Re: Cisco Firepower 1120 - CRYPTO: Random Number Generator error

kpep · ‎02-10-2020

Hi All

We have been having continuous issues with the Firepower 1120 firewalls at one of our sites.

Basically when we see the above error in the logs it takes anywhere from a few days to a few weeks before the anyconnect services fail - forcing us to reload the firewall. The TAC team advised us to upgrade the code levels which did not make a difference,

Sometimes this error appears 100K + times a day in the FTD log prior to requiring a reload . We have just opened a new case for this issue.

Browsing the cisco forums it appears this may be a hardware issue.

Just want to know if anyone else has experience this issue? And what did you do to get it resolved?

thaknownone · ‎03-18-2020

I also have this problem. Two customers are having issues with Anyconnect not working after around the two week mark. Just performing a failover will resolve the issue. I have a TAC case created and I am working with them on that. This bug has occurred on a 1010 and a 1120 on 6.4.0.6-6.4.0.8 code. I say bug because I have a strong feeling that it is a bug but I do not have a bug ID yet.

Chakshu Piplani · ‎04-06-2020

Hi,

This might be due to defect CSCvs91869.

Please check the defect, match the conditions and symptoms and let me know if they match.

Regards,

Chakshu

mgomez · ‎04-15-2020

@Chakshu Piplani I have a related problem however my AnyConnect clients are able to still establish a VPN connection.

I have an HA pair of 1140 FTDs and my issue I see is just a random failure of one of the HA pairs and a restart of that 1140.

I am getting the error CRYPTO: Random Number Generator error however I am also running AnyConnect 4.8 which is affected by bug CSCvs40531 and is not fixed until release 6.4.0.8 or 6.5.0.3 however both of those builds don't address this other bug CSCvs91869 as what you have pointed out.

I am being told that 6.6.0 will address both bugs CSCvs40531 and CSCvs91869 however CSCvs91869 is not listed as a resolved bug in the release notes.

Can you confirm?

thaknownone · ‎04-15-2020

Don't upgrade your 1140s to 6.4.0.8. There is another bug that prevents 4.8 Anyconnect clients from connecting to a 1000 series device. You will need to downgrade your firewalls or all clients to 4.7 Anyconnect. The bug CSCvs9189 is a brand new bug and I have been told it should be fixed it 6.4.0.9. There is a possibility they will release a hot fix as well since its critical. This bug affects the newly released 6.6 as well. So I would not rush to upgrade.

Chakshu Piplani · ‎04-15-2020

6.6 has ASA version as 9.14(1.1)

Source:

https://www.cisco.com/c/en/us/td/docs/security/firepower/compatibility/firepower-compatibility.html

According release notes of 9.14.1

https://www.cisco.com/c/en/us/td/docs/security/asa/asa914/release/notes/asarn914.html

Defect CSCvs91869 is fixed, the name is different but the ID is same.

You can ignore that, as the bug was recently modified.

So in short CSCvs91869 is fixed in 6.6

HTH

Chakshu

thaknownone · ‎04-15-2020

I reviewed the email I received from TAC and you are correct. I misread it the first time. 6.6 does have the fix so you could upgrade to that if you wanted.

ryan14 · ‎04-21-2020

Hi, did you get a resolution from Cisco on this?

mgomez · ‎05-10-2020

The fix I received from Cisco to resolve the bug for this particular thread while maintaining use of AnyConnect 4.8 is to upgrade to 6.6.0.

gyanendrasingh · ‎04-23-2020

I too have the same issue but my hardware is ASA-5585-X.

As per TAC "FTD has a lina engine so most of the defects that apply to the lina engine(ASA) would apply to the FTD" so the same bug-id would be applicable in this case as well.

I have asked TAC to link my ASA's software code 9.6(4)34 to this bug-id, but they suggested to subscribe to the bug notification instead.