Controller May Not Re-establish Outgoing Secured I/O Connections After Cable Breaks or Power-Cycles (1432106, 1489122, 1804298, 2136899)

In a CIP Security™ application, the controller may not re-establish secured I/O connections after multiple cable breaks or power cycles.

The Studio 5000 Logix Designer® application shows:

(Code 16#0204) Connection Request Error: Connection request timed out

If you experience this anomaly, power cycle the controller again.

Controller Can Fail to Re-Establish an Outgoing Secured I/O Connection to Remote I/O Modules After a Cable-Break (1753900)

CVE-2024-3493: Logix Controllers and Communication Modules Vulnerable to MNRF Due to Invalid Header Value

For a full list of the potentially affected Rockwell Automation products and a description of the vulnerability, see Security Advisory ControlLogix and GuardLogix Vulnerable to major nonrecoverable fault due to Invalid Header Value.

CVE 2024-5659: Multicast Request Causes Major Nonrecoverable Fault on Select Controllers

For a full list of the potentially affected Rockwell Automation products and a description of the vulnerability, see Security Advisory ControlLogix and GuardLogix Vulnerable to Multicast Request Causes major nonrecoverable fault on Select Controllers.

ControlLogix Redundancy Compatible Software for Revision 35.011_kit1

Catalog Numbers: ControlLogix® 5580 controllers*

(1) You must download a FactoryTalk Alarm and Events patch. See Knowledgebase Article Master list of all available Patch TOCs.

(2) The installation of FactoryTalk View Site Edition also installs FactoryTalk Services Platform, which installs FactoryTalk Alarms and Events. Also, if you download and install the latest FactoryTalk Services Patch Rollup, this patch automatically installs the patch for FactoryTalk Alarms and Events.

(3) Use the most recent FactoryTalk Batch Patch Roll-up with this redundancy firmware revision. For the most recent patch roll-up, see Knowledgebase Article Master list of all available Patch TOCs.

(4) For the most recent FactoryTalk Linx patch roll-up, see Rockwell Automation Knowledgebase Article Master list of all available Patch TOCs.

ControlLogix Redundancy System Components Revision 35.011_kit1

Catalog Numbers

• ControlLogix® 5580 controllers
• 1756-RM2, 1756-RM2K, 1756-RM2XT

This redundancy system revision includes the following:

(1) Firmware revision 11.003 is digitally signed firmware.

(2) Firmware revision 5.028 is digitally signed firmware. Firmware revision 5.008 is unsigned firmware.

EtherNet/IP is a trademark of ODVA, Inc.

Additional Resources for Revision 35.011_kit1

For more information on how to install, configure and use your ControlLogix redundancy system, see:

• The ControlLogix Redundancy Modules Installation Instructions, publication 1756-IN087.
• The ControlLogix 5580 Redundant Controller User Manual, publication 1756-UM015.
• High Availability System Reference Manual, publication HIGHAV-RM002-EN-P.
• Replacement Guidelines: Logix 5000™ Controllers, publication 1756-RM100.

Digitally Signed Ethernet Module Firmware for Revision 35.011_kit1

Catalog Numbers

Digitally signed firmware provides more security over the unsigned firmware. This firmware is different based on the EtherNet/IP™ communication modules you use.

Firmware revision 5.028 is not included in the redundancy system, revision 35.011_kit1 firmware bundle. You must download and install this digitally signed firmware after the redundancy bundle is installed.

Important: When you install the digitally signed firmware, that is, firmware revision 5.028, into a 1756-EN2T/C (or earlier), 1756-EN2TR/B (or earlier), or 1756-EN2F/B (or earlier) module, the installation makes the module incompatible with some firmware revisions. For example, after you update firmware, the module supports use of only digitally signed firmware. The module rejects any unsigned firmware updates.

You can download firmware revision 5.028 and the redundancy system firmware bundle, revision 35.011_kit1, at the Product Compatibility and Download Center.

Tip: Select the base catalog number in ControlFLASH PLUS™ software when upgrading extended temperature or conformal coated modules. For example, select the 1756-EN2TR when upgrading a 1756-EN2TRXT module. Extended temperature and conformal coated modules use the same Redundancy module ControlFLASH PLUS™ kit.

EtherNet/IP is a trademark of ODVA, Inc.

Controller Restrictions in Redundancy Systems with Revision 35.011_kit1

Known Restrictions as of ControlLogix® Redundancy Revision 35.011_kit1

This revision supports the following:

• ControlLogix 5580 controllers
• 1756-RM2, 1756-RM2K, and 1756-RM2XT modules

Catalog Numbers

1756-EN2T, 1756-EN2TK, 1756-EN2TR, 1756-EN2TXT, 1756-EN2F, 1756-EN2FK, 1756-EN2TP, 1756-EN2TPK, 1756-EN2TPXT:

• The 1756-EN2x communication modules provide 128 TCP and 256 CIP™ connections.
• The 1756-EN2x communication modules do not support bumpless I/O on switchover with Immediate Output (IOT) instructions. Because these modules do not support bumpless I/O on switchover with the IOT instruction, they cannot override the RPI in a remote chassis and immediately send new data over the EtherNet/IP™ network.

1756-EN4TR, 1756-EN4TRK, 1756-EN4TRXT:

• The 1756-EN4TR modules with firmware revision 4.001 or later support CIP Security for program upload/download/monitoring (not I/O) when the modules are paired with redundant ControlLogix 5580 controllers in the redundant chassis pair. The ControlLogix 5580 controllers must be at firmware revision 35.011 or later, and the 1756-EN4TR pair must be configured for non-IP address swapping.
• The 1756-EN4TR modules are also supported in a remote rack as a standard adapter or in a redundant adapter architecture.

ControlLogix 5580 redundancy-enabled controllers, 1756-EN2T, 1756-EN2TK, 1756-EN2TR, 1756-EN2TRK, 1756-EN2TRXT, 1756-EN2TXT, 1756-EN2F, 1756-EN2FK, 1756-EN2TP, 1756-EN2TPK, 1756-EN2TPXT, 1756-EN4TR, 1756-EN4TRK, 1756-EN4TRXT:

• A redundant controller project cannot contain consumed Unicast connections. The project can contain produced Unicast tags that are consumed by remote consumers.

CIP Sync™ Technology Included in Redundant Systems:

• There are differences between CIP Sync technology in non-redundant systems and redundancy systems.

• ControlLogix 5580 Redundant Controller User Manual, publication 1756-UM015
• Integrated Architecture® and CIP Sync Configuration Application Technique, publication IA-AT003

• Consider the following when you use CIP Sync technology in a redundancy system:

• If you enable CIP Sync Time Synchronization in the controllers in a redundant chassis pair, you must also enable Time Synchronization in the EtherNet/IP™ communication modules in the redundant chassis pair so all devices have one path to the Grandmaster.
• If time synchronization is enabled in any controller in the primary chassis of a disqualified Redundant Chassis Pair, and no EtherNet/IP communication modules in the primary chassis have time synchronization enabled, the redundant chassis pair attempts to qualify. However, in these application conditions, the attempt to qualify fails.
• While CIP Sync technology can handle multiple paths between master and slave clocks, it resolves mastership most effectively if you configure the redundant paths so that Time Synchronization is enabled in only the minimum required number of EtherNet/IP communication modules.
• For example, if your redundant chassis pair has three 1756-EN2T communication modules and all are connected to the same network, enable Time Synchronization in only one of the modules.
• If the primary controller is the Grandmaster, the redundancy system automatically manages the CIP Sync clock attributes so that the controller in the primary chassis is always set to be the Grandmaster instead of the secondary controller. This clock management makes sure that a change to a new Grandmaster when the redundancy system switches over.
• When a switchover occurs, these events take place:

1. The Grandmaster status transfers from the original primary controller to the new primary controller. This transfer can take longer to complete than if Grandmaster status was transferred between devices in a non-redundant system.
2. The synchronization of the redundancy system can take longer when you use CIP Sync technology.

ControlLogix 5580 controllers

• You can have only one controller in each chassis in a redundant chassis pair.
• The embedded EtherNet port is disabled when the controller is enabled for redundancy.
• Do not use Match Project to Controller property with redundant controllers. If you use the Match Project to Controller property available in the Advanced tab of the Controller Properties dialog box, you cannot go online with, download to, or upload from the new primary controller after a switchover. This is because the serial number of the new primary controller is not the same as the serial number of the old primary controller and the project cannot be matched to the new primary controller.
• The Firmware Supervisor feature is not supported in a redundant system.
• You cannot use event tasks in a ControlLogix redundancy system. When you enable redundancy, you must change event tasks to nonevent tasks or delete them from your project.
• You cannot use Motion in ControlLogix redundancy systems. A remote controller can contain motion instructions even if it is on the same network as a redundancy system.
• Under some error conditions, often configuration related, the 1756-RM2 module continually attempts to requalify the system while the error prevents it from being successful. This causes the redundancy module error log to fill with the same error condition. If the system is in this condition, the redundancy module display cycles between QFNG and DISQ. To stop this from happening, change the redundancy module synchronization trigger in the Redundancy Module Configuration Tool (RMCT) to Never, until the error condition is corrected.
• The MinDurationACC alarm tag member value does not update, and it stays at a 0 value. This change does not affect the MinDuration calculations.

1756-EN2T, 1756-EN2TK, 1756-EN2TR, 1756-EN2TRK, 1756-EN2TRXT, 1756-EN2TXT, 1756-EN2F, 1756-EN2FK, 1756-EN2TP, 1756-EN2TPK, 1756-EN2TPXT:

• The System Event History displays a `Module Failure’ entry when you insert a 1756-EN2x communication module in the chassis while the redundant chassis pair is synchronized. This is not indicative of any module failure; instead, it indicates that only a communication module was inserted in the chassis.

CIP, CIP Sync, and EtherNet/IP are trademarks of ODVA, Inc.

Keyswitch Does Not Clear Major Fault on Disqualified Secondary (1524410)

If you use the keyswitch to clear a major fault on a disqualified secondary controller, it clears the OK status indicator on the controller, but the 4-character display still shows a major fault.

To clear the fault:

• Use the Studio 5000 Logix Designer® application to clear the fault. This does not work if the fault was already cleared using the Keyswitch.
• Use ControlFLASH Plus™ software to update the controller firmware to the existing firmware to reset it.

PortPhysicalAddressInfo GSV Does Not Populate After Controller Power Cycle (1451494, 1514584)

When a Get System Value (GSV) instruction configured for Class Name: TimeSynchronize and Attribute Name: PortPhysicalAddressInfo executes after a controller power cycle, the physical address (MAC ID) does not populate.

PlantPAx® Embedded Instruction PAIM – Does not pass through all SrcQ values from Inp_SrcQ (1384787, 1672172, 1664909)

The Process Multi Sensor Analog Input (PAIM) instruction is only able to pass values of 0, 1, 32, or 35 to the SrcQ Output Parameter from the Inp_SrcQ Input Parameter. All remaining supported values of the SrcQ Output Parameter are not passed through correctly.

Rejection of Messages Received by IO-Link Devices in a High Availability Application (1631817, 1767445)

In a high availability application, I/O devices that accept reconfiguration messages only from the owner device (the one which initiated communication to the target /IO device) reject any reconfiguration sent via message communication with a 16#0010 error code.

Controller Can MNRF When Executing CPS Instruction with Specific Data Types (1800992, 2129625, 2129629)

When executing a Synchronous Copy File (CPS) instruction with a motion diagnostics connection as the source or destination tag, the controller can experience a major nonrecoverable fault (MNRF).

To work around this anomaly, do not use motion diagnostics connections (such as AB:Motion_Diagnostics:S:1) as arguments to the CPS instruction. If a copy is still necessary, use a non-synchronous copy via the COP instruction.

Periodic User Tasks Without Any Scheduled Programs Experience Overlaps on The New Primary Controller After Switchover (1723127, 1810033)

When configured for redundancy, if the application contains a periodic user task without any scheduled programs, then that user task will report task overlaps on the new Primary controller after a switchover.

The task overlaps result in a minor fault being reported.

