Cisco PIX 500 Series Security Appliances

Field Notice: Cisco Secure PIX Firewall: PIX-525 Ethernet EEPROM Programming Issue


Updated October 16, 2002

December 20, 2000



Products Affected

PIX-525

Serial Numbers

Initial units, serial numbers 44480380055 through 44480480044.

Problem Description

When the embedded Ethernet interfaces on an affected PIX-525 (ethernet0 and ethernet1) are set to full-duplex, interface errors occur and throughput is limited. When the interfaces are set to half-duplex, they function normally without error.

The command statement interface ethernet0 100full (100 Mbps full-duplex) results in increased interface error statistics, whereas the command interface ethernet0 100basetx (100 Mbps half-duplex) does not. Setting the interface to auto-sense with interface ethernet0 auto may also result in errors if the link negotiates to full-duplex with the neighboring device.

Expansion card interfaces are not affected. These errors do not affect the security of the firewall or network in any way.

Background

Due to a procedural error in manufacturing, a specific Ethernet EEPROM's contents were erased. This resulted in an unstable state in the embedded Ethernet controllers when they are set to full-duplex mode.

There are no design or hardware defects in the affected units. Programming the EEPROM's contents back to the appropriate state completely and permanently resolves the problem.

Problem Symptoms

Interface errors are seen whether the counters are monitored on the PIX-525 itself or on the neighboring device connected to the affected interface.

PIX

The PIX-525 shows collisions and other interface errors on an interface that reports full duplex (note the collisions, late collisions, deferred and lost carrier counters in the output below):

pix-01# show interface ethernet1
     interface ethernet1 "inside" is up, line protocol is up
       Hardware is i82559 ethernet, address is 0002.b834.a75c
       IP address 192.168.0.1, subnet mask 255.255.255.0
       MTU 1500 bytes, BW 100000 Kbit full duplex
             10199 packets input, 14152777 bytes, 0 no buffer
             Received 38 broadcasts, 0 runts, 0 giants
             0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
             10132 packets output, 14153193 bytes, 0 underruns
             0 output errors, 21 collisions, 0 interface resets
             0 babbles, 18 late collisions, 4 deferred
             1 lost carrier, 0 no carrier

Neighboring Device, Such as Catalyst 2948

The following example shows the corresponding errors on the neighboring device, here from the command line of a Cisco Catalyst 2948 (note the FCS-Err, Xmit-Err, Rcv-Err and Carri-Sen counters for the port, which also reports full duplex):

C2948-01> (enable) show port 2/2
     Port  Name               Status     Vlan       Level  Duplex Speed Type
     ----- ------------------ ---------- ---------- ------ ------ -----------------
      2/2                     connected  1          normal   full   100 10/100BaseTX


     C2948-01> (enable) show port count 2/2
     Port  Align-Err  FCS-Err    Xmit-Err   Rcv-Err    UnderSize
     ----- ---------- ---------- ---------- ---------- ---------
      2/2           -         20          1         21         0
     Port  Single-Col Multi-Coll Late-Coll  Excess-Col Carri-Sen Runts Giants
     ----- ---------- ---------- ---------- ---------- --------- --------- ---------
      2/2           0          0          0          0         1 1         0
     Last-Time-Cleared
     --------------------------
     Tue Nov 21 2000, 08:17:15

Workaround/Solution

Workaround

There are two possible workarounds:

  • Use expansion card interfaces instead of the embedded interfaces.

  • Configure the embedded interfaces to a half-duplex "hardware_speed" setting. See "interface" in the Command Reference document for details.

Solution

The Ethernet EEPROM may be reprogrammed by two means.

  • The "eedisk" utility is available in the PIX Firewall FTP directory. Use passive FTP to connect to ftp.cisco.com using your registered CCO account and then browse to the /cisco/ciscosecure/pix/sepcial/ directory. You cannot use anonymous FTP to access this file. You may need to specify the full path of the file (/cisco/ciscosecure/pix/special/eedisk.bin) in order to download it. Boot the PIX into the ROM monitor mode (registered customers only) (see "Using the monitor Command") and then TFTP the "eedisk" utility to the flash. Once the transfer is complete, the utility asks if you wish to reprogram the onboard Ethernet devices. Answer yes. Once the utility is finished reprogramming the EEPROM, it is necessary to reboot the PIX.

  • The eeprom update command performs the same function as the eedisk utility without requiring access to ROM monitor mode. The show eeprom command indicates whether or not the Ethernet EEPROM is correctly programmed. A reboot is necessary if the onboard Ethernet devices are reprogrammed. The eeprom commands exist in PIX Firewall versions 5.3(1) and later, which are available on Cisco.com (registered customers only). The commands are fully documented in the PIX Firewall Version 6.0 Command Reference (registered customers only).

Note: You must have a service contract and be a registered user of Cisco.com to access this software online. Customers without both of these should contact the Technical Assistance Center (TAC) as outlined at the bottom of this notice to obtain the utility and software upgrade.

PIX Firewall Serial Numbers

PIX 525 serial numbers as reported by the show version command have their first two characters truncated. For example, if the PIX chassis serial number is 44480521234 it will be reported by show version as 480521234. The first two characters cut off are always 44.
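The two checks a practitioner would want from this notice, as an added example that is not part of the original notice or of any Cisco tooling: restoring the leading "44" that show version drops before comparing a chassis serial against the affected range above, and scanning show interface output for interfaces that report full duplex yet count collisions (the symptom in the Problem Symptoms section). The sample output is constructed, abridged from the show interface ethernet1 output shown earlier; the function and constant names are this example's own.

```python
import re

# Affected chassis serial range from the notice (full 11-digit form).
AFFECTED_FIRST = 44480380055
AFFECTED_LAST = 44480480044

def full_serial(reported: str) -> int:
    """'show version' on a PIX 525 drops the leading '44'; restore it for 9-digit values."""
    s = reported.strip()
    if not s.isdigit() or len(s) not in (9, 11):
        raise ValueError(f"unexpected serial format: {reported!r}")
    return int("44" + s) if len(s) == 9 else int(s)

def is_affected_serial(reported: str) -> bool:
    """True when the chassis falls inside the range listed in the notice."""
    return AFFECTED_FIRST <= full_serial(reported) <= AFFECTED_LAST

# Header line of each interface block in 'show interface' output.
_INTF = re.compile(r'^\s*interface (ethernet\d+) .* is (?:up|down)', re.M)

def collisions_on_full_duplex(show_interface: str) -> dict:
    """Return {ifname: (collisions, late_collisions)} for interfaces that report
    full duplex yet count collisions; a healthy full-duplex link never does."""
    findings = {}
    heads = list(_INTF.finditer(show_interface))
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(show_interface)
        block = show_interface[m.start():end]
        if 'full duplex' not in block:
            continue
        coll = re.search(r'(\d+) collisions\b', block)        # plain collisions counter
        late = re.search(r'(\d+) late collisions', block)     # late collisions counter
        c = int(coll.group(1)) if coll else 0
        lc = int(late.group(1)) if late else 0
        if c or lc:
            findings[m.group(1)] = (c, lc)
    return findings

# Constructed sample, abridged from the 'show interface ethernet1' output in the notice.
SAMPLE = """\
interface ethernet1 "inside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 0002.b834.a75c
  MTU 1500 bytes, BW 100000 Kbit full duplex
        0 output errors, 21 collisions, 0 interface resets
        0 babbles, 18 late collisions, 4 deferred
"""

if __name__ == "__main__":
    print(is_affected_serial("480521234"), collisions_on_full_duplex(SAMPLE))
```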

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods: