User Guide for Cisco Security MARS Local Controller, Release 5.3.x
System Maintenance
Download this chapter
System MaintenanceSystem Maintenance
give_us_feedback

Table Of Contents

System Maintenance

Setting Runtime Logging Levels

Viewing the MARS Backend Log Files

View the Backend Log

Viewing the Audit Trail

View an Audit Trail

Retrieving Raw Messages

About Raw Message Size Limitations and Storage Location

Retrieve Raw Messages From Archive Server

Retrieve Raw Messages From a Local Controller

Change the Default Password of the Administrator Account

Understanding Certificate and Fingerprint Validation and Management

Setting the Global Certificate and Fingerprint Response

Upgrading from an Expired Certificate or Fingerprint

Upgrade a Certificate or Fingerprint Interactively

Upgrade a Certificate Manually

Upgrade a Fingerprint Manually

Monitoring Certificate Status and Changes

Hardware Maintenance Tasks—MARS 25R, 25, 55, 110R, 110, 210, GC2R, and GC2

Field Replaceable Units

Removing and Replacing the Front Bezel

Removing the Chassis Cover

Replacing the RAID Battery Backup Unit

Procedure to Replace the Raid Battery Backup Unit

Hard Drive Troubleshooting and Replacement

Hard Drive Status LEDs

Partition Checking

Overview of RAID Subsystem

Hotswapping Hard Drives

Failed Hard Drive Alert

Viewing RAID Array Status with the raidstatus CLI Command

Hard Drive Slot Number Diagrams

Procedure to Hotswap a Hard Drive

Hotswap CLI Example

Replacing a Hard Drive in the Hard Drive Carrier

Hot-swapping a Power Supply Unit

Installing the Inline Modem Filter

Diagnostic Beep Codes

Safety Information

Intended Application Uses

Equipment Handling Practices

Power and Electrical Warnings

Power Cord Warnings

System Access Warnings

Rack Mount Warnings

Electrostatic Discharge (ESD)

Battery Replacement

Cooling and Airflow

Laser Peripherals or Devices


System Maintenance

Revised: April 5, 2007, OL-14675-02

Much of the system maintenance information for the MARS Appliance is provided exclusively in the Install and Setup Guide for Cisco Security Monitoring, Analysis, and Response System.

The MARS Appliance requires little maintenance. To perform maintenance tasks, you can use the CLI or the web interface as needed. Some hardware maintenance tasks require physical access to the MARS Appliance.

This chapter contains the following sections:

Setting Runtime Logging Levels

Viewing the MARS Backend Log Files

Viewing the Audit Trail

Retrieving Raw Messages

Change the Default Password of the Administrator Account

Understanding Certificate and Fingerprint Validation and Management

Hardware Maintenance Tasks—MARS 25R, 25, 55, 110R, 110, 210, GC2R, and GC2

For information about upgrading, backing up, and restoring data on the MARS Appliance, see the following sections of the Install and Setup Guide for Cisco Security Monitoring, Analysis, and Response System:

Performing Command Line Administration Tasks, page 6-1

Checklist for Upgrading the Appliance Software, page 6-6

Configuring and Performing Appliance Data Backups, page 6-25

Recovery Management, page 6-38

Setting Runtime Logging Levels

To set the appliance's runtime logging levels, navigate to Admin > System Maintenance > Set Runtime Logging Levels. For typical use, it is best to leave this page set to its defaults.

When you have made your selections, click the Change Logging Levels button.

The following log levels are available:

Fatal. Enables fatal logging messages. Fatal messages record very severe error events that will likely lead the application to abort.

Error. Enables error and fatal logging messages. Error messages record error events that might still allow the application to continue running.

Warn. Enables warning, error, and fatal logging messages. Warning messages record potentially harmful situations.

Info. Enables informational, warning, error, and fatal logging messages. Informational messages highlight the progress of the application at coarse-grained level.

Debug. Enables debug, informational, warning, error, and fatal logging messages. Debug messages record fine-grained informational events that are most useful to debug an application.

Trace. Enables trace, debug, information, warning, error, and fatal logging messages. Trace messages record finer-grained informational events than debug messages.

Viewing the MARS Backend Log Files

To view the appliance's log files or to change their levels or source, navigate to Admin > System Maintenance > View Log Files.

Figure 26-1 Backend log viewing options

You can view the appliance's back-end logs either by selecting a number of days, hours, and minutes or you can view logs by selecting a start and ending date and time.

You can select the levels of logs that you want. Your choices are: All, Fatal, Error, Warn, Info, and Debug.

You can also choose the source of the files that you want to view. Select either Backend or GUI.

View the Backend Log

Step 1 Click the appropriate radio button:

Last: The present time minus the number of days, hours, and minutes entered.

Start/End: Absolute literal time ranges defined by the date to the minute.

Step 2 Select user, group, etc.

Step 3 Select the source.

Step 4 Click Submit.

Viewing the Audit Trail

You can track the activities of the appliance's users by analyzing the appliance's log files. To set the appliance's audit trail logs, navigate to Admin > System Maintenance > View Audit Trail. For typical use, it is best to leave this page set to its defaults.

You can view the user audit trails either by selecting a number of days, hours, and minutes, or you can view a specific interval by selecting a start and ending date and time.

View an Audit Trail

Step 1 Click the appropriate radio button:

Last: DD-HH-MM

Start/End: YY-MM-DD-HH-MM

Step 2 From the list, select the user or user group.

Step 3 Click Submit.

Retrieving Raw Messages

You can retrieve raw messages from either an archive server (see Configuring and Performing Appliance Data Backups, page 6-25) or from the local files (database in 4.2x and earlier) running on the Local Controller. These two method offer different advantages:

Archive server. Retrieving raw messages, or event data, from an archive server is much faster than retrieving from the database. Therefore, it is the recommended option if it is available and it covers the time period you are investigating. However, this option is only available if you have enabled data archiving and waited the requisite time for the initial archival operation to occur; it is a scheduled operation that runs nightly around 2:00 a.m. Once the initial archive is performed, the event data is written to the archive server frequently, often within 5 to 8 minutes after the MARS Appliance receives the message. That data is not archived in real-time identifies another limitation to this option, and that is the historical period that can be studied. If you need to view data that is more current than an hour old, you should select the Database option to ensure that correct data is retrieved. For all other periods, the archive server option is recommended. To enable archiving, see Configuring and Performing Appliance Data Backups, page 6-25.

Local Files (was Database in 4.2.x and earlier). Retrieving event data from the local files provides slower performance than the archive server. However, it provides access to the most current data received. When you select this option, you can specify where you want the retrieved records to be written: in the default local directory or the a remote server, if one is available.

This section contains the following topics:

About Raw Message Size Limitations and Storage Location

Retrieve Raw Messages From Archive Server

Retrieve Raw Messages From a Local Controller

About Raw Message Size Limitations and Storage Location

Prior to the 5.2.4 release, the storage of raw message data in the local database was restricted to 500 KB per message. Beginning with 5.2.4, the raw message size is stored in local files that can be up to 1.5 MB without being truncated. Each MARS Appliance model has dedicated disk space reserved for arbitrary-sized raw message files. When the upper limit of this storage size is reached, the pnarchiver process moves the raw messages and assocaited index files to the remote NFS server, if configured. If not NFS server is configured, then the raw message files are purged, oldest data first (first in, first out). When the database is purged, the corresponding raw message files are also purged.

The raw message files are archived under /pnarchive/DATA_POOL. These the DATA_POOL directory contains a dated directories under which the raw message files created on that date are compressed and saved. An example /pnarchive/DATA_POOL/<date> directory listing follows: 

	2007-02-10

	2007-02-11

The file names use the following format: 

	[dbversion]-[productversion]-[serialno]_[StartTime]_[EndTime].gz

For example, the ./pnarchive/DATA_POOL/2007-02-12/ES listing reveals: 

	ix-5248-524-1171238692_2007-02-12-00-04-46_2007-02-12-01-04-51.gz

	rm-5248-524-1171238692_2007-02-12-00-04-46_2007-02-12-01-04-51.gz

Note Those files beginning with "ix" are index files, and those beginning with "rm" are the raw message files.

Retrieve Raw Messages From Archive Server

Use this selection if archiving is enabled.

To retrieve event data from an archive server, follow these steps:

Step 1 Click Admin > System Maintenance > Retrieve Raw Messages.

Figure 26-2 Retrive Raw Messages Page (4.2.x)

Figure 26-3 Retrive Raw Messages Page (5.2.x)

Step 2 Specify the time range by specifying values in the Start and End fields.

Step 3 Verify that Retrieve Data From Archived Files is selected.

The data will be retrieved from the server identified under Admin > System Maintenance > Data Archiving.

Step 4 Click Submit.

Note While MARS is generating your files, you can still use the system for other tasks.

Result: The Retrieving Progress 0% screen appears. When the operation is complete, the Raw Message Files screen appears, identifying a new Gzip archive file with a filename based on specified time range.

Step 5 To download and view the generated raw message file, click Click Here to Download next to the filename.

The filename adheres to the following syntax: YYYY-MM-DD-HH-MM-SS_YYYY-MM-DD-HH-MM-SS.gz.

Step 6 Use WinZip or another archive expansion program to extract the contents of the Gzip archive file.

Step 7 Once the textfile is extracted from the GNU Zip archive format, its contents resemble the following: 

33750»Wed Jul 27 16:16:06 PDT 2005»BR-FW-1»10.4.1.1 Mon Jan 6 11:05:34 2003 <134>Jan 06 
2003 11:03:53: %PIX-6-302001: Built inbound TCP connection 21000 for faddr 10.1.2.4/9000 
gaddr 10.1.5.20/80 laddr 10.1.5.20/80

where it reads: device ID>>date>>device name>>raw message.

Note If you see Chinese or other unfamiliar characters in the resulting text file, please use Microsoft Internet Explorer to view the file and verify that the Western European ISO or Western European Windows encoding value is selected (View > Encoding). The "»" sign appears correctly as a separator when a compatible encoding is selected.

Retrieve Raw Messages From a Local Controller

Use this selection if archiving is not enabled or if you need to view event data that was received within the past hour.

Note For versions prior to 5.2.4, raw messages are retrieved from the database. Begining with the 5.2.4 release, event data is stored in local files that allow for raw messages up to 1.5 MB.

To retrieve event data from the Local Controller, follow these steps:

Step 1 Click Admin > System Maintenance > Retrieve Raw Messages.

Figure 26-4 Retrive Raw Messages Page (4.2.x)

Figure 26-5 Retrive Raw Messages Page (5.2.x)

Step 2 Specify the time range by specifying values in the Start and End fields.

Step 3 Select Retrieve from Local Files. (This option was Retrieve Data from DB in 4.2.x and earlier.)

Step 4 Select one of the following options:

Save to Local. This option retrieves the data from the local files (or database in 4.2.x and earlier) and stores it on the local appliance.

Save to Remote. This option retrieves the data from the local files (or database in 4.2.x and earlier) and stores it on the archive server, as identified under Admin > System Maintenance > Data Archiving.

Step 5 Review the Cached Files time range information, and then do one of the following:

If you want data from within this time range, you do not need for Force Generate Files.

If you want data that does not fall within the Cached Files time range, select the Force Generate Files check box.

If there is no cached file information, select the Force Generate Files check box.

If no cached file data is shown, then no previous queries have been performed and stored. For example, if you preform three separate queries, using time range A, from the local files (or database in 4.2.x and earlier) using the time range, saving the files to the local MARS Appliance. If you later specify the same time range A and do the retrieval again but you do not clear the Force generate files check box, the system performs the query, generating the file again. However, if you have already retrieved and stored some data before, you can specify to retrieve them from those saved files by clearing the Force generate files check box.

Step 6 Enter the maximum number of retrieved files to retain in the Maximum No. of Files field.

This value refers to the maximum number of event files to be generated for this query.

Note Requesting large numbers of files can take some time.

Step 7 Select the list of devices for which you want to pull event data in the Reporting Devices list.

You can select a specific device by name or All Devices.

Step 8 Click Submit.

Note While MARS is generating your files, you can still use the system for other tasks.

Result: The Retrieving Progress 0% screen appears. When the operation is complete, the Raw Message Files screen appears, identifying a new Gzip archive file with a filename based on specified time range.

Step 9 To download and view the generated raw message file, click Click Here to Download next to the filename.

The filename adheres to the following syntax: YYYY-MM-DD-HH-MM-SS_YYYY-MM-DD-HH-MM-SS.gz.

Step 10 Use WinZip or another archive expansion program to extract the contents of the Gzip archive file.

Step 11 Once the textfile is extracted from the GNU Zip archive format, its contents resemble the following: 

33750»Wed Jul 27 16:16:06 PDT 2005»BR-FW-1»10.4.1.1 Mon Jan 6 11:05:34 2003 <134>Jan 06 
2003 11:03:53: %PIX-6-302001: Built inbound TCP connection 21000 for faddr 10.1.2.4/9000 
gaddr 10.1.5.20/80 laddr 10.1.5.20/80

where it reads: device ID>>date>>device name>>raw message.

Note If you see Chinese or other unfamiliar characters in the resulting text file, please use Microsoft Internet Explorer to view the file and verify that the Western European ISO or Western European Windows encoding value is selected (View > Encoding). The "»" sign appears correctly as a separator when a compatible encoding is selected.

Change the Default Password of the Administrator Account

Good security practices require that you change the default password. We recommend using strong passwords for the MARS Appliance appliances.

Login names and passwords:

can be alphanumeric characters

are case sensitive

can contain special characters (!, @, #, etc.)

cannot contain single or double quotes (`or ")

Login names can contain up to 20 characters. Passwords can contain up to 64 characters.

To change the default password and setup administrator notification, follow these steps:

Step 1 Click the Management > User Management tab.

Step 2 Check the box next to Administrator, and click Edit.

Step 3 Enter the new Administrator password and the Administrator e-mail address.

Step 4 Click Submit.

Understanding Certificate and Fingerprint Validation and Management

Many reporting devices use certificates or fingerprints to enable secure communications over SSL or SSH respectively. Beginning in 4.2.3, MARS performs a strict check of the certificate or fingerprint of the device or server to which it is attempting to connect.

Note Certificate validation does not follow the convention of presenting the client with a list of certificate authorities and using the selected one to validate individual certificates. Instead, the MARS Appliance compares the certificate presented by the reporting device with a previously stored instance of the certificate. If the two match, the presented certificate is considered valid. This approach allows MARS to validate certificates without knowledge of revocation lists and to operate in a network without an Internet connection.

Three options exist for specifying how MARS should respond during attempts to establish a secure connection. The three options are as follows:

Automatically always accept. This option, which is compatible with previous releases, allows a MARS Appliance to connect to reporting devices regardless of how frequently the certificate or fingerprint changes because MARS automatically accepts and stores the replacement certificate or fingerprint for all devices. However, this option does not provide an opportunity to inspect and authorize the changes to the certificates or fingerprints. When a conflict is detected or when a new certificate or fingerprint is accepted, the event is logged to the internal log. The internal log entry includes the name of the process that detected the conflict and the IP address of the reporting device. The logs can be retrieved by queries and reports. See Monitoring Certificate Status and Changes for more information on studying these events.

Accept first time and prompt on change (default). This option accepts and stores a new certificate or fingerprint the first time MARS Appliance connects to a device. For subsequent connection attempts, the appliance checks the presented certificate or fingerprint against the stored value. If a conflict is detected, the session is refused unless the new certificate or fingerprint is manually accepted by the administrator. This option enables initial topology discovery to proceed without administrator intervention. Internal system logs of the initial acceptance, conflict detection, and acceptance of new change are created. The internal logs include the name of the process that detected the conflict, the IP address of the reporting device, and the username of the account used to accept the change.

If, when a change is detected by a web interface process, the session times out before administrative intervention, the communication fails but no internal system log is generated to record the failure to accept the changed certificate or fingerprint. Also, if a back-end process initiates the request, such as auto discovery, then the session attempt always fails and no attempt to obtain administrative acceptance is initiated. In such cases, any data the MARS Appliance would normally ascertain from the device during such a session is not collected. This delay of data retrieval does not apply to syslogs forward to the MARS Appliance by the reporting device and it resumes once the new certificate is accept. The recommended method for manually kicking off the change detections is to use the Test Connectivity or Discover button on the reporting device.

Always prompt on new and changed. This options requires an administrator to manually accept the certificate or fingerprint before MARS can establish the desired communications each time the certificate or fingerprint changes. During changes, the internal log includes the username of the account used to accept the change. If the communication times out before administrative intervention, the communication fails and an internal system log records the failure to accept the changed certificate or fingerprint.

The implication of each option varies based on which MARS service is attempting the connection, not in the enforcement of the option, but in the ability of the service to prompt for immediate administrative intervention. In other words, if the service is a GUI-based services, you will be prompted to accept the changed certificate or fingerprint. If the service is a backend service, the communications with the target device will fail and the event will be logged.

The following services and operations are affected by the global certificate/fingerprint response setting:

Upgrade (SSL). When MARS uses the HTTPS option to download the upgrade package from the remote server specified on the Admin > System Maintenance > Upgrade page.

Discovery operation. (SSH)

Test Connectivity operation. (SSL)

Cisco IDS, IPS, and IOS IPS router Event Processing (RDEP or SDEE over SSH)

CSM Policy Query Integration (SSL)

Qualys Report Discovery. (SSL)

Graphgen process for mitigation operation (SSH and SSL)

Device Monitor process for resource monitoring feature (SSH)

DTM process (SSH)

Setting the Global Certificate and Fingerprint Response

The default response is to accept the certificate or fingerprint the first time MARS attempts to connect to the device, after which if a conflict is detected, then administrative intervention is required to update to the new certificate or fingerprint.

If this option is not the one that you wish to use, you can select from three options. The global setting for the conflict detection responses is located on the Admin > System Parameters > SSL/SSH Settings page.

To change the default certificate and fingerprint response, follow these steps:

Step 1 Log into the web interface using an account with Administrative privilege.

Step 2 Click the Admin > System Parameters > SSL/SSH Settings.

Step 3 Select one of the following options to define the global behavior that you require:

Automatically always accept

Accept first time and prompt when changed

Always prompt on new and changed

For details on these options, see Understanding Certificate and Fingerprint Validation and Management.

Step 4 Click Submit.

Upgrading from an Expired Certificate or Fingerprint

If you have selected a global response option other than Automatically always accept (see Setting the Global Certificate and Fingerprint Response), you will at some time be required to update an expired certificate or fingerprint.

Two options exist for upgrading from an expired certificate or fingerprint. If you are logged in to the web interface when a GUI process detects a certificate or fingerprint conflict, you will be prompted to accept or reject the new value. Otherwise, if you are not logged in or a backend process detects the conflict, you must manually initiate a communication with the device. To determine the list of devices for which you must manually update the certificates or fingerprints, review the Activity: CS-MARS Detected Conflicting Certificates/Fingerprints report (see Monitoring Certificate Status and Changes).

The following procedures explain how to upgrade under the specific circumstances:

Upgrade a Certificate or Fingerprint Interactively

Upgrade a Certificate Manually

Upgrade a Fingerprint Manually

Upgrade a Certificate or Fingerprint Interactively

An interactive upgrade refers to responding to a web interface prompt to update the certificate. This type of upgrade is available when you are logged into the GUI and a process, such as graphgen, prompts you to upgrade a certificate or fingerprint that conflicts with the previously accepted value. Click Yes to accept the new fingerprint or certificate.

Upgrade a Certificate Manually

A manual upgrade allows you to upgrade any certificate at any time due to any reason: session time out during interactive prompt, user error, detection of conflict by a backend process.

To manually upgrade to a new certificate, follow these steps:`

Step 1 Log into the web interface using an account with Administrative privilege.

Step 2 Select the reporting device on the Admin > System Setup > Security and Monitor Devices page for which MARS has detected a certificate conflict. and click Edit.

Step 3 Click Test Connectivity.

The dialog box displays stating "Do you want to accept following certificate for the device named: <device_name>?.

Step 4 Verify the certificate value.

Step 5 If the value is correct. click Yes.

Upgrade a Fingerprint Manually

A manual upgrade allows you to upgrade any fingerprint at any time due to any reason: session time out during interactive prompt, user error, detection of conflict by a backend process.

To manually upgrade a fingerprint, follow these steps:

Step 1 Log into the web interface using an account with Administrative privilege.

Step 2 Select the reporting device on the Admin > System Setup > Security and Monitor Devices page for which MARS has detected a fingerprint conflict and click Edit.

Step 3 Click Discover.

The dialog box displays stating "Do you want to accept following fingerprint for the device named: <device_name>?.

Step 4 Verify the fingerprint value.

Step 5 If the value is correct, click Yes.

Monitoring Certificate Status and Changes

To support the certificate management features in MARS, the following system inspection rule exists:

System Rule: CS-MARS Failure Saving Certificates/Fingerprints. This inspection rule indicates that MARS has failed to save a new or changed device SSL certificate or SSH key fingerprint based on either explicit user action or automatic accept as specified on the SSL/SSH Settings page.

In addition, the following reports appear under the System: CS-MARS Issue category.

Activity: CS-MARS Accepted New Certificates/Fingerprints

Activity: CS-MARS Accepted Conflicting Certificates/Fingerprints

Activity: CS-MARS Detected Conflicting Certificates/Fingerprints

Activity: CS-MARS Accepted New Certificates/Fingerprints'

Activity: CS-MARS Failure Saving Certificates/Fingerprints

Activity: CS-MARS Device Connectivity Errors

Hardware Maintenance Tasks—MARS 25R, 25, 55, 110R, 110, 210, GC2R, and GC2

Field Replaceable Units

Removing and Replacing the Front Bezel

Removing the Chassis Cover

Replacing the RAID Battery Backup Unit

Hard Drive Troubleshooting and Replacement

Hot-swapping a Power Supply Unit

Installing the Inline Modem Filter

Diagnostic Beep Codes

Field Replaceable Units

Table 26-1 lists the field replaceable units (FRUs) supported for the MARS 55, 110R, 110, 210, GC2R, and GC2 appliances.

Table 26-1 List of Field Replaceable Units for the Cisco Security MARS Appliances 5.X

FRU Description
FRU Part Number

SR2500 (Driskill 2) 750 Watt Power Supply Module

CS-MARS-D750-PS =

500 GB SATA-IO Hard Drive (MARS 55)

CS-MARS-H500-HD =

500 GB SATA-IO Hard Drive (MARS 110R, 110)

CS-MARS-S500-HD =

750 GB SATA-IO Hard Drive

CS-MARS-S750-HD =

RAID Controller Back-Up Battery Unit

CS-MARS-X10-BB =

Rack-mount Kit

CS-MARS-X10-RAIL=


Removing and Replacing the Front Bezel

For the MARS 55, 110R, 110, 210, GC2, and GC, you must remove the front bezel to access the DVD ROM, hard drives, and control panel buttons. The bezel does not lock. The MARS 25R and 25 front panel features are accessible without removing the bezel.

MARS 55

To remove the MARS 55 bezel, support the left-side hinge with your hand, pull the bezel from the right-hand side, swing open, then gently detach left-hand side from hinge, as shown in Figure 26-6.

Figure 26-6 Removing the Front Bezel from a MARS 55

MARS 110R, 110, 210, GC2R, and GC2

To remove the bezel, pull the bezel from the appliance, as shown in Figure 26-7.

To replace the bezel, line up the center notch on the bezel with the center guide on the rack handles, then push the bezel onto the front of the MARS Appliance until it clicks into place.

Figure 26-7 Removing the Front Bezel

Removing the Chassis Cover

This section pertains only to the MARS 110R, 110, 210, GC2R, and GC2 appliances.

The MARS Appliance must be operated with the chassis cover in place to ensure proper cooling. Remove the top cover to add or replace components inside of the appliance. Before removing the chassis cover, power down the appliance and unplug all peripheral devices and the AC power cables.

Note A nonskid surface or a stop behind the MARS Appliance may be needed to prevent the MARS Appliance from sliding on your work surface.

Removing the Chassis Cover

Step 1 Observe all safety and ESD precautions. See "Safety Information" section."

Step 2 Turn off the appliance.

Step 3 Disconnect the AC power cords.

Step 4 Remove the safety screw if it is installed, as shown in callout A of Figure 8.

Step 5 While holding in the blue button at the top of the MARS Appliance (callout B), slide the top cover back until it stops, as shown in callout C of Figure 8.

Step 6 Insert your finger in the notch shown in callout D of Figure 8, then lift the cover upward to remove it.

Figure 8 Removing the MARS Appliance Cover

End of Procedure

Replacing the Chassis Cover

Step 1 Place the cover over the MARS Appliance so that the side edges of the cover sit just inside the
MARS Appliance sidewalls.

Step 2 Slide the cover forward until it clicks into place.

Step 3 (Optional) Insert the safety screw at the center of the top cover if required.

Step 4 Reconnect the AC power cords.

End of Procedure

Replacing the RAID Battery Backup Unit

This section pertains only to the MARS 110R, 110, 210, GC2R, and GC2 appliances.

RAID Controller Back-Up Battery
Part number: CS-MARS-X10-BB=

The RAID Backup Battery Unit (RAID BBU) prevents RAID data loss by preserving data held in the RAID cache module during a power outage. The RAID BBU can provide up to 72 hours of battery power until the system power is restored.

The RAID BBU requires 24 hours to fully charge from when the appliance is first powered on, and is continually charged thereafter from the system power. The total charge capacity of the battery degrades over time. The show healthinfo CLI command reports the relative charge state of the RAID BBU.

There is a direct relationship between the relative charge and the battery backup time
(100%charge = 72hours ). A 100 percent charge provides 72 hours RAID cache protection. Similarly, a 75 percent charge provides 54 hours of protection (100%charge * .75 = 72hours * .75).

Make sure there is sufficient charge to provide RAID cache protection for the total probable hours the MARS Appliance could be without system power. For example, a 90.3% charge (65 hours) would allow 2 hours to manually restore system power if a total power outage occurred in an unattended facility between 17h00 Friday to 8h00 Monday (63 hours).

Example 26-1 displays BBU status information in an excerpt of the show healthinfo CLI command.

Example 26-1 RAID Battery Backup Unit show healthinfo Command Output 

[pnadmin]$ show healthinfo 

<snip>

BBU information : 

Relative state of charge : 93 %

Full charge capacity : 920 mAh

Remain capacity : 858 mAh


<snip>

Summary of steps required to replace the RAID BBU:

1. Remove the chassis cover.

2. Remove the large air baffle.

3. Remove the RAID BBU.

4. Install the replacement RAID BBU.

5. Replace the large air baffle.

6. Replace the chassis cover.

Procedure to Replace the Raid Battery Backup Unit

Remove the Cover

Step 1 Observe all safety and ESD precautions. See "Safety Information" section.

Step 2 Power down the appliance and unplug all the AC power cables.

Step 3 Remove the chassis cover. For instructions, see the "Removing the Chassis Cover" section.

Remove the Large Air Baffle

Step 4 Write down how the cables are routed over and under the air baffle (if any). You will need to re-route these cables.

Step 5 Pull up on the air baffle to remove it, as shown in Figure 9. You may need to remove or hold cables out of the way.

Figure 9 Removing the Large Air Baffle

Remove the RAID BBU

Step 6 Disconnect the cable from the rear of the RAID battery backup unit and the mid-plane board as shown in callout A of Figure 10.

Step 7 Slide the RAID battery backup unit forward and lift it up from the appliance, as shown in callout B of Figure 10.

Figure 10 Removing the RAID Battery Backup Unit

Install the Replacement RAID BBU

Step 8 Insert the RAID battery backup unit into the appliance and slide it back until it locks into place as shown in callout A of Figure 11.

Step 9 Attach the cable from the rear of the RAID battery backup unit to the mid-plane board as shown in callout B of Figure 11.

Figure 11 Installing the RAID Battery Backup Unit

Replace the Large Air Baffle

Step 10 Lower the baffle into the appliance and snap it into the appliance board standoff.

Make sure to route the cables beneath the air baffle as were recorded in Step 4.

Replace the chassis cover.

Step 11 Replace the chassis cover.

Step 12 Reconnect the AC power cables to the power supplies.

End of Procedure

Hard Drive Troubleshooting and Replacement

This section pertains only to the MARS 55, 110R, 110, 210, GC2R, and GC2 appliances and contains the following subsections:

Hard Drive Status LEDs

Partition Checking

Overview of RAID Subsystem

Hotswapping Hard Drives

Viewing RAID Array Status with the raidstatus CLI Command

Procedure to Hotswap a Hard Drive

Hotswap CLI Example

Replacing a Hard Drive in the Hard Drive Carrier

Note Hard drives are also termed HDDs throughout this section.

Cisco Security MARS HDDs are Cisco field replaceable units (FRUs). The following table provides the correct FRU part numbers for your MARS appliance.

MARS Model
Hard Drive Descriptions and Part Numbers

CS-MARS-55-K9

500 GB SATA-IO Hard Drive
Part number: CS-MARS-H500-HD=

CS-MARS-110R-K9
CS-MARS-110-K9

500 GB SATA-IO Hard Drive
Part number: CS-MARS-S500-HD=

CS-MARS-210-K9
CS-MARS-GC2R-K9
CS-MARS-GC2-K9

750 GB SATA-IO Hard Drive
Part number: CS-MARS-S750-HD=


Note Hard drives can consume up to 17 watts of power each. Drives are specified to run at a maximum ambient temperature of 45 °C.

Hard Drive Status LEDs

Each HDD has a status LED. A flickering green light indicates activity. The control panel has a status LED that flickers with any HDD activity.

Partition Checking

The appliance automatically runs checks on HDD partitions after the system has been re-booted 25-30 times, or if the appliance has not been re-booted in 180 days.

Overview of RAID Subsystem

This section pertains to the following MARS Appliances equipped with a Serial ATA RAID
controller card:

CS-MARS-55-K9

CS-MARS-110R-K9

CS-MARS-110-K9

CS-MARS-210-K9

CS-MARS-GC2R-K9

CS-MARS-GC2-K9

Except for the MARS 55, the MARS RAID controller cards operate the hard drives in a RAID 10 configuration, also called RAID 1+0 because it combines the data handling techniques of RAID 1 and RAID 0. The MARS 55 operates as RAID 1 only. For additional information on RAID concepts and terminology, access the following URL: http://en.wikipedia.org/wiki/RAID

RAID 0 Data Striping

In a MARS RAID 10 configuration, half the total number of drives are arrayed as a single logical drive, wherein a data block is distributed across all of the physical drives in the logical drive using RAID 0 striping techniques. Data striping results in better performance for a data intensive application such as MARS, because hard drive random access times are minimized when data is read and written simultaneously from more than one physical hard drive.

Note The MARS 55 does not do RAID 0 striping. It is RAID 1 only.

RAID 1 Mirroring and Subunits

Half the number of drives in the MARS RAID 10 array mirror the RAID 0 virtual drive. Each physical drive in the RAID 0 array is mirrored by an identical physical drive using RAID 1 techniques. Data written to one of the drives within the RAID 0 array is simultaneously written to its dedicated RAID 1 partner, thereby providing fault tolerance through data redundancy. The RAID 1 hard drive pairs are listed in Table 26-4. For the MARS 55, one drive mirrors the other in a simple RAID 1 configuration.

Rebuilding a Degraded Array

Either drive in a RAID 1 pair can serve in place of its partner should either drive become degraded (unavailable, physically inoperative, or data corrupted). A physical drive degraded but still physically operative can be rebuilt from the data of its undegraded partner and rejoin the array. An inoperative physical drive can be replaced with an operative one which is then rebuilt to join the array.

When any physical drive of the RAID 10 array is degraded, the entire array is considered degraded. While the array still functions, it is not working to its optimal throughput or redundancy capacity.

In a degraded RAID 10 array, data destined for a degraded physical drive is written to available space on the RAID 1 partner until the degraded drive can be rebuilt or replaced. Degraded drives are rebuilt in sequence, one rebuilding process must complete before the next process can begin. Between 200 and 300 minutes are required to rebuild a RAID 1 subunit.

Hotswapping Hard Drives

This section pertains only to the MARS 55, 110R, 110, 210, GC2R, and GC2 appliances.

An HDD can be hotswapped, that is, replaced without rebooting the MARS appliance. The hotswap actions can be summarized in the following five steps. The detailed procedure is in the section, Procedure to Hotswap a Hard Drive.

1. Establish a console connection to the MARS appliance.

2. Enter the raidstatus command to determine the status and the chassis HDD slot number of the HDD to hotswap.

3. Execute a hotswap remove disk command, then remove the HDD.

4. Execute a hotswap add disk command then insert the replacement HDD.

5. Enter the raidstatus command to monitor the progress of the replacement HDD as it is rebuilt.

Use the raidstatus CLI command to view the status of the RAID array (virtual disk) and of the individual HDDs. Table 26-2 lists the status conditions that require an HDD to be hotswapped. These status conditions cause MARS to send an email alert to the adminstrator.

Caution Always use the hotswap remove disk CLI command before you remove a hard drive and
hotswap add disk before you insert a hard drive. The disk argument is the hard drive slot number.
Use the hotswap list all command to view the slot number to Port and PD number map.

The rebuilding process duration is between 200 and 300 minutes, depending on CPU load.

Note To match original performance, hotswapped HDDs should be the same make, model and size as the original HDDs.

Caution The RAID 10 array will not function if both both HDDs of any RAID 1 pair are removed or corrupted.

Table 26-2 HDD Actions for MARS 55, 110R, 110, 210, GC2R, and GC2 

Hard Drive Status1
Possible Cause
Recommended Action

Failed

Unrecoverable error on previously operative HDD.

Hotswap with a new HDD.

Offline

The hotswap remove command was executed for this HDD.

Execute a hotswap add on the HDD if the HDD is known to be good.

Unconfigured Good

An online HDD was removed and inserted without executing a hotswap command sequence.

Execute a hotswap remove and hotswap add on the HDD.

Unconfigured Bad

An online HDD was removed or inserted without executing a hotswap sequence and the HDD has a media error.

Hotswap with a new HDD.

N/A

The HDD slot is empty.

Insert a new HDD with the hotswap add command.

1 For the MARS 55, only the Failed status and Recommend Action is applicable, the other error messages will not appear.


Failed Hard Drive Alert

MARS sends and email alert when the hard drive status changes from Online to Failed, Offline, Unconfigured Good, Unconfigured Bad, or N/A. Example 26-2 displays the contents of an e-mail alert sent to the administrator for a failed HDD. In the alert, the DISK number is the same as the chassis HDD slot or raidstatus PD number.

Example 26-2 MARS Hard Drive Replacement Alert 

From: csmars-system.SJ-LC-86@cisco.com [mailto:csmars-system.SJ-LC-86@cisco.com]

Sent: Tuesday, March 20, 2007 12:22 PM

To: Liu Bang (liubang)

Subject: Hard disk failure (host: SJ-LC-86, disk No.: 4)

Importance: High


Hard disk failure: RAID error

-------------------------

 HOST   :   SJ-LC-86

 DISK   :   4

 STATUS :   FAILED

 MODEL  :   ST3750640NS

 SIZE   :   750GBs


Hard disk 4 on adapter a0 has failed. As a result, the disk array on adapter a0 is running 
in degrade mode and is no longer fault tolerant. Please replace hard disk 4 as soon as 
possible. Instructions for doing so can be found in the user's manual.

Viewing RAID Array Status with the raidstatus CLI Command

This section pertains only to the MARS 55, 110R, 110, 210, GC2R, and GC2 appliances.

Example 26-3 displays the output of the raidstatus command executed on a Local Controller 55. Example 26-4 displays the output of the raidstatus command executed on a Local Controller 210. Table 26-3 describes the raidstatus command output fields.

Example 26-3 MARS raidstatus CLI Command Output for MARS 55 

[pnadmin]$ raidstatus

RAID Controller Information: 

-------------------------------------------------------

Product Name    : Intel Embedded Server RAID Technology

Driver Version  : 05.08y

Controller Type : SATA


Adapter  Raid Type  Status         Stripe    Size           

------------------------------------------------------

 a0      Raid 1     Optimal        64 KB     476772 MB      


Port Status       Size        Model            Serial #        Write Cache 

--------------------------------------------------------------------------

0    Online       476772 MB   HDS725050KLA360  KRVN67ZAHY8NXF  Enabled     

1    Online       476772 MB   HDS725050KLA360  KRVN37ZAJP565F  Enabled     


Rebuild Progress on Device at Enclosure 0, Slot 1 Completed 8%

In Example 26-4, HDDs p2 and p5 were hotswapped and are in the final stages of being rebuilt.

Example 26-4 MARS raidstatus CLI Command Output for MARS 110R, 110, 210, GC2R, and GC2 

[pnmars]# raidstatus

Adapter Information:

-------------------------------------------------------

Product Name     : Intel(R) RAID Controller SROMBSAS18E

Firmware Version :  1.02.00-0119

BIOS Version     : MT25

Adapter RaidType        Status     Stripe      Size             Cache

------------------------------------------------------------------------------------------

a0      Raid-10         Degraded   64kB        2097151MB        Enabled



PD      Status  Size & Block                    Model                            Serial#

-----------------------------------------------------------------------------------------

p0      Online  715404MB [0x575466f0 Sectors]   ATA     ST3750640NS     E        3QD09ZNT

p1      Online  715404MB [0x575466f0 Sectors]   ATA     ST3750640NS     E        3QD07ZYK

p2      Rebuild 715404MB [0x575466f0 Sectors]   ATA     ST3750640NS     E        3QD091BZ

p3      Online  715404MB [0x575466f0 Sectors]   ATA     ST3750640NS     E        3QD09E3A

p4      Online  715404MB [0x575466f0 Sectors]   ATA     ST3750640NS     E        3QD0A03B

p5      Rebuild 715404MB [0x575466f0 Sectors]   ATA     ST3750640NS     E        3QD0A04G


Rebuild Progress on Device at Enclosure 20, Slot 2 Completed 71% in 279 Minutes.

Rebuild Progress on Device at Enclosure 20, Slot 5 Completed 60% in 259 Minutes.

=======================================================================================

Table 26-3 raidstatus CLI command for MARS 55, 110R, 110, 210, GC2R, and GC2 

Output Field
Description

RAID Controller Information Fields

Product Name

RAID controller manufacturer and serial number

Firmware Version : 1.02.00-0119

Indicates version of the RAID controller firmware

RAID Array Information Fields ( The RAID 10 Virtual Drive Information)

Adapter

Identifier for the physical RAID controller.

RaidType

RAID Level of Array. MARS is always RAID 10.

Status

The current state of the RAID 10 virtual drive.

Optimal—All component HDDs are operating as configured.

Degraded—At least one of the component HDDs has failed or is offline. Troubleshooting is advised to prevent possible data loss.

Offline—The array is not available or is unusable.

Stripe

The MARS RAID 10 data stripe is always 64 KB.

Size

The available storage in megabytes of the
RAID array.

Cache (not displayed for the MARS 55)

The MARS RAID 10 array cache is
always enabled.

Individual Hard Drive Information Fields

PD or Port (MARS 55)

p0-p5. The physical hard drive numbers.
0 or 1 for the MARS 55

Status

Note Only Online, Failed, Rebuild, and Undefined are supported on the
MARS 55.

The current state of the physical HDD.

Online—The HDD is functioning normally within the RAID 10 array.

Rebuild—The HDD is being reimaged from its RAID 1 partner to restore full redundancy to a the virtual disk. The RAID 10 array efficiency is not yet optimal.

Failed—The HDD originally was Online, but now has an unrecoverable error. An email alert is sent to the administrator.

Offline—The HDD was removed by executing a hotswap remove command, but the HDD was not physically removed from the slot. An email alert is sent to the administrator.

Unconfigured Good—The HDD is usable, but the RAID information is out of sync with the RAID 1 partner. An email alert is sent to the administrator.

Unconfigured Bad— The firmware detected a media error on the hard drive. An online HDD was probably removed or inserted without executing a hotswap sequence and the HDD now has a media error. An alert is sent to
the administrator.

Undefined—(MARS 55 only) A new HDD has been added but is not RAID 1 formatted, may appear briefly before "Rebuild."

N/A—There is no HDD in the slot.
An email alert is sent to the administrator.

Size & Block (not displayed for MARS 55)

Size of the usable storage on the HDD

Model

The model number of the physical HDD

Serial#

The serial number of the physical HDD.

The string, "This drive is foreign" is appended to the serial number when an HDD formatted with metadata from a different RAID controller is introduced. The message is removed when the HDD is assimilated into the array.

Write Cache (MARS 55 only)

RAID 1 Write Cache is always enabled.

Progress Messages 

Rebuild Progress on Device at Enclosure 0, 
Slot 1 Completed 8%

(MARS 55) Indicates the slot number and percentage complete of the physical drive being rebuilt. 

Rebuild Progress on Device at Enclosure 
20, Slot 2 Completed 71% in 279 Minutes.

Indicates the status, elapsed rebuilding time, and slot number of each physical drive being rebuilt.


Hard Drive Slot Number Diagrams

Figure 26-12 shows the chassis HDD slot numbers of the MARS 55. Figure 26-13 shows the chassis HDD slot numbers of the MARS 110R, 110, 210, GC2R, and GC2. Table 26-4 shows how slot numbers correspond to PD and Port numbers used in the raidstatus CLI.

Note For Release 5.3.2 and more recent, the hotswap list all CLI command displays the physical slot number to PD and Port Number layout in ASCII art.

Figure 26-12 HDD Slot Numbers —MARS 55

Figure 26-13 HDD Slot Numbers—MARS 110R, 110, 210, GC2R, and GC2

Table 26-4 Mapping HDD Slot Number to raidstatus CLI Command PD number—
MARS 55, 110R, 110, 210, GC2R, and GC2

MARS Appliance
Storage Capacity1
Chassis HDD Slot to Port or PD Numbers2
RAID 1 Pairs

MARS 55

500GB RAID 1

2 X 500GB SATA-IO 3.0 Gbps HDD
7200 RPM, 16MB Buffer

Hot-Swappable
Front Accessible

Slot 0 is Port 0
Slot 1 is Port 1

Slot 0 and Slot 1

MARS 110R, 110

1.5TB RAID 10
6 X 500GB SATA-IO 3.0 Gbps HDD
7200 RPM, 16MB Buffer

Hot-swappable
Front accessible

Slot 0 is p0
Slot 1 is p1
Slot 2 is p2
Slot 3 is p3
Slot 4 is p4
Slot 5 is p5

Slot 0 and Slot 1

Slot 2 and Slot 3

Slot 4 and Slot 5

MARS 210, GC2R, GC2

2.0TB3 RAID 10
6 X 750GB SATA-IO 3.0 Gbps HDD
7200 RPM, 16MB Buffer

Hot-swappable
Front accessible

1 The stated storage capacity is the sum of the rated capacity of all the hard drives and does reflect bytes reserved for the RAID overhead on each drive.

2 As of Release 5.3.2, the hotswap list all command displays a map of physical slot locations with their Port and PD Numbers

3 Although there is a total of 4.5 TB storage, RAID 10 has a maximum size configuration of 2 TB Redundant, or 4 TB


Procedure to Hotswap a Hard Drive

This section pertains only to the MARS 55, 110R, 110, 210, GC2R, and GC2 appliances.

In the hotswap command, the disk parameter is the chassis slot number of the HDD, but the raidstatus command reports physical drive (PD) numbers or Port numbers (MARS 55). To determine the physical location of the slot in the chassis (chassis slot number), see Figure 26-12 or Figure 26-13 or use the hotswap list all command.

To hotswap an HDD, complete the following steps:

Step 1 Remove the front bezel. See the "Removing and Replacing the Front Bezel" section.

Step 2 Establish a console connection with MARS.

Step 3 Identify the slot number of the HDD to replace with the raidstatus command.

Step 4 Enter hotswap remove disk. (where disk is the slot number of the HDD)

A message informs you that it is safe to remove the HDD.

Note Make sure that you remove the correct physical HDD. If you remove the wrong one accidently then reinsert it, that HDD will register as Unconfigured Good (or Failed for MARS 55).

Step 5 Pull out the black lever of the hard drive carrier and slide the carrier from the chassis as shown in callout B of Figure 26-14.

Figure 26-14 Removing a Hard Drive from the MARS Appliance Chassis

The raidstatus command should now report the slot status as N/A (or Failed for MARS 55).

Step 6 At the CLI prompt, enter hotswap add disk . Be sure to use the same slot number as in Step 2.

Step 7 With the black lever in the fully open position, slide the replacement HDD and carrier into the chassis. The green latch at the front of the drive carrier must be to the right. Do not push on the black drive carrier lever until the lever begins to close by itself.

Step 8 When the black drive carrier lever begins to close by itself, push it closed to lock the drive assembly into place.

A console message informs you that the HDD (disk) is added successfully (to the logical array).

Step 9 Replace the front bezel. (See "Removing and Replacing the Front Bezel" section).

Step 10 From the CLI, enter raidstatus to verify that the HDD is being rebuilt into the RAID array.

The status message indicates the progress of the added HDD.

The rebuilding process can last from 200 to 300 minutes.

End of Procedure, Hotswapping Hard Drives.

Hotswap CLI Example

This section pertains only to the MARS 55, 110R, 110, 210, GC2R, and GC2 appliances.

The following CLI output example hotswaps an HDD in slot 1 of a MARS 55.

Example 26-5 Hotswap Procedure for MARS 55—CLI Output Example 

[pnadmin]$ version

5.3.2 (2688)


[pnadmin]$ hotswap list all 

Hardware RAID is found with 2 disks!

Disks available to be hotswapped: 

        |======================|======================|

        |        Port 0        |        Port 1        |

        |======================|======================|


[pnadmin]$ hotswap remove 1 


Broadcast message from root (console) (Fri Jan 18 08:45:08 2008):


Physical drive 'PORT # 1' status : Failed

Disk 1 can now be safely removed from the system.


[pnadmin]$ raidstatus

RAID Controller Information: 

-------------------------------------------------------

Product Name    : Intel Embedded Server RAID Technology

Driver Version  : 05.08y

Controller Type : SATA


Adapter  Raid Type  Status         Stripe    Size           

------------------------------------------------------

 a0      Raid 1     Degraded       64 KB     476772 MB      


Port Status       Size        Model            Serial #        Write Cache 

--------------------------------------------------------------------------

0    Online       476772 MB   HDS725050KLA360  KRVN0AZBH5R3LJ  Enabled     

1    Failed       476772 MB   HDS725050KLA360  KRVN0AZBH5R8RJ  Enabled 



[pnadmin]$ hotswap add 1

Disk 1 has been successfully added to RAID


[pnadmin]$ raidstatus

RAID Controller Information: 

-------------------------------------------------------

Product Name    : Intel Embedded Server RAID Technology

Driver Version  : 05.08y

Controller Type : SATA


Adapter  Raid Type  Status                Stripe    Size           

-------------------------------------------------------------

 a0      Raid 1     Degraded, Rebuilding  64 KB     476772 MB      


Port Status       Size        Model            Serial #        Write Cache 

--------------------------------------------------------------------------

0    Online       476772 MB   HDS725050KLA360  KRVN0AZBH5R3LJ  Enabled     

1    Rebuilding   476772 MB   HDS725050KLA360  KRVN0AZBH5R8RJ  Enabled     


Rebuild Progress on Device at Enclosure 0, Slot 1 Completed 0%

The following CLI output example hotswaps an HDD in slot 2 of a MARS 110.

Example 26-6 Hotswap Procedure for MARS 110R, 110, 210, GC2R, and GC2—CLI Output Example

In the following example, a hard drive is hotswapped in slot 5 of a MARS 210. The hard drive status is verified with the raidstatus command: 

[pnadmin]$ version

5.3.2 (2702)

[pnadmin]$ hotswap list all

Hardware RAID is found with 6 disks!

Disks available to be hotswapped: 

        |==============|==============|==============|

        |     PD 1     |     PD 3     |     PD 5     |

        |--------------|--------------|--------------|

        |     PD 0     |     PD 2     |     PD 4     |

        |==============|==============|==============|

[pnadmin]$ hotswap remove 5  

Adapter: 0: EnclId-14 SlotId-5 state changed to OffLine.

Disk 5 can now be safely removed from the system.


[pnadmin]$ raidstatus 

Adapter Information: 

-------------------------------------------------------

Product Name     : Intel(R) RAID Controller SROMBSAS18E

Firmware Version : 1.03.00-0211

BIOS Version     : MT30


Adapter RaidType        Status          Stripe  Size            Cache

---------------------------------------------------------------------------------

a0      Raid-10         Degraded        64kB    2097151MB       Enabled


PD      Status  Size & Block                    Model                     Serial#

----------------------------------------------------------------------------------

p0      Online  715404MB [0x575466f0 Sectors]   ATA     ST3750640NS E     3QD09EEZ

p1      Online  715404MB [0x575466f0 Sectors]   ATA     ST3750640NS E     3QD09CQT

p2      Online  715404MB [0x575466f0 Sectors]   ATA     ST3750640NS E     3QD094KY

p3      Online  715404MB [0x575466f0 Sectors]   ATA     ST3750640NS E     3QD08NZX

p4      Online  715404MB [0x575466f0 Sectors]   ATA     ST3750640NS E     3QD09EWP

p5      Offline 715404MB [0x575466f0 Sectors]   ATA     ST3750640NS E     3QD06AQ2


[pnadmin]$ hotswap add 5  

Started rebuild progress on device(Encl-14 Slot-5)

Disk 5 has been successfully added to RAID

[pnadmin]$ raidstatus

Adapter Information: 

-------------------------------------------------------

Product Name     : Intel(R) RAID Controller SROMBSAS18E

Firmware Version :  1.03.00-0211

BIOS Version     : MT30


Adapter RaidType        Status          Stripe  Size            Cache

---------------------------------------------------------------------------------

a0      Raid-10         Degraded        64kB    2097151MB       Enabled


PD      Status  Size & Block                    Model                     Serial#

----------------------------------------------------------------------------------

p0      Online  715404MB [0x575466f0 Sectors]   ATA     ST3750640NS E     3QD09EEZ

p1      Online  715404MB [0x575466f0 Sectors]   ATA     ST3750640NS E     3QD09CQT

p2      Online  715404MB [0x575466f0 Sectors]   ATA     ST3750640NS E     3QD094KY

p3      Online  715404MB [0x575466f0 Sectors]   ATA     ST3750640NS E     3QD08NZX

p4      Online  715404MB [0x575466f0 Sectors]   ATA     ST3750640NS E     3QD09EWP

p5      Rebuild 715404MB [0x575466f0 Sectors]   ATA     ST3750640NS E     3QD06AQ2


Rebuild Progress on Device at Enclosure 14, Slot 5 Completed 17% in 32 Minutes.

Replacing a Hard Drive in the Hard Drive Carrier

This section pertains only to the MARS 55, 110R, 110, 210, GC2R, and GC2 appliances.

To match original performance, HDDs should be the same make, model and size as the original hard drives.

Step 1 Remove the four screws that attach the hard drive or empty retention device to the drive carrier, as shown in callout A of Figure 26-15.

Two screws are at each side of the retention device or the hard drive. Store the plastic retention device for future use.

Figure 26-15 Removing Hard Drive or Retention Device from Drive Carrier (Retention Device Shown Here)

Step 2 Remove the hard drive from its wrapper and place it on an antistatic surface.

Step 3 With the hard drive circuit-side down, position the connector end of the drive so that it is facing the rear of the drive carrier, as shown in callout A of Figure 26-16.

Step 4 Align the holes in the drive to the holes in the drive carrier and attach it to the carrier with the screws that were attached to the plastic retention device, as shown in callout B of Figure 26-16.

Figure 26-16 Installing a Hard Drive into a Carrier

End of Procedure

Hot-swapping a Power Supply Unit

SR2500 (Driskill 2) 750 Watt Power Supply Module
Part number: CS-MARS-D750-PS =

This section pertains only to the MARS 110R, 110, 210, GC2R, and GC2 appliances.

Up to two power supply modules may be on a single AC line. The lower power supply (PS1) supplies most of the power requirements. The upper power supply (PS2) is the redundant power supply.

A power supply module can be replaced without powering down the system (hotswapped). Example 26-7 is an excerpt of the show healthinfo CLI command. The power supply unit should be evaluated for hotswapping if its status is "down."

Example 26-7 Power Supply Status in the show healthinfo CLI Command. 

[pnadmin]$ show healthinfo 

<SNIP>

Power Supply            Value   Status

----------------------------------------

PS1 AC Current  2.36 Amps       ok

PS2 AC Current  0.12 Amps       ok

PS1 +12V Current        21 Amps ok

PS2 +12V Current        0 Amps  ok

PS1 +12V Power  248 Watts       ok

PS2 +12V Power  0 Watts         ok

PS1 Status      0x01            ok

PS2 Status      0x09            ok

<SNIP>

To hotswap a power supply, do the following:

Step 1 Observe all safety and ESD precautions. See "Safety Information" section."

Step 2 Unplug the AC power cord of power supply to be replaced.