Periodic User Tasks Can Experience Unexpected Overlaps on The New Primary Controller If Switchover Occurs Soon After Qualification Completes (1723127)

When configured for redundancy, if a switchover occurs before the period of the periodic user task expires, then the periodic user tasks that are running on the new Primary controller can report overlaps following the switchover.

The task overlaps result in a minor fault being reported.

Sent Bytes Per Second Displays a Larger Incorrect Value (1548181)

Under HMI/MSG Connected (EtherNet/IP Port) on the device Diagnostic webpages, Sent Bytes Per Second displays a much larger incorrect value, not the actual sent bytes per second.

PlantPAx® Embedded Instruction PVSD - Unlimited Jog Request Stops When Horn Time Expires (1662547, 1795646, 1795647)

When the Process Variable Speed Drive (PVSD) instruction is configured to enable unlimited jog with a nonzero horn sound time, and the Jog button is pushed and held, then the jog command stops when the horn sound stops. The expected result is for the jog to continue after the horn sound stops.

To work around this anomaly, set the jog timer to a very large number instead of zero.

PlantPAx® Embedded Instruction PMTR - Unlimited Jog Request Stops When Horn Time Expires (1657427, 3397702)

When the Process Motor (PMTR) instruction is configured to enable unlimited jog with a nonzero horn sound time, and Jog button is pushed and held, then the jog command stops when the horn sound stops.

The expected result is for the jog to continue after the horn sound stops.

To work around this anomaly, set the jog timer to a very large number instead of zero.

PlantPAx® Embedded Instruction PAI - Deviation Alarm Settings Not Checked in Logic (1661684, 3637718)

The Process Analog Input (PAI) instruction logic allows the instruction to process infeasible deviation alarm settings. High deviation limit (Cfg_HiDevLim) can be set negative and low deviation limit (Cfg_LoDevLim) can be set positive, which results in an incorrect calculation.

To work around this anomaly, follow the parameter description and take care writing proper values from the range specified.

PlantPAx® Embedded Instruction PAI - Infeasible Low Deviation Deadband Setting Allowed (1661686, 3559581)

The Process Analog Input (PAI) instruction logic accepts a low deviation deadband (Cfg_LoDevDB) setting, violating the range of feasible values.

To work around this anomaly, set the low deviation deadband parameter to ≥ -Cfg_LoDevLim and ≤ 0.

PlantPAx® Embedded Instruction PAI - Infeasible High Deviation Deadband Setting Allowed (1661688, 3559637)

The Process Analog Input (PAI) instruction logic accepts a high deviation deadband (Cfg_HiDevDB) setting, violating range of feasible values.

To work around this anomaly, set the high deviation deadband parameter to ≥ 0 and ≤ Cfg_HiDevLim.

I/O Device Configured Within a 5032 IO-Link Module Stuck in Shutting Down State (2003359, 2117004)

If the configuration of an I/O device within a 5032 IO-Link module fails while performing greater than 20 simultaneous configurations, one or more I/O devices can get stuck in the Shutting Down state.

For more information, see Knowledgebase Technote IO-Link device shows Shutting Down.

Open Socket Functionality Not Behaving as Expected (1957130, 1957175)

In a Socket Read Message, when reading an empty TCP Ethernet Buffer (buffer length of 0), the expectation is that a 12 byte header will be returned for the Socket Read Message’s .DN_LEN ([MessageTag].DN_LEN=12).

Instead, 0 bytes are returned by the message ([MessageTag].DN_LEN=0).

This anomaly affects the Rockwell Automation® Sample Code Add-On Instructions and Applications. For more information and a workaround for this anomaly, see the Knowledgebase Technote Socket functionality may not behave as expected in specific Logix controllers at version 35.011 and 1756-EN4TR version 5.001.

Studio 5000 Logix Designer Trends Can Cause the Controller to MNRF (3062715, 3081542)

If the Studio 5000 Logix Designer® application shuts down unexpectedly while running trends, the controller can experience a major non-recoverable fault (MNRF).

Workaround: If the Logix Designer application is running trends and shuts down unexpectedly, open Microsoft Windows Task Manager, select the RATrendSrvU.exe task, and click End task.

