
Cisco CSS 11000 Series Content Services Switches

Release Note for the Cisco 11000 Series Content Services Switch (Software Version 6.10.x)


Table Of Contents

Release Note for the Cisco 11000 Series Content Services Switch

Contents

Features in Software Version 6.10

CSS Standard and Enhanced Feature Sets

Before Upgrading the CSS Software

Script Keepalives and Upgrading WebNS Software

Updating Management Information Base Files (MIBs)

Operating Considerations

CSS Documentation Updates and Corrections

Clarification to URL Maximum Length

Troubleshooting RX Errors on an Ethernet Link

Software Version 6.10.4.05 Open Caveats, Resolved Caveats, and Command Change

Open Caveats in Software Version 6.10.4.05

Resolved Caveats in Software Version 6.10.4.05

Command Changes in Software Version 6.10.4.05

Software Version 6.10.3.04 Software Behavioral Changes, Open Caveats, Resolved Caveats, and Command Change

Software Behavioral Changes in 6.10.3.04

Open Caveats in Software Version 6.10.3.04

Resolved Caveats in Software Version 6.10.3.04

Command Change in Software Version 6.10.3.04

Software Version 6.10.2.03 Software Behavioral Changes, Open Caveats, Resolved Caveats, and Command Changes

Software Behavioral Changes in 6.10.2.03

Open Caveats in Software Version 6.10.2.03

Resolved Caveats in Software Version 6.10.2.03

Command Changes in Software Version 6.10.2.03

Software Version 6.10.1.07 Software Behavioral Changes, Open Caveats, Resolved Caveats, and Command Changes

Software Behavioral Changes in Version 6.10.1.07

Increased Number of SSH Sessions

Enhancements to the Absolute Load Calculation Functionality

Enhancements to OSPF Functionality

Open Caveats in Software Version 6.10.1.07

Resolved Caveats in Software Version 6.10.1.07

Command Changes in Software Version 6.10.1.07

Software Version 6.10.0.04 Open Caveats, Resolved Caveats, and Command Changes

Open Caveats in Software Version 6.10.0.04

Resolved Caveats in Software Version 6.10.0.04

Obtaining Documentation

World Wide Web

Documentation CD-ROM

Ordering Documentation

Documentation Feedback

Obtaining Technical Assistance

Cisco.com

Technical Assistance Center

Cisco TAC Web Site

Cisco TAC Escalation Center


Release Note for the Cisco 11000 Series Content Services Switch


January 10, 2005


Note The most current Cisco documentation for released products is available at http://www.cisco.com. The online documents may contain updates and modifications made after the hardcopy documents were printed.


Contents

This release note applies to the following software versions for the CSS 11050, CSS 11150, and
CSS 11800 content services switches. For information on version 6.10 commands and features, refer to the CSS 6.10 documentation located in http://www.cisco.com.

6.10.4.05 (version 6.10, maintenance release 4, build 5)

6.10.3.04 (version 6.10, maintenance release 3, build 4)

6.10.2.03 (version 6.10, maintenance release 2, build 3)

6.10.1.07 (version 6.10, maintenance release 1, build 7)

6.10.0.04 (version 6.10, maintenance release 0, build 4)


Note Version 6.10 software requires that the CSS 11800 SCM be configured with 128 MB of memory. You must upgrade the SCM memory before you upgrade the software to version 6.10. To determine the amount of memory in your CSS 11800, enter the show system-resources command and note the Installed Memory value for slot 7/1.



Note Do not attempt to load, unpack, or configure a version 5.10, 5.20, 7.10, or 7.20 software image (applicable only on a Cisco 11500 series CSS) on a Cisco 11000 series CSS.


This release note contains the following sections:

Features in Software Version 6.10

CSS Standard and Enhanced Feature Sets

Before Upgrading the CSS Software

Script Keepalives and Upgrading WebNS Software

Updating Management Information Base Files (MIBs)

Operating Considerations

CSS Documentation Updates and Corrections

Software Version 6.10.4.05 Open Caveats, Resolved Caveats, and Command Change

Software Version 6.10.3.04 Software Behavioral Changes, Open Caveats, Resolved Caveats, and Command Change

Software Version 6.10.2.03 Software Behavioral Changes, Open Caveats, Resolved Caveats, and Command Changes

Software Version 6.10.1.07 Software Behavioral Changes, Open Caveats, Resolved Caveats, and Command Changes

Software Version 6.10.0.04 Open Caveats, Resolved Caveats, and Command Changes

Obtaining Documentation

Obtaining Technical Assistance

Features in Software Version 6.10

The following new features are supported in software version 6.10:

Graceful service shutdown (refer to the Cisco Content Services Switch Basic Configuration Guide).

SIP aware load balancing (refer to the Cisco Content Services Switch Basic Configuration Guide).

Location cookie (refer to the Cisco Content Services Switch Basic Configuration Guide).

Configurable cookie name (refer to the Cisco Content Services Switch Basic Configuration Guide).

Routable management port (refer to the Cisco Content Services Switch Administration Guide).

Absolute load calculation (refer to the Cisco Content Services Switch Basic Configuration Guide).

Weighted DNS supports weight of zero (refer to the Cisco Content Services Switch Advanced Configuration Guide).

Configurable flow-state table (refer to the Cisco Content Services Switch Administration Guide).

Configuring DNS on a redundant virtual interface (refer to the Cisco Content Services Switch Advanced Configuration Guide).

252-character redirect string (refer to the Cisco Content Services Switch Basic Configuration Guide).

Structured output of show commands (show sorted running-config, show circuit, show service, show service summary, show group, show ip statistics, show critical-services, show virtual-routers, show redundancy. Refer to the Cisco Content Services Switch Command Reference).

New CLI commands (show sticky stats and show sticky table). For details, refer to the Cisco Content Services Switch Command Reference.

Restricted access to the Device Management user interface (refer to the Cisco Content Services Switch Device Management User's Guide).

CSS Standard and Enhanced Feature Sets

The CSS software is available in a Standard or Enhanced feature set. The Enhanced feature set contains all of the Standard feature set and also includes Network Address Translation (NAT) Peering, Domain Name Service (DNS), Demand-Based Content Replication (Dynamic Hot Content Overflow), Content Staging and Replication, and Network Proximity DNS. Proximity Database and SSH are optional features. If you are upgrading from the Standard to the Enhanced feature set or want to activate a CSS software option (for example, SSH Server) that you purchased, refer to the Cisco Content Services Switch Getting Started Guide for information on entering a license key.

Access to the Standard and Enhanced feature sets or the Proximity Database requires that you enter a software license key when you boot the CSS for the first time. If you enter the Proximity Database license key after booting the CSS, you must reboot the CSS before you can configure the Proximity Database so that the CSS can re-allocate memory. For details, refer to the Cisco Content Services Switch Getting Started Guide.

If you configure your CSS for Proximity Database, you cannot use the CSS for load balancing. For details on configuring a Proximity Database, refer to Cisco Content Services Switch Advanced Configuration Guide.

Before Upgrading the CSS Software

Read the following information before you upgrade from software versions 3.xx, 4.xx, or earlier.

If rmon-history data-source commands exist in your current startup-config file, you will receive startup errors when you upgrade the CSS to version 5.00 or 6.10. In versions 5.00 and 6.10, the ifIndex identifier is assigned differently from the way it was assigned in prior software versions. After you upgrade the CSS from a 3.xx, 4.xx, or earlier release to 6.10, you must reenter all rmon-history data-source commands contained in your startup-config file.

If you are upgrading from software version 3.xx to 6.10 and have a 3.xx Enhanced software license key, you must enter a 6.10 Enhanced software license key during the CSS upgrade to 6.10 or you will receive startup errors when you attempt to enter Enhanced CLI commands. If you upgrade the CSS software and do not enter a 6.10 Enhanced license key prior to upgrading to 6.10, use the following procedure to enter the new license key:

a. Use the license command to change the license key.

b. Reboot the CSS without saving the running-configuration.

If you are running SSH on a 3.xx CSS and you have disabled Telnet, you must enable Telnet prior to upgrading the CSS to version 6.10. After you upgrade the CSS to version 6.10, use the license command to enter the SSH license key.

Script Keepalives and Upgrading WebNS Software

When you upgrade the CSS software, the upgrade process creates a new /<current running version>/script directory. You must copy your custom scripts (including custom script keepalives) to the new /<current running version>/script directory so that the CSS can locate them.

Use the following procedure to ensure that your custom script keepalives operate properly after a software upgrade.

1. Upgrade the CSS software. Refer to the Cisco Content Services Switch Administration Guide for software upgrade instructions.

2. Copy the scripts from the old /<current running version>/script directory to the new /<current running version>/script directory.

3. Reboot the CSS.

Updating Management Information Base Files (MIBs)

Cisco recommends that you update the CSS MIBs after you:

Upgrade to a major software release (for example, upgrading from version 5.00 or earlier to version 6.10)

Move to a new CSS hardware platform

Enable a new CSS feature

CSS MIBs are included in the CSS GZIP file. During the software upgrade, the MIBs are loaded into the CSS /mibs directory.

To update the CSS MIBs on your management station after you upgrade the CSS:

1. FTP the MIBs from the CSS MIBs (/v1 or /v2) directory to your management station.

2. Load the MIBs into the management application.

Operating Considerations

The following operating considerations apply to the CSS 11050, CSS 11150, and CSS 11800:

Running scripted keepalives on a CSS results in great variability in CPU utilization.

When a destination in an ACL clause is a Layer 5 content rule, the CSS rejects the TCP SYN and therefore does not spoof the connection. As a workaround, you may configure an additional clause to permit the TCP IP address and port. Be aware that content will be matched on both clauses. For example:

clause 14 permit any any destination content Layer5/L5 eq 80 (original clause)

clause 15 permit tcp any destination 200.200.200.200 eq 80 (additional clause to handle the SYN, where the destination IP address is the IP address configured in the Layer 5 content rule. Note that this clause number must be greater than the destination content clause number.)
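A small configuration check for the workaround above, added here as an example and not part of Cisco's software or this release note: it scans a list of ACL clauses in the two forms shown (destination content, and permit tcp to a VIP) and reports each Layer 5 destination-content clause that lacks a higher-numbered permit tcp clause for the rule's VIP and port. The mapping of content rule name to VIP is assumed to be supplied by the caller, since the rule configuration is not shown here.

```python
import re

# Only the two clause forms from the release note's example are recognised;
# any other clause syntax is ignored rather than guessed at.
CONTENT_CLAUSE = re.compile(
    r"^clause (\d+) permit \S+ \S+ destination content (\S+) eq (\d+)$")
TCP_CLAUSE = re.compile(
    r"^clause (\d+) permit tcp \S+ destination (\d{1,3}(?:\.\d{1,3}){3}) eq (\d+)$")


def missing_syn_clauses(clauses, rule_vips):
    """Return (clause_number, rule_name) for every destination-content clause
    that has no higher-numbered 'permit tcp' clause to the rule's VIP and port.

    clauses:   list of ACL clause strings as shown by the CSS CLI
    rule_vips: dict mapping content rule name -> VIP configured in that rule
               (assumed input; taken from the content rule configuration)
    """
    content = []   # (number, rule name, port)
    tcp = []       # (number, destination ip, port)
    for line in clauses:
        line = line.strip()
        m = CONTENT_CLAUSE.match(line)
        if m:
            content.append((int(m.group(1)), m.group(2), m.group(3)))
            continue
        m = TCP_CLAUSE.match(line)
        if m:
            tcp.append((int(m.group(1)), m.group(2), m.group(3)))

    missing = []
    for num, rule, port in content:
        vip = rule_vips.get(rule)
        # The SYN-handling clause must target the rule's VIP and port AND carry
        # a clause number greater than the destination-content clause.
        covered = any(n > num and ip == vip and p == port for n, ip, p in tcp)
        if not covered:
            missing.append((num, rule))
    return missing


# Constructed sample: the two clauses from the release note and an assumed
# rule-to-VIP mapping for the Layer 5 rule they reference.
SAMPLE_ACL = [
    "clause 14 permit any any destination content Layer5/L5 eq 80",
    "clause 15 permit tcp any destination 200.200.200.200 eq 80",
]
SAMPLE_RULE_VIPS = {"Layer5/L5": "200.200.200.200"}

if __name__ == "__main__":
    for num, rule in missing_syn_clauses(SAMPLE_ACL, SAMPLE_RULE_VIPS):
        print(f"clause {num} ({rule}): no higher-numbered permit tcp clause for its VIP")
```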

There is an operating limit of 100 IP interfaces per configured VLAN for a CSS 11800.

Enabling flows for a particular protocol in the flow-state table does not affect traffic originating from a CSS. For example, a CSS does not set up flows for SNMP traps that it generates even if you have enabled flows for SNMP traps using the flow-state command.

If you configure the flow-disable and nat-disable options of the flow-state command simultaneously on a particular port, content-rule and source-group lookups are no longer available for that port. In this case, the CSS drops packets directed to a VIP address associated with the port and sends an ICMP port unreachable message to the client. The CSS continues to forward packets directed to other IP addresses.

With software version 6.10.0.04 and higher, the dnsflow enable command is obsolete and is no longer available at the CLI. Use the flow-state command and its options instead. The dnsflow disable command has been deprecated. This command now maps to the flow-state 53 udp flow-disable nat-enable command and is upgraded automatically when you upgrade to software version 6.10. For details about the flow-state command, refer to the Cisco Content Services Switch Administration Guide.

With SIP support configured, the CSS implements all the support for this protocol by slow-path processing. As a result, you will see increases in CPU utilization that correspond to the number of SIP transactions (INVITE to BYE) processed per second. For example, on a CSS11150, 500 SIP transactions/second will cause a 50% increase in CPU utilization.

With software version 6.10.0.04 and higher, a change has been made to the ingress data buffer size of 10/100 Ethernet ports to reduce the number of reset operations performed on these ports. A maximum of eight, minimum-sized packets, can now be buffered at ingress on a port. The performance impact of this change will be seen during traffic bursts. If the traffic is UDP, there will be no dropped packets or performance impact. If the traffic is TCP, then certain traffic types will experience dropped packets and a slight increase in TCP retransmissions for those packets.

The CSS does not NAT fragmented IP packets.

You cannot have an SFM and an SFM2 in the same CSS 11800 chassis.

The ethernet-n format for specifying an interface-port in a CSS 11050 or CSS 11150 (for example, ethernet-2) is supported for software releases prior to version 5.00 to ensure backwards-compatibility with CSS startup configurations and scripts.

In software versions prior to 5.00, the CSS 11800 Fast Ethernet Module and Gigabit Ethernet Module Link LEDs are on solid during bootup. In versions 5.00 and 6.10, the Fast Ethernet Module Link LEDs blink rapidly and the Gigabit Ethernet Module Link LEDs are off during bootup.

You cannot configure services learned through APP (that is, remote services) as preferred services in ACL clauses. A remote service learned via APP is of the form ap-redirect@192.168.12.7 and can be seen on the show service summary screen. When you configure an ACL clause, you cannot use this service as a preferred service. If you save this clause in the startup-config and reboot the CSS, a startup error occurs because this service has not been learned through APP at this point. For example:

clause 10 permit any any destination any prefer ap-redirect@192.168.12.7

When you configure firewall load balancing (FWLB), you must configure the VIPs on the CSS that has the services directly connected to it or connected through a Layer 2 device. Do not configure content rules with VIPs on a CSS when the services are located on the other side of the firewall and connected to another CSS participating in FWLB. This type of configuration will result in asymmetric paths and could cause firewalls performing stateful inspection to tear down connections.

The CSS does not support VIP redundancy and box-to-box redundancy simultaneously.

The CSS recognizes and forwards the following HTTP methods directly to the destination server in a transparent caching environment. However, the CSS does not load balance these methods.

RFC-2068: OPTIONS, TRACE

RFC-2518: PROPFIND, PROPPATCH, MKCOL, MOVE, LOCK, UNLOCK, COPY, DELETE

Network boot is not supported on UNIX workstations.

If the upgrade script fails while upgrading the CSS to the same version of software that is currently running, the CSS software directory will be incomplete. To reinstall the software, you must upgrade the CSS manually (that is, FTP the .adi to the CSS and perform a manual unpack).

By default, the CSS does not set up flows if the source or destination port is designated as port 67, 68, 137, 138, 161, 162, 520, or 8089 (UDP only). With version 6.10, you can configure the CSS to set up flows for ports 53, 161, 162, and 5060 using the flow-state command. For details, refer to the Cisco Content Services Switch Administration Guide.

With software version 5.00.045 and higher, flow reclamation is always active. If you find that the CSS reclaims flows too quickly, enter the flow long-lived command in Global configuration mode to delay flow reclamation on a lightly loaded CSS. This command allows long-lived flows to continue even with a large period of inactivity.

You can monitor connection resources with the flow statistics command. The Number of Allocated Flows field shows the total number of connection resources allocated and managed by this processor in multiprocessor platforms. The Number of Free Flows field shows the maximum number of connection resources available on this processor in multiprocessor platforms. This number is based on how much RAM is available after the software image and configuration load.

If you are running software version 5.00 and using the Proximity Database (PDB), do not introduce a CSS running software version 5.02, 5.03, or 6.10 into the proximity mesh. Updates from a version 5.00 Proximity Database to a version 5.02, 5.03, or 6.10 Proximity Database cause the CSS to reboot. To upgrade to version 6.10, you must backup your PDB database to disk, upgrade all devices to 6.10 with the PDB feature disabled, restore the PDB database from disk, then reenable the PDB feature.

A CSS monitors the health of a firewall by sending a custom ICMP keepalive request every second to the remote CSS on the other side of the firewall. If the CSS does not receive a keepalive request from the remote CSS for 3 to 16 seconds (configurable timeout), the CSS declares the firewall path unusable. Neither CSS replies to the other's keepalive request; instead, each CSS transmits its own keepalive request every second, entirely independently of the other CSS.

When developing XML code for the Content Application Program Interface (API) to issue CLI commands, note that the maximum number of characters per each tag set is 300.

An FTP session will time out if it is idle for more than 30 seconds during the login process.

If an HTTP persistent keepalive fails to make a persistent connection, then it attempts to make a non-persistent connection. If the non-persistent connection succeeds, then the keepalive succeeds. At the next interval, the keepalive attempts a persistent connection.

When accessing the CSS OffDM menu from a terminal server, you must configure the client application to display 24 lines to enable the OffDM menu to display properly.

The CSS provides scripted keepalives to support the need for keepalives operations that cannot be handled using non-scripted keepalives. Cisco recommends that you limit I/O operations in a scripted keepalive to socket operations used to probe network connectivity to a server and for determining application health on a server. Although the scripting language supports file I/O on the CSS hard drive or flash drive, Cisco recommends that you do not use file I/O operations within scripted keepalives. Extensive file I/O operations within scripted keepalives may cause services to transition. File system access is allowed in scripts executed from the CLI or from the command scheduler.

When you configure the expiration time and date for a location cookie using the location-cookie expiration command, the CSS CPU may spike and the CSS may experience a degradation in its performance. Configure the expiration option with the location-cookie command only when necessary.

When you configure the arrowpoint-cookie expiration command and the advanced-balance arrowpoint-cookie command, the CSS CPU may spike and the CSS may experience a degradation in its performance. Configure the arrowpoint-cookie expiration command only when necessary.

The following operating considerations apply to the CSS Device Management software.

Use Access Control Lists (ACLs) to restrict device management access to specific IP address and subnets. Note that ACLs do not affect the Ethernet Management port.

Always exit the browser after each device management session to clear the cache.

You must enable JavaScript in your browser for the Device Management software to work.

Navigation tree icons do not always display. The pages function correctly. Open a page by clicking on the corresponding text.

Device Management supports the following browsers:

Microsoft Internet Explorer versions later than 4.0

Netscape Communicator 4.51 and 4.71

Netscape Navigator 4.08

If your Web browser has a bookmark to the Device Management software (software version 4.10 or earlier) that includes a colon (:) and the TCP 8081 management port number at the end of the IP address, the software redirects the address to the correct URL. If your Web browser does not have a bookmark to the Device Management software, be sure to use https:// (not http://) in front of the CSS IP address. For example: https://192.168.3.6.

CSS Documentation Updates and Corrections

The following documentation correction applies to the CSS 11050, CSS 11150, and CSS 11800:

The documentation incorrectly states that you can configure as many SNMP communities as you wish through the snmp community command. You can configure a maximum of five communities.

The following documentation updates apply to the CSS 11050, CSS 11150, and CSS 11800:

Clarification to URL Maximum Length

Troubleshooting RX Errors on an Ethernet Link

Clarification to URL Maximum Length

When you use the url content mode command to specify a Uniform Resource Locator (URL) for content, you enter the URL as a quoted text string with a maximum length of 252 characters. Note that each path defined within the 252-character URL string cannot exceed a maximum length of 32 characters. A URL path comprises all characters between two consecutive slashes (/). In addition, an extension after the "." character cannot exceed 7 characters.

For example, the URL string below includes two paths, with each path less than the 32 character maximum:

(config-owner-content[hospital.html])# "/newbirthannouncements/newbabies/babyfilename.jpg"
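A pre-check for the three limits described above (252 characters overall, 32 per path, 7 per extension), added here as an example and not code from Cisco or this release note. It assumes that the final component of the URL is the file name (not counted as a path) unless the URL ends in a slash, and that the extension is whatever follows the last "." in that file name.

```python
MAX_URL_LEN = 252    # whole quoted URL string
MAX_PATH_LEN = 32    # each path between consecutive slashes
MAX_EXT_LEN = 7      # characters after the last "." in the file name


def check_css_url(url: str) -> list:
    """Return a list of limit violations for a CSS content rule URL string.

    An empty list means the string satisfies all three documented limits.
    """
    problems = []
    if len(url) > MAX_URL_LEN:
        problems.append(f"url length {len(url)} exceeds {MAX_URL_LEN}")

    parts = url.split("/")
    # Assumption: the last component is the file name unless the URL ends
    # with "/", in which case every non-empty component is a path.
    filename = "" if url.endswith("/") else parts[-1]
    path_parts = parts[:-1] if filename else parts
    paths = [p for p in path_parts if p]   # drop empties from leading "/" or "//"

    for path in paths:
        if len(path) > MAX_PATH_LEN:
            problems.append(f"path '{path}' length {len(path)} exceeds {MAX_PATH_LEN}")

    if "." in filename:
        ext = filename.rsplit(".", 1)[1]
        if len(ext) > MAX_EXT_LEN:
            problems.append(f"extension '{ext}' length {len(ext)} exceeds {MAX_EXT_LEN}")

    return problems


if __name__ == "__main__":
    # The release note's own example: two paths, both under 32 characters.
    for problem in check_css_url("/newbirthannouncements/newbabies/babyfilename.jpg"):
        print(problem)
```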

Troubleshooting RX Errors on an Ethernet Link

An Internal RX error on the CSS is a result of the MAC receive FIFO queue becoming oversubscribed with traffic. A CSS port that is oversubscribed with packets is receiving packets faster than it can process them, which generates errors. When the MAC receive FIFO queue becomes full, all new incoming packets are dropped.

This condition causes the Internal Rx Errors counter field in the show ether-errors command display to increment. If the Internal RX Errors value is incrementing rapidly and continuously, then packets are being lost. Internal RX errors may also result from sync loss, delimiter sequence, GMAC drop, and symbol error. To display the RFC1398 32-bit statistics, use the show ether-errors-32 command.

When internal RX errors are occurring, you may observe the following network conditions:

Aggregate port packet counters on devices installed upstream and downstream of the CSS may indicate that more packets or bytes are being sent to the CSS than are actually being passed through it.

Sniffer traces of connections or flows passing through the CSS show a large number of packet retransmissions.

Applications being load balanced by the CSS show increased latency over time as traffic load on the servers increases.

Possible workarounds to prevent oversubscribing the CSS MAC receive FIFO queue include:

Allow only load-balanced traffic to be directed to the CSS. You can achieve this by configuring policy routing on devices external to the CSS.

If the oversubscribed link is a 10/100 port, reconfigure the network to direct traffic to a Gigabit Ethernet port.

If the oversubscribed link is a Gigabit Ethernet port, upgrade to a CSS 11500 Series Content Services Switch (CSS 11501, CSS 11503, CSS 11506) to remove the capacity limitation.

Software Version 6.10.4.05 Open Caveats, Resolved Caveats, and Command Change

The following sections contain the open caveats, resolved caveats, and command change in software version 6.10.4.05:

Open Caveats in Software Version 6.10.4.05

Resolved Caveats in Software Version 6.10.4.05

Command Change in Software Version 6.10.4.05

Open Caveats in Software Version 6.10.4.05

The following caveats apply to software version 6.10.4.05:

CSCeb29602 - The SNMPv1 version of chassisMgrExt.mib and apent.mib may not load correctly in some network management systems.

CSCdy35383 - The Cisco 11000 series CSS MIBs are not posted on CCO. Workaround: Use an FTP program with a graphical user interface to copy the MIBs from the MIBs directory on your CSS to your management station, then load them into the management station.

Resolved Caveats in Software Version 6.10.4.05

The following resolved caveats apply to software version 6.10.4.05:

CSCee00757 - A non-privileged user cannot run the show log sys.log command.

CSCee01321 - The CSS incorrectly accepts an internal service name as a valid service in a content rule if you specify a service weight. When this is configured, you cannot remove the service from the content rule or delete the content rule. Rebooting the CSS does not fix this issue.

CSCef02846 - The CSS may reboot when the primary servers are suspended and the sorry server configuration is used.

CSCee07348 - When you configure the dnsflow disable command and a DNS connection arrives at the CSS and there are no available portmap entries, the CSS may reboot. In R6.10, this functionality is configured using the flow-state command.

CSCee08487 - If the window size advertised in a backend SYN is smaller than the length of the first data segment (for example, HTTP GET), the CSS does not send out the ACK to complete the backend three-way handshake and drops the TCP packet.

CSCee08664 - If the global portmap and restrict snmp commands are both configured when you are running the commit_vip_redundancy script, the script may report a byte count difference of 2 bytes. This does not adversely impact the CSS running-configs.

CSCed09529 - The CSS reboots after it suspends and changes the portmap number of ports to a low number if the group has many open mappings.

CSCdx09860 - If a packet that is carrying an Arrowpoint cookie does not reach a client, the retransmitted packet does not get the Arrowpoint cookie insertion. This may cause a TCP sequence number mismatch, and the packet may also contain unexpected data.

CSCee10975 - The CSS incorrectly discards the unsupported OPTIONS, DELETE, and TRACE methods from a client, causing the client connection to hang until the client sends a RST.

CSCef12205 - When the CSS is configured as a DNS server, each DNS query that has a different name or string allocates memory to store the string associated with the query. If the CSS receives thousands of different DNS queries, it may reboot.

CSCef12699 - When you configure the CSS with host routes, do not remove unreachable host routes that are still on the egress host list if these routes are not a dynamic host entry. Removing these host entries may cause the CSS to reboot.

CSCef19103 - The GUI may cause the CSS to reboot when you access the Content Rule Summary page or the Content Rule Main Summary page if the content rule is DNS-based and the CSS learns the content rule from a peer whose rule name exceeds 32 characters.

CSCef19704 - When using the advanced-balance ssl command, the CSS does not NAT the server hello when no SSL session ID is sent.

CSCef19550 - Running an SSH scanning tool against a circuit IP address may cause the CSS to not allow SSH, telnet, or console access.

CSCee21521 - Under rare circumstances while using LDAP scripted keepalives, the CSS may identify one or more services as down.

CSCef21844 - A cluster corruption causes the NetTask to suspend.

CSCee22762 - TFTP connections to a VIP will time out regardless of whether flow state is enabled.

CSCef22794 - A bypass ACL conflicts with content rules that are configured with advanced-balance sticky-srcip. A sticky entry is created when a client hits a transparent-cache content rule that has advanced-balance sticky-srcip. If an ACL is applied to the circuit that has a bypass configured for that same client, it is ignored and the sticky entry takes precedence. When the ACL is enabled, clients will experience a three to four second latency, and the CE will still see the client requests instead of being bypassed.

CSCee23156 - Forcing content replication using the replicate force command may fail if you move, rename, or delete files on the publisher. This problem typically occurs after an initial synchronization.

CSCee24269 - The CSS does not properly clean up an internal data structure.

CSCee24309 - The CSS was not properly authorizing all commands through the TACACS+ server.

CSCef24443 - The CSS may reboot when it tries to delete a service that has a service index that does not exist. The CSS will now ignore service delete messages with an incorrect service index.

CSCef34041 - The CSS may reboot if you remove an interface and an ARP request is initiated through this interface. The reboot occurs because the nexthop host is not available.

CSCed38114 - When exiting, the DNS name server task was not properly cleaning up its resources, causing "SYSSOFT-4: SYS:SysImmBind:Bind Collision" log messages.

CSCef38127 - The CSS experiences a Flow Control Block leak when you configure it with a Layer 5 content rule using either ssl or arrowpoint-cookie and your network has asymmetric routing on the client side.

CSCee38396 - When you configure the CSS using the cmd-sched command, the first time the CSS executes the cmd-sched record, the CSS may execute the record twice during the first second.

CSCee38740 - When using the script modify command in a scripted keepalive, if the variable to be modified does not exist, the CSS may leak memory.

CSCef39414 - When you use UDP in scripted keepalives, internal resources may not be properly de-allocated.

CSCef39490 - If you configure the CSS with an HTTP keepalive with the method GET and the CSS receives an HTTP chunked keepalive response that contains a SPACE (0x20) in the size field, the CSS may incorrectly mark the service as Down.

CSCee41868 - You will not be able to use SSH to access the CSS after you run the Nessus scan tool on a circuit IP address.

CSCef44604 - An SNMP NEXT of the apListTable using the apListText OID would not work properly.

CSCec45721 - An internal resource leak may cause the CSS to reboot. The reboot is preceded by services going up and down, and log messages reporting: "SYSSOFT-2: VccAllocVc failed".

CSCee49236 - The CSS responds incorrectly for a DNS query type of ANY.

CSCee53027 - The CSS may reboot when it processes the timestamp option in an IP header.

CSCee54803 - The CSS is not learning new ARP entries. A host on the local network is not able to ping the CSS circuit address.

CSCee55703 - The CSS drops approximately 10% of server TCP packets that have the FIN flag set, causing retransmissions.

CSCee56155 - The VIP address range fails to check for VIPs that are already in use on source groups.

CSCee56977 - When firewall load balancing is in use, UDP-based DNS responses from a server may not go through the same firewall as the request from the client.

CSCee59808 - Non-persistent keepalives are reusing source ports too quickly for multiple services that use the same destination IP address and port.

CSCee61578 - Configuring radius-server dead-time 1 causes sockets to leak. An out-of-socket condition causes a keepalive task to crash when the keepalive tries to close a socket that it could not get.

CSCed69094 - Using SSH to connect to the CSS while SSL performance tests are running may cause the Sshd task to suspend.

CSCee70050 - The CSS fails to update reachability information in the route table for the first route entry for a /32 route (host route) that follows an unreachable host entry. An attempt to send traffic to the host described by such an entry may cause the CSS to stop processing traffic indefinitely or cause it to reboot.

CSCef72033 - If you configure the CSS with a DNS server, it would not allow you to configure an IP or VIP address with an invalid format (such as `ip address a.b').

CSCee73098 - The CSS may have a potential memory leak in the route table when using host routes.

CSCed73326 - When the CSS is configured with a scripted keepalive (which does multiple socket sends), the CSS buffers the data from the different socket sends and then sends it out as part of one data packet. The nowait option, added in software version 7.20.4.05, instructs the CSS to immediately send the data from a socket send and not buffer the data from different socket sends.

CSCeb73418 - If a client TCP stack retransmits an original TCP SYN at the same time the original TCP SYN is sent out, the CSS does not detect the retransmitted TCP SYN as a duplicate SYN. The CSS now checks for duplicate SYNs that arrive simultaneously.

CSCee75060 - The CSS may reboot when processing host routes for redistribution to or from OSPF when a host entry (for which an ARP could be resolved) for the IP address is submitted to the route table.

CSCee77663 - When the CSS is configured as a zone-based DNS server and you configure an A-record, but the keepalive has failed for all zones in which the name is configured, and a request is made to the CSS for that name, the CSS may reboot.

CSCee80408 - Using the tacacs-server authorize config or the no tacacs-server authorize config commands cause a memory leak.

CSCed81963 - When you configure a content rule with the no persistent command and globally configure the persistent reset remap command, the urlhash and domainhash load-balancing methods prevent the CSS from performing a server remap when required. The CSS should remap a server when a subsequent HTTP GET on an HTTP 1.1 connection causes a different hash value than the previous GET.

CSCef82714 - When you configure the CSS for VIP/IF redundancy and OSPF and you then run the commit_vip_redundancy script, the ospf as-boundary commands would not be present on the remote CSS.

CSCeb83566 - Fragments sent to the Ethernet management port may cause the CSS to reboot.

CSCee85140 - The CSS stops responding to requests on port 80.

CSCed85319 - When a server response to an HTTP1.1 keepalive request contains a "Connection: keepalive", the CSS incorrectly downgrades the HTTP1.1 keepalive to an HTTP1.0 keepalive.

CSCef86680 - The CSS must have an existing startup-config before generating SSH keys. This requirement has been modified so that SSH keys can be generated on a CSS that does not have a startup-config.

CSCed88058 - When the CSS is configured as a DNS server and a DNS name is configured on a content rule, but all servers for that rule are unavailable, the CSS returns NXDOMAIN for a DNS request. In this situation, the CSS should return SERVERFAIL.

CSCed88075 - When you configure the CSS with the advanced-balance arrowpoint-cookie command, it may incorrectly interpret a server data packet beginning with `PORT' or `227' as an FTP packet. If this occurs, the CSS corrupts the packet because it assumes that FTP is in use.

CSCed89086 - The CSS allows you to remove the redirect command from an active content rule even if no services are configured on the rule. This should not be allowed because services are required on an active content rule that does not contain a redirect.

CSCed89722 - The show virtual-routers command does not show all configured virtual routers.

CSCee94041 - An arrowpoint-cookie does not match on an arrowpoint-cookie name that is less than four characters in length. Names that are four characters in length will work, while name lengths of one to three characters fail even though the CSS accepts the configuration command.

CSCee95633 - If a service is configured with type nci-direct-return and is then added to a content rule configured with advanced-balance sticky-srcip, the NCI options are not set up for flows hitting the content rule.

Command Changes in Software Version 6.10.4.05

Table 1 lists the commands and options that have been added in software version 6.10.4.05.

Table 1 CLI Commands Added in Version 6.10.4.05

Mode
Command and Syntax
Description

All

socket connect host ip_address port number tcp {timeout} {session} {nowait}

The new nowait option for TCP connections causes the socket to send data immediately without waiting to aggregate the data first.

Global

replication file-error retry|skip

Specifies how the CSS handles file errors during content replication. The keywords are:

retry - (Default) Replication pauses while the CSS periodically attempts to replicate a missing file

skip - The CSS skips the missing file and continues the replication process

sshd version v1|v2

no sshd version

Configures the version of SSH protocol that the CSS supports. By default, CSS supports both the SSH v1 and v2 protocols. The keywords are:

v1 - Configures the CSS to support SSH v1 protocol only

v2 - Configures the CSS to support SSH v2 protocol only

To reset the CSS to its default configuration of supporting both the SSH v1 and v2 protocols, enter:

(config)# no sshd version

Table 2 lists the commands and options that have changed in software version 6.10.4.05.

Table 2 CLI Commands Changed in Version 6.10.4.05  

Mode
Command and Syntax
Description

All

show log {log_filename {tail lines} {line-numbers}}

This command is now available in all modes. Previously, this command was not available in User mode.

show log-list

This command is now available in all modes. Previously, this command was not available in User mode.

Group

vip address ip_or_host {range number}

The range for the range number variable changed from 1 to 65353 to 1 to 65535.

Owner-
Content

no arrowpoint-cookie advanced

This command has been removed.

sticky-no-cookie-found-action redirect "URL"

The length of the redirect URL text string changed from 0 to 64 characters to 0 to 252 characters.


Software Version 6.10.3.04 Software Behavioral Changes, Open Caveats, Resolved Caveats, and Command Change

The following sections contain the software behavioral changes, open caveats, resolved caveats, and command change in software version 6.10.3.04:

Software Behavioral Changes in 6.10.3.04

Open Caveats in Software Version 6.10.3.04

Resolved Caveats in Software Version 6.10.3.04

Command Change in Software Version 6.10.3.04

Software Behavioral Changes in 6.10.3.04

The following changes to functionality were made in 6.10.3.04:

MIB file changes

Added a `down' value to aplpv4RedundancyState object in aplpv4.mib.

Added the following new objects in aplpv4Redundancy.mib; aplpv4RedundancyStateTransition, aplpv4RedundancyEventText, aplpv4RedundancyVROperState, aplpv4RedundancyVRFailReason.

Deprecated aplpv4RedundancyVRState in aplpv4Redundancy.mib.

SNMP trap changes

The aplpv4RedundancyTrap trap is now only sent when a state transition occurs in a box-to-box redundancy configuration. It is no longer sent out in a VIP redundancy configuration.

The aplpv4RedundancyStateTransition trap is sent when a state transition occurs in a VIP redundancy configuration. Note that because of a bug, this trap is not sent out when the virtual router transitions from master to backup due to an interface going down.

Show screen changes

The State field in the show redundancy command display now contains `Down' when the CSS loses its critical resource. Prior to this change, the State field would display either `Master' or `Backup'.

The State field in the show virtual-routers command display no longer displays `IF Down' or `No Service'. It now displays `Down' when the virtual router is in the Down state.

The show virtual-routers command display contains a new `Fail Reason' field, which displays the reason that causes the virtual router to be in the Down state. Possible values for this field are `No Failure', `IF Down', and `No Service'.

Log message change

The virtual router state transition log message has changed. When the CSS is configured for box-to-box redundancy, this message is logged under the Redundancy subsystem instead of the VRRP subsystem. For example: `SNMP Trap Vrouter 127.16.1.2 change to state MASTER'.

When VIP Redundancy is configured, this message is logged under the IPV4 subsystem. This log message also contains VRID information. For example:
`SNMP Trap Vrouter 127.16.1.2, VRID 3 change to state MASTER'.

Open Caveats in Software Version 6.10.3.04

The following caveats apply to software version 6.10.3.04:

CSCed09529 - The CSS reboots after you suspend and change the portmap number of ports to a low number and the group experiences many open mappings.

CSCeb29602 - The SNMPv1 version of chassisMgrExt.mib and apent.mib may not load correctly in some network management systems.

CSCdy35383 - The Cisco 11000 series CSS MIBs are not posted on CCO. Workaround: Use an FTP program with a graphical user interface to copy the MIBs from the MIBs directory on your CSS to your management station, then load them into the management station.

CSCed38249 - When a CSS receives multiple load reports for a GSLB service, the reported load may be incorrect. The CSS may receive multiple load reports for a service if the load reports are received from a pair of CSSs that have a redundant VIP configured for the service.

CSCed55094 - The CSS may not insert arrowpoint-generated cookies into HTTP request packets even if you configured the arrowpoint-cookie command.

CSCed72817 - The LogPrintAgent task may suspend, which causes the CSS to reboot.

CSCed81963 - When you configure a content rule with the no persistent command and globally configure the persistent reset remap command, the urlhash and domainhash load-balancing methods prevent the CSS from performing a server remap when required. The CSS should remap a server when a subsequent HTTP GET on an HTTP 1.1 connection causes a different hash value than the previous GET.

CSCed85319 - When a server response to an HTTP1.1 keepalive request contains a "Connection: keepalive", the CSS incorrectly downgrades the HTTP1.1 keepalive to an HTTP1.0 keepalive.

CSCed88075 - When you configure the CSS with the advanced-balance arrowpoint-cookie command, it may incorrectly interpret a server data packet beginning with `PORT' or `227' as an FTP packet. If this occurs, the CSS corrupts the packet because it assumes that FTP is in use.

CSCed89017 - The CSS may not use service weights configured in a content rule when you also use the balance aca command. Workaround: Remove the weight configuration from the content rule and add it to the services configuration.

CSCed89086 - The CSS allows you to remove the redirect command from a content rule even if no services are configured on the rule. This should not be allowed because services are required on an active content rule that does not contain a redirect.

CSCed89722 - The show virtual-routers command does not show all configured virtual routers.

Resolved Caveats in Software Version 6.10.3.04

The following resolved caveats apply to software version 6.10.3.04:

CSCee01234 - A new vulnerability in the OpenSSL implementation for SSL was announced on March 17, 2004. An affected network device running an SSL server based on an affected OpenSSL implementation may be vulnerable to a Denial of Service (DoS) attack. Workarounds that mitigate the effects of this vulnerability on Cisco products are described in the workaround section of the advisory. Cisco is providing fixed software, and recommends that customers upgrade to it when it is available. This advisory will be posted at http://www.cisco.com/warp/public/707/cisco-sa-20040317-openssl.shtml.

CSCed01770 - When you configure the CSS for Global Server Load Balancing (GSLB) and use the dns-record a kal-ap threshold command (with the threshold default of 254) and the CSS receives NXDOMAIN responses for a dns-record with a content rule that contains only one service and that service reaches a load level of 254, the CSS does not transition down the service.

CSCed06619 - The CSS may reboot when configured for ACLs and source groups if the source groups can be matched on both an ACL clause and the add service command configuration on a source group. The reboot may occur when an active FTP data channel is opened that hits the ACL.

CSCed20671 - The string range command searches on one less byte than the range maximum. The range should be 1 to 100, but the CSS only searches on a range of 1 to 99.

CSCed21769 - Using VIP and interface redundancy in one Global Server Load Balancing (GSLB) site and using a single CSS in another GSLB site causes the load to be reported incorrectly after you suspend and activate a content rule.

CSCed29953 - The CSS does not set up flows for TCP port 520.

CSCed39121 - When you run the commit_redundancy or commit_vip_redundancy scripts, the OSPF area settings on the circuit may be removed from the remote CSS.

CSCdz42482 - If you configure a content rule with advanced-balance sticky-srcip or advanced-balance sticky-srcip-dstport and a TCP or UDP packet with a source IP address of 0.0.0.0 matches on the rule, the CSS reboots.

CSCec45381 - When the Resource Manager Essentials (RME) software 3.5 performs a config archive and uses SSH login to the CSS, it performs the archive successfully, but generates the following two messages in the sys.log:

******* 
SEP 29 10:53:44 1/1 361 NETMAN-4: Accepted without authentication for admin from 
172.16.123.78 port 59514 
SEP 29 10:53:46 1/1 366 NETMAN-4: Disconnecting: Corrupted checked bytes on input. 
******* 

CSCed45747 - The CSS 11000 Series Content Services Switches are vulnerable to a Denial of Service (DoS) attack caused by malformed UDP packets received over the management port. This vulnerability is documented as Cisco bug ID CSCed45747. There is no workaround available to mitigate the effects of this vulnerability. Cisco is providing fixed software, and recommends that customers upgrade to it. This advisory will be posted at http://www.cisco.com/warp/public/707/cisco-sa-20040304-css.shtml.

CSCed51417 - The CSS considers a service to be down if the service is configured with an HTTP keepalive and the only response from the keepalive is HTTP/1.0 200OK. The CSS should interpret this as a valid response to an HTTP keepalive and consider the service as up. Workaround: Configure the service keepalive type as non-persistent using the keepalive type http non-persistent command.

CSCed51715 - In a VIP and virtual interface redundancy configuration, if you configure a virtual router (VR) on the local CSS but not on the remote CSS when you run the commit_VipRedundConfig script, the script copies the local VR and its priority to the remote CSS. Because both the local and the remote VRs now have the same priority, priority is not used to determine the master. In this case, the CSS with the lower IP address becomes the master. If you want to determine mastership based on priority, then manually configure the remote CSS priority as desired.

CSCed52186 - You can configure a Layer 5 content rule on the CSS to cause the backend connection to be spoofed. If a client sends a spanned content request using an HTTP header that spans four or more packets, the server's TCP SYN/ACK may come in on a different port from the one on which the original backend TCP SYN was sent. This causes the CSS to miss the TCP ACK for the first two packets of the spanned content request, and three seconds later, reset the connection.

CSCed52992 - When doing an SNMP NEXT through the apSvcTable from the svcExt.mib, the CSS SCM CPU may spike to high levels and remain high for long periods of time. This issue is related to the number of configured services.

CSCed57712 - RSH (Remote Shell) through the CSS does not function because source port NAT'ing interferes with it.

CSCed58756 - If you configure the CSS for a SuperUser account with a password of 123456, the SuperUser is allowed access to the CSS if they enter 1234567 as the password. This problem exists only with passwords that contain a number of characters that are divisible by 8.

CSCed62063 - SSH sessions are not being cleared, which causes new sessions to be blocked.

CSCed64614 - The ap-kal-dns keepalive script fails when used with the dnsflow disable command and you add a service to a source group. The workaround is to remove the DNS server from the source group.

CSCec68054 - For sticky mechanisms (for example, SSL and source IP address) that use the sticky table, the CSS may delete entries when location cookie processing determines that the request should be forwarded to a remote site.

CSCed76105 - The show sticky-stats command was added to the showtech diagnostic script to provide information on the CSS sticky database.

CSCed74244 - If the DNS forwarder feature is configured and you enter debug mode and issue the dns setFwdKal 0 command, the CSS reboots. A value of 0 is invalid for the dns setFwdKal command.

CSCed75430 - Using an incomplete MIB variable for the sample-variable command in (config-rmonalarm) mode may cause the CSS to reboot.

CSCed76182 - Issuing the no app-udp ? command may cause the CSS to reboot.

CSCed76755 - If the CSS Ethernet Management port does not have a subnet mask configured on it (or is configured to the default 0.0.0.0), the CSS will not be able to respond to DNS queries. Workaround: Configure an IP address and a subnet mask on the Ethernet Management port.

CSCec86501 - When a script contains a quoted string that is greater than 255 characters and is used by a scripted keepalive, the CSS reboots.

CSCec89210 - When you configure a CSS with a static route that is identical to a learned OSPF route (network LSA), the OSPF route correctly takes precedence. However, if the CSS loses the OSPF route, the blackhole route is not injected into the routing table.

CSCed90714 - The CSS was not properly populating the fields in the show rmon, show ether-errors, and show mibii displays. Having the fields properly populated now enables you to trigger RMON alarms for network problems, if RMON is configured.

Command Change in Software Version 6.10.3.04

The content configuration mode no advance-balance command has been changed to no advanced-balance.

Software Version 6.10.2.03 Software Behavioral Changes, Open Caveats, Resolved Caveats, and Command Changes

The following sections contain the software behavioral changes, open caveats, resolved caveats, and command changes in software version 6.10.2.03:

Software Behavioral Changes in 6.10.2.03

Open Caveats in Software Version 6.10.2.03

Resolved Caveats in Software Version 6.10.2.03

Command Changes in Software Version 6.10.2.03

Software Behavioral Changes in 6.10.2.03

The following changes to functionality were made in software version 6.10.2.03:

The CSS no longer bridges Cisco Discovery Protocol (CDP) multicast packets.

The CSS incorrectly allowed you to configure the content rule configuration options location-cookie name and arrowpoint-cookie name to the same value. The CSS no longer allows you to configure both options to the same value on the same content rule. This change may cause a startup error.

The show tacacs-server display has the following new Per-Server Configuration fields:

Key - Shared secret used by the TACACS+ server

Server Timeout - The amount of time the CSS waits for a response from the server.

Server Frequency - The keepalive frequency for the specified TACACS+ server.

The show tacacs-server screen display also has a new Global Configuration field: Global KAL Frequency. This field defines the global keepalive frequency in seconds.

All global tacacs-server parameters (frequency, key, and timeout) take effect immediately when configured. You no longer need to remove and re-add servers for these parameters to take effect. Also, you may configure these parameters in any order.

When the CSS detects a duplicate IP address on the network, it displays a log message. Duplicate IP addresses occur when VRRP is transitioning from the master CSS to the backup CSS. It is normal to see messages indicating this condition. To assist in recognizing VRRP transitions, the following new log messages were added to the Duplicate IP log message:

Virtual Router <vrid> on interface <ip address> entering into VRRP negotiation

Virtual Router <vrid> on interface <ip address> exiting out of VRRP negotiation
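The two message formats above, together with the virtual router state transition messages described under the 6.10.3.04 log message change (`SNMP Trap Vrouter ... change to state MASTER` with or without a VRID), are the only record of a VIP redundancy failover when the SNMP trap is not sent (the note above on the interface-down case). The following parser, added here as an example and not part of this release note or of the CSS software, extracts both message kinds from sys.log text and reports which virtual routers ended in the BACKUP state. The sample lines are constructed in the `MON DD HH:MM:SS slot/sub seq SUBSYS-LEVEL: message` shape the note uses for its sys.log excerpt; the `REDUNDANCY` and `IPV4` tags are an assumed spelling of the Redundancy and IPV4 subsystems named in the text.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample log; the subsystem tags REDUNDANCY and IPV4 are assumptions.
SAMPLE_LOG = """\
OCT 02 09:15:01 1/1 412 REDUNDANCY-4: SNMP Trap Vrouter 127.16.1.2 change to state MASTER
OCT 02 09:15:07 1/1 413 IPV4-4: Virtual Router 3 on interface 10.10.1.1 entering into VRRP negotiation
OCT 02 09:15:09 1/1 414 IPV4-4: SNMP Trap Vrouter 127.16.1.2, VRID 3 change to state MASTER
OCT 02 09:15:10 1/1 415 IPV4-4: Virtual Router 3 on interface 10.10.1.1 exiting out of VRRP negotiation
OCT 02 09:15:11 1/1 416 NETMAN-4: Accepted without authentication for admin from 172.16.123.78 port 59514
OCT 02 09:20:00 1/1 417 IPV4-4: SNMP Trap Vrouter 127.16.1.2, VRID 3 change to state BACKUP
"""

# Generic sys.log line: timestamp, slot/subslot, sequence number, SUBSYS-LEVEL, message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z]{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ \d+ (?P<subsys>[A-Z0-9]+)-\d: (?P<msg>.*)$")
# Box-to-box form carries no VRID; the VIP redundancy form adds ", VRID n".
STATE_RE = re.compile(
    r"^SNMP Trap Vrouter (?P<vr>[0-9.]+)(?:, VRID (?P<vrid>\d+))? change to state (?P<state>[A-Z]+)$")
# Duplicate-IP companion messages that bracket a VRRP negotiation.
NEGOT_RE = re.compile(
    r"^Virtual Router (?P<vrid>\d+) on interface (?P<ip>[0-9.]+) "
    r"(?P<dir>entering into|exiting out of) VRRP negotiation$")


@dataclass
class VrrpEvent:
    ts: str
    kind: str              # "state" or "negotiation"
    vrid: Optional[int]    # None for the box-to-box message, which has no VRID
    detail: str            # new state, or "entering" / "exiting"


def parse_event(line: str) -> Optional[VrrpEvent]:
    """Return a VrrpEvent for the two redundancy message formats, None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    msg = m["msg"]
    s = STATE_RE.match(msg)
    if s:
        vrid = int(s["vrid"]) if s["vrid"] else None
        return VrrpEvent(m["ts"], "state", vrid, s["state"])
    n = NEGOT_RE.match(msg)
    if n:
        return VrrpEvent(m["ts"], "negotiation", int(n["vrid"]), n["dir"].split()[0])
    return None


def summarize(log_text: str) -> dict:
    """Collect state transitions, negotiation markers, and VRs whose last state is BACKUP."""
    events = [e for e in map(parse_event, log_text.splitlines()) if e]
    last_state = {}
    for e in events:
        if e.kind == "state":
            last_state[e.vrid] = e.detail
    return {
        "transitions": [(e.ts, e.vrid, e.detail) for e in events if e.kind == "state"],
        "negotiations": [(e.ts, e.vrid, e.detail) for e in events if e.kind == "negotiation"],
        "demoted": [k for k, v in last_state.items() if v == "BACKUP"],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

A MASTER to BACKUP transition that is not bracketed by an entering/exiting negotiation pair is the case worth alerting on, since the note above states that the trap is not sent for the interface-down transition.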

Open Caveats in Software Version 6.10.2.03

The following caveats apply to software version 6.10.2.03:

CSCed06619 - The CSS may reboot when it performs task fmPeerMsgTask.

CSCed09529 - The CSS reboots after you suspend and change the portmap number of ports to a low number and the group experiences many open mappings.

CSCed21769 - Using VIP and interface redundancy in one Global Server Load Balancing (GSLB) site and using a single CSS in another GSLB site causes the load to be reported incorrectly after you suspend and activate a content rule.

CSCea25171 - In a content rule-based Global Server Load Balancing configuration in which two CSSs are in an APP session exchanging domain information where CSS-A is configured with www.a.com, www.b.com, and www.c.com (in the same content rule) and CSS-B is configured with only www.a.com and www.b.com, CSS-B incorrectly believes that it has www.c.com configured locally (because it learned about www.c.com from its peer). When CSS-B is queried for www.c.com, it returns its local VIP as well as the remote VIP. Because www.c.com is not configured on CSS-B, CSS-B should return only the remote VIP.

CSCeb29602 - The SNMPv1 version of chassisMgrExt.mib and apent.mib may not load correctly in some network management systems.

CSCdy35383 - The Cisco 11000 series CSS MIBs are not posted on CCO. Workaround: Use an FTP program with a graphical user interface to copy the MIBs from the MIBs directory on your CSS to your management station, then load them into the management station.

CSCec81039 - The flow statistics command displays invalid active flow counts per port. The counts increase, but do not decrease.

Resolved Caveats in Software Version 6.10.2.03

The following resolved caveats apply to software version 6.10.2.03:

CSCec01380 - The CSS sends 302 redirects with an incorrect URL in response to a CONNECT.

CSCeb12522 - On a CSS configured as a PDB, the PDB functionality may hang. To recover, you must reboot the CSS. This situation occurs when you issue the proximity commit ftp command and the FTP server does not allow PUT.

CSCec16679 - SNMP lexicographical ordering is incorrect in various MIB locations.

CSCec16689 - When you configure a blackhole route to the same IP subnet on which a firewall route has as its next hop, shutting down the IP interface or unplugging the cable from the interface to that next hop may cause the CSS to reboot.

CSCec17121 - When disabling the dns-server, the console or a telnet session may lock up.

CSCec22850 - At the -more- prompt, data that you enter may overrun an internal buffer causing memory corruption. This may cause the CSS to reboot.

CSCec26257 - A change has been made to the size of an internal storage array to prevent memory from being overwritten when the CSS tries to insert a set-cookie in a response containing arrowpoint cookies that is going back to a client.

CSCeb28300 - When you configure the CSS with multiple trap hosts, traps are sent only to the first host in the configuration.

CSCec28308 - The CSS sends mails with a line feed (\n) that does not contain a preceding carriage return (\r). This causes mail to be rejected by qmail.

CSCec28779 - If you configure the CSS for location cookie, it may overrun a stack variable when checking the location cookie name.

CSCec30587 - SSHv1 connections into the CSS leak 3277 bytes of memory. Over time, the CSS may run low on memory.

CSCec32131 - If you configure the arrowpoint-cookie name command on the CSS and issue the no owner command, the CSS generates an error. The only method to fix this error is to recreate the owner and the content rule, and then issue the no arrowpoint-cookie name command.

CSCec35690 - New vulnerabilities in the OpenSSH implementation for SSH servers have been announced. An affected network device, running an SSH server based on the OpenSSH implementation, may be vulnerable to a Denial of Service (DoS) attack when an exploit script is repeatedly executed against the same device. There are workarounds available to mitigate the effects of these vulnerabilities. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20030917-openssh.shtml.

CSCec48758 - OSPF only advertises a VIP host route if regular services are active. If regular services are not active and the Primary Sorry Server is active, the VIP route is not advertised. This issue prevents access to the Sorry Server.

CSCec49123 - When the CSS cannot forward a packet because of an unresolved ARP, the buffer in which the packet was received may leak when the ARP times out.

CSCec51908 - If you use the location-cookie command and the client does not have a location cookie, the CSS does not properly use the advanced-balanced load-balancing methods. The CSS instead applies the roundrobin load-balancing method.

CSCec58376 - If you have a static ARP entry using an IP address that is identical to a circuit IP address, the CSS reboots. Static ARP entry IP addresses, circuit IP addresses, and source group IP addresses must all be unique. The CSS does not allow you to configure identical IP addresses for these configuration parameters.

CSCeb59280 - The CSS does not allow you to configure a source group VIP as a redundancy VIP unless you associate the VIP to a content rule.

CSCec59890 - When a CSS is configured with persistent reset remap and a Layer 5 content rule configured with no persistent, advanced-balanced cookies, and sticky-no-cookie-found-action and receives on a persistent connection an HTTP GET with no cookie, it does not re-load balance to select a new service. The CSS keeps the connection on the previous sticky server, which is incorrect.

CSCec61445 - When you upgrade a CSS 11000 series CSS from a 5.00.x.xx software release to a 6.10.0.xx software release, configured static routes with destinations that overlap the IP subnet directly connected to the Ethernet management port are not configured, but are instead displayed in the startup-error display.

CSCec65391 - The CSS does not deny traffic when an ACL is configured with the deny or prefer options.

CSCea66182 - The Device Management user interface may become inaccessible after one to three days. There is no response to a TCP SYN or to an SSL client Hello. Workaround: Reboot the CSS.

CSCeb73456 - When a link transition occurs, the CSS marks the entries associated with that link interface as unreachable. But when the link comes back up, the CSS does not ARP for the entries, so the entries do not come back up.

CSCec73591 - The show ip forwarding debug mode command may cause the CSS to reboot if the table is too large. In addition, the data displayed may be incomplete.

CSCec73612 - The CSS reboots when OSPF submits greater than 15 equal cost routes to a single destination.

CSCec74453 - CDP packets are bridged by the CSS, but they should not be bridged.

CSCeb77234 - After the CSS experiences a transition in a VIP redundancy configuration, UDP flows initiated from a backend server are unNAT'd.

CSCec80040 - If you configure the CSS using the advanced-balance method (which uses the sticky table) and the calculated sticky hash key is zero, the CSS reboots.

CSCec80913 - An SNMP NEXT of the apChassisMgrExtSubModuleTable causes the CSS to reboot if you use an invalid slot/subslot to index the table.

CSCec82104 - If you configure a CSS Gigabit Ethernet port for trunking, the lowest number VLAN associated with the trunked port will be down if you do not configure an IP address for the circuit. In this case, the CSS does not report RMON statistics and the show rmon command shows all zeros. In addition, the flow port and flow details debug mode commands return an error.

CSCec83790 - If the TACACS server is in a DYING state, new authentication requests fail.

CSCec85000 - The CSS does not perform lookups with a suffix appended to a requested name even if you configure a dns suffix.

Command Changes in Software Version 6.10.2.03

Table 3 and Table 4 list the commands and options that have been added or changed in software version 6.10.2.03.

Table 3 CLI Commands Added in Version 6.10.2.03 

Mode
Command and Syntax
Description

Global

ip management no-icmp-redirect

no ip management no-icmp-redirect

The no-icmp-redirect option configures the CSS to discard ICMP redirect packets on the Ethernet management port. By default, the Ethernet management port accepts all incoming ICMP redirect packets. Use the no form of this command to reset the default behavior of accepting ICMP redirect packets on the Ethernet management port.

If you do not configure static routes for the Ethernet management port, the CSS disregards any ICMP redirects. However, when you configure static routes for the Ethernet management port, the CSS incorporates the ICMP redirects as entries in the routing table.

To enhance security on the CSS when you configure static routes on the Ethernet management port, we strongly recommend that you configure the CSS Ethernet management port to discard ICMP redirects.

The Ethernet management port never transmits an ICMP redirect. If you remove a static route when the Ethernet management port is configured to accept ICMP redirect packets, the CSS removes the router entry created by the ICMP redirect associated with the static route from the routing table.


tacacs-server send-full-command

no tacacs-server send-full-command

The send-full-command option expands user-executed abbreviated commands to their full command syntax before the CSS sends them to the TACACS+ server.

Use the no form of the command to reset the default CSS behavior of sending user-executed commands exactly as entered to the TACACS+ server without expanding abbreviated commands.


Table 4 CLI Commands Changed in Version 6.10.2.03

Mode
Command and Syntax
Description

All

show sorted running-config

This command has been re-added to this release.

Global

dns-server load variance number

The variance number default changed from 50 to 255 and its range changed from 0 to 254 to 0 to 255.

Header-field-group

header-field name field_type operator {header_string {contain|not-contain|equal|not-equal {"header_string"}}}

You can no longer enter a carriage return after the contain|not-contain|equal|not-equal options. You must enter a quoted header string name to complete the command. Then enter a carriage return.

Interface and VLAN

bridge port-priority

The port-priority option has replaced the priority option.


Software Version 6.10.1.07 Software Behavioral Changes, Open Caveats, Resolved Caveats, and Command Changes

The following sections contain the software behavioral changes, open caveats, resolved caveats, and command changes in software version 6.10.1.07:

Software Behavioral Changes in Version 6.10.1.07

Open Caveats in Software Version 6.10.1.07

Resolved Caveats in Software Version 6.10.1.07

Command Changes in Software Version 6.10.1.07

Software Behavioral Changes in Version 6.10.1.07

The following sections describe changes to functionality in software version 6.10.1.07:

Increased Number of SSH Sessions

Enhancements to the Absolute Load Calculation Functionality

Enhancements to OSPF Functionality

Increased Number of SSH Sessions

The number of supported simultaneous SSH clients has increased from 3 to 5 in software version 6.10.1.07.

Enhancements to the Absolute Load Calculation Functionality

In a GSLB environment with the absolute load calculation method configured, if a service exceeds its maximum connections limit, exceeds the local load threshold, or has a configured weight of 0 (to gracefully shut down), a CSS does not consider the load for that service in the calculation of reported load average for one or more content rules. This behavior results in more accurate load average reporting for APP, kal-ap, and kal-ap-vip.

When using the weight command in service mode to specify the relative weight of the service, note that when you configure the absolute load calculation method on a CSS and then set a weight of zero on a service, the CSS does not include the load of that service in any content rule load that the CSS advertises.

When using the service mode max connections command, note that when you configure the absolute load calculation method on a CSS and a service exceeds the configured maximum number of connections, the CSS does not include the load of that service in any content rule load that the CSS advertises.

When using the service mode load threshold command to define the global load number, note that if you configure the absolute load calculation method on a CSS and a service exceeds its configured global load threshold, the CSS does not include the load of that service in any content rule load that the CSS advertises.

Enhancements to OSPF Functionality

The CSS OSPF functionality now examines configuration parameters (such as, service configurations in content rules, keepalive behavior, VIP redundancy configurations, and whether services are active or suspended) to make accurate advertisement decisions on VIPs.

Specified routes related to VIPs are only advertised if both of the following conditions are true:

1. At least one of the related VIPs in a content rule or source group is active.

2. At least one service related to an active VIP is available on a content rule.

If you configured the CSS for box-to-box redundancy, be aware that only the master CSS (not the backup CSS) advertises the VIP.

It is recommended that you use the /32 prefix in the ospf advertise command to specify VIPs individually. Specifying entire subnets does not enable the CSS to make proper decisions on advertising the VIPs. The advertisement must match or fit entirely within a VIP range to make proper decisions. If the ospf advertise IP address range and the VIP range overlap, or the ospf advertise range encapsulates (that is, is larger than) or doesn't match the VIP range, then the route is advertised unconditionally.
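The decision described above, as an added example that is not Cisco's code: it models the two advertisement conditions, the master-only rule for box-to-box redundancy and the "fit entirely within a VIP range" rule, and shows why a whole-subnet advertisement goes out regardless of service state. The class and function names, the is_master handling and the sample VIPs are constructed assumptions for illustration.

```python
"""Added example, not Cisco's code: a model of the OSPF VIP advertisement
decision described in the release note. Class/function names and the
sample VIPs are constructed; the backup-never-advertises rule is applied
only to routes that match a VIP range (an assumption)."""

from dataclasses import dataclass, field
from ipaddress import IPv4Network
from typing import List


@dataclass
class Service:
    name: str
    alive: bool  # keepalive reports the service up and it is not suspended


@dataclass
class Vip:
    network: str                 # VIP address or range, e.g. "192.168.11.1/32"
    active: bool                 # owning content rule / source group is active
    services: List[Service] = field(default_factory=list)

    def __post_init__(self):
        self.net = IPv4Network(self.network)


def related_vips(route: str, vips: List[Vip]) -> List[Vip]:
    """VIP ranges that the ospf advertise route matches or fits entirely within.

    A route that merely overlaps a VIP range, or is larger than it, is not
    related to that VIP and falls into the unconditional path below."""
    r = IPv4Network(route)
    return [v for v in vips if r.subnet_of(v.net)]


def should_advertise(route: str, vips: List[Vip], is_master: bool = True) -> bool:
    """Return True if the CSS would advertise `route` into OSPF."""
    related = related_vips(route, vips)
    if not related:
        # No VIP range contains the route: advertised unconditionally, so the
        # service state cannot suppress it (why the note recommends /32).
        return True
    if not is_master:
        # Assumption: in box-to-box redundancy only the master advertises VIPs.
        return False
    active = [v for v in related if v.active]                     # condition 1
    available = any(s.alive for v in active for s in v.services)  # condition 2
    return bool(active) and available


def scenario_results() -> dict:
    """Constructed scenarios showing how the decision changes with service state."""
    healthy = Vip("192.168.11.1/32", True, [Service("web1", True), Service("web2", False)])
    all_down = Vip("192.168.11.2/32", True, [Service("web3", False)])
    suspended = Vip("192.168.11.3/32", False, [Service("web4", True)])
    vips = [healthy, all_down, suspended]
    return {
        "healthy /32": should_advertise("192.168.11.1/32", vips),
        "all services down /32": should_advertise("192.168.11.2/32", vips),
        "rule suspended /32": should_advertise("192.168.11.3/32", vips),
        "backup unit": should_advertise("192.168.11.1/32", vips, is_master=False),
        # /24 is larger than every VIP range, so it goes out regardless of state
        "whole subnet /24": should_advertise("192.168.11.0/24", vips),
    }


if __name__ == "__main__":
    for name, decision in scenario_results().items():
        print(f"{name:25s} -> {'advertise' if decision else 'withhold'}")
```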

The following flow chart shows the steps required for OSPF to advertise an IP address. If the IP address is a VIP, the flowchart shows the conditions that must be met for OSPF to advertise the VIP.

Open Caveats in Software Version 6.10.1.07

The following open caveats apply to software version 6.10.1.07:

CSCec01157, CSCec22850 - At the -more- prompt, data that you enter may overrun an internal buffer causing memory corruption. This may cause the CSS to reboot.

CSCec01380 - The CSS sends 302 redirects with an incorrect URL in response to a CONNECT.

CSCeb12522 - On a CSS configured as a PDB, the PDB functionality may hang. To recover, you must reboot the CSS. This situation occurs when you issue the proximity commit ftp command and the FTP server does not allow PUT.

CSCec13239 - The CSS generates unnecessary ARP requests.

CSCeb28397 - If you issue the redundancy force-master command multiple times when running the CSS box-to-box redundancy feature, the backup CSS may not bring down its interfaces correctly. The new master CSS logs a duplicate IP address. The backup CSS shows the circuit as disabled, but the IP address is still listed. The master CSS continues to log duplicate IP addresses from the backup CSS until you reboot the master CSS.

CSCec30587 - SSHv1 connections into the CSS leak 3277 bytes of memory. Over time, the CSS may run low on memory.

CSCdy35383 - The Cisco 11000 series CSS MIBs are not posted on CCO. Workaround: Use an FTP program with a graphical user interface to copy the MIBs from the MIBs directory on your CSS to your management station, then load them into the management station.

CSCec63067 - The show sorted running-config command was inadvertently removed from the CSS CLI.

CSCea66182 - The Device Management user interface may become inaccessible after one to three days. There is no response to a TCP SYN or to an SSL client Hello. Workaround: Reboot the CSS.

Resolved Caveats in Software Version 6.10.1.07

The following resolved caveats apply to software version 6.10.1.07:

CSCeb04691 - When a SSHv2 session terminates improperly, the CSS may reboot.

CSCec01457 - The CSS may reboot when you issue the no trunk command.

CSCeb01623 - The CSS does not fail over to the DNS secondary server if the DNS primary server is unable to resolve a hostname. The dns primary command pings the DNS server to see if the device is alive. However, the command does not resolve a hostname to see if the DNS service is alive. Thus, when the CSS can ping the DNS primary server, but it cannot resolve a hostname, it never fails over to the DNS secondary server. Now the CSS queries each configured server IP address (even if DNS name server is not operational on that device) until two attempts have been made for each server, or one of the servers responds with an answer or a DNS error.

CSCec01994 - The Cisco CSS 11800 platform may reload when a heavy storm of TCP SYN packets is sent to the circuit address of the CSS. This problem is seen on the 5.0.2.03 and 6.10 Build 4 versions and is specific to the 11800 platform. It does *not* affect the 11150 and 11050 platforms. Workaround: Using ACLs on an upstream router to protect the circuit address is recommended as a prevention measure. For example, the command access-list 116 deny tcp any <circuit address of CSS> can be used on an upstream router in combination with applying the access-group to an outgoing interface to deny TCP to circuit addresses on the CSS. This bug was also publicly documented on the Bugtraq mailing list: http://www.securityfocus.com/archive/1/336580.

CSCec02038 - If you configure the CSS using the flow-state command to prevent the CSS from setting up flows for DNS and SIP traffic, the CSS may not forward responses from the server to the client and may erroneously send ICMP unreachable to the server.

CSCeb02395 - When you configure CSS services with the max connections command and Layer 5 content rules using advanced-balance arrowpoint-cookies, on a persistent connection, the CSS checks the service max connection value for each HTTP GET from the client. The CSS should perform the max connection check for the first non-persistent HTTP GET and only again if the physical server changes.

CSCec04009 - The apLogSubSystemTable from the logExt.mib was not returned in SNMP lexicographical order, which caused an error when attempting a SNMP walk on the enterprises OID.

CSCec04320 - An SNMP walk of the apSvcTable does not always return all configured services.

CSCdz05912 - Under conditions when APP sessions go up and down rapidly, a race condition may occur that leads to file descriptor reuse causing the CSS to reboot.

CSCeb08366 - If you configure the CSS with advanced-balance url or advanced-balance cookieurl, the string-range parameter has no effect.

CSCea08822 - ARP entries are not being updated for hosts that are located one hop away from the CSS when the outgoing interface transitions. This fix prevents OSPF from adding a route to the routing table when its next hop address is equal to an existing IP interface or redundant interface address configured on the CSS. This fix does not solve the problem that occurs when an interface is configured with an IP address that is equal to the next hop of a previously-configured OSPF route (this issue is being addressed in CSCec29686).

CSCeb11201 - If you configure the CSS for OSPF and the CSS is running a previous code enhancement (CSCdz86426), OSPF advertises the virtual IP address based on the state of the underlying services. This enhancement may incorrectly cause OSPF to advertise the backup VIP address.

CSCeb11295 - Activating a source group with the same VIP address as a suspended source group causes the CSS to reboot.

CSCec11862 - The CSS may incorrectly show services in a suspended state.

CSCeb12985 - When an SSH connection to the CSS is terminated, the SSH client may not terminate properly. If the termination is not recognized by the SSH server in the CSS, the server assumes that clients are still active and does not allow new SSH client connections.

CSCeb14245 - During RIP updates, the Ipv4Rip and Ipv4RdpTmr tasks are suspended.

CSCeb15177 - If you dynamically configure the global bridge priority command to a value lower than the root bridge value on the network, the CSS does not become the root bridge. Reboot the CSS to enable it to become the root bridge in this situation.

CSCeb15716 - APP uses socket record structures. When initializing APP, the CSS may reboot under certain configuration timing circumstances due to a race condition in the allocation and free routines that manipulate the record structures.

CSCeb16881 - When the CSS experiences an NVRAM failure and you reboot the CSS into OffDM to reconfigure the administrative username and password, the configuration fails because of the NVRAM failure, but the CSS does not display an error message.

CSCeb16889 - Logging messages at NETMAN facility, level Warning 4 now appear if the CSS could not read the administrative username or password from NVRAM.

CSCeb20895 - TACACS+ accounting records sent by the CSS have an incorrect Attribute Value (AV) pair. The record contains task=<integer> instead of task_id=<integer>.

CSCeb21318 - If you manually suspend a service that is running a scripted keepalive when the script is active, the service remains in a down state after you activate it again.

CSCec23109 - This caveat was resolved in software version 6.10.1.07a. The CSS may become unresponsive without console, telnet, or any access when running HTTP keepalives. In this situation, you must reboot the CSS to resume operation. To work around this issue, remove HTTP keepalives from the configuration.

CSCeb29612 - When the CSS is configured with source groups and has the global persistence reset remap command configured, a Flow Control Block (FCB) is deleted and the CSS reboots.

CSCeb35409 - Gigabit Ethernet ports must be disabled when the CSS is booting up.

CSCeb38555 - The OSPF tag option in the ospf advertise command is only parsed as a 16-bit value, but it should be a 32-bit value.

CSCea39652 - A flood of SNMP traps and remote log messages are sent out when the commit redundancy script is executing.

CSCeb42078 - The CSS may reboot if you configure a Layer 5 content rule using a URL string containing "?*" (for example, "url/mandy?*"), and then activate, suspend, then activate the rule. The CSS also may reboot if you delete this type of content rule, create a new one, and then activate it.

CSCeb42094 - When TACACS is configured to authenticate commands and you issue the script play script_name command from the CLI, the first line of the script fails to execute.

CSCdy42703 - When multiple SSH sessions are running, subsequent SSH sessions take longer to start up. This condition creates a window during which a user could terminate the SSH client being used to connect to the CSS during the client/server key creation and exchange. If the client is terminated during the window and a new connection to the CSS is attempted, the new connection is denied or it will hang.

CSCea42812 - When you configure a CSS with an SSL or an Arrowpoint-cookie content rule, the CSS uses the first data packet it receives from the backend server to make the load-balancing decision or to inject the Arrowpoint cookie. If the TCP SYN ACK from the server arrives on a different port from where the CSS sent the TCP SYN, then neither SSL nor Arrowpoint-cookie load-balancing works.

CSCeb43255 - A CSS that is queried using SNMP may, at certain OIDs, respond to the GetNext with an OID that is not lexicographically higher than the first OID.

CSCdy46189 - A CSS does not handle gratuitous ARPs (GARPs) for existing flows properly. After receiving a GARP, the CSS uses the updated MAC address of a service or next hop to reach the service or client for new flows only. The CSS does not modify existing flows and sends packets to the previous MAC address, which causes the packets to be lost.

CSCea47419 - A custom script opens port 443 on one server and sends an SNMP request to another server. With 12 to 16 services using this script, every 5 to 15 minutes, a service goes into the Dying state while waiting for the SNMP reply (which was already received). This caveat is caused by a timing issue in the waitfor script command.

CSCea47506 - When the CSS is dynamically configured with a lower bridge priority than the root bridge, the CSS does not become the root bridge. If the CSS is rebooted with the lower bridge priority in the startup-config, the CSS becomes the root bridge.

CSCea47709 - With the Device Management user interface enabled (no restrict web-mgmt command), a denial of service (DoS) port scanner tool connected to port 443 causes the CSS to reboot unexpectedly. Workaround: Disable the CSS Device Management user interface using the restrict web-mgmt command to close up the port.

CSCea47887 - A Layer 4 content rule configured with advanced-balance sticky-srcip was incorrectly creating Layer 4 sticky entries (that is, source IP address and destination port) instead of Layer 3 sticky entries as specified by the advanced-balance method.

CSCdz49249 - The flow port timeout command does not work properly on Gigabit Ethernet links. This command should allow a maximum value of 600 seconds, but on the Gigabit Ethernet links, the CSS may collect the flow after a few seconds have elapsed.

CSCeb52725 - If there are a large number of connections being spoofed to servers that are not responding to the SYN, the CSS may exhaust all buffers and reboot.

CSCec52752 - This caveat was resolved in software version 6.10.1.07a. The CSS Gigabit Ethernet ports do not function with the Catalyst 6500 when the Catalyst port configuration is set to speed nonegotiate. The only workaround is to change the Catalyst port configuration to no speed nonegotiate.

CSCeb56670 - This caveat applies to a Layer 5 content rule containing advanced-balance arrowpoint-cookies and a configuration that contains a client as a proxy device that multiplexes many individual client connections over one long persistent HTTP session to the CSS. When the CSS receives an HTTP GET on a persistent connection without an arrowpoint-cookie, the arrowpoint-cookie string was not always inserted in the server response.

CSCeb57007, CSCeb58059 - Using OSPF to advertise a nonredundant VIP address when a separate redundant VIP address exists, may cause the CSS to reboot.

CSCeb57374 - When running a keepalive script that uses the icp probe command, if the target host is unavailable, the CSS may leak resources and eventually reboot or cause the console to become unresponsive.

CSCeb57524 - Content rules with URQLs lock up and traffic is dropped if it hits the rule. You must suspend and activate the rule.

CSCeb58032 - OSPF advertise decisions do not function properly.

CSCeb58671 - An edge condition in a flow teardown may cause the CSS to reboot.

CSCdx63320 - When the CSS is configured with static ARP entries and the link that a static ARP is reaching goes down, the SCM and SFM ARP tables become out of synch, resulting in erroneous host unreachable errors and dropped packets.

CSCeb64625 - The CSS may reboot when you use the dns-server forwarder command.

CSCea66180 - If you perform an SNMP GET on the deprecated variable apFlowMgrStattSSTable from the flowMgrExt.mib, SNMP access fails using either external SNMP agents or the CLI, and the following error message appears: "%% Error - cannot obtain SNMO lock".

CSCeb66320 - If a CSS receives a FIN or RST packet from a client prior to fully setting up a connection to a server, it mishandles the packet.

CSCea66340 - In a VIP and interface redundancy configuration, the commit_vip_redundancy script erroneously overwrites the RADIUS server source interface IP address on the backup CSS.

CSCeb66864 - This caveat applies to a Layer 5 content rule containing advanced-balance arrowpoint-cookies. On a persistent HTTP connection using arrowpoint cookies, each backend server remap causes the TCP maximum segment size (MSS) option in the TCP SYN to the backend server to be reduced by 250 bytes until the MSS reaches a negative value. This condition has performance implications and may prevent the arrowpoint-cookie from being inserted into the server data packet.

CSCeb68203 - The CSS may identify a service as dying or down when an HTTP keepalive is used and the HTTP response from the service spans more than one packet.

CSCeb68330 - This caveat applies to a Layer 5 content rule containing advanced-balance location-cookies. On a persistent HTTP connection using location cookies, each backend server remap causes the TCP maximum segment size (MSS) option in the TCP SYN to the backend server to be reduced by 250 bytes until the MSS reaches a negative value. This condition has performance implications and may prevent the location cookie from being inserted into the server data packet.

CSCeb69714 - When using the location cookie feature, the CSS may incorrectly insert the location cookie value in the arrowpoint cookie field. This error results in a client request being sent to a different server from the one to which client requests were previously sent.

CSCeb70776 - If you have a Layer 5 content rule configured and the client sends HTTP POSTs and the data portion of a POST packet starts with "POST TAX", the CSS incorrectly determines that the "POST TAX" packet is the start of a new HTTP content request. The connection then hangs while waiting for the HTTP terminator in a future packet.

CSCeb73428 - Sending a malformed DNS request to the CSS causes CPU utilization to increase to 100%.

CSCeb73606 - Closing down an SSH connection to the CSS may cause the CSS to reboot.

CSCeb75507 - When you issue the traceroute command, the process that handles ICMP responses may hang. This condition causes all of the ICMP keepalives to go down.

CSCea75864 - When a CSS is configured with a Layer 5 content rule using the advanced-balance sticky method, a source group with destination services, and the source group contained only a subset of the services defined in the Layer 5 content rule as destination services, the destination service source group lookup may fail. If it fails, NAT'ing also fails intermittently.

CSCea76928 - When one of the NICs in a dual-NIC server fails over, the CSS does not update the service MAC address. The CSS continues to use the MAC address of the failed NIC as the destination even after it receives a gratuitous ARP (GARP) from the activated secondary NIC of the server. The CSS ARP table is properly updated. Workaround: Suspend, then activate, the service that is not updated.

CSCea77466 - If the services defined in a DNS content rule are of type transparent-cache, the dnsflow disable command does not work properly.

CSCea79737 - Premature termination of an SSHv1 connection to the CSS may cause the CSS to reboot.

CSCeb80090 - If the CSS receives APP-UDP packets on the Ethernet management port early in the bootup routine, the ip interface tries to process the packets before the IPV4 applications are initialized. This condition causes the CSS to reboot.

CSCeb80103 - The message Ipv4SntpTx: Failed on Ipv4StackBypassTx is logged when SNTP packets are misdirected out the Ethernet management port.

CSCeb84861 - Provides the new string match command. This command determines how the CSS handles a string that contains multiple matches with configured strings on services. Use this command with the advanced-balance cookies|cookiesurl|url command. For details on using this command, refer to the Command Changes in Software Version 6.10.1.07 section later in this release note.

CSCea84953 - If the CSS is configured with a content rule that has an advanced-balance method and an ACL clause containing a preferred service, and a load-balancing decision is made when the connection is stuck to a service, the CSS prefers that service over the ACL preferred service, which is incorrect.

CSCea85836 - The CSS uses an internal table structure called "CII", and these tables can be dynamically modified in size during CSS operations. An edge condition may cause the CSS to reboot if two applications tried to access the table and modify the size simultaneously. The reboot is not caused as the result of any user action or traffic pattern.

CSCea87542 - A configuration using header tag rules and configured using persistence reset remap and no persistent on the content rules experiences unnecessary backend remaps to the lowest numbered service index in the content rule. The content rule favors that service index and it has a high connection counter.

CSCea93122 - If you configure the IP address on the management port to 0.0.0.0, on reboot, the CSS removes the IP address from the show boot display. However, the commit redundancy and commit vip redundancy scripts check for the APP sessions between the peers over the management port and expect to find an IP address. If no address is found, the scripts fail.

Command Changes in Software Version 6.10.1.07

Table 5 and Table 6 list the commands and options that have been added or changed in software version 6.10.1.07.

Table 5 CLI Commands Added in Version 6.10.1.07 

Mode
Command and Syntax
Description

All

show arp management-port

The management-port option displays the ARP entries from the CSS management port.

show ospf advertise {ip_address subnet_mask}

The ip_address subnet_mask options display the configuration of ASE routes into OSPF. To display the configuration of ASE routes into OSPF for a specific host, include the IP address and the subnet mask. Enter the address in dotted-decimal format (for example, 192.168.11.1). Enter the prefix length either:

As a prefix length in CIDR bit-count notation (for example, /24). Do not enter a space to separate the IP address from the prefix length.

In dotted-decimal notation (for example, 255.255.255.0).

show system-resources {cpu_summary}

The cpu_summary option displays a summary of the CPU utilization by all modules installed in the CSS chassis.

Global

tacacs-server ip_address port {timeout ["cleartext_key"|des_key]} {primary} {frequency number}

The frequency number option for the tacacs-server command allows you to set the keepalive frequency for the specified TACACS+ server. The default number variable is 5 seconds. The range for the variable is 0 to 255. A setting of 0 disables keepalives. Defining this option overrides the global tacacs-server frequency command.

To apply any TACACS+ global attribute, such as the keepalive frequency, to a TACACS+ server, you must configure the global attribute before you configure the server.

tacacs-server frequency number

no tacacs-server frequency number

The frequency number option for the tacacs-server command allows you to set the global keepalive frequency for all TACACS+ servers. The default number variable is 5 seconds. The range for the variable is 0 to 255. A setting of 0 disables keepalives. The no form of the command resets the global keepalive frequency to 5 seconds.

When you configure the keepalive frequency for a TACACS+ server, the server keepalive frequency overrides the global keepalive frequency.

To apply a global attribute to a configured CSS TACACS+ server and have it take effect immediately, you must remove the server and then reconfigure it.

Keepalive

tcp-close rst

For global keepalives, this command specifies that the CSS send a TCP RST to a service to terminate the connection with the backend server.

tcp-close fin

For global keepalives, this command specifies that the CSS send a TCP FIN to a service to terminate the connection with the backend server. The tcp-close fin command may be applied to a maximum of 100 keepalives. When you configure the fin option, the show keepalive command output includes the Keepalive TCP-Close: field.

Owner-Content

string match specific|first-service-match|first-string-found

The new string match command determines how the CSS handles a string that contains multiple matches with configured strings on services. Use this command with the advanced-balance cookies|cookiesurl|url command.

In this example, the incoming string is grapebananapear. The CSS service configuration is:

service s1 
string pear

service s2 
string grape

service s3 
string banana

The specific keyword selects the most specific string match and is the CSS default behavior. For the CSS, the most specific match is the longest configured string found in the incoming string. In this example, the string match is banana.

The first-service-match keyword causes the CSS to examine each service in the order of its index number and compare the string configured on that service with the incoming string until it finds a match. In this example, the first-service-match string is pear.

The first-string-found keyword selects the configured string that appears earliest in the incoming string. In this example, the string match is grape.
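The three selection modes worked through in code, as an added example that is not Cisco's code: it runs the note's grapebananapear example against the s1/s2/s3 configuration and shows each mode picking a different service. Tie-breaking by lowest service index is an assumption the note does not state.

```python
"""Added example, not Cisco's code: a model of the three string match
selection modes described in the release note. Service names and the
incoming string grapebananapear come from the note's example; the
tie-breaking rule (lowest service index) is an assumption."""

from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Service:
    index: int    # service index number, the order first-service-match walks
    name: str
    string: str   # value configured with the service-mode string command


MODES = ("specific", "first-service-match", "first-string-found")


def matching_services(incoming: str, services: List[Service]) -> List[Service]:
    """Services whose configured string occurs anywhere in the incoming string."""
    return [s for s in services if s.string and s.string in incoming]


def select_service(incoming: str, services: List[Service],
                   mode: str = "specific") -> Optional[Service]:
    """Pick the service the CSS would choose for `incoming` under `mode`."""
    candidates = matching_services(incoming, services)
    if not candidates:
        return None
    if mode == "specific":
        # Most specific = longest configured string (the CSS default).
        return min(candidates, key=lambda s: (-len(s.string), s.index))
    if mode == "first-service-match":
        # Walk services by index number; the first whose string matches wins.
        return min(candidates, key=lambda s: s.index)
    if mode == "first-string-found":
        # The configured string that appears earliest in the incoming string.
        return min(candidates, key=lambda s: (incoming.find(s.string), s.index))
    raise ValueError(f"unknown string match mode: {mode}")


def compare_modes(incoming: str, services: List[Service]) -> Dict[str, Optional[str]]:
    """Selected service name per mode, or None when no configured string matches."""
    result: Dict[str, Optional[str]] = {}
    for mode in MODES:
        chosen = select_service(incoming, services, mode)
        result[mode] = chosen.name if chosen else None
    return result


# Constructed from the release note's example configuration.
SERVICES = [
    Service(1, "s1", "pear"),
    Service(2, "s2", "grape"),
    Service(3, "s3", "banana"),
]


if __name__ == "__main__":
    print(compare_modes("grapebananapear", SERVICES))
    # A string containing only two of the configured values: modes still differ.
    print(compare_modes("pearbanana", SERVICES))
```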

Service

keepalive tcp-close rst

This command sends a TCP RST (default) to terminate the connection with the specified service on the backend server.

keepalive tcp-close fin

This command sends a TCP FIN to terminate the connection with the specified service on the backend server. When you configure the fin option, the show service and show keepalive command output includes the Keepalive TCP-Close: field.


Table 6 CLI Commands Changed in Version 6.10.1.07

Mode
Command and Syntax
Description

All

show sorted running-config

This command has been removed.

Interface

phy auto-negotiate enable|disable

The enable and disable options no longer appear in the CLI.


Software Version 6.10.0.04 Open Caveats, Resolved Caveats, and Command Changes

The following sections contain the open caveats and resolved caveats in software version 6.10.0.04:

Open Caveats in Software Version 6.10.0.04

Resolved Caveats in Software Version 6.10.0.04

Open Caveats in Software Version 6.10.0.04

The following open caveats apply to software version 6.10:

CSCea08822 - The ARP entry is not being updated properly for a user that is one hop away from the CSS.

CSCea29755 - In a box-to-box redundancy configuration, if you reset the master interface on which the redundancy protocol is running, both CSSs claim mastership. The CSSs send ARP requests from the circuit IP address with a MAC address that belongs to both of them, which causes the ARP entries on neighboring devices to flap. The two CSSs also log "Duplicate IP address" messages. There is no impact on network connectivity.

CSCdu34502 - Do not use the Cisco Content Router 4430-B bloat and fragment-size options with the CSS content routing agent. Entering these options causes unexpected results.

CSCdy35383 - The Cisco 11000 series CSS MIBs are not posted on CCO. Workaround: Use an FTP program with a graphical user interface to copy the MIBs from the MIBs directory on your CSS to your management station, then load them into the management station.

CSCea42812 - When you configure a CSS with an SSL or an Arrowpoint-cookie content rule, the CSS uses the first data packet it receives from the backend server to make the load-balancing decision or to inject the Arrowpoint cookie. If the TCP SYN ACK from the server arrives on a different port from where the CSS sent the TCP SYN, then neither SSL nor Arrowpoint-cookie load-balancing works.

CSCdy46189 - A CSS does not properly handle gratuitous ARPs (GARPs) for existing flows. After receiving a GARP, the CSS uses the updated MAC address of a service or next hop to reach the service or client for new flows only. The CSS does not modify existing flows and sends packets to the previous MAC address, which causes the packets to be lost.

CSCea47419 - A custom script opens port 443 on one server and sends an SNMP request to another server. With 12 to 16 services using this script, every 5 to 15 minutes, a service goes into the Dying state while waiting for the SNMP reply (which was already received). This caveat is caused by a timing issue in the waitfor script command.

CSCea47709 - With the Device Management user interface enabled (no restrict web-mgmt command), a denial of service (DoS) port scanner tool connected to port 443 causes the CSS to reboot unexpectedly. Workaround: Disable the CSS Device Management user interface using the restrict web-mgmt command to free up the port.

CSCea51478 - If you configure an access control list (ACL) clause with a destination specified by a Layer 5 content rule, traffic does not match the clause and is not permitted. Workaround: Use an additional ACL clause that permits the TCP addresses and ports. In this case, the CSS logs a match for both clauses.

CSCea54373 - A CSS with a high flow rate may experience an EPIF reset condition, which causes a group of four physical ports to go down. If this condition continues for a long period of time and the ports continue to go up and down, the CSS may reboot.

CSCea66182 - The Device Management user interface may become inaccessible after one to three days. There is no response to a TCP SYN or to an SSL client Hello. Workaround: Reboot the CSS.

CSCea66340 - In a VIP and interface redundancy configuration, the commit_vip_redundancy script erroneously overwrites the RADIUS server source interface IP address on the backup CSS.

CSCea76928 - When one of the NICs in a dual-NIC server fails over, the CSS does not update the service MAC address. The CSS continues to use the MAC address of the failed NIC as the destination even after it receives a gratuitous ARP (GARP) from the activated secondary NIC of the server. The CSS ARP table is properly updated. Workaround: Suspend, then activate, the service that is not updated.

CSCea77466 - If the services defined in a DNS content rule are of type transparent-cache, the dnsflow disable command does not work properly.

CSCdz80161 - While attempting to complete its task, a keepalive script tries to clean up resources that have already been removed, which is caused by a timing issue. The CSS reboots.

CSCea82431 - With a custom scripted keepalive configured on a CSS, the keepalive may enter the Dying state even though the keepalive responses sent by the server indicate a healthy service.

Resolved Caveats in Software Version 6.10.0.04

The following resolved caveats apply to software version 6.10.0.04:

CSCea36989 - The Cisco Content Services Switch (CSS) 11000 series switches respond to certain Domain Name Service (DNS) name server record requests with an error code and no Start of Authority (SOA) records, which can be negatively cached by some DNS name servers resulting in a potential denial-of-service attack for a particular domain name hosted by a CSS. To be affected by this vulnerability, CSS devices must be configured for Global Server Load Balancing. The CERT/CC issued a vulnerability note on this issue (VU#714121). Cisco is providing repaired software, and customers are urged to upgrade to repaired code.

This vulnerability in CSS is documented as Cisco Bug IDs CSCdz62499 and CSCea36989.

This advisory will be available at http://www.cisco.com/warp/public/707/cisco-sa-20030430-dns.shtml.

CSCdz02856 - With a redirect service configured in a Layer 5 content rule, the redirects issued by the CSS are inconsistent. For example, if there are two rules, one with a URL of "/a/*" and one with a URL of "/a*", and the CSS receives a GET request for "/a", the CSS resets the connection instead of matching one of those rules, even if there are less specific rules from which to choose.

CSCea08875 - When the CSS has a Layer 5 content rule configured that has a URL containing the % (percent) character, the CSS does not match on that rule when an appropriate HTTP GET request arrives.

CSCea10851 - The CSS primary authentication method should be consistent with Cisco IOS. If the primary authentication method is TACACS/RADIUS and the server rejects the login, the secondary/tertiary method is not tried. If the server is not responding, the secondary/tertiary method is tried. If the primary authentication method is LOCAL, the secondary/tertiary method is tried only if the username is not in the local database.

CSCea12013 - If the CSS receives a packet with the destination IP address of a configured VIP address but a destination port that is non-flowy (for example SNMP 161), the CSS may incorrectly ARP for the VIP address if the VIP is on the same subnet as a circuit address.

CSCdz14760 - When the CSS receives a spanned content request and the packets are received out of order, the CSS waits for the out of order packets to be retransmitted from the client before it initiates the connection to the backend server.

CSCea18861 - With Layer 5 content rules configured and a long persistent connection with over 100 HTTP GET requests, the CSS may not properly backend remap one of the HTTP GET requests because the request is not detected properly as a content frame (HTTP requests that begin with GET, POST, HEAD, and so on) by the fastpath.

CSCea21808 - You cannot modify the IP address or port of a primary or secondary sorry server with an address range or port range unless you remove the sorry server from the content rule. If the sorry server already has a range configured and you enter the no ip address command, the command fails. The following message appears: %% Invalid mapping of rule to service address ranges.

CSCea24296 - With Layer 5 content rules configured on a CSS, if a client sends an incomplete HTTP request and then retransmits the complete request, the CSS incorrectly identifies the retransmission as a duplicate even though the payload of the original packet and the retransmitted packet are different.

CSCea24798 - The VIP address on an active content rule cannot be dynamically modified. The following error message appears: %% Operation may not be performed on active content rule.

CSCea25871 - If a CSS receives a content header tag that spans two packets and is empty, the content tag is ignored, but the allocated memory is not cleared and may cause the CSS to reboot.

CSCea30473 - When polled with SNMP for the apChassisMgrExtSoftwareVersionNumber MIB variable, the CSS returns inconsistent MIB information because of a string that was not properly NULL terminated.

CSCea36431 - Because the flowinfo diagnostic script contains an extra exit command, the console or Telnet session to the CSS disconnects after running the script at the CLI using the script play flowinfo command.

CSCdy87317 - If a CSS has multiple Layer 5 wildcard rules configured of the form "url /a/*" and "url /a*" and receives an HTTP GET for "/a", instead of matching one of the wildcard rules, the CSS rejects the connection and sends a TCP RST.

CSCea38004 - When you run the commit_vip_redundancy script with a very large configuration, the remote CSS becomes unresponsive to console or Telnet access and the APP session goes down. The console becomes responsive after approximately five minutes and the APP session comes back up.

CSCea40178 - Attempting to add a default route with IP address 0.0.0.0 and a non-zero subnet mask causes the CSS to reboot.

CSCea40806 - When the CSS receives more than the configured maximum OSPF routes to a destination and some of the currently reachable routes become unreachable, the CSS may not replace the unreachable routes with the other viable OSPF routes.

CSCea40912 - When a service is configured with a scripted keepalive on a CSS, occasionally the service goes down and does not return to the Alive state. The scripted keepalive task is unresponsive and no further scripted keepalive activity will run for the service.

CSCdz41611 - If you enter the admin-shutdown command on the only port configured with redundancy-phy in a box-to-box redundancy configuration, the port state changes to Down, but the priority does not change so there is no redundancy transition.

CSCea43956 - If a configuration contains a Layer 5 wildcard content rule (for example, /*) using a header-field rule and a less specific content rule, the CSS may choose the wrong content rule, which causes the request to be sent to the incorrect server.

CSCea45106 - Using the SNMP variables apChassisMgrExtSubModulesSsCardTypeSNMP and apChassisMgrExtSubModuleSsCardOpStatus to inventory the CSS chassis may return conflicting data because these variables have been removed. Use the apChassisMgrExtSubModuleOpStatus variable to inventory the chassis.

CSCea48629 - If a CSS (configured with Layer 5 content rules with and without header-field-rules) receives an HTTP GET that exactly matches the URL string configured on a Layer 5 rule but does not match the header-field configured on that rule, the CSS rejects the connection and does not match one of the other rules.

CSCdz49051 - If a server takes longer than 17 seconds to respond to an HTTP keepalive, the CSS incorrectly detects the server as Down.

CSCea51311 - If you configure a CSS with a Layer 5 content rule with a URL of the form /%xx* and then remove the rule from the configuration at a later time, the CSS does not completely clean up the rule-matching tree, which may cause the CSS to reboot.

CSCea53236 - On a persistent connection, if a subsequent GET request matches a 302 redirect content rule, the server-side connection is not torn down.

CSCea60671 - If a CSS receives a packet, then immediately receives a retransmission of that packet, but the retransmitted packet contains more data, the CSS may reboot.

CSCdz67389 - If you configure an HTTP keepalive without a keepalive hash value, the service does not come up until the time you configure for the keepalive frequency transpires. For example, if you configure the keepalive with a frequency of 60 seconds, the keepalive does not come alive for 60 seconds. The keepalive now comes alive immediately upon activation.

CSCdy69343 - If there is an automatic service (a service learned through an APP session with another CSS) assigned to a content rule, the CSS incorrectly allows the removal of the last configured service while the rule is still active. After removing the last configured service, the content rule is still active and the CSS improperly forwards packets to the automatic service.

CSCea69508 - If you configure a CSS with a primary and secondary RADIUS server and an SNMP agent issues an SNMP GETNEXT through the apRadiusClientExtServerEntry table, the poll fails. All subsequent access to the SNMP database also fails. For example, entering the show running-config command results in a Cannot obtain SNMP lock error message.

CSCdy70914 - A CSS continues to ARP for VIP addresses configured on another CSS on the same network even after removing the other CSS and after the resolution timer should have expired.

CSCea71636 - The show ether-error command indicates that the SQE TEST counter incorrectly keeps increasing when the Ethernet management port is used. The problem is not seen for other ports. There is no workaround.

CSCea74866, CSCea81382 - If you enter the debug command show pmd-records and the More option is enabled, the CSS may reboot.

CSCdz88580 - If a server configured in a CSS source group tries to communicate with a device on the Internet or over the network and that device does not have the specified port open, the device sends back a RST ACK in response to the server TCP SYN. This RST ACK response is not forwarded to the server if the server default gateway is configured with the upstream router. All conversations with devices that have the port open work fine. Workaround: Configure the server default gateway as the circuit IP address on the CSS.

CSCdy89225 - If you configure a content rule with a VIP range, configure a second rule with a single VIP that falls within the VIP range of the first rule, and configure a source group with a VIP range that overlaps and conflicts with the first rule, when you activate the group, the CSS reboots.

CSCdz89703 - In a VIP and interface redundancy configuration, the commit_vip_redundancy script incorrectly copies the OSPF router ID of the master CSS to the backup CSS.

Obtaining Documentation

These sections explain how to obtain documentation from Cisco Systems.

World Wide Web

You can access the most current Cisco documentation on the World Wide Web at this URL:

http://www.cisco.com

Translated documentation is available at this URL:

http://www.cisco.com/public/countries_languages.shtml

Documentation CD-ROM

Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which is shipped with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual subscription.

Ordering Documentation

You can order Cisco documentation in these ways:

Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Networking Products MarketPlace:

http://www.cisco.com/cgi-bin/order/order_root.pl

Registered Cisco.com users can order the Documentation CD-ROM through the online Subscription Store:

http://www.cisco.com/go/subscription

Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, U.S.A.) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).

Documentation Feedback

You can submit comments electronically on Cisco.com. In the Cisco Documentation home page, click the Fax or Email option in the "Leave Feedback" section at the bottom of the page.

You can e-mail your comments to bug-doc@cisco.com.

You can submit your comments by mail by using the response card behind the front cover of your document or by writing to the following address:

Cisco Systems
Attn: Document Resource Connection
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate your comments.

Obtaining Technical Assistance

Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can obtain online documentation, troubleshooting tips, and sample configurations from online tools by using the Cisco Technical Assistance Center (TAC) Web Site. Cisco.com registered users have complete access to the technical support resources on the Cisco TAC Web Site.

Cisco.com

Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information, networking solutions, services, programs, and resources at any time, from anywhere in the world.

Cisco.com is a highly integrated Internet application and a powerful, easy-to-use tool that provides a broad range of features and services to help you with these tasks:

Streamline business processes and improve productivity

Resolve technical issues with online support

Download and test software packages

Order Cisco learning materials and merchandise

Register for online skill assessment, training, and certification programs

If you want to obtain customized information and service, you can self-register on Cisco.com. To access Cisco.com, go to this URL:

http://www.cisco.com

Technical Assistance Center

The Cisco Technical Assistance Center (TAC) is available to all customers who need technical assistance with a Cisco product, technology, or solution. Two levels of support are available: the Cisco TAC Web Site and the Cisco TAC Escalation Center.

Cisco TAC inquiries are categorized according to the urgency of the issue:

Priority level 4 (P4)—You need information or assistance concerning Cisco product capabilities, product installation, or basic product configuration.

Priority level 3 (P3)—Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue.

Priority level 2 (P2)—Your production network is severely degraded, affecting significant aspects of business operations. No workaround is available.

Priority level 1 (P1)—Your production network is down, and a critical impact to business operations will occur if service is not restored quickly. No workaround is available.

The Cisco TAC resource that you choose is based on the priority of the problem and the conditions of service contracts, when applicable.

Cisco TAC Web Site

You can use the Cisco TAC Web Site to resolve P3 and P4 issues yourself, saving both cost and time. The site provides around-the-clock access to online tools, knowledge bases, and software. To access the Cisco TAC Web Site, go to this URL:

http://www.cisco.com/tac

All customers, partners, and resellers who have a valid Cisco service contract have complete access to the technical support resources on the Cisco TAC Web Site. The Cisco TAC Web Site requires a Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or password, go to this URL to register:

http://www.cisco.com/register/

If you are a Cisco.com registered user, and you cannot resolve your technical issues by using the Cisco TAC Web Site, you can open a case online by using the TAC Case Open tool at this URL:

http://www.cisco.com/tac/caseopen

If you have Internet access, we recommend that you open P3 and P4 cases through the Cisco TAC Web Site.

Cisco TAC Escalation Center

The Cisco TAC Escalation Center addresses priority level 1 or priority level 2 issues. These classifications are assigned when severe network degradation significantly impacts business operations. When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer automatically opens a case.

To obtain a directory of toll-free Cisco TAC telephone numbers for your country, go to this URL:

http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml

Before calling, please check with your network operations center to determine the level of Cisco support services to which your company is entitled: for example, SMARTnet, SMARTnet Onsite, or Network Supported Accounts (NSA). When you call the center, please have available your service agreement number and your product serial number.