unification of ASA and FTD devices. |
Software Download
You can download software images for FXOS and supported applications from one of the following URLs:
- Firepower 9300 — https://software.cisco.com/download/type.html?mdfid=286287252
- Firepower 4100 — https://software.cisco.com/download/navigator.html?mdfid=286305164
For information about the applications that are supported on a specific version of FXOS, see the Cisco FXOS Compatibility guide at this URL:
https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/compatibility/fxos-compatibility.html
Important Notes
- In FXOS 2.4(1) or later, if you are using an IPSec secure channel in FIPS mode, the IPSec peer entity must support RFC 7427.
- When you configure Radware DefensePro (vDP) in a service chain on a currently running threat defense application on a Firepower 4110 or 4120 device, the installation fails with a fault alarm. As a workaround, stop the threat defense application instance before installing the Radware DefensePro application.
  Note: This issue and workaround apply to all supported releases of Radware DefensePro service chaining with threat defense on Firepower 4110 and 4120 devices.
- Firmware Upgrade—We recommend upgrading your Firepower 4100/9300 security appliance with the latest firmware. For information about how to install a firmware update and the fixes included in each update, see https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/firmware-upgrade/fxos-firmware-upgrade.html.
- When you upgrade a network or security module, certain faults are generated and then cleared automatically. These include a “hot swap not supported” fault or a “module removed when in online state” fault. If you have followed the appropriate procedures, as described in the Cisco Firepower 9300 Hardware Installation Guide or Cisco Firepower 4100 Series Hardware Installation Guide, the fault(s) are cleared automatically and no additional action is required.
System Requirements
- You can access the chassis manager using the following browsers:
  - Mozilla Firefox—Version 42 and later
  - Google Chrome—Version 47 and later
  - Microsoft Internet Explorer—Version 11 and later

  We tested FXOS 2.12.0 using Mozilla Firefox version 42, Google Chrome version 47, and Internet Explorer version 11. Other versions of these browsers are expected to work. However, if you experience any browser-related issues, we suggest you use one of the tested versions.
Upgrade Instructions
You can upgrade your Firepower 9300 or Firepower 4100 series security appliance directly to FXOS 2.12.0 if it is currently running FXOS version 2.2(2) or later. Before you upgrade your Firepower 9300 or Firepower 4100 series security appliance to FXOS 2.12.0, first upgrade to FXOS 2.2(2), or verify that you are currently running FXOS 2.2(2).
For upgrade instructions, see the Cisco Firepower 4100/9300 Upgrade Guide.
Installation Notes
- An upgrade to FXOS 2.12.0 can take up to 45 minutes. Plan your upgrade activity accordingly.
- If you are upgrading a Firepower 9300 or Firepower 4100 series security appliance that is running a standalone logical device or if you are upgrading a Firepower 9300 security appliance that is running an intra-chassis cluster, traffic does not traverse through the device while it is upgrading.
- If you are upgrading a Firepower 9300 or a Firepower 4100 series security appliance that is part of an inter-chassis cluster, traffic does not traverse through the device being upgraded while it is upgrading. However, the other devices in the cluster continue to pass traffic.
- Downgrade of FXOS images is not officially supported. The only Cisco-supported method of downgrading an image version of FXOS is to perform a complete re-image of the device.
Resolved and Open Bugs
The resolved and open bugs for this release are accessible through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products.
Note |
You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you do not have one, you can register on Cisco.com. |
For more information about the Cisco Bug Search Tool, see the Bug Search Tool Help & FAQ.
Open Bugs in FXOS 2.12.0.31
The following table lists the open bugs in FXOS 2.12.0.31:
Caveat ID Number | Description |
---|---|
| | BC01_IBMC01_showTechSupport_log core generated while collecting techsupport logs |
Resolved bugs in FXOS 2.12.0.31
The following table lists the previously release-noted and customer-found bugs that were resolved in FXOS 2.12.0.31:
Caveat ID Number | Description |
---|---|
| | ENH: FPR 4100/9300 bcm_usd process logs to support possible RCA |
| | Upgrade to 2.10.1.166 causes degraded SM - Unrecognized Firmware format |
| | Multi-instance internal portchannel VLANs may be misprogrammed causing traffic loss |
| | FXOS Operational State:Thermal-problem intermittently |
| | ENH: Prevent CCL IP addressing on the 169.254.x.x subnet on cluster creation |
| | Need show command to see the details of transceiver of FXOS mgmt port via CLI |
| | App-instance startup version is ignored and set to running-version after copy config |
| | Uploading firmware triggers data port-channel to flap |
| | Portmanager/LACP improvement to capture logging events on external event restarts |
| | Cisco FXOS and NX-OS Software Cisco Discovery Protocol Service Denial of Service |
| | FPR 4100 saw an unexpected reload with reason "Reset triggered due to HA policy of Reset" |
| | Serviceability Request - Add error message that FXOS firmware is not fully activated |
| | FXOS process core pruned/deleted from system files (no validation) |
| | FXOS System temporary directory usage is unexpectedly high |
| | FXOS may display fault F1256 about missing local disk 0 |
| | SSH access with public key authentication requires user password |
| | Chassis SSD firmware upgrade may be prevented improperly |
| | Disk utilization increasing /var/tmp in FPR4150-ASA chassis |
| | Need show command to see the details of FPGA version on Firepower devices |
| | FXOS traceback and reload due Service "ascii-cfg" sent SIGABRT for not setting heartbeat. |
| | FXOS is not rotating log files for partition opt_cisco_platform_logs |
| | CIAM: Apache-http-server CVE-2021-44790 and CVE-2021-44224 |
| | FXOS \| high Align-Err counter on port-channel48 |
| | FXOS A crafted request uri-path can cause mod_proxy to forward the request to an origin server... |
| | ENH: FP 4100/9300 - FTD and FXOS SNMP unification |
| | Fault F0736 should not be generated due to unreacheable default gateway |
| | ENH: Include dmesg -T command output in FXOS show-tech files |
| | RM 1120 Port state going down, speed is 100/10 and duplex full/Half, speed and duplexmismatchpresent |
| | nvram logs consistently written every 2 seconds causing high disk utilization |
Resolved bugs in FXOS 2.12.0.432
The following table lists the previously release-noted and customer-found bugs that were resolved in FXOS 2.12.0.432:
Caveat ID Number | Description |
---|---|
| | Shutdown command reboots instead of shutting the FP1k device down. |
| | ASA snmpd Traceback & cores on an active unit |
| | Data interfaces are not coming up on KP device after deploying 9.18.0.114 image |
| | Kilburn Park freezes / crashes on netboot system load |
| | Unable to login on FTD using external authentication after upgrade from 7.0.1--->7.2.-1947 |
| | MIO: No blade reboot during CATERR if fault severity is non-Severe or CATERR sensor is different |
| | sfp-detect not working correctly on fixed and epm ports |
| | Root shell injection in security module "support fileview" command |
| | Upgrade fail & App Instance fail to start with err "CSP_OP_ERROR. CSP signature verification error." |
| | FDM 1010 device management interface not reflecting the correct status |
| | ASAconsole.log files fail to rotate |
| | Chassis and application sets the time to Jan 1, 2010 after reboot |
| | TPK netmod OIR fills log with error messages until complete |
| | Update CiscoSSL to 1.1.1o.7.3sp.143 |
| | FTDv on Azure - Traceback on Thread PTHREAD |
| | Update certificate bundle for 7.2 release |
| | WR8, LTS18 and LTS21 commit id update in CCM layer (seq 26) |
| | ASAv SSH session getting terminated with ospf network command using Azure / Azure Stack hub |
| | FXOS: Support a single PID type for FPR3100 platforms |
| | ENH: Fail-to-Wire feature switching standby/bypass from CLI |
| | WM11xx: Getting "ERROR: waiting for fxos_log_shutdown" during shutdown. |
| | 3140 - Platform fault - Code: F1374 - Severity: Critical |
| | FPR3100: 25G optic may show link up on some 1/10G capable only fiber ports |
| | FXOS: Third-party interop between Ciena Waveserver with firepower chassis. |
| | Portmanager/LACP improvement to capture logging events on external event restarts |
| | FXOS misses logs to diagnose root cause of module show-tech file generation failure |
| | FIPS self-tests must be run when CC mode is enabled - files are missing |
| | FXOS is not rotating log files for partition opt_cisco_platform_logs |
| | FPR1010 - No ARP on switchport VLAN interface after portmanager DIED event |
| | The smConLogger traceback is caused by memory leak. |
| | Update the entity mib with new EPM details for WA-B/TPK |
| | Warn when TPK borough/temple fpga versions are below minimum |
| | FPR3100: 8x1G copper netmod may incorrectly report obsolete firmware on boot |
| | FXOS should check reference clock stratum instead of NTP server's local clock stratum |
| | ENH: FCM should include option for modifying the interface 'link debounce time' |
| | REST API Support for debounce time configuration |
| | TPK Ctrl-FPGA version check broken |
Resolved bugs in FXOS 2.12.0.450
The following table lists the previously release-noted and customer-found bugs that were resolved in FXOS 2.12.0.450:
Caveat ID Number | Description |
---|---|
| | CIAM: expat - CVE-2022-25235 and others |
| | Evaluation of ssp for Dirty Pipe vulnerability |
| | CIAM: python CVE-2015-20107 |
| | TPK 3140 Maryland: %ERROR% - Switch device not found! during reboot |
| | CIAM: zlib - CVE-2018-25032 |
| | CIAM: glibc 2.33 CVE-2022-23219 and others |
| | CIAM: libxml - CVE-2022-23308 |
| | CIAM: apache-http-server - CVE-2022-31813 and Others |
| | CIAM: curl - CVE-2022-22576 and others |
| | 25G-SR should default to RS-FEC (IEEE CL108) instead of FC-FEC |
| | WR6, WR8 commit id update in CCM layer(Seq 30) |
| | Firepower 9300 chassis troubleshoot file caused outage |
| | WR6, WR8, LTS18 and LTS21 commit id update in CCM layer (Seq 32) |
| | WR6, WR8, LTS18 and LTS21 commit id update in CCM layer (Seq 33) |
| | WR8, LTS18 and LTS21 commit id update in CCM layer (Seq 34) |
| | WR6, WR8, LTS18 and LTS21 commit id update in CCM layer (Seq 35) |
| | In TPK 3110, baseline boot from rommon failed as "unable to unlock or revert SED" |
| | WR6, WR8, LTS18 and LTS21 commit id update in CCM layer (Seq 36) |
| | CIAM: strongswan - CVE-2021-45079 |
| | Upgrade to CiscoSSL FOM 7.3sp and CiscoSSL 1.1.1o.7.3sp.143-fips in SSP MIO |
| | Lina traceback and core file size is beyond 40G and compression fails on FTD |
| | Azure ASA NIC MAC address for Gigeth 0/1 and 0/2 become out of order when adding interfaces |
| | FMC - Editing member interfaces on port-channel is stuck on "Updating interface" window |
| | FXOS does not send any syslog messages when the duplex changes to "Half Duplex" |
| | FCM smart license error when smart licensing reports synced |
| | FP2100/FP1000: Built-in RJ45 ports randomly not coming up after portmanager restart events |
| | KP FDM-HA is in suspended state with no failover after reverting from 7.3 to 7.1 |
| | Registering the device for Telemetry is failing in DEV images due to missing security certificates |
| | TPK: DME error for invalid card id with SwitchCardPowerCtrlModule |
| | vFMC WebUI inaccessible after CC mode was enabled in 7.3.0-1553: ERR_CONNECTION_REFUSED |
| | Getting portmanager Died Error after installing 7.3.x build on wm1010 |
| | Unable to configure domain\username under cfg-export-policy in FXOS |
| | FMC allows shell access for user name with "." but external authentication will fail |
| | Fail-To-Wire interfaces flaps intermittently due to watchdog timeout in KP platform |
| | FTW: port pairs unexpectedly going to bypass due to failure |
| | WA: portmanager sfp OIR routine uses insufficient table for module debounce |
| | Update msmtp driver to fix FMC SMTP email send failures |
| | FXOS changes for CSCvy86319 - Data are not getting destroy after formatting disk0 on ISA3K |
| | FTD upgrade fails - not enough disk space from old FXOS bundles in distributables partition |
| | /var/tmp partition fullness warning on FXOS |
| | FXOS:after fxos config import new port-channel creation causing existing port-channel flap |
| | 3140 - Platform fault - Code: F1374 - Severity: Critical |
| | TPK: SFP insertion events are missed for base fiber ports including mgmt port. |
| | The interface's LED remains green blinking when the optical fiber is unplugged on FPR1150 |
| | KP - Add DMA memory segments to corefile generated by livecore |
| | SNMP: FMC doesn't reply to OID 1.3.6.1.2.1.25.3.3.1.2 |
| | [IMS_7_3_0] core.portmgr_ipc found on WM1010 during redeploy all policies |
| | FXOS partition opt_cisco_platform_logs on FP1K/FPR2K may go Full due to ucssh_*.log |
| | FXOS is not rotating log messages files for partition opt_cisco_platform_logs |
| | [FTDv/Kenton/ISA3k - FXOS] Add sshd monitor capability to restart sshd in case it fails. |
| | TPK svc_sam_statsAG memory leak |
| | RMU read stale entries on the int ctrl link between x86 Denverton CPU and Marvel 88E6390X switch |
| | Telemetry stays in enabled state even after SL is deregistered from CLI |
| | Autopsy Uncore utility support for Vermont branch |
| | WM 1150: Upgrade to asa image "99.16.4.24-198" fails on Wm1150 platform |
| | FXOS upgrade to 2.11 is stuck |
| | MIO is not able to register. appAG process issue |
| | link state propagation stops working when performing full chassis reboot |
| | ENH - Setting the zmqio sched policy and priority for MIO heartbeat channel |
| | FXOS: FPR-X-NM-8X10G ports 7 and 8 are unconfigurable. |
Resolved bugs in FXOS 2.12.0.467
The following table lists the previously release-noted and customer-found bugs that were resolved in FXOS 2.12.0.467:
Caveat ID Number | Description |
---|---|
| | In addition to the c_rehash shell command injection identified in CVE-2022-1292 |
| | FPR4100/9300 Blade discovery may hang due to internal communication failure with blade adapter |
| | FMC allowing explicit format version of EC parameters with syslog over TLS in CC mode |
| | LTS18 and LTS21 commit id update in CCM layer (seq 39) |
| | Remote user login via SSH access with password authentication method fails after FXOS upgrade |
| | FXOS not responding to SSH connection |
| | for system processes limit the CPUs used to the number of system CPUs |
| | No input validation for logical device DNS servers in bootstrap configuration on chassis manager |
| | Adding forceReboot option for bundle install REST API |
| | FXOS SWIMS Engine update to version 3.0.4 |
| | Livecore does not return proper error code when there is no space |
| | Potential memory leak in svc_sam_envAG process |
| | SNM trace logs have incorrect timestamps |
| | WR6, WR8, LTS18 and LTS21 commit id update in CCM layer (Seq 40) |
| | WR6, WR8, LTS18 and LTS21 commit id update in CCM layer (Seq 41) |
| | R2130 use the Wind River CIS_LTS21_R2130 OS branch for the 7.3.0 Beta2 release. |
Resolved bugs in FXOS 2.12.0.498
The following table lists the previously release-noted and customer-found bugs that were resolved in FXOS 2.12.0.498:
Caveat ID Number | Description |
---|---|
| | ASA goes to failsafe mode after FXOS upgrade |
| | Duplicate log entry for /mnt/disk0/log/asa_snmp.log |
| | QP MI FTD HA pair goes to disabled state |
| | Add abort in switch_driver to crash portmanager in case udbs are corrupted |
| | Inline-pair's state could not able to auto recover from hardware-bypass to standby mode. |
| | ASA MIO-blade heartbeat failure due to kernel crash, leads to MEZZ core |
| | FXOS: FP2100 FTW timeout triggered by high CPU usage during FTD Access Control Policy deploy. |
| | 30+ seconds data loss when unit re-join cluster |
| | WR6, WR8, LTS18 and LTS21 commit id update in CCM layer (seq 42) |
| | The Standby device going in failed state due to snort heartbeat failure |
| | 41xx: Blade does not capture or log a reboot signal |
| | Bad code change to portmgr_ipc.c |
| | The standby device going in failed state due to snort heartbeat failure( Precommit Build Failure) |
| | 7.4.0-1603 WA/TPK-HA Traffic doesn't work for non static mac address interface |
| | Multiple instances of nvram.out log rotated files under /opt/cisco/platform/logs/ |
| | 8x10Gb netmod fails to come online |
| | FTD upgrade failure at "999_finish/999_zz_install_bundle.sh" due to bad key cert |
| | ssp abort/reload: terminate called after throwing an instance of 'Stb::bad_alloc' from overload.cpp |
| | Port-channel down with Suspended status on member-ports |
| | FXOS: Fault "The password encryption key has not been set." displayed on FPR1000 and FPR2100 devices |
| | Missing warning message when upgrading FXOS |
| | SA for msglyr and switch/src/HAL_Layer code |
| | system_pid_specific_misc_defs.json has incorrect system cores for TPK |
