slotz

asked on

PIX 515 dropping connection

I have a PIX 515 doing security and site to site VPN. I have three locations using 506's to connect. Periodically the PIX 515 will drop connection and I have to cycle the power to get the connection back. Once I do that the other sites are ok.

Should I add more memory or something??? I guess I'm not sure where to start troubleshooting.

Thanks for any Help.

slotz
Les Moore

Check your serial number. There was a whole batch of PIXs that were recalled:

http://www.cisco.com/warp/customer/770/fn9871.shtml

slotz

ASKER

Is there a web site I can check this on??
slotz

ASKER

Sorry, I missed your link. Sorry for the duplicates too.

slotz
slotz

ASKER

I can't seem to get into the secure web site to check.

Can I give you the serial number to check for me?

slotz
Sure..

If you have a unit with a serial number in the affected range which is experiencing the symptoms outlined in this Field Notice, contact the Technical Assistance Center (TAC) to request a return materials authorization (RMA) to replace the unit.


Only units manufactured in 1999 and early 2000 are affected. They may be identified by their serial numbers:

PIX 515 Serial Number Ranges

Year Manufactured   Serial Numbers                    Affected?
1999                44403010000 through 44403529999   Yes
2000 (early)        44404010000 through 44404169999   Yes
2000 (early)        44480010000 through 44480169999   Yes
2000 (later)        44404170000 through 44404529999   No
2000 (later)        44480170000 through 44480529999   No
2001                444050000 and later               No
2001                444810000 and later               No

PIX 515 units dispatched from service depots after September 2000 will not exhibit this fault, even if their serial number falls within the affected range.  

PIX Firewall Serial Numbers
PIX 525 serial numbers as reported by the show version command have their first two characters truncated. For example, if the PIX chassis serial number is 44480521234 it will be reported by show version as 480521234. The first two characters cut off are always 44.

If your serial number matches, contact tac@cisco.com
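The check described in the field notice above (range lookup plus the "first two characters are truncated in show version" rule) is easy to get wrong by hand, so here is an added example, not Cisco's tool and not part of the original thread, that does it. It assumes the serial ranges exactly as quoted on this page; the depot-dispatch caveat (units shipped from a service depot after September 2000 are fine even if in range) cannot be decided from the serial alone and is only noted.

```python
"""Classify a PIX 515 serial against the recall ranges quoted in the field notice.

Added example. Ranges are copied verbatim from the notice text above; the
"show version" truncation rule (first two characters, always "44", dropped)
is applied so either the chassis label or the CLI value can be entered.
Caveat: units dispatched from service depots after September 2000 do not
exhibit the fault even if in range, and no serial check can tell you that.
"""

# Inclusive ranges, as listed in the field notice (year band, low, high).
AFFECTED_RANGES = [
    ("1999", 44403010000, 44403529999),
    ("2000 (early)", 44404010000, 44404169999),
    ("2000 (early)", 44480010000, 44480169999),
]
UNAFFECTED_RANGES = [
    ("2000 (later)", 44404170000, 44404529999),
    ("2000 (later)", 44480170000, 44480529999),
]


def normalize_serial(serial: str) -> str:
    """Return the full 11-digit chassis serial number.

    `show version` reports the serial with its first two characters cut off
    (the notice says those are always "44"), so a 9-digit value from the CLI
    is re-prefixed. Anything that is not 9 or 11 digits is rejected.
    """
    s = serial.strip().replace("-", "").replace(" ", "")
    if not s.isdigit():
        raise ValueError(f"serial must be numeric: {serial!r}")
    if len(s) == 9:
        return "44" + s
    if len(s) == 11:
        return s
    raise ValueError(f"unexpected serial length {len(s)}: {serial!r}")


def classify_serial(serial: str) -> dict:
    """Return {'serial', 'affected', 'band'} for a label or show-version serial.

    'band' is the year band from the notice that matched, or None when the
    serial falls outside every listed range; the notice says only 1999 and
    early-2000 units are affected, so such serials are treated as not affected.
    """
    full = normalize_serial(serial)
    n = int(full)
    for band, lo, hi in AFFECTED_RANGES:
        if lo <= n <= hi:
            return {"serial": full, "affected": True, "band": band}
    for band, lo, hi in UNAFFECTED_RANGES:
        if lo <= n <= hi:
            return {"serial": full, "affected": False, "band": band}
    return {"serial": full, "affected": False, "band": None}


if __name__ == "__main__":
    # The notice's own worked example (480521234 as shown by `show version`)
    # and a made-up in-range serial.
    for s in ("480521234", "44403010000", "44405000000"):
        r = classify_serial(s)
        verdict = "AFFECTED - contact TAC for an RMA" if r["affected"] else "not affected"
        print(f"{s:>12} -> {r['serial']} {verdict} (band: {r['band']})")
```

Feed it the value from the chassis label or from `show version`; a 9-digit CLI value is expanded before the comparison, which is the step people skip when they compare the CLI output against the 11-digit table directly.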
slotz

ASKER

No go on the serial no.; mine was in the 44405 range in 2001.

Thank you very much for that info though.


Any other thoughts??

slotz
What version OS on the PIX??
slotz

ASKER

version 5.2(5)

32mb Ram
Flash i28f640j5 0x300, 16mb
BIOS flash AT29C257 @ 0xfffd8000, 32kb
Look at the label on its bottom. "800-05622-02 A0" or greater should be OK.

lrmoore, any idea on whether https://www.experts-exchange.com/questions/20305792/Wierd-IP-Problem.html is a PIX or win2k problem?
It's possible in tduplantis' case that the switch between the PIX and the server may have an arp cache issue or limit, but if it is just this one particular IP address every time, you may have hit on something with the subnet mask...
Slotz,

Does just the VPN traffic stop, or does all traffic stop?
How much other traffic is coming through besides the VPN's? Is your restricted license enough?

Have you setup the tunnels as in this document?
http://www.cisco.com/warp/public/110/38.html

Check the arp timeout. You might want to increase the timeout value.

Also, I would upgrade the OS version. There are at least 239 known bugs in that version. I like 6.2 myself...

There is another recall of on-board FE cards:
http://www.cisco.com/warp/public/770/fn15028.shtml
If you can't get to this link either:
Products Affected
Product Comments
PIX-1FE   One 10/100 Mbps Ethernet Interface, RJ45 (option)  
PIX-1FE=   One 10/100 Mbps Ethernet Interface, RJ45 (spare)  

Problem Description
Between July 30, 2001, and August 9, 2001, some PIX-1FE cards shipped from Cisco contained the i82550 Ethernet controller chip. This chip is not supported by the PIX operating system and these cards may not function properly when installed in PIX firewalls.

Background
The vendor supplying Cisco with Ethernet interface cards substituted a different model without notifying Cisco in advance. The i82550 Ethernet controller chip is very similar in function to the supported chips and initially passed production tests. Since this substitution has been discovered and corrected, Cisco has modified its testing to verify the Ethernet controller type.

Problem Symptoms
When an unsupported interface card is installed in a PIX firewall, the following symptoms may occur:

The incorrect interface card may not be recognized in ROM monitor mode and may fail to TFTP PIX or PDM images. The system may stop responding or "hang" when a TFTP transfer is initiated.

The incorrect interface card may cause the system to hang or reboot during the boot process.

The incorrect interface card may cause some systems (in particular the PIX 525) to hang or reboot during the execution of a show interface command.

In all situations where the Ethernet interface controller type is reported (ROM monitor mode, show interface, etc.), the i82550 controller is reported as hardware type i82557. Note that in the past i82557 interface cards were shipped as PIX-1FE units. Refer to the "How To Identify Hardware Levels" section below for more details.
In addition, newer PIX OS releases including 6.1(1) and future maintenance releases of older release trains (6.0, 5.3, etc.) will disable the card with a message like the following at boot time:

      Cisco Secure PIX Firewall BIOS (4.0) #0: Thu Mar 2 22:59:20 PST 2000
      Platform PIX-515
      Flash=i28F640J5 @ 0x300
     
      Use BREAK or ESC to interrupt flash boot.
      Use SPACE to begin flash boot immediately.
      Reading 2466304 bytes of image from flash.
      32MB RAM
      Ignoring PCI card in slot:2 (vendor:0x8086 deviceid:0x1229 revisionid:0xc)
      Flash=i28F640J5 @ 0x300
      BIOS Flash=AT29C257 @ 0xfffd8000

Workaround/Solution
The solution is to replace the incorrect PIX-1FE interface card with the correct card. Customers who wish to replace one or more of their cards should contact the Technical Assistance Center (TAC) and request a return materials authorization (RMA) for the affected cards.

How To Identify Hardware Levels
To identify the card from the command line, issue the show interface command. This command shows the hardware type of every installed interface card. The cards with the incorrect i82550 controller are reported as i82557 hardware types. The i82557 controller, except the 535 model, is supported by the PIX but Cisco has not shipped it for two years. Therefore, it is most likely that recently received PIX-1FE cards reported as type i82557 are the unsupported i82550 model.

 Caution: Some PIX models (notably the 525) containing the i82550-based card may stop responding when the show interface command is executed. If the units are in production, it's recommended that you issue this command during off hours.

pixfirewall# show interface
interface ethernet0 "outside" is administratively down, line protocol is down
Hardware is i82557 ethernet, address is 0005.3290.024e
IP address 127.0.0.1, subnet mask 255.255.255.255
...

The printing on the Ethernet controller chips may positively identify the cards. The Ethernet controller type (8255x) is all that matters; the other text, including the location (Philippines versus Korea, year, and so on), is inconsequential.

Ethernet Controller       i82557              i82558     i82559     i82550
Supported                 Yes (except 535)    Yes        Yes        No
Sample Printing on Chip   S82557              SB82558B   GD82559    82550EY

Physical Replacement of Parts
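The "How To Identify Hardware Levels" section above boils down to two text checks: which interfaces `show interface` reports as `i82557` (the type the unsupported i82550 also reports as), and whether a newer PIX OS printed an "Ignoring PCI card in slot:N" line at boot. This added example (not Cisco's code, not from the original post) parses saved copies of both. The sample output is constructed in the shape of the excerpts quoted on this page; the interface names, addresses and controller mix are made up. Parsing a saved capture also sidesteps the caution in the notice that `show interface` itself can hang a PIX 525 fitted with the bad card.

```python
"""Flag suspect PIX-1FE cards from saved `show interface` and boot output.

Added example. Both inputs are constructed to match the format quoted in
the field notice above; nothing here comes from a real device.
"""
import re

# Constructed sample `show interface` output (indented detail lines, as the
# PIX prints them; the notice's excerpt shows the same fields).
SAMPLE_SHOW_INTERFACE = """\
interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 0005.3290.024e
  IP address 192.0.2.1, subnet mask 255.255.255.0
interface ethernet1 "inside" is up, line protocol is up
  Hardware is i82557 ethernet, address is 0005.3290.024f
  IP address 10.0.0.1, subnet mask 255.255.255.0
interface ethernet2 "dmz" is administratively down, line protocol is down
  Hardware is i82558 ethernet, address is 0005.3290.0250
  IP address 127.0.0.1, subnet mask 255.255.255.255
"""

# Constructed boot-banner excerpt in the shape shown in the notice.
SAMPLE_BOOT_LOG = """\
Reading 2466304 bytes of image from flash.
32MB RAM
Ignoring PCI card in slot:2 (vendor:0x8086 deviceid:0x1229 revisionid:0xc)
Flash=i28F640J5 @ 0x300
"""

INTERFACE_RE = re.compile(
    r'^interface (?P<name>\S+) "(?P<label>[^"]*)" is (?P<state>.+?), '
    r'line protocol is (?P<proto>\S+)\s*$')
HARDWARE_RE = re.compile(
    r'^\s*Hardware is (?P<hw>i8255\d) ethernet, address is (?P<mac>\S+)')
IGNORED_RE = re.compile(
    r'^Ignoring PCI card in slot:(?P<slot>\d+) '
    r'\(vendor:(?P<vendor>0x[0-9a-fA-F]+) deviceid:(?P<device>0x[0-9a-fA-F]+) '
    r'revisionid:(?P<rev>0x[0-9a-fA-F]+)\)')


def parse_show_interface(text):
    """Return one dict per interface: name, label, state, proto, hardware, mac."""
    interfaces = []
    current = None
    for line in text.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            current = m.groupdict()
            current["hardware"] = None
            current["mac"] = None
            interfaces.append(current)
            continue
        m = HARDWARE_RE.match(line)
        if m and current is not None:
            current["hardware"] = m.group("hw")
            current["mac"] = m.group("mac")
    return interfaces


def suspect_interfaces(text):
    """Interfaces reported as i82557: the only type that needs a look at the chip printing."""
    return [i for i in parse_show_interface(text) if i["hardware"] == "i82557"]


def parse_ignored_pci_cards(boot_log):
    """Cards a newer PIX OS disabled at boot ("Ignoring PCI card in slot:N ...")."""
    found = []
    for line in boot_log.splitlines():
        m = IGNORED_RE.match(line.strip())
        if m:
            card = m.groupdict()
            card["slot"] = int(card["slot"])
            found.append(card)
    return found


if __name__ == "__main__":
    for i in suspect_interfaces(SAMPLE_SHOW_INTERFACE):
        print(f"{i['name']} ({i['label']}): hardware {i['hardware']}, "
              f"mac {i['mac']} - check the chip printing (S82557 ok, 82550EY bad)")
    for c in parse_ignored_pci_cards(SAMPLE_BOOT_LOG):
        print(f"slot {c['slot']}: {c['vendor']}/{c['device']} rev {c['rev']} ignored at boot")
```

An `i82557` hit is not proof of the bad card, only a candidate: as the notice says, the supported i82557 and the unsupported i82550 both report as i82557, so the final answer comes from the printing on the chip.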


ASKER CERTIFIED SOLUTION
Les Moore

This solution is only available to members.
When you say that your connection is dropped, exactly what do you mean by connection?  Does this affect all traffic going through the PIX, or does it only affect your VPN connections?
slotz

ASKER

Hey guys,

Every PIX I own is going to be replaced by the recall. I'll give lrmoore the points since he's the one that gave me the recall stuff. I'll see what happens after I get them.

Thanks to all

slotz