A Project with Multiple FLEXHA 5000 I/O Modules can Fail to Download to the Controller (3196845, 1867140)

A Studio 5000 Logix Designer application that has a large number (greater than 200) of FLEXHA 5000™ Universal I/O modules (5015-U8IHFTXT) in the I/O tree can fail to download to the controller.

SD Status Indicator Flashes When I/O Connection Errors Exist (1917586, 1917602, 1917603)

The SD status indicator flashes and decreases SD card performance when I/O connection errors exist. The impact on SD card performance is directly related to the number of I/O connection errors present at that time.

Disqualification of Redundant Chassis Pair Due to Concurrent Connection Timeout (1895856)

Controller Can MNRF During Online Edit (2123008, 2306717, 3741373)

Controller Can Become Unresponsive When You Inhibit or Uninhibit a Module (3080005)

Controller Can Experience a MNRF When You Inhibit and Uninhibit an Axis and Drive (2069903, 2162056, 2162057)

Inhibiting the Axis and then the associated Drive with SSV instructions (in that order) can cause the controller to experience a major non-recoverable fault (MNRF).

Workaround: Inhibit the Drive, then inhibit the Axis (in that order). The order of uninhibiting the axis and drive does not matter.

Online Configuration of I/O Devices can Cause a MNRF/Assert (3231324, 3385069, 3335724, 3355887, 3355890)

When an I/O device is owned by the controller, if you make an online change with either the module properties dialog or a MSG instruction with a “Module Reconfigure” message type, the controller can MNRF/assert.

There is a higher probability for this anomaly to occur when there are many unconnected I/O devices in the I/O tree.

We recommend that you inhibit devices in the I/O tree that are not powered or do not exist on the network. If possible, inhibit the device while offline with the controller and then download the application to the controller.

This anomaly does not impact all I/O devices:

• Common I/O devices include: 1718 Ex I/O, 1719 Ex I/O, ArmorBlock® I/O, Compact 5000® I/O, FLEX 5000® I/O, Armor™ PowerFlex® Drives, E300™ Electronic Overload Relays, Dynamix™ 1444 Series modules.

• For all impacted I/O devices, see Knowledgebase Technote Determining the I/O Devices that Utilize an EDS AOP

Workaround:

Inhibit the I/O connection to the device while online before you start any reconfiguration. Once you complete the reconfiguration, then uninhibit the I/O connection.

1. Upgrade the controller’s firmware.
2. Install the latest release of software associated with the major revision of firmware.
3. Open the project file and perform a compact and delete of cache.
   1. Go to File → Compact
   2. When the Compact Project File dialog appears, make sure the Delete cached build data checkbox is checked.

4. Download the project to the controller.

New Firmware Updates Can Impact the Performance of Message Rate Capacity HMI/MSG (Class 3) Data

Each new major revision of the controller/communication module firmware provides additional features and functionality, but this consumes additional processing power from the module even if the features are not utilized. This manifests as degrading HMI/messaging performance for the respective module.

Despite this degradation, the specifications defined for the respective modules have been maintained:

To improve the messaging capacity, it is recommended to employ the following:

• For high-frequency messaging, utilize connected cached messages

• Utilize message reads as opposed to message writes; they’re more efficient

• For ControlLogix 5580 controllers, route HMI/messages through communication modules in the chassis as opposed to going directly to the embedded port of the controller
  • Offloading some of the processing to the communications module results in greater messaging capacity than using the front port alone
  • This recommendation does not apply to I/O or produce/consume data, it is more efficient and there is more capacity for that data to route through the embedded port of the controller
• Upgrade to a 5590 controller
  • The HMI/messaging messaging capacity is doubled through the embedded ethernet port

For more information, see these publications:

• ControlLogix and GuardLogix Controller Specifications Technical Data, publication 1756-TD001

• CompactLogix 5380, Compact GuardLogix 5380, and CompactLogix 5480 Controllers Specifications Technical Data, publication 5069-TD002

• 1756 ControlLogix Communication Modules Specifications Technical Data, publication 1756-TD003