| | Modify tech-support to capture additional debug info (show portmanager switch vlans) |
| | [IMS_7_3_0]REST_API:Network::getMTU [ERROR] when setting network information during firstboot |
| | Null pointer check missing in sfp display routine |
| | OIR errors in portmgr.out |
| | Ping to ipv6 gw with system fails, works without it |
| | WA-B: ASA show env command displays PSU information incorrectly |
| | Analyze why there is no logrotate for /opt/cisco/config/var/log/ASAconsole.log |
| | FPR3100: 4x40 network module LEDs do not blink with traffic |
| | KP- FTP under local-mgmt not working |
| | LLDP:Neighbors not getting discovered on the first breakout port without deleting the lldp config |
| | LLDP::Removing a member port from the port channel completely removes the lldp neighbors |
| | Upgrade request errors flood portmgr.out after netmod removal |
| | FAN LED flashing amber on FPR2100 |
| | npu accel - nam_client ipc_recv_timeouts - effects FXOS npu-accel local-mgmt, lina stats calls |
| | FPR-X-NM-6X1SX-F not recognized on FP3100 or FP4200 |
| | Audit log is missing for Mgmt port change |
| | Interface speed is not updated on FTD |
| | Improve CLI options for management IP with dhcp option |
| | Partition "/opt/cisco/config" gets full due to wtmp file not getting logrotated |
| | stdout_env_manager.log is full of unknown board type 3 messages |
| | sr_build.log has the same three messages repeated every minute |
| | svc_sam_serviceOrchAG.log is filled with repeating worthless messages every minute |
| | 3105: F78672 after a reboot |
| | LTS18 CCM Sequence number 44 to update the libjitterentropy to version 3.4.1 |
| | Workaround to fix build breakage introduced by Wind River CCM commit |
| | Reduce fault severity level for RAID degrade due to disk is still in spare state |
| | FTD - %FTD-3-199015: port-manager: Error: DOM Block Read failure, port X, st = X log false/positive |
| | disk-controller remove/remove-secure description doesn't match |
| | JENT: Add JENT library to fxos to support KP. |
| | Telemetry registration is failing in 2.13. |
| | Supervisor does not reboot unresponsive module/blade due to CATERR with minor severity sensor ID 50 |
| | Supervisor does not reboot unresponsive module/blade due to IERR with minor severity sensor ID 79 |
| | Non-zero input discards in MI CCL interface |
| | Sometimes device goes for reboot, when powering on of alperton netmod in 4100 device |
| | CSSMGR_log core found while testing snmp trap on 2.8.1.184 |
| | Update Broadcom SDK patch for field alert notification for Trident2 |
| | SNMPD cores seen in in snmp_sess_close and notifyTable_register_notifications |
| | Enhance to log FTW kicking delay and compensate the delay for kicking |
| | WR6, WR8, LTS18 and LTS21 commit id update in CCM layer (seq 45) |
| | Statsclient hap reset and boot loop after enabling SNMP unification in 92.13 |
Resolved bugs in FXOS 2.12.1.29
The following table lists the previously release-noted and customer-found bugs that were resolved in FXOS 2.12.1.29:
Identifier | Headline |
---|---|
| | Deploy failure seen as "argument content is null" in 730. |
| | FP1000 - During boot process in LINA mode, broadcasts leaked between interfaces resulting in storm. |
| | Blade not coming up after FXOS update support on multi-instance due to ssp_ntp.log log rotation prob. |
| | Workaround to set hwclock from ntp logs on low end platforms. |
| | Interface remains DOWN in an Inline-set with propagate link state. |
| | vFTD sshd silent crash, possibly due to probes in Azure with LB. |
| | WR6, LTS18 and LTS21 commit id update in CCM layer (Seq 46). |
| | FPR3100: ASA/FTD High traffic impact on all data interfaces with high counter of "demux drops". |
| | Need to use CiscoSSL with FOM 7.3 for Intel Builds. |
| | node is leaving TPK cluster due to interface health check failure. |
| | Unnecessary FAN error logs needs to be removed from thermal file. |
| | FPR1150 : Exec format error seen and the device hung until reload when erase secure all is executed. |
| | High CPU Utilization on FXOS for processes smConlogger. |
| | SNMP on SFR module goes down and won't come back up. |
| | Upgrade third-party component rng-tools to latest 6.16 version. |
| | Enh: Add timestamp in interface IPC message. |
| | portmanager.sh outputing continuous bash warnings to log files. |
| | TPK 2.12 MGMT Port not able to ping gateway after application installation. |
