Bugs

This document lists open and resolved bugs for threat defense and management center Version 6.2.3. For bugs in earlier releases, see the release notes for those versions. For cloud-delivered Firewall Management Center bugs, see the Cisco Cloud-Delivered Firewall Management Center Release Notes.


Important


We do not list open bugs for patches.

Bug lists are auto-generated once and may not be subsequently updated. If updated, the 'table last updated' date does not mean that the list was fully accurate on that date—only that some change was made. Depending on how and when a bug was categorized or updated in our system, it may not appear in the release notes. If you have a support contract, you can obtain up-to-date bug lists with the Cisco Bug Search Tool.


Open Bugs

Open Bugs in Version 6.2.3

Table last updated: 2022-11-02

Table 1. Open Bugs in Version 6.2.3

| Bug ID | Headline |
| --- | --- |
| CSCvf16001 | SF Cli - "inside" or "outside" interface capture not giving all options |
| CSCvh73096 | Firepower Management Center does not support userPrincipalName attribute for login with ISE 2.2+ |
| CSCvh89068 | Core in Firepower Management Center Perl |
| CSCvh95960 | Using the match keyword in capture command causes IPv6 traffic to be ignored in capture |
| CSCvi07656 | Small number of TLS connections can fail after TLS inspection in Hardware Mode is overloaded |
| CSCvi10758 | With SSL inspection in software mode, a few TLS connections fail to close in a timely manner |
| CSCvi16024 | SSL errors on session resume when server IP address changes - HW mode |
| CSCvi18123 | Firepower Threat Defense show tech-support command output broken on 2100 from CLISH CLI |
| CSCvi19862 | With SSL inspection enabled, TLS traffic throughput can drop following high-availability failover |
| CSCvi35176 | Deployment Failed-Snort Restart Failure- APPLY_APP_CONFIG_APPLICATION_FAILURE SignalAppConfigFailed |
| CSCvi35588 | Deployment failure due to Snort failed to restart PDTS Handle was NULL |
| CSCvi42539 | Decrypted connections fail when SSLv2 is supported but a higher version is negotiated |
| CSCvi47264 | Some indicators may stay pending when consuming TAXII feeds in parallel |
| CSCvi50731 | Unable to delete certificate objects if there were previous used at ISE even it was deleted |
| CSCvi61411 | Routed Threat Defense allows Transparent Configuration, but traffic fails (6.2.3-66) on KVM only |
| CSCvi62982 | Firepower Threat Defense virtual on ESXi Firstboot config does not sync hostname correctly with FQHN |
| CSCvi63157 | Firepower 2110 dropping connections |
| CSCvi63864 | With SSL inspection in hardware mode and Malware protection, secure file transfers occasionally fail |
| CSCvi66189 | CNP has been enabled in Firepower Management Center where it usage Satellite server for license |
| CSCvi70680 | Same groups from different AD not downloaded |
| CSCvv14442 | FMC backup restore fails if it contains files/directories with future timestamps |

Resolved Bugs

Resolved Bugs in New Builds

Sometimes we release updated builds. In most cases, only the latest build for each platform is available on the Cisco Support & Download site. If you downloaded an earlier build, do not use it.

You cannot upgrade from one build to another for the same software version. If you are already running an affected build, determine if an upgrade or hotfix would work instead. If not, contact Cisco TAC. See the Cisco Firepower Hotfix Release Notes for quicklinks to publicly available hotfixes.

Table 2. Version 6.2.3 New Builds

| Version | New Build | Released | Platforms: Upgrade | Platforms: Reimage | Resolves |
| --- | --- | --- | --- | --- | --- |
| 6.2.3.15 | 39 | 2020-01-05 | FTD/FTDv | — | CSCvs84578: Upgrading FTD on 4100/9300 Platform to 6.2.3.15 break SSHD, preventing FTD instance from booting up<br>CSCvs84713: After upgrading FTD on ASA55XX to 6.2.3.15, cannot SSH to the device<br>CSCvs95725: Virtual FTD Running on 6.2.3.15 blocks SSH request and loses connection with the FMC<br>If you already upgraded your FTD device to Version 6.2.3.15-38, apply Hotfix DW to the device. For more information, see the Software Advisory for CSCvs84578 and CSCvs84713. |
| 6.2.3.14 | 41 | 2019-07-03 | All | — | CSCvq34224: Firepower Primary Detection Engine process terminated after Manager upgrade<br>If you already upgraded to Version 6.2.3.14-36 and have FTD devices configured for high availability, apply Hotfix CY to the FMC. |
| 6.2.3.11 | 55 | 2019-03-17 | All | — | Cisco Firepower System User Agent issues.<br>If you already downloaded and installed Version 6.2.3.11-53, contact Cisco TAC for a hotfix. |
| 6.2.3.5 | 53 | 2018-11-06 | FTD/FTDv | — | CSCvk67239: ASA Firewalls and Firepower Threat Defense devices may traceback and reload when the state of the unit in a Failover pair or multi-unit cluster changes. This also occurred when upgrading from Version 6.2.3.5 to Version 6.2.3.6.<br>For more information, see the Software Advisory for CSCvk67239. |
| 6.2.3.2 | 46 | 2017-06-27 | All | — | CSCvj25386: In some cases, if a device ever ran Version 6.0, upgrading to any version earlier than Version 6.2.2.3 failed.<br>CSCvk06176: Even with this new build, if an FMC ever ran Version 6.2.3-88, the SSE cloud connection drops and telemetry cannot send data after you upgrade. If your FMC is affected, apply Hotfix T. |
| 6.2.3.1 | 47 | 2017-06-28 | All | — | CSCvj25386: In some cases, if a device ever ran Version 6.0, upgrading to any version earlier than Version 6.2.2.3 failed.<br>CSCvk06176: Even with this new build, if an FMC ever ran Version 6.2.3-88, the SSE cloud connection drops and telemetry cannot send data after you upgrade. If your FMC is affected, apply Hotfix T. |
| 6.2.3.1 | 45 and 46 | 2017-06-21 | All | — | Component issues. |
| 6.2.3 | 113 | 2020-06-01 | FMC/FMCv | FMC/FMCv | CSCvr95287: Cisco Firepower Management Center LDAP Authentication Bypass Vulnerability<br>If you are running an earlier build, apply Hotfix DO. |
| 6.2.3 | 111 | 2019-11-25 | — | FTDv: AWS, Azure | Contact Cisco TAC. |
| 6.2.3 | 110 | 2019-06-14 | — | — | CSCvn78174: Cisco ASA and Cisco FTD Software TCP Timer Handling Denial of Service Vulnerability |
| 6.2.3 | 99 | 2018-09-07 | — | — | Contact Cisco TAC. |
| 6.2.3 | 96 | 2018-07-26 | — | — | Contact Cisco TAC. |
| 6.2.3 | 92 | 2018-07-05 | — | — | CSCvk06176: SSEConnector is not coming up because of Wrong Executable |
| 6.2.3 | 88 | 2018-06-11 | — | — | CSCvj13327: Upgrade to 6.2.3 fails at 600_schema/100_update_database.sh - oom killer invoked |
| 6.2.3 | 85 | 2018-04-09 | — | — | Contact Cisco TAC. |
| 6.2.3 | 84 | 2018-04-09 | Firepower 7000/8000<br>NGIPSv | — | CSCvi74560: 6.2.3 does not properly deploy variables in variable sets and causes deploy failure<br>CSCvi74623: 6.2.3 upgrade resets home_net variable to default "any"<br>CSCvi77527: upgrade to 6.2.3 fails with post install database integrity check error |
| 6.2.3 | 83 | 2018-04-02 | FTD/FTDv<br>ASA FirePOWER | FTD: Physical platforms<br>FTDv: VMware, KVM<br>Firepower 7000/8000<br>ASA FirePOWER<br>NGIPSv | Contact Cisco TAC. |

Resolved Bugs in Version 6.2.3.18

Table last updated: 2022-02-16

Table 3. Resolved Bugs in Version 6.2.3.18

| Bug ID | Headline |
| --- | --- |
| CSCvm05464 | CVE-2018-5391 Remote denial of service via improper IP fragment handling |
| CSCvp16933 | Cisco Firepower Threat Defense Software Shell Access Vulnerability |
| CSCvq41939 | Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software DHCP DoS |
| CSCvx00496 | QuoVadis root CA decommission on pix-asa |
| CSCvx19563 | FDM: Need to update various items to use STO Certificate Trust Bundle (QuoVadis Root CA Issue) |
| CSCvx28070 | Update QuoVadis root CA for Smart license as it is getting decommissioned |
| CSCvx30107 | Default trustpoint _SmartCallHome_ServerCA using SHA1 which is not supported |
| CSCvx32283 | Cisco Firepower Management Center Open Redirect Vulnerability |
| CSCvx46296 | Cisco ASA and FTD Software Transparent Mode Denial of Service Vulnerability |
| CSCvx47895 | Cisco ASA Software and FTD Software Identity-Based Rule Bypass Vulnerability |
| CSCvx52541 | Update SSEConnector config to use the CA bundle /etc/ssl/certs.pem |
| CSCvx55664 | Cisco Firepower Management Center Cross-site Scripting Vulnerability |
| CSCvx57417 | Smart Tunnel Code signing certifcate renewal |
| CSCvy16573 | Cisco Firepower Threat Defense Command Injection Vulnerability |
| CSCvy20504 | Cisco ASA and FTD Software Web Services Interface Cross-Site Scripting Vulnerability |
| CSCvy36910 | Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software DoS |
| CSCvy41771 | Cisco Firepower Management Center Software Authenticated Directory Traversal Vulnerability |
| CSCvy58278 | Denial of Service vulnerability handling the config-request request |
| CSCvy80325 | Include the ios pem files into the patch upgrade package for vFTD |
| CSCvy93480 | Cisco ASA and FTD Software IKEv2 Site-to-Site VPN Denial of Service Vulnerability |
| CSCwa46963 | Security: CVE-2021-44228 -> Log4j 2 Vulnerability |
| CSCwa70008 | Expired certs cause Security Intel. and malware file preclassification signature updates to fail |
| CSCwa88571 | Unable to register FMC with the Smart Portal |

Resolved Bugs in Version 6.2.3.17

Table last updated: 2021-06-14

Table 4. Resolved Bugs in Version 6.2.3.17

| Bug ID | Headline |
| --- | --- |
| CSCvh64138 | FXOS upgrade to 2.3.1.X causes FTD logical device to not come up |
| CSCvk08565 | App-instance in start-failed with "Application Failing to Start by ProcMgr" error on container app |
| CSCvn82441 | [SXP] Issue with establishing SXP connection between ASA on FPR-2110 and switches |
| CSCvn95731 | ASA traceback and reload on Thread Name SSH |
| CSCvo60166 | KP: Can't login to fxos due to disk full error |
| CSCvo86940 | PROMPTING FOR PASSWORD WHEN TRYING TO CONFIGURE enic, vfio-pci , igb_uio ON BLADE |
| CSCvp16482 | ASA reloads when establishing simultaneous ASDM sessions |
| CSCvp49481 | Cisco ASA Software and Cisco FTD Software SSL VPN Denial of Service Vulnerability |
| CSCvp57643 | FTD/ASA - Cluster/HA - Master/Active unit does not update all the route changes to Slaves/Standby |
| CSCvp93468 | Cisco ASA Software and Cisco FTD Software SSL VPN Denial of Service Vulnerability |
| CSCvq43920 | Cisco Firepower Threat Defense Software Hidden Commands Vulnerability |
| CSCvr35872 | ASA traceback Thread Name: DATAPATH with PBR configured |
| CSCvr55973 | Unable to ping out of management 1/1 interface on a KP |
| CSCvr80164 | WR6 and WR8 commit id update in CCM layer(sprint 72) |
| CSCvs45111 | WR6 and WR8 commit id update in CCM layer(sprint 75) |
| CSCvs56888 | Cisco Firepower Threat Defense Software TCP Flood Denial of Service Vulnerability |
| CSCvs81504 | WR6 and WR8 commit id update in CCM layer(sprint 77) |
| CSCvt01282 | WR6 and WR8 commit id update in CCM layer(sprint 79) |
| CSCvt02409 | Cisco Firepower Threat Defense Software Inline Pair/Passive Mode DoS Vulnerability |
| CSCvt13445 | Cisco ASA and FTD Software FTP Inspection Bypass Vulnerability |
| CSCvt18028 | Cisco ASA and FTD WebVPN CRLF Injection Vulnerability |
| CSCvt30731 | WR6, WR8 and LTS18 commit id update in CCM layer(sprint 80) |
| CSCvt31177 | Cisco ASA and FTD Software for FP 1000/2100 Series Appliances Secure Boot Bypass Vulns |
| CSCvt31178 | Cisco ASA and FTD Software for FP 1000/2100 Series Appliances Secure Boot Bypass Vulns |
| CSCvt60190 | Cisco ASA and FTD Web Services File Upload Denial of Service Vulnerability |
| CSCvt70322 | Cisco ASA Software and FTD Software Web Services Denial of Service Vulnerability |
| CSCvt74037 | Cisco FXOS Software Command Injection Vulnerability |
| CSCvt83121 | Cisco ASA and FTD Software OSPFv2 Link-Local Signaling Denial of Service Vulnerability |
| CSCvu15801 | Cisco ASA and FTD Software SIP Denial of Service Vulnerability |
| CSCvu20257 | WR6, WR8 and LTS18 commit id update in CCM layer (sprint 85) |
| CSCvu40531 | FXOS LACP packet logging to pktmgr.out and lacp.out fills up /opt/cisco/platform/logs to 100% |
| CSCvu44910 | Cisco ASA Software and FTD Software Web Services Cross-Site Scripting Vulnerability |
| CSCvu46685 | Cisco ASA and FTD Software SSL/TLS Session Denial of Service Vulnerability |
| CSCvu59817 | Cisco ASA and FTD Software SSL VPN Direct Memory Access Denial of Service Vulnerability |
| CSCvu61919 | WR6, WR8 and LTS18 commit id update in CCM layer(sprint 87) |
| CSCvu75581 | Cisco ASA and FTD Web Services Interface Cross-Site Scripting Vulnerabilities |
| CSCvu75615 | Cisco ASA Software and FTD Software WebVPN Portal Access Rule Bypass Vulnerability |
| CSCvu83309 | Cisco ASA and FTD Web Services Interface Cross-Site Scripting Vulnerabilities |
| CSCvu91097 | Cisco Firepower Management Center Software Policy Vulnerability |
| CSCvv13835 | Cisco ASA and FTD Web Services Interface Cross-Site Scripting Vulnerabilities |
| CSCvv33712 | Cisco ASA Software Web-Based Management Interface Reflected Cross-Site Scripting Vulnerabi |
| CSCvv56644 | Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web DoS |
| CSCvv65184 | Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web DoS |
| CSCvv79459 | WR6, WR8 and LTS18 commit id update in CCM layer (sprint 94, seq 1) |
| CSCvv95277 | FPR2100 High disk usage in partition /opt/cisco/platform/logs due to growth of httpd log files |
| CSCvw13348 | WR6, WR8 and LTS18 commit id update in CCM layer (sprint 98, seq 2) |
| CSCvw26544 | Cisco ASA and FTD Software SIP Denial of Service Vulnerability |
| CSCvw52609 | Cisco ASA and FTD Software Web Services Buffer Overflow Denial of Service Vulnerability |
| CSCvw53796 | Cisco ASA and FTD Web Services Interface Cross-Site Scripting Vulnerability |
| CSCvw53884 | M500IT Model Solid State Drives on ASA5506 may go unresponsive after 3.2 Years in service |
| CSCvw90923 | WR6, WR8 and LTS18 commit id update in CCM layer (sprint 101, seq 4) |
| CSCvx06920 | WR6, WR8 and LTS18 commit id update in CCM layer (sprint 103, seq 5) |
| CSCvx16700 | FXOS clock sync issue during blade boot up due to "MIO DID NOT RESPOND TO FORCED TIME SYNC" |

