Guest

Cisco ACE 4700 Series Application Control Engine Appliances

Release Note vA5(1.x), Cisco ACE 4700 Series Application Control Engine Appliance

  • Viewing Options

  • PDF (590.1 KB)
  • Feedback
Release Note for the Cisco ACE 4700 Series Application Control Engine Appliance

Table Of Contents

Release Note for the Cisco ACE 4700 Series Application Control Engine Appliance

Contents

New Software Features in Version A5(1.2)

Dual Nexus 7K Support

Ability to Back Up and Restore Only SSL Files Between ACEs

Default SSL Handshake Support (Per RFC 5746)

Addition of the Normalization Stateless Function

RADIUS-Attribute Sticky Group Enhancement

Globally Applying Parameter Map Inactivity and TCP Half-Closed Connection Timeout Values

Increase in the HTTP Load-Balancing Limitation

CLI Support for Connections Per Second (CPS) at the Virtual Server Level

Mitigating a Slowloris HTTP DoS Attack

Closing a TCP Connection in a FIN_WAIT State

Device Manager GUI Support for Deploying Layer 3/Layer 4 Class Maps with Anyv6 and Portv6 Match Conditions

Selecting an HTTPS Certificate and Key

Including the REMOTE_ADDR Attribute in AAA Protocol Packets (Device Manager GUI Access)

Related SNMP Changes for A5(1.2)

New Software Features in Version A5(1.0)

Available ACE Licenses

Ordering an Upgrade License and Generating a Key

Performing ACE Appliance Software Upgrades and Downgrades

Supported Browsers for ACE Appliance Device Manager

ACE Operating Considerations

ACE Documentation Set

Software Version A5(1.2) Resolved Caveats, Open Caveats, Command Changes, and System Log Messages

Software Version A5(1.2) Resolved Caveats

Software Version A5(1.2) Open Caveats

Software Version A5(1.2) Command Changes

Software Version A5(1.2) System Log Messages

251015

251021

322006

Software Version A5(1.1) Resolved Caveats, Open Caveats, Command Changes, and System Log Messages

Software Version A5(1.1) Resolved Caveats

Software Version A5(1.1) Open Caveats

Software Version A5(1.1) Command Changes

Software Version A5(1.1) System Log Messages

251010

Software Version A5(1.0) Resolved Caveats and Open Caveats

Software Version A5(1.0) Resolved Caveats

Software Version A5(1.0) Open Caveats

Obtaining Documentation and Submitting a Service Request


Release Note for the Cisco ACE 4700 Series Application Control Engine Appliance


January 23, 2012


Note The most current Cisco documentation for released products is available on Cisco.com.


Contents

This release note applies to the following software versions for the Cisco 4700 Series Application Control Engine (ACE) appliance:

A5(1.2)

A5(1.1)

A5(1.0)

For information on the ACE appliance features and configuration details, see the ACE documentation located on www.cisco.com at:

http://www.cisco.com/en/US/products/ps7027/tsd_products_support_series_home.html

This release note contains the following sections:

New Software Features in Version A5(1.2)

New Software Features in Version A5(1.0)

Available ACE Licenses

Ordering an Upgrade License and Generating a Key

Performing ACE Appliance Software Upgrades and Downgrades

Supported Browsers for ACE Appliance Device Manager

ACE Operating Considerations

ACE Documentation Set

Software Version A5(1.2) Resolved Caveats, Open Caveats, Command Changes, and System Log Messages

Software Version A5(1.1) Resolved Caveats, Open Caveats, Command Changes, and System Log Messages

Software Version A5(1.0) Resolved Caveats and Open Caveats

Obtaining Documentation and Submitting a Service Request

New Software Features in Version A5(1.2)

Software version A5(1.2) provides the following new features:

Dual Nexus 7K Support

Ability to Back Up and Restore Only SSL Files Between ACEs

Default SSL Handshake Support (Per RFC 5746)

Addition of the Normalization Stateless Function

RADIUS-Attribute Sticky Group Enhancement

Globally Applying Parameter Map Inactivity and TCP Half-Closed Connection Timeout Values

Increase in the HTTP Load-Balancing Limitation

CLI Support for Connections Per Second (CPS) at the Virtual Server Level

Mitigating a Slowloris HTTP DoS Attack

Closing a TCP Connection in a FIN_WAIT State

Device Manager GUI Support for Deploying Layer 3/Layer 4 Class Maps with Anyv6 and Portv6 Match Conditions

Selecting an HTTPS Certificate and Key

Including the REMOTE_ADDR Attribute in AAA Protocol Packets (Device Manager GUI Access)

Related SNMP Changes for A5(1.2)

Dual Nexus 7K Support

Per CSCtt42551, you may now configure up to two Nexus 7000 series switches per ACE as a means to determine the locality of the VMs in the local and the remote data centers. Use the nexus-device command in configuration mode in the Admin context to create each local Nexus device on the ACE. You can also configure two Nexus 7000 series switches per ACE from the ACE appliance Device Manager GUI.

For example:

nexus-device otv-sw1
  ip-address 10.8.56.11
  credentials admin encrypted XyQhMSMkSU7LfCA3yn/KWHQYHHu/nFHMG0rbR8F02AfV
 
   
nexus-device otv-sw2
  ip-address 10.8.56.12
  credentials admin encrypted XyQhMSMkSU7LfCA3yn/KWHQYHHu/nFHMG0rbR8F02AfV
 
   

For details on how to configure a Nexus 7000 series switch from the ACE to retrieve locality information for the dynamic workload scaling (DWS) feature, see:

From the CLI, see the "Configuring the Nexus Device" section in Chapter 5, Configuring Dynamic Workload Scaling, of the Server Load-Balancing Guide, Cisco ACE Application Control Engine.

From the Device Manager GUI, see the "Configuring and Verifying a Nexus 7000 Connection" section of the online help or the Device Manager GUI Guide, Cisco ACE 4700 Series Application Control Engine Appliance.

Ability to Back Up and Restore Only SSL Files Between ACEs

Per CSCtq38074, the ACE now allows you to specify to back up only SSL files from your ACE and restore all SSL files to the new device. The redundancy configuration on the standby ACE synchronizes the configuration from the active ACE to the standby ACE.

During the restore process, the ACE does not create the missing contexts. The restore functionality looks at each context in the backup file and if the context is present in the ACE, SSL files are restored. Otherwise, if the context does not exist, the restore process is skipped for this context. The restore process then continues with the next context in the backup file.

The modified syntax of the backup and restore Exec mode commands is as follows:

backup [all] [pass-phrase text_string] [ssl-only] [exclude component]

restore {[all] disk0:archive_filename} [pass-phrase text_string] [ssl-only] [exclude {licenses | ssl-files}]

The optional ssl-only keyword has been added to the CLI syntax of the backup and restore commands to enable you to specify exportable SSL files as part of the configuration file backup and restore processes. The nonexportable files are not supported by the back up operation and need to be restored manually.

Default SSL Handshake Support (Per RFC 5746)

With defect CSCtd21177, a PSIRT case was initiated. An industry-wide vulnerability exists in the Transport Layer Security (TLS) protocol that could impact any Cisco product that uses any version of TLS and SSL. The vulnerability exists in how the protocol handles session renegotiation and exposes users to a potential man-in-the-middle attack.

RFC 5746 defines the renegotiation indication extension that allows SSL/TLS to perform SECURED renegotiation.

Per CSCtq48352, this enhancement supports a secure handshake by default on the ACE, as defined by RFC 5746. By default, the ACE now allows SECURED SSL/TLS renegotiation with a client and server that supports RFC 5746 and, by default, the ACE disallows UNSECURED SSL/TLS renegotiation with a client and server that do not support RFC 5746 (same as the previous behavior).

The following two new statistics have been added to the show stats crypto server and show stats crypto client commands:

SSLv3 Secured Rehandshakes—Number of secured SSLv3 renegotiation handshakes that the ACE performed successfully with the client and server.

TLSv1 Secured Rehandshakes—Number of secured TLSv1 renegotiation handshakes that the ACE performed successfully with the client and server.

Addition of the Normalization Stateless Function

The ACE uses TCP normalization to perform checks for Layer 4 packets that have invalid or suspect conditions. Per CSCtr31749, the normalization stateless command has been added to Interface mode primarily for use in DSR scenarios as well as a means to provide a certain level of protection against Distributed Denial of Service (DDoS) attacks on an interface when a TCP connection is created. The normalization stateless command is applicable only to Layer 4 flows.


Note The normalization stateless command is for DSR TCP connections only and does not apply to UDP stateless connections.


When you specify the normalization stateless command, the ACE processes TCP connections on an interface as stateless connections that undergo TCP normalization checks (for example, TCP window, TCP state, TCP sequence number, and other normalization checks).

Only SYN packets are allowed to create a TCP connection. When the connection is created, Layer 4 normalization checks are relaxed. In this case, because only a SYN packet is allowed to create a connection, the ACE sends a reset (RST) when the connection ends. The no normalization stateless command disables the function.

lbmb1104-11/CTX1(config)# interface vlan 461
lbmb1104-11/CTX1(config-if)# normalization stateless
 
   

With the normalization stateless command, there are no additional counters in the ACE used to track when a stateless DSR TCP connection is denied or DDoS-protected. All encountered issues are summarized under the existing counters available with the show np command output. See the Cisco Application Control Engine (ACE) Troubleshooting Guide wiki for details on the show np command output:

show np 1 me-stats -snormalization

RADIUS-Attribute Sticky Group Enhancement

A RADIUS-attribute sticky group enables the ACE to stick client connections to the same real server based on a RADIUS attribute. By default, a sticky entry is always created when the ACE receives an Accounting Start packet regardless of the subsequent ACK. "Accounting only" customer deployments require sticky entries to be validated by a response (ACK). After the sticky entry is created, if the real server fails to respond to or acknowledge the request, all subsequent requests must be re-load balanced excluding this real server.

Per CSCtu04121, enhancements have been made to the RADIUS-attribute sticky group to optimize sticky entry creation for Accounting Only deployments during RADIUS load balancing. With this enhancement, a new option has been added in sticky RADIUS configuration mode (accessed through the sticky radius framed-ip command and the sticky radius framed-ip username command) to instruct the ACE to use a sticky entry only after it has been validated by a server response. In the case where no response has been received and the sticky entry has not been validated, the ACE will re-load balance, excluding the real server to which the RADIUS request was stuck initially.

At the end of the service delivery, the client generates an Accounting Stop packet that describes the type of service that was delivered and statistics (optional). The Accounting Stop packet deletes the sticky entry immediately without waiting for the ACK.

The new option in sticky RADIUS configuration mode is as follows:

wait-for-ack

Use the no form of this command to return operation to the default behavior.

For example, to create a group for RADIUS-attribute stickiness that includes the "wait for ACK" function, enter the following commands:

host1/Admin(config)# sticky radius framed-ip RADIUS_GROUP
host1/Admin(config-sticky-radius)# wait-for-ack
 
   

The show sticky database detail Exec mode command has also been modified to display the new RADIUS Wait-For-Ack entry. The states of this entry are either True or False.

For example, enter the following command:

host1/Admin# show sticky database detail
processor (0/3):             3
results index:               1 of 1
sticky group:                fip-uname-farm
sticky type:                 RADIUS
rserver:                     rs-01
realPort:                    0
timeout (secs):              86400
sticky-entry:                0x1b6e0438e29341a
internal entry-id:           0xc020000b
time-to-expire (secs):       86342
sticky-hit-count:            1
active-conn-count:           0
in-use reference count:      0
static entry:                FALSE
reverse entry:               FALSE
active entry:                TRUE
timeout-active-conns:        FALSE
created-from-HA-peer:        FALSE
HA-replicated-at-least-once: TRUE
Radius Wait-For-Ack:         TRUE <<<<<<
 
   
Total Sticky Entries: 1

Globally Applying Parameter Map Inactivity and TCP Half-Closed Connection Timeout Values

Per CSCtl97681, you can globally apply the inactivity and TCP half-closed connection timeout values of a connection parameter map in a context. The global timeout values override the default values for all the Layer 3 rules in the context. If you configure the timeout values for a specific parameter map, they override the global inactivity timeout values.

Before you can globally apply the connection timeout values, you must configure a connection parameter map that contains these values. You can configure this parameter map with either or both the inactivity and TCP half-closed connection timeouts. For example, to configure a connection parameter map with the inactivity and half-closed connection timeouts, enter the following:

host1/Admin(config)# parameter-map type connection TCP_MAP
host1/Admin(config-parammap-conn)# set timeout inactivity 7200
host1/Admin(config-parammap-conn)# set tcp timeout half-closed 1800
 
   

You cannot configure any additional parameters to this parameter map. If the parameter map is configured with parameters other than these connection timeouts, the ACE displays the following error message:

Error: Parameter map can't be applied globally.
 
   

After you configure the parameter map, you can globally apply it and its timeouts through the connection advanced-option default-override command in configuration mode. The syntax of the command is as follows:

connection advanced-option default-override connection_parameter_map

The connection_parameter_map argument is the name of the connection parameter map name configured with the inactivity or half-closed connection timeout values. For example, enter the following:

host1/Admin(config)# connection advanced-option default-override TCP_MAP
 
   

The show service-policy command indicates the global parameter map applied to the Layer 3 rule by appending the (Global) tag to its name. The show parameter map command displays the globally-applied inactivity and half-closed connection timeouts by appending the (Global) tag appended to the timeout values.

To remove the global timeout values, enter the following:

host1/Admin(config)# no connection advanced-option default-override TCP_MAP

Increase in the HTTP Load-Balancing Limitation

Per CSCtn14041, the HTTP load-balancing limitation of 1024 entries per class map and 1024 entries per policy map has increased to 4096. The line number value for match statements has increased from 1024 to 4096.

CLI Support for Connections Per Second (CPS) at the Virtual Server Level

Per CSCtn73488, the show service-policy command now includes the conns per second field that displays the connections per second at the virtual server level when you configure more than one VIP under a class map. When you configure one VIP under a class map, the connections per second field is displayed at the VIP level.

For example:

switch/Admin# show service-policy L7_policy
 
   
Status     : ACTIVE
-----------------------------------------
Interface: vlan 725 727
  service-policy: httJG
    class: vip-JG
      loadbalance:
        L7 loadbalance policy: L7_policy
        Regex dnld status    : SUCCESSFUL
        VIP Route Metric     : 77
        VIP Route Advertise  : DISABLED
        VIP ICMP Reply       : ENABLED
        VIP State: INSERVICE
        VIP DWS state: DWS_DISABLED
        Persistence Rebalance: ENABLED
        curr conns       : 0         , hit count        : 1647936
        dropped conns    : 1632955
        conns per second    : 50    >>>>>>>>>>>>>>>>>>>>>>>>>>>> This stat has been added
        client pkt count : 4972447   , client byte count: 459647112
        server pkt count : 80791     , server byte count: 7090355
        conn-rate-limit      : 100       , drop-count : 22522
        bandwidth-rate-limit : -         , drop-count : -
      compression:
        bytes_in  : 0                          bytes_out : 0
        Compression ratio : 0.00%
                Gzip: 0               Deflate: 0
      compression errors:
        User-Agent  : 0               Accept-Encoding    : 0
        Content size: 0               Content type       : 0
        Not HTTP 1.1: 0               HTTP response error: 0
        Others      : 0
        Parameter-map(s):
          con
 
   

Mitigating a Slowloris HTTP DoS Attack

Slowloris is an HTTP Denial of Service (DoS) tool written in PERL that is used to perform denial of service attacks against Apache-based servers (as well as other web services). Slowloris exhausts all available server connections by repeatedly initiating several hundred valid HTTP requests to the server and keeping these connections open using a minimal amount of TCP traffic to consume server resources. Once server resources are exhausted, the server is no longer able to respond to legitimate traffic.

Per CSCtu08459, you are now able to configure the ACE to mitigate a Slowloris HTTP DOS attack by including an HTTP parse timeout in your HTTP parameter map. With software version A5(1.2), the new set max-parse-time command has been added as protection from Slowloris DoS attacks. The default HTTP parsing timeout is set to 255 seconds, and if the ACE does not receive a GET request from the connection within 255 seconds, the HTTP parse timeout initiates and the ACE drops the connection and sends a reset to the client. You can increase this timeout maximum through the set max-parse-time command.

The syntax of this parameter map HTTP configuration mode command is as follows:

set max-parse-time time

The time argument is the time in seconds for the maximum length of the HTTP parsing timeout. Valid entries are 1 to 65535 seconds.

For example, to enter an HTTP parsing timeout of 200 seconds, enter the following:

host1/Admin(config)# parameter-map type http HTTP_MAP
host1/Admin(config-parammap-http)# set max-parse-time 200
 
   

Closing a TCP Connection in a FIN_WAIT State

You may be operating in an environment where connections do not close due to clients that fail to reply to a FIN from one or more real servers. This situation can result in the server continuing to handle the open connections (remaining in a FIN_WAIT_1 state), which, during high volume traffic, can result in the server running out of connections. As a result, the server maintains a high CPU load because it continues to wait for a FIN, ACK, or RST to close the connection. The server is unable to answer requests because it is handling the open connections.

Per CSCtr61749, the ACE now supports the ability to define a timeout in your connection parameter map for TCP connections that are in the FIN_WAIT_I state. The set tcp timeout command now includes the fast-fin option to specify the FIN timeout (in seconds). This command is available in the Admin context only.

The syntax of this parameter map connection configuration mode command is as follows:

set tcp timeout fast-fin time

The time argument is the time in seconds after which the ACE will send a timeout for TCP connections that are in a FIN_WAIT_1 state. Enter an integer from 1 to 4294967295. The default is no FIN timeout.

For example, to set a FIN timeout of 200 seconds, enter the following:

host1/Admin(config)# parameter-map type connection conn_para
host1/Admin(config-parammap-http)# set tcp timeout fast-fin 60
 
   

To return to the default state of no FIN timeout, enter the following:

host1/Admin(config-parammap-http)# no set max-parse-time
 
   

The show parameter-map command output now includes information on the state of the fast FIN timeout, as shown below:

switch/Admin#  show parameter-map 
 
   
 Number of parameter-maps : 2
 
   
 Parameter-map : CONN_MAP
 Description : -
 Type : connection
    nagle                              : disabled
    slow start                         : disabled
    buffer-share size                  : 32768
    inactivity timeout (seconds)       : 240
    reassembly timeout (seconds)       : 60
    embryonic timeout (seconds)        : 5
    ack-delay (milliseconds)           : 200
    WAN Optimization RTT (milliseconds): 65535
    half-closed timeout (seconds)      : 3600
    fast FIN timeout (seconds)         : disabled >>>>>>>>>>>>> This field has been added
    TOS rewrite                        : disabled
    syn retry count                    : 4
    TCP MSS min                        : 0
    TCP MSS max                        : 1460
    tcp-options drop range             : 0-0
    tcp-options allow range            : 0-0
    tcp-options clear range            : 1-255
    selective-ack                      : clear
    timestamp                          : clear
    window-scale                       : clear
    window-scale factor                : 0
    reserved-bits                      : allow
    random-seq-num                     : enabled
    SYN data                           : allow
    exceed-mss                         : drop
    urgent-flag                        : allow
    conn-rate-limit                    : disabled
    bandwidth-rate-limit               : disabled
 
   

Device Manager GUI Support for Deploying Layer 3/Layer 4 Class Maps with Anyv6 and Portv6 Match Conditions

Per CSCts49709, when defining Layer 3/Layer 4 network traffic class map match conditions (Config -> Virtual Contexts -> Expert -> Class Maps), you can now specify either of the following IPv6 related items:

Anyv6—Any Layer 3 or Layer 4 IPv6 traffic passing through the ACE.

Portv6—UDP or TCP port or range of ports for IPv6 traffic.

Selecting an HTTPS Certificate and Key

Secure (SSL) Hypertext Transfer Protocol (HTTPS) is used by the ACE appliance for the following functions:

Establish connectivity with the Device Manager GUI on the ACE appliance through port 443.

Send and receive XML documents between the ACE appliance and an NMS through port 10443.

Per CSCte42757, the ACE appliance allows you to specify the certificate and key that the ACE HTTP server uses during the Secure Sockets Layer (SSL) handshake. This enhancement has been provided to allow you to use your own signed certificates for the ACE appliance.

The syntax of this configuration mode command is as follows:

ip https certificate cert-name key-name

The arguments are as follows:

cert-name—Specifies the name of an existing certificate file loaded on the ACE. To list all available certificates loaded on the ACE, include the question mark (?) character after the ip https certificate command. For example:

host1/Admin(config)# ip https certificate ?
  cisco-sample-cert
  mycert.crt
 
   

key-name—Specifies the name of an existing key pair file loaded on the ACE. To list all available keys loaded on the ACE, include the question mark (?) character after the ip https certificate cert-name command. For example:

host1/Admin(config)# ip https certificate mycert.crt ?
  cisco-sample-key
  mykey.key
 
   

Use the no form of this command to restore the default certificate.

Note the following usage considerations with selecting an HTTPS certificate and key:

The ip https certificate command is available in the Admin context only.

When you select the public key to be embedded in the certificate, ensure that it matches the public key in the key pair file that you select. The ACE warns you if there is a mismatch by displaying the following error message: "Error: Mismatched key/cert pair". To verify that the public keys in the two files match, use the do crypto verify command from configuration mode.

Use the show ip https command to display the current HTTP server configuration information.

For example, to specify a certificate and key for the HTTPS server on the ACE appliance, enter the following command:

host1/Admin# config
Enter configuration commands, one per line. End with CNTL/Z.
host1/Admin(config)# ip https certificate MYCERT.PEM MYKEY.PEM
 
   

To reset the certificate and key on the HTTPS server, enter the following command:

host1/Admin(config)# no ip https certificate
 
   

Including the REMOTE_ADDR Attribute in AAA Protocol Packets (Device Manager GUI Access)

AAA provides management security for user access to the ACE appliance through a combination of authentication and accounting services. AAA informs the ACE who the user is and what the user did. The ACE performs authentication using either the local user database that resides on the ACE or a remote AAA server.

Per CSCto94205, when a user attempts to log in to the ACE appliance Device Manager GUI and be authenticated by a remote AAA server (RADIUS or TACACS+), the AAA protocol is now populated by the Device Manager GUI with the REMOTE_ADDR attribute. The REMOTE_ADDR attribute records the IP address of the remote client making the remote access request to connect the ACE as part of the Network Access Server (NAS) information.

Prior to software version A5(1.2), the REMOTE_ADDR attribute was populated correctly for remote access to the ACE by using the Secure Shell (SSH) or Telnet protocols, but it was not populated for ACE appliance DM GUI access. With the enhancement addressed in CSCto94205, the ACE now sends AAA protocol packets with the REMOTE_ADDR embedded when logging in from the DM GUI.

See Chapter 2, Configuring Authentication and Accounting Services, in the Security Guide vA5(1.0), Cisco ACE Application Control Engine for more information.

Related SNMP Changes for A5(1.2)

Per CSCto13407, the ACE provides SNMP support for the slbVServerConnectionRate OID. This OID was added to the slbVServerInfoTable table and indicates the connections per second for the virtual server.

Per CSCtl73658, the following two new MIB objects have been added to the CISCO-SLB-EXT-MIB to better track Layer 7 parsing failures:

cslbxStatsL7ParserErrorRejects

cslbxStatsMaxParseLenReject

The two new MIB objects are part of cslbxStatsTable.

Included below is a summary of the SNMP OIDs for these two objects:

cslbxStatsMaxParseLenRejects OBJECT-TYPE:

SYNTAX Counter32

UNITS "connections"

MAX-ACCESS read-only

STATUS current

DESCRIPTION

"The number of connections rejected because the length

of an HTTP request or response header exceeded the

maximum L7 parse length configured for the matching

virtual server."

::= { cslbxStatsTableEntry 18 }

cslbxStatsL7ParserErrorRejects OBJECT-TYPE:

SYNTAX Counter32

UNITS "connections"

MAX-ACCESS read-only

STATUS current

DESCRIPTION

"The number of connections rejected because an

error occurred while parsing the connection data

at Layer 7."

::= { cslbxStatsTableEntry 20 }

New Software Features in Version A5(1.0)

The ACE software version A5(1.0) release contains expanded features and functions. The new features include the following:

Dual stack:

IPv4-to-IPv4 and IPv6-to-IPv6

HTTP and DNS inspection for native IPv6-IPv6 traffic

Translation:

SLB64, SLB46 for all Layer 4 load balancing which do not require payload modifications or pinholes

NAT64, NAT46 for all TCP and UDP protocols which do not need payload modifications or pinholes

SLB64 and SLB46 support for Layer 7 load balancing for HTTP and SSL protocols.

No DNS64 or DNS46 support on ACE

Mixed IPv4 and IPv6 real server support

IPv6 addressing, including link-local, global unicast, unique local, peer, and alias addresses.

IPv6 protocol support:

Neighbor Discovery (ND)

Router Discovery (RD)

Duplicate Address Detection (DAD)

ICMPv6

DHCPv6

Application awareness: HTTP, HTTPS, and DNS

Online Certificate Status Protocol (OCSP) support for authenticating Secure Sockets Layer (SSL) offloaded sessions for both IPv6 and IPv4

DM GUI changes in A5(1.0):

Support for the IPv6 and SSL OCSP features and functions outlined above.

Updated look and feel to the DM GUI and all associated pages.

Homepage—A launching point to selected areas within the DM GUI. It appears under the Home option menu. Homepage includes quick access to a series of operational tasks, monitoring functions, Guided Setup tasks, configuration functions, and quick links to the associated user documentation.

Guided Setup—Provides a series of setup sequences that offers screen guidance and networking diagrams to simplify the configuration of the ACE appliance through the DM GUI.

Network monitoring enhancements:

Dashboards—Allows faster and more accurate assessment and analysis of device and virtual context health and usage, as well as performance. Corresponding monitoring views allow for quick access to details for further investigation into potential problems highlighted in the dashboards. Graphs, as well as monitoring screens, allow you to view historical data and compare the performance with the peer objects.

Historical Graphs—Displays data recorded during the last hour, 2-hour, 4-hour, 8-hour, 24-hour interval, or 30-day (last month) interval. There is also support for real-time charts as part of the monitoring graphs feature

Dedicated Real Server and Probe Views—Displays load-balancing information that is related to real servers and the probes that monitor the health and availability of a real server.

Topology Maps—Provide a graphical representation of an application network.

Available ACE Licenses

By default, the ACE supports the following features and capabilities:

Performance: 1 gigabit per second (Gbps) appliance throughput

Virtualization: 1 admin context and 20 user contexts

Compression: 2.0 Gbps compression

Secure Sockets Layer (SSL): 7500 transactions per second (TPS)

Hypertext Transfer Protocol (HTTP) compression: 2 Gbps

Application Acceleration: 100 connections

You can increase the performance and operating capabilities of your ACE product by purchasing one of the optional license bundles. You can order your ACE product by ordering a license bundle. Each license bundle includes the ACE appliance and a software license bundle.


Note Regardless of the license bundle you choose, the maximum application acceleration performance is fixed at 100 concurrent connections and is not configurable.


You must have the Admin role in the Admin context to perform the tasks of installing, removing, and updating the license. You can access the license and show license commands only in the Admin context.

For more information on license bundles, see the Administration Guide, Cisco ACE Appliance Control Engine.

ACE demo licenses are available through your Cisco account representative. A demo license is valid for only 60 days. At the end of this period, you must update the demo license with a permanent license to continue to use the ACE software. To view the expiration of a demo license, from the CLI, use the show license usage command in Exec mode. If you need to replace the ACE appliance, you can copy and install the licenses onto the replacement appliance.

Ordering an Upgrade License and Generating a Key

This section describes the process that you use to order an upgrade license and to generate a license key for your ACE. To order an upgrade license, follow these steps:


Step 1 Order one of the licenses from the list in the "Available ACE Licenses" section using any of the available Cisco ordering tools on cisco.com.

Step 2 When you receive the Software License Claim Certificate from Cisco, follow the instructions that direct you to the following Cisco.com website:

If you are a registered user of cisco.com, go to the following location:

http://www.cisco.com/go/license

If you are not a registered user of cisco.com, go to the following location:

http://www.cisco.com/go/license/public

Step 3 Enter the Product Authorization Key (PAK) number found on the Software License Claim Certificate as your proof of purchase.

Step 4 Provide all the requested information to generate a license key. Once the system generates the license key, you will receive a license key e-mail with an attached license file and installation instructions.

Step 5 Save the license key e-mail in a safe place in case you need it in the future (for example, to transfer the license to another ACE).


For information on installing and managing ACE licenses:

For the ACE appliance CLI, see Chapter 3, Managing ACE Software Licenses, in the Administration Guide, Cisco ACE Appliance Control Engine.

For ACE appliance Device Manager, see Chapter 2, Configuring Virtual Contexts, in the Device Manager GUI Guide, Cisco ACE 4700 Series Application Control Engine Appliance.

Performing ACE Appliance Software Upgrades and Downgrades

For detailed information on performing an ACE appliance software upgrade or downgrade, see the Upgrade/Downgrade Guide, Cisco ACE 4700 Series Application Control Engine Appliance. You can find this document at the following location on www.cisco.com:

http://www.cisco.com/en/US/products/ps7027/prod_installation_guides_list.html

Supported Browsers for ACE Appliance Device Manager

The ACE appliance Device Manager is supported on the following browsers listed in Table 1. All browsers require cookies and DHTML (JavaScript) to be enabled.

Table 1 Supported Browsers 

Browser
Version
Client Platform

Microsoft Internet Explorer

IE 7.0

Windows XP Professional with Service Pack 2 or Windows Vista with Service Pack 1

IE 8.0

Windows XP Professional with Service Pack 2, Windows Vista with Service Pack 1, or Windows 7

Firefox

3.6

Windows XP Professional with Service Pack 2, Windows Vista with Service Pack 1, or Windows 7

Red Hat Enterprise Linux 5


ACE Operating Considerations

The ACE operating considerations are as follows:

Starting with software version A4(1.0), the default connection inactivity timeout settings for the ACE have changed to the following values:

ICMP—2 seconds

TCP—3600 seconds (1 hour)

HTTP/SSL—300 seconds

UDP—10 seconds

The default HTTP and SSL ports (80 and 443) now have a default inactivity timeout of 300 seconds.

During an upgrade to software version A4(1.0) or later in a redundant configuration, we recommend that you do not run the two ACE appliances with different versions of software (split mode) for an extended period of time. However, if you must remain in split mode for a period of time to make configuration changes, we strongly recommend that you disable configuration synchronization (config sync) by entering the following command:

host1/Admin(con)# no ft auto-sync running-config
 
   

When you have finished making configuration changes to the active ACE, reenable config sync by entering the following command:

host1/Admin(con)# ft auto-sync running-config
 
   

After you reenable config sync, the ACE automatically synchronizes the configuration changes from the active ACE to the standby ACE.

We strongly recommend that you do not make any CLI changes when the ACE appliances are in a redundant configuration are running different software versions. Unexpected results may occur. Remove any new feature commands before performing a downgrade on the ACE.

Starting with software version 4(2.0), the maximum number of concurrent connections for optimization is reduced to 100 connections. If the ACE startup configuration contains the concurrent-connections command in optimize configuration mode, consider the following:

If you upgrade the ACE from a version earlier than A4(2.0), the ACE software ignores the configured command and sets it to 100 connections.

If you downgrade the ACE to a version earlier than A4(2.0), the command is removed from the startup configuration and you must reconfigure it after the downgrade process is completed.

Starting with software version A4(1.0), it is no longer necessary to configure a resource class in the Admin context to allocate resources for stickiness. You can still allocate sticky resources if you wish, but skipping this step will not affect sticky functionality.

When redundant ACEs lose connectivity, for example due to a network interruption, and they attempt to reestablish their connection, if you enter the show ft command during this time, the response for this command may be delayed.

In a redundant configuration, dynamic incremental sync is a form of config sync that copies configuration changes that you make on the active ACE to the standby ACE when the two ACEs are running the same version of software and when both ACEs are up. When you upgrade from one major release of ACE software to another major release (for example, from A3(2.0) to A4(1.0)) or later, dynamic incremental sync is automatically disabled only while the active ACE is running software version A4(1.0) and the standby ACE is running software version A3(2.0). See Table 2.

We recommend that you do not make any configuration changes during this time and that you do not keep the ACEs in this state for a long time. However, if you must make configuration changes while the ACEs are in split mode, ensure that you manually synchronize to the standby ACE any configuration changes that you make on the active ACE. After you complete the software upgrade of both ACEs, a bulk sync occurs automatically to replicate the entire configuration of the new active ACE to the new standby ACE. At this time, dynamic incremental sync will be enabled again. For details about config sync, see Chapter 6, "Configuring Redundant ACEs" in the Administration Guide, Cisco ACE Appliance Control Engine.

