Firepower Release Notes, Version 6.6.1 and 6.6.3


Cisco Firepower Release Notes, Version 6.6.1 and 6.6.3
First Published: 2020-09-08
Last Modified: 2021-03-15

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS,
INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH
THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY,
CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of
the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS.
CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT
LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS
HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network
topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional
and coincidental.

All printed copies and duplicate soft copies of this document are considered uncontrolled. See the current online version for the latest version.

Cisco has more than 200 offices worldwide. Addresses and phone numbers are listed on the Cisco website at www.cisco.com/go/offices.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL:
https://www.cisco.com/c/en/us/about/legal/trademarks.html. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a
partnership relationship between Cisco and any other company. (1721R)
© 2020–2021 Cisco Systems, Inc. All rights reserved.
CONTENTS

CHAPTER 1 Welcome to Version 6.6.x
    About the Release Notes
    Release Dates

CHAPTER 2 Compatibility
    Firepower Management Centers
    Firepower Devices
    Manager-Device Compatibility
    Web Browser Compatibility
    Screen Resolution Requirements

CHAPTER 3 Features and Functionality
    Features for Firepower Management Center Deployments
    New Features in FMC Version 6.6.3
    Deprecated Features in FMC Version 6.6.1
    Features for Firepower Device Manager Deployments
    About Deprecated FlexConfig Commands
    Intrusion Rules and Keywords
    How-To Walkthroughs for the FMC
    Sharing Data with Cisco

CHAPTER 4 Upgrade the Software
    Upgrade Checklist
    New Guidelines for Version 6.6.x
    Previously Published Guidelines
    FMCv Requires 28 GB RAM for Upgrade
    Firepower 1000 Series Devices Require Post-Upgrade Power Cycle
    Historical Data Removed During FTD/FDM Upgrade
    New URL Categories and Reputations
    Pre-Upgrade Actions for URL Categories and Reputations
    Post-Upgrade Actions for URL Categories and Reputations
    Guidelines for Rules with Merged URL Categories
    TLS Crypto Acceleration Enabled/Cannot Disable
    Readiness Check May Fail on FMC, NGIPSv
    RA VPN Default Setting Change Can Block VPN Traffic
    Security Intelligence Enables Application Identification
    Update VDB after Upgrade to Enable CIP Detection
    Invalid Intrusion Variable Sets Can Cause Deploy Failure
    Minimum Version to Upgrade
    Time Tests and Disk Space Requirements
    About Time Tests
    About Disk Space Requirements
    Version 6.6.3 Time and Disk Space
    Version 6.6.1 Time and Disk Space
    Traffic Flow, Inspection, and Device Behavior
    FTD Upgrade Behavior: Firepower 4100/9300 Chassis
    FTD Upgrade Behavior: Other Devices
    ASA FirePOWER Upgrade Behavior
    NGIPSv Upgrade Behavior
    Upgrade Instructions
    Upgrade Packages

CHAPTER 5 Freshly Install the Software
    Deciding to Freshly Install
    Guidelines for Fresh Installs
    Unregistering Smart Licenses
    Unregister a Firepower Management Center
    Unregister an FTD Device Using FDM
    Installation Instructions

CHAPTER 6 Documentation
    Documentation Roadmaps

CHAPTER 7 Resolved Issues
    Searching for Resolved Issues
    Resolved Issues in New Builds
    Version 6.6.3 Resolved Issues
    Version 6.6.1 Resolved Issues

CHAPTER 8 Known Issues
    Searching for Known Issues

CHAPTER 9 For Assistance
    Online Support Resources
    Contact Cisco

CHAPTER 1
Welcome to Version 6.6.x
Thank you for choosing Firepower.
• About the Release Notes
• Release Dates

About the Release Notes


The release notes provide critical and release-specific information, including upgrade warnings and behavior
changes. Read this document even if you are familiar with Firepower releases and have previous experience
upgrading Firepower deployments.
For links to upgrade and installation instructions, see:
• Upgrade Instructions
• Installation Instructions

Release Dates
For a list of all platforms available with this version, see Compatibility.

Sometimes Cisco releases updated builds. In most cases, only the latest build for each platform is available
on the Cisco Support & Download site. We strongly recommend you use the latest build. If you downloaded
an earlier build, do not use it. For more information, see Resolved Issues in New Builds.

Table 1: Version 6.6.0/6.6.x Dates

| Version | Build | Date | Platforms |
|---|---|---|---|
| 6.6.3 | 80 | 2020-03-11 | All |
| 6.6.2 | — | — | Not available. |
| 6.6.1 | 91 | 2020-09-20 | All |
| 6.6.1 | 90 | 2020-09-08 | — |
| 6.6.0 | 90 | 2020-05-08 | Firepower 4112 |
| 6.6.0 | 90 | 2020-04-06 | FMC/FMCv; All devices except Firepower 4112 |

Table 2: Version 6.6.x Patch Dates

| Version | Build | Date | Platforms |
|---|---|---|---|
| 6.6.0.1 | 7 | 2020-07-22 | All |

CHAPTER 2
Compatibility
For general Firepower compatibility information see:
• Cisco Firepower Compatibility Guide: Detailed compatibility information for all supported Firepower
versions, including links to end-of-sale and end-of-life announcements for deprecated platforms.
• Cisco NGFW Product Line Software Release and Sustaining Bulletin: Support timelines for the Cisco
Next Generation Firewall product line, including management platforms and operating systems.

For compatibility information for this Firepower version, see:


• Firepower Management Centers
• Firepower Devices
• Manager-Device Compatibility
• Web Browser Compatibility
• Screen Resolution Requirements

Firepower Management Centers


The Firepower Management Center (FMC) is a fault-tolerant, purpose-built network appliance that provides
a centralized management console for your Firepower deployment. Firepower Management Center Virtual
(FMCv) brings full firewall management functionality to virtualized environments.

Firepower Management Center


The following FMC platforms are supported in this release:
• FMC 1600, 2600, 4600
• FMC 1000, 2500, 4500
• FMC 2000, 4000

We recommend you keep the BIOS and RAID controller firmware up to date. For more information, see the
Cisco Firepower Compatibility Guide.

Firepower Management Center Virtual


The following FMCv implementations are supported in this release:

• FMCv for Amazon Web Services (AWS)
• FMCv for Microsoft Azure
• FMCv for OpenStack
• FMCv for Kernel-based virtual machine (KVM)
• FMCv and FMCv 300 for VMware vSphere/VMware ESXi 6.5, 6.7, or 7.0
• FMCv and FMCv 300 for VMware vSphere/VMware ESXi 6.0, 6.5, or 6.7

For supported FMCv instances, see the Cisco Firepower Management Center Virtual Getting Started Guide.

Firepower Devices
Cisco Firepower devices monitor network traffic and decide whether to allow or block specific traffic based
on a defined set of security rules. Some Firepower devices run Firepower Threat Defense (FTD) software;
some run NGIPS/ASA FirePOWER software. Some can run either—but not both at the same time.
The following tables list the device platforms supported in this release, along with any (separately upgradeable)
OS/hypervisor requirements. For versions and builds of bundled operating systems, see the Bundled Components
information in the Cisco Firepower Compatibility Guide.

Note: These are the supported devices for this release. Even if an older device has reached EOL and you can no
longer upgrade, you can still manage that device with a newer FMC, up to a few versions ahead. Similarly,
newer versions of ASDM can manage older ASA FirePOWER modules. For supported management methods,
including backwards compatibility, see Manager-Device Compatibility.

Firepower Threat Defense Devices

Table 3: FTD in Version 6.6.0/6.6.x

| FTD Platform | OS/Hypervisor | Additional Details |
|---|---|---|
| Firepower 1010, 1120, 1140, 1150; Firepower 2110, 2120, 2130, 2140 | — | — |
| Firepower 4110, 4120, 4140, 4150; Firepower 4112, 4115, 4125, 4145; Firepower 9300: SM-24, SM-36, SM-44 modules; Firepower 9300: SM-40, SM-48, SM-56 modules | FXOS 2.8.1.105 or later build | Upgrade FXOS first. To resolve issues, you may need to upgrade FXOS to the latest build. To help you decide, see the Cisco FXOS Release Notes, 2.8(1). |
| ASA 5508-X, 5516-X; ASA 5525-X, 5545-X, 5555-X; ISA 3000 | — | Although you do not separately upgrade the OS on these devices in FTD deployments, you should make sure you have the latest ROMMON image on the ISA 3000, ASA 5508-X and 5516-X. See the instructions in the Cisco ASA and Firepower Threat Defense Reimage Guide. |
| Firepower Threat Defense Virtual (FTDv) | Any of: AWS: Amazon Web Services; Azure: Microsoft Azure; KVM: Kernel-based Virtual Machine; VMware vSphere/VMware ESXi 6.0, 6.5, or 6.7 | For supported instances, see the appropriate FTDv Getting Started guide. |

NGIPS/ASA FirePOWER Devices

Table 4: NGIPS/ASA FirePOWER in Version 6.6.0/6.6.x

| NGIPS Platform | OS/Hypervisor | Additional Details |
|---|---|---|
| ASA 5508-X, 5516-X; ISA 3000 | ASA 9.5(2) to 9.15(x) | There is wide compatibility between ASA and ASA FirePOWER versions. However, upgrading allows you to take advantage of new features and resolved issues. See the Cisco ASA Upgrade Guide for order of operations. You should also make sure you have the latest ROMMON image on the ISA 3000, ASA 5508-X and 5516-X. See the instructions in the Cisco ASA and Firepower Threat Defense Reimage Guide. |
| ASA 5525-X, 5545-X, 5555-X | ASA 9.5(2) to 9.14(x) | (Same details as the row above.) |
| NGIPSv | VMware vSphere/VMware ESXi 6.0, 6.5, or 6.7 | For supported instances, see the Cisco Firepower NGIPSv Quick Start Guide for VMware. |

Manager-Device Compatibility
Firepower Management Center
All Firepower devices support remote management with a Firepower Management Center (FMC), which can
manage multiple devices. The FMC must run the same or newer version as its managed devices. You cannot
upgrade a device past the FMC. Even for maintenance (third-digit) releases, you must upgrade the FMC first.
A newer FMC can manage older devices up to a few major versions back, as listed in the following table.
However, we recommend you always update your entire deployment. New features and resolved issues often
require the latest release on both the FMC and its managed devices.

Table 5: FMC-Device Compatibility

| FMC Version | Oldest Device Version You Can Manage |
|---|---|
| 6.7.0 or any 6.7.x maintenance release | 6.3.0 |
| 6.6.0 or any 6.6.x maintenance release | 6.2.3 |
| 6.5.0 | 6.2.3 |
| 6.4.0 | 6.1.0 |
| 6.3.0 | 6.1.0 |
| 6.2.3 | 6.1.0 |

Firepower Device Manager and Cisco Defense Orchestrator


As an alternative to an FMC, Firepower Threat Defense devices support FDM and CDO management:
• Firepower Device Manager (FDM) can manage a single FTD device.
FDM lets you configure the basic features of the software that are most commonly used for small or
mid-size networks.
• Cisco Defense Orchestrator (CDO) is cloud-based and can manage multiple FTD devices.
CDO allows you to establish and maintain consistent security policies across your deployment without
using an FMC. Although some configurations still require FDM, CDO allows you to establish and
maintain consistent security policies across multiple FTD devices.

All FTD devices support CDO concurrently with FDM local management. Because FDM is built into FTD,
and because CDO is a cloud-based product, there is no concept of manager-device compatibility in this type
of deployment.

Adaptive Security Device Manager


ASA with FirePOWER Services is an ASA firewall that runs Firepower NGIPS software as a separate
application, also called the ASA FirePOWER module. You can use Cisco Adaptive Security Device Manager
(ASDM) to manage both applications.

In most cases, newer ASDM versions are backwards compatible with all previous ASA versions. However,
there are some exceptions. For example, ASDM 7.13(1) can manage an ASA 5516-X on ASA 9.10(1). ASDM
7.13(1) and ASDM 7.14(1) did not support ASA 5512-X, 5515-X, 5585-X, and ASASM; you must upgrade
to ASDM 7.13(1.101) or 7.14(1.48) to restore ASDM support. For details, see Cisco ASA Compatibility.
A newer ASA FirePOWER module requires a newer version of ASDM, as listed in the following table.

Table 6: ASDM-ASA FirePOWER Compatibility

| ASA FirePOWER Version | Minimum ASDM Version |
|---|---|
| 6.7.0 or any 6.7.x maintenance release | 7.15.1 |
| 6.6.0 or any 6.6.x maintenance release | 7.14.1 |
| 6.5.0 | 7.13.1 |
| 6.4.0 | 7.12.1 |
| 6.3.0 | 7.10.1 |
| 6.2.3 | 7.9.2 |

Web Browser Compatibility


Browsers Tested with Firepower Web Interfaces
Firepower web interfaces are tested with the latest versions of the following popular browsers, running on
currently supported versions of macOS and Microsoft Windows:
• Google Chrome
• Mozilla Firefox
• Microsoft Internet Explorer 11 (Windows only)

If you encounter issues with any other browser, or are running an operating system that has reached end of
life, we ask that you switch or upgrade. If you continue to encounter issues, contact Cisco TAC.

Note: We do not perform extensive testing on this Firepower version with Apple Safari or Microsoft Edge, nor do
we test Microsoft Internet Explorer with FMC walkthroughs. However, Cisco TAC welcomes feedback on
issues you encounter.

Browser Settings and Extensions


Regardless of browser, you must make sure JavaScript, cookies, and TLS v1.2 remain enabled.
If you are using Microsoft Internet Explorer 11:
• For the Check for newer versions of stored pages browsing history option, choose Automatically.
• Disable the Include local directory path when uploading files to server custom security setting.
• Enable Compatibility View for the Firepower web interface IP address/URL.

Note that some browser extensions can prevent you from saving values in fields like the certificate and key
in PKI objects. These extensions include, but are not limited to, Grammarly and Whatfix Editor. This happens
because these extensions insert characters (such as HTML) in the fields, which causes the system to see them
as invalid. We recommend you disable these extensions while you’re logged into Firepower appliances.

Securing Communications
When you first log in to a Firepower web interface, the system uses a self-signed digital certificate to secure
web communications. Your browser should display an untrusted authority warning, but also should allow you
to add the certificate to the trust store. Although this will allow you to continue to the Firepower web interface,
we do recommend that you replace the self-signed certificate with a certificate signed by a globally known
or internally trusted certificate authority (CA).
To begin replacing the self-signed certificate:
• FMC: Select System > Configuration, then click HTTPS Certificates.
• FDM: Click Device, then the System Settings > Management Access link, then the Management Web
Server tab.

For detailed procedures, see the online help or the configuration guide for your Firepower product.

Note: If you do not replace the self-signed certificate:
• Google Chrome does not cache static content, such as images, CSS, or JavaScript. Especially in low
bandwidth environments, this can extend page load times.
• Mozilla Firefox can stop trusting the self-signed certificate when the browser updates. If this happens,
you can refresh Firefox, keeping in mind that you will lose some settings; see Mozilla's Refresh Firefox
support page.

Browsing from a Firepower-Monitored Network


Many browsers use Transport Layer Security (TLS) v1.3 by default. If you are using an SSL policy to handle
encrypted traffic, and people in your monitored network use browsers with TLS v1.3 enabled, websites that
support TLS v1.3 may fail to load.
For more information, see the software advisory titled: Failures loading websites using TLS 1.3 with SSL
inspection enabled.

Screen Resolution Requirements


Table 7: Screen Resolution Requirements for Firepower User Interfaces

| Interface | Resolution |
|---|---|
| Firepower Management Center | 1280 x 720 |
| Firepower Device Manager | 1024 x 768 |
| ASDM managing an ASA FirePOWER module | 1024 x 768 |
| Firepower Chassis Manager for Firepower 4100/9300 chassis | 1024 x 768 |

CHAPTER 3
Features and Functionality
Maintenance releases contain new features, functionality, and behavior changes related to urgent or resolved
issues.

Note: These release notes list the new and deprecated features in this series of maintenance releases, including
upgrade impact. If your upgrade skips versions, see the appropriate Cisco Firepower Release Notes for historical
feature information and upgrade impact.

• Features for Firepower Management Center Deployments
• Features for Firepower Device Manager Deployments
• About Deprecated FlexConfig Commands
• Intrusion Rules and Keywords
• How-To Walkthroughs for the FMC
• Sharing Data with Cisco

Features for Firepower Management Center Deployments

Note: Version 6.6.0/6.6.x is the last release to support the Cisco Firepower User Agent software as an identity source.
You cannot upgrade an FMC with user agent configurations to Version 6.7.0+. You should switch to Cisco
Identity Services Engine/Passive Identity Connector (ISE/ISE-PIC). This will also allow you to take advantage
of features that are not available with the user agent. To convert your license, contact Sales.
For more information, see the End-of-Life and End-of-Support for the Cisco Firepower User Agent
announcement and the Firepower User Identity: Migrating from User Agent to Identity Services Engine
TechNote.


New Features in FMC Version 6.6.3


Table 8:

Feature: Upgrades postpone scheduled tasks

Description: Upgrade impact.
Upgrades now postpone scheduled tasks. Any task scheduled to begin during
the upgrade will begin five minutes after the post-upgrade reboot.
Note: Before you begin any upgrade, you must still make sure running
tasks are complete. Tasks running when the upgrade begins are
stopped, become failed tasks, and cannot be resumed.
Note that this feature is supported for Firepower appliances running Version
6.6.3+. It is not supported for upgrades to Version 6.6.3, unless you are
upgrading from Version 6.4.0.10 or any later patch.

Feature: Appliance Configuration Resource Utilization health module

Description: Version 6.6.3 improves device memory management and introduces a new
health module: Appliance Configuration Resource Utilization.
This health module alerts when the size of your deployed configurations puts
the device at risk of running out of memory. If this happens, re-evaluate your
configurations. Most often you can reduce the number or complexity of access
control rules or intrusion policies. For information on best practices for access
control, see the Firepower Management Center Configuration Guide.
Note: To use this health module, you must upgrade both the FMC and its
devices to Version 6.6.3, then reapply health policies to the devices.
Although the upgrade process automatically adds and enables this
health module in all health policies, you must manually apply the
health policy before the module can start working.
This module is not supported in Version 6.7.0. Support will return in later
releases.


Deprecated Features in FMC Version 6.6.1


Table 9:

Feature: Custom intrusion rule import does not fail when rules collide

Upgrade Impact: None.

Description: In Version 6.6.0, the FMC began rejecting custom (local)
intrusion rule imports entirely if there were rule collisions.
Version 6.6.1 deprecates this feature, and returns to the
pre-Version 6.6.0 behavior of silently skipping the rules that
cause collisions.
Note that a collision occurs when you try to import an intrusion
rule that has the same SID/revision number as an existing rule.
You should always make sure that updated versions of custom
rules have new revision numbers. We recommend you read the
best practices for importing local intrusion rules in the Firepower
Management Center Configuration Guide.
Version 6.7.0 adds a warning for rule collisions in a later release.
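
Because Version 6.6.1 skips colliding rules without an error, an edited rule whose revision was not bumped is dropped silently on import. The following pre-import check is an added example, not Cisco code: it compares the SID/revision pairs in a rules file against an existing rule set. The function names and sample rules are constructed for illustration, and it assumes both rule sets are available as Snort rule text.

```python
import re

# Quoted option values (msg, content, pcre) can contain text that looks like
# "sid:1;", so they are blanked out before the real options are located.
_QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')
_SID = re.compile(r"[(;]\s*sid\s*:\s*(\d+)\s*;")
_REV = re.compile(r"[(;]\s*rev\s*:\s*(\d+)\s*;")


def _logical_lines(text):
    """Yield one rule per item, joining backslash-continued lines and
    dropping blank lines and '#' comments."""
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending += line[:-1].rstrip() + " "
            continue
        line, pending = (pending + line).strip(), ""
        if line and not line.startswith("#"):
            yield line


def parse_rules(text):
    """Return ({(sid, rev): normalized_rule}, [rules lacking sid or rev])."""
    rules, unparsed = {}, []
    for line in _logical_lines(text):
        bare = _QUOTED.sub('""', line)
        sid, rev = _SID.search(bare), _REV.search(bare)
        if not (sid and rev):
            # Assumption of this example: a rule without an explicit sid or
            # rev cannot be compared, so it is reported for manual review.
            unparsed.append(line)
            continue
        key = (int(sid.group(1)), int(rev.group(1)))
        rules[key] = " ".join(line.split())  # collapse whitespace for comparison
    return rules, unparsed


def check_import(existing_text, incoming_text):
    """Classify each incoming rule against the existing rule set.

    importable       - SID/revision pair not present yet
    identical        - same pair, same rule text (harmless skip)
    changed_same_rev - same pair, different text: the edit would be lost
    unparsed         - rules with no sid or no rev
    """
    existing, _ = parse_rules(existing_text)
    incoming, unparsed = parse_rules(incoming_text)
    report = {"importable": [], "identical": [],
              "changed_same_rev": [], "unparsed": unparsed}
    for key in sorted(incoming):
        if key not in existing:
            report["importable"].append(key)
        elif existing[key] == incoming[key]:
            report["identical"].append(key)
        else:
            report["changed_same_rev"].append(key)
    return report


# Constructed sample data (not taken from any real deployment).
EXISTING = r'''
alert tcp any any -> $HOME_NET 8080 (msg:"Local: admin path probe"; content:"/admin"; http_uri; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"Local: SSH banner"; content:"SSH-"; sid:1000002; rev:3;)
'''

INCOMING = r'''
# edited, but rev was not bumped: would be skipped on import
alert tcp any any -> $HOME_NET 8080 (msg:"Local: admin path probe"; content:"/admin/login"; http_uri; sid:1000001; rev:1;)
# unchanged copy (only spacing differs)
alert tcp any any ->   $HOME_NET 22 (msg:"Local: SSH banner"; content:"SSH-"; sid:1000002; rev:3;)
# edited and rev bumped, written across two lines, with a decoy sid in msg
alert tcp any any -> $HOME_NET 22 (msg:"Local: SSH banner v2; sid:9;"; \
    content:"SSH-2.0"; sid:1000002; rev:4;)
# no rev option at all
alert udp any any -> any 53 (msg:"Local: DNS test"; sid:1000003;)
'''

if __name__ == "__main__":
    for category, items in check_import(EXISTING, INCOMING).items():
        print(f"{category}: {items}")
```

Any entry under `changed_same_rev` is a rule that needs a new revision number before the file is imported.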

Features for Firepower Device Manager Deployments


There are no new or deprecated features for FDM deployments in Version 6.6.x maintenance releases.

About Deprecated FlexConfig Commands


This document lists deprecated FlexConfig objects and commands along with the other deprecated features
for each version. For a full list of prohibited commands, including those prohibited when FlexConfig was
introduced, see your configuration guide.

Caution: In most cases, your existing FlexConfig configurations continue to work post-upgrade and you can still deploy.
However, in some cases, using deprecated commands can cause deployment issues.

About FlexConfig
Some Firepower Threat Defense features are configured using ASA configuration commands. Beginning with
Version 6.2.0 (FMC deployments) or Version 6.2.3 (FDM deployments), you can use Smart CLI or FlexConfig
to manually configure various ASA features that are not otherwise supported in the web interface.
FTD upgrades can add GUI or Smart CLI support for features that you previously configured using FlexConfig.
This can deprecate FlexConfig commands that you are currently using; your configurations are not automatically
converted. After the upgrade, you cannot assign or create FlexConfig objects using the newly deprecated
commands.

After the upgrade, examine your FlexConfig policies and objects. If any contain commands that are now
deprecated, messages indicate the problem. We recommend you redo your configuration. When you are
satisfied with the new configuration, you can delete the problematic FlexConfig objects or commands.

Intrusion Rules and Keywords


Upgrades can import and auto-enable intrusion rules.
Intrusion rule updates (SRUs) provide new and updated intrusion rules and preprocessor rules, modified states
for existing rules, and modified default intrusion policy settings. If a newer intrusion rule uses keywords that
are not supported in your current Firepower version, that rule is not imported when you update the SRU.
After you upgrade the Firepower software and those keywords become supported, the new intrusion rules are
imported and, depending on your IPS configuration, can become auto-enabled and thus start generating events
and affecting traffic flow.
Supported keywords depend on the Snort version included with your Firepower software:
• FMC: Choose Help > About.
• FTD with FDM: Use the show summary CLI command.
• ASA FirePOWER with ASDM: Choose ASA FirePOWER Configuration > System Information.

You can also find your Snort version in the Bundled Components section of the Cisco Firepower Compatibility
Guide.
The Snort release notes contain details on new keywords. You can read the release notes on the Snort download
page: https://www.snort.org/downloads.

How-To Walkthroughs for the FMC


FMC walkthroughs (also called how-tos) guide you through a variety of basic tasks such as device setup and
policy configuration. Just click How To at the bottom of the browser window, choose a walkthrough, and
follow the step-by-step instructions.

Note: FMC walkthroughs are tested on the Firefox and Chrome browsers. If you encounter issues with a different
browser, we ask that you switch to Firefox or Chrome. If you continue to encounter issues, contact Cisco
TAC.

The following table lists some common problems and solutions. To end a walkthrough at any time, click the
x in the upper right corner.

Table 10: Troubleshooting Walkthroughs

Problem: Cannot find the How To link to start walkthroughs.
Solution: Make sure walkthroughs are enabled. From the drop-down list under
your username, select User Preferences then click How-To Settings.

Problem: Walkthrough appears when you do not expect it.
Solution: If a walkthrough appears when you do not expect it, end the walkthrough.

Problem: Walkthrough disappears or quits suddenly.
Solution: If a walkthrough disappears:
• Move your pointer.
Sometimes the FMC stops displaying an in-progress walkthrough.
For example, pointing to a different top-level menu can make this
happen.
• Navigate to a different page and try again.
If moving your pointer does not work, the walkthrough may have
quit.

Problem: Walkthrough is out of sync with the FMC:
• Starts on the wrong step.
• Advances prematurely.
• Will not advance.
Solution: If a walkthrough is out of sync, you can:
• Attempt to continue.
For example, if you enter an invalid value in a field and the FMC
displays an error, the walkthrough can prematurely move on. You
may need to go back and resolve the error to complete the task.
• End the walkthrough, navigate to a different page, and try again.
Sometimes you cannot continue. For example, if you do not click
Next after you complete a step, you may need to end the
walkthrough.

Sharing Data with Cisco


Some features involve sharing data with Cisco.

Web Analytics tracking


In Version 6.2.3+, Web analytics tracking sends non-personally-identifiable usage data to Cisco, including
but not limited to page interactions, browser versions, product versions, user location, and management IP
addresses or hostnames of your FMCs.
Web analytics tracking is on by default (and by accepting the Version 6.5.0+ EULA you consent to web
analytics tracking), but you can opt out at any time after you complete initial setup.

Note: Upgrades to Version 6.2.3 through 6.6.x can enable (or reenable) web analytics tracking. This can occur even
if your current setting is to opt out. If you do not want Cisco to collect this data, opt out after upgrading.
Upgrades to 6.7.0+ respect your current setting.


Cisco Success Network


In Version 6.2.3+, Cisco Success Network sends usage information and statistics to Cisco, which are essential
to provide you with technical support.
During initial setup and upgrades, you may be asked to accept or decline participation. You can also opt in
or out at any time.

Cisco Support Diagnostics (FMC only)


In Version 6.5.0+, Cisco Support Diagnostics (sometimes called Cisco Proactive Support) sends configuration
and operational health data to Cisco, and processes that data through our automated problem detection system,
allowing us to proactively notify you of issues. This feature also allows Cisco TAC to collect essential
information from your devices during the course of a TAC case.
During initial setup and upgrades, you may be asked to accept or decline participation. You can also opt in
or out at any time.

CHAPTER 4
Upgrade the Software
This chapter provides critical and release-specific information.
• Upgrade Checklist
• New Guidelines for Version 6.6.x
• Previously Published Guidelines
• Minimum Version to Upgrade
• Time Tests and Disk Space Requirements
• Traffic Flow, Inspection, and Device Behavior
• Upgrade Instructions
• Upgrade Packages

Upgrade Checklist
This checklist highlights actions that can prevent common upgrade issues. However, we still recommend you
refer to the appropriate upgrade or configuration guide for full instructions: Upgrade Instructions.

Important: At all times during the process, make sure that the appliances in your deployment are successfully
communicating and that there are no issues reported. Do not deploy changes to or from, manually reboot, or
shut down an upgrading appliance. Do not restart an upgrade in progress. The upgrade process may appear
inactive during prechecks; this is expected. If you encounter issues with the upgrade, including a failed upgrade
or unresponsive appliance, contact Cisco TAC.

Planning and Feasibility


Careful planning and preparation can help you avoid missteps.


Table 11:

✓ Action/Check

Assess your deployment.


Before you upgrade any Firepower appliance, determine the current state of your deployment.
Understanding where you are determines how you get to where you want to go.
In addition to current version and model information, determine if your devices are configured for high
availability/scalability, and if they are deployed passively, as an IPS, as a firewall, and so on.

Plan your upgrade path.


This is especially important for multi-appliance deployments, multi-hop upgrades, or situations where
you need to upgrade operating systems or hosting environments, all while maintaining deployment
compatibility.
Always know which upgrade you just performed and which you are performing next.
Note: In Firepower Management Center deployments, you usually upgrade the FMC, then its
managed devices. However, in some cases you may need to upgrade devices first.

Read all upgrade guidelines and plan configuration changes.


Especially with major upgrades, upgrading may cause or require significant configuration changes
either before or after upgrade.
Upgrade guidelines can appear in multiple places. Make sure you read them all. They include:
• New Guidelines for Version 6.6.x: Important upgrade guidelines that are new or specific to this release.
• Previously Published Guidelines: Older guidelines that may apply to your upgrade.
• Known Issues: Be prepared to work around any bugs that affect upgrade.
• Features and Functionality: New and deprecated features can require pre- or post-upgrade configuration changes, or even prevent upgrade.

Important: If your upgrade skips versions, you may also be directed to older release notes or other
resources for historical guidelines and upgrade impact.

Check appliance access.


Firepower devices can stop passing traffic during the upgrade (depending on interface configurations),
or if the upgrade fails. Before you upgrade a Firepower device, make sure traffic from your location
does not have to traverse the device itself to access the device's management interface. In FMC
deployments, you should also be able to access the FMC management interface without traversing the
device.

Check bandwidth.
Make sure your management network has the bandwidth to perform large data transfers.
In FMC deployments, if you transfer an upgrade package to a managed device at the time of upgrade,
insufficient bandwidth can extend upgrade time or even cause the upgrade to time out. Whenever
possible, copy upgrade packages to managed devices before you initiate the device upgrade.
See Guidelines for Downloading Data from the Firepower Management Center to Managed Devices
(Troubleshooting TechNote).

Schedule maintenance windows.


Schedule maintenance windows when they will have the least impact, considering the tasks you must
perform, any effect on traffic flow and inspection, and the time the upgrade is likely to take.

Upgrade Packages
To upgrade Firepower software, the upgrade package must be on the appliance. Upgrade packages are available
for download on the Cisco Support & Download site.

Table 12:

✓ Action/Check

Upload upgrade packages.


In FMC deployments, upload FMC and all Classic device (ASA FirePOWER, NGIPSv) upgrade
packages to the FMC. For FTD devices, you can either upload upgrade packages to the FMC, or
configure your own internal web server as the source for FTD upgrade packages.
We then recommend you copy packages to managed devices before you initiate the device upgrade.
For the Firepower 4100/9300, we strongly recommend (and sometimes require) you do this before you
begin the required companion FXOS upgrade.

Backups
The ability to recover from a disaster is an essential part of any system maintenance plan.

Table 13:

✓ Action/Check

Perform backups.
Back up before and after upgrade, when supported:
• Before upgrade: If an upgrade fails catastrophically, you may have to reimage and restore.
Reimaging returns most settings to factory defaults, including the system password. If you have
a recent backup, you can return to normal operations more quickly.
• After upgrade: This creates a snapshot of your freshly upgraded deployment. In FMC deployments,
we recommend you back up the FMC after you upgrade its managed devices, so your new FMC
backup file 'knows' that its devices have been upgraded.

Caution: We strongly recommend you back up to a secure remote location and verify transfer success.
Backups left on an appliance may be deleted, either manually or by the upgrade process,
which purges locally stored backups. Because backup files are unencrypted, do not allow
unauthorized access to them. If backup files are modified, the restore process will fail.

Backup and restore can be a complex process. You do not want to skip any steps or ignore security or
licensing concerns. For detailed information on requirements, guidelines, limitations, and best practices
for backup and restore, see the configuration guide for your Firepower product.

Associated Upgrades
Because operating system and hosting environment upgrades can affect traffic flow and inspection, perform
them in a maintenance window.

Table 14:

✓ Action/Check

Upgrade FXOS on the Firepower 4100/9300.


If needed, upgrade FXOS before you upgrade the Firepower software. This is usually a requirement
for major upgrades, but very rarely for maintenance releases and patches. To avoid interruptions in
traffic flow and inspection, upgrade FXOS in FTD high availability pairs and inter-chassis clusters one
chassis at a time.

Upgrade ASA on ASA with FirePOWER Services.


If desired, upgrade ASA. There is wide compatibility between ASA and ASA FirePOWER versions.
However, upgrading allows you to take advantage of new features and resolved issues.
For standalone ASA devices, upgrade the ASA FirePOWER module just after you upgrade ASA and
reload.
For ASA clusters and failover pairs, to avoid interruptions in traffic flow and inspection, fully upgrade
these devices one at a time. Upgrade the ASA FirePOWER module just before you reload each unit to
upgrade ASA.

Final Checks
A set of final checks ensures you are ready to upgrade the Firepower software.

Table 15:

✓ Action/Check

Check configurations.
Make sure you have made any required pre-upgrade configuration changes, and are prepared to make
required post-upgrade configuration changes.

Check NTP synchronization.


Make sure Firepower appliances are synchronized with any NTP server you are using to serve time.
Being out of sync can cause upgrade failure. In FMC deployments, the Time Synchronization Status
health module does alert if clocks are out of sync by more than 10 seconds, but you should still check
manually.
To check time:
• FMC: Choose System > Configuration > Time.
• Devices: Use the show time CLI command.

Check disk space.


Run a disk space check for the Firepower software upgrade. Without enough free disk space, the upgrade
fails.

Deploy configurations.
Deploying configurations before you upgrade reduces the chance of failure.

Check running tasks.


Make sure essential tasks are complete before you upgrade, including the final deploy. Tasks running
when the upgrade begins are stopped, become failed tasks, and cannot be resumed. We also recommend
you check for tasks that are scheduled to run during the upgrade, and cancel or postpone them.
Note: In some deployments, upgrades automatically postpone scheduled tasks. Any task scheduled
to begin during the upgrade will begin five minutes after the post-upgrade reboot.
This feature is currently supported for FMCs running Version 6.4.0.10 and later patches,
Version 6.6.3 and later maintenance releases, and Version 6.7.0+. Note that this feature is
supported for all upgrades from a supported version. This feature is not supported for upgrades
to a supported version from an unsupported version.

Run Firepower software readiness checks.


We recommend readiness checks, when supported. Readiness checks assess your preparedness for a
Firepower software upgrade.

New Guidelines for Version 6.6.x


There are no upgrade guidelines that apply specifically to Version 6.6.x maintenance releases.

Previously Published Guidelines


This checklist contains upgrade guidelines that are new or specific to Version 6.6.0. Review these guidelines
if you are currently running Version 6.2.3 through 6.5.0.

Table 16: Version 6.6.0 New Guidelines

Guideline | Platforms | Upgrading From | Directly To
FMCv Requires 28 GB RAM for Upgrade | FMCv | 6.2.3 through 6.5.0.x | 6.6.0+

This checklist contains older upgrade guidelines. Review these guidelines if you are currently running Version
6.2.3 through 6.4.0.

Table 17: Version 6.6.0 Previously Published Guidelines

Guideline | Platforms | Upgrading From | Directly To
Firepower 1000 Series Devices Require Post-Upgrade Power Cycle | Firepower 1000 series | 6.4.0.x | 6.5.0+
Historical Data Removed During FTD/FDM Upgrade | FTD with FDM | 6.2.3 through 6.4.0.x | 6.5.0+
New URL Categories and Reputations | Any | 6.2.3 through 6.4.0.x | 6.5.0+
TLS Crypto Acceleration Enabled/Cannot Disable | Firepower 2100 series; Firepower 4100/9300 | 6.2.3 through 6.3.0.x | 6.4.0+
Readiness Check May Fail on FMC, NGIPSv | FMC; NGIPSv | 6.1.0 through 6.1.0.6; 6.2.0 through 6.2.0.6; 6.2.1; 6.2.2 through 6.2.2.4; 6.2.3 through 6.2.3.4 | 6.3.0+
RA VPN Default Setting Change Can Block VPN Traffic | FTD with FMC | 6.2.0 through 6.2.3.x | 6.3.0+
Security Intelligence Enables Application Identification | FMC deployments | 6.1.0 through 6.2.3.x | 6.3.0+
Update VDB after Upgrade to Enable CIP Detection | Any | 6.1.0 through 6.2.3.x | 6.3.0+
Invalid Intrusion Variable Sets Can Cause Deploy Failure | Any | 6.1.0 through 6.2.3.x | 6.3.0+

FMCv Requires 28 GB RAM for Upgrade


Deployments: FMCv
Upgrading from: Version 6.2.3 through 6.5.0.x
Directly to: Version 6.6.0+
All FMCv implementations now have the same RAM requirements: 32 GB recommended, 28 GB required
(64 GB for FMCv 300). Upgrades to Version 6.6.0+ will fail if you allocate less than 28 GB to the virtual
appliance. After upgrade, the health monitor will alert if you lower the memory allocation.
These new memory requirements enforce uniform requirements across all virtual environments, improve
performance, and allow you to take advantage of new features and functionality. We recommend you do not
decrease the default settings. To improve performance, you can increase a virtual appliance’s memory and
number of CPUs, depending on your available resources. For details on FMCv memory requirements, see the
Cisco Firepower Management Center Virtual Getting Started Guide.

Note: As of the Version 6.6.0 release, lower-memory instance types for cloud-based FMCv deployments (AWS,
Azure) are fully deprecated. You cannot create new FMCv instances using them, even for earlier Firepower
versions. You can continue running existing instances.

This table summarizes pre-upgrade requirements for lower-memory FMCv deployments.

Table 18: FMCv Memory Requirements for Version 6.6.0+ Upgrades

Platform: VMware
Pre-Upgrade Action: Allocate 28 GB minimum/32 GB recommended.
Details: Power off the virtual machine first. For instructions, see the VMware documentation.

Platform: KVM
Pre-Upgrade Action: Allocate 28 GB minimum/32 GB recommended.
Details: For instructions, see the documentation for your KVM environment.

Platform: AWS
Pre-Upgrade Action: Resize instances:
• From c3.xlarge to c3.4xlarge.
• From c3.2xlarge to c3.4xlarge.
• From c4.xlarge to c4.4xlarge.
• From c4.2xlarge to c4.4xlarge.
We also offer a c5.4xlarge instance for new deployments.
Details: Stop the instance before you resize. Note that when you do this, data on the instance store
volume is lost, so migrate your instance store-backed instance first. Additionally, if your
management interface does not have an Elastic IP address, its public IP address is released.
For instructions, see the documentation on changing your instance type in the AWS user
guide for Linux instances.

Platform: Azure
Pre-Upgrade Action: Resize instances:
• From Standard_D3_v2 to Standard_D4_v2.
Details: Use the Azure portal or PowerShell. You do not need to stop the instance before you resize, but
stopping may reveal additional sizes. Resizing restarts a running virtual machine.
For instructions, see the Azure documentation on resizing a Windows VM.

Firepower 1000 Series Devices Require Post-Upgrade Power Cycle


Deployments: Firepower 1000 series
Upgrading from: Version 6.4.0.x
Directly to: Version 6.5.0+
Version 6.5.0 introduces an FXOS CLI 'secure erase' feature for Firepower 1000/2100 and Firepower 4100/9300
series devices.
For Firepower 1000 series devices, you must power cycle the device after you upgrade to Version 6.5.0+ for
this feature to work properly. The automatic reboot is not sufficient. Other supported devices do not require
the power cycle.

Historical Data Removed During FTD/FDM Upgrade


Deployments: Firepower Device Manager
Upgrading from: Version 6.2.3 through 6.4.x
Directly to: 6.5.0+
All historical report data is removed during the upgrade due to a database schema change. After the upgrade,
you cannot query historical data, nor view historical data in dashboards.

New URL Categories and Reputations


Deployments: Any
Upgrading from: Version 6.2.3 through 6.4.0.x
Directly to: Version 6.5.0+

Cisco Talos Intelligence Group (Talos) has introduced new categories and renamed reputations to classify
and filter URLs. For detailed lists of category changes, see the Cisco Firepower Release Notes, Version 6.5.0.
For descriptions of the new URL categories, see the Talos Intelligence Categories site.
Also new are the concepts of uncategorized and reputationless URLs, although rule configuration options
stay the same:
• Uncategorized URLs can have a Questionable, Neutral, Favorable, or Trusted reputation.
You can filter Uncategorized URLs but you cannot further constrain by reputation. These rules will
match all uncategorized URLs, regardless of reputation.
Note that there is no such thing as an Untrusted rule with no category. Otherwise uncategorized URLs
with an Untrusted reputation are automatically assigned to the new Malicious Sites threat category.
• Reputationless URLs can belong to any category.
You cannot filter reputationless URLs. There is no option in the rule editor for 'no reputation.' However,
you can filter URLs with Any reputation, which includes reputationless URLs. These URLs must also
be constrained by category. There is no utility to an Any/Any rule.

The following table summarizes the changes on upgrade. Although they are designed for minimal impact and
will not prevent post-upgrade deploy for most customers, we strongly recommend you review these release
notes and your current URL filtering configuration. Careful planning and preparation can help you avoid
missteps, as well as reduce the time you spend troubleshooting post-upgrade.

Table 19: Deployment Changes on Upgrade

Change: Modifies URL rule categories.
Details: The upgrade modifies URL rules to use the nearest equivalents in the new category
set, in the following policies:
• Access control
• SSL
• QoS (FMC only)
• Correlation (FMC only)
These changes may create redundant or preempted rules, which can slow
performance. If your configuration includes merged categories, you may
experience minor changes to the URLs that are allowed or blocked.

Change: Renames URL rule reputations.
Details: The upgrade modifies URL rules to use the new reputation names:
1. Untrusted (was High Risk)
2. Questionable (was Suspicious sites)
3. Neutral (was Benign sites with security risks)
4. Favorable (was Benign sites)
5. Trusted (was Well Known)

Change: Clears the URL cache.
Details: The upgrade clears the URL cache, which contains results that the system
previously looked up in the cloud. Your users may temporarily experience slightly
longer access times for URLs that are not in the local data set.

Change: Labels 'legacy' events.
Details: For already-logged events, the upgrade labels any associated URL category and
reputation information as Legacy. These legacy events will age out of the
database over time.

Pre-Upgrade Actions for URL Categories and Reputations


Before upgrade, take the following actions.

Table 20: Pre-Upgrade Actions

Action: Make sure your appliances can reach Talos resources.
Details: The system must be able to communicate with the following Cisco resources
after the upgrade:
• https://regsvc.sco.cisco.com/ — Registration
• https://est.sco.cisco.com/ — Obtain certificates for secure communications
• https://updates-talos.sco.cisco.com/ — Obtain client/server manifests
• http://updates.ironport.com/ — Download database (note: uses port 80)
• https://v3.sds.cisco.com/ — Cloud queries

The cloud query service also uses the following IP address blocks:
• IPv4 cloud queries:
  • 146.112.62.0/24
  • 146.112.63.0/24
  • 146.112.255.0/24
  • 146.112.59.0/24
• IPv6 cloud queries:
  • 2a04:e4c7:ffff::/48
  • 2a04:e4c7:fffe::/48

Action: Identify potential rule issues.
Details: Understand the upcoming changes. Examine your current URL filtering
configuration and determine what post-upgrade actions you will need to take (see
the next section).
Note: You may want to modify URL rules that use deprecated categories
now. Otherwise, rules that use them will prevent deploy after the
upgrade.
In FMC deployments, we recommend you generate an access control policy
report, which provides details on the policy's current saved configuration,
including access control rules and rules in subordinate policies (such as SSL).
For each URL rule, you can see the current categories, reputations, and associated
rule actions. On the FMC, choose Policies > Access Control, then click the
report icon next to the appropriate policy.

Post-Upgrade Actions for URL Categories and Reputations


After upgrade, you should reexamine your URL filtering configuration and take the following actions as soon
as possible. Depending on deployment type and the changes made by the upgrade, some — but not all —
issues may be marked in the GUI. For example, in access control policies on FMC/FDM, you can click Show
Warnings (FMC) or Show Problem Rules (FDM).

Table 21: Post-Upgrade Actions

Action: Remove deprecated categories from rules.
Details: The upgrade does not modify URL rules that use deprecated categories.
Required. Rules that use them will prevent deploy.
On the FMC, these rules are marked.

Action: Create or modify rules to include the new categories.
Details: Most of the new categories identify threats. We strongly recommend
you use them.
On the FMC, these new categories are not marked after this upgrade,
but Talos may add additional categories in the future. When that happens,
new categories are marked.

Action: Evaluate rules changed as a result of merged categories.
Details: Each rule that included any of the affected categories now includes all
of the affected categories. If the original categories were associated with
different reputations, the new rule is associated with the broader, more
inclusive reputation. To filter URLs as before, you may have to modify
or delete some configurations; see Guidelines for Rules with Merged
URL Categories.
Depending on what changed and how your platform handles rule
warnings, changes may be marked. For example, the FMC marks wholly
redundant and wholly preempted rules, but not rules that have partial
overlap.

Action: Evaluate rules changed as a result of split categories.
Details: The upgrade replaces each old, single category in URL rules with all
the new categories that map to the old one. This will not change the way
you filter URLs, but you can modify affected rules to take advantage of
the new granularity.
These changes are not marked.

Action: Understand which categories were renamed or are unchanged.
Details: Although no action is required, you should be aware of these changes.
These changes are not marked.

Action: Evaluate how you handle uncategorized and reputationless URLs.
Details: Even though it is now possible to have uncategorized and reputationless
URLs, you still cannot filter uncategorized URLs by reputation,
nor can you filter reputationless URLs.
Make sure that rules that filter by the Uncategorized category, or by
Any reputation, will behave as you expect.

Guidelines for Rules with Merged URL Categories


When you examine your URL filtering configuration before the upgrade, determine which of the following
scenarios and guidelines apply to you. This will ensure that your post-upgrade configuration is as you expect,
and that you can take quick action to resolve any issues.

Table 22: Guidelines for Rules with Merged URL Categories

Guideline: Rule Order Determines Which Rule Matches Traffic
Details: When considering rules that include the same category, remember that traffic
matches the first rule in the list that includes the condition.

Guideline: Categories in the Same Rule vs Categories in Different Rules
Details: Merging categories in a single rule will merge into a single category in the
rule. For example, if Category A and Category B are merging to become
Category AB, and you have a rule with both Category A and Category B, then
after merge the rule will have a single Category AB.
Merging categories in different rules will result in separate rules with the same
category in each rule after the merge. For example, if Category A and Category
B are merging to become Category AB, and you have Rule 1 with Category
A and Rule 2 with Category B, then after merge Rule 1 and Rule 2 will each
include Category AB. How you choose to resolve this situation depends on
the rule order, on the actions and reputation levels associated with the rules,
on the other URL categories included in the rule, and on the non-URL
conditions that are included in the rule.

Guideline: Associated Action
Details: If merged categories in different rules were associated with different actions,
then after merge you may have two or more rules with different actions for the
same category.

Guideline: Associated Reputation Level
Details: If a single rule includes categories that were associated with different reputation
levels before merging, the merged category will be associated with the more
inclusive reputation level. For example, if Category A was associated in a
particular rule with Any reputation and Category B was associated in the
same rule with reputation level 3 - Benign sites with security risks, then after
merge Category AB in that rule will be associated with Any reputation.

Guideline: Duplicate and Redundant Categories and Rules
Details: After merge, different rules may have the same category associated with
different actions and reputation levels.
Redundant rules may not be exact duplicates, but they may no longer match
traffic if another rule earlier in the rule order matches instead. For example, if
you have pre-merge Rule 1 with Category A that applies to Any Reputation,
and Rule 2 with Category B that applies only to Reputation 1-3, then after
merge, both Rule 1 and Rule 2 will have Category AB, but Rule 2 will never
match if Rule 1 is higher in the rule order.
On the FMC, rules with an identical category and reputation will show a
warning. However, these warnings will not indicate rules that include the same
category but a different reputation.
Caution: Consider all conditions in the rule when determining how to resolve
duplicate or redundant categories.

Guideline: Other URL Categories in a Rule
Details: Rules with merged URLs may also include other URL categories. Therefore,
if a particular category is duplicated after merge, you may want to modify
rather than delete these rules.

Guideline: Non-URL Conditions in a Rule
Details: Rules with merged URL categories may also include other rule conditions,
such as application conditions. Therefore, if a particular category is duplicated
after merge, you may want to modify rather than delete these rules.

The examples in the following table use Category A and Category B, now merged into Category AB. In
two-rule examples, Rule 1 comes before Rule 2.

Table 23: Examples of Rules with Merged URL Categories

Scenario: Merged categories in the same rule
Before Upgrade: Rule 1 has Category A and Category B.
After Upgrade: Rule 1 has Category AB.

Scenario: Merged categories in different rules
Before Upgrade: Rule 1 has Category A. Rule 2 has Category B.
After Upgrade: Rule 1 has Category AB. Rule 2 has Category AB.
The specific result varies by the rules' order in the list, reputation levels, and associated
actions. You should also consider all other conditions in the rule when determining
how to resolve any redundancy.

Scenario: Merged categories in different rules have different actions (Reputation is the same)
Before Upgrade: Rule 1 has Category A set to Allow. Rule 2 has Category B set to Block.
(Reputation is the same)
After Upgrade: Rule 1 has Category AB set to Allow. Rule 2 has Category AB set to Block.
Rule 1 will match all traffic for this category.
Rule 2 will never match traffic, and will display a warning indicator if you show
warnings after merge, because both category and reputation are the same.

Scenario: Merged categories in the same rule have different reputation levels
Before Upgrade: Rule 1 includes:
Category A with Reputation Any
Category B with Reputation 1-3
After Upgrade: Rule 1 includes Category AB with Reputation Any.

Scenario: Merged categories in different rules have different reputation levels
Before Upgrade: Rule 1 includes Category A with Reputation Any. Rule 2 includes Category B with
Reputation 1-3.
After Upgrade: Rule 1 includes Category AB with Reputation Any. Rule 2 includes Category AB with
Reputation 1-3.
Rule 1 will match all traffic for this category.
Rule 2 will never match traffic, but you will not see a warning indicator because
the reputations are not identical.
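
The merge scenarios above, worked through as an added Python example (not Cisco code and not part of the original release notes). Category A, Category B and Category AB are the page's own placeholders; the Rule class, the value 0 standing for "no reputation", and the warning model are simplifying assumptions that cover only URL category and reputation conditions.

```python
from dataclasses import dataclass

# Placeholder merge map using the page's example names, not real Talos categories.
MERGES = {"Category A": "Category AB", "Category B": "Category AB"}

# Reputation levels 1 (Untrusted) to 5 (Trusted). 0 is an assumed marker for
# "no reputation"; per the page, Any reputation includes reputationless URLs.
ANY = frozenset(range(0, 6))


def levels(low, high):
    """Reputation levels low..high inclusive, for example levels(1, 3)."""
    return frozenset(range(low, high + 1))


@dataclass
class Rule:
    name: str
    action: str
    url: dict                       # category name -> frozenset of reputation levels
    other_conditions: bool = False  # True if the rule also has non-URL conditions


def merge_rule(rule, merges=MERGES):
    """Rewrite one rule as the page describes the upgrade: merged categories
    collapse into one and keep the more inclusive reputation."""
    merged = {}
    for category, reps in rule.url.items():
        target = merges.get(category, category)
        merged[target] = merged.get(target, frozenset()) | reps
    return Rule(rule.name, rule.action, merged, rule.other_conditions)


def find_preempted(rules):
    """Walk rules in order and report rules whose URL conditions are already
    matched by earlier rules. Earlier rules that carry non-URL conditions are
    skipped because they only match part of the traffic."""
    findings = []
    for index, rule in enumerate(rules):
        earlier = [r for r in rules[:index] if not r.other_conditions]
        covered, overlapping, identical = [], [], []
        for category, reps in rule.url.items():
            seen = frozenset()
            for prev in earlier:
                prev_reps = prev.url.get(category)
                if prev_reps is None or not (prev_reps & reps):
                    continue
                seen |= prev_reps
                if prev.name not in overlapping:
                    overlapping.append(prev.name)
                if prev_reps == reps:
                    identical.append(category)
            if reps <= seen:
                covered.append(category)
        if not covered:
            continue
        wholly = len(covered) == len(rule.url)
        findings.append({
            "rule": rule.name,
            "status": "wholly preempted" if wholly else "partly preempted",
            "earlier_rules": overlapping,
            # Page: the FMC warns on identical category and reputation only,
            # and does not mark partial overlap.
            "fmc_warning_expected": wholly and set(identical) == set(rule.url),
        })
    return findings


def after_upgrade(rules, merges=MERGES):
    """Apply the merge to every rule, then look for preempted rules."""
    return find_preempted([merge_rule(r, merges) for r in rules])


if __name__ == "__main__":
    # Constructed policy: the "different reputation levels" scenario.
    policy = [
        Rule("Rule 1", "Allow", {"Category A": ANY}),
        Rule("Rule 2", "Block", {"Category B": levels(1, 3)}),
    ]
    for finding in after_upgrade(policy):
        print(finding)
```

Rules reported with fmc_warning_expected set to False are the ones to review by hand, since the page states that the FMC does not flag them.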

TLS Crypto Acceleration Enabled/Cannot Disable


Deployments: Firepower 2100 series, Firepower 4100/9300 chassis
Upgrading from: Version 6.1.0 through 6.3.x
Directly to: Version 6.4.0+
SSL hardware acceleration has been renamed TLS crypto acceleration.
Depending on the device, TLS crypto acceleration might be performed in software or in hardware. The upgrade
automatically enables acceleration on all eligible devices, even if you previously disabled the feature manually.
In most cases you cannot configure this feature; it is automatically enabled and you cannot disable it.
Upgrading to Version 6.4.0: If you are using the multi-instance capability of the Firepower 4100/9300 chassis,
you can use the FXOS CLI to enable TLS crypto acceleration for one container instance per module/security
engine. Acceleration is disabled for other container instances, but enabled for native instances.
Upgrading to Version 6.5.0+: If you are using the multi-instance capability of the Firepower 4100/9300
chassis, you can use the FXOS CLI to enable TLS crypto acceleration for multiple container instances (up to
16) on a Firepower 4100/9300 chassis. New instances have this feature enabled by default. However, the
upgrade does not enable acceleration on existing instances. Instead, use the config hwCrypto enable CLI
command.

Readiness Check May Fail on FMC, NGIPSv


Deployments: FMC, NGIPSv
Upgrading from: Version 6.1.0 through 6.1.0.6, Version 6.2.0 through 6.2.0.6, Version 6.2.1, Version 6.2.2
through 6.2.2.4, and Version 6.2.3 through 6.2.3.4
Directly to: Version 6.3.0+
You cannot run the readiness check on the listed models when upgrading from one of the listed Firepower
versions. This occurs because the readiness check process is incompatible with newer upgrade packages.

Table 24: Patches with Readiness Checks for Version 6.3.0+

Readiness Check Not Supported | First Patch with Fix
6.1.0 through 6.1.0.6 | 6.1.0.7
6.2.0 through 6.2.0.6 | 6.2.0.7
6.2.1 | None. Upgrade to Version 6.2.3.5+.
6.2.2 through 6.2.2.4 | 6.2.2.5
6.2.3 through 6.2.3.4 | 6.2.3.5

RA VPN Default Setting Change Can Block VPN Traffic


Deployments: Firepower Threat Defense configured for remote access VPN
Upgrading from: Version 6.2.x
Directly to: Version 6.3+
Version 6.3 changes the default setting for a hidden option, sysopt connection permit-vpn. Upgrading can
cause your remote access VPN to stop passing traffic. If this happens, use either of these techniques:
• Create a FlexConfig object that configures the sysopt connection permit-vpn command. The new default
for this command is no sysopt connection permit-vpn.
This is the more secure method to allow traffic in the VPN, because external users cannot spoof IP
addresses in the remote access VPN address pool. The downside is that the VPN traffic will not be
inspected, which means that intrusion and file protection, URL filtering, or other advanced features will
not be applied to the traffic.
• Create access control rules to allow connections from the remote access VPN address pool.
This method ensures that VPN traffic is inspected and advanced services can be applied to the connections.
The downside is that it opens the possibility for external users to spoof IP addresses and thus gain access
to your internal network.

Security Intelligence Enables Application Identification


Deployments: Firepower Management Center
Upgrading from: Version 6.1 through 6.2.3.x
Directly to: Version 6.3+
In Version 6.3, Security Intelligence configurations enable application detection and identification. If you
disabled discovery in your current deployment, the upgrade process may enable it again. Disabling discovery
if you don't need it (for example, in an IPS-only deployment) can improve performance.
To disable discovery you must:
• Delete all rules from your network discovery policy.
• Use only simple network-based conditions to perform access control: zone, IP address, VLAN tag, and
port. Do not perform any kind of application, user, URL, or geolocation control.
• (NEW) Disable network and URL-based Security Intelligence by deleting all whitelists and blacklists
from your access control policy's Security Intelligence configuration, including the default Global lists.
• (NEW) Disable DNS-based Security Intelligence by deleting or disabling all rules in the associated DNS
policy, including the default Global Whitelist for DNS and Global Blacklist for DNS rules.

Update VDB after Upgrade to Enable CIP Detection


Deployments: Any
Upgrading from: Version 6.1.0 through 6.2.3.x, with VDB 299+
Directly to: Version 6.3.0+
If you upgrade while using vulnerability database (VDB) 299 or later, an issue with the upgrade process
prevents you from using CIP detection post-upgrade. This includes every VDB released from June 2018 to
now, even the latest VDB.
Although we always recommend you update the vulnerability database (VDB) to the latest version after you
upgrade, it is especially important in this case.
To check if you are affected by this issue, try to configure an access control rule with a CIP-based application
condition. If you cannot find any CIP applications in the rule editor, manually update the VDB.

Invalid Intrusion Variable Sets Can Cause Deploy Failure


Deployments: Any
Upgrading from: Version 6.1 through 6.2.3.x
Directly to: Version 6.3.0+
For network variables in an intrusion variable set, any IP addresses you exclude must be a subset of the IP
addresses you include. This table shows you examples of valid and invalid configurations.

| Valid | Invalid |
|---|---|
| Include: 10.0.0.0/8 | Include: 10.1.0.0/16 |
| Exclude: 10.1.0.0/16 | Exclude: 172.16.0.0/12 |
| | Exclude: 10.0.0.0/8 |


Before Version 6.3.0, you could successfully save a network variable with this type of invalid configuration.
Now, these configurations block deploy with the error: Variable set has invalid excluded
values.
If this happens, identify and edit the incorrectly configured variable set, then redeploy. Note that you may
have to edit network objects and groups referenced by your variable set.
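
To find offending variables before a deploy fails, the subset rule above can be checked offline. This is an added example, not Cisco code: the function names and the dictionary layout of the exported variable set are hypothetical, and merging adjacent include blocks before the comparison is an assumption about how "subset" is evaluated.

```python
import ipaddress


def invalid_excludes(includes, excludes):
    """Return the excluded networks that are not fully inside the included ones.

    Implements the rule from the release notes: every excluded address must
    also be an included address. An empty result means the variable passes.
    Assumption of this sketch: an empty include list covers nothing.
    """
    include_nets = [ipaddress.ip_network(n, strict=False) for n in includes]
    offending = []
    for text in excludes:
        exclude_net = ipaddress.ip_network(text, strict=False)
        # Compare only within one address family; subnet_of() raises
        # TypeError when IPv4 and IPv6 networks are mixed.
        same_family = [n for n in include_nets if n.version == exclude_net.version]
        # Merge adjacent or overlapping includes so an exclude that spans two
        # neighbouring include blocks is still recognised as covered.
        merged = ipaddress.collapse_addresses(same_family)
        if not any(exclude_net.subnet_of(block) for block in merged):
            offending.append(text)
    return offending


def audit_variable_set(variable_set):
    """Map variable name -> offending excludes, listing failing variables only."""
    report = {}
    for name, spec in variable_set.items():
        bad = invalid_excludes(spec.get("include", []), spec.get("exclude", []))
        if bad:
            report[name] = bad
    return report


# Constructed sample data. TABLE_VALID and TABLE_INVALID carry the two columns
# of the table above; the variable names and the other entries are made up.
SAMPLE_VARIABLE_SET = {
    "TABLE_VALID": {"include": ["10.0.0.0/8"], "exclude": ["10.1.0.0/16"]},
    "TABLE_INVALID": {
        "include": ["10.1.0.0/16"],
        "exclude": ["172.16.0.0/12", "10.0.0.0/8"],
    },
    "SPLIT_INCLUDE": {
        "include": ["192.168.0.0/25", "192.168.0.128/25"],
        "exclude": ["192.168.0.0/24"],
    },
    "MIXED_FAMILY": {"include": ["10.0.0.0/8"], "exclude": ["2001:db8::/32"]},
}


if __name__ == "__main__":
    for name, bad in audit_variable_set(SAMPLE_VARIABLE_SET).items():
        print(f"{name}: excluded but not included: {', '.join(bad)}")
```

If the variable set references network objects or groups, expand them to their CIDR members before running the check, since those are the values the rule applies to.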

Minimum Version to Upgrade


You can upgrade directly to Version 6.6.x as follows. You do not need to be running any specific maintenance
release or patch level.

Table 25: Minimum Version to Upgrade Firepower Software to Version 6.6.x

| Platform | Minimum Version |
|---|---|
| Firepower Management Center | 6.2.3 |
| Firepower devices with FMC | 6.2.3. FXOS 2.8.1.105 or later build required for Firepower 4100/9300. |
| Firepower devices with FDM | 6.2.3 |
| ASA FirePOWER with ASDM | 6.3.0. Due to CSCvu50400, you should not upgrade ASA FirePOWER with ASDM directly from Version 6.2.3.x to 6.6.0. Although the upgrade will succeed, you will experience significant performance issues and must contact Cisco TAC for a fix. You should instead upgrade to any intermediate release, then to Version 6.6.0. Or, you can upgrade directly from Version 6.2.3.x → Version 6.6.1 or any other Version 6.6.x maintenance release. |

Time Tests and Disk Space Requirements


To upgrade a Firepower appliance, you must have enough free disk space or the upgrade fails. When you use
the Firepower Management Center to upgrade a managed device, the FMC requires additional disk space for
the device upgrade package (unless you configure an internal web server where your devices can get the
package; requires FTD Version 6.6.0+).
You must also have enough time to perform the upgrade.
We provide reports of in-house time and disk space tests for reference purposes.

About Time Tests


Time values are based on in-house tests.
Although we report the slowest time of all upgrades tested for a particular platform/series, your upgrade will
likely take longer than the provided times for multiple reasons, as follows.


Table 26: Time Test Conditions

| Condition | Details |
|---|---|
| Deployment | Values are from tests in a Firepower Management Center deployment. Raw upgrade times for remotely and locally managed devices are similar, given similar conditions. |
| Versions | For major upgrades, we test upgrades from all eligible previous major versions. For patches, we test upgrades from the base version. |
| Models | In most cases, we test on the lowest-end models in each series, and sometimes on multiple models in a series. |
| Virtual settings | We test with the default settings for memory and resources. |
| High availability and scalability | Unless otherwise noted, we test on standalone devices. In a high availability or clustered configuration, devices upgrade one at a time to preserve continuity of operations, with each device operating in maintenance mode while it upgrades. Upgrading a device pair or entire cluster, therefore, takes longer than upgrading a standalone device. |
| Configurations | We test on appliances with minimal configurations and traffic load. Upgrade time can increase with the complexity of your configurations, size of event databases, and whether/how those things are affected by the upgrade. For example, if you use a lot of access control rules and the upgrade needs to make a backend change to how those rules are stored, the upgrade can take longer. |
| Components | Values represent only the time it takes for the Firepower software upgrade script. They do not include time for: operating system upgrades; transferring upgrade packages; readiness checks; VDB and intrusion rule (SRU) updates; deploying configurations; reboots, although reboot time may be provided separately. |

About Disk Space Requirements


Space estimates are the largest reported for all upgrades. For releases after early 2020, they are:
• Not rounded up (under 1 MB).
• Rounded up to the next 1 MB (1 MB - 100 MB).
• Rounded up to the next 10 MB (100 MB - 1 GB).
• Rounded up to the next 100 MB (greater than 1 GB).

Version 6.6.3 Time and Disk Space


Table 27: Version 6.6.3 Time and Disk Space

| Platform | Disk Space | Disk Space: FMC /var | Upgrade Time | Reboot Time |
|---|---|---|---|---|
| FMC | 15.1 GB in /var; 23 MB in / | — | 60 min | 28 min |
| FMCv: VMware 6.0 | 23.7 GB in /var; 29 MB in / | — | 43 min | 8 min |
| Firepower 1000 series | 9.7 GB in /ngfw/var; 400 MB in /ngfw | 1 GB | 21 min | 16 min |
| Firepower 2100 series | 10.1 GB in /ngfw/var; 450 MB in /ngfw | 1 GB | 21 min | 13 min |
| Firepower 4100 series | 8.9 GB in /ngfw/var; 11 MB in /ngfw | 970 MB | 11 min | 9 min |
| Firepower 4100 series container instance | 10.9 GB in /ngfw/var; 10 MB in /ngfw | 970 MB | 10 min | 7 min |
| Firepower 9300 | 10.1 GB in /ngfw/var; 11 MB in /ngfw | 970 MB | 14 min | 10 min |
| ASA 5500-X series with FTD | 8.5 GB in /ngfw/var; 756 KB in /ngfw | 1.2 GB | 20 min | 19 min |
| FTDv: VMware 6.0 | 7.7 GB in /ngfw/var; 756 KB in /ngfw | 1.2 GB | 19 min | 12 min |
| ASA FirePOWER | 11.4 GB in /var; 26 MB in / | 1.3 GB | 59 min | 16 min |
| NGIPSv: VMware 6.0 | 7.4 GB in /var; 21 MB in / | 870 MB | 13 min | 8 min |


Version 6.6.1 Time and Disk Space


Table 28: Version 6.6.1 Time and Disk Space

| Platform | Space on /Volume | Space on / | Space on FMC | Upgrade Time | Reboot Time |
|---|---|---|---|---|---|
| FMC | 18.6 GB | 23 MB | — | 54 min | 14 min |
| FMCv: VMware 6.0 | 15.8 GB | 58 MB | — | 56 min | 13 min |
| Firepower 1000 series | 10.8 GB | 400 MB | 1.1 GB | 20 min | 17 min |
| Firepower 2100 series | 10.9 GB | 450 MB | 1.1 GB | 16 min | 21 min |
| Firepower 4100 series | 9.7 GB | 10 MB | 1 GB | 15 min | 14 min |
| Firepower 4100 series container instance | 11.2 GB | 9 MB | 1 GB | 10 min | 13 min |
| Firepower 9300 | 9.8 GB | 11 MB | 1 GB | 15 min | 15 min |
| ASA 5500-X series with FTD | 9.3 GB | 1 MB | 1.2 GB | 21 min | 24 min |
| FTDv: VMware 6.0 | 9.3 GB | 1 MB | 1.2 GB | 18 min | 19 min |
| ASA FirePOWER | 12.3 GB | 26 MB | 1.4 GB | 72 min | 23 min |
| NGIPSv: VMware 6.0 | 7.1 GB | 54 MB | 860 MB | 14 min | 20 min |

Traffic Flow, Inspection, and Device Behavior


You must identify potential interruptions in traffic flow and inspection during the upgrade. This can occur:
• When a device is rebooted.
• When you upgrade the operating system or virtual hosting environment on a device.
• When you upgrade the Firepower software on a device, or uninstall a patch.
• When you deploy configuration changes as part of the upgrade or uninstall process (Snort process restarts).

Device type, deployment type (standalone, high availability, clustered), and interface configurations (passive,
IPS, firewall, and so on) determine the nature of the interruptions. We strongly recommend performing any
upgrade or uninstall in a maintenance window or at a time when any interruption will have the least impact
on your deployment.

FTD Upgrade Behavior: Firepower 4100/9300 Chassis


This section describes device and traffic behavior when you upgrade a Firepower 4100/9300 chassis with
FTD.


Firepower 4100/9300 Chassis: FXOS Upgrade


Upgrade FXOS on each chassis independently, even if you have inter-chassis clustering or high availability
pairs configured. How you perform the upgrade determines how your devices handle traffic during the FXOS
upgrade.

Table 29: Traffic Behavior During FXOS Upgrade

| Deployment | Method | Traffic Behavior |
|---|---|---|
| Standalone | — | Dropped. |
| High availability | Best Practice: Update FXOS on the standby, switch active peers, upgrade the new standby. | Unaffected. |
| High availability | Upgrade FXOS on the active peer before the standby is finished upgrading. | Dropped until one peer is online. |
| Inter-chassis cluster (6.2+) | Best Practice: Upgrade one chassis at a time so at least one module is always online. | Unaffected. |
| Inter-chassis cluster (6.2+) | Upgrade chassis at the same time, so all modules are down at some point. | Dropped until at least one module is online. |
| Intra-chassis cluster (Firepower 9300 only) | Hardware bypass enabled: Bypass: Standby or Bypass-Force. (6.1+) | Passed without inspection. |
| Intra-chassis cluster (Firepower 9300 only) | Hardware bypass disabled: Bypass: Disabled. (6.1+) | Dropped until at least one module is online. |
| Intra-chassis cluster (Firepower 9300 only) | No hardware bypass module. | Dropped until at least one module is online. |

Standalone FTD Device: Firepower Software Upgrade


Firepower devices/security modules operate in maintenance mode while they upgrade. Entering maintenance
mode at the beginning of the upgrade causes a 2-3 second interruption in traffic inspection. Interface
configurations determine how a standalone device handles traffic both then and during the upgrade.

Table 30: Traffic Behavior During Firepower Software Upgrade: Standalone FTD Device

| Interface Configuration | Traffic Behavior |
|---|---|
| Firewall interfaces: Routed or switched including EtherChannel, redundant, subinterfaces. Switched interfaces are also known as bridge group or transparent interfaces. | Dropped. |
| IPS-only interfaces: Inline set, hardware bypass force-enabled: Bypass: Force (6.1+). | Passed without inspection until you either disable hardware bypass, or set it back to standby mode. |
| IPS-only interfaces: Inline set, hardware bypass standby mode: Bypass: Standby (6.1+). | Dropped during the upgrade, while the device is in maintenance mode. Then, passed without inspection while the device completes its post-upgrade reboot. |
| IPS-only interfaces: Inline set, hardware bypass disabled: Bypass: Disabled (6.1+). | Dropped. |
| IPS-only interfaces: Inline set, no hardware bypass module. | Dropped. |
| IPS-only interfaces: Inline set, tap mode. | Egress packet immediately, copy not inspected. |
| IPS-only interfaces: Passive, ERSPAN passive. | Uninterrupted, not inspected. |

High Availability Pairs: Firepower Software Upgrade


You should not experience interruptions in traffic flow or inspection while upgrading the Firepower software
on devices in high availability pairs. To ensure continuity of operations, they upgrade one at a time. Devices
operate in maintenance mode while they upgrade.
The standby device upgrades first. The devices switch roles, then the new standby upgrades. When the upgrade
completes, the devices' roles remain switched. If you want to preserve the active/standby roles, manually
switch the roles before you upgrade. That way, the upgrade process switches them back.

Clusters: Firepower Software Upgrade


You should not experience interruptions in traffic flow or inspection while upgrading the Firepower software
on devices in Firepower Threat Defense clusters. To ensure continuity of operations, they upgrade one at a
time. The data security module or modules upgrade first, then the control module. Security modules operate
in maintenance mode while they upgrade.
During the control security module upgrade, although traffic inspection and handling continues normally, the
system stops logging events. Events for traffic processed during the logging downtime appear with out-of-sync
timestamps after the upgrade is completed. However, if the logging downtime is significant, the system may
prune the oldest events before they can be logged.

Traffic Behavior During Deployment


You deploy configurations multiple times during the upgrade process. Snort typically restarts during the first
deployment immediately after the upgrade. It does not restart during other deployments unless, before deploying,
you modify specific policy or device configurations. For more information, see Configurations that Restart
the Snort Process when Deployed or Activated in the Firepower Management Center Configuration Guide.
When you deploy, resource demands may result in a small number of packets dropping without inspection.
Additionally, restarting the Snort process interrupts traffic inspection on all Firepower devices, including
those configured for HA/scalability. Interface configurations determine whether traffic drops or passes without
inspection during the interruption.


Table 31: Traffic Behavior During FTD Deployment

| Interface Configuration | Traffic Behavior |
|---|---|
| Firewall interfaces: Routed or switched including EtherChannel, redundant, subinterfaces. Switched interfaces are also known as bridge group or transparent interfaces. | Dropped. |
| IPS-only interfaces: Inline set, Failsafe enabled or disabled (6.0.1–6.1). | Passed without inspection. A few packets might drop if Failsafe is disabled and Snort is busy but not down. |
| IPS-only interfaces: Inline set, Snort Fail Open: Down: disabled (6.2+). | Dropped. |
| IPS-only interfaces: Inline set, Snort Fail Open: Down: enabled (6.2+). | Passed without inspection. |
| IPS-only interfaces: Inline set, tap mode. | Egress packet immediately, copy not inspected. |
| IPS-only interfaces: Passive, ERSPAN passive. | Uninterrupted, not inspected. |

FTD Upgrade Behavior: Other Devices


This section describes device and traffic behavior when you upgrade Firepower Threat Defense on Firepower
1000/2100 series, ASA 5500-X series, ISA 3000, and FTDv.

Standalone FTD Device: Firepower Software Upgrade


Firepower devices operate in maintenance mode while they upgrade. Entering maintenance mode at the
beginning of the upgrade causes a 2-3 second interruption in traffic inspection. Interface configurations
determine how a standalone device handles traffic both then and during the upgrade.

Table 32: Traffic Behavior During Firepower Software Upgrade: Standalone FTD Device

| Interface Configuration | Traffic Behavior |
|---|---|
| Firewall interfaces: Routed or switched including EtherChannel, redundant, subinterfaces. Switched interfaces are also known as bridge group or transparent interfaces. | Dropped. |
| IPS-only interfaces: Inline set, hardware bypass force-enabled: Bypass: Force (Firepower 2100 series, 6.3+). | Passed without inspection until you either disable hardware bypass, or set it back to standby mode. |
| IPS-only interfaces: Inline set, hardware bypass standby mode: Bypass: Standby (Firepower 2100 series, 6.3+). | Dropped during the upgrade, while the device is in maintenance mode. Then, passed without inspection while the device completes its post-upgrade reboot. |
| IPS-only interfaces: Inline set, hardware bypass disabled: Bypass: Disabled (Firepower 2100 series, 6.3+). | Dropped. |
| IPS-only interfaces: Inline set, no hardware bypass module. | Dropped. |
| IPS-only interfaces: Inline set, tap mode. | Egress packet immediately, copy not inspected. |
| IPS-only interfaces: Passive, ERSPAN passive. | Uninterrupted, not inspected. |

High Availability Pairs: Firepower Software Upgrade


You should not experience interruptions in traffic flow or inspection while upgrading the Firepower software
on devices in high availability pairs. To ensure continuity of operations, they upgrade one at a time. Devices
operate in maintenance mode while they upgrade.
The standby device upgrades first. The devices switch roles, then the new standby upgrades. When the upgrade
completes, the devices' roles remain switched. If you want to preserve the active/standby roles, manually
switch the roles before you upgrade. That way, the upgrade process switches them back.

Traffic Behavior During Deployment


You deploy configurations multiple times during the upgrade process. Snort typically restarts during the first
deployment immediately after the upgrade. It does not restart during other deployments unless, before deploying,
you modify specific policy or device configurations. For more information, see Configurations that Restart
the Snort Process when Deployed or Activated in the Firepower Management Center Configuration Guide.
When you deploy, resource demands may result in a small number of packets dropping without inspection.
Additionally, restarting the Snort process interrupts traffic inspection on all Firepower devices, including
those configured for HA/scalability. Interface configurations determine whether traffic drops or passes without
inspection during the interruption.

Table 33: Traffic Behavior During FTD Deployment

| Interface Configuration | Traffic Behavior |
|---|---|
| Firewall interfaces: Routed or switched including EtherChannel, redundant, subinterfaces. Switched interfaces are also known as bridge group or transparent interfaces. | Dropped. |
| IPS-only interfaces: Inline set, Failsafe enabled or disabled (6.0.1–6.1). | Passed without inspection. A few packets might drop if Failsafe is disabled and Snort is busy but not down. |
| IPS-only interfaces: Inline set, Snort Fail Open: Down: disabled (6.2+). | Dropped. |
| IPS-only interfaces: Inline set, Snort Fail Open: Down: enabled (6.2+). | Passed without inspection. |
| IPS-only interfaces: Inline set, tap mode. | Egress packet immediately, copy not inspected. |
| IPS-only interfaces: Passive, ERSPAN passive. | Uninterrupted, not inspected. |

ASA FirePOWER Upgrade Behavior


Your ASA service policies for redirecting traffic to the ASA FirePOWER module determine how the module
handles traffic during the Firepower software upgrade, including when you deploy certain configurations that
restart the Snort process.

Table 34: Traffic Behavior During ASA FirePOWER Upgrade

| Traffic Redirection Policy | Traffic Behavior |
|---|---|
| Fail open (sfr fail-open) | Passed without inspection |
| Fail closed (sfr fail-close) | Dropped |
| Monitor only (sfr {fail-close}\|{fail-open} monitor-only) | Egress packet immediately, copy not inspected |

Traffic Behavior During ASA FirePOWER Deployment


Traffic behavior while the Snort process restarts is the same as when you upgrade the ASA FirePOWER
module.
You deploy configurations multiple times during the upgrade process. Snort typically restarts during the first
deployment immediately after the upgrade. It does not restart during other deployments unless, before deploying,
you modify specific policy or device configurations. For more information, see Configurations that Restart
the Snort Process when Deployed or Activated in the Firepower Management Center Configuration Guide.
When you deploy, resource demands may result in a small number of packets dropping without inspection.
Additionally, restarting the Snort process interrupts traffic inspection. Your service policies determine whether
traffic drops or passes without inspection during the interruption.

NGIPSv Upgrade Behavior


This section describes device and traffic behavior when you upgrade NGIPSv.


Firepower Software Upgrade


Interface configurations determine how NGIPSv handles traffic during the upgrade.

Table 35: Traffic Behavior During NGIPSv Upgrade

| Interface Configuration | Traffic Behavior |
|---|---|
| Inline | Dropped |
| Inline, tap mode | Egress packet immediately, copy not inspected |
| Passive | Uninterrupted, not inspected |

Traffic Behavior During Deployment


You deploy configurations multiple times during the upgrade process. Snort typically restarts during the first
deployment immediately after the upgrade. It does not restart during other deployments unless, before deploying,
you modify specific policy or device configurations. For more information, see Configurations that Restart
the Snort Process when Deployed or Activated in the Firepower Management Center Configuration Guide.
When you deploy, resource demands may result in a small number of packets dropping without inspection.
Additionally, restarting the Snort process interrupts traffic inspection. Interface configurations determine
whether traffic drops or passes without inspection during the interruption.

Table 36: Traffic Behavior During NGIPSv Deployment

| Interface Configuration | Traffic Behavior |
|---|---|
| Inline, Failsafe enabled or disabled | Passed without inspection. A few packets might drop if Failsafe is disabled and Snort is busy but not down. |
| Inline, tap mode | Egress packet immediately, copy bypasses Snort |
| Passive | Uninterrupted, not inspected |

Upgrade Instructions
The release notes do not contain upgrade instructions. After you read the guidelines and warnings in these
release notes, see one of the following documents.

Table 37: Firepower Upgrade Instructions

| Task | Guide |
|---|---|
| Upgrade FMC deployments. | Cisco Firepower Management Center Upgrade Guide |
| Upgrade Firepower Threat Defense Software with FDM. | Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager. See the System Management chapter in the guide for the FTD version you are currently running—not the version you are upgrading to. |
| Upgrade FXOS on a Firepower 4100/9300 chassis. | Cisco Firepower 4100/9300 Upgrade Guide |
| Upgrade ASA FirePOWER modules with ASDM. | Cisco ASA Upgrade Guide |
| Upgrade the ROMMON image on the ISA 3000, ASA 5508-X and 5516-X. | Cisco ASA and Firepower Threat Defense Reimage Guide. See the Upgrade the ROMMON Image section. You should always make sure you have the latest image. |

Upgrade Packages
Upgrade packages are available on the Cisco Support & Download site.
• Firepower Management Center, including FMCv: https://www.cisco.com/go/firepower-software
• Firepower Threat Defense (ISA 3000): https://www.cisco.com/go/isa3000-software
• Firepower Threat Defense (all other models, including FTDv): https://www.cisco.com/go/ftd-software
• ASA with FirePOWER Services (ASA 5500-X series): https://www.cisco.com/go/asa-firepower-sw
• ASA with FirePOWER Services (ISA 3000): https://www.cisco.com/go/isa3000-software
• NGIPSv: https://www.cisco.com/go/ngipsv-software

To find a Firepower software upgrade package, select or search for your Firepower appliance model, then
browse to the Firepower software download page for your current version. Available upgrade packages are
listed along with installation packages, hotfixes, and other applicable downloads.

Tip: An FMC with internet access can download Firepower maintenance releases (Version 6.6.x third-digit upgrades)
directly from Cisco, about two weeks after they become available for manual download. Direct download
from Cisco is not supported for:
• Major releases.
• Most patches to Version 6.6 or later.
• In FDM or ASDM deployments.

You use the same upgrade package for all Firepower models in a family or series. Upgrade package file names
reflect the platform, package type (upgrade, patch, hotfix), and Firepower version. Note that maintenance
releases use the upgrade package type.
For example:
• Package: Cisco_Firepower_Mgmt_Center_Upgrade-6.6.0-999.sh.REL.tar
• Platform: Firepower Management Center
• Package type: Upgrade
• Version and build: 6.6.0-999
• File extension: sh.REL.tar

So that Firepower can verify that you are using the correct files, upgrade and hotfix packages are signed
archives. Do not untar signed (.tar) packages.

Note: After you upload a signed upgrade package, the GUI can take several minutes to load as the system verifies
the package. To speed up the display, remove packages after you no longer need them.

Table 38: Firepower Software Upgrade Packages

| Platform | Package |
|---|---|
| FMC/FMCv | Cisco_Firepower_Mgmt_Center |
| Firepower 1000 series | Cisco_FTD_SSP-FP1K |
| Firepower 2100 series | Cisco_FTD_SSP-FP2K |
| Firepower 4100/9300 chassis | Cisco_FTD_SSP |
| ASA 5500-X series with FTD, ISA 3000 with FTD, FTDv | Cisco_FTD |
| ASA FirePOWER | Cisco_Network_Sensor |
| NGIPSv | Cisco_Firepower_NGIPS_Virtual |
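
Because the file name encodes platform, package type, version and build, a downloaded package can be sanity-checked against the intended target before it is uploaded. This is an added example, not a Cisco tool: the function names are hypothetical, the name layout is inferred from the single example above, and the spelling of the Patch and Hotfix tokens is an assumption.

```python
import re

# Package name prefix -> platform, copied from Table 38 above.
PACKAGE_PLATFORMS = {
    "Cisco_Firepower_Mgmt_Center": "FMC/FMCv",
    "Cisco_FTD_SSP-FP1K": "Firepower 1000 series",
    "Cisco_FTD_SSP-FP2K": "Firepower 2100 series",
    "Cisco_FTD_SSP": "Firepower 4100/9300 chassis",
    "Cisco_FTD": "ASA 5500-X series with FTD, ISA 3000 with FTD, FTDv",
    "Cisco_Network_Sensor": "ASA FirePOWER",
    "Cisco_Firepower_NGIPS_Virtual": "NGIPSv",
}

# Layout inferred from the example on the page:
#   <prefix>_<Type>-<version>-<build>.<extension>
# Only "Upgrade" appears on the page; "Patch" and "Hotfix" are assumed spellings.
NAME_RE = re.compile(
    r"^(?P<prefix>[A-Za-z0-9_-]+)_(?P<type>Upgrade|Patch|Hotfix)"
    r"-(?P<version>\d+(?:\.\d+)+)-(?P<build>\d+)\.(?P<ext>.+)$"
)

# The page says upgrade and hotfix packages are signed archives that must not
# be untarred, so any other extension is treated as a finding.
SIGNED_EXT = "sh.REL.tar"


def parse_package_name(filename):
    """Split a package file name into its fields, or return None if it does not fit."""
    match = NAME_RE.match(filename)
    if match is None:
        return None
    info = match.groupdict()
    # Exact lookup on the whole prefix: Cisco_FTD, Cisco_FTD_SSP and
    # Cisco_FTD_SSP-FP1K are different families, so startswith() would misclassify.
    info["platform"] = PACKAGE_PLATFORMS.get(info["prefix"])
    return info


def check_package(filename, expected_platform, target_version):
    """Return a list of problems; an empty list means the name is consistent."""
    info = parse_package_name(filename)
    if info is None:
        return ["name does not follow <prefix>_<Type>-<version>-<build>.<ext>"]
    problems = []
    if info["platform"] is None:
        problems.append(f"unknown package prefix {info['prefix']!r}")
    elif info["platform"] != expected_platform:
        problems.append(
            f"package is for {info['platform']!r}, not {expected_platform!r}"
        )
    if info["version"] != target_version:
        problems.append(
            f"package version {info['version']} is not target {target_version}"
        )
    if info["ext"] != SIGNED_EXT:
        problems.append(
            f"extension {info['ext']!r} is not {SIGNED_EXT!r}; "
            "keep the signed archive intact"
        )
    return problems


if __name__ == "__main__":
    # Constructed file names; build 999 is a placeholder like the page's example.
    samples = [
        ("Cisco_FTD_SSP-FP1K_Upgrade-6.6.3-999.sh.REL.tar", "Firepower 1000 series"),
        ("Cisco_FTD_Upgrade-6.6.1-999.sh", "Firepower 2100 series"),
    ]
    for name, platform in samples:
        print(name, "->", check_package(name, platform, "6.6.3") or "OK")
```

A consistent name says nothing about integrity; the signature check described above still happens on the appliance after upload.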

Operating System Upgrade Packages


For information on operating system upgrade packages, see the planning topics in the following guides:
• Cisco ASA Upgrade Guide, for ASA OS
• Cisco Firepower 4100/9300 Upgrade Guide, for FXOS

CHAPTER 5
Freshly Install the Software
If you cannot or do not want to upgrade, you can freshly install major and maintenance releases.
We do not provide installation packages for patches. To run a particular patch, install the appropriate major
or maintenance release, then apply the patch.
• Deciding to Freshly Install
• Guidelines for Fresh Installs
• Unregistering Smart Licenses
• Installation Instructions

Deciding to Freshly Install


Use this table to identify scenarios where you need to freshly install (also called reimaging). Note that for
Firepower devices, in all of these scenarios—including switching device management between local and
remote—you will lose device configurations.

Note: Address licensing concerns before you reimage or switch management. If you are using Cisco Smart Licensing,
you may need to unregister from the Cisco Smart Software Manager (CSSM) to avoid accruing orphan
entitlements. These can prevent you from reregistering.


Table 39: Scenarios: Do You Need a Fresh Install?

| Scenario | Solution | Cisco Smart Licensing |
|---|---|---|
| Upgrade FMC-managed devices from a much older Firepower version. | The upgrade path from older versions can include intermediate versions. Especially in larger deployments where you must alternate FMC and device upgrade, this multi-step process can be time consuming. To save time, you can reimage older devices instead of upgrading: 1. Remove the devices from the FMC. 2. Upgrade the FMC only to its target version. 3. Reimage the devices. 4. Re-add the devices to the FMC. | Removing devices from the FMC unregisters them. Reassign licenses after you re-add the devices. |
| Change FTD management from FDM to FMC (local to remote). | Use the configure manager CLI command; see Cisco Firepower Threat Defense Command Reference. | Unregister the device before you switch management. Reassign its license after you add it to the FMC. |
| Change FTD management from FMC to FDM (remote to local). | Use the configure manager CLI command; see Cisco Firepower Threat Defense Command Reference. Exception: The device is running or was upgraded from Version 6.0.1. In this case, reimage. | Remove the device from the FMC to unregister it. Reregister using FDM. |
| Change ASA FirePOWER management between ASDM and FMC. | Start using the other management method. | Contact Sales for new Classic licenses. ASA FirePOWER licenses are associated with a specific manager. |
| Replace ASA FirePOWER with FTD on the same physical device. | Reimage. | Convert Classic to Smart licenses; see the Firepower Management Center Configuration Guide. |
| Replace NGIPSv with FTDv. | Reimage. | Contact Sales for new Smart licenses. |
| Uninstall an FTD patch with FDM. | Reimage. You cannot uninstall patches in FDM deployments. | Unregister the device before you reimage. Reregister after. |
| Return to a previous major or maintenance release. | Reimage. You cannot uninstall major or maintenance upgrades. If possible, restore from backup. | Do not unregister before you reimage, and do not remove devices from the FMC. If you do, you must unregister again after you restore, then re-register. Instead, revert any licensing changes made since you took the backup. After the restore completes, reconfigure licensing. If you notice licensing conflicts or orphan entitlements, contact Cisco TAC. |
| Restore a failed FMC or FTD device from backup. | In an RMA scenario, the replacement will arrive configured with factory defaults. However, if the replacement is already configured, we recommend you reimage before you restore. | Do not unregister before you reimage, and do not remove devices from the FMC. If you do, you must unregister again after you restore, then re-register. Instead, revert any licensing changes made since you took the backup. After the restore completes, reconfigure licensing. If you notice licensing conflicts or orphan entitlements, contact Cisco TAC. |

Guidelines for Fresh Installs


Reimaging Firepower 1000/2100 Series Devices to Earlier Major Versions
We recommend that you perform complete reimages of Firepower 1000/2100 series devices. If you use the
erase configuration method, FXOS may not revert along with the Firepower Threat Defense software. This
can cause failures, especially in high availability deployments.
For more information, see the reimage procedures in the Cisco FXOS Troubleshooting Guide for the Firepower
1000/2100 Series Running Firepower Threat Defense.

Reimage Checklist
Reimaging returns most settings to factory defaults, including the system password. This checklist highlights
actions that can prevent common reimage issues. However, this checklist is not comprehensive. Refer to the
appropriate installation guide for full instructions: see Installation Instructions.

Table 40:

✓ Action/Check

Check appliance access.


If you do not have physical access to an appliance, the reimage process lets you keep management
network settings. This allows you to connect to the appliance after you reimage to perform the initial
configuration. If you delete network settings, you must have physical access to the appliance. You
cannot use Lights-Out Management (LOM).
Note: Reimaging to an earlier version automatically deletes network settings. In this rare case, you
must have physical access.

For devices, make sure traffic from your location does not have to traverse the device itself to access
the device's management interface. In FMC deployments, you should also be able to access the FMC
management interface without traversing the device.


Perform backups.
Back up before reimaging, when supported.
Note that if you are reimaging so that you don't have to upgrade, due to version restrictions you cannot
use a backup to import your old configurations. You must recreate your configurations manually.
Caution: We strongly recommend you back up Firepower appliances to a secure remote location and
verify transfer success. Reimaging returns most settings to factory defaults, including the
system password. It deletes any backups left on the appliance. And especially because backup
files are unencrypted, do not allow unauthorized access. If backup files are modified, the
restore process will fail.

Backup and restore can be a complex process. You do not want to skip any steps or ignore security or
licensing concerns. For detailed information on requirements, guidelines, limitations, and best practices
for backup and restore, see the configuration guide for your Firepower product.

Determine if you must remove devices from FMC management.


If you plan to manually configure the reimaged appliance, remove devices from remote management
before you reimage:
• If you are reimaging the FMC, remove all its devices from management.
• If you are reimaging a single device or switching from remote to local management, remove that
one device.

If you plan to restore from backup after reimaging, you do not need to remove devices from remote
management.

Address licensing concerns.


Before you reimage any Firepower appliance, address licensing concerns. You may need to unregister
from the Cisco Smart Software Manager (CSSM) to avoid accruing orphan entitlements, which can
prevent you from reregistering. Or, you may need to contact Sales for new licenses.
For more information, see:
• Deciding to Freshly Install
• Cisco Firepower System Feature Licenses Guide
• Frequently Asked Questions (FAQ) about Firepower Licensing
• Licensing information in the configuration guide for your Firepower product.

Unregistering Smart Licenses


Firepower Threat Defense devices, whether locally (Firepower Device Manager) or remotely (Firepower
Management Center) managed, use Cisco Smart Licensing. To use licensed features, you must register with
Cisco Smart Software Manager (CSSM). If you later decide to reimage or switch management, you must
unregister to avoid accruing orphan entitlements. These can prevent you from reregistering.

Note: If you need to restore an FMC or FTD device from backup, do not unregister before you reimage, and do not
remove devices from the FMC. Instead, revert any licensing changes made since you took the backup. After
the restore completes, reconfigure licensing. If you notice licensing conflicts or orphan entitlements, contact
Cisco TAC.

Unregistering removes an appliance from your virtual account, unregisters it from the cloud and cloud services,
and releases associated licenses so they can be reassigned. When you unregister an appliance, it enters
Enforcement mode. Its current configuration and policies continue to work as-is, but you cannot make or
deploy any changes.
Manually unregister from CSSM before you:
• Reimage a Firepower Management Center that manages FTD devices.
• Shut down the source Firepower Management Center during model migration.
• Reimage a Firepower Threat Defense device that is locally managed by FDM.
• Switch a Firepower Threat Defense device from FDM to FMC management.

Automatically unregister from CSSM when you remove a device from the FMC so you can:
• Reimage a Firepower Threat Defense device that is managed by an FMC.
• Switch a Firepower Threat Defense device from FMC to FDM management.

Note that in these two cases, removing the device from the FMC is what automatically unregisters the device.
You do not have to unregister manually as long as you remove the device from the FMC.

Tip: Classic licenses for NGIPS devices are associated with a specific manager (ASDM/FMC), and are not controlled
using CSSM. If you are switching management of a Classic device, or if you are migrating from an NGIPS
deployment to an FTD deployment, contact Sales.

Unregister a Firepower Management Center


Unless you plan to restore from backup, unregister a Firepower Management Center from CSSM before you
reimage. This also unregisters any managed Firepower Threat Defense devices.
If the FMC is configured for high availability, licensing changes are automatically synchronized. You do not
need to unregister the other FMC.

Step 1 Log into the Firepower Management Center.
Step 2 Choose System > Licenses > Smart Licenses.
Step 3 Next to Smart License Status, click Stop Sign.
Step 4 Read the warning and confirm that you want to unregister.

Unregister an FTD Device Using FDM


Unregister locally managed Firepower Threat Defense devices from the Cisco Smart Software Manager before
you either reimage or switch to remote (FMC) management.
If the device is configured for high availability, you must log into the other unit in the high availability pair
to unregister that unit.

Step 1 Log into the Firepower Device Manager.
Step 2 Click Device, then click View Configuration in the Smart License summary.
Step 3 Select Unregister Device from the gear drop-down list.
Step 4 Read the warning and confirm that you want to unregister.

Installation Instructions
The release notes do not contain installation instructions. Instead, see one of the following documents.
Installation packages are available on the Cisco Support & Download site.

Table 41: Firepower Management Center Installation Instructions

FMC Platform | Guide
FMC 1600, 2600, 4600 | Cisco Firepower Management Center 1600, 2600, and 4600 Getting Started Guide
FMC 1000, 2500, 4500 | Cisco Firepower Management Center 1000, 2500, and 4500 Getting Started Guide
FMC 2000, 4000 | Cisco Firepower Management Center 750, 1500, 2000, 3500 and 4000 Getting Started Guide
FMCv and FMCv 300 | Cisco Firepower Management Center Virtual Getting Started Guide

Table 42: Firepower Threat Defense Installation Instructions

FTD Platform | Guide
Firepower 1000/2100 series | Cisco ASA and Firepower Threat Defense Reimage Guide; Cisco FXOS Troubleshooting Guide for the Firepower 1000/2100 Series Running Firepower Threat Defense
Firepower 4100/9300 chassis | Cisco Firepower 4100/9300 FXOS Configuration Guides: Image Management chapters; Cisco Firepower 4100 Getting Started Guide; Cisco Firepower 9300 Getting Started Guide
ASA 5500-X series | Cisco ASA and Firepower Threat Defense Reimage Guide

ISA 3000 | Cisco ASA and Firepower Threat Defense Reimage Guide
FTDv: AWS | Cisco Firepower Threat Defense Virtual for the AWS Cloud Getting Started Guide
FTDv: Azure | Cisco Firepower Threat Defense Virtual for the Microsoft Azure Cloud Quick Start Guide
FTDv: KVM | Cisco Firepower Threat Defense Virtual for KVM Getting Started Guide
FTDv: VMware | Cisco Firepower Threat Defense Virtual for VMware Getting Started Guide

Table 43: NGIPSv and ASA FirePOWER Installation Instructions

NGIPS Platform | Guide
NGIPSv | Cisco Firepower NGIPSv Quick Start Guide for VMware
ASA FirePOWER | Cisco ASA and Firepower Threat Defense Reimage Guide; ASDM Book 2: Cisco ASA Series Firewall ASDM Configuration Guide: Managing the ASA FirePOWER Module

CHAPTER 6
Documentation
We update Firepower documentation if a maintenance release requires it.
• Documentation Roadmaps, on page 53

Documentation Roadmaps
Documentation roadmaps provide links to currently available and legacy documentation:
• Navigating the Cisco Firepower Documentation
• Navigating the Cisco ASA Series Documentation
• Navigating the Cisco FXOS Documentation

CHAPTER 7
Resolved Issues
For your convenience, these release notes list the resolved bugs for each maintenance release.

Note: Each list is auto-generated once and is not subsequently updated. Depending on how and when a bug was
categorized or updated in our system, it may not appear in the release notes. You should regard the Cisco Bug
Search Tool as the 'source of truth.'

For resolved issues, see:


• Searching for Resolved Issues, on page 55
• Resolved Issues in New Builds, on page 56
• Version 6.6.3 Resolved Issues, on page 56
• Version 6.6.1 Resolved Issues, on page 69

Searching for Resolved Issues


If you have a support contract, you can use the Cisco Bug Search Tool to obtain an up-to-date list of resolved
bugs for Firepower products. You can constrain searches to bugs affecting specific Firepower platforms and
versions. You can also search by bug ID, or for specific keywords.
These general queries display resolved bugs for Firepower products running Version 6.6.x maintenance
releases:
• Firepower Management Center
• Firepower Management Center Virtual
• Firepower Threat Defense
• Firepower Threat Defense Virtual
• ASA with FirePOWER Services
• NGIPSv

Resolved Issues in New Builds


Sometimes Cisco releases updated builds. In most cases, only the latest build for each platform is available
on the Cisco Support & Download site. We strongly recommend you use the latest build. If you downloaded
an earlier build, do not use it.
You cannot upgrade from one build to another for the same Firepower version. If a new build would fix your
issue, determine if an upgrade or hotfix would work instead. If not, contact Cisco TAC. See the Cisco Firepower
Hotfix Release Notes for quicklinks to publicly available Firepower hotfixes.
Use this table to determine if a new build is available for your platform.

Table 44: Version 6.6.x New Builds

Version | New Build | Released | Platforms | Resolves
6.6.1 | 91 | 2020-09-16 | All | CSCvv69991: FTD stuck in Maintenance Mode after upgrade to 6.6.1. If you are already experiencing this issue, contact Cisco TAC. If you successfully upgraded or reimaged an FTD device to Version 6.6.1-90, apply Hotfix 6.6.1-A. Do not configure the device as a NetFlow exporter until you apply the hotfix. It is safe to continue running Version 6.6.1-90 on all FMCs, ASA FirePOWER modules, and NGIPSv. For details, see Software Advisory: Inoperable FTD Device/NetFlow Exporter after Reboot.

Version 6.6.3 Resolved Issues


Table 45: Version 6.6.3 Resolved Issues

Bug ID Headline

CSCvm82290 ASA core blocks depleted when host unreachable in IRB/TFW configuration

CSCvs50274 ASA5506 to the box icmp request packets intermittently dropped

CSCuw51499 TCM doesn't work for ACE addition/removal, ACL object/object-group edits

CSCvs85595 awk:fatal msg getting displayed while unit is syncing

CSCvt09940 Cisco Firepower 4110 ICMP Flood Denial of Service Vulnerability

CSCvt48260 Standby unit traceback at fover_parse and boot loop when detecting Active unit

CSCvt64952 "Show crypto accelerator load-balance detail" has missing and undefined output

CSCvt75760 Traceback/Page-fault in Clientless WebVPN due to HTTP cleanup

CSCvt92077 Ping Failure on ASAv - 9.13 after CAT9k reboot

CSCvu23539 Inner Flow: LU flag3 overlap

CSCvu27868 ASA: Lack of specific syslog messages to external IPv6 logging server after ASA upgrade

CSCvu33992 traceback: ASA reloaded lina_sigcrash+1394

CSCvu36302 %ASA-3-737403 is used incorrectly when vpn-addr-assign local reuse-delay is configured

CSCvv02925 OSPF neighbourship is not establising

CSCvv17585 Netflow template not sent under certain circumstances

CSCvv43484 ASA stops processing RIP packets after system upgrade

CSCvv48594 Memory leak: due to snp_tcp_intercept_stat_top_n_integrate() in threat detection

CSCvv49800 ASA/FTD: HA switchover doesn't happen with graceful reboot of firepower chassis

CSCvv58605 ASA traceback and reload in thread:Crypto CA,mem corruption by unvirtualized pki global table in MTX

CSCvv63412 ASA dropping all traffic with reason "No route to host" when tmatch compilation is ongoing

CSCvv72466 OSPF network commands go missing in the startup-config after upgrading the ASA

CSCvv89400 ASA SNMPv3 Poll fails when using AES 256

CSCvw22986 Secondary unit stuck in Bulk sync infinitely due to interface of Primary stuck in init state

CSCvw24556 TCP File transfer (Big File) not properly closed when Flow offload is enabled

CSCvw32518 ASASM traceback and reload after upgrade up to 9.12(4)4 and higher

CSCvw53884 M500IT Model Solid State Drives on ASA5506 may go unresponsive after 3.2 Years in service

CSCvs68576 Deploy failure when deleting auto nat rule due to double negate

CSCvu95109 KVM/KP FDM upgrade from 6.6 - 6.7.0 failed due to diskspace. /ngfw/var/cisco/deploy/fdm

CSCvv20450 FMC 6.4 to 6.7 upgrade fails "Error running script 500_rpms/110_generate_dbaccess.sh"

CSCvv70096 Snort 2: Memory Leak in SSL Decrypt & Resign Processing

CSCvv87495 FMC randomly become unresponsive (no SSH or GUI) - Error 500

CSCvv91486 Memory leak during reload in stream

CSCvw03229 Device doesn't send malware/connection events after upgrade from 6.4 to 6.6.1

CSCvw37369 In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.py CJK

CSCvw85377 URL is not updated in the access policy URL filtering rule

CSCvs13204 ASAv failover traffic on SR-IOV interfaces might be dropped due to interface-down

CSCvs79606 "dns server-group DefaultDNS" cli not getting negated

CSCvt13822 ASA: VTI rejecting IPSec tunnel due to no matching crypto map entry

CSCvt17912 stress, pushing platform limits causing segfault/reload in lina_free_exec_st

CSCvt61196 ASA on multicontext mode, deleting a context does not delete the SSH keys.

CSCvt95176 readfilemap.c in expat before 2.1.0 allows context-dependent attackers

CSCvu06767 Lina cores on multi-instance causing a boot loop on both logical-devices

CSCvu16423 ASA 9.12(2) - Multiple tracebacks due to Unicorn Proxy Thread

CSCvu17852 Current connection count is negative on 'show service policy' when connection limit is set in MPF

CSCvu43355 FTD Lina traceback in datapath due to double free

CSCvu44135 syslog 710004 not generated when SSH management connection limit exceeded

CSCvu70931 Cluster / aaa-server key missing after "no key config-key" is entered

CSCvu89110 ASA: Block new conns even when the "logging permit-hostdown" is set & TCP syslog is down

CSCvv09396 Stale VPN routes for L2TP, after the session was terminated

CSCvv12857 ASA gets frozen after crypto engine failure

CSCvv15572 ASA traceback observed when "config-url" is entered while creating new context

CSCvv32425 ASA traceback when running show asp table classify domain permit

CSCvv40195 Syslog trap is missing log content

CSCvv66005 ASA traceback and reload on inspect esmtp

CSCvv66920 Inner flow: U-turn GRE flows trigger incorrect connection flow creation

CSCvw07000 Snort busy drops with PDTS Tx queue stuck

CSCvw12100 ASA stale VPN Context seen for site to site and AnyConnect sessions

CSCvw27301 IKEv2 with EAP, MOBIKE status fails to be processed.

CSCvw44122 ASA: "class-default" class-map redirecting non-DNS traffic to DNS inspection engine

CSCvw59035 Connection issues to directly connected IP from FTD BVI address

CSCvw64623 Standby ASA linkdown SNMPtrap sent from standby interface with active IP address

CSCvw87788 ASA traceback and reload webvpn thread

CSCvw98840 ASA: dACL with no IPv6 entries is not applied to v6 traffic after CoA

CSCvx26221 Traceback into snmp at handle_agentx_packet / snmp takes long time to come up on FP1k and 5508

CSCvt43136 Multiple Cisco Products Snort TCP Fast Open File Policy Bypass Vulnerability

CSCvt48601 Cisco Firepower Manament Center Software Stored Cross-Site Scripting Vulnerability

CSCvt69260 connection event shows old device name

CSCvt70854 6.6.0-90: [Firepower 1010] Tomcat restarted during SRU update because of out of memory

CSCvt99020 Cisco Firepower Manament Center Software Stored Cross-Site Scripting Vulnerability

CSCvv26683 "configure high-availability disable" command when executed from CLI causes exception in next HAJoin

CSCvv45106 CSD does not start on 2100 due to missing csd-service.json file

CSCvv55271 REST API to fetch Audit logs from FMC returns only the first 25 entries with or without startIndex

CSCvv57476 CSS Styles loading issue in Chrome 85, IE and Edge browsers

CSCvv58604 Reset not sent when traffic matches AC-policy configured with block/reset and SSL inspection

CSCvv74951 Disable memory cgroups when running the system upgrade scripts

CSCvv92897 System might hit previously missing memcap limits on upgrade to version 6.6.0

CSCvv98534 Failed upgrade does not create audit messages in syslog

CSCvw03256 FMC dashboard shows "No Data" for intrusion table when 'Message' Field is Selected

CSCvw05415 FDM: Edit to object group does not update in S2S VPN match criteria version of object

CSCvg73237 ENH: Configure CAC as an absolute value as well instead of just percentage of total VPN capacity.

CSCvn12453 Implement debug menu command to show RX ring number a flow is hashed to

CSCvq81410 ASA::Unable to execute any ASA command via http using safari browser.

CSCvs84542 ASA traceback with thread: idfw_proc

CSCvs99356 Snort2: on SSP platforms large files download takes time with ssl policy configured

CSCvt11302 On FPR devices when FIPS is enabled cannot create webtype ACLs

CSCvt22356 Health-check monitor-interface debounce-time in ASA Cluster resets to 9000ms after ASA reboot

CSCvt33785 IPSec SAs are not being created for random VPN peers

CSCvt41357 "no logging permit-hostdown" does not block connections when syslog host is inaccessible

CSCvt42610 Observed memory leak during SNMP polling

CSCvt71529 ASA traceback and reload during SSL handshake

CSCvt80134 WebVPN rewriter fails to parse data from SAP Netweaver.

CSCvu08339 FTD Inline-set bridge group ID set to 0 with tap-mode off

CSCvu27287 Scheduled Backup failing over SCP via EEM

CSCvu55469 FTD - Connection idle timeout doesn't reset

CSCvu98505 ASA licensed via PLR does not have 'export-controlled functionality enabled' flag set correctly

CSCvv20405 WEBVPN: ERROR: Invalid tunnel group name on Multi-Context ASA

CSCvv50338 Traceback Cluster unit on snpi_nat_xlate_destroy+2508

CSCvv63208 ASA 5506/5508 - SNMP polling fails following reboot but restores after some time

CSCvv67398 Inspect-snmp drops thru-the-box snmp paks if snmp is disabled

CSCvw54640 FPR-4150 - ASA traceback and reload with thread name DATAPATH

CSCvw58414 Name of anyconnect custom attribute of type dynamic-split-exclude-domains is changed after reload

CSCvx09535 ASA Traceback: CRL check for an Anyconnect client with a revoked certificate triggers reload

CSCvt00255 Upgrade kernel to cpe:2.3:o:linux:linux_kernel:4.14.187:

CSCvu98780 FTD-API: CDO template apply is triggering rule delete bug

CSCvv22208 In onbox mode, zones.conf didn't roll back when deployment fails

CSCvv36915 "Show NTP" command does not work on multi-instance FTD

CSCvv63227 SLA stopped working on upgraded setup

CSCvv67754 Memory calculations are producing incorrect results leading to higher memory usage in snort.

CSCvw88467 estreamer to query ids_event_msg_map from mysql instead of sybase

CSCvq47743 AnyConnect and Management Sessions fail to connect after several weeks

CSCvf88062 CTM: Nitrox S/G lengths need to be validated

CSCvs85196 ASA SIP connections drop after several consecutive failovers: pinhole timeout/closed by inspection

CSCvt76688 The syslog message 201008 should include reason of drop when TCP server is down

CSCvt88454 using Clientless portal, there is a character string that does not match the set language

CSCvv07864 Multicast EIGRP traffic not seen on internal FTD interface

CSCvv10778 Traceback in threadname DATAPATH (5585) or Lina (2100) after upgrade to 9.12.4

CSCvv19230 ASAv Anyconnect users unexpectedly disconnect with reason: Idle Timeout

CSCvv41453 Removing static ipv6 route from management-only route table affects data traffic

CSCvv57590 ASA: ACL compilation takes more time on standby

CSCvv73017 Traceback due to fover and ssh thread

CSCvv86861 Observed crash in KP in timer while running VPN, EMIX and SNMP traffic for overnight.

CSCvv90181 No deployment failure reason in transcript if 'show running-config' is running during deployment

CSCvw28814 SNMP process crashed, while upgrading the QP to v9.14.1.109

CSCvw42999 9.10.1.11 ASA on FPR2110 traceback and reloads randomly

CSCvw51985 ASA: AnyConnect sessions cannot be resumed due to ipv6 DACL failure

CSCvw53255 FTD/ASA HA: Standby Unit FXOS is still able to forward traffic even after failover due to traceback

CSCvw74940 ASA traceback in IKE Daemon and reload

CSCvo57004 Analyze Hit Counts displaying timestamps in UTC instead of the configured user time zone.

CSCvp10079 DB switch role failed on FMC HA switch

CSCvr02310 Server Hello is dropped when TLS1.3 is the only accepted TLS version with DND rule

CSCvs47365 Event rate seen on FMC slows down or stops coming from devices using FXOS 2.9.1 update

CSCvt34973 SFNotificationd may cause excessive logging in 'messages' files

CSCvt61370 Events may stop coming from a device due to a communication deadlock

CSCvu30756 User Identity does not correctly handle identical sessions in different netmaps

CSCvu33591 FPWR 4100 - Snort down due to corrupt files under /var/sf/fwcfg/

CSCvu35768 After upgrade FMC from 6409-59 to 6.6.0-90 unable to log UI using Radius external user in subdomain.

CSCvv04441 ngfw.rules mismatch between Primary and Secondary FTD HA when RA-VPN is configured before upgrade

CSCvv19573 Deployment is failed when an interface associated in static route update with management-only

CSCvv21045 Database may stop accepting new connections causing event processing to stop

CSCvv40961 http-proxy setting causing upgrade failure

CSCvw07352 SFDataCorrelator log spam, metadata fails after Sybase connection status 0

CSCvu71324 ASA: Automatic DENY rule applied in multiple contexts due to the use of the dhcp-network-scope

CSCvv14621 Reword the error message displayed in case of command replication timeout in cluster

CSCvv29687 Rate-limit syslogs 780001/780002 by default on ASA

CSCvv43885 'show sctp' command is unavailable when carrier license is out of compliance

CSCvv49698 ASA Anyconnect url-redirect not working for ipv6

CSCvv62305 ASA traceback and reload in fover_parse when attempting to join the failover pair.

CSCvv80782 Traceback leads to the purg_process

CSCvv86926 Unexpected traceback and reload on FTD creating a Core file

CSCvv88017 ASA: EasyVPN HW Client triggers duplicate phase 2 rekey causing disconnections across the tunnel

CSCvv94165 FTD 6.6 : High CPU spikes on snmpd process

CSCvw26171 ASA syslog traceback while strncpy NULL string passed from SSL library

CSCvw63862 ASA: Random L2TP users cannot access resources due to stale ACL filter entries

CSCvw97821 ASA: VPN traffic does not pass if no dACL is provided in CoA

CSCvt01938 show ntp asking the password to get the output

CSCvt66875 AppId caches proxy IP instead of tunneled IP for ultrasurf

CSCvt72683 NAT policy configuration after NAT policy deployment on FP 8130 is not seen

CSCvt87074 Type confusion in xsltNumberFormatGetMultipleLevel prior to libxslt 1.

CSCvu93834 FDM/FTD-API: Password cannot be changed on standby for the admin user

CSCvv40916 3 min delay caused by AbstractBaseDeploymentValidationHandler.validatePreApply during deploy.

CSCvv60849 Memory cgroup limits should be adjusted to avoid Snort D-state

CSCvw21628 Upgrade from pre-6.6.x to 6.6.x and above breaks Intrusion Event Packet-Drill down

CSCvw22546 Cannot change DH Group by using API on locally managed FTD

CSCvw28894 SFDataCorrelator slow startup and vuln remap due to duplicate entries in vuln tables

CSCvw83498 FTD-API: LDAP Attribute map not handlign ldapValue including a space

CSCvo11165 Language translation table for webvpn should be updated

CSCvr35872 ASA traceback Thread Name: DATAPATH-0-1388 PBR 9.10(1)22

CSCvr85295 Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Remote

CSCvs72450 FXOS - Recover hwclock of service module from corruption due to simultaneous write collision

CSCvs72378 ASDM session being abruptly terminated when switching between different contexts

CSCvt18199 IPv6 Nat rejected with error "overlaps with inside standby interface address" for Standalone ASA

CSCvu82738 The drop rate in show interface for inline sets is incorrect

CSCvu83389 ASA drops GTPV1 Forward relocation Request message with Null TEID

CSCvu84066 bfd map source address with /32 mask is not working

CSCvv34140 ASA IKEv2 VTI - Failed to request SPI from CTM as responder

CSCvv89708 ASA/FTD may traceback in thread name fover_FSM_thread and reload

CSCvw26331 ASA traceback and reload on Thread Name: ci/console

CSCvw36662 TACACS+ ASCII password change request not handled properly

CSCvw48517 DAP stopped working after upgrading the ASA to 9.13(1)13

CSCvw50679 ASA/FTD may traceback and reload during upgrade

CSCvw51307 ASA/FTD traceback and reload in process name "Lina"

CSCvh75756 Duplicate preprocessor keyword: ssl

CSCvs91270 Inspect Interruption - Error in deployment page.

CSCvt26530 FTD failed over due to 'Inspection engine in other unit has failed due to snort failure'

CSCvv04023 FDM (On box manager)Traffic not hit in the proper rule because interface is removed from zones.conf

CSCvv08244 Firepower module may block trusted HTTPS connections matching 'Do not decrypt' SSL decryption rule

CSCvv69015 CSD does not respond to Troubleshoot requests on 6.6.X

CSCvv73540 Create a monitor to drop file cache once it exceeds a certain limit

CSCvw38810 FTD in AWS: Disk Manager process does not start after upgrade to 6.6.1

CSCvw41728 Unable to configure syslog via CLI on FTD

CSCvu68529 Embryonic connections limit does not work consistently

CSCvv31629 Intermittently embedded ping reply over GRE drops on FTD cluster if traffic passes asymmetrically.

CSCvv69991 FTD stuck in Maintenance Mode after upgrade to 6.6.1

CSCvp47536 AAA requests on FTD not following V-routes learned from RRI

CSCvs91389 FTD Traceback Lina process

CSCvt04560 SCTP heartbeats failing across the firewall in Cluster deploymnet.

CSCvt27585 Observed traceback on 2100 while performing Failover Switch from Standby.

CSCvt40306 ASA:BVI interface of standby unit stops responding after reload

CSCvu58153 Display RADIUS port representation as little-endian instead of big-endian

CSCvv87232 ASA: High number of CPU hog in igb_saleen_io_sfp_mod_poll_thread process

CSCvv90720 ASA/FTD: Mac address-table flap seen on connected switch after a HA switchover

CSCvv94701 ASA keeps reloading with "octnic_hm_thread". After the reload, it takes very long time to recover.

CSCvw00161 ASA traceback and reload due to VPN thread on firepower 2140

CSCvw12008 ASA traceback and reload while executing "show tech-support" command

CSCvw21844 FTD traceback and reload on DATAPATH thread when processing encapsulated flows

CSCvw37259 VPN syslogs are generated at a rate of 600/s until device goes into a hang state

CSCvx09248 SNMP walk for v2 and v3 fails with No Such Object available on this agent at this OID is seen

CSCvt29771 invalid Response message when we change the security zone from the object management page

CSCvt89183 FDM unable to load CA signed certificate via Management Web Server

CSCvu75315 Report does not show intrusion events on bar and pie charts after upgrade to 6.6.0

CSCvu79102 FTD-API/FDM: HA Synchronization Status Fails on Standby

CSCvv40316 FDM - Unable to add the BGP 11th neighbor using smart CLI routing object

CSCvx09324 Config Import fails when named/unnamed SubInterface inside the unnamed Etherchannel interface

CSCvu45822 ASA experienced a traceback and reloaded

CSCvv04584 Multicast traffic is being dropped with the resson no-mcast-intrf

CSCvg69380 ASA - rare cp processing corruption causes console lock

CSCvt73407 TACACS Fallback authorization fails for Username enable_15 on ASA device.

CSCvu29660 Block exhaustion snapshot not created when available blocks goes to zero

CSCvu97764 FTD in TAP mode won't capture on egress interfaces

CSCvv36518 ASA: Extended downtime after reload after CSCuw51499 fix

CSCvv36725 ASA logging rate-limit 1 5 message ... limits to 1 message in 10 seconds instead of 5

CSCvv37108 ASA silently dropping OSPF LS Update messages from neighbors

CSCvv52591 DMA memory leak in ctm_hw_malloc_from_pool causing management and VPN connections to fail

CSCvv67500 ASA 9.12 random traceback and reload in DATAPATH

CSCvw45863 ASAv snmp traceback on reload

CSCvw47321 IPSec transport mode traffic corruption for inbound traffic for some FPR platforms

CSCvw51462 IPv4 Default Tunneled Route Rejected

CSCvw53427 ASA Fails to process HTTP POST with SAML assertion containing multiple query parameters

CSCvw84786 ASA traceback and reload on Thread name snmp_alarm_thread

CSCvr55741 FMC shows policies out of date after successful deploy

CSCvt31292 FTD device might not send events to SSE

CSCvu63397 Integer overflow (in FileExtract Health Alert) causes log spam "file capture perf stats"

CSCvu82272 Upgrade on Firepower Management Center may fail due to inactive stale entries of managed devices

CSCvu85421 deployment failure with the message: no crypto map s2sCryptoMap interface inside

CSCvv59676 Snort2: Implement aggressive pruning for certificate cache for TLS to free up memory

CSCvv79705 Upgrade to 6.6.0 or 6.6.1 failed on 800_post/100_ftd_onbox_data_import.sh due to NPE on POE

CSCvw49531 Applications are being misclassified after VDB upgrade.

CSCvw60741 "show version" gives no output after upgrading to 6.6.1

CSCvv23370 Observed traceback in FPR2130 while running webVPN, SNMP related traffic.

CSCvv28997 ASA Traceback and reload on thread name Crypto CA

CSCvv44051 Cluster unit traceback on snp_cluster_forward_and_free_packet due to GRE/IPiniP passenger flows

CSCvv44270 ASAv5 reloads without traceback.

CSCvv54831 ASA traceback and reload when running Packet Tracer commands

CSCvo34210 ASA running 9.6.4.20 Traceback in threadname Unicorn Proxy Thread

CSCvt15163 Cisco ASA and FTD Software Web Services Information Disclosure Vulnerability

CSCvu48886 FTD deployment failure when removing non-default "crypto ikev2 limit max-in-negotiation-sa"

CSCvu93278 Observed crash in KP while working on AnyConnect-IKEv2 scaled connections.

CSCvv16082 stress/low memory: assert: mh->mh_mem_pool > MEMPOOL_UNDEFINED && mh->mh_mem_pool < MEMPOOL_MAX_TYPE

CSCvv25394 After upgrade ASA swapped names for disks, disk0 became disk1 and vice versa.

CSCvv58332 ASA/FTD is reading BGP MP_REACH_NLRI attribute's next-hop bytes in reverse order

CSCvw16619 Offloaded traffic not failed over to secondary route in ECMP setup

CSCvw19907 restart of snmpd for agx communication fail to snmp-sa

CSCvw31569 Director/Backup flows are left behind and traffic related to this flow is blackholed

CSCvw43486 ASA/FTD Traceback and reload during PBR configuration change

CSCvt39292 LDAPS External users can't 'sudo su' on Firepower 4110

CSCvt86467 c3p0 0.9.5.2 allows XXE in extractXmlConfigFromInputStream in com/mcha

CSCvu85381 HA Re-formation fails following a policy deploy failure on standby

CSCvv09477 Vulnerability in the MySQL Server product of Oracle MySQL (component:

CSCvv43771 Unable to select multiple devices for scheduled backups

CSCvv43864 Preview change log is blank when changes are made to the policy

CSCvv51623 Manual-NAT-rule is moved to before-auto-nat-section in Lina's running config after
deployment.

CSCvv62931 FTD does not send Server Hello & Server Certificate to the client when
src.port==dst.port

CSCvw23286 High CPU usage my Mysql on FMC due to database optimizer exiting prematurely

CSCvw38870 FMC upgrade to 6.7.0 failed at 800_post/1027_ldap_external_auth_fix.pl

CSCvw66953 upgrade failing when converting URL categories to Beaker

CSCvx01381 FMC GUI year drop-down list for Manual Time set up only listing until 2020

CSCvu43827 ASA & FTD Cluster unit traceback in thread Name "cluster config sync" or
"fover_FSM_thread"

CSCvu48285 ASA configured with TACACS REST API: /cli api fail with "Command authorization
failed" message

CSCvv02245 ASA 'session sfr' command disconnects from FirePOWER module for initial setup

CSCvv08684 Cluster site-specific MAC addresses not rewritten by flow-offload

CSCvv34003 snmpwalk for OID 1.3.6.1.2.1.47.1.1.1.1.5 on ISA 3000 returning value of 0 for .16
and .17

CSCvv57842 WebSSL clientless user accounts being locked out on 1st bad password

CSCvr33428 FMC generates Connection Events from a SYN flood attack

CSCvs07922 Active ASA generates logging messages with incorrect IP for WebVPN with IPv6

CSCvs81763 vFTD not able to pass vlan tagged traffic (trunk mode)

CSCvt56923 FTD manual certificate enrollment fails with "&" (ampersand) in Organisation subject
field

CSCvt70664 ASA: acct-session-time accounting attribute missing from Radius Acct-Requests for
AnyConnect


CSCvt70879 "clear configure access-list" on ACL used for vpn-filter breaks access to resources

CSCvt89790 Setting "snmp-server location" sets same value for "snmp-server contact" as well on
ASA 9.14.1

CSCvt97205 SNMPPOLL/SNMPTRAP to remote end (site-to-site vpn) ASA interface fails on ASA
9.14.1

CSCvt99137 With huge FTP traffic in cluster, the SEC_FLOW messages are in a retransmit loop

CSCvu40834 Fix merge damage for calendar update on native SSP platforms

CSCvu59573 Group-URL starting with "admin" does not work properly

CSCvu98222 FTD Lina engine may traceback in datapath after enabling SSL decryption policy

CSCvu98468 SDI: SDI File doesn't get synced to the standby if new device joins in Failover

CSCvv37629 Malformed SIP packets leads to 4k block hold-up till SIP conn timeout causing probable
traffic issue

CSCvv53696 ASA/FTD traceback and reload during AAA or CoA task of Anyconnect user

CSCvv87496 ASA cluster members 2048 block depletion due to "VPN packet redirect on peer"

CSCvw22881 radius_rcv_auth can shoot up control plane CPU to 100%.

CSCvw30252 ASA/FTD may traceback and reload due to memory corruption in SNMP

CSCvw83572 BVI HTTP/SSH access is not working in versions 9.14.1.30 or above

CSCvw83780 Standby FTD 6.6.1 core at Process Name: lina

CSCvx09123 M500IT Model Solid State Drives on ISA3000 may go unresponsive after 3.2 Years
in service

CSCvx17785 Crash seen consistently by adding/removing acl & entering into route-map command

CSCvv55066 FPR1010: Internal-Data0/0 and data interfaces are flapping during SMB file transfer

CSCvs71969 Multiple Cisco Products Snort HTTP Detection Engine File Policy Bypass Vulnerability

CSCvt15056 SFR managed by ASDM: System policy does not apply.

CSCvt80172 Supervisor software needs to be upgraded to address CVE-2017-11610

CSCvu17819 Upgrade to 6.7.0 for SSH RBAC on vFTD is failing

CSCvu32449 FDM: AnyConnect "Validation failed due to duplicate name:"

CSCvv25839 reCAPTCHA is not working when SSl decryption is enable.

CSCvv46490 Policy Deployment Failure on FMC due to ERROR in SnortAttribConfig


CSCvw62820 memcached 1.5.6 or higher update

Version 6.6.1 Resolved Issues


Table 46: Version 6.6.1 Resolved Issues

Caveat ID Number Description

CSCtb41710 ASA revocation-check to fall back to none only if CDP is unavailable

CSCvb92169 ASA should provide better fragment-related logs and ASP drop reasons

CSCvh19161 ASA/FTD traceback and reload in Thread Name: SXP CORE

CSCvk51778 "show inventory" (or) "show environment" on ASA 5515/5525/5545/5555 shows up
Driver/ioctl error logs

CSCvn64647 ASA traceback and reload due to tcp_retrans_timeout internal thread handling

CSCvn82441 [SXP] Issue with establishing SXP connection between ASA on FPR-2110 and switches

CSCvn93683 ASA: cluster exec show commands not show all output

CSCvn95731 ASA traceback and reload on Thread Name SSH

CSCvq87625 ENH: Addition of 'show run all sysopt' to 'show tech' output

CSCvq93836 ENH: Addition of 'show logging setting' to 'show tech' output

CSCvr02080 CPU Hogs observed in CERT API process while decoding the CRL with large number
of entries in it

CSCvr15503 ASA: SSH and ASDM sessions stuck in CLOSE_WAIT causing lack of MGMT for
the ASA

CSCvr57051 Policy deployment failed with error "Can't use an undefined value as a HASH reference"

CSCvr58411 RRI on static HUB/SPOKE config is not working on HUB when a new static SPOKE
is added or deleted

CSCvr60195 ASA/FTD may traceback and reload in Thread Name 'HTTP Cli Exec'

CSCvr98881 Traceback: FTD ZeroMQ memory assertion

CSCvr99642 ASA traceback and reload multiple times with trace "webvpn_periodic_signal"

CSCvs09533 FP2100: Traceback and reload when processing traffic through more than two inline
sets


CSCvs21705 admin user is not authorized to access the device routing configuration inside the
domain.

CSCvs33852 After upgrade to version 9.6.4.34 is not possible to add an access-group

CSCvs38785 Inconsistent timestamp format in syslog

CSCvs39253 Firepower 7000 & 8000 cannot sent emails on version 6.4

CSCvs41883 Deployment fails after upgrading to 6.4.0.x if ND policy refs are missing

CSCvs45111 WR6 and WR8 commit id update in CCM layer(sprint 75)

CSCvs52108 ASA Traceback Due to Umbrella Inspection

CSCvs55603 ICMP Reply Dropped when matched by ACL

CSCvs59056 ASA/FTD Tunneled Static Routes are Ignored by Suboptimal Lookup if Float-Conn
is Enabled

CSCvs64510 Deployment failure with message (Can't call method "binip" on unblessed reference)

CSCvs72393 FPR1010 temperature thresholds should be changed

CSCvs73754 ASA/FTD: Block 256 size depletion caused by ARP of BVI not assigned to any physical
interface

CSCvs79023 ASA/FTD Traceback in Thread Name: DATAPATH due to DNS inspection

CSCvs82829 Calls fail once anyconnect configuration is added to the site to site VPN tunnel

CSCvs88413 Port-channel bundling is failing after upgrade to 9.8 version

CSCvs90100 ASA/FTD may traceback and reload in Thread Name 'License Thread'

CSCvs94061 NTP script error leading to clock drift and traffic interruption

CSCvs97863 Reduce number of fsync calls during close in flash file system

CSCvt00113 ASA/FTD traceback and reload due to memory leak in SNMP community string

CSCvt01282 WR6 and WR8 commit id update in CCM layer(sprint 79)

CSCvt01397 Deployment is marked as success although LINA config was not pushed

CSCvt02409 9.12.2.151 snp_cluster_ingress traceback on FPR9300 3-node cluster nested VLAN
traffic

CSCvt03598 Cisco ASA Software and FTD Software Web Services Read-Only Path Traversal
Vulnerability

CSCvt05862 IPv6 DNS server resolution fails when the server is reachable over the management
interface.


CSCvt06606 Flow offload not working with combination of FTD 6.2(3.10) and FXOS 2.6(1.169)

CSCvt06841 Incorrect access-list hitcount seen when configuring it with a capture on ASA

CSCvt11742 ASA/FTD may traceback and reload in Thread Name 'ssh'

CSCvt12463 ASA: Traceback in thread Unicorn Admin Handler

CSCvt13730 FP1010 / 2100 - FTD: Management port down/down after FTD upgrade to release
6.6.0

CSCvt15062 FTD 2100: Packet drops during the transition of BYPASS to NON-BYPASS when
device is rebooted

CSCvt16642 FMC not sending some audit messages to remote syslog server

CSCvt18337 Failover got disabled on HA node after upgrade

CSCvt20709 Wrong direction in SSL-injected RESET causes it to exit through wrong interface,
causing MAC flap

CSCvt21041 FTD Traceback in thread 'ctm_ipsec_display_msg'

CSCvt23643 VPN failover recovery is taking approx. 30 seconds for data to resume

CSCvt24328 FTD: Traceback and reload related to lina_host_file_open_raw function

CSCvt26031 ASAv Unable to register smart licensing with IPv6

CSCvt26067 Active FTP fails when secondary interface is used on FTD

CSCvt28182 sctp-state-bypass is not getting invoked for inline FTD

CSCvt29049 FPR2100 - ASA in Appliance Mode - SNMP Delay

CSCvt30731 WR6, WR8 and LTS18 commit id update in CCM layer(sprint 80)

CSCvt34894 Snort consumes excessive memory which is leading to performance problems.

CSCvt35233 Excessive logging from the daq modules process_snort_verdict verdict blacklist

CSCvt35945 Encryption-3DES-AES should not be required when enabling ssh version 2 on 9.8
train

CSCvt36542 Multi-context ASA/LINA on FPR not sending DHCP release message

CSCvt37881 Block page for https not working

CSCvt38279 Erase disk0 on ISA3000 causes file system not supported

CSCvt39135 snort instances CPU spikes to >90% at low non-SSL traffic with SSL policy applied

CSCvt39349 Registration of device should be allowed as long as deploy status = DEPLOYED or
FAILED


CSCvt41333 Dynamic RRI route is not destroyed when IKEv2 tunnel goes down

CSCvt43967 Pad packets received from RA tunnel which are less than or equal 46 bytes in length
with zeros

CSCvt45206 Event search may fail when searching events that existed before upgrade

CSCvt45863 Crypto ring stalls when the length in the ip header doesn't match the packet length

CSCvt46289 ASA LDAPS connection fails on Firepower 1000 Series

CSCvt46830 FPR2100 'show crypto accelerator statistics' counters do not track symmetric crypto

CSCvt50528 Warning Message for default settings with Installation of Certificates in ASA/FTD -
CLI

CSCvt50946 Stuck uauth entry rejects AnyConnect user connections despite fix of CSCvi42008

CSCvt51346 PKI-CRL: Memory Leak on Download and Clear Large CRL

CSCvt51348 PKI-CRL: Memory Leak on Download Large CRL in loop without clearing it

CSCvt51349 Fragmented packets forwarded to fragment owner are not visible on data interface
captures

CSCvt51987 Traffic outage due to 80 size block exhaustion on the ASA FPR9300 SM56

CSCvt52607 Reduce SSL HW mode flow table memory usage to reduce the probability of Snort
going in D state

CSCvt52782 ASA traceback Thread name - webvpn_task

CSCvt53640 ASA5585 traceback and reload after upgrading SFR from 6.4.0 to 6.4.0.9-34

CSCvt54182 LINA cores are generated when FTD is configured to do SSL decryption.

CSCvt59015 KP IOQ driver. Add defensive parameter and state checks.

CSCvt59770 FTD: Failure to retrieve certificate via SCEP will cause outage

CSCvt61370 Events may stop coming from a device due to a communication deadlock

CSCvt63484 ASA High CPU with igb_saleen_io_sfp_mod_poll_thre process

CSCvt64035 remote acess mib - SNMP 64 bit only reporting 4Gb before wrapping around

CSCvt64270 ASA is sending failover interface check control packets with a wrong destination mac
address

CSCvt64822 ASA may traceback and unexpectedly reload after SSL handshake

CSCvt65982 Route Fallback doesn't happen on Slave unit, upon RRI route removal.

CSCvt66351 NetFlow reporting impossibly large flow bytes


CSCvt68131 FTD traceback and reload on thread "IKEv2 Mgd Timer Thread"

CSCvt68294 Adjust Firepower 4120 Maximum VPN Session Limit to 20,000

CSCvt68819 Copy to clipboard may fail when copying events that existed before upgrade

CSCvt73806 FTD traceback and reload on FP2120 LINA Active Box. VPN

CSCvt75241 Redistribution of VPN advertised static routes fail after reloading the FTD on FPR2100

CSCvt75741 Get netsnmp-5.8 compiled with AES 192/256 support

CSCvt79777 duplicate ip addresses in sfipproxy.conf

CSCvt79988 Policy deployment failure due to snmp configuration after upgrading FMC to 6.6

CSCvt80126 ASA traceback and reload for the CLI "show asp table socket 18421590 det"

CSCvt83133 Unable to access anyconnect webvpn portal from google chrome using group-url

CSCvt85815 Policy Deployment fails after enabling "Sensitive Data Detection"

CSCvt86188 SNMP traps can't be generated via diagnostic interface

CSCvt90330 ASA traceback and reload with thread name coa_task

CSCvt91258 FDM: None of the NTP Servers can be reached - Using Data interfaces as Management
Gateway

CSCvt91521 Crypto accelerator bias setting should be included in show tech

CSCvt92647 Connectivity over the state link configured with IPv6 addresses is lost after upgrading
the ASA

CSCvt93142 ASA should allow null sequence encoding in certificates for client authentication.

CSCvt93177 Disable Full Proxy to Light Weight Proxy by Default. (FP2LWP) on FTD Devices

CSCvt95517 Certificate mapping for AnyConnect on FTD stops working.

CSCvt97917 ASAv on AWS 9.13.1.7 BYOL image cannot be enabled for PLR

CSCvt98599 IKEv2 Call Admission Statistics "Active SAs" counter out of sync with the real number
of sessions

CSCvu00112 tsd0 not reset when ssh quota limit is hit in ci_cons_shell

CSCvu01039 Traceback: Modifying FTD inline-set tap-mode configuration with active traffic

CSCvu03107 AnyConnect statistics is doubled in both %ASA-4-113019 and RADIUS accounting

CSCvu03562 Device loses ssh connectivity when username and password is entered

CSCvu03675 FPR2100: ASA console may hang & become unresponsive in low memory conditions


CSCvu04279 ASAv/AWS: Unable to upgrade or downgrade C5 ASAv code on AWS

CSCvu05180 aaa-server configuration missing on the FTD after a Remote Access VPN policy
deployment

CSCvu05216 cert map to specify CRL CDP Override does not allow backup entries

CSCvu05336 ASAv - Traceback and reload on SNMP process

CSCvu05821 Timestamp format will be shown always in UTC

CSCvu07602 FPR-41x5: 'clear crypto accelerator load-balance' will cause a traceback and reload

CSCvu07880 ASA on QP platforms display wrong coredump filesystem space (50 GB)

CSCvu08013 DTLS v1.2 and AES-GCM cipher when used drops a particular size packet frequently.

CSCvu09199 Push upgrade image is taking 30 mins for 6.6.0 ftd image on 6.7.0 FMC

CSCvu10053 ASA traceback and reload on function snmp_master_callback_thread

CSCvu10900 Tons of ssl-certs-unified.log files, contributing to 9GB in troubleshoot

CSCvu12039 Slave unit might fail to synchronize SCTP configuration from the cluster master after
bootup

CSCvu12248 ASA-FPWR 1010 traceback and reload when users connect using AnyConnect VPN

CSCvu12307 FTD-HA: "ERROR: The specified AnyConnect Client image does not exist."

CSCvu12684 HKT - Failover time increases with upgrade to 9.8.4.15

CSCvu13287 FDM unable to import certificate with no subject or issuer - fails upgrade as well

CSCvu15611 FTD-HA: Standby failed to join HA "CD App Sync error is App Config Apply Failed"

CSCvu17924 FTD failover units traceback and reload on DATAPATH

CSCvu17965 ASA generated a traceback and reloaded when changing the port value of a manual
nat rule

CSCvu18510 MonetDB's eventdb crash causes loss of connection events on FMC 6.6.0

CSCvu20007 Config_XML_Response from LINA is not in the correct format,Lina reporting as No
memory available.

CSCvu20257 WR6, WR8 and LTS18 commit id update in CCM layer (sprint 85)

CSCvu23289 Disk filled by numerous neostore.transaction.db.* files, causing neo4j issues

CSCvu25030 FTD 6.4.0.8 traceback & reload on thread name : CP processing

CSCvu26296 ASA interface ACL dropping snmp control-plane traffic from ASA


CSCvu26561 WebVPN SSO Gives Unexpected Results when Integrated with Kerberos

CSCvu26658 SFDataCorrelator can drop events during backup operations

CSCvu29145 Snort flow IP profiling cannot be enabled using command 'system support
flow-ip-profiling start'

CSCvu29395 Traceback observed while performing master role change with active IGMP joins

CSCvu30512 PKI-CRL: Traceback observed while clearing CRL with memory tracking enabled

CSCvu32698 ASA Crashes in SNMP while joining the cluster when key config-key
password-encryption" is present

CSCvu34413 SSH keys lost in ASA after reload

CSCvu36539 Upgrade will fail if a smart licensed device is upgraded from 6.2.2 -> 6.4.0 -> 6.6.0.

CSCvu37547 Memory leak: due to resource-limit MIB handler, eventually causing reload

CSCvu38795 FTD firewall unit cannot join the cluster after a traceback due to invalid interface
GOID entry

CSCvu40213 ASA traceback in Thread Name kerberos_recv

CSCvu40324 ASA traceback and reload with Flow lookup calling traceback

CSCvu40398 ASAv reload due to FIPS SELF-TEST FAILURE after enabling FIPS

CSCvu40531 FXOS LACP packet logging to pktmgr.out and lacp.out fills up /opt/cisco/platform/logs
to 100%

CSCvu42434 ASA: High CPU due to stuck running SSH sessions / Unable to SSH to ASA

CSCvu43924 GIADDR of DHCP Discover packet is changed to the ip address of dhcp-network-scope

CSCvu45748 ASA traceback in threadname 'ppp_timer_thread'

CSCvu49625 [PKI] Standard Based IKEv2 Certificate Auth session does second userfromcert lookup
unnecessarily

CSCvu53258 FMC pushes certificate map incorrectly to lina

CSCvu53585 Elektra onbox policy deployment failure after upgrade to 6.6.0

CSCvu55843 ASA traceback after TACACS authorized user made configuration changes

CSCvu57834 syslog-ng process utilizing 100% CPU

CSCvu60011 FTD: Snort policy changes deployed to a HA on failed state are not fully synced

CSCvu61704 ASA high CPU with intel_82576_check_link_thread impacting on overall unit
performance


CSCvu63458 FPR2100: Show crash output on show tech does not display outputs from most recent
tracebacks

CSCvu65070 Lina 9.14: Improve debug snmp framework to use agentx and avoid SIGHUP

CSCvu65688 IKEv2 CAC "Active SAs" counter out of sync with the real number of sessions despite
CSCvt98599

CSCvu65843 FP2100: Fiber SFP Interfaces down due to autonegotiation changes in 6.6.0

CSCvu65936 FDM 6.6.0 upgrade(or)configImport fail with EtherChannelInterface as failoverlink
validation failure

CSCvu66119 URL rules are incorrectly promoted on series 3 resulting in traffic matching the wrong
rule.

CSCvu70529 Binary rules (SO rules) are not loaded when snort reloads

CSCvu72094 ASA traceback and reload on thread name DATAPATH

CSCvu72278 In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS fra

CSCvu72280 The compile_bracket_matchingpath function in pcre_jit_compile.c in PCR

CSCvu72658 AnyConnect Connected Client IPs Not Advertised into OSPF Intermittently

CSCvu73207 DSCP values not preserved in DTLS packets towards AnyConnect users

CSCvu75594 FTD: Traceback and reload when changing capture buffer options on a already applied
capture

CSCvu75930 Service module not returning error to supervisor when SMA resources are depleted

CSCvu75993 Transparent Traffic doesn't pass on FTDv deployed in KVM (Routed mode)

CSCvu77095 ASA unable to delete ACEs with remarks and display error "Specified remark does
not exist"

CSCvu78721 Cannot change (modify) interface speed after upgrade

CSCvu79125 Advanced Malware Risk Report Generation Failed

CSCvu80143 Snmpd not coming back up after traceback in 9.14.1.12

CSCvu82918 HA sync fails on standby with unexpected error

CSCvu83178 EIGRP summary route not being replicated to standby and causing outage after
switchover

CSCvu83599 ASA may traceback and unexpectedly reload on Thread snmp_alarm_thread

CSCvu90727 Native VPN client with EAP-TLS authentication fails to connect to ASA

CSCvu91105 High unmanaged disk usage on /ngfw due to large process_stdout.log file


CSCvu98197 HTTPS connections matching 'Do not decrypt' SSL decryption rule may be blocked

CSCvu98708 ASA: HA : SNMP poll failing on the standby on IPv6 interface

CSCvv03130 'show banner' command on FTD clish does not return any output

CSCvv04092 Attempting to view events generates incorrect sql

CSCvv09944 Lina Traceback during FTD deployment when WCCP config is being pushed

CSCvv10948 FDM upgrade - There are no visible pending changes on UI -- but upgrade is not
starting

CSCvv12273 SNMP get-response using snmpget with multiple OIDs on hardwareStatus MIB returns
noSuchObject

CSCvv12943 Threat data is missing GID:SID fields in FDM 6.5+ versions, it was present in 6.4
(CDO Impacting)

CSCvv12988 tomcat does not recover gracefully after getting killed during backup

CSCvv14442 FMC backup restore fails if it contains files/directories with future timestamps

CSCvv17434 Kenton5508 upgrade from 6.2.3 -> 6.6.1-50 has failed

CSCvv21782 6.6.1: Prefilter Policy value shown as Invalid ID for all the traffic in ASA SFR Platform

CSCvv26786 ASA traceback and reload unexpectedly on "Process Name: lina"

CSCvv26845 ASA: Watchdog Traceback and reload on SNMP functions

CSCvv27750 High unmanaged disk usage on /ngfw due to logs not rotating

CSCvv29275 FMC OSPF area limits until 49 entries. Upon adding 50th entry, process gets disabled
automatically

CSCvv30371 SNMP: Memory leak in VPN polling

CSCvv31334 Lina traceback and reload seen on trying to Switch peer on KP HA with 6.6.1-63 (lock
nested crash)

CSCvv33013 FDM: Unable to add the secret key with the character ^ @ _

CSCvv33621 vftd: diskmanager monitoring doesnt work correctly on upgrade

CSCvv69991 FTD stuck in Maintenance Mode after upgrade to 6.6.1

CHAPTER 8
Known Issues
We do not list known issues for maintenance releases.
If your upgrade skips versions, you should read the known issues for the major versions you are skipping.
See the appropriate Cisco Firepower Release Notes.
• Searching for Known Issues

Searching for Known Issues


If you have a support contract, you can use the Cisco Bug Search Tool to obtain an up-to-date list of open
bugs for Firepower products. You can constrain searches to bugs affecting specific Firepower platforms and
versions. You can also search by bug ID, or for specific keywords.

These general queries display open bugs for Firepower products running Version 6.6.x maintenance releases:
• Firepower Management Center
• Firepower Management Center Virtual
• Firepower Threat Defense
• Firepower Threat Defense Virtual
• ASA with FirePOWER Services
• NGIPSv

CHAPTER 9
For Assistance
Thank you for choosing Firepower.
• Online Support Resources
• Contact Cisco

Online Support Resources


Cisco provides online resources to download documentation, software, and tools, to query bugs, and to open
service requests. Use these resources to install and configure Firepower software and to troubleshoot and
resolve technical issues.
• Cisco Support & Download site: https://www.cisco.com/c/en/us/support/index.html
• Cisco Bug Search Tool: https://tools.cisco.com/bugsearch/
• Cisco Notification Service: https://www.cisco.com/cisco/support/notifications.html
• Documentation for this release: Documentation, on page 53

Access to most tools on the Cisco Support & Download site requires a Cisco.com user ID and password.

Contact Cisco
If you cannot resolve an issue using the online resources listed above, contact Cisco TAC:
• Email Cisco TAC: [email protected]
• Call Cisco TAC (North America): 1.408.526.7209 or 1.800.553.2447
• Call Cisco TAC (worldwide): Cisco Worldwide Support Contacts
