Cisco CSS 11500 Series Content Services Switches

Release Note for the Cisco 11500 Series Content Services Switch (Software Version 7.10.x)

Table Of Contents

Release Note for the Cisco 11500 Series Content Services Switch

Contents

CSS Standard and Enhanced Feature Sets

Before Upgrading the CSS Software

CSS Documentation Updates and Corrections

URL Maximum Length Clarification

Maximum Number of VLANs per CSS 11500 Model

Source Group Port Mapping Behavior

Software Version 7.10.x Operating Conditions

Software Behavioral Differences

General Software Behavioral Differences

Using the range Option with the global-portmap and noflow-portmap Commands

Using the commit_vip_redundancy and commit_redundancy Scripts without an IP Address

Matching Precedence for Layer 5 Rules

TCP Keepalive Packet Exchange

Change to the show keepalive Command

Enhancements to OSPF Functionality

Software Version 7.10.5.04 Open Caveats, Resolved Caveats, and Command Changes

Software Version 7.10.5.04 Open Caveats

Software Version 7.10.5.04 Resolved Caveats

Software Version 7.10.5.04 Command Changes

Software Version 7.10.4.05 Open Caveats, Resolved Caveats, and Command Changes

Software Version 7.10.4.05 Open Caveats

Software Version 7.10.4.05 Resolved Caveats

Software Version 7.10.4.05 Command Changes

Software Version 7.10.3.05 Open Caveats, Resolved Caveats, and Command Changes

Software Version 7.10.3.05 Open Caveats

Software Version 7.10.3.05 Resolved Caveats

Software Version 7.10.3.05 Command Changes

Configuring kal-ap-vip

Overview

Configuration Requirements

Configuring a kal-ap-vip Client

Software Version 7.10.2.06 Open Caveats, Resolved Caveats, and Command Changes

Software Version 7.10.2.06 Open Caveats

Software Version 7.10.2.06 Resolved Caveats

Software Version 7.10.2.06 Command Changes

Obtaining Documentation

World Wide Web

Documentation CD-ROM

Ordering Documentation

Documentation Feedback

Obtaining Technical Assistance

Cisco.com

Technical Assistance Center

Cisco TAC Web Site

Cisco TAC Escalation Center


Release Note for the Cisco 11500 Series Content Services Switch


January 11, 2005


Note The most current Cisco documentation for released products is also available on Cisco.com. The online documents may contain updates and modifications made after the hardcopy documents were released.


Contents

This release note applies to the following software versions for the Cisco 11500 Series Content Services Switch (CSS). New commands and features in version 7.10 are described in this release note. For information on version 7.10 commands and features, refer to the CSS 7.10 documentation located on Cisco.com (http://www.cisco.com).

7.10.5.04 (version 7.10, maintenance release 5, build 4)

7.10.4.05 (version 7.10, maintenance release 4, build 5)

7.10.3.05 (version 7.10, maintenance release 3, build 5)

7.10.2.06 (version 7.10, maintenance release 2, build 6)


Note The CSS box-to-box redundancy protocol is now supported on CSS 11500 gigabit Ethernet (GE) ports in software version 7.10.1.02 and higher.


This release note contains the following sections:

CSS Standard and Enhanced Feature Sets

Before Upgrading the CSS Software

CSS Documentation Updates and Corrections

Software Version 7.10.x Operating Conditions

Software Behavioral Differences

Software Version 7.10.5.04 Open Caveats, Resolved Caveats, and Command Changes

Software Version 7.10.4.05 Open Caveats, Resolved Caveats, and Command Changes

Software Version 7.10.3.05 Open Caveats, Resolved Caveats, and Command Changes

Software Version 7.10.2.06 Open Caveats, Resolved Caveats, and Command Changes

Obtaining Documentation

Obtaining Technical Assistance

CSS Standard and Enhanced Feature Sets

The CSS software is available in a Standard or optional Enhanced feature set. The Enhanced feature set contains all of the Standard feature set and also includes Network Address Translation (NAT) Peering, Domain Name Service (DNS), Demand-Based Content Replication (Dynamic Hot Content Overflow), Content Staging and Replication, and Network Proximity DNS. Proximity Database and Secure Management, which includes Secure Shell Host and SSL strong encryption for the Device Management software, are optional features.


Note You must enter a Standard software license key when you boot the CSS for the first time. For details about activating a CSS software option, refer to the Cisco Content Services Switch Administration Guide.


Before Upgrading the CSS Software

Before you upgrade your CSS software, archive your custom scripts (including user profiles and custom script keepalives) by using the archive script or save_profile command. When you upgrade the software, the upgrade process creates a new /<current running version>/script directory, overwriting the current script directory. After the upgrade is done, use the restore filename script command to restore the scripts you archived. Refer to the Cisco Content Services Switch Administration Guide for software upgrade instructions.

CSS Documentation Updates and Corrections

The following documentation correction applies to the CSS 11501, CSS 11503 and the CSS 11506:

The documentation incorrectly states that you can configure as many SNMP communities as you wish through the snmp community command. You can configure a maximum of five communities.

The following documentation updates apply to the CSS 11501, CSS 11503 and the CSS 11506:

URL Maximum Length Clarification

Maximum Number of VLANs per CSS 11500 Model

Source Group Port Mapping Behavior

URL Maximum Length Clarification

When you use the url content mode command to specify a Uniform Resource Locator (URL) for content, you enter the URL as a quoted text string with a maximum length of 252 characters. Note that each path defined within the 252-character URL string cannot exceed a maximum length of 32 characters. A URL path includes all characters between two slashes (/). In addition, an extension after the "." character cannot exceed 7 characters.

For example, the URL string below includes three paths, with each path less than the 32 character maximum:

(config-owner-content[hospital.html])# "/newbirthannouncements/newbabies/babyfilename.jpg"

Maximum Number of VLANs per CSS 11500 Model

The following list defines the maximum number of VLANs supported by the specific CSS 11500 models:

CSS 11501 and CSS 11503 - A maximum of 256 VLANs per CSS and 64 VLANs per port (FE or GE)

CSS 11506 - A maximum of 512 VLANs per CSS and 64 VLANs per port (FE or GE)

Use the bridge vlan command to specify a VLAN and associate it with the specified Ethernet interface. Enter an integer from 1 to 4094 as the VLAN identifier. The default is 1. All interfaces are assigned to VLAN 1 by default.

Source Group Port Mapping Behavior

When you configure a source group, a CSS provides network address translation (NAT) of source IP addresses and port address translation (PAT) of source ports. NAT and PAT add a measure of security to your network by not exposing private network addresses and ports to the public side of a CSS. To NAT source IP addresses and source ports for flows originating from a server (server-side) on the private side of the CSS, add existing services to a source group. To NAT source IP addresses and source ports for flows originating from a client (client-side) on the public side of the CSS, add existing services to a source group as destination services. You can also configure access control lists (ACLs) to perform source NATing.

Each CSS module (except the SSL module) has one session processor (SP) that is responsible for mastering flows.

CSS 11501 supports one SP

CSS 11503 supports a maximum of three SPs

CSS 11506 supports a maximum of six SPs

The default number of source ports available for one source group is 63488 (65533 minus the named ports). With one source group configured, the CSS allocates the total number of ports proportionally among all the SPs in the CSS chassis according to the SP relative weight value. To display the relative weight value of an SP, enter the show chassis session-processors command.

For client-side flows, the CSS sends packets to different SPs for flow processing and the flows have access to the source ports in that SP. The CSS performs a simple XOR hash of the TCP or UDP source and destination port numbers to determine the SP that becomes master for that flow. If the port numbers are the same (for example, DNS UDP port 53), then the CSS uses the low order bits of the source and destination IP addresses to calculate the hash value. The CSS uses the hash value to index into a weighted table of SPs and selects the appropriate SP.

When the CSS performs PAT, the master SP for the flow uses a source port from either a source group or the global portmapper, depending on your configuration. The CSS chooses a source port so that the hash of it and the destination port will select the same SP for the server-side flow as the SP that mastered the client-side flow.

For the server-side flow from a given destination port, only certain source port numbers hash to the same SP that was used for the client-side flow. For this reason, all ports available to a particular SP are not necessarily eligible for use when establishing the back-end connection. Therefore, the hash algorithm selects only a percentage of the available ports on any one SP.

To make more available source ports eligible for flows or to provide additional source ports for each SP:

Configure services on different destination ports (vary the destination port) to broaden the hash across the SPs and allow a larger percentage of available ports to be eligible for port mapping. This strategy works by making the hashing algorithm less restrictive in the sense that now more source ports can be used to satisfy the hashing equations.

Configure another source group to provide an additional 63488 ports, which the CSS also distributes among the SPs in the same manner as described earlier in this section.
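The two effects described above (fewer eligible ports per SP as modules are added, more eligible ports as destination ports are varied) follow directly from the hashing constraint. The following model is an added illustration, not Cisco code: it implements the note's description (XOR hash of source and destination port indexing a weighted SP table, group ports split among SPs by weight, PAT restricted to source ports that hash back to the mastering SP) so you can count eligible ports for a given chassis and service layout. The 256-slot table, its round-robin weighted fill, the use of the low 8 bits of the XOR as the index, and the contiguous per-SP port blocks are this model's assumptions, not published CSS internals, so it reproduces the trend in the tables that follow rather than their exact counts. The IP-address fallback used when the two port numbers are equal is not modeled.

```python
"""Toy model of CSS session-processor (SP) selection and eligible source ports.

Added illustration, not Cisco code. Table size, weighted fill, index arithmetic
and contiguous port blocks are assumptions of this model (see the lead-in).
"""

TABLE_SLOTS = 256                  # assumed size of the weighted SP table
GROUP_PORTS = 63488                # default ports per source group (from the note)
FIRST_PORT = 65536 - GROUP_PORTS   # 2048: lowest port the model maps


def build_sp_table(weights):
    """Interleave SPs into the table in proportion to their relative weights."""
    pattern = [sp for sp, w in enumerate(weights) for _ in range(w)]
    return [pattern[i % len(pattern)] for i in range(TABLE_SLOTS)]


def select_sp(table, sport, dport):
    """The note's 'simple XOR hash' of the two ports, indexing the SP table."""
    return table[(sport ^ dport) % len(table)]


def allocate_ports(weights):
    """Split the group's ports into one contiguous block per SP, by weight."""
    total_w = sum(weights)
    blocks, start = {}, FIRST_PORT
    for sp, w in enumerate(weights):
        n = GROUP_PORTS * w // total_w
        if sp == len(weights) - 1:              # last SP takes the remainder
            n = FIRST_PORT + GROUP_PORTS - start
        blocks[sp] = range(start, start + n)
        start += n
    return blocks


def eligible_source_ports(weights, dports):
    """Per SP: how many of its ports hash back to it for at least one dport.

    A port is eligible for the server-side flow only if hashing it with the
    destination port of that flow selects the SP that owns the port; varying
    the destination ports across services enlarges this set.
    """
    table = build_sp_table(weights)
    eligible = {}
    for sp, ports in allocate_ports(weights).items():
        eligible[sp] = sum(
            1 for p in ports if any(select_sp(table, p, d) == sp for d in dports)
        )
    return eligible


def pick_source_port(weights, master_sp, dport, in_use=frozenset()):
    """PAT step from the note: choose a free source port owned by the master SP
    whose hash with the server-side dport lands on that same SP; None if none."""
    table = build_sp_table(weights)
    for p in allocate_ports(weights)[master_sp]:
        if p not in in_use and select_sp(table, p, dport) == master_sp:
            return p
    return None


if __name__ == "__main__":
    # Trend of Table 1: one service on port 80, growing number of SPs.
    for n_sps in (1, 2, 3, 6):
        total = sum(eligible_source_ports([1] * n_sps, [80]).values())
        print(f"{n_sps} SP(s), one destination port: {total} eligible ports")
    # Trend of Table 2: six SPs, consecutive destination ports starting at 80.
    six = [1] * 6
    for dports in ([80], list(range(80, 90)), list(range(80, 112))):
        total = sum(eligible_source_ports(six, dports).values())
        print(f"6 SPs, {len(dports)} destination port(s): {total} eligible ports")
```

With one SP every port of the group is eligible; with two equally weighted SPs and a single destination port, only half of each SP's block hashes back to it, and adding a second destination port that differs in the low bit restores the full range. Running the script prints the same shape of decline and recovery that Tables 1 and 2 report for the real hardware.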

Table 1 illustrates how the number of eligible ports in a CSS 11506 decreases as you increase the number of installed modules (SPs). In all cases, the CSS is configured with one service and a single destination port for all flows (for example, port 80). The numbers of eligible ports in Table 1 are approximate and are used for illustration only. Your results may vary depending on your configuration.

Table 1 Adding Modules to a CSS 11506 Decreases the Number of Eligible Source Ports

Number of SPs    Number of Eligible Source Ports for the Chassis
1                63488
2                33728
3                21824
4                16616
5                13144
6                11408


Table 2 shows that, by increasing the number of destination ports, even in a fully-loaded CSS 11506 (six SPs), you can dramatically increase the number of source ports that are eligible for port mapping. In this example, the destination ports were chosen consecutively (for example, ports 80 through 89 for row 1).

Table 2 Increasing Destination Ports Increases Eligible Source Ports

Number of Destination Ports    Number of Eligible Source Ports for the Chassis
10                             28788
20                             31757
32                             40000


By comparing row six in Table 1 with row 1 in Table 2, you can see that increasing the number of destination ports to 10 more than doubles the number of source ports eligible for port mapping.

Note that it is algorithmically significant which destination ports you select to increase the number of eligible source ports and it is not a linear relationship. You may need to select several ranges of destination ports to produce the maximum number of eligible source ports.

Adaptive Session Redundancy (ASR) imposes further restrictions on the number of available and eligible source ports, because port-mapping resources must also be mapped to the backup CSS, whose chassis configuration is unknown. In a CSS 11506 with ASR configured, the number of source ports eligible for flows for the entire chassis is 1984 (63488 ÷ 32), regardless of the number of installed modules. You may be able to improve this number by adding a source group or configuring more destination ports for services.

Software Version 7.10.x Operating Conditions

The following operating conditions exist for software version 7.10.x.

If you are running software version 7.10.2.06A, be aware that the CSS file system now represents the 'A' suffix as a lowercase 'a'. Therefore, when you are upgrading from software version 7.10.2.06A, use caution when running the remove command in boot mode or running the upgrade script (which uses the remove command) to ensure that you do not inadvertently remove software version 7.10.2.06A.

For example, if you are running software version 7.10.2.06A and attempt to remove software version 7.10.2.06a, the CSS recognizes that the 'A' and the 'a' versions are different and allows you to delete the 'A' version, which is exactly the version you are currently running.

When configuring the CSS for FTP keepalives, do not configure the keepalive frequency or the keepalive retry period to a value less than 15 seconds. Note that the CSS does not prevent you from configuring smaller values. Also, the default value for the keepalive frequency or the keepalive retry period is five seconds. You must use the keepalive frequency and keepalive retryperiod commands to override the defaults.

Issuing the show system-resources command may cause CSS CPU usage to increase. If the CSS has more processors, using this command increases CPU usage accordingly.

A CSS monitors the health of the firewall by sending a custom ICMP keepalive request every second to the remote CSS on the other side of the firewall. If the CSS does not receive a keepalive request from the remote CSS for 3 to 16 seconds (configurable timeout), the CSS declares the firewall path unusable. A CSS does not reply to the keepalive requests it receives; instead, each CSS transmits its own keepalive every second, independently of the other CSS.

When a traplog file reaches its maximum size (50 MB for a hard disk-based CSS, 10 MB for a flash disk-based CSS), the CSS renames the traplog file to traplog.prev as a backup file and starts a new traplog file. The CSS overwrites the backup traplog file when it renames the traplog file. Each time the CSS reboots, it continues to use the existing traplog file until it reaches its maximum size.

Do not perform an SNMP GET on the apFlowMgrStatSSTable OIDs because they are no longer valid.

A CSS supports 64 VLANs per trunked port (Fast Ethernet or Gigabit Ethernet port).

You can configure a VIP from an active source group as a redundant VIP.

If you configure the redundancy-phy command on the interface and then disable the interface using the admin-shutdown command, the master CSS fails over to the backup CSS. To prevent the CSS from failing over when you administratively disable the interface, remove the redundancy-phy command by entering no redundancy-phy before you enter the admin-shutdown command on the interface.

The CSS 11501 uses the following interface-port format: e1, e2, and so on through e9, the Gigabit Ethernet (GE) port.

Because it has only one GE port, the CSS 11501 does not support redundant GE Inter-Switch Communications links for Adaptive Session Redundancy (ASR).

The CSS does not NAT fragmented IP packets.

The valid range for the sshd server-keybits command is 512 to 1024. However, to maintain compatibility with software version 5.00, the CSS allows you to enter a range from 512 to 32768. If you enter a value greater than 1024, the CSS changes the value to the default value of 768. When you reboot the CSS, the following sys.log message appears to indicate the valid range:

NETMAN-3: sshd: Bad server key size <configured value>; range 512 to 1024; defaulting to 768

When a destination in an ACL clause is a Layer 5 content rule, the CSS does not spoof the connection. Therefore, the ACL clause does not function as would be expected. As a workaround, you may configure an additional clause to permit the TCP IP addresses and ports. Be aware that content will be matched on both clauses. For example:

clause 14 permit any any destination content Layer5/L5 eq 80
clause 15 permit tcp any destination 200.200.200.200 eq 80

Clause 14 is the original clause. Clause 15 is the additional clause that handles the SYN; its destination IP address is the IP address configured in the Layer 5 content rule. Note that the number of this additional clause must be greater than the number of the destination content clause.

For the 11500 series CSS, the Ethernet management port default IP address is 0.0.0.0, which disables the management port. To enable the management port, enter an IP address in one of the following ways:

During the boot process (refer to the Cisco 11500 Series Content Services Switch Hardware Installation Guide, Chapter 3, Booting and Configuring the CSS).

Using the Offline Diagnostic Monitor (Offline DM) menu (refer to the Content Services Switch Administration Guide, Appendix B, Using the Offline Diagnostic Monitor Menu).

Using the ip address CLI command in boot mode (refer to the Content Services Switch Administration Guide, Chapter 1, Logging In and Getting Started).

In an ASR environment, if you run traffic to a configuration that has discrepancies between the redundant indexes on the two CSSs, the CPU utilization for each processor on the CSS may climb to an abnormal level (at 2000 flows/second, approximately 50 percent utilization for each processor). If you set the logging level to notice-5 or higher, the SCM utilization may peak at approximately 90 percent because each connection generates a redundant index mismatch log entry. For example:

AUG 7 14:12:15 3/1 1124272 SLR-5: Rejected. Redundant global rule index (7) not found. 

When you configure firewall load balancing (FWLB), you must configure the VIPs on the CSS that has the services directly connected to it or connected through a Layer 2 device. Do not configure content rules with VIPs on a CSS when the services are located on the other side of the firewall and connected to another CSS participating in FWLB. This type of configuration will result in asymmetric paths and could cause firewalls performing stateful inspection to tear down connections.

If you configure a CSS with the dns-server command, and the CSS receives a DNS query for a domain name that you configured on the CSS using the host command, the DNS query will not match on an ACL that is configured with the apply dns command.

However, if you configure a domain name on a content rule on a CSS using the add dns {domain name} command, a DNS query for that domain name will match on an ACL that is configured with the apply dns command.

With a portmapper logging level of 6, an Adaptive Session Redundancy (ASR) peer finds and logs that a port is still in use by another flow on the peer CSS. Cleanup messages of accounting reports from the master CSS may have been dropped and the entry remains until garbage collection cleans up the flow on the peer CSS. The new flow that uses this port will have the proper NATing information to support the connection.

When you use the ssl gencsr command to generate a Certificate Signing Request (CSR) file for an RSA key pair file, the generated request is in PKCS10 format.

When the SSL modules are receiving more traffic than they can handle, one module may have more errors than another. Once a module gets behind, it is not able to catch up, so it gets further behind. You may see a load imbalance between the two modules. This occurs because the Session Processor (SP) does not detect the status of the SSL modules. The SP continues to send flows to the SSL module even if it is not able to handle them. This does not include a condition by which the module completely fails. In that case, the CSS removes the module from service.

The request-line field type for the header-field command allows you to define the request line in an HTTP header for a header field group. When you attempt to access an Internet resource using your browser (for example, http://www.cisco.com), the browser issues a request for the resource in an HTTP header. The request line in an HTTP header contains the HTTP method (GET, HEAD, or POST), the request URI, and the HTTP version. A uniform resource identifier (URI) consists of a string of alphanumeric and sometimes special characters that identifies a resource on the Internet. The request line is a required HTTP header field.

For example, suppose an HTTP header contains the following URI:

http://www.foo.com/cgi-bin/some-app.pl?session=123456789123456789&user=CiscoUser&action=LoadBalanceMe&foo=bar

By creating a header field group and header field rules, you can configure a CSS to make a content rule selection based on a string in the URI. For example, you can configure a CSS to make a content rule selection based on the string LoadBalanceMe in the above URI using the following configuration:

header-field-group url 
	header-field urlString request-line contain "LoadBalanceMe"
owner arrowpoint 
	content rule UrlString 
		vip address 192.168.128.151 
		protocol tcp 
		port 80 
		url "/*" 
		add service server1 
		add service server2 
		header-field-rule url 
		active
	content rule2 
		vip address 192.168.128.151 
		protocol tcp 
		port 80 
		url "/*" 
		add service server21 
		add service server22 
		active

Dynamically changing the base port and range values through the global-portmap or noflow-portmap command may cause port conflicts on existing flows.

When developing XML code for the Content Application Program Interface (API) to issue CLI commands, note that the maximum number of characters per each tag set is 300.

When you configure TACACS+ on a CSS, note that the CSS does not authorize scripts through the TACACS+ server. Because the CSS transforms all XML commands into scripts, the CSS also does not authorize XML commands through the TACACS+ server.

When accessing the CSS OffDM menu from a terminal server, you must configure the client application to display 24 lines to enable the OffDM menu to display properly.

The CSS tears down the FTP control channel after 10 minutes of idle time. This teardown may occur during a file transfer if the transfer exceeds 10 minutes. This timeout applies only to active FTP (that is, it does not apply to PASV FTP). To increase the 10-minute timeout, use the flow-timeout-multiplier number command in owner-content mode on the associated content rule to configure the timeout to a value large enough to accommodate the expected duration of FTP file transfers. This command specifies the number of seconds for which an idle flow can exist before the CSS tears it down. Enter an integer for the number variable from 0 to 65533. The CSS multiplies the value you specify by 16 to calculate the flow timeout in seconds.

A fix for defect CSCdy19162 was introduced into software versions 7.10.3.05 and 7.20.1.04 that imposes a software version requirement on CSSs in an Adaptive Session Redundancy (ASR) configuration. The requirement states that both CSSs in an ASR configuration must be running software versions that either both contain the fix for CSCdy19162 or both do not contain the fix. That is, you cannot operate one CSS running a software version that contains the fix while the other CSS runs a software version that does not contain the fix.

If two ASR redundant CSS peers are running software versions of which one includes the fix for defect CSCdy19162 and the other does not, the backup CSS will not be aware of any dormant flows. Therefore, during a failover, all of the ASR flows will fail.

The keepalive tcp-close fin command may be applied to a maximum of 100 keepalives.

When you configure the expiration time and date for a location cookie using the location-cookie expiration command, the CSS CPU may spike and the CSS may experience a degradation in its performance. Configure the expiration option with the location-cookie command only when necessary.

When you configure the arrowpoint-cookie expiration command and the advanced-balance arrowpoint-cookie command, the CSS CPU may spike and the CSS may experience a degradation in its performance. Configure the arrowpoint-cookie expiration command only when necessary.

The following operating considerations apply to the CSS Web-based Device Management software:

To access the Device Management software, use the URL https://ip_address. For example: https://192.168.3.6. The "s" indicates a secure SSL connection.

The CSS Web-based Device Management software uses cookies for authentication. Your browser must have cookies enabled to obtain access to the Device Management pages. Cookies are created when you log in using the login page and are valid only for the current browser session. If the CSS does not find a cookie, it does not allow you to access any pages. If the CSS finds a cookie, it determines whether you have SuperUser or User privileges. You must have SuperUser privileges to access all pages. User privileges enable you to access only non-configuration pages. Use the username command to configure SuperUser and User privileges.

Always exit the browser after each device management session to clear the cache.

You must enable JavaScript in your browser for the Device Management software to work.

Navigation tree icons do not always display. The pages function correctly. Open a page by clicking on the corresponding text.

Device Management supports the following browsers:

Microsoft Internet Explorer version greater than 4.0

Netscape Communicator 4.51 and 4.71

Netscape Navigator 4.08

With Microsoft Internet Explorer 6.0, when a page is displayed and you highlight the page in the Address field and select carriage return, an Internet Explorer expired page appears. To redisplay the page, click Refresh in the browser navigation bar, then click Retry in the message box that appears.

Software Behavioral Differences

The following sections describe software behavioral differences made in software version 7.10.4.05 that also apply to 7.10.5.04:

General Software Behavioral Differences

Using the range Option with the global-portmap and noflow-portmap Commands

Using the commit_vip_redundancy and commit_redundancy Scripts without an IP Address

Matching Precedence for Layer 5 Rules

TCP Keepalive Packet Exchange

Change to the show keepalive Command

Enhancements to OSPF Functionality

General Software Behavioral Differences

This section describes general software behavioral differences that were introduced in software version 7.10:

The timeout value for a keepalive is related to the configured keepalive frequency. For version 7.10.3.05 and greater, the timeout is 2 seconds less than the keepalive frequency with a minimum of 1 second. Previously, the timeout was one second less than the keepalive frequency.

The group mode portmap number-of-ports number command defines the total number of ports in the portmap range for the entire CSS. Enter a number from 2048 to 63488. The default is 63488. This default value should be sufficient for most applications. If you enter a value that is not a multiple of 32, the CSS rounds up the value to the next possible multiple of 32.

The CSS allocates the total number of configured ports proportionally among all the Session Processors (SPs) in the CSS chassis according to the session processor relative weight value. To display the relative weight value of a session processor, enter the show chassis session-processors command.

The more modules you add to the CSS chassis, the less session processing the SP in the SCM performs and the fewer ports the CSS assigns to it. To display the number of ports that the CSS allocates to each module, enter the show group portmap command.

The ipRouteTable has been deprecated and has been replaced by ipCidrRouteTable.

Using the range Option with the global-portmap and noflow-portmap Commands

This section describes the functionality of the range option when used with the global-portmap and the noflow-portmap commands.

The range keyword for the global mode global-portmap command configures the total number of ports in the port-map range that the CSS allocates to each of the 16 megamap banks in each SP. Enter an integer from 2048 to 63488. The default is 63488. If you enter a value that is not a multiple of 32, the CSS rounds up the value to the next possible multiple of 32. Each megamap bank in an SP can use the full range of configured ports. Because of the unique source address hash that the CSS uses to select a megamap bank in an SP, more than one SP can use the same port number without a tuple collision. If you enter a range value that exceeds the number of available ports, you get an error. To determine the number of available ports, subtract the starting port number you specify from 65504.


Caution Dynamically changing the range value may cause port conflicts on existing flows.

The range keyword for the global mode noflow-portmap command configures the total number of ports in the port-map range that the CSS allocates to each SP. Each SP can use the full range of configured ports. Enter an integer from 2048 to 63488. The default is 63488. If you enter a value that is not a multiple of 32, the CSS rounds up the value to the next possible multiple of 32. If you enter a range value that exceeds the number of available ports, you get an error. To determine the number of available ports, subtract the starting port number from 65504.


Caution Dynamically changing the range value may cause port conflicts on existing flows.

Using the commit_vip_redundancy and commit_redundancy Scripts without an IP Address

This section describes how to use the commit_vip_redundancy and the commit_redundancy scripts without an IP address.

To eliminate the need to specify IP addresses each time you run the commit_vip_redundancy configuration synchronization script, you can set the value of two variables (LOCAL_VIPR_IP and REMOTE_VIPR_IP) to IP addresses and save them in your user profile. Once you set the variables and save them in your user profile, the variables will always be available after you log in to the CSS.

The IP addresses are the ones on which the Application Peering Protocol session occurs. Set the LOCAL_VIPR_IP variable to the circuit IP address of the local CSS. Set the REMOTE_VIPR_IP variable to the APP session IP address configured on the local CSS. The APP session address is the circuit IP address for the remote CSS. To set the variables, enter:

# set LOCAL_VIPR_IP "local_ip_address" session
# set REMOTE_VIPR_IP "remote_ip_address" session

To save the variable in your user profile, enter:

# copy profile user-profile

If you already created the MASTER_VIPR_IP and BACKUP_VIPR_IP variables in an earlier release, the script will use the new variables instead, if present.

To eliminate the need to specify a remote IP address each time you run the commit_redundancy configuration synchronization script, you can set the value of the variable REMOTE_IP to an IP address and save it in your user profile. Once you set the variable and save it in your user profile, the variable will always be available after you log in to the CSS.

Set the REMOTE_IP variable to the APP session IP address configured on the local CSS. The APP session address is the circuit IP address for the remote CSS. To set the variable, enter:

# set REMOTE_IP "remote_ip_address" session

To save the variable in your user profile, enter:

# copy profile user-profile

If you already created the BACKUP_IP variable in an earlier release, the script will use the new variable instead, if present.

Matching Precedence for Layer 5 Rules

The matching precedence for Layer 5 rule URLs has changed. In a Layer 5 content rule, the CSS matches the URL only after it has matched the IP address, protocol, and port. An HTTP header field group in a Layer 5 content rule makes the rule more specific than a rule that defines only a URL. Because content rules are hierarchical, if a request for content matches more than one rule, the characteristics of the most specific rule apply to the flow.

In software version 7.10.3.05 and greater, the CSS uses the following order of precedence to match Layer 5 rule URLs, with 1 being the highest precedence (the most specific match) and 10 the lowest.

1. Exact URL (for example, /test/index.html) with a header field group configuration.

2. Exact URL (for example, /test/index.html).

3. Wildcard URL length (for example, /test/ind* or /test/index.h*) with a header field group configuration.

4. Wildcard URL length (for example, /test/ind* or /test/index.h*).

5. Wildcard URL extension (for example, /test/*.html) with a header field group configuration.

6. Wildcard URL extension (for example, /test/*.html).

7. Wildcard Extension Qualifier List (for example, "/test/*" eql EQL_LIST) with a header field group configuration. For more information on Extension Qualifier Lists (EQLs), refer to the Cisco Content Services Switch Basic Configuration Guide.

8. Wildcard EQL (for example, "/test/*" eql EQL_LIST).

9. Wildcard URL (for example, /test/*) with a header field group configuration.

10. Wildcard URL (for example, /test/*).

In the following example, the content rules ruleWap and ruleNoWap are identical except ruleWap includes a header field group.

The content rule ruleWap matches any TCP port 80 traffic destined for VIP 192.168.128.151 that has the MSISDN field in the HTTP header, as defined in the header field group configuration.

The content rule ruleNoWap matches any TCP port 80 traffic destined for VIP 192.168.128.151 that does not have the MSISDN field in the HTTP header.

Because content rule ruleWap includes a header field group, the CSS will try to match on it before trying to match on content rule ruleNoWap.

header-field-group wap
   header-field 1 msisdn exist
owner arrowpoint
   content ruleWap
     vip address 192.168.128.151
     protocol tcp
     port 80
     url "/*"
     add service server1
     add service server2
     header-field-rule wap
     active
   content ruleNoWap
     vip address 192.168.128.151
     protocol tcp
     port 80
     url "/*"
     add service server21
     add service server22
     active

For more information on configuring content rules and HTTP header field groups, refer to the Cisco Content Services Switch Basic Configuration Guide.
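The following Python model of the precedence order is an added example written for this release note; it is not CSS code. It classifies each url pattern into the five documented kinds, ranks a rule from 1 to 10 exactly as in the list above (a header field group lifts a rule one step), and picks the most specific matching rule for a request. Two simplifications are assumptions for illustration: a header field group is reduced to "these header fields must exist" (the msisdn exist form used by ruleWap), and because this note does not say how the CSS breaks a tie between two rules of equal precedence, the model keeps configuration order. ruleWap and ruleNoWap are the rules from the configuration above; the extra /test/ rules in EXAMPLE_RULES are constructed so that every tier is exercised.

```python
from dataclasses import dataclass

# Pattern kinds in the order the release note lists them, most specific first.
TIERS = ("exact", "length", "extension", "eql", "wildcard")


@dataclass(frozen=True)
class ContentRule:
    name: str
    url: str                                   # the url "..." statement of the rule
    eql: frozenset = frozenset()               # extensions when the url carries "eql LIST"
    header_fields: frozenset = frozenset()     # header-field-group entries "<name> exist" (assumption)

    def tier(self) -> str:
        """Classify the url pattern into one of the five documented kinds."""
        if "*" not in self.url:
            return "exact"                     # /test/index.html
        head, _, tail = self.url.partition("*")
        if tail.startswith("."):
            return "extension"                 # /test/*.html
        if self.eql:
            return "eql"                       # "/test/*" eql LIST
        if head.endswith("/"):
            return "wildcard"                  # /test/*
        return "length"                        # /test/ind* or /test/index.h*

    def precedence(self) -> int:
        """1 is the most specific, 10 the least; a header field group lifts a rule one step."""
        return 2 * TIERS.index(self.tier()) + (1 if self.header_fields else 2)

    def matches(self, path: str, headers: frozenset) -> bool:
        """True when the request path and the header fields present satisfy this rule."""
        if not self.header_fields <= headers:
            return False
        kind = self.tier()
        if kind == "exact":
            return path == self.url
        head, _, tail = self.url.partition("*")
        if not path.startswith(head):
            return False
        if kind == "extension":
            return path.endswith(tail)
        if kind == "eql":
            last = path.rsplit("/", 1)[-1]
            return "." in last and last.rsplit(".", 1)[1] in self.eql
        return True                            # length and wildcard: the prefix is enough


def select_rule(rules, path, headers=frozenset()):
    """Return the most specific matching rule, or None. Equal precedence keeps configuration order."""
    candidates = [r for r in rules if r.matches(path, headers)]
    return min(candidates, key=lambda r: r.precedence(), default=None)


# ruleWap and ruleNoWap come from the configuration above; the /test/ rules are constructed.
EXAMPLE_RULES = (
    ContentRule("ruleWap", "/*", header_fields=frozenset({"msisdn"})),
    ContentRule("ruleNoWap", "/*"),
    ContentRule("ruleIndex", "/test/index.html"),
    ContentRule("ruleInd", "/test/ind*"),
    ContentRule("ruleHtml", "/test/*.html"),
    ContentRule("ruleEql", "/test/*", eql=frozenset({"htm", "txt"})),
    ContentRule("ruleTest", "/test/*"),
)


def winner(path, headers=frozenset()):
    """Name of the rule in EXAMPLE_RULES that the request would hit, or None."""
    rule = select_rule(EXAMPLE_RULES, path, headers)
    return rule.name if rule else None


if __name__ == "__main__":
    requests = (("/test/index.html", ()), ("/test/index.htm", ()), ("/test/page.html", ()),
                ("/test/page.txt", ()), ("/other/x", ()), ("/other/x", ("msisdn",)))
    for path, hdrs in requests:
        print(path, sorted(hdrs), "->", winner(path, frozenset(hdrs)))
```

Running it shows a request for /test/index.html landing on the exact rule even though four wildcard rules also match it, and a request carrying an MSISDN header falling to ruleWap rather than ruleNoWap, which is the behavior described above.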

TCP Keepalive Packet Exchange

In software versions 5.20.xx, 7.10.0.xx, 7.10.1.xx, 7.10.2.xx, and 7.20.0.xx, the packet exchange for a TCP keepalive was inadvertently changed when support for an increased number of keepalives was introduced. In those versions the exchange is Syn, Syn-Ack, Rst.

In software versions 7.10.3.05 and greater and 7.20.1.04 and greater, the packet exchange for a TCP keepalive was corrected to Syn, Syn-Ack, Ack, Rst-Ack.

Change to the show keepalive Command

The behavior of the show keepalive command has changed due to a code fix for CSCeb30454. When two sessions (for example, console, SSH, or Telnet) access keepalive data at the same time and one session modifies that data (for example, by clearing a service or a keepalive) while the other session is displaying it, the CSS may abort the show keepalive command in the displaying session because the configuration changed. This is most likely to occur when the data being displayed is removed by the command issued in the other session. If the CSS aborts the command, it displays the message:

"Command Aborted!!! Configuration changed. Please reissue command."

Enhancements to OSPF Functionality

The CSS OSPF functionality now examines configuration parameters (such as service configurations in content rules, keepalive behavior, VIP redundancy configurations, and whether services are active or suspended) to make accurate advertisement decisions on VIPs.

Specified routes related to VIPs are only advertised if both of the following conditions are true:

1. At least one of the related VIPs in a content rule or source group is active.

2. At least one service related to an active VIP is available on a content rule.

If you configured the CSS for box-to-box redundancy, be aware that only the master CSS (not the backup CSS) advertises the VIP.

It is recommended that you use a /32 prefix in the ospf advertise command to specify each VIP individually. Specifying an entire subnet does not allow the CSS to make proper decisions about advertising the VIPs: the advertised prefix must match a VIP range or fit entirely within it. If the ospf advertise range only overlaps a VIP range, encapsulates it (that is, is larger than it), or does not match it, the route is advertised unconditionally.

The following flow chart shows the steps required for OSPF to advertise an IP address. If the IP address is a VIP, the flowchart shows the conditions that must be met for OSPF to advertise the VIP.
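The decision described above, written out as an added Python function for this release note (not CSS code). It treats an advertised prefix as gated by a VIP only when the prefix fits entirely inside that VIP's address range, applies the two conditions and the box-to-box rule, and otherwise reports the route as advertised unconditionally, which is the case that the /32 recommendation exists to avoid. Representing a VIP as a start address plus a count of consecutive addresses (the vip address X range N form) is an assumption made here; the content rules and prefixes in CONSTRUCTED_RULES and CONSTRUCTED_ADVERTISES are made up, and source groups are not modelled.

```python
import ipaddress


def prefix_within_vip(prefix, vip_start, vip_count=1):
    """True when every address of prefix lies inside the VIP range that starts at
    vip_start and spans vip_count consecutive addresses (vip address X range N)."""
    lo = int(ipaddress.ip_address(vip_start))
    hi = lo + vip_count - 1
    return lo <= int(prefix.network_address) and int(prefix.broadcast_address) <= hi


def ospf_advertise_decision(advertise_prefix, content_rules, box_to_box_role="master"):
    """Decide whether the CSS advertises advertise_prefix.

    content_rules: list of dicts with keys vip, range, active and services,
    where services is a list of (name, available) pairs.
    Returns (advertised, reason)."""
    prefix = ipaddress.ip_network(advertise_prefix, strict=False)
    gating = [r for r in content_rules
              if prefix_within_vip(prefix, r["vip"], r.get("range", 1))]
    if not gating:
        # Overlapping, larger than, or unrelated to every VIP range: the CSS cannot
        # tie the route to VIP state, so the route goes out regardless of that state.
        return True, "unconditional: prefix does not match or fit within a VIP range"
    if box_to_box_role != "master":
        return False, "backup CSS in box-to-box redundancy does not advertise the VIP"
    active = [r for r in gating if r["active"]]
    if not active:
        return False, "condition 1 not met: no active content rule for this VIP"
    if not any(available for r in active for _, available in r["services"]):
        return False, "condition 2 not met: no available service on an active content rule"
    return True, "VIP active with at least one available service"


def audit_advertises(advertise_prefixes, content_rules, box_to_box_role="master"):
    """Map each ospf advertise prefix to its decision, to spot ranges that bypass the VIP checks."""
    return {p: ospf_advertise_decision(p, content_rules, box_to_box_role)
            for p in advertise_prefixes}


# Constructed configuration: one healthy VIP and one VIP whose services are all down.
CONSTRUCTED_RULES = [
    {"vip": "192.168.128.151", "range": 1, "active": True,
     "services": [("server1", True), ("server2", False)]},
    {"vip": "192.168.128.160", "range": 4, "active": True,
     "services": [("server21", False), ("server22", False)]},
]
CONSTRUCTED_ADVERTISES = ["192.168.128.151/32", "192.168.128.162/32", "192.168.128.0/24"]


if __name__ == "__main__":
    for prefix, (advertised, why) in audit_advertises(CONSTRUCTED_ADVERTISES, CONSTRUCTED_RULES).items():
        print(f"{prefix:20} {'advertised' if advertised else 'withheld':10} {why}")
```

The third constructed prefix is the trap the text warns about: 192.168.128.0/24 is larger than either VIP range, so it is advertised even while the second VIP has no usable service, and a /32 per VIP is what makes the withheld decision possible.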

Software Version 7.10.5.04 Open Caveats, Resolved Caveats, and Command Changes

The following sections contain the open caveats, resolved caveats, and command changes in software version 7.10.5.04:

Software Version 7.10.5.04 Open Caveats

Software Version 7.10.5.04 Resolved Caveats

Software Version 7.10.5.04 Command Changes

Software Version 7.10.5.04 Open Caveats

The following caveats apply to the CSS 11501, CSS 11503, and CSS 11506:

CSCed06619 - When you configure the CSS with Session Level Redundancy (SLR) using source groups and a passive FTP connection is initiated through the source group, the CSS may reboot when the connection is torn down.

CSCed09529 - The CSS reboots after a source group is suspended and its portmap number of ports is changed to a low value while the group still has many open mappings.

CSCed21769 - Using VIP and interface redundancy in one Global Server Load Balancing (GSLB) site and using a single CSS in another GSLB site causes the load to be reported incorrectly after you suspend and activate a content rule.

CSCeb29602 - The SNMPv1 version of chassisMgrExt.mib and apent.mib may not load correctly in some network management systems.

CSCdy35383 - The Cisco 11000 series CSS MIBs are not posted on CCO. Workaround: Use an FTP program with a graphical user interface to copy the MIBs from the MIBs directory on your CSS to your management station, then load them into the management station.

CSCed38249 - When a CSS receives multiple load reports for a GSLB service, the reported load may be incorrect. The CSS may receive multiple load reports for a service if the load reports are received from a pair of CSSs that have a redundant VIP configured for the service.

CSCed40192 - The CSS may queue up more blocks of data than it can send to the hardware. This may cause the 'Too Many Blocks for Block2AccelFragmentArray' counter to increment.

CSCed49849 - If a critical service in an ASR configuration transitions under a heavy load, causing both redundancy and an ASR failover, the redundancy transition may cause the CSS to reboot.

CSCed51417 - The CSS considers a service to be down if the service is configured with an HTTP keepalive and the only response from the keepalive is HTTP/1.0 200OK. The CSS should interpret this as a valid response to an HTTP keepalive and consider the service as up. Workaround: Configure the service keepalive type as non-persistent using the keepalive type http non-persistent command.

CSCed51715 - In a VIP and virtual interface redundancy configuration, if you configure a virtual router (VR) on the local CSS but not on the remote CSS when you run the commit_VipRedundConfig script, the script copies the local VR and its priority to the remote CSS. Because both the local and the remote VRs now have the same priority, priority is not used to determine the master. In this case, the CSS with the lower IP address becomes the master. If you want to determine mastership based on priority, then manually configure the remote CSS priority as desired.

CSCed52992 - When doing an SNMP NEXT through the apSvcTable from the svcExt.mib, the CSS SCM CPU may spike to high levels and remain high for long periods of time. This issue is related to the number of configured services.

CSCed61321 - The CSS may reboot due to an incorrect packet received by a device.

CSCed64240 - The CSS reboots at Task Level Exc in LogPrintAgent.

CSCed64614 - The ap-kal-dns keepalive script fails when used with the dnsflow disable command and you add a service to a source group. The workaround is to remove the DNS server from the source group.

CSCec67557 - When the CSS backend-remaps a persistent connection, an ACL check does not occur. This prevents the backend connection from being NAT'd properly.

CSCec81039 - The flow statistics command displays invalid active flow counts per port. The counts increase, but do not decrease.

CSCec83724 - When you use source groups on the CSS in an ASR environment, the number of eligible and usable ports for portmapping decreases.

Software Version 7.10.5.04 Resolved Caveats

The following caveats were resolved in software version 7.10.5.04:

CSCed00734 - If you change a keepalive on a service from keepalive type script to keepalive type ssl without first suspending the service, the service will go into a DOWN state indefinitely.

CSCec01380 - The CSS sends 302 redirects with an incorrect URL in response to a CONNECT.

CSCed01717 - When you configure a service using the type ssl-accel-backend command and the redundant-index command, the CSS displays an incorrect error message.

CSCed01770 - When you configure the CSS for Global Server Load Balancing (GSLB) and use the dns-record a kal-ap threshold command (with the threshold default of 254) and the CSS receives NXDOMAIN responses for a dns-record with a content rule that contains only one service and that service reaches a load level of 254, the CSS does not transition down the service.

CSCed02951 - If you issue the no ssl associate cert command, place a new certificate on the CSS, and then issue the ssl associate cert command, if the new certificate is larger than the previous certificate, the CSS reboots.

CSCed03090 - A stack overflow may occur on some processes on the SSL module, including TimerTask and SslTx. This may cause these processes to fail.

CSCec07321 - When using ASR (Adaptive Session Redundancy), if the backend server goes down due to having a cable removed from the Layer 2 switch, the CSS does not send UDP traffic.

CSCeb12522 - On a CSS configured as a PDB, the PDB functionality may hang. To recover, you must reboot the CSS. This situation occurs when you issue the proximity commit ftp command and the FTP server does not allow PUT.

CSCed13555 - In a VIP redundancy configuration, when CSS-A (master) fails over to CSS-B (backup), and then CSS-B fails back over to CSS-A, if flowy traffic hits CSS-B, the ARP entry on CSS-B that should point to CSS-A, may be missing, and traffic is dropped. If non-flowy traffic hits CSS-B, the ARP request is sent out and traffic is forwarded properly.

CSCed15825 - The CSS reboots when the following three conditions are true. Under these conditions, the CSS uses the wrong host information to send the DNS keepalive packet to itself (the circuit IP address).

1. No management port IP address or subnet mask is configured (that is, the address is 0.0.0.0).

2. The CSS is configured with the app-udp command.

3. The CSS is configured with a dns-record command that contains a keepalive pointing to the CSS circuit IP address.

CSCec16679 - SNMP lexicographical ordering is incorrect in various MIBs locations.

CSCec16689 - When you configure a blackhole route to the same IP subnet on which a firewall route has as its next hop, shutting down the IP interface or unplugging the cable from the interface to that next hop may cause the CSS to reboot.

CSCec17121 - When disabling the dns-server, the console or a telnet session may lock up.

CSCin18392 - The apPortCopy table does not properly copy files when an absolute path is provided.

CSCed20671 - The string range command searches on one less byte than the range maximum. The range should be 1 to 100, but the CSS only searches on a range of 1 to 99.

CSCed21013 - SSL connections that are terminated on a CSS may have trailing data added to them after being decrypted. This added data may confuse the servers on the back-end, causing application errors.

CSCed25009 - When you configure a content rule with application ssl and use an advanced-balance method that employs the sticky database, the CSS does not distribute sticky database entries properly to modules in the chassis, which causes connections to fail because they are not directed to the correct server.

CSCed29795 - SSL connections terminated on a CSS may have trailing data added after being decrypted. This may cause confusion to the servers on the back-end and lead to application errors.

CSCed26264 - If you do not configure an IP address for the management port, an SNMP GET of ifOperStatus returns invalid data (that is, a value of 0).

CSCed26299 - Using ACLs and source groups to NAT client traffic fails for traffic destined to an SSL content rule that uses an SSL module. The CSS matches the ACL, but does not NAT the client's source IP address. The result is that one-armed topologies do not function properly for specific SSL content rules. The workaround is to configure the source group using the add destination service command instead of using ACLs.

CSCec28308 - The CSS sends mails with a line feed (\n) that does not contain a preceding carriage return (\r). This causes mail to be rejected by qmail.

CSCed29953 - The CSS does not set up flows for TCP port 520.

CSCec30587 - SSHv1 connections into the CSS leak 3277 bytes of memory. Over time, the CSS may run low on memory.

CSCed32955 - After power-cycling the Cat2950, the Rx counter on the CSS port stops incrementing. The Tx counter functions properly. The workaround is to reboot the CSS. To avoid this issue, configure both the Cat2950 and the CSS for a speed of 10 megabits per second.

CSCec38220 - When the CSS is configured for SSL termination, the SSL module may send the decrypted traffic in a TCP packet with a bad checksum.

CSCed39121 - When you run the commit_redundancy or commit_vip_redundancy scripts, the OSPF area settings on the circuit may be removed from the remote CSS.

CSCed41281 - During bootup, the CSS may receive multiple entries for processors in the chassis, which causes certain commands to time out while waiting for responses from modules even though the modules have already responded. The workaround is to reboot the CSS.

CSCec45381 - When the Resource Manager Essentials (RME) software 3.5 performs a config archive and uses SSH login to the CSS, it performs the archive successfully, but generates the following two messages in the sys.log:

******* 
SEP 29 10:53:44 1/1 361 NETMAN-4: Accepted without authentication for admin from 
172.16.123.78 port 59514 
SEP 29 10:53:46 1/1 366 NETMAN-4: Disconnecting: Corrupted checked bytes on input. 
******* 

CSCec45497 - In an ASR configuration, source port resources may leak after a failover occurs and the CSS cleans up the flows.

CSCed46905 - The SSL module allows only a finite number of SSL/TLS backend connections before it stops passing traffic. All cipher suites are affected. To recover, reboot the CSS. Workarounds are to disable backend SSL/TLS or to use a smaller certificate on the IIS server.

CSCed47022 - When running high amounts of sustained traffic on two SSL modules, tasks may become suspended and the CSS may reboot.

CSCea47419 - A custom script opens port 443 on one server and sends an SNMP request to another server. With 12 to 16 services using this script, every 5 to 15 minutes, a service goes into the Dying state while waiting for the SNMP reply (which was already received). This caveat is caused by a timing issue in the waitfor script command.

CSCec48758 - OSPF only advertises a VIP host route if regular services are active. If regular services are not active and the Primary Sorry Server is active, the VIP route is not advertised. This issue prevents access to the Sorry Server.

CSCec49123 - When the CSS cannot forward a packet because of an unresolved ARP, the buffer in which the packet was received may leak when the ARP times out.

CSCed49253 - The CSS may reboot if an alert needs to be sent during a client hello.

CSCec54416 - A buffer may not be transmitted to a hardware queue when the queue is full (known as a transmit abort). The CSS should free the buffer back into the free pool.

CSCec55690 - When SPAN is configured on a port, certain types of ingress traffic may eventually cause the Session Processor (SP) to stop processing flows. Reboot the CSS to recover from this situation.

CSCec58376 - If you have a static ARP entry using an IP address that is identical to a circuit IP address, the CSS reboots. Static ARP entry IP addresses, circuit IP addresses, and source group IP addresses must all be unique. The CSS does not allow you to configure identical IP addresses for these configuration parameters.

CSCeb59662 - The CSS should time out idle GUI connections, but does not. Also, you should be able to show the GUI sessions in use and to disconnect GUI sessions, but cannot.

CSCec59890 - When a CSS is configured with persistent reset remap and a Layer 5 content rule configured with no persistent, advanced-balanced cookies, and sticky-no-cookie-found-action and receives on a persistent connection an HTTP GET with no cookie, it does not re-load balance to select a new service. The CSS keeps the connection on the previous sticky server, which is incorrect.

CSCeb61316 - If an XML document that is not terminated with a carriage return line feed (CRLF) is uploaded to a CSS 11500, it will fail and the following message will be logged:
"httpRpmPut: Not a well-formed XML document".

CSCec64389 - If the CSS is configured for SSL termination with export ciphers contained in the configuration, the CSS may log the error: SSLACCEL-3:CRYPTO HARDWARE RESET. The CSS would then experience slow, stalled SSL connections and may reboot.

CSCec65326 - If you do not configure an IP address or subnet mask for the management port and the SNMP trap is an enterprise trap, 0.0.0.0 is used as the agent IP address in the trap.

CSCec68022 - When any remote command is performed (either manually or by running the config_sync script) and the primary SCM is in slot 2, the CSS reboots.

CSCec73591 - The show ip forwarding debug mode command may cause the CSS to reboot if the table is too large. In addition, the data displayed may be incomplete.

CSCec73612 - The CSS reboots when OSPF submits greater than 15 equal cost routes to a single destination.

CSCeb73970 - Using the ssl gencert command causes the CSS to generate a certificate with valid dates from 12/31/1960 to 1/30/1970 or 1/01/1970 to 1/31/1970 instead of using the actual date corresponding to the internal CSS clock.

CSCec74453 - CDP packets are bridged by the CSS, but they should not be bridged.

CSCec77158 - The CSS reboots when you issue the no ssl associate command and then suspend and activate the service.

CSCeb77234 - After the CSS experiences a transition in a VIP redundancy configuration, UDP flows initiated from a backend server are unNAT'd.

CSCdy79571 - The CSS may not detect the proper number of modules installed in a chassis. This may result in internal broadcast messages being sent to the slots that do not exist, which leads to unexpected behavior on the CSS and causes the CSS to display the following messages:

FP_DRV-4: PrismImmFastPath::Send: TxToQueue Failure
FP_DRV-3: PrismBufferDebug: (Buffer Pool: 2) Xfer of ownership error on buffer 
Xfer activity FROM:DEALLOC TO: DEALLOC 

CSCec80040 - If you configure the CSS using the advanced-balance method (which uses the sticky table) and the calculated sticky hash key is zero, the CSS reboots.

CSCec80045 - Service maximum connections may be overrun when traffic hits a content rule that is configured for stickiness.

CSCec80913 - An SNMP NEXT of the apChassisMgrExtSubModuleTable causes the CSS to reboot if you use an invalid slot/subslot to index the table.

CSCec80987 - The CSS may reboot due to freeing an internal communication buffer.

CSCec85000 - The CSS does not perform lookups with a suffix appended to a requested name even if you configure a dns suffix.

CSCec86444 - In a chunked encoding transfer header, the CSS incorrectly interprets the string as case sensitive and fails if any of the characters are capitalized.

CSCec86501 - When a script contains a quoted string that is greater than 255 characters and is used by a scripted keepalive, the CSS reboots.

CSCec88084 - The CSS stops translating sequence numbers on the FTP control connection after a FIN packet.

CSCec89210 - When you configure a CSS with a static route that is identical to a learned OSPF route (network LSA), the OSPF route correctly takes precedence. However, if the CSS loses the OSPF route, the blackhole route is not injected into the routing table.

CSCec89216 - On a CSS 11503 or a CSS 11506 configured for active FTP with destination services specified in a source group, if the FTP control channel and data channel are handled by different slots, the CSS may fail to clean up portmap entries.

Software Version 7.10.5.04 Command Changes

Table 3 lists the commands and options that have been added in software version 7.10.5.04.

Table 3 CLI Commands Added in Version 7.10.5.04  

Mode
Command and Syntax
Description

Global

idle timeout web-mgmt minutes

no idle timeout web-mgmt

The new web-mgmt option sets the maximum amount of idle time for active web management sessions.

The minutes variable is the maximum time in minutes. Enter a number from 0 to 65535. The default is 0, disabling the timeout.

tacacs-server send-full-command

no tacacs-server send-full-command

The new send-full-command option enables the CSS to expand user-executed abbreviated commands to their full command syntax before sending them to the TACACS+ server.

Use the no form of the command to reset the default behavior of sending user-executed commands exactly as entered to the TACACS+ server without expanding abbreviated commands.

Keepalive

tcp-close fin|rst

Specifies a global keepalive to close a TCP socket with a FIN or a RST.

The fin keyword specifies that the keepalive closes the TCP socket with a FIN rather than a RST.

The rst keyword specifies that the keepalive closes the TCP socket with a RST (default).

By default and in compliance with RFC 1122, the CSS sends a reset (RST) to close the socket on a server port for TCP keepalives. A RST is faster than a FIN, because a RST requires only one packet, while a FIN can take up to four packets. If your servers require a graceful closing of a socket using a FIN, use the tcp-close fin command.

Service

keepalive tcp-close fin|rst

The new tcp-close option specifies a service keepalive to close a TCP socket with a FIN or a RST.

The fin keyword specifies that the keepalive closes the TCP socket with a FIN rather than a RST.

The rst keyword specifies that the keepalive closes the TCP socket with a RST (default).

By default and in compliance with RFC 1122, the CSS sends a reset (RST) to close the socket on a server port for TCP keepalives. A RST is faster than a FIN, because a RST requires only one packet, while a FIN can take up to four packets. If your servers require a graceful closing of a socket using a FIN, use the keepalive tcp-close fin command.

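The TCP keepalive packet exchange described earlier and the tcp-close fin|rst option above both come down to how the probing side ends the connection after the handshake. The following Python probe is an added example written for this release note, not CSS code, and it models only the client end of the keepalive. It completes the handshake (Syn, Syn-Ack, Ack) and then either aborts with an RST, by setting SO_LINGER with a zero linger time before close() (standard Linux and BSD socket behavior), or closes normally with a FIN. The throwaway local listener and the port it uses are constructed so the example runs offline, and the listener reports what a server sees in each case: a recv() that fails with a connection reset after the RST close, and an orderly end of stream after the FIN close.

```python
import socket
import struct
import threading


def tcp_keepalive_probe(host, port, close_with="rst", timeout=2.0, before_close=None):
    """Complete a three-way handshake to host:port, then close the socket with an
    RST (default, as the CSS does) or a FIN. Returns "alive" or "dead".
    before_close is a hook the demo uses to be sure the listener has accepted
    the connection before it is torn down."""
    if close_with not in ("rst", "fin"):
        raise ValueError("close_with must be 'rst' or 'fin'")
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))            # Syn, Syn-Ack, Ack
    except OSError:                           # refused, timed out, unreachable
        sock.close()
        return "dead"
    if before_close is not None:
        before_close()
    if close_with == "rst":
        # SO_LINGER with l_onoff=1 and l_linger=0 makes close() abort the
        # connection with a single RST instead of starting a FIN exchange.
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
    sock.close()                              # FIN path: ordinary close sequence
    return "alive"


def _observe_close(listener, seen, accepted):
    """Constructed test server: accept one connection and record how the peer ended it."""
    conn, _ = listener.accept()
    accepted.set()
    with conn:
        try:
            seen.append("fin" if conn.recv(16) == b"" else "data")
        except ConnectionResetError:
            seen.append("rst")


def probe_local_listener(close_with):
    """Run the probe against a throwaway local listener.
    Returns (probe_result, how_the_server_saw_the_close)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    seen, accepted = [], threading.Event()
    server = threading.Thread(target=_observe_close, args=(listener, seen, accepted))
    server.start()
    result = tcp_keepalive_probe("127.0.0.1", port, close_with,
                                 before_close=lambda: accepted.wait(2.0))
    server.join(5.0)
    listener.close()
    return result, (seen[0] if seen else "none")


def probe_closed_port():
    """Probe a port that was just released, so nothing is listening on it."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return tcp_keepalive_probe("127.0.0.1", port)


if __name__ == "__main__":
    for mode in ("rst", "fin"):
        print(mode, probe_local_listener(mode))
    print("closed port", probe_closed_port())
```

The rst case is what a server sees from the default keepalive; if an application logs or counts connection resets, those log entries are the keepalive, not an attack, and the fin case is what keepalive tcp-close fin turns them into.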

Software Version 7.10.4.05 Open Caveats, Resolved Caveats, and Command Changes

The following sections contain the open caveats, resolved caveats, and command changes in software version 7.10.4.05:

Software Version 7.10.4.05 Open Caveats

Software Version 7.10.4.05 Resolved Caveats

Software Version 7.10.4.05 Command Changes

Software Version 7.10.4.05 Open Caveats

The following caveats apply to the CSS 11501, CSS 11503, and CSS 11506:

CSCec01380 - The CSS sends 302 redirects with an incorrect URL in response to a CONNECT.

CSCec07321 - When using ASR (Adaptive Session Redundancy), if the backend server goes down due to having a cable removed from the Layer 2 switch, the CSS does not send UDP traffic.

CSCeb12522 - On a CSS configured as a PDB, the PDB functionality may hang. To recover, you must reboot the CSS. This situation occurs when you issue the proximity commit ftp command and the FTP server does not allow PUT.

CSCec16679 - SNMP lexicographical ordering is incorrect in various MIBs locations.

CSCec16689 - When you configure a blackhole route to the same IP subnet on which a firewall route has as its next hop, shutting down the IP interface or unplugging the cable from the interface to that next hop may cause the CSS to reboot.

CSCec17121 - When disabling the dns-server, the console or a telnet session may lock up.

CSCeb25077, CSCed25009 - If an SSL handshake message spans an SSL record and a TCP packet, a handshake failure occurs.

CSCec28308 - The CSS sends mails with a line feed (\n) that does not contain a preceding carriage return (\r). This causes mail to be rejected by qmail.

CSCeb28397 - If you issue the redundancy force-master command multiple times when running the CSS in a box-to-box configuration, the backup CSS may not bring down its interfaces correctly. The new master CSS then logs a duplicate IP address. The backup CSS shows the circuit as disabled, but the IP address is still listed. The master CSS continues to log duplicate IP addresses from the backup CSS until you reboot the master CSS.

CSCeb29602 - The SNMPv1 version of chassisMgrExt.mib and apent.mib may not load correctly in some network management systems.

CSCec30587 - SSHv1 connections into the CSS leak 3277 bytes of memory. Over time, the CSS may run low on memory.

CSCdy35383 - The Cisco 11000 series CSS MIBs are not posted on CCO. Workaround: Use an FTP program with a graphical user interface to copy the MIBs from the MIBs directory on your CSS to your management station, then load them into the management station.

CSCec37282 - Older revisions of SSL modules may contain a bad pointer, which causes the CSS to reboot.

CSCec38220 - When the CSS is configured for SSL termination, the SSL module may send the decrypted traffic in a TCP packet with a bad checksum.

CSCec45381 - When the Resource Manager Essentials (RME) software 3.5 performs a config archive and uses SSH login to the CSS, it performs the archive successfully, but generates the following two messages in the sys.log:

******* 
SEP 29 10:53:44 1/1 361 NETMAN-4: Accepted without authentication for admin from 
172.16.123.78 port 59514 
SEP 29 10:53:46 1/1 366 NETMAN-4: Disconnecting: Corrupted checked bytes on input. 
******* 

CSCec45497 - In an ASR configuration, source port resources may leak after a failover occurs and the CSS cleans up the flows.

CSCea47419 - A custom script opens port 443 on one server and sends an SNMP request to another server. With 12 to 16 services using this script, every 5 to 15 minutes, a service goes into the Dying state while waiting for the SNMP reply (which was already received). This caveat is caused by a timing issue in the waitfor script command.

CSCec48758 - OSPF only advertises a VIP host route if regular services are active. If regular services are not active and the Primary Sorry Server is active, the VIP route is not advertised. This issue prevents access to the Sorry Server.

CSCec49123 - When the CSS cannot forward a packet because of an unresolved ARP, the buffer in which the packet was received may leak when the ARP times out.

CSCeb59662 - The CSS should time out idle GUI connections, but does not. Also, you should be able to show the GUI sessions in use and be able to disconnect GUI sessions, but can not.

CSCec59890 - When a CSS is configured with persistent reset remap and a Layer 5 content rule configured with no persistent, advanced-balanced cookies, and sticky-no-cookie-found-action and receives on a persistent connection an HTTP GET with no cookie, it does not re-load balance to select a new service. The CSS keeps the connection on the previous sticky server, which is incorrect.

CSCeb61316 - If an XML document that is not terminated with a carriage return line feed (CRLF) is uploaded to a CSS 11500, it will fail and the following message will be logged:
"httpRpmPut: Not a well-formed XML document".

CSCeb61726 - Redirecting the socket inspect command to a file corrupts the data contained in the socket buffer.

CSCec64389 - If the CSS is configured for SSL termination with export ciphers contained in the configuration, the CSS may log the error: SSLACCEL-3:CRYPTO HARDWARE RESET. The CSS would then experience slow, stalled SSL connections and may reboot.

CSCec67036 - The CSS incorrectly inserts a new ArrowPoint cookie into a response packet.

CSCec67557 - When the CSS backend-remaps a persistent connection, an ACL check does not occur. This prevents the backend connection from being NAT'd properly.

CSCec68022 - When any remote command is performed (either manually or by running the config_sync script) and the primary SCM is in slot 2, the CSS reboots.

CSCeb77234 - After the CSS experiences a transition in a VIP redundancy configuration, UDP flows initiated from a backend server are unNAT'd.

CSCec73591 - The show ip forwarding debug mode command may cause the CSS to reboot if the table is too large. In addition, the data displayed may be incomplete.

CSCec73612 - The CSS reboots when OSPF submits greater than 15 equal cost routes to a single destination.

CSCec73646 - The CSS experiences an error in internal message processing when two processes attempt to modify the same buffer.

CSCec74453 - CDP packets are bridged by the CSS, but they should not be bridged.

CSCec80913 - An SNMP NEXT of the apChassisMgrExtSubModuleTable causes the CSS to reboot if you use an invalid slot/subslot to index the table.

CSCec80940 - A CSS 11500 does not return any data when polling the MIB-II ipRouteTable (.1.3.6.1.2.1.4.21) using SNMP.

CSCec80987 - The CSS may reboot due to freeing an internal communication buffer.

CSCec81039 - The flow statistics command displays invalid active flow counts per port. The counts increase, but do not decrease.

CSCeb83566 - Fragments sent to the Ethernet management port may cause the CSS to reboot.

Software Version 7.10.4.05 Resolved Caveats

The following caveats were resolved in software version 7.10.4.05:

CSCec01157 - Using the 'search' option in the 'more' functionality may cause the CSS to reboot.

CSCec01457 - The CSS may reboot when you issue the no trunk command.

CSCdy01722, CSCdy26214, CSCea76800 - When you configure two default routes with different metrics and the default route with the lower metric goes down, flows using the lower-metric route may be torn down and not remapped to the new default route with the higher cost metric.

CSCec04009 - The apLogSubSystemTable from the logExt.mib was not returned in SNMP lexicographical order, which caused an error when attempting a SNMP walk on the enterprises OID.

CSCec04320 - An SNMP walk of the apSvcTable does not always return all configured services.

CSCec06292 - With non-128 bit Microsoft IE browsers that offer both 40-bit and 56-bit ciphers in the Client Hello, the CSS configures the 56-bit ciphers with a higher weight on the SSL module, but the Server Hello communicates a 40-bit cipher, if selected.

CSCec10173 - In the show sticky-table output on a CSS 11500, you can see different values in the hitcount/time elapsed field. These values should be the same on all modules.

CSCec11862 - The CSS may incorrectly show services in a suspended state.

CSCec13344 - If you run the commit_redundancy script using the -int option, the redundancy-phy settings are removed from the remote CSS.

CSCdx14704 - If a content rule has all services of type redirect and the load balancing algorithm is balance weightedrr (weighted roundrobin), load balancing is not performed using weighted roundrobin, but instead uses roundrobin as the balancing mechanism. Previously, the only load balancing method that worked on a content rule with only redirect services was roundrobin. Added the ability to use balance weightedrr on this type of content rule as well.

CSCec22205 - Running the Nessus port scanner against the CSS may cause the CSS to reboot.

CSCec22850 - While at the -more- prompt, data that you enter may overrun the internal buffer, causing memory corruption, which causes the CSS to reboot.

CSCec23297 - The CSS may reboot when it receives a sticky table update message.

CSCec25848 - Multiple receive tasks running on the SSL module may cause the CSS to reboot.

CSCec26257 - A change has been made to the size of an internal storage array to prevent memory from being overwritten when the CSS tried to insert a Set-Cookie in a response containing ARPT cookies that was going back to a client.

CSCeb26590 - An Administrator-level user will not be able to exit from a TACACS session when the TACACS server is in a down state and command authorization is enabled.

CSCec27236 - File names greater than 36 characters may cause the CSS to reboot.

CSCeb28300 - When you configure the CSS with multiple trap hosts, traps are sent only to the first host in the configuration.

CSCeb29612 - When the CSS tears down a flow, an internal corruption may cause it to reboot.

CSCeb30454 - The show service or show keepalive command could lock the CSS CLI due to a semaphore deadlock condition. If this deadlock condition occurs, it affects only the terminal session issuing the command. However, the condition would also lock out any access to keepalive data, resulting in undesirable behavior, such as failure of keepalives to run on the CSS.

CSCec33255 - Token ring clients fail going through the SSL module.

CSCeb35567 - Incoming UDP traffic that is NATed by an ACL using a source group may not be NATed properly on the return.

CSCec35690 - New vulnerabilities in the OpenSSH implementation for SSH servers have been announced. An affected network device, running an SSH server based on the OpenSSH implementation, may be vulnerable to a Denial of Service (DoS) attack when an exploit script is repeatedly executed against the same device. There are workarounds available to mitigate the effects of these vulnerabilities. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20030917-openssh.shtml.

CSCeb38059 - The CSS loses MAC addresses and cannot allocate MCID, requiring that you reboot the CSS.

CSCeb38555 - The OSPF tag is recognized only for 16 bits.

CSCec38726 - The CSS may reboot when it encounters an unhandled internal message type.

CSCeb42078 - If you create or activate a content rule that contains the URL "/?*", delete the URL, and then recreate or reactivate the URL, the CSS may reboot.

CSCeb42094 - When TACACS is configured to authenticate commands and you issue the script play script command from the command line, the first line of the script does not get played. Because the first line is the only line affected in the script, update the script so that the contents of the first line appear twice.

CSCeb43255 - The MIB variable apSvcName does not order getNext responses lexicographically.

CSCeb43415 - Using ap_file delete to remove a SSL certificate file may corrupt the internal database information.

CSCec43762 - An ACL configured to drop all telnet sessions does not drop telnet sessions to the CSS circuit addresses.

CSCec45165 - New vulnerabilities in the OpenSSL implementation for SSL have been announced. An affected network device running an SSL server based on the OpenSSL implementation may be vulnerable to a Denial of Service (DoS) attack when presented with a malformed certificate by a client. The network device is vulnerable even if it is configured to not authenticate certificates from the client. There are workarounds available to mitigate the effects of these vulnerabilities. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20030930-ssl.shtml.

CSCeb56670 - The CSS may not return an Arrowpoint cookie (ARPT) after the first GET on persistent HTTP/1.1 connections.

CSCeb57374 - When you run a keepalive script that uses the icmp probe command and the target host is unavailable, the CSS may leak resources and eventually hang the console or reboot.

CSCeb57524 - Content rules with URQLs lock up and traffic is dropped if it hits the rule. You must suspend and activate the rule.

CSCeb58032 - OSPF advertise decisions do not function properly.

CSCea58217 - If you configure the CSS with a Layer 5 content rule, it would drop any client packet while the TCP SYN to the server was outstanding. In this case, when the CSS received an HTTP POST, it made the load-balancing decision and sent the TCP SYN to the backend server. If the CSS received another TCP PUSH (the POST data) from the client before the TCP SYN/ACK was received from the server, the CSS would drop the packet.

CSCeb62751 - When configuring the bucket interval for RMON history to one second on a CSS 11500, the output of the show rmon-history command displays a 30-second interval.

CSCea66180 - If you perform an SNMP NEXT on the deprecated apFlowMgrStatSSTable from the flowMgrExt.mib, future SNMP access would fail from both external SNMP agents and the CLI with the error %% Error - cannot obtain SNMP lock.

CSCea66182 - The WebNS device management software cannot be accessed after one to three days of uptime.

CSCea66340 - When running the commit_redundancy or the commit_vip_redundancy scripts, the scripts incorrectly overwrite the radius-server source interface on the remote CSS.

CSCeb66864 - A persistent connection that uses arrowpoint cookies reduces the TCP maximum segment size (MSS) on the server side TCP connection by 250 bytes for each backend remap until the MSS is a negative value.

CSCeb68203 - A CSS may mark a service as dying or down if an HTTP keepalive is used and the HTTP response from the service spans more than one packet.

CSCeb70776 - When the CSS is configured with a Layer 5 content rule and the client performs HTTP POSTs and the data portion of a POST packet starts with "POST TAX", the CSS incorrectly determines this as the start of the new HTTP content request. This situation causes the connection to hang while waiting for the HTTP terminator in a future packet.

CSCeb73456 - When a link transition occurs, the CSS marks the entries associated with that link interface as unreachable. But when the link comes back up, the CSS does not ARP for the entries, so the entries do not come back up.

CSCeb73606 - The CSS reboots when an SSH session is shut down.

CSCeb75507 - Issuing the traceroute command may cause the IPv4 process that handles ICMP responses to hang.

CSCeb75694 - A keepalive packet sent by the CSS for HTTP HEAD non-persistent keepalives does not contain the IP address as a host tag in the packet.

CSCeb76495 - The CSS may reboot when the SSL module processes many small packets.

CSCea76928 - When a service Network Interface Card (NIC) fails over, the CSS may not update service information to reflect the new NIC MAC address.

CSCec77181 - When you use source groups with destination services in conjunction with ASR, fewer portmap entries will be available to provide the client with NAT functionality. For further details, refer to the "Source Group Port Mapping Behavior" section earlier in this release note.

CSCdz79438 - A learned DFP weight does not have precedence over a configured service weight of 0.

CSCeb80090 - If the CSS receives a capp-upd packet on the management port during initialization, it may reboot.

CSCeb82432, CSCec40933 - A backup CSS configured using Adaptive Session Redundancy (ASR) was incorrectly decrementing and incrementing service local connection counters for backup (dormant) flows.

CSCeb84861 - Provides the new string match command. This command determines how the CSS handles a string that contains multiple matches with configured strings on services. Use this command with the advanced-balance cookies|cookiesurl|url command. For details on using this command, refer to the Software Version 7.10.4.05 Command Changes section later in this release note.

CSCea84953 - ACLs that are configured with the prefer servicename option do not prefer the correct service.

Software Version 7.10.4.05 Command Changes

Table 4 lists the commands and options that have been added in software version 7.10.4.05.

Table 4 CLI Commands Added or Changed in Version 7.10.4.05  

Mode
Command and Syntax
Description

Owner-Content

string match specific|first-service-match|first-string-found

The new string match command determines how the CSS handles a string that contains multiple matches with configured strings on services. Use this command with the advanced-balance cookies|cookiesurl|url command.

In this example, the incoming string is grapebananapear. The CSS service configuration is:

service s1 
string pear

service s2 
string grape

service s3 
string banana

The specific keyword matches the most specific string match and is the CSS default behavior. For the CSS, the most specific match is the longest string. In this example, the string match is banana.

The first-service-match keyword allows the CSS to look at each service in the order of its index number. The CSS compares the incoming string to the string configured on each service for a match. In this example, the first-service-match string is pear.

The first-string-found keyword matches the configured string that appears first in the incoming string. In this example, the string match is grape.
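A worked model of the three keyword behaviors on the grapebananapear example above. This is an added illustration, not CSS code; tie-breaking by lowest service index when two strings are equally long, or begin at the same offset, is an assumption the release note does not state.

```python
"""Model of the CSS 'string match' keywords from Table 4 (added example)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Service:
    """A CSS service: its index (configuration order) and configured string."""
    index: int
    name: str
    string: str


def matching_services(incoming: str, services: List[Service]) -> List[Service]:
    """Return every service whose configured string occurs in the incoming string."""
    return [s for s in services if s.string in incoming]


def select_service(incoming: str, services: List[Service], mode: str) -> Optional[Service]:
    """Choose the service the CSS would use for `incoming` under `mode`.

    specific            - the most specific match, i.e. the longest string
                          (CSS default); ties fall to the lowest index (assumption).
    first-service-match - the first matching service in index order.
    first-string-found  - the configured string whose first occurrence starts
                          earliest in the incoming string.
    Returns None when no configured string is present in the incoming string.
    """
    matches = matching_services(incoming, services)
    if not matches:
        return None
    if mode == "specific":
        return min(matches, key=lambda s: (-len(s.string), s.index))
    if mode == "first-service-match":
        return min(matches, key=lambda s: s.index)
    if mode == "first-string-found":
        return min(matches, key=lambda s: (incoming.find(s.string), s.index))
    raise ValueError(f"unknown string match mode: {mode}")


# The service configuration and incoming string from the release note's example.
SERVICES = [
    Service(1, "s1", "pear"),
    Service(2, "s2", "grape"),
    Service(3, "s3", "banana"),
]
INCOMING = "grapebananapear"

if __name__ == "__main__":
    for mode in ("specific", "first-service-match", "first-string-found"):
        chosen = select_service(INCOMING, SERVICES, mode)
        print(f"{mode:20s} -> {chosen.name} ({chosen.string})")
```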

Service

load number

no load

The new load command configures a load on a service and bypasses the CSS load calculation method (relative or absolute). Use this command with the ACA load-balancing method when you want to take into account server load parameters, for example:

CPU utilization

Free memory

Application threads

Other server tasks

You can set the load command value with your application or server using SNMP or the CSS XML interface. For information about ACA, refer to the Cisco Content Services Switch Basic Configuration Guide. For information about SNMP and the XML interface, refer to the Cisco Content Services Switch Administration Guide.


Note Before you can use the load command on a service, you must disable load reporting by entering the no load reporting command in global configuration mode. Do not reenable load reporting. If you do, the load value you entered with the load command will no longer apply to the service. To recover, you must disable load reporting again and reenter the load command on the service at the CLI.


The number variable is the load value that you assign to a service. Services with higher load numbers receive fewer hits than a service with a lower load number. The CSS considers a service with a load of 254 as unavailable, and, therefore, the service receives no hits. Enter an integer from 2 to 254. The default is 2.

Use the no form of the command to reset the load value to the default of 2.


Table 5 lists the commands and options that have been changed in software version 7.10.4.05.

Table 5 CLI Commands Changed in Version 7.10.4.05

Mode
Command and Syntax
Description

Global

dns-server zone load variance number

The number variable range changed from 1 to 254 to 1 to 255. The default value changed from 50 to 255.

Interface and VLAN

bridge priority

The bridge priority command now has the syntax of bridge port-priority. The CSS automatically upgrades your startup-config with the new command name.


Software Version 7.10.3.05 Open Caveats, Resolved Caveats, and Command Changes

The following sections contain the open caveats, resolved caveats, and command changes in software version 7.10.3.05:

Software Version 7.10.3.05 Open Caveats

Software Version 7.10.3.05 Resolved Caveats

Software Version 7.10.3.05 Command Changes

Software Version 7.10.3.05 Open Caveats

The following caveats apply to the CSS 11501, CSS 11503 and the CSS 11506:

CSCdx14704 - If a content rule has all services of type redirect and the load balancing algorithm is balance weightedrr (weighted roundrobin), load balancing is not performed using weighted roundrobin, but instead uses roundrobin as the balancing mechanism. Previously, the only load balancing method that worked on a content rule with only redirect services was roundrobin. Added the ability to use balance weightedrr on this type of content rule as well.

CSCdy01722, CSCdy26214 - When you configure two default routes with different metrics and the default route with the lower metric goes down, flows using the lower-metric route may be torn down and not remapped to the new default route with the higher cost metric.

CSCdy23633 - Do not use the FTP MPUT command in passive mode when the CSS is load-balancing FTP flows.

CSCea60595 - A high SSL traffic load generated by a test tool may cause the CSS to reboot.

CSCea76800 - Traffic destined for the SSL module is bridged through the CSS when flows are torn down.

CSCea76806 - Suspending services causes SSL traffic from the SSL module to incur delays of 2 to 3 seconds.

CSCeb29602 - The SNMPv1 version of chassisMgrExt.mib and apent.mib may not load correctly in some network management systems.

CSCeb38059 - The CSS loses MAC addresses and cannot allocate a multicast identifier (MCID), requiring that you reboot the CSS.

CSCeb42094 - When TACACS is configured to authenticate commands and you issue the script play script command from the command line, the first line of the script does not get played. Because the first line is the only line affected in the script, update the script so that the contents of the first line appears twice.

CSCeb57524 - Content rules with URQLs lock up and traffic is dropped if it hits the rule. You must suspend and activate the rule.

CSCeb58032 - OSPF advertise decisions do not function properly.

CSCeb63212 - When the CSS is running VIP interface redundancy with trunking, VIPs become unreachable from a directly-connected client.

CSCeb63876 - On a CSS 11500, you cannot bridge an interface to a VLAN and also include that VLAN in an 802.1q trunk to a Catalyst 4000 switch.

CSCeb64385 - In a complex and unusual trunking configuration, the CSS only load balances to one server.

Software Version 7.10.3.05 Resolved Caveats

The following caveats were resolved in software version 7.10.3.05:

CSCdy42703 - If certain SSH clients shut down the connection to the CSS in an ungraceful manner, it was possible for the CSS to fail to clean up the SSH session internally. Over time, this failure to clean up the session would prevent any future SSH connections to the CSS and only a reboot would clear it.

CSCdy58374 - When you configure a content rule with advanced-balance sticky and sticky-no-cookie-found-action redirect or sticky-no-cookie-found-action service with the service type redirect, the CSS does not properly redirect the connection.

CSCdz05912 - Under conditions when APP sessions go up and down rapidly, a race condition may occur that leads to file descriptor reuse causing the CSS to reboot.

CSCdz67389 - If you configure an HTTP keepalive without a keepalive hash value, the service does not come up until the keepalive frequency transpires. For example, if you configure the keepalive with a frequency of 60 seconds, the keepalive does not come alive for 60 seconds. The keepalive now comes alive immediately upon activation.

CSCea08822 - The CSS does not properly update the ARP entry for a network device that is one hop away from the CSS.

CSCea14544 - Removing and reinstalling a flash disk from a running CSS may cause the CSS to reboot.

CSCea25791, CSCea55785 - An encrypted password greater than 40 characters in length causes the console to hang.

CSCea40912 - When you configure a service with a scripted keepalive on a CSS, occasionally the service goes down and does not return to the Alive state. The scripted keepalive task is unresponsive and no further scripted keepalive activity will run for the service.

CSCea42665 - The CSS rebooted and core dumped because of a one-bit corruption in a data structure. The code modification checks for this specific corruption, repairs it, and logs a hexadecimal backtrace to the Syssoft facility at the Warning 4 level.

CSCea45981 - When source groups are in use, the CSS may choose a source port other than port 20 for an incoming FTP data connection. This causes problems for clients and firewalls expecting a data connection to be sourced from port 20.

CSCea51311 - If you configure a CSS with a Layer 5 content rule with a URL of the form /%xx* and then remove the rule from the configuration at a later time, the CSS does not completely clean up the rule-matching tree, which may cause the CSS to reboot.

CSCea51848 - SSL files stored on the CSS with a password may be removed with an invalid password. If you enter an invalid password that contains the first character of the valid password, the CSS successfully exports the file.

CSCea53236 - On a persistent connection, if a subsequent GET request matches a 302 redirect content rule, the server-side connection is not torn down.

CSCea58217, CSCeb66320 - If you configure the CSS with a Layer 5 content rule, it would drop any client packet while the TCP SYN to the server was outstanding. In this case, when the CSS received an HTTP POST, it made the load-balancing decision and sent the TCP SYN to the backend server. If the CSS received another TCP PUSH (the POST data) from the client before the TCP SYN/ACK was received from the server, the CSS would drop the packet.

CSCea61351 - A CSS was configured with an SSL module and ran a stress test that consumed the CSS buffer resources. Some of the SSL-related commands, for example, show ssl statistics, may cause the CSS to reboot if a buffer could not be obtained.

CSCea62888 - A CSS configured with an SSL module was upgraded to R7.20 and rebooted while processing an SSL session. Protection code was added to prevent the CSS from rebooting when the data buffer is NULL. In addition, a counter was added to the debug mode version of the show ssl stat ssl command to indicate that this condition has been observed.

CSCea68508 - When you configure the CSS for Secure FTP (SFTP), the CSS may reboot if the CSS is accessed with SFTP when the connection closes abnormally.

CSCea69508 - If you configure a CSS as a primary and secondary RADIUS server and an SNMP agent issued an SNMP NEXT through the apRadiusClientExtServerEntry table, the poll would fail. All subsequent access to the SNMP database also fails. For example, entering the show running-config command would result in a Cannot obtain SNMP lock error message.

CSCea74866 - When using the more command for some screen display options, a data structure overflows and causes the display task to suspend and the CSS to reboot.

CSCea77132 - Using the show flows command during heavy remap traffic may cause the console to hang.

CSCea77466 - The global configuration dnsflow disable command did not work properly if the services defined in the DNS content rule were of type transparent-cache.

CSCea81030 - When you configure a CSS 11500 with an SSL Accelerator module, the module responds to a client request from an IP address x.x.x.224 with a Time to Live (TTL) of 2 rather than 254. The low TTL value could cause the packet to be dropped within the network. The module incorrectly detects the last octet of 224 as a multicast address.

CSCea82617 - Excessive amounts of ASR traffic causes the CSS to reboot.

CSCea85836 - The CSS uses an internal table structure called "CII", and these tables can be dynamically modified in size during CSS operations. An edge condition may cause the CSS to reboot if two applications tried to access the table and modify the size simultaneously. The reboot is not caused as the result of any user action or traffic pattern.

CSCea89042 - When you configure the CSS with the global ip uncond-bridging command, the CSS does not use the routing lookup results. In certain edge cases, the CSS could use the wrong destination MAC address from the routing lookup rather than the original MAC and this is incorrect.

CSCea89474 - When you configure the CSS with CDP, if the CDP packet sent to the switch driver fails, the CSS could reboot because both CDP and the switch driver error handler would free the CDP packet.

CSCea89934 - The ssl-server num tcp virtual nagle disable command has no effect. The nagle algorithm remains enabled.

CSCea90537 - On a CSS configured with a Layer 5 content rule, an HTTP content request spans greater than 4 packets and is in the process of being sent to the backend server. The request timed out after 3 seconds because no response was received from the server. In this case, the CSS could reboot if the Flow Manager transmit handler failed to find the content request by network tuple in the flow table.

CSCea90603 - If you configure a CSS for VIP Interface Redundancy and scripted keepalives, when you run the commit_vip_redundancy script on the master CSS, the scripted keepalives on the backup CSS may end up in the DOWN state. The show service screen displays Script Error: None (suspended).

CSCea93122 - If you configure the IP address on the management port to 0.0.0.0, on reboot, the CSS removes the IP address from the show boot display. However, the commit_redundancy and commit_vip_redundancy scripts check for the APP sessions between the peers over the management port and expect to find an IP address. If not, the scripts fail.

CSCeb01623 - The CSS does not fail over to the DNS secondary server if the DNS primary server is unable to resolve a hostname. The dns primary command pings the DNS server to see if the device is alive. However, the command does not resolve a hostname to see if the DNS service is alive. Thus, when the CSS can ping the DNS primary server, but it cannot resolve a hostname, it never fails over to the DNS secondary server. Now the CSS queries each configured server IP address (even if DNS name server is not operational on that device) until two attempts have been made for each server, or one of the servers responds with an answer or a DNS error.

CSCeb02395 - When you configure CSS services with the max connections command and Layer 5 content rules using advanced-balance arrowpoint-cookies, on a persistent connection, the CSS checks the service max connection value for each HTTP GET from the client. The CSS should perform the max connection check for the first non-persistent HTTP GET and only again if the physical server changes.

CSCeb04691 - In some cases, the CSS would reboot when a SSH client connected into the CSS. The problem involved timing within the SSH task-to-task communication. The intertask communication method has been modified so the timing is no longer an issue.

CSCeb05819 - A CSS configured for SSL termination required a new CLI command ssl-server 1 unclean-shutdown as a workaround for a Microsoft IE bug. The browser attempts to continue to use SSL keepalive connections that the CSS SSL module and real physical server have closed due to the inactivity timer expiring. Configuring the new unclean-shutdown command causes the SSL module not to send the Close Notify alert. Then IE can choose a new connection for the next HTTP request.

CSCeb08366 - If you configure the CSS with advanced-balance url or advanced-balance cookieurl, the string-range parameter had no effect.

CSCeb09145 - If you configure the CSS with an ACL clause with a preferred service, the CSS incorrectly does not apply the ACL clause with a preferred service to ICMP ECHO REPLY packets.

CSCeb11201 - If you configure the CSS for OSPF and the CSS is running a previous code enhancement (CSCdz86426), OSPF advertises the virtual IP address based on the state of the underlying services. Unfortunately, this enhancement may cause OSPF to advertise the backup VIP address, which is incorrect.

CSCeb11295 - Activating a source group with the same VIP address as a suspended source group causes the CSS to reboot.

CSCeb12985 - If you configure the CSS with a global idle timeout and a SSHv1 or SSHv2 session is disconnected due to the idle timeout, the CSS may not clean up the SSH session properly. Over time, this failure to clean up the session could prevent any future SSH connections to the CSS and only a reboot would clear the session.

CSCeb15342 - Issuing the ip opportunistic disable command when running keepalive type script ap-kal-ssl causes the service to fail into the DOWN state. When TACACS+ is enabled, issuing the ip opportunistic disable command delays CLI commands.

CSCeb15716 - When initializing APP, which uses socket record structures, the CSS may reboot under certain configuration timing circumstances due to a race condition in the allocation and free routines that manipulate the record structures.

CSCeb16881 - When the CSS experiences an NVRAM failure and you reboot the CSS into OffDM to reconfigure the administrative username and password, the configuration fails because of the NVRAM failure. The CSS will not display an error message.

CSCeb16889 - Logging messages at NETMAN facility, level Warning 4 now appear if the CSS could not read the administrative username or password from NVRAM.

CSCeb20895 - When you configure CSS to TACACS authentication, the TACACS accounting report sent by the CSS had an incorrect attribute field. The CSS sent task=<integer> rather than task_id=<integer>. This was inconsistent with IOS and could cause server issues.

CSCeb21318 - If you manually suspend a service that is running a scripted keepalive when the script is active, the service remains in a down state after you reactivate it.

CSCeb25508 - If you configure the CSS with a Layer 5 content rule and no persistent and persistent reset remap on a persistent connection, backend remapping can occur when it should not.

CSCeb26592 - If you configure the CSS with source groups and the CSS sends the source group statistics to the SCM for processing, the sending routine returns an error status and the CSS would reboot when freeing the statistics buffer.

CSCeb30454 - The show keepalive command may lock the CSS CLI due to a semaphore deadlock condition. If this deadlock condition occurs, it affects only the terminal session issuing the command. However, the condition would also lock out any access to keepalive data resulting in undesirable behavior, such as failure of keepalives to run on the CSS.

CSCeb43881 - The CSS runs out of buffers in the buffer pools during periods of heavy network traffic.

CSCeb52250 - The SSL module stops responding to traffic requiring you to reboot the CSS.

Software Version 7.10.3.05 Command Changes

Table 6 lists the commands and options that have been added in software version 7.10.3.05.

Table 6 CLI Commands Added or Changed in Version 7.10.3.05

Mode
Command and Syntax
Description

Global

dns-record a|ns dns_name ip_address {ttl_value {single|multiple {kal-ap-vip {ip_address2}}}}

The kal-ap-vip option for the dns-record command allows a CSS client to query a local or remote CSS agent for load information for a VIP configured on multiple content rules. For details, see "Configuring kal-ap-vip" later in this document.

tacacs-server ip_address port {timeout ["cleartext_key"|des_key]} {primary} {frequency number}

The frequency number option for the tacacs-server command allows you to set the keepalive frequency for the specified TACACS+ server. The default number variable is 5 seconds. The range for the variable is 0 to 255. A setting of 0 disables keepalives.

Defining this option overrides the tacacs-server frequency command.

tacacs-server frequency number

no tacacs-server frequency number

The frequency number option for the tacacs-server command allows you to set the global keepalive frequency for all TACACS+ servers. The default number variable is 5 seconds. The range for the variable is 0 to 255. A setting of 0 disables keepalives.

When you configure the keepalive frequency when specifying a TACACS+ server, the server keepalive frequency overrides the global keepalive frequency.

The no form of the command resets the global keepalive frequency to 5 seconds.

SSL-proxy

ssl-server number unclean-shutdown

no ssl-server number unclean-shutdown

The unclean-shutdown option for the ssl-server command instructs the CSS to send only a TCP FIN message to terminate a client connection. The CSS does not send a Close-Notify message to close a client connection.

Normally, the Close-Notify message is the SSL message to terminate a connection without an error. However, some versions of MSIE browsers do not close the connection upon receiving the Close-Notify message. The browser may attempt to reuse the connection even though it appears to be closed to the CSS. Because the CSS cannot reply to a new request on this connection, the browser may display an error.

The no version of this command resets the default behavior of having the CSS send both Close-Notify and TCP FIN messages to close the client connection.


Table 7 lists the commands and options that have been removed in software version 7.10.3.05.

Table 7 CLI Commands Removed in Version 7.10.3.05

Mode
Command and Syntax
Description

SSL-proxy

ssl-server number tcp virtual nagle
no ssl-server number tcp virtual nagle

This command has been removed.


Configuring kal-ap-vip

The kal-ap-vip option of the dns-record command extends the functionality of kal-ap (the CSS keepalive that uses domain names configured on a single content rule) by providing load and status responses to queries for virtual IP (VIP) addresses configured on multiple content rules. This feature allows greater flexibility and accuracy of load and status reports for multiple content rules that are configured with the same VIP. This feature also eliminates the need for configuring domain names on a CSS that is responding to kal-ap-vip queries only and is not running a local DNS server.

Overview

In a manner similar to kal-ap, kal-ap-vip has two main components:

Client

Agent

A client is a CSS that requests load and status information for a VIP from an agent. You configure a client to generate queries using the dns-record command. For details, see the "Configuring a kal-ap-vip Client" section later in this document.

An agent is a CSS that responds to client queries with load and status reports for the requested VIPs. A kal-ap-vip agent can handle and respond to queries from local or remote CSSs (including itself) and other supported devices. No additional configuration is required for the agent.

To best service requests for a domain when a CSS makes GSLB decisions, a CSS may need to consider the keepalive status and load information of all content rules sharing the same VIP. Often, a kal-ap-vip configuration has at least two content rules to handle domain traffic: one for port 80 (TCP) and one for port 443 (SSL). The load reported by the agent is the average load of all the content rules that share the same VIP, unless a content rule is suspended.

In order for a kal-ap-vip agent to return a load value from 2 to 254 (indicating an Alive status) for a requested VIP, at least one service must be Up on each content rule sharing the requested VIP. For a requested VIP, if all services configured on one content rule are Down, or if one content rule is suspended, the agent reports a load of 255, indicating that the VIP is unavailable.
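A model of the load an agent reports for a requested VIP under the rules just described, added here as an illustration (not CSS code). The per-rule load values are taken as given input, and the integer rounding of the average and the clamp to the 2 to 254 Alive range are assumptions.

```python
"""Model of kal-ap-vip agent load reporting for a VIP (added example)."""
from dataclasses import dataclass, field
from typing import List

VIP_UNAVAILABLE = 255          # reported when the VIP cannot take traffic
LOAD_MIN, LOAD_MAX = 2, 254    # range that indicates Alive status


@dataclass
class Service:
    name: str
    alive: bool


@dataclass
class ContentRule:
    name: str
    vip: str
    load: int                  # this rule's load as seen by the agent (assumed input)
    suspended: bool = False
    services: List[Service] = field(default_factory=list)

    def has_service_up(self) -> bool:
        return any(s.alive for s in self.services)


def kal_ap_vip_load(vip: str, rules: List[ContentRule]) -> int:
    """Return the load a kal-ap-vip agent reports for `vip`.

    255 if any content rule sharing the VIP is suspended or has no Up service
    (or no rule carries the VIP at all, an assumption); otherwise the average
    load of all rules sharing the VIP, clamped to the Alive range 2..254.
    """
    sharing = [r for r in rules if r.vip == vip]
    if not sharing:
        return VIP_UNAVAILABLE
    for rule in sharing:
        if rule.suspended or not rule.has_service_up():
            return VIP_UNAVAILABLE
    average = round(sum(r.load for r in sharing) / len(sharing))
    return max(LOAD_MIN, min(LOAD_MAX, average))


def example_rules() -> List[ContentRule]:
    """Constructed sample: the typical port 80 / port 443 pair sharing one VIP."""
    return [
        ContentRule("web-http", "192.0.2.10", load=10,
                    services=[Service("srv1", True), Service("srv2", False)]),
        ContentRule("web-https", "192.0.2.10", load=30,
                    services=[Service("srv1", True)]),
    ]


if __name__ == "__main__":
    rules = example_rules()
    print("both rules healthy:", kal_ap_vip_load("192.0.2.10", rules))   # 20
    rules[1].suspended = True
    print("https rule suspended:", kal_ap_vip_load("192.0.2.10", rules))  # 255
```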

Configuration Requirements

Kal-ap-vip requires that you configure the following:

Application Peering Protocol-User Datagram Protocol (APP-UDP) - Used to transmit kal-ap-vip datagrams. (For information on configuring APP-UDP, refer to the Cisco Content Services Switch Advanced Configuration Guide.) The datagrams can contain a mix of both kal-ap (by domain or tag) and kal-ap-vip requests.

dns-record command with the kal-ap-vip option - Used to configure a kal-ap-vip client. See the following "Configuring a kal-ap-vip Client" section.


Note You can configure kal-ap-vip and kal-ap on the same CSS. If you configure kal-ap on a CSS, you must also configure the add dns command with the appropriate domain names on the CSS acting as an agent. The agent will respond with the load information for a VIP and/or a domain, as appropriate. For information on the add dns command, refer to the Cisco Content Services Switch Advanced Configuration Guide.


Configuring a kal-ap-vip Client

To configure a kal-ap-vip client on a CSS to allow the CSS to query a kal-ap-vip agent for keepalive information on multiple content rules, use the kal-ap-vip option of the dns-record command.

The syntax for this global configuration command is:

dns-record a|ns dns_name ip_address {ttl_value {single|multiple {kal-ap-vip {ip_address2}}}}

The options and variables for this global configuration mode command are:

a|ns - Indicates a request for an address record (a) or a name server record (ns).

dns_name - Domain name mapped to the address record or name server record. Enter the name as a lowercase unquoted text string with no spaces and a maximum of 63 characters.

ip_address - IP address bound to the domain name within the DNS server zone. Enter the address in dotted-decimal notation (for example, 172.16.6.7). This is the VIP for which a CSS client sends a kal-ap-vip request to itself or another CSS agent for load information.

ttl_value - Optional Time to Live (TTL) value, in seconds. This value determines how long the DNS client remembers the IP address response to the query. Enter a value from 0 to 65535. The default is 0.

single|multiple - Optional number of records to return in a DNS response message. By default, the DNS server returns a single A-record. Specifying single returns one A- or NS-record. Specifying multiple returns two A- or NS-records.

kal-ap-vip - Optional CSS keepalive message type keyword used by a CSS client to request load information for the VIP specified in the ip_address value from the CSS agent specified in the ip_address2 value. Use this option to allow a CSS client to query a local or remote CSS agent for load information for a VIP configured on multiple content rules.

ip_address2 - IP address of the local or remote CSS agent interface receiving CSS keepalive messages. If you omit this address while the keepalive type is specified, the CSS uses the DNS IP address to complete keepalive messaging.

For example:

(config)# dns-record a www.work.com 192.168.12.7 10 single kal-ap-vip 172.16.25.3

For details on the other dns-record command options and variables, refer to the Cisco Content Services Switch Advanced Configuration Guide.
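A parser for the dns-record syntax given above, as an added example written for this page (not CSS code). It checks each token against the limits the page documents (a|ns, a lowercase unquoted dns_name of at most 63 characters, dotted-decimal addresses, a TTL from 0 to 65535, single|multiple, the kal-ap-vip keyword) and resolves which agent a kal-ap-vip client will query, falling back to the DNS IP address when ip_address2 is omitted. The DnsRecord class and function names are this example's own; the leading "(config)#" prompt is tolerated only so the page's example line can be fed in as printed.

```python
# Added example (not CSS code): validate a dns-record line against the
# documented syntax and work out which agent a kal-ap-vip client will query.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

USAGE = "dns-record a|ns dns_name ip_address {ttl_value {single|multiple {kal-ap-vip {ip_address2}}}}"


@dataclass
class DnsRecord:
    rtype: str                     # "a" or "ns"
    dns_name: str
    ip_address: str                # the VIP the client asks about
    ttl: int = 0                   # default TTL per the page
    multiple: bool = False         # single (default) or multiple records
    kal_ap_vip: bool = False
    agent_ip: Optional[str] = None  # where kal-ap-vip queries are sent


def _ipv4(text: str, what: str) -> str:
    """Accept only dotted-decimal IPv4, as the page requires."""
    try:
        ipaddress.IPv4Address(text)
    except ValueError as exc:
        raise ValueError(f"{what}: not a dotted-decimal IPv4 address: {text!r}") from exc
    return text


def parse_dns_record(line: str) -> DnsRecord:
    tokens: List[str] = line.split()
    # Tolerate a leading CLI prompt such as "(config)#" as printed on the page.
    if "dns-record" not in tokens:
        raise ValueError("not a dns-record command; " + USAGE)
    tokens = tokens[tokens.index("dns-record") + 1:]
    if len(tokens) < 3:
        raise ValueError("usage: " + USAGE)

    rtype, dns_name, ip_address = tokens[0], tokens[1], tokens[2]
    if rtype not in ("a", "ns"):
        raise ValueError(f"record type must be a or ns, got {rtype!r}")
    # lowercase, unquoted, no spaces (split() already rules out spaces), max 63 chars
    if not dns_name or len(dns_name) > 63 or dns_name != dns_name.lower() or '"' in dns_name:
        raise ValueError(f"dns_name must be lowercase, unquoted, at most 63 characters: {dns_name!r}")
    rec = DnsRecord(rtype, dns_name, _ipv4(ip_address, "ip_address"))

    rest = tokens[3:]
    if rest:
        ttl = int(rest.pop(0))          # non-numeric text raises ValueError here
        if not 0 <= ttl <= 65535:
            raise ValueError(f"ttl_value must be 0..65535, got {ttl}")
        rec.ttl = ttl
    if rest:
        count = rest.pop(0)
        if count not in ("single", "multiple"):
            raise ValueError(f"expected single|multiple, got {count!r}")
        rec.multiple = count == "multiple"
    if rest:
        if rest.pop(0) != "kal-ap-vip":
            raise ValueError("expected the kal-ap-vip keyword")
        rec.kal_ap_vip = True
        # With ip_address2 omitted, the CSS uses the DNS IP address itself.
        rec.agent_ip = _ipv4(rest.pop(0) if rest else rec.ip_address, "ip_address2")
    if rest:
        raise ValueError(f"unexpected trailing tokens: {rest}")
    return rec


def is_valid_dns_record(line: str) -> bool:
    """Convenience wrapper: True when the line parses cleanly."""
    try:
        parse_dns_record(line)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(parse_dns_record("(config)# dns-record a www.work.com 192.168.12.7 10 single kal-ap-vip 172.16.25.3"))
```

Because the optional fields are positional, the parser only accepts kal-ap-vip after both a TTL and single|multiple have been given, which mirrors the nested braces in the syntax line; a record written as dns-record a name vip kal-ap-vip would be rejected rather than silently treated as a TTL.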

Software Version 7.10.2.06 Open Caveats, Resolved Caveats, and Command Changes

The following sections contain the open caveats, resolved caveats, and command changes in software version 7.10.2.06:

Software Version 7.10.2.06 Open Caveats

Software Version 7.10.2.06 Resolved Caveats

Software Version 7.10.2.06 Command Changes

Software Version 7.10.2.06 Open Caveats

The following caveats apply to the CSS 11501, CSS 11503 and the CSS 11506:

CSCdx14704 - If a content rule has all services of type redirect and the load balancing method is weighted roundrobin, the CSS load-balances services using roundrobin instead of weighted roundrobin.

CSCdx54346 - When a large number of clients send SSL requests across a slow network, the requests may use a disproportionate amount of memory, causing the SSL module to reset subsequent connections. To determine if this is occurring:

a. Enter the show system command and look for available memory in the SSL module to be less than 50 MB.

b. Enter the show dos summary command and look for increasing amounts of DoS attacks from the SSL VIP.

CSCdy01722, CSCdy26214 - When two default routes are configured with different metrics and the default route with the lower metric goes down, flows using the lower-metric route may be torn down and not remapped to the new default route with the higher cost metric.

CSCdz22090 - When using the show flows command while processing traffic, the CSS falsely increments DOS SYN attack counters, which indicate a Denial of Service attack. To prevent this from occurring, disable the More function by pressing Esc-M at the CLI prompt.

CSCea14544 - Removing and reinstalling a flash disk from a running CSS may cause the CSS to reboot.

CSCea25791, CSCea55785 - An encrypted password greater than 40 characters in length causes the console to hang.

CSCea47506 - When the CSS is dynamically configured with a lower bridge priority than the root bridge, the CSS does not become the root bridge. If the CSS is rebooted with the lower bridge priority in the startup-config, the CSS becomes the root bridge.

CSCea51848 - SSL files stored on the CSS with a password may be removed with an invalid password. If you enter an invalid password that contains the first character of the valid password, the CSS successfully exports the file.

CSCea60595 - A high SSL traffic load generated by a test tool may cause the CSS to reboot.

CSCea76800 - Traffic destined for the SSL module is bridged through the CSS when flows are torn down.

CSCea76806 - Suspending services causes SSL traffic from the SSL module to incur delays of 2 to 3 seconds.

CSCea77132 - Using the show flows command during heavy remap traffic may cause the console to hang.

Software Version 7.10.2.06 Resolved Caveats

The following caveats were resolved in software version 7.10.2.06:

CSCdw63447 - A large configuration that contains many DQL domain name entries may take a long time to load at bootup on an 11500 series CSS.

CSCdy46189 - The CSS forwards packets to the wrong MAC address after receiving gratuitous ARPs.

CSCdy70914 - If the CSS does not receive an ARP response, it may continue to send ARP requests instead of marking the host as unreachable.

CSCdz02856 - The CSS may not properly redirect a service when you configure a redirect service in a Layer 5 content rule.

CSCdz40523 - UDP packets sent through a source group may result in the CSS generating an ARP request for the VIP of the source group IP address.

CSCdz41611 - When you set up box-to-box redundancy with a single interface configured using the redundant-phy command and then enter the admin-shutdown command on that interface (port), the interface shuts down but the priority does not change. This prevents the master CSS from failing over.

CSCdz49051 - When you configure keepalive type http and set the frequency to a value greater than 17 seconds and the server does not respond within 17 seconds, the CSS sends a RST packet on the keepalive session and the service goes down.

CSCdz49372 - The CSS may reboot when sending TCP RST/SYN packets if a Layer 3 or Layer 4 rule took precedence over an existing Layer 5 connection that is being backend remapped.

CSCdz55950 - If the CSS has only the Standard feature set installed, you cannot use the WebNS Device Management software to configure the DNS balance field.

CSCdz59778 - When communicating to a CSS 11500 over an SSH connection, it was possible for the CSS to reboot when the connection was closed.

CSCdz62499 - The CSS incorrectly responds to a DNS type AAAA query with a "name error" whether or not an A-record for the name exists. Now, if an A-record is configured, the CSS responds with a "not implemented" error. If no A-record exists, the CSS still responds with the "name error" as before. These errors also apply to other DNS record types that the CSS does not support.

CSCdz71863 - The SCM stops functioning when running a certificate generation test due to buffer depletion.

CSCdz74987 - Repeatedly establishing and terminating an APP (Application Peering Protocol) session between two CSSs causes a memory leak that may result in a low memory condition and cause the CSS to reboot.

CSCdz76578 - The commit redundancy script fails when the acl enable command is located before the bridging commands in the startup-config.

CSCdz79022 - If you issued the show dns-record keepalive command when there were nine or more configured records, the ninth record that was displayed was always corrupted when you turned on the -more- option.

CSCdz81812 - The Total Connections counter in the show service command display may not increment correctly.

CSCdz82243 - File descriptor usage on the CSS 11506 has been improved.

CSCdz85122 - TCP keepalives may fail on redundant CSSs. Other keepalive types work correctly.

CSCdz87014 - The CSS incorrectly routes keepalives, which causes keepalives to fail and services to be brought down.

CSCdz88357 - When running the commit_vip_redundancy script, the global portmap command from the local CSS is copied over to the remote CSS.

CSCdz88580 - When you configure a source group on the CSS and a server configured in the source group attempts to communicate with a device over the network or on the Internet and that device does not have its port open, the device will return a RST/ACK in response to the server's TCP SYN. The CSS will discard the RST/ACK response because it will not be able to identify the port from which the corresponding SYN/ACK returned.

CSCdz89703 - The OSPF router IDs of two CSSs in a VIP interface redundancy configuration are usually unique. When running the commit_redundancy script, the CSS incorrectly copied the OSPF router ID of the local CSS to the remote CSS.

CSCdz89958 - When using the -n option on an SSH session initiated to the CSS, all management connections to the CSS stop responding.

CSCea03373 - During back end SSL performance testing, the SSL module stopped functioning during an assertion failure due to a buffer overflow.

CSCea06097 - When running the commit_vip_redundancy script in a VIP interface redundancy configuration, the CSS was incorrectly copying the SNMP name of the local CSS to the remote CSS.

CSCea08548 - If you use the advanced-balance method in a content rule with a service configured using the max connections command, and an incoming content request is stuck to a service that has exceeded its maximum connections, the CSS sends a TCP RST to the client. The CSS should instead load-balance the incoming request again and choose a new local service or a sorry service, if available.

CSCea08875 - The CSS does not correctly match a Layer 5 content rule that contains a % (percent sign) in the URL of the GET message.

CSCea10851 - The functions of the CSS primary authentication methods of local, radius, tacacs are not consistent with the Cisco IOS methods.

CSCea11300 - The persistence reset remap command does not work correctly for SSL flows.

CSCea12013 - The CSS incorrectly sends an ARP request for its own VIP address when a non-flow-setup packet type (for example, SNMP, NetBIOS, BOOTP, RIP) is sent to the CSS VIP address.

CSCea14336 - The CSS does not properly pass an HTTP POST larger than 11750 bytes to a server when using the SSL module in the CSS.

CSCea14394 - When you configure the CSS for box-to-box redundancy and enter the show running-config command after running the commit_redundancy script, the CSS may display the following message: %%Error - cannot obtain SNMP lock.

CSCea14511 - In a CSS box-to-box redundant configuration, the backup CSS may stop authenticating logins (including logins on the console port) and eventually reboot.

CSCea16040 - If you activate a content rule that has either port 21 or application ftp-control configured and one of the services is type transparent-cache, the CSS displays the following error:
"Ftp-control/port 21 is not supported with transparent cache service."
If the service type is configured as transparent-cache and the service is configured in a content rule that has either port 21 or application ftp-control configured, the CSS displays the following error:
"Can't change type to transparent-cache if attached to an ftp rule."

CSCea16602 - Several debug commands were sending internal module messages to non-existent slots causing the CSS to reboot.

CSCea19865 - Unnecessary latencies in SSL connection setup may result in a 150 ms delay on each SSL connection through the CSS.

CSCea21751 - The SSL module stops functioning when it runs a script due to closing a bad file descriptor.

CSCea23674, CSCea43956 - If a configuration contains a Layer 5 wildcard content rule (for example, /*) using a header-field-rule and a less-specific content rule, the CSS may match on the less-specific content rule and select the wrong server.

CSCea24798 - You cannot dynamically modify the VIP address on an active content rule; if you try, the CSS displays the following message: "Operation may not be performed on active content rule."

CSCea25871 - If a content header tag that spans two packets is empty, the temporary internal buffer created to track it is not cleared correctly, which causes the CSS to reboot.

CSCea27010 - The CSS does not increment the SSL Alert counters in the show ssl statistics command display.

CSCea28341 - If a running-config file has more than one active content rule that uses header-field groups that are using the same header-field, suspending one of the active content rules has an adverse effect on the remaining active content rules using the same header-field.

CSCea28717 - The CSS incorrectly performs Network Address Translation (NAT) on the TCP port of a Remote Shell (RSH) connection through the CSS, causing the RSH session to fail.

CSCea33647 - The trap log agent task uses too much CPU, causing telnet and console access to hang.

CSCea36431 - When you execute the script play flowinfo command, your telnet or console session is disconnected.

CSCea36989 - When the CSS receives a DNS request for an A record that is configured, it responds with either return code 4 "not implemented" or return code 3 "NXDOMAIN". These two responses may be cached by various D-proxies, which may lead to temporary DNS outages. The CSS now returns an RFC 2308 NODATA type 3 response, which is an authoritative answer with rcode=NOERROR, answer=0, the AA bit set, and no SOA. This response causes the client to query for another A record.

CSCea38004 - A remote CSS in a VIP interface redundancy setup with a large configuration (for example, greater than 100K) may become unresponsive to console and telnet access. This issue causes an APP session to go down when running the commit_vip_redundancy script.

CSCea39652 - A flood of SNMP traps and remote log messages is sent out while the commit redundancy script is executing.

CSCea40178 - The CSS reboots when it receives a bad type 3 Link State Advertisement (LSA) from an area border router running OSPF and moves the LSA from the database to the routing table.

CSCea43800 - The SSL module may not function properly when running under a high load.

CSCea44844 - When using an SSL module, if no data needs to be transmitted on a TCP retransmission timeout in TCP states FIN_WAIT or LAST_ACK, the CSS sends a FIN without an ACK. The CSS should send an ACK with the FIN.

CSCea45106 - Using the SNMP variables apChassisMgrExtSubModulesSsCardType and apChassisMgrExtSubModuleSsCardOpStatus to inventory the CSS chassis may return conflicting data because these variables have been obsoleted. Use the apChassisMgrExtSubModuleOpStatus variable to inventory the chassis.

CSCea47506 - When the CSS is dynamically configured with a lower bridge priority than the root bridge, the CSS does not become the root bridge. If the CSS is rebooted with the lower bridge priority in the startup-config, the CSS becomes the root bridge.

CSCea48629 - If a CSS (configured with Layer 5 content rules with and without header-field-rules) receives an HTTP GET that exactly matches the URL string configured on a Layer 5 rule but does not match the header-field configured on that rule, the CSS rejects the connection and does not match one of the other rules.

CSCea48736 - If the Fastpath did not have the proper Flow Control Block (FCB) mapping for a connection, the terminating TCP FIN or RST packet would be NATed and forwarded by the flow manager application. The flow manager also needs to unmap the flow so that FCBs and source group portmap entries, if in use, do not build up over time.

CSCea53247 - If you configure a content rule with a sticky-no-cookie-found-action service, but do not define the service with a valid service name and the service is used when no cookie was found in the HTTP request, the CSS reboots.

CSCea71293 - If the CSS 11501 received an ICMP Echo Request and the CSS had not learned the destination MAC address for the packet, the CSS sends the packet back out the originating port. This action could result in a flood of ICMPs being transmitted by the CSS.

CSCea75858 - After you upgrade a CSS from R5.10 to R7.10, you could not activate a service with type redirect and keepalive type none without configuring an IP address.

CSCea88415 - When the CSS boots up, SNMP is enabled by default unless you configure the restrict snmp command (the default is no restrict snmp). The CSS would allow read-only access with an SNMP community string of "null" (not configured), which was incorrect. You must configure an SNMP community string, and the SNMP management station must use the preconfigured SNMP community string for SNMP access to the CSS.

CSCea60671 - When the CSS is configured with Layer 5 rules and the first HTTP request is not properly terminated, the CSS detects this request as a spanned content request. The content request is retransmitted with the original payload in addition to more data. If both the original packet and the retransmission are processed in the same content vector (that is, they arrived at the CSS simultaneously), the CSS frees the buffer that contained the original content request, but does not clear it from the vector. Then the CSS reboots.

CSCeb09364 - The CSS reboots when attempting to send a Denial of Service SNMP trap. The workaround is to remove the Denial of Service trap from the configuration.

CSCeb12562, CSCeb12602, CSCeb12567 - Under extremely heavy load, the FlowMgrMgmtTask may stop working due to corruption of an internal message. This may cause the CSS to run out of message buffers, which results in the CSS rebooting. As a workaround, reduce heavy traffic load.

Software Version 7.10.2.06 Command Changes

Table 8 lists the commands and options that have been added or changed in software version 7.10.2.06.

Table 8 CLI Commands Added or Changed in Version 7.10.2.06 

Mode
Command and Syntax
Description

Global

logging host ip_or_host facility number log-level level

The log-level level options for the logging host command were changed to be consistent with the levels for the logging subsystem command. The valid levels for this command are:

alert-1, critical-2, error-3, warning-4, notice-5, info-6, debug-7

Also, the default log level was changed from 7 to warning-4.

commit_vip_redundancy -nolog -notrap

The -nolog option reduces the number of log messages that the CSS sends to the configured log host during the script.

The -notrap option reduces the number of traps that the CSS sends to the configured trap host during the script.

Boot

no gateway address

This command disables the default gateway address by setting the IP address to 0.0.0.0.

Service

redirect-string text

The text variable no longer requires quotes.

SSL-proxy

ssl-server number tcp virtual nagle enable|disable

no ssl-server number tcp virtual nagle

The nagle option specifies the Nagle algorithm for the TCP connection for the client. By default, the Nagle algorithm is enabled for each TCP connection. Use the disable keyword to disable the Nagle algorithm when you observe a delay on the TCP connection. Use the enable keyword to reenable the Nagle algorithm.

The no version of this command reenables the Nagle algorithm.

ssl-server number tcp server nagle enable|disable

no ssl-server number tcp server nagle

The nagle option specifies the Nagle algorithm for the TCP connection for the web server. By default, the Nagle algorithm is enabled for each TCP connection. Use the disable keyword to disable the Nagle algorithm when you observe a delay on the TCP connection. Use the enable keyword to reenable the Nagle algorithm.

The no version of this command reenables the Nagle algorithm.


Table 9 lists the commands and options that have been removed in software version 7.10.2.06.

Table 9 CLI Commands Removed in Version 7.10.2.06 

Mode
Command and Syntax
Description

Global

gem-traffic-bursty
no gem-traffic-bursty

These commands have been removed.

Global

flow port-resets

This command has been removed. (CSCea06114)

Global

no flow port-resets

This command has been removed.

Interface

fcb-lowwater

This command has been removed.

Interface

no fcb-lowwater

This command has been removed. (CSCea06132)


Obtaining Documentation

These sections explain how to obtain documentation from Cisco Systems.

World Wide Web

You can access the most current Cisco documentation on the World Wide Web at this URL:

http://www.cisco.com

Translated documentation is available at this URL:

http://www.cisco.com/public/countries_languages.shtml

Documentation CD-ROM

Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which is shipped with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual subscription.

Ordering Documentation

You can order Cisco documentation in these ways:

Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Networking Products MarketPlace:

http://www.cisco.com/cgi-bin/order/order_root.pl

Registered Cisco.com users can order the Documentation CD-ROM through the online Subscription Store:

http://www.cisco.com/go/subscription

Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, U.S.A.) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).

Documentation Feedback

You can submit comments electronically on Cisco.com. In the Cisco Documentation home page, click the Fax or Email option in the "Leave Feedback" section at the bottom of the page.

You can e-mail your comments to bug-doc@cisco.com.

You can submit your comments by mail by using the response card behind the front cover of your document or by writing to the following address:

Cisco Systems
Attn: Document Resource Connection
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate your comments.

Obtaining Technical Assistance

Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can obtain online documentation, troubleshooting tips, and sample configurations from online tools by using the Cisco Technical Assistance Center (TAC) Web Site. Cisco.com registered users have complete access to the technical support resources on the Cisco TAC Web Site.

Cisco.com

Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information, networking solutions, services, programs, and resources at any time, from anywhere in the world.

Cisco.com is a highly integrated Internet application and a powerful, easy-to-use tool that provides a broad range of features and services to help you with these tasks:

Streamline business processes and improve productivity

Resolve technical issues with online support

Download and test software packages

Order Cisco learning materials and merchandise

Register for online skill assessment, training, and certification programs

If you want to obtain customized information and service, you can self-register on Cisco.com. To access Cisco.com, go to this URL:

http://www.cisco.com

Technical Assistance Center

The Cisco Technical Assistance Center (TAC) is available to all customers who need technical assistance with a Cisco product, technology, or solution. Two levels of support are available: the Cisco TAC Web Site and the Cisco TAC Escalation Center.

Cisco TAC inquiries are categorized according to the urgency of the issue:

Priority level 4 (P4)—You need information or assistance concerning Cisco product capabilities, product installation, or basic product configuration.

Priority level 3 (P3)—Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue.

Priority level 2 (P2)—Your production network is severely degraded, affecting significant aspects of business operations. No workaround is available.

Priority level 1 (P1)—Your production network is down, and a critical impact to business operations will occur if service is not restored quickly. No workaround is available.

The Cisco TAC resource that you choose is based on the priority of the problem and the conditions of service contracts, when applicable.

Cisco TAC Web Site

You can use the Cisco TAC Web Site to resolve P3 and P4 issues yourself, saving both cost and time. The site provides around-the-clock access to online tools, knowledge bases, and software. To access the Cisco TAC Web Site, go to this URL:

http://www.cisco.com/tac

All customers, partners, and resellers who have a valid Cisco service contract have complete access to the technical support resources on the Cisco TAC Web Site. The Cisco TAC Web Site requires a Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or password, go to this URL to register:

http://www.cisco.com/register/

If you are a Cisco.com registered user, and you cannot resolve your technical issues by using the Cisco TAC Web Site, you can open a case online by using the TAC Case Open tool at this URL:

http://www.cisco.com/tac/caseopen

If you have Internet access, we recommend that you open P3 and P4 cases through the Cisco TAC Web Site.

Cisco TAC Escalation Center

The Cisco TAC Escalation Center addresses priority level 1 or priority level 2 issues. These classifications are assigned when severe network degradation significantly impacts business operations. When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer automatically opens a case.

To obtain a directory of toll-free Cisco TAC telephone numbers for your country, go to this URL:

http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml

Before calling, please check with your network operations center to determine the level of Cisco support services to which your company is entitled: for example, SMARTnet, SMARTnet Onsite, or Network Supported Accounts (NSA). When you call the center, please have available your service agreement number and your product serial number.