Step 3 Release the latch ( callout A) and remove the power supply by pulling on the handle (callout B) as shown in Figure 26-17.

Figure 26-17 Removing Power Supply Module from the MARS Appliance

Step 4 Insert the replacement power supply module into the power supply cage until it clicks into place.

Step 5 Connect the AC power cord to the replacement power supply.

End of Procedure

Installing the Inline Modem Filter

An inline filter for line impedance matching is shipped in the Accessory Kit. The following countries require the filter to be used with the MARS modem:

Australia, Austria, Belgium, China, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Korea, Luxembourg, Netherlands, Poland, Portugal, Spain, Sweden, and the UK.

Insert the male RJ-11 connector of the filter into the line-in socket of the MARS modem. Insert the local telephone cable into the RJ-11 socket of the filter.

The modem line-in socket is labeled with a socket icon, the external telephone socket is labeled with a telephone icon.

Diagnostic Beep Codes

Table 26-5 lists Power-on Self Test (POST) error beep codes. Prior to system Video initialization, BIOS uses these beep codes to signal error conditions. The beep code is followed by a user visible code on the POST Progress LEDs (not shown). Beep codes are sounded each time the problem is discovered, such as on each power-up attempt, but they are not sounded continuously. The beep code sequence is read left to right. For example, 4-7 represents four beeps followed by seven beeps.

Table 26-5 POST Error Beep Codes

Number of Beeps
Error Message
Description

1, 2, or 3

(3 for MARS 55)

Memory Error

Fatal memory error. Reseat the memory or replace the DIMMs with known good modules.

6

(Not applicable to MARS 25R, 25,
and 55)

BIOS Error

The system has detected a corrupted BIOS in the flash part, and is rolling back to the last good BIOS.

4-7 or 9-11
(Not applicable to MARS 25R, 25,
and 55)

System Error

Fatal error indicating a possible serious system problem.

8
(N/A for MARS 55)

Video Card Error

Replace or reseat the system video add-in card. If on-board video is being used, the server board may be faulty


Safety Information

These saftety instructions apply to all Cisco Security Monitoring, Analysis, and Response System models

To reduce the risk of bodily injury, electrical shock, fire, and equipment damage, read this section and observe all warnings and precautions before maintaining your Cisco Security MARS appliance.

Intended Application Uses

This product was evaluated as Information Technology Equipment (ITE), which may be installed in offices, schools, computer rooms, and similar commercial type locations. The suitability of this product for other product categories and environments (such as medical, industrial, residential, alarm systems, and test equipment), other than an ITE application, may require further evaluation.

Equipment Handling Practices

Reduce the risk of personal injury or equipment damage:

Conform to local occupational health and safety requirements when moving and lifting equipment.

Use mechanical assistance or other suitable assistance when moving and lifting equipment.

To reduce the weight for easier handling, remove any easily detachable components.

Power and Electrical Warnings

Caution The power button, indicated by the stand-by power marking, DOES NOT completely turn off the system AC power, 5V standby power is active whenever the system is plugged in.

Warning

This unit might have more than one power supply connection. All connections must be removed to de-energize the unit. Statement 1028


Caution Do not attempt to modify or use an AC power cord if it is not the exact type required. A separate AC cord is required for each system power supply.
Caution Some power supplies inCisco Security MARS appliances use Neutral Pole Fusing. To avoid risk of shock use caution when working with power supplies that use Neutral Pole Fusing.
Caution The power supply in this product contains no user-serviceable parts. Do not open the power supply. Hazardous voltage, current and energy levels are present inside the power supply. Return to manufacturer for servicing.
Caution When replacing a hot-plug power supply, unplug the power cord to the power supply being replaced before removing it from the server.
Caution To avoid risk of electric shock, turn off the server and disconnect the power cord, telecommunications systems, networks, and modems attached to the appliance before opening.

Power Cord Warnings

If an AC power cord was not provided with your product, purchase one that is approved for use in your country.

To avoid electrical shock or fire, check the power cords that will be used with the product as follows:

Do not attempt to modify or use the AC power cord(s) if they are not the exact type required to fit into the grounded electrical outlets

The power cord(s) must meet the following criteria:

The power cord must have an electrical rating that is greater than that of the electrical current rating marked on the product.

The power cord must have safety ground pin or contact that is suitable for the electrical outlet.

The power supply cord(s) is/are the main disconnect device to AC power. The socket outlet(s) must be near the equipment and readily accessible for disconnection.

The power supply cord(s) must be plugged into socket-outlet(s) that is /are provided with a suitable earth ground.

System Access Warnings

To avoid personal injury or property damage, the following safety instructions apply whenever accessing the inside of the product:

Turn off all peripheral devices connected to this product.

Turn off the system by pressing the power button to off.

Disconnect the AC power by unplugging all AC power cords from the system or wall outlet.

Disconnect all cables and telecommunication lines that are connected to the system.

Retain all screws or other fasteners when removing access cover(s). Upon completion of accessing inside the product, refasten access cover with original screws or fasteners.

Do not access the inside of the power supply. There are no serviceable parts in the power supply. Return to manufacturer for servicing.

Power down the appliance and disconnect all power cords before adding or replacing any non hot-plug component.

When replacing a hot-plug power supply, unplug the power cord to the power supply being replaced before removing the power supply from the appliance.

Caution If the appliance has been running, any installed processor(s) and heat sink(s) may be hot. Unless you are adding or removing a hot-plug component, allow the appliance to cool before opening the covers. To avoid the possibility of coming into contact with hot component(s) during a hot-plug installation, be careful when removing or installing the hot-plug component(s).
Caution To avoid injury do not contact moving fan blades. If your system is supplied with a guard over the fan, do not operate the appliance without the fan guard in place.

Rack Mount Warnings

The equipment rack must be anchored to an unmovable support to prevent it from tipping when a server or piece of equipment is extended from it. The equipment rack must be installed according to the rack manufacturer's instructions.

Install equipment in the rack from the bottom up, with the heaviest equipment at the bottom of the rack.

Extend only one piece of equipment from the rack at a time.

You are responsible for installing a main power disconnect for the entire rack unit. This main disconnect must be readily accessible, and it must be labeled as controlling power to the entire unit, not just to the appliance.

To avoid risk of potential electric shock, a proper safety ground must be implemented for the rack and each piece of equipment installed in it.

Electrostatic Discharge (ESD)

Caution ESD can damage disk drives, boards, and other parts. We recommend that you perform all procedures at an ESD workstation. If one is not available, provide some ESD protection by wearing an antistatic wrist strap attached to chassis ground -- any unpainted metal surface -- on your server when handling parts. Always handle boards carefully. They can be extremely sensitive to ESD. Hold boards only by their edges. After removing a board from its protective wrapper or from the server, place the board component side up on a grounded, static free surface. Use a conductive foam pad if available but not the board wrapper. Do not slide board over any surface.

Battery Replacement

Caution Do not attempt to recharge a battery. Do not attempt to disassemble, puncture, or otherwise damage a battery.

Warning

There is the danger of explosion if the battery is replaced incorrectly. Replace the battery only with the same or equivalent type recommended by the manufacturer. Dispose of used batteries according to the manufacturer's instructions. Statement 33


Cooling and Airflow

Carefully route cables as directed to minimize airflow blockage and cooling problems. For proper cooling and airflow, operate the system only with the chassis covers installed. Operating the system without the covers in place can damage system parts.

To install the covers:

Check first to make sure you have not left loose tools or parts inside the system.

Check that cables, add-in boards, and other components are properly installed.

Attach the covers to the chassis according to the product instructions.

Laser Peripherals or Devices

To avoid risk of radiation exposure and/or personal injury:

Do not open the enclosure of any laser peripheral or device

Laser peripherals or devices have are not user serviceable

Return to manufacturer for servicing