Cisco Firepower 4100/9300 FXOS Release Notes, 2.11(1)
This document contains release information for Cisco Firepower eXtensible Operating System (FXOS) 2.11(1).
Use these Release Notes as a supplement to the other documents listed in the documentation roadmap.
Note: The online versions of the user documentation are occasionally updated after the initial release. As a result, the information contained in the documentation on Cisco.com supersedes any information contained in the context-sensitive help included with the product.
Introduction
The Cisco security appliance is a next-generation platform for network and content security solutions. The security appliance is part of the Cisco Application Centric Infrastructure (ACI) Security Solution and provides an agile, open, secure platform that is built for scalability, consistent control, and simplified management.
The security appliance provides the following features:
- Modular chassis-based security system—Provides high performance, flexible input/output configurations, and scalability.
- Firepower Chassis Manager—Graphical user interface provides a streamlined, visual representation of the current chassis status and allows for simplified configuration of chassis features.
- FXOS CLI—Provides a command-based interface for configuring features, monitoring chassis status, and accessing advanced troubleshooting features.
- FXOS REST API—Allows users to programmatically configure and manage their chassis.
What's New
Cisco FXOS 2.11.1 introduces the following:
New Features in FXOS 2.11.1.205
Fixes for various problems (see Resolved bugs in FXOS 2.11.1.205).
New Features in FXOS 2.11.1.200
Fixes for various problems (see Resolved bugs in FXOS 2.11.1.200).
New Features in FXOS 2.11.1.182
Fixes for various problems (see Resolved bugs in FXOS 2.11.1.182).
New Features in FXOS 2.11.1
Cisco FXOS 2.11.1 introduces the following new features:
| Feature | Description |
|---|---|
| Integration of MIO health with existing health monitoring infra and FMC UI | You can now use the newly added scope health monitoring policy CLI to enable or disable health monitoring and set the required fault threshold for each type of resource. You can also use the show storage CLI to display the partitions and current disk usage of a disk. |
Software Download
You can download software images for FXOS and supported applications from one of the following URLs:
- Firepower 9300 — https://software.cisco.com/download/type.html?mdfid=286287252
- Firepower 4100 — https://software.cisco.com/download/navigator.html?mdfid=286305164
For information about the applications that are supported on a specific version of FXOS, see the Cisco FXOS Compatibility guide at this URL:
https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/compatibility/fxos-compatibility.html
Important Notes
- In FXOS 2.4(1) or later, if you are using an IPSec secure channel in FIPS mode, the IPSec peer entity must support RFC 7427.
- When you configure Radware DefensePro (vDP) in a service chain on a currently running Firepower Threat Defense application on a Firepower 4110 or 4120 device, the installation fails with a fault alarm. As a workaround, stop the Firepower Threat Defense application instance before installing the Radware DefensePro application.
  Note: This issue and workaround apply to all supported releases of Radware DefensePro service chaining with Firepower Threat Defense on Firepower 4110 and 4120 devices.
- Firmware Upgrade—We recommend upgrading your Firepower 4100/9300 security appliance with the latest firmware. For information about how to install a firmware update and the fixes included in each update, see https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/firmware-upgrade/fxos-firmware-upgrade.html.
- When you upgrade a network or security module, certain faults are generated and then cleared automatically. These include a “hot swap not supported” fault or a “module removed when in online state” fault. If you have followed the appropriate procedures, as described in the Cisco Firepower 9300 Hardware Installation Guide or Cisco Firepower 4100 Series Hardware Installation Guide, the fault(s) are cleared automatically and no additional action is required.
System Requirements
- You can access the Firepower Chassis Manager using the following browsers:
  - Mozilla Firefox—Version 42 and later
  - Google Chrome—Version 47 and later
  - Microsoft Internet Explorer—Version 11 and later
  We tested FXOS 2.11(1) using Mozilla Firefox version 42, Google Chrome version 47, and Internet Explorer version 11. Other versions of these browsers are expected to work. However, if you experience any browser-related issues, we suggest you use one of the tested versions.
Upgrade Instructions
You can upgrade your Firepower 9300 or Firepower 4100 series security appliance directly to FXOS 2.11(1) if it is currently running FXOS version 2.2(2) or later. Before you upgrade to FXOS 2.11(1), verify that the appliance is running FXOS 2.2(2) or later; if it is running an earlier release, first upgrade to FXOS 2.2(2).
For upgrade instructions, see the Cisco Firepower 4100/9300 Upgrade Guide.
Installation Notes
- An upgrade to FXOS 2.11(1) can take up to 45 minutes. Plan your upgrade activity accordingly.
- If you are upgrading a Firepower 9300 or Firepower 4100 series security appliance that is running a standalone logical device, or if you are upgrading a Firepower 9300 security appliance that is running an intra-chassis cluster, traffic does not traverse the device while it is upgrading.
- If you are upgrading a Firepower 9300 or Firepower 4100 series security appliance that is part of an inter-chassis cluster, traffic does not traverse the device being upgraded while it is upgrading. However, the other devices in the cluster continue to pass traffic.
- Downgrade of FXOS images is not officially supported. The only Cisco-supported method of downgrading an image version of FXOS is to perform a complete re-image of the device.
Resolved and Open Bugs
The resolved and open bugs for this release are accessible through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products.
Note: You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you do not have one, you can register for an account.
For more information about the Cisco Bug Search Tool, see the Bug Search Tool Help & FAQ.
Resolved bugs in FXOS 2.11.1.200
| Identifier | Headline |
|---|---|
| | FXOS: FPR-X-NM-8X10G ports 7 and 8 are unconfigurable. |
| | FXOS: Support a single PID type for Secure Firewall 3100 platforms. |
| | TPK Netmods - Debug Proto card ACT2 authentication failures. |
| | Remote user log in via SSH access with password authentication method fails after FXOS upgrade. |
| | Adding forceReboot option for bundle install REST API. |
| | FXOS SWIMS Engine update to version 3.0.4. |
Resolved bugs in FXOS 2.11.1.182
| Identifier | Headline |
|---|---|
| | WR6, WR8 and LTS18 commit id update in CCM layer (sprint 125, seq 21). |
| | CIAM: expat - CVE-2022-25235 and others |
| | CIAM: python - CVE-2022-0391 |
| | CIAM: strongswan - CVE-2021-45079 |
| | WR6, WR8 and LTS18 commit id update in CCM layer (sprint 124, seq 20). |
| | CIAM: Apache-http-server CVE-2021-44790 and CVE-2021-44224. |
| | CIAM: python CVE-2015-20107 |
| | Disk corruption occurs when /mnt/disk0 partition is full and blade is rebooted. |
| | Reject the NTP server on the MIO side when the stratum value is higher than the device can handle. |
| | The interface's LED remains green blinking when the optical fiber is unplugged on FPR1150. |
| | FXOS should check reference clock stratum instead of NTP server's local clock stratum. |
| | WR8, LTS18 and LTS21 commit id update in CCM layer (Seq 34). |
| | ASA running on SSP platform generates critical error "[FSM:FAILED]: sam:dme:MgmtIfSwMgmtOobIfConfig". |
| | MIO: No blade reboot during CATERR if fault severity is non-Severe or CATERR sensor is different. |
| | CIAM: bind 9.11.4 |
| | Cisco FXOS Software Command Injection Vulnerability. |
| | Upgrade fail App Instance fail to start with err "CSP_OP_ERROR. CSP signature verification error." |
| | ENH: FCM should include option for modifying the interface 'link debounce time' |
| | WR8, LTS18 and LTS21 commit id update in CCM layer (seq 26). |
| | Tune throttling flow control on syslog-ng destinations. |
| | CIAM: libxml - CVE-2022-23308 |
| | CIAM: cpio 2.12 |
| | FXOS: Third-party interop between Ciena Waveserver with firepower chassis. |
| | WR8 and LTS18 commit id update in CCM layer (seq 24) |
| | CIAM: expat multiple Vulnerabilities |
| | FXOS misses logs to diagnose root cause of module show-tech file generation failure |
| | CIAM: mod-security - CVE-2021-42717 |
| | WR6, WR8 and LTS18 commit id update in CCM layer (sprint 124, seq 19) |
| | CIAM: zlib - CVE-2018-25032 |
| | WM 1010 HA Failover is not successful when we give failover active in secondary. |
| | WR6, WR8, LTS18 and LTS21 commit id update in CCM layer (Seq 32) |
| | Multi-instance internal portchannel VLANs may be misprogrammed causing traffic loss |
| | WR8, LTS18 and LTS21 commit id update in CCM layer (Seq 25) |
| | ASA installation/upgrade fails due to internal error "Available resources not updated by module" |
| | Evaluation of ssp for vulnerabilities resolved in Apache httpd 2.4.53 |
| | LTS18 commit id update in CCM layer (seq 27) |
| | FIPS self-tests must be run when CC mode is enabled - files are missing |
| | The smConLogger traceback is caused by memory leak. |
| | Uploading firmware triggers data port-channel to flap |
| | TPK/KP/WM-RM: Assign FXOS interface MAC address to LLDP linux interfaces |
| | Cisco FXOS and NX-OS Software CDP DoS and Arbitrary Code Execution Vulnerability |
| | CIAM: expat - CVE-2022-23852 |
| | WR6, WR8 and LTS18 commit id update in CCM layer (sprint 121, seq 18) |
| | CIAM: glibc 2.33 CVE-2022-23219 and others |
| | WR6, WR8, LTS18 and LTS21 commit id update in CCM layer (Seq 33) |
| | Upgrade to CiscoSSL FOM 7.3sp and CiscoSSL 1.1.1o.7.3sp.143-fips in SSP MIO |
| | FXOS upgrade to 2.11 is stuck |
| | ENH: Fail-to-Wire feature switching standby/bypass from CLI |
| | Evaluation of ssp for Dirty Pipe vulnerability |
| | WM11xx: Getting "ERROR: waiting for fxos_log_shutdown" during shutdown. |
| | Update certificate bundle for 7.2 release. |
| | WR8 and LTS18 commit id update in CCM layer (sprint 126, seq 22). |
| | Interface is down after RBD wizard CLI execution. |
| | FXOS changes to provide dmidecode access to container. |
| | Update CiscoSSL to 1.1.1o.7.3sp.143 |
| | Integrate SSD firmware image into lfbff_parser. |
| | "zgrep" tool missing from ftd 2100 models. |
| | Add strace to internal debug builds. |
| | USB kernel modules required for FMC. |
| | NBN: New PSU PID support in MIO. |
| | Update LTS18 to RCPL 24. |
| | Move 7.1 branches to the LTS18 code base. |
| | FXOS changes for CSCvy86319 - Data are not getting destroyed after formatting disk0 on ISA3K. |
| | FXOS: WARNING: Configuration file format is too old, syslog-ng is running in compatibility mode. |
| | Back out CSCvy28132 as eBPF is not needed in FXOS for 7.1 or 7.2. |
| | Swapping different speed ftw causes admin speed issues. |
| | TPK 3120 in 7.1.0.2-16, interface went down with 1016 sub-interfaces, HA changed to Failed. |
| | Kilburn Park freezes / crashes on netboot system load. |
| | ASAconsole.log files fail to rotate. |
| | Cisco FXOS Software Command Injection Vulnerability. |
| | Root shell injection in security module "support fileview" command. |
| | Chassis and application set the time to Jan 1, 2010 after reboot |
Resolved bugs in FXOS 2.11.1.154
The following table lists the previously release-noted and customer-found bugs that were resolved in FXOS 2.11.1.154:
| Caveat ID Number | Description |
|---|---|
| | Firepower may reboot for no apparent reason |
| | WR6, WR8 and LTS18 commit id update in CCM layer (sprint 94, seq 1) |
| | VIC adapter kernel crash at boot |
