
Cisco 7500 Series Routers

Field Notice: IPsec/CEF Software Defect on RSPx and RSM


January 24, 2000



Products Affected

| Product | Description |
|---|---|
| RSP7000 | Cisco 7000 Series Route Switch Processor (RSP) |
| RSP2 | Cisco 7500 Series Route Switch Processor (RSP) |
| RSP4 | Cisco 7500 Series Route Switch Processor (RSP) |
| RSP8 | Cisco 7500 Series Route Switch Processor (RSP) |
| RSM | Catalyst 5000 Family Route Switch Module (RSM) |

Problem Description

On all RSP and RSM processors, when an interface in the router is configured with an IPSec crypto map and the switching mode is Cisco Express Forwarding (CEF), the RSP or RSM restarts when it attempts to decrypt IPSec packets.

This defect is tracked with CSCdp58142.

Background

CSCdp58142 exists due to CSCdm60335 and CSCdp21248.

CSCdm60335 affected Cisco IOS 12.0T and 12.0(5)XE trains.

CSCdp21248 affected Cisco IOS 12.0, 12.0T, 12.0XE, and 12.0S trains.

Problem Symptoms

The problem manifests as a system restart when IPSec and CEF switching are running on RSP and RSM processors whose software does not include the fix for software defect CSCdp58142.

Workaround/Solution

The short-term workaround for systems running affected Cisco IOS images is to turn the CEF switching option off on all interfaces that have crypto map entries applied to them.

The Cisco IOS interface configuration command to turn CEF off is presented below:

router(config-if)# no ip route-cache cef

Note: More detailed information on the no ip route-cache cef command can be found in the Cisco documentation.

Warning: Disabling the CEF functionality may substantially reduce the throughput performance of an interface.
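
The following Python script is an added example, not part of the Cisco field notice: it scans a saved running configuration for interfaces that have a crypto map applied but lack no ip route-cache cef, and produces the workaround commands for them. The sample configuration and the function names are constructed for illustration, and any interface without an explicit no ip route-cache cef is conservatively treated as possibly CEF-switched.

```python
import re

# Constructed sample running-config (not taken from the field notice).
SAMPLE_CONFIG = """\
crypto map VPNMAP 10 ipsec-isakmp
 set peer 192.0.2.1
!
interface Serial1/0
 ip address 192.0.2.2 255.255.255.252
 crypto map VPNMAP
!
interface Serial1/1
 no ip route-cache cef
 crypto map VPNMAP
!
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
!
"""

def interface_stanzas(config):
    """Yield (name, [sub-commands]) for each interface stanza."""
    name, body = None, []
    for line in config.splitlines():
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            if name:
                yield name, body
            name, body = m.group(1), []
        elif name and line.startswith(" "):
            body.append(line.strip())
        elif name:  # "!" or a global command closes the stanza
            yield name, body
            name, body = None, []
    if name:
        yield name, body

def needs_workaround(config):
    """Interfaces with a crypto map applied and CEF not explicitly disabled."""
    return [name for name, body in interface_stanzas(config)
            if any(c.startswith("crypto map ") for c in body)
            and "no ip route-cache cef" not in body]

def workaround_commands(config):
    """Interface-mode commands from the notice, one pair per flagged interface."""
    cmds = []
    for name in needs_workaround(config):
        cmds += [f"interface {name}", " no ip route-cache cef"]
    return cmds
```

The global crypto map definition at column 0 is deliberately ignored; only a crypto map line inside an interface stanza counts as "applied".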

The long-term solution requires that customers upgrade their Cisco IOS image. The table below provides the needed Cisco IOS upgrade path.

Solution for CSCdp58142

| Cisco IOS | Cisco IOS Maintenance | Cisco IOS Image | Cisco IOS Availability |
|---|---|---|---|
| 12.0 | 12.0(9) | rsp-*56i-mz, c5rsm-*56i-mz | CCO - January 31, 2000 |
| 12.0XE | 12.0(7)XE1 | rsp-*56i-mz, rsp-*k2*-mz | CCO - January 31, 2000 |
| 12.1 | 12.1(1) | rsp-*56i-mz, rsp-*k2*-mz, c5rsm-*56i-mz, c5rsm-*k2*-mz | CCO - Anticipated availability |
| 12.1T | 12.1(1)T | rsp-*56i-mz, rsp-*k2*-mz, c5rsm-*56i-mz, c5rsm-*k2*-mz | CCO - Anticipated availability March/April 2000 |
| 12.1E | 12.1(1)E | rsp-*56i-mz, rsp-*k2*-mz, c5rsm-*56i-mz, c5rsm-*k2*-mz | CCO - Anticipated availability March/April 2000 |

DDTS

To follow the bug ID link below and see detailed bug information, you must be a registered user and you must be logged in.

| DDTS | Description |
|---|---|
| CSCdp58142 | EWAN:IPSec:7500 peer-peer ping caused routers crash |

Cisco IOS Versions Affected

The following Cisco IOS images are affected by CSCdp58142.

Note: The k2 feature set Cisco IOS images are TripleDES Cryptographic, Secured, and are Export Controlled.

CSCdp58142 Affected Cisco IOS Images

| Cisco IOS | Cisco IOS Maintenance | Cisco IOS Images |
|---|---|---|
| 12.0 | 12.0(8) | all rsp-*56i-mz, c5rsm-*56i-mz |
| 12.1T | 12.1(1)T | all rsp-*56i-mz or rsp-*k2-mz images; c5rsm-*56i-mz or c5rsm-*k2-mz images |
| 12.0XE | 12.0(5)XE through 12.0(5)XE7T | all rsp-*56i-mz or rsp-*k2-mz images |
| 12.0S | 12.0(7)S through 12.0(8)S | all rsp-*56i-mz or rsp-*k2-mz images |

How To Upgrade Software

Maintenance Solution

To obtain the next maintenance release, see the instructions below:

Using the Software Center

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods: