Release Notes
ControlLogix Enhanced Redundancy System
Version 20.058_kit2 (released 3/2018)
Catalog Number 1756-Lxx Enhanced Redundancy Bundle
Security
This release includes security enhancements as a part of our ongoing efforts to improve security. For information regarding Rockwell Automation's vulnerability disclosure process, please reference the Rockwell Automation Vulnerability Policy.
CVE-2022-3157: Denial-of-Service Vulnerability That Affects Logix 5000™ Controllers (1256258, 1289747)
|
Controllers
|
First Known in
Firmware
Revision
|
Corrected in Firmware
Revision
|
|
CompactLogix™ 5370
|
20.011
|
33.013, 34.011 and later
|
|
Compact GuardLogix® 5370
|
28.011
|
33.013, 34.011 and later
|
|
ControlLogix® 5570
|
20.011
|
33.013, 34.011 and later
|
|
GuardLogix 5570
|
20.011
|
33.013, 34.011 and later
|
|
ControlLogix 5570 redundant
|
20.054
|
33.052, 34.051 and later
|
For a full list of the potentially affected Rockwell Automation products and a description of the vulnerability, see Knowledgebase Product Notice Controllers Vulnerable to a Denial-of-Service Vulnerability.
CVE-2020-6998: Denial-of-Service Vulnerability That Affects Logix 5000™ Controllers (00228528)
|
Controllers
|
First Known in
Firmware Revision
|
Corrected in
Firmware Revision
|
|
CompactLogix™ 5370
|
20.011
|
33.011 and later
|
|
Compact GuardLogix® 5370
|
28.011
|
33.011 and later
|
|
ControlLogix® 5570
|
20.011
|
33.011 and later
|
|
GuardLogix 5570
|
20.011
|
33.011 and later
|
|
ControlLogix 5570 redundant
|
20.054
|
33.051 and later
|
For a full list of the potentially affected Rockwell Automation products and a description of the vulnerability, see Knowledgebase Product Notice CompactLogix 5370 and ControlLogix 5570 Controllers Vulnerable to Denial of Service Conditions due to Improper Input Validation.
Denial-of-Service Vulnerability That Affects Logix 5000™ Controllers (1042476,1042479)
|
Controllers
|
First Known in Firmware
Revision
|
Corrected in Firmware
Revision
|
|
CompactLogix™ 5370
|
20.011
|
33.016, 34.011 and later
|
|
Compact GuardLogix®
5370
|
28.011
|
33.016, 34.011 and later
|
|
ControlLogix® 5570
|
20.011
|
33.016, 34.011 and later
|
|
ControlLogix 5570
redundant
|
20.054
|
33.053, 34.051 and later
|
|
GuardLogix 5570
|
20.011
|
33.016, 34.011 and later
|
|
CompactLogix 5380
|
28.011
|
32.016, 33.011 and later
|
|
Compact GuardLogix 5380
SIL 2
|
31.011
|
32.016, 33.011 and later
|
|
Compact GuardLogix 5380
SIL 3
|
32.013
|
32.016, 33.011 and later
|
|
CompactLogix 5480
|
32.011
|
32.016, 33.011 and later
|
|
ControlLogix 5580
|
28.011
|
32.016, 33.011 and later
|
|
GuardLogix 5580
|
31.011
|
32.016, 33.011 and later
|
For a full list of the potentially affected Rockwell Automation products and a description of the vulnerability, see Knowledgebase Product Notice Logix Controllers Vulnerable to Denial-of-Service Attack.
Requirements
This release has the following requirements.
1756-L7 Safety Certification
This version is certified to SIL 2. For more information, see Safety Certificate logix-ct007.
Corrected Anomalies in This Release
This release corrects the following anomalies.
|
Controllers
|
First Known in
Firmware Revision
|
Corrected in Firmware
Revision
|
|
ControlLogix® 5570 Redundant
|
19.052
|
20.054 and later
|
|
ControlLogix 5060 Redundant
|
19.052
|
20.054 and later
|
Known Anomalies from Previous Releases
These anomalies are from previous releases but are still known in this release.
Known Anomaly as of ControlLogix Redundancy Revision 20.054
Catalog Numbers
- ControlLogix L7 redundant controllers
- ControlLogix L6 redundant controllers
You cannot use a 1756-EWEB communication module in an enhanced redundancy system, revision 20.054.
If you are migrating from a ControlLogix standard redundancy system to an enhanced redundancy system, you must replace existing 1756-EWEB communication modules with any of the 1756-EN2Tx communication modules Keep in mind that when you replace a 1756-EWEB communication module with a 1756-EN2Tx communication module, your application loses functionality that is available with only the 1756-EWEB communication module. These are examples of functionality that is no longer available in an Enhanced Redundancy System:
- Simple Network Time Protocol (SNTP) Client
- Web pages
You must account for this lost functionality in your RSLogix 5000 software project.
IMPORTANT: You cannot perform online migration from 1756-EWEB communication modules to 1756-EN2T or 1756-EN2TR communication modules.
Known Anomaly as of ControlLogix Redundancy Revision 20.055
Catalog Numbers
- ControlLogix L7 redundant controllers
- ControlLogix L6 redundant controllers
Keep in mind the following alarm considerations in redundancy systems:
- Alarms scanned during the continuous task can be published to the alarm server twice after a switchover. If a switchover occurs and a continuous task that contains alarm instructions is scanned twice as a result, a duplicate `out of scope’ alarm entry can be indicated in the alarm summary object. To clear `out of scope’ entries, click Refresh alarm list.
- Alarm status messages can be duplicated in the Alarm History Log in the event of a switchover. To make troubleshooting duplicate alarm states easier, consider programming alarms to indicate when a redundant system switchover occurs.
- Alarms that are acknowledged just before or during a switchover can be indicated as active and unacknowledged after a switchover. If this occurs, acknowledge the alarm a second time.
- If an alarm is active, then inactive, and a switchover occurs before change in the alarm state is updated to the FactoryTalk server, the FactoryTalk alarm history log can not indicate the change in alarm state.
(Lgx00093529)
Alarm parameters can be lost when a switchover occurs.
When a switchover occurs in a redundant system that uses alarms, certain alarm parameters can not be transferred to the new primary controller if the parameters have changed since the last crossload of data. Alarm parameters that can not transfer include the following:
- DeliveryER
- DeliveryEN
- NoSubscriber
- NoConnection
- CommError
- AlarmBuffered
- SubscNotified
Once the alarm data is buffered, the parameters are updated.
(Lgx00093826)
Alarms can fail to be acknowledged when the attempt to acknowledge them occurs during a switchover.
If you attempt to acknowledge an alarm while a switchover occurs, a failure to acknowledge the alarm is indicated. Attempting to acknowledge the alarm a second time is successful.
Known Anomaly as of ControlLogix Redundancy Revision 20.054
Catalog Numbers
- ControlLogix L7 redundant controllers
- ControlLogix L6 redundant controllers
There are differences between CIP Sync technology in nonredundant systems and enhanced redundancy systems, revision 20.054.
IMPORTANT: Before you use this enhancement in an enhanced redundancy system, see these publications for a full understanding of CIP Sync technology in any system:
- ControlLogix System User Manual, publication 1756-UM001
- ControlLogix Controllers, Revision 18 Release Notes, publication 1756-RN018
- Integrated Architecture and CIP Sync Configuration Application Technique, publication IA-AT003
Consider the following when you use CIP Sync technology in an enhanced redundancy system, revision 20.054:
- If you enable CIP Sync Time Synchronization in the controllers in a redundant chassis pair, you must also enable Time Synchronization in the EtherNet/IP communication modules in the redundant chassis pair so all devices have a single path to the Grandmaster.
- If time synchronization is enabled in any controller in the primary chassis of a disqualified Redundant Chassis Pair, and no other devices, that is, EtherNet/IP communication modules, in the primary chassis have time synchronization enabled, the redundant chassis pair attempts to qualify. However, in these application conditions, the attempt to qualify fails.
- While CIP Sync technology can handle multiple paths between master and slave clocks, it resolves mastership most effectively if you configure the redundant paths so that Time Synchronization is enabled in only the minimum required number of EtherNet/IP communication modules.
For example, if your redundant chassis pair has three 1756-EN2T communication modules and all are connected to the same network, enable Time Synchronization in only one of the modules.
• If the primary controller is the Grandmaster, the enhanced redundancy system automatically manages the CIP Sync clock attributes so that the controller in the primary chassis is always set to be the Grandmaster instead of the secondary controller. This clock management ensures a change to a new Grandmaster when the redundancy system switches over.
- When a switchover occurs, these events take place:
– The Grandmaster status transfers from the original primary controller to the new primary controller. This transfer can take longer to complete than if Grandmaster status was transferred between devices in a nonredundant system.
– The synchronization of the enhanced redundancy system can take longer to complete than when it occurs on a switchover in an enhanced redundancy system, revision 20.054, that does not use CIP Sync technology.
- If you attempt to use the Redundant System Update (RSU) feature to upgrade an enhanced redundancy system, revision 16.081 or earlier, that uses Coordinated System Time (CST), the enhanced redundancy system, revision 20.054 does not permit a locked switchover and the upgrade fails to complete.
To work around this restriction, first disable CST Mastership in the original redundancy system and then use RSU to upgrade to enhanced redundancy system, revision 20.054.
Known Anomaly as of ControlLogix Redundancy Revision 20.055
Catalog Numbers
- ControlLogix L7 redundant controllers
- ControlLogix L6 redundant controllers
Connections can drop temporarily if a 1756-EN2Tx communication module is not configured correctly.
If your application includes a connection from a remote controller to a primary controller over an EtherNet/IP network, you must use these configuration settings for the 1756-EN2Tx communication module in the primary chassis when it is added to the remote controller’ s RSLogix 5000 project:
- Rack Connection = None
- Time Sync Connection = None
If the parameters are configured in any other combination, the connection between the remote controller and primary controller is temporarily dropped during a switchover. The connection is re-established after the switchover is complete.
Important: When you add the 1756-EN2Tx communication module to the primary controller’s RSLogix 5000 project, you can use any settings for the parameters above with no effect on the connection from remote controller to primary controller.
Known Anomaly as of ControlLogix Redundancy Revision 20.055
Catalog Numbers
- ControlLogix L7 redundant controllers
- ControlLogix L6 controllers
If connecting a redundant controller over ControlNet by using the Controller Log feature, and a switchover occurs, the controller log entries no longer shows the user’ s name. After the switchover, the user name indicates ‘ unknown.’
Known Anomaly as of ControlLogix Redundancy Revision 20.055
Catalog Numbers
- ControlLogix L7 redundant controllers
- ControlLogix L6 redundant controllers
When a high number of consumed connections are routed through a ControlNet communication module in the primary chassis to a SoftLogix controller, the primary controller reports a connection failure, that is, error code 16#0203. This anomaly occurs despite the fact that there are no network disruptions or device power cycling.
Known Anomaly as of ControlLogix Redundancy Revision 20.055
Catalog Numbers
- ControlLogix L7 redundant controllers
1756-L7 controllers display No Project message during qualification process.
While qualification is in process in a system that uses 1756-L7x controllers, controllers in the secondary chassis display No Project in their Scrolling Status Display status indicator. When qualification is complete, the secondary controllers display the name of the project loaded into the primary controller.
Known Anomaly as of ControlLogix Redundancy Revision 20.054
Catalog Numbers
- ControlLogix L7 redundant controllers
- ControlLogix L6 redundant controllers
- You can place a maximum of two controllers in the same chassis in a redundant chassis pair. When two controllers are used in the same chassis, they must be of the same product family. For example, you cannot place a 1756-L6x controller with a 1756-L7x controller in the same chassis.
