Release Notes for the Cisco Secure Firewall ASA, 9.22(x)
This document contains release information for ASA software version 9.22(x).
Note: 9.22(1) was not released. The first release was 9.22(1.1).
Important Notes
- No support in ASA 9.22(1) and later for the Firepower 2100: ASA 9.20(x) is the last supported version.
- Smart licensing default transport changed in 9.22: In 9.22, the smart licensing default transport changed from Smart Call Home to Smart Transport. You can configure the ASA to use Smart Call Home if necessary using the transport type callhome command. When you upgrade to 9.22, the transport is automatically changed to Smart Transport. If you downgrade, the transport is set back to Smart Call Home, and if you want to use Smart Transport, you need to specify transport type smart.
System Requirements
ASDM requires a computer with a CPU with at least 4 cores. Fewer cores can result in high memory usage.
ASA and ASDM Compatibility
For information about ASA/ASDM software and hardware requirements and compatibility, including module compatibility, see Cisco Secure Firewall ASA Compatibility.
VPN Compatibility
For VPN compatibility, see Supported VPN Platforms, Cisco ASA 5500 Series.
New Features
This section lists new features for each release.
Note: New, changed, and deprecated syslog messages are listed in the syslog message guide.
New Features in ASA 9.22(1.1)
Released: September 16, 2024
Note: 9.22(1) was not released.
| Feature | Description |
|---|---|
| Platform Features | |
| Secure Firewall 1210/1220 | The Secure Firewall 1210/1220 is a compact desktop firewall with a built-in switch and, depending on the model, Power over Ethernet+ (PoE+). |
| ASA Virtual Supports Dual-Arm Deployment Mode on AWS with GWLB | ASA Virtual now supports the dual-arm deployment mode on AWS with GWLB. This mode enables ASA Virtual to directly forward internet-bound traffic to the internet through the internet gateway after traffic inspection, while also performing network address translation (NAT). The dual-arm mode differs from the single-arm mode, which helps in routing inspected outbound traffic back to the GWLB, and then to the internet through the internet gateway. The dual-arm mode supports forwarding of inspected traffic from ASA Virtual to the internet in both single VPC and multiple VPC network environments. The advantages of the dual-arm mode in ASA Virtual are: For more information, see Cisco Secure Firewall ASA Virtual Getting Started Guide, 9.22. |
| Deploy the Cisco Secure Firewall ASA container (ASAc) in a Kubernetes or Docker Environment | A container is a software package that bundles up code and associated requirements such as system libraries, system tools, default settings, and so on, to ensure that the application runs successfully in a computing environment. You can deploy the ASA container (ASAc) in an open-source Kubernetes or Docker environment. |
| ASA Virtual on VMware ESXi support | ASA Virtual on VMware now supports ESXi version 8.0. For more information, see Cisco Secure Firewall ASA Virtual Getting Started Guide, 9.22. |
| Firewall Features | |
| Object group search optimization | The object group search feature has been enhanced to reduce object lookup time when evaluating access control rules to match connections and to reduce CPU overhead. There are no changes to configuring object group search; the optimized behavior happens automatically. We added the following commands in the device CLI, or enhanced command output: clear asp table network-object, debug ac logs, packet-tracer, show access-list, show asp table network-group, show object-group. |
| High Availability and Scalability Features | |
| Secure Firewall 3100 and 4200 maximum cluster nodes increased to 16 | For the Secure Firewall 3100 and 4200, the maximum number of cluster nodes was increased from 8 to 16. |
| Secure Firewall 3100 and 4200 cluster Individual interface mode | Individual interfaces are normal routed interfaces, each with their own Local IP address used for routing. The Main cluster IP address for each interface is a fixed address that always belongs to the control node. When the control node changes, the Main cluster IP address moves to the new control node, so management of the cluster continues seamlessly. Load balancing must be configured separately on the upstream switch. New/Modified commands: cluster interface-mode individual |
| ASA Virtual Clustering deployment support on the AWS Multi-Availability Zone | You can now deploy and configure the ASA virtual cluster across multiple availability zones in an AWS region. The cluster also has dynamic scaling capability (Autoscale), which helps in scaling up or scaling down virtual devices based on demand. Extending the ASA virtual cluster across multiple availability zones in an AWS region enables continuous traffic inspection and dynamic scaling during disaster recovery. For more information, see Deploy a Cluster for the ASA Virtual in a Public Cloud. |
| License Features | |
| Smart Transport is the default Smart Licensing transport | Smart Licensing now uses Smart Transport as the default transport. You can optionally enable the former type, Smart Call Home, if necessary. New/Modified commands: transport proxy, transport type, transport url |
| ASAvU (Unlimited) license to deploy ASA virtuals with 32 cores and 64 cores | ASAvU license achieves maximum throughput on deployments with 32 cores and 64 cores and is supported only on VMware and KVM. New/Modified commands: throughput level unlimited |
| Administrative, Monitoring, and Troubleshooting Features | |
| Disable the USB port (disk1) | By default, the type-A USB port (disk1) is enabled and could not be disabled. You can now disable USB port access for security purposes on the following models: This setting is stored in firmware and requires a reload. Moreover, if the USB port is disabled and you downgrade to a version that does not support this feature, the port will remain disabled and you cannot re-enable it without erasing the NVRAM. New/Modified commands: usb-port disable, show usb-port |
| VPN Features | |
| DTLS Crypto Acceleration | Cisco Secure Firewall 4200 and 3100 series support DTLS cryptographic acceleration. The hardware performs DTLS encryption and decryption, and improves the throughput of the DTLS-encrypted and DTLS-decrypted traffic. The hardware also performs optimization of the egress-encrypted packets to improve latency. New/Modified commands: flow-offload-dtls, flow-offload-dtls egress-optimization |
Upgrade the Software
This section provides the upgrade path information and a link to complete your upgrade.
Upgrade Link
To complete your upgrade, see the ASA upgrade guide.
Upgrade Path: ASA Appliances
To view your current version and model, use one of the following methods:
- ASDM: Choose .
- CLI: Use the show version command.
This table provides upgrade paths for ASA. Some older versions require an intermediate upgrade before you can upgrade to a newer version. Recommended versions are in bold.
Be sure to check the upgrade guidelines for each release between your starting version and your ending version. You may need to change your configuration before upgrading in some cases, or else you could experience an outage.
For guidance on security issues on the ASA, and which releases contain fixes for each issue, see the ASA Security Advisories.
Note: ASA 9.20 was the final version for the Firepower 2100. ASA 9.18 was the final version for the Firepower 4110, 4120, 4140, 4150, and Security Modules SM-24, SM-36, and SM-44 for the Firepower 9300. ASA 9.16 was the final version for the ASA 5506-X, 5508-X, and 5516-X. ASA 9.14 was the final version for the ASA 5525-X, 5545-X, and 5555-X. ASA 9.12 was the final version for the ASA 5512-X, 5515-X, 5585-X, and ASASM. ASA 9.2 was the final version for the ASA 5505. ASA 9.1 was the final version for the ASA 5510, 5520, 5540, 5550, and 5580.
| Current Version | Interim Upgrade Version | Target Version |
|---|---|---|
| 9.20 | — | Any of the following: → 9.22 |
| 9.19 | — | Any of the following: → 9.22 → 9.20 |
| 9.18 | — | Any of the following: → 9.22 → 9.20 → 9.19 |
| 9.17 | — | Any of the following: → 9.22 → 9.20 → 9.19 → 9.18 |
| 9.16 | — | Any of the following: → 9.22 → 9.20 → 9.19 → 9.18 → 9.17 |
| 9.15 | — | Any of the following: → 9.22 → 9.20 → 9.19 → 9.18 → 9.17 → 9.16 |
| 9.14 | — | Any of the following: → 9.22 → 9.20 → 9.19 → 9.18 → 9.17 → 9.16 |
| 9.13 | — | Any of the following: → 9.22 → 9.20 → 9.19 → 9.18 → 9.17 → 9.16 → 9.14 |
| 9.12 | — | Any of the following: → 9.22 → 9.20 → 9.19 → 9.18 → 9.17 → 9.16 → 9.14 |
| 9.10 | — | Any of the following: → 9.22 → 9.20 → 9.19 → 9.18 → 9.17 → 9.16 → 9.14 → 9.12 |
| 9.9 | — | Any of the following: → 9.22 → 9.20 → 9.19 → 9.18 → 9.17 → 9.16 → 9.14 → 9.12 |
| 9.8 | — | Any of the following: → 9.22 → 9.20 → 9.19 → 9.18 → 9.17 → 9.16 → 9.14 → 9.12 |
| 9.7 | — | Any of the following: → 9.22 → 9.20 → 9.19 → 9.18 → 9.17 → 9.16 → 9.14 → 9.12 → 9.8 |
| 9.6 | — | Any of the following: → 9.22 → 9.20 → 9.19 → 9.18 → 9.17 → 9.16 → 9.14 → 9.12 → 9.8 |
| 9.5 | — | Any of the following: → 9.22 → 9.20 → 9.19 → 9.18 → 9.17 → 9.16 → 9.14 → 9.12 → 9.8 |
| 9.4 | — | Any of the following: → 9.22 → 9.20 → 9.19 → 9.18 → 9.17 → 9.16 → 9.14 → 9.12 → 9.8 |
| 9.3 | — | Any of the following: → 9.22 → 9.20 → 9.19 → 9.18 → 9.17 → 9.16 → 9.14 → 9.12 → 9.8 |
| 9.2 | — | Any of the following: → 9.22 → 9.20 → 9.19 → 9.18 → 9.17 → 9.16 → 9.14 → 9.12 → 9.8 |
| 9.1(2), 9.1(3), 9.1(4), 9.1(5), 9.1(6), or 9.1(7.4) | — | Any of the following: → 9.14 → 9.12 → 9.8 → 9.1(7.4) |
| 9.1(1) | → 9.1(2) | Any of the following: → 9.14 → 9.12 → 9.8 → 9.1(7.4) |
| 9.0(2), 9.0(3), or 9.0(4) | — | Any of the following: → 9.14 → 9.12 → 9.8 → 9.6 → 9.1(7.4) |
| 9.0(1) | → 9.0(4) | Any of the following: → 9.14 → 9.12 → 9.8 → 9.1(7.4) |
| 8.6(1) | → 9.0(4) | Any of the following: → 9.14 → 9.12 → 9.8 → 9.1(7.4) |
| 8.5(1) | → 9.0(4) | Any of the following: → 9.12 → 9.8 → 9.1(7.4) |
| 8.4(5+) | — | Any of the following: → 9.12 → 9.8 → 9.1(7.4) → 9.0(4) |
| 8.4(1) through 8.4(4) | → 9.0(4) | → 9.12 → 9.8 → 9.1(7.4) |
| 8.3 | → 9.0(4) | Any of the following: → 9.12 → 9.8 → 9.1(7.4) |
| 8.2 and earlier | → 9.0(4) | Any of the following: → 9.12 → 9.8 → 9.1(7.4) |
Upgrade Path: ASA Logical Devices for the Firepower 4100/9300
For upgrading, see the following guidelines:
- FXOS: From FXOS 2.2.2 and later, you can upgrade directly to any higher version. When upgrading from versions earlier than 2.2.2, you need to upgrade to each intermediate version. Note that you cannot upgrade FXOS to a version that does not support your current logical device version. You will need to upgrade in steps: upgrade FXOS to the highest version that supports your current logical device; then upgrade your logical device to the highest version supported with that FXOS version. For example, if you want to upgrade from FXOS 2.2/ASA 9.8 to FXOS 2.13/ASA 9.19, you would have to perform the following upgrades:
  - FXOS 2.2→FXOS 2.11 (the highest version that supports 9.8)
  - ASA 9.8→ASA 9.17 (the highest version supported by 2.11)
  - FXOS 2.11→FXOS 2.13
  - ASA 9.17→ASA 9.19
- Threat Defense: Interim upgrades may be required for threat defense, in addition to the FXOS requirements above. For the exact upgrade path, refer to the management center upgrade guide for your version.
- ASA: ASA lets you upgrade directly from your current version to any higher version, noting the FXOS requirements above.
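The stepwise rule above (raise FXOS to the highest version that still supports the running logical device, then raise the logical device) as a small planner; this is an added example, not Cisco code. It assumes a starting FXOS of 2.2.2 or later, and its compatibility map is transcribed from this page's FXOS table rows for the Firepower 4110/4120/4140/4150 with patch builds collapsed to their train; plan_upgrade and vkey are illustrative names.

```python
"""Plan a stepwise FXOS / ASA logical-device upgrade (added example, not Cisco code)."""

# ASA trains supported per FXOS train, transcribed from this page's table rows for
# the Firepower 4110/4120/4140/4150. Assumption: patch builds such as 2.3(1.73) or
# 2.6(1.157) are collapsed into their train number. Check the current Cisco
# compatibility guide before planning a real upgrade.
FXOS_ASA_SUPPORT = {
    "2.2": ["9.8"],
    "2.3": ["9.8"],
    "2.6": ["9.12", "9.8"],
    "2.8": ["9.14", "9.12", "9.8"],
    "2.9": ["9.14", "9.12", "9.8"],
    "2.10": ["9.16", "9.14", "9.12", "9.8"],
    "2.11": ["9.17", "9.16", "9.14", "9.12", "9.8"],
    "2.12": ["9.18", "9.17", "9.16", "9.14", "9.12"],
}


def vkey(version):
    """Turn '2.11' into (2, 11) so that 2.11 sorts after 2.9."""
    return tuple(int(part) for part in version.split("."))


def plan_upgrade(fxos, asa, target_fxos, target_asa, support=FXOS_ASA_SUPPORT):
    """Return ordered (component, from, to) steps; every intermediate
    FXOS/ASA pair is one the compatibility map lists as supported."""
    for f, a, label in ((fxos, asa, "current"), (target_fxos, target_asa, "target")):
        if a not in support.get(f, []):
            raise ValueError(f"{label} pair FXOS {f} / ASA {a} is not in the table")
    if vkey(target_fxos) < vkey(fxos) or vkey(target_asa) < vkey(asa):
        raise ValueError("downgrades are out of scope")

    steps = []
    while (fxos, asa) != (target_fxos, target_asa):
        progressed = False
        # Step A: highest FXOS (not past the target) that supports the running ASA.
        fxos_options = [f for f in support
                        if vkey(fxos) < vkey(f) <= vkey(target_fxos) and asa in support[f]]
        if fxos_options:
            nxt = max(fxos_options, key=vkey)
            steps.append(("FXOS", fxos, nxt))
            fxos, progressed = nxt, True
        # Step B: highest ASA (not past the target) supported by the FXOS now running.
        asa_options = [a for a in support[fxos]
                       if vkey(asa) < vkey(a) <= vkey(target_asa)]
        if asa_options:
            nxt = max(asa_options, key=vkey)
            steps.append(("ASA", asa, nxt))
            asa, progressed = nxt, True
        if not progressed:
            raise ValueError(f"no supported step from FXOS {fxos} / ASA {asa}")
    return steps


if __name__ == "__main__":
    # FXOS 2.12 does not list ASA 9.8, so the plan has to stop at 2.11 first.
    for component, old, new in plan_upgrade("2.2", "9.8", "2.12", "9.18"):
        print(f"{component} {old} -> {component} {new}")
```

The first two steps match the page's own example (FXOS 2.2 to 2.11, then ASA 9.8 to 9.17); the target here is FXOS 2.12/ASA 9.18 because that is the last pair the table lists for these models.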
| FXOS Version | Model | ASA Version | Threat Defense Version |
|---|---|---|---|
| 2.16 | Firepower 4112 | 9.22 (recommended), 9.20, 9.19, 9.18, 9.17 | 7.6 (recommended), 7.4, 7.3, 7.2, 7.1 |
| 2.16 | Firepower 4145, Firepower 4125, Firepower 4115, Firepower 9300 SM-56, Firepower 9300 SM-48, Firepower 9300 SM-40 | 9.22 (recommended), 9.20, 9.19, 9.18, 9.17 | 7.6 (recommended), 7.4, 7.3, 7.2, 7.1 |
| 2.14(1) | Firepower 4112 | 9.20 (recommended), 9.19, 9.18, 9.17, 9.16, 9.14 | 7.4 (recommended), 7.3, 7.2, 7.1, 7.0, 6.6 |
| 2.14(1) | Firepower 4145, Firepower 4125, Firepower 4115, Firepower 9300 SM-56, Firepower 9300 SM-48, Firepower 9300 SM-40 | 9.20 (recommended), 9.19, 9.18, 9.17, 9.16, 9.14 | 7.4 (recommended), 7.3, 7.2, 7.1, 7.0, 6.6 |
| 2.13 | Firepower 4112 | 9.19 (recommended), 9.18, 9.17, 9.16, 9.14 | 7.3 (recommended), 7.2, 7.1, 7.0, 6.6 |
| 2.13 | Firepower 4145, Firepower 4125, Firepower 4115, Firepower 9300 SM-56, Firepower 9300 SM-48, Firepower 9300 SM-40 | 9.19 (recommended), 9.18, 9.17, 9.16, 9.14 | 7.3 (recommended), 7.2, 7.1, 7.0, 6.6 |
| 2.12 | Firepower 4112 | 9.18 (recommended), 9.17, 9.16, 9.14 | 7.2 (recommended), 7.1, 7.0, 6.6 |
| 2.12 | Firepower 4145, Firepower 4125, Firepower 4115, Firepower 9300 SM-56, Firepower 9300 SM-48, Firepower 9300 SM-40 | 9.18 (recommended), 9.17, 9.16, 9.14, 9.12 | 7.2 (recommended), 7.1, 7.0, 6.6, 6.4 |
| 2.12 | Firepower 4150, Firepower 4140, Firepower 4120, Firepower 4110, Firepower 9300 SM-44, Firepower 9300 SM-36, Firepower 9300 SM-24 | 9.18 (recommended), 9.17, 9.16, 9.14, 9.12 | 7.2 (recommended), 7.1, 7.0, 6.6, 6.4 |
| 2.11 | Firepower 4112 | 9.17 (recommended), 9.16, 9.14 | 7.1 (recommended), 7.0, 6.6 |
| 2.11 | Firepower 4145, Firepower 4125, Firepower 4115, Firepower 9300 SM-56, Firepower 9300 SM-48, Firepower 9300 SM-40 | 9.17 (recommended), 9.16, 9.14, 9.12 | 7.1 (recommended), 7.0, 6.6, 6.4 |
| 2.11 | Firepower 4150, Firepower 4140, Firepower 4120, Firepower 4110, Firepower 9300 SM-44, Firepower 9300 SM-36, Firepower 9300 SM-24 | 9.17 (recommended), 9.16, 9.14, 9.12, 9.8 | 7.1 (recommended), 7.0, 6.6, 6.4 |
| 2.10 | Firepower 4112 | 9.16 (recommended), 9.14 | 7.0 (recommended), 6.6 |
| 2.10 | Firepower 4145, Firepower 4125, Firepower 4115, Firepower 9300 SM-56, Firepower 9300 SM-48, Firepower 9300 SM-40 | 9.16 (recommended), 9.14, 9.12 | 7.0 (recommended), 6.6, 6.4 |
| 2.10 | Firepower 4150, Firepower 4140, Firepower 4120, Firepower 4110, Firepower 9300 SM-44, Firepower 9300 SM-36, Firepower 9300 SM-24 | 9.16 (recommended), 9.14, 9.12, 9.8 | 7.0 (recommended), 6.6, 6.4 |
| 2.9 | Firepower 4112 | 9.14 | 6.6 |
| 2.9 | Firepower 4145, Firepower 4125, Firepower 4115, Firepower 9300 SM-56, Firepower 9300 SM-48, Firepower 9300 SM-40 | 9.14, 9.12 | 6.6, 6.4 |
| 2.9 | Firepower 4150, Firepower 4140, Firepower 4120, Firepower 4110, Firepower 9300 SM-44, Firepower 9300 SM-36, Firepower 9300 SM-24 | 9.14, 9.12, 9.8 | 6.6, 6.4 |
| 2.8 | Firepower 4112 | 9.14 | 6.6 |
| 2.8 | Firepower 4145, Firepower 4125, Firepower 4115, Firepower 9300 SM-56, Firepower 9300 SM-48, Firepower 9300 SM-40 | 9.14 (recommended), 9.12 | 6.6 (recommended), 6.4 |
| 2.8 | Firepower 4150, Firepower 4140, Firepower 4120, Firepower 4110, Firepower 9300 SM-44, Firepower 9300 SM-36, Firepower 9300 SM-24 | 9.14 (recommended), 9.12, 9.8 | 6.6 (recommended), 6.4, 6.2.3 |
| 2.6(1.157) | Firepower 4145, Firepower 4125, Firepower 4115, Firepower 9300 SM-56, Firepower 9300 SM-48, Firepower 9300 SM-40 | 9.12 | 6.4 |
| 2.6(1.157) | Firepower 4150, Firepower 4140, Firepower 4120, Firepower 4110, Firepower 9300 SM-44, Firepower 9300 SM-36, Firepower 9300 SM-24 | 9.12 (recommended), 9.8 | 6.4 (recommended), 6.2.3 |
| 2.6(1.131) | Firepower 9300 SM-48, Firepower 9300 SM-40 | 9.12 | Not supported |
| 2.6(1.131) | Firepower 4150, Firepower 4140, Firepower 4120, Firepower 4110, Firepower 9300 SM-44, Firepower 9300 SM-36, Firepower 9300 SM-24 | 9.12 (recommended), 9.8 | |
| 2.3(1.73) | Firepower 4150, Firepower 4140, Firepower 4120, Firepower 4110, Firepower 9300 SM-44, Firepower 9300 SM-36, Firepower 9300 SM-24 | 9.8 | 6.2.3 (recommended) |
| 2.3(1.66), 2.3(1.58) | Firepower 4150, Firepower 4140, Firepower 4120, Firepower 4110, Firepower 9300 SM-44, Firepower 9300 SM-36, Firepower 9300 SM-24 | 9.8 | |
| 2.2 | Firepower 4150, Firepower 4140, Firepower 4120, Firepower 4110, Firepower 9300 SM-44, Firepower 9300 SM-36, Firepower 9300 SM-24 | 9.8 | Threat Defense versions are EoL |
Note on Downgrades
Downgrade of FXOS images is not officially supported. The only Cisco-supported method of downgrading an image version of FXOS is to perform a complete re-image of the device.
Open and Resolved Bugs
The open and resolved bugs for this release are accessible through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products.
Note: You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you do not have one, you can register for an account. If you do not have a Cisco support contract, you can only look up bugs by ID; you cannot run searches.
For more information about the Cisco Bug Search Tool, see the Bug Search Tool Help & FAQ.
Open Bugs in Version 9.22(x)
The following table lists select open bugs at the time of this Release Note publication.
| Identifier | Headline |
|---|---|
| | 4200: After rommon reboot device went to failsafe mode |
| | 1210 CX: sma reported fault: Lina has started, but is not yet running |
Resolved Bugs in Version 9.22(1.1)
The following table lists select resolved bugs at the time of this Release Note publication.
Identifier |
Headline |
---|---|
ASA concatenates syslog event to other syslog event while sending to the syslog server |
|
FTD traceback in Thread Name cli_xml_server when deploying QoS policy |
|
FTD - Flow-Offload should be able to coexist with Rate-limiting Feature (QoS) |
|
Lack of throttling of ARP miss indications to CP leads to oversubscription |
|
Remove Syslog Messages 852001 and 852002 in Firewall Threat Defense |
|
SNMPv3: Special characters used in FXOS SNMPv3 configuration causes authentication errors |
|
FXOS Major Faults about adapter host and virtual interface being down |
|
FXOS: Fault "The password encryption key has not been set." displayed on FPR1000 and FPR2100 devices |
|
App-instance showing as Started instead of Online |
|
ERROR: Deleted IDB found in in-use queue - message misleading |
|
PLR license reservation for ASAv5 is requesting ASAv10 |
|
ASA may fail to create NAT rule for SNMP with: "error NAT unable to reserve ports." |
|
ASA: FPR11xx: Loss of NTP sync following a reload after upgrade |
|
Some syslogs for AnyConnect SSL are generated in admin context instead of user context |
|
Tune throttling flow control on syslog-ng destinations |
|
ENH: Support for snapshots of RX queues on InternalData interfaces when "Blocks free curr" goes low |
|
Primary node disconnected from VPN-Cluster when performed HA failover on Primary with DNS lookup |
|
ASA/FTD stuck after crash and reboot |
|
ASA/FTD Traceback and reload in Process Name: lina |
|
MFIB RPF failed counter instead of Other drops increments when outgoing interface list is Null |
|
ASA: The timestamp for all logs generated by Admin context are the same |
|
cache and dump last 20 rmu request response packets in case failures/delays while reading registers |
|
AnyConnect SAML - Client Certificate Prompt incorrectly appears within External Browser |
|
Cisco ASA and FTD Software RSA Private Key Leak Vulnerability |
|
Prevention of RSA private key leaks regardless of root cause. |
|
FTPS getting ssl3_get_record:bad record type during connection for KK and DR rules |
|
Unnecessary FAN error logs needs to be removed from thermal file |
|
ASA/FTD may traceback and reload during ACL changes linked to PBR config |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
FXOS ASA/FTD SNMP OID to poll Internal-data 'no buffer' interface counters |
|
logging/syslog is impacted by SNMP traps and logging history |
|
ASA: ASDM sessions stuck in CLOSE_WAIT causing lack of MGMT |
|
25G CU SFPs not working in Brentwood 8x25G netmod |
|
ASA/FTD tmatch compilation check when unit joins the cluster, when TCM is off |
|
AnyConnect SAML using external browser and round robin DNS intermittently fails |
|
Failover trigger due to Inspection engine in other unit has failed due to disk failure |
|
critical health alerts 'user configuration(FSM.sam.dme.AaaUserEpUpdateUserEp)' on FPR 1100/2100/3100 |
|
ASA/FTD may traceback and reload in Thread Name 'lina' following policy deployment |
|
ASA/FTD: Traceback and reload in Thread Name: EIGRP-IPv4 |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
User with no vpn-filter may get additional access when per-user-override is set |
|
DHCP Relay is looping back the DHCP offer packet causing dhcprelay to fail on the FTD/ASA |
|
FTD: Traceback & reload in process name lina |
|
ASA/FTD traceback and reload on thread name fover_fail_check |
|
ASA/FTD: Command "no snmp-server enable oid mempool" enabled by default or enforced during upgrades |
|
Analyze why there is no logrotate for /opt/cisco/config/var/log/ASAconsole.log |
|
FPR 2100: 10G interfaces with 1G SFP goes down post reload |
|
fxos log rotate failing to cycle files, resulting in large file sizes |
|
ASA/FTD: Traceback and reload in Thread Name: appAgent_reply_processor_thread |
|
256 / 1550 Block leak with TLS1.3 session |
|
ASA restore is not applying vlan configuration |
|
AWS: SSL decryption failing with Geneve tunnel interface |
|
FTD Lina traceback and reload in Thread Name 'IP Init Thread' |
|
ASA/FTD: Traceback and reload due to SNMP group configuration during upgrade |
|
ASA Connections stuck in idle state when DCD is enabled |
|
Cisco ASA and FTD AnyConnect SSL/TLS VPN Denial of Service Vulnerability |
|
FPR2100: Increase in failover convergence time with ASA in Appliance mode |
|
FTDv Single-Arm Proxy behind AWS GWLB drops due to geneve-invalid-udp-checksum with all 0 checksum |
|
AC clients fail to match DAP rules due to attribute value too large |
|
Packets through cascading contexts in ASA are dropped in gateway context after software upgrade |
|
ASA traceback and reload on Datapath process |
|
FPR1150 : Exec format error seen and the device hung until reload when erase secure all is executed |
|
ASA|FTD: Implement different TLS diffie-hellman prime based on RFC recommendation |
|
QEMU KVM console got stuck in "Booting the kernel" page |
|
Port-channel interfaces of secondary unit are in waiting status after reload |
|
Port-channel member port status flag and membership status are Down if LACPDUs are not received |
|
ASA/FTD may traceback and reload in idfw fqdn hash lookup |
|
FXOS: FP2100 FTW timeout triggered by high CPU usage during FTD Access Control Policy deploy. |
|
30+ seconds data loss when unit re-join cluster |
|
Cisco ASA and FTD ICMPv6 Message Processing Denial of Service Vulnerability |
|
ASA configured with HA may traceback and reload with multiple input/output error messages |
|
MI FTD running 7.0.4 is on High disk utilization |
|
High CPU Utilization on FXOS for processes smConlogger |
|
FTD Traffic failure due to 9344 block depletion in peer_proxy_tx_q |
|
LINA Traceback on FPR-1010 under Thread Name: update_cpu_usage |
|
Microsoft SCEP enrollment fails to get ASA identity cert - Unable to verify PKCS7 |
|
ASA/FTD may traceback and reload in Thread Name 'telnet/ci' |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
Observing some devcmd failures and checkheaps traceback when flow offload is not used. |
|
AWS ASAv PAYG Licensing not working in GovCloud regions. |
|
Traceback and reload when webvpn users match DAP access-list with 36k elements |
|
ASA/FTD: Traceback and Reload on Netflow timer infra |
|
Cut-Through Proxy does not work with HTTPS traffic |
|
Enhance logging mechanism for syslogs |
|
ASA/FTD NAT Pool Cluster allocation and reservation discrepancy between units |
|
Stratix5950 and ISA3000 LACP channel member SFP port suspended after reload |
|
Traffic fails in Azure ASAv Clustering after "timeout conn" seconds |
|
ASA/FTD failure due to heartbeat loss between chassis and blade |
|
ASA: After upgrade cannot connect via ssh to interface |
|
ASA/FTD may traceback and reload in logging_cfg processing |
|
FAN LED flashing amber on FPR2100 |
|
Clientless VPN users are unable to download large files through the WebVPN portal |
|
Anyconnect users unable to connect when ASA using different authentication and authorization server |
|
Blade not coming up after FXOS update support on multi-instance due to ssp_ntp.log log rotation prob |
|
The Standby Device going in failed state due to snort heartbeat failure |
|
Primary ASA traceback upon rebooting the secondary |
|
ASA/FTD traceback and reload, Thread Name: rtcli async executor process |
|
Link Up seen for a few seconds on FPR1010 during bootup |
|
FTD: Unable to configure WebVPN Keepout or Certificate Map on FPR3100 |
|
ASA is unexpected reload when doing backup |
|
FPR41xx/9300: Blade does not capture or log a reboot signal |
|
ASA/FTD: External IDP SAML authentication fails with Bad Request message |
|
Cisco ASA and FTD Software VPN Packet Validation Vulnerability |
|
License Commands go missing in Cluster data unit if the Cluster join fails. |
|
ASA/FTD may traceback and reload after a reload with DHCPv6 configured |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
FTD traceback and reload while deploying PAT POOL |
|
Need to provide rate-limit on "logging history <mode>" |
|
FTD/ASA traceback and reload during to tmatch compilation process |
|
FTD traceback/reloads - Icmp error packet processing involves snp_nat_xlate_identity |
|
FPR1K/FPR2K: Increase in failover time in Transparent Mode with high number of Sub-Interfaces |
|
Cluster data unit drops non-VPN traffic with ASP reason "VPN reclassify failure |
|
FPR1120:connections are getting teardown after switchover in HA |
|
None option under trustpoint doesn't work when CRL check is failing |
|
FTD traceback and reload during policy deployment adding/removing/editing of NAT statements. |
|
FTD is dropping GRE traffic from WSA |
|
ASA binding with LDAP as authorization method with missing configuration |
|
ASA: Traceback and reload while processing SNMP packets |
|
Nodes randomly fail to join cluster due to internal clustering error |
|
FTD: HA crash and interfaces down on FPR4200 |
|
High Lina memory use due to leaked SSL handles |
|
Secondary state flips between Ready & Failed when node is rebooted and mgmt interface is shutdown |
|
multimode-tmatch_df_hijack_walk traceback observed during shut/unshut on FO connected switch interfa |
|
FTD - 'show memory top-usage' providing improper value for memory allocation |
|
FTD: IP SLA Pre-emption not working even when destination becomes reachable |
|
ASA/FTD Traceback and reload of Standby Unit while removing capture configurations |
|
ASA/FTD: Improve GTP Inspection Logging |
|
ASA/FTD: GTP Inspection engine serviceability |
|
[FTD Multi-Instance][SNMP] - CPU OIDs return incomplete list of associated CPUs |
|
ASA/FTD may traceback and reload in Thread Name: CTM Daemon |
|
256-byte memory block gets depleted on start if jumbo frame is enabled with FTD on ASA5516 |
|
Traffic drop when primary device is active |
|
Cisco ASA and FTD Software Remote Access SSL VPN Multiple Certificate Auth Bypass |
|
ASA/FTD may drop multicast packets due to no-mcast-intrf ASP drop reason until UDP timeout expires |
|
Multicast connection built or teardown syslog messages may not always be generated |
|
Write wrapper around "kill" command to log who is calling it |
|
SNMPD cores seen in in snmp_sess_close and notifyTable_register_notifications |
|
WR6, WR8, LTS18 and LTS21 commit id update in CCM layer (Seq 43) |
|
Partition "/opt/cisco/config" gets full due to wtmp file not getting logrotated |
|
NTP polling frequency changed from 5 minutes to 1 second causes large useless log files |
|
Multiple instances of nvram.out log rotated files under /opt/cisco/platform/logs/ |
|
8x10Gb netmod fails to come online |
|
ASA/FTD - SNMP related memory leak behavior when snmp-server is not configured |
|
Azure D5v2 FTDv unable to send traffic - underruns and deplete DPDK buffers observed |
|
ASA Traceback & reload citing thread name: asacli/0 |
|
FTD taking longer than expected to form OSPF adjacencies after a failover switchover |
|
ASA/FTD may traceback and reload after executing 'clear counters all' when VPN tunnels are created |
|
LINA traceback with icmp_thread |
|
The command "app-agent heartbeat" is getting removed when deleting any created context |
|
FPR 4115- primary unit lost all HA config after ftd HA upgrade |
|
CLUSTER: ICMP reply arrives at director earlier than CLU add flow request from flow owner. |
|
FTD MI does not adjust PVID on vlans attached to BVI |
|
ASA/FTD may traceback and reload in Thread Name 'None' at lua_getinfo |
|
ASA/FTD Show chunkstat top command implementation |
|
ASA/FTD might traceback in funtion "snp_fp_l2_capture_internal" due to cf_reinject_hide flag |
|
Workaround to set hwclock from ntp logs on low end platforms |
|
ASA/FTD may traceback and reload in Thread Name 'ci/console' when checking Geneve capture |
|
Supervisor does not reboot unresponsive module/blade due to IERR with minor severity sensor ID 79 |
|
ASA/FTD: High failover delay with large number of (sub)interfaces and http server enabled |
|
Gateway is not reachable from standby unit in admin and user context with shared mgmt intf |
|
Multiple traceback seen on standby unit. |
|
2100: Power switch toggle leads to ungraceful shutdowns and "PowerCycleRequest" reset |
|
Stale IKEv2 SA formed during simultaneous IKE SA handling when missing delete from the peer |
|
FDM WM-HA ssh is not working after upgrading 7.2.3 beta with data interface as management |
|
ASA: FP2100 FTW timeout triggered by high CPU usage during FTD Access Control Policy deploy. |
|
Deleting a BVI in FTD interfaces is causing packet drops in other BVIs |
|
FP2100:Update LINA asa.log files to avoid recursive messages-<date>.1.gz rotated filenames |
|
Syslog ASA-6-611101 is generated twice for a single ssh connection |
|
User with no vpn-filter may get additional access when per-user-override is set (IKEv2 RAVPN) |
|
FTD upgrade from 7.0 to 7.2.x and traceback/reload due to management-access enabled |
|
ASA/FTD drops traffic to BVI if floating conn is not default value due to no valid adjacency |
|
FTD: CLISH slowness due to command execution locking LINA prompt |
|
The public API function BIO_new_NDEF is a helper function used for str |
|
Management interface link status not getting synced between FXOS and ASA |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
ASA Evaluation of OpenSSL vulnerability CVE-2022-4450 |
|
SSL decrypted conns fails when tx chksum-offload is enabled with the egress interface a pppoe. |
|
FTD on FPR2140 - Lina traceback and reload by TCP normalization |
|
Protocol Down with lower CPU instances on ESXi 8 for ASAv and FTDv |
|
Memory leak observed on ASA/FTD when logging history is enabled |
|
ASA/FTD: Revision of cluster event message "Health check detected that control left cluster" |
|
FTD: "timeout floating-conn" not operating as expected for connections dependent on VRF routing |
|
ASA/FTD reboots due to traceback pointing to watchdog timeout on p3_tree_lookup |
|
CCM seq 45 - WR6, WR8, LTS18 and LTS21. |
|
FTD Traceback and reload on Thread Name "NetSnmp Event mib process" |
|
PIM register packets are not sent to RP after a reload if FTD uses a default gateway to reach the RP |
|
ASA Multicontext 'management-only' interface attribute not synced during creation |
|
ASA reboots due to heartbeat loss and "Communication with NPU lost" |
|
New context subcommands are not replicated on HA standby when multiple sessions are opened. |
|
Policy Deploy Failing when trying to remove Umbrella DNS Connector Configuration |
|
ASA/FTD traceback in snp_tracer_format_route |
|
ASA/FTD may traceback and reload in Thread Name 'lina' due to due to tcp intercept stat |
|
ASA/FTD: Ensure flow-offload states within cluster are the same |
|
Need fault/error for invalid firmware MF-111-234949 |
|
Cisco ASA and FTD ACLs Not Installed upon Reload |
|
ASA/FTD may traceback and reload |
|
ASA: Prevent SFR module configuration on unsuported platforms |
|
The command "neighbor x.x.x.x ha-mode graceful-restart" removed when deleting any created context |
|
FP2100 series devices might use excessive memory if there is a very high SNMP polling rate |
|
KP Generating invalid core files which cannot be decoded 7.2.4-64 |
|
show xlate does not display xlate entries for internal interfaces (nlp_int_tap) after enabling ssh. |
|
ASA - Standby device may traceback and reload during synchronization of ACL DAP |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
Last fragment from SIP IPv6 packets has MF equal to 1, flagging that more packets are expected |
|
ASA / FTD Traceback and reload when removing isakmp capture |
|
Failover fover_trace.log file is flooding and gets overwritten quickly |
|
Multiple times the failover may be disabled by wrongly seeing a different "Mate operational mode". |
|
Connections not replicated to Standby FTD |
|
FTD Crash in Thread Name: CP Processing |
|
ASA/FTD may traceback and reload in Thread Name DATAPATH-3-21853 |
|
FTD LINA traceback and reload in Datapath thread after adding Static Routing |
|
Unable to login to FTD using external authentication |
|
Cross-interface-access: ICMP Ping to management access ifc over VPN is broken |
|
logrotate is not compressing files on 9.16 ASA or 7.0 FTD |
|
ASA/FTD may traceback and reload in Thread Name DATAPATH-1-1656 |
|
AnyConnect - mobile devices are not able to connect when hostscan is enabled |
|
Interface remains DOWN in an Inline-set with propagate link state |
|
ASA/FTD: From-the-box ping fails when using a custom VRF |
|
ASA/FTD : Degradation for TCP tput on FPR2100 via IPSEC VPN when there is delay between VPN peers |
|
ASA/FTD may traceback and reload in Thread Name 'pix_flash_config_thread' |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
Default DLY value of port-channel sub interface mismatch with parent Portchannel |
|
ASA: Standby failure on parsing of "management-only" not reported to parser/failover subsystem |
|
health alert for [FSM:STAGE:FAILED]: external aaa server configuration |
|
PortChannel sub-interfaces configured as data/data-sharing, in multi-instance HA go into "waiting" |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
ASA/FTD traceback and reload on thread DATAPATH-14-11344 when SIP inspection is enabled |
|
ASA/FTD traceback and reload due citing thread name: cli_xml_server in tm_job_add |
|
ASA/FTD: Traceback and reload due to high rate of SCTP traffic |
|
ASA traceback and reload with process name: cli_xml_request_process |
|
Serial number attribute from the subject DN of certificate should be taken as the username |
|
Firepower Chassis Manager is not accessible with ECDSA certificates |
|
Notification Daemon false alarm of Service Down |
|
CVIM Console getting stuck in "Booting the kernel" page |
|
Username-from-certificate feature cannot extract the email attribute |
|
ASA: Standby failure on parsing of "management-only" for dynamic configuration changes |
|
ASA Traceback and reload in parse thread due ha_msg corruption |
|
FPR31xx - SNMP poll reports incorrect FanTray Status at Down while actually operational |
|
ngfwManager process continuously restarting leading to ZMQ Out of Memory traceback |
|
KP - multimode: ASA traceback observed during HA node break and rejoin. |
|
FXOS REST API: Unable to create a keyring with type "ecdsa" |
|
Threat-detection does not recognize exception objects with a prefix in IPv6 |
|
ASA/FTD may traceback and reload in Thread Name 'lina'. |
|
Threat-detection does not allow to clear individual IPv6 entries |
|
Cisco ASA and FTD VPN Web Client Services Client-Side Request Smuggling Vulnerability |
|
ASA not updating Timezone despite taking commands |
|
FTD DHCP Relay drops NACK if multiple DHCP Servers are configured |
|
Cisco ASA & FTD SAML Authentication Bypass Vulnerability |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
ASA/FTD: SNMP related traceback and reload immediately after upgrade from 6.6.5 to 7.0.1 |
|
ASA: Configurable CLU for Large amount of under/overruns on CLU RX/TX queues |
|
Observed ASA traceback and reload when performing hitless upgrade while VPN traffic running |
|
ASA/FTD Cluster: Change "cluster replication delay" with max value increase from 15 to 50 sec |
|
ASAConfig multiple restarts are leaking 16K memory in every Restart leading to ZMQ Out Of Memory. |
|
Cisco FTD Software for Cisco Firepower 2100 Series Inspection Rules DoS Vulnerability |
|
traceback and reload thread datapath on process tcpmod_proxy_continue_bp |
|
Add knob to pause/resume file specific logging in asa log infra. |
|
FTD/ASA Hub and spoke (U-turn) VPN fails when one spoke is IPSec flow offloaded and the other isn't |
|
TCP ping is completely broken starting in 9.18.2 |
|
portmanager.sh outputting continuous bash warnings to log files |
|
ASA/FTD may traceback and reload in Thread Name 'ci/console' |
|
ASA: "Ping <ifc_name> x.x.x.x" is not working as expected starting 9.18.x |
|
3100 unit failed to join the cluster with error "configured object (sys/switch-A/slot-2) not found" |
|
FTD running on FP1000 series might drop packets on TLS flows after the "Client Hello" message. |
|
Setting heartbeat timeout to 6sec for Firepower 4100 and 9300 |
|
ASA running out of SNMP PDU and SNMP VAR chunks |
|
Lina traceback and reload due to fragmented packets |
|
LSP version not updated to latest in LINA Prompt in SSP_CLUSTER with 7.2.4 build. |
|
FPR3100: ASA/FTD High traffic impact on all data interfaces with high counter of "demux drops" |
|
FTD : Traceback in ZMQ running 7.3.0 |
|
TPK 3110 - Firmware version MISMATCH after upgrade to 7.2.4-144 |
|
ASA sends OCSP request without user-agent and host |
|
ASA: After upgrade to 9.16.4 all type-8 passwords are lost on first reboot |
|
FTDv: Traffic failure in VMware Deployments due to dpdk pool exhaustion and rx_buff_alloc_failure |
|
ASA Traceback and reload citing process name 'lina' |
|
traceback and reload in Process Name: lina related to Nat/Pat |
|
TCP normalizer needs stats that show actions like packet drops |
|
LDAP authentication over SSL not working for users that send large authorisation profiles |
|
Very specific "vpn-idle-timeout" values cause continuous SSL session disconnects and reconnects |
|
ASAv in Hyper-V drops packets on management interface |
|
HA Serviceability Enh: Maintain HA NLP client stats and HA CTL NLP counters for current App-sync |
|
ASDM replaces custom policy-map with default map on class inspect options at backup restore. |
|
ASA accepts replayed SAML assertions for RA VPN authentication |
|
ASA/FTD may traceback and reload in Thread Name '19', free block checksum failure |
|
node is leaving TPK cluster due to interface health check failure |
|
ASA may traceback and reload in Thread Name 'DHCPv6 Relay' |
|
ASA/FTD: Traceback on thread name: snmp_master_callback_thread during SNMP and interface changes |
|
ASA/FTD : Packet-tracer may display incorrect ACL rule, though produces correct verdict. |
|
SSH to Chassis allows a 3-way handshake for IPs that are not allowed by the config |
|
Unable to establish BGP when using MD5 authentication over GRE TUNNEL and FTD as passthrough device |
|
Update Configuration State if sync is skipped |
|
FP2130- Unable to disassociate member from port channel, deployment fails, member is lost on FTD/FMC |
|
ASA/FTD: Connection information in SIP-SDP header remains untranslated with destination static Any |
|
FTD may fail to create a NAT rule with error: "IPv4 dst real obj address range is huge" |
|
KP: Cleanup/Reformat the second (MSP) disk on FTD reinstall |
|
Inconsistent log messages seen when emblem is configured and buffer logging is set to debug |
|
ASA in multi context shows standby device in failed state even after MIO HB recovery. |
|
ASA integration with umbrella does not work without validation-usage ssl-server. |
|
Add CIMC reset as auto-recovery for CIMC IPMI hung issues |
|
ASA traceback and reload with the Thread name: **CP Crypto Result Processing** |
|
Firewall may drop packets when routing between global or user VRFs |
|
ASA access-list entries have the same hash after upgrade |
|
[IMS_7_4_0] - Virtual FDM Upgrade fails: HA configStatus='OUT_OF_SYNC after UpgradeOnStandby |
|
FTD: GRE traffic is not being load balanced between CPU cores |
|
ASA: Traceback and reload while updating ACLs on ASA |
|
Cisco Adaptive Security Appliance Software and Firepower Threat Defense DoS |
|
FXOS/SSP: System should provide better visibility of DIMM Correctable error events |
|
Traffic may be impacted if TLS Server Identity probe timeout is too long |
|
ASA/FTD: Traceback and reload with Thread Name 'PTHREAD' |
|
access-list: Cannot mix different types of access lists. |
|
AnyConnect Ikev2 Login Failed With certificate-group-map Configured |
|
Change in syslog message ASA-3-202010 |
|
Firewall rings may get stuck and cause packet loss when asp load-balance per-packet auto is used |
|
ASAv - High latency is experienced on Azure environment for ICMP ping packets while running snmpwalk |
|
Wyoming/SFCN ASA: Wrong values shown DBRG in show crypto ssl objects CLI |
|
ASA/FTD client IP missing from TACACS+ request in SSH authentication |
|
Improper load-balancing for traffic on ERSPAN interfaces on FPR 3100/4200 |
|
PSEQ (Power-Sequencer) firmware may not be upgraded with bundled FXOS upgrade |
|
ASA/FTD may traceback and reload citing process name "lina" |
|
Traceback in Thread Name: ssh/client in a clustered setup |
|
Lina crash in thread name: cli_xml_request_process during FTD cluster upgrade |
|
ECMP + NAT for ipsec sessions support request for Firepower. |
|
99.20.1.16 lina crash on nat_remove_policy_from_np |
|
Traceback and reload on Thread DATAPATH-6-21369 and linked to generation of syslog message ID 202010 |
|
Remove Priority-queue command from FTD|| Priority-queue command causes silent egress packet drops |
|
Cisco ASA and FTD VPN Web Client Services Client-Side Request Smuggling Vulnerability |
|
VPN load-balancing cluster encryption using deprecated ciphers |
|
ASA/FTD: Traceback and reload when issuing 'show memory webvpn all objects' |
|
DNS cache entry exhaustion leads to traceback |
|
2100 Reload due to internal links going down and NPU disconnection |
|
FXOS SNMP "property community of sys/svc-ext/snmp-svc is out of range" is unclear to users |
|
FTD username with dot fails AAA-RADIUS external authentication login after upgrade |
|
ASA SNMP polling not working and showing "Unable to honour this request now" on show commands |
|
Reduce time taken to clear stale IKEv2 SAs formed after Duplicate Detection |
|
ASA traceback and reload on Thread Name: DHCPRA Monitor |
|
vFTD runs out of memory and goes to failed state |
|
ASA Traceback & reload on process name lina due to memory header validation |
|
FXOS Traceback and reload caused by leak on MTS buffer queue |
|
KP2140-HA, reloaded primary unit not able to detect the peer unit |
|
FTD/Lina - ZMQ issue OUT OF MEMORY. due to less Msglyr pool memory on certain platforms |
|
FTD: HA App sync failure due to fover interface flap on standby unit |
|
ASA generating traceback with thread-name: DATAPATH-53-18309 after upgrade to 9.16.4.19 |
|
"show route all summary" executed on transparent mode FTD is causing CLISH to become Sluggish. |
|
Cisco ASA/FTD Firepower 2100 SSL/TLS Denial of Service Vulnerability |
|
Failover: standby unit traceback and reload during modifying access-lists |
|
FTDv Single-Arm Proxy behind AWS GWLB drops due to geneve-invalid-udp-checksum. |
|
FTD snmpd process traceback and restart |
|
FTD taking longer than expected to form OSPF adjacencies after a failover switchover |
|
Units get kicked out of the cluster randomly due to HB miss | ASA 9.16.3.220 |
|
Firewall Traceback and reload due to SNMP thread |
|
FTD: Traceback and reload during OSPF redistribution process execution |
|
Cisco ASA and FTD ACLs Not Installed upon Reload |
|
FTD Lina engine may traceback, due to assertion, in datapath |
|
Add meaningful logs when the maximums system limit rules are hit |
|
Avoid both devices in HA sending events to FMC |
|
FTD is dropping GRE traffic from WSA due to NAT failure |
|
Dumping of last 20 rmu request response packets failed |
|
ASA removes the IKEv2 Remote PSK if the Key String ends with a backslash "\" after reload |
|
ASA - The GTP inspection dropped the message 'Delete PDP Context Response' due to an invalid TEID=0 |
|
ASA appliance mode - 'connect fxos [admin]' will get ERROR: failed to open connection. |
|
ASA: Checkheaps traceback and reload due to Clientless WebVPN |
|
FMC process ssp_snmp_trap_fwdr high memory utilization |
|
azure vftd node traceback while loading multiple network-service objects during ns_reload. |
|
FTD: Firepower 3100 Dynamic Flow Offload showing as Enabled |
|
Policy deployment fails when a route same prefix/metric is configured in a separate VRF. |
|
Excessive logging of ssp-multi-instance-mode messages to /opt/cisco/platform/logs/messages |
|
FTD: SNMP not working on management interface |
|
ASA/FTD traceback and reload on thread DATAPATH |
|
Cisco ASA Software and FTD Software SAML Assertion Hijack Vulnerability |
|
WM RM - SFP port status of 9 follows port of state of SFP 10|11|12 |
|
When state-link is flapped HA state changed from Standby-ready to Bulk-sync without failover reason |
|
Switch ports in trunk mode may not pass vlan traffic after power loss or reboot |
|
ASA/FTD: Traceback and reload due to NAT L7 inspection rewrite |
|
ASA: ISA3000 does not respond to entPhySensorValue OID SNMP polls |
|
ASA: Traceback and reload on Thread name "fover_FSM_thread" and ha_ntfy_prog_process_timer |
|
ECDSA Self-signed certificate using SHA384 for EC521 |
|
ASA|FTD: Traceback & reload due to a free buffer corruption |
|
FTD Lina traceback Thread Name: DATAPATH due to memory corruption |
|
"failover standby config-lock" config is lost after both HA units are reloaded simultaneously |
|
OSPFv3 Traffic is Centralized in Transparent Mode |
|
FPR1k Switchport passing CDP traffic |
|
FMC: ACP Rule with UDP port 6081 is getting removed after subsequent deployment |
|
Management UI presents self-signed cert rather than custom CA signed one after upgrade |
|
Failed to transfer new image file to FPR2130 and traceback was observed |
|
Traceback @<capture_file_show+605 at ../infrastructure/capture/capture_file_finesse.c:282> |
|
Radius authentication stopped working after ASAv on AWS upgrade to any higher version than 9.18.2 |
|
ASA Traceback & reload on process name lina due to memory header validation - webvpn side fix |
|
ASDM application randomly exits/terminates with an alert message on multi-context setup |
|
ASA/FTD HA checkheaps crash where memory buffers are corrupted |
|
ASA omits port in host field of HTTP header of OCSP request if non-default port begins with 80 |
|
Interface speed mismatch in SNMP response using OID .1.3.6.1.2.1.2.2 |
|
ASA traceback on Lina process with FREEB and VPN functions |
|
FTDv/AWS - NTP clock offset between Lina and FTD cluster |
|
FPR1010 in HA failed to send or receive to GARP/ARP with error "edsa_rcv: out_drop" |
|
ASA/FTD: Traceback and reload due to NAT change and DVTI in use |
|
ASA/FTD traceback and reload when invoking "show webvpn saml idp" CLI command |
|
ASA/FTD may traceback and reload in Thread Name "RAND_DRBG_bytes" and CTM function on n5 platforms |
|
Incorrect exit interface chosen for VTI traffic next-hop |
|
ASA/FTD may traceback and reload when changing capture buffer size |
|
Lina CiscoSSL upgrade to 1.1.1v and FOM 7.3a |
|
FTD 7.0.4 cluster drops Oracle's sqlnet packets due to tcp-not-syn |
|
Lina crash in snp_fp_tcp_normalizer() when DAQ/Snort sends malformed L3 header |
|
ARP learning issues with Multiple-instance running 100G Netmod |
|
Incorrect Hit count statistics on ASA Cluster only for Cluster-wide output |
|
SNMP is not working on the primary active ASA unit in multi-context environment |
|
Site-to-Site VPN tunnel status on FMC shows down even though it is UP from FTD side |
|
Include "show env tech" in FXOS FPRM troubleshoot |
|
ASA/FTD Cluster: Reuse of TCP Randomized Sequence number on two different conns with same 5 tuple |
|
741 - HA & AppAgent - Long term solution for avoiding momentary split-brain situations |
|
Logging improvement for messages exchange between LinaConfigTool and xml server |
|
ASA unexpected HA failover due to MIO blade heartbeat failure |
|
ASA traceback when re-configuring access-list |
|
FXOS: Remove enforcement of blades going into degraded state after multiple DIMM correctable errors |
|
Cisco ASA and FTD Software Remote Access VPN Unauthorized Access Vulnerability |
|
PAC Key file missing on standby on reload |
|
FXOS: Alperton 100G NetMod not being acknowledged properly |
|
ASA software on FP3110 showing incorrect serial number in show inventory output |
|
FTD VMWare: High disk utilization on /dev/sda8 partition caused by file system corruption |
|
Connections are not cleared after idle timeout when the interfaces are in inline mode. |
|
Chassis Manager shows HTTP 500 Internal Server error in specific cases |
|
Specific OID 1.3.6.1.2.1.25 should not be responding |
|
ASA: Traceback and reload when switching from single to multiple mode |
|
ASA/FTD: 1 Second failover delay for each NLP NAT rule |
|
Ping to the configured systemIP on management interface getting failed in cluster setup. |
|
ASA/FTD may traceback and reload in Thread Name 'ssh' when adding SNMPV3 config |
|
FTD - Traceback and reload due to nat rule removed by CPU core |
|
ASDM management-sessions quota reached due to HTTP sessions stuck in CLOSE_WAIT |
|
FTD responding to UDP500 packet with a Mac Address of 0000.000.000 |
|
ASA "pager line 25" command doesn't work as expected on few terminal applications |
|
FTD hosted on KP incorrectly dropping decoded ESP packets if pre-filter action is analyze |
|
ASA traceback due to panic event during SNMP configuration |
|
ASA/FTD: NAT64 error "overlaps with inside standby interface address" for Standalone ASA |
|
FTD Block 9344 leak due to fragmented GRE traffic over inline-set interface inner-flow processing |
|
Strong Encryption license is not getting applied to ASA firewalls in HA. |
|
FTD/ASA traceback and reload may occur when ssl packet debugs are enabled |
|
Cisco ASA and FTD Software Remote Access VPN Unauthorized Access Vulnerability |
|
2100: Interfaces missing from FTD after removing interfaces as members of a port-channel |
|
ASA/FTD may traceback and reload in Thread Name 'dns_cache_timer' |
|
ASA allows same BGP Dynamic routing process for Physical Data and management-only interfaces |
|
FTD: Failover/High Availability disabled with Mate version 0.0 is not compatible |
|
"show aaa-server" command always shows the Average round trip time 0ms. |
|
ASA/FTD may traceback and reload while running show inventory |
|
4200 Series: Portchannel in cluster may stay down sometimes when LACP is in active mode |
|
Message asa_log_client exited 1 time(s) seen multiple times |
|
ASA:Management access via IPSec tunnel is NOT working |
|
The FMC is showing "The password encryption key has not been set" alert for a 11xx/21xx/31xx device |
|
FXOS: svc_sam_dcosAG process getting crashed repeatedly on FirePower 4100 |
|
After rebooting, the future date set on the FPR2100 platform is not reflected (set clock manually) |
|
ASA does not send 'warmstart' snmp trap |
|
ASA/FTD traceback and reload with IPSec VPN, possibly involving upgrade |
|
Source NAT Rule performing incorrect translation due to interface overload |
|
ASA/FTD may traceback and reload in Thread Name 'lina' while processing DAP data |
|
Fragmented UDP packet via MPLS tunnel reassemble fail |
|
NAT pool is not working properly despite not reaching the 32k object ID limit. |
|
Multicast through the box traffic causing high CPU with 1GBps traffic |
|
FTD Upgrade from 6.6.5 to 7.2.5 removing OGS causing rule expansion on boot |
|
Lina core at snp_nat_xlate_verify_magic.part and soft traces |
|
FTD SNMPv3 host configuration gets deleted from IPTABLES after adding host-group configuration |
|
LINA show tech-support fails to generate as part of sf_troubleshoot.pl (Troubleshoot file) |
|
ASDM can not see log timestamp after enable logging timestamp on cli |
|
Configuring and unconfiguring "match ip address test" may lead to traceback |
|
Firepower WCCP router-id changes randomly when VRFs are configured |
|
FTD: Traceback and Reload in Process Name: lina |
|
Configuration to disable TLS1.3 |
|
FTD-HA does not fail over sometimes when snort3 crashes |
|
ASA: Traceback and reload when restore configuration using CLI |
|
WM DT - ASA in transparent mode doesn't send equal IPv6 Router Advertisement packets to all nodes |
|
Timestamp entry missing for some syslog messages sent to syslog server |
|
Community string sent from router is not matching ASA |
|
ASA/FTD may traceback and reload due to watchdog time exceeding the default 15 seconds |
|
Secondary lost failover communication on Inside, using IPv6, but next testing of Inside passes |
|
CSF 4200: PSU Fan speed is critical |
|
FXOS : Duplication of NTP entry results in Error message : Unreachable Or Invalid Ntp Server |
|
Coverity 886745: OVERRUN in verify_generic_signature |
|
ASA traceback under match_partial_keyword during CPU profiling |
|
ASA: Traceback and reload when executing the command "show nat pool detail" on a cluster setup |
|
ASA/FTD traceback and reload on process fsm_send_config_info_initiator |
|
[Multi-Instance] Second Hard Drive (FPR-MSP-SSD) not in use |
|
ASA/FTD HA pair EIGRP routes getting flushed after failover |
|
ASA/FTD: Traceback and reload on thread name CP Crypto Result Processing |
|
VTI tunnel goes down due to route change detected in VRF scenario |
|
In FPR4200/FPR3100-cluster, core file "core.lina" observed on device reboot. |
|
FTD installation fails on FPR-2K "Error in App Instance FTD. Available memory not updated by blade" |
|
FTD: Traceback in threadname cli_xml_request_process |
|
Firewall shows misleading SCP file copy failure reasons |
|
crypto_archive file generated after the software upgrade. |
|
File copy via SCP using ciscossh stack fails with error "no such file or directory" |
|
Last Rule hit shows a hex value ahead of current time in ASA and ASDM |
|
Unexpected traceback on thread name Lina and device experienced reboot |
|
GTP connections, under certain circumstances do not get cleared on issuing clear conn. |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
Datapath hogs causing clustering units to get kicked out of the cluster |
|
Management DNS Servers may be unreachable if data interface is used as the gateway |
|
ASA: Traceback and reload during tests of High number of traffic flows and syslog messages |
|
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-34-17852' |
|
FTD VMWare tracebacks at PTHREAD-3587 |
|
SNMP OID ifOutDiscards on MIO are always zero despite show interface are non-zero |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
FTD sends multiple replicated NetFlow records for the same flow event |
|
FTD 1120 standby sudden reboot |
|
SNMP Unresponsive when snmp-server host specified |
|
Traceback on FP2140 without any trigger point. |
|
Cross ifc access: Revert PING to old non-cross ifc behavior |
|
FTD upgrade failing on script 999_finish/999_zz_install_bundle.sh |
|
ASA - Traceback the standby device while HA sync ACL-DAP |
|
Certificate Encoding Issue when using AnyConnect cert Authentication/Authorisation |
|
ASA/FTD traceback and reload on thread DATAPATH |
|
FTD OSPFV3 IPV6 Routing: FTD is sending unsupported extended LSA request to neighbor routers |
|
ASA cluster traceback Thread Name: DATAPATH-8-17824 |
|
Hardware bypass not working as expected in FP3140 |
|
Config-url is accepting directory as the config file |
|
ASA/FTD - may traceback and reload in Thread Name 'Unicorn Proxy Thread' |
|
ASA traceback and reload during ACL configuration modification |
|
Firewall traceback and reload due to SSH thread |
|
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-13-6022' |
|
FTD/ASA may traceback and reload in PKI, syslog, during upgrade |
|
VPN load-balancing cluster encryption using Phase 2 deprecated ciphers |
|
ASA/FTD may traceback and reload in Thread Name 'lina' due to a watchdog in 9.16.3.23 code |
|
ASA/FTD high memory usage due to SNMP caused by RAVPN OID polling |
|
FTD with may traceback in data-path during deployment when enabling TAP mode |
|
FailSafe admin password is not properly sync'd with system context enable pw |
|
ASA: The logical device may boot into failsafe mode because of a large configuration. |
|
Device/port-channel goes down with a core generated for portmanager |
|
ASA dropping IPSEC traffic incorrectly when "ip verify reverse-path" is configured |
|
ASA : Modifying a route-map in one context affects other contexts |
|
ASA SNMP OID cpmCPUTotalPhysicalIndex returning zero values instead of CPU index values |
|
Stale asp entry for TCP 443 remains on standby after changing default port |
|
Cisco FXOS Software Link Layer Discovery Protocol Denial of Service Vulnerability |
|
OSPF Redistribution route-map with prefix-list not working after upgrade |
|
Alert: Decommission failed, reason: Internal error is not cleared from FCM or CLI after acknowledge |
|
PSU fan shows critical in show environment output while operating normally |
|
FTD ADI debugs may show incorrect server_group and/or realm_id for SAML-authenticated sessions |
|
ASA/FTD: SSL VPN Second Factor Fields Disappear |
|
Username-from-certificate secondary attribute is not extracted if the first attribute is missing |
|
ipv6 table flush exception when cli_firstboot installs bootstrap configuration multi instance |
|
ASA: Snmpwalk shows "No Such Instance" for the OID ceSensorExtThresholdValue |
|
TLS1.3: core decode points to tls_trk_try_switch_to_bypass_aux() |
|
use kill tree function in SMA instead of SIGTERM |
|
Detailed logging related to reason behind sub-interface admin state change during operations |
|
Policy Apply failed moving from FDM to FMC |
|
Hairpinning of DCE/RPC traffic during the suboptimal lookup |
|
ASA/FTD: Traceback and reload when running show tech and under High Memory utilization condition |
|
Radius traffic not passing after ASA upgrade 9.18.2 and above version. |
|
ASA/FTD may traceback and reload in Thread Name IKEv2 Daemon |
|
ASA traceback and reload on Thread Name: DATAPATH |
|
GTP inspection dropping packets with IE 152 due to header length being invalid for IE type 152 |
|
low memory/stress causing traceback in SNMP |
|
ISA3000 Traceback and reload boot loop |
|
Snort3 traceback with fqdn traffic |
|
ASA/FTD: DNS Load Balancing with SAML does not work with VPN Load Balancing |
|
ASA/FTD: Cluster incorrectly generating syslog 202010 for invalid packets destined to PAT IP |
|
FTD drops double tagged BPDUs. |
|
FTDv may traceback and reload in Thread Name 'PTHREAD-3744' when changing interface status |
|
ASA traceback and reload on Thread Name: pix_flash_config_thread |
|
ASA|FTD Traceback & reload in thread name Datapath |
|
Their standalone FTD running 7.2.2 on FPR-4112 experienced a traceback on the SNMP module |
|
Service object-group protocol type mismatch error seen while access-list referencing already |
|
Unable to Synch more than 100 environment-data with data unit |
|
SSL protocol settings do not modify the FDM GUI certificate configuration or disable TLSv1.1 |
|
ASA/FTD : Port-channels remain down on Firepower 1010 devices after upgrade |
|
Interface fragment queue may get stuck at 2/3 of fragment database size |
|
Cut-Through Proxy feature spikes CP CPU with a flood of un-authenticated traffic |
|
ASA Traceback and reload on Thread Name "fover_parse" on Standby after Failover Group changes |
|
interface idb logging log rotation to FXOS logrotate utility |
|
RAVPN SAML: External browser gives misleading message when FTD/ASA fails to parse assertion |
|
Blocking SMB traffic with reason "Blocked by the firewall preprocessor" |
|
Multiple lina cores on 7.2.6 KP2110 managed by cdFMC |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
CVE-2023-51385 (Medium Sev) In ssh in OpenSSH before 9.6, OS command injection might occur if a us |
|
Debugs failed to be enabled on SSH session |
|
The SSH transport protocol with certain OpenSSH extensions, found in ... (CVE-2023-48795) |
|
ASA/FTD Traceback and reload related to SSL/DTLS traffic processing |
|
Null pointer dereference in SNMP that results in traceback and reload |
|
ASA/FTD may traceback and reload in Thread Name "appAgent_monitor_nd_thread" & Rip: _lina_assert. |
|
traceback and reload around function HA |
|
DHCPv6:ASA traceback on Thread Name: DHCPv6 CLIENT. |
|
WARN msg(speed not compatible, suspended) while creating port-channel on Victoria CE |
|
ASA/FTD may traceback and reload in Thread Name 'webvpn_task' |
|
Policy deployment failures on TPK MI chassis after redeploying same instance |
|
Error logs generated for ssh access to ASA when eddsa is used as kex hostkey |
|
Continuous snmpd restarts observed if SNMP host is configured before the IP is configured |
|
ASA/FTD: Memory leak caused by Failover not freeing dnscrypt key cache due to unsynced umbrella flow |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
Intermittent Packet Losses When VTI Is Sourced From Loopback |
|
Firewall is in App Sync error in pseudo-standby mode and uses IPs from Active unit |
|
"Stream: TCP normalization error in NO_TIMESTAMP" is seen when SSL Policy decrypt all is used |
|
ASA/FTD traceback and reload in Thread Name: IKEv2 Daemon when moving from active to standby HA |
|
Standby FTD experiencing periodic traceback and reload |
|
Memory exhaustion due to absence of freeing up mechanism for tmatch |
|
Transparent firewall MAC filter does not capture frames with STP-UplinkFast dst MAC consistently |
|
FP2100/FP1000: ASA Smart licenses lost after reload |
|
ASDM connection lost issue is observed in ASAv device due to config issue |
|
41xx/93xx : Update CiscoSSH (Chassis Manager FXOS) to address CVE-2023-48795 |
|
IKEv2 client services is not getting enabled - XML profile is not downloaded |
|
FTD/Lina traceback and reload of HA pairs, in data path, after adding NAT policy |
|
some ssh sessions not timing out, leading to ssh and console unable to connect to the FXOS CLI |
|
Policy Deployment Fails when removing the Umbrella DNS Policy from Security Intelligence |
|
Incorrect Timezone Format on FTD When Configured via FXOS |
|
ASA CLI hangs with 'show run' on multiple SSH |
|
TLS Server Identify: 'show asp table socket' output shows multiple TLS_TRK entries |
|
Traceback and reload on Primary unit while running debugs over the SSH session |
|
Cisco ASA and FTD Software Command Injection Vulnerability |
|
FTD/ASA system clock resets to year 2023 |
|
Access to website via Clientless SSL VPN Fails |
|
FTD/ASA - SNMP queries using snmpwalk are not displaying all "nameif" interfaces |
|
ASA SNMP Polling Failure for environmental FXOS DME MIB (.1.3.6.1.4.1.9.9.826.2) |
|
"crypto ikev2 limit queue sa_init" resets after reboot |
|
FTD: Hostname Missing from Syslog Message |
|
FTD SNMP OID 1.3.6.1.4.1.9.9.109.1.1.1.1.7 always returns 0% for SysProc Average |
|
SSH/SNMP connections to non-admin contexts fail after software upgrade |
|
Chromium-based browsers have SSL connection conflicts when FIPS CC is enabled on the firewall. |
|
ASA traceback and reload after configuring capture on nlp_int_tap and deleting context |
|
FTD traceback assert in vni_idb_get_mode and reloaded |
|
EIGRP bandwidth is changing after upgrade or after "shutdown"/"no shutdown" commands |
|
Cisco ASA and FTD Software Persistent Local Code Execution Vulnerability |
|
Policy deployment failure rollback didn't reconfigure the FTD devices |
|
ASA Checkheaps traceback while entering same engineID twice |
|
In Spoke dual ISP case if ISP2 is down, VTI tunnels related to ISP1 flapping. |
|
ENH: FTD Add debug message to indicate "No CRL found in User identity Certificate" |
|
Intermittent loss of management traffic due to DHCP service failing to start |
|
ASA/FTD may traceback and reload in Thread Name DATAPATH due to GTP Spin Lock Assertion |
|
ASA upgrade from 9.16 to 9.18 causing change in AAA ldap attribute values by adding extra slash '\' |
|
FTW no longer working in NM3 on Warwick |
|
An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.1 |
|
FTD: HostScan scanning results not processed in version 7.4.1 |
|
ICMP replies randomly do not reach the sender node when initiated from the node. |
|
Upload files through Clientless portal is not working as expected after the ASA upgrade |
|
FP 3100 MTU change on management interface is NOT persistent across reboots (returns to default MTU) |
|
The secondary device reloaded while rebooting the primary device. |
|
Cisco ASA and FTD Software Web Services Denial of Service Vulnerability |
|
Web Contents files appear as text/plain when they should be application/octet-stream |
|
Crypto IPSEC SA Output Showing NO SA ERROR With IPSEC Offload Enabled |
|
SAML: Single sign-on AnyConnect token verification failure is seen after successful authentication |
|
username containing '@' character works for asa login but fails for 'connect fxos' |
|
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-6-26174' |
|
FTD - Trace back and reload due to NAT involving fqdn objects |
|
ASA: Warning messages not displayed when Static interface NAT are configured |
|
FTDv reloads and generate backtrace after push EIGRP config |
|
FTD with Interface object optimization enabled is blocking traffic after renaming of zone names |
|
Active unit goes to disabled state when there is a mismatch in firewall mode |
|
Lina traceback and reload due to mps_hash_memory pointing to null hash table |
|
After upgrading the ASA, “Slot 1: ATA Compact Flash memory” shows a different value |
|
Error when running 'show tech-support module detail' on FPR9K |
|
FTD/ASA: CSR generation with comma between “Company Name” attribute does not work as expected |
|
Addition of debugs & a show command to capture the ID usage in the CTS SXP flow. |
|
TLS Secure Client sessions cannot be established on FTD Due to RSA-PSS Signing Algorithm |
|
Segmentation fault with "logger_msg_dispatch" while HA sync |
|
Clientless VPN users are unable to reach pages with HTTP Basic Authentication |
|
ASA/FTD may traceback and reload while handling DTLS traffic |
|
IKEv2 tunnels flap due to fragmentation and throttling caused by multiple ciphers/proposal |
|
ASA/FTD Cluster memory exhaustion caused by NAT process during release of port blocks allocations |
|
Disk quota for the corefile should be revisited based on platform |
|
Command to show counters for access-policy filtered with a source IP address gives incorrect result |
|
Multiple context interfaces fail to pass traffic |
|
Dns-guard prematurely closing conn due to timing condition |
|
ASA traceback with thread name SSH |
|
High latency observed on FPR3120 |
|
ASA/FTD may traceback in Threadname: **CTM KC FPGA stats handler** |
|
SNMP poll for some OIDs may cause CPU hogs and high latency can be observed for ICMP packets |
|
when set the route-map in route RIP on FTD, routes update is not working after FTD reload |
|
Cisco Secure Client Unable to complete connection. Cisco Secure Desktop not installed on the client. |
|
ASA traceback and reload when accessing file system from ASDM |
|
Crypto IPSEC Negotiation Failing At "Failed to compute a hash value" |
|
All IPV6 BGP routes configured in device flapping |
|
Radius secret key of over 14 characters for external authentication does not get deployed (FPR3100) |
|
ASA/FTD: A delay in an async crypto command induces a traceback and subsequently a reload. |
|
FPR3K loses connectivity to FMC via mgmt data interface on reboot of FPR3K |
|
ASA: Running the failsafe-exit command caused the interface to enter a DISABLED state |
|
ASA/FTD may traceback and reload in Thread Name 'lina' due to SCP/SSH process |
|
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-1-16803' |
|
Error message spammed to console on Firepower 2100 devices while enabling SSH config |
|
Snmpwalk throws Error messages #"snmp/error: truncating integer value > 32 bits" |
|
Console Access Stuck for ASAv hosted in CSP after Upgrade to 9.18.3.56 |
|
FTD/ASA-HA configs not in sync as the command sync process is sending configs with special chars |
|
Default Hashing Algorithm is SHA1 for Firepower Chassis Manager Certificate on 4110 |
|
SNMP host group content change results in SNMP process termination on management interface |
|
ASA - Bookmarks on the WebVPN portal are unreachable after successful login. |
|
ASA may traceback and reload in Thread Name 'DATAPATH-21-16432' |
|
SNMP OID for CPUTotal1min omits snort cpu cores entries when polled |
|
ASAv Memory leak involving PKI/Crypto for VPN |
|
FTD LINA Traceback and Reload idfw_proc Thread |
|
FTD - Trace back and reload due to NAT involving fqdn objects |
|
ASA/FTD may traceback and reload in Thread Name 'sdi_work' |
|
TLS Handshake Fails if Fragmented Client Hello Packet is Received Out of Order |
|
FTD/ASA : Standby FTD traceback and reload after enabling memory tracking |
|
FAN is working as expected but FAN LED is in off state. |
|
Seeing message "reg_fover_nlp_sessions: failover ioctl C_FOREG failed" |
|
High LINA CPU observed due to NetFlow configuration |
|
Standby Unit Interfaces enter "Waiting" Status Post-FTD Upgrade Due to Incorrect "Hello" Message MAC |
|
ASA/FTD may traceback and reload in Thread Name 'fover_FSM_thread' |
|
FPR2100-ASA Unable to generate CSR without FXOS IP address on SAN field |
|
FTD may traceback and reload in process name lina while processing appAgent msg reply |
|
FTD HA: Traceback and reload in netsnmp_oid_compare_ll |
|
Failsafe mode default values are unattainable on some platforms need adjustment per platform/mode |
|
RAVPN: Failure to create SGT-IP mapping due to ID table exhaustion |
|
Unable to run "nslookup" command on FXOS |
|
Browser redirects to logon page when the user clicks the WebVPN bookmark |
|
"show inventory" output shows Name: "power supply 0" on Firepower |
|
ASA Fails to initiate AAA Authentication with IKEv2-EAP and Windows Native VPN Client |
|
WebVPN connections stuck in CLOSEWAIT state |
|
ASA/FTD may traceback and reload in Thread Name PTHREAD |
|
FPR 21xx - Traceback in Process Name: lina-mps during normal operations |
|
ASA CLI hangs with 'show run' with multiple ssh sessions |
|
ASA/FTD SNMP polling fails due to overlapping networks in snmp-server host-group |
|
"set ip next-hop" line deleted from config at reload if IP address is matched to a NAME |
|
Serviceability: Improve routing infra debugs and add new for error conditions |
|
Clock skew between FXOS and Lina causes SAML assertion processing failure |
|
FTD/ASA traceback and reload due to 'show bgp summary' memory leak |
|
command to print the debug menu setting of service worker |
|
Clock skew: FXOS clock diverges from Lina NTP time ~1-10 secs |
|
Connectivity failure due to mismatch between l2_table and subinterface mac address |
|
Traceback and reload on active unit due to HA break operation. |
|
SNMP polling of admin context mgmt interface fails to show all interfaces across all contexts |
|
ASA/FTD incorrectly forwards extended community attribute after upgrade. |
|
Bring back support for portal-access-rule for weblaunch for RAVPN sessions |
|
FTD : Management interface showing down despite being up and operational |
|
Traffic drop with 'rule-transaction-in-progress' after failover with TCM cfgd in multi-ctx mode |
|
State Link Stops Sending Hello Messages Post-Failover Triggered by Snort Crash in FTD HA |
|
FTD doesn't send Type A query after receiving a refuse error from one DNS server in AAAA query. |
|
ESP sequence number of 0 being sent after SA establishment/rekey |
|
Add warning message when configuring CCL MTU |
|
Radius server configuration for FTD external authentication is not deployed to FTD. |
|
Snmpwalk displays incorrect interface speeds for values greater or equal than 10G |
|
FTD/ASA - VPN traffic flowing through the device may trigger tracebacks and reloads. |
|
ENH: Add application support for blocking consecutive AAA failures on LINA |
|
Backup feature does not save/restore DAP configuration in multiple context mode. |
|
ASA/FTD: Substantial increase in the time taken to load configuration |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
NAT_HARDEN: CGNAT breaks when mapped ifc is configured as any |
|
256/1550 block depletion process fover_thread |
|
High cpu on "update block depletion" causing BGP flap terminated on FTD |
|
SGT INLINE-TAG added after upgrade to 7.4.x |
|
ASA/FTD may traceback and reload in Thread Name 'PTHREAD-1756' |
|
Packet-tracer output incorrectly appends 'control-plane' to drops for data-plane access-group |
|
IPv6 SSL Anyconnect access blocked in HA pair |
|
Instrument new logs in the startup process to collect more information |
|
FTD LINA Traceback and Reload dhcp_daemon Thread |
|
Address SSP OpenSSH regreSSHion vulnerability |
|
Evaluation of ssp for OpenSSH regreSSHion vulnerability |
|
ASA might traceback and reload due to ssh/client hitting a null pointer while using SCP. |
|
NTP is not synchronising when using SHA-1 authentication |
|
Failover prompt shows state active while the firewall is in Negotiation |
|
FXOS upgrade failure due to insufficient free space in /mnt/pss (isan.log consumes most of space) |
|
FTD running on FPR 2k with LDAP skips backslash when updating ldap.conf |
|
S2S VPN with 3rd party broken after upgrading FPR 9.20 |
Cisco General Terms
The Cisco General Terms (including other related terms) govern the use of Cisco software. You can request a physical copy from Cisco Systems, Inc., P.O. Box 641387, San Jose, CA 95164-1387. Non-Cisco software purchased from Cisco is subject to applicable vendor license terms. See also: https://cisco.com/go/generalterms.
Related Documentation
For additional information on the ASA, see Navigating the Cisco Secure Firewall ASA Series Documentation.