On March 29, Cisco became aware of several customer outages involving different releases and models of Cisco ASA and Cisco Firepower Threat Defense (FTD) appliances. Cisco has published a Field Notice urging customers who are running specific software releases to reboot their devices to prevent the device from hanging and ceasing to pass traffic.
The issue is documented in Cisco Bug ID CSCvd78303.
Cisco ASA and Cisco FTD devices are affected by a functional software defect that causes the device to stop passing traffic after 213 days of uptime. The affected software versions are listed in the Field Notice.
The issue is due to a software regression bug introduced when addressing Cisco bug ID CSCva03607. The current issue impact is limited to device operability and it is not a vulnerability, nor is there continued exposure to the vulnerability that was already addressed. This issue cannot be triggered by a threat actor.
Updated software versions that address this issue will be published in the coming weeks. Cisco is proactively notifying customers of available workarounds that mitigate this issue.
To mitigate the risk and impact of a device that stops passing traffic, Cisco urges customers to proactively reboot their Cisco ASA or FTD devices that are running affected versions; fixed software should be available for those rebooted devices before they reach the 213-day uptime threshold again.
To display the device uptime, use the show version | grep up command, as shown below:

omar-asa(config)# show version | grep up
Config file at boot was "startup-config"
omar-asa up 14 days 19 hours
omar-asa(config)#
You can also use the show asp drop command over a console connection to determine why packets are being dropped. In this case the show asp drop command will indicate the drop reason as "punt rate limit exceeded", as shown below:

...output omitted for brevity...
Phase: 3
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7ffffff12345, priority=0, domain=punt, deny=false
    hits=976969, user_data=0x123458212260, cs_id=0x0, l3_type=0x608
    src mac=0000.0000.0000, mask=0000.0000.0000
    dst mac=0000.0000.0000, mask=0000.0000.0000
    input_ifc=outside, output_ifc=any

Result:
Action: drop
Drop-reason: (punt-rate-limit) Punt rate limit exceeded
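The two checks above (uptime from show version | grep up, and the punt-rate-limit drop reason from show asp drop) are easy to automate across a fleet of firewalls. The following script is an added example, not code from Cisco or from the original post: it parses captured output of both commands, converts the uptime line into days, reports how far a device is from the 213-day threshold named in the Field Notice, and flags output that already shows the punt-rate-limit drop reason. The sample command output embedded below is constructed to mirror the page's session; the unit table (treating a "year" as 365 days, and accepting "min"/"mins") and the 14-day warning window are assumptions for illustration.

```python
import re

# Uptime at which affected releases stop passing traffic, per the Field Notice.
UPTIME_LIMIT_DAYS = 213

# Constructed sample output, modelled on the page's "show version | grep up" session.
SAMPLE_SHOW_VERSION = """Config file at boot was "startup-config"
omar-asa up 14 days 19 hours
"""

# Constructed sample tail of "show asp drop" output showing the drop reason from the page.
SAMPLE_ASP_DROP = """Result:
Action: drop
Drop-reason: (punt-rate-limit) Punt rate limit exceeded
"""

# Assumed conversion of the units ASA prints in its uptime string to days.
_UNIT_DAYS = {
    "year": 365.0, "years": 365.0,
    "day": 1.0, "days": 1.0,
    "hour": 1.0 / 24, "hours": 1.0 / 24,
    "min": 1.0 / 1440, "mins": 1.0 / 1440,
}


def parse_uptime_days(show_version_output):
    """Return the uptime in days from the '<hostname> up ...' line, or None if absent."""
    for line in show_version_output.splitlines():
        match = re.match(r"^\S+ up (.+)$", line.strip())
        if not match:
            continue
        total_days = 0.0
        for value, unit in re.findall(r"(\d+)\s+([A-Za-z]+)", match.group(1)):
            if unit not in _UNIT_DAYS:
                raise ValueError("unrecognised uptime unit: %s" % unit)
            total_days += int(value) * _UNIT_DAYS[unit]
        return total_days
    return None


def days_until_limit(uptime_days, limit_days=UPTIME_LIMIT_DAYS):
    """Days remaining before the device reaches the problematic uptime (negative if past it)."""
    return limit_days - uptime_days


def uptime_status(uptime_days, warn_days=14, limit_days=UPTIME_LIMIT_DAYS):
    """Classify a device: 'ok', 'reboot-soon' (inside the warning window), or 'over-limit'."""
    remaining = days_until_limit(uptime_days, limit_days)
    if remaining <= 0:
        return "over-limit"
    if remaining <= warn_days:
        return "reboot-soon"
    return "ok"


def shows_punt_rate_limit_drops(asp_drop_output):
    """True if the captured 'show asp drop' output carries the punt-rate-limit drop reason."""
    return re.search(r"Drop-reason:\s*\(punt-rate-limit\)", asp_drop_output) is not None


def assess_device(show_version_output, asp_drop_output):
    """Combine both checks into one summary dict for a single device."""
    uptime = parse_uptime_days(show_version_output)
    return {
        "uptime_days": uptime,
        "status": "unknown" if uptime is None else uptime_status(uptime),
        "punt_rate_limit_drops": shows_punt_rate_limit_drops(asp_drop_output),
    }


if __name__ == "__main__":
    report = assess_device(SAMPLE_SHOW_VERSION, SAMPLE_ASP_DROP)
    print("uptime: %.1f days, status: %s, punt-rate-limit drops seen: %s" % (
        report["uptime_days"], report["status"], report["punt_rate_limit_drops"]))
```

Feed the script the saved output of both commands for each firewall (for example collected over an SSH session by whatever automation you already use) and schedule reboots for any device whose status is reboot-soon; for a failover pair, reboot the standby unit first, as the post recommends.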
If you have deployed Cisco ASAs in failover mode, you can first perform the reboot on the standby unit, and then reboot the primary, in order to minimize downtime.
Similarly, you can refer to the “Perform Zero-Downtime Upgrades for Failover Pairs” section of the following document when ultimately upgrading the firewall:
Cisco is always transparent and committed to supporting customers when there is potential for an urgent issue in one of our products. We work hard to avoid issues with our technology, but in the event that something arises, we ensure that our customers have the information they need to keep their network running smoothly. If you require further assistance, or if you have any further questions regarding this issue, please contact the Cisco Technical Assistance Center (TAC) at any of the methods listed on the Cisco Support page: