Cisco PIX 500 Series Security Appliances

Field Notice: PIX Firewall E Release Software Bug Fix Integration


Updated March 21, 2002

February 15, 2002



Products Affected

| Product | Comments |
| --- | --- |
| PIX Firewall Software | 5.2(6), 5.2(7), 5.3(2), 5.3(3), 5.3(4), 6.0(1), 6.0(2), 6.0(3), 6.1(1), 6.1(2), 6.1(3), and all intermediate engineering releases |

Problem Description

PIX Firewall Software Releases 5.2(7), 5.3(3), 6.0(2) and 6.1(2) recently posted to Cisco.com do not contain most of the bug fixes that were integrated into previous engineering builds since the posting of the previous releases 5.2(6), 5.3(2), 6.0(1) and 6.1(1). The newer releases are essentially the same as the preceding releases with the exception of added support for the 506E and 515E platforms and the few included bug fixes listed below. Any customers running engineering builds based on the previous releases in order to address other DDTSs should not upgrade to the new releases.

Releases 5.2(8), 5.3(4), 6.0(3), and 6.1(3) contain fixes addressing the issues covered in Cisco Security Advisory: Malformed SNMP Message-Handling Vulnerabilities. These releases also do not contain most of the bug fixes which were integrated into previous engineering builds.

Background

The new Cisco.com releases with support for the new PIX 506E and PIX 515E platforms do not contain most of the bug fixes integrated into the previous engineering builds. For example, releases 6.1(2) and 6.1(3) do not contain all the fixes integrated into build 6.1(1)110 since release 6.1(1).

See below for a complete listing of all affected releases.

| Previous CCO Release | Previous Engineering Builds | New CCO Release |
| --- | --- | --- |
| 5.2(6) | 5.2(6)200, 5.2(6)201, 5.2(6)202 | 5.2(7), 5.2(8) |
| 5.3(2) | 5.3(2)200, 5.3(2)201, 5.3(2)202, 5.3(2)203, 5.3(2)204, 5.3(2)205 | 5.3(3), 5.3(4) |
| 6.0(1) | 6.0(1)101, 6.0(1)102, 6.0(1)103, 6.0(1)104, 6.0(1)105, 6.0(1)106, 6.0(1)107 | 6.0(2), 6.0(3) |
| 6.1(1) | 6.1(1)100, 6.1(1)101, 6.1(1)102, 6.1(1)103, 6.1(1)104, 6.1(1)105, 6.1(1)106, 6.1(1)107, 6.1(1)108, 6.1(1)109, 6.1(1)110 | 6.1(2), 6.1(3) |

Problem Symptoms

A customer running a previous engineering build such as 6.1(1)103 will lose most of the bug fixes integrated since release 6.1(1) if they upgrade to release 6.1(2) or 6.1(3). Most caveats affecting PIX Firewalls running release 6.1(1) will also affect those running release 6.1(2) or 6.1(3).

For example, a customer who was upgraded from release 6.1(1) to build 6.1(1)110 by the Technical Assistance Center (TAC) in order to fix the symptoms of "High DNS query-rate (more than 4000/second) causes memory exhaustion" (DDTS CSCdw10863), and who then upgrades to release 6.1(2) or 6.1(3), will re-encounter this DDTS.

Workaround/Solution

Customers running a previous Cisco.com release such as release 6.1(1) may upgrade to one of the new releases such as release 6.1(2) or 6.1(3). The only bug fixes they will receive are those listed in the DDTS section below.

Customers running a previous engineering build such as 6.1(1)110 must not upgrade to one of the new Cisco.com releases such as release 6.1(2) or 6.1(3), as most of the bug fixes integrated into their previous engineering build will be lost. New engineering builds containing support for the PIX 506E and PIX 515E platforms and the SNMP vulnerability fixes in addition to all bug fixes integrated to date are available through the TAC.
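The upgrade guidance above can be checked against a firewall inventory. The following is an added example, not part of the original field notice or Cisco tooling: it parses version strings in the notice's format and applies the release table; the hostnames, function names and category labels are assumptions made for illustration.

```python
import re

# Release lineage from the field notice's table:
# previous Cisco.com (CCO) release -> new CCO releases that lack the interim fixes.
LINEAGE = {
    "5.2(6)": ("5.2(7)", "5.2(8)"),
    "5.3(2)": ("5.3(3)", "5.3(4)"),
    "6.0(1)": ("6.0(2)", "6.0(3)"),
    "6.1(1)": ("6.1(2)", "6.1(3)"),
}

# "6.1(1)110" -> base release "6.1(1)", engineering build suffix "110".
VERSION_RE = re.compile(r"^(\d+\.\d+\(\d+\))(\d+)?$")


def classify(version):
    """Return (category, advice) for a PIX software version string."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return ("unparsed", "check the version string by hand")
    base, build = m.groups()
    if base in LINEAGE:
        new = " or ".join(LINEAGE[base])
        if build:  # engineering build on top of a previous CCO release
            return ("engineering-build",
                    f"do not upgrade to {new}; ask the TAC for a new engineering build")
        return ("previous-cco",
                f"may upgrade to {new}; only the fixes listed in the notice are gained")
    for prev, new in LINEAGE.items():
        if base in new and not build:
            return ("new-cco", f"lacks most fixes from engineering builds of {prev}")
    return ("not-listed", "not covered by this notice")


def must_not_upgrade(inventory):
    """Hosts whose running build would lose fixes on a new CCO release."""
    return sorted(h for h, v in inventory.items()
                  if classify(v)[0] == "engineering-build")


# Constructed sample inventory (hostnames are hypothetical).
INVENTORY = {"fw-edge": "6.1(1)", "fw-dmz": "6.1(1)110",
             "fw-branch": "5.3(2)203", "fw-lab": "6.1(3)"}

if __name__ == "__main__":
    for host, ver in INVENTORY.items():
        print(host, ver, *classify(ver), sep=" | ")
```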

DDTS

To follow the bug ID link below and see detailed bug information, you must be a registered user and you must be logged in.

The following is a list of the bugs fixed in the new Cisco.com release 6.1(2). No bugs were fixed in the other Cisco.com releases.

| DDTS | Description |
| --- | --- |
| CSCdt58805 | pix must not change isakmp lifetime in IKE initiators |
| CSCdt85435 | UNITY_IOS: ios does not renegotiate ipsec sa when pix does |
| CSCdv42836 | IKE continuous channel mode does not work with IOS unity |

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods: