Cisco Firepower 4100/9300 FXOS Release Notes, 2.3(1)
This document contains release information for Cisco Firepower eXtensible Operating System (FXOS) 2.3(1).
Use this release note as a supplement with the other documents listed in the documentation roadmap:
 Note |
The online versions of the user documentation are occasionally updated after the initial release. As a result, the information contained in the documentation on Cisco.com supersedes any information contained in the context-sensitive help included with the product. |
Introduction
The Cisco Firepower security appliance is a next-generation platform for network and content security solutions. The Firepower security appliance is part of the Cisco Application Centric Infrastructure (ACI) Security Solution and provides an agile, open, secure platform that is built for scalability, consistent control, and simplified management.
The Firepower security appliance provides the following features:
-
Modular chassis-based security system—Provides high performance, flexible input/output configurations, and scalability.
-
Firepower Chassis Manager—Graphical user interface provides a streamlined, visual representation of the current chassis status and allows for simplified configuration of chassis features.
-
FXOS CLI—Provides command-based interface for configuring features, monitoring chassis status, and accessing advanced troubleshooting features.
-
FXOS REST API—Allows users to programmatically configure and manage their chassis.
What's New
New Features in FXOS 2.3.1.190
Cisco FXOS 2.3.1.190 introduces the following new features in addition to the features included in earlier releases:
Fixes for various problems (see Resolved Bugs in FXOS 2.3.1.190).
New Features in FXOS 2.3.1.180
Cisco FXOS 2.3.1.180 introduces the following new features in addition to the features included in earlier releases:
Fixes for various problems (see Resolved Bugs in FXOS 2.3.1.180).
New Features in FXOS 2.3.1.179
Cisco FXOS 2.3.1.179 introduces the following new features in addition to the features included in earlier releases:
Fixes for various problems (see Resolved Bugs in FXOS 2.3.1.179).
New Features in FXOS 2.3.1.173
Cisco FXOS 2.3.1.173 introduces the following new features in addition to the features included in earlier releases:
Fixes for various problems (see Resolved Bugs in FXOS 2.3.1.173).
New Features in FXOS 2.3.1.166
Cisco FXOS 2.3.1.166 introduces the following new features in addition to the features included in earlier releases:
Fixes for various problems (see Resolved Bugs in FXOS 2.3.1.166).
New Features in FXOS 2.3.1.155
Cisco FXOS 2.3.1.155 introduces the following new features in addition to the features included in earlier releases:
Fixes for various problems (see Resolved Bugs in FXOS 2.3.1.155).
New Features in FXOS 2.3.1.145
Cisco FXOS 2.3.1.145 introduces the following new features in addition to the features included in earlier releases:
Fixes for various problems (see Resolved Bugs in FXOS 2.3.1.145).
New Features in FXOS 2.3.1.144
Cisco FXOS 2.3.1.144 introduces the following new features in addition to the features included in earlier releases:
Fixes for various problems (see Resolved Bugs in FXOS 2.3.1.144).
New Features in FXOS 2.3.1.130
Cisco FXOS 2.3.1.130 introduces the following new features in addition to the features included in earlier releases:
Fixes for various problems (see Resolved Bugs in FXOS 2.3.1.130).
New Features in FXOS 2.3.1.111
Cisco FXOS 2.3.1.111 introduces the following new features in addition to the features included in earlier releases:
Fixes for various problems (see Resolved Bugs in FXOS 2.3.1.111).
New Features in FXOS 2.3.1.110
Cisco FXOS 2.3.1.110 introduces the following new features in addition to the features included in earlier releases:
Fixes for various problems (see Resolved Bugs in FXOS 2.3.1.110).
New Features in FXOS 2.3.1.99
Cisco FXOS 2.3.1.99 introduces the following new features in addition to the features included in earlier releases:
Fixes for various problems (see Resolved Bugs in FXOS 2.3.1.99).
New Features in FXOS 2.3.1.93
Cisco FXOS 2.3.1.93 introduces the following new features in addition to the features included in earlier releases:
Fixes for various problems (see Resolved Bugs in FXOS 2.3.1.93).
New Features in FXOS 2.3.1.91
Cisco FXOS 2.3.1.91 introduces the following new features in addition to the features included in earlier releases:
Fixes for various problems (see Resolved Bugs in FXOS 2.3.1.91).
New Features in FXOS 2.3.1.88
Cisco FXOS 2.3.1.88 introduces the following new features in addition to the features included in earlier releases:
Fixes for various problems (see Resolved Bugs in FXOS 2.3.1.88).
New Features in FXOS 2.3.1.75
Cisco FXOS 2.3.1.75 introduces the following new features in addition to the features included in earlier releases:
Fixes for various problems (see Resolved Bugs in FXOS 2.3.1.75).
New Features in FXOS 2.3.1.73
Cisco FXOS 2.3.1.73 introduces the following new features in addition to the features included in earlier releases:
Fixes for various problems (see Resolved Bugs in FXOS 2.3.1.73).
New Features in FXOS 2.3.1.66
Cisco FXOS 2.3.1.66 introduces the following new features in addition to the features included in earlier releases:
Fixes for various problems (see Resolved Bugs in FXOS 2.3.1.66).
New Features in FXOS 2.3.1.58
Cisco FXOS 2.3.1.58 introduces the following new features in addition to the features included in earlier releases:
Fixes for various problems (see Resolved Bugs in FXOS 2.3.1.58).
New Features in FXOS 2.3.1.56
Warning: FXOS 2.3.1.56, which was briefly available on Cisco.com, is no longer supported. If you initially installed Firepower Threat Defense Version 6.0.1 on a Firepower 9300 or 4100 series device and have never reinstalled the Firepower software (you have only upgraded), upgrading to FXOS 2.3.1.56 disables the Firepower Threat Defense application. This may interrupt traffic on your network. If this happens to you, upgrade FXOS from Version 2.3.1.56 to Version 2.3.1.58 to restore Firepower Threat Defense functionality. For more information, see CSCvh64138 in the Cisco Bug Search Tool.
Cisco FXOS 2.3.1.56 introduces the following new features:
-
Support for ASA 9.9(1).
-
Support for Radware DefensePro 8.13.
-
Adds variable core allocation option for the installation of Radware DefensePro. When enabled, this feature allows you to optimize Radware DefensePro install performance.
-
The FXOS upgrade procedure no longer requires that you download the logical device CSP after upgrading the FXOS platform bundle. You can download any CSP onto your system before upgrading your FXOS to 2.3(1).
-
The Firepower 10G and 40G network modules now support hot swapping.
-
Improvements to the management of logical devices after creation:
-
After modifying the logical device using Firepower Chassis Manager to assign a new management IP address and bootstrap keys, Firepower Chassis Manager no longer automatically restarts the application.
-
If you make changes to a logical device that require a restart, Firepower Chassis Manager will notify you and allow you to restart after saving or delay restart until you initiate later.
-
You can now restart an application from the Firepower Chassis Manager Logical Devices page.
-
If you modify bootstrap information for a logical device using the FXOS CLI, you will not be notified when you must clear the management bootstrap and restart the application.
-
-
Improvements to the management of clusters:
-
Adds additional support for determining the time and the reason for application cluster state change; for example, when and why an application joins or leaves the cluster.
-
Adds additional support for identifying significant application state change, including online, offline, not-responding, install-failed, start-failed, stop-failed, update-failed, and unsupported.
-
-
Adds additional support for determining and reporting on the health of security modules.
-
For Firepower 9300/4100 series security appliances with an ASA security module, the flow off-loading feature has been improved to support 4 million bidirectional or 8 million unidirectional off-loaded flows.
-
Adds SNMP Support for network modules. Information about network modules are available by querying the ENTITY-MIB (OID 1.3.6.1.2.1.47), the IF-MIB (OID 1.3.6.1.2.1.31), and the CISCO-FIREPOWER-EQUIPMENT-MIB (OID 1.3.6.1.4.1.9.9.826.1.20).
-
Adds support for Smart Agent Strong Encryption even after connection to CSSM/CSSM On-Prem is lost. This allows a Firepower 9300/4100 series security appliance to remain in its last known export compliance state, even if the connection to Cisco Smart Software Manager is lost for an extended period.
-
Adds option to configure the minimum Transport Layer Security (TLS) version allowed when communicating with external devices.
-
The uplink port status of the management port on the Firepower 9300/4100 series security appliance is now synchronized with the management interface status in the applications running on it.
-
Fixes for various problems (see Resolved Bugs in FXOS 2.3.1.56).
Software Download
You can download software images for FXOS and supported applications from one of the following URLs:
-
Firepower 9300 — https://software.cisco.com/download/type.html?mdfid=286287252
-
Firepower 4100 — https://software.cisco.com/download/navigator.html?mdfid=286305164
For information about the applications that are supported on a specific version of FXOS, see the Cisco FXOS Compatibility guide at this URL:
https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/compatibility/fxos-compatibility.html
Important Notes
-
When you configure Radware DefensePro (vDP) in a service chain on a currently running Firepower Threat Defense application on a Firepower 4110 or 4120 device, the installation fails with a fault alarm. As a workaround, stop the Firepower Threat Defense application instance before installing the Radware DefensePro application. Note that this issue and workaround apply to all supported releases of Radware DefensePro service chaining with Firepower Threat Defense on Firepower 4110 and 4120 devices.
-
Firmware Upgrade—We recommend upgrading your Firepower 4100/9300 security appliance with the latest firmware. For information about how to install a firmware update and the fixes included in each update, see https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/firmware-upgrade/fxos-firmware-upgrade.html.
-
When upgrading a network or security module, certain faults are generated and then cleared automatically. These include a “hot swap not supported” fault or a “module removed when in online state” fault. If you have followed the appropriate procedures, as described in the Cisco Firepower 9300 Hardware Installation Guide ( http://www.cisco.com/go/firepower9300-install) or Cisco Firepower 4100 Series Hardware Installation Guide ( http://www.cisco.com/go/firepower4100-install), the fault(s) will be cleared automatically and no additional action is required.
Adapter Bootloader Upgrade
FXOS 2.3(1) contains additional testing to verify the security module adapters on your security appliance. After installing FXOS 2.3.1.58 or later, you might receive a critical fault similar to the following on your security appliance indicating that you should update the firmware for your security module adapter:
Critical F1715 2017-05-11T11:43:33.121 339561 Adapter 1 on Security Module 1 requires a critical firmware upgrade. Please see Adapter Bootloader Upgrade instructions in the FXOS Release Notes posted with this release.
If you receive the above message, use the following procedure to update the boot image for your adapter:
-
Connect to the FXOS CLI on your Firepower security appliance. For instructions, see the “Accessing the FXOS CLI” topic in the Cisco FXOS CLI Configuration Guide or the Cisco FXOS Firepower Chassis Manager Configuration Guide (see Related Documentation).
-
Enter the adapter mode for the adapter whose boot image you are updating:
fxos-chassis# scope adapter 1/security_module_number/adapter_number
-
Enter show image to view the available adapter images and to verify that fxos-m83-8p40-cruzboot.4.0.1.62.bin is available to be installed:
fxos-chassis /chassis/server/adapter # show image Name Type Version --------------------------------------------- -------------------- ------- fxos-m83-8p40-cruzboot.4.0.1.62.bin Adapter Boot 4.0(1.62) fxos-m83-8p40-vic.4.0.1.51.gbin Adapter 4.0(1.51) -
Enter update boot-loader to update the adapter boot image to version 4.0.1.62:
fxos-chassis /chassis/server/adapter # update boot-loader 4.0(1.62) Warning: Please DO NOT reboot blade or chassis during upgrade, otherwise, it may cause adapter to become UNUSABLE! After upgrade has completed, blade will be power cycled automatically fxos-chassis /chassis/server/adapter* # commit-buffer -
Enter show boot-update status to monitor the update status:
fxos-chassis /chassis/server/adapter # show boot-update status State: Updating fxos-chassis /chassis/server/adapter # show boot-update status State: Ready -
Enter show version detail to verify that the update was successful:
Note
Your show version detail output might differ from the following example. However, verify that Bootloader-Update-Status is “Ready” and that Bootloader-Vers is 4.0(1.62).
fxos-chassis /chassis/server/adapter # show version detail Adapter 1: Running-Vers: 5.2(1.2) Package-Vers: 2.2(2.17) Update-Status: Ready Activate-Status: Ready Bootloader-Update-Status: Ready Startup-Vers: 5.2(1.2) Backup-Vers: 5.0(1.2) Bootloader-Vers: 4.0(1.62)
System Requirements
You can access the Firepower Chassis Manager using the following browsers:
-
Mozilla Firefox—Version 42 and later
-
Google Chrome—Version 47 and later
-
Microsoft Internet Explorer—Version 11 and later
We tested FXOS 2.3(1) using Mozilla Firefox version 42, Google Chrome version 47, and Internet Explorer version 11. We anticipate that future versions of these browsers will also work. However, if you experience any browser-related issues, we suggest you revert to one of the tested versions.
Upgrade Instructions
For complete information on how to upgrade FXOS on your Firepower 4100/9300 device, see the Cisco Firepower 4100/9300 Upgrade Guide.
Note |
Downgrade of FXOS images is not officially supported. The only Cisco-supported method of downgrading an image version of FXOS is to perform a complete re-image of the device. |
Open and Resolved Bugs
The open and resolved bugs for this release are accessible through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products.
Note |
You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you do not have one, you can register for an account. |
For more information about the Cisco Bug Search Tool, see the Bug Search Tool Help & FAQ.
Open Bugs
The following table lists select bugs open at the time of this Release Note publication:
| Identifier | Description |
|---|---|
| CSCus73654 | ASA do not mark management-only for the mgmt interface assign by LD |
| CSCuu33739 | Physical interface speeds in port-channel are incorrect |
| CSCuw31077 | Filter applied to a interface should be validated |
| CSCux37821 | Platform settings auth the order field shows only lowest-available |
| CSCux63101 | All memory(s) under Memory array shows as unknown in operable column |
| CSCux77947 | Pcap file size not updated properly when data sent at high rate |
| CSCux98517 | Un-decorating data port for VDP should be allowed from Chassis Manager |
| CSCuy21573 | Chassis Manager: Sorting Broken in Updates Page |
| CSCuz93180 | AAA LDAP configuration does not preserve information if validation fails |
| CSCva86452 | link flap on switch connected to 10G and 40G SR FTW card on power off |
| CSCvb52076 | Link flap on link partner with Watford 1G-Copper FTW module during boot up |
| CSCvc03494 | Radware vDP cannot be added into APSolute Vision. As a workaround, you must manually download the device driver and install it into Vision. |
| CSCvc44522 | Log Capacity on Management controller Server1/1 is very low Warning |
| CSCvd34042 | MIO has rebooted while testing the packet capture with 92.2.1.1821 |
| CSCvd90177 | Blade went to fault state after doing a MIO reload on QP-D with FXOS 2.2.1.57 |
| CSCve07226 | QP-D & QP-C Slot stuck at restart state after doing “reset hard-reset-immediate” |
| CSCvf16473 | LLDP packets not captured on MIO |
| CSCvf70180 | FCM is sending the DNS search domain list to ASDM instead of just one domain |
