03-31-2017 10:38 AM - edited 03-12-2019 02:09 AM
Most of the current ASA/Firepower firmwares have a bug where they stop processing ARP packets after 213 days of uptime. Bit me Wednesday, ouch! The workaround is to schedule a reload before that happens. No security implications.
Field notice:
http://www.cisco.com/c/en/us/support/docs/field-notices/642/fn64291.html
Bug:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvd78303
-- Jim Leinweber, State Lab of Hygiene
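As an added example (not from Jim's post, the field notice or Cisco), here is a small Python check that parses ASA `show version` uptime lines and flags which units need a reload scheduled before the 213-day mark. The hostnames and the exact "up N days M hours" line layout are constructed assumptions about the CLI output.

```python
import re

# Threshold from the field notice: ARP processing stops after 213 days of uptime.
ARP_BUG_UPTIME_DAYS = 213

# Constructed sample "show version" uptime lines from several ASAs.
# The "<hostname> up N days M hours" layout is an assumption about the CLI,
# not output copied from the original thread.
SAMPLE_UPTIME_LINES = """\
fw-edge-1 up 200 days 3 hours
fw-edge-2 up 5 days 12 hours
fw-dmz-1 up 214 days 1 hour
fw-lab-1 up 17 hours 42 mins
"""

UPTIME_RE = re.compile(
    r"^(?P<host>\S+) up "
    r"(?:(?P<days>\d+) days?)?\s*"
    r"(?:(?P<hours>\d+) hours?)?\s*"
    r"(?:(?P<mins>\d+) mins?)?\s*$"
)

def parse_uptime_days(line):
    """Return (hostname, uptime in fractional days), or None if the line does not match."""
    m = UPTIME_RE.match(line.strip())
    if not m or not (m.group("days") or m.group("hours") or m.group("mins")):
        return None
    days = int(m.group("days") or 0)
    hours = int(m.group("hours") or 0)
    mins = int(m.group("mins") or 0)
    return m.group("host"), days + hours / 24 + mins / 1440

def days_until_arp_bug(uptime_days):
    """Headroom in days before the 213-day mark (negative means already past it)."""
    return ARP_BUG_UPTIME_DAYS - uptime_days

def classify(lines, warn_days=14):
    """Bucket hosts as 'past', 'reload_soon' or 'ok' for reload scheduling."""
    result = {"past": [], "reload_soon": [], "ok": []}
    for line in lines.splitlines():
        parsed = parse_uptime_days(line)
        if parsed is None:
            continue  # skip lines that are not uptime lines
        host, up = parsed
        remaining = days_until_arp_bug(up)
        bucket = "past" if remaining <= 0 else "reload_soon" if remaining <= warn_days else "ok"
        result[bucket].append(host)
    return result

if __name__ == "__main__":
    for bucket, hosts in classify(SAMPLE_UPTIME_LINES).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```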
03-31-2017 08:29 PM
Yes I saw that as well.
Note that all of the affected versions were released sometime after September 2016. If you are running older code, the bug does not affect you.
Cisco is building interim releases to patch the bug. They are identified on the BugID page. They have not been released just yet as they need to go through final QC and then get deployed to the CDN prior to showing up on the downloads area.
Here is the current list of patched interim releases to watch for (as of ca. midnight 31 March 2016):
05-23-2017 06:29 AM
What was the behavior at the time it happened?
Did you have dhcprelay or a DHCP server running on the ASA? Did you have any routable subnets on the ASA? Did those work? Did you have two ASAs in active/passive?
05-23-2017 09:00 AM
In my case I had two standalone ASA 5525-X devices, both with dhcprelay but not dhcp server, both in routed mode. The failure behavior was quite consistent with the Cisco bug report that ARP processing was broken after 213 days uptime, and I was running one of the affected releases. Ping to the on-link LAN firewall address started failing, packets stopped flowing between directly attached subnets, etc.
-- Jim Leinweber