Resolved Bugs in Version 6.2.3.16

Table last updated: 2020-07-13

Table 5. Resolved Bugs in Version 6.2.3.16

| Bug ID | Headline |
| --- | --- |
| CSCvg84794 | All Interfaces does not come up after booting KP ASA image |
| CSCvj49994 | Failed to download FXOS package during upgrade due to no IPv6 address |
| CSCvm48451 | Intrusion Event Performance Graphs load blank on 4100 and 9300 |
| CSCvm84994 | SSH idle timeout not working on FTD on Firepower 4100 and Firepower 9300 |
| CSCvm85823 | Not able to ssh, ssh_exec: open(pager) error on console |
| CSCvn93683 | ASA: cluster exec show commands not show all output |
| CSCvo62077 | Cisco Firepower Threat Defense Software VPN System Logging Denial of Service Vulnerability |
| CSCvo78789 | Cisco Adaptive Security Appliance Smart Tunnel Vulnerabilities |
| CSCvo80853 | Cisco Firepower Threat Defense Software Packet Flood Denial of Service Vulnerability |
| CSCvp04134 | Traceback in HTTP Cli Exec when upgrading to 9.12.1 |
| CSCvp16945 | Cisco ASA Software and FTD Software MGCP Denial of Service Vulnerabilities |
| CSCvp16949 | Cisco ASA Software and FTD Software MGCP Denial of Service Vulnerabilities |
| CSCvp45149 | Traceback while Reverting the primary system as active |
| CSCvp49481 | Cisco ASA Software and Cisco FTD Software SSL VPN Denial of Service Vulnerability |
| CSCvp55941 | FILE RESUME BLOCK being randomly thrown causing access issues on files from SMB share. |
| CSCvp87623 | Upload an update gives "update request entity too large" error when using CAC(HTTPS Client Certs) |
| CSCvp90847 | Refresh Root CAs that SSL uses for resigning in FTD/FMC |
| CSCvp93468 | Cisco ASA Software and Cisco FTD Software SSL VPN Denial of Service Vulnerability |
| CSCvq12070 | Not able to establish more than 2 simultaneous ASDM sessions |
| CSCvq13442 | When deleting context the ssh key-exchange goes to Default GLOBALLY! |
| CSCvq20910 | Cisco Firepower 2100 Series Security Appliances ARP Denial of Service Vulnerability |
| CSCvq35440 | Upgrade Enhancements to STRAP verification for anyconnect - Cisco VPN session replay vulnerability |
| CSCvq36042 | lost heartbeat causing reload |
| CSCvq54034 | WRL6 and WRL8 commit-id update in CCM Layer (sprint 65) |
| CSCvq56257 | Cached malware disposition does not always expire as expected |
| CSCvq66092 | Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software BGP DoS |
| CSCvq70485 | Slow "securityzones" REST API |
| CSCvq70775 | FPR2100 FTD Standby unit leaking 9K blocks |
| CSCvq71217 | High Disk Utilization due to mysql-server.err failing to rotate after CSCvn30118 |
| CSCvq73534 | Cisco ASA Software Kerberos Authentication Bypass Vulnerability |
| CSCvq73599 | Cisco VPN session replay vulnerability : STRAP fix on ASA for SSL(OpenSSL 1.0.2) and SCEP proxy |
| CSCvq93640 | WRL6 and WRL8 commit id update in CCM layer (sprint 67) |
| CSCvr07419 | Cisco ASA and FTD Software IPv6 DNS Denial of Service Vulnerability |
| CSCvr09748 | Cisco FXOS and FTD Software Command Line Interface Arbitrary File Read and Write Vuln |
| CSCvr11395 | Only a subset of devices where deployed from a device group during scheduled deploy |
| CSCvr17735 | SFDataCorrelator high CPU during SI update |
| CSCvr37502 | libexpat Improper Parsing Denial of Service Vulnerability |
| CSCvr39556 | Segfault in libclamav.so (in the context of SFDataCorrelator) |
| CSCvr49734 | Cisco FXOS and UCS Manager Software CLI Command Injection Vulnerability |
| CSCvr55825 | Cisco ASA and FTD Software Path Traversal Vulnerability |
| CSCvr63941 | KP ASA diagnostic-cli channel stops functioning |
| CSCvr85295 | Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Remote |
| CSCvr86213 | CD is required to ignore Cluster-Msg-Delivery-Confirmation in Cluster Node Release Lina State |
| CSCvr90768 | FTD: Deployment through slow links may fail |
| CSCvr92327 | ASA/FTD may traceback and reload in Thread Name 'PTHREAD-1533' |
| CSCvs12288 | Snort unexpectedly exits with SSL policy enabled and debug_policy_all |
| CSCvs19968 | Fix consoled from getting stuck and causing HA FTD policy deployment errors. |
| CSCvs33416 | Upgrade Kernel to 4.14.158 |
| CSCvs34844 | pm process becomes randomly deadlocked when communicating with hardware. |
| CSCvs50459 | Cisco ASA and Cisco FTD Malformed OSPF Packets Processing Denial of Service Vulnerability |
| CSCvs59487 | Observed crash in KP device while upgrading to 99.14.1.64 image. |
| CSCvs60254 | libxml2 xmlParseBalancedChunkMemoryRecover Memory Leak Vulnerability |
| CSCvs61701 | DME process crash due to memory leak on Firepower 2100 |
| CSCvs77334 | FTD failover due to error "Inspection engine in other unit has failed due to snort and disk failure" |
| CSCvs84578 | Upgrading FTD on 4100/9300 Platform to 6.2.3.15 prevents the FTD instance from booting up |
| CSCvs84713 | Cannot SSH to the device after upgrading FTD on ASA55XX/ISA 3000/FTDv to 6.2.3.15 build 38 |
| CSCvs87168 | SNORT Fatal Error due to out of range interface ID |
| CSCvs94486 | CSCvs59487 requires additional fix for resolution |
| CSCvs98311 | FSIC Failure after upgrade from 6.2.3.15-38 > 6.2.3.16-29 in CC Mode |
| CSCvt03598 | Cisco ASA Software and FTD Software Web Services Read-Only Path Traversal Vulnerability |
| CSCvt15163 | Cisco ASA and FTD Software Web Services Information Disclosure Vulnerability |
| CSCvt39135 | snort instances CPU spikes to >90% at low non-SSL traffic with SSL policy applied |
| CSCvt39299 | 6.2.3.15 to 6.4.0 upgrade broken for Series-3 Sensors |
| CSCvt80172 | Supervisor software needs to be upgraded to address CVE-2017-11610 |
| CSCvu30830 | NGIPS sensor SSH broken due to bad CiscoSSH keywork in sshd_config file |

Resolved Bugs in Version 6.2.3.15

Table last updated: 2019-09-17

Table 6. Resolved Bugs in Version 6.2.3.15

| Bug ID | Headline |
| --- | --- |
| CSCve24102 | GUI should allow max 256 addresses per DHCP pool |
| CSCvg49225 | Canceling scheduled FXOS upgrade does not clear the event |
| CSCvg85687 | Error messages seen on console when FXOS boots up |
| CSCvk43854 | Cisco Firepower Threat Defense Detection Engine Policy Bypass Vulnerability |
| CSCvm64400 | IKEv2: IKEv2-PROTO-2: Failed to allocate PSH from platform |
| CSCvm68648 | review of CVE-2016-8858 (OpenSSH) on Firepower software |
| CSCvm82966 | Linux Kernel 4.14 Vulnerabilities |
| CSCvn46390 | Lina msglayer performance improvements: port Hotfix BO |
| CSCvn77125 | FXOS: copy command should allow for wildcards to transfer multiple files |
| CSCvo29989 | Cisco FirePower Threat Defense Information Disclosure Vulnerability |
| CSCvo47390 | ASA traceback in thread SSH |
| CSCvo48838 | Lina does not properly report the error for configuration line that is too long |
| CSCvo68184 | management-only of diagnostic I/F on secondary FTD get disappeared |
| CSCvo68448 | ASA report SFR module as 'Unresponsive' after reloading ASA module on 5585 platform |
| CSCvo85861 | Propagate link-state not shown in FTD CLI |
| CSCvo86485 | incorrect HTML <base> tag handling by Grammar Based Parser |
| CSCvo88762 | FTD inline/transparent sends packets back through the ingress interface |
| CSCvo89224 | FMC times out after 10 mins to fetch device list for deployment |
| CSCvo90998 | LACPDUs should not be sent to snort for inline-set interfaces |
| CSCvp07616 | [ciam] Python urllib Security Bypass Vulnerablity |
| CSCvp15176 | FTD/ASA installed on firepower devices may report comm failure and assume itself as active/master. |
| CSCvp16536 | ASA traceback and reload observed in Datapath due to SIP inspection. |
| CSCvp16618 | URL inside HTML base tag is not rewritten after it is handled by GBP |
| CSCvp27263 | Multiple ClamAV Vulnerabilities For Cisco Firepower Management Center for pre 6.5.0 |
| CSCvp35141 | ASA sends invalid redirect response for POST request |
| CSCvp35769 | [ciam] Apache HTTP Server URL Normalization Denial of Service Vulnerability |
| CSCvp37779 | FTD show tech from troubleshooting files incomplete |
| CSCvp46150 | [ciam] GNU Wget Buffer Overflow Vulnerability |
| CSCvp48273 | [ciam] Linux Kernel cipso_v4_validate Denial of Service Vulnerability |
| CSCvp49576 | FTD Cluster traceback experienced when other unit leaves the Cluster |
| CSCvp53637 | Flows are getting offloaded on inline-sets |
| CSCvp54261 | Audit syslog for SFR module/7000/8000 devices uses TCP instead of UDP for syslog communication |
| CSCvp55880 | Fail-Closed FTD passes packets through on Snort processes down |
| CSCvp55901 | LINA traceback on ASA in HA Active Unit repeatedly |
| CSCvp58028 | natd thread of nfm_exceptiond uses about 90% to 100% CPU time |
| CSCvp66559 | Deploy fails on FTD HA due to exception when parsing big xml response |
| CSCvp67257 | USGv6 Failures From Kernel Upgrade [3.10 to 4.14] |
| CSCvp67392 | ASA/FTD HA Data Interface Heartbeat dropped due to Reverse Path Check |
| CSCvp70699 | ASA Failover split brain (both units active) after rebooting a Firepower chassis |
| CSCvp72244 | Evaluate Cisco 8000 series for CVE-2019-11815 |
| CSCvp72488 | Firepower: AMP for network connectivity failure after upgrading to 6.3.0.2+ |
| CSCvp83437 | serial console/SSH login using local account succeeds but immediately returns to login prompt |
| CSCvp97061 | URL Filtering Shows All URLs as Uncategorized |
| CSCvp97799 | Policy deploy failure 6.5.0-1148 post upgrade with CC mode with openSSL call during SSL pol Export |
| CSCvp97916 | Executing 'failover' twice on active unit, clears interface configuration on standby unit |
| CSCvp98066 | On reset CD not clearing its flags[parseFailoverReqIssued] which prevents further node join attempts |
| CSCvq00675 | Linux Kernel sas_expander.c Race Condition Arbitrary Code Execution ... |
| CSCvq06790 | Snort processes dump core with memory corruption on Series 3 devices |
| CSCvq13917 | ADI does not learn VPN user logins anymore |
| CSCvq19525 | Evaluation of sfims for TCP_SACK |
| CSCvq19641 | Evaluation of Firepower 4k/9k Supervisor for TCP_SACK |
| CSCvq27010 | Memory leak observed when ASA-SFR dataplane communication flaps |
| CSCvq32681 | Fail to Wire configuration disabled for multiple interface-pair inline-sets during FTD upgrades |
| CSCvq33916 | Linkdown between FP 4100 and switch when using 40gb bidi to 40/100 bidi |
| CSCvq39083 | Security Intelligence does not drop HTTPS connections to blacklisted URLs when SSL policy is enabled |
| CSCvq44665 | FTD/ASA : Traceback in Datapath with assert snp_tcp_intercept_assert_disabled |
| CSCvq54242 | Warrning "There is an empty group in the source networks" in SSL policy |
| CSCvq56462 | File policy not inspecting some malware document (.doc) and Adobe flash (.swf) files. |
| CSCvq57710 | Firepower Primary Detection Engine process might terminated after Manager upgrade |
| CSCvq61651 | URL DB download failure alerts on FMC; new URL DB updates not taking effect on FMC/FDM |
| CSCvq65092 | Slow device related REST API calls |
| CSCvq98171 | Unable to do Recovery using latest r241 images |

Resolved Bugs in Version 6.2.3.14

Table last updated: 2019-07-03

Table 7. Resolved Bugs in Version 6.2.3.14

| Bug ID | Headline |
| --- | --- |
| CSCvb15074 | FMC health notifications for interfaces removed or added out-of-band get stuck |
| CSCvi63474 | Unable to edit the system policy of a SFR module via ASDM after upgrading to 6.2.2 |
| CSCvk69823 | FlexConfig objects pushed to device in spite of no changes being made to that on either FMC or FTD |
| CSCvm70274 | tcp proxy: ASA traceback on DATAPATH |
| CSCvn86777 | Deployment on FTD with low memory results on interface nameif to be removed |
| CSCvo24145 | ids_event_alerter high memory usage due to large firewall_rule_cache table |
| CSCvo33348 | Mysql traffic on non standard port is not correctly classified |
| CSCvo33851 | ngfwManager doesn't start if ngfw.properties is empty |
| CSCvo43679 | FTD Lina traceback, due to packet looping in the system by normaliser |
| CSCvo50168 | Audit Log Settings Failing Leading to being unable to edit System Settings |
| CSCvo60580 | ASA traceback and reloads when issuing "show inventory" command |
| CSCvo60862 | Internal Error when editing an Access Control Policy |
| CSCvo74745 | cloud agent core after generating a large number of continuous URL lookups (>30M) |
| CSCvo90805 | Cisco Firepower Management Center RSS Cross-Site Scripting Vulnerabilities |
| CSCvp16979 | ssl and daq debug logs can't be enabled/disabled dynamically |
| CSCvp18878 | ASA: Watchdog traceback in Datapath |
| CSCvp19549 | FTD lina cored with Thread name: cli_xml_server |
| CSCvp24728 | Random SGT tags added by FTD |
| CSCvp24787 | (snort)File is not getting detected when going over HTTPS (SSL Resign) |
| CSCvp25583 | FTD sets automatically metric 0 when we redistribute OSPF into BGP via FMC GUI. |
| CSCvp29692 | FIPS mode gets disabled after rollback from a failed policy deploy |
| CSCvp33052 | Firepower 8000 interfaces might flap due to unhandled resource temporarily unavailable issue |
| CSCvp43536 | On upgraded FMC Device FXOS devices are shown dirty even after successful deployment. |
| CSCvp54634 | Wrong rule matched when using ambiguous DND |
| CSCvp78197 | Policy deployment remove and add back ospf neighbor |
| CSCvp81967 | Slowness in loading Device Management page on FMC when there are over 500 managed devices |
| CSCvp82945 | NAT policy apply failing with error duplicate |
| CSCvp96934 | Ensure Error Message with Dup NATs Is Clear and Actionable |
| CSCvq13917 | 6.2.3.13 ADI does not learn VPN user logins anymore |
| CSCvq34224 | Firepower Primary Detection Engine process terminated after Manager upgrade |

Resolved Bugs in Version 6.2.3.13

Table last updated: 2019-07-03

Table 8. Resolved Bugs in Version 6.2.3.13

| Bug ID | Headline |
| --- | --- |
| CSCve13816 | MEMCACHED software needs to be upgraded to address several security vulnerabilities |
| CSCvf83160 | Traceback on Thread Name: DATAPATH-2-1785 |
| CSCvg01007 | https pdf attachment issues |
| CSCvg74603 | eStreamer archive events are not pruned correctly by diskmanager |
| CSCvi16224 | snmp-server host command for SNMPv3 doesn't apply properly when deploy ASAv VM on NFVIS (KVM) system |
| CSCvi32569 | Excessive logging in mysql-server.err log causes huge log files in FTD |
| CSCvi59887 | OSPF Route may become stale and stuck in the routing table after failover events |
| CSCvj49623 | Memory Leak In Smart Licensing |
| CSCvk14242 | sfstunnel process in FTD is holding large cloud db files that are already deleted |
| CSCvk26612 | "default Keyring's certificate is invalid, reason: expired" health alert |
| CSCvk29263 | SSH session stuck after committing changes within a Configure Session. |
| CSCvk30739 | ASA CP core pinning leads to exhaustion of core-local blocks |
| CSCvk44166 | Cisco ASA and FTD TCP Proxy Denial of Service Vulnerability |
| CSCvk72958 | Qos applied on interfaces doesn't work. |
| CSCvm00066 | ASA is stuck on "reading from flash" for several hours |
| CSCvm08769 | Standby unit sending BFD packets with active unit IP, causing BGP neighborship to fail. |
| CSCvm17985 | Initiating write net command with management access for BVI interfaces does not succeed |
| CSCvm27111 | FTD Lina traceback while removing OSPF configuration. |
| CSCvm36362 | Route tracking failure |
| CSCvm80779 | ASA not inspecting H323 H225 |
| CSCvm82290 | ASA core blocks depleted when host unreachable in IRB configuration |
| CSCvm85257 | Spin lock traceback when changing vpn-mode with traffic |
| CSCvm86008 | Policy Deployment: Delta config doesn't get copied to running config, LINA config remains unchanged |
| CSCvm88294 | High Disk utilization due to partition force drain not occurring |
| CSCvn22833 | ADI process fails to start on ASA on Firepower 4100 |
| CSCvn30108 | The 'show memory' CLI output is incorrect on ASAv |
| CSCvn30393 | ASA Traceback in emweb/https during Anyconnect Auth/DAP assessment |
| CSCvn31347 | ACL Unable to configure an ACL after access-group configuration error |
| CSCvn32620 | IKEv2 Failed to obtain an Other VPN license |
| CSCvn34246 | Loading AC policy editor takes too long, needs loading indicator |
| CSCvn38453 | ASA: Not able to load Quovadis Root Certificate as trustpoint when FIPS is enabled |
| CSCvn45750 | FMC Audit Logs will only display Admin and System as owners when deploying to 3D devices -GUI/SYSLOG |
| CSCvn50320 | Firepower MySQL Server : Oracle MySQL October 2018 Critical Patch Update |
| CSCvn55007 | DTLS fails after rekey |
| CSCvn57284 | Unsupported EC curve x25519 on FTD |
| CSCvn66248 | Configuring "boot config" has no effect if file was modified off-box and copied back on |
| CSCvn67137 | ASA5506 may slowly leak memory when using NetFlow |
| CSCvn68527 | FPR21xx: AnyConnect assigned addresses not marked allocated on Standby |
| CSCvn71592 | After FMC reboot, intrusion events generated by Snort are not sent to FMC and show up in webGUI |
| CSCvn73962 | ASA 5585 9.8.3.14 traceback in Datapath with ipsec |
| CSCvn76829 | ASA as an SSL Client Memory Leak in Handshake Error path |
| CSCvn77248 | Cisco Secure Boot Hardware Tampering Vulnerability |
| CSCvn78597 | Firepower block page not displayed on MS IE11 and Edge for HTTPS blocked sites when proxy is enabled |
| CSCvn78674 | Cisco Adaptive Security Appliance Clientless SSL VPN Cross-Site Scripting Vulnerability |
| CSCvn78870 | ASA Multicontext traceback and reload due to allocate-interface out of range command |
| CSCvn94100 | "Process Name: lina" \| ASA traceback caused by Netflow |
| CSCvn95711 | Traceback on Thread Name: Unicorn Admin Handler after adding protocol to IKEV2 ipsec-proposal |
| CSCvn96898 | Memory Leak in DMA_Pool in binsize 1024 with SCP download |
| CSCvn97591 | Packet Tracer fails with "ERROR: TRACER: NP failed tracing packet", with circular asp drop captures |
| CSCvo04444 | Ikev2 tunnel creation fails |
| CSCvo06216 | Support more than 255 chars for Split DNS-commit issue in hanover for CSCuz22961 |
| CSCvo11406 | Cisco Adaptive Security Appliance Clientless SSL VPN Cross-Site Scripting Vulnerability |
| CSCvo11416 | Cisco Adaptive Security Appliance Clientless SSL VPN Cross-Site Scripting Vulnerability |
| CSCvo13497 | Unable to remove access-list with 'log default' keyword |
| CSCvo15484 | Unable to delete User IOC if user info is inconsistent between mysql & sybase - part fix |
| CSCvo17033 | Cisco Adaptive Security Appliance Clientless SSL VPN Cross-Site Scripting Vulnerability |
| CSCvo23222 | AnyConnect session rejected due to resource issue in multi context deployments |
| CSCvo27109 | Standby may enter reboot loop upon upgrading to 9.6(4)20 from 9.6(4)6 |
| CSCvo42174 | ASA IPSec VPN EAP Fails to Load Valid Certificate in PKI |
| CSCvo45093 | Validation Check when two objects with different name but same network is used in route without ECMP |
| CSCvo45209 | FTD-CLUSTER:Adding new unit in cluster can cause traffic drop |
| CSCvo51265 | SCP large file transfer to the box result in a traceback |
| CSCvo55151 | crypto ipsec inner-routing-lookup should not be allowed to be configured with VTI present |
| CSCvo56616 | Deployment times out in some cases resulting in non-terminated AQ |
| CSCvo56836 | SCALE: with 500+ devices, UMS causes the UI to hang, especially during deploy |
| CSCvo58847 | Enhancement to address high IKE CPU seen due to tunnel replace scenario |
| CSCvo60627 | Policy failing to deploy after adding new cluster unit to setup |
| CSCvo62060 | Telemetry not sent when FMC managing lots of devices |
| CSCvo66534 | Traceback and reload citing Datapath as affected thread |
| CSCvo70866 | SGT tag shows untagged in server packet for every client packet with SGT tag with some value |
| CSCvo72179 | For SMB, remote storage configuration should allow configuring version string with dot(.) |
| CSCvo72232 | ERR_SSL_BAD_RECORD_MAC_ALERT or SSL_ERROR_BAD_MAC_ALERT in the browser |
| CSCvo74350 | ASA may traceback and reload. Potentially related to WebVPN traffic |
| CSCvo76727 | No warning about possible policy deployment failure when in route is more than one object |
| CSCvo81073 | Unable to load Device Management page or upgrade FMC due to missing NGFWHA EO |
| CSCvo83574 | Device goes into a bad state when switching the inline set from TAP mode |
| CSCvo87930 | HTTP with ipv6 using w3m is failing |
| CSCvo88188 | SSL rules with App-ID conditions can limit decryption capability |
| CSCvo88306 | NAT rules can get applied in the wrong order when you have duplicate rules |
| CSCvo93872 | Memory leak while inspecting GTP traffic |
| CSCvo94486 | Snort process exits while processing Security Intelligence. |
| CSCvp21837 | Allow FTDs to perform URL lookups directly without having to go through the FMC |
| CSCvp42398 | Series 3 8250: Upgrade 6.4.0-87 failed at 999_finish/989_flip_mbr.sh |
| CSCvp54634 | Wrong rule matched when using ambiguous DND |

Resolved Bugs in Version 6.2.3.12

Table last updated: 2019-05-13

Table 9. Resolved Bugs in Version 6.2.3.12

Bug ID

Headline

CSCvh26064

Unable to use "Change Reconciliation" on 7000/8000 sensors

CSCvj82652

Deployment changes are not pushed to the device due to disk0 mounted on read-only

CSCvk56988

Cisco ClamAV MEW unpacker Denial of Service Vulnerability

CSCvm16724

FXOS ASA/FTD needs means to poll Internal-data interface counters

CSCvm24210

One of the two schedule tasks running on same timestamp fails if they both access the same file

CSCvm35373

Pruner process fails to start due to configuration

CSCvm40545

downgrading FTD twice in a row without updating in between results in wrong lina version

CSCvn07452

712x devices become unstable when switching inline set from TAP to inline

CSCvn09383

Manual URL lookup returns Uncategorized if same URL is entered second time without "www." part

CSCvn38189

SFDataCorrelator is not restarted after backup scripts died

CSCvn46358

overloading of the lina msglyr infra due to the sending of VPN status messages

CSCvn49854

Subsequent HTTP requests not retrieving URL and XFF

CSCvn67570

amp-stunnel.conf does not point to correct amp cloud server post FMC upgrade

CSCvn67888

Object added using REST API result in policy deploy failure

CSCvn72570

Cisco ASA Software and FTD Software VPN SAML Authentication Bypass Vulnerability

CSCvn73848

Snort sessions are timing out earlier than configured idle timeouts.

CSCvn74112

FTDv does not have configuration on initial bringup with mix of vmxnet3 and ixgbevf interfaces

CSCvn75368

FPR platform IPsec VPN goes down intermittently

CSCvn78593

Control-plane ACL doesn't work correctly on FTD

CSCvn82895

Diskmanager may not track all event files

CSCvn87965

While associating FMC with TG account, FMC should not redirect users to TG console

CSCvn99712

Cisco Firepower Management Center Persistent Cross-Site Scripting Vulnerability

CSCvo02097

Upgrading ASA cluster to 9.10.1.7 cause traceback

CSCvo12057

DHCPRelay does not consume DHCP Offer packet with Unicast flag

CSCvo15545

nfm-burnin.sh system validation test fails for latest NFM release

CSCvo17775

EIGRP breaks when new sub-interface is added and "mac-address auto" is enabled

CSCvo20847

Active FTP fails through Cluster due to xlate allocation corruption upon sync

CSCvo23150

excessive DB queries for user identities causes slowness in user session processing.

CSCvo27164

SFDataCorrelator logs inappropriate "Resuming storage of old events" messages

CSCvo29973

ssl rules with cipher suite conditions can cause unneeded tls 1.3 downgrade

CSCvo31353

SSL connections may fail when URL categories are used and certificate common name doesn't match

CSCvo31953

Memory leak in SFDataCorrelator process

CSCvo32329

Deleted realm is causing many user_id's loaded into user_identities cache

CSCvo38051

segfault in ctm_ipsec_pfkey_parse_msg at ctm_ipsec_pfkey.c:602

CSCvo39052

FSIC error after enable the CC mode

CSCvo39094

Delay/Longer processing time to insert policy deploy task after selecting the device for deploy

CSCvo40210

Update Talos RSS feed in dashboard widget

CSCvo43693

FTD HA creation fails due to multiple files modules*.tgz and vdb*.tgz being transferred from FMC

CSCvo44064

aggressive downgrade action is taken when url look up is pending due to no sni

CSCvo47562

VPN sessions failing due to PKI handles not freed during rekeys

CSCvo50230

SSL Connections to uncategorized URLs may fail repeatedly

CSCvo54799

ssh to device fails due to corrupted devpts entry in fstab

CSCvo55203

Registered devices do not appear in the Device Management page

CSCvo55282

Policy deploy fails when user is able to enter invalid inline port range in AC Rule accidentally

CSCvo56675

ASA or FTD traceback and reload due to failover state change or xlates cleared

CSCvo56895

Some donut charts on the Context Explorer failing to load

CSCvo61091

eStreamer memory and CPU grow when sending NAP policy metadata

CSCvo62031

ASA Traceback and reload while running IKE Debug

CSCvo63240

Smart Tunnel bookmarks don't work after upgrade giving certificate error

CSCvo66920

Enhancement: add counter for Duplicate remote proxy

CSCvo67454

Invalid port range object causes AC policy deploy to fail

CSCvo72462

Do not decrypt rule causes traffic interruptions.

Resolved Bugs in Version 6.2.3.11

Table last updated: 2019-03-13

Table 10. Resolved Bugs in Version 6.2.3.11

Bug ID

Headline

CSCuz28594

Diskmanager - critical alert on /var/storage due to disk manager not pruning till 99%

CSCvi54162

"ha-replace" action not working when peer not present

CSCvi55841

errors saving blacklist config file are not detected

CSCvi62112

Blocking BPDU via FlexConfig on FTD Transparent causes deployment and registration issues

CSCvk06386

FTD Files are Allowed Through Multiple Pre-existing Connections Despite the File Policy Verdict

CSCvm14875

Large number of stale cloudconfig EO causing performance issues

CSCvm58799

During deploy, if multiple Snorts are not responding, recovery takes too long

CSCvm60039

Custom DNS security intelligence feed fail to download intermittently

CSCvm96339

/dev/root partition will fill to 100% due to archive_cache_seed.sensor file

CSCvn10634

Files are not detected in HTTP flows when there's an Out of Order (ACK before actual data)

CSCvn16102

Diskmanager file capture data not increasing for hours at a time

CSCvn17347

Traceback and reload when displaying CPU profiling results

CSCvn38082

FMC should identify and recover from mongo corruption

CSCvn41903

Snort reload fails and causes restart due to dce2-mem-reloader memory adjustments taking too long

CSCvn47788

UI validation fails on a valid hostname IP for Audit Log Host in Firepower platform setting policy

CSCvn48739

FTD show tech taken from CLISH mode and in troubleshoot may be truncated

CSCvn53145

Policy deploy throws "Variable set has invalid execulded values"

CSCvn69019

usernames with single quotes are not written into user_ip_map file

CSCvn72683

FMC webGUI device management page loading time is too long around 45s with 25s fetching license

CSCvn73848

Snort sessions are timing out earlier than configured idle timeouts.

CSCvo00887

ssl client hello should not be modified if "Do Not Decrypt" rule will be the only possible verdict

CSCvo03186

Domain page in Firepower Management Center takes long time to load

CSCvo03808

Deploy from FMC fails due to OOM with no indication of why

CSCvo11077

Memory leak found in IPsec when we establish and terminate a new IKEv1 tunnel.

CSCvo39052

FSIC error after enable the CC mode

Resolved Bugs in Version 6.2.3.10

Table last updated: 2019-02-07

Table 11. Resolved Bugs in Version 6.2.3.10

Bug ID

Headline

CSCuu67159

ASA: traceback in DATAPATH-2-1157

CSCva62256

Appliance status widget taking too long with 500 sensors

CSCvf81672

ASA Routes flushed after failover when etherchannel fails

CSCvg40735

GTP inspection may spike cpu usage

CSCvg56122

SSL handshake fails with large certificate chain size

CSCvi09811

Traceback in DATAPATH, assertion "0" failed: file "./snp_cluster_transport.h", line 480

CSCvi28763

FTD Platform Settings: change default DH-group in SSL custom settings to 2

CSCvi34533

Cannot save modification in Access List if there's no SNMPv3 user defined

CSCvi71622

Traceback in DATAPATH on standby FTD

CSCvi97028

fmc GUI too slow when configuring unreachable syslog server

CSCvj01704

ASA is getting traceback with reboot only on ASA 5585-X after shutdown SFR module

CSCvj65154

FMC failing to communicate with SSM when proxy password contains @ character

CSCvj74643

Enabling Use CAC authentication and authorization on AD breaks RADIUS when changed.

