This document contains release information for Cisco Firepower eXtensible Operating System (FXOS) 2.13.0.
Use these Release Notes as a supplement with the other documents listed in the documentation roadmap:
Note: The online versions of the user documentation are occasionally updated after the initial release. As a result, the information contained in the documentation on Cisco.com supersedes any information contained in the context-sensitive help included with the product.
Introduction
The Cisco security appliance is a next-generation platform for network and content security solutions. The security appliance is part of the Cisco Application Centric Infrastructure (ACI) Security Solution and provides an agile, open, secure platform that is built for scalability, consistent control, and simplified management.
The security appliance provides the following features:
- Modular chassis-based security system—Provides high performance, flexible input/output configurations, and scalability.
- Firepower Chassis Manager—Graphical user interface provides a streamlined, visual representation of the current chassis status and allows for simplified configuration of chassis features.
- FXOS CLI—Provides command-based interface for configuring features, monitoring chassis status, and accessing advanced troubleshooting features.
- FXOS REST API—Allows users to programmatically configure and manage their chassis.
What's New
New Features in FXOS 2.13.0.272
Fixes for various problems (see Resolved bugs in FXOS 2.13.0.272)
New Features in FXOS 2.13.0.243
Fixes for various problems (see Resolved bugs in FXOS 2.13.0.243)
New Features in FXOS 2.13.0.212
Fixes for various problems (see Resolved bugs in FXOS 2.13.0.212)
Cisco FXOS 2.13.0 introduces the following new features:
Feature | Description |
---|---|
IPv6 Ready Logo Certification | The following CLIs are added to set certain sysctl.conf variables that will persist after a reboot: The show ipv6-if output is updated to display the following fields: |
Memory leak detection in MIO | You can now debug the memory leak of each process using the scope mem-leak-logging command. |
Memory leak detection in Secure Firewall 3100 | You can now debug the memory leak process by enabling the mem-leak-feature. |
Single image for Secure Firewall 3100 | To reimage your Secure Firewall 3100 device to FTD version 7.3.0, you must have ROMMON version 1.1.08 or above. If the current ROMMON version is less than 1.1.08, you must upgrade ROMMON by upgrading to ASA 9.19 or later, or by using FMC or FDM to upgrade FTD to 7.3.0. |
FTD configuration using CDO | You can now configure an FTD device using CDO. |
Software Download
You can download software images for FXOS and supported applications from one of the following URLs:
- Firepower 9300 — https://software.cisco.com/download/type.html?mdfid=286287252
- Firepower 4100 — https://software.cisco.com/download/navigator.html?mdfid=286305164
For information about the applications that are supported on a specific version of FXOS, see the Cisco FXOS Compatibility guide at this URL:
https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/compatibility/fxos-compatibility.html
Important Notes
- In FXOS 2.4(1) or later, if you are using an IPSec secure channel in FIPS mode, the IPSec peer entity must support RFC 7427.
- Firmware Upgrade—We recommend upgrading your Firepower 4100/9300 security appliance with the latest firmware. For information about how to install a firmware update and the fixes included in each update, see https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/firmware-upgrade/fxos-firmware-upgrade.html.
- When you upgrade a network or security module, certain faults are generated and then cleared automatically. These include a “hot swap not supported” fault or a “module removed when in online state” fault. If you have followed the appropriate procedures, as described in the Cisco Firepower 9300 Hardware Installation Guide or Cisco Firepower 4100 Series Hardware Installation Guide, the fault(s) are cleared automatically and no additional action is required.
- Beginning with version 2.13, the following platforms are unsupported:
  - Firepower 9300 SM-24 security module
  - Firepower 9300 SM-36 security module
  - Firepower 9300 SM-44 security module
  - Firepower 4110
  - Firepower 4120
  - Firepower 4140
  - Firepower 4150

  Note: You will receive an error when installing or running threat defense instances on these platforms with FXOS 2.13. We recommend that you use a supported FXOS version or change the hardware. For more information on FXOS versions and supported hardware, see Cisco Firepower 4100/9300 FXOS Compatibility.