| | SSH to Chassis allows a 3-way handshake for IPs that are not allowed by the config. |
| | Attempt go 1.19.4 in LTS18 Branches but go back to 1.12.12 release. |
| | TPK/WA - OSPF packets land in multiple RX rings. |
| | Brentwood and Maryland squelch settings modification missing from _X netmod variants. |
| | ENH: Include exported chassis configuration in chassis show-tech file. |
| | modify tech-support to capture additional debug info (control link register details). |
| | ENH: Need to preserve topout.log to contain data of last 5 days minimum. |
| | ENH: FXOS need to track Security Module for Disk quota exceeded related issue. |
| | ENH: TPK show portmanager counters to dump counters for default drop rules. |
| | core.svc_sam_dcosAG file seen on device after erase configuration |
| | After upgrade ha interface remains down on one node. |
| | MI information is missing in tech-support |
| | Universal p4tickets are in plaintext in source code |
| | Include output of 'show storage detail command in FPR3100 FPRM/tech_support_brief file |
| | Include output of 'show slot expand detail' command in FPR3100 tech_support_brief file |
Resolved bugs in FXOS 2.12.1.48
The following table lists the previously release-noted and customer-found bugs that were resolved in FXOS 2.12.1.48:
Caveat ID Number | Description |
---|---|
| | FXOS CLI to show last programming changes |
| | FXOS Traceback and reload caused by leak on MTS buffer queue |
| | FXOS: Remove enforcement of blades going into degraded state after multiple DIMM correctable errors |
| | ENH: F1661 More details on failure reason and log location |
| | SSHd cores found after Azure VPN Performance test |
| | SNMPv3: Special characters used in FXOS SNMPv3 configuration causes authentication errors |
| | Excessive logging of ssp-multi-instance-mode messages to /opt/cisco/platform/logs/messages |
| | "show ntp all" logs are not clear enough and lead to uncertainty and confusion |
| | ASA/FTD HA checkheaps crash where memory buffers are corrupted |
| | FXOS needs to provide a command that will display the total power on hours of chassis/blade |
| | WM/TPK/WA "FTD only": Packet drops observed after removing PC member from Port-channel |
| | The FMC is showing "The password encryption key has not been set" alert for a Firepower 1100/2100 and Secure Firewall 3100 series devices |
| | FXOS: svc_sam_dcosAG process getting crashed repeatedly on FirePower 4100 |
| | Secure Firewall 3100 MI: ftd instance failed to come online after chassis reboot |
| | Firepower 1000 Switchport passing CDP traffic |
| | Upgrade to CiscoSSH 1.12.39 in FXOS |
| | Include "show env tech" in FXOS FPRM troubleshoot |
| | FXOS: Alperton 100G NetMod not being acknowledged properly |
| | JENT: Expand JENT library support to CiscoSSL for all FXOS targets |
| | Secure Firewall 3100/4200 - Incorrect 'Management1/1' interface status on Lina & FTD |
| | FTD snmpd process traceback and restart |
| | FPR1010 in HA failed to send or receive to GARP/ARP with error "edsa_rcv: out_drop" |
| | FXOS should display ROMMON logs |
| | FXOS/SSP: System should provide better visibility of DIMM Correctable error events |
| | Switch ports in Trunk mode do not pass vlan traffic after power loss |
| | CCM ID 53 - WR8, LTS18, LTS21 |
Resolved bugs in FXOS 2.12.1.72
The following table lists the previously release-noted and customer-found bugs that were resolved in FXOS 2.12.1.72:
Caveat ID Number | Description |
---|---|
| | FXOS Major Faults about adapter host and virtual interface being down. |
| | Management UI presents self-signed certificate rather than custom CA signed one after upgrade. |
| | WM1010E standby fails to re-join HA with msg "CD App Sync error is SSP Config Generation Failure". |
| | Logical app will trigger a boot in failsafe mode due to a large configuration. |
| | Hardware bypass not working as expected in FP3140. |
| | SSH key-based login is not working in ASAv loaded with default configuration on GCP. |
| | Upgrade to CiscoSSH 1.13.46 in FXOS address CVE-2023-48795. |
| | TPK/kp/WM: unable to copy techsupport/ts/core files to the server. |
| | TPK 3110 - Firmware version MISMATCH after upgrade to 7.2.4-144. |
| | ASA not updating Timezone despite taking commands. |
| | CCM ID 63 - LTS18 |
| | Upgrade to CiscoSSL 1.1.1v.7.3.338-fips in SSP MIO. |
| | FTD/ASA system clock resets to year 2023. |
