Release Note for the Cisco 11500 Series Content Services Switch (Software Version 7.20.x)

Table Of Contents

Release Note for the Cisco 11500 Series Content Services Switch

Contents

CSS Standard and Enhanced Feature Sets

Before Upgrading the CSS Software

Software Behavioral Differences

General Software Behavioral Differences

Using the range Option with the global-portmap and noflow-portmap Commands

Using the commit_vip_redundancy and commit_redundancy Scripts without an IP Address

Matching Precedence for Layer 5 Rules

TCP Keepalive Packet Exchange

Change to the show keepalive Command

Change to the no admin-shutdown Command

Enhancements to OSPF Functionality

Configuring a Pre-Login Banner

Configuring File-Error Handling for Content Replication

Changes to show virtual-routers Display

Software Version 7.20 Operating Conditions

CSS Documentation Updates and Corrections

URL Maximum Length Clarification

Maximum Number of VLANs per CSS 11500 Model

Source Group Port Mapping Behavior

Software Version 7.20.5.03 Open Caveats, Resolved Caveats, and Command Changes

Software Version 7.20.5.03 Open Caveats

Software Version 7.20.5.03 Resolved Caveats

Software Version 7.20.5.03 Command Changes

Software Version 7.20.4.05 Open Caveats, Resolved Caveats, and Command Changes

Software Version 7.20.4.05 Open Caveats

Software Version 7.20.4.05 Resolved Caveats

Software Version 7.20.4.05 Command Changes

Software Version 7.20.3.05 Open Caveats, Resolved Caveats, and Command Changes

Software Version 7.20.3.05 Open Caveats

Software Version 7.20.3.05 Resolved Caveats

Software Version 7.20.3.05 Command Changes

Software Version 7.20.2.06 Open Caveats, Resolved Caveats, and Command Changes

Software Version 7.20.2.06 Open Caveats

Software Version 7.20.2.06 Resolved Caveats

Software Version 7.20.2.06 Command Changes

Software Version 7.20.1.04 Open Caveats, Resolved Caveats, and Command Changes

Software Version 7.20.1.04 Open Caveats

Software Version 7.20.1.04 Resolved Caveats

Software Version 7.20.1.04 Command Changes

Configuring kal-ap-vip

Overview

Configuration Requirements

Configuring a kal-ap-vip Client

Software Version 7.20.0.03 Open and Resolved Caveats

Software Version 7.20.0.03 Open Caveats

Software Version 7.20.0.03 Resolved Caveats

Obtaining Documentation

World Wide Web

Documentation CD-ROM

Ordering Documentation

Documentation Feedback

Obtaining Technical Assistance

Cisco.com

Technical Assistance Center

Cisco TAC Web Site

Cisco TAC Escalation Center


Release Note for the Cisco 11500 Series Content Services Switch


January 10, 2005


Note The most current Cisco documentation for released products is also available on Cisco.com. The online documents may contain updates and modifications made after the hardcopy documents were released.


Contents

This release note applies to the following software versions for the Cisco 11500 Series Content Services Switch (CSS). For information on version 7.20 commands and features, refer to the CSS 7.20 documentation on Cisco.com (http://www.cisco.com). Note that you cannot load this software image on a CSS 11050, 11150, or 11800.

7.20.5.03 (version 7.20, release 5, build 3)

7.20.4.05 (version 7.20, release 4, build 5)

7.20.3.05 (version 7.20, release 3, build 5)

7.20.2.06 (version 7.20, release 2, build 6)

7.20.1.04 (version 7.20, release 1, build 4)

7.20.0.03 (version 7.20, release 0, build 3)


Note The CSS box-to-box redundancy protocol is supported on CSS 11500 gigabit Ethernet (GE) ports in software version 7.20.


This release note contains the following sections:

CSS Standard and Enhanced Feature Sets

Before Upgrading the CSS Software

Software Behavioral Differences

Software Version 7.20 Operating Conditions

CSS Documentation Updates and Corrections

Software Version 7.20.5.03 Open Caveats, Resolved Caveats, and Command Changes

Software Version 7.20.4.05 Open Caveats, Resolved Caveats, and Command Changes

Software Version 7.20.3.05 Open Caveats, Resolved Caveats, and Command Changes

Software Version 7.20.2.06 Open Caveats, Resolved Caveats, and Command Changes

Software Version 7.20.1.04 Open Caveats, Resolved Caveats, and Command Changes

Software Version 7.20.0.03 Open and Resolved Caveats

Obtaining Documentation

Obtaining Technical Assistance

CSS Standard and Enhanced Feature Sets

The CSS software is available in a Standard or optional Enhanced feature set. The Enhanced feature set contains all of the Standard feature set and also includes Network Address Translation (NAT) Peering, Domain Name Service (DNS), Demand-Based Content Replication (Dynamic Hot Content Overflow), Content Staging and Replication, and Network Proximity DNS. Proximity Database and Secure Management, which includes Secure Shell Host and SSL strong encryption for the Device Management software, are optional features.

You must enter a Standard software license key when you boot the CSS for the first time. For details about activating a CSS software option, refer to the Cisco Content Services Switch Administration Guide.

Before Upgrading the CSS Software

Before you upgrade your CSS software, archive your custom scripts (including user profiles and custom script keepalives) by using the archive script or save_profile command. When you upgrade the software, the upgrade process creates a new /<current running version>/script directory, overwriting the current script directory.

After the upgrade is done, use the restore filename script command to restore the scripts you archived. Refer to the Cisco Content Services Switch Administration Guide for software upgrade instructions.

Software Behavioral Differences

The following sections describe the software behavioral differences that apply to software version 7.20.5.03.

General Software Behavioral Differences

Using the range Option with the global-portmap and noflow-portmap Commands

Using the commit_vip_redundancy and commit_redundancy Scripts without an IP Address

Matching Precedence for Layer 5 Rules

TCP Keepalive Packet Exchange

Change to the show keepalive Command

Change to the no admin-shutdown Command

Enhancements to OSPF Functionality

Configuring a Pre-Login Banner

Configuring File-Error Handling for Content Replication

Changes to show virtual-routers Display

General Software Behavioral Differences

This section describes general software behavioral differences that apply to software version 7.20:

DNS requests to a VIP used to return a service IP address if that backend service was a type redirect service. In software version 7.20.x, DNS requests now return the VIP address.

The CSS does not require you to configure a subnet mask on the Ethernet Management port. If you do not configure a subnet mask, the CSS uses the default subnet mask of 255.255.255.0. Any traffic transmitted from or sent to a CSS circuit fails if the circuit address range overlaps the management port IP address and its (default or configured) mask.

When you configured a content rule with the no persistent command and globally configured the persistent reset remap command, the urlhash and domainhash load-balancing methods prevented the CSS from remapping to a different server when it should have. The CSS now remaps the connection to a new server when a subsequent HTTP GET on an HTTP 1.1 persistent connection hashes to a different value than the previous GET.

VIP addresses and IP addresses used on content rules, services, and source groups are now restricted to class A, B, or C addresses. Multicast (class D) and reserved (class E) addresses are rejected, as are address ranges that extend beyond the end of the valid address space.

CSS port 8081 has been disabled for access to the Device Management GUI. Previously, a request to port 8081 redirected the browser to port 443 over a secure connection; the CSS now denies the request, and the browser reports that the page cannot be displayed.

In a VIP and virtual interface redundancy configuration, if you configured a virtual router (VR) on the local CSS but not on the remote CSS, when you ran the commit_vip_redundancy script, the script copied the local VR and its priority to the remote CSS. Because both the local and the remote VRs had the same priority, priority was not used to determine the master. In this case, the CSS with the lower IP address became the master. If you wanted to determine mastership based on priority, you had to manually configure the remote CSS priority as required.

On an initial connection, if the connection needs to be redirected, the CSS sends a FIN. If the connection needs to be redirected at a subsequent point, the CSS sends a reset. In prior releases, the CSS always sent a FIN.

When you transitioned from one CLI mode to another (for example, from config mode to service mode) into a service that already existed, the CSS did not send the mode-transition command to the TACACS+ server for authorization, regardless of whether TACACS+ authorization was enabled for config or non-config commands. Only when the service was being created, and authorization for config commands was enabled, did the CSS query the TACACS+ server to check that the user was authorized to run the command. In software version 7.30.1.05, a mode transition into an existing service now generates a TACACS+ authorization request if authorization for non-config commands is enabled.

The timeout value for a keepalive is related to the configured keepalive frequency. For version 7.20.1.04 and greater, the timeout is 2 seconds less than the keepalive frequency with a minimum of 1 second. Previously, the timeout was one second less than the keepalive frequency.

The group mode portmap number-of-ports number command defines the total number of ports in the portmap range for the entire CSS. Enter a number from 2048 to 63488. The default is 63488. This default value should be fine for most applications. If you enter a value that is not a multiple of 32, the CSS rounds up the value to the next possible multiple of 32.

The CSS allocates the total number of configured ports proportionally among all the Session Processors (SPs) in the CSS chassis according to the session processor relative weight value. To display the relative weight value of a session processor, enter the show chassis session-processors command. The more modules you add to the CSS chassis, the less session processing the SP in the SCM performs and the fewer ports the CSS assigns to it. To display the number of ports that the CSS allocates to each module, enter the show group portmap command.

The ipRouteTable (RFC 1213) has been deprecated and has been replaced by the ipCidrRouteTable (RFC 2096).

Using the range Option with the global-portmap and noflow-portmap Commands

This section describes the functionality of the range option when used with the global-portmap and the noflow-portmap commands.

The range keyword for the global mode global-portmap command configures the total number of ports in the port-map range that the CSS allocates to each of the 16 megamap banks in each SP. Enter an integer from 2048 to 63488. The default is 63488. If you enter a value that is not a multiple of 32, the CSS rounds up the value to the next possible multiple of 32.

Each megamap bank in an SP can use the full range of configured ports. Because of the unique source address hash that the CSS uses to select a megamap bank in an SP, more than one SP can use the same port number without a tuple collision.

If you enter a range value that exceeds the number of available ports, you get an error. To determine the number of available ports, subtract the starting port number you specify from 65504.


Caution Dynamically changing the range value may cause port conflicts on existing flows.

The range keyword for the global mode noflow-portmap command configures the total number of ports in the port-map range that the CSS allocates to each SP. Each SP can use the full range of configured ports. Enter an integer from 2048 to 63488. The default is 63488. If you enter a value that is not a multiple of 32, the CSS rounds up the value to the next possible multiple of 32.

If you enter a range value that exceeds the number of available ports, you get an error. To determine the number of available ports, subtract the starting port number from 65504.


Caution Dynamically changing the range value may cause port conflicts on existing flows.

Using the commit_vip_redundancy and commit_redundancy Scripts without an IP Address

This section describes how to use the commit_vip_redundancy and the commit_redundancy scripts without an IP address.

To eliminate the need to specify IP addresses each time you run the commit_vip_redundancy configuration synchronization script, you can set the value of two variables (LOCAL_VIPR_IP and REMOTE_VIPR_IP) to IP addresses and save them in your user profile. Once you set the variables and save them in your user profile, the variables will always be available after you log in to the CSS.

The IP addresses are the ones on which the Application Peering Protocol session occurs. Set the LOCAL_VIPR_IP variable to the circuit IP address of the local CSS. Set the REMOTE_VIPR_IP variable to the APP session IP address configured on the local CSS. The APP session address is the circuit IP address for the remote CSS.

To set the variables, enter:

# set LOCAL_VIPR_IP "local_ip_address" session
# set REMOTE_VIPR_IP "remote_ip_address" session

To save the variable in your user profile, enter:

# copy profile user-profile

If you already created the MASTER_VIPR_IP and BACKUP_VIPR_IP variables in an earlier release, the script will use the new variables instead, if present.

To eliminate the need to specify a remote IP address each time you run the commit_redundancy configuration synchronization script, you can set the value of the variable REMOTE_IP to an IP address and save it in your user profile. Once you set the variable and save it in your user profile, the variable will always be available after you log in to the CSS.

Set the REMOTE_IP variable to the APP session IP address configured on the local CSS. The APP session address is the circuit IP address for the remote CSS. To set the variable, enter:

# set REMOTE_IP "remote_ip_address" session

To save the variable in your user profile, enter:

# copy profile user-profile

If you already created the BACKUP_IP variable in an earlier release, the script will use the new variable instead, if present.

Matching Precedence for Layer 5 Rules

In a Layer 5 content rule, the CSS matches the URL after the CSS matches the IP address, protocol, and port. An HTTP header field group in a Layer 5 content rule enables a rule to be more specific than if the rule defined just a URL. Because content rules are hierarchical, if a request for content matches more than one rule, the characteristics of the most specific rule apply to the flow.

In version 7.20.1.04 and greater, the matching precedence for Layer 5 rule URLs has changed and is defined below. The CSS uses this order of precedence to process requests for the content, with 1 being the highest match and 10 being the lowest match.

1. Exact URL (for example, /test/index.html) with a header field group configuration.

2. Exact URL (for example, /test/index.html).

3. Wildcard URL length (for example, /test/ind* or /test/index.h*) with a header field group configuration.

4. Wildcard URL length (for example, /test/ind* or /test/index.h*).

5. Wildcard URL extension (for example, /test/*.html) with a header field group configuration.

6. Wildcard URL extension (for example, /test/*.html).

7. Wildcard Extension Qualifier List (for example, "/test/*" eql EQL_LIST) with a header field group configuration. For more information on Extension Qualifier Lists (EQLs), refer to the Cisco Content Services Switch Basic Configuration Guide.

8. Wildcard EQL (for example, "/test/*" eql EQL_LIST).

9. Wildcard URL (for example, /test/*) with a header field group configuration.

10. Wildcard URL (for example, /test/*).

In the following example, the content rules ruleWap and ruleNoWap are identical except ruleWap includes a header field group.

The content rule ruleWap matches any TCP port 80 traffic destined for VIP 192.168.128.151 that has the MSISDN field in the HTTP header, as defined in the header field group configuration.

The content rule ruleNoWap matches any TCP port 80 traffic destined for VIP 192.168.128.151 that does not have the MSISDN field in the HTTP header.

Because content rule ruleWap includes a header field group, the CSS will try to match on it before trying to match on content rule ruleNoWap.

header-field-group wap
   header-field 1 msisdn exist

owner arrowpoint
   content ruleWap
     vip address 192.168.128.151
     protocol tcp
     port 80
     url "/*"
     add service server1
     add service server2
     header-field-rule wap
     active

   content ruleNoWap
     vip address 192.168.128.151
     protocol tcp
     port 80
     url "/*"
     add service server21
     add service server22
     active

For more information on configuring content rules and HTTP header field groups, refer to the Cisco Content Services Switch Basic Configuration Guide.
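The precedence list above is easiest to check against real requests by turning it into code. The following Python is an added example written for this release note; it is not CSS code and not Cisco's matching implementation. It classifies a rule's url pattern into one of the five classes, applies the header field group adjustment, and picks the most specific rule for an HTTP request. The rule set, request lines and headers are constructed: the MSISDN rule is modelled as an exist check on a header named msisdn, the request-line contain operator (used in the header-field example in the operating conditions section of this note) is modelled as a substring test, EQL contents are supplied inline, and ties inside one class are broken by the longer literal prefix, a tiebreak the note does not define.

```python
from dataclasses import dataclass

# Precedence classes from the release note: 1 is the most specific match, 10 the
# least. The even number is the plain rule; a rule that also carries a header
# field group is one step more specific, so it gets the odd number just above.
_BASE = {"exact": 2, "length": 4, "extension": 6, "eql": 8, "wildcard": 10}


@dataclass(frozen=True)
class ContentRule:
    name: str
    url: str                    # the rule's url "..." pattern
    eql: tuple = ()             # extensions of the EQL named on the rule (assumed lower-case)
    header_fields: tuple = ()   # (field, operator, value) triples of its header-field-group


def url_kind(rule: ContentRule) -> str:
    """Classify a url pattern into one of the five precedence classes."""
    url = rule.url
    if "*" not in url:
        return "exact"            # /test/index.html
    if rule.eql:
        return "eql"              # "/test/*" eql EQL_LIST
    if url.endswith("/*"):
        return "wildcard"         # /test/*
    if url.rsplit("/", 1)[-1].startswith("*."):
        return "extension"        # /test/*.html
    return "length"               # /test/ind* or /test/index.h*


def precedence(rule: ContentRule) -> int:
    base = _BASE[url_kind(rule)]
    return base - 1 if rule.header_fields else base


def url_matches(rule: ContentRule, path: str) -> bool:
    kind = url_kind(rule)
    if kind == "exact":
        return path == rule.url
    star = rule.url.index("*")
    if not path.startswith(rule.url[:star]):
        return False
    if kind == "extension":
        return path.endswith(rule.url[star + 1:])
    if kind == "eql":
        name = path.rsplit("/", 1)[-1]
        return "." in name and name.rsplit(".", 1)[-1].lower() in rule.eql
    return True                   # length and plain wildcard: prefix match only


def header_matches(rule: ContentRule, request_line: str, headers: dict) -> bool:
    """Every header-field rule in the group must hold; only exist/contain are modelled."""
    for field, op, value in rule.header_fields:
        subject = request_line if field == "request-line" else headers.get(field.lower())
        if subject is None:
            return False          # exist and contain both need the field to be present
        if op == "contain" and value not in subject:
            return False
        if op not in ("exist", "contain"):
            raise ValueError(f"operator {op} not modelled")
    return True


def select_rule(rules, request_line: str, headers: dict):
    """Return the most specific content rule that matches the request, or None.

    Ties inside one precedence class are broken by the longer literal prefix;
    the release note does not define that tiebreak, it is an assumption here.
    """
    path = request_line.split()[1].split("?", 1)[0]
    candidates = [r for r in rules
                  if url_matches(r, path) and header_matches(r, request_line, headers)]
    return min(candidates, key=lambda r: (precedence(r), -len(r.url.split("*")[0])),
               default=None)


# Constructed rule set: the ruleWap/ruleNoWap pair from the example above, one
# rule per precedence class, and a request-line "LoadBalanceMe" rule.
RULES = (
    ContentRule("ruleWap", "/*", header_fields=(("msisdn", "exist", None),)),
    ContentRule("ruleNoWap", "/*"),
    ContentRule("ruleUrlString", "/*",
                header_fields=(("request-line", "contain", "LoadBalanceMe"),)),
    ContentRule("exactIndex", "/test/index.html"),
    ContentRule("indPrefix", "/test/ind*"),
    ContentRule("htmlOnly", "/test/*.html"),
    ContentRule("testEql", "/test/*", eql=("gif", "jpg")),
    ContentRule("testAll", "/test/*"),
)

if __name__ == "__main__":
    for line, hdrs in (("GET /index.html HTTP/1.1", {"msisdn": "4915123456789"}),
                       ("GET /index.html HTTP/1.1", {}),
                       ("GET /test/logo.gif HTTP/1.1", {}),
                       ("GET /cgi-bin/some-app.pl?action=LoadBalanceMe HTTP/1.1", {})):
        print(f"{line:60} -> {select_rule(RULES, line, hdrs).name}")
```

Running the module prints which rule wins for each constructed request; the first two lines reproduce the ruleWap/ruleNoWap split from the example, selected purely by the presence of the msisdn header.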

TCP Keepalive Packet Exchange

In software versions 5.20.xx, 7.10.0.xx, 7.10.1.xx, 7.10.2.xx, and 7.20.0.xx, the packet exchange for a TCP keepalive was inadvertently changed with the introduction of the support for increased keepalives. The packet exchange for these software versions was changed to Syn, Syn-Ack, Rst.

In software versions 7.10.3.05 and greater and 7.20.1.04 and greater, the packet exchange for a TCP keepalive was corrected to Syn, Syn-Ack, Ack, Rst-Ack.

Change to the show keepalive Command

The behavior of the show keepalive command has changed due to a code fix for CSCeb30454. When two sessions (for example, console, SSH, or Telnet) access keepalive data at the same time and one session modifies that data (for example, clears a service or a keepalive) while the other session is displaying it, the CSS may abort the show command in the displaying session because the configuration changed. This is most likely to occur when the data being displayed is removed by the command issued in the other session. If the CSS aborts the command, it displays the message:

"Command Aborted!!! Configuration changed. Please reissue command."

Change to the no admin-shutdown Command

The global no admin-shutdown command now resets ports that were shut down using the interface mode admin-shutdown command.

Enhancements to OSPF Functionality

The CSS OSPF functionality now examines configuration parameters (such as service configurations in content rules, keepalive behavior, VIP redundancy configurations, and whether services are active or suspended) to make accurate advertisement decisions on VIPs.

Specified routes related to VIPs are only advertised if both of the following conditions are true:

1. At least one of the related VIPs in a content rule or source group is active.

2. At least one service related to an active VIP is available on a content rule.

If you configured the CSS for box-to-box redundancy, be aware that only the master CSS (not the backup CSS) advertises the VIP.

It is recommended that you use the /32 prefix in the ospf advertise command to specify VIPs individually. Specifying entire subnets does not let the CSS make proper decisions about advertising the VIPs: an advertisement must match, or fit entirely within, a VIP range for the CSS to apply the conditions above. If the ospf advertise range only overlaps the VIP range, encapsulates it (that is, is larger than it), or does not match it, the route is advertised unconditionally.

The following flow chart shows the steps required for OSPF to advertise an IP address. If the IP address is a VIP, the flowchart shows the conditions that must be met for OSPF to advertise the VIP.
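The decision the flow chart describes can also be written down. The following Python is an added example, not CSS code: it decides whether an ospf advertise prefix is advertised, given the content rules and source groups that own VIP ranges, whether they are active, and the keepalive state of their services. The VipRule class, the rule data and the reason strings are constructed for the example. The note does not say whether the backup CSS of a box-to-box pair also suppresses the unconditional (overlapping or non-matching range) case, so the example applies the master-only rule to the VIP decision alone.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VipRule:
    """A content rule or source group as OSPF sees it: the VIP range it owns,
    whether it is active, and one keepalive state per attached service."""
    name: str
    vip_range: str          # a single VIP as /32, or a vip address range as a prefix
    active: bool
    services_alive: tuple   # True for each service whose keepalive reports it available


def advertise(prefix: str, rules, box_to_box_master: bool = True) -> tuple:
    """Decide whether an 'ospf advertise <prefix>' route is advertised.

    Returns (decision, reason). The conditions follow the release note: a prefix
    that fits entirely inside a VIP range is advertised only if some owning rule
    is active and has at least one available service (and, in a box-to-box pair,
    only by the master); a prefix that merely overlaps or encapsulates a VIP
    range, or matches no VIP at all, is advertised unconditionally.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    ranges = [(r, ipaddress.ip_network(r.vip_range, strict=False)) for r in rules]
    overlapping = [r for r, vip in ranges if net.overlaps(vip)]
    if not overlapping:
        return True, "not a VIP: ordinary route, advertised unconditionally"
    covering = [r for r, vip in ranges if net.subnet_of(vip)]
    if not covering:
        names = ", ".join(r.name for r in overlapping)
        return True, f"overlaps or encapsulates VIP range(s) {names}: advertised unconditionally"
    if not box_to_box_master:
        return False, "backup CSS of a box-to-box pair does not advertise a VIP"
    live = [r for r in covering if r.active and any(r.services_alive)]
    if live:
        return True, "active VIP with an available service on " + ", ".join(r.name for r in live)
    return False, "no active rule with an available service for " + ", ".join(r.name for r in covering)


# Constructed rules: one healthy VIP, one suspended, one whose services all fail
# their keepalives, and a VIP range owned by a source group.
RULES = (
    VipRule("webRule", "192.168.128.151/32", True, (True, False)),
    VipRule("suspendedRule", "192.168.128.152/32", False, (True,)),
    VipRule("deadRule", "192.168.128.153/32", True, (False, False)),
    VipRule("natGroup", "192.168.129.0/28", True, (True,)),
)

if __name__ == "__main__":
    for prefix in ("192.168.128.151/32", "192.168.128.152/32", "192.168.128.153/32",
                   "192.168.128.0/24", "192.168.129.5/32", "10.0.0.0/8"):
        decision, reason = advertise(prefix, RULES)
        print(f"{prefix:20} {'advertise' if decision else 'withhold ':10} {reason}")
```

The /24 case is the one the note warns about: because it encapsulates the /32 VIPs rather than fitting inside a VIP range, it is advertised even though two of the three VIPs it covers would be withheld when advertised individually.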

Configuring a Pre-Login Banner

You can configure a custom banner that displays when you connect to a CSS before you log in. The banner is an ASCII text file that you provide and it must reside in the CSS script directory. This banner is a general banner that is the same for all users. For example, you could create a banner that includes the name of your company or a department within your company.

To configure a pre-login banner, use the prelogin-banner command in global configuration mode. This command has the following syntax:

prelogin-banner "filename"

The filename variable is the name of the ASCII text file that contains the pre-login banner text. Enter a quoted text string with a maximum of 32 characters.

For example, to configure a pre-login banner file called newBanner:

1. Use any text editor (for example, Notepad or Wordpad) to create a custom banner called newBanner and save it as a text file. The maximum line width is 80 characters.

2. FTP the text file to the CSS script directory as follows:

a. From the directory that contains the banner text file, FTP to the CSS. For example, enter: ftp 192.168.12.5.

b. At the FTP prompt, log in to the CSS.

c. Enter cd script to change to the CSS script directory.

d. Enter put newBanner newBanner. FTP transfers the banner file to the CSS script directory.

3. To complete the configuration, enter the following command at the CSS CLI:

(config)# prelogin-banner newBanner

The next time you connect to the CSS, the custom banner appears.

To reset the default behavior of the CSS to no pre-login banner, enter:

(config)# no prelogin-banner

Configuring File-Error Handling for Content Replication

Under certain rare circumstances, it is possible for the CSS to encounter a file error during content replication. A file error can occur when an application or a user deletes a file from the publisher tree during a replication operation. If such an event occurs, the scan does not detect the deleted file and during replication the CSS may keep retrying the file until another scan occurs or the file becomes available.

To specify how the CSS handles file errors during content replication, use the replication file-error command. The syntax of this global configuration mode command is:

replication file-error retry|skip

The command options are:

retry - (Default) Replication pauses while the CSS periodically attempts to replicate a missing file

skip - The CSS skips the missing file and continues the replication process

Changes to show virtual-routers Display

The following changes were made to the show virtual-routers command display:

The `Fail Reason' field was changed to `Last Fail Reason'.

Codes reported for the `Fail Reason' field used to persist for the duration of the actual failure. Codes reported for the `Last Fail Reason' field now persist until another failure event occurs. A failure event is defined as a transition from Master/Backup to Down.

The failure code `No Service' was replaced with `Critical Svc Down'. This change applies to both the show virtual-routers CLI command and the SNMP apIpv4RedundancyVRFailReason MIB object.

Software Version 7.20 Operating Conditions

The following operating conditions apply to software version 7.20.

When configuring the CSS for FTP keepalives, do not configure the keepalive frequency or the keepalive retryperiod to a value less than 15 seconds. The CSS does not prevent you from configuring smaller values, and the default for both the keepalive frequency and the keepalive retryperiod is five seconds, so you must use the keepalive frequency and keepalive retryperiod commands to override the defaults for every FTP keepalive.

Issuing the show system-resources command causes CSS CPU usage to increase. If the CSS has more modules installed, using this command increases CPU usage accordingly. The increased CPU usage is a direct result of the computational overhead that occurs when the CSS polls the modules and calculates CPU usage.

A CSS monitors the health of the firewall by sending a custom ICMP keepalive request every second to the remote CSS on the other side of the firewall. If the CSS does not receive a keepalive request from the remote CSS for 3 to 16 seconds (configurable timeout), the CSS declares the firewall path unusable. Each CSS does not reply to the sending CSS, but instead transmits its own keepalive every second, totally independent of the other CSS.

When a traplog file reaches its maximum size (50 MB for a hard disk-based CSS, 10 MB for a flash disk-based CSS), the CSS renames the traplog file to traplog.prev as a backup file and starts a new traplog file. The CSS overwrites the backup traplog file when it renames the traplog file. Each time the CSS reboots, it continues to use the existing traplog file until it reaches its maximum size.

Do not perform an SNMP GET on the apFlowMgrStatSSTable OIDs because they are no longer valid.

If you configure the redundancy-phy command on the interface and then disable the interface using the admin-shutdown command, the master CSS fails over to the backup CSS. To prevent the CSS from failing over when you administratively disable the interface, remove the redundancy-phy command by entering no redundancy-phy before you enter the admin-shutdown command on the interface.

The valid range for the sshd server-keybits command is 512 to 1024. However, to maintain compatibility with software version 5.00, the CSS accepts values from 512 to 32768. If you enter a value greater than 1024, the CSS silently changes the value to the default of 768; the substitution is only reported at reboot, when the following sys.log message indicates the valid range. If you rely on a server key larger than the default, check the sys.log after the reboot rather than the value you entered.

NETMAN-3: sshd: Bad server key size <configured value>; range 512 to 1024; defaulting to 768
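Several conditions in this section, and in the behavioral differences above, are ones the CSS CLI accepts without complaint and only reveals at reboot or under load: an FTP keepalive frequency or retryperiod below 15 seconds, an sshd server-keybits value above 1024, a port-map range larger than the ports available above the base port, a class D or E VIP address. The following Python lint is an added example, not a Cisco tool: it walks a running-config and reports those settings using the rounding and range rules from this note, together with the 7.20.1.04 keepalive timeout formula. The sample running-config is constructed. The command forms it parses are taken from this note where the note shows them (global-portmap and noflow-portmap with a range, portmap number-of-ports, keepalive frequency and retryperiod, sshd server-keybits, prelogin-banner "name"); the base-port keyword, the keepalive type keyword and the assumed defaults (ICMP keepalive, frequency and retryperiod 5 seconds) are assumptions about the CLI syntax.

```python
import ipaddress
import math
import re

PORTMAP_TOP = 65504           # highest port the port-map range may reach (per the note)
PORTMAP_MIN, PORTMAP_MAX = 2048, 63488
FTP_KEEPALIVE_MIN = 15        # seconds; the CSS default frequency and retryperiod are 5
SSHD_KEYBITS_MAX = 1024       # larger values silently fall back to 768 on reboot
BANNER_NAME_MAX = 32          # prelogin-banner "filename" limit


def round_portmap_range(value: int) -> int:
    """The CSS rounds a range that is not a multiple of 32 up to the next multiple."""
    return math.ceil(value / 32) * 32


def keepalive_timeout(frequency: int) -> int:
    """7.20.1.04 and later: timeout is 2 s less than the frequency, never below 1 s."""
    return max(frequency - 2, 1)


def lint(config: str) -> list:
    """Return (severity, line_number, message) tuples for a CSS running-config."""
    findings = []
    services = {}             # service name -> keepalive settings (assumed CSS defaults)
    current = None
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tok = line.split()
        if tok[0] == "service" and len(tok) == 2:
            current = services.setdefault(
                tok[1], {"type": "icmp", "frequency": 5, "retryperiod": 5, "line": lineno})
            continue
        if tok[0] in ("owner", "content", "group"):
            current = None                        # left service mode
        if tok[0] == "keepalive" and current is not None and len(tok) >= 3:
            if tok[1] == "type":
                current["type"] = tok[2]
            elif tok[1] in ("frequency", "retryperiod"):
                current[tok[1]] = int(tok[2])
            continue
        m = re.fullmatch(r"(global-portmap|noflow-portmap) base-port (\d+) range (\d+)", line)
        if m:
            cmd, base, rng = m.group(1), int(m.group(2)), int(m.group(3))
            rounded = round_portmap_range(rng)
            if rounded != rng:
                findings.append(("info", lineno, f"{cmd} range {rng} is rounded up to {rounded}"))
            if rounded > PORTMAP_TOP - base:      # available ports = 65504 - base port
                findings.append(("error", lineno, f"{cmd} range {rounded} exceeds the "
                                 f"{PORTMAP_TOP - base} ports available above base-port {base}"))
            continue
        m = re.fullmatch(r"portmap number-of-ports (\d+)", line)
        if m:
            rounded = round_portmap_range(int(m.group(1)))
            if not PORTMAP_MIN <= rounded <= PORTMAP_MAX:
                findings.append(("error", lineno,
                                 f"portmap number-of-ports must be {PORTMAP_MIN}-{PORTMAP_MAX}"))
            continue
        if tok[:2] == ["sshd", "server-keybits"] and len(tok) == 3:
            bits = int(tok[2])
            if bits > SSHD_KEYBITS_MAX:
                findings.append(("warn", lineno, f"sshd server-keybits {bits} is outside "
                                 f"512-{SSHD_KEYBITS_MAX}; the CSS resets it to 768 on reboot"))
            continue
        if tok[:2] == ["vip", "address"] and len(tok) >= 3:
            addr = ipaddress.ip_address(tok[2])
            if addr.is_multicast or addr.is_reserved:   # class D or class E
                findings.append(("error", lineno, f"vip address {addr} is class D/E; 7.20 rejects it"))
            continue
        m = re.fullmatch(r'prelogin-banner "([^"]*)"', line)
        if m and len(m.group(1)) > BANNER_NAME_MAX:
            findings.append(("error", lineno, f"prelogin-banner filename exceeds {BANNER_NAME_MAX} chars"))
    for name, s in services.items():
        if s["type"] != "ftp":
            continue
        for key in ("frequency", "retryperiod"):
            if s[key] < FTP_KEEPALIVE_MIN:
                findings.append(("warn", s["line"], f"service {name}: ftp keepalive {key} {s[key]} s "
                                 f"is below the {FTP_KEEPALIVE_MIN} s minimum (timeout would be "
                                 f"{keepalive_timeout(s['frequency'])} s); the CLI accepts it silently"))
    return findings


# Constructed sample running-config (not from any real CSS); each check trips once.
SAMPLE_CONFIG = """\
!************************** GLOBAL **************************
sshd server-keybits 2048
global-portmap base-port 3001 range 63488
prelogin-banner "newBanner"
!************************** SERVICE **************************
service ftp-srv
  ip address 10.1.1.10
  keepalive type ftp
  keepalive frequency 10
  active
service web-srv
  ip address 10.1.1.20
  keepalive type tcp
  keepalive frequency 5
  active
!************************** GROUP **************************
group ftpNat
  vip address 192.168.128.200
  portmap number-of-ports 4000
  add service ftp-srv
  active
!************************** OWNER **************************
owner arrowpoint
  content ftpRule
    vip address 239.1.1.1
    protocol tcp
    port 21
    add service ftp-srv
    active
"""

if __name__ == "__main__":
    for severity, lineno, message in lint(SAMPLE_CONFIG):
        print(f"{severity:5} line {lineno:3}: {message}")
```

Run it against a copy of show running-config before an upgrade; the global-portmap finding in the sample shows the arithmetic the note asks you to do by hand (65504 minus base port 3001 leaves 62503 ports, fewer than the default range of 63488).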

A CSS supports 64 VLANs per trunked port (Fast Ethernet or Gigabit Ethernet port).

You can configure a VIP from an active source group as a redundant VIP.

The CSS 11501 uses the following interface-port format: e1, e2, and so on through e9, the Gigabit Ethernet (GE) port.

Because it has only one GE port, the CSS 11501 does not support redundant GE Inter-Switch Communications links for Adaptive Session Redundancy (ASR).

The CSS does not NAT fragmented IP/TCP packets.

When you configure firewall load balancing (FWLB), you must configure the VIPs on the CSS that has the services directly connected to it or connected through a Layer 2 device. Do not configure content rules with VIPs on a CSS when the services are located on the other side of the firewall and connected to another CSS participating in FWLB. This type of configuration will result in asymmetric paths and could cause firewalls performing stateful inspection to tear down connections.

For the 11500 series CSS, the Ethernet management port default IP address is 0.0.0.0, which disables the management port. To enable the management port, enter an IP address in one of the following ways:

During the boot process (refer to the Cisco 11500 Series Content Services Switch Hardware Installation Guide, Chapter 3, Booting and Configuring the CSS)

Using the Offline Diagnostic Monitor (Offline DM) menu (refer to the Content Services Switch Administration Guide, Appendix B, Using the Offline Diagnostic Monitor Menu)

Using the ip address CLI command in boot mode (refer to the Content Services Switch Administration Guide, Chapter 1, Logging In and Getting Started)

In an ASR environment, if you run traffic to a configuration that has discrepancies between the redundant indexes on the two CSSs, the CPU utilization for each processor on the CSS may climb to an abnormal level (at 2000 flows/second, approximately 50 percent utilization for each processor). If you set the logging level to notice-5 or higher, the SCM utilization may peak at approximately 90 percent because each connection generates a redundant index mismatch log entry. For example:

MAR 6 14:12:15 3/1 1124272 SLR-5: Rejected. Redundant global rule index (7) not found. 

If you configure a CSS with the dns-server command, and the CSS receives a DNS query for a domain name that you configured on the CSS using the host command, the DNS query will not match on an ACL that is configured with the apply dns command.

However, if you configure a domain name on a content rule on a CSS using the add dns {domain name} command, a DNS query for that domain name will match on an ACL that is configured with the apply dns command.

With a portmapper logging level of 6, an Adaptive Session Redundancy (ASR) peer finds and logs that a port is still in use by another flow on the peer CSS. Cleanup messages of accounting reports from the master CSS may have been dropped and the entry remains until garbage collection cleans up the flow on the peer CSS. The new flow that uses this port will have the proper NATing information to support the connection.

When the SSL modules are receiving more traffic than they can handle, one module may have more errors than another. Once a module gets behind, it is not able to catch up, so it gets further behind. You may see a load imbalance between the two modules. This occurs because the Session Processor (SP) does not detect the status of the SSL-offload modules. The SP continues to send flows to the SSL module even if it is not able to handle them. This does not include a condition by which the module completely fails. In that case, the CSS removes the module from service.

When you use the ssl gencsr command to generate a Certificate Signing Request (CSR) file for an RSA key pair file, the generated request is in PKCS10 format.

Dynamically changing the base port and range values through the global-portmap or noflow-portmap command may cause port conflicts on existing flows.

When you configure TACACS+ on a CSS, note that the CSS does not authorize scripts through the TACACS+ server. Because the CSS transforms all XML commands into scripts, the CSS also does not authorize XML commands through the TACACS+ server. TACACS+ command authorization therefore does not constrain what a user can do through scripts or XML.

When accessing the CSS OffDM menu from a terminal server, you must configure the client application to display 24 lines to enable the OffDM menu to display properly.

The request-line field type for the header-field command allows you to define the request line in an HTTP header for a header field group. When you attempt to access an Internet resource using your browser (for example, http://www.cisco.com), the browser issues a request for the resource in an HTTP header. The request line in an HTTP header contains the HTTP method (for example, GET, HEAD, or POST), the request URI, and the HTTP version. A uniform resource identifier (URI) consists of a string of alphanumeric and sometimes special characters that identify a resource on the Internet. The request line is the required first line of every HTTP request.

For example, suppose an HTTP header contains the following URI:

http://www.foo.com/cgi-bin/some-app.pl?session=123456789123456789&user=CiscoUser&action=LoadBalanceMe&foo=bar

By creating a header field group and header field rules, you can configure a CSS to make a content rule selection based on a string in the URI. For example, you can configure a CSS to make a content rule selection based on the string LoadBalanceMe in the above URI using the following configuration:

header-field-group url
   header-field urlString request-line contain "LoadBalanceMe"

owner arrowpoint
   content UrlString
     vip address 192.168.128.151
     protocol tcp
     port 80
     url "/*"
     add service server1
     add service server2
     header-field-rule url
     active

   content rule2
     vip address 192.168.128.151
     protocol tcp
     port 80
     url "/*"
     add service server21
     add service server22
     active

The CSS tears down the FTP control channel after 10 minutes of idle time. This teardown may occur during a file transfer if the transfer exceeds 10 minutes. This timeout applies only to active FTP (that is, it does not apply to PASV FTP). To increase the 10-minute timeout, use the flow-timeout-multiplier number command in owner-content mode on the associated content rule to configure a timeout large enough to accommodate the expected duration of FTP file transfers. The command controls how long an idle flow can exist before the CSS tears it down: enter an integer for the number variable from 0 to 65533, and the CSS multiplies that value by 16 to calculate the flow timeout in seconds.

A fix for defect CSCdy19162 was introduced into software versions 7.10.3.05 and 7.20.1.04 that created a software version requirement for CSSs in an Adaptive Session Redundancy (ASR) configuration. The requirement states that both CSSs in an ASR configuration must be running software versions that either contain the fix for CSCdy19162 or do not contain the fix. That is, you cannot operate one CSS running a software version that contains the fix while the other CSS runs a software version that does not contain the fix. If two ASR redundant CSS peers are running software versions in which one version includes the fix for defect CSCdy19162 and one version does not, the backup CSS will not be aware of any dormant flows. Therefore, during a failover, all of the ASR flows will fail.

The keepalive tcp-close fin command may be applied to a maximum of 100 keepalives.

The CSS implementation of FTP does not support the mget command, which is used for multiple file transfers.

The CSS provides scripted keepalives to support the need for keepalives operations that cannot be handled using non-scripted keepalives. Cisco recommends that you limit I/O operations in a scripted keepalive to socket operations used to probe network connectivity to a server and for determining application health on a server. Although the scripting language supports file I/O on the CSS hard drive or flash drive, Cisco recommends that you do not use file I/O operations within scripted keepalives. Extensive file I/O operations within scripted keepalives may cause services to transition. File system access is allowed in scripts executed from the CLI or from the command scheduler.

If you configure an ArrowPoint cookie on a content rule using the advanced-balance arrowpoint-cookie command and the CSS receives a subsequent GET with no ArrowPoint cookie on a persistent HTTP connection, the CSS ignores all persistence settings in the running-config, remaps the backend connection to a new server, and inserts a new ArrowPoint cookie.

When you configure the expiration time and date for a location cookie using the location-cookie expiration command, the CSS CPU may spike and the CSS may experience a degradation in its performance. Configure the expiration option with the location-cookie command only when necessary.

When you configure the arrowpoint-cookie expiration command and the advanced-balance arrowpoint-cookie command, the CSS CPU may spike and the CSS may experience a degradation in its performance. Configure the arrowpoint-cookie expiration command only when necessary.

The following operating considerations apply to the CSS Web-based Device Management software:

To access the Device Management software, use the URL https://ip_address. For example: https://192.168.3.6. The "s" indicates a secure SSL connection.

Always exit the browser after each device management session to clear the cache.

You must enable JavaScript in your browser for the Device Management software to work.

Navigation tree icons do not always display. The pages function correctly. Open a page by clicking on the corresponding text.

The CSS Web-based Device Management software uses cookies for authentication. Your browser must have cookies enabled to obtain access to the Device Management pages. Cookies are created when you log in using the login page and are valid only for the current browser session. If the CSS does not find a cookie, it does not allow you to access any pages. If the CSS finds a cookie, it determines whether you have SuperUser or User privileges. You must have SuperUser privileges to access all pages. User privileges enable you to access only non-configuration pages. Use the username command to configure SuperUser and User privileges.

Device Management supports the following browsers:

Microsoft Internet Explorer version greater than 4.0

Netscape Communicator 4.51 and 4.71

Netscape Navigator 4.08

With Microsoft Internet Explorer 6.0, when a page is displayed and you highlight the page in the Address field and press Enter, an Internet Explorer expired page appears. To redisplay the page, click Refresh in the browser navigation bar, then click Retry in the message box that appears.

CSS Documentation Updates and Corrections

The following documentation correction applies to the CSS 11501, CSS 11503 and the CSS 11506:

The documentation incorrectly states that you can configure as many SNMP communities as you wish through the snmp community command. You can configure a maximum of five communities.

The following documentation updates apply to the CSS 11501, CSS 11503 and the CSS 11506:

URL Maximum Length Clarification

Maximum Number of VLANs per CSS 11500 Model

Source Group Port Mapping Behavior

URL Maximum Length Clarification

When you use the url content mode command to specify a Uniform Resource Locator (URL) for content, you enter the URL as a quoted text string with a maximum length of 252 characters. Note that each path defined within the 252-character URL string cannot exceed a maximum length of 32 characters. A URL path includes all characters between two slashes (/.../). In addition, an extension after the "." character cannot exceed 7 characters.

For example, the URL string below includes three paths, with each path less than the 32 character maximum:

(config-owner-content[hospital.html])# "/newbirthannouncements/newbabies/babyfilename.jpg"

Maximum Number of VLANs per CSS 11500 Model

The following list defines the maximum number of VLANs supported by the specific CSS 11500 models:

CSS 11501 and CSS 11503 - A maximum of 256 VLANs per CSS and 64 VLANs per port (FE or GE)

CSS 11506 - A maximum of 512 VLANs per CSS and 64 VLANs per port (FE or GE)

Use the bridge vlan command to specify a VLAN and associate it with the specified Ethernet interface. Enter an integer from 1 to 4094 as the VLAN identifier. The default is 1. All interfaces are assigned to VLAN1 by default.

Source Group Port Mapping Behavior

When you configure a source group, a CSS provides network address translation (NAT) of source IP addresses and port address translation (PAT) of source ports. NAT and PAT add a measure of security to your network by not exposing private network addresses and ports to the public side of a CSS. To NAT source IP addresses and source ports for flows originating from a server (server-side) on the private side of the CSS, add existing services to a source group. To NAT source IP addresses and source ports for flows originating from a client (client-side) on the public side of the CSS, add existing services to a source group as destination services. You can also configure access control lists (ACLs) to perform source NATing.

Each CSS module (except the SSL module) has one session processor (SP) that is responsible for mastering flows.

CSS 11501 supports one SP

CSS11503 supports a maximum of three SPs

CSS 11506 supports a maximum of six SPs

The default number of source ports available for one source group is 63488 (65533 minus the named ports). With one source group configured, the CSS allocates the total number of ports proportionally among all the SPs in the CSS chassis according to the SP relative weight value. To display the relative weight value of an SP, enter the show chassis session-processors command.

For client-side flows, the CSS sends packets to different SPs for flow processing and the flows have access to the source ports in that SP. The CSS performs a simple XOR hash of the TCP or UDP source and destination port numbers to determine the SP that becomes master for that flow. If the port numbers are the same (for example, DNS UDP port 53), then the CSS uses the low order bits of the source and destination IP addresses to calculate the hash value. The CSS uses the hash value to index into a weighted table of SPs and selects the appropriate SP.

When the CSS performs PAT, the master SP for the flow uses a source port from either a source group or the global portmapper, depending on your configuration. The CSS chooses a source port so that the hash of it and the destination port will select the same SP for the server-side flow as the SP that mastered the client-side flow.

For the server-side flow from a given destination port, only certain source port numbers hash to the same SP that was used for the client-side flow. For this reason, all ports available to a particular SP are not necessarily eligible for use when establishing the back-end connection. Therefore, the hash algorithm selects only a percentage of the available ports on any one SP.

To make more available source ports eligible for flows or to provide additional source ports for each SP:

Configure services on different destination ports (vary the destination port) to broaden the hash across the SPs and allow a larger percentage of available ports to be eligible for port mapping. This strategy works by making the hashing algorithm less restrictive in the sense that now more source ports can be used to satisfy the hashing equations.

Configure another source group to provide an additional 63488 ports, which the CSS also distributes among the SPs in the same manner as described earlier in this section.

Table 1 illustrates how the number of eligible ports in a CSS 11506 decreases as you increase the number of installed modules (SPs). In all cases, the CSS is configured with one service and a single destination port for all flows (for example, port 80). The numbers of eligible ports in Table 1 are approximate and are used for illustration only. Your results may vary depending on your configuration.

Table 1 Adding Modules to a CSS 11506 Decreases the Number of Eligible Source Ports

Number of SPs    Number of Eligible Source Ports for the Chassis
1                63488
2                33728
3                21824
4                16616
5                13144
6                11408


Table 2 shows that, by increasing the number of destination ports, even in a fully-loaded CSS 11506 (six SPs), you can dramatically increase the number of source ports that are eligible for port mapping. In this example, the destination ports were chosen consecutively (for example, ports 80 through 89 for row 1).

Table 2 Increasing Destination Ports Increases Eligible Source Ports

Number of Destination Ports    Number of Eligible Source Ports for the Chassis
10                             28788
20                             31757
32                             40000


By comparing row six in Table 1 with row 1 in Table 2, you can see that increasing the number of destination ports to 10 more than doubles the number of source ports eligible for port mapping.

Note that it is algorithmically significant which destination ports you select to increase the number of eligible source ports and it is not a linear relationship. You may need to select several ranges of destination ports to produce the maximum number of eligible source ports.

Adaptive Session Redundancy (ASR) imposes further restrictions on the number of available and eligible source ports because of mapping resources to the backup CSS with an unknown chassis configuration. In a CSS 11506 with ASR configured, the number of source ports eligible for flows for the entire chassis is 1984 (63488 ÷ 32), regardless of the number of installed modules. You may be able to improve this number by adding a source group or configuring more destination ports for services.
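The following Python model is an added illustration of the port-eligibility behavior described in this section; it is not the CSS's own algorithm and does not come from this release note. It makes assumptions the note does not state: the port pool is ports 2048 through 65535 (63488 ports, the documented default), the pool is split into equal contiguous shares per SP (equal SP weights), and the weighted-table lookup is modelled as the XOR of the source and destination ports reduced modulo the number of SPs. Absolute counts therefore differ from Tables 1 and 2; what the model reproduces is the trend: only the share of an SP's own ports that hash back to that SP is eligible, adding SPs shrinks that share, adding destination ports widens it, and ASR caps the whole chassis at 63488 divided by 32.

```python
"""Toy model of CSS source-port eligibility under session-processor hashing."""
from typing import Iterable, List

POOL = range(2048, 65536)  # constructed: 63488 ports, matching the documented default


def select_sp(sport: int, dport: int, num_sps: int) -> int:
    """Simplified XOR hash; a stand-in for the CSS weighted SP table (assumption)."""
    return (sport ^ dport) % num_sps


def sp_port_shares(num_sps: int) -> List[range]:
    """Allocate the pool among SPs: equal weights assumed, remainder to the last SP."""
    size = len(POOL) // num_sps
    shares = []
    start = POOL.start
    for k in range(num_sps):
        end = POOL.stop if k == num_sps - 1 else start + size
        shares.append(range(start, end))
        start = end
    return shares


def eligible_ports(num_sps: int, dports: Iterable[int]) -> int:
    """Count source ports usable for server-side flows across the chassis.

    A port owned by SP k is eligible only if, hashed with at least one of the
    configured destination ports, it selects SP k again, so the server-side
    flow lands on the SP that mastered the client-side flow.
    """
    dports = list(dports)
    total = 0
    for k, share in enumerate(sp_port_shares(num_sps)):
        total += sum(
            1 for s in share
            if any(select_sp(s, d, num_sps) == k for d in dports)
        )
    return total


def asr_eligible_ports(pool_size: int = len(POOL)) -> int:
    """Documented ASR limit: the entire chassis gets pool_size / 32 ports."""
    return pool_size // 32


if __name__ == "__main__":
    for n in range(1, 7):
        print(f"{n} SP(s), one destination port: {eligible_ports(n, [80])}")
    print("6 SPs, destination ports 80-89:", eligible_ports(6, range(80, 90)))
    print("ASR limit for the chassis:", asr_eligible_ports())
```

Running the model with one destination port shows the count falling roughly in proportion to the number of SPs, and with ten consecutive destination ports on six SPs it rises well above the single-port figure, which is the same qualitative picture as Tables 1 and 2.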

Software Version 7.20.5.03 Open Caveats, Resolved Caveats, and Command Changes

The following sections contain the open caveats, resolved caveats, and command changes in software version 7.20.5.03:

Software Version 7.20.5.03 Open Caveats

Software Version 7.20.5.03 Resolved Caveats

Software Version 7.20.5.03 Command Changes

Software Version 7.20.5.03 Open Caveats

The following open caveats apply to the CSS 11501, CSS 11503 and the CSS 11506:

CSCef17772 - The Ethernet management port may become unresponsive as a result of unusual network traffic. Workaround: If the Ethernet management port becomes unresponsive, use the (config-if[Ethernet-Mgt])# admin-shutdown command to shut down the management port. Then use the (config-if[Ethernet-Mgt])# no admin-shutdown command to restart it.

CSCef19103 - The GUI may cause the CSS to reboot when you access the Content Rule Summary page or the Content Rule Main Summary page if the content rule is DNS-based and the CSS learns the content rule from a peer whose rule name exceeds 32 characters.

CSCef19482 - If the CSS sends an ICMP redirect, the packet may contain an ICMP checksum error.

CSCef19704 - When using the advanced-balance ssl command, the CSS does not NAT the server hello when no SSL session ID is sent.

CSCeb29602 - The SNMPv1 version of chassisMgrExt.mib and apent.mib may not load correctly in some network management systems.

CSCdy35383 - The Cisco 11000 series CSS MIBs are not posted on CCO. Workaround: Use an FTP program with a graphical user interface to copy the MIBs from the MIBs directory on your CSS to your management station, then load them into the management station.

CSCee34613 - When max connections is configured on a service, the CSS does not switch traffic based on concurrent connections, although it appears to do so based on connections per second.

CSCee54803 - The CSS is not learning new ARP entries. A host on the local network is not able to ping the CSS circuit address.

CSCee55759 - A CSS that is configured using the advanced-balance arrowpoint-cookie command may mishandle multiple GET retransmissions when the retransmissions interval between them is too short.

CSCee60207 - Using ACLs and source groups to NAT client traffic fails for traffic destined to an SSL content rule that uses an SSL module. The CSS matches the ACL, but does not NAT the client's source IP address. The result is that one-armed topologies do not function properly for specific SSL content rules. The workaround is to configure the source group using the add destination service command instead of using ACLs.

CSCee73098 - The CSS may have a potential memory leak in the route table when using host routes.

CSCed80405 - If two content rules using the same VIP have identical names after truncation to 31 characters (including the appended VIP), the CSS may reboot.

CSCee82580 - The CSS may reboot if you configure the ssl-server handshake timeout command.

CSCee88220 - When configuring SSL, performance is slower when you use SSL session ID reuse, which occurs when you configure a Layer 5 SSL sticky content rule.

Software Version 7.20.5.03 Resolved Caveats

The following resolved caveats apply to the CSS 11501, CSS 11503 and the CSS 11506:

CSCee01321 - The CSS incorrectly accepts an internal service name as a valid service in a content rule if you specify a service weight. When this is configured, you cannot remove the service from the content rule or delete the content rule. Rebooting the CSS does not fix this issue.

CSCef02846 - The CSS may reboot when the primary servers are suspended and the sorry server configuration is used.

CSCef03474 - A lifetick failure on the ISC link may cause the link to become wedged in the down state.

CSCef06443 - When a PrismBufferDebug error log indicates a buffer double free, a TCP keepalive received packet from the server with PSH, FIN, and ACK bits set results in the packet being processed incorrectly.

CSCef06995 - When using multiple source groups, a flow may be associated with more than one source group, causing the CSS to reboot.

CSCef08386 - Configuring a URQL on a content rule that has a 0.0.0.0 VIP address should not be allowed, and causes the CSS to reboot.

CSCef21844 - A cluster corruption causes the NetTask to suspend.

CSCee23156 - Forcing content replication using the replicate force command may fail if you move, rename, or delete files on the publisher. This problem typically occurs after an initial synchronization.

CSCee38740 - When using the script modify command in a scripted keepalive, if the variable to be modified does not exist, the CSS may leak memory.

CSCee41868 - You will not be able to use SSH to access the CSS after you run the Nessus scan tool on a circuit IP address.

CSCee44817 - Scripted keepalives may cause the CSS to reboot.

CSCee45284 - When the CSS receives an HTTP POST request that spans multiple packets, but receives those packets too quickly, the CSS may reset the connection.

CSCee49236 - The CSS responds incorrectly for a DNS query type of ANY.

CSCee53027 - The CSS may reboot when it processes the timestamp option in an IP header.

CSCee56155 - The VIP address range fails to check for VIPs that are already in use on source groups.

CSCee59808 - Non-persistent keepalives reuse source ports too quickly for multiple services that use the same destination IP address and port.

CSCee60837 - Backend SSL fails when a server offers a 16-byte session ID.

CSCee61578 - Configuring radius-server dead-time 1 causes sockets to leak. An out-of-socket condition causes a keepalive task to crash when the keepalive tries to close a socket that it could not get.

CSCed69094 - Using SSH to connect to the CSS while SSL performance tests are running may cause the Sshd task to suspend.

CSCee70050 - The CSS fails to update reachability information in the route table for the first route entry for a /32 route (host route) that follows an unreachable host entry. An attempt to send traffic to the host described by such an entry may cause the CSS to stop processing traffic indefinitely or cause it to reboot.

CSCee75060 - The CSS may reboot when processing host routes for redistribution to or from OSPF when a host entry (for which an ARP could be resolved) for the IP address is submitted to the route table.

CSCee77663 - When the CSS is configured as a zone-based DNS server and you configure an A-record, but the keepalive has failed for all zones in which the name is configured, and a request is made to the CSS for that name, the CSS may reboot.

CSCee80408 - Using the tacacs-server authorize config or the no tacacs-server authorize config command causes a memory leak.

CSCee85140 - The CSS stops responding to requests on port 80.

CSCee90213 - The CSS logs the following error message when there is no FTP content rule in a configuration: "Can't change type to transparent-cache if attached to an FTP rule".

CSCee95633 - If a service is configured with type nci-direct-return and is then added to a content rule configured with advanced-balance sticky-srcip, the NCI options are not set up for flows hitting the content rule.

Software Version 7.20.5.03 Command Changes

Table 3 lists the commands and options that have been added in software version 7.20.5.03.

Table 3 CLI Commands Added in Version 7.20.5.03

Mode: All
Command and Syntax: zero virtual-router state-changes [all|circuit ip_address [all|vrid number]]
Description: Sets the State Changes counter displayed by the show virtual-routers command to zero. The variables and options for this command are:

all - Zeroes the State Changes counter of all VRs configured on the CSS. When the all keyword is specified with the circuit ip_address keyword and variable, the CSS zeroes the State Changes counter of all VRs on the specified circuit.

circuit ip_address - Specifies a circuit IP address where VRs are configured.

vrid number - Zeroes the State Changes counter of the specified VR on the specified circuit.

Mode: Global
Command and Syntax: replication file-error retry|skip
Description: Specifies how the CSS handles file errors during content replication. The command options are:

retry - (Default) Replication pauses while the CSS periodically attempts to replicate a missing file.

skip - The CSS skips the missing file and continues the replication process.


Table 4 lists the commands and options that have changed in software version 7.20.5.01.

Table 4 CLI Commands Changed in Version 7.20.5.01

Mode: Group
Command and Syntax: vip address ip_or_host {range number}
Description: The range for the range number variable changed from 1 to 65353 to 1 to 65535.


Software Version 7.20.4.05 Open Caveats, Resolved Caveats, and Command Changes

The following sections contain the open caveats, resolved caveats, and command changes in software version 7.20.4.04:

Software Version 7.20.4.05 Open Caveats

Software Version 7.20.4.05 Resolved Caveats

Software Version 7.20.4.05 Command Changes

Software Version 7.20.4.05 Open Caveats

The following open caveats apply to the CSS 11501, CSS 11503 and the CSS 11506:

CSCee01321 - The CSS incorrectly accepts an internal service name as a valid service in a content rule if you specify a service weight. When this is configured, you cannot remove the service from the content rule or delete the content rule. Rebooting the CSS does not fix this issue. Workaround: To remove a service, copy the startup-config to a TFTP server and edit the startup-config to remove the service from the content rule or to delete the content rule. Then copy the edited startup-config back to the CSS and reboot the CSS.

CSCee23156 - Forcing content replication using the replicate force command may fail if you move, rename, or delete files on the publisher. This problem typically occurs after an initial synchronization.

CSCeb29602 - The SNMPv1 version of chassisMgrExt.mib and apent.mib may not load correctly in some network management systems.

CSCdy35383 - The Cisco 11000 series CSS MIBs are not posted on CCO. Workaround: Use an FTP program with a graphical user interface to copy the MIBs from the MIBs directory on your CSS to your management station, then load them into the management station.

CSCee38740, CSCee44817 - Scripted keepalives may cause the CSS to reboot.

CSCee45284 - When the CSS receives an HTTP POST request that spans multiple packets, but receives those packets too quickly, the CSS may reset the connection.

CSCee55759 - A CSS that is configured using the advanced-balance arrowpoint-cookie command may mishandle multiple GET retransmissions when the retransmissions interval between them is too short.

CSCee60207 - Using ACLs and source groups to NAT client traffic fails for traffic destined to an SSL content rule that uses an SSL module. The CSS matches the ACL, but does not NAT the client's source IP address. The result is that one-armed topologies do not function properly for specific SSL content rules. The workaround is to configure the source group using the add destination service command instead of using ACLs.

Software Version 7.20.4.05 Resolved Caveats

The following resolved caveats apply to the CSS 11501, CSS 11503 and the CSS 11506:

CSCed00757 - A non-privileged user cannot run the show log sys.log command.

CSCee01234, CSCee01240 - A new vulnerability in the OpenSSL implementation for SSL was announced on March 17, 2004. An affected network device running an SSL server based on an affected OpenSSL implementation may be vulnerable to a Denial of Service (DoS) attack. There are workarounds available to mitigate the effects of this vulnerability on Cisco products in the workaround section of this advisory. Cisco is providing fixed software, and recommends that customers upgrade to it when it is available. This advisory will be posted at http://www.cisco.com/warp/public/707/cisco-sa-20040317-openssl.shtml.

CSCee03077 - The CSS reboots while attempting to send data with corrupted flow structure to a spoofed server.

CSCed06619 - When you configure the CSS with Session Level Redundancy (SLR) using source groups and a passive FTP connection is initiated through the source group, the CSS may reboot when the connection is torn down.

CSCee07003 - When a CSS is configured for max connections, the outputs for the show service and show service summary commands may display a number of connections greater than the number of max connection configured on the service. When the CSS load-balances a flow, the number of connections to a service is not properly updated. Therefore, the number of connections to the service may be exceeded.

CSCee08487 - If the window size advertised in a backend SYN is smaller than the length of the first data segment (for example, HTTP GET), the CSS does not send out the ACK to complete the backend three-way handshake and drops the TCP packet.

CSCee08529 - The CSS does not require you to configure a subnet mask on the Ethernet Management port. If you do not configure a subnet mask, the CSS uses the default subnet mask of 255.255.255.0. Any traffic that is transmitted from or sent to a CSS circuit will fail if there is an overlap with the management port IP address.

CSCee08664 - If the global portmap and restrict snmp commands are both configured when you are running the commit_vip_redundancy script, the script may report a byte count difference of 2 bytes. This does not adversely impact the CSS running-configs.

CSCed09529 - The CSS reboots after it suspends and changes the portmap number of ports to a low number if the group has many open mappings.

CSCdx09860 - If a packet that is carrying an Arrowpoint cookie does not reach a client, the retransmitted packet does not get the Arrowpoint cookie insertion. This may cause a TCP sequence number mismatch, and the packet may also contain unexpected data.

CSCee21521 - Under rare circumstances while using LDAP scripted keepalives, the CSS may identify one or more services as down.

CSCed21769 - Using VIP and interface redundancy in one Global Server Load Balancing (GSLB) site and using a single CSS in another GSLB site causes the load to be reported incorrectly after you suspend and activate a content rule.

CSCee24269 - The CSS does not properly clean up an internal data structure.

CSCee24309 - The CSS was not properly authorizing all commands through the TACACS+ server.

CSCee32636 - Using the application ssl command in an SSL content rule on a CSS 11500 with an SSL module running software version 7.20.3.05 or greater causes two SSL client hellos to be sent from the client three seconds apart, which causes latency.

CSCdw34822 - The "@" character in a user profile causes the profile to abort if you log in as a user (that is, not SuperUser). Because the "@" character enables a command to be run in user mode, the CSS should have allowed it.

CSCee38396 - When you configure the CSS using the cmd-sched command, the first time the CSS executes the cmd-sched record, the CSS may execute the record twice during the first second.

CSCee39336 - A vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences beyond terminated connection which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer) and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality. All Cisco products which contain TCP stack are susceptible to this vulnerability. This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS® software. A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at: http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.

CSCed40192 - The CSS may queue up more blocks of data than it can send to the hardware. This may cause the `Too Many Blocks for Block2AccelFragmentArray' counter to increment.

CSCed46905 - The SSL module allows a finite amount of SSL/TLS backend connections before it stops passing traffic. All cipher suites are affected. To recover, reboot the CSS. Workarounds are to disable backend SSL/TLS or use a smaller certificate on the IIS server.

CSCed47022 - When running high amounts of sustained traffic on two SSL modules, tasks may become suspended and the CSS may reboot.

CSCee49006 - The CSS GUI does not display owner/service in the monitor summary page.

CSCed51417 - The CSS considers a service to be down if the service is configured with an HTTP keepalive and the only response from the keepalive is HTTP/1.0 200OK. The CSS should interpret this as a valid response to an HTTP keepalive and consider the service as up. Workaround: Configure the service keepalive type as non-persistent using the keepalive type http non-persistent command.

CSCed51715 - In a VIP and virtual interface redundancy configuration, if you configure a virtual router (VR) on the local CSS but not on the remote CSS, when you run the commit_vip_redundancy script, the script copies the local VR and its priority to the remote CSS. Because both the local and the remote VRs now have the same priority, priority is not used to determine the master. In this case, the CSS with the lower IP address becomes the master. If you want to determine mastership based on priority, manually configure the remote CSS priority as required.

CSCed52992 - When doing an SNMP NEXT through the apSvcTable from the svcExt.mib, the CSS SCM CPU may spike to high levels and remain high for long periods of time. This issue is related to the number of configured services.

CSCed54235 - The show log sys.log tail number command only displays half of the number of lines specified in the command line.

CSCed57552 - When running non-sticky flows through an ASR environment when ISC ports are down, the CSS continuously displays the following sys.log message because it is not aware that the logical ISC state is down.
DEC 28 14:30:05 1/1 2496137 FP_DRV-4: PrismFastPath::TxPacketToQueue: Queue Write failed Qnum: 0 SB: 0 TaskName: tFlowMgrPktRx TaskId: 0x84de9dc0 Buffer Address: 0x87c588688

CSCed57712 - RSH (Remote Shell) through the CSS does not function because source port NAT'ing interferes with it.

CSCed58756 - If you configure the CSS for a SuperUser account with a password of 123456, the SuperUser is allowed access to the CSS if they enter 1234567 as the password. This problem exists only with passwords that contain a number of characters that are divisible by 8.

CSCed61321 - When you configure the CSS for SSL termination and the SSL handshake is in process when a client key exchange is received instead of a client hello, the CSS may reboot.

CSCed62063 - SSH sessions are not being cleared, which causes new sessions to be blocked.

CSCed64614 - The ap-kal-dns keepalive script fails when used with the dnsflow disable command and you add a service to a source group. The workaround is to remove the DNS server from the source group.

CSCed66531 - The Time (Sec) Elapsed field in the show sticky-table command for SSL traffic is incorrect.

CSCec67557 - When the CSS backend-remaps a persistent connection, an ACL check does not occur. This prevents the backend connection from being NAT'd properly.

CSCed73326 - When the CSS is configured with a scripted keepalive that performs multiple socket sends, the CSS buffers the data from the different socket sends and then sends it out as part of one data packet. The nowait option, added in software version 7.20.4.05, instructs the CSS to immediately send the data from a socket send and not buffer the data from different socket sends.

CSCeb73418 - If a client TCP stack retransmits an original TCP SYN at the same time the original TCP SYN is sent out, the CSS does not detect the retransmitted TCP SYN as a duplicate SYN. The CSS now checks for duplicate SYNs that arrive simultaneously.

CSCed74244 - If the DNS forwarder feature is configured and you enter debug mode and issue the dns setFwdKal 0 command, the CSS reboots. A value of 0 is invalid for the dns setFwdKal command.

CSCed75430 - Using an incomplete MIB variable for the sample-variable command in (config-rmonalarm) mode may cause the CSS to reboot.

CSCed76105 - The show sticky-stats command was added to the showtech diagnostic script to provide information on the CSS sticky database.

CSCed76182 - Issuing the no app-udp ? command may cause the CSS to reboot.

CSCed76755 - If the CSS Ethernet Management port does not have a subnet mask configured on it (or is configured to the default 255.255.255.0), the CSS will not be able to respond to DNS queries. Workaround: Configure an IP address and a subnet mask on the Ethernet Management port.

CSCec81039 - The flow statistics command displays invalid active flow counts per port. The counts increase, but do not decrease.

CSCed81963 - When you configure a content rule with the no persistent command and globally configure the persistent reset remap command, the urlhash and domainhash load-balancing methods prevent the CSS from performing a server remap when required. The CSS should remap a server when a subsequent HTTP GET on an HTTP 1.1 connection causes a different hash value than the previous GET.

CSCed83158 - A CSS with an installed SSL module may incorrectly forward a server response according to the routing table rather than delivering the server response to the SSL module for encryption. This issue occurs when the port configured on the clear text content rule and the content rule configured on the service do not match.

CSCed85319 - When a server response to an HTTP1.1 keepalive request contains a "Connection: keepalive", the CSS incorrectly downgrades the HTTP1.1 keepalive to an HTTP1.0 keepalive.

CSCed88058 - When the CSS is configured as a DNS server and a DNS name is configured on a content rule, but all servers for that rule are unavailable, the CSS returns NXDOMAIN for a DNS request. In this situation, the CSS should return SERVERFAIL.

CSCed88075 - When you configure the CSS with the advanced-balance arrowpoint-cookie command, it may incorrectly interpret a server data packet beginning with 'PORT' or '227' as an FTP packet. If this occurs, the CSS corrupts the packet because it assumes that FTP is in use.

CSCed88755 - A CSS may stop allowing SSH connections after running for a period of time. Workaround: Reboot the CSS.

CSCed89086 - The CSS allows you to remove the redirect command from an active content rule even if no services are configured on the rule. This should not be allowed because services are required on an active content rule that does not contain a redirect.

CSCed91385 - The CSS drops traffic when it is configured for VIP redundancy and is the backup CSS for a VIP and needs to NAT a client IP address due to a configured source group.

CSCed95285 - The CSS may reboot when removing a session if the VIP address was already removed.

CSCed95735 - A port that is set to 100Mbits-HD may stop transmitting packets.

Software Version 7.20.4.05 Command Changes

Table 5 lists the commands and options that have been added in software version 7.20.4.05.

Table 5 CLI Commands Added in Version 7.20.4.05  

Mode
Command and Syntax
Description

Global

ip advanced-route-remap

no ip advanced-route-remap

Remaps flows based on the best available route.

prelogin-banner filename

no prelogin-banner

Allows you to display banner text before you log in to the CSS. To specify where the banner text resides, enter a filename as quoted text and a maximum of 32 characters.


Table 6 lists the commands and options that have changed in software version 7.20.4.05.

Table 6 CLI Commands Changed in Version 7.20.4.05  

Mode
Command and Syntax
Description

All

show log {log_filename {tail lines} {line-numbers}}

This command is now available in all modes. Previously, this command was not available in User mode.

show log-list

This command is now available in all modes. Previously, this command was not available in User mode.

show system-resources slot

Added the slot variable to display system resources for a specific slot in the CSS chassis.

socket connect host ip_address port number tcp {timeout} {session} {nowait}

For TCP connections, added the nowait option, which causes the socket to send data immediately without waiting to aggregate the data first.

Content

no advanced-balance

The syntax of this command changed from no advance-balance.

SuperUser and All Config Modes

show script {filename {line-numbers}}

Added the line-numbers option, which allows you to display line numbers with the script text.


Software Version 7.20.3.05 Open Caveats, Resolved Caveats, and Command Changes

The following sections contain the open caveats, resolved caveats, and command changes in software version 7.20.3.05:

Software Version 7.20.3.05 Open Caveats

Software Version 7.20.3.05 Resolved Caveats

Software Version 7.20.3.05 Command Changes

Software Version 7.20.3.05 Open Caveats

The following caveats apply to the CSS 11501, CSS 11503 and the CSS 11506:

CSCed06619 - When you configure the CSS with Session Level Redundancy (SLR) using source groups and a passive FTP connection is initiated through the source group, the CSS may reboot when the connection is torn down.

CSCed09529 - The CSS reboots if you suspend a source group that has many open mappings and then change its portmap number of ports to a low number.

CSCed21769 - Using VIP and interface redundancy in one Global Server Load Balancing (GSLB) site and using a single CSS in another GSLB site causes the load to be reported incorrectly after you suspend and activate a content rule.

CSCeb29602 - The SNMPv1 version of chassisMgrExt.mib and apent.mib may not load correctly in some network management systems.

CSCdy35383 - The Cisco 11000 series CSS MIBs are not posted on CCO. Workaround: Use an FTP program with a graphical user interface to copy the MIBs from the MIBs directory on your CSS to your management station, then load them into the management station.

CSCed38249 - When a CSS receives multiple load reports for a GSLB service, the reported load may be incorrect. The CSS may receive multiple load reports for a service if the load reports are received from a pair of CSSs that have a redundant VIP configured for the service.

CSCed40192 - The CSS may queue up more blocks of data than it can send to the hardware. This may cause the 'Too Many Blocks for Block2AccelFragmentArray' counter to increment.

CSCed49849 - If a critical service in an ASR configuration transitions under a heavy load, causing both redundancy and an ASR failover, the redundancy transition may cause the CSS to reboot.

CSCed51417 - The CSS considers a service to be down if the service is configured with an HTTP keepalive and the only response from the keepalive is HTTP/1.0 200OK. The CSS should interpret this as a valid response to an HTTP keepalive and consider the service as up. Workaround: Configure the service keepalive type as non-persistent using the keepalive type http non-persistent command.

CSCed51715 - In a VIP and virtual interface redundancy configuration, if you configure a virtual router (VR) on the local CSS but not on the remote CSS, when you run the commit_vip_redundancy script, the script copies the local VR and its priority to the remote CSS. Because both the local and the remote VRs now have the same priority, priority is not used to determine the master. In this case, the CSS with the lower IP address becomes the master. If you want to determine mastership based on priority, manually configure the remote CSS priority as required.

CSCed52992 - When doing an SNMP NEXT through the apSvcTable from the svcExt.mib, the CSS SCM CPU may spike to high levels and remain high for long periods of time. This issue is related to the number of configured services.

CSCed61321 - The CSS may reboot due to an incorrect packet received by a device.

CSCed62063 - SSH sessions are not being cleared, which causes new sessions to be blocked.

CSCed64240 - The CSS reboots at Task Level Exc in LogPrintAgent.

CSCed64614 - The ap-kal-dns keepalive script fails when used with the dnsflow disable command and you add a service to a source group. The workaround is to remove the DNS server from the source group.

CSCec67557 - When the CSS backend-remaps a persistent connection, an ACL check does not occur. This prevents the backend connection from being NAT'd properly.

CSCec81039 - The flow statistics command displays invalid active flow counts per port. The counts increase, but do not decrease.

CSCec83724 - When you use source groups on the CSS in an ASR environment, the number of eligible and usable ports for portmapping decreases.

Software Version 7.20.3.05 Resolved Caveats

The following caveats were resolved in software version 7.20.3.05:

CSCed00734 - If you change a keepalive on a service from keepalive type script to keepalive type ssl without first suspending the service, the service will go into a DOWN state indefinitely.

CSCec01380 - The CSS sends 302 redirects with an incorrect URL in response to a CONNECT.

CSCed01717 - When you configure a service using the type ssl-accel-backend command and the redundant-index command, the CSS displays an incorrect error message.

CSCed01770 - When you configure the CSS for Global Server Load Balancing (GSLB) and use the dns-record a kal-ap threshold command (with the threshold default of 254) and the CSS receives NXDOMAIN responses for a dns-record with a content rule that contains only one service and that service reaches a load level of 254, the CSS does not transition down the service.

CSCed02951 - If you issue the no ssl associate cert command, place a new certificate on the CSS, and then issue the ssl associate cert command, if the new certificate is larger than the previous certificate, the CSS reboots.

CSCed03090 - A stack overflow may occur on some processes on the SSL module, including TimerTask and SslTx. This may cause these processes to fail.

CSCec07321 - When using ASR (Adaptive Session Redundancy), if the backend server goes down due to having a cable removed from the Layer 2 switch, the CSS does not send UDP traffic.

CSCeb12522 - On a CSS configured as a PDB, the PDB functionality may hang. To recover, you must reboot the CSS. This situation occurs when you issue the proximity commit ftp command and the FTP server does not allow PUT.

CSCed13555 - In a VIP redundancy configuration, when CSS-A (master) fails over to CSS-B (backup), and then CSS-B fails back over to CSS-A, if flowy traffic hits CSS-B, the ARP entry on CSS-B that should point to CSS-A, may be missing, and traffic is dropped. If non-flowy traffic hits CSS-B, the ARP request is sent out and traffic is forwarded properly.

CSCed15825 - The CSS reboots when the following three conditions are true. Under these three conditions, the CSS uses the wrong host information to send the DNS keepalive packet to itself (the circuit IP address).

No management port IP address or subnet mask is configured (that is, the address is 0.0.0.0)

The CSS is configured with the app-udp command

The CSS is configured with the dns-record command that contains a keepalive pointing to the CSS circuit IP address.

CSCec16679 - SNMP lexicographical ordering is incorrect in various MIBs locations.

CSCec16689 - When you configure a blackhole route to the same IP subnet on which a firewall route has as its next hop, shutting down the IP interface or unplugging the cable from the interface to that next hop may cause the CSS to reboot.

CSCec17121 - When disabling the dns-server, the console or a telnet session may lock up.

CSCin18392 - The apPortCopy table does not properly copy files when an absolute path is provided.

CSCed20671 - The string range command searches on one less byte than the range maximum. The range should be 1 to 100, but the CSS only searches on a range of 1 to 99.

CSCed21013 - SSL connections that are terminated on a CSS may have trailing data added to them after being decrypted. This added data may confuse the servers on the back-end, causing application errors.

CSCed25009 - When you configure a content rule with application ssl and use an advanced-balance method that employs the sticky database, the CSS does not distribute sticky database entries properly to modules in the chassis, which causes connections to fail because they are not directed to the correct server.

CSCeb25077 - If an SSL handshake message spans an SSL record and a TCP packet, a handshake failure occurs.

CSCed29795 - SSL connections terminated on a CSS may have trailing data added after being decrypted. This may cause confusion to the servers on the back-end and lead to application errors.

CSCed26264 - If you do not configure an IP address for the management port, an SNMP GET of ifOperStatus returns invalid data (that is, a value of 0).

CSCec28308 - The CSS sends mails with a line feed (\n) that does not contain a preceding carriage return (\r). This causes mail to be rejected by qmail.

CSCed29953 - The CSS does not set up flows for TCP port 520.

CSCec30587 - SSHv1 connections into the CSS leak 3277 bytes of memory. Over time, the CSS may run low on memory.

CSCed32955 - After power-cycling the Cat2950, the Rx port on the CSS stops incrementing. The Tx port functions properly. The workaround is to reboot the CSS. To avoid this issue, configure both the Cat2950 and the CSS for a speed of 10 megabits per second.

CSCec38220 - When the CSS is configured for SSL termination, the SSL module may send the decrypted traffic in a TCP packet with a bad checksum.

CSCed39121 - When you run the commit_redundancy or commit_vip_redundancy scripts, the OSPF area settings on the circuit may be removed from the remote CSS.

CSCed41281 - During bootup, the CSS may receive multiple entries for processors in the chassis that time out certain commands that are waiting for responses from modules even though the modules have already responded. The workaround is to reboot the CSS.

CSCec45381 - When the Resource Manager Essentials (RME) software 3.5 performs a config archive and uses SSH login to the CSS, it performs the archive successfully, but generates the following two messages in the sys.log:

*******
SEP 29 10:53:44 1/1 361 NETMAN-4: Accepted without authentication for admin from 172.16.123.78 port 59514
SEP 29 10:53:46 1/1 366 NETMAN-4: Disconnecting: Corrupted checked bytes on input.
*******

CSCec45497 - In an ASR configuration, source port resources may leak after a failover occurs and the CSS cleans up the flows.

CSCed46905 - The SSL module allows a finite amount of SSL/TLS backend connections before it stops passing traffic. All cipher suites are affected. To recover, reboot the CSS. Workarounds are to disable backend SSL/TLS or use a smaller certificate on the IIS server.

CSCed47022 - When running high amounts of sustained traffic on two SSL modules, tasks may become suspended and the CSS may reboot.

CSCea47419 - A custom script opens port 443 on one server and sends an SNMP request to another server. With 12 to 16 services using this script, every 5 to 15 minutes, a service goes into the Dying state while waiting for the SNMP reply (which was already received). This caveat is caused by a timing issue in the waitfor script command.

CSCec48758 - OSPF only advertises a VIP host route if regular services are active. If regular services are not active and the Primary Sorry Server is active, the VIP route is not advertised. This issue prevents access to the Sorry Server.

CSCec49123 - When the CSS cannot forward a packet because of an unresolved ARP, the buffer in which the packet was received may leak when the ARP times out.

CSCed49253 - The CSS may reboot if an alert needs to be sent during a client hello.

CSCec54416 - A buffer may not be transmitted to a hardware queue when the queue is full (known as a transmit abort). The CSS should free the buffer back into the free pool.

CSCec55690 - When SPAN is configured on a port, certain types of ingress traffic may eventually cause the Session Processor (SP) to stop processing flows. Reboot the CSS to recover from this situation.

CSCec58376 - If you have a static ARP entry using an IP address that is identical to a circuit IP address, the CSS reboots. Static ARP entry IP addresses, circuit IP addresses, and source group IP addresses must all be unique. The CSS does not allow you to configure identical IP addresses for these configuration parameters.

CSCeb59662 - The CSS should time out idle GUI connections, but does not. Also, you should be able to show the GUI sessions in use and be able to disconnect GUI sessions, but cannot.

CSCec59890 - When a CSS is configured with persistent reset remap and a Layer 5 content rule configured with no persistent, advanced-balanced cookies, and sticky-no-cookie-found-action and receives on a persistent connection an HTTP GET with no cookie, it does not re-load balance to select a new service. The CSS keeps the connection on the previous sticky server, which is incorrect.

CSCeb61316 - If an XML document that is not terminated with a carriage return line feed (CRLF) is uploaded to a CSS 11500, it will fail and the following message will be logged:
"httpRpmPut: Not a well-formed XML document".

CSCec64389 - If the CSS is configured for SSL termination with export ciphers contained in the configuration, the CSS may log the error: SSLACCEL-3:CRYPTO HARDWARE RESET. The CSS would then experience slow, stalled SSL connections and may reboot.

CSCec65326 - If you do not configure an IP address or subnet mask for the management port and the SNMP trap is an enterprise trap, 0.0.0.0 is used as the agent IP address in the trap.

CSCec68022 - When any remote command is performed (either manually or by running the config_sync script) and the primary SCM is in slot 2, the CSS reboots.

CSCec73591 - The show ip forwarding debug mode command may cause the CSS to reboot if the table is too large. In addition, the data displayed may be incomplete.

CSCec73612 - The CSS reboots when OSPF submits greater than 15 equal cost routes to a single destination.

CSCeb73970 - Using the ssl gencert command causes the CSS to generate a certificate with valid dates from 12/31/1960 to 1/30/1970 or 1/01/1970 to 1/31/1970 instead of using the actual date corresponding to the internal CSS clock.

CSCec74453 - CDP packets are bridged by the CSS, but they should not be bridged.

CSCec77158 - The CSS reboots when you issue the no ssl associate command and then suspend and activate the service.

CSCeb77234 - After the CSS experiences a transition in a VIP redundancy configuration, UDP flows initiated from a backend server are unNAT'd.

CSCdy79571 - The CSS may not detect the proper number of modules installed in a chassis. This may result in internal broadcast messages being sent to the slots that do not exist, which leads to unexpected behavior on the CSS and causes the CSS to display the following messages:

FP_DRV-4: PrismImmFastPath::Send: TxToQueue Failure
FP_DRV-3: PrismBufferDebug: (Buffer Pool: 2) Xfer of ownership error on buffer 
Xfer activity FROM:DEALLOC TO: DEALLOC 

CSCec80040 - If you configure the CSS using the advanced-balance method (which uses the sticky table) and the calculated sticky hash key is zero, the CSS reboots.

CSCec80045 - Service maximum connections may be overrun when traffic hits a content rule that is configured for stickiness.

CSCec80913 - An SNMP NEXT of the apChassisMgrExtSubModuleTable causes the CSS to reboot if you use an invalid slot/subslot to index the table.

CSCec80987 - The CSS may reboot due to freeing an internal communication buffer.

CSCec85000 - The CSS does not perform lookups with a suffix appended to a requested name even if you configure a dns suffix.

CSCec86444 - In a chunked encoding transfer header, the CSS incorrectly interprets the string as case sensitive and fails if any of the characters are capitalized.

CSCec86501 - When a script contains a quoted string that is greater than 255 characters and is used by a scripted keepalive, the CSS reboots.

CSCec88084 - The CSS stops translating sequence numbers on the FTP control connection after a FIN packet.

CSCec89210 - When you configure a CSS with a static route that is identical to a learned OSPF route (network LSA), the OSPF route correctly takes precedence. However, if the CSS loses the OSPF route, the blackhole route is not injected into the routing table.

CSCec89216 - On a CSS 11503 or a CSS 11506 configured for active FTP with destination services specified in a source group, if the FTP control channel and data channel are handled by different slots, the CSS may fail to clean up portmap entries.

Software Version 7.20.3.05 Command Changes

Table 7 lists the commands and options that have been added in software version 7.20.3.05.

Table 7 CLI Commands Added in Version 7.20.3.05  

Mode
Command and Syntax
Description

Global

idle timeout web-mgmt minutes

no idle timeout web-mgmt

The new web-mgmt option sets the maximum amount of idle time for active web management sessions.

The minutes variable is the maximum time in minutes. Enter a number from 0 to 65535. The default is 0, disabling the timeout.

tacacs-server send-full-command

no tacacs-server send-full-command

The new send-full-command option enables the CSS to expand user-executed abbreviated commands to their full command syntax before sending them to the TACACS+ server.

Use the no form of the command to reset the default behavior of sending user-executed commands exactly as entered to the TACACS+ server without expanding abbreviated commands.

Keepalive

tcp-close fin|rst

Specifies a global keepalive to close a TCP socket with a FIN or a RST.

The fin keyword specifies that the keepalive closes the TCP socket with a FIN rather than a RST.

The rst keyword specifies that the keepalive closes the TCP socket with a RST (default).

By default and in compliance with RFC 1122, the CSS sends a reset (RST) to close the socket on a server port for TCP keepalives. A RST is faster than a FIN, because a RST requires only one packet, while a FIN can take up to four packets. If your servers require a graceful closing of a socket using a FIN, use the tcp-close fin command.

Service

keepalive tcp-close fin|rst

The new tcp-close option specifies a service keepalive to close a TCP socket with a FIN or a RST.

The fin keyword specifies that the keepalive closes the TCP socket with a FIN rather than a RST.

The rst keyword specifies that the keepalive closes the TCP socket with a RST (default).

By default and in compliance with RFC 1122, the CSS sends a reset (RST) to close the socket on a server port for TCP keepalives. A RST is faster than a FIN, because a RST requires only one packet, while a FIN can take up to four packets. If your servers require a graceful closing of a socket using a FIN, use the keepalive tcp-close fin command.

SSL-proxy-list

ssl-server number ssl-queue-delay number2

no ssl-server number ssl-queue-delay

The new ssl-queue-delay option specifies the amount of time for the CSS virtual SSL server to wait for packets before emptying the queued data for encryption.

The virtual SSL server on the CSS empties the data from the queue and encrypts it for transmission to the client when:

The queue fills to 16,400 bytes (the maximum SSL record size)

The server sends a TCP FIN packet

The delay time on the CSS has passed, even though the queue contains less than 16,400 bytes

The ssl-queue-delay number2 option and variable sets the time in milliseconds to wait for packets before emptying the queued data for encryption. Enter a value from 0 to 10000. The default delay is 200. Setting the value to 0 disables the queuing of data.

When you set the value to 0 to disable the queuing of data, the virtual SSL server on the CSS encrypts the data as soon as it arrives from the server and then sends the data to the client.

Use the no form of this command to reset the delay to 200 milliseconds.


Software Version 7.20.2.06 Open Caveats, Resolved Caveats, and Command Changes

The following sections contain the open caveats, resolved caveats, and command changes in software version 7.20.2.06:

Software Version 7.20.2.06 Open Caveats

Software Version 7.20.2.06 Resolved Caveats

Software Version 7.20.2.06 Command Changes

Software Version 7.20.2.06 Open Caveats

The following caveats apply to the CSS 11501, CSS 11503 and the CSS 11506 in software version 7.20.2.06:

CSCec01380 - The CSS sends 302 redirects with an incorrect URL in response to a CONNECT.

CSCec07321 - When using ASR (Adaptive Session Redundancy), if the backend server goes down due to having a cable removed from the Layer 2 switch, the CSS does not send UDP traffic.

CSCec16679 - SNMP lexicographical ordering is incorrect in various MIBs locations.

CSCec16689 - When you configure a blackhole route to the same IP subnet on which a firewall route has as its next hop, shutting down the IP interface or unplugging the cable from the interface to that next hop may cause the CSS to reboot.

CSCeb12522 - On a CSS configured as a PDB, the PDB functionality may hang. To recover, you must reboot the CSS. This situation occurs when you issue the proximity commit ftp command and the FTP server does not allow PUT.

CSCec17121 - When disabling the dns-server, the console or a telnet session may lock up.

CSCeb25077 - If an SSL handshake message spans an SSL record and a TCP packet, a handshake failure occurs.

CSCec28308 - The CSS sends mails with a line feed (\n) that does not contain a preceding carriage return (\r). This causes mail to be rejected by qmail.

CSCeb28397 - If you issue the redundancy force-master command multiple times when running the CSS in a box-to-box configuration, the backup CSS may not bring down its interfaces correctly. The new master CSS then logs a duplicate IP address. The backup CSS shows the circuit as disabled, but the IP address is still listed. The master CSS continues to log duplicate IP addresses from the backup CSS until you reboot the master CSS.

CSCeb29602 - The SNMPv1 version of chassisMgrExt.mib and apent.mib may not load correctly in some network management systems.

CSCec30587 - SSHv1 connections into the CSS leak 3277 bytes of memory. Over time, the CSS may run low on memory.

CSCdy35383 - The Cisco 11000 series CSS MIBs are not posted on CCO. Workaround: Use an FTP program with a graphical user interface to copy the MIBs from the MIBs directory on your CSS to your management station, then load them into the management station.

CSCec38220 - When the CSS is configured for SSL termination, the SSL module may send the decrypted traffic in a TCP packet with a bad checksum.

CSCec45381 - When the Resource Manager Essentials (RME) software 3.5 performs a config archive and uses SSH login to the CSS, it performs the archive successfully, but generates the following two messages in the sys.log:

*******
SEP 29 10:53:44 1/1 361 NETMAN-4: Accepted without authentication for admin from 172.16.123.78 port 59514
SEP 29 10:53:46 1/1 366 NETMAN-4: Disconnecting: Corrupted checked bytes on input.
*******
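Added example (not from Cisco or this release note): a small Python parser for the sys.log line layout quoted in this CSCec45381 entry and in the same entry under the 7.20.3.05 resolved caveats, which picks out the NETMAN "Accepted without authentication" events by source address so an operator can tell the expected RME archive host apart from any other source. The field layout is inferred from the quoted lines only, and the sample log below is constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Layout of a CSS sys.log line as reproduced in this release note
# (assumption: inferred from the quoted lines, not from a Cisco format spec):
#   MON DD HH:MM:SS slot/subslot sequence FACILITY-severity: message
LOG_RE = re.compile(
    r"^(?P<month>[A-Z]{3}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<slot>\d+/\d+) (?P<seq>\d+) (?P<facility>[A-Za-z_]+)-(?P<severity>\d+): "
    r"(?P<message>.*)$"
)

# The NETMAN-4 message text logged during an RME SSH config archive (CSCec45381).
NOAUTH_RE = re.compile(
    r"^Accepted without authentication for (?P<user>\S+) from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)$"
)


@dataclass
class CssLogEntry:
    month: str
    day: int
    time: str
    slot: str
    seq: int
    facility: str
    severity: int
    message: str


def parse_line(line: str) -> Optional[CssLogEntry]:
    """Split one sys.log line into its fields; None if the line does not match the layout."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    return CssLogEntry(
        month=m["month"],
        day=int(m["day"]),
        time=m["time"],
        slot=m["slot"],
        seq=int(m["seq"]),
        facility=m["facility"],
        severity=int(m["severity"]),
        message=m["message"].strip(),
    )


def find_unauthenticated_logins(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return every NETMAN 'Accepted without authentication' event with user, source and sequence."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        entry = parse_line(line)
        if entry is None or entry.facility != "NETMAN":
            continue
        m = NOAUTH_RE.match(entry.message)
        if m is None:
            continue
        hits.append({
            "seq": entry.seq,
            "slot": entry.slot,
            "user": m["user"],
            "ip": m["ip"],
            "port": int(m["port"]),
        })
    return hits


def summarize_by_source(lines: Iterable[str]) -> Dict[str, int]:
    """Count the events per source IP so a known RME host stands out from any other source."""
    counts: Dict[str, int] = {}
    for hit in find_unauthenticated_logins(list(lines)):
        ip = str(hit["ip"])
        counts[ip] = counts.get(ip, 0) + 1
    return counts


# Constructed sample: the two lines quoted in the caveat, one FP_DRV line from
# elsewhere in this release note, and one line that lacks the timestamp prefix.
SAMPLE_LOG = [
    "SEP 29 10:53:44 1/1 361 NETMAN-4: Accepted without authentication for admin from 172.16.123.78 port 59514",
    "SEP 29 10:53:46 1/1 366 NETMAN-4: Disconnecting: Corrupted checked bytes on input.",
    "DEC 28 14:30:05 1/1 2496137 FP_DRV-4: PrismFastPath::TxPacketToQueue: Queue Write failed Qnum: 0",
    "FP_DRV-4: PrismImmFastPath::Send: TxToQueue Failure",
]

if __name__ == "__main__":
    for hit in find_unauthenticated_logins(SAMPLE_LOG):
        print(hit)
    print(summarize_by_source(SAMPLE_LOG))
```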

CSCec45497 - In an ASR configuration, source port resources may leak after a failover occurs and the CSS cleans up the flows.

CSCea47419 - A custom script opens port 443 on one server and sends an SNMP request to another server. With 12 to 16 services using this script, every 5 to 15 minutes, a service goes into the Dying state while waiting for the SNMP reply (which was already received). This caveat is caused by a timing issue in the waitfor script command.

CSCec48758 - OSPF only advertises a VIP host route if regular services are active. If regular services are not active and the Primary Sorry Server is active, the VIP route is not advertised. This issue prevents access to the Sorry Server.

CSCec49123 - When the CSS cannot forward a packet because of an unresolved ARP, the buffer in which the packet was received may leak when the ARP times out.

CSCec55690 - When SPAN is configured on a port, certain types of ingress traffic may eventually cause the Session Processor (SP) to stop processing flows. Reboot the CSS to recover from this situation.

CSCeb59662 - The CSS should time out idle GUI connections, but does not. Also, you should be able to show the GUI sessions in use and be able to disconnect GUI sessions, but cannot.

CSCec59890 - When a CSS is configured with persistent reset remap and a Layer 5 content rule configured with no persistent, advanced-balanced cookies, and sticky-no-cookie-found-action and receives on a persistent connection an HTTP GET with no cookie, it does not re-load balance to select a new service. The CSS keeps the connection on the previous sticky server, which is incorrect.

CSCeb61316 - If an XML document that is not terminated with a carriage return line feed (CRLF) is uploaded to a CSS 11500, it will fail and the following message will be logged:
"httpRpmPut: Not a well-formed XML document".

CSCeb61726 - Redirecting the socket inspect command to a file corrupts the data contained in the socket buffer.

CSCec64389 - If the CSS is configured for SSL termination with export ciphers contained in the configuration, the CSS may log the error: SSLACCEL-3:CRYPTO HARDWARE RESET. The CSS would then experience slow, stalled SSL connections and may reboot.

CSCec67036 - The CSS incorrectly inserts a new ArrowPoint cookie into a response packet.

CSCec67557 - When the CSS backend-remaps a persistent connection, an ACL check does not occur. This prevents the backend connection from being NAT'd properly.

CSCec68022 - When any remote command is performed (either manually or by running the config_sync script) and the primary SCM is in slot 2, the CSS reboots.

CSCec73591 - The show ip forwarding debug mode command may cause the CSS to reboot if the table is too large. In addition, the data displayed may be incomplete.

CSCec73612 - The CSS reboots when OSPF submits greater than 15 equal cost routes to a single destination.

CSCec73646 - The CSS experiences an error in internal message processing when two processes attempt to modify the same buffer.

CSCec74453 - CDP packets are bridged by the CSS, but they should not be bridged.

CSCec75716 - A CSS 11500 may take 100 ms or longer to send a FIN/ACK to a Real Server once it receives the Real Server FIN/ACK for SSL connections that terminate on the CSS.

CSCeb77234 - After the CSS experiences a transition in a VIP redundancy configuration, UDP flows initiated from a backend server are unNAT'd.

CSCec80913 - An SNMP NEXT of the apChassisMgrExtSubModuleTable causes the CSS to reboot if you use an invalid slot/subslot to index the table.

CSCec80940 - A CSS 11500 does not return any data when polling the MIB-II ipRouteTable (.1.3.6.1.2.1.4.21) using SNMP.

CSCec80987 - The CSS may reboot due to freeing an internal communication buffer.

CSCec81039 - The flow statistics command displays invalid active flow counts per port. The counts increase, but do not decrease.

CSCeb83566 - Fragments sent to the Ethernet management port may cause the CSS to reboot.

Software Version 7.20.2.06 Resolved Caveats

The following caveats were resolved in software version 7.20.2.06:

CSCec01157 - Using the 'search' option in the 'more' functionality may cause the CSS to reboot.

CSCec01457 - The CSS may reboot when you issue the no trunk command.

CSCdy01722, CSCdy26214, CSCea76800 - When you configure two default routes with different metrics and the default route with the lower metric goes down, flows using the lower-metric route may be torn down and not remapped to the new default route with the higher cost metric.

CSCec04009 - The apLogSubSystemTable from the logExt.mib was not returned in SNMP lexicographical order, which caused an error when attempting an SNMP walk on the enterprises OID.

CSCec04320 - An SNMP walk of the apSvcTable does not always return all configured services.

CSCec06292 - With non-128 bit Microsoft IE browsers that offer both 40-bit and 56-bit ciphers in the Client Hello, the CSS configures the 56-bit ciphers with a higher weight on the SSL module, but the Server Hello communicates a 40-bit cipher, if selected.

CSCec10173 - In the show sticky-table output on a CSS 11500, you can see different values in the hitcount/time elapsed field. These values should be the same on all modules.

CSCec11862 - The CSS may incorrectly show services in a suspended state.

CSCec12547 - Changing the ssl-proxy list on a service may cause the CSS to reboot.

CSCec13344 - If you run the commit_redundancy script using the -int option, the redundancy-phy settings are removed from the remote CSS.

CSCdx14704 - If a content rule has all services of type redirect and the load balancing algorithm is balance weightedrr (weighted roundrobin), load balancing is not performed using weighted roundrobin, but instead uses roundrobin as the balancing mechanism. Previously, the only load balancing method that worked on a content rule with only redirect services was roundrobin. Added the ability to use balance weightedrr on this type of content rule as well.

CSCec22205 - Running the nessus port scanner against the CSS may cause the CSS to reboot.

CSCec22850 - While at the -more- prompt, data that you enter may overrun the internal buffer, causing memory corruption, which causes the CSS to reboot.

CSCec23297 - The CSS may reboot when it receives a sticky table update message.

CSCec24379 - The CSS reboots when it processes a packet that contains a bad message authentication code.

CSCec25848 - Multiple receive tasks running on the SSL module may cause the CSS to reboot.

CSCec26257 - A change has been made to the size of an internal storage array to prevent memory from being overwritten when the CSS tries to insert a Set-Cookie in a response containing ARPT cookies that is going back to a client.

CSCeb26590 - An Administrator-level user will not be able to exit from a TACACS session when the TACACS server is in a down state and command authorization is enabled.

CSCec27236 - File names greater than 36 characters may cause the CSS to reboot.

CSCeb28300 - When you configure the CSS with multiple trap hosts, traps are sent only to the first host in the configuration.

CSCeb29612 - When the CSS tears down a flow, an internal corruption may cause it to reboot.

CSCeb30454 - Commands that access keepalive information, such as the show service or show keepalive commands, may lock the CSS CLI due to a semaphore deadlock condition. If this deadlock condition occurs, it affects only the terminal session issuing the command. However, the condition would also lock out any access to keepalive data resulting in undesirable behavior, such as failure of keepalives to run on the CSS.

CSCec33255 - Token ring clients fail going through the SSL module.

CSCeb35567 - Incoming UDP traffic that is NATed by an ACL using a source group may not be NATed properly on the return.

CSCec35690 - New vulnerabilities in the OpenSSH implementation for SSH servers have been announced. An affected network device, running an SSH server based on the OpenSSH implementation, may be vulnerable to a Denial of Service (DoS) attack when an exploit script is repeatedly executed against the same device. There are workarounds available to mitigate the effects of these vulnerabilities. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20030917-openssh.shtml.

CSCeb38059 - The CSS loses MAC addresses and cannot allocate MCID, requiring that you reboot the CSS.

CSCeb38247, CSCeb39688 - The CSS SSL module stops sending data in response to HTTP GET requests. However, subsequent connections do receive data.

CSCeb38555 - The OSPF tag is recognized only for 16 bits.

CSCec38726 - The CSS may reboot when it encounters an unhandled internal message type.

CSCec41430 - Using Internet Information Services (IIS) with client authentication enabled may cause the CSS to reboot.

CSCeb42078 - If you create or activate a content rule that contains the URL "/?*", delete the URL, and then recreate or reactivate the URL, the CSS may reboot.

CSCeb42094 - When TACACS is configured to authenticate commands and you issue the script play script command from the command line, the first line of the script does not get played. Because the first line is the only line affected in the script, update the script so that the contents of the first line appear twice.

CSCeb43255 - The MIB variable apSvcName does not order getNext responses lexicographically.

CSCeb43415 - Using ap_file delete to remove an SSL certificate file may corrupt the internal database information.

CSCec43762 - An ACL configured to drop all telnet sessions does not drop telnet sessions to the CSS circuit addresses.

CSCec44143 - In a backend SSL connection, the CSS initiates an SSL connection to the backend server. If that backend server requests a client certificate, the CSS may reboot.

CSCec44158 - The CSS may reboot when starting or stopping SSL traffic.

CSCec45165 - New vulnerabilities in the OpenSSL implementation for SSL have been announced. An affected network device running an SSL server based on the OpenSSL implementation may be vulnerable to a Denial of Service (DoS) attack when presented with a malformed certificate by a client. The network device is exposed to this vulnerability even if it is configured to not authenticate certificates from the client. There are workarounds available to mitigate the effects of these vulnerabilities. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20030930-ssl.shtml.

CSCeb56670 - The CSS may not return an Arrowpoint cookie (ARPT) after the first GET on persistent HTTP/1.1 connections.

CSCeb57374 - When you run a keepalive script that uses the icmp probe command and the target host is unavailable, the CSS may leak resources and eventually hang the console or reboot.

CSCeb57524 - Content rules with URQLs lock up and traffic is dropped if it hits the rule. You must suspend and activate the rule.

CSCeb58032 - OSPF advertise decisions do not function properly.

CSCea58217 - If you configure the CSS with a Layer 5 content rule, it drops any client packet while the TCP SYN to the server is outstanding. In this case, when the CSS receives an HTTP POST, it makes the load-balancing decision and sends the TCP SYN to the backend server. If the CSS receives another TCP PUSH (the POST data) from the client before the TCP SYN/ACK is received from the server, the CSS drops the packet.

CSCeb62751 - When configuring the bucket interval for RMON history to one second on a CSS 11500, the output of the show rmon-history command displays a 30-second interval.

CSCeb64686 - SSL data does not get passed correctly if a rehandshake occurs.

CSCea66180 - If you perform an SNMP NEXT on the deprecated apFlowMgrStatSSTable from the flowMgrExt.mib, future SNMP access fails from both external SNMP agents and the CLI with the error %% Error - cannot obtain SNMP lock.

CSCea66182 - The WebNS device management software cannot be accessed after one to three days of uptime.

CSCea66340 - When running the commit_redundancy or the commit_vip_redundancy scripts, the scripts incorrectly overwrite the radius-server source interface on the remote CSS.

CSCeb66864 - A persistent connection that uses arrowpoint cookies reduces the TCP maximum segment size (MSS) on the server side TCP connection by 250 bytes for each backend remap until the MSS is a negative value.

CSCeb68203 - A CSS may mark a service as dying or down if an HTTP keepalive is used and the HTTP response from the service spans more than one packet.

CSCeb70776 - When the CSS is configured with a Layer 5 content rule and the client performs HTTP POSTs and the data portion of a POST packet starts with "POST TAX", the CSS incorrectly determines this as the start of the new HTTP content request. This situation causes the connection to hang while waiting for the HTTP terminator in a future packet.

CSCeb73456 - When a link transition occurs, the CSS marks the entries associated with that link interface as unreachable. But when the link comes back up, the CSS does not ARP for the entries, so the entries do not come back up.

CSCeb73606 - The CSS reboots when an SSH session is shut down.

CSCeb74945 - Back-to-back SSL connections result in slow backend SSL performance.

CSCeb75507 - Issuing the traceroute command may cause the IPv4 process that handles ICMP responses to hang.

CSCeb75694 - A keepalive packet sent by the CSS for HTTP HEAD non-persistent keepalives does not contain the IP address as a host tag in the packet.

CSCeb75796 - The URL rewrite function of the ssl-proxy command works only if the location header is received from a server in the form "Location:". No other capitalizations are rewritten.

CSCeb76495 - The CSS may reboot when the SSL module processes many small packets.

CSCea76928 - When a service Network Interface Card (NIC) fails over, the CSS may not update service information to reflect the new NIC MAC address.

CSCec77181 - When you use source groups with destination services in conjunction with ASR, fewer portmap entries will be available to provide the client with NAT functionality. For further details, refer to the "Source Group Port Mapping Behavior" section earlier in this release note.

CSCdz79438 - A learned DFP weight does not have precedence over a configured service weight of 0.

CSCeb80090 - If the CSS receives a capp-upd packet on the management port during initialization, it may reboot.

CSCeb82432, CSCec40933 - A backup CSS configured using Adaptive Session Redundancy (ASR) was incorrectly decrementing and incrementing service local connection counters for backup (dormant) flows.

CSCeb84861 - Provides the new string match command. This command determines how the CSS handles a string that contains multiple matches with configured strings on services. Use this command with the advanced-balance cookies|cookiesurl|url command. For details on using this command, refer to the Software Version 7.20.2.06 Command Changes section later in this release note.

CSCea84953 - ACLs that are configured with the prefer servicename option do not prefer the correct service.

Software Version 7.20.2.06 Command Changes

Table 8 lists the commands and options that have been added in software version 7.20.2.06.

Table 8 CLI Commands Added in Version 7.20.2.06

Mode: Owner-Content

Command and Syntax: string match specific|first-service-match|first-string-found

Description: The new string match command determines how the CSS handles a string that contains multiple matches with configured strings on services. Use this command with the advanced-balance cookies|cookiesurl|url command.

In this example, the incoming string is grapebananapear. The CSS service configuration is:

service s1
string pear

service s2
string grape

service s3
string banana

The specific keyword matches the most specific string and is the CSS default behavior. For the CSS, the most specific match is the longest string. In this example, the string match is banana.

The first-service-match keyword causes the CSS to examine each service in the order of its index number and compare the incoming string to the string configured on that service until a match is found. In this example, the first-service-match string is pear.

The first-string-found keyword matches the configured string that occurs first in the incoming string. In this example, the string match is grape.

Mode: Service

Command and Syntax: load number
no load

Description: The new load command configures a load on a service and bypasses the CSS load calculation method (relative or absolute). Use this command with the ACA load-balancing method when you want to take into account server load parameters, for example:

CPU utilization

Free memory

Application threads

Other server tasks

You can set the load command value from your application or server using SNMP or the CSS XML interface. For information about ACA, refer to the Cisco Content Services Switch Basic Configuration Guide. For information about SNMP and the XML interface, refer to the Cisco Content Services Switch Administration Guide.

Note: Before you can use the load command on a service, you must disable load reporting by entering the no load reporting command in global configuration mode.

The number variable is the load value that you assign to a service. Services with higher load numbers receive fewer hits than services with lower load numbers. The CSS considers a service with a load of 254 as unavailable, and, therefore, the service receives no hits. Enter an integer from 2 to 254. The default is 2.

Use the no form of the command to reset the load value to the default of 2.
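The following is an added example, not Cisco code, that models how the three string match keywords choose a service for the grapebananapear case above; the service objects, their index order and the tie-breaking by lowest index are assumptions constructed for the illustration.

```python
# Added example (not Cisco code): models the specific, first-service-match and
# first-string-found keywords of the 7.20.2.06 `string match` command, using
# the release note's grapebananapear illustration as constructed sample data.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Service:
    """A CSS service with its configured `string`; index is the order in which
    the CSS walks services for first-service-match."""
    index: int
    name: str
    string: str


def candidates(incoming: str, services: List[Service]) -> List[Service]:
    """Services whose configured string appears anywhere in the incoming string."""
    return [s for s in services if s.string and s.string in incoming]


def resolve_string_match(incoming: str, services: List[Service],
                         mode: str = "specific") -> Optional[Service]:
    """Pick the winning service the way each `string match` keyword does.

    specific            - longest matching configured string (CSS default)
    first-service-match - lowest service index whose string matches
    first-string-found  - configured string that appears earliest in incoming

    Tie-breaking by lowest service index is an assumption of this example;
    the release note does not say how the CSS breaks ties.
    """
    matched = candidates(incoming, services)
    if not matched:
        return None
    if mode == "specific":
        return min(matched, key=lambda s: (-len(s.string), s.index))
    if mode == "first-service-match":
        return min(matched, key=lambda s: s.index)
    if mode == "first-string-found":
        return min(matched, key=lambda s: (incoming.find(s.string), s.index))
    raise ValueError(f"unknown string match mode: {mode!r}")


# Constructed sample data: the release note's three services and incoming string.
SERVICES = [
    Service(1, "s1", "pear"),
    Service(2, "s2", "grape"),
    Service(3, "s3", "banana"),
]
INCOMING = "grapebananapear"


def winners(incoming: str = INCOMING,
            services: List[Service] = SERVICES) -> Dict[str, Optional[str]]:
    """Map each keyword to the name of the service it selects (None if no match)."""
    result: Dict[str, Optional[str]] = {}
    for mode in ("specific", "first-service-match", "first-string-found"):
        svc = resolve_string_match(incoming, services, mode)
        result[mode] = svc.name if svc else None
    return result


if __name__ == "__main__":
    for mode, name in winners().items():
        print(f"{mode:20s} -> {name}")
```

Running it reproduces the note's outcomes (banana for specific, pear for first-service-match, grape for first-string-found), which is a quick way to check which services a sticky string would land on before changing the keyword on a production rule.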


Table 9 lists the commands and options that have been changed in software version 7.20.2.06.

Table 9 CLI Commands Changed in Version 7.20.2.06

Mode: Global

Command and Syntax: dns-server zone load variance number

Description: The number variable range changed from 1 to 254 to 1 to 255. The default value changed from 50 to 255.

Mode: Interface and VLAN

Command and Syntax: bridge priority

Description: The bridge priority command now has the syntax bridge port-priority. The CSS automatically upgrades your startup-config with the new command name.


Software Version 7.20.1.04 Open Caveats, Resolved Caveats, and Command Changes

The following sections contain the open caveats, resolved caveats, and command changes in software version 7.20.1.04:

Software Version 7.20.1.04 Open Caveats

Software Version 7.20.1.04 Resolved Caveats

Software Version 7.20.1.04 Command Changes

Software Version 7.20.1.04 Open Caveats

The following caveats apply to the CSS 11501, CSS 11503 and the CSS 11506:

CSCdy01722, CSCdy26214 - When you configure two default routes with different metrics and the default route with the lower metric goes down, flows using the lower-metric route may be torn down and not remapped to the new default route with the higher cost metric.

CSCdy23633 - Do not use the FTP MPUT command in passive mode when the CSS is load-balancing FTP flows.

CSCdx14704 - If a content rule has all services of type redirect and the load balancing method is weighted roundrobin, the CSS load-balances services using roundrobin instead of weighted roundrobin.

CSCeb25077 - If an SSL handshake message spans an SSL record and TCP packet, a handshake failure occurs.

CSCeb38247 - The CSS SSL module stops sending data in response to HTTP GET requests. However, subsequent connections do receive data.

CSCeb58032 - With keepalive type set to ICMP, all services must go down for the CSS to stop advertising the VIP through OSPF. With script keepalive, one service down is enough for the CSS to stop advertising the VIP through OSPF. If you configure a CSS with both a script keepalive and any other keepalive type, when one script keepalive service goes into the Down state, the CSS stops advertising the VIP through OSPF.

CSCeb61726 - Redirecting the socket inspect command to a file corrupts the data contained in the socket buffer.

CSCeb61805 - Periodically the CSS becomes unresponsive to Telnet and pings, and FTP service stops working. Reboot the CSS to resolve this condition.

CSCeb62751 - When configuring the bucket interval for RMON history to one second on a CSS 11500, the output of the show rmon-history command displays a 30-second interval.

CSCeb63876 - On a CSS 11500, you cannot bridge an interface to a VLAN and also include that VLAN in an 802.1q trunk to a Catalyst 4000 switch.

Software Version 7.20.1.04 Resolved Caveats

The following caveats were resolved in software version 7.20.1.04:

CSCdx78501 - Strong encryption web management must be restricted by a license key that is tied to the serial number to meet export restrictions.

CSCdy42703 - If certain SSH clients shut down the connection to the CSS in an ungraceful manner, it was possible for the CSS to fail to clean up the SSH session internally. Over time, this failure to clean up the session would prevent any future SSH connections to the CSS and only a reboot would clear it.

CSCdy46189 - The CSS forwards packets to the wrong MAC address after receiving gratuitous ARPs.

CSCdy70914 - If the CSS does not receive an ARP response, it may continue to send ARP requests instead of marking the host as unreachable.

CSCdz02856 - The CSS may not properly redirect a service when you configure a redirect service in a Layer 5 content rule.

CSCdz05912 - When APP sessions go up and down rapidly, a race condition may occur that leads to file descriptor reuse, causing the CSS to reboot.

CSCdz41611 - When you set up box-to-box redundancy with a single interface configured using the redundant-phy command and then enter the admin-shutdown command on that interface (port), the interface shuts down but the priority does not change. This prevents the master CSS from failing over.

CSCdz49051 - When you configure keepalive type http and set the frequency to a value greater than 17 seconds and the server does not respond within 17 seconds, the CSS sends a RST packet on the keepalive session and the service goes down.

CSCdz67389 - If you configure an HTTP keepalive without a keepalive hash value, the service does not come up until the keepalive frequency transpires. For example, if you configure the keepalive with a frequency of 60 seconds, the keepalive does not come alive for 60 seconds. The keepalive now comes alive immediately upon activation.

CSCea08822 - The CSS does not properly update the ARP entry for a network device that is one hop away from the CSS.

CSCea14511 - In a CSS box-to-box redundant configuration, the backup CSS may stop authenticating logins (including logins on the console port) and eventually reboot.

CSCea14544 - Removing and replacing a flash disk while the CSS is running may cause the CSS to reboot. Power down the CSS prior to removing and replacing a flash disk.

CSCea14645 - Running the commit_vip_redundancy command with a configuration of 14,000 lines causes the CSS to reboot.

CSCea20947 - If you suspend and then reactivate a service, the service may not reactivate properly and keepalives may remain in a suspended state.

CSCea23674, CSCea43956 - If a configuration contains a Layer 5 wild card content rule (for example, /*) using a header-field-rule and a less-specific content rule, the CSS may match on the less-specific content rule and select the wrong server.

CSCea24798 - You cannot dynamically modify the VIP address on an active content rule; the CSS displays the following message: Operation may not be performed on active content rule.

CSCea25791, CSCea55785 - An encrypted password greater than 40 characters in length causes the console to hang.

CSCea28717 - The CSS incorrectly performs Network Address Translation (NAT) on the TCP port of a Remote Shell (RSH) connection through the CSS, causing the RSH session to fail.

CSCea33647 - The trap log agent task uses too much CPU, causing Telnet and console access to hang.

CSCea34949 - Clearing and loading a new configuration during an IP storm could trigger a race condition that results in the CSS rebooting. Appropriate locking has been added to prevent this from happening.

CSCea36431 - When you execute the script play flowinfo command, your Telnet or console session will be disconnected.

CSCea39652 - A flood of SNMP traps and remote log messages is sent out while the commit redundancy script is executing.

CSCea40178 - The CSS reboots when it receives a bad type 3 Link State Advertisement (LSA) from an area border router running OSPF and moves the LSA from the database to the routing table.

CSCea40912 - When you configure a service with a scripted keepalive on a CSS, occasionally the service goes down and does not return to the Alive state. The scripted keepalive task is unresponsive and no further scripted keepalive activity will run for the service.

CSCea42665 - The CSS rebooted and core dumped because of a one-bit corruption in a data structure. The code modification checks for this specific corruption, repairs it, and logs a hexadecimal backtrace to the Syssoft facility at the Warning 4 level.

CSCea44844 - If no data needs to be transmitted on a TCP retransmission timeout in TCP state FIN_WAIT or LAST_ACK, the CSS sends a FIN without an ACK. The CSS should send an ACK with the FIN.

CSCea45106 - Using the SNMP variables apChassisMgrExtSubModulesSsCardTypeSNMP and apChassisMgrExtSubModuleSsCardOpStatus to inventory the CSS chassis may return conflicting data because these variables have been obsoleted. Use the apChassisMgrExtSubModuleOpStatus variable to inventory the chassis.

CSCea45981 - When source groups are in use, the CSS may choose a source port other than port 20 for an incoming FTP data connection. This causes problems for clients and firewalls expecting a data connection to be sourced from port 20.

CSCea47506 - When the CSS is dynamically configured with a lower bridge priority than the root bridge, the CSS does not become the root bridge. If the CSS is rebooted with the lower bridge priority in the startup-config, the CSS becomes the root bridge.

CSCea48629, CSCea55628 - If a CSS (configured with Layer 5 content rules with and without header-field-rules) receives an HTTP GET that exactly matches the URL string configured on a Layer 5 rule but does not match the header-field configured on that rule, the CSS rejects the connection and does not match one of the other rules.

CSCea48736 - The Fastpath did not have the proper Flow Control Block (FCB) mapping for a connection so the flow manager application would NAT and forward the termination TCP FIN or RST packet. The flow manager needs to also unmap the flow so that FCBs and source group portmap entries, if in use, do not build up over time.

CSCea51311 - If you configure a CSS with a Layer 5 content rule with a URL of the form /%xx* and then remove the rule from the configuration at a later time, the CSS does not completely clean up the rule-matching tree, which may cause the CSS to reboot.

CSCea51848 - SSL files stored on the CSS with a password may be removed with an invalid password. If you enter an invalid password that contains the first character of the valid password, the CSS successfully exports the file.

CSCea53236 - On a persistent connection, if a subsequent GET request matches a 302 redirect content rule, the server-side connection is not torn down.

CSCea58217, CSCeb66320 - If you configure the CSS with a Layer 5 content rule, it drops any client packet while the TCP SYN to the server is outstanding. In this case, when the CSS receives an HTTP POST, it makes the load-balancing decision and sends the TCP SYN to the backend server. If the CSS receives another TCP PUSH (the POST data) from the client before the TCP SYN/ACK is received from the server, the CSS drops the packet.

CSCea60671 - When you configure the CSS with Layer 5 rules and the first HTTP request is not properly terminated, the CSS detects this request as a spanned content request. The content request is retransmitted with the original payload in addition to more data. If both the original packet and the retransmission are processed in the same content vector (that is, they arrived at the CSS simultaneously), the CSS frees the buffer that contained the original content request, but does not clear it from the vector. Then the CSS reboots.

CSCea61351 - A CSS was configured with an SSL module and ran a stress test that consumed the CSS buffer resources. Some of the SSL-related commands, for example, show ssl statistics, may cause the CSS to reboot if a buffer could not be obtained.

CSCea62888 - A CSS configured with an SSL module was upgraded to R7.20 and rebooted while processing an SSL session. Protection code was added to prevent the CSS from rebooting when the data buffer is NULL. In addition, a counter was added to the debug mode version of the show ssl stat ssl command to indicate that this condition has been observed.

CSCea66180 - If you perform an SNMP NEXT on the deprecated apFlowMgrStatSSTable from the flowMgrExt.mib, future SNMP access fails from both external SNMP agents and the CLI with the error %% Error - cannot obtain SNMP lock.

CSCea68508 - When you configure the CSS for Secure FTP (SFTP), the CSS may reboot if the CSS is accessed with SFTP when the connection closes abnormally.

CSCea69508 - If you configure a CSS as a primary and secondary RADIUS server and an SNMP agent issued an SNMP NEXT through the apRadiusClientExtServerEntry table, the poll would fail. All subsequent access to the SNMP database also fails. For example, entering the show running-config command would result in a Cannot obtain SNMP lock error message.

CSCea71293 - If a CSS 11501 received an ICMP Echo Request and had not learned the destination MAC address for the packet, it would send the packet back out the originating port. This action could result in a flood of ICMPs being transmitted by the CSS.

CSCea74866 - When using the more command for some screen display options, a data structure overflows and causes the display task to suspend and the CSS to reboot.

CSCea75858 - When you upgrade a CSS from R5.10 to R7.20, you could not activate a service with type redirect and keepalive type none without configuring an IP address.

CSCea77132 - Using the show flows command during heavy remap traffic may cause the console to hang.

CSCea77466 - The global configuration dnsflow disable command did not work properly if the services defined in the DNS content rule were of type transparent-cache.

CSCea81030 - When you configure a CSS 11500 with a SSL Accelerator module, the module responds to a client request from an IP address x.x.x.224 with a Time to Live (TTL) of 2 rather than 254. The low TTL value could cause the packet to be dropped within the network. The module incorrectly detects the last octet of 224 as a multicast address.

CSCea81052 - The CSS may run out of memory when the maximum number of backend SSL sessions is reached.

CSCea82617 - Excessive amounts of ASR traffic cause the CSS to reboot.

CSCea85836 - The CSS uses an internal table structure called "CII", and these tables can be dynamically modified in size during CSS operations. An edge condition may cause the CSS to reboot if two applications tried to access the table and modify the size simultaneously. The reboot is not caused as the result of any user action or traffic pattern.

CSCea88415 - When the CSS boots up, SNMP is enabled by default unless you configure the restrict snmp command (the default is no restrict snmp). The CSS would allow read-only access with an SNMP community string of "null" (not configured), and this was incorrect. You must configure an SNMP community string, and the SNMP management station must use the preconfigured SNMP community string for SNMP access to the CSS.

CSCea89042 - When you configure the CSS with the global ip uncond-bridging command, the CSS does not use the routing lookup results. In certain edge cases, the CSS could use the wrong destination MAC address from the routing lookup rather than the original MAC and this is incorrect.

CSCea89474 - When you configure the CSS with CDP, if the CDP packet sent to the switch driver fails, the CSS could reboot because both CDP and the switch driver error handler would free the CDP packet.

CSCea89934 - The ssl-server num tcp virtual nagle disable command has no effect. The nagle algorithm remains enabled.

CSCea90537 - On a CSS configured with a Layer 5 content rule, an HTTP content request spans greater than 4 packets and is in the process of being sent to the backend server. The request timed out after 3 seconds because no response was received from the server. In this case, the CSS could reboot if the Flow Manager transmit handler failed to find the content request by network tuple in the flow table.

CSCea90603 - If you configure a CSS for VIP Interface Redundancy and scripted keepalives, when you run the commit_vip_redundancy script on the master CSS, the scripted keepalives on the backup CSS may end up in the DOWN state. The show service screen displays Script Error: None (suspended).

CSCea93122 - If you configure the IP address on the management port to 0.0.0.0, on reboot, the CSS removes the IP address from the show boot display. However, the commit_redundancy and commit_vip_redundancy scripts check for the APP sessions between the peers over the management port and expect to find an IP address. If not, the scripts fail.

CSCeb01623 - The CSS does not fail over to the DNS secondary server if the DNS primary server is unable to resolve a hostname. The dns primary command pings the DNS server to see if the device is alive. However, the command does not resolve a hostname to see if the DNS service is alive. Thus, when the CSS can ping the DNS primary server, but it cannot resolve a hostname, it never fails over to the DNS secondary server. Now the CSS queries each configured server IP address (even if DNS name server is not operational on that device) until two attempts have been made for each server, or one of the servers responds with an answer or a DNS error.

CSCeb02395 - When you configure CSS services with the max connections command and Layer 5 content rules using advanced-balance arrowpoint-cookies, on a persistent connection, the CSS checks the service max connection value for each HTTP GET from the client. The CSS should perform the max connection check for the first non-persistent HTTP GET and only again if the physical server changes.

CSCeb04392 - When you configure the CSS for SSL termination with an SSL module, the CSS may reboot when performing backend SSL to an IIS server. The IIS server can include multiple handshake messages in a single SSL record layer message, and this type of packet could cause the CSS to reboot. It was also possible that the CSS may not reboot but the IIS SSL connection could fail because the SSL module did not compute the finish MAC correctly.

CSCeb04691 - In some cases, the CSS would reboot when an SSH client connected to the CSS. The problem involved timing within the SSH task-to-task communication. The intertask communication method has been modified so that the timing is no longer an issue.

CSCeb05819 - A CSS configured for SSL termination required a new CLI command ssl-server 1 unclean-shutdown as a workaround for a Microsoft IE bug. The browser attempts to continue to use SSL keepalive connections that the CSS SSL module and real physical server have closed due to the inactivity timer expiring. Configuring the new unclean-shutdown command causes the SSL module not to send the Close Notify alert. Then IE can choose a new connection for the next HTTP request.

CSCeb06632 - TCP and buffering issues on the CSS may cause a drop in SSL performance.

CSCeb06979 - The CSS could not activate an SSL-proxy list when you configured URL rewrite on the CSS.

CSCeb08366 - If you configure the CSS with advanced-balance url or advanced-balance cookieurl, the string-range parameter had no effect.

CSCeb09145 - If you configure the CSS with an ACL clause with a preferred service, the CSS incorrectly does not apply the ACL clause with a preferred service to ICMP ECHO REPLY packets.

CSCeb09364 - The CSS reboots when attempting to send a Denial of Service SNMP trap. The workaround is to remove the Denial of Service trap from the configuration.

CSCeb11201 - If you configure the CSS for OSPF and the CSS is running a previous code enhancement (CSCdz86426), OSPF advertises the virtual IP address based on the state of the underlying services. Unfortunately, this enhancement may cause OSPF to advertise the backup VIP address, which is incorrect.

CSCeb11295 - Activating a source group with the same VIP address as a suspended source group causes the CSS to reboot.

CSCeb12562, CSCeb12567, CSCeb12602 - Under extremely heavy load, the FlowMgrMgmtTask may stop working due to corruption of an internal message. This may cause the CSS to run out of message buffers, which causes the CSS to reboot. As a workaround, reduce heavy traffic load.

CSCeb12985 - If you configure the CSS with a global idle timeout and an SSHv1 or SSHv2 session is disconnected due to the idle timeout, the CSS may not clean up the SSH session properly. Over time, this failure to clean up the session could prevent any future SSH connections to the CSS, and only a reboot would clear the session.

CSCeb15342 - Issuing the ip opportunistic disable command when running keepalive type script ap-kal-ssl causes the service to fail into the DOWN state. When TACACS+ is enabled, issuing the ip opportunistic disable command delays CLI commands.

CSCeb15716 - When initializing APP, which uses socket record structures, the CSS may reboot under certain configuration timing circumstances due to a race condition in the allocation and free routines that manipulate the record structures.

CSCeb16881 - When the CSS experiences an NVRAM failure and you reboot the CSS into OffDM to reconfigure the administrative username and password, the configuration fails because of the NVRAM failure. The CSS will not display an error message.

CSCeb16889 - Logging messages at NETMAN facility, level Warning 4 now appear if the CSS could not read the administrative username or password from NVRAM.

CSCeb20895 - When you configure CSS to TACACS authentication, the TACACS accounting report sent by the CSS had an incorrect attribute field. The CSS sent task=<integer> rather than task_id=<integer>. This was inconsistent with IOS and could cause server issues.

CSCeb21318 - If you manually suspend a service that is running a scripted keepalive when the script is active, the service remains in a down state after you reactivate it.

CSCeb25508 - If you configure the CSS with a Layer 5 content rule, the no persistent command, and the persistent reset remap command, backend remapping can occur on a persistent connection when it should not.

CSCeb26592 - If you configure the CSS with source groups and the CSS sends the source group statistics to the SCM for processing, the sending routine returns an error status and the CSS would reboot when freeing the statistics buffer.

CSCeb30454 - The show keepalive command may lock the CSS CLI due to a semaphore deadlock condition. If this deadlock condition occurs, it affects only the terminal session issuing the command. However, the condition would also lock out any access to keepalive data resulting in undesirable behavior, such as failure of keepalives to run on the CSS.

CSCeb30818 - If the CSS only saw the client side of a connection (that is, the server side traffic did not come back through the CSS), the CSS would log a Denial of Service (DOS) attack.

CSCeb43881 - The CSS runs out of buffers in the buffer pools during periods of heavy network traffic.

CSCeb45633 - When the CSS is running an SSL backend configuration, route changes in the server-side network may cause the CSS to reboot.

CSCeb45649 - Incomplete fixes for CSCeb25048 and CSCeb25050 could cause the CSS to reboot during high SSL traffic loads.

Software Version 7.20.1.04 Command Changes

Table 10 lists the commands and options that have been added in software version 7.20.1.04.

Table 10 CLI Commands Added in Version 7.20.1.04

Mode: Global

Command and Syntax:
dns-record a|ns dns_name ip_address {ttl_value {single|multiple {kal-ap-vip {ip_address2}}}}

Description:
The kal-ap-vip option for the dns-record command allows a CSS client to query a local or remote CSS agent for load information for a VIP configured on one or more content rules. For details, see "Configuring kal-ap-vip" later in this document.

Command and Syntax:
tacacs-server ip_address port {timeout ["cleartext_key"|des_key]} {primary} {frequency number}

Description:
The frequency number option for the tacacs-server command allows you to set the keepalive frequency for the specified TACACS+ server. The default number variable is 5 seconds. The range for the variable is 0 to 255. A setting of 0 disables keepalives.

Defining this option overrides the tacacs-server frequency command.

Command and Syntax:
tacacs-server frequency number
no tacacs-server frequency number

Description:
The frequency number option for the tacacs-server command allows you to set the global keepalive frequency for all TACACS+ servers. The default number variable is 5 seconds. The range for the variable is 0 to 255. A setting of 0 disables keepalives.

When you configure the keepalive frequency when specifying a TACACS+ server, the server keepalive frequency overrides the global keepalive frequency.

The no form of the command resets the global keepalive frequency to 5 seconds.

Mode: SSL-proxy

Command and Syntax:
backend-server number tcp buffer-share rx number1|tx number2
no backend-server number tcp buffer-share rx|tx

Description:
The buffer-share option for the backend-server command allows you to set the TCP buffering from the client or server on a given connection. If the network is slow and congested, the buffer size is the largest amount of data that the CSS buffers for a given connection before shutting down the TCP window to 0.

The rx number1 keyword and variable set the amount of data in bytes that a given connection can buffer from the client to the server. By default, the buffer size is 32768. The buffer size can range from 16400 to 262144.

The tx number2 keyword and variable set the amount of data in bytes that a given connection can buffer from the server to the client. By default, the buffer size is 65536. The buffer size can range from 16400 to 262144.

The no form of the command resets the transmit or receive buffer size to its default value.

Command and Syntax:
ssl-server number tcp buffer-share rx number1|tx number2
no ssl-server number tcp buffer-share rx|tx

Description:
The buffer-share option for the ssl-server command allows you to set the TCP buffering from the client or server on a given connection. If the network is slow and congested, the buffer size is the largest amount of data that the CSS buffers for a given connection before shutting down the TCP window to 0.

The rx number1 keyword and variable set the amount of data in bytes that a given connection can buffer from client traffic. By default, the buffer size is 32768. The buffer size can range from 16400 to 262144.

The tx number2 keyword and variable set the amount of data in bytes that a given connection can buffer from the server to the client. By default, the buffer size is 65536. The buffer size can range from 16400 to 262144.

The no form of the command resets the transmit or receive buffer size to its default value.

Command and Syntax:
ssl-server number unclean-shutdown
no ssl-server number unclean-shutdown

Description:
The unclean-shutdown option for the ssl-server command instructs the CSS to send only a TCP FIN message to terminate a client connection. The CSS does not send a Close-Notify message to close a client connection. Normally, the Close-Notify message is the SSL message that terminates a connection without an error. However, some versions of MSIE browsers do not close the connection upon receiving the Close-Notify message. The browser may attempt to reuse the connection even though it appears closed to the CSS. Because the CSS cannot reply to a new request on this connection, the browser may display an error.

The no version of this command resets the default behavior of having the CSS send both Close-Notify and TCP FIN messages to close the client connection.


Configuring kal-ap-vip

The kal-ap-vip option of the dns-record command extends the functionality of kal-ap (the CSS keepalive that uses domain names configured on a single content rule) by providing load and status responses to queries for virtual IP (VIP) addresses configured on one or more content rules. This feature allows greater flexibility and accuracy of load and status reports for multiple content rules that are configured with the same VIP. This feature also eliminates the need for configuring domain names on a CSS that is responding to kal-ap-vip queries only and is not running a local DNS server.

Overview

In a manner similar to kal-ap, kal-ap-vip has two main components:

Client

Agent

A client is a CSS that requests load and status information for a VIP from an agent. You configure a client to generate queries using the dns-record command. For details, see the "Configuring a kal-ap-vip Client" section later in this document.

An agent is a CSS that responds to client queries with load and status reports for the requested VIPs. A kal-ap-vip agent can handle and respond to queries from local or remote CSSs (including itself) and other supported devices. No additional configuration is required for the agent.

To best service requests for a domain when a CSS makes GSLB decisions, a CSS may need to consider the keepalive status and load information of all content rules sharing the same VIP. Often, a kal-ap-vip configuration has at least two content rules to handle domain traffic: one for port 80 (TCP) and one for port 443 (SSL). The load reported by the agent is the average load of all the content rules that share the same VIP, unless a content rule is suspended.

In order for a kal-ap-vip agent to return a load value from 2 to 254 (indicating an Alive status) for a requested VIP, at least one service must be Up on each content rule sharing the requested VIP. For a requested VIP, if all services configured on one content rule are Down, or if one content rule is suspended, the agent reports a load of 255, indicating that the VIP is unavailable.
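The agent-side aggregation described above (average load across the content rules sharing the requested VIP, 255 when any of those rules is suspended or has no Up service), written out as an added example; this is not CSS code, and the per-rule load figure, the constructed rule set, and the treatment of a VIP with no matching rule as unavailable are assumptions made here, not facts from the release note.

```python
from dataclasses import dataclass, field
from statistics import mean
from typing import List

# Load values as described for kal-ap-vip: 2..254 means Alive, 255 means the
# VIP is unavailable. The per-rule load figure is taken as a given input here;
# how the CSS derives it is not part of this example.
LOAD_ALIVE_MIN = 2
LOAD_ALIVE_MAX = 254
LOAD_UNAVAILABLE = 255


@dataclass
class Service:
    name: str
    up: bool  # keepalive state: True = Up, False = Down


@dataclass
class ContentRule:
    name: str
    vip: str
    load: int  # current load of this rule (constructed input, 2..254)
    suspended: bool = False
    services: List[Service] = field(default_factory=list)

    def any_service_up(self) -> bool:
        return any(s.up for s in self.services)


def kal_ap_vip_load(rules: List[ContentRule], vip: str) -> int:
    """Return the load an agent would report for a kal-ap-vip query on `vip`.

    Rules taken from the release note:
      * only content rules configured with the requested VIP count;
      * if any of them is suspended, or has no Up service, report 255;
      * otherwise report the average load of those rules, kept in 2..254.
    Assumption (not stated in the note): a VIP with no matching content rule
    is reported as unavailable (255) rather than raising an error.
    """
    sharing_vip = [r for r in rules if r.vip == vip]
    if not sharing_vip:
        return LOAD_UNAVAILABLE
    for rule in sharing_vip:
        if rule.suspended or not rule.any_service_up():
            return LOAD_UNAVAILABLE
    avg = round(mean(r.load for r in sharing_vip))
    return max(LOAD_ALIVE_MIN, min(LOAD_ALIVE_MAX, avg))


def is_alive(load: int) -> bool:
    """An agent response in 2..254 indicates Alive; 255 indicates unavailable."""
    return LOAD_ALIVE_MIN <= load <= LOAD_ALIVE_MAX


def sample_rules() -> List[ContentRule]:
    """Constructed configuration: one VIP served by a port-80 rule and a
    port-443 rule (the typical pair named in the note), plus an unrelated
    rule on a second VIP that must not influence the first VIP's report."""
    return [
        ContentRule("www-80", "192.168.12.7", load=40,
                    services=[Service("web1", up=True), Service("web2", up=False)]),
        ContentRule("www-443", "192.168.12.7", load=60,
                    services=[Service("ssl1", up=True)]),
        ContentRule("ftp", "192.168.12.8", load=200,
                    services=[Service("ftp1", up=True)]),
    ]


def with_rule_suspended(rules: List[ContentRule], rule_name: str) -> List[ContentRule]:
    """Helper for the failure cases: mark one content rule suspended."""
    for r in rules:
        if r.name == rule_name:
            r.suspended = True
    return rules


def with_service_down(rules: List[ContentRule], service_name: str) -> List[ContentRule]:
    """Helper for the failure cases: mark one service Down."""
    for r in rules:
        for s in r.services:
            if s.name == service_name:
                s.up = False
    return rules


if __name__ == "__main__":
    print("healthy VIP:", kal_ap_vip_load(sample_rules(), "192.168.12.7"))
    print("port-443 rule suspended:",
          kal_ap_vip_load(with_rule_suspended(sample_rules(), "www-443"), "192.168.12.7"))
    print("last Up service on port-80 rule Down:",
          kal_ap_vip_load(with_service_down(sample_rules(), "web1"), "192.168.12.7"))
```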

Configuration Requirements

Kal-ap-vip requires that you configure the following:

Application Peering Protocol-User Datagram Protocol (APP-UDP) - Used to transmit kal-ap-vip datagrams. (For information on configuring APP-UDP, refer to the Cisco Content Services Switch Advanced Configuration Guide.) The datagrams can contain a mix of both kal-ap (by domain or tag) and kal-ap-vip requests.

dns-record command with the kal-ap-vip option - Used to configure a kal-ap-vip client. See the "Configuring a kal-ap-vip Client" section that follows.


Note You can configure kal-ap-vip and kal-ap on the same CSS. If you configure kal-ap on a CSS, you must also configure the add dns command with the appropriate domain names on the CSS acting as an agent. The agent will respond with the load information for a VIP and/or a domain, as appropriate. For information on the add dns command, refer to the Cisco Content Services Switch Advanced Configuration Guide.


Configuring a kal-ap-vip Client

To configure a kal-ap-vip client on a CSS to allow the CSS to query a kal-ap-vip agent for keepalive information on multiple content rules, use the kal-ap-vip option of the dns-record command.

The syntax for this global configuration command is:

dns-record a|ns dns_name ip_address {ttl_value {single|multiple {kal-ap-vip {ip_address2}}}}

The options and variables for this global configuration mode command are:

a|ns - Indicates a request for an address record (a) or a name server record (ns).

dns_name - Domain name mapped to the address record or name server record. Enter the name as a lowercase unquoted text string with no spaces and a maximum of 63 characters.

ip_address - IP address bound to the domain name within the DNS server zone. Enter the address in dotted-decimal notation (for example, 172.16.6.7). This is the VIP for which a CSS client sends a kal-ap-vip request to itself or another CSS agent for load information.

ttl_value - Optional Time to Live (TTL) value, in seconds. This value determines how long the DNS client remembers the IP address response to the query. Enter a value from 0 to 65535. The default is 0.

single|multiple - Optional number of records to return in a DNS response message. By default, the DNS server returns a single A-record. Specifying single returns one A- or NS-record. Specifying multiple returns two A- or NS-records.

kal-ap-vip - Optional CSS keepalive message type keyword used by a CSS client to request load information for the VIP specified in the ip_address value from the CSS agent specified in the ip_address2 value. Use this option to allow a CSS client to query a local or remote CSS agent for load information for a VIP configured on multiple content rules.

ip_address2 - IP address of the local or remote CSS agent interface receiving CSS keepalive messages. If you omit this address while the keepalive type is specified, the CSS uses the DNS IP address to complete keepalive messaging.

For example:

(config)# dns-record a www.work.com 192.168.12.7 10 single kal-ap-vip 172.16.25.3

For details on the other dns-record command options and variables, refer to the Cisco Content Services Switch Advanced Configuration Guide.

Software Version 7.20.0.03 Open and Resolved Caveats

The following sections contain the open and resolved caveats in software version 7.20.0.03:

Software Version 7.20.0.03 Open Caveats

Software Version 7.20.0.03 Resolved Caveats

Software Version 7.20.0.03 Open Caveats

The following caveats apply to the CSS 11501, CSS 11503 and the CSS 11506:

CSCdx14704 - If a content rule has all services of type redirect and the load balancing algorithm is balance weightedrr (weighted roundrobin), load balancing is not performed using weighted roundrobin, but instead uses roundrobin as the balancing mechanism. Previously, the only load balancing method that worked on a content rule with only redirect services was roundrobin. Added the ability to use balance weightedrr on this type of content rule as well.

CSCdy01722, CSCdy26214 - When two default routes are configured with different metrics and the default route with the lower metric goes down, flows using the lower-metric route may be torn down and not remapped to the new default route with the higher cost metric.

CSCdy23633 - Do not use the FTP MPUT command in passive mode when the CSS is load-balancing FTP flows.

CSCdy70914 - If the CSS does not receive an ARP response, it may continue to send ARP requests instead of marking the host as unreachable.

CSCdz02856 - The CSS may not properly redirect a service when you configure a redirect service in a Layer 5 content rule.

CSCdz41611 - When you set up box-to-box redundancy with a single interface configured using the redundant-phy command and then enter the admin-shutdown command on that interface (port), the interface shuts down but the priority does not change. This prevents the master CSS from failing over.

CSCdz49051 - When you configure keepalive type http and set the frequency to a value greater than 17 seconds and the server does not respond within 17 seconds, the CSS sends a RST packet on the keepalive session and the service goes down.

CSCea14511 - In a CSS box-to-box redundant configuration, the backup CSS may stop authenticating logins (including logins on the console port) and eventually reboot.

CSCea14544 - Removing and replacing a flash disk while the CSS is running may cause the CSS to reboot. Power down the CSS prior to removing and replacing a flash disk.

CSCea20947 - If you suspend and then reactivate a service, the service may not reactivate properly and keepalives may remain in a suspended state.

CSCea23674, CSCea43956 - If a configuration contains a Layer 5 wild card content rule (for example, /*) using a header-field-rule and a less-specific content rule, the CSS may match on the less-specific content rule and select the wrong server.

CSCea28717 - The CSS incorrectly performs Network Address Translation (NAT) on the TCP port of a Remote Shell (RSH) connection through the CSS, causing the RSH session to fail.

CSCea36431 - When you execute the script play flowinfo command, your telnet or console session will be disconnected.

CSCea38004 - A remote CSS in a VIP interface redundancy setup with a large configuration (for example, greater than 100K) may become unresponsive to console and telnet access. This issue causes an APP session to go down when running the commit_vip_redundancy script.

CSCea40178 - The CSS reboots when it receives a bad type 3 Link State Advertisement (LSA) from an area border router running OSPF and moves the LSA from the database to the routing table.

CSCea43800 - The SSL module may not function properly when running under a high load.

CSCea44844 - If no data needs to be transmitted on a TCP retransmission timeout in TCP state FIN_WAIT or LAST_ACK, the CSS sends a FIN without an ACK. The CSS should send an ACK with the FIN.

CSCea45106 - Using the SNMP variables apChassisMgrExtSubModulesSsCardTypeSNMP and apChassisMgrExtSubModuleSsCardOpStatus to inventory the CSS chassis may return conflicting data because these variables have been obsoleted. Use the apChassisMgrExtSubModuleOpStatus variable to inventory the chassis.

CSCea45981 - When source groups are in use, the CSS may choose a source port other than port 20 for an incoming FTP data connection. This causes problems for clients and firewalls expecting a data connection to be sourced from port 20.

CSCea51478 - When you configure an access control list clause with a destination specified by a Layer 5 content rule, the CSS will not match on the clause and traffic will not be permitted. To work around this caveat, configure an additional clause that permits TCP IP addresses and ports.

CSCea55785 - The CSS reboots when you configure a username with an encrypted password that exceeds 40 characters in length. The maximum length should be 64 characters.

Software Version 7.20.0.03 Resolved Caveats

The following caveats were resolved in software version 7.20.0.03:

CSCdw63447 - A large configuration that contains many DQL domain name entries may take a long time to load at bootup on an 11500 series CSS.

CSCdx54084 - When the CSS processes the response to a CSS-generated HTTP request, it may not free all memory allocated if the request terminated in error.

CSCdx77068 - If a service was reachable via a router, the MAC address of the router changed, and the CSS was notified via GARP, the CSS continues to forward flows to the wrong (old) MAC address unless the service transitions state.

CSCdx82407 - The show rmon-history display incorrectly reports receive errors and shows inconsistencies between the show rmon-history and show mibii displays.

CSCdy56195 - When an HTTP request spanned multiple packets, if the first packet of the sequence was lost, the CSS may incorrectly acknowledge the last packet received even though there was a hole in the TCP sequence space. This could cause a client connection to hang.

CSCdy58374 - When you configure a content rule with advanced-balance sticky and you also configure sticky-no-cookie-found-action redirect or sticky-no-cookie-found-action service with a service of type redirect, the CSS does not properly redirect the connection.

CSCdy60795 - Dynamically changing DQLs do not take effect until you reboot the CSS. DQL changes should take effect immediately.

CSCdy64139 - The commit_redundancy script incorrectly exits when it encounters an incompatibility error between two CSS 11503s with different hardware module revisions. For config-sync purposes, the chassis type does not need to match for the script to run successfully.

CSCdy65204 - When you configure the CSS to use RADIUS, file descriptors were not properly cleaned up. Over time, this condition may cause the CSS to reboot.

CSCdy67591 - The CSS no longer logs an IPV4 warning message for unsupported IP protocols when the packet is an IP multicast.

CSCdy68928 - If a second HTTP request comes in on a persistent connection and an entry was not found in the sticky database, the server index may inadvertently be reset to an invalid index. This may cause problems when trying to decrement the service connection count when the flow is torn down.

CSCdy74475 - If a task takes a long time to complete, the CSS may retain stale data and may delete a task that no longer belonged to it. This may cause a scripted keepalive to become stuck and input, output, or playtask to be deleted, and the keepalive would not be able to run.

CSCdy82861 - When you configure a source group with a destination service, a PASV FTP connection does not properly NAT the payload of the FTP packet. The server's real IP address, rather than the VIP address, is contained in the payload.

CSCdy88389 - SSL sticky users using port 443 remain stuck to the sorryserver even though the local service has returned to service.

CSCdz04101 - When source groups are configured and a client reuses a source port rapidly, the client connection may hang.

CSCdz07302 - When you use a reporting tool to gather SNMPv2 information from the CSS, the third polling on the CSS returns "SNMP - Error:".

CSCdz08257 - If an HTTP content request spans multiple packets and the packets are received out of order, the CSS may free a buffer twice causing the CSS to reboot.

CSCdz08577 - A blackhole route to a directly connected network is not installed reliably into the routing table when the physical link to that network is repeatedly disconnected and reconnected.

CSCdz09796 - When running Adaptive Session Redundancy (ASR) between two CSSs and the master CSS fails and then comes back on line, flows correctly switch to the backup CSS and then back to the original master CSS when the original master CSS comes back on line. However, if the master CSS fails again, the flows do not switch over correctly.

CSCdz12620 - The show redundant-interfaces, show redundant-vips, and no ip critical-service commands do not display the proper information if the IP address on the circuit contains a zero.

CSCdz12954 - When you configure the CSS with a source group via the l4-stateless command that is preferred using an ACL and the CSS receives a spanned content request from a service in the source group, the CSS reboots.

CSCdz14139 - When performing a trace route on a local circuit address, all routes will disappear. The CSS does not properly detect that the trace route IP address is on a local interface and tries to ARP for its own IP address, causing route instability.

CSCdz14760 - When the CSS receives a spanned content request and the packets are received out of order, the CSS waits for the out of order packets to be retransmitted from the client before it initiates the connection to the backend server.

CSCdz15425 - When you perform an SNMP GET of entries in the apBoomClientRecordTable or apBoomClientAliasTable tables with a NULL instance (domain name), the CSS reboots.

CSCdz15612 - When you configure the CSS as an OSPF area border router, it could wrongly prefer an inter (between) area route to the intra (within) area route to the same destination.

CSCdz19774 - This caveat resolved multiple issues with the commit_vip_redundancy script.

CSCdz23178 - The CSS now properly returns data from the FlowMgrExt MIB as Counter32 rather than as a signed integer. Returning the data as a signed integer may cause large numbers to be reported as negative numbers to the MIB tools.

CSCdz23334, CSCdz29329, CSCdz30280 - These caveats resolved multiple issues with the commit_redundancy script.

CSCdz27130 - Support was added for the SSL cipher suite RSA-EXPORT-WITH-RC4-40-MD5 using a 1024-bit RSA key.

CSCdz30175 - The summarization of RIP V2 routes out a RIP V1 interface on the CSS is not consistent with the same summarization on IOS. Specifically, if the CSS learned a more specific route (for example, 192.168.1.0 /25) over RIP V2 at a lower cost than a route learned via RIP V1 using the natural mask (192.168.1.0 /24), it did not advertise the lower cost summary route using the metric from RIP V2. The CSS now advertises the lower cost summary route learned from RIP V2 into the RIP V1 network with the natural mask.

CSCdz30683 - When a CSS has 250 services with keepalives of http-head persistent, it uses 250 file descriptors (and keeps them open) for the keepalives. The maximum number of file descriptors for the CSS is 250. If you exceed 250 file descriptors, the console locks up and the CSS may reboot.

CSCdz31186 - SSH will not work on the CSS if you configure a default route and do not configure a management port IP address.

CSCdz31477 - CSS cipher suite dhe-rsa-export-des40-cbc-sha cannot establish SSL connections with Internet Explorer 4.0 (because it is only 40-bit enabled).

CSCdz32244 - When you configure a large number of keepalives, the CSS may reboot if you manually suspend one of the keepalives while the keepalive is trying to run.

CSCdz32883 - If you configure a CSS with a port 80 Layer 5 content rule with no VIP address and an ACL clause to bypass the rule for specific IP addresses, the first HTTP GET received is properly bypassed, but the next HTTP GET would either be redirected back to the VIP address or remapped based on persistent reset setting rather than bypassed as it should.

CSCdz33122 - The CSS has reduced the log messages at warning and notice level when it frees a buffer because it had a bad IP header or the protocol is not supported by the CSS.

CSCdz35946 - Interoperability issues exist when using a CSS 11500 and Internet Explorer with SSL 3.0 Server Session Timeout.

CSCdz36072 - A CSS 11500 reboots when it processes an incoming UDP packet that matched on a bypass ACL clause and dnsflow disable is configured.

CSCdz36350 - When the CSS sends a statistics report to the SCM it may cause the CSS to get into a deadlock state. Because of the deadlock, a service that was suspended could still show the Hit Count field increasing, which was incorrect.

CSCdz41306 - You cannot remove an OSPF interface, IP interface, or circuit configuration information if you configure an OSPF password on the CSS.

CSCdz42482 - The CSS reboots if you configure a content rule using advanced-balance sticky-srcip or advanced-balance sticky-srcip-dstport and a TCP or UDP packet with a source IP address of 0.0.0.0 matched on the rule.

CSCdz42835 - Source and destination IP addresses have been added to the Bad IP Version received, Bad IP header length received, and Bad buffer length warning log messages.

CSCdz43339 - When the CSS processes an FTP connection shutdown, it was possible for an FTP keepalive to free data that no longer belonged to its task. The CSS reboots if attempts are made to access this data.

CSCdz46319 - When you activate a service that references a suspended named keepalive, the CSS displays the message "%%Maximum keepalives of this type have been exceeded. Cannot activate". If you suspend the keepalive, the service is brought down. When you activate the keepalive, the service is also activated.

CSCdz49372 - The CSS may reboot when sending TCP RST/SYN packets if a Layer 3 or Layer 4 rule took precedence over an existing Layer 5 connection that is being backend remapped.

CSCdz52400 - A URQL was defined with duplicate entries if the URL string contained the "?" or "#" parameter characters. For example, the URL string "/mandy?Fred" and "/mandy?Roxi" are duplicate entries because the URL is only parsed up to the parameter character. Because the duplicate entries were incorrect, this causes the CSS to reboot or display the error message "Failed operation on CSD database". The CSS now properly flags these entries as duplicates.

CSCdz55875 - The logging commands enable command has been changed so that it does not log messages generated from the show log log name command. This change is to prevent the log file from being locked when you attempt to view it.

CSCdz56784 - When the CSS is configured with a HTTP HEAD keepalive and the three-way handshake is successful, the CSS incorrectly declares the keepalive as well and responds to the HEAD request with a TCP RST.

CSCdz60636 - Using the find ip address with masks smaller than /16 may cause the CSS to block other processes from running, which may cause failovers in redundant configurations.

CSCdz61973 - Software version 7.10.1.02 contains the new IP global configuration command ip uncond-bridging. This command prevents routing lookups from overriding bridging decisions. The default is enabled, which allows the CSS to use the routing table lookup for the return path to the client to send the SYN/ACK back on, even if the original SYN came in on a different port. If the command is disabled, the CSS ignores the routing table lookup and uses the port on which the original SYN came in.

CSCdz62209 - The CSS does not properly handle certificates that are larger than a block.

CSCdz62330 - Certain Cisco products containing support for the Secure Shell (SSH) server are vulnerable to a Denial of Service (DoS) if the SSH server is enabled on the device. A malformed SSH packet directed at the affected device can cause a reload of the device. No authentication is necessary for the packet to be received by the affected device. The SSH server in Cisco IOS is disabled by default. Cisco will be making free software available to correct the problem as soon as possible. The malformed packets can be generated using the SSHredder test suite from Rapid7, Inc. Workarounds are available. The Cisco PSIRT is not aware of any malicious exploitation of this vulnerability. This advisory is available at http://www.cisco.com/warp/public/707/ssh-packet-suite-vuln.shtml.

CSCdz62499 - The CSS incorrectly responds to a DNS type AAAA query with a "name error" regardless of whether an A-record for the name exists. Now, if an A-record is configured, the CSS responds with a "not implemented" error. If no A-record exists, the CSS still responds with the previous "name error". These errors also apply to other DNS record types that the CSS does not support.

CSCdz66772 - The CSS does not bypass HTTP PROPFIND requests when used in a transparent cache rule. In a transparent caching configuration where the CSS is spoofing all HTTP (port 80) traffic, any HTTP methods unsupported for load balancing should be bypassed to the origin server rather than being RST by the CSS. The HTTP methods PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, OPTIONS, DELETE and TRACE are now properly bypassed in the transparent caching case.

CSCdz79045 - During flow setup, the initial sequence number in the corresponding SYN/ACK may be replicated from a prior SYN/ACK.

CSCdz85122 - TCP keepalives may fail on redundant CSSs. Other keepalive types work correctly.

CSCdz87014 - The CSS incorrectly routes keepalives, which causes keepalives to fail and services to be brought down.

CSCdz88580 - When you configure a source group on the CSS and a server configured in the source group attempts to communicate with a device over the network or on the Internet and that device does not have its port open, the device will return a RST/ACK in response to the server's TCP SYN. The CSS will discard the RST/ACK response because it will not be able to identify the port from which the corresponding SYN/ACK returned.

CSCdz89204 - If an HTTP HEAD request spans multiple packets and the first packet contains only "HEAD / HTTP/1.1 <CR><LF>", the CSS does not ACK the HTTP HEAD request.

CSCea00161 - When using a transparent caching FTP content rule (that is, not a VIP address) with a service type of transparent cache, the CSS incorrectly reduces the TCP SYN/ACK of the backend server by 1000. The CSS should not apply the TCP sequence number adjustment of 1000 bytes if the destination service type is transparent cache.

CSCea07413 - When you configure the CSS for primary and secondary virtual authentication methods and the primary authentication method fails, the CSS does not try the secondary authentication method.

CSCea08548 - If you use the advanced-balance method in a content rule with a service configured using the max connections command and an incoming content request was stuck to a service that had exceeded its maximum connections, the CSS sends a TCP RST to the client. The CSS should reload-balance the incoming request and choose a new local service or sorry service if available.

CSCea08875 - The CSS does not correctly match a Layer 5 content rule that contains a % (percent sign) in the URL of the GET message.

CSCea10851 - The functions of the CSS primary authentication methods of local, radius, tacacs are not consistent with the Cisco IOS methods.

CSCea11300 - The persistence reset remap command does not work correctly for SSL flows.

CSCea12013 - The CSS incorrectly sends an ARP request for its own VIP address when a non-flow-setup packet type (for example, SNMP, NetBIOS, BOOTP, RIP) is sent to the CSS's VIP address.

CSCea14336 - When using an SSL module in the CSS, the CSS does not properly pass an HTTP POST larger than 11750 bytes to the server.

CSCea19865 - Unnecessary latencies in SSL connection setup could result in a 150ms delay on each SSL connection through the CSS.

CSCea24296 - Content rules may fail if a client request spans multiple packets and the sequence numbers do not change.

CSCea25871 - If a content header tag that spans two packets is empty, the CSS reboots because the temporary internal buffer is not cleared correctly.

CSCea28341 - If a running-config file has more than one active content rule that uses header-field groups that share the same header-field, suspending one of the active content rules has an adverse effect on the remaining active content rules that use the same header-field.

CSCea33912 - Memory leaks in ICP code cause Telnet and the CSS console to lock up.

CSCea36989 - When the CSS receives a DNS request for an A record that is configured, it responds with either return code 4 "not implemented" or return code 3 "NXDOMAIN". These two responses may be cached by various D-proxies, which may lead to temporary DNS outages. The CSS now returns an RFC 2308 NODATA type 3 response, which is an authoritative answer with rcode=NOERROR, answer=0, the AA bit set, and no SOA. This response causes the client to query for another A record.
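The difference between the old and new CSS responses in CSCea36989 is visible in the DNS wire format. The following classifier is an added example, not part of the release note or of Cisco's code: it parses a response header and authority section and labels the message NOTIMP, NXDOMAIN, NODATA type 1/2 (an SOA in the authority section) or NODATA type 3 (rcode NOERROR, no answer, AA bit set, no SOA, as the caveat describes). The sample messages are constructed inline with a small builder.

```python
import struct

RCODE_NOERROR, RCODE_NXDOMAIN, RCODE_NOTIMP, TYPE_A, TYPE_SOA = 0, 3, 4, 1, 6

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:          # compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def _rr_types(msg, off, count):
    types = []                               # RR types of `count` records at `off`
    for _ in range(count):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    return types

def classify_response(msg):
    """Classify a DNS response: NOTIMP, NXDOMAIN, NODATA type 1/2 or 3, or answer."""
    _txid, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    aa, rcode = (flags >> 10) & 1, flags & 0xF
    if rcode == RCODE_NOTIMP:
        return "NOTIMP"                      # pre-fix CSS behaviour (rcode 4)
    if rcode == RCODE_NXDOMAIN:
        return "NXDOMAIN"                    # pre-fix CSS behaviour (rcode 3)
    if an:
        return "answer"
    off = 12
    for _ in range(qd):                      # skip QNAME + QTYPE + QCLASS
        off = _skip_name(msg, off) + 4
    authority = _rr_types(msg, off, ns)
    if TYPE_SOA in authority:
        return "NODATA type 1/2"             # SOA supplies the negative-cache TTL
    return "NODATA type 3" if aa else "empty, non-authoritative"

def _encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_response(txid, aa, rcode, qname, authority=()):
    """Constructed sample: one A question, no answers, optional (type, rdata) authority RRs."""
    flags = (1 << 15) | (aa << 10) | rcode   # QR=1, AA as given, RCODE in low nibble
    body = _encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    for rtype, rdata in authority:
        body += _encode_name(qname) + struct.pack("!HHIH", rtype, 1, 60, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, flags, 1, 0, len(authority), 0) + body
```

A response that classifies as "NODATA type 3" matches the fixed CSS behaviour; "NOTIMP" or "NXDOMAIN" for a configured name indicates the pre-fix behaviour that D-proxies may cache.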

Obtaining Documentation

These sections explain how to obtain documentation from Cisco Systems.

World Wide Web

You can access the most current Cisco documentation on the World Wide Web at this URL:

http://www.cisco.com

Translated documentation is available at this URL:

http://www.cisco.com/public/countries_languages.shtml

Documentation CD-ROM

Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which is shipped with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual subscription.

Ordering Documentation

You can order Cisco documentation in these ways:

Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Networking Products MarketPlace:

http://www.cisco.com/cgi-bin/order/order_root.pl

Registered Cisco.com users can order the Documentation CD-ROM through the online Subscription Store:

http://www.cisco.com/go/subscription

Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, U.S.A.) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).

Documentation Feedback

You can submit comments electronically on Cisco.com. In the Cisco Documentation home page, click the Fax or Email option in the "Leave Feedback" section at the bottom of the page.

You can e-mail your comments to bug-doc@cisco.com.

You can submit your comments by mail by using the response card behind the front cover of your document or by writing to the following address:

Cisco Systems
Attn: Document Resource Connection
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate your comments.

Obtaining Technical Assistance

Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can obtain online documentation, troubleshooting tips, and sample configurations from online tools by using the Cisco Technical Assistance Center (TAC) Web Site. Cisco.com registered users have complete access to the technical support resources on the Cisco TAC Web Site.

Cisco.com

Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information, networking solutions, services, programs, and resources at any time, from anywhere in the world.

Cisco.com is a highly integrated Internet application and a powerful, easy-to-use tool that provides a broad range of features and services to help you with these tasks:

Streamline business processes and improve productivity

Resolve technical issues with online support

Download and test software packages

Order Cisco learning materials and merchandise

Register for online skill assessment, training, and certification programs

If you want to obtain customized information and service, you can self-register on Cisco.com. To access Cisco.com, go to this URL:

http://www.cisco.com

Technical Assistance Center

The Cisco Technical Assistance Center (TAC) is available to all customers who need technical assistance with a Cisco product, technology, or solution. Two levels of support are available: the Cisco TAC Web Site and the Cisco TAC Escalation Center.

Cisco TAC inquiries are categorized according to the urgency of the issue:

Priority level 4 (P4)—You need information or assistance concerning Cisco product capabilities, product installation, or basic product configuration.

Priority level 3 (P3)—Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue.

Priority level 2 (P2)—Your production network is severely degraded, affecting significant aspects of business operations. No workaround is available.

Priority level 1 (P1)—Your production network is down, and a critical impact to business operations will occur if service is not restored quickly. No workaround is available.

The Cisco TAC resource that you choose is based on the priority of the problem and the conditions of service contracts, when applicable.

Cisco TAC Web Site

You can use the Cisco TAC Web Site to resolve P3 and P4 issues yourself, saving both cost and time. The site provides around-the-clock access to online tools, knowledge bases, and software. To access the Cisco TAC Web Site, go to this URL:

http://www.cisco.com/tac

All customers, partners, and resellers who have a valid Cisco service contract have complete access to the technical support resources on the Cisco TAC Web Site. The Cisco TAC Web Site requires a Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or password, go to this URL to register:

http://www.cisco.com/register/

If you are a Cisco.com registered user, and you cannot resolve your technical issues by using the Cisco TAC Web Site, you can open a case online by using the TAC Case Open tool at this URL:

http://www.cisco.com/tac/caseopen

If you have Internet access, we recommend that you open P3 and P4 cases through the Cisco TAC Web Site.

Cisco TAC Escalation Center

The Cisco TAC Escalation Center addresses priority level 1 or priority level 2 issues. These classifications are assigned when severe network degradation significantly impacts business operations. When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer automatically opens a case.

To obtain a directory of toll-free Cisco TAC telephone numbers for your country, go to this URL:

http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml

Before calling, please check with your network operations center to determine the level of Cisco support services to which your company is entitled: for example, SMARTnet, SMARTnet Onsite, or Network Supported Accounts (NSA). When you call the center, please have available your service agreement number and your product serial number.