Cisco ASA uptime over 200 days? You may need a reboot

This field notice was sent out at the end of last month.
Updated: Mar 30, 2017
Document ID: FN64291

NOTICE:

THIS FIELD NOTICE IS PROVIDED ON AN “AS IS” BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Revision History

Revision    Date           Comment
1.0         30-MAR-2017    Initial Public Release

Products Affected

CISCO FIREPOWER 6.1.0.1
CISCO FIREPOWER 6.1.0.2
CISCO FIREPOWER 6.2.0
ASA 9.1.7.11
ASA 9.1.7.12
ASA 9.1.7.13
ASA 9.1.7.15
ASA 9.1.7.9
ASA 9.2.4.15
ASA 9.2.4.17
ASA 9.2.4.18
ASA 9.4.3.11
ASA 9.4.3.12
ASA 9.4.3.6
ASA 9.4.3.8
ASA 9.4.4
ASA 9.4.4.2
ASA 9.5.3
ASA 9.5.3.1
ASA 9.5.3.2
ASA 9.5.3.6
ASA 9.6.2.1
ASA 9.6.2.11
ASA 9.6.2.13
ASA 9.6.2.2
ASA 9.6.2.3
ASA 9.6.2.4
ASA 9.6.2.7
ASA 9.6.3
ASA 9.7.1
ASA 9.7.1.2

Problem Description

All Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) devices that run the affected software versions do not pass network traffic after approximately 213 days 12 hours (~ 5,124 hours) of uptime.

In the near term, immediately reboot the deployed security appliances in order to prevent this issue.

Background

On March 29, 2017 Cisco became aware of an issue that affects all Cisco ASA and Cisco FTD security appliances that run certain versions of software. The affected versions of software cause the security appliance to stop passing network traffic after approximately 213 days 12 hours (~ 5,124 hours) of uptime.

The issue detailed in this Field Notice is not a security vulnerability and there is no associated risk to the integrity of the security appliance.

Problem Symptoms

The Cisco ASA and Cisco FTD security appliances stop passing all network traffic.

Entering the show asp drop command over the console port will indicate that packets are being dropped due to the reason punt-rate-limit-exceeded.

Workaround/Solution

In order to mitigate the risk and impact of the device not passing network traffic, Cisco urges customers to proactively reboot their Cisco ASA and Cisco FTD security appliances that run affected versions of the software.

For customers with failover configurations, it is recommended to reboot the standby devices first, make them active after they complete booting, and then reboot the formerly active devices. Customers with clustering configurations should remove one slave at a time from the cluster, reboot it, and rejoin it until each slave has been rebooted. Then, move the master to one of the rebooted devices, remove the former master from the cluster, reboot it, and have it rejoin.

The reboot of the security appliance must be performed prior to 213 days 12 hours of uptime. After the reboot, the security appliance avoids an encounter with this issue for another 213 days 12 hours.

Enter the show version | grep up command in order to display the uptime of the security appliance.

The output is shown here:

ciscoasa# show version | grep up
Config file at boot was "startup-config"
ciscoasa up 210 days 11 hours
failover cluster up 210 days 11 hours
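
The uptime check described above can be scripted across a fleet. The following is an added example, not part of the field notice or Cisco tooling: it parses the `show version | grep up` output, computes the hours left before the 213 days 12 hours limit, and matches a release against the Products Affected list. The function names, the 14-day warning margin, the 365-day year and the acceptance of the `9.6(2)13` version notation are assumptions.

```python
import re

# Limit stated in the field notice: 213 days 12 hours (~5,124 hours) of uptime.
LIMIT_HOURS = 213 * 24 + 12
# ASA releases copied from the "Products Affected" list (dotted form).
AFFECTED_ASA = set("""
9.1.7.9 9.1.7.11 9.1.7.12 9.1.7.13 9.1.7.15 9.2.4.15 9.2.4.17 9.2.4.18
9.4.3.6 9.4.3.8 9.4.3.11 9.4.3.12 9.4.4 9.4.4.2 9.5.3 9.5.3.1 9.5.3.2
9.5.3.6 9.6.2.1 9.6.2.2 9.6.2.3 9.6.2.4 9.6.2.7 9.6.2.11 9.6.2.13 9.6.3
9.7.1 9.7.1.2
""".split())
# Assumption: a year in the uptime string is counted as 365 days.
UNIT_HOURS = {"year": 8760, "day": 24, "hour": 1, "min": 1 / 60, "sec": 1 / 3600}
UP_LINE = re.compile(r"^(.+?) up (\d+ .+)$")

def is_affected_asa(version):
    """Accept 9.6(2)13 or 9.6.2.13 and compare against the notice's list."""
    dotted = re.sub(r"[()]", ".", version.strip()).strip(".")
    return dotted in AFFECTED_ASA

def uptime_hours(output):
    """Map each '<name> up <n> <unit> ...' line to total hours of uptime."""
    found = {}
    for line in output.splitlines():
        m = UP_LINE.match(line.strip())
        if m:
            parts = re.findall(r"(\d+) (year|day|hour|min|sec)s?\b", m.group(2))
            found[m.group(1)] = sum(int(n) * UNIT_HOURS[u] for n, u in parts)
    return found

def reboot_plan(output, margin_hours=14 * 24):
    """Return (name, hours_left, status) per uptime line; margin is a local choice."""
    plan = []
    for name, hours in uptime_hours(output).items():
        left = LIMIT_HOURS - hours
        status = "past-limit" if left <= 0 else "reboot-now" if left <= margin_hours else "ok"
        plan.append((name, left, status))
    return plan

# Sample input: the command output shown in the notice above.
SAMPLE = '''ciscoasa# show version | grep up
Config file at boot was "startup-config"
ciscoasa up 210 days 11 hours
failover cluster up 210 days 11 hours
'''

if __name__ == "__main__":
    for name, left, status in reboot_plan(SAMPLE):
        print(f"{name}: {left:.0f} h before the limit -> {status}")
```

For the sample output, the appliance has 73 hours left before the limit, so it falls inside the warning margin.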

The device can be rebooted with one of these methods.

For ASA security appliances:
CLI – Enter the reload command in privileged mode.
ASDM GUI – Choose Tools > System Reload.

For FTD security appliances:
CLI – Enter the reboot command in privileged mode.
Firepower Management Center – Choose Devices > Device Management, double-click FTD, then choose the Device tab. In the System section, click the Restart Device icon.

For both ASA and FTD security appliances, a physical power-cycle can be used in order to perform a reboot.

Updated ASA and FTD software versions that address this issue will be published in the coming weeks and will be available from the Cisco Software Download Center.

CDETS

To follow the bug ID link below and see detailed bug information, you must be a registered customer and you must be logged in.

CDETS: CSCvd78303 (registered customers only)
Description: ARP functions fail after 213 days of uptime, drop with error ‘punt-rate-limit-exceeded’

 

http://www.cisco.com/c/en/us/support/docs/field-notices/642/fn64291.html