Re: CSCwa08262 also affect FTD

mathieu.morier · ‎12-20-2021

This bug is also present in FTD 6.6.5.1 and 7.0.1 as of December 2021

But 6.7.0 to 6.7.0.2 don't have this bug.

So on FTD if you use Radius to map group policy, stay on 6.6.4 or go to 6.7.0.2

Had this problem on FTD after upgrading 6.6.4 to 6.6.5.1 ( Ticket # 692751355 ) and tested 7.0.1 with a FTD virtual machine.

Up to now 6.7.0.2 are ok and map correctly the group policy !

Grant-Security/Network Analyst · ‎01-04-2022

I was told to upgrade to 6.7, this is not an option since we still have two ASA's with FirePower. Cisco needs to release a patch for the problem they broke.

Hulta · ‎01-05-2022

Group mapping worked for me on version 6.6.5 but stopped working when applying patch 6.6.5.1

mathieu.morier · ‎04-05-2022

Look like 6.6.5.2 correct the issue and is avail since March 24 2022, but can't confirm if any 7.x version have a patch for this bug ( CSCwa08262 )

tvotna · ‎05-23-2022

This bug was fixed in ASA 9.16.2.10 and it appears that FTD 7.0.2 is needed, because it's bundled with higher version:
https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/compatibility/threat-defense-compatibility.html#id_67425

This doc confirms:

https://www.cisco.com/c/en/us/td/docs/security/firepower/70/relnotes/firepower-release-notes-700/bugs.html?dtid=osscdc000283#Cisco_Reference.dita_bb2b4dac-c7d8-4a43-b188-041e3aa2f6df

HTH

m.yost · ‎05-23-2022

I'm having eerily similar issues with my FTD 1140 running 7.0.1.1 code. The bug says that the output of the "show vpnsession-db anyconnect" command will show the correct mapped Group Policy however in my situation it shows the Default Group Policy. My problem is also intermittent. We had the issue about 2 weeks ago where users were being placed into the Default Group Policy even though we confirmed the RADIUS server was sending the correct Class attribute value then all the sudden it resolved itself only to come back today which is when I found this bug. I just don't know if this is the bug I am experiencing because the symptom output doesn't match 100%. I opened a TAC case to confirm.