This document contains release information for Cisco Firepower eXtensible Operating System (FXOS) 2.12.0.

Use these Release Notes as a supplement with the other documents listed in the documentation roadmap:


Note: The online versions of the user documentation are occasionally updated after the initial release. As a result, the information contained in the documentation on Cisco.com supersedes any information contained in the context-sensitive help included with the product.


Introduction

The Cisco security appliance is a next-generation platform for network and content security solutions. The security appliance is part of the Cisco Application Centric Infrastructure (ACI) Security Solution and provides an agile, open, secure platform that is built for scalability, consistent control, and simplified management.

The security appliance provides the following features:

  • Modular chassis-based security system—Provides high performance, flexible input/output configurations, and scalability.

  • Chassis Manager—Graphical user interface provides a streamlined, visual representation of the current chassis status and allows for simplified configuration of chassis features.

  • FXOS CLI—Provides command-based interface for configuring features, monitoring chassis status, and accessing advanced troubleshooting features.

  • FXOS REST API—Allows users to programmatically configure and manage their chassis.

What's New

New Features in FXOS 2.12.1.84

Fixes for various problems (see Resolved bugs in FXOS 2.12.1.84).

New Features in FXOS 2.12.1.72

Fixes for various problems (see Resolved bugs in FXOS 2.12.1.72).

New Features in FXOS 2.12.1.48

Fixes for various problems (see Resolved bugs in FXOS 2.12.1.48).

New Features in FXOS 2.12.1.29

Fixes for various problems (see Resolved bugs in FXOS 2.12.1.29).

New Features in FXOS 2.12.0.498

Fixes for various problems (see Resolved bugs in FXOS 2.12.0.498).

New Features in FXOS 2.12.0.467

Fixes for various problems (see Resolved Bugs in FXOS 2.12.0.467).

New Features in FXOS 2.12.0.450

Fixes for various problems (see Resolved Bugs in FXOS 2.12.0.450).

New Features in FXOS 2.12.0.432

Fixes for various problems (see Resolved Bugs in FXOS 2.12.0.432).

New Features in FXOS 2.12.0.31

Fixes for various problems (see Resolved Bugs in FXOS 2.8.0.31).

Cisco FXOS 2.12.0 introduces the following new features:

Table 1. New Features in FXOS 2.12.0
| Feature | Description |
| --- | --- |
| QOS CLIs | You can now use the `show interface ethernet <slot> <port> match statistics` CLI to track the intermediate drops happening on the TCAM. |
| | You can now police the traffic queues using the `show interface ethernet <slot> <port> policer statistics police` CLI to prevent exorbitant traffic rates from going through strict priority queues. |
| | You can now control the traffic rates using the `show queuing interface ethernet <slot> <port>` CLI during congestion to prevent loss of data packets. |
| Switch packet path | You can now debug switch packet path issues for the Secure Firewall 3100 devices. |
| ASA and FTD SNMP Unification | You can now configure the Admin Instance drop-down menu for SNMP unification of ASA and FTD devices. |

Software Download

You can download software images for FXOS and supported applications from one of the following URLs:

For information about the applications that are supported on a specific version of FXOS, see the Cisco FXOS Compatibility guide at this URL:

https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/compatibility/fxos-compatibility.html

Important Notes

  • In FXOS 2.4(1) or later, if you are using an IPSec secure channel in FIPS mode, the IPSec peer entity must support RFC 7427.

  • When you configure Radware DefensePro (vDP) in a service chain on a currently running threat defense application on a Firepower 4110 or 4120 device, the installation fails with a fault alarm. As a workaround, stop the threat defense application instance before installing the Radware DefensePro application.


    Note: This issue and workaround apply to all supported releases of Radware DefensePro service chaining with threat defense on Firepower 4110 and 4120 devices.


  • Firmware Upgrade—We recommend upgrading your Firepower 4100/9300 security appliance with the latest firmware. For information about how to install a firmware update and the fixes included in each update, see https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/firmware-upgrade/fxos-firmware-upgrade.html.

  • When you upgrade a network or security module, certain faults are generated and then cleared automatically. These include a “hot swap not supported” fault or a “module removed when in online state” fault. If you have followed the appropriate procedures, as described in the Cisco Firepower 9300 Hardware Installation Guide or Cisco Firepower 4100 Series Hardware Installation Guide, the fault(s) are cleared automatically and no additional action is required.

System Requirements

  • You can access the chassis manager using the following browsers:

    • Mozilla Firefox—Version 42 and later

    • Google Chrome—Version 47 and later

    • Microsoft Internet Explorer—Version 11 and later

    We tested FXOS 2.12.0 using Mozilla Firefox version 42, Google Chrome version 47, and Internet Explorer version 11. Other versions of these browsers are expected to work. However, if you experience any browser-related issues, we suggest you use one of the tested versions.

Upgrade Instructions

You can upgrade your Firepower 9300 or Firepower 4100 series security appliance directly to FXOS 2.12.0 if it is currently running FXOS version 2.2(2) or later. Before you upgrade your Firepower 9300 or Firepower 4100 series security appliance to FXOS 2.12.0, first upgrade to FXOS 2.2(2), or verify that you are currently running FXOS 2.2(2).

For upgrade instructions, see the Cisco Firepower 4100/9300 Upgrade Guide.

Installation Notes

  • An upgrade to FXOS 2.12.0 can take up to 45 minutes. Plan your upgrade activity accordingly.

  • If you are upgrading a Firepower 9300 or Firepower 4100 series security appliance that is running a standalone logical device or if you are upgrading a Firepower 9300 security appliance that is running an intra-chassis cluster, traffic does not traverse through the device while it is upgrading.

