THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
Revision | Publish Date | Comments |
---|---|---|
1.0 | 05-Jan-21 | Initial Release |

Affected Product ID | Comments |
---|---|
ASR1001-X | |
ASR1001X-20G-K9 | |
ASR1001X-10G-K9 | |
ASR1001X-5G-K9 | |
ASR1001X-2.5G-K9 | |
ASR1001-X= | Part Alternate |
ASR1001X-20G-SEC | |
ASR1001X-10G-VPN | |
ASR1001X-5G-SEC | |
ASR1001X-5G-VPN | |
ASR1001X-2.5G-VPN | |
ASR1001X-10G-SEC | |
ASR1001X-2.5G-SEC | |
ASR1001X-20G-VPN | |
ASR1001X-AIS-AX | |
ASR1001X-AES-AX | |
C1-ASR1001-X/K9 | |
ASR1001-X-DNA | |
ASR1001-HX | |
ASR1001-HX= | Part Alternate |
C1-ASR1001-HX/K9 | |
ASR1001-HX-4GE | |
ASR1001-HX-DNA | |
ASR1002-HX | |
ASR1002-HX= | Part Alternate |
C1-ASR1002-HX/K9 | |
C1-ASR1002-HX/K9= | |
ASR1002-HX-DNA | |
ASR1002HX-6GE-2TE | |

Defect ID | Headline |
---|---|
CSCvu57682 | ASR1001-X 16GB: Kernel crashes repeatedly after upgrading from 16.12.2 to 17.2.1 |
CSCvv19063 | ASR1K, C9800 Commit config clean up for cstate and pstate to 17.4, 17.3.2, 17.2.2: backout idle=poll |
Once the router is upgraded to ROM Monitor (ROMMON) Version 17.3(1r), it cannot be downgraded to any earlier ROMMON version.
These routers ordered after 2021-02-28 will ship with ROMMON Version 17.3(1r) and customers will not be able to downgrade to earlier versions.
Cisco will ship ASR1001-X, ASR1001-HX, and ASR1002-HX routers ordered after 2021-02-28 with ROMMON Version 17.3(1r) in order to prevent Cisco IOS® XE Release 17.x crashes. Cisco IOS XE Release 17.x enables automatic power management mode shifting that at times results in Cisco IOS XE crashes. The automatic power management mode shifting might induce Multiple Bit ECC (MBE) memory errors, which results in Cisco IOS XE crashes. See Cisco field notice 70611 for more information.
This issue is not seen on Cisco IOS XE Release 16.x and earlier. Automatic power management mode shifting is disabled in earlier software versions.
ROMMON Version 17.3(1r) contains secure BIOS protection and will not allow downgrade to non-BIOS protected ROMMON versions (Versions 16.x and earlier).
Cisco incorporates security protections outlined in industry requirements where applicable and where there is value to Cisco and our customers. NIST SP800-193 is a general set of guidelines and best practices for protecting bootcode/firmware.
Unified Extensible Firmware Interface (UEFI) capsule updates are a standardized way to provide secure BIOS/bootloader updates. The capsule format is defined by the UEFI specification and the payload of the capsule goes through image signing validation BEFORE the update image within the capsule is applied. This provides a secure mechanism to ensure only valid signed update capsules are applied to a system, which adds another layer of protection when images are updated on a system.
There are two problem symptoms:
Cisco IOS Releases Earlier Than 17.2.1
If the Cisco IOS XE release is earlier than Release 17.2.1, the signature is:
Router# upgrade rom-monitor filename bootflash:asr1000-rommon.169_4r_SPA.pkg r0
Platform is ASR. Verifying the code signature of the ROMMON package...
Chassis model ASR1001-HX has a single rom-monitor.
Upgrade rom-monitor
Target copying rom-monitor image file
File size : //tmp/rommon_upgrade/latest.bin
File size is : 3211264
FIPS File size is : 3211264
ROMMON Image Type : X86
File /tmp/rommon_upgrade/latest.bin is a FIPS ROMMON image
4259840+0 records in
4259840+0 records out
4259840 bytes (4.3 MB, 4.1 MiB) copied, 5.87427 s, 725 kB/s
131072+0 records in
131072+0 records out
131072 bytes (131 kB, 128 KiB) copied, 0.435839 s, 301 kB/s
655360+0 records in
655360+0 records out
655360 bytes (655 kB, 640 KiB) copied, 1.14162 s, 574 kB/s
Checking upgrade image...
3211264+0 records in
6272+0 records out
3211264 bytes (3.2 MB, 3.1 MiB) copied, 1.99637 s, 1.6 MB/s
Upgrade image MD5 signature is d4acb95f9a3e91236cae9a51cadca39d
Burning upgrade partition...
3211264+0 records in
3211264+0 records out
3211264 bytes (3.2 MB, 3.1 MiB) copied, 14.2442 s, 225 kB/s
Checking upgrade partition...
3211264+0 records in
3211264+0 records out
3211264 bytes (3.2 MB, 3.1 MiB) copied, 7.48787 s, 429 kB/s
Copying ROMMON environment
4259840+0 records in
4259840+0 records out
4259840 bytes (4.3 MB, 4.1 MiB) copied, 56.6583 s, 75.2 kB/s
131072+0 records in
131072+0 records out
131072 bytes (131 kB, 128 KiB) copied, 1.91704 s, 68.4 kB/s
131072+0 records in
131072+0 records out
131072 bytes (131 kB, 128 KiB) copied, 1.9026 s, 68.9 kB/s
655360+0 records in
655360+0 records out
655360 bytes (655 kB, 640 KiB) copied, 6.73176 s, 97.4 kB/s
Upgrade flash partition MD5 signature is 172a3c146f666fa70cd13644bb001101
FAILURE: MD5 signature does not match!
Router#
Cisco IOS Releases Later Than 17.2.1
If the Cisco IOS XE release is later than Release 17.2.1, the signature is:
Router# upgrade rom-monitor filename bootflash:asr1000-rommon.169_4r_SPA.pkg r0
Verifying the code signature of the ROMMON package...
Chassis model ASR1001-HX has a single rom-monitor.
Upgrade rom-monitor
Target copying rom-monitor image file
Warning - Didn't find capsule file.
head: cannot open '//tmp/rommon_upgrade/capsule.bin' for reading: No such file or directory
echo "FATAL: File $CAPSULE_FILE is not valid capsule! \ Upgrade aborted"
Router#
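A transcript check for the two symptoms shown above, added here as an example and not part of the Cisco notice: it searches captured `upgrade rom-monitor` output for either failure signature so that upgrade automation can flag a refused ROMMON downgrade. The sample transcripts are abbreviated from the outputs above; the function name and symptom labels are hypothetical.

```python
import re

# Constructed samples, abbreviated from the two symptom transcripts in this notice.
PRE_1721 = """Router# upgrade rom-monitor filename bootflash:asr1000-rommon.169_4r_SPA.pkg r0
Upgrade image MD5 signature is d4acb95f9a3e91236cae9a51cadca39d
Burning upgrade partition...
Upgrade flash partition MD5 signature is 172a3c146f666fa70cd13644bb001101
FAILURE: MD5 signature does not match!
Router#"""

POST_1721 = r"""Router# upgrade rom-monitor filename bootflash:asr1000-rommon.169_4r_SPA.pkg r0
Warning - Didn't find capsule file.
head: cannot open '//tmp/rommon_upgrade/capsule.bin' for reading: No such file or directory
echo "FATAL: File $CAPSULE_FILE is not valid capsule! \ Upgrade aborted"
Router#"""

PACKAGE = re.compile(r"upgrade rom-monitor filename (\S+)")
MD5_IMAGE = re.compile(r"Upgrade image MD5 signature is ([0-9a-f]{32})")
MD5_FLASH = re.compile(r"Upgrade flash partition MD5 signature is ([0-9a-f]{32})")
CAPSULE = re.compile(r"Didn't find capsule file|is not valid capsule")


def classify(transcript):
    """Report which refused-downgrade symptom, if any, a CLI transcript shows.

    Patterns are searched over the whole text, so output that was pasted
    onto a single line is still recognised.
    """
    pkg = PACKAGE.search(transcript)
    image = MD5_IMAGE.search(transcript)
    flash = MD5_FLASH.search(transcript)
    result = {
        "package": pkg.group(1) if pkg else None,
        "image_md5": image.group(1) if image else None,
        "flash_md5": flash.group(1) if flash else None,
        "symptom": "none",
    }
    if CAPSULE.search(transcript):
        # Symptom shown for Cisco IOS XE releases later than 17.2.1
        result["symptom"] = "capsule_missing"
    elif image and flash and image.group(1) != flash.group(1):
        # Symptom shown for releases earlier than 17.2.1: compare the two
        # digests directly instead of relying only on the FAILURE line.
        result["symptom"] = "md5_mismatch"
    elif "FAILURE: MD5 signature does not match" in transcript:
        result["symptom"] = "md5_mismatch"
    return result
```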
Customers need to qualify ROMMON Version 17.3(1r) prior to 2021-02-28 in preparation for receiving systems with ROMMON Version 17.3(1r).
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods: