
CSCvs40531 - AnyConnect 4.8 is not working on the FPR1000 series

jshojayi1
Level 1

"The bug is fixed in FTD 6.5.0.3." - It's worth mentioning that this patch was pulled from CCO. Please modify this to show that the patch was pulled, so no one goes looking for a patch that doesn't exist anymore, or let us know when patch 4 will be released, so that we can plan our updates accordingly. Either way, there's no fix for customers running 6.5 on the 1000 series Firepower firewalls who have Catalina running on Macs that need to use VPN. Downgrading to AnyConnect 4.7 is not an option. There are features, like URL categorization and others, that require 6.5, so downgrading to 6.4 is not an option. The only option in many cases is 6.5 with AnyConnect 4.8, and that means we need to know when a patch will be released.


Jens Galsgaard
Level 1

What do you mean pulled? Cisco_FTD_SSP_FP1K_Patch-6.5.0.3-30.sh.REL.tar is available on software.cisco.com.

That is an older hot fix, released January 3, 2020. It is not patch 3. Patch 3 was released February 3, 2020 and pulled February 4th, 2020.

Please see the release notes: https://www.cisco.com/c/en/us/td/docs/security/firepower/650/650x/relnotes/firepower-release-notes-650x.html

https://www.cisco.com/c/en/us/td/docs/security/firepower/650/650x/relnotes/firepower-release-notes-650x/resolved-issues.html

"Version 6.5.0.3 Resolved Issues

Version 6.5.0.3 for FMCs was removed from the Cisco Support & Download site on 2019-02-04. If you are running this version, it is safe to continue."

Are you confusing FMC with FTD?

6.5.0.3 hasn't been revoked for FTD, which is what the bug is about.

Actually it has been revoked. It's right there in the release notes. I supplied the link and the exact verbiage from the release notes stating that Cisco revoked it. Again, it looks like you're confusing a hot fix for the patch. The hot fix you referenced is not the patch.

Yes, I understand what FTD is. This makes my point even more. It doesn't make sense to leave the FTD 6.5 Patch 3 available, when the FMC can only be patched to Patch 2. The FMC must run the same or newer version of code and patch than the firewall. 

But if the FPR1010 was managed through, say, FDM, then it would make sense to leave the file available, right?

Yes, that would make sense. However, none of your other messages would make sense, because I posted the Cisco links to release notes and referenced the correct documentation, which included the FMC. It appears you didn't read any of the links or you wouldn't be mentioning FDM.

So back to my original post, it would be helpful for Cisco to respond and let us all know when Patch 3 will be released. 

For what it is worth, Cisco_Firepower_Mgmt_Center_Hotfix_B-6.5.0.3-3.sh.REL.tar is posted under 6.5.0.2 

However I still maintain that bug CSCvs40531 has nothing to do with FMC.

Cisco TAC has provided in writing that this patch is needed for the FMC. Yes, I have a TAC case opened on this, just like the other 73 people who have a TAC case opened on this. There's 74 total TAC cases open for this issue.

It's great to be a part of conversations and to help drive discussion towards resolutions, but let's stay focused on the facts provided by Cisco TAC and the Firepower BU.