Version 6.7.0 Resolved Issues
Bug ID | Headline |
---|---|
Clustering: Overlapping PAT IPs in NAT rules prevent xlates from replicating |
|
Editing SNMP/Syslog/Email Alert Configuration causes in use count to increase |
|
False positive alerts for High Unmanaged Disk usage on /Volume |
|
https pdf attachment issues |
|
Need to update Online documentation for Archive Inspection feature limitations |
|
Firepower 2100 Client in FTP active mode is not able to establish control channel with the Server |
|
Shell application not detected through Firepower |
|
ENH: FDM should allow custom non-UDP/TCP 443 port for webvpn/AnyConnect |
|
DOC: Need explanation about App and URL inspection of HTTPS traffic on each Firepower version |
|
No validation err when changing host that's part of a group object used in a routing policy, to Range |
|
Import fails when Flex Config contains a Security Zone. |
|
Cisco FTD Software SMB Protocol Preprocessor Detection Engine Low System Memory DoS Vuln |
|
AppID stop processing traffic if Application ID has been detected |
|
shell application not pin holing new connection from server |
|
Unable to configure SSH option for Remote Storage |
|
Tor not blocked when traffic is passed through proxy. |
|
Firepower 2100 FTP Client in passive mode is not able to establish data channel with the Server |
|
Standby FMC sending Flood of SNMP traps |
|
SNMP OID for SystemUpTime show incorrect value |
|
ENH: FlexConfig should not blacklist crypto commands |
|
Subsequent HTTP requests not retrieving URL and XFF |
|
Scheduled deployment task on KP devices were stuck for more than 50+ hours. |
|
Firepower block page not displayed on MS IE11 and Edge for HTTPS blocked sites when proxy is enabled |
|
FTD registered to FMC returns "Service Unavailable" |
|
Mysql traffic on non standard port is not correctly classified |
|
Manage the sfhassd thread CPU affinity to match the Snort CPU affinity |
|
Fail to update login history when converting TempID to RealID. 1x log per ID, history lost |
|
OpenSSL vulnerability CVE-2019-1559 on SFOS |
|
TLS 1.3 traffic whitelisted by SSL preprocessor when pending for AppID |
|
Cisco Firepower Threat Defense Software Non-Standard Protocol Detection Bypass Vuln |
|
Cisco Firepower Threat Defense Software Stream Reassembly Bypass Vulnerability |
|
Failed to load error on Intelligence Page for FMC for CAC User |
|
ENH: Need the ability to disable auto negotiation in SFP - Fp2k |
|
Fault Related to Unhealthy module FlexFlash Controller 1 old Firmware |
|
IPSEC SA is deleted by failover which is caused by link down |
|
Multiple Cisco Products Snort HTTP Detection Engine File Policy Bypass Vulnerability |
|
Dynamic flow-offload can't be disabled |
|
ASA traceback and reload for the CLI "Show nat pool" |
|
NGFWHA Missing EO UUID on FMC |
|
Fxos Snmp-user is not persistent after reboot |
|
Fail-to-Wire ports showing down for FPR2100, FTW configuration API takes long to finish |
|
Cisco Firepower 2100 Series Security Appliances ARP Denial of Service Vulnerability |
|
Phase 3 of policy deployment takes a long time due to only working on 10 packages at a time |
|
Policy deployment failed with error "Can't use an undefined value as a HASH reference " |
|
Provide the backup and restore steps for FMC in high availability deployment mode |
|
DNS Application Detector sometimes fails to detect DNS traffic |
|
FXOS fault F0479 Virtual Interface link state is down |
|
Cannot update Security intelligence when AC Policy is imported to FMC with cloud feeds disabled |
|
AppAG encoding for FXOS logical device bootstrap |
|
ASA Traceback/pagefault in Datapath due to re_multi_match_ascii |
|
CD is required to ignore Cluster-Msg-Delivery-Confirmation in Cluster Node Release Lina State |
|
Traceback: FTD ZeroMQ memory assertion |
|
Snort file mempool corruption leads to performance degradation and process failure. |
|
TunnelClient for CSM_CCMservice on ngfwManager not reading ACK sent from CSM_CCM service on FMC |
|
REST API Network Object Validation |
|
Fix consoled from getting stuck and causing HA FTD policy deployment errors. |
|
admin user is not authorized to access the device routing configuration inside the domain. |
|
Hub and spoke VPN, dynamic crypto map, auto-generated PSK is the same for static and dynamic peers |
|
Warning about not supported bypass revocation checking for FTD 6.5 and higher |
|
Known Key SSL decryption and connections can fail when servers are using unsupported TLS options |
|
Continuous link flapping leading to snm_log corefile |
|
Reviewed intrusion events belonging to a subdomain show the reviewer as Unknown |
|
Firepower 7000 & 8000 cannot send emails on version 6.4 |
|
DME process may traceback due to memory leak on Firepower 4100/9300 |
|
FTD not sending system syslog messages in CC mode |
|
Deployment fails after upgrading to 6.4.0.x if ND policy refs are missing |
|
hostname transmission: Hostname is null, Device sends hostname as "none" to SA |
|
Gratuitous logging of string: "Memory stats information for preprocessor is NULL" |
|
user download may fail due to password not sent |
|
After FXOS upgrade, App Instance failed to start with Checksum Verification Fail |
|
FMC: PPPoE password restrictions are too strict; should match the underlying code |
|
Reconciliation report not displaying all the networks when adding a large object group |
|
Firewall engine debug logs being produced in syslog without actually enabling debugs. |
|
Remove unsupported fast mode lacppolicy configuration from FXOS on Firepower 2100 |
|
Deployment failure with message (Can't call method "binip" on unblessed reference) |
|
Deploy failure when deleting auto nat rule due to double negate |
|
FMC upgrade [6.2.3.10 to 6.4.0] got stuck at 400_run_troubleshoot.sh, upgrade was hung |
|
Cisco Firepower Management Center Cross-Site Scripting Vulnerability |
|
Firepower FTD transparent does not decode non-ip packets |
|
FTD registration state shows "pending" after a backup is restored |
|
SNMP not working over Management Interface in 6.6.0-1430 |
|
Remove CCL MTU Pop-Up Warning When Editing Data Interfaces |
|
Object validation is validating interfaces from different devices. |
|
Unable to suppress Audit logs on the FMC |
|
rule impact regeneration should not terminate on single rule errors |
|
FXOS 8x1G FTW continuous link flap |
|
Inspect Interruption - Error in deployment page. |
|
FXOS L3 Egress Object Resource Leak due to Port-Channel Member Interface Flaps |
|
wrong impact flag for local rules with impact flag not red |
|
NTP script error leading to clock drift and traffic interruption |
|
FMC is unable to detect classic licenses intermittently |
|
Deployment is marked as success although LINA config was not pushed |
|
VLAN interfaces should be configurable for DHCP-related configuration on an FMC |
|
When vlan encapsulation is exceeded decoding errors are depleting disk space. |
|
FXOS displays a WSP-Q40GLR4L transceiver from show interface as type QSFP-40G-LR4 |
|
FTW watch-dog kick delays which might cause inline sets to go down/Bypass-Fail |
|
SFDataCorrelator:FPReplicationCommunicationRabbit unable to connect without restarting sfipproxy |
|
DomainSearchNameValidator class needs updated regex for DOMAIN_NAME_PATTERN |
|
Validation Check when two objects with different mask but same network is used in route without ECMP |
|
Running the migration script exits with an out of memory error |
|
FTD 2100: Packet drops during the transition of BYPASS to NON-BYPASS when device is rebooted |
|
FMC not sending some audit messages to remote syslog server |
|
log rotation for ngfw-onbox logs NOT happening at expected log size |
|
OSPF multicast mac getting removed from l2-table causing OSPF to fail |
|
Failover got disabled on HA node after upgrade |
|
Firepower 4100 series all FTW interfaces link flap at the same time but occur rarely |
|
Wrong direction in SSL-injected RESET causes it to exit through wrong interface, causing MAC flap |
|
Inconsistent allocation of cores for snort and lina between instances |
|
Auto Deploy fails after Restore if FDM cannot reach update server |
|
Deprecated Flexconfig should block deployment not just warn |
|
sru and tid update failures caused by missing rabbitmq device accounts |
|
FTD failed over due to 'Inspection engine in other unit has failed due to snort failure' |
|
"Link not connected" error after reboot when using WSP-Q40GLR4L transceiver on FPR9K-NM-4X40G |
|
Snort consumes excessive memory which is leading to performance problems. |
|
SFNotificationd may cause excessive logging in 'messages' files |
|
Cisco Firepower Management Center Software Cross-Site Scripting Vulnerabilities |
|
FPR4100/9300: Packet drops during the transition of BYPASS to NON-BYPASS when device is rebooted |
|
Excessive logging from the daq modules process_snort_verdict verdict blacklist |
|
Excessive logging of lua detector invalid LUA (null) |
|
FDM deployment error if 2nd tunnel has overlapping crypto ACL |
|
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software DoS Vuln |
|
Block page for https not working |
|
serviceability - when breaking FMC HA EOs authority stays with former primary |
|
Erase disk0 on ISA3000 causes file system not supported |
|
LDAPS External users can't 'sudo su' on Firepower 4110 |
|
Registration of device should be allowed as long as deploy status = DEPLOYED or FAILED |
|
FP 4120 svc_sam_dcosAG crashed with crash type:139 |
|
ASA:BVI interface of standby unit stops responding after reload |
|
Event search may fail when searching events that existed before upgrade |
|
clish configure ssh-accesslist command fails silently if iptables is corrupt |
|
EventHandler does not process connection events after CLI command to enable/disable ramdisk |
|
Standby unit traceback at fover_parse and boot loop when detecting Active unit |
|
Warning Message for default settings with Installation of Certificates in ASA/FTD - CLI |
|
Handling license cleanup |
|
Interfaces page from Objects section of the FMC does not load (domains page is likely affected also) |
|
Reduce SSL HW mode flow table memory usage to reduce the probability of Snort going in D state |
|
AMP cloud lookup using legacy port on upgraded FDM, 6.6.0-1621 |
|
Cisco Firepower Management Center Software Denial of Service Vulnerability |
|
FDM: Deploy fails with: Missing license for object: Sensitive_data requires the URLFILTERING license |
|
extra "Local Disk 3" displayed on FPR9300 (improved solution) |
|
FTD: Failure to retrieve certificate via SCEP will cause outage |
|
ASA on multicontext mode, deleting a context does not delete the SSH keys. |
|
Deployment should not fail for special characters in rule comments |
|
Events may stop coming from a device due to a communication deadlock |
|
Disk Usage Health monitor not working for any appliance without 2 Hard Drives |
|
FMC -Deployment Failure- Anyconnect - "Certificate Map" using "DC (Domain Component)" to match cert. |
|
Cisco Adaptive Security Appliance Software SSL/TLS Denial of Service Vulnerability |
|
restore is failing with error unable to extract metadata |
|
FXOS: svc_sam_dcosAG process crash on FirePower 4100/9300 |
|
connection event shows old device name |
|
"clear configure access-list" on ACL used for vpn-filter breaks access to resources |
|
NAT policy configuration after NAT policy deployment on FP 8130 is not seen |
|
Handling for longer header length messages going from DAQ to Oct driver |
|
Configuring logical name as TRUE or FALSE on interface disappears all static routes from FMC UI |
|
Instance start failed due to VNIC configuration error |
|
GET to ../deployment/deployabledevices fails with 500 internal error on 6.2.3.13 FMC. |
|
duplicate ip addresses in sfipproxy.conf |
|
FTD upgrade incorrectly declared successful despite failure due to IO errors |
|
Policy deployment failure due to snmp configuration after upgrading FMC to 6.6 |
|
Memcached software needs to be upgraded to address CVE-2018-1000115 |
|
Supervisor software needs to be upgraded to address CVE-2017-11610 |
|
Cisco ASA and FTD Software OSPFv2 Link-Local Signaling Denial of Service Vulnerability |
|
Unable to access anyconnect webvpn portal from google chrome using group-url |
|
Policy Deployment fails after enabling "Sensitive Data Detection" |
|
Web Analytics (Google Analytics) is re-enabled after major upgrade |
|
Deployment failing with error : Input line size exceeded available buffer |
|
FDM: None of the NTP Servers can be reached - Using Data interfaces as Management Gateway |
|
Disable Full Proxy to Light Weight Proxy by Default. (FP2LWP) on FTD Devices |
|
FMC shouldn't allow a second upgrade on same device if upgrade is going on |
|
Invalid gid permissions causing HA sync and device registration issues |
|
Add RabbitMQ log cleaning exception to avoid process restart |
|
Snort taking long time to terminate, because of too many async sessions |
|
cert map to specify CRL CDP Override does not allow backup entries |
|
FTD HA configuration lost on FMC after FMC upgrade from 6.4.0.7 to 6.5.0.4 |
|
During reimage FMC will get stuck in a loop when using FTP transfer without password |
|
DNS data collected and exported multiple times while same DNS policy referenced in many ACP's |
|
FDM: Default Action's logging doesn't reflect on LINA side |
|
Tons of ssl-certs-unified.log files, contributing to 9GB in troubleshoot |
|
"Link not connected" error after reboot when using QSFP-40G-LR4 transceiver on FPR9K-NM-4X40G |
|
FTD-HA: "ERROR: The specified AnyConnect Client image does not exist." |
|
ASA5506/5508/5516 devices not booting up properly / Boot loop |
|
FDM unable to import certificate with no subject or issuer - fails upgrade as well |
|
Unable to stop config database error during FMC HA sync |
|
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, pa |
|
FTD-HA: Standby failed to join HA "CD App Sync error is App Config Apply Failed" |
|
Data Correlator terminated unexpectedly on FMC during CheckClientAppVulnerability |
|
An extra whitespace in cluster group name of FTD causing Slave to be kicked out. |
|
Disk filled by numerous neostore.transaction.db.* files, causing neo4j issues |
|
SFDataCorrelator can drop events during backup operations |
|
Block exhaustion snapshot not created when available blocks goes to zero |
|
Document all 3 URL entry options for "Manual URL Filtering" |
|
Document syntax and semantics of URL when "Enter URL" textbox of "Add Rule" is used |
|
Document "URL Object" format and feature operation |
|
Document "URL List and Feeds Object" format and feature operation of "Security Intelligence" |
|
User Identity does not correctly handle identical sessions in different netmaps |
|
DOC: File policy automatically enables inline normalization with Normalize TCP Payload option |
|
FDM: AnyConnect "Validation failed due to duplicate name:" |
|
Upgrade will fail if a smart licensed device is upgraded from 6.2.2 -> 6.4.0 -> 6.6.0. |
|
FXOS LACP packet logging to pktmgr.out and lacp.out fills up /opt/cisco/platform/logs to 100% |
|
ASA & FTD Cluster unit traceback in thread Name "cluster config sync" or "fover_FSM_thread" |
|
Elektra onbox policy deployment failure after upgrade to 6.6.0 |
|
Firepower 4100 FTP Client in EPSV passive mode is not able to establish data channel with the Server |
|
Add hardware requirement for FMC HA |
|
Cisco Firepower Management Center CWE-772 - Slow HTTP POST vulnerability |
|
FTD - Connection idle timeout doesn't reset |
|
Snort down: Reconfiguring Detection Error |
|
syslog-ng process utilizing 100% CPU |
|
Display RADIUS port representation as little-endian instead of big-endian |
|
Editing the IP in a Radius Server Group object results in unintended values for the IP address |
|
[DOC] Route-map object Set Clauses do not include EIGRP k-values. |
|
FMC unable to switch from MD5 and DES under SNMP3 settings despite not being supported |
|
FDM 6.6.0 upgrade(or)configImport fail with EtherChannelInterface as failoverlink validation failure |
|
URL rules are incorrectly promoted on series 3 resulting in traffic matching the wrong rule. |
|
Binary rules (SO rules) are not loaded when snort reloads |
|
Cisco ASA and FTD Web Services Interface Cross-Site Scripting Vulnerabilities |
|
FTP to FileZilla miscategorized as SMTP |
|
FTD-API/FDM: Smart License Base License is Lost |
|
Upgrade on Firepower Management Center may fail due to inactive stale entries of managed devices |
|
Light Theme UI FMC - SFR Module long delay loading Interfaces Page |
|
