Cisco Firepower 4100/9300 FXOS Release Notes, 2.3(1)

This document contains release information for Cisco Firepower eXtensible Operating System (FXOS) 2.3(1).

Use this release note as a supplement to the other documents listed in the documentation roadmap:


Note

The online versions of the user documentation are occasionally updated after the initial release. As a result, the information contained in the documentation on Cisco.com supersedes any information contained in the context-sensitive help included with the product.


Introduction

The Cisco Firepower security appliance is a next-generation platform for network and content security solutions. The Firepower security appliance is part of the Cisco Application Centric Infrastructure (ACI) Security Solution and provides an agile, open, secure platform that is built for scalability, consistent control, and simplified management.

The Firepower security appliance provides the following features:

  • Modular chassis-based security system—Provides high performance, flexible input/output configurations, and scalability.

  • Firepower Chassis Manager—Graphical user interface provides a streamlined, visual representation of the current chassis status and allows for simplified configuration of chassis features.

  • FXOS CLI—Provides command-based interface for configuring features, monitoring chassis status, and accessing advanced troubleshooting features.

  • FXOS REST API—Allows users to programmatically configure and manage their chassis.

What's New

New Features in FXOS 2.3.1.190

Cisco FXOS 2.3.1.190 introduces the following new features in addition to the features included in earlier releases:

Fixes for various problems (see Resolved Bugs in FXOS 2.3.1.190).

New Features in FXOS 2.3.1.180

Cisco FXOS 2.3.1.180 introduces the following new features in addition to the features included in earlier releases:

Fixes for various problems (see Resolved Bugs in FXOS 2.3.1.180).

New Features in FXOS 2.3.1.179

Cisco FXOS 2.3.1.179 introduces the following new features in addition to the features included in earlier releases:

Fixes for various problems (see Resolved Bugs in FXOS 2.3.1.179).

New Features in FXOS 2.3.1.173

Cisco FXOS 2.3.1.173 introduces the following new features in addition to the features included in earlier releases:

Fixes for various problems (see Resolved Bugs in FXOS 2.3.1.173).

New Features in FXOS 2.3.1.166

Cisco FXOS 2.3.1.166 introduces the following new features in addition to the features included in earlier releases:

Fixes for various problems (see Resolved Bugs in FXOS 2.3.1.166).

New Features in FXOS 2.3.1.155

Cisco FXOS 2.3.1.155 introduces the following new features in addition to the features included in earlier releases:

Fixes for various problems (see Resolved Bugs in FXOS 2.3.1.155).

New Features in FXOS 2.3.1.145

Cisco FXOS 2.3.1.145 introduces the following new features in addition to the features included in earlier releases:

Fixes for various problems (see Resolved Bugs in FXOS 2.3.1.145).

New Features in FXOS 2.3.1.144

Cisco FXOS 2.3.1.144 introduces the following new features in addition to the features included in earlier releases:

Fixes for various problems (see Resolved Bugs in FXOS 2.3.1.144).

New Features in FXOS 2.3.1.130

Cisco FXOS 2.3.1.130 introduces the following new features in addition to the features included in earlier releases:

Fixes for various problems (see Resolved Bugs in FXOS 2.3.1.130).

New Features in FXOS 2.3.1.111

Cisco FXOS 2.3.1.111 introduces the following new features in addition to the features included in earlier releases:

Fixes for various problems (see Resolved Bugs in FXOS 2.3.1.111).

New Features in FXOS 2.3.1.110

Cisco FXOS 2.3.1.110 introduces the following new features in addition to the features included in earlier releases:

Fixes for various problems (see Resolved Bugs in FXOS 2.3.1.110).

New Features in FXOS 2.3.1.99

Cisco FXOS 2.3.1.99 introduces the following new features in addition to the features included in earlier releases:

Fixes for various problems (see Resolved Bugs in FXOS 2.3.1.99).

New Features in FXOS 2.3.1.93

Cisco FXOS 2.3.1.93 introduces the following new features in addition to the features included in earlier releases:

Fixes for various problems (see Resolved Bugs in FXOS 2.3.1.93).

New Features in FXOS 2.3.1.91

Cisco FXOS 2.3.1.91 introduces the following new features in addition to the features included in earlier releases:

Fixes for various problems (see Resolved Bugs in FXOS 2.3.1.91).

New Features in FXOS 2.3.1.88

Cisco FXOS 2.3.1.88 introduces the following new features in addition to the features included in earlier releases:

Fixes for various problems (see Resolved Bugs in FXOS 2.3.1.88).

New Features in FXOS 2.3.1.75

Cisco FXOS 2.3.1.75 introduces the following new features in addition to the features included in earlier releases:

Fixes for various problems (see Resolved Bugs in FXOS 2.3.1.75).

New Features in FXOS 2.3.1.73

Cisco FXOS 2.3.1.73 introduces the following new features in addition to the features included in earlier releases:

Fixes for various problems (see Resolved Bugs in FXOS 2.3.1.73).

New Features in FXOS 2.3.1.66

Cisco FXOS 2.3.1.66 introduces the following new features in addition to the features included in earlier releases:

Fixes for various problems (see Resolved Bugs in FXOS 2.3.1.66).

New Features in FXOS 2.3.1.58

Cisco FXOS 2.3.1.58 introduces the following new features in addition to the features included in earlier releases:

Fixes for various problems (see Resolved Bugs in FXOS 2.3.1.58).

New Features in FXOS 2.3.1.56

Warning: FXOS 2.3.1.56, which was briefly available on Cisco.com, is no longer supported. If you initially installed Firepower Threat Defense Version 6.0.1 on a Firepower 9300 or 4100 series device and have never reinstalled the Firepower software (you have only upgraded), upgrading to FXOS 2.3.1.56 disables the Firepower Threat Defense application. This may interrupt traffic on your network. If this happens to you, upgrade FXOS from Version 2.3.1.56 to Version 2.3.1.58 to restore Firepower Threat Defense functionality. For more information, see CSCvh64138 in the Cisco Bug Search Tool.

Cisco FXOS 2.3.1.56 introduces the following new features:

  • Support for ASA 9.9(1).

  • Support for Radware DefensePro 8.13.

  • Adds variable core allocation option for the installation of Radware DefensePro. When enabled, this feature allows you to optimize Radware DefensePro install performance.

  • The FXOS upgrade procedure no longer requires that you download the logical device CSP after upgrading the FXOS platform bundle. You can download any CSP onto your system before upgrading your FXOS to 2.3(1).

  • The Firepower 10G and 40G network modules now support hot swapping.

  • Improvements to the management of logical devices after creation:

    • After modifying the logical device using Firepower Chassis Manager to assign a new management IP address and bootstrap keys, Firepower Chassis Manager no longer automatically restarts the application.

    • If you make changes to a logical device that require a restart, Firepower Chassis Manager notifies you and lets you either restart after saving or delay the restart until you initiate it later.

    • You can now restart an application from the Firepower Chassis Manager Logical Devices page.

    • If you modify bootstrap information for a logical device using the FXOS CLI, you will not be notified when you must clear the management bootstrap and restart the application.

  • Improvements to the management of clusters:

    • Adds additional support for determining the time and the reason for application cluster state change; for example, when and why an application joins or leaves the cluster.

    • Adds additional support for identifying significant application state change, including online, offline, not-responding, install-failed, start-failed, stop-failed, update-failed, and unsupported.

  • Adds additional support for determining and reporting on the health of security modules.

  • For Firepower 9300/4100 series security appliances with an ASA security module, the flow off-loading feature has been improved to support 4 million bidirectional or 8 million unidirectional off-loaded flows.

  • Adds SNMP support for network modules. Information about network modules is available by querying the ENTITY-MIB (OID 1.3.6.1.2.1.47), the IF-MIB (OID 1.3.6.1.2.1.31), and the CISCO-FIREPOWER-EQUIPMENT-MIB (OID 1.3.6.1.4.1.9.9.826.1.20).

  • Adds support for Smart Agent Strong Encryption even after connection to CSSM/CSSM On-Prem is lost. This allows a Firepower 9300/4100 series security appliance to remain in its last known export compliance state, even if the connection to Cisco Smart Software Manager is lost for an extended period.

  • Adds option to configure the minimum Transport Layer Security (TLS) version allowed when communicating with external devices.

  • The uplink port status of the management port on the Firepower 9300/4100 series security appliance is now synchronized with the management interface status in the applications running on it.

  • Fixes for various problems (see Resolved Bugs in FXOS 2.3.1.56).

Software Download

You can download software images for FXOS and supported applications from one of the following URLs:

For information about the applications that are supported on a specific version of FXOS, see the Cisco FXOS Compatibility guide at this URL:

https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/compatibility/fxos-compatibility.html

Important Notes

  • When you configure Radware DefensePro (vDP) in a service chain on a currently running Firepower Threat Defense application on a Firepower 4110 or 4120 device, the installation fails with a fault alarm. As a workaround, stop the Firepower Threat Defense application instance before installing the Radware DefensePro application. Note that this issue and workaround apply to all supported releases of Radware DefensePro service chaining with Firepower Threat Defense on Firepower 4110 and 4120 devices.

  • Firmware Upgrade—We recommend upgrading your Firepower 4100/9300 security appliance with the latest firmware. For information about how to install a firmware update and the fixes included in each update, see https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/firmware-upgrade/fxos-firmware-upgrade.html.

  • When upgrading a network or security module, certain faults are generated and then cleared automatically. These include a “hot swap not supported” fault or a “module removed when in online state” fault. If you have followed the appropriate procedures, as described in the Cisco Firepower 9300 Hardware Installation Guide (http://www.cisco.com/go/firepower9300-install) or Cisco Firepower 4100 Series Hardware Installation Guide (http://www.cisco.com/go/firepower4100-install), the fault(s) will be cleared automatically and no additional action is required.

Adapter Bootloader Upgrade

FXOS 2.3(1) contains additional testing to verify the security module adapters on your security appliance. After installing FXOS 2.3.1.58 or later, you might receive a critical fault similar to the following on your security appliance indicating that you should update the firmware for your security module adapter:

Critical F1715 2017-05-11T11:43:33.121 339561 Adapter 1 on Security Module 1 requires a critical firmware upgrade. Please see Adapter Bootloader Upgrade instructions in the FXOS Release Notes posted with this release.

If you receive the above message, use the following procedure to update the boot image for your adapter:

  1. Connect to the FXOS CLI on your Firepower security appliance. For instructions, see the “Accessing the FXOS CLI” topic in the Cisco FXOS CLI Configuration Guide or the Cisco FXOS Firepower Chassis Manager Configuration Guide (see Related Documentation).

  2. Enter the adapter mode for the adapter whose boot image you are updating:

    fxos-chassis# scope adapter 1/security_module_number/adapter_number

  3. Enter show image to view the available adapter images and to verify that fxos-m83-8p40-cruzboot.4.0.1.62.bin is available to be installed:

    fxos-chassis /chassis/server/adapter # show image
    Name                                          Type                 Version
    --------------------------------------------- -------------------- -------
    fxos-m83-8p40-cruzboot.4.0.1.62.bin           Adapter Boot         4.0(1.62)
    fxos-m83-8p40-vic.4.0.1.51.gbin               Adapter              4.0(1.51)

  4. Enter update boot-loader to update the adapter boot image to version 4.0.1.62:

    fxos-chassis /chassis/server/adapter # update boot-loader 4.0(1.62)
    Warning: Please DO NOT reboot blade or chassis during upgrade, otherwise, it may cause adapter to become UNUSABLE!
    After upgrade has completed, blade will be power cycled automatically
    fxos-chassis /chassis/server/adapter* # commit-buffer

  5. Enter show boot-update status to monitor the update status:

    fxos-chassis /chassis/server/adapter # show boot-update status
    State: Updating
    fxos-chassis /chassis/server/adapter # show boot-update status
    State: Ready

  6. Enter show version detail to verify that the update was successful:


    Note

    Your show version detail output might differ from the following example. However, verify that Bootloader-Update-Status is “Ready” and that Bootloader-Vers is 4.0(1.62).


    fxos-chassis /chassis/server/adapter # show version detail
    Adapter 1:
    Running-Vers: 5.2(1.2)
    Package-Vers: 2.2(2.17)
    Update-Status: Ready
    Activate-Status: Ready
    Bootloader-Update-Status: Ready
    Startup-Vers: 5.2(1.2)
    Backup-Vers: 5.0(1.2)
    Bootloader-Vers: 4.0(1.62)
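
The fault-to-adapter mapping in step 2 and the verification in step 6 can be scripted against captured CLI text. The following Python is an added example, not part of the Cisco documentation or of FXOS; it assumes the fault line and the show version detail output have the layout shown above, and the function names and the VERSION_PENDING sample are constructed for illustration.

```python
import re

# Bootloader version the procedure above installs (taken from the page).
REQUIRED_BOOTLOADER = "4.0(1.62)"

# Fault line as shown on the page; the column layout is assumed to match it.
FAULT_SAMPLE = (
    "Critical F1715 2017-05-11T11:43:33.121 339561 Adapter 1 on Security "
    "Module 1 requires a critical firmware upgrade. Please see Adapter "
    "Bootloader Upgrade instructions in the FXOS Release Notes posted with "
    "this release."
)

# `show version detail` output copied from the page (successful upgrade).
VERSION_OK = """\
fxos-chassis /chassis/server/adapter # show version detail
Adapter 1:
Running-Vers: 5.2(1.2)
Package-Vers: 2.2(2.17)
Update-Status: Ready
Activate-Status: Ready
Bootloader-Update-Status: Ready
Startup-Vers: 5.2(1.2)
Backup-Vers: 5.0(1.2)
Bootloader-Vers: 4.0(1.62)
"""

# Constructed sample: update still running, placeholder bootloader version.
VERSION_PENDING = """\
Adapter 1:
    Running-Vers: 5.2(1.2)
    Bootloader-Update-Status: Updating
    Bootloader-Vers: 0.0(0.0)
"""

FAULT_RE = re.compile(
    r"\bF1715\b.*?Adapter (\d+) on Security Module (\d+) "
    r"requires a critical firmware upgrade"
)


def adapters_needing_upgrade(fault_text):
    """Return sorted, de-duplicated (security_module, adapter) pairs from F1715 faults."""
    found = set()
    for line in fault_text.splitlines():
        match = FAULT_RE.search(line)
        if match:
            found.add((int(match.group(2)), int(match.group(1))))
    return sorted(found)


def scope_commands(pairs):
    """Build the step 2 command for each flagged adapter, using the page's 1/module/adapter syntax."""
    return [f"scope adapter 1/{module}/{adapter}" for module, adapter in pairs]


def parse_version_detail(text):
    """Parse `show version detail` output into {adapter_number: {field: value}}."""
    adapters, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"Adapter (\d+):", line)
        if header:
            current = adapters.setdefault(int(header.group(1)), {})
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return adapters


def check_bootloader(text, required=REQUIRED_BOOTLOADER):
    """Return (adapter, problem) tuples; an empty list means every adapter passes."""
    adapters = parse_version_detail(text)
    if not adapters:
        return [(None, "no 'Adapter N:' section found")]
    problems = []
    for number, fields in sorted(adapters.items()):
        status = fields.get("Bootloader-Update-Status")
        version = fields.get("Bootloader-Vers")
        # Only these two fields are checked; other fields may differ per the Note.
        if status != "Ready":
            problems.append((number, f"Bootloader-Update-Status is {status!r}, expected 'Ready'"))
        if version != required:
            problems.append((number, f"Bootloader-Vers is {version!r}, expected {required!r}"))
    return problems


if __name__ == "__main__":
    flagged = adapters_needing_upgrade(FAULT_SAMPLE)
    print("flagged adapters:", flagged, scope_commands(flagged))
    for label, sample in (("ok", VERSION_OK), ("pending", VERSION_PENDING)):
        print(label, check_bootloader(sample) or "PASS")
```

Run it over saved session logs from each chassis to confirm that no adapter was left in the Updating state or on an older boot image.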

System Requirements

You can access the Firepower Chassis Manager using the following browsers:

  • Mozilla Firefox—Version 42 and later

  • Google Chrome—Version 47 and later

  • Microsoft Internet Explorer—Version 11 and later

We tested FXOS 2.3(1) using Mozilla Firefox version 42, Google Chrome version 47, and Internet Explorer version 11. We anticipate that future versions of these browsers will also work. However, if you experience any browser-related issues, we suggest you revert to one of the tested versions.

Upgrade Instructions

For complete information on how to upgrade FXOS on your Firepower 4100/9300 device, see the Cisco Firepower 4100/9300 Upgrade Guide.


Note

Downgrade of FXOS images is not officially supported. The only Cisco-supported method of downgrading an image version of FXOS is to perform a complete re-image of the device.


Open and Resolved Bugs

The open and resolved bugs for this release are accessible through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products.


Note

You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you do not have one, you can register for an account.


For more information about the Cisco Bug Search Tool, see the Bug Search Tool Help & FAQ.

Open Bugs

The following table lists select bugs open at the time of this Release Note publication:

Table 1. Open Bugs Affecting FXOS 2.3(1)
Identifier Description
CSCus73654 ASA do not mark management-only for the mgmt interface assign by LD
CSCuu33739 Physical interface speeds in port-channel are incorrect
CSCuw31077 Filter applied to a interface should be validated
CSCux37821 Platform settings auth the order field shows only lowest-available
CSCux63101 All memory(s) under Memory array shows as unknown in operable column
CSCux77947 Pcap file size not updated properly when data sent at high rate
CSCux98517 Un-decorating data port for VDP should be allowed from Chassis Manager
CSCuy21573 Chassis Manager: Sorting Broken in Updates Page
CSCuz93180 AAA LDAP configuration does not preserve information if validation fails
CSCva86452 link flap on switch connected to 10G and 40G SR FTW card on power off
CSCvb52076 Link flap on link partner with Watford 1G-Copper FTW module during boot up
CSCvc03494 Radware vDP cannot be added into APSolute Vision. As a workaround, you must manually download the device driver and install it into Vision.
CSCvc44522 Log Capacity on Management controller Server1/1 is very low Warning
CSCvd34042 MIO has rebooted while testing the packet capture with 92.2.1.1821
CSCvd90177 Blade went to fault state after doing a MIO reload on QP-D with FXOS 2.2.1.57
CSCve07226 QP-D & QP-C Slot stuck at restart state after doing “reset hard-reset-immediate”
CSCvf16473 LLDP packets not captured on MIO
CSCvf70180 FCM is sending the DNS search domain list to ASDM instead of just one domain
CSCvf94658 SSH is not accessible to the device after erase configuration
CSCvg54742 FTW - Traffic loss seen when chassis shutdown gracefully from FXOS GUI
CSCvg57022 Chassis Mgr:Incorrect timezone on login detail information
CSCvg57037 Chassis Mgr:Password “Set:Yes” or No appears at incorrect place (Japanese language)
CSCvg62443 Chassis Manger UI (Logical Devices page) doesn't show correct IP of FTD device
CSCvg65185 Error message contains html syntax strings.
CSCvg67730 put cap on blade core files so as to avoid incomplete blade tech-support due to low disk space
CSCvg68299 FXOS chassis manager interface gets disassociated from FTD after a failover
CSCvg70522 FXOS - Unable to connect by telnet when internet connectivity is lost
CSCvg71168 asa is started even on a failed security module
CSCvg72548 Double VLAN headers observed in Maverick front and backplane packet captures
CSCvg72559 Enabling packet capture with IPv6 filter failed

Resolved Bugs in FXOS 2.3.1.216

The following table lists the previously release-noted and customer-found defects that were resolved in FXOS 2.3.1.216:

Table 2. Resolved Bugs in FXOS 2.3.1.216

Identifier Description
CSCvx73164 Lasso SAML Implementation Vulnerability Affecting Cisco Products: June 2021

Resolved Bugs in FXOS 2.3.1.215

The following table lists the previously release-noted and customer-found defects that were resolved in FXOS 2.3.1.215:

Table 3. Resolved Bugs in FXOS 2.3.1.215

Identifier Description
CSCvh64138 FXOS upgrade to 2.3.1.X causes FTD logical device to not come up
CSCvo86940 PROMPTING FOR PASSWORD WHEN TRYING TO CONFIGURE enic, vfio-pci , igb_uio ON BLADE
CSCvu11868 "Link not connected" error after reboot when using QSFP-40G-LR4 transceiver on FPR9K-NM-4X40G
CSCvu94706 FXOS dynamically learning mac-address of external machine causing outage
CSCvv85742 Upgrade : FSM status can show incorrect value after upgrade
CSCvv96092 Cisco FXOS and NX-OS Software UDLD DoS and Arbitrary Code Execution Vulnerability
CSCvw38984 Cisco FXOS and NX-OS Software UDLD DoS and Arbitrary Code Execution Vulnerability
CSCvw62255 "Link not connected" error when using WSP-Q40GLR4L transceiver and Arista switch
CSCvx16700 FXOS clock sync issue during blade boot up due to "MIO DID NOT RESPOND TO FORCED TIME SYNC"
CSCvt18178 FP93K // 2.3.1.144 // SSH sessions not clearing. More than 32 FPRM CLI sessions are not allowed
CSCvx09212 syslog-ng startup is delayed for 60 seconds, resulting in logger.1 error messages
CSCvv51433 Need to update cert with fractional second
CSCvx13861 QuoVadis root CA decommission on Firepower 9300/4100 Supervisor
CSCvx88998 "System does not allow more than 16 TPs" on 2.3.1.213
CSCvx90804 MIO SSD upgraded to wrong firmware version.
CSCvx61452 ASA app install failed due to START_FAILED Process_Start_attempt_failed
CSCvo14325 Make sure MIO reboot in case of firmware upgrade is graceful
CSCvv09719 After fxos upgrade to 2.8.1.121, CCL traffic or data traffic not forwarded by switch
CSCvv05277 Need to support firmware upgrade for SSD in FXOS

Resolved Bugs in FXOS 2.3.1.190

The following table lists the previously release-noted and customer-found defects that were resolved in FXOS 2.3.1.190:

Table 4. Resolved Bugs in FXOS 2.3.1.190

Identifier Description
CSCvf38144 FXOS Hostname has an "-A" appended by default
CSCvk08565 App-instance in start-failed with "Application Failing to Start by ProcMgr" error on container app
CSCvt20235 Firepower 4100 series all FTW interfaces link flap at the same time but occur rarely
CSCvt39897 FP 4120 svc_sam_dcosAG crashed with crash type:139
CSCvt68486 FXOS: svc_sam_dcosAG process crash on FirePower 4100/9300
CSCvu27487 FXOS ASA race condition leading to cluster join failure and network outage
CSCvv66837 FXOS portAG memory leak during periodical interface polls

Resolved Bugs in FXOS 2.3.1.180

The following table lists the previously release-noted and customer-found defects that were resolved in FXOS 2.3.1.180:

Table 5. Resolved Bugs in FXOS 2.3.1.180

Identifier Description
CSCvt06091 FXOS displays a WSP-Q40GLR4L transceiver from show interface as type QSFP-40G-LR4
CSCvt34160 "Link not connected" error after reboot when using WSP-Q40GLR4L transceiver on FPR9K-NM-4X40G

Resolved Bugs in FXOS 2.3.1.179

The following table lists the previously release-noted and customer-found defects that were resolved in FXOS 2.3.1.179:

Table 6. Resolved Bugs in FXOS 2.3.1.179

Identifier Description
CSCvr37151 Cisco FXOS and NX-OS CDP Arbitrary Code Execution and DoS Vulnerability
CSCvs92044 FXOS L3 Egress Object Resource Leak due to Port-Channel Member Interface Flaps

Resolved Bugs in FXOS 2.3.1.173

The following table lists the previously release-noted and customer-found defects that were resolved in FXOS 2.3.1.173:

Table 7. Resolved Bugs in FXOS 2.3.1.173

Identifier Description
CSCvg29876 FXOS: Change FSM:FAILED fault severity from Critical to Info
CSCvi48404 Firepower Chassis Reloads due to License Manager
CSCvm84994 SSH idle timeout not working on FTD on Firepower 4100 and Firepower 9300
CSCvn11962 FXOS randomly shows one NTP server as 'Unreachable Or Invalid NTP Server' once added 4 NTP servers
CSCvq17910 Multicast MAC not programmed on chassis upon app reboot or cluster rejoin
CSCvr01651 Data interfaces bring up delayed after chassis reboot
CSCvr24920 FPR-4110: FXOS CLI crash in feature-mgr process
CSCvr40573 FPR-4100: FXOS CLI crash with fwm hap reset
CSCvs39368 DME process crash due to memory leak on Firepower 9300/4100

Resolved Bugs in FXOS 2.3.1.166

The following table lists the previously release-noted and customer-found defects that were resolved in FXOS 2.3.1.166:

Table 8. Resolved Bugs in FXOS 2.3.1.166

Identifier Description
CSCvg85687 Error messages seen on console when FXOS boots up
CSCvn77125 FXOS: copy command should allow for wildcards to transfer multiple files
CSCvo85861 Propagate link-state not shown in FTD CLI
CSCvp15176 FTD/ASA installed on firepower devices may report comm failure and assume itself as active/master.
CSCvp35769 [ciam] Apache HTTP Server URL Normalization Denial of Service Vulnerability
CSCvp83437 serial console/SSH login using local account succeeds but immediately returns to login prompt
CSCvq19641 Evaluation of Firepower 4k/9k Supervisor for TCP_SACK
CSCvq33916 Linkdown between FP 4100 and switch when using 40gb bidi to 40/100 bidi

CSCvq33916

Linkdown between FP 4100 and switch when using 40gb bidi to 40/100 bidi

Resolved Bugs in FXOS 2.3.1.155

The following table lists the previously release-noted and customer-found defects that were resolved in FXOS 2.3.1.155:

Table 9. Resolved Bugs in FXOS 2.3.1.155
Identifier Description
CSCvg72204 SNMPv3 users created for noauth aren't present in FXOS CLI config, only at scope monitoring and GUI
CSCvg72259 Disabling and re-enabling SNMP via GUI wipes out all the users auth and privacy hashes from FXOS CLI
CSCvh70046 MIO does not respond when we interrupt the startup configuration after erase config
CSCvj98499 Linux Kernel cdrom_ioctl_media_changed Function Kernel Memory Read Vul
CSCvk62910 App upgrade fails with error "Job type is wrong.(sam:dme:SdAppInstanceUpgradeApplication:Upgrade)
CSCvk69480 FXOS Cannot create a Local Username with at least one capital letter
CSCvk70849 FCM GUI authentication fails with "Unable to Login. Authentication failed" if the password >32 chars
CSCvm53282 FTD: Routing tables added by ICMP redirects gets stuck in routing table cache forever
CSCvn11768 Application CSP should not be deleted if application instance references it
CSCvn24594 add NTPDATE update of blade sysclock from the supervisor before starting NTPD
CSCvn36413 upgrade-recovery corner case for specific versioning format/naming
CSCvn42582 FXOS "Reminder to trigger an export" is changed from disable to enable after reboot
CSCvn78014 Graceful shutdown is not working on data port.
CSCvn90701 Errors that occur during FTD install are not logged
CSCvo75349 FXOS Blade CRUZ FW coredump due to a memory corruption
CSCvo93924 FTD may not become online after installing vDP
CSCvp21561 Cruz Adaptor crash
CSCvp40260 Prevent STP and FC frames from being sent to SUP CPU

Resolved Bugs in FXOS 2.3.1.145

The following table lists the previously release-noted and customer-found defects that were resolved in FXOS 2.3.1.145:

Table 10. Resolved Bugs in FXOS 2.3.1.145
Identifier Description
CSCvo87116 MTS messages stuck in AppAG recv_q
CSCvo90987 Enhancement for debugging link down/flap issues for bcm_usd.log files on customer units

Resolved Bugs in FXOS 2.3.1.144

The following table lists the previously release-noted and customer-found defects that were resolved in FXOS 2.3.1.144:

Table 11. Resolved Bugs in FXOS 2.3.1.144
Identifier Description
CSCvf57881 Firepower Supervisor: Log only valid usernames for failed login attempts
CSCvi24516 Blade stuck in fault state after doing an upgrade
CSCvk26936 Graceful shutdown is not working as expected
CSCvk35425 "System halted" messages didn't appear after graceful shutdown via CLI or chassis manager
CSCvk47441 FXOS 4100/9300: icmp redirect get stuck in FXOS OOB management routing table forever
CSCvk60985 Machine Check events logged. Possible hardware issue. FXOS Blade: mcelog support
CSCvm72541 Speed is 0 in interfaceMapping message if a port-channel's status is down
CSCvm76266 Lina traceback in Thread Name: cli_xml_server
CSCvn17585 FXOS: Unexpected reload due to dcosAG crash
CSCvn46577 Some SSH sessions to FXOS are not timed out by absolute/session timeout
CSCvn64163 ASA's fail to reboot after power cycle if disk is FSCK'd
CSCvn77641 SSP fail to wire ports cannot recover
CSCvn90677 During FTD install, setting the disk partition size can silently fail
CSCvn98401 Many 0-byte files in /opt/cisco/platform/logs/corruptConfigs causes LACP problems and instability
CSCvo10712 SMA creates a new file every minute if cspCfgXml is corrupted
CSCvo28623 ssp_admin_status.sh detects left over metadata json file after failed upgrade
CSCvo28634 MIO reports incorrect status to the app-instance
CSCvo58998 FXOS Cruz Adapter doesn't validate data sent by logical device causing dropped offloaded packets

Resolved Bugs in FXOS 2.3.1.130

The following table lists the previously release-noted and customer-found defects that were resolved in FXOS 2.3.1.130:

Table 12. Resolved Bugs in FXOS 2.3.1.130
Identifier Description
CSCvg99960 SSH login failure with remote authentication occasionally.
CSCvj58802 M4 Blade BIOS SM 24/36/44: BIOS NVRAM corruption with CID keys overlapped
CSCvj82302 Owner of the connection going to DISABLED state on running traffic with MIO traffic capture enabled
CSCvm73853 Firepower Chassis Reloads on License Manager running in FXOS 2.2.2.26
CSCvn02835 Port-type in ExternalPortLink not set correctly when upgrading to 2.3.1
CSCvn48162 NTP communication errors may cause duplicate entries in iptables resulting in HB errors
CSCvn56156 Silent packet drops may occur on FXOS platforms due to classifier table entry corruption

Resolved Bugs in FXOS 2.3.1.111

The following table lists the previously release-noted and customer-found defects that were resolved in FXOS 2.3.1.111:

Table 13. Resolved Bugs in FXOS 2.3.1.111
Identifier Description
CSCvn23221 Cruz ASIC crash due to ecpumgr assertion panic

Resolved Bugs in FXOS 2.3.1.110

The following table lists the previously release-noted and customer-found defects that were resolved in FXOS 2.3.1.110:

Table 14. Resolved Bugs in FXOS 2.3.1.110
Identifier Description
CSCvh66227 QP: After disk failure, ASA leaves and rejoins cluster repeatedly
CSCvh71878 aaaRole operation priv occasionally sees 'operations' causing import to fail
CSCvi07713 RestoreApp and UpdateApp FSM are deprecated but fault can still be seen
CSCvi47523 SSP-NTP: ssp-ntp script monitoring script enhancements for XRU, KP
CSCvj06276 FXOS: Cannot retrieve correct disk usage value (/dev/sdaX) by snmpwalk
CSCvj35396 Failure on Associate Bmc Config Pnu OS on 2.3.1
CSCvj65253 "System halted." message not printed after graceful shutdown
CSCvj66002 devcmd error messages are shown in the logs
CSCvk42561 BEMS841608 : MIO crash when packet capture is started from FCM.
CSCvk76146 Few devices /ngfw partition on 41xx shows 39GB whereas other shows 100 GB
CSCvm05464 CVE-2018-5391 Remote denial of service via improper IP fragment handling
CSCvm21278 Evaluation of ssp for CVE-2018-5391 (FragmentSmack)
CSCvm33545 Clock drift in the system causes ndmain to report the service down status
CSCvm54875 /etc/init.d/sendsigs on blade infra is incorrectly integrated
CSCvm81014 FP9300/FP4100 Smart Licensing - Unable to register FXOS devices Smart Licensing

Resolved Bugs in FXOS 2.3.1.99

The following table lists the previously release-noted and customer-found defects that were resolved in FXOS 2.3.1.99:

Table 15. Resolved Bugs in FXOS 2.3.1.99
Identifier Description
CSCvg03807 Apache HTTP Server Options Request Processing Information Disclosure Vulnerability
CSCvg72175 SNMP trap hosts defined by hostname aren't propagated to FXOS configuration
CSCvh51597 Option to include domain name / FQDN in system name when queried by SNMP
CSCvh66227 QP: After disk failure, ASA leaves and rejoins cluster repeatedly
CSCvi01474 DME traceback seen when upgrading to 9.9.1.3
CSCvi41789 FXOS might crash in "fcpc hap reset" service
CSCvi80806 FP9300 unexpected reload due to service "lldp" hap failure
CSCvi87967 Radius/TACACS shared key should not be enforced to a minimum of characters.
CSCvi91153 [FSM.FAILED]. external aaa server configuration" health alert
CSCvj07879 Firepower (FP) 9300 Chassis goes into unstable state when issued a "shutdown" from the GUI
CSCvj09999 SNMPv3 polling from certain NMS doesn't work with privacy enabled for the snmpv3 user
CSCvj54937 FCM GUI, NTP status Unreachable/Invalid when using NTP domain which resolves to multiple IP.
CSCvj59623 Unable to connect to ftd using "connect ftd" command
CSCvj77506 FXOS: Interface counters might report incorrect values for packets,bytes and
CSCvj87632 chassis memory leak while handling bad xml content (SMA sent bad xml format to serviceOrchAG)
CSCvk24376 Chassis Manager Packet Captures are not bidirectional
CSCvk25776 Prevent situations like failover split brain and shutdown blade completely if one Cruz fails
CSCvk48580 FXOS : Disable LLDP

Resolved Bugs in FXOS 2.3.1.93

The following table lists the previously release-noted and customer-found defects that were resolved in FXOS 2.3.1.93:

Table 16. Resolved Bugs in FXOS 2.3.1.93
Identifier Description
CSCvk19056 Cruz adapter kernel panic at sock_poll
CSCvk25751 Cruz mcp crash with dcem-linkstats command
CSCvk25762 Cruz adapter doesn't recover after the crash
CSCvk27410 cruz kernel corefiles lost after transferred to MIO

Resolved Bugs in FXOS 2.3.1.91

The following table lists the previously release-noted and customer-found defects that were resolved in FXOS 2.3.1.91:

Table 17. Resolved Bugs in FXOS 2.3.1.91
Identifier Description
CSCvi58843 Increase system resiliency when sam.config is not accessible
CSCvj66002 devcmd error messages are shown in the logs

Resolved Bugs in FXOS 2.3.1.88

The following table lists the previously release-noted and customer-found defects that were resolved in FXOS 2.3.1.88:

Table 18. Resolved Bugs in FXOS 2.3.1.88
Identifier Description
CSCvi05189 FPR4100/9300:Adapter uplink interface on security module showing link state unavailable
CSCvi12081 Port-channel Bandwidth not updating on asa app when we remove a 10G interface from port channel
CSCvi47523 SSP-NTP: ssp-ntp script monitoring script enhancements for XRU, KP
CSCvj19412 FXOS 2.3.1.x : AAA TACACS+ not working when username contains some special characters or only numbers
CSCvj48872 Apache Remote Web Server is affected by multiple vulnerabilities on the FXOS Version 2.3(1.73)

Resolved Bugs in FXOS 2.3.1.75

The following table lists the previously release-noted and customer-found defects that were resolved in FXOS 2.3.1.75:

Table 19. Resolved Bugs in FXOS 2.3.1.75
Identifier Description
CSCvh91287 Adjust minimum fan PWM on thermal policy
CSCvi61729 Error writing nvram:/startup-config (No space left on device)
CSCvi93470 FXOS brings up port-channel prior to logical device
CSCvj07877 syslog messages logfile is not rotated properly

Resolved Bugs in FXOS 2.3.1.73

The following table lists the previously release-noted and customer-found defects that were resolved in FXOS 2.3.1.73:

Table 20. Resolved Bugs in FXOS 2.3.1.73
Identifier Description
CSCvf81997 QP backplane went down after repeating cluster bundle/de-bundle
CSCvh13415 ASA:OpenSSL Vulnerabilities CVE-2017-3737 and CVE-2017-3738
CSCvh21120 Clustering configuration on the chassis is missing or incomplete; clustering is disable
CSCvh26578 Cruz firmware in R231 is from wrong branch
CSCvh60428 FXOS upgrade from 2.2.1.66 to 2.2.2 or 2.3.1 hangs at fabric-interconnect Failed until reboot.
CSCvh75946 App-instance should be enabled if it was mistakenly disabled by blacklist in old bundle
CSCvh96609 BGP peering flaps during cluster upgrade

Resolved Bugs in FXOS 2.3.1.66

The following table lists the previously release-noted and customer-found defects that were resolved in FXOS 2.3.1.66:

Table 21. Resolved Bugs in FXOS 2.3.1.66
Identifier Description
CSCuw44001 Address CIAM CVE-2015-5621 in Net-SNMP Master Agent
CSCva78506 GNU glibc __libc_use_alloca Policy Denial of Service Vulnerability
CSCvg59491 Etherchannel between FXOS chassis may get stuck in "Suspended" state after reloading simultaneously
CSCvg81822 FXOS NTP Client chooses IPv4 over IPv6 when Dual Stack Server Resolution is returned
CSCvg81882 Utilizing FQDN for IPv6 NTP Server causes false "Unreachable or Invalid" state
CSCvg87518 Ethanalyzer command on FX-OS prompts for password when tacacs authentication is enabled
CSCvh52142 Do not block users' change on FTD's startup version

Resolved Bugs in FXOS 2.3.1.58

The following table lists the previously release-noted and customer-found defects that were resolved in FXOS 2.3.1.58:

Table 22. Resolved Bugs in FXOS 2.3.1.58
Identifier Description
CSCvh64138 FXOS upgrade to 2.3.1.X causes FTD logical device to not come up

Resolved Bugs in FXOS 2.3.1.56

The following table lists the previously release-noted and customer-found defects that were resolved in FXOS 2.3.1.56:

Table 23. Resolved Bugs in FXOS 2.3.1.56
Identifier Description
CSCuy98317 Unable to soft dissociate intf from LD, if LD name has -
CSCuz94799 ENH: Radius Shared Secret in FXOS limited to 63 characters
CSCvb41860 In Asa mgmt interface showing up even after disable mgmt interface in MIO
CSCvb65011 EntityPhysical MIB has the Sup serial number for the chassis
CSCvb96329 ENH: FPRM brief techsupport needs a revisit to include information relevant to FXOS platforms
CSCvc14775 App-instance stuck at Not Responding if downgraded from FXOS 2.0.1.86 + ASA 9.6.2 to FXOS 1.1.4.140
CSCvc16980 For CSP image integrity, the Validation State for the FXOS images should be shown as “None” initially
CSCvc38482 ENH: Chassis Manager UI needs message re: setting NTP for SSP FTDs
CSCvd35538 Syslog: Too many semaphore lock related info
CSCvd36238 TLS: Support configuring TLS versions for Apache
CSCvd43782 LACP port-channel through FXOS does not come up
CSCvd48719 FTD logical device not allowing user to provide FMC hostname instead of ip
CSCvd51929 Last uploaded fxos platform-bundle shows "blank" for Image Integrity
CSCvd58911 Chassis reboots while copying large (5GB) files to /bootflash
CSCvd63389 FXOS may show thermal condition due to loss of connectivity with blade
CSCvd70434 Validation error in chassis manager when assigning data int to logical device that was a mgmt int
CSCvd71958 FXOS 9300/4100: no fault or indication Security Module is in fail-safe mode
CSCvd75663 Help files not loading when we click on ? mark
CSCvd88338 Switch configuration failed - Error: unknown - delete Ipmc ipmc-group 5
CSCvd89895 FP4100 FXOS 2.1.1.73 ecmp-groups to “del” state intermittently after link shut/unshut
CSCvd97962 Cisco ASA Next-Generation Firewall Services Local Management Filtering Bypass Vulnerability
CSCve02820 Damaged EPM resistor causes chassis reboot after SFP/QSFP OIR
CSCve03660 Cisco FXOS and NX-OS Authentication, Authorization, and Accounting Denial of Service Vulnerability
CSCve13142 BCM SDK migration from v6.3.4 to v6.5.8
CSCve14981 FPR4100: insufficient max memory for appAG
CSCve16011 ASA Install Failed with Error message “CSP reached max-app-limit -Install Rejected”
CSCve16901 Generation of device troubleshoot files on FMC causes core.ucssh files at FTD
CSCve24820 Chassis Mgr: Console authentication box not showing 'TACACS' after new login
CSCve58269 NTP: change v2 to v3
CSCve60384 FEX messages on boot and CLI on FP4100 should not be there
CSCve61193 FXOS should not return any value for not supported MIB 'CISCO-CONFIG-MAN-MIB'
CSCve95234 Unable to collect blade logs. Support send_diag_archive' command failed
CSCve97137 Apache HTTP Server ap_get_basic_auth_pw() Authentication Bypass Vulnerability
CSCvf02982 xml file import failure occur when between Port-channel and ASA or FTD are associated.
CSCvf07255 Application is not coming up after powering the chassis “off” and then “on”
CSCvf14733 NTP server status does not show correctly for IPv6
CSCvf18549 Need to port parent fix CSCvc53424 to SSP
CSCvf54485 FXOS: FTW 1G EPM packets with frame size greater than 1554 is getting dropped.
CSCvf60220 Mgmt interface nameif “Diagnostic” getting removed after swapping mgmt interface from LD
CSCvf63171 SNMP walk not working FXOS Software Version2.2.1.66
CSCvf65919 FP9300 chassis running fxos 2.1.1.73 reloaded due to license manager service.
CSCvf70505 FPR Chassis manager continues contacting previous TACACS server configured after it is deleted.
CSCvf71068 Output of “show snmp internal oids supported” for OIDs 1.3.6.1.4.1.9.9.826. is incorrect
CSCvf79289 FCM Export Configuration doesn't download XML file on IE11
CSCvf95185 FXOS - Unable to clear SSH host key in local-mgmt CLI
CSCvf97337 Chassis manager show configuration button broken
CSCvg00589 FPR4100/9300: FTW feature failing when MIO shuts down/rebooted causing packet loss.
CSCvg02469 Prevent potential Assertion core for empty CRL filename
CSCvg03555 NTP status becomes Unreachable/Invalid after sometime
CSCvg05392 ndmain.log file needs to change timestamp to include date and match other logs
CSCvg15516 Evaluate Red Hat Linux CVE-2017-1000253 Vulnerability
CSCvg15519 Evaluate Red Hat Linux CVE-2017-1000253 Vulnerability
CSCvg19034 FP9300 unexpected reload due to service “pfma” hap
CSCvg24820 ASA app-instance running 9.6.1 is disabled when upgrading from 2.0(1.37) to 2.0(1.149)
CSCvg25443 FTD App Instance goes unresponsive after NTP synchronisation completes on FXOS
CSCvg34848 NTP Server information not loading when using FQDN for ipv6
CSCvg54622 KP-HA:Secondary shows as “Unknown” and Deployment fails after that.

Online Resources

Cisco provides online resources to download documentation, software, and tools, to query bugs, and to open service requests. Use these resources to install and configure Firepower software and to troubleshoot and resolve technical issues.

Access to most tools on the Cisco Support & Download site requires a Cisco.com user ID and password.

Contact Cisco

If you cannot resolve an issue using the online resources listed above, contact Cisco TAC:

Communications, Services, and Additional Information

  • To receive timely, relevant information from Cisco, sign up at Cisco Profile Manager.

  • To get the business impact you’re looking for with the technologies that matter, visit Cisco Services.

  • To submit a service request, visit Cisco Support.

  • To discover and browse secure, validated enterprise-class apps, products, solutions and services, visit Cisco Marketplace.

  • To obtain general networking, training, and certification titles, visit Cisco Press.

  • To find warranty information for a specific product or product family, access Cisco Warranty Finder.