- Do not use Match Project to Controller property with redundant controllers. If you use the Match Project to Controller property available in the Advanced tab of the Controller Properties dialog box, you cannot go online with, download to, or upload from the new primary controller after a switchover. This is because the serial number of the new primary controller is not the same as the serial number of the old primary controller and the project cannot be matched to the newly-switched-to controller.
- You cannot use the Firmware Supervisor feature available in RSLogix 5000 software.
- You cannot use event tasks in a ControlLogix enhanced redundancy systems. When you enable redundancy, you must change event tasks to nonevent tasks or delete them from your project.
- You cannot use Motion in ControlLogix enhanced redundancy systems. A remote controller can contain motion instructions even if it is on the same network as a redundancy system.
- Under some error conditions, the 1756-RM module continually attempts to requalify the system while the error prevents it from being successful. This causes the redundancy module error log to fill with the same error condition. If the system is in this condition, the redundancy module display cycles between QFNG and DISQ. To stop this from happening, change the redundancy module synchronization trigger in the Redundancy Module Configuration Tool (RMCT) to Never, until the error condition is corrected.
- Under rare conditions, inserting a redundancy module into a running system can cause the redundancy system to switchover or disqualify, and cause the other modules in that chassis to reset themselves. Inserting the module at an angle causes the anomaly. Make sure the module is inserted straight into the chassis without any side-to-side or top-to-bottom movement.
Known Anomaly as of ControlLogix Redundancy Revision 20.055
Catalog Numbers
- ControlLogix L7 redundant controllers
- ControlLogix L6 redundant controllers
When a program in the primary controller is inhibited or uninhibited, the secondary can disqualify and re-qualify.
When changing the Inhibit Program setting, plan for secondary chassis disqualification according to potential implications that are specific to your application. Or, unschedule the program rather than inhibiting it.
Known Anomaly as of ControlLogix Redundancy Revision 20.055
Catalog Numbers
- ControlLogix L7 redundant controllers
- ControlLogix L6 redundant controllers
Inhibiting equipment phase can cause disqualification.
If you inhibit an equipment phase, or a task that includes an equipment phase, in a primary controller, the secondary controller is disqualified. This disqualification results from program sequence mismatches between the primary and secondary controllers.
Known Anomaly as of ControlLogix Redundancy Revision 20.055
Catalog Numbers
- ControlLogix L7 redundant controllers
- ControlLogix L6 redundant controllers
(Lgx00114044, Lgx00113005, Lgx00111045, Lgx00111230)
A Partial Import Online to a primary controller over a ControlNet network can fail
if a system switchover occurs while the PIO is still in process.
When the anomaly occurs and the PIO fails, you can see any of these errors:
- Failed to import file 'c\...\xxx.L5x
Object already exists
- Failed to import file 'c\...\xxx.L5x
Already in request mode/state
- CIP error: Problem with a semaphore
- Internal Object Identifier (IOI) destination unknown
After the switchover completes, restart the PIO with the redundant chassis pair disqualified or synchronized, and the PIO is complete.
(Lgx00108673)
When you import a routine to an empty program in a synchronized enhanced
redundancy system, disqualification can occur.
(Lgx00108575)
If tasks are not properly tuned and you execute a large PIO, the primary
controller can experience a watchdog fault during the import because the
Watchdog parameter is set too low. The fault causes a switchover.
When this anomaly occurs, however, once the secondary controller goes online, it shows incorrect data in its fault log. The incorrect data appears in the Task, Program, and Routine fields.
The fault log typically shows the following:
- Watchdog Fault (Type 06)
- Task watchdog expired. Can be caused by an infinite loop, a complex program, or a higher priority task. (Code 01)
- Task: <unknown>
- Program: <unknown>
- Routine: <unknown>
You must execute an upload on the secondary controller to obtain correct Task, Program, and Routine watchdog information in the event of a future watchdog fault.
