
Cisco PIX 500 Series Security Appliances

Field Notice: PIX 515 NMI Exception Crash


Updated May 3, 2002

October 18, 2001



Products Affected

Product       Comments
PIX-515       PIX 515 Firewall (including all bundles)
PIX-515-DC    PIX 515 DC Firewall (including all bundles)

Serial Numbers

Sequential numbers:

  • From 44403010000 To 44403529999

  • From 44404010000 To 44404529999

  • From 44405010000 To 44405399999

  • From 44480010000 To 44480529999

  • From 44481010000 To 44481399999

Problem Description

Some PIX 515 systems are subject to crashing due to a Non-Maskable Interrupt (NMI) exception error. The NMI is brought on by very specific network traffic conditions, and this failure has been seen in less than one percent of the systems produced prior to October 2, 2001. PIX 515 systems which have not yet experienced the symptoms described below will in all likelihood never experience this problem.

This failure occurs regardless of the PIX OS version installed.

Background

It is unknown what particular traffic conditions generate an NMI exception error; however, the PIX 515 has been redesigned to recover from such errors without a crash.

Problem Symptoms

The PIX 515 crashes, with the text "vector 0x00000002" appearing in the traceback logged to the console port. The system may or may not reboot and come back into operation on its own after the crash.

Sample console output:

Traceback:
0: 80001efb
1: 00000000
vector 0x00000002
    edi 0x00000000
    esi 0x00000000
    ebp 0x807707b4

Note: Crashes which result in tracebacks without the text "vector 0x00000002" are not due to NMI exceptions and will not be resolved by hardware replacement.

Workaround/Solution

The solution is to replace the failed hardware.

PIX 515 systems manufactured as of October 2nd, 2001 are free of this problem. A global purge of the service depot stock has been completed as of October 26th, 2001 and standard PIX 515 RMAs are also now free of this problem.

Customers who wish to replace one or more of their systems which are failing due to the problem described in this field notice should contact the Technical Assistance Center by following the instructions at the end of this notice and request a standard RMA.

DDTS

To follow the bug ID link below and see detailed bug information, you must be a registered user and you must be logged in.

DDTS: CSCds25307 (registered customers only)
Description: NMI (vector 0x0000002 in traceback) during large file transfer.

How To Identify Hardware Levels

The presence of a version tracking label on the underside or backside of the PIX 515 chassis with version "800-05622-02 A0" or later indicates that this system contains the NMI exception handling correction. This label is placed on newly manufactured systems as well as those reworked by Service to contain the correction, so this indication holds true even for systems with serial numbers in the affected range.

Note: Some systems reworked by Service to contain the correction are labeled "800-05626-03 A0".

PIX 515 Version Tracking Label


Related Field Notices

Field Notice: PIX 515 and 506 Hang
Problem Summary: Some PIX 515 systems will hang and become unresponsive, typically triggered by higher traffic throughput levels. PIX 506 systems may also be affected, however they are rarely used in environments where traffic throughput levels will reach the levels necessary to induce the hang.

Field Notice: Incorrect PIX-1FE Fast Ethernet Interface Card
Problem Summary: Between 7/30/2001 and 8/9/2001 some PIX-1FE cards shipped from Cisco contained the i82550 Ethernet controller chip. This chip is not supported by the PIX operating system and these cards may not function properly when installed in PIX firewalls.

Field Notice: PIX-515 Ethernet Controller Issue
Problem Summary: Under moderate to heavy network load conditions (when traffic exceeds 20 to 30 mbit/second), the onboard ethernet0 interface of an affected PIX 515 may intermittently stop transmitting packets that it receives. As a side effect it is possible that the system memory will eventually be exhausted, which in turn may cause a crash or failover (depending on the configuration). After such a crash, the unit may occasionally hang during the subsequent automatic reboot.

Field Notice: PIX-515 Defective AC Power Supply
Problem Summary: The power supply in an affected AC PIX-515 may short out if the unit is turned on its side during operation.

Field Notice: PIX Firewall Serial Numbers
Problem Summary: PIX 525 serial numbers as reported by the show version command have their first two characters truncated. For example, if the PIX chassis serial number is 44480521234 it will be reported by show version as 480521234. The first two characters cut off are always 44.
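
The checks this notice describes (affected serial ranges, the "vector 0x00000002" traceback marker, and the version tracking label) can be combined into a fleet triage script. The following is an added example, not Cisco code: the function names, result strings and has_fix_label input are hypothetical, the sample console text is constructed, and treating a 9-digit serial as a show version value with the leading "44" removed is an assumption.

```python
import re

# Affected chassis serial ranges, copied from the notice's "Serial Numbers" list.
AFFECTED_RANGES = [
    (44403010000, 44403529999),
    (44404010000, 44404529999),
    (44405010000, 44405399999),
    (44480010000, 44480529999),
    (44481010000, 44481399999),
]
NMI_VECTOR = re.compile(r"\bvector 0x00000002\b")

def normalize_serial(raw):
    """Return the 11-digit chassis serial as an int, or None if unusable.

    Assumption: a 9-digit value was read from 'show version', which drops
    the leading '44' as described under "PIX Firewall Serial Numbers".
    """
    digits = raw.strip()
    if not digits.isdigit():
        return None
    if len(digits) == 9:
        digits = "44" + digits
    return int(digits) if len(digits) == 11 else None

def in_affected_range(raw):
    serial = normalize_serial(raw)
    return serial is not None and any(lo <= serial <= hi for lo, hi in AFFECTED_RANGES)

def triage(raw_serial, console_text="", has_fix_label=False):
    """Classify one unit; has_fix_label means the version tracking label is present."""
    if "Traceback:" in console_text:
        if NMI_VECTOR.search(console_text):
            return "nmi-crash"        # hardware replacement applies
        return "other-crash"          # not an NMI exception; replacement will not help
    if has_fix_label:
        return "corrected-hardware"   # the label overrides the serial range
    return "serial-in-range" if in_affected_range(raw_serial) else "not-in-range"

# Constructed samples, modelled on the console output quoted in the notice.
SAMPLE_NMI = "Traceback:\n0: 80001efb\n1: 00000000\nvector 0x00000002\n    edi 0x00000000\n"
SAMPLE_OTHER = "Traceback:\n0: 80001efb\nvector 0x0000000e\n"  # constructed non-NMI vector

if __name__ == "__main__":
    for args in [("480521234", SAMPLE_NMI), ("44403010000",), ("44403530000",),
                 ("44481123456", "", True), ("480521234", SAMPLE_OTHER)]:
        print(args[0], "->", triage(*args))
```

A unit reported as serial-in-range with no crash history needs no action under this notice, since only systems that are failing with the NMI traceback are candidates for a standard RMA.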

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods: