HELP!! my PIX 515's keep locking-up

mike-greene
Level 4

Here at our company we sell a lot of LAN-to-LAN VPN solutions using 506, 515R and 515UR hardware. In the past everything has worked very well and our clients have been extremely pleased with the results. But the last four 515's (3 515R's, 515UR) are having a lot of problems just passing packets. It seems they can run from 10 minutes to 4 days but still the firewalls seem to seize. And when I say seize I mean you can't even console to them. All the devices are running 6.0.1, usually with a VPN Accelerator card in them. But even just running the chassis alone with no card additions, the systems still freeze and need to be rebooted. I do have a case open with three of the 515's and we are going to RMA those devices. These three units came from the same vendor and pretty much left the assembly line one after another. This leads me to believe that maybe it was just a bad batch and Cisco is working to correct the problem and get these units back before they made it to customer sites. This morning though, I had yet another 515 fail at our office that I have been testing for the past few days. This PIX came from a different vendor and was bought about 45 days ago. Has anyone else seen these problems with PIX 515's? Here at our company we preach and preach and preach that Cisco firewall and VPN solutions are the best in the business. It's hard to sell and have confidence in that solution if the 515's that you are putting into place will not run for more than 30 minutes usually.

Thank you, any comments would be great.

23 Replies

mikgriff
Level 1

It would not surprise me that you are seeing high CPU utilization due to the Code Red virus.

wvaux
Level 1

He took the words right out of my mouth. Sounds very much like the Code Red virus or the newer Nimda virus. I had one 515 lock up completely because of the virus. Also check and see if your NAT addresses are in the config before your PAT addresses; that was part of the problem we had, including the virus problems.

dhcantwell
Level 1

I also have two 515UR's configured for failover that are locking-up. The primary unit will lock-up after only about 30 minutes of run time and the Secondary will run for a week or more before it locks up. The primary unit will even lock-up while it is in standby mode. I am at a total loss and have found no evidence of any virus on our network.

thompson
Level 1

I have identical issues and have received a new 515. However, the problem still exists.

mperme
Level 1

Did you fix Eth0, Eth1.. from auto to 10/100Mb, Half/Full duplex?

Regards,

Matjaz

wraights
Level 1

I have had EXACTLY the same problem. With TWO different 515's in a span of about 5 months. I had cases open about it all and we were never able to resolve anything because the log files would show nothing and you could not even console into it. Glad to hear someone else is having that problem.

bmiller
Level 1

At my company, we have had at least 3 customers with similar problems locking up 515's. These were all failover configs, and the problem only started after we upgraded to 6.0(1). Believe it or not, the problem went away after we connected all unused Ethernet ports with crossover cables and assigned them IP addresses. We found an obscure reference to the fact that failover won't work correctly unless all interfaces are connected. Putting the ports in shutdown isn't the thing to do. We did this for all 3 of our customers having this problem, and so far, the problem hasn't resurfaced.

Yup. Same problem here. Cisco stated that it is a known issue and replaced the 515 with a 520 last week. No lockups since.

I would suggest contacting TAC and asking for the case to be made level 2.

Good luck

Hi

I too have the same problem with 515 and version 6.1(1). Why did Cisco replace the 515 with a 520 - is the problem not fixed in any 515?

br

Lars

Cisco has reported that the 515's will lock under heavy load if the ethernet ports are set at 15mb or higher. It is a hardware flaw and Cisco is replacing the units for free. If you have yours set to 100mb and you are experiencing this, try setting your ports to 10mb. If it still happens, then it could be something else. If not, send in your PIX for a replacement.

thompson
Level 1

I just received a replacement for the replacement with a manufacturing date of last year. Apparently there is a bad batch of PIX 515's.

mperme
Level 1

You can find this info in TAC Newsletter:

http://www.cisco.com/warp/customer/770/fn9871.shtml.

Regards,

Matjaz

I read through that document. It isn't that issue because the PIX doesn't reset and communication stops on all interfaces and @ console. The fix is to upgrade the IOS to version 5.1.x but the system hang I have experienced happens on IOS 5.1 through 6.11.

r.malone
Level 1

I do not believe that the Virus/worm answer is correct in this case ...

A Server behind our office's PIX 506 (6.0.1 IOS) got nailed by the Nimda worm and the PIX could not pass traffic until we unplugged the server from the LAN, but it did not lock up and it still accepted Telnet from the inside and the console still worked, once we unplugged the server things returned to normal ...

We will be getting the RMAed PIXes within the week, hopefully we do not have the same issues with the new ones ...
