Bugs

This document lists open and resolved bugs for threat defense and management center Version 6.2.3. For bugs in earlier releases, see the release notes for those versions. For cloud-delivered Firewall Management Center bugs, see the Cisco Cloud-Delivered Firewall Management Center Release Notes.

Important

We do not list open bugs for patches.

Bug lists are auto-generated once and may not be subsequently updated. If updated, the 'table last updated' date does not mean that the list was fully accurate on that date—only that some change was made. Depending on how and when a bug was categorized or updated in our system, it may not appear in the release notes. If you have a support contract, you can obtain up-to-date bug lists with the Cisco Bug Search Tool.

Open Bugs

Open Bugs in Version 6.2.3

Table last updated: 2022-11-02

Table 1. Open Bugs in Version 6.2.3
Bug ID	Headline
CSCvf16001	SF Cli - "inside" or "outside" interface capture not giving all options
CSCvh73096	Firepower Management Center does not support userPrincipalName attribute for login with ISE 2.2+
CSCvh89068	Core in Firepower Management Center Perl
CSCvh95960	Using the match keyword in capture command causes IPv6 traffic to be ignored in capture
CSCvi07656	Small number of TLS connections can fail after TLS inspection in Hardware Mode is overloaded
CSCvi10758	With SSL inspection in software mode, a few TLS connections fail to close in a timely manner
CSCvi16024	SSL errors on session resume when server IP address changes - HW mode
CSCvi18123	Firepower Threat Defense show tech-support command output broken on 2100 from CLISH CLI
CSCvi19862	With SSL inspection enabled, TLS traffic throughput can drop following high-availability failover
CSCvi35176	Deployment Failed-Snort Restart Failure- APPLY_APP_CONFIG_APPLICATION_FAILURE SignalAppConfigFailed
CSCvi35588	Deployment failure due to Snort failed to restart PDTS Handle was NULL
CSCvi42539	Decrypted connections fail when SSLv2 is supported but a higher version is negotiated
CSCvi47264	Some indicators may stay pending when consuming TAXII feeds in parallel
CSCvi50731	Unable to delete certificate objects if there were previous used at ISE even it was deleted
CSCvi61411	Routed Threat Defense allows Transparent Configuration, but traffic fails (6.2.3-66) on KVM only
CSCvi62982	Firepower Threat Defense virtual on ESXi Firstboot config does not sync hostname correctly with FQHN
CSCvi63157	Firepower 2110 dropping connections
CSCvi63864	With SSL inspection in hardware mode and Malware protection, secure file transfers occasionally fail
CSCvi66189	CNP has been enabled in Firepower Management Center where it usage Satellite server for license
CSCvi70680	Same groups from different AD not downloaded
CSCvv14442	FMC backup restore fails if it contains files/directories with future timestamps

Resolved Bugs

Resolved Bugs in New Builds

Sometimes we release updated builds. In most cases, only the latest build for each platform is available on the Cisco Support & Download site. If you downloaded an earlier build, do not use it.

You cannot upgrade from one build to another for the same software version. If you are already running an affected build, determine if an upgrade or hotfix would work instead. If not, contact Cisco TAC. See the Cisco Firepower Hotfix Release Notes for quicklinks to publicly available hotfixes.

Table 2. Version 6.2.3 New Builds
Version	New Build	Released	Platforms: Upgrade	Platforms: Reimage	Resolves
6.2.3.15	39	2020-01-05	FTD/FTDv	—	CSCvs84578: Upgrading FTD on 4100/9300 Platform to 6.2.3.15 break SSHD, preventing FTD instance from booting up CSCvs84713: After upgrading FTD on ASA55XX to 6.2.3.15, cannot SSH to the device CSCvs95725: Virtual FTD Running on 6.2.3.15 blocks SSH request and loses connection with the FMC If you already upgraded your FTD device to Version 6.2.3.15-38, apply Hotfix DW to the device. For more information, see the Software Advisory for CSCvs84578 and CSCvs84713.
6.2.3.14	41	2019-07-03	All	—	CSCvq34224: Firepower Primary Detection Engine process terminated after Manager upgrade If you already upgraded to Version 6.2.3.14-36 and have FTD devices configured for high availability, apply Hotfix CY to the FMC.
6.2.3.11	55	2019-03-17	All	—	Cisco Firepower System User Agent issues. If you already downloaded and installed Version 6.2.3.11-53, contact Cisco TAC for a hotfix.
6.2.3.5	53	2018-11-06	FTD/FTDv	—	CSCvk67239: ASA Firewalls and Firepower Threat Defense devices may traceback and reload when the state of the unit in a Failover pair or multi-unit cluster changes. This also occurred when upgrading from Version 6.2.3.5 to Version 6.2.3.6. For more information, see the Software Advisory for CSCck67239.
6.2.3.2	46	2017-06-27	All	—	CSCvj25386: In some cases, if a device ever ran Version 6.0, upgrading to any version earlier than Version 6.2.2.3 failed. CSCvk06176: Even with this new build, if an FMC ever ran Version 6.2.3-88, the SSE cloud connection drops and telemetry cannot send data after you upgrade. If your FMC is affected, apply Hotfix T.
6.2.3.1	47	2017-06-28	All	—	CSCvj25386: In some cases, if a device ever ran Version 6.0, upgrading to any version earlier than Version 6.2.2.3 failed. CSCvk06176: Even with this new build, if an FMC ever ran Version 6.2.3-88, the SSE cloud connection drops and telemetry cannot send data after you upgrade. If your FMC is affected, apply Hotfix T.
6.2.3.1	45 and 46	2017-06-21	All	—	Component issues.
6.2.3	113	2020-06-01	FMC/FMCv	FMC/FMCv	CSCvr95287: Cisco Firepower Management Center LDAP Authentication Bypass Vulnerability If you are running an earlier build, apply Hotfix DO.
	111	2019-11-25	—	FTDv: AWS, Azure	Contact Cisco TAC.
	110	2019-06-14	—	—	CSCvn78174: Cisco ASA and Cisco FTD Software TCP Timer Handling Denial of Service Vulnerability
	99	2018-09-07	—	—	Contact Cisco TAC.
	96	2018-07-26	—	—	Contact Cisco TAC.
	92	2018-07-05	—	—	CSCvk06176: SSEConnector is not coming up because of Wrong Executable
	88	2018-06-11	—	—	CSCvj13327: Upgrade to 6.2.3 fails at 600_schema/100_update_database.sh - oom killer invoked
	85	2018-04-09	—	—	Contact Cisco TAC.
	84	2018-04-09	Firepower 7000/8000 NGIPSv	—	CSCvi74560: 6.2.3 does not properly deploy variables in variable sets and causes deploy failure CSCvi74623: 6.2.3 upgrade resets home_net variable to default "any" CSCvi77527: upgrade to 6.2.3 fails with post install database integrity check error
	83	2018-04-02	FTD/FTDv ASA FirePOWER	FTD: Physical platforms FTDv: VMware, KVM Firepower 7000/8000 ASA FirePOWER NGIPSv	Contact Cisco TAC.

Resolved Bugs in Version 6.2.3.18

Table last updated: 2022-02-16

Table 3. Resolved Bugs in Version 6.2.3.18
Bug ID	Headline
CSCvm05464	CVE-2018-5391 Remote denial of service via improper IP fragment handling
CSCvp16933	Cisco Firepower Threat Defense Software Shell Access Vulnerability
CSCvq41939	Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software DHCP DoS
CSCvx00496	QuoVadis root CA decommission on pix-asa
CSCvx19563	FDM: Need to update various items to use STO Certificate Trust Bundle (QuoVadis Root CA Issue)
CSCvx28070	Update QuoVadis root CA for Smart license as it is getting decommissioned
CSCvx30107	Default trustpoint _SmartCallHome_ServerCA using SHA1 which is not supported
CSCvx32283	Cisco Firepower Management Center Open Redirect Vulnerability
CSCvx46296	Cisco ASA and FTD Software Transparent Mode Denial of Service Vulnerability
CSCvx47895	Cisco ASA Software and FTD Software Identity-Based Rule Bypass Vulnerability
CSCvx52541	Update SSEConnector config to use the CA bundle /etc/ssl/certs.pem
CSCvx55664	Cisco Firepower Management Center Cross-site Scripting Vulnerability
CSCvx57417	Smart Tunnel Code signing certifcate renewal
CSCvy16573	Cisco Firepower Threat Defense Command Injection Vulnerability
CSCvy20504	Cisco ASA and FTD Software Web Services Interface Cross-Site Scripting Vulnerability
CSCvy36910	Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software DoS
CSCvy41771	Cisco Firepower Management Center Software Authenticated Directory Traversal Vulnerability
CSCvy58278	Denial of Service vulnerability handling the config-request request
CSCvy80325	Include the ios pem files into the patch upgrade package for vFTD
CSCvy93480	Cisco ASA and FTD Software IKEv2 Site-to-Site VPN Denial of Service Vulnerability
CSCwa46963	Security: CVE-2021-44228 -> Log4j 2 Vulnerability
CSCwa70008	Expired certs cause Security Intel. and malware file preclassification signature updates to fail
CSCwa88571	Unable to register FMC with the Smart Portal

Resolved Bugs in Version 6.2.3.17

Table last updated: 2021-06-14

Table 4. Resolved Bugs in Version 6.2.3.17
Bug ID	Headline
CSCvh64138	FXOS upgrade to 2.3.1.X causes FTD logical device to not come up
CSCvk08565	App-instance in start-failed with "Application Failing to Start by ProcMgr" error on container app
CSCvn82441	[SXP] Issue with establishing SXP connection between ASA on FPR-2110 and switches
CSCvn95731	ASA traceback and reload on Thread Name SSH
CSCvo60166	KP: Can't login to fxos due to disk full error
CSCvo86940	PROMPTING FOR PASSWORD WHEN TRYING TO CONFIGURE enic, vfio-pci , igb_uio ON BLADE
CSCvp16482	ASA reloads when establishing simultaneous ASDM sessions
CSCvp49481	Cisco ASA Software and Cisco FTD Software SSL VPN Denial of Service Vulnerability
CSCvp57643	FTD/ASA - Cluster/HA - Master/Active unit does not update all the route changes to Slaves/Standby
CSCvp93468	Cisco ASA Software and Cisco FTD Software SSL VPN Denial of Service Vulnerability
CSCvq43920	Cisco Firepower Threat Defense Software Hidden Commands Vulnerability
CSCvr35872	ASA traceback Thread Name: DATAPATH with PBR configured
CSCvr55973	Unable to ping out of management 1/1 interface on a KP
CSCvr80164	WR6 and WR8 commit id update in CCM layer(sprint 72)
CSCvs45111	WR6 and WR8 commit id update in CCM layer(sprint 75)
CSCvs56888	Cisco Firepower Threat Defense Software TCP Flood Denial of Service Vulnerability
CSCvs81504	WR6 and WR8 commit id update in CCM layer(sprint 77)
CSCvt01282	WR6 and WR8 commit id update in CCM layer(sprint 79)
CSCvt02409	Cisco Firepower Threat Defense Software Inline Pair/Passive Mode DoS Vulnerability
CSCvt13445	Cisco ASA and FTD Software FTP Inspection Bypass Vulnerability
CSCvt18028	Cisco ASA and FTD WebVPN CRLF Injection Vulnerability
CSCvt30731	WR6, WR8 and LTS18 commit id update in CCM layer(sprint 80)
CSCvt31177	Cisco ASA and FTD Software for FP 1000/2100 Series Appliances Secure Boot Bypass Vulns
CSCvt31178	Cisco ASA and FTD Software for FP 1000/2100 Series Appliances Secure Boot Bypass Vulns
CSCvt60190	Cisco ASA and FTD Web Services File Upload Denial of Service Vulnerability
CSCvt70322	Cisco ASA Software and FTD Software Web Services Denial of Service Vulnerability
CSCvt74037	Cisco FXOS Software Command Injection Vulnerability
CSCvt83121	Cisco ASA and FTD Software OSPFv2 Link-Local Signaling Denial of Service Vulnerability
CSCvu15801	Cisco ASA and FTD Software SIP Denial of Service Vulnerability
CSCvu20257	WR6, WR8 and LTS18 commit id update in CCM layer (sprint 85)
CSCvu40531	FXOS LACP packet logging to pktmgr.out and lacp.out fills up /opt/cisco/platform/logs to 100%
CSCvu44910	Cisco ASA Software and FTD Software Web Services Cross-Site Scripting Vulnerability
CSCvu46685	Cisco ASA and FTD Software SSL/TLS Session Denial of Service Vulnerability
CSCvu59817	Cisco ASA and FTD Software SSL VPN Direct Memory Access Denial of Service Vulnerability
CSCvu61919	WR6, WR8 and LTS18 commit id update in CCM layer(sprint 87)
CSCvu75581	Cisco ASA and FTD Web Services Interface Cross-Site Scripting Vulnerabilities
CSCvu75615	Cisco ASA Software and FTD Software WebVPN Portal Access Rule Bypass Vulnerability
CSCvu83309	Cisco ASA and FTD Web Services Interface Cross-Site Scripting Vulnerabilities
CSCvu91097	Cisco Firepower Management Center Software Policy Vulnerability
CSCvv13835	Cisco ASA and FTD Web Services Interface Cross-Site Scripting Vulnerabilities
CSCvv33712	Cisco ASA Software Web-Based Management Interface Reflected Cross-Site Scripting Vulnerabi
CSCvv56644	Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web DoS
CSCvv65184	Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web DoS
CSCvv79459	WR6, WR8 and LTS18 commit id update in CCM layer (sprint 94, seq 1)
CSCvv95277	FPR2100 High disk usage in partition /opt/cisco/platform/logs due to growth of httpd log files
CSCvw13348	WR6, WR8 and LTS18 commit id update in CCM layer (sprint 98, seq 2)
CSCvw26544	Cisco ASA and FTD Software SIP Denial of Service Vulnerability
CSCvw52609	Cisco ASA and FTD Software Web Services Buffer Overflow Denial of Service Vulnerability
CSCvw53796	Cisco ASA and FTD Web Services Interface Cross-Site Scripting Vulnerability
CSCvw53884	M500IT Model Solid State Drives on ASA5506 may go unresponsive after 3.2 Years in service
CSCvw90923	WR6, WR8 and LTS18 commit id update in CCM layer (sprint 101, seq 4)
CSCvx06920	WR6, WR8 and LTS18 commit id update in CCM layer (sprint 103, seq 5)
CSCvx16700	FXOS clock sync issue during blade boot up due to "MIO DID NOT RESPOND TO FORCED TIME SYNC"

Resolved Bugs in Version 6.2.3.16

Table last updated: 2020-07-13

Table 5. Resolved Bugs in Version 6.2.3.16
Bug ID	Headline
CSCvg84794	All Interfaces does not come up after booting KP ASA image
CSCvj49994	Failed to download FXOS package during upgrade due to no IPv6 address
CSCvm48451	Intrusion Event Performance Graphs load blank on 4100 and 9300
CSCvm84994	SSH idle timeout not working on FTD on Firepower 4100 and Firepower 9300
CSCvm85823	Not able to ssh, ssh_exec: open(pager) error on console
CSCvn93683	ASA: cluster exec show commands not show all output
CSCvo62077	Cisco Firepower Threat Defense Software VPN System Logging Denial of Service Vulnerability
CSCvo78789	Cisco Adaptive Security Appliance Smart Tunnel Vulnerabilities
CSCvo80853	Cisco Firepower Threat Defense Software Packet Flood Denial of Service Vulnerability
CSCvp04134	Traceback in HTTP Cli Exec when upgrading to 9.12.1
CSCvp16945	Cisco ASA Software and FTD Software MGCP Denial of Service Vulnerabilities
CSCvp16949	Cisco ASA Software and FTD Software MGCP Denial of Service Vulnerabilities
CSCvp45149	Traceback while Reverting the primary system as active
CSCvp49481	Cisco ASA Software and Cisco FTD Software SSL VPN Denial of Service Vulnerability
CSCvp55941	FILE RESUME BLOCK being randomly thrown causing access issues on files from SMB share.
CSCvp87623	Upload an update gives "update request entity too large" error when using CAC(HTTPS Client Certs)
CSCvp90847	Refresh Root CAs that SSL uses for resigning in FTD/FMC
CSCvp93468	Cisco ASA Software and Cisco FTD Software SSL VPN Denial of Service Vulnerability
CSCvq12070	Not able to establish more than 2 simultaneous ASDM sessions
CSCvq13442	When deleting context the ssh key-exchange goes to Default GLOBALLY!
CSCvq20910	Cisco Firepower 2100 Series Security Appliances ARP Denial of Service Vulnerability
CSCvq35440	Upgrade Enhancements to STRAP verification for anyconnect - Cisco VPN session replay vulnerability
CSCvq36042	lost heartbeat causing reload
CSCvq54034	WRL6 and WRL8 commit-id update in CCM Layer (sprint 65)
CSCvq56257	Cached malware disposition does not always expire as expected
CSCvq66092	Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software BGP DoS
CSCvq70485	Slow "securityzones" REST API
CSCvq70775	FPR2100 FTD Standby unit leaking 9K blocks
CSCvq71217	High Disk Utilization due to mysql-server.err failing to rotate after CSCvn30118
CSCvq73534	Cisco ASA Software Kerberos Authentication Bypass Vulnerability
CSCvq73599	Cisco VPN session replay vulnerability : STRAP fix on ASA for SSL(OpenSSL 1.0.2) and SCEP proxy
CSCvq93640	WRL6 and WRL8 commit id update in CCM layer (sprint 67)
CSCvr07419	Cisco ASA and FTD Software IPv6 DNS Denial of Service Vulnerability
CSCvr09748	Cisco FXOS and FTD Software Command Line Interface Arbitrary File Read and Write Vuln
CSCvr11395	Only a subset of devices where deployed from a device group during scheduled deploy
CSCvr17735	SFDataCorrelator high CPU during SI update
CSCvr37502	libexpat Improper Parsing Denial of Service Vulnerability
CSCvr39556	Segfault in libclamav.so (in the context of SFDataCorrelator)
CSCvr49734	Cisco FXOS and UCS Manager Software CLI Command Injection Vulnerability
CSCvr55825	Cisco ASA and FTD Software Path Traversal Vulnerability
CSCvr63941	KP ASA diagnostic-cli channel stops functioning
CSCvr85295	Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Remote
CSCvr86213	CD is required to ignore Cluster-Msg-Delivery-Confirmation in Cluster Node Release Lina State
CSCvr90768	FTD: Deployment through slow links may fail
CSCvr92327	ASA/FTD may traceback and reload in Thread Name 'PTHREAD-1533'
CSCvs12288	Snort unexpectedly exits with SSL policy enabled and debug_policy_all
CSCvs19968	Fix consoled from getting stuck and causing HA FTD policy deployment errors.
CSCvs33416	Upgrade Kernel to 4.14.158
CSCvs34844	pm process becomes randomly deadlocked when communicating with hardware.
CSCvs50459	Cisco ASA and Cisco FTD Malformed OSPF Packets Processing Denial of Service Vulnerability
CSCvs59487	Observed crash in KP device while upgrading to 99.14.1.64 image.
CSCvs60254	libxml2 xmlParseBalancedChunkMemoryRecover Memory Leak Vulnerability
CSCvs61701	DME process crash due to memory leak on Firepower 2100
CSCvs77334	FTD failover due to error "Inspection engine in other unit has failed due to snort and disk failure"
CSCvs84578	Upgrading FTD on 4100/9300 Platform to 6.2.3.15 prevents the FTD instance from booting up
CSCvs84713	Cannot SSH to the device after upgrading FTD on ASA55XX/ISA 3000/FTDv to 6.2.3.15 build 38
CSCvs87168	SNORT Fatal Error due to out of range interface ID
CSCvs94486	CSCvs59487 requires additional fix for resolution
CSCvs98311	FSIC Failure after upgrade from 6.2.3.15-38 > 6.2.3.16-29 in CC Mode
CSCvt03598	Cisco ASA Software and FTD Software Web Services Read-Only Path Traversal Vulnerability
CSCvt15163	Cisco ASA and FTD Software Web Services Information Disclosure Vulnerability
CSCvt39135	snort instances CPU spikes to >90% at low non-SSL traffic with SSL policy applied
CSCvt39299	6.2.3.15 to 6.4.0 upgrade broken for Series-3 Sensors
CSCvt80172	Supervisor software needs to be upgraded to address CVE-2017-11610
CSCvu30830	NGIPS sensor SSH broken due to bad CiscoSSH keywork in sshd_config file

Resolved Bugs in Version 6.2.3.15

Table last updated: 2019-09-17

Table 6. Resolved Bugs in Version 6.2.3.15
Bug ID	Headline
CSCve24102	GUI should allow max 256 addresses per DHCP pool
CSCvg49225	Canceling scheduled FXOS upgrade does not clear the event
CSCvg85687	Error messages seen on console when FXOS boots up
CSCvk43854	Cisco Firepower Threat Defense Detection Engine Policy Bypass Vulnerability
CSCvm64400	IKEv2: IKEv2-PROTO-2: Failed to allocate PSH from platform
CSCvm68648	review of CVE-2016-8858 (OpenSSH) on Firepower software
CSCvm82966	Linux Kernel 4.14 Vulnerabilities
CSCvn46390	Lina msglayer performance improvements: port Hotfix BO
CSCvn77125	FXOS: copy command should allow for wildcards to transfer multiple files
CSCvo29989	Cisco FirePower Threat Defense Information Disclosure Vulnerability
CSCvo47390	ASA traceback in thread SSH
CSCvo48838	Lina does not properly report the error for configuration line that is too long
CSCvo68184	management-only of diagnostic I/F on secondary FTD get disappeared
CSCvo68448	ASA report SFR module as 'Unresponsive' after reloading ASA module on 5585 platform
CSCvo85861	Propagate link-state not shown in FTD CLI
CSCvo86485	incorrect HTML <base> tag handling by Grammar Based Parser
CSCvo88762	FTD inline/transparent sends packets back through the ingress interface
CSCvo89224	FMC times out after 10 mins to fetch device list for deployment
CSCvo90998	LACPDUs should not be sent to snort for inline-set interfaces
CSCvp07616	[ciam] Python urllib Security Bypass Vulnerablity
CSCvp15176	FTD/ASA installed on firepower devices may report comm failure and assume itself as active/master.
CSCvp16536	ASA traceback and reload observed in Datapath due to SIP inspection.
CSCvp16618	URL inside HTML base tag is not rewritten after it is handled by GBP
CSCvp27263	Multiple ClamAV Vulnerabilities For Cisco Firepower Management Center for pre 6.5.0
CSCvp35141	ASA sends invalid redirect response for POST request
CSCvp35769	[ciam] Apache HTTP Server URL Normalization Denial of Service Vulnerability
CSCvp37779	FTD show tech from troubleshooting files incomplete
CSCvp46150	[ciam] GNU Wget Buffer Overflow Vulnerability
CSCvp48273	[ciam] Linux Kernel cipso_v4_validate Denial of Service Vulnerability
CSCvp49576	FTD Cluster traceback experienced when other unit leaves the Cluster
CSCvp53637	Flows are getting offloaded on inline-sets
CSCvp54261	Audit syslog for SFR module/7000/8000 devices uses TCP instead of UDP for syslog communication
CSCvp55880	Fail-Closed FTD passes packets through on Snort processes down
CSCvp55901	LINA traceback on ASA in HA Active Unit repeatedly
CSCvp58028	natd thread of nfm_exceptiond uses about 90% to 100% CPU time
CSCvp66559	Deploy fails on FTD HA due to exception when parsing big xml response
CSCvp67257	USGv6 Failures From Kernel Upgrade [3.10 to 4.14]
CSCvp67392	ASA/FTD HA Data Interface Heartbeat dropped due to Reverse Path Check
CSCvp70699	ASA Failover split brain (both units active) after rebooting a Firepower chassis
CSCvp72244	Evaluate Cisco 8000 series for CVE-2019-11815
CSCvp72488	Firepower: AMP for network connectivity failure after upgrading to 6.3.0.2+
CSCvp83437	serial console/SSH login using local account succeeds but immediately returns to login prompt
CSCvp97061	URL Filtering Shows All URLs as Uncategorized
CSCvp97799	Policy deploy failure 6.5.0-1148 post upgrade with CC mode with openSSL call during SSL pol Export
CSCvp97916	Executing 'failover' twice on active unit, clears interface configuration on standby unit
CSCvp98066	On reset CD not clearing its flags[parseFailoverReqIssued] which prevents further node join attempts
CSCvq00675	Linux Kernel sas_expander.c Race Condition Arbitrary Code Execution ...
CSCvq06790	Snort processes dump core with memory corruption on Series 3 devices
CSCvq13917	ADI does not learn VPN user logins anymore
CSCvq19525	Evaluation of sfims for TCP_SACK
CSCvq19641	Evaluation of Firepower 4k/9k Supervisor for TCP_SACK
CSCvq27010	Memory leak observed when ASA-SFR dataplane communication flaps
CSCvq32681	Fail to Wire configuration disabled for multiple interface-pair inline-sets during FTD upgrades
CSCvq33916	Linkdown between FP 4100 and switch when using 40gb bidi to 40/100 bidi
CSCvq39083	Security Intelligence does not drop HTTPS connections to blacklisted URLs when SSL policy is enabled
CSCvq44665	FTD/ASA : Traceback in Datapath with assert snp_tcp_intercept_assert_disabled
CSCvq54242	Warrning "There is an empty group in the source networks" in SSL policy
CSCvq56462	File policy not inspecting some malware document (.doc) and Adobe flash (.swf) files.
CSCvq57710	Firepower Primary Detection Engine process might terminated after Manager upgrade
CSCvq61651	URL DB download failure alerts on FMC; new URL DB updates not taking effect on FMC/FDM
CSCvq65092	Slow device related REST API calls
CSCvq98171	Unable to do Recovery using latest r241 images

Resolved Bugs in Version 6.2.3.14

Table last updated: 2019-07-03

Table 7. Resolved Bugs in Version 6.2.3.14
Bug ID	Headline
CSCvb15074	FMC health notifications for interfaces removed or added out-of-band get stuck
CSCvi63474	Unable to edit the system policy of a SFR module via ASDM after upgrading to 6.2.2
CSCvk69823	FlexConfig objects pushed to device in spite of no changes being made to that on either FMC or FTD
CSCvm70274	tcp proxy: ASA traceback on DATAPATH
CSCvn86777	Deployment on FTD with low memory results on interface nameif to be removed
CSCvo24145	ids_event_alerter high memory usage due to large firewall_rule_cache table
CSCvo33348	Mysql traffic on non standard port is not correctly classified
CSCvo33851	ngfwManager doesn't start if ngfw.properties is empty
CSCvo43679	FTD Lina traceback, due to packet looping in the system by normaliser
CSCvo50168	Audit Log Settings Failing Leading to being unable to edit System Settings
CSCvo60580	ASA traceback and reloads when issuing "show inventory" command
CSCvo60862	Internal Error when editing an Access Control Policy
CSCvo74745	cloud agent core after generating a large number of continuous URL lookups (>30M)
CSCvo90805	Cisco Firepower Management Center RSS Cross-Site Scripting Vulnerabilities
CSCvp16979	ssl and daq debug logs can't be enabled/disabled dynamically
CSCvp18878	ASA: Watchdog traceback in Datapath
CSCvp19549	FTD lina cored with Thread name: cli_xml_server
CSCvp24728	Random SGT tags added by FTD
CSCvp24787	(snort)File is not getting detected when going over HTTPS (SSL Resign)
CSCvp25583	FTD sets automatically metric 0 when we redistribute OSPF into BGP via FMC GUI.
CSCvp29692	FIPS mode gets disabled after rollback from a failed policy deploy
CSCvp33052	Firepower 8000 interfaces might flap due to unhandled resource temporarily unavailable issue
CSCvp43536	On upgraded FMC Device FXOS devices are shown dirty even after successful deployment.
CSCvp54634	Wrong rule matched when using ambiguous DND
CSCvp78197	Policy deployment remove and add back ospf neighbor
CSCvp81967	Slowness in loading Device Management page on FMC when there are over 500 managed devices
CSCvp82945	NAT policy apply failing with error duplicate
CSCvp96934	Ensure Error Message with Dup NATs Is Clear and Actionable
CSCvq13917	6.2.3.13 ADI does not learn VPN user logins anymore
CSCvq34224	Firepower Primary Detection Engine process terminated after Manager upgrade

Resolved Bugs in Version 6.2.3.13

Table last updated: 2019-07-03

Table 8. Resolved Bugs in Version 6.2.3.13
Bug ID	Headline
CSCve13816	MEMCACHED software needs to be upgraded to address several security vulnerabilities
CSCvf83160	Traceback on Thread Name: DATAPATH-2-1785
CSCvg01007	https pdf attachment issues
CSCvg74603	eStreamer archive events are not pruned correctly by diskmanager
CSCvi16224	snmp-server host command for SNMPv3 doesn't apply properly when deploy ASAv VM on NFVIS (KVM) system
CSCvi32569	Excessive logging in mysql-server.err log causes huge log files in FTD
CSCvi59887	OSPF Route may become stale and stuck in the routing table after failover events
CSCvj49623	Memory Leak In Smart Licensing
CSCvk14242	sfstunnel process in FTD is holding large cloud db files that are already deleted
CSCvk26612	"default Keyring's certificate is invalid, reason: expired" health alert
CSCvk29263	SSH session stuck after committing changes within a Configure Session.
CSCvk30739	ASA CP core pinning leads to exhaustion of core-local blocks
CSCvk44166	Cisco ASA and FTD TCP Proxy Denial of Service Vulnerability
CSCvk72958	Qos applied on interfaces doesn't work.
CSCvm00066	ASA is stuck on "reading from flash" for several hours
CSCvm08769	Standby unit sending BFD packets with active unit IP, causing BGP neighborship to fail.
CSCvm17985	Initiating write net command with management access for BVI interfaces does not succeed
CSCvm27111	FTD Lina traceback while removing OSPF configuration.
CSCvm36362	Route tracking failure
CSCvm80779	ASA not inspecting H323 H225
CSCvm82290	ASA core blocks depleted when host unreachable in IRB configuration
CSCvm85257	Spin lock traceback when changing vpn-mode with traffic
CSCvm86008	Policy Deployment: Delta config doesn't get copied to running config, LINA config remains unchanged
CSCvm88294	High Disk utilization due to partition force drain not occurring
CSCvn22833	ADI process fails to start on ASA on Firepower 4100
CSCvn30108	The 'show memory' CLI output is incorrect on ASAv
CSCvn30393	ASA Traceback in emweb/https during Anyconnect Auth/DAP assessment
CSCvn31347	ACL Unable to configure an ACL after access-group configuration error
CSCvn32620	IKEv2 Failed to obtain an Other VPN license
CSCvn34246	Loading AC policy editor takes too long, needs loading indicator
CSCvn38453	ASA: Not able to load Quovadis Root Certificate as trustpoint when FIPS is enabled
CSCvn45750	FMC Audit Logs will only display Admin and System as owners when deploying to 3D devices -GUI/SYSLOG
CSCvn50320	Firepower MySQL Server : Oracle MySQL October 2018 Critical Patch Update
CSCvn55007	DTLS fails after rekey
CSCvn57284	Unsupported EC curve x25519 on FTD
CSCvn66248	Configuring "boot config" has no effect if file was modified off-box and copied back on
CSCvn67137	ASA5506 may slowly leak memory when using NetFlow
CSCvn68527	FPR21xx: AnyConnect assigned addresses not marked allocated on Standby
CSCvn71592	After FMC reboot, intrusion events generated by Snort are not sent to FMC and show up in webGUI
CSCvn73962	ASA 5585 9.8.3.14 traceback in Datapath with ipsec
CSCvn76829	ASA as an SSL Client Memory Leak in Handshake Error path
CSCvn77248	Cisco Secure Boot Hardware Tampering Vulnerability
CSCvn78597	Firepower block page not displayed on MS IE11 and Edge for HTTPS blocked sites when proxy is enabled
CSCvn78674	Cisco Adaptive Security Appliance Clientless SSL VPN Cross-Site Scripting Vulnerability
CSCvn78870	ASA Multicontext traceback and reload due to allocate-interface out of range command
CSCvn94100	"Process Name: lina" \| ASA traceback caused by Netflow
CSCvn95711	Traceback on Thread Name: Unicorn Admin Handler after adding protocol to IKEV2 ipsec-proposal
CSCvn96898	Memory Leak in DMA_Pool in binsize 1024 with SCP download
CSCvn97591	Packet Tracer fails with "ERROR: TRACER: NP failed tracing packet", with circular asp drop captures
CSCvo04444	Ikev2 tunnel creation fails
CSCvo06216	Support more than 255 chars for Split DNS-commit issue in hanover for CSCuz22961
CSCvo11406	Cisco Adaptive Security Appliance Clientless SSL VPN Cross-Site Scripting Vulnerability
CSCvo11416	Cisco Adaptive Security Appliance Clientless SSL VPN Cross-Site Scripting Vulnerability
CSCvo13497	Unable to remove access-list with 'log default' keyword
CSCvo15484	Unable to delete User IOC if user info is inconsistent between mysql & sybase - part fix
CSCvo17033	Cisco Adaptive Security Appliance Clientless SSL VPN Cross-Site Scripting Vulnerability
CSCvo23222	AnyConnect session rejected due to resource issue in multi context deployments
CSCvo27109	Standby may enter reboot loop upon upgrading to 9.6(4)20 from 9.6(4)6
CSCvo42174	ASA IPSec VPN EAP Fails to Load Valid Certificate in PKI
CSCvo45093	Validation Check when two objects with different name but same network is used in route without ECMP
CSCvo45209	FTD-CLUSTER:Adding new unit in cluster can cause traffic drop
CSCvo51265	SCP large file transfer to the box result in a traceback
CSCvo55151	crypto ipsec inner-routing-lookup should not be allowed to be configured with VTI present
CSCvo56616	Deployment times out in some cases resulting in non-terminated AQ
CSCvo56836	SCALE: with 500+ devices, UMS causes the UI to hang, especially during deploy
CSCvo58847	Enhancement to address high IKE CPU seen due to tunnel replace scenario
CSCvo60627	Policy failing to deploy after adding new cluster unit to setup
CSCvo62060	Telemetry not sent when FMC managing lots of devices
CSCvo66534	Traceback and reload citing Datapath as affected thread
CSCvo70866	SGT tag shows untagged in server packet for every client packet with SGT tag with some value
CSCvo72179	For SMB, remote storage configuration should allow configuring version string with dot(.)
CSCvo72232	ERR_SSL_BAD_RECORD_MAC_ALERT or SSL_ERROR_BAD_MAC_ALERT in the browser
CSCvo74350	ASA may traceback and reload. Potentially related to WebVPN traffic
CSCvo76727	No warning about possible policy deployment failure when in route is more than one object
CSCvo81073	Unable to load Device Management page or upgrade FMC due to missing NGFWHA EO
CSCvo83574	Device goes into a bad state when switching the inline set from TAP mode
CSCvo87930	HTTP with ipv6 using w3m is failing
CSCvo88188	SSL rules with App-ID conditions can limit decryption capability
CSCvo88306	NAT rules can get applied in the wrong order when you have duplicate rules
CSCvo93872	Memory leak while inspecting GTP traffic
CSCvo94486	Snort process exits while processing Security Intelligence.
CSCvp21837	Allow FTDs to perform URL lookups directly without having to go through the FMC
CSCvp42398	Series 3 8250: Upgrade 6.4.0-87 failed at 999_finish/989_flip_mbr.sh
CSCvp54634	Wrong rule matched when using ambiguous DND

Resolved Bugs in Version 6.2.3.12

Table last updated: 2019-05-13

Table 9. Resolved Bugs in Version 6.2.3.12
Bug ID	Headline
CSCvh26064	Unable to use "Change Reconciliation" on 7000/8000 sensors
CSCvj82652	Deployment changes are not pushed to the device due to disk0 mounted on read-only
CSCvk56988	Cisco ClamAV MEW unpacker Denial of Service Vulnerability
CSCvm16724	FXOS ASA/FTD needs means to poll Internal-data interface counters
CSCvm24210	One of the two schedule tasks running on same timestamp fails if they both access the same file
CSCvm35373	Pruner process fails to start due to configuration
CSCvm40545	downgrading FTD twice in a row without updating in between results in wrong lina version
CSCvn07452	712x devices become unstable when switching inline set from TAP to inline
CSCvn09383	Manual URL lookup returns Uncategorized if same URL is entered second time without "www." part
CSCvn38189	SFDataCorrelator is not restarted after backup scripts died
CSCvn46358	overloading of the lina msglyr infra due to the sending of VPN status messages
CSCvn49854	Subsequent HTTP requests not retrieving URL and XFF
CSCvn67570	amp-stunnel.conf does not point to correct amp cloud server post FMC upgrade
CSCvn67888	Object added using REST API result in policy deploy failure
CSCvn72570	Cisco ASA Software and FTD Software VPN SAML Authentication Bypass Vulnerability
CSCvn73848	Snort sessions are timing out earlier than configured idle timeouts.
CSCvn74112	FTDv does not have configuration on initial bringup with mix of vmxnet3 and ixgbevf interfaces
CSCvn75368	FPR platform IPsec VPN goes down intermittently
CSCvn78593	Control-plane ACL doesn't work correctly on FTD
CSCvn82895	Diskmanager may not track all event files
CSCvn87965	While associating FMC with TG account, FMC should not redirect users to TG console
CSCvn99712	Cisco Firepower Management Center Persistent Cross-Site Scripting Vulnerability
CSCvo02097	Upgrading ASA cluster to 9.10.1.7 cause traceback
CSCvo12057	DHCPRelay does not consume DHCP Offer packet with Unicast flag
CSCvo15545	nfm-burnin.sh system validation test fails for latest NFM release
CSCvo17775	EIGRP breaks when new sub-interface is added and "mac-address auto" is enabled
CSCvo20847	Active FTP fails through Cluster due to xlate allocation corruption upon sync
CSCvo23150	excessive DB queries for user identities causes slowness in user session processing.
CSCvo27164	SFDataCorrelator logs inappropriate "Resuming storage of old events" messages
CSCvo29973	ssl rules with cipher suite conditions can cause unneeded tls 1.3 downgrade
CSCvo31353	SSL connections may fail when URL categories are used and certificate common name doesn't match
CSCvo31953	Memory leak in SFDataCorelator process
CSCvo32329	Deleted realm is causing many user_id's loaded into user_identities cache
CSCvo38051	segfault in ctm_ipsec_pfkey_parse_msg at ctm_ipsec_pfkey.c:602
CSCvo39052	FSIC error after enable the CC mode
CSCvo39094	Delay/Longer processing time to insert policy deploy task after selecting the device for deploy
CSCvo40210	Update Talos RSS feed in dashboard widget
CSCvo43693	FTD HA creation fails due to multiple files modules.tgz and vdb.tgz being transferred from FMC
CSCvo44064	aggressive downgrade action is taken when url look up is pending due to no sni
CSCvo47562	VPN sessions failing due to PKI handles not freed during rekeys
CSCvo50230	SSL Connections to uncategorized URLs may fail repeatedly
CSCvo54799	ssh to device fails due to corrupted devpts entry in fstab
CSCvo55203	Registered devices do not appear in the Device Management page
CSCvo55282	Policy deploy fails when user is able to enter invalid inline port range in AC Rule accidentally
CSCvo56675	ASA or FTD traceback and reload due to failover state change or xlates cleared
CSCvo56895	Some donut charts on the Context Explorer failing to load
CSCvo61091	eStreamer memory and CPU grow when sending NAP policy metadata
CSCvo62031	ASA Traceback and reload while running IKE Debug
CSCvo63240	Smart Tunnel bookmarks don't work after upgrade giving certificate error
CSCvo66920	Enhancement: add counter for Duplicate remote proxy
CSCvo67454	Invalid port range object causes AC policy deploy to fail
CSCvo72462	Do not decrypt rule causes traffic interruptions.

Resolved Bugs in Version 6.2.3.11

Table last updated: 2019-03-13

Table 10. Resolved Bugs in Version 6.2.3.11
Bug ID	Headline
CSCuz28594	Diskmanager - critical alert on /var/storage due to disk manager not pruning till 99%
CSCvi54162	"ha-replace" action not working when peer not present
CSCvi55841	errors saving blacklist config file are not detected
CSCvi62112	Blocking BPDU via FlexConfig on FTD Transparent causes deployment and registration issues
CSCvk06386	FTD Files are Allowed Through Multiple Pre-existing Connections Despite the File Policy Verdict
CSCvm14875	Large number of stale cloudconfig EO causing performance issues
CSCvm58799	During deploy, if multiple Snorts are not responding, recovery takes too long
CSCvm60039	Custom DNS security intelligence feed fail to download intermittently
CSCvm96339	/dev/root partition will fill to 100% due to archive_cache_seed.sensor file
CSCvn10634	Files are not detected in HTTP flows when there's an Out of Order (ACK before actual data)
CSCvn16102	Diskmanager file capture data not increasing for hours at a time
CSCvn17347	Traceback and reload when displaying CPU profiling results
CSCvn38082	FMC should identify and recover from mongo corruption
CSCvn41903	Snort reload fails and causes restart due to dce2-mem-reloader memory adjustments taking too long
CSCvn47788	UI validation fails on a valid hostname IP for Audit Log Host in Firepower platform setting policy
CSCvn48739	FTD show tech taken from CLISH mode and in troubleshoot may be truncated
CSCvn53145	Policy deploy throws "Variable set has invalid execulded values"
CSCvn69019	usernames with single quotes are not written into user_ip_map file
CSCvn72683	FMC webGUI device management page loading time is too long around 45s with 25s fetching license
CSCvn73848	Snort sessions are timing out earlier than configured idle timeouts.
CSCvo00887	ssl client hello should not be modified if "Do Not Decrypt" rule will be the only possible verdict
CSCvo03186	Domain page in Firepower Management Center takes long time to load
CSCvo03808	Deploy from FMC fails due to OOM with no indication of why
CSCvo11077	Memory leak found in IPsec when we establish and terminate a new IKEv1 tunnel.
CSCvo39052	FSIC error after enable the CC mode

Resolved Bugs in Version 6.2.3.10

Table last updated: 2019-02-07

Table 11. Resolved Bugs in Version 6.2.3.10
Bug ID	Headline
CSCuu67159	ASA: traceback in DATAPATH-2-1157
CSCva62256	Appliance status widget taking too long with 500 sensors
CSCvf81672	ASA Routes flushed after failover when etherchannel fails
CSCvg40735	GTP inspection may spike cpu usage
CSCvg56122	SSL handshake fails with large certificate chain size
CSCvi09811	Traceback in DATAPATH, assertion "0" failed: file "./snp_cluster_transport.h", line 480
CSCvi28763	FTD Platform Settings: change default DH-group in SSL custom settings to 2
CSCvi34533	Cannot save modification in Access List if there's no SNMPv3 user defined
CSCvi71622	Traceback in DATAPATH on standby FTD
CSCvi97028	fmc GUI too slow when configuring unreachable syslog server
CSCvj01704	ASA is getting traceback with reboot only on ASA 5585-X after shutdown SFR module
CSCvj65154	FMC failing to communicate with SSM when proxy password contains @ character
CSCvj74643	Enabling Use CAC authentication and authorization on AD breaks RADIUS when changed.
CSCvj87287	simultaneous flood of REST-API requests to FMC results in inaccessibility
CSCvj89445	Inconsistent deployment status on GUI
CSCvj97229	'User Name Template' should be required filed for external authentication object for CAC in FMC
CSCvk18330	Active FTP Data transfers fail with FTP inspection and NAT
CSCvk19946	Sftunnel service broken due to cache archive data flooding
CSCvk39339	Unable to run the scheduling report generation on Japanese FMC
CSCvk40964	Deployment of empty interface config to device lead to traffic outage
CSCvk46038	ERROR: The entitlement is already acquired while the configuration is cached.
CSCvk50815	GTP inspection should not process TCP packets
CSCvk55634	Random policy deployment failure due to stuck notification for policy deployment
CSCvm24706	GTP delete bearer request is being dropped
CSCvm28730	ASA/FTD-LINA Tracebacks observed while getting CPU Profiling information
CSCvm33553	Clock drift causes Heartbeat misses from ndclientd
CSCvm46014	Copy config should not fail if standby device is corrupted on FTD HA
CSCvm55091	HA failed primary unit shows active while "No Switchover" status on FP platforms
CSCvm59983	The file-size directive returns invalid input error and breaks the captures from clish
CSCvm67273	ASA: Memory leak due to PC alloc_fo_ipsec_info_buffer_ver_1+136
CSCvm87315	FTD registration can fail because of TID in RegistrationTR::addToLamplighter
CSCvm88004	SSH Service on ASA echoes back each typed/pasted character in its own packet
CSCvn05797	Cisco Firepower Management Center Cross-Site Scripting Vulnerability
CSCvn06618	On LINA config rollback the startup-config is being merged with the default running
CSCvn09322	FTD device rebooted after taking Active State for less than 5 minutes
CSCvn09367	Prevent administrators from installing CXSC module on ASA 5500-X
CSCvn15757	ASA may traceback due to SCTP traffic inspection without NULL check
CSCvn16489	AMP Dynamic Analysis's clouds should be tracked separately for submission rates.
CSCvn19823	ASA : Failed SSL connection not getting deleted and depleting DMA memory
CSCvn20411	Device management page never loads and times out after an error message
CSCvn21899	Firepower: Disable TLS 1.0 permanently for SFTunnel communication
CSCvn23224	FTD-HA forming failed with SNMP configured
CSCvn23254	SNMPv2 pulls empty ifHCInOctets value if Nameif is configured on the interface
CSCvn23701	Deployment failed with - ftp_telnet.conf(4) => Invalid keyword 'memcap' for 'global' configuration.
CSCvn24756	Security intelligence feature can falsely block IP addresses ( URL block )
CSCvn30118	mysql-server.err file is not fully deleted and keeps consuming Firepower disk space
CSCvn32657	ASA traceback when removing interface configuration used in call-home
CSCvn33943	Standby node traceback in wccp_int_statechange() with HA configuration sync
CSCvn36393	exclude tls1.0 and tls1.1 in stunnel config file
CSCvn37829	ASA should allow GCM(SSL) connections to use DMA_ALT1 when primary DMA pool is exhausted
CSCvn38010	Let remove_peers.pl scripts bailout when it is run in FTD HA setup
CSCvn43798	Deleting a domain fails to delete some objects if a Realm is in that domain
CSCvn44201	ASA discards OSPF hello packets with LLS TLVs sent from a neighbor running on IOS XE 16.5.1 or later
CSCvn46474	FP2120 FTD went unresponsive after power outage
CSCvn47599	RA VPN + SAML authentication causes 2 authorization requests against the RADIUS server
CSCvn47800	ASA stops authenticating new AnyConnect connections due to fiber exhaustion
CSCvn48790	Slave node kicked out of cluster if SI task running during policy apply
CSCvn49561	update FireAMP curl calls to use CA path
CSCvn53732	Modified SSL connections that are not decrypted should be closed
CSCvn54347	Entitlement release error in Failover switchover or disband on fp2100/1000 KP/WM
CSCvn56095	selective acking not happening with SSL crypto hardware offload
CSCvn61662	ASA 5500-X may reload without crashinfo written due to CXSC module continuously reloading
CSCvn62787	To support multiple retry on devcmd failure to CRUZ during flow table configuration update.
CSCvn63549	Python pop3lib apop() Method Denial of Service Vulnerability
CSCvn64418	ISA3000 interop issue with Nokia 7705 router
CSCvn65575	Snort termination can occur when active authentication is enabled and an SSL policy is not enabled
CSCvn68145	Snort Unexpectedly Exiting when using SSL decryption
CSCvn69213	ASA traceback and reload due to multiple threads waiting for the same lock - watchdog
CSCvn76763	Two versions of messages-X-SNAPSHOT.jar in FTD causes deployment failure
CSCvn77636	ASA/webvpn: FF and Chrome: Bookmark is not rendered with Grammar Based Parser
CSCvn93499	Snort/Data Correlator can crash while exiting on Firepower 4100/9300 devices.

Resolved Bugs in Version 6.2.3.9

Note

Version 6.2.3.9 replaces Version 6.2.3.8, which was removed from the Cisco Support & Download site on 2019-01-07. The issues listed in Resolved Bugs in Version 6.2.3.8 are also fixed in Version 6.2.3.9.

Table last updated: 2019-01-10

Table 12. Resolved Bugs in Version 6.2.3.9
Bug ID	Headline
CSCvn82378	Traffic through ASA/FTD might stop passing upon upgrading FMC to 6.2.3.8-51

Resolved Bugs in Version 6.2.3.8

Note

Version 6.2.3.8 was removed from the Cisco Support & Download site on 2019-01-07. This version is replaced by Version 6.2.3.9. The issues listed here are also fixed in Version 6.2.3.9.

Table last updated: 2019-01-02

Table 13. Resolved Bugs in Version 6.2.3.8
Bug ID	Headline
CSCuy90400	Enhancement to support extended master secret in SSL
CSCvd03903	Firepower is affected by TCP Dump Vulnerability
CSCvd12834	FP Audit Logs do not log passed and failed SSH authentication attempts
CSCve29930	Cannot configure LOM on secondary FMC from HA pair
CSCvf20266	Firepower Management Center System Configuration Email Notification Password Length Too Short
CSCvf57596	After policy deploy has failed, ActionQueueScrape process did not exit
CSCvg10718	Correlation Policy With Traffic Profiles Doesn't Work
CSCvg36254	FTD Diagnostic Interface does Proxy ARP for br1 management subnet
CSCvh13022	SSL decryption is bypassed when client hello payload is < 6 bytes
CSCvh14743	IKEv2 MOBIKE session with Strongswan/3rd party client fails due to DPD with NAT detection payload.
CSCvi82404	Updating device can fail in 800_post/755_reapply_sensor_policy.pl
CSCvj67258	Change 2-tuple and 4-tuple hash table to lockless
CSCvj97213	ASA IKEv2 capture type isakmp is saving corrupted packets or is missing packets
CSCvk20292	FMC in HA mode, Health Policy is missing from Standby FMC when Active FMC failed
CSCvk30775	ENH: Addition of 'show fragment' to 'show tech' output
CSCvk30779	ENH: Addition of 'show ipv6 interface' to 'show tech' output
CSCvk30783	ENH: Addition of 'show aaa-server' to 'show tech' output
CSCvk33923	High disk usage after deleting managed FTD device from FMC
CSCvk51181	FTD IPV6 traffic outage after interface edit and deployment part 1/2
CSCvk62871	Firepower 2100 FTP Client in passive mode is not able to establish data channel with the Server
CSCvk72192	"Free memory" in "show memory" output is wrong as it includes memory utilisation due to overhead
CSCvm10968	CVE-2018-5391 Remote denial of service via improper IP fragment handling
CSCvm43975	Cisco ASA and FTD Denial of Service or High CPU due to SIP inspection Vulnerability
CSCvm47713	SSL policy disallows viewing of PDF on *.lightning.force.com when Chrome browser is used
CSCvm49283	Make Object Group Search Threshold disabled by default, and configurable. Causes outages.
CSCvm53531	Cisco Adaptive Security Appliance Software Privilege Escalation Vulnerability
CSCvm56371	ASA wrongly removes dACL for all Anyconnect clients which has the same dACL attached
CSCvm56719	Traceback high availability standby unit Thread Name: vpnfol_thread_msg
CSCvm60361	SSH public key auth not working on FTD on 5500
CSCvm62708	SSL connections negotiating NPN can fail with Do Not Decrypt SSL policy
CSCvm64230	verify_firmwareRunning() return code not checked
CSCvm65725	ASA kerberos auth fails switch to TCP if server has response too big (ERR_RESPONSE_TOO_BIG)
CSCvm67704	Memory Leak when handling KRB_ERR_RESPONSE_TOO_BIG (leak in krb5_extract_ticket )
CSCvm76760	FMC - External RADIUS authentication - Text in the "Shell Access Filter" field is not validated
CSCvm78449	Unable to modify access control license entry with log default command
CSCvm80933	ssl policy can match incorrect rule when server uses a cert with wildcard common name
CSCvm81052	local malware detection updates not downloading to FMC due to invalid certificate chain
CSCvm82966	Linux Kernel 3.10.107 Vulnerabilities
CSCvm91280	Intrusion Events Report Date, Hour Of Day, Day Of Week comes in UTC and Time comes in local timezone
CSCvm95669	ASA 5506 %Error copying http://x.x.x.x/asasfr-5500x-boot-6.2.3-4.img(No space left on device)
CSCvn03507	"set ip next-hop verify-availability" is removed from route-maps configuration with next deployment
CSCvn03966	FTD - When "object-group-search" is pushed through flexconfig, all ACLs get deleted causing outage.
CSCvn08146	Missing audit detail for changes to x509 certificates and keys
CSCvn09640	FTD: Need ability to trust ethertype ACLs from the parser. Need to allow BPDU to pass through
CSCvn09808	Captive portal bltd process fails on startup due to socket permission error
CSCvn11219	Policy deployment failed with error message "Not a directory"
CSCvn31753	ssl inspection policy may cause SEC_ERROR_REUSED_ISSUER_AND_SERIAL browser error

Resolved Bugs in Version 6.2.3.7

Table last updated: 2018-11-15

Table 14. Resolved Bugs in Version 6.2.3.7
Bug ID	Headline
CSCve34221	Internal server error seen on the UI when we enable CC mode
CSCvf54682	sudo : CVE-2017-1000368 : Sudo Parsed tty Information Privilege Escalation Vulnerability
CSCvh14743	IKEv2 MOBIKE session with Strongswan/3rd party client fails due to DPD with NAT detection payload.
CSCvi97500	AMP Cloud event on Firepower Management Center are seen with different file types
CSCvj14631	Appliance Information Widget shows IPv4 Address disabled if mgmt interface is not eth0
CSCvj58342	Multicast dropped after deleting a security context
CSCvj65064	Firepower 2100: Port-Channel down notification delayed
CSCvj67258	Change 2-tuple and 4-tuple hash table to lockless
CSCvj76858	Policy deployment take long time ~4 hours
CSCvj91795	SSL default policy action is taken when URL category lookup is pending
CSCvj97213	ASA IKEv2 capture type isakmp is saving corrupted packets or is missing packets
CSCvj98662	linux hotfix layer directory reorganisation
CSCvk18330	Active FTP Data transfers fail with FTP inspection and NAT
CSCvk30779	ENH: Addition of show ipv6 interface to show tech output
CSCvk31035	KVM (FTD): Mapping web server through outside not working consistent with other platforms
CSCvk33023	Policy deployment failure on Firepower module in cluster or failover
CSCvk48389	[Error: Timed out communicating with DME] when attempting to upgrade
CSCvk56513	Tor not blocked when traffic is passed through proxy.
CSCvk59260	On slower networks deployement may fail with Resource temporarily unavailable exception
CSCvk66529	FTD on FPR 9300 corrupts TCP headers with pre-filter enabled
CSCvk66771	The CPU profiler stops running without having hit the threshold and without collecting any samples.
CSCvk72192	show memory output shows wrong memory
CSCvk76146	Few devices /ngfw partition on 41xx shows 39GB whereas other shows 100 GB
CSCvm03931	software update downloads by Firepower failing due to newer CA certificates not being present
CSCvm04237	BusyBox huft_build Function Denial of Service Vulnerability
CSCvm05464	CVE-2018-5391 Remote denial of service via improper IP fragment handling
CSCvm08500	ASA cmd validation fails when deletion of NAT rule description includes Czech/Slovak characters
CSCvm09040	Resumption attempts for sessions using tickets and known-key action use full handshake
CSCvm19948	ssl connections without SNI could hit incorrect ssl rule
CSCvm32256	Slave unit fails to join FTD cluster when it is in disabled state
CSCvm32613	Format of syslog messages have changed after an update FMC 6.2.3.3 to 6.2.3.4
CSCvm43975	Cisco ASA and FTD Denial of Service or High CPU due to SIP inspection Vulnerability
CSCvm47595	FMC displays connections matching incorrect access control policy when not using SSL Policy
CSCvm49283	Make Object Group Search Threshold disabled by default, and configurable. Causes outages.
CSCvm51395	access control policy deploy fails in fwrulechecker due to memory limit
CSCvm56371	ASA wrongly removes dACL for all Anyconnect clients which has the same dACL attached
CSCvm56719	Traceback high availability standby unit Thread Name: vpnfol_thread_msg
CSCvm56851	eStreamer repeatedly exits after error deserializing File event or FireAMP event
CSCvm58672	Unable to deploy SSL policy while SSL Hardware offload feature is enabled
CSCvm60468	Linux Kernel yurex_read Privilege Escalation Vulnerability
CSCvm60548	Security Intelligence synchronization tasks fail
CSCvm60791	Linux Kernel alarm_timer_nsleep() Function Integer Overflow Vulnerab ...
CSCvm64255	SFNotificationd fails to stop
CSCvm65725	ASA kerberos auth fails switch to TCP if server has response too big (ERR_RESPONSE_TOO_BIG)
CSCvm67184	Audit Syslog messages are sent without User information
CSCvm67316	ASA: Add additional IKEv2/IPSec debugging for CSCvm70848
CSCvm67704	Memory Leak when handling KRB_ERR_RESPONSE_TOO_BIG (leak in krb5_extract_ticket )
CSCvm68467	Event alerting process CPU usage delays deployment on busy Firepower 2100
CSCvm71378	Policy Deployment failing due to NAT Rule
CSCvm78449	Unable to modify access control license entry with log default command
CSCvm80874	ASAv/FP2100 Smart Licensing - Unable to register/renew license
CSCvm82492	Snort process taking a long time to exit impacting traffic.
CSCvm82930	FTD: SSH to ASA Data interface fails if overlapping NAT statement is configured
CSCvm96634	Final stage of policy deployment is audit-logged under admin instead of current user
CSCvm96916	FMC is randomly sending strong-encryption-disable to ASA

Resolved Bugs in Version 6.2.3.6

Table last updated: 2018-10-10

Table 15. Resolved Bugs in Version 6.2.3.6
Bug ID	Headline
CSCux69220	WebVPN 'enable intf' with DHCP , CLI missing when ASA boot
CSCve95403	ASA boot loop caused by logs sent after FIPS boot test
CSCvf85831	asdm displays error uploading image
CSCvh16414	Health Monitoring can incorrectly show CPU on FTD as 100% or 150%
CSCvh69117	SFDataCorrelator log spam "Received an unknown event type"
CSCvh98781	ASA/FTD Deployment ERROR 'Management interface is not allowed as Data is in use by this instance'
CSCvi13054	scheduled rule recommendations update fails with "Attempted to store stale object"
CSCvi48170	ASA 9.4.4.8, SNMP causing slow memory leak
CSCvi71761	FTD cli prompt is stuck on Firepower 9300
CSCvi77340	race condition results in user id REST API not functioning
CSCvi90633	Edit GUI language on ASDM AC downloads but ignores the change FPR-21XX
CSCvi98909	RTP packets not matching the rule in AC policy
CSCvj42269	ASA 9.8.2 Receiving syslog 321006 reporting System Memory as 101%
CSCvj44032	snort premature connection closure during TCP 4-way teardown
CSCvj47256	ASA SIP and Skinny sessions drop, when two subsequent failovers take place
CSCvj67776	clear crypto ipsec ikev2 commands not replicated to standby
CSCvj72309	FTD does not send Marker for End-of-RIB after a BGP Graceful Restart
CSCvk04592	Flows get stuck in lina conn table in half-closed state
CSCvk12076	AnyConnect client profile doesn't show under group-policy not assigned under a connection profile.
CSCvk14768	ASA traceback with Thread Name: DATAPATH-1-2325
CSCvk23483	Elastic timeout not taking effect and enforcing 600 sec timeout
CSCvk24297	IKEv2 RA with EAP fails due to Windows 10 version 1803 IKEv2 fragmentation feature enabled.
CSCvk34648	Firepower 2100 tunnel flap at data rekey with high throughput Lan-to-Lan VPN traffic
CSCvk36087	When logging into the ASA via ASDM, syslog 611101 shows IP as 0.0.0.0 as remote IP
CSCvk36733	mac address is flapping on huasan switch when asa etherchannel is configued with active mode
CSCvk38176	Traceback and reload due to GTP inspection and Failover
CSCvk42473	QoS rule evaluation does not re-evaluate flows when applications change
CSCvk43865	Traceback: ASA 9.8.2.28 while doing mutex lock
CSCvk52667	FDM - Deployment is failing after latest SRU update in 6.2.3-83 build.
CSCvk62896	ASA IKEv2 crash while deleting SAs
CSCvk66722	Configuring DHCP option 'false' causes DHCP configuration to be not visible from GUI
CSCvk67239	ASA traceback and reload in "Thread Name: Logger Page fault: Address not mapped"
CSCvk68772	FMC UI not accessible if you enable client certificate and then upgrade
CSCvk68809	No soft link for ca-cert.pem file if you upgrade FMC from 5.4.0
CSCvk70676	Clientless webvpn fails when ASA sends HTTP as a message-body
CSCvk72652	FMC does not deploy 'crypto ikev1 am-disable' when aggressive mode is to be disabled
CSCvk74461	LDAP groups download but are not available in GUI
CSCvk76160	Unable to restore on KP 6.2.2.2 using FDM
CSCvk76547	IPS rule with flow established not blocking when retransmitted TCP handshake packets
CSCvm01396	Firepower block page not displayed on browser with proxy settings
CSCvm05821	Sensitive Data Detection being enabled automatically during SRU update
CSCvm07458	Using EEM to track VPN connection events may cause traceback and reload
CSCvm07643	FTD 6.2-Intrusion Events not displaying src and dst port
CSCvm09624	Protocol not updated based on AppID when enforcing IPS rules
CSCvm11389	Small percentage of ECDHE connections fail
CSCvm11714	EIGRP authentication key issue when using special character "&"
CSCvm15880	FPR 9k ASA cluster multicon mode/vpn-mode distribute causes a reboot-loop if transparent mode conf
CSCvm19585	Smart License getting deregistered after upgrade to 6.2.3.5.
CSCvm23370	ASA: Memory leak due to PC cssls_get_crypto_ctxt
CSCvm25972	ASA Traceback: Thread Name NIC Status Poll.
CSCvm26004	Incorrect calculation of AAB in ASA causes random AAB invocations.
CSCvm29973	False positive for DNS SI events!
CSCvm44905	ssl inspection may continue processing a flow without flow information
CSCvm56019	Cisco Adaptive Security Appliance WebVPN - VPN not connecting through Browser

Resolved Bugs in Version 6.2.3.5

Table last updated: 2018-09-12

Table 16. Resolved Bugs in Version 6.2.3.5
Bug ID	Headline
CSCvb19750	Cisco Firepower Management Center Cross-Site Request Forgery Vulnerability
CSCve39071	Option to disable attempts to connect to the ThreatGRID cloud
CSCve85565	Traceback when syslog sent over VPN tunnel
CSCvg33300	Unable to modify Integer Host Attributes after creating them
CSCvg51412	Unable to establish a estreamer sftunnel between managed device and estreamer client
CSCvg54724	Firepower Dynamic Analysis Association Only Redirects to US address
CSCvg75144	All apps matching the filter deletes all objects
CSCvg91631	URL Reputation shows high risk or Unknown in Encore
CSCvg94363	Prefix List "le 32" does not work on Firepower Threat Defense
CSCvh21219	"set ip next-hop verify-availability" is removed from PBR configuration with next deployment
CSCvh89017	Configure user add command does not accept numeric user
CSCvi01312	webvpn: multiple rendering issues on Confluence and Jira applications
CSCvi31540	Traceback and reload with 'show tech' on ASA with No Payload Encryption (NPE)
CSCvi34164	ASA does not send 104001 and 104002 messages to TCP/UDP syslog
CSCvi37644	PKI:- ASA fails to process CRL's with error "Add CA req to pool failed. Pool full."
CSCvi45989	Query Cisco CSI for Unknown URLs option being reset by ASA managed by ASDM (Regression)
CSCvi51370	race condition can result in syslog alerts without rule messages
CSCvi53708	ASA NAT position discrepancy between CLI and REST-API causing REST to delete wrong config
CSCvi69343	ids_event_processor leaks memory when resetting communications
CSCvi69356	SFDataCorrelator reports "Invalid column value name" error-eStreamer does not work on managed device
CSCvi76808	File detection failing for encrypted SMTP TLS with Decrypt - Known Key SSL rule action
CSCvi79691	LDAP over SSL crypto engine error
CSCvi79999	256 Byte block leak observed due to ARP traffic when using VTI
CSCvi85382	ASA5515 Low DMA memory when ASA-IC-6GE-SFP-A module is installed
CSCvi93500	snort's handling of x-forward-for-like headers is incorrect when there are multiple proxies
CSCvi94239	IDSEventAlerter log spam "Unable to get SSL certificate fingerprint"
CSCvi96442	Slave unit drops UDP/500 and IPSec packets for S2S instead of redirecting to Master
CSCvi97894	Several hardware rules are truncated when running capture traffic.
CSCvi98424	IDSEventAlerter and IDSEventProcessor stop working and spam logs after file read error
CSCvi99743	Standby traceback in Thread "Logger" after executing "failover active" with telnet access
CSCvj07038	Firepower devices need to trust Threat Grid certificate
CSCvj11442	Firepower Threat Defense: BGP order of deployment operation of neighbor causes failure
CSCvj19835	Decrypted connections using ECDHE-RSA-RC4-SHA cipher fail in the application data phase
CSCvj38002	SNMPv3 user engineID mismatch with Active engineID causes 'user not found' error on SNMP request
CSCvj44517	List of trusted CAs in SSL policy duplicates
CSCvj49452	sftunnel using weak SSL/TLS versions and ciphers
CSCvj54840	create/delete context stress test causes traceback in nameif_install_arp_punt_service
CSCvj65581	Excessive logging from ftdrpcd process on 2100 series appliances
CSCvj67504	Deploy of policy fails when adding users/groups to the ssl policy
CSCvj67740	Static IPv6 route prefix will be removed from the ASA configuration
CSCvj75793	2100/4100/9300: stopping/pausing capture from Management Center doesn't lower the CPU usage
CSCvj85516	Packet capture fails for interface named "management" on Firepower Threat Defense
CSCvj88514	IP Local pools configured with the same name.
CSCvj91449	ASA traceback when logging host command is enable for IPv6 after each reboot
CSCvj92040	TLS client offers some ciphersuites in CC mode that are not allowed by CC
CSCvj95451	webvpn-l7-rewriter: Bookmark logout fails on IE
CSCvj96173	After upgrading to 6.2.3, FMC still generates sha1 certificate for eStreamer clients
CSCvj97326	Unable to create SSL policy on Firepower Services
CSCvj98964	ASA may traceback due to SCTP traffic
CSCvk01577	Pigtail from CLISH mode in FTD 6.2.3 not allowed
CSCvk01981	users shows up as unknown after user purge
CSCvk06249	SFDataCorrelator alerting can cause deadlock restart when si_uuid not in firewall_rule_cache
CSCvk06336	FMC displays connections matching incorrect access control policy rules packet count is zero
CSCvk06368	Evaluation of FMC kernel vulnerabilities
CSCvk08377	ASA 5525 running 9.8.2.20 memory exhaustion.
CSCvk10252	SI Category may be incorrect for alerts or eStreamer; also performance and memory problems
CSCvk11898	GTP soft traceback seen while processing v2 handoff
CSCvk14910	SFDataCorrelator keeps exiting when processing FireAMP event without agent uuid
CSCvk16568	AppID stop processing traffic if Application ID has been detected
CSCvk17382	Snort exiting unexpectedly while processing rule evaluation.
CSCvk18378	ASA Traceback and reload when executing show process (rip: inet_ntop6)
CSCvk18578	Enabling compression necessary to load ASA SSLVPN login page customization
CSCvk18846	Firepower Management Center WebUI performance degraded due to sfdccsm logging level.
CSCvk19435	Unwanted IE present error when parsing GTP APN Restriction
CSCvk26887	Certificate import from Local CA fails due to invalid Content-Encoding
CSCvk27686	ASA may traceback and reload when acessing qos metrics via ASDM/Telnet/SSH
CSCvk28023	WebVPN: Grammar Based Parser fails to handle META tags
CSCvk30212	FMC negates BGPv6 commands and generates again if neighbor IPv6 address contains leading 0 in group
CSCvk30665	ASA "snmp-server enable traps memory-threshold" hogs CPU resulting in "no buffer" drops
CSCvk33947	Sensitive Data Threshold Configuration is incorrect
CSCvk35323	With Objects having override configured, copy config was not happening
CSCvk35761	Sensitive Data is not working as expected when processing multiple patterns in a single session.
CSCvk37890	Firepower 2110, Webvpn conditional debugging causes Threat Defense to traceback
CSCvk40332	UDP traffic without zone information will match incorrect AC rule
CSCvk49527	Add application level timeout for switchprimarynode API call
CSCvk50364	NGIPSV "system support capture-traffic" not working for inline-sets
CSCvk50732	AnyConnect 4.6 Web-deploy fails on MAC using Safari 11.1.x browsers
CSCvk52305	Snort process terminated with segfault in daq
CSCvk54078	Firepower Threat Defense high availability Creation with VPN configuration fails
CSCvk54491	Race condition processing Reputation causes Snort process to exit.
CSCvk54779	Async queue issues with fragmented packets leading to block depletion 9344
CSCvk55355	User/group download fails is at least one user belongs to two groups with same common name
CSCvk57516	Firepower Threat Defense: Low DMA memory leading to VPN failures due to incorrect crypto maps
CSCvk58188	Snort configuration validation failed due to Value specified for max_sessions is out of bounds
CSCvk66012	Policy deployment fails if a member of a cluster is shutdown/Disabled on the FMC
CSCvk71511	SFDataCorrelator event backlog grows when event storage is large and device count is high
CSCvk72602	Incorrect TCP checksum causes snort retries
CSCvk73990	Change Reconciliation report: simplify the rule deletion event
CSCvm01497	Scheduled reports not stored in correct domain when using another domain's report template
CSCvm06114	RDP bookmark plugin won't launch
CSCvm16686	Threat Defense interfaces goes down during high availability creation using redundant interface

Resolved Bugs in Version 6.2.3.4

Table last updated: 2018-08-13

Table 17. Resolved Bugs in Version 6.2.3.4
Bug ID	Headline
CSCuy01269	If last entry in rna_client_app_map is a dupe, SFDataCorrelator fails
CSCvd28906	ASA traceback at first boot in 5506 due to unable to allocate enough LCMB memory
CSCvd92210	IPV6 addresses not accepted in syslog
CSCvf61852	Threat Intelligence Director (TID) startup causes delay and stalls Tomcat startup
CSCvg28901	Unable to install certificate message when importing certificate to the Firepower Management Center
CSCvg96103	Including a very large HTML page for the Block response causes all Decrypted sites to fail to load.
CSCvh25088	MySQL table secondary_login grows unbounded forever
CSCvh91483	CloudAgent restarts once every minute when URL filtering license is expired or deleted
CSCvi03103	BGP ASN cause policy deployment failures.
CSCvi30280	UserIdentity [ERROR] Error while handling UserLoginInfo message: [1] Invalid Argument
CSCvi34210	Snort match the same connection for U-Turned traffic for different BVI in Transparent Threat Defense
CSCvi44713	show memory binsize and show memory top-usage do not show correct information, all show PC 0x0
CSCvi45807	ASA: dns expire-entry-timer configuration disappears after reboot
CSCvi59968	Firepower 2100 Incorrect reply for SNMP get request 1.3.6.1.2.1.1.2.0
CSCvi65512	FTD: AAB might force a snort restart with relatively low load on the system
CSCvi97729	To-the-box traffic being routing out a data interface when failover is transitioning on a New Active
CSCvj15572	Flow-offload rewrite rules not updated when MAC address of interface changes
CSCvj25386	Missing default Identity realm EOs causing upgrade failure
CSCvj44531	Phantom SSL objects and empty deployments to sensors
CSCvj49502	Need client hello transmit info at lower debug level
CSCvj74210	Traceback at ssh when executing show service-policy inspect gtp pdp-context detail
CSCvj75655	External Database is unable to query Connection Events from the Firepower Management Center
CSCvj76748	Need to transition to cloud-sa.amp.sourcefire.com to cloud-sa.amp.cisco.com
CSCvj79729	(2 of 2) high memory usage of user_id/user_group broadcast in SFDataCorrelator(on sensor)
CSCvj91418	Snort uses large amounts of memory when appid is processing NetBIOS traffic.
CSCvj91965	Change Reconciliation reports in Firepower Management Center have certain fields blank
CSCvj93913	SSL Inspection TLS 1.3 downgrade needs to modify client/server random values to be RFC compliant
CSCvj94024	Firepower devices go into full recovery is busy is returned from network cards periodically
CSCvk02250	show memory binsize and show memory top-usage do not show correct information (Complete fix)
CSCvk06160	SFDC repeatedly exits while Initializing OS Vuln Map
CSCvk06176	SSEConnector is not coming up because of Wrong Executable
CSCvk06677	HTTPS sessions sometimes timeout without loading on HW SSL
CSCvk12841	SSL pages not loading when using Internet Explorer or Edge
CSCvk17163	force high availability break to 6.2.2 Firepower Threat Defense device, deployment fails with error
CSCvk17813	Policy deploy may fail with failed to retrieve device running configuration in pair environment
CSCvk19750	Import of .sfo file with large number of local rules taking more than 170+ hours
CSCvk21405	shell application not pin holing new connection from server
CSCvk25729	Large ACL taking long time to compile on boot causing outage
CSCvk27787	Management Center pair: Manage_procs.pl corrupting the cluster.conf file on the Managed Device
CSCvk30228	ASAv and FTDv deployment fails in Microsoft Azure and/or slow console response
CSCvk30778	Client hello digest for for layer 3 and 4 processed twice causing memory leak
CSCvk30865	SSL alert with TLS version other than differing from negotiated version report as corrupt record
CSCvk32718	Event processing slows during file malware attack involving many file events
CSCvk45443	ASA cluster: Traffic loop on CCL with NAT and high traffic
CSCvk59795	Remote access VPN using an OpenLDAP realm/server doesn't use the correct naming attribute

