Sun Fire 12K/15K/20K/25K System Controller Management (scman) Networks May Fail After Applying Patch 122608-01 through 122608-03
Category: Availability
Release Phase: Resolved
Product: Sun Fire 12K Server, Solaris Security Toolkit 4.2, Sun Fire E20K Server, Sun Fire 15K Server, Sun Fire E25K Server
Bug Id: 6537623
Date of Resolved Release: 20-JUN-2007
Impact
Sun Fire 12K/15K/20K/25K System Controller Management networks may fail after applying patch 122608-03. As a result, any or all of the following conditions may occur:
1. Dynamic Reconfiguration (DR) operations may time out.
2. Domain console(1M) may be in the (slower) IOSRAM mode, not the (faster) network mode.
3. Propagation of failover files to the spare System Controller may use the (slower) IOSRAM mode, not the (faster) network mode. Failover will still be functional.
4. TCP/IP communication using the virtual System Controller Management (scman) networks (to the other System Controller (SC) or from the SC to a domain) may fail. This means NTP and ssh(1), for example, will time out on the scman networks.
Contributing Factors
This issue can occur on the following platforms:
This issue only occurs if all of the following conditions are true:
- The Sun Fire 12K/15K/20K/25K System Controller is running Solaris 10 or higher.
- Solaris Security Toolkit (SST) version 4.2.0 is installed.
- SST "apply" (/opt/SUNWjass/bin/jass-execute -d sunfire_15k_sc-secure.driver) has been run since installing the patch mentioned above.
Symptoms
If the described issue occurs, the following symptoms may be seen:
1. On the System Controller, the showfailover(1M) command output shows "Private I2 Network" in a state other than "Good".
2. Dynamic Reconfiguration operations time out. DR commands are cfgadm(1M) on the domain, or addboard(1M), deleteboard(1M), moveboard(1M), and rcfgadm(1M) on the System Controller.
3. TCP/IP operations (such as ping(1M) or ssh(1)) on the scman0 or scman1 network fail.
Workaround
To work around the described issue, disable the "ipfilter" service in Solaris if the output of "svcs ipfilter" shows "ipfilter" is enabled:
# svcs ipfilter
STATE STIME FMRI
online 16:34:54 svc:/network/ipfilter:default
# svcadm disable ipfilter
# svcs ipfilter
STATE STIME FMRI
disabled 7:42:05 svc:/network/ipfilter:default
It is not necessary to reboot the system (but you may do so for other reasons).
Resolution
This issue is addressed in the following releases:
- Sun Fire 12K/15K/20K/25K with patch 122608-04 or later
Note: If Solaris Security Toolkit 4.2 was run in "apply" mode since patch 122608-01, 122608-02, or 122608-03 was applied, run SST apply again:
/opt/SUNWjass/bin/jass-execute -d sunfire_15k_sc-secure.driver
and reboot the System Controller. If it is not known whether Solaris Security Toolkit was run in apply mode since one of the patch versions mentioned above was present, apply SST again. No harm will occur by running SST "apply" multiple times.
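Added example, not part of the Sun Alert: a POSIX shell triage helper that applies the Workaround and Resolution conditions above to the text of `svcs ipfilter` and `showrev -p` output. The function names, result keywords and the use of `showrev -p` as the source of the patch revision are assumptions, the sample inputs are constructed, and the Solaris release and SST version are not checked.

```shell
#!/bin/sh
# Added triage helper, not Sun's code. Inputs are text so it runs offline; on a
# System Controller they would come from `svcs ipfilter` and `showrev -p`.

# STATE column of svc:/network/ipfilter:default in `svcs` output.
ipfilter_state() {
    printf '%s\n' "$1" |
        awk '$NF == "svc:/network/ipfilter:default" { print $1; exit }'
}

# Highest installed revision of patch 122608 in `showrev -p` output ("" if none).
patch_rev() {
    printf '%s\n' "$1" | awk '
        $1 == "Patch:" && $2 ~ /^122608-[0-9]+$/ {
            split($2, p, "-"); if (p[2] + 0 > max) max = p[2] + 0
        }
        END { if (max) printf "%02d\n", max }'
}

# Map the two observations to the advisory's action (keywords are assumptions).
triage() {
    state=$(ipfilter_state "$1")
    rev=$(patch_rev "$2")
    case "$rev" in
        "")       echo "no-patch" ;;            # 122608 not installed
        01|02|03)
            if [ "$state" = "online" ]; then
                echo "workaround-needed"        # svcadm disable ipfilter
            else
                echo "ipfilter-not-online"      # workaround applied or SST apply not run
            fi ;;
        *)        echo "fixed-rev" ;;           # re-run SST apply, reboot the SC
    esac
}

# Constructed sample input: svcs text as in the advisory, showrev lines invented.
SVCS_ONLINE='STATE STIME FMRI
online 16:34:54 svc:/network/ipfilter:default'
SVCS_DISABLED='STATE STIME FMRI
disabled 7:42:05 svc:/network/ipfilter:default'
SHOWREV_03='Patch: 122608-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWjass
Patch: 122608-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWjass'
SHOWREV_04='Patch: 122608-04 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWjass'

triage "$SVCS_ONLINE" "$SHOWREV_03"     # workaround-needed
triage "$SVCS_DISABLED" "$SHOWREV_03"   # ipfilter-not-online
triage "$SVCS_ONLINE" "$SHOWREV_04"     # fixed-rev
```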