Field Notice: FN - 72077 - FPR9300 and FPR4100 Series Security Appliances - Some Appliances Might Fail to Pass Traffic After 3.2 Years of Uptime - Power Cycle Required - Software Upgrade Recommended

Available Languages

Updated:December 16, 2022
Document ID:FN72077

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Notice

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Revision History

Revision Publish Date Comments
2.1
16-Dec-22
Updated the Workaround/Solution Section
2.0
16-Jun-21
Added the How to Identify Affected Products Section and Updated the Serial Number Validation Section
1.0
18-May-21
Initial Release

Products Affected

Affected Product ID Comments
FPR9K-SUP
FPR-C9300-AC
FPR-C9300-DC
FPR-C9300-HVDC
FPR-CH-9300-AC
FPR-CH-9300-DC
FPR-CH-9300-HVDC
FPR4110-ASA-K9
FPR4110-NGIPS-K9
FPR4110-NGFW-K9
FPR4110-AMP-K9
FPR4112-NGFW-K9
FPR4112-ASA-K9
FPR4112-NGIPS-K9
FPR4115-ASA-K9
FPR4115-NGFW-K9
FPR4115-NGIPS-K9
FPR4120-ASA-K9
FPR4120-NGFW-K9
FPR4120-NGIPS-K9
FPR4120-AMP-K9
FPR4125-NGIPS-K9
FPR4125-ASA-K9
FPR4125-NGFW-K9
FPR4140-ASA-K9
FPR4140-NGFW-K9
FPR4140-NGIPS-K9
FPR4140-AMP-K9
FPR4145-ASA-K9
FPR4145-NGFW-K9
FPR4145-NGIPS-K9
FPR4150-AMP-K9
FPR4150-NGIPS-K9
FPR4150-ASA-K9
FPR4150-NGFW-K9
FPR-4110-K9
FPR-4112-K9
FPR-4115-K9
FPR-4120-K9
FPR-4125-K9
FPR-4140-K9
FPR-4145-K9
FPR-4150-K9

Defect Information

Defect ID Headline
CSCvx99172 M500IT Model Solid State Drives on 4100/9300 may go unresponsive after 3.2 Years in service

Problem Description

Due to a flaw in solid-state drive (SSD) firmware, the SSD that is internal to the FPR9300 Supervisor module and FPR4100 Series security appliances will no longer respond after approximately 3.2 years of cumulative operation. After the first unresponsive event occurs, every subsequent power-cycle allows the SSD to operate for approximately six weeks of cumulative operation before the SSD will no longer respond again.

Background

After 28,224 hours (approximately 3.2 years) of accumulated Power On Hours (POH), a memory buffer overrun condition occurs which triggers the firmware event in the SSD. This event causes the drive to become unresponsive until it is power-cycled. No data loss will occur when the memory buffer overrun firmware event occurs. A power-cycle of the FPR9300 Supervisor module and FPR4100 Series security appliances restores normal operation of the drive. The drive continues to operate normally for 1008 additional accumulated POH (six weeks), at which time the drive becomes unresponsive again. Power-cycling the FPR9300 Supervisor module and FPR4100 Series security appliance again will re-initiate the 1008-hour window.

Note: This issue affects an internal SSD component that is not field-replaceable and does not appear in show inventory commands. The field-replaceable SSDs are not affected by this issue.

Problem Symptom

The FPR9300 and FPR4100 Series security appliances no longer pass network traffic. Users with valid credentials might not be able to log in to the management console.

Workaround/Solution

Workaround

A power-cycle of the FPR9300 Supervisor module or FPR4100 Series security appliance is required in order to temporarily recover from this issue. However, this failure will reappear after 1008 hours of operation.

Note: Proactive reloads before the 28,224 hour or 1008 hour marks will not reset the timer that triggers this issue. The issue is related to cumulative, not consecutive, hours of operation (total power on time) for affected SSDs.

Solution

In order to prevent occurrence of this issue and disruption to the network and operations, Cisco recommends to proactively upgrade the SSD firmware before the accumulated uptime reaches 28,224 hours.

Refer to the Serial Number Validation section to determine if your security appliance is affected. Use the FPR9300 supervisor module serial number or the FPR4100 series chassis serial number for validation.

If the system is already impacted, the SSD firmware upgrade will permanently resolve this defect.

A product return and replacement (RMA) is not recommended because the firmware upgrade process will resolve the issue.

A service contract is not required to download the referenced software images.

Note: Both Step 1 and Step 2 must be performed in this sequence to complete the SSD firmware update.

 

Step 1: Upgrade the FXOS chassis software to one of the following versions. This software is available from the Cisco Software Download Center:

  • FXOS 2.2.2.148 or later
  • FXOS 2.3.1.215 or later
  • FXOS 2.4.1.273 or later
  • FXOS 2.6.1.229 or later
  • FXOS 2.7.1.143 or later
  • FXOS 2.8.1.152 or later
  • FXOS 2.9.1.143 or later
  • FXOS 2.10 or later

See the Cisco Firepower 4100/9300 Upgrade Guide for instructions on how to upgrade the FXOS software.

 

Step 2: After upgrading the FXOS software, apply the Firepower 4100/9300 Firmware Upgrade Package version 1.0.19 or later to update the SSD firmware revision.

After Firmware Upgrade Package 1.0.19 or later has completed installation, you can enter the following commands to view the SSD firmware revision.

firepower-chassis /firmware/firmware-install # top

firepower-chassis# scope chassis 1

firepower-chassis /chassis # show sup version

SUP FIRMWARE:

    ROMMON:

        Running-Vers: 1.0.15

        Package-Vers: 1.0.19

        Activate-Status: Ready

    FPGA:

        Running-Vers: 2.00

        Package-Vers: 1.0.19

        Activate-Status: Ready

    SSD:

        Running-Vers: MU03

        Model: Micron_M500IT_MTFDDAT128MBD

 

If the SSD Model is Micron_M500IT_* and the Running-Vers is MU03 or later, then the SSD firmware update was successful. Other SSD Models are not affected by the issue.

Note: Reimaging the security appliance will not downgrade the SSD firmware revision after it has been updated.

How To Identify Affected Products

FPR9300 and FPR4100 - Obtain the Chassis Serial Number for Validation

In order to determine whether your product might be affected by this issue, validate the chassis serial number of the security appliance.

For units that have already failed due to this issue, a visual inspection of the security appliance or review of the Sales Order documentation is required.

The chassis serial number can be obtained from the CLI or through visual inspection of the security appliance.

CLI

firepower# scope chassis
firepower /chassis # show inventory

Chassis    PID             Vendor            Serial (SN) HW Revision
---------- --------------- ----------------- ----------- -----------

         1 FPR-4110-K9     Cisco Systems Inc JMX1234ABCD 0

 

FPR9300 - Obtain the Supervisor Module Serial Number for Validation

For customers with FPR9300 platforms, the Supervisor module serial number must also be validated.

The Supervisor module serial number can be obtained from the CLI.

CLI

firepower# scope chassis
firepower /chassis # show inventory expand
Chassis 1:
    Servers:
        Server 1/1:
            Equipped Product Name: Cisco Firepower 9000 Series Security Module
 
*** Output continues ***
       
Fabric Card 1:
    Description: Firepower 9300 Supervisor
    Number of Ports: 8
    State: Online
    Vendor: Cisco Systems, Inc.
    Model: FPR9K-SUP
    HW Revision: 0
    Serial (SN): JAD1234ABCD
    Perf: N/A
    Power State: Online
    Presence: Equipped
    Thermal Status: N/A
    Voltage Status: N/A
 
*** Output continues ***
 
firepower /chassis #

For additional information, refer to the Cisco Firepower 4100/9300 FXOS Command Reference.

Visual Inspection

The chassis serial number for the Firepower 4100 Series appliance is located on the bottom surface of the chassis.

The chassis serial number for the Firepower 9300 appliance is located on the pullout asset card on the front panel, on the side of the chassis and on the top of the Supervisor module.

Refer to the Serial Number Validation section in order to verify your FPR9300 and FPR4100 Series serial number(s).

Serial Number Validation

Cisco provides a tool to verify whether a device is impacted by this issue. In order to check the device, enter the device's serial number in the Serial Number Validation Tool.

Note: For security reasons, you must click on the Serial Number Validation Tool link provided in this section to check the serial number for the device. Use of the Serial Number Validation Tool URL external to this field notice will fail.

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Receive Email Notification For New Field Notices

My Notifications—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products