Denial-of-Service Vulnerability That Affects Logix 5000™ Controllers (1042476,1042479)

For a full list of the potentially affected Rockwell Automation products and a description of the vulnerability, see Knowledgebase Product Notice Logix Controllers Vulnerable to Denial-of-Service Attack.

CVE-2022-3157: Denial-of-Service Vulnerability That Affects Logix 5000™ Controllers (1256258, 1289747)

For a full list of the potentially affected Rockwell Automation products and a description of the vulnerability, see Knowledgebase Product Notice Controllers Vulnerable to a Denial-of-Service Vulnerability.

CVE-2020-6998: Denial-of-Service Vulnerability That Affects Logix 5000™ Controllers (00228528)

For a full list of the potentially affected Rockwell Automation products and a description of the vulnerability, see Knowledgebase Product Notice CompactLogix 5370 and ControlLogix 5570 Controllers Vulnerable to Denial of Service Conditions due to Improper Input Validation.

Minimum Value for the Watchdog Time Revision 24

Catalog Numbers

• ControlLogix® 5570 controllers, revisions 24.052 and 24.053

To set the ControlLogix 5570 controllers initial task tuning, follow these steps.

IMPORTANT: This works only when there is no Continuous task configured in the Logix application.

1. Monitor the Max Scan Time for each task while the redundant chassis pair is synchronized.
2. Set the Watchdog times for each task to 3 times the Max Scan Time.
3. Use the Logix5000™ Task Monitor Tool to configure each Task Period.

Version of the Logix5000 Task Monitor v3.4.2.0

• Adjust the Task periods of each so that the maximum scan time is less than 80% of the task period rate.

• Adjust the Task periods so that the Logix CPU% utilization is never above 75%.

• While performing these tests, the HMI and any other external systems must be connected to the Logix controller.

ControlLogix Redundancy Compatible Software 24.053_kit1

Catalog Numbers

• ControlLogix® 5570 controllers*

(1) You must download a FactoryTalk Alarm and Events patch in Rockwell Automation Knowledgebase Answer ID 730429. The patch is available at http://www.rockwellautomation.com/knowledgebase/.

(2) The installation of FactoryTalk View Site Edition also installs FactoryTalk Services Platform, which installs FactoryTalk Alarms and Events. Also, if you download and install the latest FactoryTalk Services Patch Rollup, this patch automatically installs the patch for FactoryTalk Alarms and Events.

(3) Use the most recent FactoryTalk Batch Patch Roll-up with this redundancy firmware revision. For the most recent patch roll-up, see Rockwell Automation Knowledgebase Answer ID 59058, accessible at: http://www.rockwellautomation.com/knowledgebase/.

IMPORTANT: The following steps apply only to the FactoryTalk Alarms and Events installation.

1. Install FactoryTalk View Site Edition.

This installation installs FactoryTalk Services Platform, which installs FactoryTalk Alarms and Events.

2. Download and install the latest FactoryTalk Services Patch Rollup.

This installation automatically installs the patch for FactoryTalk Alarms and Events.

ControlLogix Redundancy System Components 24.053_kit1

Catalog Numbers

• ControlLogix® 5570 controllers*
• 1756-RM2, 1756-RM2XT**

(1) IMPORTANT: The 1756-CN2/C, 1756-CN2R/C, 1756-CN2RXT/C, 1756-CN2RK/C modules do not support firmware revisions previous to revision 25.004.

(2) IMPORTANT: The 1756-EN2T/D modules do not support firmware revisions previous to revision 10.006.

(3) Firmware revision 10.006 or later is digitally signed.

(4) IMPORTANT: The 1756-EN2T/C (or earlier) modules do not support firmware revision 10.006 or later.

(5) Firmware revision 5.028 is digitally signed firmware. Firmware revision 5.008 is unsigned firmware.

(6) IMPORTANT: The 1756-EN2TR/C modules do not support firmware revisions previous to revision 10.007.

(7) IMPORTANT: The 1756-EN2TR/B (or earlier) modules do not support firmware revision 10.007.

(8) IMPORTANT: The 1756-EN2F/C modules do not support firmware revisions before revision 10.009.

For more information on how to update your ControlLogix® redundancy system, see Replacement Guidelines: Update ControlLogix Redundancy Reference Manual, publication 1756-RM010.

For more information on how to install, configure and use your ControlLogix redundancy system, see the ControlLogix Redundancy User Manual, publication 1756-UM535.

Known Restrictions as of ControlLogix® Redundancy Revision 24.053_kit1

This revision provides support for the following:

• ControlLogix 5570 controllers*
• 1756-RM2, 1756-RM2K, and 1756-RM2XT modules
• Migration from revisions 20.054 and later

Catalog Numbers

• The 1756-EN2T module, series D, cannot be used for SIL2 applications as part of the safety loop.
• For more information on configurations for SIL2 applications, refer to Using ControlLogix® in SIL 2 Applications Reference Manual, publication 1756-RM001.

• The existing 1756-EN2T/D module specification sheets do not list the modules as being SIL2 certified. Policies currently in place by TÜV require that only the 1756-EN2T/C or the 1756-EN2TR modules be used for SIL2 applications as part of the safety loop.

• The 1756-CN2/C, 1756-CN2R/C, 1756-CN2RXT/C, 1756-CN2RK/C module firmware is not compatible with B hardware.
• The 1756-CN2x communication modules provide 131 CIP connections. However, three of the 131 CIP connections are always reserved for redundant control. These three redundant-system CIP connections always appear to be in use, even when no connections are open.
• If a qualification fails due to a ControlNet scheduling issue ((29) Qualification Error - Failed Connection Duplication logged in the 1756-RM2 event logs), the system continuously attempts the qualification and fails. This continues to occur until the cause is addressed or the Auto-Qualification option is changed to Never. The visual symptom is a repetitive display sequence of QFNG/DISQ on the 1756-RM2.

• Do not use 1756-EN2T communication modules, firmware revision 1.004 or earlier, in redundant chassis.
• 1756-EN2T communication module firmware revision 1.004 is not redundancy-compliant either in standard or redundancy systems. You must upgrade 1756-EN2T communication modules to firmware revision 5.008 to use this redundancy system revision.

• The 1756-EN2x communication modules provide 259 CIP connections. However, three of the 259 CIP connections are always reserved for redundant control. These three redundant-system CIP connections always appear to be in use, even when no connections are open.
• Because three of the 259 CIP connections are reserved for redundancy, 256 CIP connections are available for nonredundancy use.
• The 1756-EN2Tx communication modules do not support Immediate Output (IOT) instructions.
• Because these modules do not support the IOT instruction, they cannot override the RPI in a remote chassis and immediately send new data over the EtherNet/IP network.

• A redundant controller project cannot contain consumed Unicast connections. The project can contain produced Unicast tags consumed by remote consumers.

• There are differences between CIP Sync technology in nonredundant systems and redundancy systems.
• IMPORTANT: Before you use this enhancement in a redundancy system, see these publications for a full understanding of CIP Sync technology in any system:

 ControlLogix System User Manual, publication 1756-UM001

 Integrated Architecture® and CIP Sync Configuration Application Technique, publication IA-AT003

Consider the following when you use CIP Sync technology in a redundancy system:

• While CIP Sync technology can handle multiple paths between master and slave clocks, it resolves mastership most effectively if you configure the redundant paths so that Time Synchronization is enabled in only the minimum required number of EtherNet/IP communication modules.
• For example, if your redundant chassis pair has three 1756-EN2T communication modules and all are connected to the same network, enable Time Synchronization in only one of the modules.
• If you enable CIP Sync Time Synchronization in the controllers in a redundant chassis pair, you must also enable Time Synchronization in the EtherNet/IP communication modules in the redundant chassis pair so all devices have one path to the Grandmaster.

• If time synchronization is enabled in any controller in the primary chassis of a disqualified Redundant Chassis Pair, and no other devices, that is, EtherNet/IP communication modules, in the primary chassis have time synchronization enabled, the redundant chassis pair attempts to qualify. However, in these application conditions, the attempt to qualify fails.

• If the primary controller is the Grandmaster, the redundancy system automatically manages the CIP Sync clock attributes so that the controller in the primary chassis is always set to be the Grandmaster instead of the secondary controller. This clock management makes sure that a change to a new Grandmaster when the redundancy system switches over.
• When a switchover occurs, these events take place:

1. The Grandmaster status transfers from the original primary controller to the new primary controller. This transfer can take longer to complete than if Grandmaster status was transferred between devices in a nonredundant system.
2. The synchronization of the redundancy system can take longer when you use CIP Sync technology.

• You can place a maximum of two controllers in the same chassis in a redundant chassis pair. The processors also have to be at the same revision of firmware if they are in the same chassis.
• Do not use Match Project to Controller property with redundant controllers. If you use the Match Project to Controller property available in the Advanced tab of the Controller Properties dialog box, you cannot go online with, download to, or upload from the new primary controller after a switchover. This is because the serial number of the new primary controller is not the same as the serial number of the old primary controller and the project cannot be matched to the newly-switched-to controller.
• The Firmware Supervisor feature is not supported in a redundant system.
• You cannot use event tasks in a ControlLogix redundancy system. When you enable redundancy, you must change event tasks to nonevent tasks or delete them from your project.
• You cannot use Motion in ControlLogix redundancy systems. A remote controller can contain motion instructions even if it is on the same network as a redundancy system.
• Under some error conditions, the 1756-RM2 module continually attempts to requalify the system while the error prevents it from being successful. This causes the redundancy module error log to fill with the same error condition. If the system is in this condition, the redundancy module display cycles between QFNG and DISQ. To stop this from happening, change the redundancy module synchronization trigger in the Redundancy Module Configuration Tool (RMCT) to Never, until the error condition is corrected.
• The MinDurationACC alarm tag member value does not update and it stays at a 0 value. This change does not affect the MinDuration calculations.

• The System Event History displays a `Module Failure’ entry when you insert a 1756-CN2x communication module or a 1756-EN2x communication module in the chassis while the redundant chassis pair is synchronized. This is not indicative of any module failure; instead, it indicates that only a communication module was inserted in the chassis.

Digitally Signed Ethernet Module Firmware for Revision 24.053_kit1

Catalog Numbers

• 1756-EN2T/C, 1756-EN2T/D, 1756-EN2TR/B, 1756-EN2TR/C, 1756-EN2F/B, 1756-EN2F/C

Digitally signed firmware provides more security over the unsigned firmware. This firmware is different based on the EtherNet/IP communication modules you use.

Firmware revision 5.028 is not included in the redundancy system, revision 24.053_kit1 firmware bundle. You must download and install this digitally signed firmware after the redundancy bundle is installed.

Important: When you install the digitally signed firmware, that is, firmware revision 5.028, into a 1756-EN2T/C (or earlier), 1756-EN2TR/B (or earlier), or 1756-EN2F/B (or earlier) module, the installation makes the module incompatible with some firmware revisions. For example, after you update firmware, the module supports use of only digitally signed firmware. The module rejects any unsigned firmware updates.

Catalog Numbers

• ControlLogix® 5570 controllers* revisions 24.053 and 30.051
• 1756-RM2, 1756-RM2XT**

IMPORTANT: You must uninstall any existing versions of the Redundancy Module Configuration Tool (RMCT) before you install version 8.4.1.0 of the RMCT. If you do not uninstall the previous versions, you can have difficulty if you try to uninstall version 8.4.1.0 later.

You can use 1756-RM2 or 1756-RM2XT redundancy modules to commission a redundant system. You can commission a system without any additional programming. However, there is additional functionality available if you use the modules with the RMCT.

• View error diagnostics
• View qualification and compatibility status of partnered modules
• Set Auto-Synchronization parameters
• View and set Chassis ID parameters (Chassis A, Chassis B)
• Identify noncompliant modules for removal
• Configure redundancy system parameters

Dynamix 1444 Reconfiguration Error when Modifying Configuration Online (Lgx00178261)

Corrected: Studio 5000 Logix Designer® Version 24.053_kit1

Catalog Numbers: Dynamix™ 1444

The Dynamix 1444 module fails to modify properties while making online edits to the module configuration. See Technote 673785 for a workaround. The Technote is available at: https://rockwellautomation.custhelp.com/app/answers/detail/a_id/673785. A separate login is required.

Corrected Anomaly in Firmware Revisions 24.053 and 30.051

Catalog Numbers: ControlLogix® 5570 Redundant Controllers

Known Anomaly first identified as of firmware revision 20.054

• Download the application to the Primary controller.
• The system is synchronized, it disqualifies, and then in the process of requalifying it disqualifies again.
• Delete drives in an online synchronized system.

New Primary Controller Experiences a T04:C82 SFC Jump Back Failure (Lgx00187293 and Lgx00187316)

Corrected Anomaly with Firmware Revisions 24.053 and 30.051

Known Anomaly First Identified as of Firmware Revision 24.052

Catalog Numbers: ControlLogix® 5570 Redundant Controllers

After a switchover, the new primary chassis controller experiences a Major Fault Type 4 Code 82 (T04:C82) SFC Jump Back Fault. This can occur in a redundant system when SFC’s are in a continuous task in the user’s application.

For information, see Knowledgebase Article ControlLogix Redundancy New Primary Experiences a T04:C82 SFC Jump Back Major Recoverable Fault

Small Timing Window when Crossloading the Key Switch and Controller (Lgx00185375)

Corrected: Studio 5000 Logix Designer® Version 24.053_kit1

Catalog Numbers:

• 1756-L71 Redundant series B
• 1756-L72 Redundant series A and B
• 1756-L73 Redundant series A and B
• 1756-L73XT Redundant series B
• 1756-L74 Redundant series A and B
• 1756-L75 Redundant series A and B

There is a small timing window when crossloading the key switch and controller mode information to the secondary controller during qualification that can result in the primary controller MNRFing (major non-recoverable fault). This condition has the potential to occur if there are User periodic tasks that take longer than 200 milliseconds to execute. When this condition occurs, it results in the primary controller that is MNRFed and secondary controller that could not take control since it was not synchronized.

See Rockwell Automation Knowledgebase Answer ID 943413, accessible at:

http://www.rockwellautomation.com/knowledgebase/ (log on is required).

Applications with PowerFlex drives in the I/O configuration can experience a major non-recoverable fault (MNRF) (00200734, 00200735, 00200600, 00200599)

Corrected Anomaly as of Firmware Revision 31.011 and 30.014 for these catalog numbers:

• CompactLogix™ 5370 Controllers

• Compact GuardLogix® 5370 Controllers

Corrected Anomaly as of Firmware Revision 31.011 and 30.013 for these catalog numbers:

• ControlLogix® 5580 Controllers
• ControlLogix 5570 Controllers
• GuardLogix 5570 Controllers

Known Anomaly First Identified as of Firmware Revision 28.011 for these catalog numbers:

• ControlLogix 5580 Controllers
• CompactLogix 5380 Controllers
• Compact GuardLogix 5370 Controllers

Known Anomaly First Identified as of Firmware Revision 20.011 for these catalog numbers:

• ControlLogix 5570 Controllers
• GuardLogix 5570 Controllers
• ControlLogix 5570 (Redundancy) Controllers
• ControlLogix 5560 Controllers
• GuardLogix 5560 Controllers
• ControlLogix 5560 (Redundancy) Controllers
• CompactLogix 5370 Controllers
• 1769 CompactLogix Controllers
• 1768 CompactLogix Controllers

If a controller already has an application loaded into it that contains PowerFlex drives in the I/O configuration, a MNRF (Major Non-Recoverable Fault) can occur when any of the following occurs:

• A download of a project is performed to the controller.
• A PowerFlex drive is deleted while online.
• A firmware flash update of the controller is performed.
  