CSCvj87287

simultaneous flood of REST-API requests to FMC results in inaccessibility

CSCvj89445

Inconsistent deployment status on GUI

CSCvj97229

'User Name Template' should be required field for external authentication object for CAC in FMC

CSCvk18330

Active FTP Data transfers fail with FTP inspection and NAT

CSCvk19946

Sftunnel service broken due to cache archive data flooding

CSCvk39339

Unable to run the scheduling report generation on Japanese FMC

CSCvk40964

Deployment of empty interface config to device lead to traffic outage

CSCvk46038

ERROR: The entitlement is already acquired while the configuration is cached.

CSCvk50815

GTP inspection should not process TCP packets

CSCvk55634

Random policy deployment failure due to stuck notification for policy deployment

CSCvm24706

GTP delete bearer request is being dropped

CSCvm28730

ASA/FTD-LINA Tracebacks observed while getting CPU Profiling information

CSCvm33553

Clock drift causes Heartbeat misses from ndclientd

CSCvm46014

Copy config should not fail if standby device is corrupted on FTD HA

CSCvm55091

HA failed primary unit shows active while "No Switchover" status on FP platforms

CSCvm59983

The file-size directive returns invalid input error and breaks the captures from clish

CSCvm67273

ASA: Memory leak due to PC alloc_fo_ipsec_info_buffer_ver_1+136

CSCvm87315

FTD registration can fail because of TID in RegistrationTR::addToLamplighter

CSCvm88004

SSH Service on ASA echoes back each typed/pasted character in its own packet

CSCvn05797

Cisco Firepower Management Center Cross-Site Scripting Vulnerability

CSCvn06618

On LINA config rollback the startup-config is being merged with the default running

CSCvn09322

FTD device rebooted after taking Active State for less than 5 minutes

CSCvn09367

Prevent administrators from installing CXSC module on ASA 5500-X

CSCvn15757

ASA may traceback due to SCTP traffic inspection without NULL check

CSCvn16489

AMP Dynamic Analysis's clouds should be tracked separately for submission rates.

CSCvn19823

ASA : Failed SSL connection not getting deleted and depleting DMA memory

CSCvn20411

Device management page never loads and times out after an error message

CSCvn21899

Firepower: Disable TLS 1.0 permanently for SFTunnel communication

CSCvn23224

FTD-HA forming failed with SNMP configured

CSCvn23254

SNMPv2 pulls empty ifHCInOctets value if Nameif is configured on the interface

CSCvn23701

Deployment failed with - ftp_telnet.conf(4) => Invalid keyword 'memcap' for 'global' configuration.

CSCvn24756

Security intelligence feature can falsely block IP addresses ( URL block )

CSCvn30118

mysql-server.err file is not fully deleted and keeps consuming Firepower disk space

CSCvn32657

ASA traceback when removing interface configuration used in call-home

CSCvn33943

Standby node traceback in wccp_int_statechange() with HA configuration sync

CSCvn36393

exclude tls1.0 and tls1.1 in stunnel config file

CSCvn37829

ASA should allow GCM(SSL) connections to use DMA_ALT1 when primary DMA pool is exhausted

CSCvn38010

Let remove_peers.pl scripts bailout when it is run in FTD HA setup

CSCvn43798

Deleting a domain fails to delete some objects if a Realm is in that domain

CSCvn44201

ASA discards OSPF hello packets with LLS TLVs sent from a neighbor running on IOS XE 16.5.1 or later

CSCvn46474

FP2120 FTD went unresponsive after power outage

CSCvn47599

RA VPN + SAML authentication causes 2 authorization requests against the RADIUS server

CSCvn47800

ASA stops authenticating new AnyConnect connections due to fiber exhaustion

CSCvn48790

Slave node kicked out of cluster if SI task running during policy apply

CSCvn49561

update FireAMP curl calls to use CA path

CSCvn53732

Modified SSL connections that are not decrypted should be closed

CSCvn54347

Entitlement release error in Failover switchover or disband on fp2100/1000 KP/WM

CSCvn56095

selective acking not happening with SSL crypto hardware offload

CSCvn61662

ASA 5500-X may reload without crashinfo written due to CXSC module continuously reloading

CSCvn62787

To support multiple retry on devcmd failure to CRUZ during flow table configuration update.

CSCvn63549

Python pop3lib apop() Method Denial of Service Vulnerability

CSCvn64418

ISA3000 interop issue with Nokia 7705 router

CSCvn65575

Snort termination can occur when active authentication is enabled and an SSL policy is not enabled

CSCvn68145

Snort Unexpectedly Exiting when using SSL decryption

CSCvn69213

ASA traceback and reload due to multiple threads waiting for the same lock - watchdog

CSCvn76763

Two versions of messages-X-SNAPSHOT.jar in FTD causes deployment failure

CSCvn77636

ASA/webvpn: FF and Chrome: Bookmark is not rendered with Grammar Based Parser

CSCvn93499

Snort/Data Correlator can crash while exiting on Firepower 4100/9300 devices.

Resolved Bugs in Version 6.2.3.9


Note


Version 6.2.3.9 replaces Version 6.2.3.8, which was removed from the Cisco Support & Download site on 2019-01-07. The issues listed in Resolved Bugs in Version 6.2.3.8 are also fixed in Version 6.2.3.9.


Table last updated: 2019-01-10

Table 12. Resolved Bugs in Version 6.2.3.9

Bug ID

Headline

CSCvn82378

Traffic through ASA/FTD might stop passing upon upgrading FMC to 6.2.3.8-51

Resolved Bugs in Version 6.2.3.8


Note


Version 6.2.3.8 was removed from the Cisco Support & Download site on 2019-01-07. This version is replaced by Version 6.2.3.9. The issues listed here are also fixed in Version 6.2.3.9.


Table last updated: 2019-01-02

Table 13. Resolved Bugs in Version 6.2.3.8

Bug ID

Headline

CSCuy90400

Enhancement to support extended master secret in SSL

CSCvd03903

Firepower is affected by TCP Dump Vulnerability

CSCvd12834

FP Audit Logs do not log passed and failed SSH authentication attempts

CSCve29930

Cannot configure LOM on secondary FMC from HA pair

CSCvf20266

Firepower Management Center System Configuration Email Notification Password Length Too Short

CSCvf57596

After policy deploy has failed, ActionQueueScrape process did not exit

CSCvg10718

Correlation Policy With Traffic Profiles Doesn't Work

CSCvg36254

FTD Diagnostic Interface does Proxy ARP for br1 management subnet

CSCvh13022

SSL decryption is bypassed when client hello payload is < 6 bytes

CSCvh14743

IKEv2 MOBIKE session with Strongswan/3rd party client fails due to DPD with NAT detection payload.

CSCvi82404

Updating device can fail in 800_post/755_reapply_sensor_policy.pl

CSCvj67258

Change 2-tuple and 4-tuple hash table to lockless

CSCvj97213

ASA IKEv2 capture type isakmp is saving corrupted packets or is missing packets

CSCvk20292

FMC in HA mode, Health Policy is missing from Standby FMC when Active FMC failed

CSCvk30775

ENH: Addition of 'show fragment' to 'show tech' output

CSCvk30779

ENH: Addition of 'show ipv6 interface' to 'show tech' output

CSCvk30783

ENH: Addition of 'show aaa-server' to 'show tech' output

CSCvk33923

High disk usage after deleting managed FTD device from FMC

CSCvk51181

FTD IPV6 traffic outage after interface edit and deployment part 1/2

CSCvk62871

Firepower 2100 FTP Client in passive mode is not able to establish data channel with the Server

CSCvk72192

"Free memory" in "show memory" output is wrong as it includes memory utilisation due to overhead

CSCvm10968

CVE-2018-5391 Remote denial of service via improper IP fragment handling

CSCvm43975

Cisco ASA and FTD Denial of Service or High CPU due to SIP inspection Vulnerability

CSCvm47713

SSL policy disallows viewing of PDF on *.lightning.force.com when Chrome browser is used

CSCvm49283

Make Object Group Search Threshold disabled by default, and configurable. Causes outages.

CSCvm53531

Cisco Adaptive Security Appliance Software Privilege Escalation Vulnerability

CSCvm56371

ASA wrongly removes dACL for all Anyconnect clients which has the same dACL attached

CSCvm56719

Traceback high availability standby unit Thread Name: vpnfol_thread_msg

CSCvm60361

SSH public key auth not working on FTD on 5500

CSCvm62708

SSL connections negotiating NPN can fail with Do Not Decrypt SSL policy

CSCvm64230

verify_firmwareRunning() return code not checked

CSCvm65725

ASA kerberos auth fails switch to TCP if server has response too big (ERR_RESPONSE_TOO_BIG)

CSCvm67704

Memory Leak when handling KRB_ERR_RESPONSE_TOO_BIG (leak in krb5_extract_ticket )

CSCvm76760

FMC - External RADIUS authentication - Text in the "Shell Access Filter" field is not validated

CSCvm78449

Unable to modify access control license entry with log default command

CSCvm80933

ssl policy can match incorrect rule when server uses a cert with wildcard common name

CSCvm81052

local malware detection updates not downloading to FMC due to invalid certificate chain

CSCvm82966

Linux Kernel 3.10.107 Vulnerabilities

CSCvm91280

Intrusion Events Report Date, Hour Of Day, Day Of Week comes in UTC and Time comes in local timezone

CSCvm95669

ASA 5506 %Error copying http://x.x.x.x/asasfr-5500x-boot-6.2.3-4.img(No space left on device)

CSCvn03507

"set ip next-hop verify-availability" is removed from route-maps configuration with next deployment

CSCvn03966

FTD - When "object-group-search" is pushed through flexconfig, all ACLs get deleted causing outage.

CSCvn08146

Missing audit detail for changes to x509 certificates and keys

CSCvn09640

FTD: Need ability to trust ethertype ACLs from the parser. Need to allow BPDU to pass through

CSCvn09808

Captive portal bltd process fails on startup due to socket permission error

CSCvn11219

Policy deployment failed with error message "Not a directory"

CSCvn31753

ssl inspection policy may cause SEC_ERROR_REUSED_ISSUER_AND_SERIAL browser error

Resolved Bugs in Version 6.2.3.7

Table last updated: 2018-11-15

Table 14. Resolved Bugs in Version 6.2.3.7

Bug ID

Headline

CSCve34221

Internal server error seen on the UI when we enable CC mode

CSCvf54682

sudo : CVE-2017-1000368 : Sudo Parsed tty Information Privilege Escalation Vulnerability

CSCvh14743

IKEv2 MOBIKE session with Strongswan/3rd party client fails due to DPD with NAT detection payload.

CSCvi97500

AMP Cloud event on Firepower Management Center are seen with different file types

CSCvj14631

Appliance Information Widget shows IPv4 Address disabled if mgmt interface is not eth0

CSCvj58342

Multicast dropped after deleting a security context

CSCvj65064

Firepower 2100: Port-Channel down notification delayed

CSCvj67258

Change 2-tuple and 4-tuple hash table to lockless

CSCvj76858

Policy deployment take long time ~4 hours

CSCvj91795

SSL default policy action is taken when URL category lookup is pending

CSCvj97213

ASA IKEv2 capture type isakmp is saving corrupted packets or is missing packets

CSCvj98662

linux hotfix layer directory reorganisation

CSCvk18330

Active FTP Data transfers fail with FTP inspection and NAT

CSCvk30779

ENH: Addition of show ipv6 interface to show tech output

CSCvk31035

KVM (FTD): Mapping web server through outside not working consistent with other platforms

CSCvk33023

Policy deployment failure on Firepower module in cluster or failover

CSCvk48389

[Error: Timed out communicating with DME] when attempting to upgrade

CSCvk56513

Tor not blocked when traffic is passed through proxy.

CSCvk59260

On slower networks deployment may fail with Resource temporarily unavailable exception

CSCvk66529

FTD on FPR 9300 corrupts TCP headers with pre-filter enabled

CSCvk66771

The CPU profiler stops running without having hit the threshold and without collecting any samples.

CSCvk72192

show memory output shows wrong memory

CSCvk76146

Few devices /ngfw partition on 41xx shows 39GB whereas other shows 100 GB

CSCvm03931

software update downloads by Firepower failing due to newer CA certificates not being present

CSCvm04237

BusyBox huft_build Function Denial of Service Vulnerability

CSCvm05464

CVE-2018-5391 Remote denial of service via improper IP fragment handling

CSCvm08500

ASA cmd validation fails when deletion of NAT rule description includes Czech/Slovak characters

CSCvm09040

Resumption attempts for sessions using tickets and known-key action use full handshake

CSCvm19948

ssl connections without SNI could hit incorrect ssl rule

CSCvm32256

Slave unit fails to join FTD cluster when it is in disabled state

CSCvm32613

Format of syslog messages have changed after an update FMC 6.2.3.3 to 6.2.3.4

CSCvm43975

Cisco ASA and FTD Denial of Service or High CPU due to SIP inspection Vulnerability

CSCvm47595

FMC displays connections matching incorrect access control policy when not using SSL Policy

CSCvm49283

Make Object Group Search Threshold disabled by default, and configurable. Causes outages.

CSCvm51395

access control policy deploy fails in fwrulechecker due to memory limit

CSCvm56371

ASA wrongly removes dACL for all Anyconnect clients which has the same dACL attached

CSCvm56719

Traceback high availability standby unit Thread Name: vpnfol_thread_msg

CSCvm56851

eStreamer repeatedly exits after error deserializing File event or FireAMP event

CSCvm58672

Unable to deploy SSL policy while SSL Hardware offload feature is enabled

CSCvm60468

Linux Kernel yurex_read Privilege Escalation Vulnerability

CSCvm60548

Security Intelligence synchronization tasks fail

CSCvm60791

Linux Kernel alarm_timer_nsleep() Function Integer Overflow Vulnerab ...

CSCvm64255

SFNotificationd fails to stop

CSCvm65725

ASA kerberos auth fails switch to TCP if server has response too big (ERR_RESPONSE_TOO_BIG)

CSCvm67184

Audit Syslog messages are sent without User information

CSCvm67316

ASA: Add additional IKEv2/IPSec debugging for CSCvm70848

CSCvm67704

Memory Leak when handling KRB_ERR_RESPONSE_TOO_BIG (leak in krb5_extract_ticket )

CSCvm68467

Event alerting process CPU usage delays deployment on busy Firepower 2100

CSCvm71378

Policy Deployment failing due to NAT Rule

CSCvm78449

Unable to modify access control license entry with log default command

CSCvm80874

ASAv/FP2100 Smart Licensing - Unable to register/renew license

CSCvm82492

Snort process taking a long time to exit impacting traffic.

CSCvm82930

FTD: SSH to ASA Data interface fails if overlapping NAT statement is configured

CSCvm96634

Final stage of policy deployment is audit-logged under admin instead of current user

CSCvm96916

FMC is randomly sending strong-encryption-disable to ASA

Resolved Bugs in Version 6.2.3.6

Table last updated: 2018-10-10

Table 15. Resolved Bugs in Version 6.2.3.6

Bug ID

Headline

CSCux69220

WebVPN 'enable intf' with DHCP , CLI missing when ASA boot

CSCve95403

ASA boot loop caused by logs sent after FIPS boot test

CSCvf85831

asdm displays error uploading image

CSCvh16414

Health Monitoring can incorrectly show CPU on FTD as 100% or 150%

CSCvh69117

SFDataCorrelator log spam "Received an unknown event type"

CSCvh98781

ASA/FTD Deployment ERROR 'Management interface is not allowed as Data is in use by this instance'

CSCvi13054

scheduled rule recommendations update fails with "Attempted to store stale object"

CSCvi48170

ASA 9.4.4.8, SNMP causing slow memory leak

CSCvi71761

FTD cli prompt is stuck on Firepower 9300

CSCvi77340

race condition results in user id REST API not functioning

CSCvi90633

Edit GUI language on ASDM AC downloads but ignores the change FPR-21XX

CSCvi98909

RTP packets not matching the rule in AC policy

CSCvj42269

ASA 9.8.2 Receiving syslog 321006 reporting System Memory as 101%

CSCvj44032

snort premature connection closure during TCP 4-way teardown

CSCvj47256

ASA SIP and Skinny sessions drop, when two subsequent failovers take place

CSCvj67776

clear crypto ipsec ikev2 commands not replicated to standby

CSCvj72309

FTD does not send Marker for End-of-RIB after a BGP Graceful Restart

CSCvk04592

Flows get stuck in lina conn table in half-closed state

CSCvk12076

AnyConnect client profile doesn't show under group-policy not assigned under a connection profile.

CSCvk14768

ASA traceback with Thread Name: DATAPATH-1-2325

CSCvk23483

Elastic timeout not taking effect and enforcing 600 sec timeout

CSCvk24297

IKEv2 RA with EAP fails due to Windows 10 version 1803 IKEv2 fragmentation feature enabled.

CSCvk34648

Firepower 2100 tunnel flap at data rekey with high throughput Lan-to-Lan VPN traffic

CSCvk36087

When logging into the ASA via ASDM, syslog 611101 shows IP as 0.0.0.0 as remote IP

CSCvk36733

mac address is flapping on huasan switch when asa etherchannel is configured with active mode

CSCvk38176

Traceback and reload due to GTP inspection and Failover

CSCvk42473

QoS rule evaluation does not re-evaluate flows when applications change

CSCvk43865

Traceback: ASA 9.8.2.28 while doing mutex lock

CSCvk52667

FDM - Deployment is failing after latest SRU update in 6.2.3-83 build.

CSCvk62896

ASA IKEv2 crash while deleting SAs

CSCvk66722

Configuring DHCP option 'false' causes DHCP configuration to be not visible from GUI

CSCvk67239

ASA traceback and reload in "Thread Name: Logger Page fault: Address not mapped"

CSCvk68772

FMC UI not accessible if you enable client certificate and then upgrade

CSCvk68809

No soft link for ca-cert.pem file if you upgrade FMC from 5.4.0

CSCvk70676

Clientless webvpn fails when ASA sends HTTP as a message-body

CSCvk72652

FMC does not deploy 'crypto ikev1 am-disable' when aggressive mode is to be disabled

CSCvk74461

LDAP groups download but are not available in GUI

CSCvk76160

Unable to restore on KP 6.2.2.2 using FDM

CSCvk76547

IPS rule with flow established not blocking when retransmitted TCP handshake packets

CSCvm01396

Firepower block page not displayed on browser with proxy settings

CSCvm05821

Sensitive Data Detection being enabled automatically during SRU update

CSCvm07458

Using EEM to track VPN connection events may cause traceback and reload

CSCvm07643

FTD 6.2-Intrusion Events not displaying src and dst port

CSCvm09624

Protocol not updated based on AppID when enforcing IPS rules

CSCvm11389

Small percentage of ECDHE connections fail

CSCvm11714

EIGRP authentication key issue when using special character "&"

CSCvm15880

FPR 9k ASA cluster multicon mode/vpn-mode distribute causes a reboot-loop if transparent mode conf

CSCvm19585

Smart License getting deregistered after upgrade to 6.2.3.5.

CSCvm23370

ASA: Memory leak due to PC cssls_get_crypto_ctxt

CSCvm25972

ASA Traceback: Thread Name NIC Status Poll.

CSCvm26004

Incorrect calculation of AAB in ASA causes random AAB invocations.

CSCvm29973

False positive for DNS SI events!

CSCvm44905

ssl inspection may continue processing a flow without flow information

CSCvm56019

Cisco Adaptive Security Appliance WebVPN - VPN not connecting through Browser

Resolved Bugs in Version 6.2.3.5

Table last updated: 2018-09-12

Table 16. Resolved Bugs in Version 6.2.3.5

Bug ID

Headline

CSCvb19750

Cisco Firepower Management Center Cross-Site Request Forgery Vulnerability

CSCve39071

Option to disable attempts to connect to the ThreatGRID cloud

CSCve85565

Traceback when syslog sent over VPN tunnel

CSCvg33300

Unable to modify Integer Host Attributes after creating them

CSCvg51412

Unable to establish a estreamer sftunnel between managed device and estreamer client

CSCvg54724

Firepower Dynamic Analysis Association Only Redirects to US address

CSCvg75144

All apps matching the filter deletes all objects

CSCvg91631

URL Reputation shows high risk or Unknown in Encore

CSCvg94363

Prefix List "le 32" does not work on Firepower Threat Defense

CSCvh21219

"set ip next-hop verify-availability" is removed from PBR configuration with next deployment

CSCvh89017

Configure user add command does not accept numeric user

CSCvi01312

webvpn: multiple rendering issues on Confluence and Jira applications

CSCvi31540

Traceback and reload with 'show tech' on ASA with No Payload Encryption (NPE)

CSCvi34164

ASA does not send 104001 and 104002 messages to TCP/UDP syslog

CSCvi37644

PKI:- ASA fails to process CRL's with error "Add CA req to pool failed. Pool full."

CSCvi45989

Query Cisco CSI for Unknown URLs option being reset by ASA managed by ASDM (Regression)

CSCvi51370

race condition can result in syslog alerts without rule messages

CSCvi53708

ASA NAT position discrepancy between CLI and REST-API causing REST to delete wrong config

CSCvi69343

ids_event_processor leaks memory when resetting communications

CSCvi69356

SFDataCorrelator reports "Invalid column value name" error-eStreamer does not work on managed device

CSCvi76808

File detection failing for encrypted SMTP TLS with Decrypt - Known Key SSL rule action

CSCvi79691

LDAP over SSL crypto engine error

CSCvi79999

256 Byte block leak observed due to ARP traffic when using VTI

CSCvi85382

ASA5515 Low DMA memory when ASA-IC-6GE-SFP-A module is installed

CSCvi93500

snort's handling of x-forward-for-like headers is incorrect when there are multiple proxies

CSCvi94239

IDSEventAlerter log spam "Unable to get SSL certificate fingerprint"

CSCvi96442

Slave unit drops UDP/500 and IPSec packets for S2S instead of redirecting to Master

CSCvi97894

Several hardware rules are truncated when running capture traffic.

CSCvi98424

IDSEventAlerter and IDSEventProcessor stop working and spam logs after file read error

CSCvi99743

Standby traceback in Thread "Logger" after executing "failover active" with telnet access

CSCvj07038

Firepower devices need to trust Threat Grid certificate

CSCvj11442

Firepower Threat Defense: BGP order of deployment operation of neighbor causes failure

CSCvj19835

Decrypted connections using ECDHE-RSA-RC4-SHA cipher fail in the application data phase

CSCvj38002

SNMPv3 user engineID mismatch with Active engineID causes 'user not found' error on SNMP request

CSCvj44517

List of trusted CAs in SSL policy duplicates

CSCvj49452

sftunnel using weak SSL/TLS versions and ciphers

CSCvj54840

create/delete context stress test causes traceback in nameif_install_arp_punt_service

CSCvj65581

Excessive logging from ftdrpcd process on 2100 series appliances

CSCvj67504

Deploy of policy fails when adding users/groups to the ssl policy

CSCvj67740

Static IPv6 route prefix will be removed from the ASA configuration

CSCvj75793

2100/4100/9300: stopping/pausing capture from Management Center doesn't lower the CPU usage

CSCvj85516

Packet capture fails for interface named "management" on Firepower Threat Defense

CSCvj88514

IP Local pools configured with the same name.

CSCvj91449

ASA traceback when logging host command is enable for IPv6 after each reboot

CSCvj92040

TLS client offers some ciphersuites in CC mode that are not allowed by CC

CSCvj95451

webvpn-l7-rewriter: Bookmark logout fails on IE

CSCvj96173

After upgrading to 6.2.3, FMC still generates sha1 certificate for eStreamer clients

CSCvj97326

Unable to create SSL policy on Firepower Services

CSCvj98964

ASA may traceback due to SCTP traffic

CSCvk01577

Pigtail from CLISH mode in FTD 6.2.3 not allowed

CSCvk01981

users shows up as unknown after user purge

CSCvk06249

SFDataCorrelator alerting can cause deadlock restart when si_uuid not in firewall_rule_cache

CSCvk06336

FMC displays connections matching incorrect access control policy rules packet count is zero

CSCvk06368

Evaluation of FMC kernel vulnerabilities

CSCvk08377

ASA 5525 running 9.8.2.20 memory exhaustion.

CSCvk10252

SI Category may be incorrect for alerts or eStreamer; also performance and memory problems

CSCvk11898

GTP soft traceback seen while processing v2 handoff

CSCvk14910

SFDataCorrelator keeps exiting when processing FireAMP event without agent uuid

CSCvk16568

AppID stop processing traffic if Application ID has been detected

CSCvk17382

Snort exiting unexpectedly while processing rule evaluation.

CSCvk18378

ASA Traceback and reload when executing show process (rip: inet_ntop6)

CSCvk18578

Enabling compression necessary to load ASA SSLVPN login page customization

CSCvk18846

Firepower Management Center WebUI performance degraded due to sfdccsm logging level.

CSCvk19435

Unwanted IE present error when parsing GTP APN Restriction

CSCvk26887

Certificate import from Local CA fails due to invalid Content-Encoding

CSCvk27686

ASA may traceback and reload when accessing qos metrics via ASDM/Telnet/SSH

CSCvk28023

WebVPN: Grammar Based Parser fails to handle META tags

CSCvk30212

FMC negates BGPv6 commands and generates again if neighbor IPv6 address contains leading 0 in group

CSCvk30665

ASA "snmp-server enable traps memory-threshold" hogs CPU resulting in "no buffer" drops

CSCvk33947

Sensitive Data Threshold Configuration is incorrect

CSCvk35323

With Objects having override configured, copy config was not happening

CSCvk35761

Sensitive Data is not working as expected when processing multiple patterns in a single session.

CSCvk37890

Firepower 2110, Webvpn conditional debugging causes Threat Defense to traceback

CSCvk40332

UDP traffic without zone information will match incorrect AC rule

CSCvk49527

Add application level timeout for switchprimarynode API call

CSCvk50364

NGIPSV "system support capture-traffic" not working for inline-sets

CSCvk50732

AnyConnect 4.6 Web-deploy fails on MAC using Safari 11.1.x browsers

CSCvk52305

Snort process terminated with segfault in daq

CSCvk54078

Firepower Threat Defense high availability Creation with VPN configuration fails

CSCvk54491

Race condition processing Reputation causes Snort process to exit.

CSCvk54779

Async queue issues with fragmented packets leading to block depletion 9344

CSCvk55355

User/group download fails if at least one user belongs to two groups with same common name

CSCvk57516

Firepower Threat Defense: Low DMA memory leading to VPN failures due to incorrect crypto maps

CSCvk58188

Snort configuration validation failed due to Value specified for max_sessions is out of bounds

CSCvk66012

Policy deployment fails if a member of a cluster is shutdown/Disabled on the FMC

CSCvk71511

SFDataCorrelator event backlog grows when event storage is large and device count is high

CSCvk72602

Incorrect TCP checksum causes snort retries

CSCvk73990

Change Reconciliation report: simplify the rule deletion event

CSCvm01497

Scheduled reports not stored in correct domain when using another domain's report template

CSCvm06114

RDP bookmark plugin won't launch

CSCvm16686

Threat Defense interfaces goes down during high availability creation using redundant interface

Resolved Bugs in Version 6.2.3.4

Table last updated: 2018-08-13

Table 17. Resolved Bugs in Version 6.2.3.4

Bug ID

Headline

CSCuy01269

If last entry in rna_client_app_map is a dupe, SFDataCorrelator fails

CSCvd28906

ASA traceback at first boot in 5506 due to unable to allocate enough LCMB memory

CSCvd92210

IPV6 addresses not accepted in syslog

CSCvf61852

Threat Intelligence Director (TID) startup causes delay and stalls Tomcat startup

CSCvg28901

Unable to install certificate message when importing certificate to the Firepower Management Center

CSCvg96103

Including a very large HTML page for the Block response causes all Decrypted sites to fail to load.

CSCvh25088

MySQL table secondary_login grows unbounded forever

CSCvh91483

CloudAgent restarts once every minute when URL filtering license is expired or deleted

CSCvi03103

BGP ASN cause policy deployment failures.

CSCvi30280

UserIdentity [ERROR] Error while handling UserLoginInfo message: [1] Invalid Argument

CSCvi34210

Snort match the same connection for U-Turned traffic for different BVI in Transparent Threat Defense

CSCvi44713

show memory binsize and show memory top-usage do not show correct information, all show PC 0x0

CSCvi45807

ASA: dns expire-entry-timer configuration disappears after reboot

CSCvi59968

Firepower 2100 Incorrect reply for SNMP get request 1.3.6.1.2.1.1.2.0

CSCvi65512

FTD: AAB might force a snort restart with relatively low load on the system

CSCvi97729

To-the-box traffic being routing out a data interface when failover is transitioning on a New Active

CSCvj15572

Flow-offload rewrite rules not updated when MAC address of interface changes

CSCvj25386

Missing default Identity realm EOs causing upgrade failure

CSCvj44531

Phantom SSL objects and empty deployments to sensors

CSCvj49502

Need client hello transmit info at lower debug level

CSCvj74210

Traceback at ssh when executing show service-policy inspect gtp pdp-context detail

CSCvj75655

External Database is unable to query Connection Events from the Firepower Management Center

CSCvj76748

Need to transition to cloud-sa.amp.sourcefire.com to cloud-sa.amp.cisco.com

CSCvj79729

(2 of 2) high memory usage of user_id/user_group broadcast in SFDataCorrelator(on sensor)

CSCvj91418

Snort uses large amounts of memory when appid is processing NetBIOS traffic.

CSCvj91965

Change Reconciliation reports in Firepower Management Center have certain fields blank

CSCvj93913

SSL Inspection TLS 1.3 downgrade needs to modify client/server random values to be RFC compliant

CSCvj94024

Firepower devices go into full recovery if busy is returned from network cards periodically

CSCvk02250

show memory binsize and show memory top-usage do not show correct information (Complete fix)

CSCvk06160

SFDC repeatedly exits while Initializing OS Vuln Map

CSCvk06176

SSEConnector is not coming up because of Wrong Executable

CSCvk06677

HTTPS sessions sometimes timeout without loading on HW SSL

CSCvk12841

SSL pages not loading when using Internet Explorer or Edge

CSCvk17163

force high availability break to 6.2.2 Firepower Threat Defense device, deployment fails with error

CSCvk17813

Policy deploy may fail with failed to retrieve device running configuration in pair environment

CSCvk19750

Import of .sfo file with large number of local rules taking more than 170+ hours

CSCvk21405

shell application not pin holing new connection from server

CSCvk25729

Large ACL taking long time to compile on boot causing outage

CSCvk27787

Management Center pair: Manage_procs.pl corrupting the cluster.conf file on the Managed Device

CSCvk30228

ASAv and FTDv deployment fails in Microsoft Azure and/or slow console response

CSCvk30778

Client hello digest for layer 3 and 4 processed twice causing memory leak

CSCvk30865

SSL alert with TLS version other than differing from negotiated version report as corrupt record

CSCvk32718

Event processing slows during file malware attack involving many file events

CSCvk45443

ASA cluster: Traffic loop on CCL with NAT and high traffic

CSCvk59795

Remote access VPN using an OpenLDAP realm/server doesn't use the correct naming attribute

Resolved Bugs in Version 6.2.3.3

Table last updated: 2018-07-11

Table 18. Resolved Bugs in Version 6.2.3.3

Bug ID

Headline

CSCuz96856

New client hello flag for blocked session due to cache inconsistency

CSCvd13180

AVT : Missing Content-Security-Policy Header in ASA 9.5.2

CSCvd76939

ASA policy-map configuration is not replicated to cluster slave

CSCve17484

Intelligent Application Bypass drop percentage does not work on Firepower Threat Defense

CSCve53415

ASA traceback in DATAPATH thread while running captures

CSCvg42033

prune to cleanup unused data in eoattributes table at vms.db to reduce backup file size

CSCvg76652

Default DLY value of port-channel sub interface mismatch

CSCvg90365

icmp/telnet traffic fail by ipv6 address on transparent ASA

CSCvh53276

IPv6 protocol 112 packets passing through L2FW are dropping with Invalid IP length message

CSCvh55035

Firepower Threat Defense device unable to establish ERSPAN with Nexus 9000

CSCvh55340

ASA Running config through REST-API Full Backup does not contain the specified context configuration

CSCvh71738

FQDN object are getting resolved after removing access-group configuration

CSCvh75060

Rest-API gives empty response for certain queries

CSCvh83849

DHCP Relay With Dual ISP and Backup IPSEC Tunnels Causes Flapping

CSCvh95960

Using the match keyword in capture command causes IPv6 traffic to be ignored in capture

CSCvi07974

Layer 2 traffic should not be hardcoded to be sent to Snort for inspection

CSCvi15830

wrong configurations on Threat Defense device when network group object is used on identity policy

CSCvi16024

SSL errors on session resume when server IP address changes

CSCvi19220

ASA fails to encrypt after performing IPv6 to IPv4 NAT translation

CSCvi36434

Cisco Firepower System Software SSL Denial of Service Vulnerability

CSCvi37374

SSL connections fail to complete when passing through a single inline set multiple times

CSCvi38151

ASA pair: IPv6 static/connected routes are not sync/replicated between Active/Standby pairs.

CSCvi42008

Stuck uauth entry rejects AnyConnect user connections

CSCvi51515

REST-API:500 Internal Server Error

CSCvi53420

User/Group Download fails when same user is part of multiple groups with comma (,) in common name

CSCvi58032

Management Center Internal Error creates an Auto-NAT rule which causes a policy deployment failure

CSCvi58183

Custom SI feed update in Firepower Management Center is not propagated to managed devices

CSCvi59000

SecGW - Data Loss during ASR

CSCvi59148

Sessions can remain active on managed device if they are from same IP address but different realms

CSCvi62671

users/groups download takes long time in 6.2.2.1 with high number of user/group mappings

CSCvi63968

Internal Error is preventing Policy Validation Cannot save access control policy.

CSCvi70606

ASA 9.6(4): WebVPN page not loading correctly

CSCvi73414

Unable to delete User Indication of Compromise if user info is inconsistent between mysql and sybase

CSCvi80928

HW Mode - SSL errors may occur when resumed sessions are not decrypted

CSCvi89194

pki handles: increase and fail to decrement

CSCvi97479

Snort restart while deploying access control policy changes

CSCvi97721

The memcap for Security Intelligence URL feeds needs to be increased for devices 4GB total memory

CSCvi98251

SMTP: Could not allocate SMTP mempool causing Policy Apply Failure and Snort Outage

CSCvj00918

(1 of 2) high memory usage of user_id/user_group broadcast in SFDataCorrelator(on sensor)

CSCvj06418

Custom SI DNS feed not synced to secondary Firepower Management Center

CSCvj09571

Firepower Management Center UI slow when managing large number of device with classic licenses

CSCvj10011

Management Center: IGMP gets enabled on interfaces which it has been configured but not enabled

CSCvj17609

synchronization failed (Cannot open file) entries in action queue when file is empty

CSCvj22491

Cluster: Enhance ifc monitor debounce-time for interface down->up scenario

CSCvj24036

Messaging on Firepower Management Center UI informing of ports required by RAVPN

CSCvj25386

Missing default Identity realm EOs causing upgrade failure

CSCvj25817

ASA responds to MOBIKE but clears SA due to DPD.

CSCvj26819

modifying ssl_debug settings requires a detection engine restart

CSCvj32264

ASA - zonelabs-integrity : Traceback and High CPU due to Process Integrity FW task

CSCvj33202

Cannot save Intrusion Policy with Firepower recommendations and shared policy layers

CSCvj37448

ASA : Device sends only ID certificate in SSL server certificate packet after reload

CSCvj37858

performance impact from action_queue queries

CSCvj37924

CWE-20: Improper Input Validation

CSCvj39858

Traceback: Thread Name: IPsec message handler

CSCvj40636

S2S VPN support for Firepower Threat Defense Cluster for the classic centralized VPN clustering

CSCvj42450

ASA traceback in Thread Name: DATAPATH-14-17303

CSCvj42680

Slowness due to frequent device registration queries on Firepower Management Center pair

CSCvj44262

portal-access-rule changing from deny to permit

CSCvj45594

SFDataCorrelator core when timing-out old host info on a slow Firepower Management Center

CSCvj46777

Firepower Threat Defense 2100 asa traceback for unknown reason

CSCvj48168

The show memory command returns low used memory numbers

CSCvj48340

ASA memory Leak - snp_svc_insert_dtls_session

CSCvj48931

Firepower recommendation updates task never runs

CSCvj49883

ASA traceback on Firepower Threat Defense 2130-ASA-K9

CSCvj50024

ASA portchannel lacp max-bundle 1 hot-sby port not coming up after link failure

CSCvj56008

Scansafe feature doesn't work at all for HTTPS traffic

CSCvj56909

ASA does not unrandomize the SLE and SRE values for SACK packet generated by ASA module

CSCvj56963

Management Center error about Only 8 equal cost routes are allowed when adding the fifth route

CSCvj61367

fast reuse of source port can break ssl inspection

CSCvj67132

Policy deploy failure due to bgp neighbor CLI in wrong order

CSCvj73581

Traceback in cli_xml_server Thread

CSCvj74210

Traceback at ssh when executing show service-policy inspect gtp pdp-context detail

CSCvj79765

Netflow configuration on Active ASA is replicated in upside down order on Standby unit

CSCvj81287

Firepower Threat Defense rejecting syslog server TLS-X509 certificate due to EKU invalid purpose

CSCvj83316

Snort process exits while clearing XFF data.

CSCvj91619

1550 Block Depletions leading to ASA reload.

CSCvj97157

WebPage is not loading due to client rewriter issue on JS files

CSCvk00579

Slowness in the device list getting populated under the Deploy tab

CSCvk06176

SSEConnector is not coming up because of Wrong Executable

CSCvk07522

webvpn: Bookmark fails to render on Firefox and Chrome. IE fine.

Resolved Bugs in Version 6.2.3.2

Table last updated: 2018-06-06

Table 19. Resolved Bugs in Version 6.2.3.2

Bug ID

Headline

CSCuv68725

ASA unable to remove ACE with log disable option

CSCvd13182

AVT : Missing X-Content-Type-Options in ASA 9.5.2

CSCvd44525

ASA show tech some commands twice, show running-config/ak47 detailed/startup-config errors

CSCve94917

Stale VPN Context issue seen in 9.1 code despite fix for CSCvb29688

CSCvf18160

ASA traceback on failover sync with WebVPN and shared storage-url config

CSCvf39539

Netflow Returns Large Values for Bytes Sent/Received and IP address switch

CSCvf40179

ERROR: Unable to create crypto map: limit reached, when adding entry

CSCvf82832

ASA : ICMPv6 syslog messages after upgrade to 962.

CSCvf96773

Standby ASA has high CPU usage due to extremely large PAT pool range

CSCvg05442

ASA traceback due to deadlock between DATAPATH and webvpn processes

CSCvg43389

ASA traceback due to 1550 block exhaustion.

CSCvg72879

9.9.1/SecGW: Firepower 4100 w/ subsecond failover may have 10-20% packet loss for few mins

CSCvh14743

IKEv2 MOBIKE session with Strongswan/3rd party client fails due to DPD with NAT detection payload.

CSCvh23531

ASA TLS client connection fails with software DHE

CSCvh30261

ASA watchdog traceback during context modification/configuration sync

CSCvh47057

ASA - ICMP flow drops with no-adjacency on interface configured in zone when inspection enabled

CSCvh65500

Firepower 2100 Client in FTP active mode is not able to establish control channel with the Server

CSCvh81142

Snort Core Generated while running 6.2.3

CSCvh83934

Memory usage of User-ID component of SNORT exceeds the reserved limit of 10M

CSCvh91053

ASA sending DHCP decline | not assigning address to AC clients via DHCP

CSCvh91399

upgrade of ASA5500 series firewalls results in boot loop (not able to get past ROMMON)

CSCvh92381

ASA Traceback and goes to boot loop on 9.6.3.1

CSCvi01376

Upon reboot, non-default SSL commands are removed from the Firepower 4100

CSCvi07636

ASA: Traceback in Thread Name UserFromCert

CSCvi08450

CWS redirection on ASA doesn't treat SSL Client Hello retransmission properly in specific condition

CSCvi09305

Some SSL connections slow or fail under a Do-Not-Decrypt SSL policy action

CSCvi16264

ASA traceback and reload due to watchdog timeout when DATAPATH accesses compiling ACL structure

CSCvi19263

ASA 9.7.1.15 Traceback while releasing a vpn context spin lock

CSCvi22507

IKEv1 RRI : With Answer-only Reverse Route gets deleted during Phase 1 rekey

CSCvi23615

Sourcefire.agent_messages table becoming large preventing the agent messages from being consumed

CSCvi33962

WebVPN rewriter: drop down menu doesn't work in BMC Remedy

CSCvi35805

ASA Cut-Through Proxy allowing user to access website, but displaying authentication failed

CSCvi42965

ASA does not report accurate free memory under show memory output

CSCvi45567

Not able to do snmpwalk when snmpv1&2c host group configured.

CSCvi47847

Shell application not pin-holing for new tcp port for data transfer as expected

CSCvi48523

Not able to create SLA Monitor from static route page

CSCvi49383

Azure: ASAv running Cloud high availability gets in a watchdog crash loop

CSCvi55070

IKEv1 RRI : With Originate-only Reverse Route gets deleted during Phase 1 rekey

CSCvi57808

Continuously sfdatacorrelator process terminated unexpectedly

CSCvi58089

Memory leak on webvpn

CSCvi58865

SSL policy with URL category rules specifying decryption can cause browser errors

CSCvi63864

With SSL inspection in hardware mode and Malware protection, secure file transfers occasionally fail

CSCvi63888

SSL errors might occur when resumed sessions are not decrypted

CSCvi64007

Zeroize RSA key after Failover causes REST API to fail to changeto System context

CSCvi66905

PIM Auto-RP packets are dropped after cluster master switchover

CSCvi70680

Same groups from different AD not downloaded

CSCvi71039

Firepower Management Center: Change Reconciliation reports are failing intermittently

CSCvi76577

ASA:netsnmp:Snmpwalk is failed on some group of IPs of a host-group.

CSCvi77352

Illegal update occurs when device removes itself from the cluster

CSCvi82779

ASA generate traceback in DATAPATH thread

CSCvi84315

Unexpected failures on Firepower 2100 Series devices

CSCvi86799

ASA traceback during output of show service-policy with a high number of interfaces and qos

CSCvi87921

ASA self-signed RSA certificate is not allowed for TLS in FIPS mode

CSCvi95544

ASA not matching IPv6 traffic correctly in ACL with any keyword configured

CSCvj05140

Object description is not deployed with associated network object.

CSCvj07038

Firepower devices need to trust Threat Grid certificate

CSCvj07571

Error 500 when saving some correlation policy rules

CSCvj07843

eStreamer using 100% CPU, event processing slows when File/FireAMP events enabled

CSCvj22491

Cluster: Enhance ifc monitor debounce-time for interface down->up scenario

CSCvj26450

ASA PKI OCSP failing - CRYPTO_PKI: failed to decode OCSP response data.

CSCvj47633

Non-SSL traffic causing SSL inspection to fail

CSCvj56008

Scansafe feature doesn't work at all for HTTPS traffic

CSCvj63196

Workaround for Sybase issue: After snort engine update, policy deployment fail abruptly

Resolved Bugs in Version 6.2.3.1

Table last updated: 2018-05-02

Table 20. Resolved Bugs in Version 6.2.3.1

Bug ID

Headline

CSCvf97979

NAT policy deployment failed during generating delta config after changing security zone in rule.

CSCvg00565

ASA crashes in glib/g_slice when do debug menu self testing

CSCvg36672

Need a way to prioritize user driven deployment tasks in Action Queue

CSCvg65072

Cisco ASA sw, FTD sw, and AnyConnect Secure Mobility Client SAML Auth Session Fixation Vulnerability

CSCvg78418

Evaluation of FireSIGHT / FirePOWER for Apache/Struts related vulnerabilities

CSCvg84495

Remote access VPN using an OpenLDAP realm/server doesn't use the correct naming attribute

CSCvh05081

ASA does not unrandomize the SLE and SRE values for SACK packet generated by ASA module

CSCvh22181

Failures loading websites, such as mail sites, using TLS 1.3 with SSL inspection enabled

CSCvh25433

New CLI for Supporting Legacy method SAML Auth using external browser on Endpoint with AC

CSCvh46202

Slow 2048 byte block leak due to fragmented traffic over VPN

CSCvh53616

ASA on Firepower Threat Defense devices traceback due to SSL

CSCvh63903

Failover of IPv6 addresses on 8000 series pair devices may not succeed

CSCvh79732

Cisco Adaptive Security Appliance Denial of Service Vulnerability

CSCvh81474

Need to catch malformed JSON to allow rendering of Deploy button and notifications

CSCvh81737

Cisco Adaptive Security Appliance Denial of Service Vulnerability

CSCvh81870

Cisco Adaptive Security Appliance Denial of Service Vulnerability

CSCvh83012

SFDataCorrelator should not limit rate of duplicate flows

CSCvh99414

NFE failure causes Snort to constantly restart

CSCvi03546

User-IP mapping not updated on managed device due to error in updating current map

CSCvi18602

FSIC failed while downgrade ASA FirePOWER module (5585-x) from 6.2.2.2 to 6.2.2.1

CSCvi34137

With SSL decryption enabled and TCP Segmented HTTP requests, Snort does not capture URI correctly

CSCvi44365

After an upgrade the Firepower 4100 hostname is different than SFCLI hostname

CSCvi49752

sfipproxy may not be written correctly on a sensor when registered to a high availability pair

CSCvi55280

Deployment transcript does not indicate failed command if error is in last CLI of delta

CSCvi80849

Cisco Firepower 2100 Series POODLE TLS security scanner alerts

Resolved Bugs in Version 6.2.3

Table last updated: 2020-04-21

Table 21. Resolved Bugs in Version 6.2.3

Bug ID

Headline

CSCuw57184

Not keep URL entries in cache forever.

CSCuw73747

DST for Europe/Istanbul time zone is now on a different date

CSCux17501

SSL inspection blocks traffic with decryption errors for sites with 3072 bit key RSA certificates

CSCux42313

Cisco ASA module captive portal redirect gets stuck

CSCux61395

UserIDs get lost if an error occurs while streaming to the sensor

CSCuy10223

ASA Security Zone cannot be used in Active Authentication identity rules

CSCuy18154

ADISubscriber shuts down before session receive in SFDataCorrelator

CSCuy21943

Firepower Threat Defense / Unable to deploy after restoring a backup

CSCuy56306

SCP Expect during backup to remote server times out and fails

CSCuy57310

Cisco Adaptive Security Appliance Traffic Flow Confidentiality Denial of Service Vulnerability

CSCuz09515

Active/Passive authentication does not work with predefined objects

CSCuz85967

New added management interface does not have "management-only" configuration

CSCuz92983

Policy deployment fails with mode 10 Gbit Full-Duplex for lag interface

CSCva21702

Traffic capture BPF validation

CSCva34909

DNS blacklist has an 81 character limit

CSCva36446

ASA Stops Accepting Anyconnect Sessions/Terminates Connections Right After Successful SSL handshake

CSCva44278

Policy apply fails due to orphaned database objects

CSCvb13949

Readiness Check option should NOT be enabled for VDB updates

CSCvb28202

False warnings in DB Integrity Check for PlatformSettings object

CSCvc03899

Firepower Threat Defense managed by Management Center- High unmanaged disk usage on /ngfw

CSCvc37876

Policy deploy fails due to inconsistency in Primary Threat Defense device pair in the backend

CSCvc44535

Under rare circumstances captive portal is very slow and even unresponsive

CSCvc48180

Application categories and tags are missing in Version 6.1 or 6.2.1

CSCvc48768

Search Option does not work for network objects under NAP editor

CSCvc50598

Comparison reports for intrusion policy between two revisions is not working correctly

CSCvc55341

Intermittent error 500 when trying to review an event from the packet view

CSCvc56921

Altering logging settings like disabling syslog causes IPS and File policies to become disabled

CSCvc65909

ASDM:Importing access control policy leads to duplicate objects

CSCvc77913

Custom configuration for SFDataCorrelator should be checked on updates otherwise it may remain down

CSCvc84585

Firepower sensor will not ingest users from ISE using EAP chaining

CSCvc91092

Cisco FireSIGHT System Software Arbitrary Code Execution Vulnerability

CSCvc92934

When SSL decryption is enabled, URL constraints in access control policy are not applied correctly

CSCvd19749

Upgrade from 6.1.0 to 6.1.0.1 failed at 000_start/113_EO_integrity_check.pl

CSCvd28906

ASA traceback at first boot in 5506 due to unable to allocate enough LCMB memory

CSCvd29303

Disk status health monitoring should be disabled for virtual ASA 5500-X series

CSCvd32767

Unable to use objects inside IPS rules

CSCvd35049

Hard-coded query limit needed to prevent QueryEngine and Report Generation failures

CSCvd39729

Firepower Enterprise Objects Missing References Causes Multiple Problems

CSCvd51066

URL cloud lookup has URL category as Uncategorized

CSCvd59044

Access Control Policy does not match condition with URL SI lists for HTTPS traffic

CSCvd59268

possible to have data-interfaces + Firepower Management Center from cli_firstboot wizard

CSCvd61462

Partial match of DNS Queries if DNS Feed or DNS List contains single word entry

CSCvd72150

Deleted objects continue to show up as available to add to variable sets on the Management Center UI

CSCvd83845

SafeSearch-specific codes get hit even if SafeSearch rule is disabled in Firepower Management Center

CSCvd84471

Connections not blacklisted by Security Intelligence due to memory (memcap) issues

CSCvd91889

Unable to change logical name of interface and add sub-interface

CSCve00330

Document details on what synchronizes between Firepower Management Centers in High Availability

CSCve03600

SMTP traffic prematurely reaching SafeSearch engine rule.

CSCve11879

Ping traffic is dropped for 1 minute during high availability switchover

CSCve12096

Failure on deleting port object used in manual NAT rule

CSCve17433

Policy deployment failing on AWS Firepower Management Center

CSCve23827

Restore from backup fails when clock is behind on restore device

CSCve31929

Firepower Management Center does not show any network discovery data when using security zones

CSCve42340

URL Database Updates Use IP for Proxy Connection in HTTP Header

CSCve42379

SCALE : Avoid queueing Sync Sybase to MySQL task if similar PENDING task already there

CSCve42542

not allowed to choose Firepower Threat Defense as Secondary Peer during High Availability creation

CSCve45573

Internal error message while loading access control policy in Japanese environment

CSCve48087

Deploy policy tab failed to populate the device list from Firepower Management Center

CSCve49433

Threat Defense Platform Settings Policy does not check the NTP input value properly

CSCve49546

Policy apply failed at "FINALIZE" prevents future policy apply from succeeding

CSCve49643

User logins with double byte characters are not recorded on Firepower Management Center correctly

CSCve49722

Can't export if intrusion policy inherits intrusion layer from parent domain

CSCve49778

Threat Defense ICMP platform settings security zones with multiple interfaces not handled properly

CSCve55618

DNS policy generates DNS responses for already generated responses, if it is seen over the wire

CSCve56743

Firepower Threat Defense pair: Snort is dropping traffic in spite of having a trust rule.

CSCve57521

For NGFW rules processing, always use first packet of flow to determine initiator direction

CSCve57858

Sites with large certificate not loading with SSL policy turned on even with "Do not decrypt" action

CSCve60167

Upgrade framework needs to review onbox scripts NEVER_SKIP

CSCve61540

Cisco Adaptive Security Appliance Application Layer Protocol Inspection DoS Vulnerabilities

CSCve73129

DB query does not terminate when upgrade to 6.2.1 fails

CSCve77286

Intrusion policy rule filter is not working properly

CSCve79555

ASA/Threat Defense traceback when clearing capture-assertion "0" failed: mps_hash_table_debug.c file

CSCve84791

Capturing asp-drop causes unexpected ASA failure

CSCve87945

Cannot install new https certificate

CSCve88764

Don't restore Primary Firepower Management Center backup to secondary

CSCve90384

high availability break/Config Deployment fails on 2100 platforms when in secondary is Active

CSCve98443

User Identity count tracking may be incorrect

CSCve98877

Dashboard Drilldown Does Not Match Top Level Report

CSCve99511

Traceback and reload in thread name: sfr-vpn-status-watcher when unit takes active role

CSCve99818

Time window setting for Connection events gets reset to different range

CSCvf01839

vFMC getting logged out for "An unauthorized action has been detected" after some idle time

CSCvf04102

Error generating report preview for Vulnerabilities section

CSCvf06031

After adding a secondary Firepower Threat Defense to cluster, deploy can fail

CSCvf12392

Security Intelligence category may be incorrect in alert response from correlation policy

CSCvf12828

Device stuck at HA state progression failed due to App sync issue on QP FTD HA pair

CSCvf15067

Sync hostname to ASA when device is managed by Firepower Management Center/no manager

CSCvf18641

Connection events are not generated for unmonitored hosts in ND rules

CSCvf18966

Adding Port Group Object to Extended Access Control Entry causes ERROR: Invalid Protocol

CSCvf25032

FMC: Ownership of sydb.out changes to root and prevents vmsDbEngine/dbsrv16 to start

CSCvf25058

Firepower Threat Defense Security Intelligence DNS memcap exceeded health alert

CSCvf25444

Copying Realm and replacing users in SSL policy criteria corrupts policy

CSCvf27979

Unable to view access control policy with the error "End value is less than start value"

CSCvf34791

Install 6.2.2-1290 on an ASA with Firepower Services-- ASA fails unexpectedly.

CSCvf35266

Deployment failure if group policy is unassigned from connection profile and deleted in advanced tab

CSCvf41793

High memory usage of ids_event_processor/ids_event_alerter when threshold.conf file is not pruned

CSCvf42199

Core seen while running snort restart automated regression suite for more than 14 hours.

CSCvf45952

high availability progression failed for secondary when pair is rebooted due to App-sync failure

CSCvf46168

"no capture <name> stop" doesn't change capture status from Stopped

CSCvf46886

Security Analyst User Role not permitted to download file from malware event

CSCvf49737

Add state-checking options on H323 policy inspect map

CSCvf53734

access control rules and Categories duplication on Firepower Management Center UI

CSCvf55897

Disable Intrusion Policy controls on Default action in Access Policy Page

CSCvf56476

DNS Flexconfig removed after enabling LDAPS on Firepower 2120 device

CSCvf56533

Cannot re-register Firepower 9300 cluster to a different Firepower Management Center

CSCvf57862

Snort install silently fails and automatic deploy after Snort is installed is skipped

CSCvf60738

Elektra Registration failures due to RPC call failures

CSCvf61157

Firepower Management Center DB corruption name mismatch

CSCvf64643

ERROR on Firepower Threat Defense device: Captive-portal port not available. Try again

CSCvf64882

Deployment Failing on high availability pair due to Cluster Hold Request Timed Out by ASA

CSCvf64914

updates to local URL filtering database and/or cloud dispositions need to supersede cached data

CSCvf65014

Having custom "End Time" in "Intrusion Events" Analysis returns a blank page with no events

CSCvf65226

OSPF Redistribution command not getting deleted on Firepower Threat Defense device

CSCvf65245

Monitor rule does not log large sessions (such as file transfers)

CSCvf68502

Unable to assign FQDN for hostname in Certificate Signing Request

CSCvf71365

Log appropriate message if SFDataCorrelator exits during startup due to empty VDB tables

CSCvf73465

re-registration failed due to stale entry in ID_MAPPING table post device delete

CSCvf74023

Smart License registration failures when Proxy Authentication is configured on Management Center

CSCvf74113

Firepower Intrusion rule UI policy deploy fails when threshold seconds of rules set to 00, 08, 09

CSCvf75062

Deployment failed with 'ERROR: Trustpoint not enrolled'

CSCvf77836

FTD HA - both devices go into unknown state when HA break is performed

CSCvf78629

Custom Fingerprint GUI offers "Defense Center" instead of "Firepower Management Center" option

CSCvf81725

syncd uses high memory and exits when loading firewall_rule_cache table

CSCvf82315

IP address for 10G interfaces cannot be changed from GUI.

CSCvf91371

Invalid certificate error seen when internal CA is used for SSL Decrypt-Resign rule

CSCvf95633

Management Center: Interface "mac-address-table" command not sent to the Firepower Threat Defense

CSCvf98386

FDM pre-shared key changed to random value after upgrade

CSCvg02051

Large user/group tables due to duplicated entries when group names are not ASCII

CSCvg03671

FMC policy deployment slows down due to multiple failed attempts by Snort to load SI data

CSCvg04309

Micro-Engine failure due to TCAM leads to bb-heath not generating auto-troubleshoot.

CSCvg06811

Add captive_portal.log to logrotate.d

CSCvg09316

Cisco Firepower Threat Defense Software Policy Bypass Vulnerability

CSCvg20782

Identified Vulnerabilities associated with the CVEs from Oracle MySQL Patch Updates

CSCvg21939

Parts of Firepower Management Center GUI not loading in Firefox 56

CSCvg23945

ASA panic/crash spin_lock_fair_mode_enqueue: Lock (mps_shash_bucket_t) is held for a long time

CSCvg24416

FTW inline interfaces do not go into hardware bypass during Firepower 4100 Series

CSCvg24892

6.2.3 Snort configuration validation failed due to ERROR: SMTP: Could not allocate SMTP mempool.

CSCvg27431

Applying large access control policy fails on AWS - 6.2.2.1

CSCvg27511

Network Object - getting 'missing entry' while trying to delete an existing object

CSCvg27590

Daily Change reconciliation report lacks details and users on Firepower 6.2.2

CSCvg29442

When IPSec is enabled, high availability goes in Active-Failed state

CSCvg29791

FlexConfig - System variable should contain subinterface ID

CSCvg30947

more than one default route with same metric allows on Threat Defense device's routing table

CSCvg32590

6.1-6.2.3 upgrade: FTD upgrade failed with /ngfw/var/lib/mysql/sfsnort: not accessible error

CSCvg37391

Migrated access control policy deploy fails since it has FQDN objects

CSCvg37456

Deployment to high availability pair successful on active unit; standby unit will be updated message

CSCvg38612

Upgrade failure from 6.2.0 -> 6.2.3-10646 on FDM

CSCvg38789

Nested entities not deleted when deploying an object

CSCvg39981

Firepower Management Center not displaying Firepower Threat Defense cluster names correctly

CSCvg43759

URL filter matching fails - Two SSL Certificate CNs Concatenated

CSCvg45236

Lower-than-expected 256 byte block count with fast-path pre-filter SSL policy

CSCvg46466

Cisco FMC and Firepower System Software SF Tunnel Control Channel Command Execution Vulnerability

CSCvg47696

Not able to create RA VPN after removing DfltGrpPolicy

CSCvg48363

With verbose SSL logging enabled, logs can consume all available disk space

CSCvg50707

Firepower Threat Defense high availability policy deploy fails with Found more than one NGFW Policy

CSCvg52545

9300 pair NGFWs in inlineIPS mode do not trigger SNAP packet updates with proper VLAN tags

CSCvg58777

Multiple Vulnerabilities in Apache tomcat

CSCvg58825

Report generated from access control policy using object group in sub-domain is blank/0 bytes

CSCvg61624

Deployment fails when Secondary-Active Primary-Disabled (by doing suspend operation in device)

CSCvg61737

Deployment failed due to "Snort validation failed due to Unable to open rules file snort.conf file"

CSCvg61760

Not all the syslog messages on Firepower Threat Defense are available for editing

CSCvg61799

Sysopt permit-vpn behavior change to prevent unintended clear-text traffic

CSCvg62337

Memory calculation in Snort incorrect for Firepower Threat Defense devices

CSCvg66727

sysopt connection tcpmss 0 not removed after removing jumboframe

CSCvg67377

Malware correlation rule is missing Device condition

CSCvg71501

ASA/FTD device needs to be rebooted after adding Base license with export-controlled function

CSCvg73042

SSL Cache missing session info leading to ERR_SSL_PROTOCOL_ERROR in the browser for SSL websites

CSCvg76789

MASTER_KEY_INVALID flow error on FMC shown when having DND on few websites

CSCvg76907

Repeated SFDaco crashes if current_user_ip_map references invalid realm, somehow caused by RA-VPN?

CSCvg78622

Deployment failed in policy and object collection

CSCvg80346

Init Process Respawning on FMCv/FTDv/NGIPSv

CSCvg83924

Traffic not hitting the access control rule which has deprecated Application in it

CSCvg85613

Smart call home does not work properly with HTTP Proxy, when Authentication is turned on

CSCvg86139

After breaking Firepower Threat Defense high availability pair, policy deploy fails

CSCvg86366

Change Reconciliation Report not generated after upgrade

CSCvg87754

Unable to disable certain VPN related Syslog IDs from Management Center (like 402114 or 402119)

CSCvg90403

Blocks of size 80 leak observed when IRB is used in conjunction with multicast traffic

CSCvg93202

Dashboard custom analysis flow_chunk queries block event processing for hours

CSCvg93556

Deployment on a healthy KP HA pair failed with message "ssp_ha_state_improper"

CSCvg94796

Security Intelligence Connection Events showing '0' for Initiator User

CSCvg95046

Customer Success Network fails after upgrade of high-availability Firepower Management Centers

CSCvg98609

Management Center REST API - Threat Defense pairs are not reported as targets on GET policyassignments

CSCvg98640

Cluster-Hold-Abort and Cluster-Hold-Timeout during policy deployment not handled correctly

CSCvg99285

[ERROR] Failed to init octeon -- FATAL ERROR: Can't initialize DAQ oct_ssl (-1)

CSCvh01213

An ASA may Traceback and reload when processing traffic

CSCvh03962

Cisco Firepower Management Center Command Injection Vulnerability

CSCvh05658

NAT policy assignment by device group does not update UI after moving device to different group

CSCvh05897

Firepower Threat Defense Cluster Registration with Group may fail

CSCvh07577

Cannot remove "management-access" configuration via flexconfig

CSCvh12923

Need to update docs that Firepower Threat Defense in cluster mode does not support Remote Access VPN

CSCvh14447

Rule parsing error was ignored in 602_log_package.pl.log during Snort update

CSCvh14478

policy deployment fails with QoS policy on firewall rulechecker

CSCvh15228

Firepower Threat Defense Traffic Zone Member Causes Traffic Interruption

CSCvh16252

ASA may traceback and reload in Thread Name: fover_rep during conn replication

CSCvh19991

User/Group Download fails when an Included Group is missing from the AD Server

CSCvh20742

Cisco Adaptive Security Appliance Clientless SSL VPN Cross-Site Scripting Vulnerability

CSCvh23085

Cisco Adaptive Security Appliance Application Layer Protocol Inspection DoS Vulnerabilities

CSCvh25000

custom user role unable to generate CSV reports without "health" privileges enabled

CSCvh25562

Cannot modify an access control rules / "An internal error occurred" error

CSCvh25977

blank space must be removed at the end of device name - cannot find events

CSCvh26084

SFDataCorrelator core in deserialization of corrupt flow event

CSCvh28733

Firepower Management Center allows wrong NAT rule when switching policy from Static to Dynamic

CSCvh31939

Firepower Management Center allows deleting Interface Object being used in SLA monitor object

CSCvh47069

Firepower Management Center Data purge causes managed sensor to wipe out user sessions upon reboot

CSCvh49388

Cisco FireSIGHT System VPN Policy Bypass Vulnerability

CSCvh49748

Malware.exe getting downloaded in the first try bypassing file detection due to unknown app-id

CSCvh53414

Access control policy deployment failing when object description contains "?" character

CSCvh53597

Policy deploy fails if SSL Policy has deprecated AppDetector

CSCvh53901

SFDataCorrelator cores when reading invalid fingerprint type from database

CSCvh59772

Deployment fails after S2S/RA VPN is deleted/unassigned following some edits and testing on it.