| | Timezone not working correctly on 9300/4100 platforms |
Resolved bugs in FXOS 2.12.1.84
The following table lists the previously release-noted and customer-found bugs that were resolved in FXOS 2.12.1.84:
Identifier | Headline |
---|---|
| | FTD: Primary takes active role after reloading |
| | health alert for [FSM:STAGE:FAILED]: external aaa server configuration |
| | CVE-2023-51385 (Medium Sev) In ssh in OpenSSH before 9.6, OS command injection might occur if a us |
| | NTP is not synchronising when using SHA-1 authentication |
| | An issue was discovered in the Linux kernel before 6.3.3. There is an |
| | some stdout logs not rotated by logrotate |
| | MSP Quota setting for instances is not correct |
| | Twisted is an event-based framework for internet applications. Prior t |
| | FXOS does not retry NTP sync with servers |
| | App-instance showing as Started instead of Online |
| | In the Linux kernel, the following vulnerability has been resolved: i |
| | In the Linux kernel, the following vulnerability has been resolved: i |
| | 41xx/93xx : Update CiscoSSH (Chassis Manager FXOS) to address CVE-2023-48795 |
| | CCM ID 63 - LTS18 |
| | FXOS fault F1758 description should not be specific to subinterfaces |
| | Faulty input validation in the core of Apache allows malicious or expl |
| | In GNU tar before 1.35, mishandled extension attributes in a PAX archi |
| | An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of |
| | CCM ID 62 - LTS18 |
| | A heap-buffer-overflow vulnerability was found in LibTIFF, in extractI |
| | Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6 |
| | The DNS message parsing code in 'named' includes a section whose compu |
| | 21xx: debug log process hangs preventing recovery from stuck writing operations |
| | In the Linux kernel, the following vulnerability has been resolved: b |
| | Vulnerabilities in linux-kernel CVE-2023-52439 |
| | In the Linux kernel, the following vulnerability has been resolved: n |
| | urllib3 is a user-friendly HTTP client library for Python. urllib3 doe |
| | An issue was discovered in drivers/input/input.c in the Linux kernel b |
| | An issue was discovered in the Linux kernel before 6.6.8. do_vcc_ioctl |
| | less through 653 allows OS command execution via a newline character i |
| | The iconv() function in the GNU C Library versions 2.39 and older may |
| | Unable to upload FTD version image to FCM |
| | FXOS upgrade failure due to insufficient free space in /mnt/pss (isan.log consumes most of space) |
| | SNMP OID ifOutDiscards on MIO are always zero despite show interface are non-zero |
| | FP 3100 MTU change on management interface is NOT persistent across reboots (returns to default MTU) |
| | An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, |
| | Vulnerabilities in linux-kernel CVE-2023-52435 |
| | In buc Traceroute 2.0.12 through 2.1.2 before 2.1.3, the wrapper scrip |
| | copy_params in drivers/md/dm-ioctl.c in the Linux kernel through 6.7.1 |
| | linux-pam (aka Linux PAM) before 1.6.0 allows attackers to cause a den |
| | In the Linux kernel, the following vulnerability has been resolved: B |
| | Requests is a HTTP library. Prior to 2.32.0, when making requests thro |
| | wall in util-linux through 2.40, often installed with setgid tty permi |
| | In the Linux kernel, the following vulnerability has been resolved: n |
| | A bug in QEMU could cause a guest I/O operation otherwise addressed to |
| | Write wrapper around "kill" command to log who is calling it |
| | A use-after-free flaw was found in the __ext4_remount in fs/ext4/super |
| | In rds_recv_track_latency in net/rds/af_rds.c in the Linux kernel thro |
| | Default Hashing Algorithm is SHA1 for Firepower Chassis Manager Certificate on 4110 |
| | A flaw was found in the Netfilter subsystem in the Linux kernel. The i |
| | Address SSP OpenSSH regreSSHion vulnerability |
| | A memory leak problem was found in ctnetlink_create_conntrack in net/n |
| | A use-after-free vulnerability in the Linux kernel's netfilter: nf_tab |
| | use kill tree function in SMA instead of SIGTERM |
| | In the Linux kernel, the following vulnerability has been resolved: B |
| | ASA crashed with Saml scenarios |
| | Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vul |
| | In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause inva |
| | [Multi-Instance] Second Hard Drive (FPR-MSP-SSD) not in use |
| | Strong Encryption license is not getting applied to ASA firewalls in HA. |