| CSCvf94658 | SSH is not accessible to the device after erase configuration |
| CSCvg54742 | FTW - Traffic loss seen when chassis shutdown gracefully from FXOS GUI |
| CSCvg57022 | Chassis Mgr:Incorrect timezone on login detail information |
| CSCvg57037 | Chassis Mgr:Password “Set:Yes” or No appears at incorrect place (Japanese language) |
| CSCvg62443 | Chassis Manger UI (Logical Devices page) doesn't show correct IP of FTD device |
| CSCvg65185 | Error message contains html syntax strings. |
| CSCvg67730 | put cap on blade core files so as to avoid incomplete blade tech-support due to low disk space |
| CSCvg68299 | FXOS chassis manager interface gets disassociated from FTD after a failover |
| CSCvg70522 | FXOS - Unable to connect by telnet when internet connectivity is lost |
| CSCvg71168 | asa is started even on a failed security module |
| CSCvg72548 | Double VLAN headers observed in Maverick front and backplane packet captures |
| CSCvg72559 | Enabling packet capture with IPv6 filter failed |
Resolved Bugs in FXOS 2.3.1.216
The following table lists the previously release-noted and customer-found defects that were resolved in FXOS 2.3.1.216:
|
Identifier |
Description |
|---|---|
|
Lasso SAML Implementation Vulnerability Affecting Cisco Products: June 2021 |
Resolved Bugs in FXOS 2.3.1.215
The following table lists the previously release-noted and customer-found defects that were resolved in FXOS 2.3.1.215:
|
Identifier |
Description |
|---|---|
|
FXOS upgrade to 2.3.1.X causes FTD logical device to not come up |
|
|
PROMPTING FOR PASSWORD WHEN TRYING TO CONFIGURE enic, vfio-pci , igb_uio ON BLADE |
|
|
"Link not connected" error after reboot when using QSFP-40G-LR4 transceiver on FPR9K-NM-4X40G |
|
|
FXOS dynamically learning mac-address of external machine causing outage |
|
|
Upgrade : FSM status can show incorrect value after upgrade |
|
|
Cisco FXOS and NX-OS Software UDLD DoS and Arbitrary Code Execution Vulnerability |
|
|
Cisco FXOS and NX-OS Software UDLD DoS and Arbitrary Code Execution Vulnerability |
|
|
"Link not connected" error when using WSP-Q40GLR4L transceiver and Arista switch |
|
|
FXOS clock sync issue during blade boot up due to "MIO DID NOT RESPOND TO FORCED TIME SYNC" |
|
|
FP93K // 2.3.1.144 // SSH sessions not clearing. More than 32 FPRM CLI sessions are not allowed |
|
|
syslog-ng startup is delayed for 60 seconds, resulting in logger.1 error messages |
|
|
Need to update cert with fractional second |
|
|
QuoVadis root CA decommission on Firepower 9300/4100 Supervisor |
|
|
"System does not allow more than 16 TPs" on 2.3.1.213 |
|
|
MIO SSD upgraded to wrong firmware version. |
|
|
ASA app install failed due to START_FAILED Process_Start_attempt_failed |
|
|
Make sure MIO reboot in case of firmware upgrade is graceful |
|
|
After fxos upgrade to 2.8.1.121, CCL traffic or data traffic not forwarded by switch |
|
|
Need to support firmware upgrade for SSD in FXOS |
Resolved Bugs in FXOS 2.3.1.190
The following table lists the previously release-noted and customer-found defects that were resolved in FXOS 2.3.1.190:
|
Identifier |
Description |
|---|---|
|
FXOS Hostname has an "-A" appended by default |
|
|
App-instance in start-failed with "Application Failing to Start by ProcMgr" error on container app |
|
|
Firepower 4100 series all FTW interfaces link flap at the same time but occur rarely |
|
|
FP 4120 svc_sam_dcosAG crashed with crash type:139 |
|
|
FXOS: svc_sam_dcosAG process crash on FirePower 4100/9300 |
|
|
FXOS ASA race condition leading to cluster join failure and network outage |
|
|
FXOS portAG memory leak during periodical interface polls |
Resolved Bugs in FXOS 2.3.1.180
The following table lists the previously release-noted and customer-found defects that were resolved in FXOS 2.3.1.180:
|
Identifier |
Description |
|---|---|
|
FXOS displays a WSP-Q40GLR4L transceiver from show interface as type QSFP-40G-LR4 |
|
|
"Link not connected" error after reboot when using WSP-Q40GLR4L transceiver on FPR9K-NM-4X40G |
Resolved Bugs in FXOS 2.3.1.179
The following table lists the previously release-noted and customer-found defects that were resolved in FXOS 2.3.1.179:
|
Identifier |
Description |
|---|---|
|
Cisco FXOS and NX-OS CDP Arbitrary Code Execution and DoS Vulnerability |
|
|
FXOS L3 Egress Object Resource Leak due to Port-Channel Member Interface Flaps |
Resolved Bugs in FXOS 2.3.1.173
The following table lists the previously release-noted and customer-found defects that were resolved in FXOS 2.3.1.173:
|
Identifier |
Description |
|---|---|
|
FXOS: Change FSM:FAILED fault severity from Critical to Info |
|
|
Firepower Chassis Reloads due to License Manager |
|
|
SSH idle timeout not working on FTD on Firepower 4100 and Firepower 9300 |
|
|
FXOS randomly shows one NTP server as 'Unreachable Or Invalid NTP Server' once added 4 NTP servers |
|
|
Multicast MAC not programmed on chassis upon app reboot or cluster rejoin |
|
|
Data interfaces bring up delayed after chassis reboot |
|
|
FPR-4110: FXOS CLI crash in feature-mgr process |
|
|
FPR-4100: FXOS CLI crash with fwm hap reset |
|
|
DME process crash due to memory leak on Firepower 9300/4100 |
Resolved Bugs in FXOS 2.3.1.166
The following table lists the previously release-noted and customer-found defects that were resolved in FXOS 2.3.1.166:
|
Identifier |
Description |
|---|---|
|
Error messages seen on console when FXOS boots up |
|
|
FXOS: copy command should allow for wildcards to transfer multiple files |
|
|
Propagate link-state not shown in FTD CLI |
|
|
FTD/ASA installed on firepower devices may report comm failure and assume itself as active/master. |
|
|
[ciam] Apache HTTP Server URL Normalization Denial of Service Vulnerability |
|
|
serial console/SSH login using local account succeeds but immediately returns to login prompt |
|
|
Evaluation of Firepower 4k/9k Supervisor for TCP_SACK |
|
|
Linkdown between FP 4100 and switch when using 40gb bidi to 40/100 bidi |
Resolved Bugs in FXOS 2.3.1.155
The following table lists the previously release-noted and customer-found defects that were resolved in FXOS 2.3.1.155:
| Identifier | Description |
|---|---|
| CSCvg72204 | SNMPv3 users created for noauth aren't present in FXOS CLI config, only at scope monitoring and GUI |
| CSCvg72259 | Disabling and re-enabling SNMP via GUI wipes out all the users auth and privacy hashes from FXOS CLI |
| CSCvh70046 | MIO does not respond when we interrupt the startup configuration after erase config |
| CSCvj98499 | Linux Kernel cdrom_ioctl_media_changed Function Kernel Memory Read Vul |
| CSCvk62910 | App upgrade fails with error "Job type is wrong.(sam:dme:SdAppInstanceUpgradeApplication:Upgrade) |
| CSCvk69480 | FXOS Cannot create a Local Username with at least one capital letter |
| CSCvk70849 | FCM GUI authentication fails with "Unable to Login. Authentication failed" if the password >32 chars |
| CSCvm53282 | FTD: Routing tables added by ICMP redirects gets stuck in routing table cache forever |
| CSCvn11768 | Application CSP should not be deleted if application instance references it |
| CSCvn24594 | add NTPDATE update of blade sysclock from the supervisor before starting NTPD |
| CSCvn36413 | upgrade-recovery corner case for specific versioning format/naming |
| CSCvn42582 | FXOS "Reminder to trigger an export" is changed from disable to enable after reboot |
| CSCvn78014 | Graceful shutdown is not working on data port. |
| CSCvn90701 | Errors that occur during FTD install are not logged |
| CSCvo75349 | FXOS Blade CRUZ FW coredump due to a memory corruption |
| CSCvo93924 | FTD may not become online after installing vDP |
| CSCvp21561 | Cruz Adaptor crash |
| CSCvp40260 | Prevent STP and FC frames from being sent to SUP CPU |
Resolved Bugs in FXOS 2.3.1.145
The following table lists the previously release-noted and customer-found defects that were resolved in FXOS 2.3.145:
| Identifier | Description |
|---|---|
| CSCvo87116 | MTS messages stuck in AppAG recv_q |
| CSCvo90987 | Enhancement for debugging link down/flap issues for bcm_usd.log files on customer units |
Resolved Bugs in FXOS 2.3.1.144
The following table lists the previously release-noted and customer-found defects that were resolved in FXOS 2.3.144:
| Identifier | Description |
|---|---|
| CSCvf57881 | Firepower Supervisor: Log only valid usernames for failed login attempts |
| CSCvi24516 | Blade stuck in fault state after doing an upgrade |
| CSCvk26936 | Graceful shutdown is not working as expected |
| CSCvk35425 | "System halted" messages didn't appear after graceful shutdown via CLI or chassis manager |
| CSCvk47441 | FXOS 4100/9300: icmp redirect get stuck in FXOS OOB management routing table forever |
| CSCvk60985 | Machine Check events logged. Possible hardware issue. FXOS Blade: mcelog support |
| CSCvm72541 | Speed is 0 in interfaceMapping message if a port-channel's status is down |
| CSCvm76266 | Lina traceback in Thread Name: cli_xml_server |
| CSCvn17585 | FXOS: Unexpected reload due to dcosAG crash |
| CSCvn46577 | Some SSH sessions to FXOS are not timed out by absolute/session timeout |
| CSCvn64163 | ASA's fail to reboot after power cycle if disk is FSCK'd |
| CSCvn77641 | SSP fail to wire ports cannot recover |
| CSCvn90677 | During FTD install, setting the disk partition size can silently fail |
| CSCvn98401 | Many 0-byte files in /opt/cisco/platform/logs/corruptConfigs causes LACP problems and instability |
| CSCvo10712 | SMA creates a new file every minute if cspCfgXml is corrupted |
| CSCvo28623 | ssp_admin_status.sh detects left over metadata json file after failed upgrade |
| CSCvo28634 | MIO reports incorrect status to the app-instance |
| CSCvo58998 | FXOS Cruz Adapter doesn't validate data sent by logical device causing dropped offloaded packets |
Resolved Bugs in FXOS 2.3.1.130
The following table lists the previously release-noted and customer-found defects that were resolved in FXOS 2.3.130:
| Identifier | Description |
|---|---|
| CSCvg99960 | SSH login failure with remote authentication occasionally. |
| CSCvj58802 | M4 Blade BIOS SM 24/36/44: BIOS NVRAM corruption with CID keys overlapped |
| CSCvj82302 | Owner of the connection going to DISABLED state on running traffic with MIO traffic capture enabled |
| CSCvm73853 | Firepower Chassis Reloads on License Manager running in FXOS 2.2.2.26 |
| CSCvn02835 | Port-type in ExternalPortLink not set correctly when upgrading to 2.3.1 |
| CSCvn48162 | NTP communication errors may cause duplicate entries in iptables resulting in HB errors |
| CSCvn56156 | Silent packet drops may occur on FXOS platforms due to classifier table entry corruption |
Resolved Bugs in FXOS 2.3.1.111
The following table lists the previously release-noted and customer-found defects that were resolved in FXOS 2.3.111:
| Identifier | Description |
|---|---|
| CSCvn23221 | Cruz ASIC crash due to ecpumgr assertion panic |
Resolved Bugs in FXOS 2.3.1.110
The following table lists the previously release-noted and customer-found defects that were resolved in FXOS 2.3.110:
| Identifier | Description |
|---|---|
| CSCvh66227 | QP: After disk failure, ASA leaves and rejoins cluster repeatedly |
| CSCvh71878 | aaaRole operation priv occasionally sees 'operations' causing import to fail |
| CSCvi07713 | RestoreApp and UpdateApp FSM are deprecated but fault can still be seen |
| CSCvi47523 | SSP-NTP: ssp-ntp script monitoring script enhancements for XRU, KP |
| CSCvj06276 | FXOS: Cannot retrieve correct disk usage value (/dev/sdaX) by snmpwalk |
| CSCvj35396 | Failure on Associate Bmc Config Pnu OS on 2.3.1 |
| CSCvj65253 | "System halted." message not printed after graceful shutdown |
| CSCvj66002 | devcmd error messages are shown in the logs |
| CSCvk42561 | BEMS841608 : MIO crash when packet capture is started from FCM. |
| CSCvk76146 | Few devices /ngfw partition on 41xx shows 39GB whereas other shows 100 GB |
| CSCvm05464 | CVE-2018-5391 Remote denial of service via improper IP fragment handling |
| CSCvm21278 | Evaluation of ssp for CVE-2018-5391 (FragmentSmack) |
| CSCvm33545 | Clock drift in the system causes ndmain to report the service down status |
| CSCvm54875 | /etc/init.d/sendsigs on blade infra is incorrectly integrated |
| CSCvm81014 | FP9300/FP4100 Smart Licensing - Unable to register FXOS devices Smart Licensing |
Resolved Bugs in FXOS 2.3.1.99
The following table lists the previously release-noted and customer-found defects that were resolved in FXOS 2.3.1.99:
| Identifier | Description |
|---|---|
| CSCvg03807 | Apache HTTP Server Options Request Processing Information Disclosure Vulnerability |
| CSCvg72175 | SNMP trap hosts defined by hostname aren't propagated to FXOS configuration |
| CSCvh51597 | Option to include domain name / FQDN in system name when queried by SNMP |
| CSCvh66227 | QP: After disk failure, ASA leaves and rejoins cluster repeatedly |
| CSCvi01474 | DME traceback seen when upgrading to 9.9.1.3 |
| CSCvi41789 | FXOS might crash in "fcpc hap reset" service |
| CSCvi80806 | FP9300 unexpected reload due to service "lldp" hap failure |
| CSCvi87967 | Radius/TACACS shared key should not be enforced to a minimum of characters. |
| CSCvi91153 | [FSM.FAILED]. external aaa server configuration" health alert |
| CSCvj07879 | Firepower (FP) 9300 Chassis goes into unstable state when issued a "shutdown" from the GUI |
| CSCvj09999 | SNMPv3 polling from certain NMS doesn't work with privacy enabled for the snmpv3 user |
| CSCvj54937 | FCM GUI, NTP status Unreachable/Invalid when using NTP domain which resolves to multiple IP. |
| CSCvj59623 | Unable to connect to ftd using "connect ftd" command |
| CSCvj77506 | FXOS: Interface counters might report incorrect values for packets,bytes and |
| CSCvj87632 | chassis memory leak while handling bad xml content (SMA sent bad xml format to serviceOrchAG) |
| CSCvk24376 | Chassis Manager Packet Captures are not bidirectional |
| CSCvk25776 | Prevent situations like failover split brain and shutdown blade completely if one Cruz fails |
| CSCvk48580 | FXOS : Disable LLDP |
Resolved Bugs in FXOS 2.3.1.93
The following table lists the previously release-noted and customer-found defects that were resolved in FXOS 2.3.1.93:
| Identifier | Description |
|---|---|
| CSCvk19056 | Cruz adapter kernel panic at sock_poll |
| CSCvk25751 | Cruz mcp crash with dcem-linkstats command |
| CSCvk25762 | Cruz adapter doesn't recover after the crash |
| CSCvk27410 | cruz kernel corefiles lost after transferred to MIO |
Resolved Bugs in FXOS 2.3.1.91
The following table lists the previously release-noted and customer-found defects that were resolved in FXOS 2.3.1.91:
| Identifier | Description |
|---|---|
| CSCvi58843 | Increase system resiliency when sam.config is not accessible |
| CSCvj66002 | devcmd error messages are shown in the logs |
Resolved Bugs in FXOS 2.3.1.88
The following table lists the previously release-noted and customer-found defects that were resolved in FXOS 2.3.1.88:
| Identifier | Description |
|---|---|
| CSCvi05189 | FPR4100/9300:Adapter uplink interface on security module showing link state unavailable |
| CSCvi12081 | Port-channel Bandwidth not updating on asa app when we remove a 10G interface from port channel |
| CSCvi47523 | SSP-NTP: ssp-ntp script monitoring script enhancements for XRU, KP |
| CSCvj19412 | FXOS 2.3.1.x : AAA TACACS+not working when username contains some special characters or only numbers |
| CSCvj48872 | Apache Remote Web Server is affected by multiple vulnerabilities on the FXOS Version 2.3(1.73) |
Resolved Bugs in FXOS 2.3.1.75
The following table lists the previously release-noted and customer-found defects that were resolved in FXOS 2.3.1.75:
| Identifier | Description |
|---|---|
| CSCvh91287 | Adjust minimum fan PWM on thermal policy |
| CSCvi61729 | Error writing nvram:/startup-config (No space left on device) |
| CSCvi93470 | FXOS brings up port-channel prior to logical device |
| CSCvj07877 | syslog messages logfile is not rotated properly |
Resolved Bugs in FXOS 2.3.1.73
The following table lists the previously release-noted and customer-found defects that were resolved in FXOS 2.3.1.73:
| Identifier | Description |
|---|---|
| CSCvf81997 | QP backplane went down after repeating cluster bundle/de-bundle |
| CSCvh13415 | ASA:OpenSSL Vulnerabilities CVE-2017-3737 and CVE-2017-3738 |
| CSCvh21120 | Clustering configuration on the chassis is missing or incomplete; clustering is disable |
| CSCvh26578 | Cruz firmware in R231 is from wrong branch |
| CSCvh60428 | FXOS upgrade from 2.2.1.66 to 2.2.2 or 2.3.1 hangs at fabric-interconnect Failed until reboot. |
| CSCvh75946 | App-instance should be enabled if it was mistakenly disabled by blacklist in old bundle |
| CSCvh96609 | BGP peering flaps during cluster upgrade |
Resolved Bugs in FXOS 2.3.1.66
The following table lists the previously release-noted and customer-found defects that were resolved in FXOS 2.3.1.66:
| Identifier | Description |
|---|---|
| CSCuw44001 | Address CIAM CVE-2015-5621 in Net-SNMP Master Agent |
| CSCva78506 | GNU glibc __libc_use_alloca Policy Denial of Service Vulnerability |
| CSCvg59491 | Etherchannel between FXOS chassis may get stuck in "Suspended" state after reloading simultaneously |
| CSCvg81822 | FXOS NTP Client chooses IPv4 over Ipv6 when Dual Stack Server Resolution is returned |
| CSCvg81882 | Utilizing FQDN for IPv6 NTP Server causes false "Unreachable or Invalid" state |
| CSCvg87518 | Ethanalyzer command on FX-OS prompts for password when tacacs authentication is enabled |
| CSCvh52142 | Do not block users' change on FTD's startup version |
Resolved Bugs in FXOS 2.3.1.58
The following table lists the previously release-noted and customer-found defects that were resolved in FXOS 2.3.1.58:
| Identifier | Description |
|---|---|
| CSCvh64138 | FXOS upgrade to 2.3.1.X causes FTD logical device to not come up |
Resolved Bugs in FXOS 2.3.1.56
The following table lists the previously release-noted and customer-found defects that were resolved in FXOS 2.3.1.56:
| Identifier | Description |
|---|---|
| CSCuy98317 | Unable to soft dissociate intf from LD, if LD name has - |
| CSCuz94799 | ENH: Radius Shared Secret in FXOS limited to 63 characters |
| CSCvb41860 | In Asa mgmt inteface showing up even after disable mgmt interface in MIO |
| CSCvb65011 | EntityPhysical MIB has the Sup serial number for the chassis |
| CSCvb96329 | ENH: FPRM brief techsupport needs a revisit to include information relevant to FXOS platforms |
| CSCvc14775 | App-instance stuck at Not Responding if downgraded from FXOS 2.0.1.86 + ASA 9.6.2 to FXOS 1.1.4.140 |
| CSCvc16980 | For CSP image integrity, the Validation State for the FXOS images should be shown as “None” initially |
| CSCvc38482 | ENH: Chassis Manager UI needs message re: setting NTP for SSP FTDs |
| CSCvd35538 | Syslog: Too many semaphore lock related info |
| CSCvd36238 | TLS: Support configuring TLS versions for Apache |
| CSCvd43782 | LACP port-channel through FXOS does not come up |
| CSCvd48719 | FTD logical device not allowing user to provide FMC hostname instead of ip |
| CSCvd51929 | Last uploaded fxos platform-bundle shows "blank" for Image Integrity |
| CSCvd58911 | Chassis reboots while copying large (5GB) files to /bootflash |
| CSCvd63389 | FXOS may show thermal condition due to loss of connectivity with blade |
| CSCvd70434 | Validation error in chassis manager when assigning data int to logical device that was a mgmt int |
| CSCvd71958 | FXOS 9300/4100: no fault or indication Security Module is in fail-safe mode |
| CSCvd75663 | Help files not loading when we click on ? mark |
| CSCvd88338 | Switch configuration failed - Error: unknown - delete Ipmc ipmc-group 5 |
| CSCvd89895 | FP4100 FXOS 2.1.1.73 ecmp-groups to “del” state intermittently after link shut/unshut |
| CSCvd97962 | Cisco ASA Next-Generation Firewall Services Local Management Filtering Bypass Vulnerability |
| CSCve02820 | Damaged EPM resistor causes chassis reboot after SFP/QSFP OIR |
| CSCve03660 | Cisco FXOS and NX-OS Authentication, Authorization, and Accounting Denial of Service Vulnerability |
| CSCve13142 | BCM SDK migration from v6.3.4 to v6.5.8 |
| CSCve14981 | FPR4100: insufficient max memory for appAG |
| CSCve16011 | ASA Install Failed with Error message “CSP reached max-app-limit -Install Rejected” |
| CSCve16901 | Generation of device troubleshoot files on FMC causes core.ucssh files at FTD |
| CSCve24820 | Chassis Mgr: Console authentication box not showing 'TACACS' after new login |
| CSCve58269 | NTP: change v2 to v3 |
| CSCve60384 | FEX messages on boot and CLI on FP4100 should not be there |
| CSCve61193 | FXOS should not return any value for not supported MIB 'CISCO-CONFIG-MAN-MIB' |
| CSCve95234 | Unable to collect blade logs. Support send_diag_archive' command failed |
| CSCve97137 | Apache HTTP Server ap_get_basic_auth_pw() Authentication Bypass Vulnerability |
| CSCvf02982 | xml file import failure occur when between Port-channel and ASA or FTD are associated. |
| CSCvf07255 | Application is not coming up after powering the chassis “off” and then “on” |
| CSCvf14733 | NTP server status does not show correctly for IPv6 |
| CSCvf18549 | Need to port parent fix CSCvc53424 to SSP |
| CSCvf54485 | FXOS: FTW 1G EPM packets with frame size greater than 1554 is getting dropped. |
| CSCvf60220 | Mgmt interface nameif “Diagnostic” getting removed after swapping mgmt interface from LD |
| CSCvf63171 | SNMP walk not working FXOS Software Version2.2.1.66 |
| CSCvf65919 | FP9300 chassis running fxos 2.1.1.73 reloaded due to license manager service. |
| CSCvf70505 | FPR Chassis manager continues contacting previous TACACS server configured after it is deleted. |
| CSCvf71068 | Output of “show snmp internal oids supported” for OIDs 1.3.6.1.4.1.9.9.826. is incorrect |
| CSCvf79289 | FCM Export Configuration doesn't download XML file on IE11 |
| CSCvf95185 | FXOS - Unable to clear SSH host key in local-mgmt CLI |
| CSCvf97337 | Chassis manger show configuration button broken |
| CSCvg00589 | FPR4100/9300: FTW feature failing when MIO shuts down/rebooted causing packet loss. |
| CSCvg02469 | Prevent potential Assertion core for empty CRL filename |
| CSCvg03555 | NTP status becomes Unreachable/Invalid after sometime |
| CSCvg05392 | ndmain.log file needs to change timestamp to include date and match other logs |
| CSCvg15516 | Evaluate Red Hat Linux CVE-2017-1000253 Vulnerability |
| CSCvg15519 | Evaluate Red Hat Linux CVE-2017-1000253 Vulnerability |
| CSCvg19034 | FP9300 unexpected reload due to service “pfma” hap |
| CSCvg24820 | ASA app-instance running 9.6.1 is disabled when upgrading from 2.0(1.37) to 2.0(1.149) |
| CSCvg25443 | FTD App Instance goes unresponsive after NTP synchronisation completes on FXOS |
| CSCvg34848 | NTP Server information not loading when using FQDN for ipv6 |
| CSCvg54622 | KP-HA:Secondary shows as “Unknown” and Deployment fails after that. |
Related Documentation
For additional information on the Firepower 9300 or 4100 series security appliance and FXOS, see Navigating the Cisco FXOS Documentation.
Online Resources
Cisco provides online resources to download documentation, software, and tools, to query bugs, and to open service requests. Use these resources to install and configure Firepower software and to troubleshoot and resolve technical issues.
-
Cisco Support & Download site: https://www.cisco.com/c/en/us/support/index.html
-
Cisco Bug Search Tool: https://tools.cisco.com/bugsearch/
-
Cisco Notification Service: https://www.cisco.com/cisco/support/notifications.html
Access to most tools on the Cisco Support & Download site requires a Cisco.com user ID and password.
Contact Cisco
If you cannot resolve an issue using the online resources listed above, contact Cisco TAC:
-
Email Cisco TAC: tac@cisco.com
-
Call Cisco TAC (North America): 1.408.526.7209 or 1.800.553.2447
-
Call Cisco TAC (worldwide): Cisco Worldwide Support Contacts
Communications, Services, and Additional Information
-
To receive timely, relevant information from Cisco, sign up at Cisco Profile Manager.
-
To get the business impact you’re looking for with the technologies that matter, visit Cisco Services.
-
To submit a service request, visit Cisco Support.
-
To discover and browse secure, validated enterprise-class apps, products, solutions and services, visit Cisco Marketplace.
-
To obtain general networking, training, and certification titles, visit Cisco Press.
-
To find warranty information for a specific product or product family, access Cisco Warranty Finder.
Feedback