  • If you are upgrading a Firepower 9300 or a Firepower 4100 series security appliance that is part of an inter-chassis cluster, traffic does not traverse through the device being upgraded while it is upgrading. However, the other devices in the cluster continue to pass traffic.

  • Downgrade of FXOS images is not officially supported. The only Cisco-supported method of downgrading an image version of FXOS is to perform a complete re-image of the device.

Resolved and Open Bugs

The resolved and open bugs for this release are accessible through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products.


Note: You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you do not have one, you can register for one on Cisco.com.


For more information about the Cisco Bug Search Tool, see the Bug Search Tool Help & FAQ.

Open Bugs in FXOS 2.12.0.31

The following table lists the open bugs in FXOS 2.12.0.31:

| Caveat ID Number | Description |
| --- | --- |
| CSCwc03242 | BC01_IBMC01_showTechSupport_log core generated while collecting techsupport logs |

Resolved bugs in FXOS 2.12.0.31

The following table lists the previously release-noted and customer-found bugs that were resolved in FXOS 2.12.0.31:

| Caveat ID Number | Description |
| --- | --- |
| CSCvy83696 | ENH: FPR 4100/9300 bcm_usd process logs to support possible RCA |
| CSCwa03285 | Upgrade to 2.10.1.166 causes degraded SM - Unrecognized Firmware format |
| CSCwa85297 | Multi-instance internal portchannel VLANs may be misprogrammed causing traffic loss |
| CSCvu36664 | FXOS Operational State:Thermal-problem intermittently |
| CSCvx76651 | ENH: Prevent CCL IP addressing on the 169.254.x.x subnet on cluster creation |
| CSCvz01271 | Need show command to see the details of transceiver of FXOS mgmt port via CLI |
| CSCvz94217 | App-instance startup version is ignored and set to running-version after copy config |
| CSCwa52215 | Uploading firmware triggers data port-channel to flap |
| CSCwb84638 | Portmanager/LACP improvement to capture logging events on external event restarts |
| CSCvz72467 | Cisco FXOS and NX-OS Software Cisco Discovery Protocol Service Denial of Service |
| CSCwa55772 | FPR 4100 saw an unexpected reload with reason "Reset triggered due to HA policy of Reset" |
| CSCvu76180 | Serviceability Request - Add error message that FXOS firmware is not fully activated |
| CSCvy83657 | FXOS process core pruned/deleted from system files (no validation) |
| CSCvz14640 | FXOS System temporary directory usage is unexpectedly high |
| CSCvz50201 | FXOS may display fault F1256 about missing local disk 0 |
| CSCvy48764 | SSH access with public key authentication requires user password |
| CSCvy95497 | Chassis SSD firmware upgrade may be prevented improperly |
| CSCvy80380 | Disk utilization increasing /var/tmp in FPR4150-ASA chassis |
| CSCvz01285 | Need show command to see the details of FPGA version on Firepower devices |
| CSCvz94740 | FXOS traceback and reload due Service "ascii-cfg" sent SIGABRT for not setting heartbeat. |
| CSCwb74357 | FXOS is not rotating log files for partition opt_cisco_platform_logs |
| CSCwa62167 | CIAM: Apache-http-server CVE-2021-44790 and CVE-2021-44224 |
| CSCvz71282 | FXOS \| high Align-Err counter on port-channel48 |
| CSCvz91266 | FXOS A crafted request uri-path can cause mod_proxy to forward the request to an origin server... |
| CSCvt13808 | ENH: FP 4100/9300 - FTD and FXOS SNMP unification |
| CSCvx04995 | Fault F0736 should not be generated due to unreacheable default gateway |
| CSCvy81369 | ENH: Include dmesg -T command output in FXOS show-tech files |
| CSCwb15170 | RM 1120 Port state going down, speed is 100/10 and duplex full/Half, speed and duplexmismatchpresent |
| CSCwb73356 | nvram logs consistently written every 2 seconds causing high disk utilization |

Resolved bugs in FXOS 2.12.0.432

The following table lists the previously release-noted and customer-found bugs that were resolved in FXOS 2.12.0.432:

| Caveat ID Number | Description |
| --- | --- |
| CSCvy99348 | Shutdown command reboots instead of shutting the FP1k device down. |
| CSCwb49416 | ASA snmpd Traceback & cores on an active unit |
| CSCwb90940 | Data interfaces are not coming up on KP device after deploying 9.18.0.114 image |
| CSCwc03510 | Kilburn Park freezes / crashes on netboot system load |
| CSCwb62059 | Unable to login on FTD using external authentication after upgrade from 7.0.1--->7.2.-1947 |
| CSCwb70030 | MIO: No blade reboot during CATERR if fault severity is non-Severe or CATERR sensor is different |
| CSCwb93924 | sfp-detect not working correctly on fixed and epm ports |
| CSCwc02133 | Root shell injection in security module "support fileview" command |
| CSCwc41590 | Upgrade fail & App Instance fail to start with err "CSP_OP_ERROR. CSP signature verification error." |
| CSCvz74356 | FDM 1010 device management interface not reflecting the correct status |
| CSCwa90735 | ASAconsole.log files fail to rotate |
| CSCwa99171 | Chassis and application sets the time to Jan 1, 2010 after reboot |
| CSCwb83756 | TPK netmod OIR fills log with error messages until complete |
| CSCwc08094 | Update CiscoSSL to 1.1.1o.7.3sp.143 |
| CSCwb58007 | FTDv on Azure - Traceback on Thread PTHREAD |
| CSCwa71071 | Update certificate bundle for 7.2 release |
| CSCwb41361 | WR8, LTS18 and LTS21 commit id update in CCM layer (seq 26) |
| CSCwb25246 | ASAv SSH session getting terminated with ospf network command using Azure / Azure Stack hub |
| CSCwc45356 | FXOS: Support a single PID type for FPR3100 platforms |
| CSCwa88148 | ENH: Fail-to-Wire feature switching standby/bypass from CLI |
| CSCwb10884 | WM11xx: Getting "ERROR: waiting for fxos_log_shutdown" during shutdown. |
| CSCwb94573 | 3140 - Platform fault - Code: F1374 - Severity: Critical |
| CSCwb97486 | FPR3100: 25G optic may show link up on some 1/10G capable only fiber ports |
| CSCwb27099 | FXOS: Third-party interop between Ciena Waveserver with firepower chassis. |
| CSCwb84638 | Portmanager/LACP improvement to capture logging events on external event restarts |
| CSCwb01633 | FXOS misses logs to diagnose root cause of module show-tech file generation failure |
| CSCwb12465 | FIPS self-tests must be run when CC mode is enabled - files are missing |
| CSCwb74357 | FXOS is not rotating log files for partition opt_cisco_platform_logs |
| CSCwb95787 | FPR1010 - No ARP on switchport VLAN interface after portmanager DIED event |
| CSCwb57988 | The smConLogger traceback is caused by memory leak. |
| CSCwb85516 | Update the entity mib with new EPM details for WA-B/TPK |
| CSCwb89065 | Warn when TPK borough/temple fpga versions are below minimum |
| CSCwc37196 | FPR3100: 8x1G copper netmod may incorrectly report obsolete firmware on boot |
| CSCwb02689 | FXOS should check reference clock stratum instead of NTP server's local clock stratum |
| CSCwb40662 | ENH: FCM should include option for modifying the interface 'link debounce time' |
| CSCwb46385 | REST API Support for debounce time configuration |
| CSCwb85391 | TPK Ctrl-FPGA version check broken |

Resolved bugs in FXOS 2.12.0.450

The following table lists the previously release-noted and customer-found bugs that were resolved in FXOS 2.12.0.450:

| Caveat ID Number | Description |
| --- | --- |
| CSCwb12119 | CIAM: expat - CVE-2022-25235 and others |
| CSCwb24367 | Evaluation of ssp for Dirty Pipe vulnerability |
| CSCwb70138 | CIAM: python CVE-2015-20107 |
| CSCwc30692 | TPK 3140 Maryland: %ERROR% - Switch device not found! during reboot |
| CSCwb44662 | CIAM: zlib - CVE-2018-25032 |
| CSCwb62105 | CIAM: glibc 2.33 CVE-2022-23219 and others |
| CSCwb71554 | CIAM: libxml - CVE-2022-23308 |
| CSCwc30239 | CIAM: apache-http-server - CVE-2022-31813 and Others |
| CSCwc34082 | CIAM: curl - CVE-2022-22576 and others |
| CSCwc75082 | 25G-SR should default to RS-FEC (IEEE CL108) instead of FC-FEC |
| CSCwb80192 | WR6, WR8 commit id update in CCM layer(Seq 30) |
| CSCwb84967 | Firepower 9300 chassis troubleshoot file caused outage |
| CSCwc08676 | WR6, WR8, LTS18 and LTS21 commit id update in CCM layer (Seq 32) |
| CSCwc25207 | WR6, WR8, LTS18 and LTS21 commit id update in CCM layer (Seq 33) |
| CSCwc46569 | WR8, LTS18 and LTS21 commit id update in CCM layer (Seq 34) |
| CSCwc60907 | WR6, WR8, LTS18 and LTS21 commit id update in CCM layer (Seq 35) |
| CSCwc69036 | In TPK 3110, baseline boot from rommon failed as "unable to unlock or revert SED" |
| CSCwc83037 | WR6, WR8, LTS18 and LTS21 commit id update in CCM layer (Seq 36) |
| CSCwb71582 | CIAM: strongswan - CVE-2021-45079 |
| CSCwb83166 | Upgrade to CiscoSSL FOM 7.3sp and CiscoSSL 1.1.1o.7.3sp.143-fips in SSP MIO |
| CSCwc03393 | Lina traceback and core file size is beyond 40G and compression fails on FTD |
| CSCwc08374 | Azure ASA NIC MAC address for Gigeth 0/1 and 0/2 become out of order when adding interfaces |
| CSCwd07413 | FMC - Editing member interfaces on port-channel is stuck on "Updating interface" window |
| CSCvz19364 | FXOS does not send any syslog messages when the duplex changes to "Half Duplex" |
| CSCwb21037 | FCM smart license error when smart licensing reports synced |
| CSCwb80108 | FP2100/FP1000: Built-in RJ45 ports randomly not coming up after portmanager restart events |
| CSCwb95383 | KP FDM-HA is in suspended state with no failover after reverting from 7.3 to 7.1 |
| CSCwc25523 | Registering the device for Telemetry is failing in DEV images due to missing security certificates |
| CSCwc31619 | TPK: DME error for invalid card id with SwitchCardPowerCtrlModule |
| CSCwc47386 | vFMC WebUI inaccessible after CC mode was enabled in 7.3.0-1553: ERR_CONNECTION_REFUSED |
| CSCwc51827 | Getting portmanager Died Error after installing 7.3.x build on wm1010 |
| CSCwc61106 | Unable to configure domain\username under cfg-export-policy in FXOS |
| CSCwc75061 | FMC allows shell access for user name with "." but external authentication will fail |
| CSCwc76195 | Fail-To-Wire interfaces flaps intermittently due to watchdog timeout in KP platform |
| CSCwd08626 | FTW: port pairs unexpectedly going to bypass due to failure |
| CSCwd09546 | WA: portmanager sfp OIR routine uses insufficient table for module debounce |
| CSCvz42084 | Update msmtp driver to fix FMC SMTP email send failures |
| CSCvz44638 | FXOS changes for CSCvy86319 - Data are not getting destroy after formatting disk0 on ISA3K |
| CSCwb57524 | FTD upgrade fails - not enough disk space from old FXOS bundles in distributables partition |
| CSCwb73678 | /var/tmp partition fullness warning on FXOS |
| CSCwb88090 | FXOS:after fxos config import new port-channel creation causing existing port-channel flap |
| CSCwb94573 | 3140 - Platform fault - Code: F1374 - Severity: Critical |
| CSCwb94980 | TPK: SFP insertion events are missed for base fiber ports including mgmt port. |
| CSCwc08683 | The interface's LED remains green blinking when the optical fiber is unplugged on FPR1150 |
| CSCwc29384 | KP - Add DMA memory segments to corefile generated by livecore |
| CSCwc37061 | SNMP: FMC doesn't reply to OID 1.3.6.1.2.1.25.3.3.1.2 |
| CSCwc41591 | [IMS_7_3_0] core.portmgr_ipc found on WM1010 during redeploy all policies |
| CSCwc46847 | FXOS partition opt_cisco_platform_logs on FP1K/FPR2K may go Full due to ucssh_*.log |
| CSCwc60463 | FXOS is not rotating log messages files for partition opt_cisco_platform_logs |
| CSCwc94062 | [FTDv/Kenton/ISA3k - FXOS] Add sshd monitor capability to restart sshd in case it fails. |
| CSCwc94670 | TPK svc_sam_statsAG memory leak |
| CSCvz77202 | RMU read stale entries on the int ctrl link between x86 Denverton CPU and Marvel 88E6390X switch |
| CSCwb77818 | Telemetry stays in enabled state even after SL is deregistered from CLI |
| CSCwc77879 | Autopsy Uncore utility support for Vermont branch |
| CSCwc32584 | WM 1150: Upgrade to asa image "99.16.4.24-198" fails on Wm1150 platform |
| CSCwb48166 | FXOS upgrade to 2.11 is stuck |
| CSCwb66175 | MIO is not able to register. appAG process issue |
| CSCwc76849 | link state propagation stops working when performing full chassis reboot |
| CSCwc26489 | ENH - Setting the zmqio sched policy and priority for MIO heartbeat channel |
| CSCwc74905 | FXOS: FPR-X-NM-8X10G ports 7 and 8 are unconfigurable. |

Resolved bugs in FXOS 2.12.0.467

The following table lists the previously release-noted and customer-found bugs that were resolved in FXOS 2.12.0.467:

| Caveat ID Number | Description |
| --- | --- |
| CSCwc37695 | In addition to the c_rehash shell command injection identified in CVE-2022-1292 |
| CSCwc82169 | FPR4100/9300 Blade discovery may hang due to internal communication failure with blade adapter |
| CSCwd31427 | FMC allowing explicit format version of EC parameters with syslog over TLS in CC mode |
| CSCwd34662 | LTS18 and LTS21 commit id update in CCM layer (seq 39) |
| CSCwb89257 | Remote user login via SSH access with password authentication method fails after FXOS upgrade |
| CSCwc57204 | FXOS not responding to SSH connection |
| CSCwc87441 | for system processes limit the CPUs used to the number of system CPUs |
| CSCwd06758 | No input validation for logical device DNS servers in bootstrap configuration on chassis manager |
| CSCwd37560 | Adding forceReboot option for bundle install REST API |
| CSCwd45784 | FXOS SWIMS Engine update to version 3.0.4 |
| CSCwd45904 | Livecore does not return proper error code when there is no space |
| CSCwd47340 | Potential memory leak in svc_sam_envAG process |
| CSCwb52656 | SNM trace logs have incorrect timestamps |
| CSCwd47481 | WR6, WR8, LTS18 and LTS21 commit id update in CCM layer (Seq 40) |
| CSCwd65327 | WR6, WR8, LTS18 and LTS21 commit id update in CCM layer (Seq 41) |
| CSCwc96726 | R2130 use the Wind River CIS_LTS21_R2130 OS branch for the 7.3.0 Beta2 release. |

Resolved bugs in FXOS 2.12.0.498

The following table lists the previously release-noted and customer-found bugs that were resolved in FXOS 2.12.0.498:

| Caveat ID Number | Description |
| --- | --- |
| CSCwe07734 | ASA goes to failsafe mode after FXOS upgrade |
| CSCwb24306 | Duplicate log entry for /mnt/disk0/log/asa_snmp.log |
| CSCwc49353 | QP MI FTD HA pair goes to disabled state |
| CSCwc83495 | Add abort in switch_driver to crash portmanager in case udbs are corrupted |
| CSCwd58188 | Inline-pair's state could not able to auto recover from hardware-bypass to standby mode. |
| CSCwd68346 | ASA MIO-blade heartbeat failure due to kernel crash, leads to MEZZ core |
| CSCwd72680 | FXOS: FP2100 FTW timeout triggered by high CPU usage during FTD Access Control Policy deploy. |
| CSCwd74839 | 30+ seconds data loss when unit re-join cluster |
| CSCwd89349 | WR6, WR8, LTS18 and LTS21 commit id update in CCM layer (seq 42) |
| CSCwd95415 | The Standby device going in failed state due to snort heartbeat failure |
| CSCwd96766 | 41xx: Blade does not capture or log a reboot signal |
| CSCwd99885 | Bad code change to portmgr_ipc.c |
| CSCwe14619 | The standby device going in failed state due to snort heartbeat failure( Precommit Build Failure) |
| CSCwe20714 | 7.4.0-1603 WA/TPK-HA Traffic doesn't work for non static mac address interface |
| CSCwe24532 | Multiple instances of nvram.out log rotated files under /opt/cisco/platform/logs/ |
| CSCwe25025 | 8x10Gb netmod fails to come online |
| CSCwe30653 | FTD upgrade failure at "999_finish/999_zz_install_bundle.sh" due to bad key cert |
| CSCwe32394 | ssp abort/reload: terminate called after throwing an instance of 'Stb::bad_alloc' from overload.cpp |
| CSCwe51412 | Port-channel down with Suspended status on member-ports |
| CSCvx71936 | FXOS: Fault "The password encryption key has not been set." displayed on FPR1000 and FPR2100 devices |
| CSCwa75392 | Missing warning message when upgrading FXOS |
| CSCwb30042 | SA for msglyr and switch/src/HAL_Layer code |
| CSCwc10545 | system_pid_specific_misc_defs.json has incorrect system cores for TPK |
| CSCwc12719 | Modify tech-support to capture additional debug info (show portmanager switch vlans) |
| CSCwc34801 | [IMS_7_3_0]REST_API:Network::getMTU [ERROR] when setting network information during firstboot |
| CSCwc69977 | Null pointer check missing in sfp display routine |
| CSCwc83851 | OIR errors in portmgr.out |
| CSCwd10139 | Ping to ipv6 gw with system fails, works without it |
| CSCwd12978 | WA-B: ASA show env command displays PSU information incorrectly |
| CSCwd43666 | Analyze why there is no logrotate for /opt/cisco/config/var/log/ASAconsole.log |
| CSCwd53448 | FPR3100: 4x40 network module LEDs do not blink with traffic |
| CSCwd56266 | KP- FTP under local-mgmt not working |
| CSCwd56462 | LLDP:Neighbors not getting discovered on the first breakout port without deleting the lldp config |
| CSCwd68159 | LLDP::Removing a member port from the port channel completely removes the lldp neighbors |
| CSCwd82787 | Upgrade request errors flood portmgr.out after netmod removal |
| CSCwd92804 | FAN LED flashing amber on FPR2100 |
| CSCwd95063 | npu accel - nam_client ipc_recv_timeouts - effects FXOS npu-accel local-mgmt, lina stats calls |
| CSCwe02421 | FPR-X-NM-6X1SX-F not recognized on FP3100 or FP4200 |
| CSCwe13577 | Audit log is missing for Mgmt port change |
| CSCwe18145 | Interface speed is not updated on FTD |
| CSCwe21569 | Improve CLI options for management IP with dhcp option |
| CSCwe22302 | Partition "/opt/cisco/config" gets full due to wtmp file not getting logrotated |
| CSCwe32972 | stdout_env_manager.log is full of unknown board type 3 messages |
| CSCwe33910 | sr_build.log has the same three messages repeated every minute |
| CSCwe33943 | svc_sam_serviceOrchAG.log is filled with repeating worthless messages every minute |
| CSCwe36758 | 3105: F78672 after a reboot |
| CSCwe48918 | LTS18 CCM Sequence number 44 to update the libjitterentropy to version 3.4.1 |
| CSCwe59989 | Workaround to fix build breakage introduced by Wind River CCM commit |
| CSCwe63794 | Reduce fault severity level for RAID degrade due to disk is still in spare state |
| CSCwb88729 | FTD - %FTD-3-199015: port-manager: Error: DOM Block Read failure, port X, st = X log false/positive |
| CSCwe24440 | disk-controller remove/remove-secure description doesn't match |
| CSCwe34512 | JENT: Add JENT library to fxos to support KP. |
| CSCwd35074 | Telemetry registration is failing in 2.13. |
| CSCwd99813 | Supervisor does not reboot unresponsive module/blade due to CATERR with minor severity sensor ID 50 |
| CSCwe33130 | Supervisor does not reboot unresponsive module/blade due to IERR with minor severity sensor ID 79 |
| CSCvx62999 | Non-zero input discards in MI CCL interface |
| CSCwb40008 | Sometimes device goes for reboot, when powering on of alperton netmod in 4100 device |
| CSCwb80881 | CSSMGR_log core found while testing snmp trap on 2.8.1.184 |
| CSCwc79216 | Update Broadcom SDK patch for field alert notification for Trident2 |
| CSCwe22152 | SNMPD cores seen in in snmp_sess_close and notifyTable_register_notifications |
| CSCwe19968 | Enhance to log FTW kicking delay and compensate the delay for kicking |
| CSCwe59809 | WR6, WR8, LTS18 and LTS21 commit id update in CCM layer (seq 45) |
| CSCwc49180 | Statsclient hap reset and boot loop after enabling SNMP unification in 92.13 |

Resolved bugs in FXOS 2.12.1.29

The following table lists the previously release-noted and customer-found bugs that were resolved in FXOS 2.12.1.29:

| Identifier | Headline |
| --- | --- |
| CSCwb75786 | Deploy failure seen as "argument content is null" in 730. |
| CSCwd34288 | FP1000 - During boot process in LINA mode, broadcasts leaked between interfaces resulting in storm. |
| CSCwd94183 | Blade not coming up after FXOS update support on multi-instance due to ssp_ntp.log log rotation prob. |
| CSCwe30867 | Workaround to set hwclock from ntp logs on low end platforms. |
| CSCwe74916 | Interface remains DOWN in an Inline-set with propagate link state. |
| CSCwe88600 | vFTD sshd silent crash, possibly due to probes in Azure with LB. |
| CSCwe93802 | WR6, LTS18 and LTS21 commit id update in CCM layer (Seq 46). |
| CSCwf08515 | FPR3100: ASA/FTD High traffic impact on all data interfaces with high counter of "demux drops". |
| CSCwf014729 | Need to use CiscoSSL with FOM 7.3 for Intel Builds. |
| CSCwf17858 | node is leaving TPK cluster due to interface health check failure. |
| CSCwc76419 | Unnecessary FAN error logs needs to be removed from thermal file. |
| CSCwd67101 | FPR1150 : Exec format error seen and the device hung until reload when erase secure all is executed. |
| CSCwd81123 | High CPU Utilization on FXOS for processes smConlogger. |
| CSCwe50993 | SNMP on SFR module goes down and won't come back up. |
| CSCwe70472 | Upgrade third-party component rng-tools to latest 6.16 version. |
| CSCwe90524 | Enh: Add timestamp in interface IPC message. |
| CSCwf03490 | portmanager.sh outputing continuous bash warnings to log files. |
| CSCwf16278 | TPK 2.12 MGMT Port not able to ping gateway after application installation. |
| CSCwf22483 | SSH to Chassis allows a 3-way handshake for IPs that are not allowed by the config. |
| CSCwf37871 | Attempt go 1.19.4 in LTS18 Branches but go back to 1.12.12 release. |
| CSCwf40113 | TPK/WA - OSPF packets land in multiple RX rings. |
| CSCwf18647 | Brentwood and Maryland squelch settings modification missing from _X netmod variants. |
| CSCvz91293 | ENH: Include exported chassis configuration in chassis show-tech file. |
| CSCwc12716 | modify tech-support to capture additional debug info (control link register details). |
| CSCwd34920 | ENH: Need to preserve topout.log to contain data of last 5 days minimum. |
| CSCwe45653 | ENH: FXOS need to track Security Module for Disk quota exceeded related issue. |
| CSCwe79517 | ENH: TPK show portmanager counters to dump counters for default drop rules. |
| CSCwe64773 | core.svc_sam_dcosAG file seen on device after erase configuration |
| CSCwe83544 | After upgrade ha interface remains down on one node. |
| CSCwa98094 | MI information is missing in tech-support |
| CSCwf16886 | Universal p4tickets are in plaintext in source code |
| CSCvz69950 | Include output of 'show storage detail command in FPR3100 FPRM/tech_support_brief file |
| CSCwb06934 | Include output of 'show slot expand detail' command in FPR3100 tech_support_brief file |

Resolved bugs in FXOS 2.12.1.48

The following table lists the previously release-noted and customer-found bugs that were resolved in FXOS 2.12.1.48:

| Caveat ID Number | Description |
| --- | --- |
| CSCwe87745 | FXOS CLI to show last programming changes |
| CSCwf57856 | FXOS Traceback and reload caused by leak on MTS buffer queue |
| CSCwh22888 | FXOS: Remove enforcement of blades going into degraded state after multiple DIMM correctable errors |
| CSCwb71519 | ENH: F1661 More details on failure reason and log location |
| CSCwh82859 | SSHd cores found after Azure VPN Performance test |
| CSCvx44261 | SNMPv3: Special characters used in FXOS SNMPv3 configuration causes authentication errors |
| CSCwf82279 | Excessive logging of ssp-multi-instance-mode messages to /opt/cisco/platform/logs/messages |
| CSCwa65801 | "show ntp all" logs are not clear enough and lead to uncertainty and confusion |
| CSCwh04730 | ASA/FTD HA checkheaps crash where memory buffers are corrupted |
| CSCwe81841 | FXOS needs to provide a command that will display the total power on hours of chassis/blade |
| CSCwf36066 | WM/TPK/WA "FTD only": Packet drops observed after removing PC member from Port-channel |
| CSCwh54477 | The FMC is showing "The password encryption key has not been set" alert for a Firepower 1100/2100 and Secure Firewall 3100 series devices |
| CSCwh55178 | FXOS: svc_sam_dcosAG process getting crashed repeatedly on FirePower 4100 |
| CSCwc48701 | Secure Firewall 3100 MI: ftd instance failed to come online after chassis reboot |
| CSCwf95288 | Firepower 1000 Switchport passing CDP traffic |
| CSCwh17366 | Upgrade to CiscoSSH 1.12.39 in FXOS |
| CSCwh18967 | Include "show env tech" in FXOS FPRM troubleshoot |
| CSCwh24321 | FXOS: Alperton 100G NetMod not being acknowledged properly |
| CSCwf44354 | JENT: Expand JENT library support to CiscoSSL for all FXOS targets |
| CSCwf55654 | Secure Firewall 3100/4200 - Incorrect 'Management1/1' interface status on Lina & FTD |
| CSCwf63589 | FTD snmpd process traceback and restart |
| CSCwh09113 | FPR1010 in HA failed to send or receive to GARP/ARP with error "edsa_rcv: out_drop" |
| CSCwb97626 | FXOS should display ROMMON logs |
| CSCwf35500 | FXOS/SSP: System should provide better visibility of DIMM Correctable error events |
| CSCwf88124 | Switch ports in Trunk mode do not pass vlan traffic after power loss |
| CSCwh02371 | CCM ID 53 - WR8, LTS18, LTS21 |

Resolved bugs in FXOS 2.12.1.72

The following table lists the previously release-noted and customer-found bugs that were resolved in FXOS 2.12.1.72:

| Caveat ID Number | Description |
| --- | --- |
| CSCvx69675 | FXOS Major Faults about adapter host and virtual interface being down. |
| CSCwf99303 | Management UI presents self-signed certificate rather than custom CA signed one after upgrade. |
| CSCwi60249 | WM1010E standby fails to re-join HA with msg "CD App Sync error is SSP Config Generation Failure". |
| CSCwi22296 | Logical app will trigger a boot in failsafe mode due to a large configuration. |
| CSCwi13134 | Hardware bypass not working as expected in FP3140. |
| CSCwi34600 | SSH key-based login is not working in ASAv loaded with default configuration on GCP. |
| CSCwi62683 | Upgrade to CiscoSSH 1.13.46 in FXOS address CVE-2023-48795. |
| CSCwi10927 | TPK/kp/WM: unable to copy techsupport/ts/core files to the server. |
| CSCwf11877 | TPK 3110 - Firmware version MISMATCH after upgrade to 7.2.4-144. |
| CSCwe93736 | ASA not updating Timezone despite taking commands. |
| CSCwi80465 | CCM ID 63 - LTS18 |
| CSCwh53276 | Upgrade to CiscoSSL 1.1.1v.7.3.338-fips in SSP MIO. |
| CSCwi90399 | FTD/ASA system clock resets to year 2023. |
| CSCwf62228 | Timezone not working correctly on 9300/4100 platforms |

Resolved bugs in FXOS 2.12.1.84

The following table lists the previously release-noted and customer-found bugs that were resolved in FXOS 2.12.1.84:

| Identifier | Headline |
| --- | --- |
| CSCwj14927 | FTD: Primary takes active role after reloading |
| CSCwe82107 | health alert for [FSM:STAGE:FAILED]: external aaa server configuration |
| CSCwi60430 | CVE-2023-51385 (Medium Sev) In ssh in OpenSSH before 9.6, OS command injection might occur if a us |
| CSCwk64418 | NTP is not synchronising when using SHA-1 authentication |
| CSCwi24007 | An issue was discovered in the Linux kernel before 6.3.3. There is an |
| CSCwi84615 | some stdout logs not rotated by logrotate |
| CSCwi56743 | MSP Quota setting for instances is not correct |
| CSCwi24116 | Twisted is an event-based framework for internet applications. Prior t |
| CSCwb02701 | FXOS does not retry NTP sync with servers |
| CSCvx74133 | App-instance showing as Started instead of Online |
| CSCwk44245 | In the Linux kernel, the following vulnerability has been resolved: i |
| CSCwk44246 | In the Linux kernel, the following vulnerability has been resolved: i |
| CSCwi78370 | 41xx/93xx : Update CiscoSSH (Chassis Manager FXOS) to address CVE-2023-48795 |
| CSCwi80465 | CCM ID 63 - LTS18 |
| CSCvz59859 | FXOS fault F1758 description should not be specific to subinterfaces |
| CSCwj89050 | Faulty input validation in the core of Apache allows malicious or expl |
| CSCwj89051 | In GNU tar before 1.35, mishandled extension attributes in a PAX archi |
| CSCwj89054 | An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of |
| CSCwi75967 | CCM ID 62 - LTS18 |
| CSCwj43466 | A heap-buffer-overflow vulnerability was found in LibTIFF, in extractI |
| CSCwj08023 | Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6 |
| CSCwj08021 | The DNS message parsing code in 'named' includes a section whose compu |
| CSCwk59458 | 21xx: debug log process hangs preventing recovery from stuck writing operations |
| CSCwj89404 | In the Linux kernel, the following vulnerability has been resolved: b |
| CSCwk57933 | Vulnerabilities in linux-kernel CVE-2023-52439 |
| CSCwj89402 | In the Linux kernel, the following vulnerability has been resolved: n |
| CSCwh94193 | urllib3 is a user-friendly HTTP client library for Python. urllib3 doe |
| CSCwi78191 | An issue was discovered in drivers/input/input.c in the Linux kernel b |
| CSCwi78193 | An issue was discovered in the Linux kernel before 6.6.8. do_vcc_ioctl |
| CSCwj89447 | less through 653 allows OS command execution via a newline character i |
| CSCwj89445 | The iconv() function in the GNU C Library versions 2.39 and older may |
| CSCwf64429 | Unable to upload FTD version image to FCM |
| CSCwk64709 | FXOS upgrade failure due to insufficient free space in /mnt/pss (isan.log consumes most of space) |

CSCwi01323

SNMP OID ifOutDiscards on MIO are always zero despite show interface are non-zero

CSCwj09999

FP 3100 MTU change on management interface is NOT persistent across reboots (returns to default MTU)

CSCwh48776

An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18,

CSCwk57949

Vulnerabilities in linux-kernel CVE-2023-52435

CSCwi36244

In buc Traceroute 2.0.12 through 2.1.2 before 2.1.3, the wrapper scrip

CSCwi92932

copy_params in drivers/md/dm-ioctl.c in the Linux kernel through 6.7.1

CSCwi92930

linux-pam (aka Linux PAM) before 1.6.0 allows attackers to cause a den

CSCwk25759

In the Linux kernel, the following vulnerability has been resolved: B

CSCwk25756

Requests is a HTTP library. Prior to 2.32.0, when making requests thro

CSCwj89434

wall in util-linux through 2.40, often installed with setgid tty permi

CSCwk25755

In the Linux kernel, the following vulnerability has been resolved: n

CSCwj43355

A bug in QEMU could cause a guest I/O operation otherwise addressed to

CSCwe21884

Write wrapper around "kill" command to log who is calling it

CSCwi85951

A use-after-free flaw was found in the __ext4_remount in fs/ext4/super

CSCwi85953

In rds_recv_track_latency in net/rds/af_rds.c in the Linux kernel thro

CSCwj69632

Default Hashing Algorithm is SHA1 for Firepower Chassis Manager Certificate on 4110

CSCwj12924

A flaw was found in the Netfilter subsystem in the Linux kernel. The i

CSCwk62296

Address SSP OpenSSH regreSSHion vulnerability

CSCwi92924

A memory leak problem was found in ctnetlink_create_conntrack in net/n

CSCwi92927

A use-after-free vulnerability in the Linux kernel's netfilter: nf_tab

CSCwi36311

use kill tree function in SMA instead of SIGTERM

CSCwj89425

In the Linux kernel, the following vulnerability has been resolved: B

CSCwh19613

ASA crashed with Saml scenarios

CSCwk75035

Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vul

CSCwk75033

In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause inva

CSCwh81366

[Multi-Instance] Second Hard Drive (FPR-MSP-SSD) not in use

CSCwh43230

Strong Encryption license is not getting applied to ASA firewalls in HA.

CSCwh94029

A flaw was found in the Netfilter subsystem in the Linux kernel. The n

CSCwj08153

An out-of-memory flaw was found in libtiff that could be triggered by

CSCwk14685

FTD : Management interface showing down despite being up and operational

CSCwk62297

Evaluation of ssp for OpenSSH regreSSHion vulnerability

CSCwh27886

Chassis Manager shows HTTP 500 Internal Server error in specific cases

CSCwj89417

In the Linux kernel, the following vulnerability has been resolved: d

CSCwb02741

Time sync status and error message do not elaborate NTP server rejection case

CSCwi79120

some ssh sessions not timing out, leading to ssh and console unable to connect to the FXOS CLI

CSCwk50044

The various Is methods (IsPrivate, IsLoopback, etc) did not work as ex

CSCwj08083

An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.1

CSCwj89315

HTTP Response splitting in multiple modules in Apache HTTP Server allo

CSCwj08066

A denial of service vulnerability due to a deadlock was found in sctp_

CSCwj38928

High latency observed on FPR3120

CSCwf99434

Failed to transfer new image file to FPR2130 and traceback was observed

CSCwk22993

In the Linux kernel, the following vulnerability has been resolved: t

CSCwf27337

KP: Cleanup/Reformat the second (MSP) disk on FTD reinstall

CSCwj89406

In the Linux kernel, the following vulnerability has been resolved: b

CSCwk25764

In the Linux kernel, the following vulnerability has been resolved: H

CSCwk25762

In the Linux kernel, the following vulnerability has been resolved: i

CSCwk25761

In the Linux kernel, the following vulnerability has been resolved: b

CSCwi78206

A vulnerability was found in GnuTLS, where a cockpit (which uses gnuTL

CSCwi78200

A vulnerability was found in GnuTLS. The response times to malformed c

CSCwk75036

null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and

CSCwk50055

url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo

CSCwi04351

FTD upgrade failing on script 999_finish/999_zz_install_bundle.sh

CSCwk75030

The IPv6 implementation in the Linux kernel before 6.3 has a net/ipv6/

CSCwk05828

nscd: netgroup cache may terminate daemon on memory allocation failure

CSCwk05826

nscd: Stack-based buffer overflow in netgroup cache If the Name Servi

CSCwi59271

Suppress "End of script output before headers" syslog on FXOS

CSCwj49958

Crypto IPSEC Negotiation Failing At "Failed to compute a hash value"

CSCwi31480

Alert: Decommission failed, reason: Internal error is not cleared from FCM or CLI after acknowledge

CSCwk84221

FPR3100 : 25G SFP Interfaces not coming up after reboot

CSCwh94116

A flaw was found in the Netfilter subsystem in the Linux kernel. The x

CSCwi23964

Python 3.x through 3.10 has an open redirection vulnerability in lib/h

CSCwh71262

A flaw was found in glibc. In an uncommon situation, the gaih_inet fun

CSCwi53987

SSL protocol settings does not modify the FDM GUI certificate configuration or disable TLSv1.1

CSCwj14028

CCM ID 67 - LTS18

CSCwi00713

A memory leak flaw was found in Libtiff's tiffcrop utility. This issue

Online Resources

Cisco provides online resources to download documentation, software, and tools, to query bugs, and to open service requests. Use these resources to install and configure FXOS software and to troubleshoot and resolve technical issues.

Access to most tools on the Cisco Support & Download site requires a Cisco.com user ID and password.

Contact Cisco

If you cannot resolve an issue using the online resources listed above, contact Cisco TAC:

Communications, Services, and Additional Information

  • To receive timely, relevant information from Cisco, sign up at Cisco Profile Manager.

  • To get the business impact you’re looking for with the technologies that matter, visit Cisco Services.

  • To submit a service request, visit Cisco Support.

  • To discover and browse secure, validated enterprise-class apps, products, solutions and services, visit Cisco Marketplace.

  • To obtain general networking, training, and certification titles, visit Cisco Press.

  • To find warranty information for a specific product or product family, access Cisco Warranty Finder.