Encoded Rule Plugin SID: value, GID: 3 not registered properly. Disabling this rule |
|
HA sync fails on standby with unexpected error |
|
ASA drops GTPV1 Forward relocation Request message with Null TEID |
|
Number Of URLs in Security Intelligence for URL List file may not appear in new UI (Light Theme) |
|
Site to Site Dynamic crypto map deployed below RA VPN Dynamic Crypto map |
|
Unable to deploy if device with same UUID is trying to connect |
|
HA Re-formation fails following a policy deploy failure on standby |
|
Deployment gets stuck when HA continually changes state due to interface monitoring |
|
FMC REST API user permission for GET taskstatus |
|
Snort restarts repeatedly when new custom apps are identified using nmap |
|
Not able to remove FQDN object once it is assigned within a NAT group |
|
HTTPS connections matching 'Do not decrypt' SSL decryption rule may be blocked |
|
OSPF neighbourship is not establishing |
|
NTP "Server Status" is blank in Firepower Chassis Manager when more than one NTP server configured |
|
vFTD on VMware documentation should recommend disabling hyperthreading |
|
FDM upgrade - There are no visible pending changes on UI -- but upgrade is not starting |
|
Lina side of changes required for bug CSCvr98881 in unified-logging. |
|
tomcat does not recover gracefully after getting killed during backup |
|
CPU load graph may show incomplete CPU data for longer time period selected |
|
FMC backup restore fails if it contains files/directories with future timestamps |
|
FXOS sending additional internal VLAN TAG leading to ARP update failure on devices. |
|
Cisco Firepower Management Center Software Common Access Card Authentication Bypass Vuln |
|
Bad uip snapshot and log file causes FTD to repeatedly request catchup, and exhausts file handlers |
|
CAC login button doesn't appear on new UI, after session timeout |
|
Database doesn't accept any new connections causing event processing to stop |
|
6.6.1: Prefilter Policy value shown as Invalid ID for all the traffic in ASA SFR Platform |
|
Observed traceback in FPR2130 while running webVPN, SNMP related traffic. |
|
"configure high-availability disable" command when executed from CLI causes exception in next HAJoin |
|
ProcessMetadata for intrusion event uses wrong local_sid constraint to lookup entry |
|
FMC - High Availability page not loading after Migration from Virtual to Physical device |
|
File names not showing up correctly for the file events for decrypted ssl traffic |
|
FDM: Unable to add the secret key with the character ^ @ _ |
|
WR6, WR8 and LTS18 commit id update in CCM layer(sprint 92) |
|
"Show NTP" command does not work on multi-instance FTD |
|
FDM UI fails to load after an upgrade |
|
FDM - Unable to add the BGP 11th neighbor using smart CLI routing object |
|
Preview change log is blank when changes are made to the policy |
|
Version 6.6.0.1 FTD Upgrade with FDM Suspends HA |
|
Upgrade to 660 fails in HA standby device managed through data interface |
|
DMA memory leak in ctm_hw_malloc_from_pool causing management and VPN connections to fail |
|
FPR1010: Internal-Data0/0 and data interfaces are flapping during SMB file transfer |
|
CSS Styles loading issue in Chrome 85, IE and Edge browsers |
|
Reset not sent when traffic matches AC-policy configured with block/reset and SSL inspection |
|
DOC: Documentation incorrectly states Logging Events to Ramdisk is not enabled on lower end devices |
|
DOC: FTD Improve Platform Settings DNS Resolution configuration guide |
|
Snort 2: Memory Leak in SSL Decrypt & Resign Processing |
|
Create a monitor to drop file cache once it exceeds a certain limit |
|
Disable memory cgroups when running the system upgrade scripts |
|
Upgrade to 6.6.0 or 6.6.1 failed on 800_post/100_ftd_onbox_data_import.sh |
|
Memory leak during reload in stream |
|
FMC: Unable to save interface config and "An internal error occurred while processing your request" |
|
Unable to edit Site-to-Site VPN configuration by a leaf domain admin user |
|
SFDataCorrelator log spam, metadata fails after Sybase connection status 0 |
|
In Firepower Module 6.3, app status is down after restore |