Question : Problem: Cisco IOS 6.2(2) bug?

My LAN is protected by Cisco PIX-515E-UR + PIX-515E-FO units. I noticed recently that both units sometimes reload, but not because of power failures. I've found a weird thing: when I try to send my public PGP (DH/DSS) key to ldap://keyserver.pgp.com, the PIX stops responding. I connected to the console port, set the logging level to info and saw these messages (the first line is info about my connection to the LDAP server):

302013: Built outbound TCP connection 123 for out0:63.251.255.12/389 (63.251.255.12/389) to inside:10.0.1.5/2021 (xxx.xxx.xxx.xxx/2021) (mara)

Thread Name: 557poll (Old pc 0x800aa087 ebp 0x8127bcc4)

Traceback:
0: 800aa079
1: 80002fc1
2: 00000000
    vector 0x0000000e (page fault)
       edi 0x72206c6c
       esi 0x809f5568
       ebp 0x8127bcb4
       esp 0x8127bc8c
       ebx 0x8095f648
       edx 0x809f55bc
       ecx 0x00000000
       eax 0x8079bc60
error code 0x00000000
       eip 0x800aacfc
        cs 0x00000008
    eflags 0x00010286
       CR2 0x72206c5c
Stack dump: base:0x8127ad20 size:4096, active:276
0x8127bd1c: 0x00000000
... and so on; the primary system rebooted and became active.

I was forced to issue the command "no fixup protocol ils 389" to avoid PIX reboots. Has anybody solved this problem in some other way?

Answer : Problem: Cisco IOS 6.2(2) bug?

I have access to Cisco's Bug Tracker.
These are not an EXACT match for your situation, but close enough to consider that the workaround you found is the same workaround for this:


CSCdx78331 Bug Details
Headline: pix crash
Product: pix
First found in: 6.2(1)
Duplicate of CSCdx73007
Notes:

Release-note :

A pix with release 6.2.1 might reload with the following. This could be related to "fixup protocol ils 389"

pix1#
Thread Name: pix/intf0 (Old pc 0x800b1480 ebp 0x811d195c)

Traceback:
0: 8002c6c7
1: 8002bd4c
2: 8002c0de
3: 8002c22c
4: 8011dde5
5: 80122727
6: 80121911
7: 80126472
==============================================================
CSCdx73007:
DESCRIPTION:
A PIX running version 6.2(1) might crash with the following traceback thread:

Thread Name: pix/intf0 (Old pc 0x800b1480 ebp 0x811d195c)

Please contact TAC and provide the traceback from the console of the
PIX when it crashed.

This issue is related to the ILS fixup on the PIX.

WORKAROUND:
Disable the ils fixup:
no fixup protocol ils 389
=============================================================
Found this one, too, that might be closer:

CSCdz65766
PIX-515 reload due to fixup ils (ldap)
Affected version: 6.2(2)

PIX 515 handling 800kbits/second max on 4 of the six interfaces, with 2
interfaces maxing out at around 2.5Mbits/sec. With this traffic now going
through, the PIX is seeing failures every 30 hours or so.

Specifically, the failures are that the active PIX throws a traceback out the
console port and reboots. The secondary PIX successfully detects the failure
and becomes active, resulting in a 15-20 second outage for all services.

Replaced one of the pixes with another 515 (matching hardware/software) but
this replacement PIX failed in the same manner.

By decoding the tracebacks, this is believed to be a software failure issue in
6.2.2 with the fixup protocol for ILS.

Possible workaround where appropriate : Disable ILS fixup.
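
The triage the poster did by hand (reading the last connection logged before the crash dump and noticing it went to port 389) can be scripted over a saved console capture; a match is a correlation to follow up with the traceback, not proof of cause. This is an added example, not part of the original thread or any Cisco tooling: the function name `triage`, the regexes, and the sample capture (assembled from lines quoted in the question plus one invented connection) are assumptions.

```python
import re

# Constructed console capture: the port-389 line and the crash fields are
# copied from the question above; the 192.0.2.10/80 connection is invented.
SAMPLE_CONSOLE = """\
302013: Built outbound TCP connection 122 for out0:192.0.2.10/80 (192.0.2.10/80) to inside:10.0.1.5/2020 (xxx.xxx.xxx.xxx/2020) (mara)
302013: Built outbound TCP connection 123 for out0:63.251.255.12/389 (63.251.255.12/389) to inside:10.0.1.5/2021 (xxx.xxx.xxx.xxx/2021) (mara)

Thread Name: 557poll (Old pc 0x800aa087 ebp 0x8127bcc4)

Traceback:
0: 800aa079
1: 80002fc1
2: 00000000
    vector 0x0000000e (page fault)
       eip 0x800aacfc
"""

BUILT = re.compile(r"302013: Built (?:in|out)bound TCP connection \d+ for "
                   r"\S+?:(?P<ip>[\d.]+)/(?P<port>\d+)")
THREAD = re.compile(r"Thread Name: (?P<thread>\S+)")
FRAME = re.compile(r"^\d+: (?P<addr>[0-9a-f]{8})$")
VECTOR = re.compile(r"vector (?P<vec>0x[0-9a-f]+) \((?P<why>[^)]+)\)")
ILS_PORT = 389  # port named in "fixup protocol ils 389"


def triage(console_text):
    """Return one dict per crash dump found in a PIX console capture."""
    crashes, last_conn = [], None
    for line in console_text.splitlines():
        line = line.strip()
        if m := BUILT.search(line):
            last_conn = (m["ip"], int(m["port"]))
        elif m := THREAD.search(line):
            # A "Thread Name:" line opens a new crash dump.
            crashes.append({"thread": m["thread"], "frames": [], "fault": None,
                            "last_conn": last_conn,
                            "ils_suspect": bool(last_conn) and last_conn[1] == ILS_PORT})
        elif crashes and (m := FRAME.match(line)):
            crashes[-1]["frames"].append(m["addr"])
        elif crashes and (m := VECTOR.search(line)):
            crashes[-1]["fault"] = m["why"]
    return crashes


if __name__ == "__main__":
    for c in triage(SAMPLE_CONSOLE):
        print(c)
```

The collected `frames` list is the traceback the bug notes ask to be sent to TAC, so keeping it per crash makes it easy to compare dumps across reloads.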