Known Anomaly as of ControlLogix Redundancy Revision 20.054
Catalog Numbers
- ControlLogix L7 redundant controllers
- ControlLogix L6 redundant controllers
If a qualification fails due to a ControlNet scheduling issue ((29) Qualification Error - Failed Connection Duplication logged in the 1756-RM event logs), the system continuously attempts the qualification and fail. This continues to occur until the cause is addressed or the Auto-Qualification option is changed to Never. The visual symptom is a repetitive display sequence of QFNG/DISQ on the 1756-RM.
Known Anomaly as of ControlLogix Redundancy Revision 20.055
Catalog Numbers
- ControlLogix L7 redundant controllers
- ControlLogix L6 redundant controllers
Redundant chassis synchronization fails when the controller is near its connection limit.
Chassis synchronization can fail if the controller is near its connection limits. To reduce the likelihood of this anomaly, verify that you use controller connections within the limits of the controller and that at least eight controller connections are reserved for the redundant system.
- The 1756-L6 controllers support as many as 250 controller connections. If your enhanced redundancy system uses these controllers, limit the number of controllers connections used to 242 or fewer connections.
- The 1756-L7 controllers support as many as 500 controller connections. If your enhanced redundancy system uses these controllers, limit the number of controllers connections used to 492 or fewer connections.
Known Anomaly as of ControlLogix Redundancy Revision 20.054
Catalog Numbers
- ControlLogix L7 redundant controllers
- ControlLogix L6 redundant controllers
A redundant controller project cannot contain consumed Unicast connections. The project can contain produced Unicast tags consumed by remote consumers.
Applications with PowerFlex drives in the I/O configuration can experience a major non-recoverable fault (MNRF) (00200734, 00200735, 00200600, 00200599)
Corrected Anomaly as of Firmware Revision 31.011 and 30.014 for these catalog numbers:
- CompactLogix™ 5370 Controllers
- Compact GuardLogix® 5370 Controllers
Corrected Anomaly as of Firmware Revision 31.011 and 30.013 for these catalog numbers:
- ControlLogix® 5580 Controllers
- ControlLogix 5570 Controllers
- GuardLogix 5570 Controllers
Known Anomaly First Identified as of Firmware Revision 28.011 for these catalog numbers:
- ControlLogix 5580 Controllers
- CompactLogix 5380 Controllers
- Compact GuardLogix 5370 Controllers
Known Anomaly First Identified as of Firmware Revision 20.011 for these catalog numbers:
- ControlLogix 5570 Controllers
- GuardLogix 5570 Controllers
- ControlLogix 5570 (Redundancy) Controllers
- ControlLogix 5560 Controllers
- GuardLogix 5560 Controllers
- ControlLogix 5560 (Redundancy) Controllers
- CompactLogix 5370 Controllers
- 1769 CompactLogix Controllers
- 1768 CompactLogix Controllers
If a controller already has an application loaded into it that contains PowerFlex drives in the I/O configuration, a MNRF (Major Non-Recoverable Fault) can occur when any of the following occurs:
- A download of a project is performed to the controller.
- A PowerFlex drive is deleted while online.
- A firmware flash update of
the controller is performed.
For more information and workarounds, see Knowledgebase document 1067997.
Some Faults Are Not Logged in The Controller Log (1061142, 1594647)
|
Controllers
|
First Known in Firmware
Revision
|
Corrected in Firmware
Revision
|
|
CompactLogix™ 5370
|
20.011
|
33.016, 34.011 and later
|
|
Compact GuardLogix® 5370
|
28.011
|
33.016, 34.011 and later
|
|
ControlLogix® 5570
|
20.011
|
33.016, 34.011 and later
|
|
ControlLogix 5570 redundant
|
20.054
|
33.053, 34.051 and later
|
|
GuardLogix 5570
|
20.011
|
33.016, 34.011 and later
|
The Controller Log feature does not properly log User Task Watchdog faults (Type 6 Code 1) in the Controller Log. For more information about the Controller Log feature, see the Logix 5000® Controllers Information and Status Programming Manual, publication 1756-PM015.
