Cisco CSS 11000 Series Content Services Switches

Release Note for the Cisco 11000 Series Content Services Switch (Software Version 5.00.x)


January 10, 2005


Note: The most current Cisco documentation for released products is available at http://www.cisco.com. The online documents may contain updates and modifications made after the hardcopy documents were printed.


Contents

This release note applies to the following software versions for the CSS 11050, CSS 11150, and CSS 11800 content services switches. For information on version 5.00 commands and features, refer to the CSS 5.00 documentation located at http://www.cisco.com.

5.00.6.05 (version 5.00, maintenance release 6, build 5)

5.00.5.03 (version 5.00, maintenance release 5, build 3)

5.00.4.03 (version 5.00, maintenance release 4, build 3)

5.00.3.09 (version 5.00, maintenance release 3, build 9)

5.00.2.04 (version 5.00, maintenance release 2, build 4)

5.00.1.05 (version 5.00, maintenance release 1, build 5)

5.00.0.69 (version 5.00, maintenance release 0, build 69)


Note: Version 5.00 software requires that the CSS 11800 SCM be configured with 128 MB of memory. You must upgrade the SCM memory before you upgrade the software to version 5.00. To determine the amount of memory in your CSS 11800, enter the show system-resources command and note the Installed Memory value for slot 7/1.



Note: Do not attempt to load, unpack, or configure a version 5.10, 5.20, or 7.xx software image (applicable only on a Cisco 11500 series CSS) on a Cisco 11000 series CSS.


This release note contains the following sections:

New Features in Software Version 5.00

CSS Standard and Enhanced Feature Sets

Before Upgrading the CSS Software

Script Keepalives and Upgrading WebNS Software

Updating Management Information Base Files (MIBs)

CSS 11150 and CSS 11050 Units Shipped with Incorrect MAC Addresses

Operating Considerations

CSS Documentation Updates and Corrections

Software Version 5.00.6.05 Open Caveats, Resolved Caveats, and Command Changes

Software Version 5.00.5.03 Software Behavioral Changes, Open Caveats, Resolved Caveats, and Command Change

Software Version 5.00.4.03 Open Caveats, Resolved Caveats, and Command Changes

Software Version 5.00.3.09 Open Caveats, Resolved Caveats, and Command Changes

Software Version 5.00.2.04 Open Caveats, Resolved Caveats, and Command Changes

Software Version 5.00.1.05 Open Caveats, Resolved Caveats, and Command Changes

Command Changes in Software Version 5.00 b69

New Features in Software Version 5.00

The following new features are supported in software version 5.00:

Configurable Spanning Packets for HTTP Header Termination

ArrowPoint Cookie Enhancements

Configurable Flow Cleanup

Zeroing Service Statistics Counters

Enhanced SSL Load Balancing

Client Side Accelerator

Content Routing Agent (Boomerang)

RADIUS Client

VIP and Interface Redundancy Config Sync

SNTP Client

64-Character DNS A-Record

255 Scripted Keepalives

Content Requests Spanning Packets

Device Management Over Secure Sockets Layer (SSL)

Restricting SSH

Enhanced Flow Resource Collection Functionality

KAL-AP by VIP

For information on the commands added and changed in version 5.00.5.03, see the "Command Change in Software Version 5.00.5.03" section later in this document.

CSS Standard and Enhanced Feature Sets

The CSS software is available in a Standard or Enhanced feature set. The Enhanced feature set contains all of the Standard feature set and also includes Network Address Translation (NAT) Peering, Domain Name Service (DNS), Demand-Based Content Replication (Dynamic Hot Content Overflow), Content Staging and Replication, and Network Proximity DNS. Proximity Database and SSH are optional features. If you are upgrading from the Standard to the Enhanced feature set or want to activate a CSS software option (for example, SSH Server) that you purchased, refer to the Cisco Content Services Switch Getting Started Guide for information on entering a license key.

Access to the Standard and Enhanced feature sets or Proximity Database requires that you enter a software license key when you boot the CSS for the first time. If you enter the Proximity Database license key after booting the CSS, you must reboot the CSS before you can configure the Proximity Database so the CSS can re-allocate memory. For details, refer to the Cisco Content Services Switch Getting Started Guide.

If you configure your CSS for Proximity Database, you cannot use the CSS for load balancing. For details on configuring a Proximity Database, refer to the Cisco Content Services Switch Advanced Configuration Guide.

Before Upgrading the CSS Software

Read the following information before you upgrade from software versions 3.xx, 4.xx, or earlier.

If you are upgrading from software version 3.xx to 5.00.5.03 and have a 3.xx Enhanced software license key, you must enter a 5.00 Enhanced software license key during the CSS upgrade or you will receive startup errors when you attempt to enter Enhanced CLI commands. If you upgrade the CSS software and do not enter a 5.00 Enhanced license key prior to upgrading, use the following procedure to enter the new license key:

a. Use the license command to change the license key.

b. Reboot the CSS without saving the running-configuration.

If you are running SSH on a 3.xx CSS and you have disabled Telnet, you must enable Telnet prior to upgrading the CSS to 5.00.5.03. After you upgrade the CSS, use the license command to enter the SSH license key.

Script Keepalives and Upgrading WebNS Software

When you upgrade the CSS software, the upgrade process creates a new /<current running version>/script directory. You must copy your custom scripts (including custom script keepalives) to the new /<current running version>/script directory so that the CSS can locate them.

Use the following procedure to ensure that your custom script keepalives operate properly after a software upgrade.

1. Upgrade the CSS software. Refer to the Cisco Content Services Switch Administration Guide for software upgrade instructions.

2. Copy the scripts from the old /<current running version>/script directory to the new /<current running version>/script directory.

3. Reboot the CSS.

Updating Management Information Base Files (MIBs)

Cisco recommends that you update the CSS MIBs after you upgrade the CSS software. CSS MIBs are included in the CSS GZIP file. During the software upgrade, the MIBs are loaded into the CSS /mibs directory.

To update the CSS MIBs on your management station after you upgrade the CSS:

1. FTP the MIBs from the CSS MIBs (/v1 or /v2) directory to your management station.

2. Load the MIBs into the management application.

CSS 11150 and CSS 11050 Units Shipped with Incorrect MAC Addresses

Cisco CSS 11050 and CSS 11150 units shipped from Cisco Systems between 09/27/01 and 05/30/02 may have an incorrect MAC address assigned to the device (defect CSCdy36787). The MAC address of those units is not owned by Cisco Systems or any other vendor. The MAC address of each unit, although not a proper vendor code, is still a unique address and does not cause operational issues for either the CSS 11050 or CSS 11150.

For those CSS units shipped between 09/27/01 and 05/30/02, the chassis may have an assigned MAC address in the range of aa-3b-b2-ce-70-00 to aa-3c-f5-cd-f0-15. To verify the MAC address of your CSS chassis, use the show chassis command to display the base MAC address for the CSS.

The CSS software has been modified to correct the MAC address issue. A table is built into the CSS to reprogram the MAC address to an appropriate address. The software containing the MAC address fix is included in the latest maintenance releases. It is available in WebNS versions 4.01.032 and in 5.00.045 and higher at the following URL:

http://www.cisco.com/cgi-bin/tablebuild.pl/webns-maint

In order to change the base MAC address of your CSS, upgrade to the appropriate version. The MAC address modification occurs during the software upgrade.

A Level 4 log message indicates that the MAC address is successfully updated with the value of the new MAC address. On subsequent reboots, the defective MAC address is not found in the Chassis Module Id EEPROM and the update does not occur.


Note: The MAC address change for your CSS is permanent regardless of the CSS software version that you upgrade or downgrade to after you load one of the CSS x versions stated above or CSS version 5.00.063 (or greater).


Operating Considerations

The following operating considerations apply to the CSS 11050, CSS 11100, CSS 11150, and CSS 11800:

The CSS does not NAT fragmented IP packets.

The CSS content routing agent is compatible only with the Cisco Content Router 4430-B software version 1.1.

If you are running the Inktomi Traffic Server on a system that does not listen in promiscuous mode and you want to bypass the Inktomi Adaptive Redirect Module (that is, send traffic directly to port 8080 instead of port 80), specify the CSS service type as type proxy-cache. Configuring the CSS service type to type proxy-cache causes the CSS to perform full Network Address Translation (NAT) when directing traffic to the Traffic Server.

The War-FTP daemon is not supported for network-booting the system software.

The Gigabit Ethernet module port statistics are an aggregation of all ports on the module.

You cannot have an SFM and an SFM2 in the same CSS 11800 chassis.

Content replication does not support the WSFTP FTP application.

You cannot add redundancy uplink services to content rules.

A redundant VIP configuration can consist of only two CSSs.

When Cisco makes syntax changes to existing CLI commands, the CSS updates your startup-config automatically with most command syntax changes. For example, the CSS automatically updates the web-mgmt state enabled command in the startup-config to the new no restrict web-mgmt command.

If the CSS does not update a command syntax change in a startup-config automatically, a startup error is displayed. See the section "Before Upgrading the CSS Software" for information on which command syntax changes display startup-config errors.

When using the domain hash load-balancing method with proxy cache services, you may see duplicate sites across caches because the CSS balances on the first GET request in a persistent connection unless the subsequent GET request does not match a rule with the same proxy service specified. If you are concerned with duplicate hits across caches, reset persistence to remap and disable persistence on the rule. Enter the (config) persistence reset remap command globally and the (config-owner-content) no persistent command on the content rule.

When using the content add dns command, you must add DNS names in lowercase only. If you enter DNS names with a combination of uppercase and lowercase characters, a startup error appears and you must reenter the names in lowercase characters.

The ethernet-n format for specifying an interface-port in a CSS 11050 or CSS 11150 (for example, ethernet-2) is supported for software releases prior to version 5.00 to ensure backwards-compatibility with CSS startup configurations and scripts.

In software versions prior to 5.00, the CSS 11800 Fast Ethernet Module and Gigabit Ethernet Module Link LEDs are on solid during bootup. In 5.00, the Fast Ethernet Module Link LEDs blink rapidly and the Gigabit Ethernet Module Link LEDs are off during bootup.

In a network boot configuration, the config-path and the base directory path in the ftp-record associated with the network boot must not contain a pathname that conflicts with a non-network drive name (for example, c: or host:).

The CSS FTP server supports only active FTP. It does not support passive FTP.

The CSS does not support a traceroute of a redundant IP interface.

The CSS may reclaim:

TCP flows that have not received an ACK or content request after approximately 15 seconds

UDP flows that have not received an ACK or content request after approximately 16 seconds

To prevent the CSS from reclaiming TCP or UDP flows to a specific source or destination port, use the flow permanent command and specify the TCP or UDP port number you do not want reclaimed. To configure a flow timeout value for a TCP/UDP port, use the flow port timeout command.

When you configure a service as a subscriber, you must specify the access type for each subscriber using the access ftp command.

This operating consideration applies when connecting a Cisco Catalyst switch to a CSS using 802.1q and the spanning tree protocol. Cisco switches run a spanning tree instance per VLAN. When you configure an 802.1q trunk on an Ethernet interface, the Bridge Protocol Data Units (BPDUs) are tagged with the corresponding VLAN ID, and the destination MAC address 01-00-0c-cc-cc-cd is used. This allows Cisco switches operating in a non-Cisco (a mix of other vendors) 802.1q environment to maintain spanning tree states for all VLANs.

Though the CSS maintains a spanning tree instance per VLAN as well, it continues to use the standard 01-80-C2-00-00-00 destination MAC address for all BPDUs (tagged or untagged). When you connect a Cisco Catalyst switch to a CSS over an 802.1q trunk, the result is that neither switch will recognize the other's BPDUs, and both will assume root status. If a spanning tree loop is detected, the Catalyst switch goes into blocking mode on one of its looped ports.

A subscriber's state will not be ready or will be in access failure until the publisher's state is ready.

You cannot configure services learned through APP (that is, remote services) as preferred services in ACL clauses. A remote service learned via APP is of the form ap-redirect@192.168.12.7 and can be seen on the show service summary screen. When you configure an ACL clause, you cannot use this service as a preferred service. If you save this clause in the startup-config and reboot the CSS, a startup error occurs because this service has not been learned through APP at this point. For example:

clause 10 permit any any destination any prefer ap-redirect@192.168.12.7

When you configure firewall load balancing (FWLB), you must configure the VIPs on the CSS that has the services directly connected to it or connected through a Layer 2 device. Do not configure content rules with VIPs on a CSS when the services are located on the other side of the firewall and connected to another CSS participating in FWLB. This type of configuration will result in asymmetric paths and could cause firewalls performing stateful inspection to tear down connections.

The CSS does not support VIP redundancy and box-to-box redundancy simultaneously.

The CSS recognizes and forwards the following HTTP methods directly to the destination server in a transparent caching environment. However, the CSS does not load balance these methods.

RFC-2068: OPTIONS, TRACE

RFC-2518: PROPFIND, PROPPATCH, MKCOL, MOVE, LOCK, UNLOCK, COPY, DELETE

Network boot is not supported on UNIX workstations.

If the upgrade script fails while upgrading the CSS to the same version of software that is currently running, the CSS software directory will be incomplete. To reinstall the software, you must upgrade the CSS manually (that is, FTP the .adi to the CSS and perform a manual unpack).

The CSS does not set up flows if the source or destination port is designated as port 67, 68, 137, 138, 161, 162, 520, or 8089 (UDP only).

If you are running software version 5.00 and using the Proximity Database (PDB), do not introduce a CSS running software version 5.02 or 5.03 into the proximity mesh. Updates from a version 5.00 Proximity Database to a version 5.02 or 5.03 Proximity Database causes the CSS to reboot.

With software version 5.00.045 and higher, flow reclamation is always active. If you find that the CSS reclaims flows too quickly, enter the flow long-lived command in Global configuration mode to delay flow reclamation on a lightly loaded CSS. This command allows long-lived flows to continue even with a large period of inactivity.

You can monitor connection resources with the flow statistics command. The Number of Allocated Flows field shows the total number of connection resources allocated and managed by this processor in multiprocessor platforms. The Number of Free Flows field shows the maximum number of connection resources available on this processor in multiprocessor platforms. This number is based on how much RAM is available after the software image and configuration load.

Removing a URL suspends the associated content rule. In software version 4.01, you would receive an error message.

With a Layer 5 domain content rule that includes a URL/port of the form "url /brandnewproducts:8001/*", the CSS matches on the entire host tag including the port number. Normally, port 80 traffic does not use a port number in the domain name. To specify a port other than port 80, enter the domain name with the port number exactly. Separate the domain name and the port number with a colon. For example:

(config-owner-content[arrowpoint-rule1])# url "//www.arrowpoint.com:8080/*"

The keepalive tcp-close fin command may be applied to a maximum of 100 keepalives.

Do not configure source groups for outbound traffic from the servers, because the backup CSS does not know which ports were NATed by the source group on the master CSS if a failure occurs at the master CSS. This restriction also applies to active FTP because the server initiates the data connection.

If you configure the redundancy-phy command on an interface and then disable the interface using the admin-shutdown command, the master CSS fails over to the backup CSS. To prevent the CSS from failing over when you administratively disable the interface, remove the redundancy-phy command by entering no redundancy-phy before you enter the admin-shutdown command on that interface.

When configuring the CSS for FTP keepalives, do not configure the keepalive frequency or the keepalive retry period to a value less than 15 seconds. Note that the CSS does not prevent you from configuring smaller values. Also, the default value for the keepalive frequency or the keepalive retry period is five seconds. You must use the keepalive frequency and keepalive retryperiod commands to override the defaults.

A CSS monitors the health of a firewall by sending a custom ICMP keepalive request every second to the remote CSS on the other side of the firewall. If the CSS does not receive a keepalive request from the remote CSS for 3 to 16 seconds (configurable timeout), the CSS declares the firewall path unusable. Each CSS does not reply to the sending CSS, but instead transmits its own keepalive request every second, totally independent of the other CSS.

When developing XML code for the Content Application Program Interface (API) to issue CLI commands, note that the maximum number of characters per each tag set is 300.

An FTP session will time out if it is idle for more than 30 seconds during the login process.

Running scripted keepalives on a CSS results in great variability in CPU utilization.

There is an operating limit of 100 IP interfaces per configured VLAN for a CSS 11800.

If an HTTP persistent keepalive fails to make a persistent connection, then it attempts to make a non-persistent connection. If the non-persistent connection succeeds, then the keepalive succeeds. At the next interval, the keepalive attempts a persistent connection.

When a destination in an ACL clause is a Layer 5 content rule, the CSS rejects the TCP SYN and therefore does not spoof the connection. As a workaround, you may configure an additional clause to permit the TCP IP addresses and ports. Be aware that content will be matched on both clauses. For example:

clause 14 permit any any destination content Layer5/L5 eq 80 (original clause)

clause 15 permit tcp any destination 200.200.200.200 eq 80 (This is an additional clause to handle the SYN, where the destination IP address is the IP address configured in the Layer 5 content rule. Note that this clause number must be greater than the destination content clause number.)
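The clause-ordering requirement above can be checked before an ACL is loaded. The following Python check is an added example, not Cisco code: it recognizes only the two clause forms shown above, and the sample ACL and the rule-to-VIP mapping are constructed for illustration.

```python
import re

# Only the two clause forms shown in this release note are recognized.
CONTENT_RE = re.compile(
    r"^clause\s+(\d+)\s+permit\s+any\s+any\s+destination\s+content\s+(\S+)\s+eq\s+(\d+)",
    re.IGNORECASE)
TCP_RE = re.compile(
    r"^clause\s+(\d+)\s+permit\s+tcp\s+any\s+destination\s+(\d+\.\d+\.\d+\.\d+)\s+eq\s+(\d+)",
    re.IGNORECASE)


def missing_syn_clauses(acl_lines, rule_vips):
    """Return (clause number, content rule, reason) for every Layer 5
    destination-content clause without a higher-numbered companion
    'permit tcp' clause for the rule's VIP and port."""
    content, tcp = [], []
    for raw in acl_lines:
        line = raw.strip()
        m = CONTENT_RE.match(line)
        if m:
            content.append((int(m.group(1)), m.group(2), int(m.group(3))))
            continue
        m = TCP_RE.match(line)
        if m:
            tcp.append((int(m.group(1)), m.group(2), int(m.group(3))))

    findings = []
    for num, rule, port in content:
        vip = rule_vips.get(rule)
        if vip is None:
            findings.append((num, rule, "VIP of the content rule is not known"))
            continue
        same_target = [n for n, ip, p in tcp if ip == vip and p == port]
        if any(n > num for n in same_target):
            continue  # a companion clause with a greater number exists
        if same_target:
            findings.append((num, rule,
                "companion clause %d must be numbered above %d" % (same_target[0], num)))
        else:
            findings.append((num, rule,
                "no 'permit tcp any destination %s eq %d' clause" % (vip, port)))
    return findings


# Constructed sample: clauses 14/15 follow the release note; the rest are invented.
SAMPLE_ACL = [
    "clause 14 permit any any destination content Layer5/L5 eq 80",
    "clause 15 permit tcp any destination 200.200.200.200 eq 80",
    "clause 18 permit tcp any destination 200.200.200.201 eq 80",
    "clause 20 permit any any destination content Layer5/shop eq 80",
    "clause 30 permit any any destination content Layer5/api eq 8080",
]
# Hypothetical mapping of owner/rule names to the VIP configured on each rule.
SAMPLE_RULE_VIPS = {
    "Layer5/L5": "200.200.200.200",
    "Layer5/shop": "200.200.200.201",
    "Layer5/api": "200.200.200.202",
}

if __name__ == "__main__":
    for finding in missing_syn_clauses(SAMPLE_ACL, SAMPLE_RULE_VIPS):
        print(finding)
```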

When accessing the CSS OffDM menu from a terminal server, you must configure the client application to display 24 lines to enable the OffDM menu to display properly.

When the CSS detects a duplicate IP address on the network, it displays a log message. Duplicate IP addresses occur when VRRP is transitioning from the master CSS to the backup CSS. It is normal to see messages indicating this condition. To assist in recognizing VRRP transitions, the following new log messages were added to the Duplicate IP log message in software version 5.00.4.03:

Virtual Router <vrid> on interface <ip address> entering into VRRP negotiation

Virtual Router <vrid> on interface <ip address> exiting out of VRRP negotiation

When you configure the expiration time and date for a location cookie using the location-cookie expiration command, the CSS CPU may spike and the CSS may experience a degradation in its performance. Configure the expiration option with the location-cookie command only when necessary.

When you configure the arrowpoint-cookie expiration command and the advanced-balance arrowpoint-cookie command, the CSS CPU may spike and the CSS may experience a degradation in its performance. Configure the arrowpoint-cookie expiration command only when necessary.

The following operating considerations apply to the CSS Device Management software.

Use Access Control Lists (ACLs) to restrict device management access to specific IP address and subnets. Note that ACLs do not affect the Ethernet Management port.

Always exit the browser after each device management session to clear the cache.

You must enable JavaScript in your browser for the Device Management software to work.

Navigation tree icons do not always display. The pages function correctly. Open a page by clicking on the corresponding text.

Device Management supports the following browsers:

Microsoft Internet Explorer version greater than 4.0

Netscape Communicator 4.51 and 4.71

Netscape Navigator 4.08

If your Web browser has a bookmark to the Device Management software (software version 4.10 or earlier) that includes a colon (:) and TCP 8081 management port number at the end of the IP address, the software redirects the address to the correct URL. If your Web browser does not have a bookmark to the Device Management software, be sure to include an "s" in http:// in addition to the CSS IP address. For example: https://192.168.3.6.

CSS Documentation Updates and Corrections

The following documentation correction applies to the CSS 11050, CSS 11150, and CSS 11800:

The documentation incorrectly states that you can configure as many SNMP communities as you wish through the snmp community command. You can configure a maximum of five communities.

The following documentation updates apply to the CSS 11050, CSS 11150, and CSS 11800:

URL Maximum Length

HTTP Header Request Line Description

Troubleshooting RX Errors on an Ethernet Link

URL Maximum Length

When you use the url content mode command to specify a Uniform Resource Locator (URL) for content, you enter the URL as a quoted text string with a maximum length of 252 characters. Note that each path defined within a 252-character URL string cannot exceed a maximum length of 32 characters. A URL path includes all characters between the two slashes (//). In addition, an extension after the "." character cannot exceed 7 characters.

For example, the URL string below includes two paths, with each path less than the 32 character maximum:

(config-owner-content[hospital.html])# "/newbirthannouncements/newbabies/babyfilename.jpg"
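The three limits above (252 characters overall, 32 per path, 7 per extension) can be checked on a management station before URLs are entered on the CSS. This Python validator is an added example, not part of the CSS software; skipping the host tag of the //host:port/ form is an assumption, because the text gives no limit for it, and the sample URLs other than the two taken from this document are constructed.

```python
MAX_URL_LEN = 252   # whole quoted URL string
MAX_PATH_LEN = 32   # each path between two slashes
MAX_EXT_LEN = 7     # extension after the "." character


def check_css_url(url):
    """Return a list of limit violations for one content rule URL string."""
    problems = []
    if len(url) > MAX_URL_LEN:
        problems.append("URL is %d characters, limit is %d" % (len(url), MAX_URL_LEN))

    path = url
    if path.startswith("//"):
        # Host-tagged form such as //www.arrowpoint.com:8080/*. No limit is
        # documented for the host tag, so only the part after it is checked
        # (assumption of this example).
        next_slash = path.find("/", 2)
        path = path[next_slash:] if next_slash != -1 else ""

    parts = path.split("/")
    if parts[0] == "":
        parts = parts[1:]              # empty piece in front of the leading slash
    leaf = parts[-1] if parts else ""  # file name or wildcard after the last slash

    # Paths are the components enclosed by two slashes, so the leaf is excluded.
    for segment in parts[:-1]:
        if len(segment) > MAX_PATH_LEN:
            problems.append("path '%s' is %d characters, limit is %d"
                            % (segment, len(segment), MAX_PATH_LEN))

    if "." in leaf:
        ext = leaf.rsplit(".", 1)[1]
        if len(ext) > MAX_EXT_LEN:
            problems.append("extension '%s' is %d characters, limit is %d"
                            % (ext, len(ext), MAX_EXT_LEN))
    return problems


def audit_urls(urls):
    """Map each offending URL to its list of violations."""
    report = {}
    for url in urls:
        problems = check_css_url(url)
        if problems:
            report[url] = problems
    return report


# Constructed sample input; the first two strings appear in this release note.
SAMPLE_URLS = [
    "/newbirthannouncements/newbabies/babyfilename.jpg",
    "//www.arrowpoint.com:8080/*",
    "/" + "a" * 33 + "/index.html",          # path one character too long
    "/images/scan.tiffarchive",              # 11-character extension
    "/" + "/".join(["abcdefgh"] * 40),       # 360 characters overall
]

if __name__ == "__main__":
    for url, problems in audit_urls(SAMPLE_URLS).items():
        print(url[:40], problems)
```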

HTTP Header Request Line Description

When you attempt to access an Internet resource using your browser (for example, http://www.cisco.com), the browser issues a request for the resource in an HTTP header. The request line in an HTTP header contains the HTTP method (GET, HEAD, or PUSH), the request URI, and the HTTP version. A uniform resource identifier (URI) consists of a string of alphanumeric and sometimes special characters that identify a resource on the Internet. The request line is a required HTTP header field.

For example, an HTTP header contains the following URI:

http://www.foo.com/cgi-bin/some-app.pl?session=123456789123456789&user=CiscoUser&action=LoadBalanceMe&foo=bar

By creating a header field group and header field rules, you can configure a CSS to make a content rule selection based on a string in the URI. For example, you can configure a CSS to make a content rule selection based on the string LoadBalanceMe in the above URI using the following configuration:

header-field-group url
	header-field urlString request-line contain "LoadBalanceMe"
owner arrowpoint
	content rule UrlString
		vip address 192.168.128.151
		protocol tcp
		port 80
		url "/*"
		add service server1
		add service server2
		header-field-rule url
		active
	content rule2
		vip address 192.168.128.151
		protocol tcp
		port 80
		url "/*"
		add service server21
		add service server22
		active

Troubleshooting RX Errors on an Ethernet Link

An Internal RX error on the CSS is a result of the MAC receive FIFO queue becoming oversubscribed with traffic. A CSS port that is oversubscribed with packets is receiving packets faster than it can process them, which generates errors. When the MAC receive FIFO queue becomes full, all new incoming packets are dropped.

This condition causes the Internal Rx Errors counter field in the show ether-errors command display to increment. If the Internal RX Errors value is incrementing, then packets are being lost. Internal RX errors may also result from sync loss, delimiter sequence, GMAC drop, and symbol error. To display the RFC1398 32-bit statistics, use the show ether-errors-32 command.

When internal RX errors are occurring, you may observe the following network conditions:

In aggregate port packet counters from devices installed upstream and downstream from the CSS. These counters may indicate that a greater number of packets or bytes are being sent to the CSS than are actually being passed through.

When sniffing connections or flows containing a large number of packet retransmissions that are passing through the CSS.

In applications being load-balanced by the CSS that show increased latency over time as traffic load on the servers increases.

Possible workarounds to prevent oversubscribing the CSS MAC receive FIFO queue include:

Allow only load-balanced traffic to be directed to the CSS. You can achieve this by configuring policy routing on devices external to the CSS.

If the oversubscribed link is a 10/100 port, reconfigure the network to direct traffic to a Gigabit Ethernet port.

If the oversubscribed link is a Gigabit Ethernet port, upgrade to a CSS 11500 Series Content Services Switch (CSS 11501, CSS 11503, CSS 11506) to remove the capacity limitation.

Enhancements to OSPF Functionality

The CSS OSPF functionality now examines configuration parameters (such as service configurations in content rules, keepalive behavior, VIP redundancy configurations, and whether services are active or suspended) to make accurate advertisement decisions on VIPs.

Specified routes related to VIPs are only advertised if both of the following conditions are true:

1. At least one of the related VIPs in a content rule or source group is active.

2. At least one service related to an active VIP is available on a content rule.

If you configured the CSS for box-to-box redundancy, be aware that only the master CSS (not the backup CSS) advertises the VIP.

It is recommended that you use the /32 prefix in the ospf advertise command to specify VIPs individually. Specifying entire subnets does not enable the CSS to make proper decisions on advertising the VIPs. The advertisement must match or fit entirely within a VIP range to make proper decisions. If the ospf advertise IP address range and the VIP range overlap, or the ospf advertise range encapsulates (that is, is larger than) or doesn't match the VIP range, then the route is advertised unconditionally.

The following flow chart shows the steps required for OSPF to advertise an IP address. If the IP address is a VIP, the flowchart shows the conditions that must be met for OSPF to advertise the VIP.
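The advertisement rules described in this section, written out as an added Python model (not Cisco's flow chart or CSS code). It shows why a prefix that is wider than, or only overlaps, a VIP range keeps being advertised when every service behind the VIP is down. The Vip record, its field names, and the sample values are assumptions of this example, and the backup-CSS check is applied only to prefixes that fit inside a VIP range.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Vip:
    first: str        # first address of the VIP range
    count: int        # number of consecutive addresses in the range
    active: bool      # owning content rule or source group is active
    services_up: int  # services on that rule that are currently available

    def bounds(self):
        lo = int(ipaddress.IPv4Address(self.first))
        return lo, lo + self.count - 1


def advertise_decision(prefix, vips, backup_css=False):
    """Return (advertised, reason) for one 'ospf advertise' prefix."""
    net = ipaddress.IPv4Network(prefix, strict=True)
    lo, hi = int(net.network_address), int(net.broadcast_address)

    # The prefix is tied to VIP state only if it matches or fits entirely
    # within a configured VIP range.
    related = [v for v in vips if v.bounds()[0] <= lo and hi <= v.bounds()[1]]
    if not related:
        overlaps = any(v.bounds()[0] <= hi and lo <= v.bounds()[1] for v in vips)
        if overlaps:
            return True, "unconditional: overlaps or encloses a VIP range"
        return True, "unconditional: matches no VIP range"

    # Box-to-box redundancy: only the master CSS advertises the VIP.
    if backup_css:
        return False, "withheld: backup CSS in box-to-box redundancy"

    # Both conditions: an active VIP, and an available service behind it.
    if any(v.active and v.services_up > 0 for v in related):
        return True, "conditional: active VIP with an available service"
    return False, "withheld: no active VIP with an available service"


# Constructed sample state: one single-address VIP whose services are all
# down, and one four-address VIP range with two services available.
SAMPLE_VIPS = [
    Vip("192.168.128.151", 1, active=True, services_up=0),
    Vip("10.1.1.10", 4, active=True, services_up=2),
]

if __name__ == "__main__":
    for p in ("192.168.128.151/32", "192.168.128.0/24",
              "10.1.1.10/31", "10.1.1.12/30", "172.16.0.0/16"):
        print(p, advertise_decision(p, SAMPLE_VIPS))
```

In the sample, 192.168.128.151/32 is withheld because no service is available, while 192.168.128.0/24 is still advertised although it covers the same dead VIP.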

Software Version 5.00.6.05 Open Caveats, Resolved Caveats, and Command Changes

The following sections contain the open caveats, resolved caveats, and command changes in software version 5.00.6.05:

Open Caveats in Software Version 5.00.6.05

Resolved Caveats in Software Version 5.00.6.05

Command Changes in Software Version 5.00.6.05

Open Caveats in Software Version 5.00.6.05

The following caveats apply to software version 5.00.6.05:

CSCeb29602 - The SNMPv1 version of chassisMgrExt.mib and apent.mib may not load correctly in some network management systems.

CSCdy35383 - The Cisco 11000 series CSS MIBs are not posted on CCO. Workaround: Use an FTP program with a graphical user interface to copy the MIBs from the MIBs directory on your CSS to your management station, then load them into the management station.

Resolved Caveats in Software Version 5.00.6.05

The following caveats are resolved in 5.00.6.05:

CSCee00757 - A non-privileged user cannot run the show log sys.log command.

CSCee01321 - The CSS incorrectly accepts an internal service name as a valid service in a content rule if you specify a service weight. When this is configured, you cannot remove the service from the content rule or delete the content rule. Rebooting the CSS does not fix this issue.

CSCef02846 - The CSS may reboot when the primary servers are suspended and the sorry server configuration is used.

CSCee07348 - When you configure the dnsflow disable command and a DNS connection arrives at the CSS and there are no available portmap entries, the CSS may reboot.

CSCee08487 - If the window size advertised in a backend SYN is smaller than the length of the first data segment (for example, HTTP GET), the CSS does not send out the ACK to complete the backend three-way handshake and drops the TCP packet.

CSCee08664 - If the global portmap and restrict snmp commands are both configured when you are running the commit_vip_redundancy script, the script may report a byte count difference of 2 bytes. This does not adversely impact the CSS running-configs.

CSCed09529 - The CSS reboots after it suspends and changes the portmap number of ports to a low number if the group has many open mappings.

CSCdx09860 - If a packet that is carrying an Arrowpoint cookie does not reach a client, the retransmitted packet does not get the Arrowpoint cookie insertion. This may cause a TCP sequence number mismatch, and the packet may also contain unexpected data.

CSCef12205 - The CSS is configured as a dns-server. Each DNS query that has a different name or string will allocate memory to store the string associated with the query. If the CSS receives thousands of different DNS queries, it may reboot.

CSCef12699 - When you configure the CSS with host routes, do not remove unreachable host routes that are still on the egress host list if these routes are not a dynamic host entry. Removing these host entries may cause the CSS to reboot.

CSCef19103 - The GUI may cause the CSS to reboot when you access the Content Rule Summary page or the Content Rule Main Summary page if the content rule is DNS-based and the CSS learns the content rule from a peer whose rule name exceeds 32 characters.

CSCef19704 - When using the advanced-balance ssl command, the CSS does not NAT the server hello when no SSL session ID is sent.

CSCef19550 - Running an SSH scanning tool against a circuit IP address may cause the CSS to not allow SSH, telnet, or console access.

CSCee21521 - Under rare circumstances while using LDAP scripted keepalives, the CSS may identify one or more services as down.

CSCef21844 - A cluster corruption causes the NetTask to suspend.

CSCef22794 - A bypass ACL conflicts with content rules that are configured with advanced-balance sticky-srcip. A sticky entry is created when a client hits a transparent-cache content rule that has advanced-balance sticky-srcip. If an ACL is applied to the circuit that has a bypass configured for that same client, it is ignored and the sticky entry takes precedence. When ACL is enabled, clients will experience a three to four second latency, and the CE will still see the client requests instead of being bypassed.

CSCee23156 - Forcing content replication using the replicate force command may fail if you move, rename, or delete files on the publisher. This problem typically occurs after an initial synchronization.

CSCee24269 - The CSS does not properly clean up an internal data structure.

CSCef24443 - The CSS may reboot when it tries to delete a service that has a service index that did not exist. The CSS will now ignore service delete messages with an incorrect service index.

CSCef34041 - The CSS may reboot if you remove an interface and an ARP request is initiated through this interface. The reboot occurs because the nexthop host is not available.

CSCef38127 - The CSS experiences a Flow Control Block leak when you configure it with a Layer 5 content rule using either ssl or arrowpoint-cookie and your network has asymmetric routing on the client side.

CSCee38396 - When you configure the CSS using the cmd-sched command, the first time the CSS executes the cmd-sched record, the CSS may execute the record twice during the first second.

CSCee38740 - When using the script modify command in a scripted keepalive, if the variable to be modified does not exist, the CSS may leak memory.

CSCef39414 - When you use UDP in scripted keepalives, internal resources may not be properly de-allocated.

CSCef39490 - If you configure the CSS with an HTTP keepalive with the method GET and the CSS receives an HTTP chunked keepalive response that contains a SPACE (0x20) in the size field, the CSS may incorrectly mark the service as Down.

CSCee41868 - You will not be able to use SSH to access the CSS after you run the Nessus scan tool on a circuit IP address.

CSCef44604 - An SNMP NEXT of the apListTable using the apListText OID would not work properly.

CSCec45721 - An internal resource leak may cause the CSS to reboot. The reboot is preceded by services going up and down, and log messages reporting: "SYSSOFT-2: VccAllocVc failed".

CSCee49236 - The CSS responds incorrectly for a DNS query type of ANY.

CSCee53027 - The CSS may reboot when it processes the timestamp option in an IP header.

CSCee54803 - The CSS is not learning new ARP entries. A host on the local network is not able to ping the CSS circuit address.

CSCee56155 - The VIP address range fails to check for VIPs that are already in use on source groups.

CSCee56977 - When firewall load balancing is in use, UDP-based DNS responses from a server may not go through the same firewall as the request from the client.

CSCee59808 - Non-persistent keepalives are reusing source ports too quickly for multiple services that are using the same destination IP address and port.

CSCed62063 - SSH sessions are not being cleared, which causes new sessions to be blocked.

CSCee61578 - Configuring radius-server dead-time 1 causes sockets to leak. An out-of-socket condition causes a keepalive task to crash when the keepalive tries to close a socket that it could not get.

CSCee70050 - The CSS fails to update reachability information in the route table for the first route entry for a /32 route (host route) that follows an unreachable host entry. An attempt to send traffic to the host described by such an entry may cause the CSS to stop processing traffic indefinitely or cause it to reboot.

CSCef72033 - If you configure the CSS with a DNS server, it would not allow you to configure an IP or VIP address with an invalid format (such as `ip address a.b').

CSCee73098 - The CSS may have a potential memory leak in the route table when using host routes.

CSCed73326 - When the CSS is configured with a scripted keepalive (which does multiple socket sends), the CSS buffers the data in the different socket sends and then sends them out as part of one data packet. The nowait option, added in software version 7.20.4.05, instructs the CSS to immediately send the data from a socket send and not buffer the data from different socket sends.

CSCeb73418 - If a client TCP stack retransmits an original TCP SYN at the same time the original TCP SYN is sent out, the CSS does not detect the retransmitted TCP SYN as a duplicate SYN. The CSS now checks for duplicate SYNs that arrive simultaneously.

CSCee75060 - The CSS may reboot when processing host routes for redistribution to or from OSPF when a host entry (for which an ARP could be resolved) for the IP address is submitted to the route table.

CSCee77663 - When the CSS is configured as a zone-based DNS server and you configure an A-record, but the keepalive has failed for all zones in which the name is configured, and a request is made to the CSS for that name, the CSS may reboot.

CSCed81963 - When you configure a content rule with the no persistent command and globally configure the persistent reset remap command, the urlhash and domainhash load-balancing methods prevent the CSS from performing a server remap when required. The CSS should remap a server when a subsequent HTTP GET on an HTTP 1.1 connection causes a different hash value than the previous GET.

CSCef82714 - When you configure the CSS for VIP/IF redundancy and OSPF and you then run the commit_vip_redundancy script, the ospf as-boundary commands would not be present on the remote CSS.

CSCee85140 - The CSS stops responding to requests on port 80.

CSCed85319 - When a server response to an HTTP1.1 keepalive request contains a "Connection: keepalive", the CSS incorrectly downgrades the HTTP1.1 keepalive to an HTTP1.0 keepalive.

CSCeb83566 - Fragments sent to the Ethernet management port may cause the CSS to reboot.

CSCed88058 - When the CSS is configured as a DNS server and a DNS name is configured on a content rule, but all servers for that rule are unavailable, the CSS returns NXDOMAIN for a DNS request. In this situation, the CSS should return SERVERFAIL.

CSCed88075 - When you configure the CSS with the advanced-balance arrowpoint-cookie command, it may incorrectly interpret a server data packet beginning with `PORT' or `227' as an FTP packet. If this occurs, the CSS corrupts the packet because it assumes that FTP is in use.

CSCed89086 - The CSS allows you to remove the redirect command from an active content rule even if no services are configured on the rule. This should not be allowed because services are required on an active content rule that does not contain a redirect.

CSCed89722 - The show virtual-routers command does not show all configured virtual routers.

CSCee95633 - If a service is configured with type nci-direct-return and is then added to a content rule configured with advanced-balance sticky-srcip, the NCI options are not set up for flows hitting the content rule.

Command Changes in Software Version 5.00.6.05

Table 1 lists the commands and options that have been added in software version 5.00.6.05.

Table 1 CLI Commands Added in Version 5.00.6.05

Mode
Command and Syntax
Description

All

socket connect host ip_address port number tcp {timeout} {session} {nowait}

The new nowait option for TCP connections causes the socket to send data immediately without waiting to aggregate the data first.

Global

replication file-error retry|skip

Specifies how the CSS handles file errors during content replication. The command options are:

retry - (Default) Replication pauses while the CSS periodically attempts to replicate a missing file

skip - The CSS skips the missing file and continues the replication process


Table 2 lists the commands and options that have changed in software version 5.00.6.05.

Table 2 CLI Commands Changed in Version 5.00.6.05  

Mode
Command and Syntax
Description

All

show log {log_filename {tail lines} {line-numbers}}

This command is now available in all modes. Previously, this command was not available in User mode.

show log-list

This command is now available in all modes. Previously, this command was not available in User mode.

Group

vip address ip_or_host {range number}

The range for the range number variable changed from 1 to 65353 to 1 to 65535.

Owner-Content

no arrowpoint-cookie advanced

This command has been removed.

sticky-no-cookie-found-action redirect "URL"

The length of the redirect URL text string changed from 0 to 64 characters to 0 to 252 characters.


Software Version 5.00.5.03 Software Behavioral Changes, Open Caveats, Resolved Caveats, and Command Change

The following sections contain the behavioral changes, open caveats, resolved caveats, and command change in software version 5.00.5.03:

Software Behavioral Changes in 5.00.5.03

Open Caveats in Software Version 5.00.5.03

Resolved Caveats in Software Version 5.00.5.03

Command Change in Software Version 5.00.5.03

Software Behavioral Changes in 5.00.5.03

The following changes to functionality were made in 5.00.5.03:

MIB file changes

Added a `down' value to aplpv4RedundancyState object in aplpv4.mib.

Added the following new objects in aplpv4Redundancy.mib: aplpv4RedundancyStateTransition, aplpv4RedundancyEventText, aplpv4RedundancyVROperState, aplpv4RedundancyVRFailReason.

Deprecated aplpv4RedundancyVRState in aplpv4Redundancy.mib.

SNMP trap changes

The aplpv4RedundancyTrap trap is now only sent when a state transition occurs in a box-to-box redundancy configuration. It is no longer sent out in a VIP redundancy configuration.

The aplpv4RedundancyStateTransition trap is sent when a state transition occurs in a VIP redundancy configuration. Note that because of a bug, this trap is not sent out when the virtual router transitions from master to backup due to an interface going down.

Show screen changes

The State field in the show redundancy command display now contains `Down' when the CSS loses its critical resource. Prior to this change, the State field would display either `Master' or `Backup'.

The State field in the show virtual-routers command display no longer displays `IF Down' or `No Service'. It now displays `Down' when the virtual router is in the Down state.

The show virtual-routers command display contains a new `Fail Reason' field, which displays the reason that causes the virtual router to be in the Down state. Possible values for this field are `No Failure', `IF Down', and `No Service'.

Log message change

The virtual router state transition log message has changed. When the CSS is configured for box-to-box redundancy, this message is logged under the Redundancy subsystem instead of the VRRP subsystem. For example: `SNMP Trap Vrouter 127.16.1.2 change to state MASTER'.

When VIP Redundancy is configured, this message is logged under the IPV4 subsystem. This log message also contains VRID information. For example:
`SNMP Trap Vrouter 127.16.1.2, VRID 3 change to state MASTER'.

Open Caveats in Software Version 5.00.5.03

The following caveats apply to software version 5.00.5.03:

CSCed09529 - The CSS reboots after you suspend and change the portmap number of ports to a low number and the group experiences many open mappings.

CSCeb29602 - The SNMPv1 version of chassisMgrExt.mib and apent.mib may not load correctly in some network management systems.

CSCdy35383 - The Cisco 11000 series CSS MIBs are not posted on CCO. Workaround: Use an FTP program with a graphical user interface to copy the MIBs from the MIBs directory on your CSS to your management station, then load them into the management station.

CSCed38249 - When a CSS receives multiple load reports for a GSLB service, the reported load may be incorrect. The CSS may receive multiple load reports for a service if the load reports are received from a pair of CSSs that have a redundant VIP configured for the service.

CSCed55094 - The CSS may not insert arrowpoint-generated cookies into HTTP request packets even if you configured the arrowpoint-cookie command.

CSCed72817 - The LogPrintAgent task may suspend, which causes the CSS to reboot.

CSCed80405 - A CSS shares content rules with a DNS peer for use as a remote service. The service name on the peer has a 31-character limit, which is a combination of the content rule name and the VIP. If the combination of the content rule name and the VIP is greater than 31 characters, the name is truncated to 31 characters. If two separate combinations truncate to the same name, the peer CSS is only able to configure one name, even though the configuration requires both names. This may cause the CSS to reboot when remote services are reconfigured (for example, adding or removing content rules, clearing the running config) or the app session to the peer goes down.

CSCed81963 - When you configure a content rule with the no persistent command and globally configure the persistent reset remap command, the urlhash and domainhash load-balancing methods prevent the CSS from performing a server remap when required. The CSS should remap a server when a subsequent HTTP GET on an HTTP 1.1 connection causes a different hash value than the previous GET.

CSCed85319 - When a server response to an HTTP 1.1 keepalive request contains a "Connection: keepalive", the CSS incorrectly downgrades the HTTP 1.1 keepalive to an HTTP 1.0 keepalive.

CSCed88075 - When you configure the CSS with the advanced-balance arrowpoint-cookie command, it may incorrectly interpret a server data packet beginning with `PORT' or `227' as an FTP packet. If this occurs, the CSS corrupts the packet because it assumes that FTP is in use.

CSCed89017 - The CSS may not use service weights configured in a content rule when you also use the balance aca command. Workaround: Remove the weight configuration from the content rule and add it to the services configuration.

CSCed89086 - The CSS allows you to remove the redirect command from a content rule even if no services are configured on the rule. This should not be allowed because services are required on an active content rule that does not contain a redirect.

CSCed89722 - The show virtual-routers command does not show all configured virtual routers.

Resolved Caveats in Software Version 5.00.5.03

The following caveats are resolved in 5.00.5.03:

CSCed01770 - When you configure the CSS for Global Server Load Balancing (GSLB) and use the dns-record a kal-ap threshold command (with the threshold default of 254) and the CSS receives NXDOMAIN responses for a dns-record with a content rule that contains only one service and that service reaches a load level of 254, the CSS does not transition down the service.

CSCed06619 - The CSS may reboot when configured for ACLs and source groups if the source groups can be matched on both an ACL clause and the add service command configuration on a source group. The reboot may occur when an active FTP data channel is opened that hits the ACL.

CSCed20671 - The string range command searches on one less byte than the range maximum. The range should be 1 to 100, but the CSS only searches on a range of 1 to 99.

CSCed21769 - Using VIP and interface redundancy in one Global Server Load Balancing (GSLB) site and using a single CSS in another GSLB site causes the load to be reported incorrectly after you suspend and activate a content rule.

CSCed29953 - The CSS does not set up flows for TCP port 520.

CSCed39121 - When you run the commit_redundancy or commit_vip_redundancy scripts, the OSPF area settings on the circuit may be removed from the remote CSS.

CSCed45747 - The CSS 11000 Series Content Services Switches are vulnerable to a Denial of Service (DoS) attack caused by malformed UDP packets received over the management port. This vulnerability is documented as Cisco bug ID CSCed45747. There is no workaround available to mitigate the effects of this vulnerability. Cisco is providing fixed software, and customers are recommended to upgrade to it. This advisory will be posted at http://www.cisco.com/warp/public/707/cisco-sa-20040304-css.shtml.

CSCed51417 - The CSS considers a service to be down if the service is configured with an HTTP keepalive and the only response from the keepalive is HTTP/1.0 200OK. The CSS should interpret this as a valid response to an HTTP keepalive and consider the service as up. Workaround: Configure the service keepalive type as non-persistent using the keepalive type http non-persistent command.

CSCed51715 - In a VIP and virtual interface redundancy configuration, if you configure a virtual router (VR) on the local CSS but not on the remote CSS when you run the commit_VipRedundConfig script, the script copies the local VR and its priority to the remote CSS. Because both the local and the remote VRs now have the same priority, priority is not used to determine the master. In this case, the CSS with the lower IP address becomes the master. If you want to determine mastership based on priority, then manually configure the remote CSS priority as desired.

CSCed52186 - You can configure a Layer 5 content rule on the CSS to cause the backend connection to be spoofed. If a client sends a spanned content request using an HTTP header that spans four or more packets, the server's TCP SYN/ACK may come in on a different port from the one on which the original backend TCP SYN was sent. This causes the CSS to miss the TCP ACK for the first two packets of the spanned content request, and three seconds later, reset the connection.

CSCed52992 - When doing an SNMP NEXT through the apSvcTable from the svcExt.mib, the CSS SCM CPU may spike to high levels and remain high for long periods of time. This issue is related to the number of configured services.

CSCed57712 - RSH (Remote Shell) through the CSS does not function because source port NAT'ing interferes with it.

CSCed74244 - If the DNS forwarder feature is configured and you enter debug mode and issue the dns setFwdKal 0 command, the CSS reboots. A value of 0 is invalid for the dns setFwdKal command.

CSCed75430 - Using an incomplete MIB variable for the sample-variable command in (config-rmonalarm) mode may cause the CSS to reboot.

CSCed76105 - The show sticky-stats command was added to the showtech diagnostic script to provide information on the CSS sticky database.

CSCed76182 - Issuing the no app-udp ? command may cause the CSS to reboot.

CSCec86501 - When a script contains a quoted string that is greater than 255 characters and is used by a scripted keepalive, the CSS reboots.

CSCec89210 - When you configure a CSS with a static route that is identical to a learned OSPF route (network LSA), the OSPF route correctly takes precedence. However, if the CSS loses the OSPF route, the blackhole route is not injected into the routing table.

CSCed90714 - The CSS was not properly populating the fields in the show rmon, show ether-errors, and show mibii displays. Having the fields properly populated now enables you to trigger RMON alarms for network problems, if RMON is configured.

Command Change in Software Version 5.00.5.03

The content configuration mode no advance-balance command has been changed to no advanced-balance.

Software Version 5.00.4.03 Open Caveats, Resolved Caveats, and Command Changes

The following sections contain the open caveats, resolved caveats, and command changes in software version 5.00.4.03:

Open Caveats in Software Version 5.00.4.03

Resolved Caveats in Software Version 5.00.4.03

Command Changes in Software Version 5.00.4.03

Open Caveats in Software Version 5.00.4.03

The following caveats apply to software version 5.00.4.03:

CSCed06619 - The CSS may reboot when it performs task fmPeerMsgTask.

CSCed09529 - The CSS reboots after you suspend and change the portmap number of ports to a low number and the group experiences many open mappings.

CSCed21769 - Using VIP and interface redundancy in one Global Server Load Balancing (GSLB) site and using a single CSS in another GSLB site causes the load to be reported incorrectly after you suspend and activate a content rule.

CSCea25171 - In a content rule-based Global Server Load Balancing configuration in which two CSSs are in an APP session exchanging domain information where CSS-A is configured with www.a.com, www.b.com, and www.c.com (in the same content rule) and CSS-B is configured with only www.a.com and www.b.com, CSS-B incorrectly believes that it has www.c.com configured locally (because it learned about www.c.com from its peer). When CSS-B is queried for www.c.com, it returns its local VIP as well as the remote VIP. Because www.c.com is not configured on CSS-B, CSS-B should return only the remote VIP.

CSCeb29602 - The SNMPv1 version of chassisMgrExt.mib and apent.mib may not load correctly in some network management systems.

CSCdy35383 - The Cisco 11000 series CSS MIBs are not posted on CCO. Workaround: Use an FTP program with a graphical user interface to copy the MIBs from the MIBs directory on your CSS to your management station, then load them into the management station.

CSCec81039 - The flow statistics command displays invalid active flow counts per port. The counts increase, but do not decrease.

Resolved Caveats in Software Version 5.00.4.03

The following caveats are resolved in 5.00.4.03:

CSCec01380 - The CSS sends 302 redirects with an incorrect URL in response to a CONNECT.

CSCeb12522 - On a CSS configured as a PDB, the PDB functionality may hang. To recover, you must reboot the CSS. This situation occurs when you issue the proximity commit ftp command and the FTP server does not allow PUT.

CSCec16679 - SNMP lexicographical ordering is incorrect in various MIB locations.

CSCec16689 - When you configure a blackhole route to the same IP subnet on which a firewall route has as its next hop, shutting down the IP interface or unplugging the cable from the interface to that next hop may cause the CSS to reboot.

CSCec22850 - While at the -more- prompt, data that you enter may overrun the internal buffer causing memory corruption, which causes the CSS to reboot.

CSCec26257 - A change has been made to the size of an internal storage array to prevent memory from being overwritten when the CSS tried to insert a Set-Cookie in a response containing ARPT cookies that was going back to a client.

CSCeb28300 - When you configure the CSS with multiple trap hosts, traps are sent only to the first host in the configuration.

CSCec28308 - The CSS sends mails with a line feed (\n) that does not contain a preceding carriage return (\r). This causes mail to be rejected by qmail.

CSCec35690 - New vulnerabilities in the OpenSSH implementation for SSH servers have been announced. An affected network device, running an SSH server based on the OpenSSH implementation, may be vulnerable to a Denial of Service (DoS) attack when an exploit script is repeatedly executed against the same device. There are workarounds available to mitigate the effects of these vulnerabilities. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20030917-openssh.shtml.

CSCec48758 - OSPF only advertises a VIP host route if regular services are active. If regular services are not active and the Primary Sorry Server is active, the VIP route is not advertised. This issue prevents access to the Sorry Server.

CSCec58376 - If you have a static ARP entry using an IP address that is identical to a circuit IP address, the CSS reboots. Static ARP entry IP addresses, circuit IP addresses, and source group IP addresses must all be unique. The CSS does not allow you to configure identical IP addresses for these configuration parameters.

CSCec59890 - When a CSS is configured with persistent reset remap and a Layer 5 content rule configured with no persistent, advanced-balanced cookies, and sticky-no-cookie-found-action and receives on a persistent connection an HTTP GET with no cookie, it does not re-load balance to select a new service. The CSS keeps the connection on the previous sticky server, which is incorrect.

CSCec65391 - The CSS does not deny traffic when an ACL is configured with the deny or prefer options.

CSCea66182 - The Device Management user interface may become inaccessible after one to three days. There is no response to a TCP SYN or to an SSL client Hello. Workaround: Reboot the CSS.

CSCeb73456 - When a link transition occurs, the CSS marks the entries associated with that link interface as unreachable. But when the link comes back up, the CSS does not ARP for the entries, so the entries do not come back up.

CSCec73591 - The show ip forwarding debug mode command may cause the CSS to reboot if the table is too large. In addition, the data displayed may be incomplete.

CSCec73612 - The CSS reboots when OSPF submits greater than 15 equal cost routes to a single destination.

CSCeb77234 - After the CSS experiences a transition in a VIP redundancy configuration, UDP flows initiated from a backend server are unNAT'd.

CSCec80040 - If you configure the CSS using the advanced-balance method (which uses the sticky table) and the calculated sticky hash key is zero, the CSS reboots.

CSCec80913 - An SNMP NEXT of the apChassisMgrExtSubModuleTable causes the CSS to reboot if you use an invalid slot/subslot to index the table.

CSCec82104 - If you configure a CSS Gigabit Ethernet port for trunking, the lowest number VLAN associated with the trunked port will be down if you do not configure an IP address for the circuit. In this case, the CSS does not report RMON statistics and the show rmon command shows all zeros. In addition, the flow port and flow details debug mode commands return an error.

CSCec85000 - The CSS does not perform lookups with a suffix appended to a requested name even if you configure a dns suffix.

Command Changes in Software Version 5.00.4.03

Table 3 lists the commands and options that have been added in software version 5.00.4.03.

Table 3 CLI Commands Changed in Version 5.00.4.03

Mode
Command and Syntax
Description

Header-field-group

header-field name field_type operator {header_string {contain|not-contain|equal|not-equal {"header_string"}}}

You can no longer enter a carriage return after the contain|not-contain|equal|not-equal options. You must enter a quoted header string name to complete the command. Then enter a carriage return.

Interface and VLAN

bridge port-priority

The port-priority option replaces the priority option.


Software Version 5.00.3.09 Open Caveats, Resolved Caveats, and Command Changes

The following sections contain the open caveats, resolved caveats, and command changes in software version 5.00.3.09:

Open Caveats in Software Version 5.00.3.09

Resolved Caveats in Software Version 5.00.3.09

Command Changes in Software Version 5.00.3.09

Open Caveats in Software Version 5.00.3.09

The following caveats apply to software version 5.00.3.09:

CSCec01380 - The CSS sends 302 redirects with an incorrect URL in response to a CONNECT.

CSCec04896 - When you configure an interface as 100MB/full duplex, if the link is down, the show phy display may not show the configured setting. It may show the 100MB/half duplex setting. If you configure a port on the CSS as 100MB/full duplex, the CSS brings up the link, but then disconnects the port. The port reverts to 10MB/half duplex (as indicated by the port LEDs and the show phy display).

CSCeb12522 - On a CSS configured as a PDB, the PDB functionality may hang. To recover, you must reboot the CSS. This situation occurs when you issue the proximity commit ftp command and the FTP server does not allow PUT.

CSCec23109 - The CSS may become unresponsive without console or telnet access when running HTTP keepalives. Reboot the CSS to resolve this condition.

CSCeb28397 - If you issue the redundancy force-master command multiple times when running the CSS box-to-box redundancy feature, the backup CSS may not bring down its interfaces correctly. The new master CSS logs a duplicate IP address. The backup CSS shows the circuit as disabled, but the IP address is still listed. The master CSS continues to log duplicate IP addresses from the backup CSS until you reboot the master CSS.

CSCdy35383 - The Cisco 11000 series CSS MIBs are not posted on CCO. Workaround: Use an FTP program with a graphical user interface to copy the MIBs from the MIBs directory on your CSS to your management station, then load them into the management station.

CSCea66182 - The Device Management user interface may become inaccessible after one to three days. There is no response to a TCP SYN or to an SSL client Hello. Workaround: Reboot the CSS.

Resolved Caveats in Software Version 5.00.3.09

The following caveats are resolved in 5.00.3.09:

CSCec01157 - Using the `search' option in the `more' functionality may cause the CSS to reboot.

CSCec01457 - The CSS may reboot when you issue the no trunk command.

CSCeb01623 - The CSS does not fail over to the DNS secondary server if the DNS primary server is unable to resolve a hostname. The dns primary command pings the DNS server to see if the device is alive. However, the command does not resolve a hostname to see if the DNS service is alive. Thus, when the CSS can ping the DNS primary server, but it cannot resolve a hostname, it never fails over to the DNS secondary server. Now the CSS queries each configured server IP address (even if DNS name server is not operational on that device) until two attempts have been made for each server, or one of the servers responds with an answer or a DNS error.

CSCec01994 - The Cisco CSS 11800 platform may reload when a heavy storm of TCP SYN packets is sent to the circuit address of the CSS. This problem is seen on the 5.0.2.03 and 6.10 Build 4 versions and is specific to the 11800 platform. It does *not* affect the 11150 and 11050 platforms. Workaround: Using ACLs on an upstream router to protect the circuit address is recommended as a prevention measure. For example, the command access-list 116 deny tcp any <circuit address of CSS> can be used on an upstream router in combination with applying the access-group to an outgoing interface to deny TCP to circuit addresses on the CSS. This bug was also publicly documented on the Bugtraq mailing list: http://www.securityfocus.com/archive/1/336580.

CSCeb02395 - When you configure CSS services with the max connections command and Layer 5 content rules using advanced-balance arrowpoint-cookies, on a persistent connection, the CSS checks the service max connection value for each HTTP GET from the client. The CSS should perform the max connection check for the first non-persistent HTTP GET and only again if the physical server changes.

CSCec04009 - The apLogSubSystemTable from the logExt.mib was not returned in SNMP lexicographical order, which caused an error when attempting a SNMP walk on the enterprises OID.

CSCec04320 - An SNMP walk of the apSvcTable does not always return all configured services.

CSCdz06244 - The CSS may reboot when you have multiple links on a VLAN and one link goes into blocking mode via spanning-tree and the CSS experiences a box-to-box redundancy transition.

CSCeb08366 - If you configure the CSS with advanced-balance url or advanced-balance cookieurl, the string-range parameter has no effect.

CSCea08822 - ARP entries are not being updated for hosts that are located one hop away from the CSS when the outgoing interface transitions. This fix prevents OSPF from adding a route to the routing table when its next hop address is equal to an existing IP interface or redundant interface address configured on the CSS. This fix does not solve the problem that occurs when an interface is configured with an IP address that is equal to the next hop of a previously configured OSPF route (this issue is being addressed in CSCec29686).

CSCeb11201 - If you configure the CSS for OSPF and the CSS is running a previous code enhancement (CSCdz86426), OSPF advertises the virtual IP address based on the state of the underlying services. This enhancement may incorrectly cause OSPF to advertise the backup VIP address.

CSCec11862 - The CSS may incorrectly show services in a suspended state.

CSCeb14245 - During RIP updates, the Ipv4Rip and Ipv4RdpTmr tasks are suspended.

CSCeb15177 - If you dynamically configure the global bridge priority command to a value lower than the root bridge value on the network, the CSS does not become the root bridge. Reboot the CSS to enable it to become the root bridge in this situation.

CSCeb16881 - When the CSS experiences an NVRAM failure and you reboot the CSS into OffDM to reconfigure the administrative username and password, the configuration fails because of the NVRAM failure but the CSS will not display an error message.

CSCeb16889 - Logging messages at NETMAN facility, level Warning 4 now appear if the CSS could not read the administrative username or password from NVRAM.

CSCeb21318 - If you manually suspend a service that is running a scripted keepalive when the script is active, the service remains in a down state after you activate it again.

CSCec23109 - The CSS may become unresponsive without console, telnet, or any access when running HTTP keepalives. In this situation, you must reboot the CSS to resume operation. To work around this issue, remove HTTP keepalives from the configuration.

CSCeb29612 - When the CSS is configured with source groups and has the global persistence reset remap command configured, a Flow Control Block (FCB) is deleted and the CSS reboots.

CSCeb35409 - Gigabit Ethernet ports must be disabled when the CSS is booting up.

CSCeb38555 - The OSPF tag option in the ospf advertise command is only parsed as a 16-bit value, but it should be a 32-bit value.

CSCea39652 - A flood of SNMP traps and remote log messages are sent out when the commit redundancy script is executing.

CSCeb42078 - The CSS may reboot if you configure a Layer 5 content rule using a URL string containing "?*" (for example, "url/mandy?*"), and then activate, suspend, then activate the rule. The CSS also may reboot if you delete this type of content rule, create a new one, and then activate it.

CSCeb43255 - A CSS that is queried using SNMP may, at certain OIDs, respond to the GetNext with an OID that is not lexicographically higher than the first OID.

CSCeb43821, CSCeb43853, CSCeb58032 - OSPF advertise decisions do not function properly.

CSCeb52725 - If there are a large number of connections being spoofed to servers that are not responding to the SYN, the CSS may exhaust all buffers and reboot.

CSCec52752 - The CSS Gigabit Ethernet ports do not function with the Catalyst 6500 when the Catalyst port configuration is set to speed nonegotiate. The only workaround is to change the Catalyst port configuration to no speed nonegotiate.

CSCeb56670 - This caveat applies to a Layer 5 content rule containing advanced-balance arrowpoint-cookies and a configuration that contains a client as a proxy device that multiplexes many individual client connections over one long persistent HTTP session to the CSS. When the CSS receives an HTTP GET on a persistent connection without an arrowpoint-cookie, the arrowpoint-cookie string was not always inserted in the server response.

CSCeb57374 - When running a keepalive script that uses the icp probe command, if the target host is unavailable, the CSS may leak resources and eventually reboot or cause the console to become unresponsive.

CSCeb57524 - Content rules with URQLs lock up and traffic is dropped if it hits the rule. You must suspend and activate the rule.

CSCeb57007, CSCeb58059 - Using OSPF to advertise a nonredundant VIP address when a separate redundant VIP address exists may cause the CSS to reboot.

CSCdy58374 - When a content rule is configured with advanced-balance sticky and you also configure sticky-no-cookie-found-action redirect or sticky-no-cookie-found-action service with the service type redirect, the CSS does not properly redirect the connection.

CSCeb58671 - An edge condition in a flow teardown may cause the CSS to reboot.

CSCea66180 - If you perform an SNMP GET on the deprecated variable apFlowMgrStattSSTable from the flowMgrExt.mib, SNMP access fails from either external SNMP agents or the CLI, and the CSS displays the following error message: "%% Error - cannot obtain SNMP lock".

CSCea66340 - In a VIP and interface redundancy configuration, the commit_vip_redundancy script erroneously overwrites the RADIUS server source interface IP address on the backup CSS.

CSCeb66864 - This caveat applies to a Layer 5 content rule containing advanced-balance arrowpoint-cookies. On a persistent HTTP connection using arrowpoint cookies, each backend server remap causes the TCP maximum segment size (MSS) option in the TCP SYN to the backend server to be reduced by 250 bytes until the MSS reaches a negative value. This condition has performance implications and may prevent the arrowpoint-cookie from being inserted into the server data packet.

CSCeb68203 - The CSS may identify a service as dying or down when an HTTP keepalive is used and the HTTP response from the service spans more than one packet.

CSCeb70776 - If you have a Layer 5 content rule configured and the client sends HTTP POSTs and the data portion of a POST packet starts with "POST TAX", the CSS incorrectly determines that the "POST TAX" packet is the start of a new HTTP content request. The connection then hangs while waiting for the HTTP terminator in a future packet.

CSCea76928 - When one of the NICs in a dual-NIC server fails over, the CSS does not update the service MAC address. The CSS continues to use the MAC address of the failed NIC as the destination even after it receives a gratuitous ARP (GARP) from the activated secondary NIC of the server. The CSS ARP table is properly updated. Workaround: Suspend, then activate the service that is not updated.

CSCeb80090 - If the CSS receives APP-UDP packets on the Ethernet management port early in the bootup routine, the ip interface tries to process the packets before the IPV4 applications are initialized. This condition causes the CSS to reboot.

CSCeb80103 - The message Ipv4SntpTx: Failed on Ipv4StackBypassTx is logged when SNTP packets are misdirected out the Ethernet management port.

CSCeb84861 - Provides the new string match command. This command determines how the CSS handles a string that contains multiple matches with configured strings on services. Use this command with the advanced-balance cookies|cookiesurl|url command. For details on this command, refer to Command Changes in Software Version 5.00.3.09 later in this release note.

CSCea84953 - If the CSS is configured with a content rule that has an advanced-balance method and an ACL clause containing a preferred service, and a load-balancing decision is made when the connection is stuck to a service, the CSS prefers that service over the ACL preferred service, which is incorrect.

CSCea87542 - A configuration using header tag rules that is configured using persistence reset remap and no persistent on the content rules experiences unnecessary backend remaps to the lowest numbered service index in the content rule. The content rule favors that service index, and the service index has a high connection counter.

Command Changes in Software Version 5.00.3.09

Table 4 lists the commands and options that have been added in software version 5.00.3.09.

Table 4 CLI Commands Added or Changed in Version 5.00.3.09 

Mode
Command and Syntax
Description

All

show system-resources {cpu_summary}

The cpu_summary option displays a summary of the CPU utilization by all modules installed in the CSS chassis.

Content

string match specific|first-service-match|first-string-found

The new string match command determines how the CSS handles a string that contains multiple matches with configured strings on services. Use this command with the advanced-balance cookies|cookiesurl|url command.

In this example, the incoming string is grapebananapear. The CSS service configuration is:

service s1 
string pear

service s2 
string grape

service s3 
string banana

The specific keyword matches the most specific string match and is the CSS default behavior. For the CSS, the most specific match is the longest string. In this example, the string match is banana.

The first-service-match keyword allows the CSS to look at each service in the order of its index number. The CSS compares the incoming string to the string configured on each service, in that order, until it finds a match. In this example, the first-service-match result is pear.

The first-string-match keyword matches the first string in the incoming string. In this example, the string match is grape.
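The three policies above, modeled as an added example (this is not CSS code and not from the original release note). It uses the keyword first-string-found from the command syntax, which the description calls first-string-match; the substring test and the tie-breaking rules are assumptions, and the OVERLAP services are constructed.

```python
# Added illustration (not CSS/WebNS code): a model of the three
# `string match` policies from the command description above.
# Assumptions: a service "matches" when its configured string occurs
# anywhere in the incoming string; ties are broken as commented below.
from typing import Dict, List, NamedTuple, Optional, Tuple


class Service(NamedTuple):
    index: int   # service index within the content rule
    name: str
    string: str  # value of the service's `string` command


# Service configuration taken from the release note example.
SERVICES = [
    Service(1, "s1", "pear"),
    Service(2, "s2", "grape"),
    Service(3, "s3", "banana"),
]

# Constructed configuration where one string is a prefix of another.
OVERLAP = [
    Service(1, "web-a", "web1"),
    Service(2, "web-b", "web10"),
]

POLICIES = ("specific", "first-service-match", "first-string-found")


def find_hits(incoming: str, services: List[Service]) -> List[Tuple[int, Service]]:
    """Return (offset, service) for each service whose string occurs."""
    hits = []
    for svc in services:
        if not svc.string:
            continue  # an empty string would match every request
        offset = incoming.find(svc.string)
        if offset != -1:
            hits.append((offset, svc))
    return hits


def select_service(incoming: str, services: List[Service],
                   policy: str = "specific") -> Optional[Service]:
    """Pick the service for `incoming` under one of the three policies."""
    if policy not in POLICIES:
        raise ValueError(f"unknown string match policy: {policy!r}")
    hits = find_hits(incoming, services)
    if not hits:
        return None  # no configured string occurs in the incoming string
    if policy == "specific":
        # Longest configured string wins; equal lengths fall back to the
        # lowest service index (assumption).
        return min(hits, key=lambda h: (-len(h[1].string), h[1].index))[1]
    if policy == "first-service-match":
        # Services are checked in index order; the first that matches wins.
        return min(hits, key=lambda h: h[1].index)[1]
    # first-string-found: the string that starts earliest in the incoming
    # string wins; at the same offset the longer string wins (assumption).
    return min(hits, key=lambda h: (h[0], -len(h[1].string), h[1].index))[1]


def compare_policies(incoming: str, services: List[Service]) -> Dict[str, Optional[str]]:
    """Map each policy name to the name of the service it selects."""
    result = {}
    for policy in POLICIES:
        svc = select_service(incoming, services, policy)
        result[policy] = svc.name if svc else None
    return result


if __name__ == "__main__":
    print(compare_policies("grapebananapear", SERVICES))
    print(compare_policies("server=web10", OVERLAP))
```

With the constructed OVERLAP services, first-service-match sends a request carrying web10 to the service configured with web1, which is the kind of misrouting to check for when configured strings share a prefix.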


Software Version 5.00.2.04 Open Caveats, Resolved Caveats, and Command Changes

The following sections contain information on caveats, command changes, and software behavioral changes in software version 5.00.2.04:

Open Caveats in Software Version 5.00.2.04

Resolved Caveats in Software Version 5.00.2.04

Command Changes in Software Version 5.00.2.04

Software Behavioral Changes in 5.00.2.04

Open Caveats in Software Version 5.00.2.04

The following caveats apply to software version 5.00.2.04:

CSCeb12522 - On a CSS configured as a PDB, the PDB functionality may hang. To recover, you must reboot the CSS. This situation occurs when you issue the proximity commit ftp command and the FTP server does not allow PUT.

CSCeb14479 - In a box-to-box redundancy configuration, if you use the admin-shutdown command to shut down the CSS that has a higher IP address, and then bring it up using the no admin-shutdown command, the CSS takes mastership from the new master CSS for approximately 40 seconds.

CSCeb16881 - When the CSS experiences an NVRAM failure and you reboot the CSS into OffDM to reconfigure the administrative username and password, the configuration fails because of the NVRAM failure but the CSS will not display an error message.

CSCeb21318 - If you manually suspend a service that is running a scripted keepalive when the script is active, the service remains in a down state after you activate it again.

CSCea29755 - In a box-to-box redundancy configuration, if you reset the master interface on which the redundancy protocol is running, both CSSs claim mastership. The CSSs send ARP requests from the circuit IP address with a MAC address that belongs to both of them causing the ARP entries on neighboring devices to flap. The two CSSs also log "Duplicate IP address" messages. There is no impact on network connectivity.

CSCdy35383 - The Cisco 11000 series CSS MIBs are not posted on CCO. Workaround: Use an FTP program with a graphical user interface to copy the MIBs from the MIBs directory on your CSS to your management station, then load them into the management station.

CSCdy58374 - When a content rule is configured with advanced-balance sticky and you also configure sticky-no-cookie-found-action redirect or sticky-no-cookie-found-action service with the service type redirect, the CSS does not properly redirect the connection.

CSCea93743 - A ping request to a CSS circuit VLAN IP address that has a destination MAC address that belongs to a different VLAN configured on the CSS will still receive a response from the CSS.

Resolved Caveats in Software Version 5.00.2.04

The following caveats are resolved in 5.00.2.04.

CSCea00161 - When using a transparent caching FTP content rule (that is, not a VIP address) with a service type of transparent cache, the CSS incorrectly reduces the TCP SYN/ACK of the backend server by 1000. The CSS should not apply the TCP sequence number adjustment of 1000 bytes if the destination service type is transparent cache.

CSCdz02856 - The CSS may not properly redirect a service when you configure a redirect service in a Layer 5 content rule.

CSCea03472 - The CSS 11800 unexpectedly rebooted when attempting to free memory that had been previously freed.

CSCdz05912 - Under conditions when APP sessions go up and down rapidly, a race condition may occur that leads to file descriptor reuse causing the CSS to reboot.

CSCea07413 - When you configure the CSS for primary and secondary virtual authentication methods and the primary authentication method fails, the CSS does not try the secondary authentication method.

CSCea08548 - If you use the advanced-balance method in a content rule with a service configured using the max connections command and an incoming content request was stuck to a service that had exceeded its maximum connections, the CSS sends a TCP RST to the client. The CSS should re-load-balance the incoming request and choose a new local service or sorry service if available.

CSCea08875 - The CSS does not correctly match a Layer 5 content rule that contains a % (percent sign) in the URL of the GET message.

CSCea09022 - An ARP storm on a CSS that has 200 IP interfaces on VLAN1 locks up Telnet.

CSCeb11295 - Activating a source group with the same VIP address as a suspended source group causes the CSS to reboot.

CSCea12013 - The CSS incorrectly sends an ARP request for its own VIP address when a non-flow-setup packet type (for example, SNMP, NetBIOS, BOOTP, RIP) is sent to the CSS VIP address.

CSCea14394 - When you configure the CSS for box-to-box redundancy and then enter the show running-config command after running the commit_redundancy script, the CSS may display the following message: %%Error - cannot obtain SNMP lock.

CSCdz14760 - When the CSS receives a spanned content request and the packets are received out of order, the CSS waits for the out of order packets to be retransmitted from the client before it initiates the connection to the backend server.

CSCeb15716 - APP uses socket record structures. When initializing APP, the CSS may reboot under certain configuration timing circumstances due to a race condition in the allocation and free routines that manipulate the record structures.

CSCea18861 - When the CSS is configured with a Layer 5 rule and a client opens a long persistent connection with 100 or more HTTP GET requests, the CSS may not properly backend remap one of the HTTP GET requests. The fix now allows the flow manager application to properly detect content frames (HTTP requests that begin with GET, POST, PUSH, HEAD, etc.).

CSCea23674 - If a configuration contains a Layer 5 wild card content rule (for example, /*) using a header-field-rule and a less-specific content rule, the CSS may match on the less-specific content rule and select the wrong server.

CSCea24296 - Content rules may fail if a client request spans multiple packets and the sequence numbers do not change.

CSCea25871 - If a content header tag that spans two packets is empty, the temporary internal buffer that was created to track this would cause the CSS to reboot due to the internal buffer not being cleared correctly.

CSCea28341 - If a running-config file has more than one active content rule that uses header-field groups that are using the same header-field, suspending one of the active content rules has an adverse effect on the remaining active content rules using the same header-field.

CSCea30473 - When you use SNMP to poll the CSS for apChassisMgrExtSoftwareVersionNumber, the CSS returns inconsistent MIB information due to a string that was not properly NULL-terminated.

CSCea33647 - The trap log agent task is using too much CPU, which causes telnet and console access to hang.

CSCea33912 - Memory leaks in ICP code cause Telnet and the CSS console to lock up.

CSCea36431 - When you execute the script play flowinfo command, your telnet or console session will be disconnected.

CSCea36989 - When the CSS receives a DNS request for an A record that is configured, it responds with either return code 4 "not implemented" or with return code 3 "NXDOMAIN". These two responses may be cached by various D-proxies, which may lead to temporary DNS outages. The CSS now returns an RFC2308 NODATA type 3 response, which is an authoritative answer with rcode=NOERROR, answer=0, aabit set, and no SOA. This response causes the client to query for another A record.

CSCea38004 - A remote CSS in a VIP interface redundancy setup with a large configuration (for example, greater than 100K) may become unresponsive to console and telnet access. This issue causes an APP session to go down when running the commit_vip_redundancy script.

CSCea40806 - When the CSS receives more than the configured maximum OSPF routes to a destination and some of the currently reachable routes become unreachable, the CSS may not replace the unreachable routes with the other viable OSPF routes.

CSCea40912 - When a service is configured with a scripted keepalive on a CSS, the service may go down and not return to the Alive state. The scripted keepalive task is unresponsive and no further scripted keepalive activity will run for the service.

CSCdz41611 - When you set up box-to-box redundancy with a single interface configured using the redundant-phy command and then enter the admin-shutdown command on that interface (port), the interface shuts down but the priority does not change. This prevents the master CSS from failing over.

CSCea42812 - When you configure a CSS with an SSL or an Arrowpoint-cookie content rule, the CSS uses the first data packet it receives from the backend server to make the load-balancing decision or to inject the Arrowpoint cookie. If the TCP SYN ACK from the server arrives on a different port from where the CSS sent the TCP SYN, then neither SSL nor Arrowpoint-cookie load-balancing works.

CSCea43956 - If a configuration contains a Layer 5 wild card content rule (for example, /*) using a header-field-rule and a less-specific content rule, the CSS may match on the less-specific content rule and select the wrong server.

CSCea45106 - Using the SNMP variables apChassisMgrExtSubModulesSsCardTypeSNMP and apChassisMgrExtSubModuleSsCardOpStatus to inventory the CSS chassis may return conflicting data because these variables have been removed. Use the apChassisMgrExtSubModuleOpStatus variable to inventory the chassis.

CSCea43508 - A host tag in an HTTP header that has a port number specified causes degradation in Layer 5 performance.

CSCdy46189 - The CSS forwards packets to the wrong MAC address after receiving gratuitous ARPs.

CSCea47419 - A custom script opens port 443 on one server and sends an SNMP request to another server. With 12 to 16 services using this script, every 5 to 15 minutes, a service goes into the Dying state while waiting for the SNMP reply (which was already received). This caveat is caused by a timing issue in the waitfor script command.

CSCea47506 - When the CSS is dynamically configured with a lower bridge priority than the root bridge, the CSS does not become the root bridge. If the CSS is rebooted with the lower bridge priority in the startup-config, the CSS becomes the root bridge.

CSCea47887 - A Layer 4 content rule configured with advanced-balance sticky-srcip was incorrectly creating Layer 4 sticky entries (that is, source IP address and destination port) instead of Layer 3 sticky entries as specified by the advanced-balance method.

CSCea48629 - If you configure the CSS with Layer 5 rules with or without header-field-rules configured and the CSS receives an HTTP GET that exactly matched the URL string configured on the Layer 5 rule but did not match the header-field configured on the rule, the CSS rejects the connection and does not match on one of the other Layer 5 rules as it should.

CSCdz49051 - When you configure keepalive type http and set the frequency to a value greater than 17 seconds and the server does not respond within 17 seconds, the CSS sends a RST packet on the keepalive session and the service goes down.

CSCdz49395 - If you try to configure a source group VIP address as a redundant VIP address, the following erroneous error message is displayed: "%%Could not find content rule for specified VIP address."

CSCea51311 - If you configure a CSS with a Layer 5 content rule with a URL of the form /%xx* and then remove the rule from the configuration at a later time, the CSS does not completely clean up the rule-matching tree, which may cause the CSS to reboot.

CSCea53247 - If you configure a content rule with a sticky-no-cookie-found-action service, but do not define the service with a valid service name and the service is used when no cookie was found in the HTTP request, the CSS reboots.

CSCea55785 - The CSS reboots when you configure a username with an encrypted password that exceeds 40 characters in length. The maximum length should be 64 characters.

CSCdy56792 - The CSS 11800 may unexpectedly reboot when running APP due to a stack overflow that occurred when the APP message queue became full. The depth of the APP message queue has been reduced from 256 to 16 to prevent the stack overflow.

CSCea60671 - When the CSS is configured with Layer 5 rules and the first HTTP request is not properly terminated, the CSS detects this as a spanned content request. The content request is retransmitted with the original payload in addition to more data. If both the original packet and the retransmission are processed in the same content vector (that is, they arrived at the CSS simultaneously), the CSS frees the buffer that contained the original content request, but does not clear it from the vector. This causes the CSS to reboot.

CSCdx63320 - When there are static ARP entries configured on a CSS and a Fast Ethernet link unexpectedly goes down, the CSS does not forward the packet destined to an IP address in the static ARP entry. Workaround: Enter the admin-shutdown command, then the no admin-shutdown command on the interface defined in the static ARP entry.

CSCdz67389 - If you configure an HTTP keepalive without a keepalive hash value, the service does not come up until the time you configure for the keepalive frequency transpires. For example, if you configure the keepalive with a frequency of 60 seconds, the keepalive does not come alive for 60 seconds. The keepalive now comes alive immediately upon activation.

CSCea69508 - If you configure a CSS as a primary and secondary RADIUS server and an SNMP agent issued an SNMP NEXT through the apRadiusClientExtServerEntry table, the poll would fail. All subsequent access to the SNMP database also fails. For example, entering the show running-config command would result in a Cannot obtain SNMP lock error message.

CSCdy70914 - If the CSS does not receive an ARP response, it may continue to send ARP requests instead of marking the host as unreachable.

CSCea71636 - The show ether-error command indicates that the SQE TEST counter incorrectly keeps increasing when the Ethernet management port is used. The problem is not seen for other ports. There is no workaround.

CSCea74866 - When using the more command for some screen display options, a data structure overflows and causes the display task to suspend and the CSS to reboot.

CSCeb75507 - When you issue the traceroute command, the process that handles ICMP responses may hang. This condition causes all of the ICMP keepalives to go down.

CSCea77466 - If the services defined in a DNS content rule are of type transparent-cache, the dnsflow disable command does not work properly.

CSCea85836 - The CSS uses an internal table structure called "CII", and these tables can be dynamically modified in size during CSS operations. An edge condition may cause the CSS to reboot if two applications tried to access the table and modify the size simultaneously. The reboot is not caused as the result of any user action or traffic pattern.

CSCdz87014 - The CSS incorrectly routes keepalives, which causes keepalives to fail and services to be brought down.

CSCdy87317 - The Current Connections field in the show group command displays consistently high values.

CSCdz88580 - When you configure a source group on the CSS and a server configured in the source group attempts to communicate with a device over the network or on the Internet and that device does not have its port open, the device will return a RST/ACK in response to the server's TCP SYN. The CSS will discard the RST/ACK response because it will not be able to identify the port from which the corresponding SYN/ACK returned.

CSCea93122 - If you configure the IP address on the management port to 0.0.0.0, on reboot, the CSS removes the IP address from the show boot display. However, the commit redundancy and commit vip redundancy scripts check for the APP sessions between the peers over the management port and expect to find an IP address. If not, the scripts would fail.

Command Changes in Software Version 5.00.2.04

Table 5 lists the commands that have been added to software version 5.00.2.04.

Table 5 CLI Commands Added and Changed in 5.00 b204 

Mode
Command and Syntax
Description

All Modes

show ospf advertise {ip address}{prefix length}

Displays the configuration of ASE routes into OSPF. To display the configuration of ASE routes into OSPF for a specific host, include the IP address and the subnet mask. Enter the address in dotted-decimal format (for example, 192.168.11.1). Enter the prefix length either:

As a prefix length in CIDR bit-count notation (for example, /24). Do not enter a space to separate the IP address from the prefix length.

In dotted-decimal notation (for example, 255.255.255.0).

Global

logging sendmail email_address ip_address level {domain}

Use the logging sendmail command to send the log activity of a subsystem to an e-mail address. The variables are as follows:

email_address - The e-mail address for the recipient. Enter the e-mail address as an unquoted text string with a length of 1 to 30 characters.

ip_address - The IP address for the SMTP host. Enter the IP address in dotted-decimal notation (for example, 192.168.11.1).

level - The type of information to log. The valid levels are: fatal-0, alert-1, critical-2, error-3, warning-4 (default), notice-5, info-6, debug-7.

domain - (Optional) The domain name for the SMTP host. Enter an unquoted text string with a maximum length of 64 characters (for example, arrowpoint.com). Do not insert an @ sign before the domain name. The CSS automatically prepends the @ sign to the domain name.

To turn off logging to an e-mail address, enter:

(config)# no logging sendmail email_address

Keepalive

hash "text"

Overrides the default MD5 hash for a keepalive. The CSS compares the hash value against the computed hash value of all HTTP GET responses. A successful comparison results in the keepalive maintaining an Alive state. Enter a quoted hexadecimal string with a maximum of 32 characters.

tcp-close rst

For global keepalives, specifies that the CSS send a TCP RST to a service to terminate the connection with the backend server.

tcp-close fin

For global keepalives, specifies that the CSS send a TCP FIN to a service to terminate the connection with the backend server. The keepalive tcp-close fin command may be applied to a maximum of 100 keepalives. When you configure the fin option, the show keepalive command displays will contain the field:
Keepalive TCP-Close: .

Service

keepalive tcp-close rst

Sends a TCP RST (default) to terminate the connection with the specified service on the backend server.

keepalive tcp-close fin

Sends a TCP FIN to terminate the connection with the specified service on the backend server. When you configure the fin option, the show service and show keepalive command displays will contain the field: Keepalive TCP-Close: .


Software Behavioral Changes in 5.00.2.04

You can no longer dynamically modify the VIP address on an active content rule. If you attempt to do so, you will receive the error message "Operation may not be performed on an active content rule." To modify a VIP address, first suspend the content rule, modify the VIP address, then activate the content rule. This change is due to a fix for CSCea24798.

Software Version 5.00.1.05 Open Caveats, Resolved Caveats, and Command Changes

The following sections contain information on caveats, command changes, and information on service keepalive changes in software version 5.00.1.05:

Open Caveats in Software Version 5.00.1.05

Resolved Caveats in Software Version 5.00.1.05

Command Changes in Software Version 5.00.1.05

Documentation Update to Service Keepalive Type TCP in Software Version 5.00.1.105

Open Caveats in Software Version 5.00.1.05

The following caveats apply to software version 5.00.1.05.

CSCdz14760 - When the CSS receives a spanned content request and the packets are received out of order, the CSS waits for the out of order packets to be retransmitted from the client before it initiates the connection to the backend server.

CSCea21808 - You cannot modify a primary or secondary sorry server IP address or port range in a content rule unless you first remove the sorry server from the rule.

CSCdw31969 - SNMP service transition messages may cause the SNMP trap queue to overflow.

CSCdu34502 - Do not use the Cisco Content Router 4430-B bloat and fragment-size options with the CSS content routing agent. Entering these options causes unexpected results.

Resolved Caveats in Software Version 5.00.1.05

The following caveats are resolved in 5.00.1.05.

CSCdz00787 - Under heavy traffic, the CSS internal message communications interrupt process may cause the CSS to lock up. Reboot the CSS to resume normal operations.

CSCea02018 - The CSS may drop messages when configured near the maximum keepalive limits. This causes the actual state of the service to become out of sync with the status the CSS is reporting.

CSCea06451 - When the CSS receives multiple telnet connects and then disconnects in short succession, it is possible for the CSS to experience a console or telnet session hang due to a problem that could occur when the Terminal Session Manager freed a message queue to which another task still had a pointer.

CSCdz07302 - When using a reporting tool to gather SNMP information from the CSS with SNMPv2, the first two consecutive pollings returned correct SNMP information, but from the third polling on the CSS returned the message: "SNMP - Error: Couldn't parse message header: Wrong type for that item". The CSS now handles this task properly.

CSCdz08541 - The CSS may reboot if the OSPF processing function cannot find a Link State Advertisement (LSA) in the Link State Database (LSDB).

CSCdz08577 - A blackhole route to a directly connected network is not installed reliably into the routing table when the physical link to that network is repeatedly disconnected and reconnected.

CSCdz09603 - The CSS may reboot if the search for the URL string in the HTTP packet goes beyond the valid payload length of the data.

CSCea10255 - If the commit_vip_redundancy script fails, the redundancy protocol or the virtual routers might not come back up properly on the remote CSS.

CSCdz12256 - When a telnet session closes down, the CSS may access corrupted memory and reboot.

CSCdz12609 - The CSS may reboot when you issue the clear running-config command on a configuration with a large number of IP interfaces.

CSCdz12954 - The CSS may reboot if you configure the redundancy-l4-stateless command on a source group and apply it using an ACL and the CSS receives the first packet of a spanned content request from a service on the source group.

CSCdz14075 - The CSS may hang when you add a firewall route that is more specific than an existing IP static route.

CSCea14394 - When you configure the CSS for box-to-box redundancy and then enter the show running-config command after running the commit_redundancy script, the CSS may display the following message: %%Error - cannot obtain SNMP lock.

CSCdz15425 - If you perform an SNMP GET of entries in the apBoomClientRecordTable or apBoomClientAliasTable MIBs using a NULL domain name, the CSS reboots.

CSCdz15612 - When the CSS is configured as an OSPF area border router, it may incorrectly prefer an inter (between) area route to the intra (within) area route to the same destination.

CSCdy15662 - Under heavy load, if you disconnect cables from the Gigabit Ethernet port and console port of one CSS and connect these cables to the Gigabit Ethernet port and console port of a second CSS, the second CSS reboots.

CSCdz16851 - With IP redundancy configured, the CSS may report erroneous log messages when a link goes up or down.

CSCdz16999 - In a box-to-box redundancy configuration, using a CLI script that continuously enables and disables a redundant interface (using the no admin-shutdown and admin-shutdown commands, respectively) and then performs a redundancy force master on both CSSs may cause one of the CSSs to reboot.

CSCdz17203 - If a content rule and a source group have different VIP ranges, the CSS reboots when both the content rule and the source group are activated.

CSCdz18627 - The logging host log-level number command is not accessible from the GUI.

CSCdz19714 - The CSS may incorrectly choose between IP routes with the same route prefix but different route masks.

CSCdz19774 - This caveat resolves multiple issues with the commit_vip_redundancy script.

CSCdz19986 - A memory leak may occur when running Application Peering Protocol (APP) on a CSS and the CSS responds to an authentication message from another CSS.

CSCdz20504 - If you configure the CSS to redistribute non-OSPF routes into OSPF, and then globally disable OSPF on the CSS, the CSS does not redistribute these routes when you globally reenable OSPF.

CSCin21797 - An SNMP SET of the MIB variable sysLocation to an integer value instead of an octet string causes the CSS to return the wrong SNMP error.

CSCdz23178 - The CSS now returns data properly from the FlowMgrExt MIB as Counter32 rather than a signed integer. Returning the data as a signed integer may cause large numbers to be reported as negative numbers to the MIB tools.

CSCdz23334, CSCdz29329, CSCdz30280 - These caveats resolved multiple issues with the commit_redundancy script.

CSCdz23543 - With a CSS 11800, if you configure the header-field-group command on a content rule, the CSS performance may degrade.

CSCea24798 - You can no longer dynamically modify the VIP address on an active content rule. If you attempt to do so, you will receive the error message "Operation may not be performed on an active content rule." To modify a VIP address, first suspend the content rule, modify the VIP address, then activate the content rule.

CSCdz24964 - The CSS command line interface (CLI) may hang when numerous simultaneous FTP connections are made to the CSS. The CSS now limits the number of simultaneous FTP connections to four.

CSCdea26240 - The CSS 11800 may reboot when experiencing many EPIF resets that are due to an exception case that is not properly handled in the flow manager timer code.

CSCdz30175 - The summarization of RIP V2 routes out a RIP V1 interface on the CSS is not consistent with the same summarization on IOS. If the CSS learns a more specific route over RIP V2 at a lower cost than a route learned over RIP V1 using the natural mask, the CSS does not advertise the lower cost summary route using the metric from RIP V2.

CSCdz30683 - If the CSS had 250 services configured, all of which were using keepalive type http-head persistent, it was possible to exhaust the maximum number of file descriptors on the CSS. This would cause the CSS console to lock up and the CSS would reboot when a file descriptor was allocated.

CSCdz32244 - If you suspend a service that is using a scripted keepalive, the CSS may reboot when processing a message to start a new keepalive. When the service is suspended, some memory was freed, but a pointer to that memory could have existed when a message to handle a new keepalive was put on the message queue to be processed later. When this message is pulled off the queue, the CSS attempts to reference freed or possibly reused memory and may reboot.

CSCea32557, CSCdz76688 - The CSS may stop resolving ARP requests. This prevents communication to the CSS from the circuit IP address and causes the CSS to stop processing traffic.

CSCdz34614 - While running some SNMP tests, the CSS may hang or reboot due to system log messages that were too large if the debug mask snmpapi was enabled.

CSCdz36350, CSCdz68837 - When the CSS is sending a statistics report to the SCM, it may cause the CSS to get into a deadlock state. Because of the deadlock, a service that was suspended may show the Hit Count field increasing, which is incorrect.

CSCdy37815 - If a static arp entry conflicts with a redundant VIP, the static arp entry is removed from the ARP database. If you enter the clear running-config or no arp command, the CSS reboots.

CSCdz38731 - If there are no sendmail hosts configured on the CSS, the CSS may reboot when you enter the no logging sendmail command.

CSCdz41306 - An OSPF interface/IP interface and circuit configuration is not removed if an OSPF password is configured on the CSS.

CSCdz42482 - If you configure a content rule with advanced-balance sticky-srcip or advanced-balance sticky-srcip-dstport and a TCP or UDP packet with a source IP address of 0.0.0.0 matches on the rule, the CSS reboots.

CSCdz42835 - Source and destination IP addresses have been added to the Bad IP Version received, Bad IP header length received, and Bad buffer length warning log messages.

CSCdz43339 - When the CSS completes an FTP connection, the FTP task may erroneously free a stale data structure. Subsequently, when a second task attempts to access the previously freed data structure, the CSS reboots.

CSCdz44174 - If a zero length packet is read from a socket receive, the CSS reboots when it tries to allocate a zero length buffer. The CSS now properly handles this error case.

CSCdz48105 - The CSS may reboot when an invalid SNMP request is received for the apChassisMgrExtSlotPortTable or apChassisMgrExtModule Table MIB tables.

CSCdz49372 - The CSS may get stuck in a loop or reboot when sending TCP RST/SYN packets if a Layer 3 or Layer 4 rule took precedence over an existing Layer 5 connection that was being backend remapped.

CSCdz52400 - If a URQL contains URL entries that are identical up to the parameter characters "?" and "#" (for example "/mandy" and "/mandy?Fred"), the CSS may reboot when a content rule with this URQL is suspended and then activated. In addition, if the URQL list is suspended, the error message "Failed Operation on CSD database" may be displayed.

CSCdy56195 - When the CSS receives a spanned content request and receives the packets out of order, it may incorrectly acknowledge a packet out of sequence. This condition may cause the connection to hang.

CSCdz56784 - If you configure a service for an HTTP keepalive and the three-way handshake (SYN, SYN/ACK, ACK) is successful but the HTTP method request is responded to by a TCP RST, the CSS incorrectly brings the service to the "Alive" state. The service should be down because no HTTP data was ever received by the server in response to the HTTP method request.

CSCdz59833 - If you configure the CSS with static ARP entries and enter the clear running-config command and then the copy startup-config running-config command, you will not be able to telnet into the CSS or ping the management port. Reboot the CSS to resume operation.

CSCdy59914 - Continuous rapid link state changes on an interface may cause the CSS performance to degrade and eventually cause the CSS to reboot.

CSCdz60636 - Using the find ip address command with masks smaller than /16 may block other processes from running, causing failover in redundant configurations.

CSCdy60795 - Removing a domain name from one DQL and adding it to another DQL has no effect. The CSS directs requests for the domain name to the original DQL.

CSCdz62499 - The CSS incorrectly responds to a DNS type AAAA query with a "name error" regardless of whether an A-record for the name exists. Now if an A-record is configured, the CSS responds with a "not implemented" error. If no A-record exists, the CSS still responds with the previous "name" error. These errors also apply to other DNS record types that the CSS does not support.

CSCdy68928 - The current connections on the show service display may be incorrect. This can occur on a persistent HTTP connection when the CSS could not locate a subsequent HTTP request in the sticky database.

CSCdy71003 - If you configure a content rule and a source group with different VIP ranges, the CSS reboots.

CSCdy74475 - If a task took a long time to complete, it may hold onto stale data and delete a task that no longer belonged to it. This may result in a scripted keepalive becoming stuck, or in the input, output, or playtask being deleted, in which case the keepalive would not be able to run.

CSCdz74987 - Repeatedly establishing and terminating an APP (Application Peering Protocol) session between two CSSs causes a memory leak that may result in a low memory condition and cause the CSS to reboot.

CSCdy77209 - If you configure a CSS 11800 with more than 100 IP interfaces per VLAN, the IP system, including ARP, OSPF, and RIP may not function properly. Limit the number of IP interfaces per VLAN to 100 or less. If you exceed 100 IP interfaces per VLAN, the CSS displays the following message: %%You have reached the maximum number of IP interfaces.

CSCdx82407 - The show rmon-history display on the CSS incorrectly reports receive errors and shows inconsistencies between the show rmon-history and show mibii command displays.

CSCdz89204 - If an HTTP HEAD request spans multiple packets and the first packet contains only "HEAD / HTTP/1.1 <CR><LF>", the CSS does not ACK the HTTP HEAD request.

CSCdz86193 - When you rapidly clear and reconfigure a CSS configured to run OSPF, the CSS may reboot.

CSCdx87850 - HTTP and scripted keepalives may stop functioning on the CSS when a link transition occurs over a GIG link. The link transition may leave FCBs with incorrect information.

Command Changes in Software Version 5.00.1.05

Table 6 lists the commands that have been added to software version 5.00.1.05. This table also contains a clarification of the usage of the url and domain commands.

Table 6 CLI Commands Added and Changed in 5.00.1.05

Mode: Content

Command and Syntax: vip-ping-response local
Description: Specifies that all local services are included in ping response decisions. The default is local.

Command and Syntax: vip-ping-response local-remote
Description: Specifies that both local and remote services are included in ping response decisions (including services configured as type redirect).

Command and Syntax: url
Description: The CSS now matches on the entire host tag including the port number. If a domain name includes a port number, enter the domain name with the port number exactly. For example:

(config-owner-content[arrowpoint-rule1])# url "//www.arrowpoint.com:8080/*"

Command and Syntax: domain name index number
Description: When using the domain name index number command to add a domain to the list of domains supported by a DQL, enter the name of the domain as an unquoted text string with a maximum of 63 characters (for example, www.arrowpoint.com). The CSS matches the domain name exactly.


Documentation Update to Service Keepalive Type TCP in Software Version 5.00.1.105

Information on the keepalive type tcp command for a service and the type tcp command for a global keepalive has been updated in software version 5.00.1.105. This information applies to both commands and replaces existing information in the Content Services Switch Basic Configuration Guide, Chapter 1 Configuring Services.

keepalive type tcp - A TCP session that determines service viability (3-way handshake and reset (RST)). By default and in compliance with RFC 1122, the CSS sends a RST to close the socket on a server port for TCP keepalives. A RST is faster than a FIN, because a RST requires only one packet, while a FIN can take up to four packets. If your servers require a graceful closing of a socket using a FIN, you can use a script keepalive. For an example TCP script keepalive that sends a FIN to close a socket, refer to the Cisco Content Services Switch Advanced Configuration Guide, Chapter 12, Using the CSS Scripting Language, in the "Script Keepalive Examples" section.

For example, to set serv1 keepalive type to ftp, enter:

(config-service[serv1])# keepalive type ftp 

To set the global keepalive keepimages to type tcp, enter:

(config-keepalive[keepimages])# type tcp

Example of a Custom TCP Script Keepalive with Graceful Socket Close

Use the following script keepalive to open and gracefully close (using a FIN rather than a RST) a socket on user-specified TCP ports.

!no echo
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! Filename: ap-kal-tcp-ports
! Parameters: Service Address, TCP Port(s) 
!
! Description:
! This script will open and close a socket on the user specified 
! ports.
! The close will be a FIN rather than a RST. If one of the ports fails 
! the service will be declared down 
!
! Failure Upon:
! Not establishing a connection with the host on one of the specified 
! ports.
!
! Notes: Does not use output
!        Will handle out of sockets scenario.
!
! Tested: KGS 12/18/01
!     
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

set OUT-OF-SOCKETS "785"
set NO-CONNECT "774"

! Make sure the user has a qualified number of arguments
if ${ARGS}[#] "LT" "2"
  echo "Usage: ap-kal-tcp-ports \'ipAddress tcpPort1 [tcpPort2 tcpPort3...]\'"
  exit script 1
endbranch

set SERVICE "${ARGS}[1]"
!echo "SERVICE = ${ARGS}[1]"
var-shift ARGS

while ${ARGS}[#] "GT" "0"
  set TCP-PORT "${ARGS}[1]"
  var-shift ARGS
  function SOCKET_CONNECT call 
! If we're out of sockets, exit and look for sockets on the next KAL interval
  if RETURN "==" "${OUT-OF-SOCKETS}"
    set EXIT_MSG "Exceeded number of available sockets, skipping until next interval."
    exit script 0
  endbranch

! Valid connection, look to see if it was good
  if RETURN "==" "${NO-CONNECT}"
    set EXIT_MSG "Connect: Failed to connect to ${SERVICE}:${TCP-PORT}"
    exit script 1
  endbranch
endbranch

no set EXIT_MSG
exit script 0

function SOCKET_CONNECT begin
  set CONTINUE_ON_ERROR "1"
  socket connect host ${SERVICE} port ${TCP-PORT} tcp 2000
  set SOCKET-STAT "${STATUS}"
  set CONTINUE_ON_ERROR "0"
  socket disconnect ${SOCKET} graceful
  function SOCKET_CONNECT return "${SOCKET-STAT}"
function SOCKET_CONNECT end
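
The difference between the default RST close and the script's graceful FIN close can be observed from a test host. The following Python example is an addition to this release note, not Cisco code and not CSS scripting language: `tcp_probe`, `keepalive` and `observe_close` are hypothetical names, `keepalive` mirrors the exit codes and messages of ap-kal-tcp-ports, and the `SO_LINGER` packing assumes the POSIX `struct linger` layout.

```python
import errno
import socket
import struct
import threading

OK, NO_CONNECT, OUT_OF_SOCKETS = "ok", "no-connect", "out-of-sockets"


def tcp_probe(host, port, timeout=2.0, graceful=True):
    """Complete a TCP handshake, then close with FIN (graceful) or RST."""
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    except OSError as exc:
        if exc.errno in (errno.EMFILE, errno.ENFILE):  # descriptor table is full
            return OUT_OF_SOCKETS
        raise
    s.settimeout(timeout)  # assumption: the script's "2000" is milliseconds
    try:
        s.connect((host, port))
    except OSError:
        s.close()
        return NO_CONNECT
    if graceful:
        try:
            s.shutdown(socket.SHUT_WR)  # send our FIN
            while s.recv(4096):  # drain any banner: unread data at close() causes a RST
                pass
        except OSError:  # timeout or reset while draining
            pass
    else:
        # l_onoff=1, l_linger=0: close() drops the connection and sends a RST
        s.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
    s.close()
    return OK


def keepalive(host, ports, probe=tcp_probe):
    """Decision logic of ap-kal-tcp-ports; returns (exit_code, exit_msg)."""
    if not ports:
        return 1, "Usage: ap-kal-tcp-ports 'ipAddress tcpPort1 [tcpPort2 tcpPort3...]'"
    for port in ports:
        status = probe(host, port)
        if status == OUT_OF_SOCKETS:  # local resource problem: skip this interval
            return 0, "Exceeded number of available sockets, skipping until next interval."
        if status == NO_CONNECT:  # one failed port fails the whole check
            return 1, f"Connect: Failed to connect to {host}:{port}"
    return 0, ""


def observe_close(graceful):
    """Constructed loopback listener: how does the probe's close look to the server?"""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    srv.settimeout(3.0)
    seen = []

    def serve():
        try:
            conn, _ = srv.accept()
            conn.settimeout(3.0)
            with conn:
                seen.append("FIN" if conn.recv(1) == b"" else "DATA")  # b"" is end of stream
        except ConnectionError:  # ECONNRESET / ECONNABORTED: the peer sent a RST
            seen.append("RST")
        except OSError:  # nothing connected before the timeout
            seen.append("NONE")

    worker = threading.Thread(target=serve)
    worker.start()
    status = tcp_probe("127.0.0.1", srv.getsockname()[1], graceful=graceful)
    worker.join()
    srv.close()
    return status, seen[0]


if __name__ == "__main__":
    print(observe_close(graceful=True))   # probe closes with FIN
    print(observe_close(graceful=False))  # probe closes with RST
```

A server application sees the graceful close as a normal end of stream, while the RST close surfaces as a connection-reset error, which is why some servers log or mishandle the default TCP keepalive.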

Command Changes in Software Version 5.00 b69

Table 7 lists the commands and options that have been added to and changed in software version 5.00 b69.

Table 7 CLI Commands Added and Changed in 5.00 b69 

Mode: Global configuration
Command and Syntax: logging host
Description: Added the log-level number option to the logging host command. This new option enables you to specify the level of the CSS subsystem log messages to be sent to the syslog daemon on a host. Valid logging levels are 0 to 7, which correspond to the following subsystem logging levels:

fatal-0, alert-1, critical-2, error-3, warning-4, notice-5, info-6, debug-7 (default)

The logging host log-level number must be equal to or less than the log level you configure for the logging subsystem command. If the log-level is less than the logging subsystem level, the CSS only sends the message level specified in the log-level option. If the log-level is greater than the logging subsystem level, the CSS only sends the level of messages specified in the logging subsystem command.

For example:

(config)# logging host 192.168.11.1 facility 3 log-level 3

Mode: Interface
Command and Syntax: show script, show archive, show core
Description: These commands are now available in interface mode for a specific VLAN.

Mode: SuperUser
Command and Syntax: script play commit_redundancy "arguments"
Description: The -v argument was removed from the commit redundancy script.

The following arguments were added to the commit redundancy script:

-int (Interface) - Does not clear the interfaces on the backup CSS so that the link does not go down. Do not use this argument with the -a argument. If you do and the interface settings are different on the master and the backup CSSs, the configurations will not match and the script will not finish successfully.

-nv (No Verify) - Informs the script not to verify that the configuration synchronization was successful.

