Field Notice: FN - 63861 - Cisco S380 and S680 Series Appliances Might Reboot or Lock Up - Software Upgrade Recommended

Available Languages

Updated:October 9, 2017
Document ID:FN63861

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Notice

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Revision History

Revision Publish Date Comments
1.0
18-Aug-14
Initial Release
10.0
09-Oct-17
Migration to new field notice system

Products Affected

Affected Product ID Comments
WSA-S380-K9

Defect Information

Defect ID Headline
CSCuo61072 Sx80's go network dead in an event where the interfaces flap
CSCuo58953 WSA watchdog reboot introduced in 7.7.0-725
CSCuj20621 WSAs are prone to lockup from trafmon interactions

Problem Description

Some software versions might cause the Cisco S380 and S680 Series appliances to reboot or lock up.

Background

These issues are responsible for the resets or lockups on the Cisco S380 and S680 Series appliances:

  • Cisco bug ID CSCuo58953: The Cisco Web Security Appliance (WSA) can experience a lockup, which causes the hardware watchdog to reset the appliance. This lockup can occur in the TCP stack when Synchronization (SYN)/Acknowledgement (ACK) retransmissions are required, which locks up the entire network stack and eventually the whole appliance.

  • Cisco bug ID CSCuj20621: The WSA can experience a lockup when Firewall (IPFW) rules are updated while trafmon is run. This lockup is caused by the order in which locking is performed during the update.

  • Cisco bug ID CSCuo61072: The WSA S380 and S680 Series network interfaces can hang if the network link is reset. This is occurs when the interface buffers become inaccessible during the transition, which results in a lockup.

Problem Symptom

In all of the three cases that are mentioned in the previous section, users are unable to access the Internet. The circumstances deteriorate quickly, which results in the inability for administrators to access the appliance, followed by a complete lockup on the appliance. In most instances, the hardware watchdog reboots the appliance. In the case where the network link resets, the appliance might require manual intervention.

All of the three issues are resolved in these AsyncOS for Web versions:

  • Version 7.7.0 build 753 (7.7.0-753)

  • Version 8.0.6 build 078 (8.0.6-078)

In order to verify the AsyncOS software version that your WSA runs via the CLI, enter the version command:

> version

...

Version: 7.7.0-725

Workaround/Solution

Upgrade your WSA to Version 7.7.0 build 753 or Version 8.0.6 build 078. Higher builds of Versions 7.7.0 and 8.0.6, or versions higher than Version 8.0.6, also fix the issues.

Complete these steps in order to upgrade your appliance from the Web Interface:

  1. Navigate to the System Administration > System Upgrade page and click Available Upgrades. The page refreshes with a list of available AsyncOS for Web upgrade versions.

  2. Click Begin Upgrade in order to start the upgrade process.

  3. Answer the questions as they appear.

  4. When the upgrade is complete, click Reboot Now in order to reboot the WSA.

In order to upgrade the WSA with the CLI, enter the upgrade command and answer the questions as they appear. This presents you with a list of the available versions. Select one of the versions with the new engine and reboot your appliance after the upgrade is complete.

Note: If you use a Content Security Management Appliance (SMA) in order to manage the WSA and the Cisco Email Security Appliance (ESA), the SMA must be upgraded to another version, dependent upon the versions that run on the WSA and the ESA. 

Use this table in order to determine the SMA version that you should run. Cross the row and column with the WSA and the ESA versions that you currently run in order find the SMA version to which you must upgrade. If you do not have an ESA, upgrade your SMA to any option that is listed in the column with your WSA version:

WSA 7.7.0-753WSA 8.0.6-078
ESA 8.0.1 or 8.0.2SMA 8.1.1-033SMA 8.3.6-028
ESA 8.5.xSMA 8.3.6-028SMA 8.3.6-028

If you have any questions, contact your local Cisco Support Team for assistance.

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Receive Email Notification For New Field Notices

Cisco Notification Service—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco