
Cisco uBR10000 Series Universal Broadband Routers

Field Notice: FN - 62168 - uBR10k: PRE May Crash When Executing the Command "Show Access-lists"


August 10, 2005


Products Affected

Product: UBR10K

Comments: This bug affects only uBR10k and only when running 12.3(09a)BC, 12.3(9a)BC02, 12.3(9a)BC03, and 12.3(09a)BC04.

Problem Description

PRE may crash or produce tracebacks when executing the show access-lists command.

Background

After a show access-lists command is executed, one or more of the following can be seen:

  1. Tracebacks: can't find policy super acl %s, Spurious memory access, Attempted to free memory and so on.

  2. Unexpected system reload immediately.

  3. Unexpected system reload after a period of time.

  4. Unexpected system reload after doing other ACL commands.

  5. Corrupted memory.

  6. Per-user ACLs disappear.

The specific tracebacks in the system reloads are typically unreproducible and rarely helpful.

When a per-user ACL is created, the ACL reference count is set to zero. When the reference count went to zero, a bug caused the ACL to be deleted (CSCed34058 (registered customers only)). Accesses to ACLs would result in tracebacks, indicating that an expected ACL was deleted. The fix was backed out, so that an ACL is no longer deleted, by using a follow-on bug as a tracking means (CSCsb21280). With CSCsb21280, subsequent accesses to ACLs succeed.

However, when the ACL is deleted, not all references to this ACL are removed. Therefore, subsequent ACL commands can dereference pointers into freed memory and even attempt to free blocks which have already been freed. This can cause unexpected system reloads.

Packet filter groups are already protected by CSCsa76002 (registered customers only).

Problem Symptoms

  1. Create a per-user ACL that is not a packet filter group, usually through either "route-map" or "policy-map".

    For example:

    route-map (route-map-name) (RETURN)

    * or *

    class-map (class-map-name) (RETURN)
    policy-map (policy-map-name) (RETURN)
    class (class-map-name) (RETURN)
    (some parameter command) (RETURN)

  2. Do a show access-lists (RETURN)

  3. Do some other ACL commands

Workaround/Solution

Workaround

Do not use the offending command: show access-lists

Solution

Upgrade to a Cisco IOS® Software Release that has the fix for this issue:

12.3(09a)BC05 or later

12.3(13a)BC or later

DDTS

To follow the bug ID link below and see detailed bug information, you must be a registered user and you must be logged in.

DDTS: CSCsb31420 (registered customers only)
Description: PRE crash on show access-list

DDTS: CSCsb21280 (registered customers only)
Description: BadBugFix CSCed34058:ACL's deleted during show access-lists

Cisco IOS Versions Affected

In general, the issue affects all releases containing CSCed34058 (registered customers only) but not CSCsb21280 or CSCee01688 (registered customers only).

This is the list of known Cisco IOS releases affected by the issue:

12.3(09a)BC, 12.3(9a)BC02, 12.3(9a)BC03, and 12.3(09a)BC04

Note: Both CSCsb21280 and CSCee01688 (registered customers only) back out CSCed34058 (registered customers only).

How to Determine if Your Router Configuration is at Risk

How to determine if you're at risk:

  1. Are you running on a ubr10k?

    If yes, continue to #2.

    If not, then you're not at risk.

  2. Is the version of your Cisco IOS Software: 12.3(09a)BC, 12.3(09a)BC02, 12.3(09a)BC03, or 12.3(09a)BC04?

    If yes, continue to #3.

    If not, then you're not at risk.

  3. Does your system have either "route-map" or "policy-map" configured?

    If yes, then you're at risk.

    If not, continue to #4.

  4. Does your system have any per-user ACLs configured? First copy your IOS config to a lab machine (with no customers) since this is a destructive test.

    Then, do a show access-lists.

    If you have any per-user ACLs, they should show up as "(per-user)". Ignore any that start with CMTS_PKT_FILTER_GROUP_###. Do you have any other "(per-user)" ACLs?

    If yes, then you're at risk.

    If not, then you're not at risk.
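
The four checks above can be run offline against saved device output. The following Python is an added example, not Cisco code: it treats zero-padded and unpadded release strings (12.3(09a)BC02 and 12.3(9a)BC2) as the same release and applies the checks in order. The function names and the sample configuration and show access-lists lines are constructed, and it assumes the ACL name is the token immediately before "(per-user)".

```python
import re

# Affected releases exactly as listed in the notice, in unpadded form.
AFFECTED = {"12.3(9a)BC", "12.3(9a)BC2", "12.3(9a)BC3", "12.3(9a)BC4"}
_VERSION = re.compile(r"(\d+)\.(\d+)\((\d+)([a-z]*)\)([A-Z]+)(\d*)")

def normalize(version):
    """Drop zero padding so 12.3(09a)BC02 and 12.3(9a)BC2 compare equal."""
    m = _VERSION.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognized IOS version: {version!r}")
    major, minor, maint, letter, train, rebuild = m.groups()
    rebuild = str(int(rebuild)) if rebuild and int(rebuild) else ""
    return f"{int(major)}.{int(minor)}({int(maint)}{letter}){train}{rebuild}"

def per_user_acls(acl_output):
    """Names marked (per-user), ignoring CMTS packet filter groups (step 4)."""
    # Assumption: the ACL name is the token right before "(per-user)".
    names = re.findall(r"(\S+)\s+\(per-user\)", acl_output)
    return [n for n in names if not n.startswith("CMTS_PKT_FILTER_GROUP_")]

def assess(platform, version, running_config, lab_acl_output=None):
    """Apply steps 1-4; lab_acl_output must come from a lab copy, never production."""
    if "ubr10k" not in platform.lower():
        return "not at risk"
    if normalize(version) not in AFFECTED:
        return "not at risk"
    if re.search(r"^(route-map|policy-map)\s+\S+", running_config, re.M):
        return "at risk"
    if lab_acl_output is None:
        return "undetermined: capture show access-lists on a lab copy"
    return "at risk" if per_user_acls(lab_acl_output) else "not at risk"

# Constructed sample inputs, not taken from a real device.
CONFIG_WITH_POLICY = """\
hostname cmts-lab
policy-map EXAMPLE-POLICY
 class EXAMPLE-CLASS
"""
CONFIG_PLAIN = "hostname cmts-lab\ninterface Cable5/0/0\n no shutdown\n"
LAB_ACL_OUTPUT = """\
Extended IP access list CMTS_PKT_FILTER_GROUP_255 (per-user)
Extended IP access list EXAMPLE-ACL#1 (per-user)
"""

if __name__ == "__main__":
    print(assess("uBR10k", "12.3(09a)BC04", CONFIG_WITH_POLICY))
    print(assess("uBR10k", "12.3(9a)BC03", CONFIG_PLAIN, LAB_ACL_OUTPUT))
```

Because step 4 is a destructive test, the script only parses output that was already captured on the lab copy and never connects to a device.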

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Receive Email Notification For New Field Notices

Product Alert Tool - Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.