Updated October 16, 2002
December 20, 2000
Products Affected
PIX-525
Serial Numbers
Initial units, serial numbers 44480380055 through 44480480044.
Problem Description
When the embedded Ethernet interfaces on an affected PIX-525 (ethernet0 and ethernet1) are set to full-duplex, interface errors occur and throughput is limited. When the interfaces are set to half-duplex, they function normally without error.
The command statement interface ethernet0 100full results in increased interface error statistics, whereas the command interface ethernet0 100basetx does not result in increased interface error statistics. Setting the interface to auto sense via the command statement interface ethernet0 auto may result in errors if the link is negotiated with the neighboring device to full-duplex.
Expansion card interfaces are not affected. These errors do not affect the security of the firewall or network in any way.
Background
Due to a procedural error in manufacturing, a specific Ethernet EEPROM's contents were erased. This resulted in an unstable state in the embedded Ethernet controllers when they are set to full-duplex mode.
There are no design or hardware defects in the affected units. Programming the EEPROM's contents back to the appropriate state completely and permanently resolves the problem.
Problem Symptoms
Interface errors are seen whether monitored on the PIX-525 or the neighboring device connected to the affected interface.
PIX
The PIX-525 shows collisions and other interface errors:
pix-01# show interface ethernet1
interface ethernet1 "inside" is up, line protocol is up
Hardware is i82559 ethernet, address is 0002.b834.a75c
IP address 192.168.0.1, subnet mask 255.255.255.0
MTU 1500 bytes, BW 100000 Kbit full duplex
10199 packets input, 14152777 bytes, 0 no buffer
Received 38 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
10132 packets output, 14153193 bytes, 0 underruns
0 output errors, 21 collisions, 0 interface resets
0 babbles, 18 late collisions, 4 deferred
1 lost carrier, 0 no carrier
Neighboring Device, Such as Catalyst 2948
The following example shows the errors reported by a neighboring device, here from the command line of a Cisco Catalyst 2948:
C2948-01> (enable) show port 2/2
Port  Name               Status     Vlan       Level  Duplex Speed Type
----- ------------------ ---------- ---------- ------ ------ ----- ------------
2/2                      connected  1          normal full   100   10/100BaseTX
C2948-01> (enable) show port count 2/2
Port  Align-Err  FCS-Err    Xmit-Err   Rcv-Err    UnderSize
----- ---------- ---------- ---------- ---------- ---------
2/2   -          20         1          21         0
Port  Single-Col Multi-Coll Late-Coll  Excess-Col Carri-Sen Runts     Giants
----- ---------- ---------- ---------- ---------- --------- --------- ---------
2/2   0          0          0          0          1         1         0
Last-Time-Cleared
--------------------------
Tue Nov 21 2000, 08:17:15
Workaround/Solution
Workaround
There are two possible workarounds:
- Use expansion card interfaces instead of the embedded interfaces.
- Configure the embedded interfaces to a half-duplex "hardware_speed" setting. See "interface" in the Command Reference document for details.
Solution
The Ethernet EEPROM may be reprogrammed by two means.
- The "eedisk" utility is available in the PIX Firewall FTP directory. Use passive FTP to connect to ftp.cisco.com using your registered CCO account and then browse to the /cisco/ciscosecure/pix/special/ directory. You cannot use anonymous FTP to access this file. You may need to specify the full path of the file (/cisco/ciscosecure/pix/special/eedisk.bin) in order to download it. Boot the PIX into the ROM monitor mode (registered customers only) (see "Using the monitor Command") and then TFTP the "eedisk" utility to the flash. Once the transfer is complete, the utility asks if you wish to reprogram the onboard Ethernet devices. Answer yes. Once the utility is finished reprogramming the EEPROM, it is necessary to reboot the PIX.
- The eeprom update command performs the same function as the eedisk utility without requiring access to the ROM monitor mode. The show eeprom command indicates whether or not the Ethernet EEPROM is correctly programmed. A reboot will be necessary if the onboard Ethernet devices are reprogrammed. The eeprom commands exist in PIX Firewall versions 5.3(1) and later, which are available on Cisco.com (registered customers only). The commands are fully documented in the PIX Firewall Version 6.0 Command Reference (registered customers only).
Note: You must have a service contract and be a registered user of Cisco.com to access this software online. Customers without both of these should contact the Technical Assistance Center (TAC) as outlined at the bottom of this notice to obtain the utility and software upgrade.
PIX Firewall Serial Numbers
PIX 525 serial numbers as reported by the show version command have their first two characters truncated. For example, if the PIX chassis serial number is 44480521234 it will be reported by show version as 480521234. The first two characters cut off are always 44.
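The serial-number rule above and the full-duplex symptom from the Problem Symptoms section can be checked together when triaging a fleet. The following is an added example, not part of the original notice or any Cisco tool; the function names are hypothetical, the sample counter lines are copied from the ethernet1 output shown earlier, and the serial 480400000 is constructed for illustration.

```python
import re

# Affected chassis serial range, as stated in this notice.
AFFECTED_FIRST, AFFECTED_LAST = 44480380055, 44480480044

# Counter lines copied from the ethernet1 output shown in this notice.
SAMPLE = """\
interface ethernet1 "inside" is up, line protocol is up
MTU 1500 bytes, BW 100000 Kbit full duplex
0 output errors, 21 collisions, 0 interface resets
0 babbles, 18 late collisions, 4 deferred
"""

def full_serial(reported):
    """Return the 11-digit chassis serial for a show version or label value."""
    digits = reported.strip()
    if not digits.isdigit() or len(digits) not in (9, 11):
        raise ValueError("expected 9 or 11 digits, got %r" % reported)
    # show version drops the first two characters, which are always 44.
    return int("44" + digits if len(digits) == 9 else digits)

def serial_affected(reported):
    """True if the serial falls inside the affected range (inclusive)."""
    return AFFECTED_FIRST <= full_serial(reported) <= AFFECTED_LAST

def duplex_symptoms(show_interface):
    """Extract duplex and collision counters from show interface text."""
    def counter(label):
        m = re.search(r"(\d+) " + label + r"\b", show_interface)
        return int(m.group(1)) if m else 0
    result = {
        "full_duplex": re.search(r"\bfull duplex\b", show_interface) is not None,
        "collisions": counter("collisions"),
        "late_collisions": counter("late collisions"),
    }
    # Collisions are normal at half duplex; on a full-duplex link they
    # match the symptom this notice describes.
    result["suspect"] = result["full_duplex"] and (
        result["collisions"] + result["late_collisions"] > 0)
    return result

if __name__ == "__main__":
    print(serial_affected("480521234"))   # serial from the notice's example
    print(serial_affected("480400000"))   # constructed serial inside the range
    print(duplex_symptoms(SAMPLE))
```

A unit that is both in the serial range and flagged as suspect is a candidate for the show eeprom check described under Solution.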
For More Information
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:
