A New Bug in Cisco Kit, Stop It Before It Takes Yours Down
by Darin Knobbe, on May 3, 2020 7:04:39 PM
Something is killing a number of Cisco ASAs (Adaptive Security Appliances) after 18 months, specifically the ASA5508 and ASA5516: some of them contain a faulty resistor. Today we share the news behind the failure as well as an alternative to keep your system up and running at full capacity. We've also outlined two options for mitigating your faulty Cisco kit.
As detailed by The Register, Cisco has issued a field notice with the title “Field Notice: FN - 70476 - ASA5508 and ASA5516 Security Appliances Might Fail After 18 Months or Longer Due to a Damaged Component - Hardware Upgrade Required” in which it says that models ASA5508 and ASA5516 "may fail in Operation, following a year and a half or more, because of a harmed component in it."
The affected units were manufactured between 05-18-2017 and 08-25-2017, when a manufacturing process issue left some of them with a damaged resistor. The Cisco advisory gives more detail on the issue:
"Security Appliances with a faulty resistor will work regularly on the installation and it disappointments are relied upon to increment over a long time starting after the unit has been in activity for around 18 months. When the security appliance has malfunctioned, the unit will not work anymore, won't boot, and isn't recoverable."
Affected Product ID
The bug ID in the Cisco database for this issue is listed below:
ASA5508 and ASA5516 Might Fail After 18 Months or Longer Due to a Damaged Component
So how can you tell from the symptoms that your unit has this problem?
- The security appliance no longer functions and the system fails to boot. There will be no output from the console port.
- In addition, the LED status indicators on the security appliance illuminate as follows:
  - Power LED is green
  - Status LED is amber and blinking
Unfortunately, there is no workaround for the faulty appliance. Instead, the following is suggested:
- Cisco recommends proactive replacement for the affected ASA5508 and ASA5516 security appliances. There is no workaround for this issue.
- Customers should request replacements for the affected product(s) using the order form provided in the Upgrade Program section of this field notice.
- Customers who request replacement products should note that the License Activation Key is tied to the ASA chassis serial number. Contact the Cisco Licensing Team to have your current license moved to the replacement chassis serial number. The Cisco Licensing Team will request the PAK (Product Authorization Key) reference number and the current serial number.
Verifying from the serial number whether a unit is affected
This field notice provides a way to determine whether the serial number(s) of an appliance are affected by this issue. To check whether your product is potentially affected, inspect the chassis serial number of the security appliance.
The chassis serial number can be obtained from the CLI or through a visual inspection of the security appliance. For units that have failed because of this issue, a visual inspection of the security appliance or a review of the Sales Order documentation is required.
In the CLI of the ASA, you just need to enter the command “show inventory”.
The output will be as such:
asa> show inventory
Name: "Chassis", DESCR: "ASA 5508-X with FirePOWER services, 8GE, AC, DES"
PID: ASA5508 , VID: V01 , SN: JMXXXXXXXXD
Note: Do not use the show version command for this, in order to avoid Cisco bug ID CSCtz56314 (ASA5500-X Chassis Serial Number Not Visible from CLI).
Visual Inspection of the ASA Security Appliance
The serial number information is located on the bottom surface of the appliance.
In order to verify your serial number(s), enter it in the Serial Number Validation Tool.
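For a fleet of appliances, the serial check described above can be scripted. The following is an added example, not code from Cisco or from the original post: it parses saved "show inventory" captures, keeps only the Chassis entry of units whose PID is named in the field notice, and groups the serials into strings that fit the 4,000-character serial field of the upgrade form. The hostnames, serial numbers and non-chassis entries are constructed placeholders, and matching the PID by prefix is an assumption; the Serial Number Validation Tool remains the authority on whether a given serial is affected.

```python
import re

# Product IDs named in the field notice; matched as prefixes (an assumption) to allow suffixes.
AFFECTED_PID_PREFIXES = ("ASA5508", "ASA5516")
FIELD_LIMIT = 4000  # serial-number field limit from the upgrade form's note 2

ENTRY_RE = re.compile(
    r'Name:\s*"(?P<name>[^"]*)"\s*,\s*DESCR:\s*"[^"]*"\s*'
    r'PID:\s*(?P<pid>\S*)\s*,\s*VID:\s*\S*\s*,\s*SN:\s*(?P<sn>\S+)')

def chassis_entries(inventory_text):
    """Return (pid, serial) for each Chassis entry; modules and SSDs are skipped."""
    return [(m["pid"], m["sn"]) for m in ENTRY_RE.finditer(inventory_text)
            if m["name"].strip().lower() == "chassis"]

def candidates(outputs):
    """Map hostname -> (pid, serial) for chassis whose PID is named in the notice."""
    return {host: (pid, sn)
            for host, text in outputs.items()
            for pid, sn in chassis_entries(text)
            if pid.upper().startswith(AFFECTED_PID_PREFIXES)}

def form_batches(serials, limit=FIELD_LIMIT):
    """Join unique serials with ', ' into strings that each fit one form field."""
    batches, current = [], ""
    for sn in sorted(set(serials)):
        piece = sn if not current else ", " + sn
        if current and len(current) + len(piece) > limit:
            batches.append(current)
            current = sn
        else:
            current += piece
    return batches + [current] if current else batches

# Constructed captures; hostnames and serial numbers are placeholders, not real devices.
SAMPLE = {
    "fw-edge-1": 'asa> show inventory\n'
                 'Name: "Chassis", DESCR: "ASA 5508-X with FirePOWER services, 8GE, AC, DES"\n'
                 'PID: ASA5508 , VID: V01 , SN: JMX0000000A\n'
                 'Name: "Storage Device 1", DESCR: "SSD (constructed entry)"\n'
                 'PID: ASA5508-SSD , VID: N/A , SN: MSA0000000C\n',
    "fw-dc-2":   'Name: "Chassis", DESCR: "ASA 5516-X (constructed entry)"\n'
                 'PID: ASA5516 , VID: V01 , SN: JAD0000000B\n',
    "fw-lab-3":  'Name: "Chassis", DESCR: "Other model (constructed entry)"\n'
                 'PID: ASA5506 , VID: V01 , SN: JMX0000000D\n',
}

if __name__ == "__main__":
    hits = candidates(SAMPLE)
    for host, (pid, sn) in sorted(hits.items()):
        print(f"{host}: {pid} {sn} -> check in the Serial Number Validation Tool")
    print(form_batches(sn for _, sn in hits.values()))
```
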
About the Upgrade Program
For ASA5508 and ASA5516 Security Appliances
A separate Form must be filled out for each unique Ship to Address.
A unique Upgrade Order Reference Number will accompany each Form submission and can be used to inquire about request status.
Please enter one or more valid Serial Numbers into the Form.
You will receive an acknowledgement email immediately after submitting the Form with a Request #. Depending on material availability, both you AND the Customer email address will receive a confirmation email with Order# in 7 to 10 days. UMPIRE orders are proactive replacements and do NOT adhere to normal SLAs or Service Contracts.
NOTE: If your Ship to Address is in the following countries, please expect delays of up to 3 months depending on importation regulations: Argentina, Brazil, Colombia, Mexico, Venezuela, India, all countries in Asia (for example Singapore, Malaysia, Hong Kong, China, Vietnam, Korea, Thailand, Philippines), and all non-EU countries (i.e. UAE, Russia, Turkey). You will receive your Order# at that time. Thank you for your understanding, as this process is beneficial for the customer; it will spare them the cost of tax/duty in these countries (which is very high).
If you were provided a Sales Order Number for the shipment of your new parts, please refer to the SO Status Tool (Please note: you must have a CCO User ID and Password to access this site):
If you were given an RMA Number for the shipment of your replacement parts, please refer to the "Service Order QuickSearch" Tool at the following location (Please note: you must have a CCO User ID and Password to access this site):
If you have not received an email with an Order# after 10 days, please send an email with your Request#(s) and Customer in the Subject line to: email@example.com
The upgrade form for the replacement is below:
Note: Fields marked with an asterisk (*) are required fields.
|TAC SR Number|
|Customer Shipping Information|
|Product||Affected Product||*Quantity||*Serial#(2)||Replacement PID|
|Customer Contact Information|
|Upgrade Order Reference Number||Please provide a number that you can use when inquiring about order status|
1 For phone and fax, include 011 and the country code outside North America.
2 The serial number input field for each Product ID can hold up to 4,000 characters, including commas and white space. For longer lists of serial numbers, please submit additional requests.
3 For customers in Japan only, please enter the building and the floor in the address field. Also, enter the contact person's name, the telephone number and the e-mail address in the appropriate fields.
An Alternative Solution
Fortinet Network Firewalls
Next-generation firewalls (NGFW) filter network traffic to protect an organization from external threats. Fortinet competes for the industry-leading spot in Gartner's Magic Quadrant for Network Firewalls. Read the article here. Their next-generation firewalls feature VPN support, network monitoring, packet filtering, and IP mapping.
If you're looking to strengthen your application control, boost intrusion prevention, and advance visibility across your network, chat with a representative today about an NGFW. Not only do they block malware, but they also give you the flexibility to evolve with the landscape and keep your network secure as new threats arise.
At the enterprise level, Fortinet offers an NGFW that inspects traffic as it enters and leaves the network, enables security-driven networking, and consolidates industry-leading security capabilities. Automated threat protection, an intrusion prevention system, web filtering, and secure sockets layer inspection are all included in the Enterprise Firewalls. An integral part of the NGFWs is their ability to communicate within the Fortinet Security Fabric as well as with third-party solutions, sharing threat intelligence while improving security posture.
Chat with us today about your needs. We have a team ready to answer any questions or to chat more on the network security and firewalls that best suit your needs! Need to get in touch quicker than a phone call? No worries, leave a quick comment below.