Table 2 Redundancy Feature Availability Between Major ACE Software Versions

Platform
Active
Standby
Bulk Sync
Incr Sync
Conn Repl
Sticky Repl
Operation
Comments

Appliance

A3(x)

A5(x)

Yes

No

Yes

Yes

Upgrade

Appliance

A4(1.x)

A5(x)

Yes

No

Yes

Yes

Upgrade

Appliance

A4(2.x)

A5(x)

Yes

No

Yes

Yes

Upgrade

Appliance

A5(x)

A3(x)

Yes

No

Yes (IPv4 flows)

Yes (IPv4 flows)

Downgrade

Standby supports only IPv4

Appliance

A5(x)

A4(1.x)

Yes

No

Yes (IPv4 flows)

Yes (IPv4 flows)

Downgrade

Standby supports only IPv4

Appliance

A5(x)

A4(2.x)

Yes

No

Yes (IPv4 flows)

Yes (IPv4 flows)

Downgrade

Standby supports only IPv4


Starting in version A1(8.0), the ACE introduced the STANDBY_WARM and WARM_COMPATIBLE redundancy states to handle any CLI incompatibility issue between peers during the upgrading and downgrading of the ACE software. When you upgrade or downgrade the ACE software in a redundant configuration with a different software version, the STANDBY_WARM and WARM_COMPATIBLE states allow the configuration and state synchronization process to continue on a best-effort basis. This basis allows the active ACE to synchronize configuration and state information to the standby ACE even though the standby ACE may not recognize or understand the CLI commands or state information. These states allow the standby ACE to come up with best-effort support. In the STANDBY_WARM state, as with the STANDBY_HOT state, configuration mode is disabled on the standby ACE and configuration and state synchronization continues. A failover from the active ACE to the standby ACE based on priorities and preemption can still occur while the standby is in the STANDBY_WARM state.

When redundancy peers run on different version images, the SRG compatibility field of the show ft peer detail command output displays WARM_COMPATIBLE instead of COMPATIBLE. When the peer is in the WARM_COMPATIBLE state, the FT groups on standby go to the STANDBY_WARM state instead of the STANDBY_HOT state.

The following software version combinations in Table 3 indicate whether the SRG compatibility field displays WARM_COMPATIBLE (WC) or COMPATIBLE (C):


Note By default, software versions are considered compatible unless they are explicitly declared as incompatible.


Table 3 Software Release Compatibility Matrix 

Active ACE Software Version
Standby ACE Software Version
A3(2.3)
A3(2.4)
A3(2.5)
A3(2.6)
A3(2.7)
A4(1.0)
A4(1.1)
A4(2.0)
A4(2.1)
A4(2.2)
A5(1.0)
A5(1.1)
A5(1.2)
A3(2.1)

WC

WC

WC

WC

WC

WC

WC

WC

WC

WC

WC

WC

WC

A3(2.2)

WC

WC

WC

WC

WC

WC

WC

WC

WC

WC

WC

WC

WC

A3(2.3)

C

WC

WC

WC

WC

WC

WC

WC

WC

WC

WC

WC

WC

A3(2.4)

WC

C

WC

WC

WC

WC

WC

WC

WC

WC

WC

WC

WC

A3(2.5)

WC

WC

C

WC

WC

WC

WC

WC

WC

WC

WC

WC

WC

A3(2.6)

WC

WC

WC

C

WC

WC

WC

WC

WC

WC

WC

WC

WC

A3(2.7)

WC

WC

WC

WC

C

WC

WC

WC

WC

WC

WC

WC

WC

A4(1.0)

WC

WC

WC

WC

WC

C

WC

WC

WC

WC

WC

WC

WC

A4(1.1)

WC

WC

WC

WC

WC

WC

C

WC

WC

WC

WC

WC

WC

A4(2.0)

WC

WC

WC

WC

WC

WC

WC

C

WC

WC

WC

WC

WC

A4(2.1)

WC

WC

WC

WC

WC

WC

WC

WC

C

WC

WC

WC

WC

A4(2.2)

WC

WC

WC

WC

WC

WC

WC

WC

WC

C

WC

WC

WC

A5(1.0)

WC

WC

WC

WC

WC

WC

WC

WC

WC

WC

C

WC

WC

A5(1.1)

WC

WC

WC

WC

WC

WC

WC

WC

WC

WC

WC

C

WC

A5(1.2)

WC

WC

WC

WC

WC

WC

WC

WC

WC

WC

WC

WC

C


The ACE requires a route back to the client before it can forward a request to a server. If the route back to the client is not present, the ACE cannot establish a flow and drops the client request. Make sure that you configure the appropriate routing to the client network on the ACE VLAN where the client traffic enters the ACE appliance.

When you downgrade the ACE software, the features and commands of the higher release are lost because they are not supported by the lower release.

If you are using the Application Networking Manager (ANM) to manage an ACE appliance and you configure a named object at the ACE CLI, ANM does not support all of the special characters that the ACE CLI supports for a named object. If you use special characters that ANM does not support, you may not be able to import or manage the ACE using ANM.

When naming ACE objects (such as a real server, virtual server, parameter map, class map, health probe, and so on) for use with ANM, enter an alphanumeric string of 1 to 64 characters, which can include the following special characters: underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed.

When you remove a NAT pool configuration, wait more than five seconds before adding a NAT pool with the same ID.

ACE Documentation Set

You can access the ACE appliance documentation on www.cisco.com at:

http://www.cisco.com/en/US/products/ps7027/tsd_products_support_series_home.html

For information about installing the Cisco ACE 4710 appliance hardware, see the following documents on Cisco.com:

Document Title
Description

Cisco 4710 Application Control Engine Appliance
Hardware Installation Guide

Provides hardware information for installing the Cisco ACE 4710 appliance.

Regulatory Compliance and Safety Information for the Cisco 4710 Application Control Engine Appliance

Provide regulatory compliance and safety information for the Cisco ACE 4710 appliance.


To familiarize yourself with the ACE appliance software, see the following documents on Cisco.com:

Document Title
Description

Release Note for the Cisco 4700 Series Application Control Engine Appliance

Provides information about operating considerations and caveats for the ACE.

Getting Started Guide, Cisco ACE 4700 Series Application Control Engine Appliance

Describes how to use the ACE appliance Device Manager GUI and CLI to perform the initial setup and configuration tasks.

Upgrade/Downgrade Guide, Cisco ACE 4700 Series Application Control Engine Appliance

Describes how to perform the following ACE software upgrade/downgrade tasks:

Upgrade scenarios

Effects of upgrading or downgrading

Ordering an upgrade license and generating a key

Upgrading your ACE software in a redundant configuration

Downgrading your ACE software in a redundant configuration


For detailed configuration information on the ACE appliance Device Manager, see the following software documents on Cisco.com:

Document Title
Description

Device Manager GUI Guide, Cisco ACE 4700 Series Application Control Engine Appliance

Describes how to use the ACE appliance Device Manager. The Device Manager resides in Flash memory on the ACE appliance to provide a browser-based graphical user interface for configuring and managing the ACE.


For detailed configuration information on the ACE CLI, see the following software documents on Cisco.com:

Document Title
Description

Administration Guide, Cisco ACE Appliance Control Engine

Describes how to perform the following administration tasks on the ACE:

Setting up the ACE

Establishing remote access

Managing software licenses

Configuring class maps and policy maps

Managing the ACE software

Configuring SNMP

Configuring redundancy

Configuring the XML interface

Upgrading the ACE software

Application Acceleration and Optimization Guide, Cisco ACE 4700 Series Application Control Engine Appliance

Describes the configuration of the application acceleration and optimization features of the ACE. It also provides an overview and description of the application acceleration features and operation.

Cisco Application Control Engine (ACE) Configuration Examples Wiki

Provides examples of common configurations for load balancing, security, SSL, routing and bridging, virtualization, and so on.

Cisco Application Control Engine (ACE) Troubleshooting Wiki

Describes the procedures and methodology in wiki format to troubleshoot the most common problems that you may encounter during the operation of your ACE.

Command Reference, Cisco ACE Application Control Engine

Provides an alphabetical list and descriptions of all CLI commands by mode, including syntax, options, and related commands.

Routing and Bridging Guide, Cisco ACE Application Control Engine

Describes how to perform the following routing and bridging tasks on the ACE:

Ethernet interface ports

VLAN interfaces

IPv6, including transitioning IPv4 networks to IPv6, IPv6 header format, IPv6 addressing, and supported protocols

Routing

Bridging

Dynamic Host Configuration Protocol (DHCP)

Security Guide, Cisco ACE Application Control Engine

Describes how to perform the following ACE security configuration tasks:

Security access control lists (ACLs)

User authentication and accounting using a Terminal Access Controller Access Control System Plus (TACACS+), Remote Authentication Dial-In User Service (RADIUS), or Lightweight Directory Access Protocol (LDAP) server

Application protocol and HTTP deep packet inspection

TCP/IP normalization and termination parameters

Network Address Translation (NAT)

Server Load-Balancing Guide, Cisco ACE Application Control Engine

Describes how to configure the following server load-balancing tasks on the ACE:

Real servers and server farms

Class maps and policy maps to load balance traffic to real servers in server farms

Server health monitoring (probes)

Stickiness

Dynamic workload scaling (DWS)

Firewall load balancing

TCL scripts

SSL Guide, Cisco ACE Application Control Engine

Describes how to configure the following Secure Sockets Layer (SSL) tasks on the ACE:

SSL certificates and keys

SSL initiation

SSL termination

End-to-end SSL

System Message Guide, Cisco ACE Application Control Engine

Describes how to configure system message logging on the ACE. This guide also lists and describes the system log (syslog) messages generated by the ACE.

Virtualization Guide, Cisco ACE Application Control Engine

Describes how to operate your ACE in a single context or in multiple contexts.

Cisco CSS-to-ACE Conversion Tool User Guide

Describes how to use the CSS-to-ACE conversion tool to migrate Cisco Content Services Switches (CSS) running-configuration or startup-configuration files to the ACE.


For detailed configuration information on Cisco Application Networking Manager (ANM), see the following software document on Cisco.com:

User Guide, Cisco Application Networking Manager

Describes how to use Cisco Application Networking Manager (ANM), a networking management application for monitoring and configuring network devices, including the ACE.


Software Version A5(1.2) Resolved Caveats, Open Caveats, Command Changes, and System Log Messages

This release note includes resolved and open caveats that have a severity level of Sev1, Sev2, and customer-use Sev 3. The following sections contain the resolved and open caveats in software version A5(1.2):

Software Version A5(1.2) Resolved Caveats

Software Version A5(1.2) Open Caveats

Software Version A5(1.2) Command Changes

Software Version A5(1.2) System Log Messages


Note Some caveats may have more than one number. A number in parentheses is a caveat number that was associated with the previous software release that now has another number for A4(2.0) and later releases.


Software Version A5(1.2) Resolved Caveats

The following resolved caveats apply to software version A5(1.2):

CSCsz08381—When a nontypical Layer 4 type packet is fragmented and the ACE reassembles it, the first 4 bytes of the Layer 4 header on the reassembled packet become corrupted. Workaround: To avoid reassembly, do not fragment the packet.

CSCte79279—When you display the statistics for a policy map using the show service-policy summary command, you may see "N/A" in the command output. For example:

host1/Admin# show service-policy L4-policy summary
cMap-Any                         17.1.1.10       any   any                       
OUT-SRVC
N/A 
 
   

Workaround: None.

CSCtg80762—When you use a management tool for ACE XML formatting using a script, the ACE may add four extra lines to the XML output. You can see the extra lines when you enter the show service-policy detail command. The failure is specific to the context where you have performed the formatting. Workaround: Divide the policy map where the VIP is configured.

CSCtg87855—After you change the configuration in a large ACE configuration and enter show commands, the CLI becomes unresponsive for a period of time. In this case, the show processes cpu | include cfgmgr command displays one of the configuration manager (cfgmgr) processes consuming CPU resources. After you apply the configuration change, the cfgmgr CPU usage goes to zero, and the CLI becomes unresponsive. Workaround: Wait until the cfgmgr completes its previous operation before entering the show command.

CSCti85313—When using the sticky-serverfarm command to specify that all requests that match a Layer 7 policy map are load balanced to a sticky server farm, if a server farm goes down, the ACE fails to display the following system message:

%ACE-5-441003: Serverfarm (name) failed in policy_map (policy_name) --> class_map 
(cmap_name) without backup. Number of failovers = count1, number of times back in 
service = count2
 
   

Workaround: None.

CSCtj01818— When the ACE performs a configuration rollback for a configuration that contains a large number of ACLs, the ACE may display the following system error message:

%ACE-3-440003: Deletion failed for RedInfoTable. 
 
   

This behavior can occur when you specify the no associate context or no ft group commands. Workaround: None.

CSCtj12692—You configure the ACE with 4000 sticky groups and do not allocate a sticky resource class. The sticky resource values are the default: minimum of 0 and a maximum of unlimited. When the sticky database has 800,000 entries, you create a sticky resource class to a minimum value equal to 20 percent and apply it to the context. After a few minutes the ACE becomes unresponsive and reboots. Workaround: Do not change the resource class when you configure a large number of sticky groups and the database is full with active entries.

CSCtk94447—When you enable AAA authentication and remote accounting for TACACS on the ACE and perform the following, the ACE reboots:

a. Verify the creation of a user by using the show users and show user-account commands.

b. Verify AAA accounting.

c. Enter the no username name command.

Workaround: None.

CSCtl45638—When you configure usernames with the ACE default roles, a user with the Network-Monitor role does not have access to some commands. Workaround: Assign the user with the admin role.

CSCtl56689—Log-in to the ACE appliance Device Manager fails when a TACACS server is set up with a network filter for client IP address(es). Workaround: Remove the TACACS filter running on the network.

CSCtl68891—When you configure a real server on the ACE, assign it an IP address, place it in service, and then delete it, the ACE generates an unnecessary trap. When the real server state changes from ARP-FAILED to operational, the ACE generates the CesRServerStateUp trap. Workaround: None.

CSCtn25383—When you configure a server farm with a scripted probe for health monitoring and scripted probes fail, the ACE does not generate level 3 health probe failed error messages. If you configure SNMP traps, the SNMP device logs the probe failures but the ACE does not generate them in the system log. The expected level 3 message is similar to the following:

%ACE-3-251015 Scripted probe failed for server ip_address, error message. 
 
   

Workaround: None.

CSCtn31362—When the remote AAA server is configured in multiple contexts and XML requests through HTTP are sent to multiple contexts, occasionally, the ACE reboots when the AAA daemon becomes unresponsive. For this configuration, the structure for the session is getting freed. After freeing, the session.vcid element is used for printing, causing the AAA daemon to become unresponsive. Also, the other local variable is used for printing. Workaround: None.

CSCtn54768—A HM socket leak can trigger an out-of-socket condition when the socket resource limit for HM is reached. When this issue occurs, probes fail due to the out-of-socket condition. You can verify this condition by using the show hm-internal wrkthread-stats command. Workaround: None.

CSCtn96103— When the following banner motd configurations trigger a config-sync error, the standby ACE transitions to the FSM_FT_STATE_STANDBY_COLD state with a command parse error:

h(H)ostname and a space character:

switch/Admin(config)# banner motd #  
Enter TEXT message. End with the character '#'. 
> hostname <--------------<SPACE> 
 
   

h(H)ostname, a space character, and any character:

switch/Admin(config)# banner motd #  
Enter TEXT message. End with the character '#'.  
> hostname a   
 
   

Workaround: Add a colon (:) after the h(H)ostname, for example:

> hostname: <--------------<SPACE>

> hostname: a

CSCto81777—When you use the CLI to configure a probe on the ACE, you cannot remove the open statement. You may also find that even if you did not configure values for probe interval, passdetect interval, and open timeout, those values appear in the ACE running configuration. Workaround: None.

CSCto94539—When you configure probes on the ACE, they unexpectedly stop working and an out of socket condition is reported. An additional syslog is provided to further troubleshoot this type of issue. Workaround: Take the probe out of service and place it back in service. If this action does not resolve the issue, remove the probe from the configuration and reconfigure it.

CSCtq24092—When the ACE imports PEM-encoded SSL certificates or keys with lines that wrap over 70 characters through a terminal, the ACE fails to install the certificate or key. Workaround: Import the certificate remotely through FTP or TFTP.

CSCtq38048—If you find that a restore fails due to an error (for example, if you have nonexportable keys that are missing in the backup), the restore process halts and none of the remaining contexts are restored. This behavior typically occurs during restore due to nonexportable keys missing in the backup. Workaround: None.

CSCtq40340—A half-opened connection (ESTAB/CLOSED) is created on the ACE. Upon receiving a SYN, the ACE sometimes fails to respond with the ACK for the SYN and silently drops the SYN. Without the ACK, the client continues to resend a SYN and the existing entry is never purged until the connection inactivity timer reaches the timeout for idle TCP connections. Workaround: None.

CSCtq64174—After performing a reload of the ACE, you may find that the no arp learned-mode enable command is not shown in the show running-config command output. The arp learned-mode enable command is an ACE default, so it is shown in the running-configuration file only when the command is disabled; the show running-config command output displays "no arp learned-mode." When an ACE reload occurs, this configuration is copied to the startup-config file. After an ACE reload when the startup-config file is applied to the ACE, the no arp learned-mode command generates an error because it is an incomplete command. Workaround: Specify the no arp learned-mode enable command in configuration mode, and then specify the show running-config command. The no arp learned-mode enable command should now appear in the show running-config command output.

CSCtq70223—The ACE sends TACACS+ accounting information in two lines making it slightly more difficult to use the | grep operator. The | grep operator filters CLI command output to display only the output containing the lines of text that match the specified text.

In the example shown below, "cmd=" is the start of the new line.

Mon May 23 11:49:26
2011 mnl-1slb-01 jwacase 3000 unknown stop task_id=/dev/pts/0_1306171095 stop_time=Mon 
May 23 17:49:26 2011
cmd=0:show runn service=none
 
   

Workaround: None.

CSCtq73968—In a redundant configuration, the active and standby ACEs display policy map statements in reverse order. For example:

Active ACE:

policy-map type loadbalance first-match ERP-HCMTSTVIP-POLICY
  class class-default
    sticky-serverfarm NEW
    insert-http WL-Proxy-SSL header-value "true"
    insert-http WL-Proxy-Client-IP header-value "%is"
 
   

Standby ACE:

policy-map type loadbalance first-match ERP-HCMTSTVIP-POLICY
  class class-default
    sticky-serverfarm NEW
    insert-http WL-Proxy-Client-IP header-value "%is"
    insert-http WL-Proxy-SSL header-value "true"
 
   

Workaround: None.

CSCtq80722—When you configure a real server in service and have it remain inactive until the primary real server fails (the inservice standby command), the ACE config manager may become unresponsive and the ACE reboots. The following system messages may appear:

%ACE-2-443001: System experienced fatal failure.Service name:cfgmgr(x) has terminated 
on receiving signal 8,system will not be reloaded
%ACE-2-443001:System experienced fatal failure.Service name:cfgmgr(x) crashed, last 
core saved,system will not be reloaded
%ACE-2-199006: Orderly reload started at xxx by System. Reload reason: Service 
"cfgmgr"
 
   

This issue can occur when you use the leastconns, least-loaded, or response predictor to define how the ACE selects a real server in a server farm to service a client request. Workaround: Use the roundrobin predictor for the affected server farm.

CSCtr31749With the ACE configured for no normalization on an interface and IP sticky, when the ACE receives packets such as TCP Resets, the connections and sticky entries that are created can cause high CPU conditions. Workaround: Perform one of the following actions to resolve this issue:

Specify normalization on the interface (unless you are using DSR to provide protection against Distributed Denial of Service (DDoS) attacks on an interface).

Remove sticky from the configuration.

CSCtr62421—The ACE may become unresponsive and reboot due to low system memory issues. Workaround: None.

CSCtr62530—When a NAT pool is applied and then removed from a VLAN interface, these actions corrupt the Route table in the ACE. This issue happens when the same NAT pool is applied to multiple VLAN interfaces, and that NAT pool is removed from the first VLAN interface while it is still applied on the second VLAN interface. Workaround: None.

CSCtr83034—In a redundant configuration, after you specify the no inservice command followed by the inservice command for a real server in a server farm, both ACEs become unresponsive and then reboot. Workaround: None.

CSCtr93395—When UDP Booster is enabled on the ACE to load balance DNS traffic, the source IP address does not appear in the show conn command output.

host1/Admin# show conn
conn-id    np dir proto vlan source               destination           state
----------+--+---+-----+----+---------------------+---------------------+-----
101646    1  in  UDP   302  0.0.38.114:0         80.58.61.250:53       -
 
   

Workaround: None.

CSCtr94589—In a redundant configuration, where contexts are active on both the active and standby ACEs with connection replication and implicit PAT, you may find that TCP port numbers are being reused too quickly. When this issue occurs, the next TCP port number can become corrupted. Workaround: Make all contexts active only on the active ACE.

CSCtr96229—When you remove a resource class that is associated with a specific context, the ACE may reboot. This issue is related to the number of contexts in the ACE when the ACE is configured with several contexts and when a resource class that is associated with one of the contexts requires a sticky limit. When the ACE LB module attempts to remove the sticky entries from the free list, it first determines if there is a starving context that is waiting for resources by walking through a link list of contexts, which consumes the ACE CPU time. This behavior does not occur if the resource class does not include any limits for sticky.

Workaround: We recommend that you do not change the resource class when there is a large number of contexts or sticky groups configured in the ACE, or that you gradually change the limit in the resource class if you have configured a sticky limit.

CSCts00376—While you attempt to copy a running-configuration file to the ACE from a remote server using TFTP, the ACE displays a "cmd exec error" on the console. The ACE should display an error message when there is a failure in applying the running-configuration file. Workaround: None.

CSCts08972—Control Plane (CP) management access stops when the Configuration Manager (CFGMGR) becames unresponsive while the ACE attempts to compile the regex expression contained in the following command:

ssl url rewrite location ^gdsp[\].* sslport 443 clearport 80
 
   

Similar issues can occur because the CFGMGR consumes a large portion of the CP CPU when compiling certain regex expressions. Workaround: Reboot the ACE and use the alternate regex expression:

ssl url rewrite location ^gdsp\.* sslport 443 clearport 80
 
   

CSCts14335—In a redundant configuration, entering the np session disable debug command puts the active ACE into the STANDBY_COLD state. Workaround: This debug command is intended only for internal debugging. Do not use the np session disable debug command.

CSCts19247—When using the ACE appliance Device Manager GUI, if you create a class map condition from the ACE CLI that includes a space in an HTTP URL, that class map will not appear in the DM GUI. Workaround: Use the ACE appliance DM GUI if you need to create a class map condition that includes a space in an HTTP URL match.

CSCts24977—The service name:snmpd(1395) terminates upon receiving signal 8. This issue can occur when polling the ACE CPU utility MIB in a loop; the snmpd process can become unresponsive and cause the ACE to reload. For this particular issue, the OID polled was .1.3.6.1.4.1.9.9.480.1.1.7.1. Workaround: Do not poll the ACE CPU utility MIB continuously in a loop.

CSCts29208—With one or more sticky groups and failaction reassign configured under one of the server farms, the ACE may experience the load balance issue while incrementing real server connection counts. Workaround: When this behavior occurs, do not configure the failaction reassign command with the server farm.

CSCts41389—A denial of service vulnerability has been found in the way the multiple overlapping ranges are handled by the Apache HTTPD server. Multiple Cisco products could be affected by this vulnerability.

Mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Intelligence companion document for this Advisory:

http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=24024

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20110830-apache.shtml.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.0/3.3:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:P/I:N/A:N/E:F/RL:OF/RC:C

CVE ID CVE-2011-0956 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

CSCts53405—After forwarding the real server's first response packet to the client, the ACE waits for the client to send an ACK to the first response packet before forwarding subsequent server response packets. Workaround: Use the set tcp wan-optimization rtt command to allow you to control how the ACE applies TCP optimizations to packets on a connection associated with a Layer 7 policy map.

CSCts58029—In a redundant configuration, if a context has "priority" as part of its name, this causes the Admin context to go to STANDBY COLD state. The issue is encountered only during a bulk synchronization. Workaround: Delete any context that includes "priority" in its name and rebuild it with a new name.

CSCts64847—The ACE appliance allows only the Admin user to use the show environment temperature command. Another user with an admin role is unable to specify this command and the ACE returns the following error:

ACE_Appliance/Admin# show environment temperature
Could not open device at /dev/ipmidev or /dev/ipmi/0 or /dev/ipmidev/0: 
Not a directory
Get Device ID command failed
Unable to open SDR for reading
 
   

Workaround: Use the default Admin user to run the show environment temperature command.

CSCts67210—In a redundant configuration, the ACE appliance allows only FT group numbers 1 to 63 to be configured; however, the ACE module supports FT group numbers 1 to 255. Workaround: None.

CSCts68281—When using a custom configured HTTPS health probe on the ACE, you may encounter the following error message:

%ACE-3-400001: MSS mismatch from 10.0.5.193:443 (1380) to 127.1.2.34:64571 (1460) on 
interface vlan40
 
   

Workaround: The only thing that will stop the errors is to un-apply the Remove the custom HTTPS probe from the server farm to stop the error condition.

CSCts69941—With a large configuration containing a large number of contexts, interfaces, and ACLs (including a merge of individual ACLs into one large ACL), the ACE can become unresponsive 10 to 15 minutes after booting. Workaround: Specify the show np 1 access-list resource command after you boot the ACE. Confirm if the Leaf Parameter nodes exceeds 400K and the policy action nodes exceeds 200K (recommended values are 200K and 100K, respectively). If one of these nodes exceeds the specified value, remove the merged ACLs and associated contexts until this threshold is not exceeded in the show np 1 access-list resource command output.

CSCts79939—The following rewrite configuration does not successfully rewrite any instances of "http" under some scenarios:

action-list type modify http REWRITE
  header rewrite response Location header-value "(.*)http(.*)" replace "%1https%2"
 
   

While parsing the Location header, the ACE stops parsing after encountering any instance of the first letter in the match string ("h"). At that point, the ACE does not complete the match or perform the rewrite. Workaround: None.

CSCts98720—In an application where the ACE is performing firewall load-balancing with two server farms (where one server farm is for user traffic and the one is for BGP traffic sent to the firewalls), when the ACE performs a failaction reassign and then undoing the failaction, the ACE incorrectly moves a user connection to the BGP dedicated server farm. Workaround: None.

CSCtt02508—An end-to-end SSL TCP connection encounters issues while uploading a large (approximately 4.5 GB) file through an ACE VIP that is configured for end-to-end SSL. Simultaneous front and back-end traces show that the ACE brings the TCP window to zero on the client side but does not send any further data toward the server on the back-end side even though the last TCP window update from the server is 65K. The upload stops and never resumes after that. Note that this issue is not seen with a Layer 4 server load-balancing VIP configuration. Workaround: None.

CSCtt14768— The ACE may start dropping connections due to an unavailable buffer. This issue is related to improper handling of an HTTP GET request to the ACE VIP. The issue is verified only if you enable Layer 7 application inspection. You will notice the connection buffer utilization is slowly increasing. Workaround: Clear the connection to clear all stale connections and to release the buffer.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.0/3.3:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:P/I:N/A:N/E:F/RL:OF/RC:C

CVE ID CVE-2011-0956 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

CSCtt24046—When the ACE performs multiple simultaneous SNMP requests on the cpmProcessTable, this may result in an SNMP timeout. Workaround: Perform only sequential SNMP requests on Cisco Process MIB.

CSCtt42497—When performing Layer 7 server load balancing with a configuration that includes a combination of sticky, server connection reuse, and persistence-rebalance, bad HTTP requests may occur on the server as Layer 7 HTTP packets are sent out of order. Packets sent out of order cause the server to drop the packets or tag the request as malformed. Workaround: Disable the server-conn reuse command.

CSCtt47587—HTTPS probes fail only for IIS servers with client certificates mode "Accept client certificates." In this case, IIS servers with "ignore client certificates" are not impacted.

Workaround: Perform one of the following actions:

Configure the IIS server to "ignore client certificates."

Configure a TCP probe instead of an HTTPS probe.

CSCtu01626—The HTTP probe with a regex search string fails when the HTTP header is split into two packets. When this issue occurs, HTTP probes pass and fail intermittently. Workaround: The server needs to send the entire header in one receive packet and not split the header into two packets.

CSCtu03063—The ACE appliance may encounter leaking 64k buffers on the NP which, when it reaches above 75%, stops passing traffic. This behavior occurs whenever a UDP port 69 probe succeeds. Note that when the probe fails, the buffer does not leak.

An example of the show np buffer usage command is as follows:

ACE/Admin# show np 1 buffer usage
Total Internal Buffer    : 155648
Internal Buffer Used     : 145139
Percentage of Buffer Used: 93.25%
Automatic reload         : disabled
 
   

This system message appears when this condition occurs:

 
   
ACE %ACE-3-443004:Available NP 1 buffer reached below 12 percent threshold, Total 
buffer:155648, Available Buffer:11694
 
   

Workaround: To set threshold levels for the NP buffers in the active and the standby ACEs and cause the active ACE to reboot if the thresholds are reached or exceeded, use the buffer threshold command.

CSCtu27310— With the ACE configured in bridge mode, a DHCP client on a VLAN located behind the ACE, is unable to obtain a lease from a DHCP server located in front of the ACE. This behavior happens only with a Linux-based DHCP server. Workaround: Use a different DHCP server with a broadcast reply (not a unicast reply).

CSCtu30517 With switch-mode enabled on a shared interface with SYN-cookie-based DoS protection configured, embryonic connections are not counted properly in the show syn-cookie output. Workaround: None.

CSCtu34037— User context configurations (including certificates and keys) are lost after the ACE reloads. When this issue occurs, the Admin context configuration is reduced to the minimal, initial configuration. This issue can occur when you specify the reload command, or if the FT link is interrupted by high CPU usage on the switch that the ACE is connected to. Workaround: None.

CSCtu34163—You attempt to establish a remote SSH connection to the ACE and the ACE reboots and then generates a SSHD core file. Workaround: None.

CSCtu36146—The ACE becomes unresponsive due to a configuration manager (Cfgmgr) process failure with the last boot reason: Service "cfgmgr."

The following example system error log messages may appear shortly before the ACE reloads:

MG6509:7:Admin 443001 Critical 24-Oct-2011 08:29:09 System experienced fatal 
failure.Service name:cfgmgr(1050) has terminated on receiving signal 11,system will 
not be reloaded 
 
   
MG6509:7:Admin 443001 Critical 24-Oct-2011 08:30:23 System experienced fatal 
failure.Service name:cfgmgr(1050) crashed, last core saved,system will not be reloaded
 
   
MG6509:7:Admin 199006 Critical 24-Oct-2011 08:30:31 Orderly reload started at Mon Oct 
24 13:30:28 2011 by System. Reload reason: Service "cfgmgr"
 
   

Workaround: None.

CSCtu40720—When using an HTTP probe for the ACE, if the response (not the header) contains "content-length: 0," the ACE fails the HTTP probe with an "Unrecognized or invalid response" even if the response is 200 ok from the server. Workaround: Perform one of the following actions to resolve this issue:

Remove the dash "-" from "content-length" ("contentlength") in the probe response from the server.

Use HEAD instead of GET in the URL request method.

CSCtv12765 (CSCtx25605)—When you have a Layer 7 class map that includes multiple access-list matches, the ACE may send resets to a VIP that has multiple Layer 7 matches. Workaround: Remove the ACL class map(s) from your ACE configuration.

CSCtw53737—When using an outbound access-group on a VLAN interface, traffic that is is explicitly permitted in the configuration may be dropped. HTTPS probes may also become unresponsive for specific real servers while TCP probes continue to work. When this behavior occurs, the following example system message may appear:

%ACE-4-106023: Deny tcp src vlanxxxx xxx.xxx.xxx.xxx/xxxxx dst 
undetermined:xxx.xxx.xxx.xxx/xxxx by access-group "<name>" [0xffffffff, 0x0] 
 
   

Workaround: Use an inbound access-group on the VLAN interface.

CSCtw76940—You may find that double quotations in a description are replaced by spaces. For example, if you configure description t"e"st, this description is displayed as description t e st in the show running configuration command output as follows:

(config-if)# description t"e"st
(config-if)# do sh run | i desc 
Generating configuration....
  description t e st
 
   

You may encounter this behavior when strings between double quotations do not include a space. This show output display issue does not occur if you insert a space between the double quotations (for example, description t" e"st). In this case, a space is inserted between " and e. For example:

(config-if)# description t" e"st
(config-if)# do sh run | i desc
Generating configuration....
  description t " e" st
 
   

Workaround: None.

CSCtw84303—The ACE downloads the CRL for the first time from the specified CRL download location. However, subsequent updates are not attempted after the ACE NextUpdate timer expires. Workaround: None.

Software Version A5(1.2) Open Caveats

The following open caveats apply to software version A5(1.2):

CSCtd42287—When the ACE is running with the maximum limit of 8K static entries and you remove a service policy from an interface and quickly readd it, the ACE removes the statements from the NAT policies. Workaround: Provide ample time between removing a service policy from an interface and then readding it.

CSCte76618—When traffic traverses the ACE with the same source and destination port and dynamic NAT for that traffic is enabled, the ACE performs an implicit PAT. This behavior interrupts some sessions. This problem does not occur when NAT is not involved. Workaround: If possible, disable dynamic NAT.

CSCtf54230—When Layer 2 connected real servers are in the arp-failed state and probes are attached to all of them or the ACE is running a high rate of traffic that generates many mac-miss IPCP messages, FT may appear to fail after several hours. Workaround: Remove the real servers in the arp_failed state or make sure that most of the real servers are UP.

CSCtg67860—When you configure multiple track probes in two user contexts and enter the show cfgmgr internal table track-probe command, the ACE becomes unresponsive due to a Cfgmgr process failure. Workaround: None.

CSCth16258—The snmpwalk or bulkwalk command on the SSL proxy MIB always returns a timeout. Currently, there is no tnrpc call to fetch data. The number of statistics has increased to string parsing and is taking more time. The default timeout is one second and it is not responding within one second. Workaround: Increase the timeout value.

CSCth74700—Connectivity to the real server may be lost when you configure the following:

A client and server side VLAN on the ACE

A real server and ensure that it is Layer 2 reachable

A static route with a /32 mask to reach the real server through another interface

Workaround: Remove and reconfigure the real server.

CSCti28255—When a real server state transitions to UP from a probe-failed or ARP-failed state, the ACE generates the CISCO-ENHANCED-SLB-MIB:cesRserverStateUp trap. However, if the real server goes down due to a probe-failed or ARP-failed state, the ACE generates the CISCO-ENHANCED-SLB-MIB:cesRserverStateChange trap. Workaround: None.

CSCtj00826—If the ACE is running a large number of HTTP or HTTPS probes when probing a file approximately a megabyte in size, the ACE reboots. The following message may precede the reboot:

System running low on direct mapped memory 
Please issue 'show system kcache' to diagnose further
 
   

Workaround: Reduce the size of the file being probed when running a large number of probes on the ACE.

CSCtj60979—The ACE suddenly reloads with the reason identified as "me-dumper crash." In rare cases, the show np 1 me-stats command causes the me-dumper crash. Workaround: None.

CSCto76442—When you configure a new IPv6 duplicate address attempt for an interface through the ipv6 nd dad-attempts command, you may find that the value does not take effect. Workaround: Specify a shut/no shut command sequence on the interface to reenable the interface. We recommend that prior to specifying a shut/no shut command sequence that you keep track of the current traffic movement on the interface.

CSCtr09972SNMP queries are incomplete with the error "snmpwalk: Unknown user name." This behavior is encountered when doing an snmp walk on the following object identifier (OID) cpmProcessExtRevTable on two contexts simultaneously. Workaround: None.

CSCtr56096—You may observe that the sticky-conns counter in the show serverfarm detail command output displays a nonzero value when there are no current connections. The sticky-conns counter displays the number of active connections when using sticky and gets updated when there are one or more active (current) connections. Workaround: None.

CSCtr58692—You may find that configuring the fail-on-all command, followed by a probe, for a real server does not function properly. Workaround: After adding or removing a probe for a real server, remove and re-add the fail-on-all command for the real server.

CSCtr79276— The ACE does not work properly in one-arm mode with SIP and TCP when source NAT is enabled. SIP registrations and calls may fail depending on whether SIP Inspect is enabled. Workaround: None.

CSCtr80967—With SIP traffic running for a long period of time (for example, overnight) with a heavy volume of traffic, the ACE may encounter one or two proxy mapping entries become unavailable. For example:

switch/Admin# sh np 1 me-stats "-s lb" | inc Mapping
Free Proxy Mapping:                           32767             0
Alloc Proxy Mapping:                       29612485             0
Alloc Proxy Mapping Failed:                       0             0
Release Proxy Mapping:                     29612484             0
switch/Admin# sh np 2 me-stats "-s lb" | inc Mapping
Free Proxy Mapping:                           32768             0
Alloc Proxy Mapping:                       33107573             0
Alloc Proxy Mapping Failed:                       0             0
Release Proxy Mapping:                     33107573             0
switch/Admin# sh np 3 me-stats "-s lb" | inc Mapping
Free Proxy Mapping:                           32766             0
Alloc Proxy Mapping:                       50967736             0
Alloc Proxy Mapping Failed:                       0             0
Release Proxy Mapping:                     50967734             0
switch/Admin# sh np 4 me-stats "-s lb" | inc Mapping
Free Proxy Mapping:                           32766             0
Alloc Proxy Mapping:                       52207388             0
Alloc Proxy Mapping Failed:                       0             0
Release Proxy Mapping:                     52207386             0
 
   
switch/Admin# sh np 1 me-stats "-D"
0 entries open.
 
   

Workaround: None.

CSCtr81263—With high point-to-multipoint traffic, the ACE may ignore the specified connection limit specified by the conn-limit max command. In this case, you may observe a few connections being received over the configured connection limit. Workaround: None.

CSCts25057—Connections to a real server may not be purged with the failaction-purge command, and the real server enters a return code failed state. Workaround: None.

CSCts42706—When performing IPv6 processing, you may find that Bridge Protocol Data Units (BPDUs) are dropped by the ACE and do not get bridged. Workaround: Perform one of the following actions to resolve this issue:

Configure an IPv4 address.

Remove and then add the ipv6 enable command under the interface to enable IPv6 processing on the interface.

CSCts56552In a P2MP scenario, there are multiple SIP connections between a client and server, and the connection is terminated with BYE. In this case, the BYE should clean the entries for the connection in the ACE, or the table will get full and a RESET would be issued to close the SIP session. Workaround: None.

CSCts60292—After enabling SYN-cookie-based DoS protection for an interface, when the SYN-cookie limit is reached and when a post request is sent, the request fails. In this case, the first segment reaches the server and subsequent segments get lost. Workaround: None.

CSCts09006—Under normal operations with SNMP, the ACE unexpectedly reloads and generates a core file. Workaround: None.

CSCtt23176—You are using an ICMP probe attached to a transparent server farm, and the probe stops sending an ICMP echo request after about 12 hours of continuos operation. Workaround: Use a UDP or TCP probe.

CSCtt33804—During modification of an access control list (ACL) within a context, an ACL merge error may be reported on one or more of the interfaces where the ACL list is applied, leaving the interface in an inconsistent state. When this issue occurs the following system message appears:

%ACE-1-106028: WARNING: ACL Merge failed to locate specified ACL in context 10049. 
Error while processing service-policy. Incomplete rule is currently applied on 
interface vlan200. Configuration on this interface needs to be manually reverted
 
   

Workaround: Perform one of the following actions:

Remove the offending lines one at a time from the ACL until the ACL can be successfully applied.

Reload the ACE.

CSCtu18281—The restore process may fail if the Admin context in the backup configuration has TACACS authorization and the configuration is associated with a domain (add-object command). When this issue occurs, the restore process fails and the non-Admin contexts are not imported. However, for the Admin context, the configurations are properly applied. Workaround: Remove "domain TACACS" from the backup configuration and perform the restore.

CSCtu33484—When setting the idle timeout on the ACE, an extra second is added for every minute of idle time. When this issue occurs, the connection disappears from the statistics on the configured time. The reset is not sent until the idle time plus the extra time expires. Workaround: None.

CSCtw58766With SIP load balancing configured without Layer 7 SIP inspection, when the client sends a SIP INVITE message as two segments, the second packet is dropped by the ACE. This issue can also occur when two consecutive SIP calls make it through the same control connection and the INVITE message is segmented so that only the body is contained in the second segment. Workaround: Configure a Layer 7 SIP inspection policy.

CSCtw79419—An error occurs when you attempt to delete a server farm, and the ACE prevents you from performing the deletion. This behavior can occur when the ACE configuration manager still associates the server farm with a load balancing policy. For example:

ACE/1(config)# no serverfarm host 2081bancaPR
Error: serverfarm 'SERVERFARM_X' is in use. Cannot delete! 
 
   

Workaround: Reboot the ACE.

CSCtu80983—With a Layer 7 load balancing policy that includes the default class map and HTTP persistence rebalance enabled, when a client sends multiple get requests on the same connection, the hit count in the show service policy details command output fails to increment for every GET request. Workaround: None.

CSCtw81056When performing Layer 7 load balancing with TCP server connection reuse enabled, you may find that intermittent client connections are reset. Traces show a Reset from the backend server occurring immediately after the ACE forwards the client's GET request on the backend. The ACE attempts to reuse a connection on the backend server that was closed on the server. Prior to this failure, the server attempted to close an inactive backend connection, but the ACE ignored and dropped the Fin Ack packets received from the server. Workaround: Reboot the ACE.

CSCtx03563—If the ACE has been operating for approximately 150 days, you may find that it may produce huge httpd logs over time when you use the XML interface. This behavior causes the file system to become full and the following messages may appear: "write error: No space left on device." If ACE reloads when in this state, and you save the configuration on reload when prompted, this action will cause the ACE to wipe all configurations. Workaround: Perform the following actions:

Do not save the configuration when prompted on reload.

If necessary, contact Cisco TAC to provide a workaround script.

CSCtx12159—The ACE becomes unresponsive and reboots, with the last reboot reason of "CP kernel crash." Workaround: None.

Software Version A5(1.2) Command Changes

Table 4 lists the command changes in software version A5(1.2).

Table 4 CLI Command Changes in Version A5(1.2) 

Mode
Command and Syntax
Description

Exec

show connections

Per CSCtr93395, when you configure the UDP booster feature using the udp command, it displays a hash value for the client address for the udp ip-source-hash and udp ip-destination-hash configuration in the show connections command output (IPv6 and IPv4 output).

show service-policy

Per CSCtn73488,the show service-policy command now includes the conns per second field that displays the connections per second at the virtual server level when you configure more than one VIP under a class map. When you configure one VIP under a class map, the connections per second field is at the VIP level.

show service-policy, show server-farm

Per CSCtu21857, a new real server state, DWS-LOCAL-DOWN, has been added to software version A5(1.2) for the dynamic workload scaling (DWS) local feature. This state informs you that a real server is unavailable for load balancing because its locality is remote in a server farm configured for dws local.

For example, the show serverfarm command displays the DWS-LOCAL-DOWN state as follows:

Admin(config-sfarm-host)# do show serverfarm sf1
 
    Codes: L - local,   R - remote
 
  serverfarm     : sf1, type: HOST
  total rservers : 3
  state          : ACTIVE
  DWS state      : ENABLED_LOCAL_LB
---------------------------
                                                              
-                 --------connections-----------
 real       weight state  current     total   failures 
--+------+------------+----------+----------+---------
rserver: pod7-vm1
  20.1.1.10:0  8 ARP_FAILED [L]0        0        0
rserver: pod7-vm2
  20.1.1.11:0  8 OPERATIONAL [L]0       0        0
rserver: pod8-vm1
  20.1.1.20:0  8  DWS-LOCAL-DOWN[R] 0   0        0
 
        

For background details on DWS, see Chapter 5, Configuring Dynamic Workload Scaling, in the Server Load-Balancing Guide, Cisco ACE Application Control Engine.

 

show service-policy policy-name class-map detail

Per CSCtu23679, the show service-policy policy-name class-map detail command output includes the Total Logged field under the Layer 7 policy statistic so that the output will be similar to that of Layer 4 policy statistics. For example:

L4 policy stats:
  Total Req/Resp: 0, Total Allowed: 0
  Total Dropped: 0, Total Logged: 0
L7 Inspect policy : inspect_http
   class/match : http_insp
   Inspect action:
      permit
   L7 policy stats:
   Total Inspected: 0, Total Matched: 0
   Total Dropped OnError: 0, Total Logged: 0
   Parameter-map(s):
     ECOM_HTTP_PARAM

FT Group

ft group group_id

Per CSCts67210, the ACE appliance now supports a maximum of 255 FT groups.


Software Version A5(1.2) System Log Messages

Software version A5(1.2) includes the following new system log (syslog) messages and syslog identifier changes.

251015

Error Message    %ACE-3-251015: Scripted probe failed for server IPv4/IPv6 address, 
error message.

Explanation    Per CSCtn25383, the following Level-3 syslog shown above has been added to identify a scripted probe failure. This system log appears when the configured real server failed its health checks because the associated server response is not as expected or there was an internal error. The possible values of the error message variable are as follows:

Probe error: Server did not respond as expected

Internal error: Fork failed for TCL script

Internal error: Script probe terminated due to timeout

Internal error: TCL interpreter PANIC

Internal error: Script error

Internal error: Script-file lookup failed or empty buffer

Internal error: Failed to allocate memory for tcl workerthread qnode

Internal error: Unknown script error

Internal error: Out of sockets for the TCL script

Internal error: Unable to read persistent variable table

Internal error: PData (probe data) pointer is null

For example:

%ACE-3-251015: Scripted probe failed for server 25.25.25.83, Internal error: Script 
error
 
   
%ACE-3-251015: Scripted probe failed for server 2021:200::21c:23ff:fee3:a42, Probe 
error: Server did not respond as expected
 
   

Recommended Action    Perform one of the following actions:

Check the service running on the server.

Check the script used for the probe.

Check the memory available for TCL scripts.

251021

Error Message    %ACE-4-251021: Health Monitoring connection info invalid, socket:xxxx, 
socket_state:yyyy, connection_state:zzzz 

Explanation    Per CSCto94539, the corruption of health monitoring socket connection information is flagged by this Level 4 syslog. The error message variables are as follows:

socket:xxxx displays a negative value.

socket_state:yyyy, connection_state:zzzz displays invalid (mostly large) positive or negative values.

For example:

%ACE-4-251021: Health Monitor connection info invalid, socket: 44, socket_state: 1853121902, connection_state: 9

%ACE-4-251021: Health Monitor connection info invalid, socket: -1428151032, socket_state: 3, connection_state: 9

Recommended Action    Check whether health monitoring is functioning properly on the ACE. If there appears to be issues with health monitoring, contact TAC for further troubleshooting.

322006

Error Message    %ACE-3-322006: All xinetd services denied except telnet: Avaliable CP 
memory(HighMem) reached below 5 percent threshold.

Explanation    Per CSCtu33882, SSH connections may be rejected due to low memory in the ACE. This issue can occur when the available control plane (CP) high memory goes below the five percent threshold.

Recommended Action    Check for memory resources by using the show system kmem command. The HighFree field in the show system kmem command output should be less than 5 percent of the HighTotal value, as shown in the example below. If an SSH connection is causing this low memory condition, use Telnet to establish a remote connection to the ACE. If this problem persists, contact TAC for further troubleshooting.

ACE/Admin# show system kmem
MemTotal:      6097528 kB
MemFree:        631164 kB
Buffers:         26000 kB
Cached:        1211600 kB
SwapCached:          0 kB
Active:        4762776 kB
Inactive:       410232 kB
HighTotal:     5373888 kB
HighFree:       220416 kB   <<<<<<<<<<<<<<<<  <5% of HighTotal value
LowTotal:       723640 kB
LowFree:        410748 kB
SwapTotal:           0 kB
SwapFree:            0 kB
Dirty:              40 kB
Writeback:           0 kB
Mapped:        4021076 kB
Slab:           211924 kB
CommitLimit:   3048764 kB
Committed_AS: 49686232 kB
PageTables:      51480 kB
VmallocTotal:   114680 kB
VmallocUsed:     69020 kB
VmallocChunk:    45560 kB
 
   

Software Version A5(1.1) Resolved Caveats, Open Caveats, Command Changes, and System Log Messages

This release note includes resolved and open caveats that have a severity level of Sev1, Sev2, and customer-use Sev 3. The following sections contain the resolved and open caveats in software version A5(1.1):

Software Version A5(1.1) Resolved Caveats

Software Version A5(1.1) Open Caveats

Software Version A5(1.1) Command Changes

Software Version A5(1.1) System Log Messages


Note Some caveats may have more than one number. A number in parentheses is a caveat number that was associated with the previous software release that now has another number for A4(2.0) and later releases.


Software Version A5(1.1) Resolved Caveats

The following resolved caveats apply to software version A5(1.1):

CSCth90592—When you configure static NAT port redirection, the ACE does not apply the configuration and displays the following error message:

Error: A static ip and source port must be provided in ACL for static port redirection
 
   

Workaround: Configure a source port in the ACL for static port redirection.

CSCtj65408—When you configure an ECHO TCP or UDP probe with send-data value, the probe passes even when the server sends a regex that does not match the send-data value. Workaround: You can use a TCP or UDP probe with send-data and regex values as required instead of an ECHO TCP or UDP probe.

CSCtk00432—The ACE appliance Device Manager (DM) GUI allows a user to log-in and view or edit ACE configurations even after the expiry date.

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.0/3.3:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:P/I:N/A:N/E:F/RL:OF/RC:C

CVE ID CVE-2011-0956 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

CSCtk84003—When you set the window scale to ALLOW by configuring the tcp-option window-scale allow command in a parameter map, the window size calculation for the Layer 4 flows does not occur. Because the ACE calculates the window size without taking the window scale into account for Layer 4 flows, the ACE may drop some packets that are legal. Layer 7 flows are not affected. Workaround: Remove the tcp-option window-scale allow command from the parameter map configuration.

CSCtl53644—When you configure access lists on the ACE, and if there is an ACL merge error on the internal VLAN4095, you cannot display the error counters through the show vlan number command because the user-configured VLAN number ends at 4094. Workaround: None.

CSCtn93288—When redundant ACEs generate SIP probes with the same Call-ID and From-Tag options, the SIP registrar servers interpret these probe messages as duplicates and do not reply to them causing SIP health probes to fail. Workaround: None.

CSCto34856—When you configure Layer 7 load-balancing or HTTPS termination with sticky and redundancy on the ACE, HTTP/HTTPS Post requests with large headers that span multiple packets can cause packets to be sent to the backend servers out of order. This behavior can cause the server to drop the request to or to send a failure return-code. Workaround: Remove sticky from the server farm.

CSCto68956—With the ACE configured for sticky and multiple sticky groups, and the sticky database is almost full, the ACE can unexpectedly reboot and generate a core file. When this behavior occurs, the core file points to the Load Balancing (LB) process thread where a new sticky entry is trying to be obtained. Workaround: None.

CSCts41981—On rare conditions, after the ACE bootup sequence completes, default license limits are displayed instead of the installed license limits. In this case, if you specify the show resource usage all and show license status commands, the show resource usage all output displays default license values that differ from those displayed in the show license status command output. Workaround: Restart the ACE.

CSCts56112—If you have dynamic workload scaling (DWS) configured in the ACE, ACE connectivity with the Cisco Nexus 7000 series switch may be lost. When this happens, SSH connection to the Cisco Nexus 7000 series switch from the ACE reports an "authentication failure" error. Workaround: Perform the following actions:

On the newly active Cisco Nexus 7000 series switch, assign a new management IP address.

On the ACE, update the IP address of the Nexus 7000 management interface for the local Nexus device on the ACE to the newly assigned IP address.

CSCts76353—In some cases, you may find that real servers frequently reach the INBAND-FAIL state. This issue occurs because the reset interval in the inband health monitoring function is working in seconds instead of milliseconds, which causes the error interval detection to be longer and increases the chance of hitting the INBAND-FAIL state. There are no issues with the other associated real server timers (such as reset, resume-service, and so on); they all appear to be working properly. Workaround: None.

CSCts79885—In a redundant configuration, persistent connections do not properly flow through the ACE after first switchover occurs; only the first request in the persistent connections gets serviced, and the client waits indefinitely for a response to the second request. Workaround: None.

CSCtt08368—You specify the show tech-support details command and the resulting size of the output file on the ACE is extremely large. In some cases, the resulting show tech-support output file can become so large that the ACE can run out of disk space. Workaround: Individually specify the show command output using the individual keywords of the show tech-support command. Each command output is separated by the line and the command that precedes the output.

Software Version A5(1.1) Open Caveats

The following open caveats apply to software version A5(1.1):

CSCtd42287—When the ACE is running with the maximum limit of 8K static entries and you remove a service policy from an interface and quickly readd it, the ACE removes the statements from the NAT policies. Workaround: Provide ample time between removing a service policy from an interface and then readding it.

CSCte76618—When traffic traverses the ACE with the same source and destination port and dynamic NAT for that traffic is enabled, the ACE performs an implicit PAT. This behavior interrupts some sessions. This problem does not occur when NAT is not involved. Workaround: If possible, disable dynamic NAT.

CSCtf54230—When Layer 2 connected real servers are in the arp-failed state and probes are attached to all of them or the ACE is running a high rate of traffic that generates many mac-miss IPCP messages, FT may appear to fail after several hours. Workaround: Remove the real servers in the arp_failed state or make sure that most of the real servers are UP.

CSCtg67860—When you configure multiple track probes in two user contexts and enter the show cfgmgr internal table track-probe command, the ACE becomes unresponsive due to a Cfgmgr process failure. Workaround: None.

CSCtg87855—After you change the configuration in a large ACE configuration and enter show commands, the CLI becomes unresponsive for a period of time. In this case, the show processes cpu | include cfgmgr command displays one of the configuration manager (cfgmgr) processes consuming CPU resources. After you apply the configuration change, the cfgmgr CPU usage goes to zero, and the CLI becomes unresponsive. Workaround: Wait until the cfgmgr completes its previous operation before entering the show command.

CSCth04993—When you configure an ACE interface with single NAT IP address in the NAT pool and the ACE receives SIP UDP traffic, it resets subsequent SIP TCP traffic. Workaround: Perform either of the following:

Perform a checkpoint rollback to a non-SIP configuration and then to the existing configuration.

Increase the number of IP addresses in the NAT pool.

CSCth07709—When performing the snmpwalk or snmpbulkwalk command for any object on the ACE, occasionally the ACE displays an Unknown user name error. The frequency of this occurrence can increase by having three contexts on the ACE. Workaround: None.

CSCth24647—When the FT interface VLAN number is lower than the other interface numbers and these interfaces require the downloading of large configurations, an API timed out error occurs when applying the startup configuration. Workaround: Enter the no ft auto-sync running-config command and then enter the ft auto-sync running-config command.

CSCth55362—When the ACE performs a configuration rollback, existing classes in a policy are not reordered according to the new configuration. The running configuration has a policy that contains several classes. The checkpoint contains that policy with some or all the classes in a different order. After performing the rollback, the order of the classes stays as it was in the running configuration. Workaround: Perform either of the following:

Remove the policy that was changed during the rollback and then perform the rollback.

If there are many similar policies in the configuration, perform a rollback to an empty configuration and then rollback to the desired configuration.

CSCth74700—Connectivity to the real server may be lost when you configure the following:

A client and server side VLAN on the ACE

A real server and ensure that it is Layer 2 reachable

A static route with a /32 mask to reach the real server through another interface

Workaround: Remove and reconfigure the real server.

CSCti28255—When a real server state transitions to UP from a probe-failed or ARP-failed state, the ACE generates the CISCO-ENHANCED-SLB-MIB:cesRserverStateUp trap. However, if the real server goes down due to a probe-failed or ARP-failed state, the ACE generates the CISCO-ENHANCED-SLB-MIB:cesRserverStateChange trap. Workaround: None.

CSCti68449—The show xlate command displays thousands of entries. However, the show resource usage command displays zero peak and zero current. Workaround: Reboot the ACE.

CSCtj00826—If the ACE is running a large number of HTTP or HTTPS probes when probing a file approximately a megabyte in size, the ACE reboots. The following message may precede the reboot:

System running low on direct mapped memory 
Please issue 'show system kcache' to diagnose further
 
   

Workaround: Reduce the size of the file being probed when running a large number of probes on the ACE.

CSCtj12692—You configure the ACE with 4000 sticky groups and do not allocate a sticky resource class. The sticky resource values are the default: minimum of 0 and a maximum of unlimited. When the sticky database has 800,000 entries, you create a sticky resource class to a minimum value equal to 20 percent and apply it to the context. After a few minutes the ACE becomes unresponsive and reboots. Workaround: Do not change the resource class when you configure a large number of sticky groups and the database is full with active entries.

CSCtj60979—The ACE suddenly reloads with the reason identified as "me-dumper crash." In rare cases, the show np 1 me-stats command causes the me-dumper crash. Workaround: None.

CSCtl45638—When you configure usernames with the ACE default roles, a user with the Network-Monitor role does not have access to some commands. Workaround: Assign the user with the admin role.

CSCtl56689—Log-in to the ACE appliance Device Manager fails when a TACACS server is set up with a network filter for client IP address(es). Workaround: Remove the TACACS filter running on the network.

CSCtl68891—When you configure a real server on the ACE, assign it an IP address, place it in service, and then delete it, the ACE generates an unnecessary trap. When the real server state changes from ARP-FAILED to operational, the ACE generates the CesRServerStateUp trap. Workaround: None.

CSCto46159 (CSCtg96456)—When you configure the maximum number of the VIP statements in a single class map of 254 and then delete one of the VIP statements, the ACE cannot add a match VIP address in a single class map and displays the following message:

Error: Exceeded maximum match item limit for the class-map 
 
   

Workaround: Remove the class map and the reconfigure it again with all of the VIP addresses.

CSCto76442—When you configure a new IPv6 duplicate address attempt for an interface through the ipv6 nd dad-attempts command, you may find that the value does not take effect. Workaround: Specify a shut/no shut command sequence on the interface to reenable the interface. We recommend that prior to specifying a shut/no shut command sequence that you keep track of the current traffic movement on the interface.

CSCtr56096—You may observe that the sticky-conns counter in the show serverfarm detail command output displays a nonzero value when there are no current connections. The sticky-conns counter displays the number of active connections when using sticky and gets updated when there are one or more active (current) connections. Workaround: None.

CSCtr58692—You may find that configuring the fail-on-all command, followed by a probe, for a real server does not function properly. Workaround: After adding or removing a probe for a real server, remove and re-add the fail-on-all command for the real server.

CSCtr70477—You may observe that the show service policy detail command output includes invalid values for the Hit Count or Dropped Conns counters under the class-default class map. This behavior can occur with a large number of client source entries and when you add and remove the class-default class map several times in a policy map. Workaround: None.

CSCtr80967—With SIP traffic running for a long period of time (for example, overnight) with a heavy volume of traffic, the ACE may encounter one or two proxy mapping entries become unavailable. For example:

switch/Admin# sh np 1 me-stats "-s lb" | inc Mapping
Free Proxy Mapping:                           32767             0
Alloc Proxy Mapping:                       29612485             0
Alloc Proxy Mapping Failed:                       0             0
Release Proxy Mapping:                     29612484             0
switch/Admin# sh np 2 me-stats "-s lb" | inc Mapping
Free Proxy Mapping:                           32768             0
Alloc Proxy Mapping:                       33107573             0
Alloc Proxy Mapping Failed:                       0             0
Release Proxy Mapping:                     33107573             0
switch/Admin# sh np 3 me-stats "-s lb" | inc Mapping
Free Proxy Mapping:                           32766             0
Alloc Proxy Mapping:                       50967736             0
Alloc Proxy Mapping Failed:                       0             0
Release Proxy Mapping:                     50967734             0
switch/Admin# sh np 4 me-stats "-s lb" | inc Mapping
Free Proxy Mapping:                           32766             0
Alloc Proxy Mapping:                       52207388             0
Alloc Proxy Mapping Failed:                       0             0
Release Proxy Mapping:                     52207386             0
 
   
switch/Admin# sh np 1 me-stats "-D"
0 entries open.
 
   

Workaround: None.

CSCtr81263—With high point-to-multipoint traffic, the ACE may ignore the specified connection limit specified by the conn-limit max command. In this case, you may observe a few connections being received over the configured connection limit. Workaround: None.

CSCtr95088—You may find that ND entries are not refreshed for learned entries at the configured ND interval. Workaround: None.

CSCtr96229—When you remove a resource class that is associated with a specific context, in some cases the ACE may reboot. This issue is related to the number of contexts in the ACE, when the ACE configured with several contexts and a resource class, which is associated with one of the contexts, requires a sticky limit. When the ACE LB module attempts to remove the sticky entries from the free list, it first determines if there is a starving context that is waiting for resources by walking through a link list of contexts, which consumes ACE CPU time. This behavior does not occur if the resource class does not include any limits for sticky.

Workaround: We recommend that you do not change the resource class when there is a large number of contexts or sticky groups configured in the ACE, or that you gradually change the limit in the resource class if you have configured a sticky limit.

CSCts09817—In an ACE HA configuration, with an FT setup with a large configuration, when you attempt to make a configuration change, you may find that MTS buffers can leak on both the active and standby ACEs. Workaround: Do not make any changes when you have large configurations.

CSCts14335—In a redundant configuration, specification of the np session disable debug command puts the active ACE into the STANDBY_COLD state. Workaround: This debug command is intended only for internal debugging. Do not use the np session disable debug command.

CSCts19247—When using the ACE appliance Device Manager GUI, if you create a class map condition from the ACE CLI that includes a space in an HTTP URL, that class map will not appear in the DM GUI. Workaround: Use the ACE appliance DM GUI if you need to create a class map condition that includes a space in an HTTP URL match.

CSCts20690— The Internet Message Access Protocol (IMAP) probe may fail with certain IMAP servers, and the ACE displays the failure reason as "Authentication failed." In this case, the IMAP servers are configured with the name of the mailbox from which the probe retrieves e-mail through the credentials mailbox command. This behavior is typically encountered with SurgeMail IMAP servers, and occurs only if the IMAP server responds with multiple packets on the SELECT INBOX. Workaround: Perform one of the following actions:

Do not use the credentials mailbox command.

Use the IMAP TCL scripted probe.

CSCts24977—The service name:snmpd(1395) terminates upon receiving signal 8. This issue can occur when polling the ACE CPU utility MIB in a loop; the snmpd process can become unresponsive and cause the ACE to reload. For this particular issue, the OID polled was .1.3.6.1.4.1.9.9.480.1.1.7.1. Workaround: Do not poll the ACE CPU utility MIB continuously in a loop.

CSCts25057—Connections to a real server may not be purged with the failaction-purge command, and the real server enters a return code failed state. Workaround: None.

CSCts29208—With one or more sticky groups and failaction reassign configured under one of the server farms, the ACE may experience the load balance issue while incrementing real server connection counts. Workaround: When this behavior occurs, do not configure the failaction reassign command with the server farm.

CSCts42706—When performing IPv6 processing, you may find that Bridge Protocol Data Units (BPDUs) are dropped by the ACE and do not get bridged. Workaround: Perform one of the following actions to resolve this issue:

Configure an IPv4 address.

Remove and then add the ipv6 enable command under the interface to enable IPv6 processing on the interface.

CSCts53405—After forwarding the real server's first response packet to the client, the ACE waits for the client to send an ACK to the first response packet before forwarding subsequent server response packets. Workaround: Use the set tcp wan-optimization rtt command to allow you to control how the ACE applies TCP optimizations to packets on a connection associated with a Layer 7 policy map.

CSCts58029—In a redundant configuration, if a context has "priority" as part of its name, this causes the Admin context to go to STANDBY COLD state. The issue is encountered only during a bulk synchronization. Workaround: Delete any context that includes "priority" in its name and rebuild it with a new name.

CSCts60292—After enabling SYN-cookie-based DoS protection for an interface, when the SYN-cookie limit is reached and when a post request is sent, the request fails. In this case, the first segment reaches the server and subsequent segments get lost. Workaround: None.

CSCts64847—The ACE appliance allows only the Admin user to use the show environment temperature command. Another user with an admin role is unable to specify this command and the ACE returns the following error:

ACE_Appliance/Admin# show environment temperature
Could not open device at /dev/ipmidev or /dev/ipmi/0 or /dev/ipmidev/0: 
Not a directory
Get Device ID command failed
Unable to open SDR for reading
 
   

Workaround: Use the default Admin user to run the show environment temperature command.

CSCts67210—In a redundant configuration, the ACE appliance allows only FT group numbers 1 to 63 to be configured; however, the ACE module supports FT group numbers 1 to 255. Workaround: None.

CSCts68281—When using a custom configured HTTPS health probe on the ACE, you may encounter the following error message:

%ACE-3-400001: MSS mismatch from 10.0.5.193:443 (1380) to 127.1.2.34:64571 (1460) on 
interface vlan40
 
   

Workaround: The only thing that will stop the errors is to un-apply the Remove the custom HTTPS probe from the server farm to stop the error condition.

CSCts69941—With a large configuration containing a large number of contexts, interfaces, and ACLs (including a merge of individual ACLs into one large ACL), the ACE can become unresponsive 10 to 15 minutes after booting. Workaround: Specify the show np 1 access-list resource command after you boot the ACE. Confirm if the Leaf Parameter nodes exceeds 400K and the policy action nodes exceeds 200K (recommended values are 200K and 100K, respectively). If one of these nodes exceeds the specified value, remove the merged ACLs and associated contexts until this threshold is not exceeded in the show np 1 access-list resource command output.

CSCts79939—The following rewrite configuration does not successfully rewrite any instances of "http" under some scenarios:

action-list type modify http REWRITE
  header rewrite response Location header-value "(.*)http(.*)" replace "%1https%2"
 
   

While parsing the Location header, the ACE stops parsing after encountering any instance of the first letter in the match string ("h"). At that point, the ACE does not complete the match or perform the rewrite. Workaround: None.

CSCts98720—In an application where the ACE is performing firewall load-balancing with two server farms (where one server farm is for user traffic and the one is for BGP traffic sent to the firewalls), when performing a failaction reassign and then undoing the failaction, the ACE incorrectly moves a user connection to the BGP dedicated server farm. Workaround: None.

CSCtt02508—An end-to-end SSL TCP connection encounters issues while uploading a large (approximately 4.5 GB) file through an ACE VIP that is configured for end-to-end SSL. Simultaneous front and back-end traces show that the ACE brings the TCP window to zero on the client side but does not send any further data toward the server on the back-end side even though the last TCP window update from the server is 65K. The upload stops and never resumes after that. Note that this issue is not seen with a Layer 4 server load-balancing VIP configuration. Workaround: None.

CSCtt24046—When the ACE performs multiple simultaneous SNMP requests on the cpmProcessTable, this may result in an SNMP timeout. Workaround: Perform only sequential SNMP requests on Cisco Process MIB.

CSCtt33804—During modification of an access control list (ACL) within a context, an ACL merge error may be reported on one or more of the interfaces where the ACL list is applied, leaving the interface in an inconsistent state. When this issue occurs the following system message appears:

%ACE-1-106028: WARNING: ACL Merge failed to locate specified ACL in context 10049. 
Error while processing service-policy. Incomplete rule is currently applied on 
interface vlan200. Configuration on this interface needs to be manually reverted
 
   

Workaround: Perform one of the following actions:

Remove the offending lines one at a time from the ACL until the ACL can be successfully applied.

Reload the ACE.

CSCtt47587—HTTPS probes fail only for IIS servers with client certificates mode "Accept client certificates." In this case, IIS servers with "ignore client certificates" are not impacted.

Workaround: Perform one of the following actions:

Configure the IIS server to "ignore client certificates."

Configure a TCP probe instead of an HTTPS probe.

CSCtu03063—The ACE appliance may encounter leaking 64k buffers on the NP which, when it reaches above 75%, stops passing traffic. This behavior occurs whenever a UDP port 69 probe succeeds. Note that when the probe fails, the buffer does not leak.

Included below is an example of the show np buffer usage command:

ACE/Admin# show np 1 buffer usage
Total Internal Buffer    : 155648
Internal Buffer Used     : 145139
Percentage of Buffer Used: 93.25%
Automatic reload         : disabled
 
   

And here is the associated system message that appears when this condition occurs:

 
   
ACE %ACE-3-443004:Available NP 1 buffer reached below 12 percent threshold, Total 
buffer:155648, Available Buffer:11694
 
   

Workaround: To set threshold levels for the NP buffers in the active and the standby ACEs and cause the active ACE to reboot if the thresholds are reached or exceeded, use the buffer threshold command.

CSCtu01626—The HTTP probe with a regex search string fails when the HTTP header is split into two packets. When this issue occurs, HTTP probes pass and fail intermittently. Workaround: The server needs to send the entire header in one receive packet and not split the header into two packets.

Software Version A5(1.1) Command Changes

Table 5 lists the command changes in software version A5(1.1).

Table 5 CLI Command Changes in Version A5(1.1) 

Mode
Command and Syntax
Description

Exec

show interface vlan number

Per CSCtl53644, this command now accepts the range from 1 to 4095 to display the internal VLAN information. Previously, the range was 2 to 4094.

show probe detail

Per CSCtj65408, the show probe detail command now displays the following error message in the Last disconnect err field when the server sends a regex that does not match the configured send-data value for an echo TCP or UDP probe:

Server response not matching with user configured 
send-data
 
        

Previously, echo probes always passed including when the server sends a regex that does not match the configured send data value.


Software Version A5(1.1) System Log Messages

Software version A5(1.1) includes following new system log (syslog) messages.

251010

Error Message    %ACE-3-251010: Health probe failed for server address on port number, 
Server response not matching with configured echo probe send-data

Per CSCtj65408, when you configure an echo TCP or UDP probe on the ACE and the server sends a regex that does not match the configured send-data value, the probe fails and the ACE generates this syslog message.

Also the show probe detail command (Table 5) displays the following error message in the Last disconnect err field:

Server response not matching with user configured send-data
 
   

Previously, echo probes always passed including when the server sends a regex that does not match the configured send-data value.

Software Version A5(1.0) Resolved Caveats and Open Caveats

This release note includes resolved and open caveats that have a severity level of Sev1, Sev2, and customer-use Sev 3. The following sections contain the resolved and open caveats, command changes, and revised system messages in software version A5(1.0):

Software Version A5(1.0) Resolved Caveats

Software Version A5(1.0) Open Caveats


Note Some caveats may have more than one number. A number in parentheses is a caveat number that was associated with the previous software release that now has another number for A4(2.0) and later releases.


Software Version A5(1.0) Resolved Caveats

The following resolved caveats apply to software version A5(1.0):

CSCsr55832—When you enable logging console 6 or 7 on the ACE and approximately 200 messages per second flood the console, the show run command becomes unresponsive. Workaround: Do not turn on logging console 6 when traffic through the ACE exceeds 100 cps. The ACE recovers in less than 10 minutes.

CSCsu55909 (CSCto45906)—In a redundant configuration, when you configure the ACE with 20 contexts, apply it to the active ACE, and then bring up the standby ACE with the configuration, the active ACE transitions into the Cold state with the following error:

Error on Standby device when applying configuration file replicated from active 
 
   

Workaround: First bring up the active and standby ACEs individually and then enable redundancy.

CSCta87584 (CSCto45952)—Connections may get dropped intermittently when you use persistence rebalance in a configuration and a rebalance is performed across traffic policies. This behavior typically occurs in a configuration with two different server farms that both contain the same real server with different ports, and the server farms are attached to two different Layer 7 load-balancing policy maps. Workaround: None.

CSCte96191 (CSCti74189)—On a rare occasion, the route manager becomes unresponsive on the standby ACE when you attempt configuration changes similar to the following on the active ACE:

Remove a service policy from local to global and global to local.

Remove or add VIPs in a Layer 3 class map which traffic is hitting.

Perform a checkpoint rollback.

Workaround: None.

CSCtg17350—When you configure the Acceleration and Optimization features on the ACE, the integrated packet capture utility may not capture traffic from all interfaces, even when you configure the capture to capture from all interfaces. Workaround: None.

CSCtg53126—When you attempt to delete a server farm with the no serverfarm host command, the ACE displays the following error message:

Error: serverfarm `serverfarm_name' is in use. Cannot delete! 
 
   

The configuration manager thinks the server farm is still applied to the load-balance policy. Workaround: None.

CSCtg87927 (CSCtf42007)—When you apply a real server to multiple server farms and the server recovers from a probe failure, it does not receive any new connections on any of the server farms. The show probe and show serverfarm commands indicate the real server is operational but does not have any current connections. Workaround: Remove the real server from service. Then, place it in service.

CSCth07619—When you apply or modify ACLs or object groups to an ACE that has operated for a long time and undergone many ACL configuration changes, issues in the ACL object group expansion during the configuration download may cause an unexpected traffic drop. The show interface command displays a nonzero download failure counter, similar to the following:

Access-group download failures: 8
 
   

Workaround: Remove and readd the object group.

CSCth08116—When you configure the expect regex command on HTTP or HTTPS probes with a long regex string and the web page parsed by the probe is longer than 100 KB with the matched string at the bottom of the page, the probes may fail. Workaround: Configure a basic HTTP probe that does not match a regular expression.

CSCth15305 (CSCtg37325)—During normal ACE operating conditions, the configuration manager becomes unresponsive and the ACE generates a core file. Workaround: None.

CSCth26795—When you configure the mac-address autogenerate command with the ip dhcp relay command on an interface, the ACE appliance fails to relay the DHCP request to the configured server and the counters displayed by the dhcp relay statistics command do not increment. Workaround: Remove the mac-address autogenerate command from the interfaces and reboot the ACE.

CSCth39505 (CSCth39502)—The ACE divides the sticky table and cookies between its two IXP network processors (NPs). If a connection on one NP uses a cookie with a hash that resolves to the other NP, the NPs must perform additional inter-IXP messaging to process the cookie. In a default TCP connection configuration, if the server sends 32K or more of data in less than 10 milliseconds (msec), a zero window may result on the backend. Some server TCP stacks may inadvertently introduce a 5-second delay in this situation. The ACE should advertise a nonzero window to the sending server when the buffers are released. Workaround: You can configure the set tcp wan-optimization rtt 0 command to apply TCP optimizations to packets for the life of a connection. However, this command results in increased resource consumption.

CSCth45076—When you configure a static multicast ARP address on the ACE, you cannot ping to the address from the ACE. Workaround: None.

CSCth59247—When you configure long and complex regular expressions in new or existing commands, the ACE does not allow you to make any additional changes and may become unresponsive for a long duration of time. Workaround: Shorten the regular expressions in the commands.

CSCth63553 (CSCth63549)—The standby ACE may have a higher number of connections than the active ACE. Workaround: Configure a shorter connection inactivity timeout.

CSCth64338—If you configure TCP probes with small intervals and set the termination mode as forced, the TCP probe stops firing if the server sends an RST after the TCP handshake. Workaround: Remove and readd the faulty probe from the real server.

CSCth67961 (CSCsy66327)—When you enter the show snmp group command from any context other than the Admin context, it does not display any output. Workaround: None.

CSCth84690 (CSCth78715, CSCti66139)—When you configure a large number of NAT pools and they are in use and receiving traffic, if you change the configuration to a smaller number of NAT pools, the ACE delays the release of the older NAT translation resources. For this issue to occur, the ACE must have active NAT translation objects (xlates) that are in use. The cause of this issue is the queued-up reap messages that prevent the xlate from being reaped. In this case, the configuration rollback reduced 2 K lines of NAT pools to a one-line NAT pool. The ACE generates one reap message per line for each removed NAT pool.

Workaround: To avoid this issue, do either of the following:

During a configuration rollback, if the new configuration deletes a large number of NAT pools in one big pool but still keep the overall dynamic pool, remove the entire dynamic pool and re-add it when required.

Set up a clean checkpoint that has an empty configuration. Perform a rollback to the first configuration and then perform a rollback to the second configuration. In this case, an overall reap message cleans the resource.

Either of the workarounds can prevent large number of reap messages from being produced and queued, which can cause the slow release of system resources.

CSCth90592—When you configure static NAT port redirection, the ACE does not apply the configuration and displays the following error message:

Error: A static ip and source port must be provided in ACL for static port redirection
 
   

Workaround: Configure a source port in the ACL for static port redirection.

CSCti11896—The ACE treats the deny function inside a management policy or class map as a SKIP. The ACE does not deny the traffic. Instead, it skips the class map and tries to match another one. Workaround: None.

CSCti25263—If the same SNMP request identifier is used in previous SNMP GET and GET NEXT requests to the ACE and an SNMP agent is polling the ACE, the ACE may incorrectly respond to the SNMP request. Workaround: Perform the following:

a. Change the SNMP agent to use unique SNMP request identifiers for each SNMP request.

b. Wait at least 10 seconds between SNMP requests that use the same SNMP request identifier.

CSCti40433—When the client sends a SYN on an existing Layer 7 connection, the ACE responds to a TCP SYN with an ACK, and an incorrect ACK sequence number. Workaround: None.

CSCti40456—The ACE does not reset a SYN on an existing L7 connection. The SYN is for an existing L7 connection and the sequence number is within the receive window. Workaround: None.

CSCti66770 (CSCth37401)—When the ACE receives a cookie string that contains many cookies and encounters a space character in the cookie value, it stops processing the cookies. Spaces are not permitted in the cookie name or cookie value. Persistence or stickiness fail. Workaround: None.

CSCti74520—When sending malformed requests, SSHD may become unresponsive. This issue has occurred when running testcase 4738 of the Codenomicon SSHV2 test tool. Workaround: None.

CSCti76678—When you change the default destination port for an HTTP probe, the probe does not append the port to the Host tag in the HTTP request and the ACE receives an HTTP/1.1 404 Not Found error. Workaround: Configure the probe with the header Host header-value command to specify and append the destination port to the host in the HTTP request.

CSCti96864—When you perform dynamic configurations of usernames in multiple contexts and enter the no username name command in a user context, the ACE unexpectedly reboots and generates an SNMP core file. Workaround: None.

CSCtj04935—When the Layer 7 TCP path is overutilized that causes the Timer Freelist Empty to be hit several times, the ACE reboots because of the Timer Freelist corruption. Workaround: Reduce the work load of the Layer 7 TCP path.

CSCtj07489—When you configure a policy map that references another policy map on the ACE, if the checkpoint rollback or restore operation removes these recursively referenced policy maps during context deletion while the operation loads another context, the cfgmgr process may become unresponsive. This is especially risky when all context policy maps are removed which can occur during a restore operation. Workaround: None.

CSCtj30082 (CSCte91850)—When the NPs on the ACE are in a combination of RETCODE-FAILED and INBAND-HM-FAILED state due to a traffic pattern that hashes connections to specific NPs, the show serverfarm name command displays the real servers as OPERATIONAL but they will not process any connections. Workaround: Enter the no inservice command and then enter the inservice command to restore the real server to a working state.

CSCtj45039—When you configure a Session Initiation Protocol (SIP) probe for health monitoring (HM), the ACE may incorrectly display the probe as down due to the ACE using the same Call ID for multiple probe instances to different configured real servers. Workaround: Configure the ACE with a different probe type.

CSCtk53132—An ACE appliance running software version A4(1.0) does not boot properly. When the ACE is running an A3(2.x) software image, it does boot properly and run normally. Workaround: Complete an RMA for the appliance. In this case, the new ACE appliance booted properly.

CSCtl03706—When the ACE performs the snmpwalk command on the cpmProcessTable, the show proc cpu command becomes unresponsive.The output of the show system internal mts buffers command displays an MTS leak. The output of the show system internal mts buffers details command confirms this leak. Also, the MTS sends error messages similar to the following:

mts_do_msg_input() failing since no space available in 91 (src_sap = 91, opc = 1376 
PID = 934) 2
 
   

Workaround: None.

CSCtl53644—When you configure access lists on the ACE and an ACL Merge error occurs on VLAN1 which is an internal VLAN, the show vlannumber command cannot display the error counters because user-configured VLANs start at 2. Workaround: You may be able to use the debug function to display the logs.

CSCtl76773—When you create a real server, class map, policy map, KAL-AP tag, server farm, or context name that includes a space in it, an ACE redundant configuration can become out of synchronization. Workaround: Do not use spaces when naming an object on the ACE.

CSCtl89566—When the ACE is performing Layer 5 load balancing and receives a noncompliant HTTP request, if the request hits a default class and is Layer 4 load balanced, the ACE drops the connection. Workaround: None.

CSCtn11417—On rare occasions, an XML command sent through an XML agent fails with a 500 error. This behavior can occur on an ACE software release prior to A5(1.0). Workaround: Send the XML command in raw (text) mode.

CSCtn40037—The signal handler has been disabled on the network processor cores. As a result, when one core becomes unresponsive, the ACE immediately generates a core file. Typically, an ME dump would detect this and force all other cores to become unresponsive. Because the signal handler is disabled, the other cores do not get stuck and they continue to process their message queues. This behavior may be an issue when debugging customer problems. This situation happens whenever a core becomes unresponsive. Workaround: None.

CSCtn43569—The CPU utilization counter that the ACE obtains from the VMware vCenter Server provides the CPU utilization of a virtual machine (VM) as a percentage of the total ESX/Hypervisor CPU utilization. This process works fine for the default case where a VM is allocated with any number of cores and no resource limits are applied. The ACE receives the correct CPU load values of the VM and the feature works as expected. However, if there are resource limits provisioned to the VM (for example, limiting it to 50 percent of the maximum CPU), the counter value that the ACE receives from the vCenter does not accurately reflect the results. For example, a VM can use the entire 50 percent of the allocated maximum CPU, and so the reported value should be 100 percent as the VM's CPU load. Instead, the reported value is 50 percent, which is the percentage of total available ESX CPU utilization.

When you create a VM, the vCenter provides multiple options for CPU and memory allocation for the VM. As an administrator, you can allocate the number of cores to the VM and limit the CPU utilization of the VM to a portion of the maximum available CPU power (MHz). When you configure this CPU-limiting option on the vCenter, the average CPU usage counter provided by the vCenter is still calculated against the total CPU power for the ESX/ESXi host. The ACE retrieves this counter, but treats it incorrectly as the VM's CPU usage percentage against its own allocated CPU resource limit.

Workaround: When you create a VM with a CPU resource limit that is lower than the maximum limit (MHz), adjust the CPU burst threshold that you configure on the ACE for the DWS feature to compensate for the incorrect value provided by the vCenter. Calculate the new CPU burst threshold to be configured on the ACE by using the following formula:

New burst threshold = expected burst threshold x VM's CPU resource limit (MHz) / VM's maximum resource limit (MHz)

CSCto11586—In an ACE HA configuration, reuse connections may not be deleted on the standby ACE when the active ACE puts them on the reuse list. This behavior results in the reuse connections getting out of synchronization on the standby ACE. Workaround: None.

CSCto34701—NAT translation (Xlate) entry resources may encounter a memory leak as a result of performing a checkpoint rollback. The issue may occur when your current configuration and checkpoint have NAT pools with slightly different yet overlapping IP address ranges. If you attempt to roll back the current running configuration to the previously checkpointed running configuration while there are active connections/NAT xlates, the xlates might leak. This problem could occur when a connection that is associated to an existing reaped xlate is decremented from a new xlate created against the new NAT pool. In this case, the old xlate entry reference counts stay > 0 and the xlates persist forever. Workaround: When changing the NAT pool configuration, delete the pools and wait approximately one minute before configuring a similar pool.

CSCto65861—During normal ACE operating conditions, the ACE fails to reboot or to generate a file when the ha_mgr process in the ACE become unresponsive. Workaround: None.

CSCto83952—The use of the packet capture function to capture packet information may sometimes generate a "Bad Merge ID" error as well as the "ACL merge add acl to list failed" error if you perform an access group deletion during the packet capture. Workaround: Delete an access group when you are not usimg the packet capture function.

CSCto98399—ACE CLI commands may time out with configurations greater than 4000 lines. This behavior may be encountered with configurations that contain greater than 4000 lines while operating under conditions such as triggering a configuration download every 10 seconds, changing real server states, and issuing show commands using scripts in 10-second intervals. Workaround: Depending on the configuration size, specify a larger interval while running scripts.

CSCtq13621—When you change a predictor under a server farm where the fail-on-all function is already configured for a real server, at least one of the real server probes is in the FAILED state and at least one of the real server probes is in the SUCCESS state, the real state moves from OPERATIONAL to PROBE_FAILED. Workaround: After changing the predictor, specify the no fail-on-all command followed by the fail-on-all command for the real server.

CSCtq16302—When small SSL record packets are sent to the ACE, the ACE dataplane may become unresponsive and the ACE reboots. Workaround: Do not send small SSL record packets to the ACE.

CSCtq29919—With the persistence-rebalance strict command configured, when a client comes with a cookie in the first request and the comes without a cookie in the second request a memory leak to the sticky connection count can occur. Workaround: None.

CSCtq30198—In an ACE HA configuration, sticky entries in the ACE standby are not removed after running overnight traffic. In this case, the active ACE does not contain any sticky entries, and the sticky database does not show any connections. Workaround: Reboot the standby ACE.

CSCtq32037—An ACL download may fail as a result of you applying an access group at an interface level while removing the global access group. In this case, the ACE does not have sufficient time to synchronize the global access group deletion and, as a result, connections are dropped. Workaround: Wait for the global access group deletion to synchronize to the ACE, and then add the access group to an interface.

CSCtq36895—You may encounter a situation where the ACE control plane kernel becomes unresponsive, which results in the ACE rebooting. This behavior occurs when you repeatedly perform the addition and deletion of interfaces attached to a bridge using a script in a loop. Workaround: Do not perform a repetitive creation and deletion of interfaces using a script. If possible, manually create the interfaces. If you require the use of a script, add a delay between the addition and deletion of interfaces.

CSCtq52756With reverse IP sticky traffic, sticky entries may remain with an Active connection count even though no connections exist. This behavior results in a memory leak to the sticky connection count. Workaround: None.

CSCtq57849—Deleted port channel information may still appear in the show interface portchannel command output even though this information does not appear in the show running config command output. This behavior can occur when you configure a new port channel with the same number as the previously deleted port channel; in this case, the show command may still display the deleted port channels configuration. Workaround: None.

CSCtq81407—In an ACE HA configuration, in the ACE standby, certain show commands either fail to respond or respond after a long period of time with the error message: "System Busy:Config application in progress." All show commands function properly in the active ACE. Workaround: None.

CSCtr22338—When you enable SSL session ID reuse and header insert, and the client performs a GET or PUT operation on a large page, the ACE dataplane may become unresponsive and the ACE reboots. Workaround: None.

CSCtr26670—When you enable SSL session ID reuse and you make an SSL-related configuration change while passing traffic, the ACE dataplane may become unresponsive and the ACE reboots. Workaround: Avoid making configuration changes when passing traffic through the ACE.

CSCtr32985—With a configuration containing server connection reuse as well a sticky group, after a period of time when traffic has stopped, you may find that the ACE contains sticky entries with no connections in the connection table. In this case, the sticky entries have a timeout equal to 0 and those entries are not removed from the database. Workaround: Clear the sticky database.

CSCtr39117—In an ACE HA configuration, when running HTTP traffic with the no conn-limit and no rate-limit commands configured for real servers in a server farm, in some cases, when an FT switchover happens between the active and standby ACEs, you may encounter an FT flap. When this behavior occurs you may find that all logs, context configurations, and FT configuration are deleted from the ACE. Workaround: None.

CSCtr44410—After modifying the sticky resources that have been assigned to a context, even though you have allocated a specific number of sticky resources to the context, you may find that sticky entries get reused without reaching the maximum number of resources. The global pool is not used in this case, causing the removal of the existing sticky entries. Workaround: None.

CSCtr46599—You may experience an HSRP flap on the ACE if your configuration includes an ACL that allows all traffic on all interfaces along with a configured default route. Workaround: Add an ACL to deny UDP traffic on port 2029.

CSCtr47583—You may find that the ACE reboots when you perform SNMP polling using snmpbulkwalk. This behavior can also be encountered when doing an snmp walk on the following object identifier (OID): ciscoL4L7NpCpuUtilTable. Workaround: Avoid SNMP polling to the above OIDs.

CSCtr58188—You may find that sticky entries remain in the sticky database after timeout expiration and with no active connections.Workaround: None.

CSCtr78693—In some instances, SSL client connections fail to get redirected when you enable either the authentication-failure ignore or authentication-failure redirect commands to instruct the ACE the action to take when encountering a client certificate failure during the setup of the front-end connection in an SSL termination configuration. Workaround: None.

CSCtr94144—Associating a class map to a policy map through XML to transmit, exchange, and interpret data among applications can sometimes result in the generation of an invalid error. Workaround: None.

CSCts52315—If you create a class-map condition from the ACE CLI that contains a space in either an HTTP or RTSP URL match, the ACE appliance DM GUI will not display the class-map condition. For example:

class-map type http loadbalance match-any URLMatch
 
   
  2 match http url "/Benefit\ Plans/.*"
  3 match http url \Plans
  4 match http url "\ Plans"
  5 match http url "\ "
 
   

If you access the DM GUI and synchronize to the CLI configuration shown in the example above, after the synchronization is completed, when you display the class map from the DM GUI , you will see only line 3. If you attempt to insert line 4 "match http url "\ Plans," the DM GUI will instruct you that the condition already exists. However, if you apply this configuration using the DM GUI, it will appear correctly in the CLI. Workaround: Create the match condition using the DM GUI.

Software Version A5(1.0) Open Caveats

The following open caveats apply to software version A5(1.0):

CSCtd42287—When the ACE is running with the maximum limit of 8K static entries and you remove a service policy from an interface and quickly readd it, the ACE removes the statements from the NAT policies. Workaround: Provide ample time between removing a service policy from an interface and then readding it.

CSCte76618—When traffic traverses the ACE with the same source and destination port and dynamic NAT for that traffic is enabled, the ACE performs an implicit PAT. This behavior interrupts some sessions. This problem does not occur when NAT is not involved. Workaround: If possible, disable dynamic NAT.

CSCtf54230—When Layer 2 connected real servers are in the arp-failed state and probes are attached to all of them or the ACE is running a high rate traffic that generates many mac-miss IPCP messages, FT may appear to fail after several hours. Workaround: Remove the real servers in the arp_failed state or make sure that most of the real servers are UP.

CSCtg67860—When you configure multiple track probes in two user contexts and enter the show cfgmgr internal table track-probe command, the ACE becomes unresponsive due to a Cfgmgr process failure. Workaround: None.

CSCtg87855—After you change the configuration in a large ACE configuration and enter show commands, the CLI becomes unresponsive for a period of time. In this case, the show processes cpu | include cfgmgr command displays one of the configuration manager (cfgmgr) processes consuming CPU resources. After you apply the configuration change, the cfgmgr CPU usage goes to zero, and the CLI becomes unresponsive. Workaround: Wait until the cfgmgr completes its previous operation before entering the show command.

CSCth04993—When you configure an ACE interface with single NAT IP address in the NAT pool and the ACE receives SIP UDP traffic, it resets subsequent SIP TCP traffic. Workaround: Perform either of the following:

Perform a checkpoint rollback to a non-SIP configuration and then to the existing configuration.

Increase the number of IP addresses in the NAT pool.

CSCth07709—When performing the snmpwalk or snmpbulkwalk command for any object on the ACE, occasionally the ACE displays an Unknown user name error. The frequency of this occurrence can increase by having three contexts on the ACE. Workaround: None.

CSCth24647—When the FT interface VLAN number is lower than the other interface numbers and these interfaces require the downloading of large configurations, an API timed out error occurs when applying the startup configuration. Workaround: Enter the no ft auto-sync running-config command and then enter the ft auto-sync running-config command.

CSCth55362—When the ACE performs a configuration rollback, existing classes in a policy are not reordered according to the new configuration. The running configuration has a policy that contains several classes. The checkpoint contains that policy with some or all the classes in a different order. After performing the rollback, the order of the classes stays as it was in the running configuration. Workaround: Perform either of the following:

Remove the policy that was changed during the rollback and then perform the rollback.

If there are many similar policies in the configuration, perform a rollback to an empty configuration and then rollback to the desired configuration.

CSCth74700—Connectivity to the real server may be lost when you configure the following:

A client and server side VLAN on the ACE

A real server and ensure that it is Layer 2 reachable

A static route with a /32 mask to reach the real server through another interface

Workaround: Remove and reconfigure the real server.

CSCti28255—When a real server state transitions to UP from a probe-failed or ARP-failed state, the ACE generates the CISCO-ENHANCED-SLB-MIB:cesRserverStateUp trap. However, if the real server goes down due to a probe-failed or ARP-failed state, the ACE generates the CISCO-ENHANCED-SLB-MIB:cesRserverStateChange trap. Workaround: None.

CSCti68449—The show xlate command displays thousands of entries. However, the show resource usage command displays zero peak and zero current. Workaround: Reboot the ACE.

CSCtj00826—If the ACE is running a large number of HTTP or HTTPS probes when probing a file approximately a megabyte in size, the ACE reboots. The following message may precede the reboot:

System running low on direct mapped memory 
Please issue 'show system kcache' to diagnose further
 
   

Workaround: Reduce the size of the file being probed when running a large number of probes on the ACE.

CSCtj12692—You configure the ACE with 4000 sticky groups and do not allocate a sticky resource class. The sticky resource values are the default: minimum of 0 and a maximum of unlimited. When the sticky database has 800,000 entries, you create a sticky resource class to a minimum value equal to 20 percent and apply it to the context. After a few minutes the ACE becomes unresponsive and reboots. Workaround: Do not change the resource class when you configure a large number of sticky groups and the database is full with active entries.

CSCtj65408—When you configure an ECHO TCP or UDP probe with send-data value, the probe passes even when the server sends a regex that does not match the send-data value. Workaround: You can use a TCP or UDP probe with send-data and regex values as required instead of an ECHO TCP or UDP probe.

CSCtl45638—When you configure usernames with the ACE default roles, a user with the Network-Monitor role does not have access to some commands. Workaround: Assign the user with the admin role.

CSCtl56689—Log-in to the ACE appliance Device Manager fails when a TACACS server is set up with a network filter for client IP address(es). Workaround: Remove the TACACS filter running on the network.

CSCtl68891—When you configure a real server on the ACE, assign it an IP address, place it in service, and then delete it, the ACE generates an unnecessary trap. When the real server state changes from ARP-FAILED to operational, the ACE generates the CesRServerStateUp trap. Workaround: None.

CSCto34856—When you configure Layer 7 load-balancing or HTTPS termination with sticky and redundancy on the ACE, HTTP/HTTPS Post requests with large headers that span multiple packets can cause packets to be sent to the backend servers out of order. This behavior can cause the server to drop the request to or to send a failure return-code. Workaround: Remove sticky from the server farm.

CSCto46159 (CSCtg96456)—When you configure the maximum number of the VIP statements in a single class map of 254 and then delete one of the VIP statements, the ACE cannot add a match VIP address in a single class map and displays the following message:

Error: Exceeded maximum match item limit for the class-map 
 
   

Workaround: Remove the class map and the reconfigure it again with all of the VIP addresses.

CSCto68956—With the ACE configured for sticky and multiple sticky groups and the sticky database is almost full, the ACE may unexpectedly reboot and generate a core file. When this behavior occurs, the core file points to the Load Balancing (LB) process thread where a new sticky entry is trying to be obtained. Workaround: None.

CSCto76442—When you configure a new IPv6 duplicate address attempt for an interface through the ipv6 nd dad-attempts command, you may find that the value does not take effect. Workaround: Specify a shut/no shut command sequence on the interface to reenable the interface. We recommend that prior to specifying a shut/no shut command sequence that you keep track of the current traffic movement on the interface.

CSCtr56096—You may observe that the sticky-conns counter in the show serverfarm detail command output displays a nonzero value when there are no current connections. The sticky-conns counter displays the number of active connections when using sticky and gets updated when there are one or more active (current) connections. Workaround: None.

CSCtr58692—You may find that configuring the fail-on-all command, followed by a probe, for a real server does not function properly. Workaround: After adding or removing a probe for a real server, remove and re-add the fail-on-all command for the real server.

CSCtr70477—You may observe that the show service policy detail command output includes invalid values for the Hit Count or Dropped Conns counters under the class-default class map. This behavior can occur with a large number of client source entries and you add and remove the class-default class map several times in a policy map. Workaround: None.

CSCtr80967—With SIP traffic running for a long period of time (for example, overnight) with a heavy volume of traffic, the ACE may encounter one or two proxy mapping entries become unavailable. For example:

switch/Admin# sh np 1 me-stats "-s lb" | inc Mapping
Free Proxy Mapping:                           32767             0
Alloc Proxy Mapping:                       29612485             0
Alloc Proxy Mapping Failed:                       0             0
Release Proxy Mapping:                     29612484             0
switch/Admin# sh np 2 me-stats "-s lb" | inc Mapping
Free Proxy Mapping:                           32768             0
Alloc Proxy Mapping:                       33107573             0
Alloc Proxy Mapping Failed:                       0             0
Release Proxy Mapping:                     33107573             0
switch/Admin# sh np 3 me-stats "-s lb" | inc Mapping
Free Proxy Mapping:                           32766             0
Alloc Proxy Mapping:                       50967736             0
Alloc Proxy Mapping Failed:                       0             0
Release Proxy Mapping:                     50967734             0
switch/Admin# sh np 4 me-stats "-s lb" | inc Mapping
Free Proxy Mapping:                           32766             0
Alloc Proxy Mapping:                       52207388             0
Alloc Proxy Mapping Failed:                       0             0
Release Proxy Mapping:                     52207386             0
 
   
switch/Admin# sh np 1 me-stats "-D"
0 entries open.
 
   

Workaround: None.

CSCtr81263—With high point-to-multipoint traffic, the ACE may ignore the specified connection limit specified by the conn-limit max command. In this case, you may observe few connections being received over the configured connection limit. Workaround: None.

CSCtr95088—You may find that ND entries are not refreshed for learned entries at the configured ND interval. Workaround: None.

CSCtr96229—When you remove a resource class that is associated with a specific context, in some cases the ACE may reboot. This issue is related to the number of contexts in the ACE, when the ACE configured with several contexts and a resource class, that is associated with one of the contexts, requires a sticky limit. When the ACE LB module attempts to remove the sticky entries from the free list, it first determines if there is a starving context that is waiting for resources by walking through a link list of contexts, which consumes ACE CPU time. This behavior does not occur if the resource class does not include any limits for sticky.

Workaround: We recommend that you do not change the resource class when there is a large number of contexts or sticky groups configured in the ACE, or that you gradually change the limit in the resource class if you have configured a sticky limit.

CSCts09817—In an ACE HA configuration, with an FT setup with a large configuration, when you attempt to make a configuration change, you may find that MTS buffers can leak on both the active and standby ACEs. Workaround: Do not make do any changes when you have large configurations.

CSCts25057—Connections to a real server may not be purged with the failaction-purge command, and the real server enters a return code failed state. Workaround: None.

CSCts42706—When performing IPv6 processing, you may find that Bridge Protocol Data Units (BPDUs) are dropped by the ACE and do not get bridged. Workaround: Perform one of the following actions to resolve this issue:

Configure an IPv4 address.

Remove and then add the ipv6 enable command under the interface to enable IPv6 processing on the interface.

CSCts56112—If you have dynamic workload scaling (DWS) configured in the ACE, ACE connectivity with the Cisco Nexus 7000 series switch may be lost. When this happens, SSH connection to the Cisco Nexus 7000 series switch from the ACE reports an "authentication failure" error. Workaround: Perform the following actions:

On the newly active Cisco Nexus 7000 series switch, assign a new management IP address.

On the ACE, update the IP address of the Nexus 7000 management interface for the local Nexus device on the ACE to the newly assigned IP address.

CSCts76353—In some cases, you may find that real servers frequently reach the INBAND-FAIL state. This issue occurs because the reset interval in the inband health monitoring function is working in seconds instead of milliseconds, which causes the error interval detection to be longer and increases the chance of hitting the INBAND-FAIL state. There are no issues with the other associated real server timers (such as reset, resume-service, and so on) are all working properly. Workaround: None.

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.