Cisco CSS 11000 Series Content Services Switches

Release Note for the Cisco 11000 Series Content Services Switch (Software Version

Table Of Contents

Release Note for the Cisco 11000 Series Content Services Switch


New Features in Software Version 5.00

CSS Standard and Enhanced Feature Sets

Before Upgrading the CSS Software

Updating Management Information Base Files (MIBs)

Operating Considerations

Caveats
Resolved Caveats

Device Management Operating Considerations and Caveats

Version 5.00 b45 Command Changes

Version 5.00 b33 Command Changes

Korean Certification Information

Obtaining Documentation

World Wide Web

Documentation CD-ROM

Ordering Documentation

Documentation Feedback

Obtaining Technical Assistance

Technical Assistance Center

Cisco TAC Web Site

Cisco TAC Escalation Center

Release Note for the Cisco 11000 Series Content Services Switch

June 26, 2002

Note The most current Cisco documentation for released products is available at The online documents may contain updates and modifications made after the hardcopy documents were printed.


This release note applies to software version 5.00 build 45 (b45), maintenance release for version 5.00, for the CSS 11050, CSS 11100, CSS 11150, and CSS 11800 content services switches. For information on version 5.00 commands and features, refer to the CSS 5.00 documentation located in

Note Do not attempt to load, unpack, or configure a version 5.10 software image on an 11000 series CSS.

This release note contains the following sections:

New Features in Software Version 5.00

CSS Standard and Enhanced Feature Sets

Before Upgrading the CSS Software

Updating Management Information Base Files (MIBs)

Operating Considerations

Caveats
Resolved Caveats

Device Management Operating Considerations and Caveats

Version 5.00 b45 Command Changes

Version 5.00 b33 Command Changes

Korean Certification Information

New Features in Software Version 5.00

The following new features are supported in software version 5.00:

Configurable Spanning Packets for HTTP Header Termination

ArrowPoint Cookie Enhancements

Configurable Flow Cleanup

Zeroing Service Statistics Counters

Enhanced SSL Load Balancing

Client Side Accelerator

Content Routing Agent (Boomerang)


VIP and Interface Redundancy Config Sync

SNTP Client

64-Character DNS A-Record

255 Scripted Keepalives

Content Requests Spanning Packets

Device Management Over Secure Socket Layer (SSL)

Restricting SSH

For information on the commands added in version 5.00 b45, see "Version 5.00 b45 Command Changes" later in this chapter. For information on the commands added in version 5.00 b33, see "Version 5.00 b33 Command Changes" later in this chapter.

CSS Standard and Enhanced Feature Sets

The CSS software is available in a Standard or Enhanced feature set. The Enhanced feature set contains all of the Standard feature set and also includes Network Address Translation (NAT) Peering, Domain Name Service (DNS), Demand-Based Content Replication (Dynamic Hot Content Overflow), Content Staging and Replication, and Network Proximity DNS. Proximity Database and SSH are optional features. If you are upgrading from the Standard to the Enhanced feature set or want to activate a CSS software option (for example, SSH Server) that you purchased, refer to the Content Services Switch Getting Started Guide for information on entering a license key.

Access to the Standard and Enhanced feature sets or the Proximity Database requires that you enter a software license key when you boot the CSS for the first time. If you enter the Proximity Database license key after booting the CSS, you must reboot the CSS before you can configure the Proximity Database so that the CSS can re-allocate memory. For details, refer to the Content Services Switch Getting Started Guide.

If you configure your CSS for Proximity Database, you cannot use the CSS for load balancing. For details on configuring a Proximity Database, refer to Content Services Switch Advanced Configuration Guide.

Before Upgrading the CSS Software

Read the following information before you upgrade the CSS.

If rmon-history data-source commands exist in your current startup-config file, you will receive startup errors when you upgrade the CSS to 5.00 build 45. In version 5.00, the ifIndex identifier is assigned differently from the way it was assigned in prior software versions. After you upgrade the CSS to 5.00 build 45, you must reenter all rmon-history data-source commands contained in your startup-config file.

If you are upgrading from 3.xx to 5.xx and have a 3.xx Enhanced software license key, you must enter a 5.xx Enhanced license key during the CSS upgrade to 5.xx, or you will receive startup errors when you attempt to enter Enhanced CLI commands. If you upgraded the CSS to 5.xx without first entering a 5.xx Enhanced license key:

a. Use the license command to change the license key.

b. Reboot the CSS without saving the running-configuration.

If you are running SSH on a 3.xx CSS and you have disabled Telnet, you must enable Telnet prior to upgrading the CSS to 5.00 build 45. After you upgrade the CSS to 5.00 build 45, use the license command to enter the SSH license key.

Updating Management Information Base Files (MIBs)

Cisco recommends that you update the CSS MIBs after you upgrade the CSS software. CSS MIBs are included in the CSS GZIP file. During the software upgrade, the MIBs are loaded into the CSS /mibs directory.

To update the CSS MIBs on your management station after you upgrade the CSS:

1. FTP the MIBs from the CSS MIBs (/v1 or /v2) directory to your management station.

2. Load the MIBs into the management application.

Operating Considerations

The following operating considerations apply to the CSS 11050, CSS 11100, CSS 11150, and CSS 11800:

The CSS does not NAT fragmented IP packets.

The CSS content routing agent is compatible only with the Cisco Content Router 4430-B software version 1.1.

If you are running the Inktomi Traffic Server on a system that does not listen in promiscuous mode and you want to bypass the Inktomi Adaptive Redirect Module (that is, send traffic directly to port 8080 instead of port 80), specify the CSS service type as type proxy-cache. Configuring the CSS service type to type proxy-cache causes the CSS to perform full Network Address Translation (NAT) when directing traffic to the Traffic Server.

When Cisco makes syntax changes to existing CLI commands, the CSS updates your startup-config automatically with most command syntax changes. For example, the CSS automatically updates the web-mgmt state enabled command in the startup config to the new no restrict web-mgmt command.

If the CSS does not update a command syntax change in a startup-config automatically, a startup error is displayed. See the sections "Before Upgrading the CSS Software" and "Caveats" for information on which command syntax changes display startup-config errors.

The War-FTP daemon is not supported for network-booting the system software.

The Gigabit Ethernet module port statistics are an aggregation of all ports on the module.

When using the domain hash load-balancing method with proxy cache services, you may see duplicate sites across caches because the CSS balances on the first GET request in a persistent connection unless the subsequent GET request does not match a rule with the same proxy service specified. If you are concerned with duplicate hits across caches, reset persistence to remap and disable persistence on the rule. Enter the (config) persistence reset remap command globally and the (config-owner-content) no persistent command on the content rule.

You cannot have an SFM and an SFM2 in the same CSS 11800 chassis.

Content replication does not support the WSFTP FTP application.

When using the content add dns command, you must add DNS names in lowercase only. If you enter DNS names with a combination of uppercase and lowercase characters, a startup error appears and you must reenter the names in lowercase characters.

You cannot add redundancy uplink services to content rules.

A redundant VIP configuration can consist of only two CSSs.

The ethernet-n format for specifying an interface-port in a CSS 11050 or CSS 11150 (for example, ethernet-2) is supported for software releases prior to version 5.00 to ensure backwards-compatibility with CSS startup configurations and scripts.

In software versions prior to 5.00, the CSS 11800 Fast Ethernet Module and Gigabit Ethernet Module Link LEDs are on solid during bootup. In 5.00, the Fast Ethernet Module Link LEDs blink rapidly and the Gigabit Ethernet Module Link LEDs are off during bootup.

The CSS may reclaim TCP/UDP flows that have not received an ACK or content request after approximately 15 seconds. To prevent the CSS from reclaiming TCP/UDP flows to a specific source or destination port, use the flow permanent command and specify the TCP/UDP port number you do not want reclaimed.

When you configure a service as a subscriber, you must specify the access type for each subscriber using the access ftp command.

This operating consideration applies when connecting a Cisco Catalyst switch to a CSS using 802.1q and the spanning tree protocol. Cisco switches run a spanning tree instance per VLAN. When you configure an 802.1q trunk on an Ethernet interface, the Bridge Protocol Data Units (BPDUs) are tagged with the corresponding VLAN ID, and the destination MAC address 01-00-0c-cc-cc-cd is used. This allows Cisco switches operating in a non-Cisco (a mix of other vendors) 802.1q environment to maintain spanning tree states for all VLANs.

Though the CSS maintains a spanning tree instance per VLAN as well, it continues to use the standard 01-80-C2-00-00-00 destination MAC address for all BPDUs (tagged or untagged). When you connect a Cisco Catalyst switch to a CSS over an 802.1q trunk, the result is that neither switch will recognize the other's BPDUs, and both will assume root status. If a spanning tree loop is detected, the Catalyst switch goes into blocking mode on one of its looped ports.
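As an added example (not code from this release note or from Cisco), the following Python parses configuration BPDUs from raw Ethernet frames, tells standard IEEE BPDUs (01-80-C2-00-00-00, as sent by the CSS) from Cisco PVST+ BPDUs (01-00-0C-CC-CC-CD, as sent by a Catalyst on an 802.1q trunk) by destination MAC, and flags VLANs in which two different bridges each announce themselves as root, which is the symptom described above. The bridge MAC addresses and the sample frames are constructed for the demonstration.

```python
"""Added example: classify BPDUs on a trunk capture by destination MAC and
report VLANs where more than one bridge claims to be root. Not Cisco code;
the bridge MACs and frames below are constructed."""
import struct
from collections import defaultdict

IEEE_STP_MAC = bytes.fromhex("0180c2000000")    # 01-80-C2-00-00-00, used by the CSS
CISCO_PVST_MAC = bytes.fromhex("01000ccccccd")  # 01-00-0C-CC-CC-CD, Catalyst PVST+
TPID_8021Q = 0x8100
LLC_STP = bytes.fromhex("424203")               # 802.2 LLC header of an IEEE BPDU
SNAP_PVST = bytes.fromhex("aaaa0300000c010b")   # SNAP header of a Cisco PVST+ BPDU
CONFIG_BPDU = struct.Struct("!HBBB8sI8sHHHHH")  # 802.1D configuration BPDU body


def parse_bpdu_frame(frame: bytes) -> dict:
    """Describe one configuration BPDU frame; raise ValueError for anything else.
    'vlan' is the 802.1q VLAN id, or None when the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    off, vlan = 12, None
    if struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        if len(frame) < off + 4:
            raise ValueError("truncated 802.1q tag")
        vlan = struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF
        off += 4
    if dst == IEEE_STP_MAC:
        kind, hdr = "ieee-stp", LLC_STP
    elif dst == CISCO_PVST_MAC:
        kind, hdr = "cisco-pvst", SNAP_PVST
    else:
        raise ValueError("not a BPDU destination MAC")
    off += 2  # skip the 802.3 length field
    if frame[off:off + len(hdr)] != hdr:
        raise ValueError("unexpected LLC/SNAP header for %s" % kind)
    off += len(hdr)
    if len(frame) < off + CONFIG_BPDU.size:
        raise ValueError("truncated BPDU")
    (_proto, _ver, bpdu_type, _flags, root_id, _cost, bridge_id,
     _port, _age, _max_age, _hello, _fwd) = CONFIG_BPDU.unpack_from(frame, off)
    if bpdu_type != 0x00:
        raise ValueError("not a configuration BPDU")
    return {
        "src": src.hex(":"), "vlan": vlan, "kind": kind,
        "root_id": root_id.hex(), "bridge_id": bridge_id.hex(),
        # A bridge that names itself as root has not accepted any peer's BPDU.
        "claims_root": root_id == bridge_id,
    }


def find_dual_root_vlans(frames) -> dict:
    """Map VLAN -> sorted (src, kind) pairs for each VLAN where more than one
    bridge claims root. Non-BPDU frames are skipped, as a trunk capture will
    contain plenty of other traffic."""
    roots = defaultdict(set)
    for frame in frames:
        try:
            b = parse_bpdu_frame(frame)
        except ValueError:
            continue
        if b["claims_root"]:
            roots[b["vlan"]].add((b["src"], b["kind"]))
    return {vlan: sorted(s) for vlan, s in roots.items() if len(s) > 1}


def build_bpdu(dst: bytes, src: bytes, vlan, root_id: bytes, bridge_id: bytes) -> bytes:
    """Build a constructed configuration BPDU frame for the demonstration."""
    hdr = LLC_STP if dst == IEEE_STP_MAC else SNAP_PVST
    body = CONFIG_BPDU.pack(0, 0, 0, 0, root_id, 0, bridge_id, 0x8001, 0, 20, 2, 15)
    tag = struct.pack("!HH", TPID_8021Q, vlan) if vlan is not None else b""
    return dst + src + tag + struct.pack("!H", len(hdr) + len(body)) + hdr + body


CSS_MAC = bytes.fromhex("001058aabbcc")  # constructed CSS MAC address
CAT_MAC = bytes.fromhex("00000c112233")  # constructed Catalyst MAC address
CSS_ID = b"\x80\x00" + CSS_MAC           # bridge id = priority 0x8000 + MAC
CAT_ID = b"\x80\x00" + CAT_MAC

SAMPLE_TRUNK_CAPTURE = [  # constructed frames, as seen on the 802.1q trunk
    # Catalyst PVST+ BPDU on VLAN 10: the CSS never sees it, so the Catalyst
    # hears no peer and names itself root.
    build_bpdu(CISCO_PVST_MAC, CAT_MAC, 10, CAT_ID, CAT_ID),
    # CSS BPDU on VLAN 10 with the standard destination MAC: the Catalyst
    # ignores it on the trunk, so the CSS also names itself root.
    build_bpdu(IEEE_STP_MAC, CSS_MAC, 10, CSS_ID, CSS_ID),
    # Constructed untagged exchange with the standard MAC on both sides, where
    # the bridges agree on one root (CSS reports CAT_ID as root).
    build_bpdu(IEEE_STP_MAC, CAT_MAC, None, CAT_ID, CAT_ID),
    build_bpdu(IEEE_STP_MAC, CSS_MAC, None, CAT_ID, CSS_ID),
    b"\xff" * 60,  # unrelated broadcast frame, ignored by the parser
]

if __name__ == "__main__":
    print(find_dual_root_vlans(SAMPLE_TRUNK_CAPTURE))
```

A VLAN listed by find_dual_root_vlans has two bridges that do not hear each other's BPDUs, so loop protection on that VLAN depends entirely on the Catalyst detecting the loop and blocking a port.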

In a network boot configuration, the config-path and the base directory path in the ftp-record associated with the network boot must not contain a pathname that conflicts with a non-network driver name (for example, c: or host:).

You cannot configure services learned through APP (that is, remote services) as preferred services in ACL clauses. A remote service learned via APP is of the form ap-redirect@ and can be seen on the show service summary screen. When configuring an ACL clause, you cannot use this service as a preferred service. If you save this clause in the startup-config and reboot the CSS, a startup error occurs because this service has not been learned through APP at this point. For example:

clause 10 permit any any destination any prefer ap-redirect@

When using Firewall load balancing, the VIPs must be configured on the CSS that is not on the Internet side of the firewalls. Do not configure content rules with VIPs on the CSS connected to the Internet side of the firewalls unless the servers are directly connected to the CSS.

The CSS FTP server supports only active FTP. It does not support passive FTP.

The CSS does not support a traceroute of a redundant IP interface.

A subscriber's state will not be ready or will be in access failure until the publisher's state is ready.

The CSS does not support VIP redundancy and box-to-box redundancy configurations simultaneously.

The CSS recognizes and forwards the following HTTP methods directly to the destination server in a transparent caching environment. However, the CSS does not load balance these methods.



Network boot is not supported on UNIX workstations.

If the upgrade script fails while upgrading the CSS to the same version of software that is currently running, the CSS software directory will be incomplete. To reinstall the software, you must upgrade the CSS manually (that is, FTP the .adi to the CSS and perform a manual unpack).

The CSS does not set up flows if the source or destination port is designated as port 67, 68, 137, 138, 161, 162, 520, or 8089 (UDP only).

With software version 5.00 build 33, the number of concurrent XML sessions to the CSS has been limited to 20.

With software version 5.00.045 and higher, flow reclamation is always active. If you find that the CSS reclaims flows too quickly, enter the flow long-lived command in Global configuration mode to delay flow reclamation on a lightly loaded CSS. This command allows long-lived flows to continue even with a large period of inactivity. For command details, see "Version 5.00 b45 Command Changes" later in this document.

You can monitor connection resources with the flow statistics command. The Number of Allocated Flows field shows the total number of connection resources allocated and managed by this processor in multiprocessor platforms. The Number of Free Flows field shows the maximum number of connection resources available on this processor in multiprocessor platforms. This number is based on how much RAM is available after the software image and configuration load.

When using Arrowpoint cookies, the CSS may experience performance delays. To improve the CSS performance, enter the arrowpoint-cookie advanced command in owner-content mode. This command improves CSS performance by mapping the Arrowpoint cookie flows in the fastpath (hardware). For command details, see "Version 5.00 b45 Command Changes" later in this document.

Caveats
The following caveats apply to software version 5.00 b45:

CSCdw00921 - You are unable to activate an RMON alarm without specifying a rising and falling event and a threshold.

CSCdx01430 - If you configure RADIUS on a CSS, the CSS incorrectly displays a startup-error for the RADIUS primary or secondary server, even though the server is configured properly.

CSCdx02753 - With an L5 rule configured on a CSS and a NATing device between the CSS and the Internet, the CSS may encounter multiple instances of a SYN and the same network tuple for a flow that is already mapped. The NATing device can also reuse the TCP sequence number making it difficult for the CSS to determine if an incoming SYN is a retransmission for an existing flow, a possible SYN attack, or a new flow. As a result, the CSS may forward the SYN (and the subsequent POST) to the wrong server.

CSCdx13320 - If you configure a static route to take precedence over a RIP route, the CSS does not update the show ip route command output right away. The new static route should appear even while the old RIP route is waiting to be removed from the route table.

CSCdw15723 - If you are running software version 5.0 and using the Proximity Database (PDB), you should not introduce a CSS running software version 5.02 into the proximity mesh. Updates from a version 5.0 Proximity Database to a version 5.02 Proximity Database can cause the CSS to reboot.

CSCdx18636, CSCdx39369, CSCdu46997 - There are multiple issues with the Current Connection counter in the show service output:

1. The wrong service may be decremented at flow teardown time because the internal WCC in/out cookies contain different service indexes.

2. With a persistent connection, it is possible to overwrite the internal WCC in cookie server and lose track of which service index needs to be decremented at flow teardown time.

3. The Total Connections counter in the show service output is cleared when a service goes down.

CSCdx25872 - If you configure an L5 content rule without a VIP on a CSS and open a Webmail session across a TCP connection, the CSS resets the TCP connection. The workaround is to remove the L5 rule and configure an L4 rule.

CSCdx27019 - RADIUS access-request packets sent by a CSS have empty fields for attributes 4 (NAS-IP-Address) and 61 (NAS-Port-type). This can cause interoperability problems with some RADIUS server features that are based on such attributes, for example, the Cisco ACS Network Access Restriction feature. The RADIUS RFC states that attribute 4 must be present and attribute 61 should be present.

CSCdw31969 - SNMP service transition messages may overflow the SNMP trap queue.

CSCdx32956 - A RADIUS authentication request may be overwritten if two users are logging in simultaneously or if the primary server is being probed and the secondary server is being used for authentication.

CSCdu34502 - Do not use the Cisco Content Router 4430-B bloat and fragment-size options with the CSS content routing agent. Entering these options causes unexpected results.

CSCdx35296 - The show radius config all command may not display the correct state of the primary RADIUS server. When probing the primary RADIUS server because it has gone down, the time to wait for a response must be less than the dead timer, or else the state of the primary server may be inconsistent with the show command output.

CSCdw35822 - Using a one-armed router configuration and an SSL rule with a URL defined, the CSS could leak Flow Control Blocks (FCBs).

CSCdt36894 - If you enter the proximity clear command, cancel it, and then reenter the command, the PDB may no longer respond to database lookups.

CSCdx40769 - When a redundant interface or VIP MAC address switches between a master CSS and a backup CSS a number of times in quick succession, a bridge entry may be freed too many times and cause an unexpected system reload.

CSCdx42545 - The arrowpoint-cookie expiration command syntax does not comply with RFC2822.

CSCdw42879 - Under some conditions, when the CSS sends a 302 redirect, it sets the TCP RST bit rather than the FIN bit. This can cause problems for clients running Microsoft® Internet Explorer.

CSCdw44598 - An external client launch of SNMP GET fails for ap64ifInOctets and ap64ifOutOctets.

CSCdx45147, CSCdx59152 - Logging from the CSS to a syslog host is not working properly. The software does not check properly for the loghost facility level to determine whether a syslog message should be sent.

CSCdx46445 - URQLs do not work properly when configured with domain names. A workaround for this caveat is to define the domain name in the URQL with all uppercase letters. For example, if the domain you want is, then define it as domain WWW.TEST.COM in the URQL.

CSCdx46512 - If you change the SSHD listen port on a CSS using XML or SNMP, the CSS may perform a core dump during bootup.

CSCdt49036 - The CSS supports a maximum of 15 active ECMP routes.

CSCdx49132 - With an L5 domain content rule with a URL/port of the form "url /poorfredthedog:8001/*", the CSS does not match on anything past the colon.

CSCdx50286 - If a CSS receives the Telnet option NOP, a Telnet session to the CSS may become unresponsive.

CSCdv52072 - Removing a URL suspends the associated content rule. In software version 4.01, you would receive an error message.

CSCdx54742 - When using an L5 content rule with a header-field group, the rule does not match properly when the HTTP method is CONNECT.

CSCdx55312 - In a VIP redundancy configuration (active/backup), setting the interface to 100 Mb can cause physical link failures and affect VIP redundancy operation. Workaround: set interface to auto-negotiate or 10 Mb.

CSCdx55560 - If the event count for a DoS attack is greater than 10 million, the show dos command may become unresponsive.

CSCdx59034 - With two different IP addresses with the same MAC address configured on the same VLAN on a CSS, the CSS continually learns and updates the forwarding entry on different ports. This environment causes the CSS to allocate memory incorrectly and eventually to perform a core dump and reboot.

CSCdx59081 - If a CSS receives a UDP packet that hits a content rule, the CSS performs a core dump and reboots.

CSCdx60204 - Entering the icp shell command in debug mode may cause the CSS to perform an unexpected system reload. Do not use the icp shell command; it is not a supported command.

CSCdx62611 - If the CSS has to retransmit a SYN/ACK back to the client when spoofing the connection, it does not include any TCP options. It should include the options that the client included in the initial TCP SYN.

CSCdx63118 - If a CSS is performing an SNMP poll for the apIpv4RedundancyVIPState OID and a user at the CLI has just deleted the redundant VIP, the CSS may unexpectedly reload the system.

CSCdw78256 - If the bridge command options max-age, forward-time, and hello-time are in the CSS startup-config, the CSS does not apply the options properly upon reboot.

CSCdv86041, CSCdw90381 - Using the proximity assign command to make a subnet less specific may cause a CSS to unexpectedly reload the system.

CSCdw87925 - When there are no file descriptors available, the console may hang and the CSS has no management access via Telnet, SSH, or FTP.

Resolved Caveats

The following caveats have been resolved in software version 5.00 build 33:

CSCdw64236 - The Cisco 11000 series content services switch is vulnerable to SNMP vulnerabilities. These vulnerabilities can be easily and repeatedly demonstrated with the use of the University of Oulu Secure Programming Group (OUSPG) "PROTOS" Test Suite for SNMPv1. The test suite is generally used to analyze a protocol and produce messages that probe various design limits within an implementation of a protocol. Test packets containing overly-long or malformed object identifiers and other combinations of exceptional values in various fields can be programmatically generated and then transmitted to a network device under test. The PROTOS test suite for SNMPv1, as distributed, contains approximately 53,000 individual test cases. Further details are described in the advisory at:

CSCdw26696 - The CSS formerly used TCP port 8081 for its web management interface. The web server that listens on port 8081 did not understand XML data, and in trying to process the request would result in a soft reset of the device. Currently all web management interface traffic should be directed over SSL or HTTPS. Further details are described in the advisory at:

CSCdx41911 - The CSS may be forced to reboot by sending an HTTPS POST request to the web management interface of the device. This may occur even if the sender of the request is not yet authenticated to the device. Further details are described in the advisory at:

CSCdx01467 - The RADIUS server statistics are not cleared when you remove the RADIUS server or clear the running-config.

CSCdx01469 - The RADIUS configuration allows an IP address of

CSCdx01565 - Under heavy load, the ASYNC messaging system could free apSyncHeader buffer but leave it on the active list to process at a later time. This could cause the CSS to perform a core dump and become unresponsive.

CSCdx02405 and CSCdx01674 - When logging a syslog message, the CSS uses the global logging subsystem level rather than the user-defined logging host facility level.

CSCdx03391 - You can configure a content rule and a service with the same IP address.

CSCdx03401 - If you configure a range of redundant VIPs after configuring a single VIP that overlaps the redundant range, the CSS does not catch the conflict and prevent it.

CSCdu03592 - For an L5 header field content rule, the CSS resets a spanned content request if the request spans two packets and the section terminator is divided so that the second packet contains a single line feed character.

CSCdx05748 - When the CSS receives a GET request with multiple header fields and one of those fields spans a packet, a matching content rule configured with a header-field-group that contains multiple header-fields is never hit.

CSCdx08332 - If you delete a non-OSPF route and the CSS receives a new OSPF route to a destination, the CSS does not update the SFP routing table.

CSCdx08869 - When running the commit_redundancy script with the verify option (default), if the APP session is configured with additional parameters after the IP address, the script removes these parameters from the local CSS configuration. This will cause the APP session not to come back up and the verify will time out/fail.

CSCdw08986, CSCdw11746 - The CSS 11800 may cease to clean up flow control blocks (FCBs) due to an internal error. This can cause performance issues and may cause all traffic to cease.

CSCdx09494 - When a keepalive fails, the CSS continues to use the keepalive frequency period, instead of the retry frequency period, for several keepalive iterations after the failure.

CSCdx10956 - If there is more than one APP session configured and local services go down in a global server load balancing (GSLB) environment, the load is not properly reported across the APP mesh.

CSCdx10969 - In a GSLB environment with all local services down, a CSS still responds to PING requests.

CSCdx12290 - When a CSS receives a TCP PUSH frame without first seeing the TCP SYN, the CSS considers this a mid-NAT reject and sends a TCP RST back to the client. The TCP RST uses a zero sequence number, which some TCP stacks ignore.

CSCdw13122 - When an APP session goes down, the CSS tries to renegotiate it. If the APP peers are out of sync, the APP session may remain in the INIT state.

CSCdx14304 - When using advanced-balance arrowpoint cookies with HTTP requests that span multiple packets, the connection may not complete.

CSCdx15148 - When running box-to-box redundancy on the CSS with a minimal configuration, it is possible that the CSS with the higher IP address on the redundancy VLAN always retains mastership.

CSCdx17480 - EPIF resets do not work because the physical interfaces are not taken out of reset mode when a new copy of the image is downloaded to the EPIF. XPIF resets work properly.

CSCdx17871 - On rare occasions, two APP sessions can come back up and try to connect to their respective peers with the same time delay. If the APP peers are out of sync, the APP sessions may remain in the INIT state.

CSCdx18725 - If you are using box-to-box redundancy with services configured with HTTP keepalives, the CSS should zero the internal hash value (or checksum) of the keepalive URI when redundancy changes state, unless you specifically configured the keepalive hash value. Dynamically changing pages may cause keepalives to not come alive unless this is done.

CSCdx18786 - You cannot disallow SSH access to the CSS.

CSCdx18853 - When using the advanced-balance wap-msisdn command, the CSS 11800 does not distribute the flows properly because the sticky table is not updated across all SFPs. In addition, the CSS does not update the sticky counters properly for this sticky type.

CSCdx19132 - If a flow is deleted from its internal cache and a CSS receives a TCP SYN with the same network tuple and initial sequence number as the deleted flow, the CSS may forward the SYN to the wrong server or may drop the SYN packet, depending on the state of the older, deleted flow.

CSCdx21088 - Under certain circumstances, you cannot set the arrowpoint-cookie expiration time correctly when using the Device Management User Interface. The following error message may appear: Please enter a valid Arrowpoint cookie expiration time; format=dd:hh:mm:ss.

CSCdx23011 - The show mibii and show mibii internal commands display different counter values.

CSCdx24661 - When trying to configure a default gateway, the setup script aborts if the address is not pingable. The invalid default route is still added to the running-config.

CSCdw25048 - With advanced-balance ssl configured, the CSS does not use roundrobin load balancing properly.

CSCdx25053 - With a sticky advanced-balance method, no persistent, and a sorry server configured in a Layer 5 content rule, connections go to the sorry server when the local services are down. When the local services come back up, new connections do not always go to the local services.

CSCdx25751 - The CSS performs a core dump when submitting to the routing table an OSPF host route to a directly connected host.

CSCdx25882 - In certain circumstances, such as large amounts of very short SSL connections, connections using arrowpoint-cookies, and connections that experience GETs or POSTs that span multiple TCP packets, the CSS may experience a loss of internal system resources. Symptoms include slower connections through the switch.

CSCdw27759 - Sometimes the CSS incorrectly logs a SMURF attack if ip subnet-broadcast is configured.

CSCdw30264 - When playing the commit_vip_redundancy script, if the APP session between the CSS peers is not up before entering a RCMD to the remote peer, the script fails.

CSCdw31648 - If a hard disk has a corrupted directory entry, the CSS may core dump and reboot while writing to the disk.

CSCdx31761 - In the show service output, the Total Reused Connection counter may appear as a very large number because the SFP incorrectly calculates the service statistics report length and the SCM does not read the counter value out of the report properly.

CSCdx34275 - If you enter a show command with the more option enabled, the more buffer is full, and you conduct a forward search with the forward slash (/) character, the CSS performs a core dump.

CSCdw34526 - Telnet may become unresponsive after entering approximately 300 characters without a line terminator.

CSCdx35281 - In a box-to-box redundancy configuration, the show mibii command output displays incorrect values for the In Multicast byte counts on the backup CSS. There is an issue with the 32-bit counter wrapping to the 64-bit counter.

CSCdw35885 - If you are using the Device Management software and performing an update on the service screen, the CSS performs a core dump if more than 140 services are configured. Any large transfer of data between the Device Management software and the CSS may cause a core dump.

CSCdx36699 - With Source NAT configured on the CSS, ICMP type 3 packets (destination unreachable) initiated at a router and passing through the CSS back to the host, do not have the TCP source port NATed correctly.

CSCdx37177 - If a CSS has to retransmit a SYN/ACK to the client (front-end spoof), the CSS may use a TCP sequence number different from the one used in the previous SYN/ACK. This may cause a PIX firewall (located between the CSS and client) to drop the connection. The CSS should reuse the TCP sequence number from the initial TCP SYN/ACK in a retransmission.

CSCdw37876 - If you configure your CSS to send a login-failure enterprise trap, the sys.log message SNMPAPI_CopyOID:Potential memory leak may be displayed, but there is no memory leak.

CSCdw37935 - If you configure a CSS in a box-to-box redundancy setup and configure a redirect service, on failover the redirect service may not work until you suspend the service and then reactivate it.

CSCdw39342 - When using the virtual web hosting range functionality, service address ranges may be improperly applied to source group addresses.

CSCdx39590 - The CSS did not clean up idle flows until one-eighth of the total number of Flow Control Blocks (FCBs) were in use. In this way, a CSS that was lightly loaded did not tear down idle flows when those resources were not needed. This practice left more active FCBs on ports and made it appear that there were more active flows than actually existed. For this reason, flow resource cleanup has now been made configurable. The default behavior is that flow resource cleanup is always running. See the flow long-lived command in the "Version 5.00 b45 Command Changes" section.

CSCdx41785 - If a CSS has box-to-box redundancy with sshd server-keybits num configured, then, upon bootup, both CSSs may become master or the wrong CSS may assume mastership. The calculation of the SSHD key is so time intensive that it does not leave any CPU cycles for the VRRP redundancy process to run.

CSCdx45606 - If the CSS encounters an EPIF reset, the physical interface configuration may not be restored properly. When the EPIF bank comes back up, the speed and duplex setting of the interface may be incorrect and the flow rate may be severely impacted. EPIFs are associated only with 10/100 Ethernet ports.

CSCdw45668 - When setting the clock during an SNTP update, the CSS 11800 SCM may reboot.

CSCdw45669 - The internal source group index is missing from the show group display in debug mode. This information is necessary to enter the show sync commands to look at the group.

CSCdw45813 - If a configuration has multiple content domain name rules with the same domain name (for example, url "//<uri>") and one of the domain name rules is suspended, all other rules using that domain name may stop working. If you reactivate the suspended rule, that rule starts working, but none of the others works.

CSCdw47573 - DNS peering may not negotiate properly when the receive slot number is set to a low value.

CSCdw48871 - Using scripted keepalives with domain names may cause the CSS available memory to fragment. Within a few days to a few weeks, the CSS may reboot due to no free memory being available.

CSCdw49263 - If an HTTP GET request spans three packets and the second packet contains a single line feed character, parsing the header tag causes the CSS to core dump when processing the second packet.

CSCdw50197 - If you configure two content rules that differ only by a header-field-rule, the CSS does not consider them different. A match occurs only on the last-activated rule.

CSCdw50596 - Under certain conditions, firewall routes with different costs may not be established if they were not cabled properly at CSS boot.

CSCdw50679 - On the Monitor>Web Content>Content Service page of the Device Management software, some owners are not displayed. Because of the length of each name, the total length of the OID is too long and is ignored by the GUI, which results in some of the data not being displayed.

CSCdw50685 - When running V3.6 of the commit_redundancy script from another script that redirects output, the session state may be corrupted so that subsequent script execution fails and improperly indicates errors with associated line numbers.

CSCdv52379 - If the server that an SSL Session ID is stuck to goes down, the CSS incorrectly forwards a subsequent request from that SSL Session ID to the down server. If configuration changes are made to the down service (for example, to the max connections value), the CSS performs a core dump when it tries to forward the request to the down server.

CSCdw53444 - An NQL may not work properly if there is a large difference in the address range in the NQL hash bucket.

CSCdw54258 - Certain packets may cause the ACL check to run even though ACLs are not configured. The packet is not discarded, but ACL syslog messages may appear.

CSCdw54926 - The Last Change field in the show interface screen may constantly update because of time change events with SNTP.

CSCdw57900 - The sshd port command does not take effect after a reboot.

CSCdw58074 - Due to abnormal termination of an HTTP keepalive, the CSS may core dump with a NULL pointer reference.

CSCdw59305 - The CSS performs a core dump when the apChassisMgrExtModuleSlotNumber OID is SNMP NEXTed with an invalid index.

CSCdw60690 - If you remove an ip firewall route, the CSS may reboot.

CSCdw64236 - When an SNMP SET is issued for an OID that requires a text string but the supplied value is itself an OID (as some SNMP test suites send), the CSS may core dump.

CSCdw65756 - The show virtual-routers command displays the critical service information only for the first virtual router using a VRID. If a second virtual router using the same VRID exists on a different VLAN, the CSS does not display that information even though the virtual router is configured and functioning properly.

CSCdw68144 - The apCntsvcBytes MIB variable from the apCntsvc.mib file is incorrect because it is stored in a 16-bit variable rather than a 32-bit variable.

CSCdv68906 - When trying to process an asynchronous response, the CSS may core dump and reboot due to a NULL Async semaphore.

CSCdw71508 - If you use a script to open and close connections to the Device Management port 443, each connection leaks approximately 20,000 bytes of CSS memory. Within approximately one hour, the CSS performs a core dump.

CSCdw72661 - If you configure IP redundancy on a CSS and you enter the clear running-config command, the Ipv4 redundancy task may fail.

CSCdw74389 - When using spanning packets, a slow buffer leak may occur.

CSCdw77194 - With a redundant VIP range configured, the CSS responds with the VLAN MAC address instead of the VRRP MAC address for a ping to that VIP range.

CSCdw77302 - The debug command show sticky-table command does not work consistently.

CSCdw78712 - When using the show virtual-router command, a critical service with a named or scripted keepalive should be displayed as Scripted.

CSCdv79527 - Configuring the advanced-balance arrowpoint-cookie command may cause high CSS CPU usage and lowered performance.

CSCdw80084 - The content rule balance method srcip is not optimized to provide an even distribution across all services. Also, if a server goes down, the load balancing among the remaining servers is unbalanced.

CSCdv80661 - Configuring an interface on the CSS to a setting other than auto-negotiate may result in a slower FTP connection on that interface.

CSCdw82319 - Adding multiple equal-cost OSPF routes that are not in next-hop order may cause the CSS to reboot.

CSCdw84352 - An Application Peering Protocol (APP) log message may be logged even if APP is disabled.

CSCdw86445 - If you modify the management port subnet mask, the CSS does not prompt you to reboot so the change will take effect.

CSCdw88334 - A BOOTP application fails when sending packets from a source IP address of to a directed address. The CSS considers this a DoS attack and drops the packets.

CSCdw91022 - The CSS may not complete the initialization of the APP state, which can cause the APP session to hang.

CSCdw91223 - The CSS 11153 does not display the speed properly for the 100-base FX ports.

CSCdw91751 - On rare occasions, the backup CSS of an IP redundancy pair may perform a system reload when the master CSS is rebooted. The VRRP interface is not torn down properly, so when the CSSs attempt to re-establish the interface, they detect an error and reboot.

CSCdw91767 - If the CSS is in debug mode, is executing the shell d command to display memory, and the resulting data contains a particular data sequence (%*), the CSS unexpectedly reboots.

CSCdw94699 - When setting up an SSH connection, if the CSS does not receive an SSH_CMSG_REQUEST_PTY message from the client to set up an interactive session, the CSS sets up an interactive session anyway.
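The CSCdx37177 caveat above is observable from a capture taken between the CSS and the firewall. The following is an added check written for this note, not CSS software: it reads SYN/ACK lines in tcpdump style and reports any retransmitted SYN/ACK whose sequence number differs from the first SYN/ACK of the same connection, which is exactly the segment a stateful firewall would drop. The sample lines are constructed, not a real capture, and SAMPLE_LINES, SYNACK_RE and find_inconsistent_synack are this example's own names. The flow key includes the ACK number (the client's ISN + 1) so that a fresh connection reusing a client port is not reported as a mismatch.

```python
import re

# Constructed sample lines in the style of `tcpdump -nS` on the firewall's
# client side; this is not a real capture. Flags [S.] marks a SYN/ACK.
SAMPLE_LINES = """\
12:00:00.000100 IP 10.1.1.10.80 > 192.0.2.5.40001: Flags [S.], seq 1000, ack 501, win 8192, length 0
12:00:03.000200 IP 10.1.1.10.80 > 192.0.2.5.40001: Flags [S.], seq 1000, ack 501, win 8192, length 0
12:00:05.000300 IP 10.1.1.10.80 > 192.0.2.6.40002: Flags [S.], seq 2000, ack 901, win 8192, length 0
12:00:08.000400 IP 10.1.1.10.80 > 192.0.2.6.40002: Flags [S.], seq 2777, ack 901, win 8192, length 0
12:00:09.000500 IP 10.1.1.10.80 > 192.0.2.6.40002: Flags [S.], seq 3100, ack 1, win 8192, length 0
""".splitlines()

# Only SYN/ACK segments with absolute seq/ack numbers are of interest.
SYNACK_RE = re.compile(
    r"IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"Flags \[S\.\], seq (?P<seq>\d+), ack (?P<ack>\d+)"
)


def find_inconsistent_synack(lines):
    """Return [(flow_label, first_seq, later_seq), ...] for every retransmitted
    SYN/ACK whose sequence number differs from the first SYN/ACK of the same
    connection. A stateful firewall between the two ends treats such a segment
    as out of window and normally drops it, which is why the CSS must reuse the
    original sequence number when it retransmits."""
    first_seq = {}
    problems = []
    for line in lines:
        m = SYNACK_RE.search(line)
        if m is None:
            continue
        # The ack number is the client's ISN + 1, so keying on it separates a
        # genuine retransmission from a new connection that reuses the port.
        flow = (m["src"], m["sport"], m["dst"], m["dport"], m["ack"])
        seq = int(m["seq"])
        if flow not in first_seq:
            first_seq[flow] = seq
        elif first_seq[flow] != seq:
            label = f"{m['src']}:{m['sport']} -> {m['dst']}:{m['dport']}"
            problems.append((label, first_seq[flow], seq))
    return problems


if __name__ == "__main__":
    for label, first, later in find_inconsistent_synack(SAMPLE_LINES):
        print(f"{label}: SYN/ACK retransmitted with seq {later}, first was {first}")
```

In the sample, the second connection to 192.0.2.6 is the one that would be dropped by the firewall; the last line is a new connection on the same client port (different ACK) and is correctly not reported.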

Device Management Operating Considerations and Caveats

The following operating considerations and caveats apply to the CSS Device Management software.

Use Access Control Lists (ACLs) to restrict device management access to specific IP addresses and subnets. Note that ACLs do not affect the Ethernet Management port; access through that port must be restricted at the network level instead.

Always exit the browser after each device management session to clear the cache.

You must enable JavaScript in your browser for the Device Management software to work.

Navigation tree icons do not always display. The pages function correctly. Open a page by clicking on the corresponding text.

Device Management supports the following browsers:

Microsoft Internet Explorer versions later than 4.0

Netscape Communicator 4.51 and 4.71

Netscape Navigator 4.08

If your Web browser has a bookmark to the Device Management software (software version 4.10 or earlier) that includes a colon (:) and the TCP 8081 management port number at the end of the IP address, the software redirects the address to the correct URL. If your Web browser does not have such a bookmark, be sure to use https:// (not http://) followed by the CSS IP address. For example:

CSCdu16696 - The Device Management software only supports 128-bit encryption. Browsers that support less than 128-bit encryption will not work with the CSS Device Management and will generate a message informing you of this limitation.

Version 5.00 b45 Command Changes

Table 1 lists the commands and options that have been added to software version 5.00 b45.

Table 1 CLI Commands Added in 5.00 b45 

Command and Syntax

General Commands: SuperUser, User, and all modes

zero service [total-connections|total-reused-connections|state-transitions]

Sets specified statistics counters to zero for all services on the CSS.

The total-connections option sets the Total Connections counter to zero for all services.

The total-reused-connections option sets the Total Reused Conns counter to zero for all services.

The state-transitions option sets the State Transitions counter to zero for all services.


flow long-lived

no flow long-lived

Delays flow reclamation on lightly loaded CSSs so that long-lived flows survive long periods of inactivity. This command is disabled by default.

Use this command only if the CSS reclaims flows too quickly and the number of flows on the CSS is relatively low. You may find this command particularly useful for a database application.

To disable this command, use the no form.

spanning-packets packets

no spanning-packets

Allows you to configure the number of packets spanned for the search of the HTTP Header termination string. The default packets value is 6. You can enter a value from 1 to 20.

The CSS will try to match a content rule even if the termination string does not appear within the number of spanned packets allowed. Previously, the CSS would send a reset (RST) if the termination string was not found within the number of spanned packets.

To reset the number of packets spanned to the default value, use the no form of this command.
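To make the spanning-packets behaviour concrete, here is an added example (not CSS code) of a header-terminator search that accumulates payload across successive packets of one client-to-server flow, gives up after the configured number of packets, and copes with a terminator split across packet boundaries, including a packet that carries only a line feed (the case in CSCdw49263 above). The packet payloads are constructed sample data; HEADER_END, DEFAULT_SPAN, MAX_HEADER_BYTES and the function names are this example's own, and the 16 KB bound is the example's, not a documented CSS limit.

```python
HEADER_END = b"\r\n\r\n"
DEFAULT_SPAN = 6              # the spanning-packets default given above
MAX_HEADER_BYTES = 16 * 1024  # this example's own bound, not a CSS value


def find_header_end(packets, max_packets=DEFAULT_SPAN):
    """Look for the HTTP header terminator in the first max_packets payloads
    of a flow. Returns (packet_index, end_offset) measured in the accumulated
    byte stream, or None when the terminator is not seen within the span.
    Accumulating rather than scanning each packet on its own means a
    terminator split across packets ("\\r" | "\\n" | "\\r\\n") is still found."""
    buf = b""
    for idx, payload in enumerate(packets[:max_packets]):
        buf += payload
        if len(buf) > MAX_HEADER_BYTES:
            raise ValueError("header exceeds %d bytes" % MAX_HEADER_BYTES)
        # Only the tail that could contain a newly completed terminator needs searching.
        start = max(0, len(buf) - len(payload) - len(HEADER_END) + 1)
        pos = buf.find(HEADER_END, start)
        if pos != -1:
            return idx, pos + len(HEADER_END)
    return None


def parse_request_head(packets, max_packets=DEFAULT_SPAN):
    """Return (method, uri, headers) once the whole header has arrived within
    the span, or None if it has not (the point at which the CSS formerly reset
    the connection and now still attempts a content-rule match)."""
    found = find_header_end(packets, max_packets)
    if found is None:
        return None
    idx, end = found
    head = b"".join(packets[:idx + 1])[:end - len(HEADER_END)]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("ascii")
    return parts[0].decode("ascii"), parts[1].decode("ascii"), headers


# Constructed sample flows (not captures). SPLIT_TERMINATOR spreads the
# terminator over three packets, the second of which is a lone line feed.
SPLIT_TERMINATOR = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r",
    b"\n",
    b"\r\n",
]
# Eight packets with the terminator only in the last one: outside the default span.
LONG_HEAD = [b"GET /a HTTP/1.1\r\n"] + [b"X-H%d: v\r\n" % i for i in range(6)] + [b"\r\n"]

if __name__ == "__main__":
    print(parse_request_head(SPLIT_TERMINATOR))
    print(parse_request_head(LONG_HEAD), parse_request_head(LONG_HEAD, max_packets=8))
```

With the default span LONG_HEAD returns None; raising max_packets to 8 (the CLI allows up to 20) completes the parse, which is the trade-off the command exposes: a larger span tolerates clients that dribble headers out slowly at the cost of buffering more per flow before a rule match is possible.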


ssl-l4-fallback disable|enable

Disables or reenables the CSS insertion of the Layer 4 hash value, based on the source IP address and destination address pair, into the sticky table. By default, the CSS inserts the Layer 4 hash value into the sticky table.

Insertion of the Layer 4 hash value into the sticky table occurs when more than three frames are transmitted in either direction (client-to-server, server-to-client) or if SSL version 2 is in use on the network. If either condition occurs, the CSS inserts the Layer 4 hash value into the sticky table, overriding the further use of the SSL version 3 session ID.

The disable option disables the CSS from inserting the Layer 4 hash value into the sticky table and continues to look for SSL version 3 session IDs.

The enable option resets the CSS to its default behavior of inserting a Layer 4 hash value into the sticky table.

The ssl-l4-fallback command is only applicable when the (config-owner-content) advanced-balance ssl method is specified for a content rule, which forces the content rule to stick to a server based on SSL version 3 session ID.

Do not enter the ssl-l4-fallback disable command if SSL version 2 is in use on the network.
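The sticky decision described above, as an added example that is not CSS code: extract the session ID from an SSLv3/TLS ClientHello record, fall back to a hash of the client and VIP address pair once more than three frames have passed on a flow without a usable session ID or when the hello is SSLv2, and show what disabling the fallback does for each case. The ClientHello bytes are constructed; l4_hash, StickyDecider, FALLBACK_FRAME_LIMIT and build_client_hello are this example's own names, and the SHA-256 key is an arbitrary stand-in for whatever hash the CSS uses internally.

```python
import hashlib
import struct

FALLBACK_FRAME_LIMIT = 3   # "more than three frames" in the description above


def l4_hash(client_ip, vip):
    """Layer 4 fallback key from the source/destination address pair. The
    CSS's actual hash is not documented here; SHA-256 is a stand-in."""
    return hashlib.sha256(f"{client_ip}|{vip}".encode()).hexdigest()[:16]


def is_sslv2_client_hello(record):
    """SSLv2 records have a 2-byte header with the high bit set, followed by
    the message type; 0x01 is CLIENT-HELLO."""
    return len(record) >= 3 and bool(record[0] & 0x80) and record[2] == 0x01


def sslv3_session_id(record):
    """Return the session ID bytes from an SSLv3/TLS ClientHello record, b""
    when the hello carries an empty session ID, or None when the record is not
    a well-formed ClientHello (SSLv2 included: it has no field in this position)."""
    if len(record) < 5 or record[0] != 0x16 or record[1] != 0x03:
        return None                      # not a handshake record of major version 3
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        return None                      # not client_hello
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    # client_version(2) random(32) session_id_len(1) session_id(0..32)
    if len(hello) < 35:
        return None
    sid_len = hello[34]
    if sid_len > 32 or len(hello) < 35 + sid_len:
        return None
    return hello[35:35 + sid_len]


class StickyDecider:
    """Per-flow sticky-key selection mirroring advanced-balance ssl with
    ssl-l4-fallback enabled (the default) or disabled."""

    def __init__(self, l4_fallback=True):
        self.l4_fallback = l4_fallback
        self.frames_without_sid = {}

    def key(self, client_ip, vip, record):
        flow = (client_ip, vip)
        if is_sslv2_client_hello(record):
            # SSLv2 never yields a v3 session ID: only the L4 hash can stick it.
            return ("l4", l4_hash(client_ip, vip)) if self.l4_fallback else None
        sid = sslv3_session_id(record)
        if sid:
            self.frames_without_sid.pop(flow, None)
            return ("ssl", sid.hex())
        n = self.frames_without_sid.get(flow, 0) + 1
        self.frames_without_sid[flow] = n
        if self.l4_fallback and n > FALLBACK_FRAME_LIMIT:
            return ("l4", l4_hash(client_ip, vip))
        return None   # fallback disabled or limit not reached: keep looking for a session ID


def build_client_hello(session_id):
    """Constructed SSLv3 ClientHello record (not a capture) for exercising the
    parser; cipher suite and compression fields are minimal."""
    hello = (b"\x03\x00" + bytes(32) + bytes([len(session_id)]) + session_id
             + b"\x00\x02\x00\x2f" + b"\x01\x00")
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x00" + struct.pack("!H", len(hs)) + hs


# Constructed SSLv2 CLIENT-HELLO: 0x80 | length, then msg type 0x01.
SSLV2_HELLO = b"\x80\x2e\x01\x00\x02" + bytes(43)
```

The last branch is the reason for the warning above: with the fallback disabled, an SSLv2 client or a client that never presents a non-empty session ID gets no sticky key at all, so its requests can land on different servers.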


arrowpoint-cookie advanced

no arrowpoint-cookie advanced

The new advanced option improves performance with Arrowpoint cookies where large amounts of data (for example, graphics) are returned from the server by mapping the Arrowpoint cookie flows in the fastpath (hardware). Use this option only if you are experiencing performance delays with Arrowpoint cookies. This option is disabled by default.

To disable this option, use the no form of this command.

zero {total-connections|total-reused-connections|state-transitions} {service name}

The new total-connections, total-reused-connections, and state-transitions options for the zero command set the applicable counters to zero for a specified service or all services of the current content rule.

When you use the service name option, only the counter for the specified service is set to zero.

Version 5.00 b33 Command Changes

Table 2 and Table 3 list CLI commands and options that have been added or changed in software version 5.00 b33.

Table 2 CLI Commands Added in 5.00 b33 

Command and Syntax


flow tcp-mss size

no flow tcp-mss

Configures the TCP maximum segment size (MSS). The MSS is the largest piece of TCP data that the CSS expects to receive from the other end. This command changes the MSS value in the TCP header options field of a SYN segment.

This command applies only when the client is accessing a Layer 5 content rule. The CSS does not negotiate TCP maximum segment size for Layer 3 or Layer 4 content rules.

The size variable is the maximum segment size (in bytes) from 1 to 1460. The default is 1460 bytes. Do not define a very small segment size with the flow tcp-mss command. Smaller payloads may be less efficient due to increased overhead.

To reset the TCP maximum segment size to the default value, use the no form of this command.
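An added example (not CSS code) of the rewrite that flow tcp-mss implies: walk the TCP options of a SYN, validate the length fields, and lower any MSS option to the configured size while copying every other option through unchanged. The option bytes are constructed, OPT_* and the function names are this example's own, and the range check mirrors the 1 to 1460 range the command accepts. The example never raises an MSS the peer advertised below the configured value; that is an assumption made here, not documented CSS behaviour.

```python
import struct

DEFAULT_MSS = 1460
OPT_EOL, OPT_NOP, OPT_MSS = 0, 1, 2


def parse_tcp_options(opts):
    """Return [(kind, data), ...] from raw TCP option bytes, validating the
    length fields; NOP is skipped and EOL ends the list."""
    out = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option at offset %d" % i)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad length %d for option kind %d" % (length, kind))
        out.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return out


def mss_of(opts):
    """Advertised MSS in the options, or None if no MSS option is present."""
    for kind, data in parse_tcp_options(opts):
        if kind == OPT_MSS and len(data) == 2:
            return struct.unpack("!H", data)[0]
    return None


def clamp_mss(opts, mss=DEFAULT_MSS):
    """Rewrite the option bytes so that any MSS option is at most mss. mss must
    be in the 1..1460 range the flow tcp-mss command accepts. An MSS the peer
    advertised below mss is left alone (assumption, see the lead-in). All other
    options, including EOL padding, are copied through unchanged."""
    if not 1 <= mss <= DEFAULT_MSS:
        raise ValueError("mss out of range: %d" % mss)
    parse_tcp_options(opts)           # reject malformed input before rewriting
    out = bytearray()
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:
            out += opts[i:]
            break
        if kind == OPT_NOP:
            out.append(kind)
            i += 1
            continue
        length = opts[i + 1]
        if kind == OPT_MSS and length == 4:
            (value,) = struct.unpack("!H", opts[i + 2:i + 4])
            out += struct.pack("!BBH", OPT_MSS, 4, min(value, mss))
        else:
            out += opts[i:i + length]
        i += length
    return bytes(out)


# Constructed SYN options (not a capture): MSS 1460, NOP, NOP, SACK-permitted.
SYN_OPTIONS = b"\x02\x04\x05\xb4\x01\x01\x04\x02"

if __name__ == "__main__":
    print(mss_of(SYN_OPTIONS), mss_of(clamp_mss(SYN_OPTIONS, 1380)))
```

Clamping to 1380 on a path with extra encapsulation overhead is the typical use; the caution in the text about very small values applies because every segment then carries the same 40 or more bytes of TCP/IP header for far less payload.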

ip uncond-bridging

no ip uncond-bridging

The new uncond-bridging option does not allow the IPV4 routing table lookup to override a bridging decision. By default, the routing table lookup overrides a bridging decision if the routing table says to use a different port than where the packet came in (the ingress port).

When you enter the ip uncond-bridging command, if the packet comes in a different ingress port than where the IPV4 routing table thought it should, the bridging decision takes precedence.

To reset the default behavior, allowing the routing lookup to override a bridging decision, use the no form of this command.

logging to-disk [disable|enable]

The new to-disk option allows you to disable or enable logging to the sys.log file on the CSS disk, preventing excessive writes to the disk. By default, the CSS logs to the sys.log file.

The disable option disables logging to the sys.log file.

The enable option re-enables logging to the sys.log file.

This option affects the sys.log file only. It does not affect a disk log file that you specified through the logging disk command. To disable all logging to the CSS disk, use the no logging disk command. Then, enter the logging to-disk disable command to disable logging to the sys.log file on the CSS disk.

Table 3 CLI Commands Changed in 5.00 b33 



archive, copy, and remove commands

These commands are now available in all modes.

date european-date and its no form

This command is now available in Global configuration mode.

Korean Certification Information

The following Korean certification information applies to the CSS 11000 series models. The certification label on the CSS model provides the applicable certification number.

Trade Name or Applicant: Cisco Systems, Inc.

Manufacturing Date: (To determine the date, see the explanation later in this section)

Manufacturer/Nationality: Cisco Systems, Inc./USA

The Manufacturing Date year of the CSS model is embedded in the line of text under the Cisco serial number bar code. The line of text consists of 11 characters, similar to the following representation:

LLLYYWWSSSS

These fields provide:

The location of the supplier (LLL)

The year (YY) of manufacture

The work week (WW)

The sequential serial ID (SSSS)

The year is in a coded format. To determine the year of the Manufacturing Date, see Table 0-4.

Table 0-4 Manufacturing Date Code and Associated Year

Code (YY)
Associated Year


Obtaining Documentation

The following sections explain how to obtain documentation from Cisco Systems.

World Wide Web

You can access the most current Cisco documentation on the World Wide Web at the following URL:

Translated documentation is available at the following URL:

Documentation CD-ROM

Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which is shipped with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual subscription.

Ordering Documentation

Cisco documentation is available in the following ways:

Registered Cisco Direct Customers can order Cisco product documentation from the Networking Products MarketPlace:

Registered users can order the Documentation CD-ROM through the online Subscription Store:

Nonregistered users can order documentation through a local account representative by calling Cisco corporate headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).

Documentation Feedback

If you are reading Cisco product documentation on, you can submit technical comments electronically. Click Leave Feedback at the bottom of the Cisco Documentation home page. After you complete the form, print it out and fax it to Cisco at 408 527-0730.

You can e-mail your comments to

To submit your comments by mail, use the response card behind the front cover of your document, or write to the following address:

Cisco Systems
Attn: Document Resource Connection
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate your comments.

Obtaining Technical Assistance

Cisco provides as a starting point for all technical assistance. Customers and partners can obtain documentation, troubleshooting tips, and sample configurations from online tools by using the Cisco Technical Assistance Center (TAC) Web Site. registered users have complete access to the technical support resources on the Cisco TAC Web Site. is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information, networking solutions, services, programs, and resources at any time, from anywhere in the world. is a highly integrated Internet application and a powerful, easy-to-use tool that provides a broad range of features and services to help you to

Streamline business processes and improve productivity

Resolve technical issues with online support

Download and test software packages

Order Cisco learning materials and merchandise

Register for online skill assessment, training, and certification programs

You can self-register on to obtain customized information and service. To access, go to the following URL:

Technical Assistance Center

The Cisco TAC is available to all customers who need technical assistance with a Cisco product, technology, or solution. Two types of support are available through the Cisco TAC: the Cisco TAC Web Site and the Cisco TAC Escalation Center.

Inquiries to Cisco TAC are categorized according to the urgency of the issue:

Priority level 4 (P4)—You need information or assistance concerning Cisco product capabilities, product installation, or basic product configuration.

Priority level 3 (P3)—Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue.

Priority level 2 (P2)—Your production network is severely degraded, affecting significant aspects of business operations. No workaround is available.

Priority level 1 (P1)—Your production network is down, and a critical impact to business operations will occur if service is not restored quickly. No workaround is available.

Which Cisco TAC resource you choose is based on the priority of the problem and the conditions of service contracts, when applicable.

Cisco TAC Web Site

The Cisco TAC Web Site allows you to resolve P3 and P4 issues yourself, saving both cost and time. The site provides around-the-clock access to online tools, knowledge bases, and software. To access the Cisco TAC Web Site, go to the following URL:

All customers, partners, and resellers who have a valid Cisco services contract have complete access to the technical support resources on the Cisco TAC Web Site. The Cisco TAC Web Site requires a login ID and password. If you have a valid service contract but do not have a login ID or password, go to the following URL to register:

If you cannot resolve your technical issues by using the Cisco TAC Web Site, and you are a registered user, you can open a case online by using the TAC Case Open tool at the following URL:

If you have Internet access, it is recommended that you open P3 and P4 cases through the Cisco TAC Web Site.

Cisco TAC Escalation Center

The Cisco TAC Escalation Center addresses issues that are classified as priority level 1 or priority level 2; these classifications are assigned when severe network degradation significantly impacts business operations. When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer will automatically open a case.

To obtain a directory of toll-free Cisco TAC telephone numbers for your country, go to the following URL:

Before calling, please check with your network operations center to determine the level of Cisco support services to which your company is entitled; for example, SMARTnet, SMARTnet Onsite, or Network Supported Accounts (NSA). In addition, please have available your service agreement number and your product serial number.