For more information and workarounds, see Knowledgebase document 1067997.

Some Faults Are Not Logged in The Controller Log (1061142, 1594647)

The Controller Log feature does not properly log User Task Watchdog faults (Type 6 Code 1) in the Controller Log. For more information about the Controller Log feature, see the Logix 5000® Controllers Information and Status Programming Manual, publication 1756-PM015.

PCMD Returns Incorrect Error Code (1056295)

Equipment Phase Command (PCMD) returns the incorrect error code “0x6003, HIGH_PRIORITY_OWNED” when it should return “0x6004, NOT_ATTACHED”

Controller Can Assert During The I/O Module Configuration Process (1024030, 00219969)

Certain I/O modules send more configuration data than fits in a standard forward open (508 bytes) when the connection is being established.  Therefore, the configuration process can take longer to complete. Examples include E300™ Electronic Overload Relays, 1444 Dynamics, 1718 I/O, 1719 I/O, and many third-party I/O devices.

When the configuration data is being sent to the device, if you change the configuration through the Add-on Profile for the device and then apply the changes the controller can assert.

Grandmaster Clock Description Not Correctly Being Displayed (939979)

Located in controller properties → Date Time → Advanced → Grandmaster Clock description could be shown as a blank description or could be showing old information. This does not impact time synchronization.

• Extended tag properties, rung comments, and descriptions
• Updated alarm state model and subscription model
• Support for up to 3000 active alarms and a burst of up to 250 simultaneous alarms
• Support for up to 1000 programs
• Add-On Instruction hardware abstraction support
• Program parameters support

Communication Interruption on EtherNet/IP Networks for Revision 24.053_kit1

Application Notes

Catalog Numbers

• ControlLogix®5570 controllers*

These connection types can experience the communication delay when a switchover occurs:

• HMI to redundant chassis pair
• FactoryTalk® Batch server to redundant chassis pair

IMPORTANT: The Batch Server detects the lost connection and repeatedly attempts to reestablish the connection until successful. However, while the connection is lost, the Batch Server puts the recipes, or entire batch, in the held state.
After the connection between the Batch Server and the redundant chassis pair is reestablished, you can clear the communication failure and restart the recipes. The Batch Server keeps the recipes in the held state until the failure is cleared and recipes restarted.

• FactoryTalk Alarms and Events Service to redundant chassis pair

If any alarms are generated while the connection is lost, that data is buffered. When the connection is reestablished, you must acknowledge the connection loss.

If your application requires that the connections described above are maintained during a switchover, we recommend the following:

• Bridge the connection between the component and a redundant chassis pair with an EtherNet/IP network to ControlNet network path.
• Bridge the connection between the component and redundant chassis pair with an exclusive ControlNet connection.

IMPORTANT: I/O connections do not experience delays when a switchover occurs.

Use these firmware revisions for EtherNet/IP communication modules in the remote chassis to maintain I/O and Produce/Consume connections during a switchover.

Synchronize after Disqualification for Revision 24.053_kit1

Application Notes

Catalog Numbers

• ControlLogix® 5570 controllers*

If your secondary chassis becomes disqualified, or you manually disqualify it, perform these actions before you try to synchronize the chassis.

1. Verify that the synchronization status of the primary module is full compatibility.
2. Wait at least 15 seconds after the redundant chassis are disqualified before you try to synchronize them.

Increase Product Resiliency for Revision 24.053_kit1

Application Notes

Catalog Numbers

• 1756-RM
• 1756-RM2