
Cisco PIX 500 Series Security Appliances

Field Notice: Cisco Secure PIX Firewall: PIX-515 Ethernet Controller Issue


Updated May 3, 2002

December 31, 1999



Products Affected

Product           Comments
----------------  ------------------------------------------------------------------------
PIX-515           Serial number ranges described below in "How To Identify Hardware Levels"
PIX-515-R-BUN     Serial number ranges described below in "How To Identify Hardware Levels"
PIX-515-UR-BUN    Serial number ranges described below in "How To Identify Hardware Levels"
PIX-515-FO-BUN    Serial number ranges described below in "How To Identify Hardware Levels"
PIX-515-DC        Serial number ranges described below in "How To Identify Hardware Levels"

Problem Description

Under moderate to heavy network load conditions (when traffic exceeds 20 to 30 Mbit/s), the onboard ethernet0 interface of an affected PIX 515 may intermittently stop transmitting packets that it receives. As a side effect, system memory may eventually be exhausted, which in turn may cause a crash or failover (depending on the configuration). After such a crash, the unit may occasionally hang during the subsequent automatic reboot.

Other interfaces are not affected.

Background

A hardware defect in the initial PIX 515 units creates the potential for traffic to fail through the on-board ethernet0 interface (the default outside interface). While the condition is in no way hazardous, it can cause the ethernet0 interface to stop transmitting packets until reset by the PIX software (see the Workaround section of this Field Notice for further details).

At no point during this condition is the PIX more vulnerable to any form of compromise than if the condition did not exist. All security policies implemented by the PIX Firewall continue to be applied throughout this condition.

Problem Symptoms

To verify existence of the problem, use the show interface e0 command repeatedly. The packet counts (the "packets input" and "packets output" lines) will not increment between successive outputs of the command:

pix#show interface e0
interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 0050.54fe.f8e4
  IP address 192.168.10.10, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 100000 Kbit full duplex
        369836379 packets input, 3638117586 bytes, 6304 no buffer
        Received 109786 broadcasts, 0 runts, 0 giants
        4 input errors, 0 CRC, 0 frame, 4 overrun, 0 ignored, 0 abort
        309409498 packets output, 1353799512 bytes, 0 underruns

pix#show interface e0
interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 0050.54fe.f8e4
  IP address 192.168.10.10, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 100000 Kbit full duplex
        369836379 packets input, 3638117586 bytes, 6304 no buffer
        Received 109786 broadcasts, 0 runts, 0 giants
        4 input errors, 0 CRC, 0 frame, 4 overrun, 0 ignored, 0 abort
        309409498 packets output, 1353799512 bytes, 0 underruns

pix#show interface e0
interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 0050.54fe.f8e4
  IP address 192.168.10.10, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 100000 Kbit full duplex
        369836379 packets input, 3638117586 bytes, 6304 no buffer
        Received 109786 broadcasts, 0 runts, 0 giants
        4 input errors, 0 CRC, 0 frame, 4 overrun, 0 ignored, 0 abort
        309409498 packets output, 1353799512 bytes, 0 underruns

Workaround/Solution

Workaround

This condition may be alleviated by upgrading your PIX Firewall software to one of the following versions:

  • If you are running software version 4.4(1) or 4.4(2), upgrade to version 4.4(3) or higher. Currently version 4.4(7) is recommended and available on CCO to customers with support contracts.

  • If you are running software version 5.0(1) or 5.0(2), upgrade to version 5.0(3) or higher. Currently versions 5.1(4) and 5.2(4) are recommended and available on CCO to customers with support contracts.

Contact the Cisco Technical Assistance Center (TAC) for further information or if you do not have a support contract and wish to upgrade to one of these revisions. Mention this Field Notice as proof of entitlement to the software upgrade.

Once the upgraded software is installed, it will detect the Ethernet interface problem as it occurs and reset it to a normal state after packets to be transmitted are queued for more than three seconds. There should be minimal difference in performance noted by end users or the PIX Firewall administrator. However, heavy network load conditions may cause the interfaces to stop transmitting packets despite the software upgrades.

The show interface e0 command will reflect any interface resets as follows (see the "interface resets" counter on the output errors line):

pix# show interface e0
interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 0050.54fe.f8e4
  IP address 192.168.10.10, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 100000 Kbit full duplex
        1184342 packets input, 1222298001 bytes, 0 no buffer
        Received 26 broadcasts, 27 runts, 0 giants
        4 input errors, 0 CRC, 4 frame, 0 overrun, 0 ignored, 0 abort
        1310091 packets output, 547097270 bytes, 0 underruns
        0 output errors, 28075 collisions, 2 interface resets
        0 babbles, 0 late collisions, 117573 deferred
        0 lost carrier, 0 no carrier

Interface resets may occur under normal traffic conditions. However, if there are more than twenty resets over a 24-hour period then it is probable that the unit in question is affected by the hardware defect and should be replaced under the upgrade program described below.
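As an added example (not part of this Field Notice and not Cisco tooling), the following Python parses captured show interface e0 output and applies both checks the notice describes: the stalled packet counters from "Problem Symptoms" and the more-than-twenty-resets-in-24-hours rule above. The capture embedded in it is constructed in the notice's output format, and the function and field names are this example's own.

```python
import re

# Counter lines of the PIX "show interface e0" output quoted in this notice.
_RX = {
    "input": re.compile(r"(\d+) packets input"),
    "output": re.compile(r"(\d+) packets output"),
    "resets": re.compile(r"(\d+) interface resets"),
}
# Constructed capture in the notice's format (not taken from a real unit).
SAMPLE_CAPTURE = """        1184342 packets input, 1222298001 bytes, 0 no buffer
        1310091 packets output, 547097270 bytes, 0 underruns
        0 output errors, 28075 collisions, 2 interface resets
"""


def parse_counters(show_output):
    # Older images print no "interface resets" line; that counter defaults to 0.
    counters = {}
    for key, rx in _RX.items():
        m = rx.search(show_output)
        if m is None and key != "resets":
            raise ValueError("no '%s' packet counter in output" % key)
        counters[key] = int(m.group(1)) if m else 0
    return counters


def tx_stalled(samples):
    # Problem Symptoms: packet counters do not move between captures.
    return len(samples) > 1 and all(
        s["input"] == samples[0]["input"]
        and s["output"] == samples[0]["output"] for s in samples[1:])


def resets_in_window(timed_samples, window_s=24 * 3600):
    # timed_samples: chronological [(epoch_seconds, counters), ...]. The reset
    # counter is cumulative since boot, so the newest sample at least window_s
    # old is the baseline; clamp at 0 in case a reboot zeroed the counter.
    newest_t, newest = timed_samples[-1]
    baseline = timed_samples[0][1]["resets"]
    for t, c in timed_samples:
        if newest_t - t < window_s:
            break
        baseline = c["resets"]
    return max(0, newest["resets"] - baseline)


def probable_hardware_defect(timed_samples, threshold=20):
    # Notice's rule of thumb: more than twenty resets over a 24-hour period.
    return resets_in_window(timed_samples) > threshold
```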

Solution

If you have a unit with a serial number in the affected range which is experiencing the symptoms outlined in this Field Notice, contact the Technical Assistance Center (TAC) to request a return materials authorization (RMA) to replace the unit.

Notes

PIX 515 units dispatched from service depots to fulfill RMA replacements prior to September 2000 may be affected by this fault. From September 2000 forward all units in the service depots have been reworked. PIX 515 units dispatched from service depots after September 2000 will not exhibit this fault, even if their serial number falls within the affected range.

When you request a new PIX 515 through the upgrade program it is shipped with a default software image. Other software version images are available on CCO to customers with support contracts.

The upgrade units do not contain 3DES VPN feature activation keys.

Contact the TAC for further information, if you require a 3DES VPN feature activation key, or if you do not have a support contract and wish to upgrade to a different revision or obtain a DES VPN feature activation key. Please have your previous unit's serial number at hand to speed the entitlement verification for the 3DES VPN feature activation key.

DDTS

To follow the bug ID link below and see detailed bug information, you must be a registered user and you must be logged in.

DDTS          Description
------------  ----------------------------------------------
CSCdp32325    PIX runs out of buffers, then all stop
CSCds19881    Ver 4.4(5) crash and Ver 5.1(2) hangs PIX-515
CSCdp67668    System hang on stress test during crash dump

How To Identify Hardware Levels

Only units manufactured in 1999 and early 2000 are affected. They may be identified by their serial numbers:

Year Manufactured   Serial Numbers                   Affected?
------------------  -------------------------------  ---------
1999                44403010000 through 44403529999  Yes
2000 (early)        44404010000 through 44404169999  Yes
2000 (early)        44480010000 through 44480169999  Yes
2000 (later)        44404170000 through 44404529999  No
2000 (later)        44480170000 through 44480529999  No
2001                444050000 and later              No
2001                444810000 and later              No

PIX 515 units dispatched from service depots after September 2000 will not exhibit this fault, even if their serial number falls within the affected range.

PIX Firewall Serial Numbers

PIX 525 serial numbers as reported by the show version command have their first two characters truncated. For example, if the PIX chassis serial number is 44480521234 it will be reported by show version as 480521234. The first two characters cut off are always 44.
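As an added example (again not from the notice and not Cisco tooling), the following Python encodes the affected serial ranges from the "How To Identify Hardware Levels" table, restores the leading "44" that the show version note above says is truncated, and folds in the depot-rework caveat from the Notes section. The depot_shipped_after_sep_2000 flag and the function names are this example's own assumptions.

```python
# Affected PIX 515 serial ranges from "How To Identify Hardware Levels"
# (inclusive); the table's "No" rows are deliberately omitted.
AFFECTED_RANGES = (
    (44403010000, 44403529999),   # 1999
    (44404010000, 44404169999),   # 2000 (early)
    (44480010000, 44480169999),   # 2000 (early)
)


def normalize_serial(serial):
    # Per the notice, show version drops the leading "44" of the 11-digit
    # chassis serial (44480521234 is shown as 480521234), so a 9-digit value
    # is restored before comparison.
    s = str(serial).strip()
    if not s.isdigit():
        raise ValueError("serial number must be numeric: %r" % serial)
    if len(s) == 9:
        s = "44" + s
    if len(s) != 11:
        raise ValueError("expected 9 (show version) or 11 (chassis) digits: %r" % serial)
    return int(s)


def serial_in_affected_range(serial):
    n = normalize_serial(serial)
    return any(lo <= n <= hi for lo, hi in AFFECTED_RANGES)


def assess_unit(serial, depot_shipped_after_sep_2000=False):
    # Notes section: depot RMA units shipped from September 2000 on were
    # reworked and do not exhibit the fault even when the serial is in range.
    if not serial_in_affected_range(serial):
        return "not in affected range"
    if depot_shipped_after_sep_2000:
        return "in affected range but reworked (depot shipment after Sep 2000)"
    return "in affected range: monitor interface resets; RMA via TAC if symptomatic"
```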

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods: