Denial-of-Service Vulnerability That Affects Logix 5000™ Controllers (1042476,1042479)

For a full list of the potentially affected Rockwell Automation products and a description of the vulnerability, see Knowledgebase Product Notice Logix Controllers Vulnerable to Denial-of-Service Attack.

CVE-2022-3157: Denial-of-Service Vulnerability That Affects Logix 5000™ Controllers (1256258, 1289747)

For a full list of the potentially affected Rockwell Automation products and a description of the vulnerability, see Knowledgebase Product Notice Controllers Vulnerable to a Denial-of-Service Vulnerability.

CVE-2020-6998: Denial-of-Service Vulnerability That Affects Logix 5000™ Controllers (00228528)

For a full list of the potentially affected Rockwell Automation products and a description of the vulnerability, see Knowledgebase Product Notice CompactLogix 5370 and ControlLogix 5570 Controllers Vulnerable to Denial of Service Conditions due to Improper Input Validation.

ControlLogix Redundancy Compatible Software for Revision 30.051_kit2

Catalog Numbers

• ControlLogix® 5570 controllers*

(1) You must download a FactoryTalk Alarm and Events patch. See Knowledgebase Article Master list of all available Patch TOCs.

(2) The installation of FactoryTalk View Site Edition also installs FactoryTalk Services Platform, which installs FactoryTalk Alarms and Events. Also, if you download and install the latest FactoryTalk Services Patch Rollup, this patch automatically installs the patch for FactoryTalk Alarms and Events.

(3) Use the most recent FactoryTalk Batch Patch Roll-up with this redundancy firmware revision. For the most recent patch roll-up, see Knowledgebase Article Master list of all available Patch TOCs.

IMPORTANT: The following steps apply only to the FactoryTalk Alarms and Events installation.

1. Install FactoryTalk View Site Edition.

This installation installs FactoryTalk Services Platform, which installs FactoryTalk Alarms and Events.

2. Download and install the latest FactoryTalk Services Patch Rollup.

This installation automatically installs the patch for FactoryTalk Alarms and Events.

(4) For the most recent FactoryTalk Linx patch roll-up, see Rockwell Automation Knowledgebase Answer ID Knowledgebase Article Master list of all available Patch TOCs.

ControlLogix Redundancy System Components Revision 30.051_kit2

Catalog Numbers

• ControlLogix® 5570 controllers*
• 1756-RM2, 1756-RM2XT**

This redundancy system revision includes the following:

(2) IMPORTANT: The 1756-EN2T/D modules do not support firmware revisions previous to revision 10.006.

(3) Firmware revision 10.006 or later is digitally signed.

(4) IMPORTANT: The 1756-EN2T/C (or earlier) modules do not support firmware revision 10.006 or later.

(5) Firmware revision 5.028 is digitally signed firmware. Firmware revision 5.008 is unsigned firmware.

(6) IMPORTANT: The 1756-EN2TR/C modules do not support firmware revisions previous to revision 10.007.

(7) IMPORTANT: The 1756-EN2TR/B (or earlier) modules do not support firmware revision 10.007.

(8) IMPORTANT: The 1756-EN2F/C modules do not support firmware revisions before revision 10.009.

Additional Resources for Revision 30.051_kit2

For more information on how to update your ControlLogix® redundancy system, see Replacement Guidelines: Update ControlLogix Redundancy Reference Manual, publication 1756-RM010.

For more information on how to install, configure and use your ControlLogix redundancy system, see the ControlLogix Redundancy User Manual, publication 1756-UM535.

Digitally Signed Ethernet Module Firmware for Revision 30.051_kit2

Catalog Numbers

• 1756-EN2T/C, 1756-EN2T/D, 1756-EN2TR/B, 1756-EN2TR/C, 1756-EN2F/B, 1756-EN2F/C

Digitally signed firmware provides more security over the unsigned firmware. This firmware is different based on the EtherNet/IP™ communication modules you use.

Firmware revision 5.028 is not included in the redundancy system, revision 30.051_kit2 firmware bundle. You must download and install this digitally signed firmware after the redundancy bundle is installed.

Important: After you install digitally signed firmware (revision 5.028), into a 1756-EN2T/C (or earlier), 1756-EN2TR/B (or earlier), or 1756-EN2F/B (or earlier) module, you cannot flash those modules to any firmware revisions earlier than revision 5.028. For example, after you update firmware, the module supports use of only digitally signed firmware. The module rejects any unsigned firmware updates.

Known Restrictions as of ControlLogix® Redundancy Revision 30.051_kit2

This revision supports the following:

• ControlLogix 5570 controllers*
• 1756-RM2, 1756-RM2K, and 1756-RM2XT modules
• Migration from revision 24.05X_kit1

Catalog Numbers

• The 1756-EN2T module, series D, cannot be used for SIL 2 applications as part of the safety loop. The existing 1756-EN2T/D module specification sheets do not list the modules as being SIL 2 certified.
• Policies currently in place by TÜV require that only the 1756-EN2T/C or the 1756-EN2TR modules be used for SIL 2 applications as part of the safety loop.
• For more information on configurations for SIL 2 applications, refer to Using ControlLogix in SIL 2 Applications Reference Manual, publication 1756-RM001.

1756-CN2, 1756-CN2R, 1756-CN2RXT, 1756-CN2RK:

• The 1756-CN2/C, 1756-CN2R/C, 1756-CN2RXT/C, 1756-CN2RK/C module firmware is not compatible with series B hardware.
• The 1756-CN2x communication modules provide 131 CIP™ connections. However, three of the 131 CIP connections are always reserved for redundant control. These three redundant-system CIP connections always appear to be in use, even when no connections are open.
• If a qualification fails due to a ControlNet® scheduling issue [(29) Qualification Error - Failed Connection Duplication that is logged in the 1756-RM2 event logs], the system continuously attempts the qualification and fails. This continues to occur until the cause is addressed or the Auto-Qualification option is changed to Never. The visual symptom is a repetitive display sequence of QFNG/DISQ on the 1756-RM2.

1756-EN2T:

• Do not use 1756-EN2T communication modules, firmware revision 1.004 or earlier, in redundant chassis.
• 1756-EN2T communication module firmware revision 1.004 is not redundancy-compliant either in standard or redundancy systems. You must upgrade 1756-EN2T communication modules to firmware revision 5.008 to use this redundancy system revision.

1756-EN2T, 1756-EN2TR, 1756-EN2TXT, 1756-EN2F:

• The 1756-EN2x communication modules provide 259 CIP connections. However, three of the 259 CIP connections are always reserved for redundant control. These three redundant-system CIP connections always appear to be in use, even when no connections are open.

• Because three of the 259 CIP connections are reserved for redundancy, 256 CIP connections are available for nonredundancy use.
• The 1756-EN2Tx communication modules do not support Immediate Output (IOT) instructions.
• Because these modules do not support the IOT instruction, they cannot override the RPI in a remote chassis and immediately send new data over the EtherNet/IP™ network.

ControlLogix 5570 redundant controllers*, 1756-EN2T, 1756-EN2TR, 1756-EN2TXT, 1756-EN2F:

• A redundant controller project cannot contain consumed Unicast connections. The project can contain produced Unicast tags that are consumed by remote consumers.

CIP Sync™ Technology Included in Redundant Systems:

• There are differences between CIP Sync technology in non-redundant systems and redundancy systems.
• IMPORTANT: Before you use this enhancement in a redundancy system, see these publications for a full understanding of CIP Sync technology in any system:

 • ControlLogix System User Manual, publication 1756-UM001

• Integrated Architecture® and CIP Sync Configuration Application Technique, publication IA-AT003

Consider the following when you use CIP Sync technology in a redundancy system:

• If you enable CIP Sync Time Synchronization in the controllers in a redundant chassis pair, you must also enable Time Synchronization in the EtherNet/IP communication modules in the redundant chassis pair so all devices have one path to the Grandmaster.
• If time synchronization is enabled in any controller in the primary chassis of a disqualified Redundant Chassis Pair, and no EtherNet/IP communication modules in the primary chassis have time synchronization enabled, the redundant chassis pair attempts to qualify. However, in these application conditions, the attempt to qualify fails.
• While CIP Sync technology can handle multiple paths between master and slave clocks, it resolves mastership most effectively if you configure the redundant paths so that Time Synchronization is enabled in only the minimum required number of EtherNet/IP communication modules.
• For example, if your redundant chassis pair has three 1756-EN2T communication modules and all are connected to the same network, enable Time Synchronization in only one of the modules.
• If the primary controller is the Grandmaster, the redundancy system automatically manages the CIP Sync clock attributes so that the controller in the primary chassis is always set to be the Grandmaster instead of the secondary controller. This clock management makes sure that a change to a new Grandmaster when the redundancy system switches over.

• When a switchover occurs, these events take place:

1. The Grandmaster status transfers from the original primary controller to the new primary controller. This transfer can take longer to complete than if Grandmaster status was transferred between devices in a non-redundant system.

2. The synchronization of the redundancy system can take longer when you use CIP Sync technology.

ControlLogix 5570 controllers*

• You can place a maximum of two controllers in the same chassis in a redundant chassis pair at the same firmware bundle.
• Do not use Match Project to Controller property with redundant controllers. If you use the Match Project to Controller property available in the Advanced tab of the Controller Properties dialog box, you cannot go online with, download to, or upload from the new primary controller after a switchover. This is because the serial number of the new primary controller is not the same as the serial number of the old primary controller and the project cannot be matched to the new primary controller.
• The Firmware Supervisor feature is not supported in a redundant system.
• You cannot use event tasks in a ControlLogix redundancy system. When you enable redundancy, you must change event tasks to nonevent tasks or delete them from your project.
• You cannot use motion in ControlLogix redundancy systems. A remote controller can contain motion instructions even if it is on the same network as a redundancy system.
• Under some error conditions, the 1756-RM2 module continually attempts to requalify the system while the error prevents it from being successful. This causes the redundancy module error log to fill with the same error condition. If the system is in this condition, the redundancy module display cycles between QFNG and DISQ. To stop this from happening, change the redundancy module synchronization trigger in the Redundancy Module Configuration Tool (RMCT) to Never, until the error condition is corrected.
• The MinDurationACC alarm tag member value does not update and it stays at a 0 value. This change does not affect the MinDuration calculations.

1756-CN2, 1756-CN2R, 1756-CN2RXT, 1756-EN2T, 1756-EN2TR, 1756-EN2TXT, 1756-EN2F:

• The System Event History displays a `Module Failure’ entry when you insert a 1756-CN2x communication module or a 1756-EN2x communication module in the chassis while the redundant chassis pair is synchronized. This is not indicative of any module failure; instead, it indicates that only a communication module was inserted in the chassis.

*ControlLogix 5570 controllers include all ControlLogix-XT™ and K versions.

1756-L7 Safety Certification

This version is certified to SIL 2. For more information, see Safety Certificate logix-ct007.

Catalog Numbers

• ControlLogix® 5570 controllers*
• 1756-RM2, 1756-RM2XT**

IMPORTANT: You must uninstall any existing versions of the Redundancy Module Configuration Tool (RMCT) before you install version 8.5.1.0 of the RMCT. If you do not uninstall the previous versions, you can have difficulty if you try to uninstall version 8.5.1.0 later.

You can use 1756-RM2 or 1756-RM2XT redundancy modules to commission a redundant system. You can commission a system without any additional programming. However, there is additional functionality available if you use the modules with the RMCT.

• View error diagnostics
• View qualification and compatibility status of partnered modules
• Set Auto-Synchronization parameters
• View and set Chassis ID parameters (Chassis A, Chassis B)
• Identify noncompliant modules for removal
• Configure redundancy system parameters

Flashing Firmware From 20.030 To 20.010 Results in The Module Loading BOOT Firmware (00233910)

When a redundancy module is at firmware version 20.030 and an attempt is made to flash to 20.010, the module reverts to 20.022.0.

A workaround to recover from this is to flash the module in the following order: 20.030 -> 20.009 -> 20.010.

For more information, see Knowledgebase Technote Flashing 1756-RM2 from v20.030 to v20.010.

Tracked State Value for Redundant Controller May Not Be Correct After A Switchover (Lgx00189950, Lgx00190153, Lgx00190152)

Corrected Anomaly in Firmware Revision 31.051

Known Anomaly first identified in version 30.00

Catalog Numbers: ControlLogix® 5570 Redundant Controllers

When you enable redundancy but do not retain test edits of a tracked routine, and switchover occurs with test edits running, the Tracked State value on the redundant controller will show the tracked state value of the controller with test edits, even though the test edits are not running in the redundant controller.

Follow one of these steps to work around the issue:

• On the redundant controller (after the switchover, the new primary controller), make a test edit, then undo the test edit. The Tracked State value should now be correct.
• Configure redundancy to retain test edits.

Redundancy-enabled Projects Sometimes Fail to Upload from The Controller Unless Original Download File Exists (Lgx00191976)

Corrected Anomaly as of Studio 5000 Logix Designer® v30.01.00 and v31.00.00

Known Anomaly first identified in version 30.00.00 of Studio 5000 Logix Designer

When you attempt to upload a redundancy-enabled project from the controller, the upload fails unless your computer contains the same project file that was originally downloaded.

The Studio 5000 Logix Designer application gives an error that the project has redundancy disabled and controller firmware with a minor revision of .49 is required.

Applications with PowerFlex drives in the I/O configuration can experience a major non-recoverable fault (MNRF) (00200734, 00200735, 00200600, 00200599)

Corrected Anomaly as of Firmware Revision 31.011 and 30.014 for these catalog numbers:

• CompactLogix™ 5370 Controllers

• Compact GuardLogix® 5370 Controllers

Corrected Anomaly as of Firmware Revision 31.011 and 30.013 for these catalog numbers:

• ControlLogix® 5580 Controllers
• ControlLogix 5570 Controllers
• GuardLogix 5570 Controllers

Known Anomaly First Identified as of Firmware Revision 28.011 for these catalog numbers:

• ControlLogix 5580 Controllers
• CompactLogix 5380 Controllers
• Compact GuardLogix 5370 Controllers

Known Anomaly First Identified as of Firmware Revision 20.011 for these catalog numbers:

• ControlLogix 5570 Controllers
• GuardLogix 5570 Controllers
• ControlLogix 5570 (Redundancy) Controllers
• ControlLogix 5560 Controllers
• GuardLogix 5560 Controllers
• ControlLogix 5560 (Redundancy) Controllers
• CompactLogix 5370 Controllers
• 1769 CompactLogix Controllers
• 1768 CompactLogix Controllers

If a controller already has an application loaded into it that contains PowerFlex drives in the I/O configuration, a MNRF (Major Non-Recoverable Fault) can occur when any of the following occurs:

• A download of a project is performed to the controller.
• A PowerFlex drive is deleted while online.
• A firmware flash update of the controller is performed.
  

For more information and workarounds, see Knowledgebase document 1067997.

Some Faults Are Not Logged in The Controller Log (1061142, 1594647)

The Controller Log feature does not properly log User Task Watchdog faults (Type 6 Code 1) in the Controller Log. For more information about the Controller Log feature, see the Logix 5000® Controllers Information and Status Programming Manual, publication 1756-PM015.

PCMD Returns Incorrect Error Code (1056295)

Equipment Phase Command (PCMD) returns the incorrect error code “0x6003, HIGH_PRIORITY_OWNED” when it should return “0x6004, NOT_ATTACHED”

Controller Can Assert During The I/O Module Configuration Process (1024030, 00219969)

Certain I/O modules send more configuration data than fits in a standard forward open (508 bytes) when the connection is being established.  Therefore, the configuration process can take longer to complete. Examples include E300™ Electronic Overload Relays, 1444 Dynamics, 1718 I/O, 1719 I/O, and many third-party I/O devices.

When the configuration data is being sent to the device, if you change the configuration through the Add-on Profile for the device and then apply the changes the controller can assert.

Grandmaster Clock Description Not Correctly Being Displayed (939979)

Located in controller properties → Date Time → Advanced → Grandmaster Clock description could be shown as a blank description or could be showing old information. This does not impact time synchronization.