| | A flaw was found in the Netfilter subsystem in the Linux kernel. The n |
| | An out-of-memory flaw was found in libtiff that could be triggered by |
| | FTD : Management interface showing down despite being up and operational |
| | Evaluation of ssp for OpenSSH regreSSHion vulnerability |
| | Chassis Manager shows HTTP 500 Internal Server error in specific cases |
| | In the Linux kernel, the following vulnerability has been resolved: d |
| | Time sync status and error message do not elaborate NTP server rejection case |
| | some ssh sessions not timing out, leading to ssh and console unable to connect to the FXOS CLI |
| | The various Is methods (IsPrivate, IsLoopback, etc) did not work as ex |
| | An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.1 |
|
HTTP Response splitting in multiple modules in Apache HTTP Server allo |
|
A denial of service vulnerability due to a deadlock was found in sctp_ |
|
High latency observed on FPR3120 |
|
Failed to transfer new image file to FPR2130 and traceback was observed |
|
In the Linux kernel, the following vulnerability has been resolved: t |
|
KP: Cleanup/Reformat the second (MSP) disk on FTD reinstall |
|
In the Linux kernel, the following vulnerability has been resolved: b |
|
In the Linux kernel, the following vulnerability has been resolved: H |
|
In the Linux kernel, the following vulnerability has been resolved: i |
|
In the Linux kernel, the following vulnerability has been resolved: b |
|
A vulnerability was found in GnuTLS, where a cockpit (which uses gnuTL |
|
A vulnerability was found in GnuTLS. The response times to malformed c |
|
null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and |
|
url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo |
|
FTD upgrade failing on script 999_finish/999_zz_install_bundle.sh |
|
The IPv6 implementation in the Linux kernel before 6.3 has a net/ipv6/ |
|
nscd: netgroup cache may terminate daemon on memory allocation failure |
|
nscd: Stack-based buffer overflow in netgroup cache If the Name Servi |
|
Suppress "End of script output before headers" syslog on FXOS |
|
Crypto IPSEC Negotiation Failing At "Failed to compute a hash value" |
|
Alert: Decommission failed, reason: Internal error is not cleared from FCM or CLI after acknowledge |
|
FPR3100 : 25G SFP Interfaces not coming up after reboot |
|
A flaw was found in the Netfilter subsystem in the Linux kernel. The x |
|
Python 3.x through 3.10 has an open redirection vulnerability in lib/h |
|
A flaw was found in glibc. In an uncommon situation, the gaih_inet fun |
|
SSL protocol settings does not modify the FDM GUI certificate configuration or disable TLSv1.1 |
|
CCM ID 67 - LTS18 |
|
A memory leak flaw was found in Libtiff's tiffcrop utility. This issue |
Related Documentation
For additional information on the Firepower 9300 or 4100 series security appliance and FXOS, see Navigating the Cisco FXOS Documentation.
Online Resources
Cisco provides online resources to download documentation, software, and tools, to query bugs, and to open service requests. Use these resources to install and configure FXOS software and to troubleshoot and resolve technical issues.
- Cisco Support & Download site: https://www.cisco.com/c/en/us/support/index.html
- Cisco Bug Search Tool: https://tools.cisco.com/bugsearch/
- Cisco Notification Service: https://www.cisco.com/cisco/support/notifications.html
Access to most tools on the Cisco Support & Download site requires a Cisco.com user ID and password.
Contact Cisco
If you cannot resolve an issue using the online resources listed above, contact Cisco TAC:
- Email Cisco TAC: tac@cisco.com
- Call Cisco TAC (North America): 1.408.526.7209 or 1.800.553.2447
- Call Cisco TAC (worldwide): Cisco Worldwide Support Contacts
Communications, Services, and Additional Information
- To receive timely, relevant information from Cisco, sign up at Cisco Profile Manager.
- To get the business impact you’re looking for with the technologies that matter, visit Cisco Services.
- To submit a service request, visit Cisco Support.
- To discover and browse secure, validated enterprise-class apps, products, solutions and services, visit Cisco Marketplace.
- To obtain general networking, training, and certification titles, visit Cisco Press.
- To find warranty information for a specific product or product family, access Cisco Warranty Finder.