- Starting with the FXOS 2.13 release, the set maxfailedlogins command no longer works. The value can still be set, but if you attempt to log in with an invalid password more times than the configured value, you are not locked out. For compatibility, a similar command, set max-login-attempts, is available under scope security. This command also prevents logging in after a certain number of failed attempts but sets the value for all users. These commands are only available for Firepower 2100 platform mode and do not affect other platforms.
System Requirements
- You can access the Firepower Chassis Manager using the following browsers:
  - Mozilla Firefox—Version 42 and later
  - Google Chrome—Version 47 and later
  - Microsoft Internet Explorer—Version 11 and later

  We tested FXOS 2.13.0 using Mozilla Firefox version 42, Google Chrome version 47, and Internet Explorer version 11. Other versions of these browsers are expected to work. However, if you experience any browser-related issues, we suggest you use one of the tested versions.
Upgrade Instructions
You can upgrade your Firepower 9300 or Firepower 4100 series security appliance directly to FXOS 2.13.0 if it is currently running FXOS version 2.2(2) or later. Before you upgrade your Firepower 9300 or Firepower 4100 series security appliance to FXOS 2.13.0, first upgrade to FXOS 2.2(2), or verify that you are currently running FXOS 2.2(2).
For upgrade instructions, see the Cisco Firepower 4100/9300 Upgrade Guide.
Installation Notes
- An upgrade to FXOS 2.13.0 can take up to 45 minutes. Plan your upgrade activity accordingly.
- If you are upgrading a Firepower 9300 or Firepower 4100 series security appliance that is running a standalone logical device or if you are upgrading a Firepower 9300 security appliance that is running an intra-chassis cluster, traffic does not traverse through the device while it is upgrading.
- If you are upgrading a Firepower 9300 or a Firepower 4100 series security appliance that is part of an inter-chassis cluster, traffic does not traverse through the device being upgraded while it is upgrading. However, the other devices in the cluster continue to pass traffic.
- Downgrade of FXOS images is not officially supported. The only Cisco-supported method of downgrading an image version of FXOS is to perform a complete re-image of the device.
Resolved Bugs in 2.13.0
The resolved bugs for this release are accessible through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products.
Note: You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you do not have one, you can register for an account.
For more information about the Cisco Bug Search Tool, see the Bug Search Tool Help & FAQ.
Resolved bugs in FXOS 2.13.0.272
The following table lists the previously release-noted and customer-found bugs that were resolved in FXOS 2.13.0.272:
Identifier |
Headline |
---|---|
KP/WM: Getting "RotatingLogProvider: Internal Error:" after login to the device |
|
FPR4K/FPR9K: Generating FXOS Chassis show tech may result to flap of 40Gig Netmod Port |
|
FPR4100/9300 High traffic redirected to CPU causes internal communication failure with blade adapter |
|
Telemetry registration is failing in 2.13. |
|
Firepower Chassis Manager is not accessible with ECDSA certificates |
|
WM1010: "Show techsupport fprm brief" is taking more time (approx 15 mins) than expected |
|
FXOS Traceback and reload caused by leak on MTS buffer queue |
|
Switch ports in Trunk mode do not pass vlan traffic after power loss |
|
Remove iotop.cfg from meta-local-dev linux-yocto.bbappend |
|
CCM ID 53 - WR8, LTS18, LTS21 |
|
FPR1010 in HA failed to send or receive to GARP/ARP with error "edsa_rcv: out_drop" |
|
ARP learning issues with Multiple-instance running 100G Netmod |
|
Upgrade to CiscoSSH 1.12.39 in FXOS |
|
ASA crashed with Saml scenarios |
|
CCM ID 54 - WR8, LTS18, LTS21 update -- (BREAKS LTS21 while WR8 and LTS18 are good) |
|
Strong Encryption license is not getting applied to ASA firewalls in HA. |
|
FXOS: svc_sam_dcosAG process getting crashed repeatedly on FirePower 4100 |
|
Jitterentropy changes in LTS18 and later branches causing FTD build failure |
|
CCM seq 57 - LTS21 |
|
SNMP OID ifOutDiscards on MIO are always zero despite show interface are non-zero |
|
SSH key-based login is not working in ASAv loaded with default config on GCP |
|
SNMPv3: Special characters used in FXOS SNMPv3 configuration causes authentication errors |
|
CIAM: linux-kernel 5.10.79 CVE-2022-30594 |
|
CIAM: libtirpc - CVE-2021-46828 |
|
Unnecessary FAN error logs needs to be removed from thermal file |
|
CIAM: zlib - CVE-2022-37434 |
|
Vulnerabilities in sqlite - CVE-2022-35737 and others | |
High CPU Utilization on FXOS for processes smConlogger |
|
Write wrapper around "kill" command to log who is calling it |
|
Install the 'perf' tool as part of the FXOS for FTD. |
|
Upgrade third-party component rng-tools to latest 6.16 version |
|
FXOS: need add tracefs into release build |
|
SSH to Chassis allows a 3-way handshake for IPs that are not allowed by the config |
|
WM/TPK/WA "FTD only": Packet drops observed after removing PC member from Port-channel |
|
Add iotop to FXOS branches before FXOS 2.14 |
|
JENT: Expand JENT library support to CiscoSSL for all FXOS targets |
|
FTD snmpd process traceback and restart |
|
FMC process ssp_snmp_trap_fwdr high memory utilization |
|
Avoid RADWARE start failure in FXOS 2.13 starting in June 2024 |
|
Debug logging command tcam option is not working on wm1010 |
|
Fxos.sh in branches before R2140 is missing the fxos-compat volume |
|
FPR1k Switchport passing CDP traffic |
|
Remove old iotop 0.6 version |
|
Management UI presents self-signed cert rather than custom CA signed one after upgrade |
|
Error while Clean up phy port mapping for all ports in TPK |
|
FTD SSH External authentication shows "pam_radius verify_packet: Bad code" 7.4.0-1928 |
|
FXOS: Remove enforcement of blades going into degraded state after multiple DIMM correctable errors |
|
Commit-buffer should not be disabled in appliance mode for UCSM memory leak detection feature |
|
During secure erase reboot process, observed an ERROR : Timeout Waiting for fxos_log_shutdown. |
|
Add the jemalloc library to the FTD units |
|
In LTP debug mode while doing 'show_mgmt_port' missing inet address |
|
Remove Local HTMLDOC Recipe |
|
CCM Seq 59 - LTS21 |
|
WM RM:100% System CPU usage for Core 0 on WM platform |
|
JENT: Add JENT library to fxos to support KP. |
|
Upgrade the lldpd component to version 1.0.16 |
|
Remove local patch CSCwh06501.patch once it is managed by CCM |
|
Update FXOS CIAM scripts |
|
Update CIAM scripts to include CVE ID in attributes and add WR_CASE_PENDING attribute |
|
Update CCM Layer Infrastructure |
|
FXOS CIAM Bug Filling Script Fails to wait for Bug to be Filed |
|
Add support for 7zip into FMC |
|
SSP MIO: Swims Token support in signing image |
|
Backout CL3419025 from fxplatform/liverpool/FXOS_2_10_1 |
Resolved bugs in FXOS 2.13.0.243
The following table lists the previously release-noted and customer-found bugs that were resolved in FXOS 2.13.0.243:
Identifier |
Headline |
---|---|
724-118: portmgr_discover_epm: Card discovery failure - failed to detect EPM card type. |
|
Failing to set DNS, hostname and IP on TPK 3130. |
|
Add abort in switch_driver to crash portmanager in case udbs are corrupted. |
|
Failover trigger due to Inspection engine in other unit has failed due to disk failure. |
|
FP1000 - During boot process in LINA mode, broadcasts leaked between interfaces resulting in storm. |
|
FXOS: FP2100 FTW timeout triggered by high CPU usage during FTD Access Control Policy deploy. |
|
30+ seconds data loss when unit re-join cluster. |
|
WR6, WR8, LTS18 and LTS21 commit id update in CCM layer (seq 42). |
|
ASA: After upgrade cannot connect via ssh to interface. |
|
Blade not coming up after FXOS update support on multi-instance due to ssp_ntp.log log rotation prob. |
|
Link Up seen for a few seconds on FPR1010 during bootup. |
|
Supervisor does not reboot unresponsive module/blade due to CATERR with minor severity sensor ID 50. |
|
Bad code change to portmgr_ipc.c. |
|
Application Instance fails install sporadically. |
|
TPK MGMT Port not able to ping gateway after application installation. |
|
WR6, WR8, LTS18 and LTS21 commit id update in CCM layer (Seq 43). |
|
Multiple instances of nvram.out log rotated files under /opt/cisco/platform/logs/. |
|
Read factory reset register twice as workaround for random factory reset. |
|
FTD upgrade failure at "999_finish/999_zz_install_bundle.sh" due to bad key cert. |
|
Workaround to set hwclock from ntp logs on low end platforms. |
|
ssp abort/reload: terminate called after throwing an instance of 'Stb::bad_alloc' from overload.cpp. |
|
Supervisor does not reboot unresponsive module/blade due to IERR with minor severity sensor ID 79. |
|
2100: Power switch toggle leads to ungraceful shutdowns and "PowerCycleRequest" reset. |
|
FP1K/2K/3K devices unable to receive unicast traffic. |
|
Port-channel down with Suspended status on member-ports. |
|
WR6, WR8, LTS18 and LTS21 commit id update in CCM layer (seq 45). |
|
core.svc_sam_dcosAG file seen on device after erase configuration. |
|
Unable to login to FTD using external authentication. |
|
logrotate is not compressing files on 9.16 ASA or 7.0 FTD. |
|
Interface remains DOWN in an Inline-set with propagate link state. |
|
After upgrade ha interface remains down on one node. |
|
vFTD sshd silent crash, possibly due to probes in Azure with LB. |
|
Notification Daemon false alarm of Service Down. |
|
WR6, LTS18 and LTS21 commit id update in CCM layer (Seq 46). |
|
WM : Lina core file is truncated. |
|
After ASA upgrade device going to failsafe with error "fxos_api_xml_decode: XML_Parse return error". |
|
Back out FXOS changes made to CSCwd89848 to avoid build compatibility issue between FXOS and LINA. |
|
3100 unit failed to join the cluster with error "configured object (sys/switch-A/slot-2) not found". |
|
FPR3100: ASA/FTD High traffic impact on all data interfaces with high counter of "demux drops". |
|
Need to use CiscoSSL with FOM 7.3 for Intel Builds. |
|
node is leaving TPK cluster due to interface health check failure. |
|
KP/WM: Management interface operation state is still up even after "shut" command. |
|
SSH login not working after upgrading from 99-18-1-186 to 99-20-0-245. |
|
FTD username with dot fails AAA-RADIUS external authentication login after upgrade. |
|
LTS21 commit id update in CCM layer (Seq 49). |
|
[IMS_7_4_0] KP HA disabled after reboot: CD App Sync error Failed to apply SSP config on standby. |
|
WR6, WR8, LTS18 and LTS21 commit id update in CCM layer (Seq 50). |
|
FXOS: Fault "The password encryption key has not been set." displayed on FPR1000 and FPR2100 devices. |
|
sspos_snmp_suba core seen during longevity test on FP1K. |
|
TPK: failed to show open-network-ports in container deploymode. |
|
system_pid_specific_misc_defs.json has incorrect system cores for TPK. |
|
[IMS_7_3_0]REST_API:Network::getMTU [ERROR] when setting network information during firstboot. |
|
Null pointer check missing in sfp display routine. |
|
OIR errors in portmgr.out. |
|
25G CU SFPs not working in Brentwood 8x25G netmod. |
|
critical health alerts 'user configuration(FSM.sam.dme.AaaUserEpUpdateUserEp)' on 2100/3100 devices. |
|
Analyze why there is no logrotate for /opt/cisco/config/var/log/ASAconsole.log. |
|
FPR3100: 4x40 network module LEDs do not blink with traffic. |
|
KP- FTP under local-mgmt not working. |
|
LLDP:Neighbors not getting discovered on the first breakout port without deleting the lldp config. |
|
Use freeradius-client provided by Wind River. |
|
Use ghostscript-fonts provided by Wind River. |
|
FPR1150 : Exec format error seen and the device hung until reload when erase secure all is executed. |
|
LLDP::Removing a member port from the port channel completely removes the lldp neighbors. |
|
Port-channel member port status flag and membership status are Down if LACPDUs are not received. |
|
MI FTD running 7.0.4 is on High disk utilization. |
|
Upgrade request errors flood portmgr.out after netmod removal. |
|
FAN LED flashing amber on FPR2100. |
|
Create local_User is not getting locked even after setting maximum-login attempts. |
|
FPR-X-NM-6X1SX-F not recognized on FP3100 or FP4200. |
|
Improve CLI options for management IP with dhcp option. |
|
SNMPD cores seen in snmp_sess_close and notifyTable_register_notifications. |
|
Partition "/opt/cisco/config" gets full due to wtmp file not getting logrotated. |
|
Refresh the ios.pem. |
|
stdout_env_manager.log is full of Unknown board type 3 messages. |
|
stdout_00aa_ssp_syslog.log is full of crond is running messages. |
|
3105: F78672 after a reboot. |
|
SSH External authentication shows "pam_radius verify_packet: Bad code" using radius 7.4.0-1672 |
|
LTS18 CCM Sequence number 44 to update the libjitterentropy to version 3.4.1. |
|
WM default log level is set to critical. |
|
Management interface link status not getting synced between FXOS and ASA. |
|
SNMP on SFR module goes down and won't come back up. |
|
Block "create device-manager" command under ASA/FTD native mode. |
|
Reduce fault severity level for RAID degrade due to disk is still in spare state. |
|
Weekly Coverity System SA warnings 2023-03-20, Coverity Defects 878323. |
|
On WA/TPK when management1/1 is down, lina diagnostic in both CMI/non-CMI mode is UP. |
|
TPK-CCmode: Error: tamm_espi_read 0, 0xb2c000: 769-TAM_ERROR_DEVICE_NOT_REGISTERED. |
|
logger.1: send message failed: Resource temporarily unavailable logs were seen after reload 7.2.4-94. |
|
LLDP::Neighbors info is not getting discovered on all the member port of a port channel interface. |
|
Enh: Add timestamp in interface IPC message. |
|
FXOS REST API: Unable to create a keyring with type "ecdsa". |
|
ASA not updating Timezone despite taking commands. |
|
2100: Check poshd running state FXOS 2.13/2.14 for Power switch toggle graceful shutdowns. |
|
Lost Management access to 3110 (Native mode). |
|
portmanager.sh outputting continuous bash warnings to log files. |
|
Speedcap of PC member interfaces not updated post EPM OIR. |
|
TPK 3110 - Firmware version MISMATCH after upgrade to 7.2.4-144. |
|
LTS21 python3-funcsigs build issue. |
|
Need jemalloc library in windriver OS. |
|
FXOS: show portchannel summary shows incorrect interfaces when using breakout ports. |
|
Fix CiscoSSL Recipe Name in R2130. |
|
Display SNMP Debug menu 4 command as part of show-tech fprm for FTD. |
|
Move to go 1.19.4 in LTS21 Branches. |
|
TPK/WA - OSPF packets land in multiple RX rings. |
|
port-manager: The devNum 0 has not initialized the fwd module. |
|
KC25/KC50 support for 0x500_000a firmware. |
|
FCM: jacoco lib needs upgrade. |
|
FXOS raises a fault for administratively disabled management interface. |
|
DME log flooding in certain scenario. |
|
RMU Dump capture missing code. |
|
Livecore changes to support live snapshot feature. |
|
LTS21 commit id update in CCM layer (Seq 52). |
|
Brentwood and Maryland squelch settings modification. |
|
disk-controller remove/remove-secure description doesn't match. |
|
3100: Insmod Errors observed on console. |
|
Brentwood and Maryland squelch settings modification missing from _X netmod variants. |
|
Universal p4tickets are in plaintext in source code. |
|
Rework CiscoSSL Recipe. |
|
ENH: Include output of 'show storage detail' command in FPR3100 FPRM/tech_support_brief file. |
|
ENH: Include output of 'show slot expand detail' command in FPR3100 tech_support_brief file. |
|
modify tech-support to capture additional debug info (control link register details). |
|
TPK/WA enh - add Marvell LuaCLI "show tail-drop-allocated buffers all" to tech-support. |
|
switch diagnostic enhancement default event configuration. |
|
Update Corona CIAM scripts. |
|
ENH: Include Ethernet port ID in "show portmanager switch status". |
|
ENH: TPK show portmanager counters to dump counters for default drop rules. |
|
Requirement: Log rotate utility needs to handle the rotating of the asa-appagent.log file. |
|
Enable debug logging for switch driver WM-1010. |
|
Recovery from RMU failures due to control link going to bad state. |
|
ENH: Migrate fover trace logging log rotation to FXOS logrotate utility. |
|
WM RM - Switch Diagnostics - events, logging & action. |
|
wa/tpk: FXOS changes for unified pkt-capture support for capturing switch dropped packets. |
|
Fix firmware packing tools build issue due to python version change. |
|
Perforce upgrade requires changes where P4PORT is being set. |
|
removal of hash at the end of the marvel build. |
Resolved bugs in FXOS 2.13.0.212
The following table lists the previously release-noted and customer-found bugs that were resolved in FXOS 2.13.0.212:
Caveat ID Number |
Description |
---|---|
LTS18 and LTS21 commit id update in CCM layer (seq 39) |
|
WR6, WR8, LTS18 and LTS21 commit id update in CCM layer (Seq 40) |
|
WR6, WR8, LTS18 and LTS21 commit id update in CCM layer (Seq 41) |
|
cdc_ether.ko missing from LTS21 based FMC builds |
|
FPR 3100: the 'show local-user detail' with unexpected "Error opening the tally file" |
|
MIO is not able to register. appAG process issue |
|
MIO LTS21: Prune redundant libcurl.so.4.7.0 |
|
No input validation for logical device DNS servers in bootstrap configuration on chassis manager |
|
Potential memory leak in svc_sam_envAG process |
|
WA_B/TPK. Dual range(10/25) SFP is not working with 8*10g netmod with sfp-detect speed |
|
Platform faults related to management interface |
|
3100 enters failsafe mode due to NPU version mismatch |
|
SNM trace logs have incorrect timestamps |
|
Local disk-0 displayed on fpr9300 |
|
Remote user login via SSH access with password authentication method fails after FXOS upgrade |
Related Documentation
For additional information on the Firepower 9300 or 4100 series security appliance and FXOS, see Navigating the Cisco FXOS Documentation.
Online Resources
Cisco provides online resources to download documentation, software, and tools, to query bugs, and to open service requests. Use these resources to install and configure FXOS software and to troubleshoot and resolve technical issues.
- Cisco Support & Download site: https://www.cisco.com/c/en/us/support/index.html
- Cisco Bug Search Tool: https://tools.cisco.com/bugsearch/
- Cisco Notification Service: https://www.cisco.com/cisco/support/notifications.html
Access to most tools on the Cisco Support & Download site requires a Cisco.com user ID and password.
Contact Cisco
If you cannot resolve an issue using the online resources listed above, contact Cisco TAC:
- Email Cisco TAC: tac@cisco.com
- Call Cisco TAC (North America): 1.408.526.7209 or 1.800.553.2447
- Call Cisco TAC (worldwide): Cisco Worldwide Support Contacts
Communications, Services, and Additional Information
- To receive timely, relevant information from Cisco, sign up at Cisco Profile Manager.
- To get the business impact you’re looking for with the technologies that matter, visit Cisco Services.
- To submit a service request, visit Cisco Support.
- To discover and browse secure, validated enterprise-class apps, products, solutions and services, visit Cisco Marketplace.
- To obtain general networking, training, and certification titles, visit Cisco Press.
- To find warranty information for a specific product or product family, access Cisco Warranty Finder.