| | WR6, WR8 and LTS18 commit id update in CCM layer (sprint 98, seq 2) |
| | Memory leak: DME process may traceback generating core on Firepower 4100/9300 (M5 series only) |
| | MIO crashed due to HA policy of Reset with Service: bcm_usd hap reset |
| | "Link not connected" error when using WSP-Q40GLR4L transceiver and Arista switch |
| | FXOS upgrade does not do proper compatibility check for FTD image |
| | ASA upgrade failed with: "CSP directory does not exist - STOP_FAILED Application_Not_Found" |
| | FXOS clock sync issue during blade boot up due to "MIO DID NOT RESPOND TO FORCED TIME SYNC" |
| | ENH: add a way to disable the FQDN check |
| | ma_ctx*.log consuming high diskspace on FPR4100/FPR9300 despite the fix for CSCvx33904 CSCvx07389 |
| | Sudo before 1.9.5p2 has a Heap-based Buffer Overflow, allowing privile |
| | Lasso SAML Implementation Vulnerability Affecting Cisco Products: June 2021 |
| | top.log file missing and sftop process exiting every minute on FDM after FXOS 2.10.1 upgrade |
| | WR6, WR8 and LTS18 commit id update in CCM layer (sprint 110, seq 10) |
| | When ASA upgrade fails, version status is desynched between platform and application |
| | SSH access with public key authentication requires user password |
| | Chassis SSD firmware upgrade may be prevented improperly |
| | In WM-1010 model, after upgrading ASA app, device going for fail safe mode |
| | Confusing message about 'without removing the physical hardware' during Acknowledge Security Module |
| | FCM should say it is not possible to change AAA server when same protocol is configured for Auth |
| | FXOS - AAA/RADIUS - NAS-IP Field set to 127.0.01 |
| | FXOS A crafted request uri-path can cause mod_proxy to forward the request to an origin server... |
| | FXOS Crash- %SYSMGR-2-HEARTBEAT_FAILURE: Service "ascii-cfg" sent SIGABRT for not setting heartbeat |
| | MsgLayer[PID]: Error : Msglyr::ZMQWrapper::registerSender() : Failed to bind ZeroMQ Socket |
| | FTD/ASA creates coredump file with "!" character in filename (zmq changes (fxos) for CSCvv40406) |
| | Message appearing constantly on diagnostic-cli |
| | 4100/9300: Cannot associate port channel / interface to App |
| | CRUZ paloview is not accessible on release build |
| | SSH access with public key authentication fails after FXOS upgrade |
| | FXOS upgrade fails with error "does not support application instances of deployment type container" |
| | Pre-login-banner not showing on FCM WebUI |
| | FXOS show fault warning code F4526902 |
| | Evaluation of ssp for OpenSSL March 2021 vulnerabilities |
| | Unable to save new cluster node configs on FCM due to java error |
| | FPR4100/9300 IPv6 config cannot be applied using Rest API LTP on 9300/4100 Supervisor |
| | Firepower memory leak in svc_sam_dcosAG |
| | Radius Key with the ASCII character " configured on FXOS does not work after chassis reload. |
| | FXOS reporting old FTD version after FTD upgrade to 6.7.0 |
| | Lina traceback and core file size is beyond 40G and compression fails. |
| | FXOS Apache HTTP Server Multiple Vulnerabilities (CVE-2020-11993) and (CVE-2020-9490) |
| | Disk utilization increasing /var/tmp in FPR4150-ASA chassis |
| | FXOS process core pruned/deleted from system files (no validation) |
| | ma_ctx files with '.backup' extension seen after applying the workaround for CSCvx29429 |
| | FXOS may display fault F1256 about missing local disk 0 |
| | SNMP OID HOST-RESOURCES-MIB (1.3.6.1.2.1.25) does not exist on FMC |
| | Snmpd core files generated on FTD |
| | App-instance startup version is ignored and set to running-version after copy config |
Open Bugs in FXOS 2.11.1.154
The following table lists the open bugs in FXOS 2.11.1.154:
| Caveat ID Number | Description |
|---|---|
| | FTD device stuck with "watchdog: BUG: soft lockup - CPU#0 stuck" error on console |
| | SFDatacorrelator exits - missing libgnutls.so - on new installation or after FTD upgrade |
| | Disk corruption occurs when /mnt/disk0 partition is full and blade is rebooted |
| | FTD app-instance start-failed with STOP_FAILED CSP_Stop_App_Error |
| | Firepower configured in inline-pair interfaces are admin and link down |
| | FXOS may display fault F1758 about external port conflict with application |
| | Chassis local date and time may drift back to midnight Jan 1 2015 after reboot |
Resolved bugs in FXOS 2.11.1.205
| Identifier | Headline |
|---|---|
| | Unable to configure domain\username under cfg-export-policy in FXOS. |
| | Supervisor does not reboot unresponsive module/blade due to CATERR with minor severity sensor ID 50. |
| | Supervisor does not reboot unresponsive module/blade due to IERR with minor severity sensor ID 79. |
| | CIAM: apache-http-server - CVE-2022-31813 and Others. |
| | CIAM: curl - CVE-2022-22576 and others. |
| | CIAM: libtirpc - CVE-2021-46828. |
| | CIAM: zlib - CVE-2022-37434. |
| | Refresh the ios.pem. |
| | stdout_env_manager.log is full of Unknown board type 3 messages. |
| | SSH to Chassis allows a 3-way handshake for IPs that are not allowed by the config. |
| | Add CIMC reset as auto-recovery for CIMC IPMI hung issues. |
| | FCM: jacoco lib needs upgrade. |
| | MIO is not able to register. appAG process issue. |
| | No input validation for logical device DNS servers in bootstrap configuration on chassis manager. |
| | FPR 4100 saw an unexpected reload with reason "Reset triggered due to HA policy of Reset". |
| | FPR4100/9300 High traffic redirected to CPU causes internal communication failure with blade adapter. |
| | FPR4K/FPR9K: Generating FXOS Chassis show tech may result in flap of 40Gig Netmod Port. |
| | Universal p4tickets are in plaintext in source code. |
Related Documentation
For additional information on the Firepower 9300 or 4100 series security appliance and FXOS, see Navigating the Cisco FXOS Documentation.
Online Resources
Cisco provides online resources to download documentation, software, and tools, to query bugs, and to open service requests. Use these resources to install and configure FXOS software and to troubleshoot and resolve technical issues.
- Cisco Support & Download site: https://www.cisco.com/c/en/us/support/index.html
- Cisco Bug Search Tool: https://tools.cisco.com/bugsearch/
- Cisco Notification Service: https://www.cisco.com/cisco/support/notifications.html
Access to most tools on the Cisco Support & Download site requires a Cisco.com user ID and password.
Contact Cisco
If you cannot resolve an issue using the online resources listed above, contact Cisco TAC:
- Email Cisco TAC: tac@cisco.com
- Call Cisco TAC (North America): 1.408.526.7209 or 1.800.553.2447
- Call Cisco TAC (worldwide): Cisco Worldwide Support Contacts
Communications, Services, and Additional Information
- To receive timely, relevant information from Cisco, sign up at Cisco Profile Manager.
- To get the business impact you’re looking for with the technologies that matter, visit Cisco Services.
- To submit a service request, visit Cisco Support.
- To discover and browse secure, validated enterprise-class apps, products, solutions and services, visit Cisco Marketplace.
- To obtain general networking, training, and certification titles, visit Cisco Press.
- To find warranty information for a specific product or product family, access Cisco Warranty Finder.