
CSCvn82378 - Traffic through ASA/FTD might stop passing upon upgrading FMC to 6.2.3.8-51 - 2

Lukaszoo
Level 1

Ok, now that 6.2.3.9 is available as well as 6.3.0-84, is it more prudent to upgrade to either of those or backtrack to 6.2.3.7 or lower? Currently only 6.2.3.8 is on FMC. We have experienced the bug a few times now. Also adjusted the File policies for HTTP.

 

 Thank You All.


7 Replies

Mikis Zafeiroudis
Cisco Employee

Well, I would say it depends:

  • If I was in 6.2.3.7 and hit a defect that was fixed in 6.2.3.8/6.2.3.9 then I would upgrade to 6.2.3.9
  • If I was in 6.2.3.8 and was already affected by CSCvn82378 I would go to 6.2.3.9
  • If I needed a feature from 6.3.x then I would go to 6.3.x, but if possible after applying the general rule of thumb which recommends to wait for the 3rd patch of a new version before jumping into a new train code (in this case 6.3.3.x) unless it is absolutely necessary to upgrade immediately

We were in 6.2.3.8 and hitting the issues. I could not find where the bug was definitively fixed in 6.2.3.9, as the bug writeup stated no versions fixed the issue. I always like to lean forward, but not to the bleeding edge of a new train on production systems.
At the moment I backed down to 6.2.3.7 and reapplied to sensors running 6.2.3.6 each. (I hadn't upgraded them yet and I'm thankful I did not, as they were going to 6.2.3.8 sometime this week.)
Your logic is solid, I just wish I could get the commit that 6.2.3.9 is in fact the fix.
Thanks for helping - much appreciated.
Glen

Lukaszoo
Level 1

Now 6.2.3.9 is buggy? Is there a 6.2.3.10 being worked on for this, or a 6.3.1 possibly?

 

Which defect are you referring to?

Hey,

 

I thought I saw that 6.2.3.9 was included in the affected version list Tuesday afternoon; thus my curiosity. It is now the fixed version. On Tuesday, while running 6.2.3.8 on FMC, I saw traffic passing the firewall without the FMC configured rules being applied (even after redeploying). This was on one of our FW-ASAs. Others were not affected... When I backed down to 6.2.3.7 on FMC and re-applied to sensors running 6.2.3.6, all began working normally and has been since.

 No FW-ASA configuration was changed. A bit odd; thus my questioning 6.2.3.9... 

This may indeed be a separate issue, (and not related to the bug) but I need stability ASAP. 

 

Thanks for all your help and curious if anyone else is seeing any such weirdness.

What you saw on Tuesday (6.2.3.9 listed under the affected versions) was a glitch that was fixed after a few hours.
What is shown now is the correct info. 6.2.3.8 is affected by CSCvn82378, while 6.2.3.9 is not affected by CSCvn82378.

steeda
Level 1

This bug is present in 6.3 as well. With FMC 6.3.0-84 and FTD 6.3 running on a 4110, I hit it every 4 or 5 hours. Total blackhole. Luckily I had an SSH rule to hit the CLI of the FTD directly and reboot it. Only way to "fix" it. Since then I have disabled file policy and added Hotfix B to the FTD. Scared to put the file policy back.

 

It is INSANE how unstable this platform is.