CSCvh59884

Notifications about pruned events contains invalid date/time (Thu Jan 1 00:00:01 1970)

CSCvh62164

ASA standby stuck in Bulk-Sync state with high CPS traffics on active

CSCvh63896

ASA/FTD traceback in threadname CP Processing

CSCvh67237

Policy deployment failing due to incomplete copying of deployment package

CSCvh67930

Management Center doesn't allow site to site tunnel with both IPv4 and IPv6 protected networks

CSCvh68253

Creation of two S2S VPN topologies with the same endpoints (nodes) leads to unpredictable results

CSCvh68311

Cisco Firepower System Software Cross-Origin Domain Protection Vulnerability

CSCvh68521

On 8000 series stack, with "Maint on sec fail" setting enabled, stack health is in compromised state

CSCvh70474

SFDataCorrelator/SFDCNotificationd connection log spam after expiring many hosts

CSCvh73463

Documentation and logs specify Firepower remote storage via SSH uses SCP, when it actually uses SFTP

CSCvh77456

Cisco Firepower Threat Defense Software FTP Inspection Denial of Service Vulnerability

CSCvh77845

SSL errors on session resume when server IP address changes

CSCvh78133

Firepower 2100 process_stderr.log getting flooded with errors causing /ngfw high disk

CSCvh79172

Phase-1 solution for momentary traffic drop during ASA policy apply rollback tracked w/ CSCvc56570

CSCvh83145

ASA interface IP and subnet mask changes to 0.0.0.0 0.0.0.0 causing outage of services on interface

CSCvh84511

Cisco FireSIGHT System URL-based Access Control Policy Bypass Vulnerability

CSCvh85246

ssl inspection can be limited by a "do not decrypt" rule specifying one or more common names

CSCvh85580

ids_event_alerter core when processing connection events

CSCvh89340

Cisco Firepower Threat Defense SSL Engine High CPU Denial Of Service Vulnerability

CSCvh90092

AQ task selection ignores few groups when large no of groups present causing 8 hr delays in deploy

CSCvh92840

Failing to deploy after adding a URL literal from REST API

CSCvh95396

Policy deployment failure due to Invalid preprocessor normalize_tcp option 'ftp'

CSCvh95456

Cisco Adaptive Security Appliance Application Layer Protocol Inspection DoS Vulnerabilities

CSCvh95807

SSL Flow Errors reported when accessing ECDSA signed websites

CSCvh95960

Using the "match" keyword in capture command causes IPv6 traffic to be ignored in capture

CSCvh97258

unable to render any of monitoring screens in any browser

CSCvh97594

ssl inspection cache can become unbalanced, leading to premature removal of recently used items

CSCvh97782

KP traceback illegal memory access inside a vendor Modular Exponentiation implementation

CSCvh98781

ASA/FTD Deployment ERROR 'Management interface is not allowed as Data is in use by this instance'

CSCvh98897

Data interfaces on Firepower devices shut down on upgrade failure, causing management interruptions

CSCvi02989

Access control policy not able to be edited or deployed after upgrade to Version 6.2.2.1

CSCvi09340

Policy deployment failed on multiple devices because of large size of policy deployment DB

CSCvi31174

FTD:Deployment takes lot of time when node in cluster is down/unreachable from FMC

CSCvi39938

Traffic outage while downloading large number of users and groups

CSCvi43661

Static Route:Proper Interface is not being assigned while configuring the route, causing problem.

CSCvi44246

Port-channel's subinterfaces share same MAC address on both unit of Threat Defense pair

CSCvi44365

After an upgrade the Firepower 4100 hostname is different than SFCLI hostname

CSCvi54162

"ha-replace" action not working when peer not present

CSCvi58729

6.2.3 Upgrade Resume Fails on KP-Onbox at 200_pre/600_ftd_onbox_data_export.sh

CSCvi59968

Firepower 2100 Incorrect reply for SNMP get request 1.3.6.1.2.1.1.2.0

CSCvi74560

6.2.3 does not properly deploy variables in variable sets and causes deploy failure

CSCvi74623

6.2.3 upgrade resets home_net variable to default "any"

CSCvi77527

upgrade to 6.2.3 fails with post install database integrity check error

CSCvi79043

Add warning to configure manager delete/add command

CSCvi80012

CD state incorrect if failover happens during snort policy application on Active FTD

CSCvi80849

Cisco Firepower 2100 Series POODLE TLS security scanner alerts

CSCvj00363

ASA may traceback and reload with combination of packet-tracer and captures

CSCvj05640

Traceback at snmp address not mapped when snmp-server not enabled

CSCvj13327

Upgrade to 6.2.3 fails at 600_schema/100_update_database.sh - oom killer invoked

CSCvj18111

FTD: Flow-preserve N1 flag shouldn't apply for IPS interfaces

CSCvj42450

ASA traceback in Thread Name: DATAPATH-14-17303

CSCvj47119

"clear capture /all" might crash

CSCvj50373

Doc: Table 1 has incorrect information on Configuration Guide Version 6.2.3

CSCvj58342

Multicast dropped after deleting a security context

CSCvj62504

Cisco Firepower 2100 Series Security Appliances Denial of Service Vulnerability

CSCvj65581

Excessive logging from ftdrpcd process on 2100 series appliances

CSCvj72309

FTD does not send Marker for End-of-RIB after a BGP Graceful Restart

CSCvj74210

Traceback at "ssh" when executing 'show service-policy inspect gtp pdp-context detail'

CSCvj82652

Deployment changes are not pushed to the device due to disk0 mounted on read-only

CSCvj85516

Packet capture fails for interface named "management" on Firepower Threat Defense

CSCvj89470

Cisco Adaptive Security Appliance Direct Memory Access Denial of Service Vulnerability

CSCvj98499

Linux Kernel cdrom_ioctl_media_changed Function Kernel Memory Read Vul

CSCvj98512

Doc: Procedure of changing FTD management IP address should be corrected.

CSCvj99658

ASA/Lina HA failover interface testing rendering control channel unresponsive

CSCvk02250

"show memory binsize" and "show memory top-usage" do not show correct information (Complete fix)

CSCvk04592

Flows get stuck in lina conn table in half-closed state

CSCvk07522

webvpn: Bookmark fails to render on Firefox and Chrome. IE fine.

CSCvk18330

Active FTP Data transfers fail with FTP inspection and NAT

CSCvk18578

Enabling compression necessary to load ASA SSLVPN login page customization

CSCvk20381

Traceback loop seen on fresh ASAv Azure, KVM and VMWare deployments

CSCvk25729

Large ACL taking long time to compile on boot causing outage

CSCvk30228

ASAv and FTDv deployment fails in Microsoft Azure and/or slow console response

CSCvk31035

KVM (FTD): Mapping web server through outside not working consistent with other platforms

CSCvk44166

Cisco ASA and FTD TCP Proxy Denial of Service Vulnerability

CSCvk45443

ASA cluster: Traffic loop on CCL with NAT and high traffic

CSCvk47253

Flow offload for UDP/TCP traffic is not working

CSCvk50732

AnyConnect 4.6 Web-deploy fails on MAC using Safari 11.1.x browsers

CSCvk51181

FTD IPV6 traffic outage after interface edit and deployment part 1/2

CSCvk57516

Low DMA memory leading to VPN failures due to incorrect crypto maps

CSCvk66732

Cisco Adaptive Security Appliance Software IPsec Denial of Service Vulnerability

CSCvk67239

FTD or ASA traceback and reload in "Thread Name: Logger Page fault: Address not mapped"

CSCvm06114

RDP bookmark plugin won't launch

CSCvm23370

ASA: Memory leak due to PC cssls_get_crypto_ctxt

CSCvm27111

FTD Lina traceback while removing OSPF configuration.

CSCvm31905

OpenSSH Bailout Delaying User Enumeration Vulnerability

CSCvm32267

Not blocking EICAR files through HTTPS connection with SSL policy in place

CSCvm53531

Cisco Adaptive Security Appliance Software Privilege Escalation Vulnerability

CSCvm64400

IKEv2: IKEv2-PROTO-2: Failed to allocate PSH from platform

CSCvm70274

tcp proxy: ASA traceback on DATAPATH

CSCvm72145

Cisco ASA Software and FTD Software MOBIKE Denial of Service Vulnerability

CSCvm80011

FTD Cluster in transparent mode; Inline set: FTP/SCP flows get stalled and never recover.

CSCvm86658

FTD traceback and reload in snap_get_retaddr_mips at snap.h:285

CSCvm91893

FMC does not update time and display events when using sliding time window option for event analysis

CSCvn09322

FTD device rebooted after taking Active State for less than 5 minutes

CSCvn09612

ASA/FTD Connection Idle Timers Not Increasing For Inactive Offloaded Sessions

CSCvn09640

FTD: Need ability to trust ethertype ACLs from the parser. Need to allow BPDU to pass through

CSCvn23254

SNMPv2 pulls empty ifHCInOctets value if Nameif is configured on the interface

CSCvn31390

Computing Processor PortSmash Side-Channel Information Disclosure Vuln

CSCvn33943

Standby node traceback in wccp_int_statechange() with HA configuration sync

CSCvn46358

overloading of the lina msglyr infra due to the sending of VPN status messages

CSCvn55563

Port group objects not listed while creating extended access list ( FMC GUI )

CSCvn56095

selective acking not happening with SSL crypto hardware offload

CSCvn69213

ASA traceback and reload due to multiple threads waiting for the same lock - watchdog

CSCvn69270

Add troubleshooting for VPN Client Assignment

CSCvn75368

IPsec VPN goes down intermittently during a re-key

CSCvn76023

Firepower: when deploying policy, device list is empty with error message "failed to fetch device list"

CSCvn78174

Cisco ASA and Cisco FTD Software TCP Timer Handling Denial of Service Vulnerability

CSCvn78593

Control-plane ACL doesn't work correctly on FTD

CSCvn86777

Deployment on FTD with low memory results on interface nameif to be removed - finetune mmap thresh

CSCvo11077

Cisco ASA Software and FTD Software IKEv1 Denial of Service Vulnerability

CSCvo12985

ASA: EIGRP neighborship formation delayed after failover due to delay in sending out Hello packet

CSCvo39356

Traceback at Thread Name: IP Address Assign

CSCvo41572

FMC shows connection events with packet count as 0

CSCvo43679

FTD Lina traceback, due to packet looping in the system by normaliser

CSCvo47562

VPN sessions failing due to PKI handles not freed during rekeys

CSCvo48838

Lina does not properly report the error for configuration line that is too long

CSCvo56675

ASA or FTD traceback and reload due to failover state change or xlates cleared

CSCvo58847

Enhancement to address high IKE CPU seen due to tunnel replace scenario

CSCvo62031

ASA Traceback and reload while running IKE Debug

CSCvo68184

management-only of diagnostic I/F on secondary FTD get disappeared

CSCvo72462

Do not decrypt rule causes traffic interruptions.

CSCvo88762

FTD inline/transparent sends packets back through the ingress interface

CSCvo90998

LACPDUs should not be sent to snort for inline-set interfaces

CSCvp16536

ASA traceback and reload observed in Datapath due to SIP inspection.

CSCvp18878

ASA: Watchdog traceback in Datapath

CSCvp19549

FTD lina cored with Thread name: cli_xml_server

CSCvp24728

Random SGT tags added by FTD

CSCvp25236

FTD Lina traceback -Thread Name: cli_xml_server

CSCvp30505

FDM Error: There were some connectivity problems while loading archived backups.

CSCvp36425

Cisco ASA & FTD Software Cryptographic TLS and SSL Driver Denial of Service Vulnerability

CSCvp43150

FP9300 Cluster - Master unit does not update all the route changes to slaves

CSCvp45149

Traceback while Reverting the primary system as active

CSCvp47525

Upgrade times out after 1 hour for slow FMC-to-sensor bandwidth

CSCvp49576

FTD traceback due to watchdog on xlate_detach

CSCvp53637

Flows are getting offloaded on inline-sets

CSCvp55880

Fail-Closed FTD passes packets through on Snort processes down

CSCvp55901

LINA traceback on ASA in HA Active Unit repeatedly

CSCvp57643

FP9300 Cluster - Master unit does not update all the route changes to slaves

CSCvp67392

ASA/FTD HA Data Interface Heartbeat dropped due to Reverse Path Check

CSCvp70699

ASA Failover split brain (both units active) after rebooting a Firepower chassis

CSCvp81083

ASA/Lina Traceback related to TLS/VPN

CSCvq27010

Memory leak observed when ASA-SFR dataplane communication flaps

CSCvq44665

FTD/ASA : Traceback in Datapath with assert snp_tcp_intercept_assert_disabled

CSCvq54034

WRL6 and WRL8 commit-id update in CCM Layer (sprint 65)

CSCvq70775

FPR2100 FTD Standby unit leaking 9K blocks

CSCvq75634

Management interface configuration leads to immediate traceback and reload

CSCvq79042

FQDN ACL entries incomplete due to DNS response from server is large and truncated

CSCvq80735

Cannot add neighbor in BGP when the neighbor is on the same subnet as one interface

CSCvq93640

WRL6 and WRL8 commit id update in CCM layer (sprint 67)

CSCvr21803

Mac address flap on switch with wrong packet injected on ingress FTD interface

CSCvr23986

Cisco ASA & FTD devices may reload under conditions of low memory and frequent complete MIB walks

CSCvr25954

FTD/LINA Standby may traceback and reload during logging command replication from Active

CSCvr27445

App-sync failure if unit tries to join HA during policy deployment

CSCvr68146

Unable to auto-rejoin FTD cluster

CSCvs01422

Lina traceback when changing device mode of FTD

CSCvs03023

Clustering module needs to skip the hardware clock update to avoid the timeout error and clock jump

CSCvs26402

NAT policy configuration range limit to be imposed for non service cmds as well

CSCvs59056

ASA/FTD Tunneled Static Routes are Ignored by Suboptimal Lookup if Float-Conn is Enabled

CSCvs80536

FP41xx incorrect interface applied in ASA capture

CSCvs81504

WR6 and WR8 commit id update in CCM layer(sprint 77)

CSCvt06606

Flow offload not working with combination of FTD 6.2(3.10) and FXOS 2.6(1.169)

CSCvt28182

sctp-state-bypass is not getting invoked for inline FTD