Resolved Bugs in Version 6.2.3.3

Table last updated: 2018-07-11

Table 18. Resolved Bugs in Version 6.2.3.3
Bug ID	Headline
CSCuz96856	New client hello flag for blocked session due to cache inconsistency
CSCvd13180	AVT : Missing Content-Security-Policy Header in ASA 9.5.2
CSCvd76939	ASA policy-map configuration is not replicated to cluster slave
CSCve17484	Intelligent Application Bypass drop percentage does not work on Firepower Threat Defense
CSCve53415	ASA traceback in DATAPATH thread while running captures
CSCvg42033	prune to cleanup unused data in eoattributes table at vms.db to reduce backup file size
CSCvg76652	Default DLY value of port-channel sub interface mismatch
CSCvg90365	icmp/telnet traffic fail by ipv6 address on transparent ASA
CSCvh53276	IPv6 protocol 112 packets passing through L2FW are dropping with Invalid IP length message
CSCvh55035	Firepower Threat Defense device unable to stablish ERSPAN with Nexus 9000
CSCvh55340	ASA Running config through REST-API Full Backup does not contain the specified context configuration
CSCvh71738	FQDN object are getting resolved after removing access-group configuration
CSCvh75060	Rest-API gives empty response for certain queries
CSCvh83849	DHCP Relay With Dual ISP and Backup IPSEC Tunnels Causes Flapping
CSCvh95960	Using the match keyword in capture command causes IPv6 traffic to be ignored in capture
CSCvi07974	Layer 2 traffic should not be hardcoded to be sent to Snort for inspection
CSCvi15830	wrong configurations on Threat Defense device when network group object is used on identity policy
CSCvi16024	SSL errors on session resume when server IP address changes
CSCvi19220	ASA fails to encrypt after performing IPv6 to IPv4 NAT translation
CSCvi36434	Cisco Firepower System Software SSL Denial of Service Vulnerability
CSCvi37374	SSL connections fail to complete when passing through a single inline set multiple times
CSCvi38151	ASA pair: IPv6 static/connected routes are not sync/replicated between Active/Standby pairs.
CSCvi42008	Stuck uauth entry rejects AnyConnect user connections
CSCvi51515	REST-API:500 Internal Server Error
CSCvi53420	User/Group Download fails when same user is part of multiple groups with comma (,) in common name
CSCvi58032	Management Center Internal Error creates an Auto-NAT rule which causes a policy deployment failure
CSCvi58183	Custom SI feed update in Firepower Management Center is not propagated to managed devices
CSCvi59000	SecGW - Data Loss during ASR
CSCvi59148	Sessions can remain active on managed device if they are from same IP address but different realms
CSCvi62671	users/groups download takes long time in 6.2.2.1 with high number of user/group mappings
CSCvi63968	Internal Error is preventing Policy Validation Cannot save access control policy.
CSCvi70606	ASA 9.6(4): WebVPN page not loading correctly
CSCvi73414	Unable to delete User Indication of Compromise if user info is inconsistent between mysql and sybase
CSCvi80928	HW Mode - SSL errors may occur when resumed sessions are not decrypted
CSCvi89194	pki handles: increase and fail to decrement
CSCvi97479	Snort restart while deploying access control policy changes
CSCvi97721	The memcap for Security Intelligence URL feeds needs to be increased for devices 4GB total memory
CSCvi98251	SMTP: Could not allocate SMTP mempool causing Policy Apply Failure and Snort Outage
CSCvj00918	(1 of 2) high memory usage of user_id/user_group broadcast in SFDataCorrelator(on sensor)
CSCvj06418	Custom SI DNS feed not synced to secondary Firepower Management Center
CSCvj09571	Firepower Management Center UI slow when managing large number of device with classic licenses
CSCvj10011	Management Center: IGMP gets enabled on interfaces which it has been configured but not enabled
CSCvj17609	synchronization failed (Cannot open file) entries in action queue when file is empty
CSCvj22491	Cluster: Enhance ifc monitor debounce-time for interface down->up scenario
CSCvj24036	Messaging on Firepower Management Center UI informing of ports required by RAVPN
CSCvj25386	Missing default Identity realm EOs causing upgrade failure
CSCvj25817	ASA responds to MOBIKE but clears SA due to DPD.
CSCvj26819	modifying ssl_debug settings requires a detection engine restart
CSCvj32264	ASA - zonelabs-integrity : Traceback and High CPU due to Process Integrity FW task
CSCvj33202	Cannot save Intrusion Policy with Firepower recommendations and shared policy layers
CSCvj37448	ASA : Device sends only ID certificate in SSL server certificate packet after reload
CSCvj37858	performance impact from action_queue queries
CSCvj37924	CWE-20: Improper Input Validation
CSCvj39858	Traceback: Thread Name: IPsec message handler
CSCvj40636	S2S VPN support for Firepower Threat Defense Cluster for the classic centralized VPN clustering
CSCvj42450	ASA traceback in Thread Name: DATAPATH-14-17303
CSCvj42680	Slowness due to frequent device registration queries on Firepower Management Center pair
CSCvj44262	portal-access-rule changing from deny to permit
CSCvj45594	SFDataCorrelator core when timing-out old host info on a slow Firepower Management Center
CSCvj46777	Firepower Threat Defense 2100 asa traceback for unknown reason
CSCvj48168	The show memory command returns low used memory numbers
CSCvj48340	ASA memory Leak - snp_svc_insert_dtls_session
CSCvj48931	Firepower recommendation updates task never runs
CSCvj49883	ASA traceback on Firepower Threat Defense 2130-ASA-K9
CSCvj50024	ASA portchannel lacp max-bundle 1 hot-sby port not coming up after link failure
CSCvj56008	Scansafe feature doesn't work at all for HTTPS traffic
CSCvj56909	ASA does not unrandomize the SLE and SRE values for SACK packet generated by ASA module
CSCvj56963	Management Center error about Only 8 equal cost routes are allowed when adding the fifth route
CSCvj61367	fast reuse of source port can break ssl inspection
CSCvj67132	Policy deploy failure due to bgp neighbor CLI in wrong order
CSCvj73581	Traceback in cli_xml_server Thread
CSCvj74210	Traceback at ssh when executing show service-policy inspect gtp pdp-context detail
CSCvj79765	Netflow configuration on Active ASA is replicated in upside down order on Standby unit
CSCvj81287	Firepower Threat Defense rejecting syslog server TLS-X509 certificate due to EKU invalid purpose
CSCvj83316	Snort process exits while clearing XFF data.
CSCvj91619	1550 Block Depletions leading to ASA reload.
CSCvj97157	WebPage is not loading due to client rewriter issue on JS files
CSCvk00579	Slowness in the device list getting populated under the Deploy tab
CSCvk06176	SSEConnector is not coming up because of Wrong Executable
CSCvk07522	webvpn: Bookmark fails to render on Firefox and Chrome. IE fine.

Resolved Bugs in Version 6.2.3.2

Table last updated: 2018-06-06

Table 19. Resolved Bugs in Version 6.2.3.2
Bug ID	Headline
CSCuv68725	ASA unable to remove ACE with log disable option
CSCvd13182	AVT : Missing X-Content-Type-Options in ASA 9.5.2
CSCvd44525	ASA show tech some commands twice, show running-config/ak47 detailed/startup-config errors
CSCve94917	Stale VPN Context issue seen in 9.1 code despite fix for CSCvb29688
CSCvf18160	ASA traceback on failover sync with WebVPN and shared storage-url config
CSCvf39539	Netflow Returns Large Values for Bytes Sent/Received and IP address switch
CSCvf40179	ERROR: Unable to create crypto map: limit reached, when adding entry
CSCvf82832	ASA : ICMPv6 syslog messages after upgrade to 962.
CSCvf96773	Standby ASA has high CPU usage due to extremely large PAT pool range
CSCvg05442	ASA traceback due to deadlock between DATAPATH and webvpn processes
CSCvg43389	ASA traceback due to 1550 block exhaustion.
CSCvg72879	9.9.1/SecGW: Firepower 4100 w/ subsecond failover may have 10-20% packet loss for few mins
CSCvh14743	IKEv2 MOBIKE session with Strongswan/3rd party client fails due to DPD with NAT detection payload.
CSCvh23531	ASA TLS client connection fails with software DHE
CSCvh30261	ASA watchdog traceback during context modification/configuration sync
CSCvh47057	ASA - ICMP flow drops with no-adjacency on interface configured in zone when inspection enabled
CSCvh65500	Firepower 2100 Client in FTP active mode is not able to establish control channel with the Server
CSCvh81142	Snort Core Generated while running 6.2.3
CSCvh83934	Memory usage of User-ID component of SNORT exceeds the reserved limit of 10M
CSCvh91053	ASA sending DHCP decline \| not assiging address to AC clients via DHCP
CSCvh91399	upgrade of ASA5500 series firewalls results in boot loop (not able to get past ROMMON)
CSCvh92381	ASA Traceback and goes to boot loop on 9.6.3.1
CSCvi01376	Upon reboot, non-default SSL commands are removed from the Firepower 4100
CSCvi07636	ASA: Traceback in Thread Name UserFromCert
CSCvi08450	CWS redirection on ASA doesn't treat SSL Client Hello retransmission properly in specific condition
CSCvi09305	Some SSL connections slow or fail under a Do-Not-Decrypt SSL policy action
CSCvi16264	ASA traceback and reload due to watchdog timeout when DATAPATH accesses compiling ACL structure
CSCvi19263	ASA 9.7.1.15 Traceback while releasing a vpn context spin lock
CSCvi22507	IKEv1 RRI : With Answer-only Reverse Route gets deleted during Phase 1 rekey
CSCvi23615	Sourcefire.agent_messages table becoming large preventing the agent messages from being consumed
CSCvi33962	WebVPN rewriter: drop down menu doesn't work in BMC Remedy
CSCvi35805	ASA Cut-Through Proxy allowing user to access website, but displaying authentication failed
CSCvi42965	ASA does not report accurate free memory under show memory output
CSCvi45567	Not able to do snmpwalk when snmpv1&2c host group configured.
CSCvi47847	Shell application not pin-holing for new tcp port for data transfer as expected
CSCvi48523	Not able to create SLA Monitor from static route page
CSCvi49383	Azure: ASAv running Cloud high availability gets in a watchdog crash loop
CSCvi55070	IKEv1 RRI : With Originate-only Reverse Route gets deleted during Phase 1 rekey
CSCvi57808	Continuously sfdatacorrelator process terminated unexpectedly
CSCvi58089	Memory leak on webvpn
CSCvi58865	SSL policy with URL category rules specifying decryption can cause browser errors
CSCvi63864	With SSL inspection in hardware mode and Malware protection, secure file transfers occasionally fail
CSCvi63888	SSL errors might occur when resumed sessions are not decrypted
CSCvi64007	Zeroize RSA key after Failover causes REST API to fail to changeto System context
CSCvi66905	PIM Auto-RP packets are dropped after cluster master switchover
CSCvi70680	Same groups from different AD not downloaded
CSCvi71039	Firepower Management Center: Change Reconciliation reports are failing intermittently
CSCvi76577	ASA:netsnmp:Snmpwalk is failed on some group of IPs of a host-group.
CSCvi77352	Illegal update occurs when device removes itself from the cluster
CSCvi82779	ASA generate traceback in DATAPATH thread
CSCvi84315	Unexpected failures on Firepower 2100 Series devices
CSCvi86799	ASA traceback during output of show service-policy with a high number of interfaces and qos
CSCvi87921	ASA self-signed RSA certificate is not allowed for TLS in FIPS mode
CSCvi95544	ASA not matching IPv6 traffic correctly in ACL with any keyword configured
CSCvj05140	Object description is not deployed with associated network object.
CSCvj07038	Firepower devices need to trust Threat Grid certificate
CSCvj07571	Error 500 when saving some correlation policy rules
CSCvj07843	eStreamer using 100% CPU, event processing slows when File/FireAMP events enabled
CSCvj22491	Cluster: Enhance ifc monitor debounce-time for interface down->up scenario
CSCvj26450	ASA PKI OCSP failing - CRYPTO_PKI: failed to decode OCSP response data.
CSCvj47633	Non-SSL traffic causing SSL inspection to fail
CSCvj56008	Scansafe feature doesn't work at all for HTTPS traffic
CSCvj63196	Workaround for Sybase issue: After snort engine update, policy deployment fail abruptly

Resolved Bugs in Version 6.2.3.1

Table last updated: 2018-05-02

Table 20. Resolved Bugs in Version 6.2.3.1
Bug ID	Headline
CSCvf97979	NAT policy deployment failed during generating delta config after changing security zone in rule.
CSCvg00565	ASA crashes in glib/g_slice when do debug menu self testing
CSCvg36672	Need a way to prioritize user driven deployment tasks in Action Queue
CSCvg65072	Cisco ASA sw, FTD sw, and AnyConnect Secure Mobility Client SAML Auth Session Fixation Vulnerability
CSCvg78418	Evaluation of FireSIGHT / FirePOWER for Apache/Struts related vulnerabilities
CSCvg84495	Remote access VPN using an OpenLDAP realm/server doesn't use the correct naming attribute
CSCvh05081	ASA does not unrandomize the SLE and SRE values for SACK packet generated by ASA module
CSCvh22181	Failures loading websites, such as mail sites, using TLS 1.3 with SSL inspection enabled
CSCvh25433	New CLI for Supporting Legacy method SAML Auth using external browser on Endpoint with AC
CSCvh46202	Slow 2048 byte block leak due to fragmented traffic over VPN
CSCvh53616	ASA on Firepower Threat Defense devices traceback due to SSL
CSCvh63903	Failover of IPv6 addresses on 8000 series pair devices may not succeed
CSCvh79732	Cisco Adaptive Security Appliance Denial of Service Vulnerability
CSCvh81474	Need to catch malformed JSON to allow rendering of Deploy button and notifications
CSCvh81737	Cisco Adaptive Security Appliance Denial of Service Vulnerability
CSCvh81870	Cisco Adaptive Security Appliance Denial of Service Vulnerability
CSCvh83012	SFDataCorrelator should not limit rate of duplicate flows
CSCvh99414	NFE failure causes Snort to constantly restart
CSCvi03546	User-IP mapping not updated on managed device due to error in updating current map
CSCvi18602	FSIC failed while downgrade ASA FirePOWER module (5585-x) from 6.2.2.2 to 6.2.2.1
CSCvi34137	With SSL decryption enabled and TCP Segmented HTTP requests, Snort does not capture URI correctly
CSCvi44365	After an upgrade the Firepower 4100 hostname is different than SFCLI hostname
CSCvi49752	sfipproxy may not be written correctly on a sensor when registered to a high availability pair
CSCvi55280	Deployment transcript does not indicate failed command if error is in last CLI of delta
CSCvi80849	Cisco Firepower 2100 Series POODLE TLS security scanner alerts

Resolved Bugs in Version 6.2.3

Table last updated: 2020-04-21

Table 21. Resolved Bugs in Version 6.2.3
Bug ID	Headline
CSCuw57184	Not keep URL entries in cache forever.
CSCuw73747	DST for Europe/Istanbul time zone is now on a different date
CSCux17501	SSL inspection blocks traffic with decryption errors for sites with 3072 bit key RSA certificates
CSCux42313	Cisco ASA module captive portal redirect gets stuck
CSCux61395	UserIDs get lost if an error occurs while streaming to the sensor
CSCuy10223	ASA Security Zone cannot be used in Active Authentication identity rules
CSCuy18154	ADISubscriber shuts down before session receive in SFDataCorrelator
CSCuy21943	Firepower Threat Defense / Unable to deploy after restoring a backup
CSCuy56306	SCP Expect during backup to remote server times out and fails
CSCuy57310	Cisco Adaptive Security Appliance Traffic Flow Confidentiality Denial of Service Vulnerability
CSCuz09515	Active/Passive authentication does not work with predefined objects
CSCuz85967	New added management interface does not have "management-only" configuration
CSCuz92983	Policy deployment fails with mode 10 Gbit Full-Duplex for lag interface
CSCva21702	Traffic capture BPF validation
CSCva34909	DNS blacklist has an 81 character limit
CSCva36446	ASA Stops Accepting Anyconnect Sessions/Terminates Connections Right After Successful SSL handshake
CSCva44278	Policy apply fails due to orphaned database objects
CSCvb13949	Readiness Check option should NOT be enabled for VDB updates
CSCvb28202	False warnings in DB Integrity Check for PlatformSettings object
CSCvc03899	Firepower Threat Defense managed by Management Center- High unmanaged disk usage on /ngfw
CSCvc37876	Policy deploy fails due to inconsistency in Primary Threat Defense device pair in the backend
CSCvc44535	Under rare circumstances captive portal is very slow and even unresponsive
CSCvc48180	Application categories and tags are missing in Version 6.1 or 6.2.1
CSCvc48768	Search Option does not work for network objects under NAP editor
CSCvc50598	Comparison reports for intrusion policy between two revisions is not working correctly
CSCvc55341	Intermittent error 500 when trying to review an event from the packet view
CSCvc56921	Altering logging settings like disabling syslog causes IPS and File policies to become disabled
CSCvc65909	ASDM:Importing access control policy leads to duplicate objects
CSCvc77913	Custom configuration for SFDataCorrelator should be checked on updates otherwise it may remain down
CSCvc84585	Firepower sensor will not ingest users from ISE using EAP chaining
CSCvc91092	Cisco FireSIGHT System Software Arbitrary Code Execution Vulnerability
CSCvc92934	When SSL decryption is enabled, URL constraints in access control policy are not applied correctly
CSCvd19749	Upgrade from 6.1.0 to 6.1.0.1 failed at 000_start/113_EO_integrity_check.pl
CSCvd28906	ASA traceback at first boot in 5506 due to unable to allocate enough LCMB memory
CSCvd29303	Disk status health monitoring should be disabled for virtual ASA 5500-X series
CSCvd32767	Unable to use objects inside IPS rules
CSCvd35049	Hard-coded query limit needed to prevent QueryEngine and Report Generation failures
CSCvd39729	Firepower Enterprise Objects Missing References Causes Multiple Problems
CSCvd51066	URL cloud lookup has URL category as Uncategorized
CSCvd59044	Access Control Policy does not match condition with URL SI lists for HTTPS traffic
CSCvd59268	possible to have data-interfaces + Firepower Management Center from cli_firstboot wizard
CSCvd61462	Partial match of DNS Queries if DNS Feed or DNS List contains single word entry
CSCvd72150	Deleted objects continue to show up as available to add to variable sets on the Management Center UI
CSCvd83845	SafeSearch-specific codes get hit even if SafeSearch rule is disabled in Firepower Management Center
CSCvd84471	Connections not blacklisted by Security Intelligence due to memory (memcap) issues
CSCvd91889	Unable to change logical name of interface and add sub-interface
CSCve00330	Document details on what synchronizes between Firepower Management Centers in High Availabilty
CSCve03600	SMTP traffic prematurely reaching SafeSearch engine rule.
CSCve11879	Ping traffic is dropped for 1 minute during high availability switchover
CSCve12096	Failure on deleting port object used in manual NAT rule
CSCve17433	Policy deployment failing on AWS Firepower Management Center
CSCve23827	Restore from backup fails when clock is behind on restore device
CSCve31929	Firepower Management Center does not show any network discovery data when using security zones
CSCve42340	URL Database Updates Use IP for Proxy Connection in HTTP Header
CSCve42379	SCALE : Avoid queueing Sync Sybase to MySQL task if similar PENDING task already there
CSCve42542	not allowed to choose Firepower Threat Defense as Secondary Peer during High Availability creation
CSCve45573	Internal error message while loading access control policy in Japanese environment
CSCve48087	Deploy policy tab failed to populate the device list from Firepower Management Center
CSCve49433	Threat Defence Platform Settings Policy does not check the NTP input value properly
CSCve49546	Policy apply failed at "FINALIZE" prevents future policy apply from succeeding
CSCve49643	User logins with double byte characters are not recorded on Firepower Management Center correctly
CSCve49722	Can't export if intrusion policy inherits intrusion layer from parent domain
CSCve49778	Threat Defense ICMP platform settings security zones with multiple interfaces not handled properly
CSCve55618	DNS policy generates DNS responses for already generated responses, if it is seen over the wire
CSCve56743	Firepower Threat Defense pair: Snort is dropping traffic inspite of having a trust rule.
CSCve57521	For NGFW rules processing, always use first packet of flow to determine initiator direction
CSCve57858	Sites with large certificate not loading with SSL policy turned on even with "Do not decrypt" action
CSCve60167	Upgrade framework needs to review onbox scripts NEVER_SKIP
CSCve61540	Cisco Adaptive Security Appliance Application Layer Protocol Inspection DoS Vulnerabilities
CSCve73129	DB query does not terminate when upgrade to 6.2.1 fails
CSCve77286	Intrusion policy rule filter is not working properly
CSCve79555	ASA/Threat Defense traceback when clearing capture-assertion "0" failed: mps_hash_table_debug.c file
CSCve84791	Capturing asp-drop causes unexpected ASA failure
CSCve87945	Cannot install new https certificate
CSCve88764	Don't restore Primary Firepower Management Center backup to secondary
CSCve90384	high availability break/Config Deployment fails on 2100 platforms when in secondary is Active
CSCve98443	User Identity count tracking may be incorrect
CSCve98877	Dashboard Drilldown Does Not Match Top Level Report
CSCve99511	Traceback and reload in thread name: sfr-vpn-status-watcher when unit takes active role
CSCve99818	Time window setting for Connection events gets reset to different range
CSCvf01839	vFMC getting logged out for "An unauthorized action has been detected" after some idle time
CSCvf04102	Error generating report preview for Vulnerabilities section
CSCvf06031	After adding a secondary Firepower Threat Defense to cluster, deploy can fail
CSCvf12392	Security Intelligence category may be incorrect in alert response from correlation policy
CSCvf12828	Device stuck at HA state progression failed due to App sync issue on QP FTD HA pair
CSCvf15067	Sync hostname to ASA when device is managed by Firepower Management Center/no manager
CSCvf18641	Connection events are not generated for unmonitored hosts in ND rules
CSCvf18966	Adding Port Group Object to Extended Access Control Entry causes ERROR: Invalid Protocol
CSCvf25032	FMC: Ownership of sydb.out changes to root and prevents vmsDbEngine/dbsrv16 to start
CSCvf25058	Firepower Threat Defense Security Intelligence DNS memcap exceeded health alert
CSCvf25444	Copying Realm and replacing users in SSL policy criteria corrupts policy
CSCvf27979	Unable to view access control policy with the error "End value is less than start value"
CSCvf34791	Install 6.2.2-1290 on an ASA with Firepower Services-- ASA fails unexpectedly.
CSCvf35266	Deployment failure if group policy is unassigned from connection profile and deleted in advanced tab
CSCvf41793	High memory usage of ids_event_processor/ids_event_alerter when threshold.conf file is not pruned
CSCvf42199	Core seen while running snort restart automated regression suite for more than 14 hours.
CSCvf45952	high availability progression failed for secondary when pair is rebooted due to App-sync failure
CSCvf46168	"no capture <name> stop" doesn't change capture status from Stopped
CSCvf46886	Security Analyst User Role not permitted to download file from malware event
CSCvf49737	Add state-checking options on H323 policy inspect map
CSCvf53734	access control rules and Categories duplication on Firepower Management Center UI
CSCvf55897	Disable Intrusion Policy controls on Default action in Access Policy Page
CSCvf56476	DNS Flexconfig removed after enabling LDAPS on Firepower 2120 device
CSCvf56533	Cannot re-register Firepower 9300 cluster to a different Firepower Management Center
CSCvf57862	Snort install silently fails and automatic deploy after Snort is installed is skipped
CSCvf60738	Elektra Registration failures due to RPC call failures
CSCvf61157	Firepower Management Center DB corruption name mismatch
CSCvf64643	ERROR on Firepower Threat Defense device: Captive-portal port not available. Try again
CSCvf64882	Deployment Failing on high availability pair due to Cluster Hold Request Timed Out by ASA
CSCvf64914	updates to local URL filtering database and/or cloud dispositions need to supersede cached data
CSCvf65014	Having custom "End Time" in "Intrusion Events" Analysis returns a blank page with no events
CSCvf65226	OSPF Redistribution command not getting deleted on Firepower Threat Defense device
CSCvf65245	Monitor rule does not log large sessions (such as file transfers)
CSCvf68502	Unable to assign FQDN for hostname in Certificate Signing Request
CSCvf71365	Log appropriate message if SFDataCorrelator exits during startup due to empty VDB tables
CSCvf73465	re-registration failed due to stale entry in ID_MAPPING table post device delete
CSCvf74023	Smart License registration failures when Proxy Authentication is configured on Management Center
CSCvf74113	Firepower Intrusion rule UI policy deploy fails when threshold seconds of rules set to 00, 08, 09
CSCvf75062	Deployment failed with 'ERROR: Trustpoint not enrolled'
CSCvf77836	FTD HA - both devices go into unknown state when HA break is performed
CSCvf78629	Custom Fingerprint GUI offers "Defense Center" instead of "Firepower Management Center" option
CSCvf81725	syncd uses high memory and exits when loading firewall_rule_cache table
CSCvf82315	IP address for 10G interfaces cannot be changed from GUI.
CSCvf91371	Invalid certificate error seen when internal CA is used for SSL Decrypt-Resign rule
CSCvf95633	Management Center: Interface "mac-address-table" command not sent to the Firepower Threat Defense
CSCvf98386	FDM pre-shared key changed to random value after upgrade
CSCvg02051	Large user/group tables due to duplicated entries when group names are not ASCII
CSCvg03671	FMC policy deployment slows down due to multiple failed attempts by Snort to load SI data
CSCvg04309	Micro-Engine failure due to TCAM leads to bb-heath not generating auto-troubleshoot.
CSCvg06811	Add captive_portal.log to logrotate.d
CSCvg09316	Cisco Firepower Threat Defense Software Policy Bypass Vulnerability
CSCvg20782	Identified Vulnerabilities associated with the CVEs from Oracle MySQL Patch Updates
CSCvg21939	Parts of Firepower Management Center GUI not loading in Firefox 56
CSCvg23945	ASA panic/crash spin_lock_fair_mode_enqueue: Lock (mps_shash_bucket_t) is held for a long time
CSCvg24416	FTW inline interfaces do not go into hardware bypass during Firepower 4100 Series
CSCvg24892	6.2.3 Snort configuration validation failed due to ERROR: SMTP: Could not allocate SMTP mempool.
CSCvg27431	Applying large access control policy fails on AWS - 6.2.2.1
CSCvg27511	Network Object - getting 'missing entry' while trying to delete an existing object
CSCvg27590	Daily Change reconciliation report lacks details and users on Firepower 6.2.2
CSCvg29442	When IPSec is enabled, high availability goes in Active-Failed state
CSCvg29791	FlexConfig - System variable should contain subinterface ID
CSCvg30947	more than one default route with same metric allows on Threat Defense device's routing table
CSCvg32590	6.1-6.2.3 upgrade: FTD upgrade failed with /ngfw/var/lib/mysql/sfsnort: not accessible error
CSCvg37391	Migrated access control policy deploy fails since it has FQDN objects
CSCvg37456	Deployment to high availability pair successful on active unit; standby unit will be updated message
CSCvg38612	Upgrade failure from 6.2.0 -> 6.2.3-10646 on FDM
CSCvg38789	Nested entities not deleted when deploying an object
CSCvg39981	Firepower Management Center not displaying Firepower Threat Defense cluster names correctly
CSCvg43759	URL filter matching fails - Two SSL Certificate CNs Concatenated
CSCvg45236	Lower-than-expected 256 byte block count with fast-path pre-filter SSL policy
CSCvg46466	Cisco FMC and Firepower System Software SF Tunnel Control Channel Command Execution Vulnerability
CSCvg47696	Not able to create RA VPN after removing DfltGrpPolicy
CSCvg48363	With verbose SSL logging enabled, logs can consume all available disk space
CSCvg50707	Firepower Threat Defense high availability policy deploy fails with Found more than one NGFW Policy
CSCvg52545	9300 pair NGFWs in inlineIPS mode do not trigger SNAP packet updates with proper VLAN tags
CSCvg58777	Multiple Vulnerabilities in Apache tomcat
CSCvg58825	Report generated from access control policy using object group in sub-domain is blank/0 bytes
CSCvg61624	Deployment fails when Secondary-Active Primary-Disabled (by doing suspend operation in device)
CSCvg61737	Deployement failed due to "Snort validation failed due to Unable to open rules file snort.conf file"
CSCvg61760	Not all the syslog messages on Firepower Threat Defense are available for editing
CSCvg61799	Sysopt permit-vpn behavior change to prevent unintended clear-text traffic
CSCvg62337	Memory calculation in Snort incorrect for Firepower Threat Defense devices
CSCvg66727	sysopt connection tcpmss 0 not removed after removing jumboframe
CSCvg67377	Malware correlation rule is missing Device condition
CSCvg71501	ASA/FTD device needs to be rebooted after adding Base license with export-controlled function
CSCvg73042	SSL Cache missing session info leading to ERR_SSL_PROTOCOL_ERROR in the browser for SSL websites
CSCvg76789	MASTER_KEY_INVALID flow error on FMC shown when having DND on few websites
CSCvg76907	Repeated SFDaco crashes if current_user_ip_map references invalid realm, somehow caused by RA-VPN?
CSCvg78622	Deployment failed in policy and object collection
CSCvg80346	Init Process Respawning on FMCv/FTDv/NGIPSv
CSCvg83924	Traffic not hitting the access control rule which has deprecated Application in it
CSCvg85613	Smart call home does not work properly with HTTP Proxy, when Authentication is turned on
CSCvg86139	After breaking Firepower Threat Defense high availability pair, policy deploy fails
CSCvg86366	Change Reconciliation Report not generated after upgrade
CSCvg87754	Unable to disable certain VPN related Syslog IDs from Management Center (like 402114 or 402119)
CSCvg90403	Blocks of size 80 leak observed when IRB is used in conjunction with multicast traffic
CSCvg93202	Dashboard custom analysis flow_chunk queries block event processing for hours
CSCvg93556	Deployment on a healthy KP HA pair failed with message "ssp_ha_state_improper"
CSCvg94796	Security Intelligence Connection Events showing '0' for Initiator User
CSCvg95046	Customer Success Network fails after upgrade of high-availability Firepower Management Centers
CSCvg98609	Management Center REST API - Threat Defense pairare not reported as targets on GET policyassignments
CSCvg98640	Cluster-Hold-Abort and Cluster-Hold-Timeout during policy deployment not handled correctly
CSCvg99285	[ERROR] Failed to init octeon -- FATAL ERROR: Can't initialize DAQ oct_ssl (-1)
CSCvh01213	An ASA may Traceback and reload when processing traffic
CSCvh03962	Cisco Firepower Management Center Command Injection Vulnerability
CSCvh05658	NAT policy assignment by device group does not update UI after moving device to different group
CSCvh05897	Firepower Threat Defense Cluster Registration with Group may fail
CSCvh07577	Cannot remove "management-access" configuration via flexconfig
CSCvh12923	Need to update docs that Firepower Threat Defense in cluster mode does not support Remote Access VPN
CSCvh14447	Rule parsing error was ignored in 602_log_package.pl.log during Snort update
CSCvh14478	policy deployment fails with QoS policy on firewall rulechecker
CSCvh15228	Firepower Threat Defense Traffic Zone Member Causes Traffic Interruption
CSCvh16252	ASA may traceback and reload in Thread Name: fover_rep during conn replication
CSCvh19991	User/Group Download fails when an Included Group is missing from the AD Server
CSCvh20742	Cisco Adaptive Security Appliance Clientless SSL VPN Cross-Site Scripting Vulnerability
CSCvh23085	Cisco Adaptive Security Appliance Application Layer Protocol Inspection DoS Vulnerabilities
CSCvh25000	custom user role unable to generate CSV reports without "health" privileges enabled
CSCvh25562	Cannot modify an access control rules / "An internal error occurred" error
CSCvh25977	blank space must be remove at the end of device name - cannot find events
CSCvh26084	SFDataCorrelator core in deserialization of corrupt flow event
CSCvh28733	Firepower Management Center allows wrong NAT rule when switching policy from Static to Dynamic
CSCvh31939	Firepower Management Center allows deleting Interface Object being used in SLA monitor object
CSCvh47069	Firepower Management Center Data purge causes managed sensor to wipe out user sessions upon reboot
CSCvh49388	Cisco FireSIGHT System VPN Policy Bypass Vulnerability
CSCvh49748	Malware.exe getting downloaded in the first try bypassing file detection due to unknown app-id
CSCvh53414	Access control policy deployment failing when object description contains "?" character
CSCvh53597	Policy deploy fails if SSL Policy has deprecated AppDetector
CSCvh53901	SFDataCorrelator cores when reading invalid fingerprint type from database
CSCvh59772	Deployment fails after S2S/RA VPN is deleted/unassigned following some edits and testing on it.
CSCvh59884	Notifications about pruned events contains invalid date/time (Thu Jan 1 00:00:01 1970)
CSCvh62164	ASA standby stuck in Bulk-Sync state with high CPS traffics on active
CSCvh63896	ASA/FTD traceback in threadname CP Processing
CSCvh67237	Policy deployment failing due to incomplete copying of deployment package
CSCvh67930	Management Center doesn't allow site to site tunnel with both IPv4 and IPv6 protected networks
CSCvh68253	Creation of two S2S VPN topologies with the same endpoints (nodes) leads to unpredictable results
CSCvh68311	Cisco Firepower System Software Cross-Origin Domain Protection Vulnerability
CSCvh68521	On 8000 series stack, with "Maint on sec fail" setting enabled, stack health is in compromised state
CSCvh70474	SFDataCorrelator/SFDCNotificationd connection log spam after expiring many hosts
CSCvh73463	Documentation and logs specify Firepower remote storage via SSH uses SCP, when it actually uses SFTP
CSCvh77456	Cisco Firepower Threat Defense Software FTP Inspection Denial of Service Vulnerability
CSCvh77845	SSL errors on session resume when server IP address changes
CSCvh78133	Firepower 2100 process_stderr.log getting flooded with errors causing /ngfw high disk
CSCvh79172	Phase-1 solution for momentary traffic drop during ASA policy apply rollback tracked w/ CSCvc56570
CSCvh83145	ASA interface IP and subnet mask changes to 0.0.0.0 0.0.0.0 causing outage of services on interface
CSCvh84511	Cisco FireSIGHT System URL-based Access Control Policy Bypass Vulnerability
CSCvh85246	ssl inspection can be limited by a "do not decrypt" rule specifying one or more common names
CSCvh85580	ids_event_alerter core when processing connection events
CSCvh89340	Cisco Firepower Threat Defense SSL Engine High CPU Denial Of Service Vulnerability
CSCvh90092	AQ task selection ignores few groups when large no of groups present causing 8 hr delays in deploy
CSCvh92840	Failing to deploy after adding a URL literal from REST API
CSCvh95396	Policy deployment failure due to Invalid preprocessor normalize_tcp option 'ftp'
CSCvh95456	Cisco Adaptive Security Appliance Application Layer Protocol Inspection DoS Vulnerabilities
CSCvh95807	SSL FLow Errors reported when accessing ECDSA signed websites
CSCvh95960	Using the "match" keyword in capture command causes IPv6 traffic to be ignored in capture
CSCvh97258	unable to render any of monitoring screens in any browser
CSCvh97594	ssl inspection cache can become unbalanced, leading to premature removal of recently used items
CSCvh97782	KP traceback illegal memory access inside a vendor Modular Exponentiation implementation
CSCvh98781	ASA/FTD Deployment ERROR 'Management interface is not allowed as Data is in use by this instance'
CSCvh98897	Data interfaces on Firepower devices shut down on upgrade failure, causing management interruptions
CSCvi02989	Access control policy not able to be edited or deployed after upgrade to Version 6.2.2.1
CSCvi09340	Policy deployment failed on multiple devices because of large size of policy deployment DB
CSCvi31174	FTD:Deployment takes lot of time when node in cluster is down/unreachable from FMC
CSCvi39938	Traffic outage while downloading large number of users and groups
CSCvi43661	Static Route:Proper Interface is not being assigned while configuring the route, causing problem.
CSCvi44246	Port-channel's subinterfaces share same MAC address on both unit of Threat Defense pair
CSCvi44365	After an upgrade the Firepower 4100 hostname is different than SFCLI hostname
CSCvi54162	"ha-replace" action not working when peer not present
CSCvi58729	6.2.3 Upgrade Resume Fails on KP-Onbox at 200_pre/600_ftd_onbox_data_export.sh
CSCvi59968	Firepower 2100 Incorrect reply for SNMP get request 1.3.6.1.2.1.1.2.0
CSCvi74560	6.2.3 does not properly deploy variables in variable sets and causes deploy failure
CSCvi74623	6.2.3 upgrade resets home_net variable to default "any"
CSCvi77527	upgrade to 6.2.3 fails with post install database integrity check error
CSCvi79043	Add warning to configure manager delete/add command
CSCvi80012	CD state incorrect if failover happens during snort policy application on Active FTD
CSCvi80849	Cisco Firepower 2100 Series POODLE TLS security scanner alerts
CSCvj00363	ASA may traceback and reload with combination of packet-tracer and captures
CSCvj05640	Traceback at snmp address not mapped when snmp-server not enabled
CSCvj13327	Upgrade to 6.2.3 fails at 600_schema/100_update_database.sh - oom killer invoked
CSCvj18111	FTD: Flow-preserve N1 flag shouldn't apply for IPS interfaces
CSCvj42450	ASA traceback in Thread Name: DATAPATH-14-17303
CSCvj47119	"clear capture /all" might crash
CSCvj50373	Doc: Table 1 has incorrect information on Configuration Guide Version 6.2.3
CSCvj58342	Multicast dropped after deleting a security context
CSCvj62504	Cisco Firepower 2100 Series Security Appliances Denial of Service Vulnerability
CSCvj65581	Excessive logging from ftdrpcd process on 2100 series appliances
CSCvj72309	FTD does not send Marker for End-of-RIB after a BGP Graceful Restart
CSCvj74210	Traceback at "ssh" when executing 'show service-policy inspect gtp pdp-context detail'
CSCvj82652	Deployment changes are not pushed to the device due to disk0 mounted on read-only
CSCvj85516	Packet capture fails for interface named "management" on Firepower Threat Defense
CSCvj89470	Cisco Adaptive Security Appliance Direct Memory Access Denial of Service Vulnerability
CSCvj98499	Linux Kernel cdrom_ioctl_media_changed Function Kernel Memory Read Vul
CSCvj98512	Doc: Procedure of changing FTD management IP address should be corrected.
CSCvj99658	ASA/Lina HA failover interface testing rendering control channel unresponsive
CSCvk02250	"show memory binsize" and "show memory top-usage" do not show correct information (Complete fix)
CSCvk04592	Flows get stuck in lina conn table in half-closed state
CSCvk07522	webvpn: Bookmark fails to render on Firefox and Chrome. IE fine.
CSCvk18330	Active FTP Data transfers fail with FTP inspection and NAT
CSCvk18578	Enabling compression necessary to load ASA SSLVPN login page customization
CSCvk20381	Traceback loop seen on fresh ASAv Azure, KVM and VMWare deployments
CSCvk25729	Large ACL taking long time to compile on boot causing outage
CSCvk30228	ASAv and FTDv deployment fails in Microsoft Azure and/or slow console response
CSCvk31035	KVM (FTD): Mapping web server through outside not working consistent with other platforms
CSCvk44166	Cisco ASA and FTD TCP Proxy Denial of Service Vulnerability
CSCvk45443	ASA cluster: Traffic loop on CCL with NAT and high traffic
CSCvk47253	Flow offload for UDP/TCP traffic is not working
CSCvk50732	AnyConnect 4.6 Web-deploy fails on MAC using Safari 11.1.x browsers
CSCvk51181	FTD IPV6 traffic outage after interface edit and deployment part 1/2
CSCvk57516	Low DMA memory leading to VPN failures due to incorrect crypto maps
CSCvk66732	Cisco Adaptive Security Appliance Software IPsec Denial of Service Vulnerability
CSCvk67239	FTD or ASA traceback and reload in "Thread Name: Logger Page fault: Address not mapped"
CSCvm06114	RDP bookmark plugin won't launch
CSCvm23370	ASA: Memory leak due to PC cssls_get_crypto_ctxt
CSCvm27111	FTD Lina traceback while removing OSPF configuration.
CSCvm31905	OpenSSH Bailout Delaying User Enumeration Vulnerability
CSCvm32267	Not blocking EICAR files through HTTPS connection with SSL policy in place
CSCvm53531	Cisco Adaptive Security Appliance Software Privilege Escalation Vulnerability
CSCvm64400	IKEv2: IKEv2-PROTO-2: Failed to allocate PSH from platform
CSCvm70274	tcp proxy: ASA traceback on DATAPATH
CSCvm72145	Cisco ASA Software and FTD Software MOBIKE Denial of Service Vulnerability
CSCvm80011	FTD Cluster in transparent mode; Inline set: FTP/SCP flows get stalled and never recover.
CSCvm86658	FTD traceback and reload in snap_get_retaddr_mips at snap.h:285
CSCvm91893	FMC does not update time and display events when using sliding time window option for event analysis
CSCvn09322	FTD device rebooted after taking Active State for less than 5 minutes
CSCvn09612	ASA/FTD Connection Idle Timers Not Increasing For Inactive Offloaded Sessions
CSCvn09640	FTD: Need ability to trust ethertype ACLs from the parser. Need to allow BPDU to pass through
CSCvn23254	SNMPv2 pulls empty ifHCInOctets value if Nameif is configured on the interface
CSCvn31390	Computing Processor PortSmash Side-Channel Information Disclosure Vuln
CSCvn33943	Standby node traceback in wccp_int_statechange() with HA configuration sync
CSCvn46358	overloading of the lina msglyr infra due to the sending of VPN status messages
CSCvn55563	Port group objects not listed while creating extended access list ( FMC GUI )
CSCvn56095	selective acking not happening with SSL crypto hardware offload
CSCvn69213	ASA traceback and reload due to multiple threads waiting for the same lock - watchdog
CSCvn69270	Add troubleshooting for VPN Client Assignment
CSCvn75368	IPsec VPN goes down intermittently during a re-key
CSCvn76023	Firepower:when deplopy policy, device list is empty with error message "failed to fetch device list"
CSCvn78174	Cisco ASA and Cisco FTD Software TCP Timer Handling Denial of Service Vulnerability
CSCvn78593	Control-plane ACL doesn't work correctly on FTD
CSCvn86777	Deployment on FTD with low memory results on interface nameif to be removed - finetune mmap thresh
CSCvo11077	Cisco ASA Software and FTD Software IKEv1 Denial of Service Vulnerability
CSCvo12985	ASA: EIGRP neighborship formation delayed after failover due to delay in sending out Hello packet
CSCvo39356	Traceback at Thread Name: IP Address Assign
CSCvo41572	FMC shows connection events with packet count as 0
CSCvo43679	FTD Lina traceback, due to packet looping in the system by normaliser
CSCvo47562	VPN sessions failing due to PKI handles not freed during rekeys
CSCvo48838	Lina does not properly report the error for configuration line that is too long
CSCvo56675	ASA or FTD traceback and reload due to failover state change or xlates cleared
CSCvo58847	Enhancement to address high IKE CPU seen due to tunnel replace scenario
CSCvo62031	ASA Traceback and reload while running IKE Debug
CSCvo68184	management-only of diagnostic I/F on secondary FTD get disappeared
CSCvo72462	Do not decrypt rule causes traffic interruptions.
CSCvo88762	FTD inline/transparent sends packets back through the ingress interface
CSCvo90998	LACPDUs should not be sent to snort for inline-set interfaces
CSCvp16536	ASA traceback and reload observed in Datapath due to SIP inspection.
CSCvp18878	ASA: Watchdog traceback in Datapath
CSCvp19549	FTD lina cored with Thread name: cli_xml_server
CSCvp24728	Random SGT tags added by FTD
CSCvp25236	FTD Lina traceback -Thread Name: cli_xml_server
CSCvp30505	FDM Error: There were some connectivity problems while loading archived backups.
CSCvp36425	Cisco ASA & FTD Software Cryptographic TLS and SSL Driver Denial of Service Vulnerability
CSCvp43150	FP9300 Cluster - Master unit does not update all the route changes to slaves
CSCvp45149	Traceback while Reverting the primary system as active
CSCvp47525	Upgrade times out after 1 hour for slow FMC-to-sensor bandwidth
CSCvp49576	FTD traceback due to watchdog on xlate_detach
CSCvp53637	Flows are getting offloaded on inline-sets
CSCvp55880	Fail-Closed FTD passes packets through on Snort processes down
CSCvp55901	LINA traceback on ASA in HA Active Unit repeatedly
CSCvp57643	FP9300 Cluster - Master unit does not update all the route changes to slaves
CSCvp67392	ASA/FTD HA Data Interface Heartbeat dropped due to Reverse Path Check
CSCvp70699	ASA Failover split brain (both units active) after rebooting a Firepower chassis
CSCvp81083	ASA/Lina Traceback related to TLS/VPN
CSCvq27010	Memory leak observed when ASA-SFR dataplane communication flaps
CSCvq44665	FTD/ASA : Traceback in Datapath with assert snp_tcp_intercept_assert_disabled
CSCvq54034	WRL6 and WRL8 commit-id update in CCM Layer (sprint 65)
CSCvq70775	FPR2100 FTD Standby unit leaking 9K blocks
CSCvq75634	Management interface configuration leads to immediate traceback and reload
CSCvq79042	FQDN ACL entries incomplete due to DNS response from server is large and truncated
CSCvq80735	Cannot add neighbor in BGP when the neighbor is on the same subnet as one interface
CSCvq93640	WRL6 and WRL8 commit id update in CCM layer (sprint 67)
CSCvr21803	Mac address flap on switch with wrong packet injected on ingress FTD interface
CSCvr23986	Cisco ASA & FTD devices may reload under conditions of low memory and frequent complete MIB walks
CSCvr25954	FTD/LINA Standby may traceback and reload during logging command replication from Active
CSCvr27445	App-sync failure if unit tries to join HA during policy deployment
CSCvr68146	Unable to auto-rejoin FTD cluster
CSCvs01422	Lina traceback when changing device mode of FTD
CSCvs03023	Clustering module needs to skip the hardware clock update to avoid the timeout error and clock jump
CSCvs26402	NAT policy configuration range limit to be imposed for non service cmds as well
CSCvs59056	ASA/FTD Tunneled Static Routes are Ignored by Suboptimal Lookup if Float-Conn is Enabled
CSCvs80536	FP41xx incorrect interface applied in ASA capture
CSCvs81504	WR6 and WR8 commit id update in CCM layer(sprint 77)
CSCvt06606	Flow offload not working with combination of FTD 6.2(3.10) and FXOS 2.6(1.169)
CSCvt28182	sctp-state-bypass is not getting invoked for inline FTD

