Updated May 3, 2002
October 18, 2001
Products Affected
|
Product |
Comments |
|---|---|
|
PIX-515 |
PIX 515 Firewall (including all bundles) |
|
PIX-515-DC |
PIX 515 DC Firewall (including all bundles) |
|
PIX-506 |
PIX 506 Firewall |
Serial Numbers
|
Sequential # |
|---|
|
44405200000 - 44405399999 44481200000 - 44481399999 |
Problem Description
Some PIX 515 systems will hang and become unresponsive, typically triggered by higher traffic throughput levels. PIX 506 systems may also be affected, however they are rarely used in environments where traffic throughput levels will reach the levels necessary to induce the hang.
This failure occurs regardless of the PIX OS version installed.
Background
A new component source was introduced to the 515 and 506 production in May 2001. The new component's timing was slightly different than that on previous units. This timing differential leads to instabilities in the system and creates the potential for a system hang.
On October 2, 2001 this timing error was corrected in production.
Problem Symptoms
When the PIX hangs, all interfaces stop passing traffic and the console port becomes unresponsive. No crash or stack trace is seen on the console port, and the system does not reboot on its own. The only way to return the unit to operation is by manually resetting the power.
If a stack trace is reported on the console port or if the system reboots on its own then this failure is not being experienced and further troubleshooting should be performed on the configuration and software.
Workaround/Solution
Workaround
The only potential workaround is to reduce the traffic throughput level to the point where the hang does not occur. Levels under 15 mbit/second may be sufficiently low, however this varies from unit to unit and it may be impossible to avoid the hang on some units. You may be able to reduce the traffic levels by hard coding all interfaces to 10BaseT, or via means external to the PIX.
Solution
The solution is to replace the failed hardware.
PIX 515 and 506 systems manufactured as of October 2nd, 2001 are free of this problem. A global purge of the service depot stock has been completed as of October 26th, 2001. All PIX systems replaced by the return materials authorization (RMA) process are free of this problem.
Customers who wish to replace one or more of their systems which are failing due to the problem described in this field notice should contact the Technical Assistance Center by following the instructions at the end if this notice and request a standard RMA.
DDTS
To follow the bug ID link below and see detailed bug information, you must be a registered user and you must be logged in.
|
DDTS |
Description |
|---|---|
|
PIX 515 hangs and does not respond to console access no traffic pass. |
How To Identify Hardware Levels
The presence of a version tracking label on the underside or backside of the PIX 515 chassis with version "800-05622-02 A0" or later indicates that this system contains the timing correction. This label is placed on newly manufactured systems as well as those reworked by Service to contain the timing correction, so this indication holds true even for systems with serial numbers in the affected range.
Note that some systems reworked by Service to contain the timing correction are labeled "800-05626-03 A0".
PIX 515 Version Tracking Label
The presence of a version tracking label on the underside of the PIX 506 chassis with version "800-06929-03 A0" or later indicates that this system contains the timing correction. This label is placed on newly manufactured systems as well as those reworked by Service to contain the timing correction, so this indication holds true even for systems with serial numbers in the affected range.
PIX 506 Version Tracking Label
Related Field Notices
|
Field Notice |
Problem Summary |
|---|---|
|
Some PIX 506 systems may power reset themselves and either reboot or freeze due to a poor internal power cable connection. |
|
|
Some PIX 515 systems are subject to crashing due to a Non Maskeable Interrupt exception error. The NMI is brought on by very specific network traffic conditions, and this failure has been seen in less than one percent of the systems produced prior to October 2, 2001. PIX 515 systems which have not yet experienced the symptoms described below will in all likelihood never experience this problem. |
|
|
Between 7/30/2001 and 8/9/2001 some PIX-1FE cards shipped from Cisco contained the i82550 Ethernet controller chip. This chip is not supported by the PIX operating system and these cards may not function properly when installed in PIX firewalls. |
|
|
Under moderate to heavy network load conditions (when traffic exceeds 20 to 30 mbit/second), the onboard ethernet0 interface of an affected PIX 515 may intermittently stop transmitting packets that it receives. As a side effect it is possible that the system memory will eventually be exhausted, which in turn may cause a crash or failover (depending on the configuration). After such a crash, the unit may occasionally hang during the subsequent automatic reboot. |
|
|
The power supply in an affected AC PIX-515 may short out if the unit is turned on its side during operation. |
PIX Firewall Serial Numbers
PIX 525 serial numbers as reported by the show version command have their first two characters truncated. For example, if the PIX chassis serial number is 44480521234 it will be reported by show version as 480521234. The first two characters cut off are always 44.
For More Information
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods: