Cisco PIX 500 Series Security Appliances

Field Notice: PIX 515 and 506 Hang


Updated May 3, 2002

October 18, 2001



Products Affected

Product      Comments
PIX-515      PIX 515 Firewall (including all bundles)
PIX-515-DC   PIX 515 DC Firewall (including all bundles)
PIX-506      PIX 506 Firewall

Serial Numbers

Sequential #

44405200000 - 44405399999

44481200000 - 44481399999

Problem Description

Some PIX 515 systems will hang and become unresponsive, typically triggered by higher traffic throughput levels. PIX 506 systems may also be affected; however, they are rarely used in environments where traffic throughput reaches the levels necessary to induce the hang.

This failure occurs regardless of the PIX OS version installed.

Background

A new component source was introduced to the 515 and 506 production in May 2001. The new component's timing was slightly different than that on previous units. This timing differential leads to instabilities in the system and creates the potential for a system hang.

On October 2, 2001 this timing error was corrected in production.

Problem Symptoms

When the PIX hangs, all interfaces stop passing traffic and the console port becomes unresponsive. No crash or stack trace is seen on the console port, and the system does not reboot on its own. The only way to return the unit to operation is by manually resetting the power.

If a stack trace is reported on the console port, or if the system reboots on its own, then this failure is not being experienced and further troubleshooting should be performed on the configuration and software.

Workaround/Solution

Workaround

The only potential workaround is to reduce the traffic throughput level to the point where the hang does not occur. Levels under 15 Mbit/second may be sufficiently low; however, this varies from unit to unit, and it may be impossible to avoid the hang on some units. You may be able to reduce the traffic levels by hard coding all interfaces to 10BaseT, or via means external to the PIX.

Solution

The solution is to replace the failed hardware.

PIX 515 and 506 systems manufactured as of October 2nd, 2001 are free of this problem. A global purge of the service depot stock has been completed as of October 26th, 2001. All PIX systems replaced by the return materials authorization (RMA) process are free of this problem.

Customers who wish to replace one or more of their systems that are failing due to the problem described in this field notice should contact the Technical Assistance Center by following the instructions at the end of this notice and request a standard RMA.

DDTS

To follow the bug ID link below and see detailed bug information, you must be a registered user and you must be logged in.

DDTS         Description
CSCds19881   PIX 515 hangs and does not respond to console access no traffic pass.

How To Identify Hardware Levels

The presence of a version tracking label on the underside or backside of the PIX 515 chassis with version "800-05622-02 A0" or later indicates that this system contains the timing correction. This label is placed on newly manufactured systems as well as those reworked by Service to contain the timing correction, so this indication holds true even for systems with serial numbers in the affected range.

Note that some systems reworked by Service to contain the timing correction are labeled "800-05626-03 A0".

[Figure: PIX 515 Version Tracking Label]

The presence of a version tracking label on the underside of the PIX 506 chassis with version "800-06929-03 A0" or later indicates that this system contains the timing correction. This label is placed on newly manufactured systems as well as those reworked by Service to contain the timing correction, so this indication holds true even for systems with serial numbers in the affected range.

[Figure: PIX 506 Version Tracking Label]
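The serial ranges and label versions above can be applied to an inventory export to decide which units need a physical label check or an RMA request. The following is an added example, not Cisco code: the inventory rows are constructed, the status names are hypothetical, and it assumes that a 9-digit serial is a `show version` value with the leading 44 removed (as described in the PIX Firewall Serial Numbers notice summarized on this page) and that "or later" means the same base part number with an equal or higher version and revision.

```python
import re

# Serial ranges and label versions are copied from the notice.
AFFECTED_RANGES = [(44405200000, 44405399999), (44481200000, 44481399999)]
# Assumption: the PIX-515-DC carries the same label part number as the PIX-515.
FIXED_LABELS = {"PIX-515": ("800-05622", 2, "A0"), "PIX-515-DC": ("800-05622", 2, "A0"),
                "PIX-506": ("800-06929", 3, "A0")}
REWORK_LABEL_515 = "800-05626-03 A0"

def normalize_serial(raw):
    """Return the 11-digit chassis serial as an int, or None if unusable."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 9:  # assumption: 'show version' dropped the leading 44
        digits = "44" + digits
    return int(digits) if len(digits) == 11 else None

def label_is_corrected(model, label):
    """True if the version tracking label indicates the timing correction."""
    label = label.strip().upper()
    if model.startswith("PIX-515") and label == REWORK_LABEL_515:
        return True
    m = re.fullmatch(r"(800-\d{5})-(\d{2}) ([A-Z]\d)", label)
    if not m:
        return False
    base, dash, rev = FIXED_LABELS[model]
    # Assumption: "or later" = same base part number, equal or higher version/revision.
    return m.group(1) == base and (int(m.group(2)), m.group(3)) >= (dash, rev)

def triage(model, serial, label=""):
    if model not in FIXED_LABELS:
        return "not-applicable"      # product not listed in the notice
    if label_is_corrected(model, label):
        return "corrected"           # the label overrides the serial range
    sn = normalize_serial(serial)
    if sn is None:
        return "check-manually"
    hit = any(lo <= sn <= hi for lo, hi in AFFECTED_RANGES)
    return "suspect" if hit else "outside-range"

# Constructed inventory: (hostname, model, serial, label read off the chassis)
INVENTORY = [
    ("fw-edge-1", "PIX-515", "44405212345", ""),
    ("fw-edge-2", "PIX-515", "44405212346", "800-05622-02 A0"),
    ("fw-lab-1", "PIX-506", "481300001", ""),
    ("fw-core-1", "PIX-525", "44405250000", "")]

def report(inventory=INVENTORY):
    return {h: triage(m, s, l) for h, m, s, l in inventory}
```

A unit reported as "suspect" still needs the chassis label read in person, since a reworked unit keeps its original serial number.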

Related Field Notices

Field Notice

Problem Summary

PIX 506 Power Reset

Some PIX 506 systems may power reset themselves and either reboot or freeze due to a poor internal power cable connection.

PIX 515 NMI Exception Crash

Some PIX 515 systems are subject to crashing due to a Non-Maskable Interrupt (NMI) exception error. The NMI is brought on by very specific network traffic conditions, and this failure has been seen in less than one percent of the systems produced prior to October 2, 2001. PIX 515 systems which have not yet experienced the symptoms described below will in all likelihood never experience this problem.

Incorrect PIX-1FE Fast Ethernet Interface Card

Between 7/30/2001 and 8/9/2001 some PIX-1FE cards shipped from Cisco contained the i82550 Ethernet controller chip. This chip is not supported by the PIX operating system and these cards may not function properly when installed in PIX firewalls.

PIX-515 Ethernet Controller Issue

Under moderate to heavy network load conditions (when traffic exceeds 20 to 30 Mbit/second), the onboard ethernet0 interface of an affected PIX 515 may intermittently stop transmitting packets that it receives. As a side effect, the system memory may eventually be exhausted, which in turn may cause a crash or failover (depending on the configuration). After such a crash, the unit may occasionally hang during the subsequent automatic reboot.

PIX-515 Defective AC Power Supply

The power supply in an affected AC PIX-515 may short out if the unit is turned on its side during operation.

PIX Firewall Serial Numbers

PIX 525 serial numbers as reported by the show version command have their first two characters truncated. For example, if the PIX chassis serial number is 44480521234 it will be reported by show version as 480521234. The first two characters cut off are always 44.

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods: