Field Notice: FN - 64294 - ISA3000 Software Security Appliance Might Fail To Pass Traffic After 213 Days Of Uptime - Software Upgrade Recommended

Available Languages

Updated:October 10, 2017
Document ID:FN64294

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Notice

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Revision History

Revision Publish Date Comments
1.0
18-May-17
Initial Release
10.0
10-Oct-17
Migration to new field notice system

Products Affected

Affected OS Type Affected Release Affected Release Number Comments
NON-IOS
9
9.5.3,9.6.2,9.6.3,9.7.1
Please check the "Workaround/Solution" section for affected ASA interim release numbers.

Defect Information

Defect ID Headline
CSCvd78303 ARP functions fail after 213 days of uptime, drop with error 'punt-rate-limit-exceeded'

Problem Description

All Cisco Industrial Security Appliance 3000 (ISA3000) devices that run the affected software versions do not pass network traffic after approximately 213 days 12 hours (~ 5,124 hours) of uptime.

 

 

In the near term, immediately reboot the deployed security appliances in order to prevent this issue.

 

 

The Cisco ISA3000 units shipped with manufacturing image ASA 9.6.2 are not impacted. These devices are impacted only if the customer has upgraded the software to any of the affected versions.

 

Background

On March 29, 2017 Cisco became aware of an issue that affects all Cisco ISA3000 security appliances that run certain versions of software. The affected versions of software cause the security appliance to stop passing network traffic after approximately 213 days 12 hours (~ 5,124 hours) of uptime.

 

 

The issue detailed in this Field Notice is not a security vulnerability and there is no associated risk to the integrity of the security appliance.

 

Problem Symptom

The Cisco ISA3000 security appliances stop passing all network traffic.

 

 

Entering the show asp drop command over the console port will indicate that packets are being dropped due to the reason Punt rate limit exceeded (punt-rate-limit).

 

Workaround/Solution

In order to mitigate the risk and impact of the device not passing network traffic, Cisco urges customers to proactively reboot their Cisco ISA3000 security appliances that run affected versions of the software.

 

 

For customers with failover configurations, it is recommended to reboot the standby devices first, make them active after they complete booting, and then reboot the formerly active devices.

 

 

The reboot of the security appliance must be performed prior to 213 days 12 hours of uptime. After the reboot, the security appliance avoids an encounter with this issue for another 213 days 12 hours.

 

 

Enter the show version | grep up command in order to display the uptime of the security appliance.

 

 

The output is shown here:

 

 

ciscoasa# show version | grep up

 

Config file at boot was "startup-config"

 

ciscoasa up 210 days 11 hours

 

 

The device can be rebooted with one of these methods:

 

 

- CLI - Enter the reload command in privileged mode

 

- ASDM GUI - Choose Tools > System Reload

 

 

A physical power-cycle can be used in order to perform a reboot.

 

 

Updated ASA software versions that address this issue are available from Cisco Software Central for customers with a valid service contract. The recommended upgrade paths are shown in the table below.

 

 

Impacted Release Number(s) Fixed Release Number(s)
ASA 9.5.3, ASA 9.5.3.1, ASA 9.5.3.2, ASA 9.5.3.6 ASA 9.6.3.1 or later
ASA 9.6.2.1, ASA 9.6.2.2, ASA 9.6.2.3, ASA 9.6.2.4, ASA 9.6.2.7, ASA 9.6.2.11, ASA 9.6.2.13, ASA 9.6.3 ASA 9.6.3.1 or later
ASA 9.7.1, ASA 9.7.1.2 ASA 9.7.1.4 or later

 

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Receive Email Notification For New Field Notices

Cisco Notification Service—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products