
Cisco PIX 500 Series Security Appliances

PIX Hardware Troubleshooting

Document ID: 21501

Updated: Feb 02, 2006


Introduction

This document helps troubleshoot potential hardware issues with the Cisco Secure PIX Firewall series. It can help to identify which component might be causing a hardware failure, based on the type of error that the PIX experiences. PIX does not support Online Insertion and Removal (OIR) and needs a minimum of two interfaces for normal operation.

Prerequisites

Requirements

Before you begin to troubleshoot, complete these tasks and gather this information:

  • Identify the software version that runs on the PIX. Use the show version command to determine the software release on the PIX.

    Tip: Connect your PC to the console port of the PIX using a rolled cable, and apply the correct terminal emulator settings for console connections.

  • Identify the PIX model.

    If you run software version 5.0(1) or later, you can find the model by using the show version command.

    pixfirewall(config)#show version 
    
    Cisco PIX Firewall Version 6.2(1) 
    ... 
    <output deleted for brevity>... 
    pixfirewall up 22 hours 15 mins 
    Hardware: PIX-515, 32 MB RAM, CPU Pentium 200 MHz

    If you run a software version below 5.0(1), look at the physical unit to see what model it is. Hardware installation guides for the respective software versions contain screen shots of various PIX models.

  • How long did the PIX work before you started to have trouble?

  • What has changed (RAM upgrade, software upgrade, configuration) since the PIX last worked?

  • It is also important to keep note of any changes made while you attempt to rectify the problem.

Components Used

The information in this document applies to all Cisco Secure PIX Firewall series that include the platforms listed here:

  • 501

  • 506/506E

  • 510

  • 520

  • 515/515E

  • 525

  • 535

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

For more information on document conventions, refer to the Cisco Technical Tips Conventions.

PIX Boot Sequence

This section describes the steps that a PIX completes when it is powered on. Use it to verify that the basic PIX hardware components work correctly to ensure minimal operation.

For a PIX that functions normally, this sequence of events takes place when the PIX is powered on. Follow the steps in the order listed, using the suggested solutions listed in this document to help you resolve any issues.

  1. Fan starts to operate.

  2. Console messages start to appear.

  3. Power LED is lit.

  4. Console prompt is seen.

  5. ACT and/or Network LED on Network Interface Card(s) (NICs) is lit.

    You can also verify these items:

    • Does the disk drive work (for earlier PIX models with disk drives)?

    • Does the drive light come on (for earlier PIX models with disk drives)?

    • Is the problem observed with no or light traffic through the PIX?

Suggested Solution if Fan Does Not Start to Operate

  • Check the power source and the power switch on the PIX.

  • Try to change the power outlets.

  • If you use an Uninterrupted Power Supply (UPS), verify whether or not the PIX works if it is not connected to a UPS.

  • Try another device in the suspect outlet.

Suggested Solution if Console Messages Do Not Appear

  • Is the console cable the correct one? To make sure it is the correct one, check whether or not the console cable and the PC serial port work on another device, such as a Cisco IOS® router. If another device is not available, compare the ends of the cable side by side. The cable should be rolled, with the wire colors exactly reversed. If necessary, also check whether or not the console port works with a different PC.

  • Apply the correct terminal emulator settings for console connections.

  • The memory in the PIX might not be seated properly. If this is the case, the fan functions but the PIX itself does not. Verify that the memory is seated properly.

  • Check whether or not the PIX finds the Flash and RAM at this stage. See the sample output for PIX under normal operation.

If you still have issues after you check these items, you might have a faulty unit.

Suggested Solution if Power LED Is Not Lit

Check the power source. If the fan operates but the LED is not lit, it could be an LED issue.

Suggested Solution if ACT and/or Network LED on NIC Card(s) Is Not Lit

  • Check whether or not the network cable is connected.

  • Make sure a straight-through cable is used for a hub or switch connection. For other connections, use a crossover cable.

  • Try to change cables.

  • Try to reseat/swap the NICs.

  • If there are more than two NICs, does the PIX boot without problem when the third NIC is removed or if the NICs are swapped?

  • If you still experience troubles, check for any Field Notices available for your NIC or PIX Firewall model.

Identify the Issue

When it is powered on, the PIX might experience one of these issues:

  • PIX Hang—There is no output on the serial console, such as no PIX EXEC prompt or no response to input on the serial console.

  • PIX Crash—The PIX experiences a reboot or reload while either doing a specific action or randomly.

  • PIX Crash and Boot Loop—The PIX can be stuck in a continuous loop with an error message scrolling.

PIX Hang

If you suspect a PIX hang, check to see if any specific event, such as a high load, may have caused the hang. In such a case, a reload normally clears the problem.

If the PIX hangs frequently, capture the output of the show traffic command at regular intervals. Note that you need to issue a clear traffic command on the PIX before you collect these statistics. Submit this information to Cisco Technical Support by opening a TAC case (registered customers only).

PIX Crash

A PIX crash refers to a situation where the system has detected an unrecoverable error and has restarted itself. When the PIX reboots, it returns to a normal state. A normal state means that the PIX is functional, passes traffic, and that you are able to gain access to the PIX.

You can confirm whether a PIX rebooted by issuing the show version command and looking for the uptime. To check why the PIX rebooted, attach a PC to the console of the PIX Firewall. This enables capturing of the log messages (typically called tracebacks) the next time the PIX reboots. An example traceback is shown here:

Traceback: 
0: 8010278c 
1: 80094107 
2: 8009beb6 
3: 800a5389 
4: 800a95fb 
5: 8008f9c4 
6: 8000279b 
7: 00000000 
<output deleted for brevity>

You can look for known bugs in the specific PIX software release that you run by using the Bug Toolkit (registered customers only). Compare the traceback with that of the bug to see if they are the same. If a fix is available, upgrade the PIX to the software release in which the fix is present. If a bug fix is not available, or if you do not find anything related in the Bug Toolkit, open a TAC case (registered customers only) with the information you gathered as described earlier in this document. Capture the complete traceback before you open the case.

PIX Crash and Boot Loop

When a PIX experiences a continuous/boot loop, you cannot gain access to the PIX and error messages scroll until the unit is powered off. A continuous loop might be due to a hardware issue. The Example System Messages section of this document shows an example of a good boot and two examples of a bad boot due to hardware problems.

You can look for known bugs in the specific PIX software release that you run by using the Bug Toolkit (registered customers only). Compare the traceback with that of the bug to see if they are the same. If a fix is available, upgrade the PIX to the software release in which the fix is present. If a bug fix is not available, or if you do not find anything related in the Bug Toolkit, open a TAC case (registered customers only) with the information you gathered earlier in this document. Capture the complete traceback before you open the case.
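The traceback comparison described in the PIX Crash and PIX Crash and Boot Loop sections can be scripted against a saved console capture. This is an added example, not Cisco code: the function names are hypothetical, and the capture and the reference bug traceback are constructed samples that reuse the first frames of the traceback shown above.

```python
import re

# A frame line looks like "0: 8010278c": an index, a colon, an 8-digit hex address.
FRAME_RE = re.compile(r"^\s*(\d+):\s*([0-9a-fA-F]{8})\s*$")

def extract_tracebacks(capture):
    """Return every traceback in a console capture as a list of address lists."""
    tracebacks, current = [], None
    for line in capture.splitlines():
        if line.strip().lower().startswith("traceback:"):
            current = []
            tracebacks.append(current)
            continue
        if current is None:
            continue
        match = FRAME_RE.match(line)
        # Frames must be numbered consecutively; anything else ends the traceback.
        if match and int(match.group(1)) == len(current):
            current.append(match.group(2).lower())
        else:
            current = None
    return tracebacks

def compare(captured, reference):
    """Return (identical, number of leading frames that match)."""
    shared = 0
    for ours, theirs in zip(captured, reference):
        if ours != theirs:
            break
        shared += 1
    return captured == reference, shared

# Constructed console capture covering two reboots (a boot loop logs several).
CAPTURE = """pixfirewall#
Traceback:
0: 8010278c
1: 80094107
2: 8009beb6
3: 800a5389
<output deleted for brevity>
Traceback:
0: 8010278c
1: 80094107
2: 8009c000
"""
# Constructed stand-in for the traceback listed in a bug record.
BUG_TRACEBACK = ["8010278c", "80094107", "8009beb6", "800a5389"]

for frames in extract_tracebacks(CAPTURE):
    print(frames, compare(frames, BUG_TRACEBACK))
```

A partial match (the second traceback here) usually means the capture was cut short, which is why the complete traceback should be captured before a case is opened.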

Example System Messages

Normal PIX Operation

This is sample output from a PIX 515 booting under normal operation:

PhoenixPICOBIOS 4.0 Release 6.0 
Copyright 1985-1998 Phoenix Technologies Ltd. 
All Rights Reserved 

Build Time: 04/27/99 17:08:34 
Polaris BIOS Version 0.09 
CPU = Pentium with MMX  200 MHz 
640K System RAM Passed 
31M Extended RAM Passed 
0512K Cache SRAM Passed 
System BIOS shadowed 
PIX BIOS (4.0) #38: Tue Apr 27 12:45:23 PDT 1999 
    timhahn@irp-view5:/vws/dry/timhahn/trunk/loader 
Platform PIX-515 
Flash=i28F640J5 @ 0x300 

Use BREAK or ESC to interrupt flash boot. 
Reading 1528320 bytes of image from flash. 
##################################################### 
# 
32MB RAM 
Flash=i28F640J5 @ 0x300 
BIOS Flash=AT29C257 @ 0xfffd8000 
mcwa i82559 Ethernet at irq 11  MAC: 0050.54fe.ea30 
mcwa i82559 Ethernet at irq 10  MAC: 0050.54fe.ea31 
mcwa i82558 Ethernet at irq  7  MAC: 0090.2742.fbbe 

  ----------------------------------------------------------------------- 
                               ||        || 
                               ||        || 
                              ||||      |||| 
                          ..:||||||:..:||||||:.. 
                         c i s c o S y s t e m s 
                        Private Internet eXchange 
  ----------------------------------------------------------------------- 
                        Cisco PIX Firewall 

Cisco PIX Firewall Version 6.2(1) 
Licensed Features: 
Failover:           Enabled 
VPN-DES:            Enabled 

VPN-3DES:           Enabled 
Maximum Interfaces: 6 
Cut-through Proxy:  Enabled 
Guards:             Enabled 
URL-filtering:      Enabled 
Inside Hosts:       Unlimited 
Throughput:         Unlimited 
IKE peers:          Unlimited 
  

  ****************************** Warning ******************************* 
  Compliance with U.S. Export Laws and Regulations - Encryption. 

  This product performs encryption and is regulated for export 
  by the US Government. 

  This product is not authorized for use by persons located 
  outside the United States and Canada that do not have prior 
  approval from Cisco Systems, Inc. or the US Government. 

  This product may not be exported outside the US and Canada 
  either by physical or electronic means without PRIOR approval 
  of Cisco Systems, Inc. or the US Government. 

  Persons outside the US and Canada may not re-export, resell 
  or transfer this product by either physical or electronic means 
  without prior approval of Cisco Systems, Inc. or the US 
  Government. 
  ******************************* Warning ******************************* 

Copyright (c) 1996-2002 by Cisco Systems, Inc. 

                Restricted Rights Legend 

Use, duplication, or disclosure by the Government is 
subject to restrictions as set forth in subparagraph 
(c) of the Commercial Computer Software - Restricted 
Rights clause at FAR sec. 52.227-19 and subparagraph 
(c) (1) (ii) of the Rights in Technical Data and Computer 
Software clause at DFARS sec. 252.227-7013. 

                Cisco Systems, Inc. 
                170 West Tasman Drive 
                San Jose, California 95134-1706 
  

Cryptochecksum(unchanged): d32550f0 c52eaa1b 952dabc8 6e7b6ea3 
199002: PIX startup completed.  Beginning operation. 
Type help or '?' for a list of available commands. 

non-PIX-1GE-66 Message on the PIX

WARNING: A non-PIX-1GE-66 Gigabit Ethernet card was found in slot 0. 
WARNING: This combination is not recommended and will reduce the overall 
WARNING: performance of the system.  Remove this card and replace it with 
WARNING: a PIX-1GE-66 Gigabit Ethernet card for optimal performance. 

Solution: This message can be seen if a 33 MHz Gigabit Ethernet card is used in a 66 MHz bus slot. It does not appear on a PIX 535 unit as shipped from Cisco but can appear if the slower card has been moved from a 33 MHz bus slot on the left to one of the four 66 MHz bus slots on the right. For performance reasons, only 66 MHz cards should be used in these 66 MHz bus slots.

Only One NIC Used

An internal error occurred.  Specifically, a programming assertion was 
violated.  Copy the error message exactly as it appears, and get the 
output of the show version command and the contents of the configuration 
file.  Then call your technical support representative. 
 
assertion "PifCount >= 2 && PifCount <= MAX_PIFS" failed: file "pixmain.c", 
line 219 

An internal error occurred.  Specifically, a programming assertion was 
violated.  Copy the error message exactly as it appears, and get the 
output of the show version command and the contents of the configuration 
file.  Then call your technical support representative. 

Assertion"(unsigned)ifc < PifCount" failed: file "pixmain.c", line 547 
Panic: pix/intf1 - Cannot open interface card 1 (en_3com/1) 
0x807c14c8: 0x00000000 
0x807c14c4: 0x00000001 
0x807c14c0: 0x80069e1c 
0x807c14bc: 0x00000000 

<output deleted for brevity>

Solution: Use a minimum of two interfaces.
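A saved boot capture can be checked against the example messages in this section before you decide which component to suspect. This is an added example, not Cisco code: the function names and the wording of the findings are hypothetical, and the two captures are constructed excerpts assembled from the sample messages above.

```python
import re

def triage_boot(capture):
    """Collect the hardware facts a PIX console boot capture reports."""
    r = {"ram_mb": None, "flash": None, "macs": [], "assertions": [],
         "panic": None, "slow_gige": False, "started": False}
    for line in capture.splitlines():
        text = line.strip()
        if m := re.fullmatch(r"(\d+)MB RAM", text):
            r["ram_mb"] = int(m.group(1))
        elif m := re.match(r"Flash=(\S+) @", text):  # not the "BIOS Flash=" line
            r["flash"] = m.group(1)
        elif m := re.search(r"Ethernet at irq\s+\d+\s+MAC: ([0-9a-f.]+)", text):
            r["macs"].append(m.group(1))
        elif m := re.search(r'[Aa]ssertion\s*"([^"]+)" failed', text):
            r["assertions"].append(m.group(1))
        elif text.startswith("Panic:"):
            r["panic"] = text[6:].strip()
        elif "non-PIX-1GE-66" in text:
            r["slow_gige"] = True
        elif "PIX startup completed" in text:
            r["started"] = True
    return r

def findings(r):
    """Map the collected facts to the checks this document suggests."""
    checks = [
        (r["ram_mb"] is None or r["flash"] is None,
         "RAM or Flash not reported: check that memory is seated"),
        (len(r["macs"]) < 2, "fewer than two interfaces: the PIX needs at least two"),
        (r["slow_gige"], "non-PIX-1GE-66 card reported: use 66 MHz cards in 66 MHz slots"),
        (bool(r["assertions"] or r["panic"]), "assertion or panic: capture the complete output"),
        (not r["started"], "boot did not reach 'PIX startup completed'"),
    ]
    return [msg for failed, msg in checks if failed]

# Constructed excerpts assembled from the sample messages in this document.
GOOD_BOOT = """32MB RAM
Flash=i28F640J5 @ 0x300
BIOS Flash=AT29C257 @ 0xfffd8000
mcwa i82559 Ethernet at irq 11  MAC: 0050.54fe.ea30
mcwa i82559 Ethernet at irq 10  MAC: 0050.54fe.ea31
199002: PIX startup completed.  Beginning operation."""
BAD_BOOT = """32MB RAM
Flash=i28F640J5 @ 0x300
mcwa i82559 Ethernet at irq 11  MAC: 0050.54fe.ea30
assertion "PifCount >= 2 && PifCount <= MAX_PIFS" failed: file "pixmain.c",
Assertion"(unsigned)ifc < PifCount" failed: file "pixmain.c", line 547
Panic: pix/intf1 - Cannot open interface card 1 (en_3com/1)"""
print(findings(triage_boot(BAD_BOOT)))
```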

Summary

If you have identified a component that needs to be replaced, contact your Cisco partner or reseller to request a replacement for the hardware component that causes the issue. If you have a support contract directly with Cisco, use the Cisco.com Case Open Tool to open a TAC case (registered customers only) and request a hardware replacement. Make sure you attach this information:

  • Console captures that show the complete error messages or tracebacks.

  • Console captures that show the troubleshooting steps taken and the boot sequence during each step.

  • The hardware component that failed and the serial number for the chassis.

  • Troubleshooting logs.

  • Output from the show tech command.

If you have been unable to identify your hardware issue in this document, refer to PIX 500 Series Firewall Field Notices to look at additional known hardware problems.
