Network technologies and trends

Apr 6 2017   11:08AM GMT

Cisco has issues with certain software versions of ASA and Firepower appliances, which drop traffic after 213 days

Yasir Irfan

Tags:
ASA
Blog
bug
Cisco
console
Firewalls
HTTPS
Reboot
Security
SSH
vulnerabilities

Cisco has released a field notice and also published a blog post about the latest bug found in Cisco ASA and certain versions of Firepower appliances. According to Cisco, bug CSCvd78303 is not a vulnerability but rather a “functional software defect”.

The impact of this bug is highly disruptive: an affected device stops passing network traffic after approximately 213 days and 12 hours (about 5,124 hours) of uptime, which can have a huge impact on any production network and bring down services.

The affected device will not receive or respond to ARP packets, which not only affects transit traffic but also the SSH, HTTPS and Telnet traffic used mainly for administering the device. Console access, however, is not affected.

The affected versions of ASA and Firepower Threat Defense (FTD) are as follows:

ASA version 9.1 releases 9.1(7)8 and higher

ASA version 9.2 releases 9.2(4)15 and higher

ASA version 9.4 releases 9.4(3)5 and higher including 9.4(4)

ASA version 9.5 releases 9.5(3) and higher

ASA version 9.6 releases 9.6(2)1 and higher including 9.6(3)

ASA version 9.7 releases 9.7(1) and higher

FTD version 6.1 releases 6.1.0.1 and higher

FTD version 6.2 releases 6.2.0 and higher

One way to work around the issue is to reboot the device; however, a reboot does not fix the issue permanently, and it will recur after approximately another 213 days and 12 hours of uptime.

Officially, Cisco has yet to provide a fix, and it is still not clear which ASA or FTD version will fix this bug.

However, upon opening a TAC case we were told that the bug has been fixed in the following ASA versions: 9.4(4.5), 9.7(1.4), 9.6(3.1) and 9.5(3.8). One cannot take this as an official answer, but this is what Cisco TAC recommended to us.
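As an added example (not from the post, Cisco or TAC), the following Python check turns the affected releases, the TAC-reported fixed releases and the 213 day 12 hour threshold above into something an operator can run against inventory data: it normalises Cisco's version spellings, decides whether a release is affected, and computes how much uptime remains before the ARP stall from a device's `show version` uptime line. It assumes that 9.4(4.5) denotes the same release as 9.4(4)5 and that the uptime line has the form "<hostname> up N days M hours"; the sample line in the test is constructed.

```python
import re
from datetime import timedelta

# Uptime at which the field notice says the device stops handling ARP.
ARP_FAILURE_UPTIME = timedelta(days=213, hours=12)

# First affected release per train, as listed in the post ("and higher" within that train).
AFFECTED_FROM = {
    "ASA": ["9.1(7)8", "9.2(4)15", "9.4(3)5", "9.5(3)", "9.6(2)1", "9.7(1)"],
    "FTD": ["6.1.0.1", "6.2.0"],
}
# Fixed releases as relayed by Cisco TAC in the post; not an official Cisco statement.
TAC_FIXED = ["9.4(4.5)", "9.7(1.4)", "9.6(3.1)", "9.5(3.8)"]

def parse_version(v):
    """Normalise '9.4(3)5', '9.4(4.5)' or '6.1.0.1' to a comparable 4-tuple.
    Assumption: 9.4(4.5) is the interim-release spelling of 9.4(4)5."""
    nums = [int(x) for x in re.findall(r"\d+", v)]
    return tuple(nums + [0] * (4 - len(nums)))

def same_train(a, b):
    # A train is the leading major.minor pair, e.g. 9.4 or 6.2.
    return a[:2] == b[:2]

def is_affected(platform, version):
    """True if the release is in an affected range and below any TAC-reported fix."""
    v = parse_version(version)
    for first in map(parse_version, AFFECTED_FROM[platform]):
        if same_train(v, first) and v >= first:
            fixes = [f for f in map(parse_version, TAC_FIXED) if same_train(v, f)]
            return not (fixes and v >= fixes[0])
    return False

# `show version` prints the uptime as e.g. "ciscoasa up 200 days 12 hours" (assumed format).
UPTIME_RE = re.compile(r"\bup\s+(?:(\d+)\s+days?)?\s*(?:(\d+)\s+hours?)?\s*(?:(\d+)\s+mins?)?")

def parse_uptime(line):
    m = UPTIME_RE.search(line)
    if not m:
        raise ValueError("no uptime found in: %r" % line)
    days, hours, mins = (int(g) if g else 0 for g in m.groups())
    return timedelta(days=days, hours=hours, minutes=mins)

def time_to_arp_failure(platform, version, uptime_line):
    """Remaining uptime before the ARP stall, or None if the release is not affected."""
    if not is_affected(platform, version):
        return None
    return ARP_FAILURE_UPTIME - parse_uptime(uptime_line)
```

A negative result from `time_to_arp_failure` means the device is already past the threshold and should be treated as stalled until it is rebooted or upgraded.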

One has to keep a close eye on what Cisco recommends for this issue; the best approach is to open a TAC case with Cisco and seek their opinion.
