THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
Revision | Publish Date | Comments |
---|---|---|
1.0 | 25-Feb-21 | Initial Release |
2.0 | 08-Jun-21 | Updated the Products Affected, Background, and How To Identify Affected Products Sections and Added the Serial Number Validation Section |
Affected Product ID | Comments |
---|---|
ASA5506-K8 | |
ASA5506-K9 | |
ASA5506-FTD-K9 | |
ASA5506W-A-K9 | |
ASA5506W-A-FTD-K9 | |
ASA5506W-B-K9 | |
ASA5506W-B-FTD-K9 | |
ASA5506W-E-K9 | |
ASA5506W-E-FTD-K9 | |
ASA5506W-Q-K9 | |
ASA5506W-Q-FTD-K9 | |
ASA5506W-Z-K9 | |
ASA5506W-Z-FTD-K9 | |
ASA5506H-K9 | |
ASA5506H-FTD-K9 | |
ASA5506 | |
ASA5506W | |
ASA5506H | |
Defect ID | Headline |
---|---|
CSCvw53884 | M500IT Model Solid State Drives on ASA5506 may go unresponsive after 3.2 Years in service |
Due to a flaw in Solid State Drive (SSD) firmware, the SSD internal to the Adaptive Security Appliance (ASA) 5506 security appliance will no longer respond after approximately 3.2 years of cumulative operation. After the first unresponsive event is experienced, every subsequent ASA 5506 power-cycle will allow the SSD to operate for approximately six weeks of cumulative operation before the SSD will no longer respond again.
After 28,224 hours (approximately 3.2 years) of accumulated Power On Hours (POH), a memory buffer overrun condition occurs which triggers the firmware event in the SSD. This causes the drive to become unresponsive until it is power-cycled. No data loss will occur when the memory buffer overrun firmware event occurs. A power-cycle of the ASA 5506 security appliance restores normal operation of the drive. The drive continues to operate normally for 1008 additional accumulated POH (six weeks), at which time the drive will become unresponsive again. Power-cycling the ASA 5506 security appliance again will re-initiate the 1008 hour window.
The ASA 5506 SSD is used for data storage when running ASA with Firepower Services or Firepower Threat Defense (FTD) software and is not field replaceable.
The ASA 5506 security appliance no longer passes network traffic. The management console will be responsive, but users with valid credentials might not be able to log in. Previously logged in sessions might continue with reduced functionality.
Workaround
A power-cycle of the ASA 5506 security appliance is required in order to temporarily recover from this issue. However, this failure will reappear after 1008 hours of operation.
Solution
In order to prevent occurrence of this issue and disruption to the network and operations, Cisco recommends that you proactively upgrade the SSD firmware before the accumulated uptime reaches 28,224 hours. Refer to the How To Identify Affected Products section and follow one of the software upgrade procedures in this section.
If the system is already impacted, the SSD firmware upgrade will permanently resolve this defect.
A product return and replacement (RMA) is not recommended as the firmware upgrade process will resolve the issue.
Upgrade the ASA or FTD software to update the SSD firmware and resolve the issue. A service contract is not required to download the referenced software images.
Software Upgrade for ASA-Only or ASA with Firepower Services
For ASA 5506 appliances that run ASA-only or ASA with Firepower Services, upgrade to one of these ASA software versions in order to update the SSD firmware. This software is available from the Cisco Software Download Center.
See the Cisco ASA Upgrade Guide for instructions on how to upgrade your ASA software.
Additional ASA software upgrade guidance is available in the ASA 9.x : Upgrade a Software Image using ASDM or CLI Configuration Example.
Software Upgrade for FTD
For ASA 5506 appliances that run FTD, apply Cisco Firepower Hotfix EH with filename “Cisco_FTD_Hotfix_EH-6.2.3.999-6.sh.REL.tar” in order to update the SSD firmware. This software is available from the Cisco Software Download Center by selecting FTD Release 6.2.3.
See the Cisco Firepower Hotfix Release Notes for instructions on how to install the Firepower Hotfix.
The hotfix can be applied with Firepower Management Center (FMC) or Firepower Device Manager (FDM).
Note: Rolling back to a previous ASA software version, uninstalling the Firepower Hotfix, or reimaging the ASA 5506 security appliance will not downgrade the SSD firmware after it has been updated.
ASA-Only or ASA with Firepower Services
Cisco ASA 5506 Series security appliances that run a Cisco ASA FirePOWER Module might be affected, and Cisco recommends that you upgrade the ASA software.
Cisco ASA 5506 Series security appliances that run ASA-only software are not affected since the SSD is not used to store information for this application. However, Cisco recommends that you upgrade the ASA software in case the ASA 5506 is used to provide Firepower Services or is converted to FTD software at a future date.
There are no previously defined CLI commands available in the ASA software to display the SSD information.
However, the ASA software versions that fix this issue (see the Workaround/Solution section) provide additional debug commands to display system log files and show if the SSD firmware upgrade was performed. The new debug commands are:
debug menu file-system 9
debug menu file-system 10 (provides additional details)
A sample output of the debug menu file-system 9 command is shown here.
firepower# debug menu file-system
WARNING: These utilities are intended for troubleshooting purposes only. Use of these utilities can severely impact performance and the proper operation of the device.
File-system commands are:
*** Debug menu displayed ***
firepower# debug menu file-system 9
-------------------------------------------------------------------------------
micron-ssd-firmware.sh: Called at (Tue Jan 26 17:57:34 UTC 2021)
-------------------------------------------------------------------------------
*** Output continues ***
Completed the firmware upgrade, verifying...
Successfully upgraded the SSD firmware on Micron_M500IT_MTFDDAT064MBD to MU04
firepower#
FTD
For ASA 5506 security appliances that run FTD, the SSD model and firmware revision can be determined as follows:
Enter the expert command to switch to expert mode.
Enter the sudo hdparm -I /dev/sda | egrep 'Model Number|Firmware Revision' command.
A sample output of this command is shown here:
> expert
$ sudo hdparm -I /dev/sda | egrep 'Model Number|Firmware Revision'
Micron_M500IT_MTFDDAT064MBD
Firmware Revision: MU01.00
Cisco ASA 5506 and ASA 5506W Security Appliances
If the SSD Model Number is Micron_M500IT_* and the Firmware Revision is MU01.00 or MU02.00, then a Firepower software upgrade is required to prevent the issue.
Cisco ASA 5506H Security Appliances
If the SSD Model Number is Micron_M500IT_* and the Firmware Revision is CT01.00 or MU02.00, then a Firepower software upgrade is required to prevent the issue.
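The two rules above can be applied mechanically to the hdparm output. This is an added example, not Cisco code: the function name ssd_needs_upgrade is hypothetical, the sample input is constructed, and it assumes hdparm labels its lines "Model Number:" and "Firmware Revision:".

```shell
#!/usr/bin/env bash
# Added example (not Cisco code): apply this notice's firmware rules to the
# output of `sudo hdparm -I /dev/sda`, read from stdin.
# Argument: chassis PID as reported by `show inventory`, e.g. ASA5506H.
# Prints UPGRADE (exit 0), OK (exit 1), or UNKNOWN (exit 2).

ssd_needs_upgrade() {
    local pid=$1 input model fw affected
    input=$(cat)
    # Take the first token after each label; hdparm pads values with spaces.
    model=$(printf '%s\n' "$input" |
        sed -n 's/^[[:space:]]*Model Number:[[:space:]]*\([^[:space:]]*\).*/\1/p' |
        head -n 1)
    fw=$(printf '%s\n' "$input" |
        sed -n 's/^[[:space:]]*Firmware Revision:[[:space:]]*\([^[:space:]]*\).*/\1/p' |
        head -n 1)
    if [ -z "$model" ] || [ -z "$fw" ]; then
        echo UNKNOWN; return 2          # labels missing: do not guess
    fi
    # Affected revisions exactly as listed in the notice, per chassis family.
    case "$pid" in
        ASA5506H*) affected="CT01.00 MU02.00" ;;
        ASA5506*)  affected="MU01.00 MU02.00" ;;
        *) echo UNKNOWN; return 2 ;;    # PID outside this notice's scope
    esac
    # Only the Micron M500IT model is covered by the notice.
    case "$model" in
        Micron_M500IT_*) ;;
        *) echo OK; return 1 ;;
    esac
    case " $affected " in
        *" $fw "*) echo UPGRADE; return 0 ;;
    esac
    echo OK; return 1
}

# Constructed sample input shaped like hdparm output; prints UPGRADE.
printf '\tModel Number:       Micron_M500IT_MTFDDAT064MBD\n\tFirmware Revision:  MU01.00\n' |
    ssd_needs_upgrade ASA5506W || true
```

An UNKNOWN result means the model or firmware line could not be read or the PID is not an ASA 5506 variant, so the device should be checked by hand rather than treated as unaffected.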
Obtain the Chassis Serial Number for Validation
In order to determine whether your product might be affected by this issue, examine the chassis serial number of the security appliance.
The chassis serial number can be obtained from the CLI or through visual inspection of the security appliance. For units that have already failed due to this issue, a visual inspection of the security appliance or review of the Sales Order documentation is required.
CLI
Enter the show inventory command to obtain the chassis serial number (SN) of the appliance:
> show inventory
Name: "Chassis", DESCR: "ASA 5506H-X with FirePOWER services, 4GE Data, AC, 3DES/AES"
PID: ASA5506H , VID: V05 , SN: JMX1234ABCD
Name: "Storage Device 1", DESCR: "ASA 5506H-X SSD"
PID: ASA5506H-SSD , VID: N/A , SN: MSA223101AS
Visual Inspection of the ASA Security Appliance
The serial number information is located on the bottom surface of the appliance.
Refer to the Serial Number Validation section in order to verify your ASA 5506 serial number(s).
Cisco provides a tool to verify whether a device is impacted by this issue. In order to check the device, enter the device's serial number in the Serial Number Validation Tool.
Note: For security reasons, you must click on the Serial Number Validation Tool link provided in this section to check the serial number for the device. Use of the Serial Number Validation Tool URL external to this field notice will fail.
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:
My Notifications—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.