Document ID: 21501
Contents
Introduction
Prerequisites
Requirements
Components Used
Conventions
PIX Boot Sequence
Identify the Issue
PIX Hang
PIX Crash
PIX Crash and Boot Loop
Example System Messages
Normal PIX Operation
non-PIX-1GE-66 Message on the PIX
Only One NIC Used
Summary
Related Information
Introduction
This document helps troubleshoot potential hardware issues with the Cisco Secure PIX Firewall series. It can help to identify which component might be causing a hardware failure, based on the type of error that the PIX experiences. PIX does not support Online Insertion and Removal (OIR) and needs a minimum of two interfaces for normal operation.
Prerequisites
Requirements
Readers of this document should have knowledge of these topics:
- Identify the software version that runs on the PIX. Use the show version command to determine the software release on the PIX.
  Tip: Connect your PC to the console port of the PIX using a rolled cable, and apply the correct terminal emulator settings for console connections.
- Identify the PIX model.
  If you run software version 5.0(1) or later, you can find the model by using the show version command.
    pixfirewall(config)#show version
    Cisco PIX Firewall Version 6.2(1)
    ... <output deleted for brevity>...
    pixfirewall up 22 hours 15 mins
    Hardware: PIX-515, 32 MB RAM, CPU Pentium 200 MHz
  If you run a software version below 5.0(1), look at the physical unit to see what model it is. Hardware installation guides for the respective software versions contain screen shots of various PIX models.
- How long did the PIX work before you started to have trouble?
- What has changed (RAM upgrade, software upgrade, configuration) since the PIX last worked?
- It is also important to keep note of any changes made while you attempt to rectify the problem.
Components Used
The information in this document applies to all Cisco Secure PIX Firewall series that include the platforms listed here:
- 501
- 506/506E
- 510
- 520
- 515/515E
- 525
- 535
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Conventions
For more information on document conventions, refer to the Cisco Technical Tips Conventions.
PIX Boot Sequence
This section describes the steps that a PIX completes when it is powered on. Use it to verify that the basic PIX hardware components work correctly to ensure minimal operation.
For a PIX that functions normally, this sequence of events takes place when the PIX is powered on. Follow the steps in the order listed, using the suggested solutions listed in this document to help you resolve any issues.
- Console prompt is seen.
- ACT and/or Network LED on Network Interface Card(s) (NICs) is lit.
You can also verify these items:
- Does the disk drive work (for earlier PIX models with disk drives)?
- Does the drive light come on (for earlier PIX models with disk drives)?
- Is the problem observed with no or light traffic through the PIX?
Suggested Solution if Fan Does Not Start to Operate
- Check the power source and the power switch on the PIX.
- Try to change the power outlets.
- If you use an Uninterrupted Power Supply (UPS), verify whether or not the PIX works if it is not connected to a UPS.
- Try another device in the suspect outlet.
Suggested Solution if Console Messages Do Not Appear
- Is the console cable the correct one? To make sure it is the correct one, check whether or not the console cable and the PC serial port work on another device, such as a Cisco IOS® router. If another device is not available, compare the ends of the cable side by side. The cable should be rolled, with the wire colors exactly reversed. If necessary, also check whether or not the console port works with a different PC.
- Apply the correct terminal emulator settings for console connections.
- The memory in the PIX might not be seated properly. If this is the case, the fan functions but the PIX itself does not. Verify that the memory is seated properly.
- Check whether or not the PIX finds the Flash and RAM at this stage. See the sample output for PIX under normal operation.
If you still have issues after you check these items, you might have a faulty unit.
Suggested Solution if Power LED Is Not Lit
Check the power source. If the fan operates but the LED is not lit, it could be an LED issue.
Suggested Solution if ACT and/or Network LED on NIC Card(s) Is Not Lit
- Check whether or not the network cable is connected.
- Make sure a straight-through cable is used for a hub or switch connection. Otherwise, use a crossover cable.
- Try to change cables.
- Try to reseat/swap the NICs.
- If there are more than two NICs, does the PIX boot without problem when the third NIC is removed or if the NICs are swapped?
- If you still experience trouble, check for any Field Notices available for your NIC or PIX Firewall model.
Identify the Issue
When it is powered on, the PIX might experience one of these issues:
- PIX Hang—There is no output on the serial console, such as no PIX EXEC prompt or no response to input on the serial console.
- PIX Crash—The PIX experiences a reboot or reload while either doing a specific action or randomly.
- PIX Crash and Boot Loop—The PIX can be stuck in a continuous loop with an error message scrolling.
PIX Hang
If you suspect a PIX hang, check to see if any specific event, such as a high load, may have caused the hang. In such a case, a reload normally clears the problem.
If the PIX hangs frequently, capture the output of the show traffic command at regular intervals. Note that you need to issue a clear traffic command on the PIX prior to collecting these statistics. Submit this information to Cisco Technical Support by opening a TAC case (registered customers only).
PIX Crash
A PIX crash refers to a situation where the system has detected an unrecoverable error and has restarted itself. When the PIX reboots, it returns to a normal state. A normal state means that the PIX is functional, passes traffic, and that you are able to gain access to the PIX.
You can confirm whether a PIX rebooted by issuing the show version command and looking for the uptime. To check why the PIX rebooted, attach a PC to the console of the PIX Firewall. This enables capturing of the log messages (typically called tracebacks) the next time the PIX reboots. An example traceback is shown here:
Traceback:
0: 8010278c
1: 80094107
2: 8009beb6
3: 800a5389
4: 800a95fb
5: 8008f9c4
6: 8000279b
7: 00000000
<output deleted for brevity>
You can look for any known bugs for the specific PIX software release you run using the Bug Toolkit (registered customers only). Compare the traceback with that of the bug to see if they are the same. If a fix is available, upgrade the PIX to the software release in which the fix is present. If a bug fix is not available, or if you do not find anything related in the Bug Toolkit, open a TAC case (registered customers only) with the information you gathered as described earlier in this document. Capture the complete traceback before you open the case.
PIX Crash and Boot Loop
When a PIX experiences a continuous/boot loop, you cannot gain access to the PIX and error messages scroll until the unit is powered off. A continuous loop might be due to a hardware issue. The Example System Messages section of this document shows an example of a good boot and two examples of a bad boot due to hardware problems.
You can look for any known bugs for the specific PIX software release you are running using the Bug Toolkit (registered customers only). Compare the traceback with that of the bug to see if they are the same. If a fix is available, upgrade the PIX to the software release in which the fix is present. If a bug fix is not available, or if you do not find anything related in the Bug Toolkit, open a TAC case (registered customers only) with the information you gathered earlier in this document. Capture the complete traceback before you open the case.
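The traceback comparison described in the PIX Crash and PIX Crash and Boot Loop sections can be done mechanically on a saved console capture. This is an added example, not Cisco code: the function names are hypothetical, the capture reuses the frame values shown above, BUG_OTHER is a constructed reference, and treating two tracebacks as the same when every frame both sides list agrees is an assumption.

```python
import re

# One numbered frame, e.g. "3: 800a5389"
FRAME = re.compile(r"\b(\d{1,2}):\s*([0-9a-fA-F]{8})\b")

def parse_tracebacks(capture):
    """Return one tuple of frame addresses per 'Traceback:' block in a capture."""
    blocks = []
    for chunk in capture.split("Traceback:")[1:]:
        frames = []
        for idx, addr in FRAME.findall(chunk):
            if int(idx) != len(frames):  # frames are numbered 0, 1, 2, ...
                break
            frames.append(addr.lower())
        if frames:
            blocks.append(tuple(frames))
    return blocks

def compare(captured, reference):
    """Count leading frames that agree; either side may be truncated."""
    matching = 0
    for a, b in zip(captured, reference):
        if a != b:
            break
        matching += 1
    overlap = min(len(captured), len(reference))
    return {"matching": matching, "overlap": overlap,
            "same": overlap > 0 and matching == overlap}

# Constructed capture: the traceback from this document seen twice, once on a
# single line and once with one frame per line and cut short.
CAPTURE = """\
Traceback: 0: 8010278c 1: 80094107 2: 8009beb6 3: 800a5389 4: 800a95fb 5: 8008f9c4 6: 8000279b 7: 00000000
<output deleted for brevity>
Traceback:
0: 8010278c
1: 80094107
2: 8009beb6
<output deleted for brevity>
"""
# Constructed reference that diverges at frame 1 (not a real bug's traceback).
BUG_OTHER = "Traceback: 0: 8010278c 1: 80011111"

if __name__ == "__main__":
    full, partial = parse_tracebacks(CAPTURE)
    print(compare(full, partial))
    print(compare(full, parse_tracebacks(BUG_OTHER)[0]))
```

Frame addresses are only comparable between tracebacks taken on the same software release, which is why the text above ties the search to the release you run.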
Example System Messages
Normal PIX Operation
This is sample output from a PIX 515 booting under normal operation:
PhoenixPICOBIOS 4.0 Release 6.0
Copyright 1985-1998 Phoenix Technologies Ltd.
All Rights Reserved
Build Time: 04/27/99 17:08:34
Polaris BIOS Version 0.09
CPU = Pentium with MMX 200 MHz
640K System RAM Passed
31M Extended RAM Passed
0512K Cache SRAM Passed
System BIOS shadowed
PIX BIOS (4.0) #38: Tue Apr 27 12:45:23 PDT 1999
timhahn@irp-view5:/vws/dry/timhahn/trunk/loader
Platform PIX-515
Flash=i28F640J5 @ 0x300
Use BREAK or ESC to interrupt flash boot.
Reading 1528320 bytes of image from flash.
#####################################################
#
32MB RAM
Flash=i28F640J5 @ 0x300
BIOS Flash=AT29C257 @ 0xfffd8000
mcwa i82559 Ethernet at irq 11 MAC: 0050.54fe.ea30
mcwa i82559 Ethernet at irq 10 MAC: 0050.54fe.ea31
mcwa i82558 Ethernet at irq 7 MAC: 0090.2742.fbbe
-----------------------------------------------------------------------
|| ||
|| ||
|||| ||||
..:||||||:..:||||||:..
c i s c o S y s t e m s
Private Internet eXchange
-----------------------------------------------------------------------
Cisco PIX Firewall
Cisco PIX Firewall Version 6.2(1)
Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES: Enabled
Maximum Interfaces: 6
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited
****************************** Warning *******************************
Compliance with U.S. Export Laws and Regulations - Encryption.
This product performs encryption and is regulated for export
by the US Government.
This product is not authorized for use by persons located
outside the United States and Canada that do not have prior
approval from Cisco Systems, Inc. or the US Government.
This product may not be exported outside the US and Canada
either by physical or electronic means without PRIOR approval
of Cisco Systems, Inc. or the US Government.
Persons outside the US and Canada may not re-export, resell
or transfer this product by either physical or electronic means
without prior approval of Cisco Systems, Inc. or the US
Government.
******************************* Warning *******************************
Copyright (c) 1996-2002 by Cisco Systems, Inc.
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Cryptochecksum(unchanged): d32550f0 c52eaa1b 952dabc8 6e7b6ea3
199002: PIX startup completed. Beginning operation.
Type help or '?' for a list of available commands.
non-PIX-1GE-66 Message on the PIX
WARNING: A non-PIX-1GE-66 Gigabit Ethernet card was found in slot 0.
WARNING: This combination is not recommended and will reduce the overall
WARNING: performance of the system. Remove this card and replace it with
WARNING: a PIX-1GE-66 Gigabit Ethernet card for optimal performance.
Solution: This message can be seen if a 33 MHz Gigabit Ethernet card is used in a 66 MHz bus slot. It does not appear on a PIX 535 unit as shipped from Cisco but can appear if the slower card has been moved from a 33 MHz bus slot on the left to one of the four 66 MHz bus slots on the right. For performance reasons, only 66 MHz cards should be used in these 66 MHz bus slots.
Only One NIC Used
An internal error occurred. Specifically, a programming assertion was violated. Copy the error message exactly as it appears, and get the output of the show version command and the contents of the configuration file. Then call your technical support representative.
assertion "PifCount >= 2 && PifCount <= MAX_PIFS" failed: file "pixmain.c", line 219
An internal error occurred. Specifically, a programming assertion was violated. Copy the error message exactly as it appears, and get the output of the show version command and the contents of the configuration file. Then call your technical support representative.
Assertion"(unsigned)ifc < PifCount" failed: file "pixmain.c", line 547
Panic: pix/intf1 - Cannot open interface card 1 (en_3com/1)
0x807c14c8: 0x00000000
0x807c14c4: 0x00000001
0x807c14c0: 0x80069e1c
0x807c14bc: 0x00000000
<output deleted for brevity>
Solution: Use a minimum of two interfaces.
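A saved console capture can be checked against the boot milestones and error messages shown in this section. This is an added example, not Cisco code: the triage function and its result keys are hypothetical, and both captures are constructed from lines quoted in this document.

```python
import re
# Boot milestones, in order, and failure signatures from the output quoted in this document.
MILESTONES = [
    ("ram_test", r"System RAM Passed"),
    ("flash_found", r"^Flash=\S+ @ 0x[0-9a-fA-F]+"),
    ("image_read", r"Reading \d+ bytes of image from flash"),
    ("startup_completed", r"PIX startup completed"),
]
FAILURES = {
    "assertion": r'[Aa]ssertion\s*"([^"]+)" failed: file "([^"]+)", line (\d+)',
    "panic": r"^Panic: (.+)$",
    "slow_gige_slot": r"non-PIX-1GE-66 Gigabit Ethernet card was found in slot (\d+)",
}
NIC = re.compile(r"Ethernet at irq \d+\s+MAC: ((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})", re.I)

def triage(capture):
    """Summarise how far a captured boot got and which known errors it shows."""
    reached = [name for name, rx in MILESTONES if re.search(rx, capture, re.M)]
    missing = [name for name, _ in MILESTONES if name not in reached]
    hits = {name: re.findall(rx, capture, re.M) for name, rx in FAILURES.items()}
    return {
        "reached": reached,
        "stopped_before": missing[0] if missing else None,
        "nic_count": len(set(NIC.findall(capture))),  # the PIX needs at least two
        "failures": {name: found for name, found in hits.items() if found},
    }

# Constructed captures assembled from lines shown in this document.
GOOD_BOOT = """\
640K System RAM Passed
Flash=i28F640J5 @ 0x300
Reading 1528320 bytes of image from flash.
mcwa i82559 Ethernet at irq 11 MAC: 0050.54fe.ea30
mcwa i82559 Ethernet at irq 10 MAC: 0050.54fe.ea31
199002: PIX startup completed. Beginning operation.
"""
BAD_BOOT = """\
640K System RAM Passed
Flash=i28F640J5 @ 0x300
Reading 1528320 bytes of image from flash.
mcwa i82559 Ethernet at irq 11 MAC: 0050.54fe.ea30
assertion "PifCount >= 2 && PifCount <= MAX_PIFS" failed: file "pixmain.c", line 219
Panic: pix/intf1 - Cannot open interface card 1 (en_3com/1)
"""
if __name__ == "__main__":
    for label, text in (("good", GOOD_BOOT), ("bad", BAD_BOOT)):
        print(label, triage(text))
```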
Summary
If you have identified a component that needs to be replaced, contact your Cisco partner or reseller to request a replacement for the hardware component that causes the issue. If you have a support contract directly with Cisco, use the Cisco.com Case Open Tool to open a TAC case (registered customers only) and request a hardware replacement. Make sure you attach this information:
- Console captures that show the complete error messages or tracebacks.
- Console captures that show the troubleshooting steps taken and the boot sequence during each step.
- The hardware component that failed and the serial number for the chassis.
- Troubleshooting logs.
- Output from the show tech command.
If you have been unable to identify your hardware issue in this document, refer to PIX 500 Series Firewalls Field Notices to look at additional known hardware problems.
Related Information
- PIX Support Page
- Documentation for PIX Firewall
- PIX Command References
- Requests for Comments (RFCs)
- Technical Support - Cisco Systems
| Updated: Feb 02, 2006 | Document ID: 21501 |