PCMD Returns Incorrect Error Code (1056295)
|
Controllers
|
First Known in Firmware
Revision
|
Corrected in Firmware
Revision
|
|
CompactLogix™ 5370
|
20.011
|
34.011
|
|
Compact GuardLogix® 5370
|
28.011
|
34.011
|
|
ControlLogix® 5570
|
20.011
|
34.011
|
|
ControlLogix 5570 redundant
|
20.054
|
34.051
|
|
GuardLogix 5570
|
28.011
|
34.011
|
|
CompactLogix 5380
|
28.011
|
34.011
|
|
Compact GuardLogix 5380 SIL 2
|
31.011
|
34.011
|
|
Compact GuardLogix 5380 SIL 3
|
32.013
|
34.011
|
|
CompactLogix 5380 Process
|
33.011
|
34.011
|
|
CompactLogix 5480
|
32.011
|
34.011
|
|
ControlLogix 5580
|
28.011
|
34.011
|
|
GuardLogix 5580
|
31.011
|
34.011
|
|
ControlLogix 5580 Process
|
33.011
|
34.011
|
Equipment Phase Command (PCMD) returns the incorrect error code “0x6003, HIGH_PRIORITY_OWNED” when it should return “0x6004, NOT_ATTACHED”
Controller Can Assert During The I/O Module Configuration Process (1024030, 00219969)
|
Controllers
|
First Known in Firmware
Revision
|
Corrected in Firmware
Revision
|
|
CompactLogix™ 5370
|
20.011
|
34.011
|
|
Compact GuardLogix® 5370
|
28.011
|
34.011
|
|
ControlLogix® 5570
|
20.011
|
34.011
|
|
ControlLogix 5570 redundant
|
20.054
|
34.051
|
|
GuardLogix 5570
|
28.011
|
34.011
|
|
CompactLogix 5380
|
28.011
|
33.011
|
|
Compact GuardLogix 5380 SIL 2
|
31.011
|
33.011
|
|
Compact GuardLogix 5380 SIL 3
|
32.013
|
33.011
|
|
CompactLogix 5480
|
32.011
|
33.011
|
|
ControlLogix 5580
|
28.011
|
33.011
|
|
GuardLogix 5580
|
31.011
|
33.011
|
Certain I/O modules send more configuration data than fits in a standard forward open (508 bytes) when the connection is being established. Therefore, the configuration process can take longer to complete. Examples include E300™ Electronic Overload Relays, 1444 Dynamics, 1718 I/O, 1719 I/O, and many third-party I/O devices.
When the configuration data is being sent to the device, if you change the configuration through the Add-on Profile for the device and then apply the changes the controller can assert.
Grandmaster Clock Description Not Correctly Being Displayed (939979)
|
Controllers
|
First Known in Firmware
Revision
|
Corrected in Firmware
Revision
|
|
CompactLogix™ 5370
|
20.011
|
34.011
|
|
Compact GuardLogix® 5370
|
28.011
|
34.011
|
|
ControlLogix® 5570
|
20.011
|
34.011
|
|
ControlLogix 5570 redundant
|
20.054
|
34.051
|
|
GuardLogix 5570
|
20.011
|
34.011
|
Located in controller properties → Date Time → Advanced → Grandmaster Clock description could be shown as a blank description or could be showing old information. This does not impact time synchronization.
Copyright © 2026 Rockwell Automation, Inc. All rights reserved.
Rockwell Automation, Allen-Bradley, and FactoryTalk are trademarks of Rockwell Automation, Inc.
To view a complete list of Rockwell Automation trademarks please click here.
Trademarks not belonging to Rockwell Automation are property of their respective companies.