Cisco Firepower Release Notes, Version 6.2.3

Bias-Free Language

Book Title

Cisco Firepower Release Notes, Version 6.2.3

Chapter Title

Bugs

Results

Chapter: Bugs

Bugs

Open Bugs

Open Bugs in Version 6.2.3

Resolved Bugs

Resolved Bugs in New Builds

Resolved Bugs in Version 6.2.3.18

Resolved Bugs in Version 6.2.3.17

Resolved Bugs in Version 6.2.3.16

Resolved Bugs in Version 6.2.3.15

Resolved Bugs in Version 6.2.3.14

Resolved Bugs in Version 6.2.3.13

Resolved Bugs in Version 6.2.3.12

Resolved Bugs in Version 6.2.3.11

Resolved Bugs in Version 6.2.3.10

Resolved Bugs in Version 6.2.3.9

Resolved Bugs in Version 6.2.3.8

Resolved Bugs in Version 6.2.3.7

Resolved Bugs in Version 6.2.3.6

Resolved Bugs in Version 6.2.3.5

Resolved Bugs in Version 6.2.3.4

Resolved Bugs in Version 6.2.3.3

Resolved Bugs in Version 6.2.3.2

Resolved Bugs in Version 6.2.3.1

Resolved Bugs in Version 6.2.3

Was this Document Helpful?

Contact Cisco