
On March 29, Cisco became aware of several customer outages involving different releases and models of Cisco ASA and Cisco Firepower Threat Defense (FTD) appliances. Cisco has published a Field Notice urging customers who are running specific software releases to reboot their devices to prevent the device from hanging and ceasing to pass traffic.

The issue is documented in Cisco Bug ID CSCvd78303.

Cisco ASA and Cisco FTD devices are affected by a functional software defect that causes the device to stop passing traffic after 213 days of uptime. The affected software versions are listed in the Field Notice.

The issue is due to a software regression introduced when addressing Cisco bug ID CSCva03607. The impact of the current issue is limited to device operability: it is not a vulnerability, nor is there continued exposure to the vulnerability that was already addressed. This issue cannot be triggered by a threat actor.

Workarounds Are Available

Updated software versions that address this issue will be published in the coming weeks. Cisco is proactively notifying customers of available workarounds that mitigate this issue.

To mitigate the risk and impact of a device that stops passing traffic, Cisco urges customers to proactively reboot their Cisco ASA or FTD devices that are running affected versions; fixed software should be available for those rebooted devices before they are at risk of hitting the issue again.

To display the device uptime, use the show version | grep up command, as shown below:

You can also use the show asp drop command over a console connection to determine the reason for packets being dropped. In this case the show asp drop command will indicate the drop reason as “punt rate limit exceeded”, as shown below:


If you have deployed Cisco ASAs in failover mode, you can first perform the reboot on the standby unit, and then reboot the primary, in order to minimize downtime.

Similarly, you can refer to the “Perform Zero-Downtime Upgrades for Failover Pairs” section of the following document when ultimately upgrading the firewall:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/111867-asa-failover-upgrade.html#zerotime
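As an added example (not Cisco's own tooling or output), the following script applies the two checks above to constructed "show version | grep up" and "show asp drop" text, flagging devices that are approaching or past the 213-day point; the uptime unit table and the 7-day warning window are assumptions.

```python
import re

# Cisco Bug ID CSCvd78303: affected ASA/FTD releases stop passing traffic
# after 213 days of uptime, so a device must be rebooted before that point.
HANG_DAYS = 213

# Constructed sample lines from "show version | grep up" (not real output);
# the "<host> up N days N hours" wording follows the ASA format.
SAMPLE_UPTIME = [
    "asa-primary up 212 days 5 hours",
    "asa-standby up 3 days 12 hours",
    "asa-dmz up 214 days 1 hour",
]

# Constructed excerpt of "show asp drop" on a device already hit by the bug.
SAMPLE_ASP_DROP = """Frame drop:
  Punt rate limit exceeded (punt-rate-limit)                  18342
  Flow is denied by configured rule (acl-drop)                    7
"""

# Assumption: the units that may appear in the uptime string, in days.
_UNIT_DAYS = {"year": 365, "week": 7, "day": 1, "hour": 1 / 24, "min": 1 / 1440}
_UNIT_RE = re.compile(r"(\d+)\s+(year|week|day|hour|min)s?", re.IGNORECASE)

def parse_uptime(line):
    """Return (hostname, uptime in days) from one 'show version | grep up' line."""
    host, _, rest = line.partition(" up ")
    days = sum(int(n) * _UNIT_DAYS[u.lower()] for n, u in _UNIT_RE.findall(rest))
    return host.strip(), days

def classify(uptime_days, warn_days=7):
    """'likely-hung' at or past 213 days, 'reboot-now' within warn_days of it."""
    if uptime_days >= HANG_DAYS:
        return "likely-hung"
    if uptime_days >= HANG_DAYS - warn_days:
        return "reboot-now"
    return "ok"

def triage(lines, warn_days=7):
    """Map each device in the uptime lines to the action it needs."""
    return {h: classify(d, warn_days) for h, d in map(parse_uptime, lines)}

def punt_rate_limit_drops(asp_drop_output):
    """Counter for the 'punt rate limit exceeded' reason in 'show asp drop'
    output, or 0 if absent; a climbing value on an affected release with
    long uptime is the symptom the field notice describes."""
    m = re.search(r"punt rate limit exceeded.*?(\d+)\s*$",
                  asp_drop_output, re.IGNORECASE | re.MULTILINE)
    return int(m.group(1)) if m else 0
```

Run triage() over the uptime lines collected from each firewall and schedule the "reboot-now" units first, standby before primary in a failover pair.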

Cisco Support

Cisco is always transparent and committed to supporting customers when there is potential for an urgent issue in one of our products. We work hard to avoid issues with our technology, but in the event that something arises, we ensure that our customers have the information they need to keep their network running smoothly. If you require further assistance, or if you have any further questions regarding this issue, please contact the Cisco Technical Assistance Center (TAC) at any of the methods listed on the Cisco Support page:
http://cisco.com/go/tac



Authors

Omar Santos

Distinguished Engineer

Cisco Product Security Incident Response Team (PSIRT) Security Research and Operations