
Cisco CSS 11500 Series Content Services Switches

Release Note for the Cisco 11500 Series Content Services Switch (Software Version 7.30.x)


Release Note for the Cisco 11500 Series Content Services Switch


July 22, 2005


Note: The most current Cisco documentation for released products is also available on Cisco.com. The online documents may contain updates and modifications made after the hardcopy documents were released.


Contents

This release note applies to the following software versions for the Cisco 11500 Series Content Services Switch (CSS):

7.30.4.02 (version 7.30, release 4, build 2)

7.30.3.03 (version 7.30, release 3, build 3)

7.30.2.03 (version 7.30, release 2, build 3)

7.30.1.06 (version 7.30, release 1, build 6)

For information on version 7.30 commands and features, refer to the CSS 7.30 documentation located in http://www.cisco.com. Note that you cannot load this software image on a CSS 11050, 11150, or 11800.

This release note contains the following sections:

CSS Standard and Enhanced Feature Sets

Before Upgrading the CSS Software

Updating Management Information Base Files (MIBs)

Features in Software Version 7.30

New Documentation Set for Software Version 7.30

Software Behavioral Differences

Operating Considerations

Software Version 7.30.4.02 Open Caveats, Resolved Caveats, and Command Changes

Software Version 7.30.3.03 Open Caveats, Resolved Caveats, and Command Changes

Software Version 7.30.2.03 Open Caveats, Resolved Caveats, and Command Changes

Software Version 7.30.1.06 Open Caveats, Resolved Caveats, and Command Changes

Software Version 7.30.0.05 Open Caveats, Resolved Caveats, and Command Changes

Obtaining Documentation

Obtaining Technical Assistance

CSS Standard and Enhanced Feature Sets

The CSS software is available in a Standard or optional Enhanced feature set. The Enhanced feature set contains all of the Standard feature set and also includes Network Address Translation (NAT) Peering, Domain Name Service (DNS), Demand-Based Content Replication (Dynamic Hot Content Overflow), Content Staging and Replication, and Network Proximity DNS. Proximity Database and Secure Management, which includes Secure Shell Host and SSL strong encryption for the Device Management software, are optional features.

Software version 7.30.0.05 no longer requires that you enter a license key for the Standard software feature set. The Enhanced software feature set and the optional Secure Management feature still require a license key in order to be activated.

Before Upgrading the CSS Software

Before you upgrade your CSS software, archive your custom scripts (including user profiles and custom script keepalives) by using the archive script or save_profile command. When you upgrade the software, the upgrade process creates a new /<current running version>/script directory, overwriting the current script directory.

After the upgrade is done, use the restore filename script command to restore the scripts you archived. Refer to the Cisco Content Services Switch Administration Guide for detailed software upgrade instructions.

Updating Management Information Base Files (MIBs)

Cisco recommends that you update the CSS MIBs after you upgrade the CSS software. CSS MIBs are included in the CSS GZIP file. During the software upgrade, the MIBs are loaded into the CSS /mibs directory.

To update the CSS MIBs on your management station after you upgrade the CSS:

1. FTP the MIBs from the CSS MIBs (/v1 or /v2) directory to your management station.

2. Load the MIBs into the management application.

Features in Software Version 7.30

The following new features are supported in software version 7.30. In addition to these features, Table 7 and Table 8 list CLI commands that are new or changed in software version 7.30.

Routable management port, which allows a static route to be configured for the Ethernet management port - Cisco Content Services Switch Administration Guide

Version command updated to display the proper software version number - Cisco Content Services Switch Administration Guide

Flow processing for TCP fragments - Cisco Content Services Switch Content Load-Balancing Configuration Guide

Sending a TCP reset to a client in response to the TCP packet when the VIP is unavailable - Cisco Content Services Switch Content Load-Balancing Configuration Guide

DNS weighted roundrobin supports a weight of zero - Cisco Content Services Switch Content Load-Balancing Configuration Guide

Redirect and transparent cache service no longer require an IP address - Cisco Content Services Switch Content Load-Balancing Configuration Guide

Absolute Load Calculation behavioral changes - Cisco Content Services Switch Content Load-Balancing Configuration Guide

Graceful service shutdown using the (config-keepalive) tcp-close and tcp-rst commands - Cisco Content Services Switch Content Load-Balancing Configuration Guide

Configurable cookie name and location cookie - Cisco Content Services Switch Content Load-Balancing Configuration Guide

New show sticky table and show sticky stats commands - Cisco Content Services Switch Content Load-Balancing Configuration Guide

Fields added to flow statistics command display - Cisco Content Services Switch Content Load-Balancing Configuration Guide

Virtual Router ID peering and critical interface for VIP interface redundancy, and Reporter mode - Cisco Content Services Switch Redundancy Configuration Guide

Secure XML support added via the restrict secure-xml and no restrict secure-xml commands - Cisco Content Services Switch Security Configuration Guide

Security banner for GUI login page updated to display encryption strength - Cisco Content Services Switch Device Management User's Guide

New Documentation Set for Software Version 7.30

The documentation set for software version 7.30 now contains the following publications.

Document Title
Description

Release Note for the Cisco 11500 Series Content Services Switch

This release note provides information on operating considerations, caveats, and command line interface (CLI) commands for the Cisco 11500 series CSS.

Cisco 11500 Series Content Services Switch Hardware Installation Guide

This guide provides information for installing, cabling, and powering the Cisco 11500 series CSS. In addition, this guide provides information about CSS specifications, cable pinouts, and hardware troubleshooting.

Cisco Content Services Switch Administration Guide

This guide describes how to perform administrative tasks on the CSS, including booting and logging in to the CSS, upgrading your CSS software, and configuring the following:

User profile and CSS parameters

Logging, including displaying log messages and interpreting sys.log messages

DNS server for hostname resolution

User profile and CSS parameters

SNMP

RMON

XML documents to configure the CSS

CSS scripting language

Offline Diagnostic Monitor (Offline DM) menu

Cisco Content Services Switch Routing and Bridging Configuration Guide

This guide describes how to perform routing and bridging configuration tasks on the CSS, including:

Management ports, interfaces, and circuits

Spanning-tree bridging

Address Resolution Protocol (ARP)

Routing Information Protocol (RIP)

Internet Protocol (IP)

OSPF protocol

Cisco Discovery Protocol (CDP)

Dynamic Host Configuration Protocol (DHCP) relay agent

Cisco Content Services Switch Content Load-Balancing Configuration Guide

This guide describes how to perform CSS content load-balancing configuration tasks, including:

Services

Owners

Content rules

Sticky parameters

Flow and port mapping

HTTP header load balancing

Content caching

Content replication

Cisco Content Services Switch Global Server Load-Balancing Configuration Guide

This guide describes how to perform CSS global load-balancing configuration tasks, including:

Domain Name Service (DNS)

DNS Sticky

Content Routing Agent

Client-Side Accelerator

Network proximity

Cisco Content Services Switch Security Configuration Guide

This guide describes how to perform CSS security configuration tasks, including:

Controlling access to the CSS

Secure Shell Daemon protocol

Radius

TACACS+

Firewall load balancing

Secure Socket Layer (SSL) termination with the SSL Acceleration Module

Cisco Content Services Switch Redundancy Configuration Guide

This guide describes how to perform CSS redundancy configuration tasks, including:

VIP and virtual interface redundancy

Adaptive session redundancy

Box-to-box redundancy

Cisco Content Services Switch Command Reference

This reference provides an alphabetical list of all CLI commands including syntax, options, and related commands.

Cisco Content Services Switch Device Management User's Guide

This guide describes how to use the Device Management user interface, an HTML-based Web-based application that you use to configure and manage your CSS.


Documentation Enhancements and Corrections

The following enhancements and corrections apply to the 7.30 documentation set.

The -norlog and -notrap flags are available for the commit_vip_redundancy script. The syntax is:

commit_vip_redundancy -nolog -notrap

The -norlog option reduces the number of log messages that the CSS sends to the configured log host during the script.

The -notrap option reduces the number of traps that the CSS sends to the configured trap host during the script.

The CSS performs a urlrewrite search in the following order:

1. Exact match.

2. Postfix wildcard match using the shortest prefix (for example, the CSS will match on "ssl-server 1 urlrewrite 7 cis*" before matching on "ssl-server 1 urlrewrite 12 cisco.*").

3. Prefix wildcard match using the shortest match (for example, the CSS will match on "ssl-server 1 urlrewrite 7 *.cis" before matching on "ssl-server 1 urlrewrite 12 *.cisco").

4. Wildcard match (for example, ssl-server 1 urlrewrite 7 *).
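The search order above can be modelled in a few lines to see which urlrewrite rule wins for a given hostname. This is an added example, not Cisco code: the rule numbers and hostnames are constructed, and the case-insensitive comparison and the lowest-rule-number tie-break are assumptions.

```python
# Added illustration of the urlrewrite search order from the release note.
# Rule numbers and hostnames are constructed sample data, not a real config.

EXACT, POSTFIX, PREFIX, CATCH_ALL = range(4)  # search steps 1-4, in order


def classify(pattern):
    """Return (search_step, literal_part) for a urlrewrite hostname pattern."""
    if pattern == "*":
        return CATCH_ALL, ""
    if "*" not in pattern:
        return EXACT, pattern
    if pattern.count("*") == 1 and pattern.endswith("*"):
        return POSTFIX, pattern[:-1]      # e.g. "cis*"  -> literal "cis"
    if pattern.count("*") == 1 and pattern.startswith("*"):
        return PREFIX, pattern[1:]        # e.g. "*.cis" -> literal ".cis"
    raise ValueError(f"unsupported wildcard placement: {pattern!r}")


def matches(step, literal, host):
    """True if a pattern of the given step and literal part matches host."""
    if step == EXACT:
        return host == literal
    if step == POSTFIX:
        return host.startswith(literal)
    if step == PREFIX:
        return host.endswith(literal)
    return True                           # bare "*" matches everything


def select_urlrewrite(rules, host):
    """Pick the (number, pattern) rule that the documented order selects.

    Within a wildcard step the shortest literal part wins, as the note says.
    Assumptions: hostnames compare case-insensitively and equal-length ties
    go to the lowest rule number.
    """
    host = host.lower()
    candidates = []
    for number, pattern in rules:
        step, literal = classify(pattern.lower())
        if matches(step, literal, host):
            candidates.append((step, len(literal), number, pattern))
    if not candidates:
        return None
    _, _, number, pattern = min(candidates)
    return number, pattern


# Constructed sample rules: (urlrewrite number, hostname pattern)
SAMPLE_RULES = [
    (12, "cisco.*"),
    (7, "cis*"),
    (3, "www.cisco.com"),
    (40, "*.com"),
    (41, "*.cisco.com"),
    (99, "*"),
]

if __name__ == "__main__":
    for name in ("www.cisco.com", "cisco.com", "shop.cisco.com", "intranet.local"):
        print(name, "->", select_urlrewrite(SAMPLE_RULES, name))
```

Because the shortest literal wins within a step, a longer, more specific wildcard rule such as "cisco.*" is never selected while a shorter one such as "cis*" also matches; that is worth checking when reviewing which redirects are rewritten to HTTPS.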

The CSS does not apply a keepalive tcp-close configuration to scripted keepalives.

Before you use the snmp auth-traps command to generate traps, you must first enable SNMP generic traps using the snmp trap-type generic command. Though the CSS will allow you to enter the snmp auth-traps command without first entering the snmp trap-type generic command, it will not generate traps until you enable SNMP generic traps.

The documentation incorrectly states that you can configure as many SNMP communities as you wish through the snmp community command. You can configure a maximum of five communities.

You cannot configure content rules with VIP address ranges that overlap, including rules with different port numbers. However, you can configure content rules with the same VIP address range.

Software Behavioral Differences

These sections describe the software behavioral differences that apply to software version 7.30.1 and greater.

General Software Behavioral Differences

Configuring a Pre-Login Banner

Configuring File-Error Handling for Content Replication

Changes to show virtual-routers Display

Change to the no admin-shutdown Command

General Software Behavioral Differences

This section describes general software behavioral differences that apply to 7.30.1 and greater:

DNS requests to a VIP used to return a service IP address if that backend service was a type redirect service. In software version 7.30.1 and greater, DNS requests now return the VIP address.

The CSS does not require you to configure a subnet mask on the Ethernet Management port. If you do not configure a subnet mask, the CSS uses the default subnet mask of 255.255.255.0. Any traffic that is transmitted from or sent to a CSS circuit will fail if there is an overlap with the management port IP address.

When you configured a content rule with the no persistent command and globally configured the persistent reset remap command, the urlhash and domainhash load-balancing methods prevented the CSS from performing a server remap when required. The CSS now remaps a server when a subsequent HTTP GET on an HTTP 1.1 connection causes a different hash value than the previous GET.

VIP addresses and IP addresses used on content rules, services, and source groups are now restricted to be only class A, B, or C addresses. Multicast (D or E) or IP addresses with ranges that extend beyond the end of the address range are not allowed.

CSS port 8081 has been disabled for accessing the Device Management GUI. Access to the port used to redirect the browser to port 443 over a secure connection, but now denies the request. The browser indicates that the page cannot be displayed.

In a VIP and virtual interface redundancy configuration, when you run the commit_vip_redundancy script, if the local VR priority is configured, the script configures a VR priority of 100 on the remote CSS. If you want to determine mastership based on a different priority, manually configure the remote CSS priority as required.

On an initial connection, if the connection needs to be redirected, the CSS sends a FIN. If the connection needs to be redirected at a subsequent point, the CSS sends a reset. In prior releases, the CSS always sent a FIN.

If you transitioned from one CLI mode to another (for example, from config mode to service mode), and a service already existed regardless of whether TACACS+ authorization was enabled for config or non-config commands, the CSS did not perform authorization on the command. If the service was being created and authorization for config commands was enabled, then the TACACS+ server was queried if the user was authorized to perform the command. In software version 7.30.1.06 and greater, on a mode transition in an existing service, a request now goes out to the TACACS+ server if non-config commands are enabled.
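Two of the items above, the default management-port mask and the class A, B, or C restriction on VIP and service addresses, can be checked offline before a configuration is applied. The following is an added example, not Cisco code: the circuit names and addresses are constructed, a VIP range is modelled as a start address plus a count, and "beyond the end of the address range" is assumed to mean past 223.255.255.255.

```python
import ipaddress

DEFAULT_MGMT_MASK = "255.255.255.0"   # default stated in the release note
# Assumption: the "end of the address range" is the last class C address.
CLASS_C_END = int(ipaddress.IPv4Address("223.255.255.255"))


def address_class(addr):
    """Classful category (A-E) of an IPv4 address, from its first octet."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet < 128:
        return "A"
    if first_octet < 192:
        return "B"
    if first_octet < 224:
        return "C"
    if first_octet < 240:
        return "D"
    return "E"


def vip_range_problems(start, count=1):
    """List reasons a VIP range (start address + count) would be refused."""
    first = ipaddress.IPv4Address(start)
    cls = address_class(first)
    if cls in ("D", "E"):
        return [f"{first} is class {cls}; only class A, B, or C is allowed"]
    last = int(first) + count - 1
    if last > CLASS_C_END:
        return [f"range of {count} from {first} runs past 223.255.255.255"]
    return []


def mgmt_overlaps(mgmt_ip, circuits, mgmt_mask=None):
    """Names of circuits whose subnet overlaps the management port subnet.

    With no mask configured, the CSS default of 255.255.255.0 applies, so a
    management address can overlap a circuit the operator thought was separate.
    """
    mask = mgmt_mask or DEFAULT_MGMT_MASK
    mgmt_net = ipaddress.ip_interface(f"{mgmt_ip}/{mask}").network
    return [
        name
        for name, cidr in circuits.items()
        if ipaddress.ip_interface(cidr).network.overlaps(mgmt_net)
    ]


# Constructed sample data: circuit name -> circuit IP address/prefix
SAMPLE_CIRCUITS = {
    "VLAN1": "192.168.12.200/26",
    "VLAN2": "10.1.1.1/24",
}

if __name__ == "__main__":
    print(vip_range_problems("192.168.1.10", 5))
    print(vip_range_problems("239.1.1.1"))
    print(vip_range_problems("223.255.255.250", 10))
    # No mask configured: the /24 default swallows VLAN1's subnet.
    print(mgmt_overlaps("192.168.12.5", SAMPLE_CIRCUITS))
    # Explicit narrow mask: no overlap.
    print(mgmt_overlaps("192.168.12.5", SAMPLE_CIRCUITS, "255.255.255.252"))
```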

Configuring a Pre-Login Banner

You can configure a custom banner that displays when you connect to a CSS before you log in. The banner is an ASCII text file that you provide and it must reside in the CSS script directory. This banner is a general banner that is the same for all users. For example, you could create a banner that includes the name of your company or a department within your company.

To configure a pre-login banner, use the prelogin-banner command in global configuration mode. This command has the following syntax:

prelogin-banner "filename"

The filename variable is the name of the ASCII text file that contains the pre-login banner text. Enter a quoted text string with a maximum of 32 characters.

For example, to configure a pre-login banner file called newBanner:

1. Use any text editor (for example, Notepad or Wordpad) to create a custom banner called newBanner and save it as a text file. The maximum line width is 80 characters.

2. FTP the text file to the CSS script directory as follows:

a. From the directory that contains the banner text file, FTP to the CSS. For example, enter: ftp 192.168.12.5.

b. At the FTP prompt, log in to the CSS.

c. Enter cd script to change to the CSS script directory.

d. Enter put newBanner newBanner. FTP transfers the banner file to the CSS script directory.

3. To complete the configuration, enter the following command at the CSS CLI:

(config)# prelogin-banner newBanner

The next time you connect to the CSS, the custom banner appears.

To reset the default behavior of the CSS to no pre-login banner, enter:

(config)# no prelogin-banner
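A banner file can be checked against the limits stated above (ASCII text, 80-character lines, 32-character filename) before it is transferred to the CSS script directory. This is an added example, not Cisco code; the sample banner contents are constructed.

```python
MAX_NAME_LEN = 32     # filename limit stated for the prelogin-banner command
MAX_LINE_WIDTH = 80   # maximum banner line width stated in the procedure


def banner_problems(filename, data):
    """Return a list of reasons the banner file breaks the documented limits.

    `data` is the raw file content as bytes, exactly as it would be sent by FTP.
    """
    problems = []
    if len(filename) > MAX_NAME_LEN:
        problems.append(
            f"filename is {len(filename)} characters (max {MAX_NAME_LEN})"
        )
    for lineno, raw in enumerate(data.split(b"\n"), start=1):
        line = raw.rstrip(b"\r")          # Windows editors save CRLF endings
        non_ascii = [b for b in line if b > 0x7F]
        if non_ascii:
            # Typical cause: a UTF-8 byte-order mark or "smart quotes"
            # written by the editor instead of plain ASCII.
            problems.append(f"line {lineno}: {len(non_ascii)} non-ASCII byte(s)")
        if len(line) > MAX_LINE_WIDTH:
            problems.append(
                f"line {lineno}: {len(line)} bytes wide (max {MAX_LINE_WIDTH})"
            )
    return problems


# Constructed samples: a clean banner, and one saved with a UTF-8 BOM
# whose first line is also too long.
GOOD_BANNER = b"Example Corp network device\r\nAuthorized use only\r\n"
BAD_BANNER = b"\xef\xbb\xbf" + b"X" * 81 + b"\n"

if __name__ == "__main__":
    print(banner_problems("newBanner", GOOD_BANNER))
    for problem in banner_problems("newBanner", BAD_BANNER):
        print(problem)
```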

Configuring File-Error Handling for Content Replication

Under certain rare circumstances, it is possible for the CSS to encounter a file error during content replication. A file error can occur when an application or a user deletes a file from the publisher tree during a replication operation. If such an event occurs, the scan does not detect the deleted file and during replication the CSS may keep retrying the file until another scan occurs or the file becomes available.

To specify how the CSS handles file errors during content replication, use the replication file-error command. The syntax of this global configuration mode command is:

replication file-error retry|skip

The command options are:

retry - (Default) Replication pauses while the CSS periodically attempts to replicate a missing file

skip - The CSS skips the missing file and continues the replication process

Changes to show virtual-routers Display

The following changes were made to the show virtual-routers command display:

The 'Fail Reason' field was changed to 'Last Fail Reason'.

Codes reported for the 'Fail Reason' field used to persist for the duration of the actual failure. Codes reported for the 'Last Fail Reason' field now persist until another failure event occurs. A failure event is defined as a transition from Master/Backup to Down.

The failure code 'No Service' was replaced with 'Critical Svc Down'. This change applies to both the show virtual-routers CLI command and the SNMP apIpv4RedundancyVRFailReason MIB object.

Change to the no admin-shutdown Command

The global no admin-shutdown command now resets ports that were shut down using the interface mode admin-shutdown command.

Operating Considerations

The following operating considerations apply to software version 7.30.1 and greater.

The CSS implementation of FTP does not support the mget command, which is used for multiple file transfers.

The CSS provides scripted keepalives to support keepalive operations that cannot be handled using non-scripted keepalives. Cisco recommends that you limit I/O operations in a scripted keepalive to socket operations used to probe network connectivity to a server and for determining application health on a server. Although the scripting language supports file I/O on the CSS hard drive or flash drive, Cisco recommends that you do not use file I/O operations within scripted keepalives. Extensive file I/O operations within scripted keepalives may cause services to transition. File system access is allowed in scripts executed from the CLI or from the command scheduler.

If you configure an ArrowPoint cookie on a content rule using the advanced-balance arrowpoint-cookie command and the CSS receives a subsequent GET with no ArrowPoint cookie on a persistent HTTP connection, the CSS ignores all persistence settings in the running-config, remaps the backend connection to a new server, and inserts a new ArrowPoint cookie.

For UDP applications with high-numbered assigned ports (for example, SIP and WAP), Cisco recommends that you preserve those port numbers by configuring destination services in source groups instead of using the portmap disable command. Destination services cause the CSS to PAT client source ports, but not the destination ports. For information about configuring destination services, refer to the Cisco Content Services Switch Content Load-Balancing Configuration Guide.

If you disable flows for a UDP port using the flow-state table and configure the portmap disable command in a source group, traffic for that port that matches on the source group may be returned to the client on an unrecognizable port number. For information about the flow-state table, refer to the Cisco Content Services Switch Content Load-Balancing Configuration Guide.

When configuring a port mapper in a source group with the same VIP address as the content rule, you must configure the port mapper and content rule with the same VIP address ranges. The maximum VIP address range for a port mapper is 255. If you need to create a rule with a VIP address range greater than 255, create multiple rules with smaller ranges instead.

When you configure the expiration time and date for a location cookie using the location-cookie expiration command, the CSS CPU may spike and the CSS may experience a degradation in its performance. Configure the expiration option with the location-cookie command only when necessary.

When you configure the arrowpoint-cookie expiration command and the advanced-balance arrowpoint-cookie command, the CSS CPU may spike and the CSS may experience a degradation in its performance. Configure the arrowpoint-cookie expiration command only when necessary.

The Server Status field in the show sntp global command indicates the operating status of the SNTP server (UP or DOWN). After the CSS fails to connect to the SNTP server three consecutive times, the CSS marks the SNTP state as DOWN.

When the CSS is processing an SNMP BULK_WALK request to obtain the ether-history table, the requesting application may time out due to the large amount of information it has to gather. To avoid having the requesting application time out, increase the requesting application's retransmission timer.

Software Version 7.30.4.02 Open Caveats, Resolved Caveats, and Command Changes

The following sections contain the open caveats, resolved caveats, and command changes in software version 7.30.4.02:

Software Version 7.30.4.02 Open Caveats

Software Version 7.30.4.02 Resolved Caveats

Software Version 7.30.4.02 Command Changes

Software Version 7.30.4.02 Open Caveats

The following caveats apply to the CSS 11501, CSS 11503 and the CSS 11506:

CSCeh64196 - In an environment using large SSL POSTs, the TCP window on the SSL module may be reduced in size to less than a packet. This issue creates an ACK in each subsequent packet. Due to the length (in Kbytes) of the transaction, this condition causes the session to last significantly longer than it would if the TCP windows were large enough to accept enough data to fill their buffers.

CSCeh65783 - When a critical service becomes active, the CSS does not apply the VRRP hold down timer. Immediately after the critical service becomes active, VRRP transitions to a master state.

CSCei00309 - Configuring and then removing a static ARP for an existing device may cause the CSS to reboot after an indeterminate, variable period of time.

CSCei21776 - If the CSS receives a RST packet while a connection is already in the process of being shut down, the SSL module may reboot.

CSCei31471 - While processing approximately 150 connections/sec the SSL module hangs and does not recover. The SSL module does not fail over, which causes all SSL traffic to fail. The CSS does not produce core dumps.

CSCei35940 - The following new log message was added for a source group mis-configuration where 'index' is the internal source group index value. However the log message is only logged if an internal source group debug flag "FwPortMapLogging" is enabled, which can only be done using symbols in debug mode. This may cause confusion when tracking log messages because the log message should be at warning, info, or debug level logging.

"<Routine name>: Possible portmap leak - <index> changed to <index>"

CSCei45775 - In the enhancement for CSCei03460, the syntax for the no ssl server 1 tcp virtual retrans command is incorrect. The virtual keyword is missing from the command. The no version of the command does not remove the command from the running config. The value is being set properly, but it is not correct in the running-config and will cause the running config to fail. Workaround: Use the ssl-server 1 tcp virtual retrans with the default value of 500.

CSCei47195 - The isc-port reports LifeTick failures that may not cause session replication to occur correctly because the peers are not passing messages across the isc-port. Workaround: To enable messages to be passed correctly, remove and re-add the isc-port that is experiencing the issue.

Software Version 7.30.4.02 Resolved Caveats

The following caveats were resolved in software version 7.30.3.03:

CSCeh00595 - An SNMP GET NEXT of the apFlowMgrExtSlotFlowStats table on a chassis that is not fully populated may cause the CSS to reboot.

CSCeh00709 - When you configure the CSS using the IP advanced-route-remap command, the command does not take effect on services that are local to the CSS.

CSCei00983 - On a CSS with an SSL module, the available memory on the SSL module could drop significantly on a daily basis until all available memory was lost, severely impacting SSL traffic and requiring a reboot to recover the memory.

CSCei04797 - The CSS was allowing a scripted keepalive under a service to be configured, even if the script did not exist. Once the service was activated, the following error message appeared in the show service command display:

Script Error: Script failed to load.  Is script present on disk?

CSCeh09415 - When ASR is configured, dormant flows incorrectly time out on the backup CSS.

CSCei15420 - When a CSS was configured with VIP/Interface redundancy, critical reporters, and SNMP redundancy-transition traps enabled, it rebooted when a reporter transitioned to down due to a string over-run on the trap text.

CSCeh18228 - When you configure the CSS virtual router with a critical reporter that is in a Backup state, this places the virtual router into the Master(ReportBkup) state, which causes the CSS to incorrectly bring the dormant flows to an active state. The CSS should keep these flows in a dormant state until the reporter is master again.

CSCeh18285 - The CSS immediately ARPs when the spanning-tree topology changes.

CSCeg25641 - According to RFC 2068, Hypertext Transfer Protocol - HTTP/1.1, if 'chunked' is in a HEAD response, the CSS should ignore it, and not try to look for more data. However, the CSS continues to look for more data, which causes the keepalive to fail.

CSCee33659 - When the ISC link is bounced, the sticky table information on the backup CSS is no longer accurate for certain slots.

CSCeh34493 - A backup CSS may reboot during a VIP redundancy config synch operation.

CSCeh34858 - A CSS running 7.40.1.07s with an SSL module and URL rewrite activated may not rewrite the URLs in 302 redirect answers from the servers if the "Location" word in the HTTP header spans two different TCP packets.

CSCeg35174 - During a secure HTTPS transfer, the CSS sends out several hundred KBs, waits between 3.5 and 5 seconds, and then sends out another several hundred KBs. The CSS repeats this pattern until the transfer is complete. The delay between bulk transfers adds to the transfer time for the file locally. Note that this delay does not impact standard HTTP file transfers, only secure HTTP file transfers.

CSCeh35317 - In a Content Replication configuration using a UNIX directory structure on the publisher, if the publisher FTP server uses UserID/GroupID instead of UserName/GroupName in the directory listing, the CSS fails to detect the files for replication on the Publisher.

CSCeh35328 - In a Content Replication configuration, it was possible for the CSS to improperly send numerous test files to the Subscriber. In some cases, the Subscriber FTP server would detect this as an attack and would deny FTP access from the CSS. This was changed so that the CSS will send no more than 4 test files per minute.

CSCeg35659 - When the sticky table is full from entries using the sticky inactivity timer, new connections requiring use of the sticky table should be sticky rejected, but should still be load balanced. This works for SSL sticky, but not for sticky-srcip.

CSCeh38676 - When ASR is configured, the ISC link will not come up unless the SCM is in slot 1.

CSCeh38890 - On a CSS11503 or CSS11506, the CSS may inject incorrect arrowpoint cookie expiration values.

CSCeh39182 - On networks that experience frequent packet losses and long transaction times, a configuration parameter is needed to deal with SSL transactions terminated on the CSS so the user can tune the retransmission timers to account for these delays.

CSCeh39266 - Running VIP/interface redundancy with a pair of CSSs connected to a Catalyst 6509/Supervisor 720, the GB ports on the backup CSS may fail unless the interfaces connected to the Catalyst are explicitly shut down using admin-shutdown command.

CSCeg40291 - While running a custom keepalive script in a Global Server Load Balancing (GSLB) environment, both CSSs reboot (that is, the CSS running the script and its peer). The CSS running the script creates a core dump, but the peer CSS reboots without creating a core dump.

CSCeh41820 - A CSS with an SSL module and URL rewrite activated may not rewrite the URLs in 302 responses.

CSCeh44041 - If the Location field of a 302 Redirect spans from the 2nd packet to the 3rd packet, the CSS does not perform the urlrewrite function if the "Location: " string falls into the third (or greater) packet of a spanned 302 response.

CSCeh44262 - For a CSS in a VIP/Interface redundant configuration, when a critical service transitioned from DOWN to BACKUP, the CSS would improperly GARP causing devices to update their ARP tables with incorrect information.

CSCeh45167 - On a CSS with an SSL module and URL rewrite activated, if non-standard ports are configured to be rewritten as well as the "https://", and the 3XX response from the server spans across multiple packets, only the "https" may be rewritten, but not the "port".

CSCeh45575 - When ASR is configured, the CSS may reboot during a VRRP transition.

CSCeg46589 - A scripted keepalive using socket waitfor in the script may fail with a "Script error" at the socket waitfor line. The service will therefore be down. Conditions: The socket waitfor must be expecting a string that matches exactly the data the service is sending. Workaround: Either configure socket waitfor to a shorter string (1 byte less is sufficient) than what the service sends or configure the service to send a string that is longer (1 byte more is sufficient) than what the socket waitfor expects.

CSCeg47732 - When the CSS sends a reset to a client that contains a redirect to an IE browser, the client receives a blank page. But, when the client refreshes the page, the issue is resolved. This problem only occurs on IE browsers. The problem is not seen when you use Netscape, Mozilla, or Opera browsers.

CSCeh48648 - When the CSS was configured for backend remapping, the TCP RST ACK number sent to the backend server to close the connection was incorrect.

CSCeh49861 - When a CSS was configured with a DNS entry that was added to a content rule as well as configured as a proximity record, the CSS improperly freed some of the associated memory, and rebooted.

CSCeg50573 - If the CSS receives a UDP packet, places it on a vector for future processing, and starts processing the vector, it may incorrectly reference a null pointer and reboot.

CSCeg52668 - If SSH connections from a client are dropped without a FIN or a RESET, the CSS eventually times out the connection on its side but will not release the socket. This prevents the CSS from accepting new connections.

CSCeh53894 - On a CSS with an SSL module, the TCP acknowledge timer may become corrupt, causing the CSS to reboot.

CSCeh54012 - When a CSS was configured with a service type redirect and a long URL was requested, resulting in a redirect response from the CSS, the redirect was being logged. When the redirect string was logged, it was long enough to corrupt memory and caused the CSS to reboot.

CSCeh54652 - When configuring location cookie, the service types of ssl-accel-backend and ssl-init need to be permitted. Previously only local and redirect were allowed to be configured.

CSCeh56281 - The CSS may reboot when suspending a content rule due to internal rule tree corruption using Layer 5 rules containing a wildcard url "/hraward*" and a header tag rule using the url "/home*". This is because both URLs begin with the same letter.

CSCeh57760 - The CSS may not NAT all ICMP error packets. The IP packet within the ICMP error is translated, but the encompassing ICMP error packet may not be NAT-translated before being sent out of the CSS.

CSCee60207 - Using ACLs and source groups to NAT client traffic fails for traffic destined to a SSL content rule that uses a SSL module. The CSS matches the ACL, but does not NAT the client's source IP address. The result is that one-armed topologies do not function properly for specific SSL content rules. Workaround: Configure the source group using the add destination service command instead of using ACLs.

CSCeg60264 - When you configure the CSS with keepalives using the keepalive tcp-close fin command, the TCPFAST ports may become unresponsive. Over time, all the ports could become unresponsive, causing the keepalives to fail.

CSCeg60985 - A scripted keepalive may cause the CSS to reboot due to a double delete.

CSCef61128 - The CSS may reboot when it receives an out of sequence or malformed SSH protocol message.

CSCeg62332 - When configuring an active SSL proxy list, the CSS allows you to remove commands without first suspending the proxy list. This causes the running-config to display a configuration that is different from the configuration being run.

CSCeg62476 - When you configure an SSL server with URL rewrite on the CSS and then the CSS receives a 3XX HTTP response that does not contain the Location field in the first packet, the SSL connection may fail.

CSCeg64394 - In an ASR redundancy configuration, the sticky tables may not synchronize completely after the backup CSS is rebooted.

CSCeh65429 - When configuring the CSS to add an HTTP keepalive, you may see the following error message:

Error %% Maximum keepalives of this type have been exceeded. Cannot activate when 
trying to add a new HTTP head keepalive.

CSCeh65531 - The debug mode flowmgr reset logging may cause the port number in the log message to be incorrect.

CSCeg67414 - When an SSL server Hello spans two packets and you configure the tcp-close command with a FIN, the ssl keepalive type fails.

CSCeh68829 - When using advanced balance arrowpoint or location cookies, if the server packets are out of order and HTTP data arrives before the HTTP header, the CSS will not correctly adjust the tcp sequence number, resulting in corrupted data received on the client.

CSCeg69358 - When you configure the expiration time and date for a location cookie using the location-cookie expiration command, or the arrowpoint-cookie expiration command and the advanced-balance arrowpoint-cookie command, the CSS CPU may spike and the CSS may experience a degradation in its performance. Configure the expiration option with the location-cookie or the arrowpoint-cookie expiration command only when necessary.

CSCeh70529 - With the CSS configured with an SSL module and url rewrite activated, if the HTTP 3XX response from the server contained the tag "Content-Location:", the URL rewrite failed because the wrong HTTP tag in the packet was modified. The CSS should modify only the "\r\nLocation: <>\r\n" tag, not any HTTP tag that contains the word "Location:".

CSCeh70874 - When using the commit_vip_redundancy script to sync a config that includes ACLs and has authChallenge configured on the APP session, if the session secret ends with the string "app", the commit may fail.

CSCeh71185 - On a CSS configured with a Layer5 rule, when receiving a POST with multiple data packets, if one packet starts with the content "HEAD" it will be blocked by the CSS.

CSCeg72635 - When you configure the CSS to respond to DNS requests for domain names by using the content rule add dns command and the CSS is using firewall load balancing (FWLB), the CSS may send a DNS response to the wrong firewall.

CSCeg72741 - The CSS may fail to NAT when using ACLs with source groups under certain conditions.

CSCeg72773 - When you configure the CSS for content replication, constructing a file name for replication prevented the CSS from finding the root directory. The CSS now correctly handles this condition.

CSCeh75114 - When a POST is processed by the CSS, if the data that follows the POST begins with a CONNECT or GET, the CSS would erroneously interpret that to be an HTTP method. The CSS will now fully qualify all HTTP Methods to ensure that the POST data is not incorrectly processed as a valid HTTP method.

CSCeh76035 - When configuring an RMON alarm, if you suspend, activate, suspend and then enter the no rmon-alarm command, the CSS may reboot.

CSCeg81363 - If a Telnet session fails to authenticate a username and password pair to the CSS and then immediately disconnects at the same moment the CSS was disconnecting the session due to the failure, the CSS may become unresponsive. At this point Telnet, console, SSH and FTP access is denied until you reboot the CSS.

CSCeg82005 - If you issue a CWD (change working directory) command through an FTP connection and the pathname contained more than 31 directories, the CSS may reboot because the CSS only supports 31 directories in the pathname.

CSCeg83161 - When you configure the CSS with an ISC port, walking the apFlowMgrStatIfTable MIB may cause the following message to appear in the sys.log file:

FLOWMGR-3: GetPortFlowStats CE = 0

CSCeh83762 - If the CSS was configured with services with encrypted http keepalives of type ssl-backend or ssl-initiation, memory may be leaked on the SSL module until eventually all memory blocks could be depleted and user SSL traffic would cease.

CSCeg85065 - Deliveries of error logs for internal messages may cause the CSS to reboot.

CSCeg85854 - SNMP causes memory leaks.

CSCeh86555 - The CSS may reboot when enabling OSPF due to an OSPF LSA update that contained the maximum Ethernet packet size.

CSCeh87082 - If the CSS was configured for logging to an SMTP server, when the CSS opened an SMTP connection to the mail host, the CSS was incorrectly detecting the "continue" character of "-". This caused the CSS and the SMTP mail host to get out of sync in the SMTP protocol and the sendmail connection would be terminated by the CSS prematurely, causing the sendmail to fail.

CSCeh89398 - When trying to set and enable the SNTP server through the GUI on the CSS running 7.4.1.11s, the following error may occur:

"An error occurred while processing your request. The request was not completed."

CSCeh97409 - If the CSS was configured with a protocol-only content rule (that is, "protocol tcp" but no "port") and the VIP range on the content rule was changed, a reboot was required for the configuration change to take effect, even after suspending and activating the content rule.
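
Several of the URL-rewrite caveats above (CSCeh44041, CSCeh45167, CSCeh70529) come down to two requirements: the rewriter must see the complete response head before it edits anything, and it must match the whole header name rather than any tag containing "Location:". The following Python is an added example, not Cisco code and not CSS configuration; the host list, the port map and the sample response are constructed for illustration.

```python
"""Added example (not CSS code): rewrite only the Location header of a 3xx
response, even when the response head arrives split across TCP segments."""
import re

# Assumed rewrite policy, constructed for this example.
REWRITE_HOSTS = {b"www.example.com"}
PORT_MAP = {80: 443, 8080: 8443}          # clear-text port -> SSL port

_STATUS = re.compile(rb"^HTTP/1\.[01] (\d{3})(?: |$)")
_URL = re.compile(rb"^http://([^/:]+)(?::(\d+))?(/.*)?$", re.I)


def rewrite_url(url: bytes) -> bytes:
    """Map http://host[:port]/path to https://host[:sslport]/path."""
    m = _URL.match(url)
    if not m or m.group(1).lower() not in REWRITE_HOSTS:
        return url
    ssl_port = PORT_MAP.get(int(m.group(2) or 80))
    if ssl_port is None:
        return url                         # port not in the policy: leave as is
    port = b"" if ssl_port == 443 else b":%d" % ssl_port
    return b"https://" + m.group(1) + port + (m.group(3) or b"")


def rewrite_head(head: bytes) -> bytes:
    """Rewrite the Location header of a complete 3xx response head."""
    lines = head.split(b"\r\n")
    m = _STATUS.match(lines[0])
    if not m or not m.group(1).startswith(b"3"):
        return head                        # not a redirect: leave untouched
    for i in range(1, len(lines)):
        name, sep, value = lines[i].partition(b":")
        # Compare the whole field name, so Content-Location never matches.
        if sep and name.lower() == b"location":
            lines[i] = name + b": " + rewrite_url(value.strip())
    return b"\r\n".join(lines)


class RedirectRewriter:
    """Holds one response's head until it is complete, then rewrites it.

    One instance per response; finding where the next response starts on a
    persistent connection is left to the caller.
    """
    MAX_HEAD = 16 * 1024

    def __init__(self):
        self._buf = b""
        self._head_done = False

    def feed(self, segment: bytes) -> bytes:
        """Accept one segment payload; return the bytes to forward."""
        if self._head_done:
            return segment                 # body data is never parsed
        self._buf += segment
        end = self._buf.find(b"\r\n\r\n")
        if end < 0 and len(self._buf) <= self.MAX_HEAD:
            return b""                     # head incomplete: keep buffering
        self._head_done = True
        buf, self._buf = self._buf, b""
        if end < 0:
            return buf                     # oversized head: forward unmodified
        return rewrite_head(buf[:end]) + buf[end:]


# Constructed response; the default cuts split "Loca|tion" between the
# second and third segment.
SAMPLE = (b"HTTP/1.1 302 Found\r\n"
          b"Content-Location: http://www.example.com/index.en.html\r\n"
          b"Location: http://www.example.com:8080/login\r\n"
          b"Content-Length: 0\r\n\r\n")


def forward(payload: bytes, cuts=(30, 80)) -> bytes:
    """Send payload through a fresh rewriter in three segments."""
    rw = RedirectRewriter()
    first, second = cuts
    parts = (payload[:first], payload[first:second], payload[second:])
    return b"".join(rw.feed(part) for part in parts)


if __name__ == "__main__":
    print(forward(SAMPLE).decode())
```

Because body segments are passed through without parsing, data that merely looks like a 302 header inside an object (the situation in CSCeg46366) is not rewritten.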

Software Version 7.30.4.02 Command Changes

Table 1 lists the commands and options that have been added in software version 7.30.4.02.

Table 1 CLI Commands Added in Version 7.30.4.02  

Mode
Command and Syntax
Description

All

zero group statistics

Clears all service and portmap statistics for all source groups displayed through the show group command.

Formerly, the zero all command in group configuration mode cleared these statistics. This command now clears the statistics for the group in the current mode.

All modes except RMON, URQL, and VLAN

show http-redirect-option

Displays the TCP FIN or RST flag settings for HTTP 302 redirect messages sent by the CSS.

Global

arp mac-down-immediate

no arp mac-down-immediate

Configures the CSS to immediately send an ARP request for an IP address associated with that MAC address, thus immediately repopulating the entries in the bridge forwarding table.

By default, when the CSS receives a Down event for a MAC address in the bridge forwarding table, it may not send an ARP request to an IP address associated with that MAC address for up to 60 seconds to refresh the table. During this time, the bridge flows through the CSS to the MAC address could fail. Use the no form of this command to reset the default behavior.

http-redirect-option [fin-rst|fin-fin|rst-rst]

Configures the CSS to send specific TCP FIN and RST flags with HTTP 302 redirect messages. By default, when the CSS sends an HTTP 302 redirect message, it sends a FIN flag on an initial connection and RST flags on subsequent requests in a persistent connection.

When the CSS sends packets to a client that contains a redirect message to a Microsoft IE browser, use the http-redirect-option command to select a behavior that is suitable for the browser.

The keywords for this command are:

fin-rst - Sends a FIN flag for initial connections and an RST flag for persistent connection (default)

fin-fin - Always sends a TCP FIN flag

rst-rst - Always sends a TCP RST flag

ftp data-channel-timeout seconds

no ftp data-channel-timeout

Allows you to configure the time to wait to initiate the FTP data channel on an active or passive FTP connection when you configure the CSS for FTP content rule and source groups.

The seconds variable is the wait time in seconds. Enter a number from 5 to 20. The default value is 5. To reset the default wait time to 5 seconds, use the no ftp data-channel-timeout command.

Owner-Content

arpt-lct http-100-reinsert

no arpt-lct http-100-reinsert

Reinserts the arrowpoint (ARPT) cookie in the server response packet when the previous HTTP response packet contains a 100 Continue response. Use this command on a content rule configured with the advanced-balance arrowpoint-cookie command.

By default, the CSS always inserts an ARPT cookie in the first server response packet that begins with HTTP. More than likely during POST processing, the packet may contain a 100 Continue response instead of a 200 OK response. When the client receives the 100 Continue response with the inserted ARPT cookie, it may discard the response along with the cookie. Because the CSS does not reinsert the cookie when it receives a following 200 OK response, the client never uses the cookie and stickiness is broken. To reinsert the ARPT cookie in an HTTP server response if the previous packet contains a 100 Continue response, use the arpt-lct http-100-reinsert command.

To reset the default behavior of inserting the ARPT cookie in the first server response packet that begins with HTTP, use the no arpt-lct http-100-reinsert command.

SSL-Proxy

[backend-server | ssl-server] number tcp [virtual | server] retrans milliseconds

no [backend-server | ssl-server] number tcp [virtual | server] retrans

The new retrans option allows you to adjust the retransmission timer for SSL transactions. On networks that experience a lot of packet loss, the transaction can take a long time.

The milliseconds variable is the minimum time in milliseconds for retransmission of SSL transactions. Enter a number from 50 to 500. The default value is 500. To reset the default value of 500 milliseconds, use the no form of the command.


Table 2 lists the commands and options that have changed in software version 7.30.4.02.

Table 2 CLI Commands Changed in Version 7.30.4.02 

Mode
Command and Syntax
Description

Global

flow persist-span-ooo

no flow persist-span-ooo

This command formerly was in Debug mode. This command enables the reordering of persistent spanning packets. By default, the CSS disables the reordering of persistent spanning packets. To reset the default behavior, use the no flow persist-span-ooo command.

flow set-port-zero enable | disable

This command formerly was in Debug mode. This command enables or disables the CSS to pass traffic using a TCP/UDP source or destination port of 0. By default, the CSS disables the passing of traffic using port 0.

Use the enable keyword to enable the passing of traffic using a TCP/UDP source and destination port of 0.

Note The CSS normally logs traffic with source or destination ports of 0 as denial-of-service (DoS) attacks. If you enable traffic on port 0, the CSS does not log the flows as denial-of-service attacks.

Use the disable keyword to reset the CSS to its default behavior of not passing traffic using a TCP/UDP source and destination port of 0.

flow tcp-del-ack

no flow tcp-del-ack

This command formerly was in Debug mode. This command enables TCP delayed acknowledgements (ACK) for Layer 5 spanning packets. By default, the CSS disables TCP delayed ACK for Layer 5 spanning packets. To reset the default behavior, use the no flow tcp-del-ack command.

 

sntp [primary-server | secondary-server] ip_address {version number}

sntp [primary-server-poll-interval | secondary-server-poll-interval] seconds

no sntp [primary-server | secondary-server] | [primary-server-poll-interval | secondary-server-poll-interval]

These commands and their no forms replace the previous version of the sntp command:

sntp [server ip_address {version number}|poll-interval seconds]

no sntp [server|poll-interval]

The modified commands allow the configuration of a primary or secondary SNTP server on the CSS, and their poll intervals. The keywords, variables and options of the modified command are:

primary-server | secondary-server - Defines the primary or the secondary SNTP server.

ip_address - The IP address of the SNTP server. Enter the IP address for the server.

version number - Defines the version of the SNTP server. For the number value, enter a number from 1 to 4. The default version is 1.

primary-server-poll-interval - Defines the poll interval for the primary SNTP server.

secondary-server-poll-interval - Defines the poll interval for the secondary SNTP server.

seconds - The poll interval in seconds between SNTP request messages. For the seconds value, enter a number from 16 to 16284. The default is 64.

Group

zero all

Formerly, this command cleared all service statistics for all source groups displayed through the show group command. This command now clears the statistics for the group in the current mode. It also now clears the portmap statistics.

To clear all service statistics for all source groups displayed through the show group command, use the zero group statistics command, available in any mode.


Software Version 7.30.3.03 Open Caveats, Resolved Caveats, and Command Changes

The following sections contain the open caveats, resolved caveats, and command changes in software version 7.30.3.03:

Software Version 7.30.3.03 Open Caveats

Software Version 7.30.3.03 Resolved Caveats

Software Version 7.30.3.03 Command Changes

Software Version 7.30.3.03 Open Caveats

The following caveats apply to the CSS 11501, CSS 11503 and the CSS 11506:

CSCeg10594 - The CSS does not correctly handle VRRP announcement upon a link failure being brought back into service by a backup CSS when using VIP interface redundancy.

CSCeg25641 - According to RFC 2068, Hypertext Transfer Protocol - HTTP/1.1, if 'chunked' is in a HEAD response, the CSS should ignore it, and not try to look for more data. However, the CSS continues to look for more data, which causes the keepalive to fail.

CSCee33659 - When the ISC link is bounced, the sticky table information on a backup CSS is no longer accurate for certain slots.

CSCeg35174 - During a secure HTTPS transfer, the CSS sends out several hundred KBs, waits between 3.5 and 5 seconds, and then sends out another several hundred KBs. The CSS repeats this pattern until the transfer is complete. The delay between bulk transfers adds to the transfer time for the file locally. Note that this delay does not impact standard HTTP file transfers, only secure HTTP file transfers.

CSCeg35659 - When the sticky table becomes full from entries that use the sticky inactivity timer, the CSS should sticky-reject new connections requiring use of the sticky table, but should still load-balance the connections. When you use the sticky-srcip command, the CSS rejects these connections.

CSCeg40291 - While running a custom keepalive script in a Global Server Load Balancing (GSLB) environment, both CSSs reboot (that is, the CSS running the script and its peer). The CSS running the script creates a core dump, but the peer CSS reboots without creating a core dump.

CSCeg46366 - When you configure the SSL module for url rewrite, it monitors the TCP data traffic from server to client for HTTP header with status code 302. If the header is found at the start of the data payload in the TCP frame, it is considered an HTTP response header and is translated. No check is performed to ensure the data received is an HTTP header that needs to be translated. There is a possibility (very low, but not zero) that the HTTP object accessed contains data that contains HTTP header information with a configured site (for example, a packet trace or HTTP training) and this header is the first data in a TCP frame. If this is true, the header may incorrectly be rewritten.

CSCeg46589 - A scripted keepalive using socket waitfor in the script may fail with a "Script error" at the socket waitfor line. The service will therefore be down. Conditions: The socket waitfor must be expecting a string that matches exactly the data the service is sending. Workaround: Either configure socket waitfor to a shorter string (1 byte less is sufficient) than what the service sends or configure the service to send a string that is longer (1 byte more is sufficient) than what the socket waitfor expects.

CSCeg47732 - When the CSS sends a reset to a client that contains a redirect to an IE browser, the client receives a blank page. When the client refreshes the page, the issue is resolved. This problem occurs only on IE browsers; it is not seen when you use Netscape, Mozilla, or Opera browsers.

CSCeg50573 - If the CSS receives a UDP packet, places it on a vector for future processing, and starts processing the vector, it may incorrectly reference a null pointer and reboot.

CSCeg52668 - If SSH connections from a client are dropped without a FIN or a RESET, the CSS eventually times out the connection on its side but will not release the socket. This prevents the CSS from accepting new connections.

CSCee60207 - Using ACLs and source groups to NAT client traffic fails for traffic destined to a SSL content rule that uses a SSL module. The CSS matches the ACL, but does not NAT the client source IP address. The result is that one-armed topologies do not function properly for specific SSL content rules. The workaround is to configure the source group using the add destination service command instead of using ACLs.

CSCef69624 - If you configure the CSS with preempt on a virtual router that is being monitored by a reporter and the virtual router is in the backup state, the CSS may not preempt if the master CSS begins advertising a lower priority.

Software Version 7.30.3.03 Resolved Caveats

The following caveats were resolved in software version 7.30.3.03:

CSCeg02628 - If you configure double wildcards (for example, "/*.jauction*" or "/mandy/*.jauction*") within the same path on a content rule, the CSS may reboot when you activate and suspend the rule several times.

CSCeg08059 - The CSS may stop responding when it attempts to generate a core dump. When this occurs, the LED flashes red and the CSS remains unresponsive indefinitely.

CSCeg08989 - You can configure the same redundant index on two different services if the services are suspended. If you implement the commit redundancy script and activate the first service found in the configuration, the commit redundancy script fails. It fails because the backup CSS does not write the second redundant index on the second service because a service with this index would already be active. This causes the script to fail because the two configurations are not the same size.

CSCeg09823 - If the disk you use to boot a CSS is different from the primary boot Mass Storage Device (MSD) mapping, or you change the primary boot MSD mapping from the disk that was used to boot using the map command, when you run the upgrade script, the ftp-record puts the new image on the disk used to boot the CSS. When you set the primary boot file in the upgrade script, the file does not exist on the disk to which it is now mapped.

CSCeg10343 - A generated self-signed SSL certificate would not work when you configured a European date on the CSS.

CSCeg11933 - The CSS may reboot when you clear a running-config that contains a large number of redundant VIPs and redundant interfaces on a backup CSS of a VIP redundancy configuration.

CSCef12205 - The CSS was not properly managing its memory when thousands of DNS queries (of different names and strings) were sent to the CSS. This led to memory being reduced to the point at which an unrelated task tried to allocate memory and the CSS rebooted.

CSCef12699 - When you configure the CSS with host routes, do not remove unreachable host routes that are still on the egress host list if these routes are not a dynamic host entry. Removing these host entries may cause the CSS to reboot.

CSCef19103 - The GUI may cause the CSS to reboot when you access the Content Rule Summary page or the Content Rule Main Summary page if the content rule is DNS-based and the CSS learns the content rule from a peer whose rule name exceeds 32 characters.

CSCef19550 - Running an SSH scanning tool against a circuit IP address may cause the CSS to deny SSH, telnet, or console access.

CSCef19704 - When using the advanced-balance ssl command, the CSS does not NAT the server hello when no SSL session ID is sent.

CSCef24443 - The CSS may reboot when it tries to delete a service that has a service index that did not exist. The CSS will now ignore service delete messages with an incorrect service index.

CSCeg25814 - If a UDP application responds on high numbered ports (for example, in the 40000 range) with packets that start with a certain type of data pattern (for example, 93 13 00 00), the CSS may incorrectly interpret a UDP reply from a service as a traceroute packet. If this occurs, the source group NAT is not applied. The CSS is now more specific in the traceroute checking for UDP packets that use higher port numbers.

CSCef26473 - If a client is behind a source group and is performing passive FTP to a VIP on the CSS, a portmap entry is leaked for every control channel.

CSCef28638 - The CSS may reboot when a globally-defined DNS record is removed, re-applied, and removed a second time.

CSCeg29153 - When the CSS is processing a spanned packet and backend remaps to a different server, the initial server then FINs the connection that may cause an ACK loop between the client and the new server.

CSCeg30876 - The CSS cannot handle active FTP transactions using control connections on TCP port 21 and data connections sourced from a TCP port other than port 20. Note that CSCeg30876 supersedes CSCeg12860.

CSCef32957 - The CSS sends out the chmgr-module-transition trap with a specific value of 1, but should send it out with a specific value of 2.

CSCef34041 - The CSS may reboot if you remove an interface and an ARP request is initiated through this interface. The reboot occurs because the nexthop host is not available.

CSCef35273 - The CSS removes the output port from the flow table after the destination MAC is aged out of the bridge forwarding table.

CSCef35258 - A CSS with an SSL module and URL rewrite configured may not rewrite the URLs in 302 redirect responses from the servers if the word "Location" in the HTTP header spans two different TCP packets.

CSCef35721 - The SSL module should not accept an out of order FIN packet.

CSCef35877 - A memory leak exists in the SSL module in client proxy mode (ssl-init and backend ssl) and when client authentication is enabled on the backend SSL servers.

CSCef39490 - If you configure the CSS with an HTTP keepalive with the method GET and the CSS receives an HTTP chunked keepalive response that contains a SPACE (0x20) in the size field, the CSS may incorrectly mark the service as Down.

CSCef40927 - When the CSS sends out a redirect to force a client to break a persistent connection, it uses the host tag and the URL to form the location field. However, proxy clients use requests in the form GET http://. Therefore, combining the host and URL creates an invalid location field.

CSCeg41862 - If the CSS receives an unexpected ChangeCipherSpec message while the cipher negotiation is in progress, the SSL module may reboot.

CSCef42240 - Flows on the backend were getting spliced to the wrong flow on the front end, causing applications to fail.

CSCef44604 - An SNMP NEXT of the apListTable using the apListText OID would not work properly.

CSCef51658 - Adding a new clause to an existing ACL does not make the new clause function by applying the ACL to the circuit.

CSCef51985 - The CSS may reboot if it receives a zero length message length in the SSL record header.

CSCef53702 - If the CSS receives a packet containing a TTL equal to 1 and attempts to send an ICMP error response, with certain traffic patterns, it reboots without generating a core dump, logging a lifeTick failure, or displaying Focus port messages.

CSCee54803 - The CSS is not learning new ARP entries. A host on the local network is not able to ping the CSS circuit address.

CSCee55759 - A CSS that is configured using the advanced-balance arrowpoint-cookie command may mishandle multiple GET retransmissions when the retransmissions interval between them is too short.

CSCee56977 - The CSS may not properly load balance return traffic over firewall routes when the traffic is using a source group.

CSCef58833 - When using ASR and VIP interface redundancy and an SSL module, the SSL service does not display as active in the configuration. If you activate the service, the CSS displays the message "Need to enable session redundancy on this service" and the service still appears suspended in the config. However, the show service summary command shows that the service is active and the SSL module is accepting traffic.

CSCef63092 - In a VIP interface redundancy configuration, the CSS may reboot if you issue the show arp command after a redundancy flip and the ARP is not yet resolved.

CSCef63182 - When you configure SSL flows to use SSL to communicate with a backend server, flows fail if the backend SSL server tries to do a SSL re-handshake. If the backend SSL server attempts to do a SSL re-handshake, the connection will be closed by the SSL module.

CSCef63534 - The CSS may reboot if you remove a location cookie from a content rule and a stray frame is received from the server that matches a deleted flow on the spoof list that had originally been handled by the location cookie.

CSCef67449 - If you configure virtual routers with vrid peering reporters and one of the virtual routers negotiates as master, but is being suppressed by the reporter due to the other virtual router being in the backup state, the Virtual-Router state in the show command display and in the MIB is displayed as Idle. A new state, Master(ReporterBkup), was added to the show virtual-routers command display and a new MIB object, masterReporterBkup, was added to apIpv4RedundancyVROperState.

CSCef68044 - When an 'out of mbufs' condition is detected by the CSS, only one message is logged per second. This message includes a count of the number of messages that are dropped during that second.

CSCef70818 - When you configure a service, because its internal keepalive is configured and added to the lexicographically ordered name list, it is possible for an entry on this list to be removed twice. This may cause the CSS to reboot.

CSCef72033 - If you configure the CSS with a DNS server, it would not allow you to configure an IP or VIP address with an invalid format (such as 'ip address a.b').

CSCee73098 - The CSS may have a potential memory leak in the route table when using host routes.

CSCef73794 - Using the socket waitfor command with the raw option may cause the command to work improperly if you use hex values to represent ASCII text characters.

CSCef74250 - When you configure VIP interface redundancy and reporter (VRID peering), the CSS may not respond to traffic when both CSSs interfaces flap.

CSCef74605 - The CSS may write past the end of a redirect string variable causing memory to be corrupted and causing the CSS to reboot.

CSCee82580 - The CSS may reboot if you configure the ssl-server handshake timeout command.

CSCef82699 - When you configure services using custom keepalives and the data on which to search is longer than 16 characters, a buffer overrun and memory management issue may occur, causing the CSS to reboot.

CSCef82714 - When you configure the CSS for VIP/IF redundancy and OSPF and you then run the commit_vip_redundancy script, the ospf as-boundary commands would not be present on the remote CSS.

CSCef84099 - The CSS may not send an ICMP/ARP reply for redundant interfaces.

CSCef84596 - A specific series of interface flaps may cause the CSS to reboot when a blackhole is configured in combination with a local route to the same destination subnet.

CSCef84780 - If you configure a scripted keepalive using use-output and the script finishes running at the same time it times out, a resource used by the scripted keepalive is freed twice causing the CSS to reboot.

CSCef85653 - When you configure the CSS for virtual radius authentication and have a primary and secondary server configured, if the CSS runs out of radius authentication IDs, it may reboot due to corrupted memory.

CSCef86680 - The CSS must have an existing startup-config before generating SSH keys. This requirement has been modified so that SSH keys can be generated on a CSS that does not have a startup-config.

CSCee88220 - When configuring SSL, performance is the same even when you use SSL session ID reuse, which occurs when you configure a Layer 5 SSL sticky content rule.

CSCef89163 - The CSS may reboot if there are multiple SSL handshake messages in a record.

CSCef90470 - If you type a large number of spaces on the command line and then issue an invalid command, the buffer may be overrun and the CSS may reboot.

CSCef94178 - The CSS does not send back a redirect URL with HTTP code 302 when the server that matches the cookie is down.

CSCef95904 - Backend SSL fails if the ServerHelloDone handshake message is in a record with multiple messages.
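
Two of the HTTP keepalive caveats in this release (CSCeg25641, a HEAD response that carries 'chunked', and CSCef39490, a chunk size field padded with SPACE 0x20) are both about deciding when a health-check response is complete. The following Python is an added example, not Cisco code; the function names and sample responses are constructed. It tolerates whitespace padding in the size field but rejects any other non-hex form, because a checker that reads lengths more loosely than the server it probes will disagree with it about where the message ends.

```python
"""Added example (not CSS code): deciding when an HTTP keepalive response is
complete, for a HEAD response marked 'chunked' and a padded chunk size."""
import re

_HEX = re.compile(rb"^[0-9A-Fa-f]{1,8}$")
_STATUS = re.compile(rb"^HTTP/1\.[01] (\d{3})")


def decode_chunked(data: bytes):
    """Return (body, complete) for a chunked message body."""
    body, pos = b"", 0
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            return body, False             # size line not fully received yet
        field = data[pos:eol].split(b";", 1)[0]    # drop chunk extensions
        field = field.strip(b" \t")                # tolerate "b   " (0x20 pad)
        if not _HEX.match(field):                  # reject "0xb", "+b", ""
            raise ValueError("bad chunk size %r" % field)
        size, start = int(field, 16), eol + 2
        if size == 0:
            # Last chunk: optional trailer fields, then an empty line.
            done = data.startswith(b"\r\n", start) or b"\r\n\r\n" in data[start:]
            return body, done
        if len(data) < start + size + 2:
            return body, False             # chunk data still in flight
        if data[start + size:start + size + 2] != b"\r\n":
            raise ValueError("chunk data not followed by CRLF")
        body += data[start:start + size]
        pos = start + size + 2


def parse_keepalive(method: str, raw: bytes):
    """Return (status, body, complete) for one buffered HTTP/1.x response."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        return None, b"", False            # head not complete
    lines = head.split(b"\r\n")
    m = _STATUS.match(lines[0])
    if not m:
        raise ValueError("not an HTTP response")
    status = int(m.group(1))
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    # A response to HEAD (and any 1xx, 204 or 304) has no body, whatever its
    # Transfer-Encoding or Content-Length says: do not wait for more data.
    if method.upper() == "HEAD" or status < 200 or status in (204, 304):
        return status, b"", True
    if b"chunked" in headers.get(b"transfer-encoding", b""):
        body, complete = decode_chunked(rest)
        return status, body, complete
    if b"content-length" in headers:
        length = int(headers[b"content-length"])
        return status, rest[:length], len(rest) >= length
    return status, rest, True              # assumption: body ends at close


def service_alive(method: str, raw: bytes) -> bool:
    """Keepalive verdict: a complete response with status 200."""
    status, _, complete = parse_keepalive(method, raw)
    return complete and status == 200


# Constructed keepalive responses.
HEAD_CHUNKED = b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
GET_PADDED = (b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
              b"b   \r\nservice OK\n\r\n0\r\n\r\n")

if __name__ == "__main__":
    print(service_alive("HEAD", HEAD_CHUNKED), service_alive("GET", GET_PADDED))
```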

Software Version 7.30.3.03 Command Changes

Table 3 lists the commands and options that have been added in software version 7.30.3.03.

Table 3 CLI Commands Added in Version 7.30.3.03  

Mode
Command and Syntax
Description

Global

ftp non-standard-ports

no ftp non-standard-ports

Enables the CSS to handle FTP connections that do not use the standard FTP control port of 21 and data port of 20.

By default, this setting is disabled. When disabled, the CSS requires the FTP connection to use the standard FTP ports. The CSS preserves and does not NAT the FTP data port when the FTP data connection is passed through the CSS.

When enabled with the ftp non-standard-ports command, the CSS allows the FTP control and FTP data connections to use non-standard ports (ports other than 20 or 21). The CSS does not preserve the FTP data port when the FTP data connection is passed through the CSS.

When you use the ftp non-standard-ports command to allow the use of non-standard FTP ports and a content rule is using FTP, you must configure the application ftp-control command on the content rule.

To reset the default behavior of requiring the FTP connection to use the standard control and data ports, use the no form of this command. For example, enter:

(config)# no ftp non-standard-ports

sshd version v1|v2

no sshd version

Configures the version of the SSH protocol that the CSS supports. By default, the CSS supports both the SSH v1 and v2 protocols. The keywords are:

v1 - Configures the CSS to support SSH v1 protocol only

v2 - Configures the CSS to support SSH v2 protocol only

To reset the CSS to its default configuration of supporting both the SSH v1 and v2 protocols, enter:

(config)# no sshd version

SSL Proxy List

backend-server server-num tcp server ack-delay value

backend-server server-num tcp virtual ack-delay value

ssl-server server-num tcp server ack-delay value

ssl-server server-num tcp virtual ack-delay value

The new ack-delay option allows you to disable or adjust the SSL TCP timer length for delayed acknowledgements on the client or server connection.

The value variable is the timer length in milliseconds (ms) for delayed acknowledgements. The default value is 200. Enter a value from 0 to 10000.

A value of 0 disables the acknowledgement delay in receiving SSL traffic from the client. Disabling the timer improves the performance for sessions using the SSL session cache (Session ID Reuse).


Software Version 7.30.2.03 Open Caveats, Resolved Caveats, and Command Changes

The following sections contain the open caveats, resolved caveats, and command changes in software version 7.30.2.03:

Software Version 7.30.2.03 Open Caveats

Software Version 7.30.2.03 Resolved Caveats

Software Version 7.30.2.03 Command Changes

Software Version 7.30.2.03 Open Caveats

The following caveats apply to the CSS 11501, CSS 11503 and the CSS 11506:

CSCef17772 - The Ethernet management port may become unresponsive as a result of unusual network traffic. Workaround: If the Ethernet management port becomes unresponsive, use the (config-if[Ethernet-Mgt])# admin-shutdown command to shut down the management port. Then use the (config-if[Ethernet-Mgt])# no admin-shutdown command to restart it.

CSCef19103 - The GUI may cause the CSS to reboot when you access the Content Rule Summary page or the Content Rule Main Summary page if the content rule is DNS-based and the CSS learns the content rule from a peer whose rule name exceeds 32 characters.

CSCef19482 - If the CSS sends an ICMP redirect, the packet may contain an ICMP checksum error.

CSCef19704 - When using the advanced-balance ssl command, the CSS does not NAT the server hello when no SSL session ID is sent.

CSCeb29602 - The SNMP v1 version of chassisMgrExt.mib and apent.mib may not load correctly in some network management systems.

CSCdy35383 - The Cisco 11000 series CSS MIBs are not posted on CCO. Workaround: Use an FTP program with a graphical user interface to copy the MIBs from the MIBs directory on your CSS to your management station, then load them into the management station.

CSCee34613 - When configuring max connection in a service, the CSS does not switch traffic based on concurrent connections, though it seems to do so based on connections per second.

CSCee54803 - The CSS is not learning new ARP entries. A host on the local network is not able to ping the CSS circuit address.

CSCee55759 - A CSS that is configured using the advanced-balance arrowpoint-cookie command may mishandle multiple GET retransmissions when the retransmission interval between them is too short.

CSCee60207 - Using ACLs and source groups to NAT client traffic fails for traffic destined to a SSL content rule that uses a SSL module. The CSS matches the ACL, but does not NAT the client's source IP address. The result is that one-armed topologies do not function properly for specific SSL content rules. The workaround is to configure the source group using the add destination service command instead of using ACLs.

CSCee73098 - The CSS may have a potential memory leak in the route table when using host routes.

CSCed80405 - If two content rules using the same VIP have identical names after truncation to 31 characters (including the appended VIP), the CSS may reboot.

CSCee82580 - The CSS may reboot if you configure the ssl-server handshake timeout command.

CSCee88220 - When configuring SSL, performance is slower when you use SSL session ID reuse, which occurs when you configure a Layer 5 SSL sticky content rule.

Software Version 7.30.2.03 Resolved Caveats

The following caveats were resolved in software version 7.30.2.03:

CSCee01321 - The CSS incorrectly accepts an internal service name as a valid service in a content rule if you specify a service weight. When this is configured, you cannot remove the service from the content rule or delete the content rule. Rebooting the CSS does not fix this issue.

CSCef02846 - The CSS may reboot when the primary servers are suspended and the sorry server configuration is used.

CSCef03474 - A lifetick failure on the ISC link may cause the link to become wedged in the down state.

CSCef06443 - When a PrismBufferDebug error log indicates a buffer double free, a TCP keepalive received packet from the server with PSH, FIN, and ACK bits set results in the packet being processed incorrectly.

CSCef06995 - When using multiple source groups, a flow may be associated with more than one source group, causing the CSS to reboot.

CSCef08386 - Configuring a URQL on a content rule that has a 0.0.0.0 VIP address should not be allowed, and causes the CSS to reboot.

CSCef21844 - A cluster corruption causes the NetTask to suspend.

CSCee23156 - Forcing content replication using the replicate force command may fail if you move, rename, or delete files on the publisher. This problem typically occurs after an initial synchronization.

CSCee38740 - When using the script modify command in a scripted keepalive, if the variable to be modified does not exist, the CSS may leak memory.

CSCee41868 - You will not be able to use SSH to access the CSS after you run the Nessus scan tool on a circuit IP address.

CSCee44817 - Scripted keepalives may cause the CSS to reboot.

CSCee45284 - When the CSS receives an HTTP POST request that spans multiple packets, but receives those packets too quickly, the CSS may reset the connection.

CSCee49236 - The CSS responds incorrectly for a DNS query type of ANY.

CSCee53027 - The CSS may reboot when it processes the timestamp option in an IP header.

CSCee56155 - The VIP address range fails to check for VIPs that are already in use on source groups.

CSCee59808 - Non-persistent keepalives are reusing source ports too quickly for multiple services that are using the same destination IP address and port.

CSCee60837 - Backend SSL fails when a server offers a 16-byte session ID.

CSCee61578 - Configuring radius-server dead-time 1 causes sockets to leak. An out-of-socket condition causes a keepalive task to crash when the keepalive tries to close a socket that it could not get.

CSCed69094 - Using SSH to connect to the CSS while SSL performance tests are running may cause the Sshd task to suspend.

CSCee70050 - The CSS fails to update reachability information in the route table for the first route entry for a /32 route (host route) that follows an unreachable host entry. An attempt to send traffic to the host described by such an entry may cause the CSS to stop processing traffic indefinitely or cause it to reboot.

CSCee75060 - The CSS may reboot when processing host routes for redistribution to or from OSPF when a host entry (for which an ARP could be resolved) for the IP address is submitted to the route table.

CSCee77663 - When the CSS is configured as a zone-based DNS server and you configure an A-record, but the keepalive has failed for all zones in which the name is configured, and a request is made to the CSS for that name, the CSS may reboot.

CSCee80408 - Using the tacacs-server authorize config or the no tacacs-server authorize config command causes a memory leak.

CSCee85140 - The CSS stops responding to requests on port 80.

CSCee90213 - The CSS logs the following error message when there is no FTP content rule in a configuration: "Can't change type to transparent-cache if attached to an FTP rule".

CSCee95633 - If a service is configured with type nci-direct-return and is then added to a content rule configured with advanced-balance sticky-srcip, the NCI options are not set up for flows hitting the content rule.

Software Version 7.30.2.03 Command Changes

Table 4 lists the commands and options that have changed in software version 7.30.2.03.

Table 4 CLI Commands Changed in Version 7.30.2.03  

Mode
Command and Syntax
Description

Group

vip address ip_or_host {range number}

The range for the range number variable changed from 1 to 65353 to 1 to 65535.


Software Version 7.30.1.06 Open Caveats, Resolved Caveats, and Command Changes

The following sections contain the open caveats, resolved caveats, and command changes in software version 7.30.1.06:

Software Version 7.30.1.06 Open Caveats

Software Version 7.30.1.06 Resolved Caveats

Software Version 7.30.1.06 Command Changes

Software Version 7.30.1.06 Open Caveats

The following caveats apply to the CSS 11501, CSS 11503 and the CSS 11506:

CSCee01321 - The CSS incorrectly accepts an internal service name as a valid service in a content rule if you specify a service weight. When this is configured, you cannot remove the service from the content rule or delete the content rule. Rebooting the CSS does not fix this issue.
Workaround: To remove a service, copy the startup-config to a TFTP server and edit the startup-config to remove the service from the content rule or to delete the content rule. Then copy the edited startup-config back to the CSS and reboot the CSS.

CSCee23156 - Forcing content replication using the replicate force command may fail if you move, rename, or delete files on the publisher. This problem typically occurs after an initial synchronization.

CSCeb29602 - The SNMPv1 version of chassisMgrExt.mib and apent.mib may not load correctly in some network management systems.

CSCdy35383 - The Cisco 11000 series CSS MIBs are not posted on CCO. Workaround: Use an FTP program with a graphical user interface to copy the MIBs from the MIBs directory on your CSS to your management station, then load them into the management station.

CSCee38740, CSCee44817 - Scripted keepalives may cause the CSS to reboot.

CSCee45284 - When the CSS receives an HTTP POST request that spans multiple packets, but receives those packets too quickly, the CSS may reset the connection.

CSCee55759 - A CSS that is configured using the advanced-balance arrowpoint-cookie command may mishandle multiple GET retransmissions when the retransmission interval between them is too short.

CSCee60207 - Using ACLs and source groups to NAT client traffic fails for traffic destined to a SSL content rule that uses a SSL module. The CSS matches the ACL, but does not NAT the client's source IP address. The result is that one-armed topologies do not function properly for specific SSL content rules. The workaround is to configure the source group using the add destination service command instead of using ACLs.

CSCee60213 - The CSS may reboot when memory gets corrupted.

Software Version 7.30.1.06 Resolved Caveats

The following caveats were resolved in software version 7.30.1.06:

CSCee00757 - A non-privileged user cannot run the show log sys.log command.

CSCee01234, CSCee01240 - A new vulnerability in the OpenSSL implementation for SSL was announced on March 17, 2004. An affected network device running a SSL server based on an affected OpenSSL implementation may be vulnerable to a Denial of Service (DoS) attack. There are workarounds available to mitigate the effects of this vulnerability on Cisco products in the workaround section of this advisory. Cisco is providing fixed software, and recommends that customers upgrade to it when it is available. This advisory will be posted at http://www.cisco.com/warp/public/707/cisco-sa-20040317-openssl.shtml.

CSCee03077 - The CSS reboots while attempting to send data with corrupted flow structure to a spoofed server.

CSCed06619 - When you configure the CSS with Session Level Redundancy (SLR) using source groups and a passive FTP connection is initiated through the source group, the CSS may reboot when the connection is torn down.

CSCee07003 - When a CSS is configured for max connections, the outputs for the show service and show service summary commands may display a number of connections greater than the number of max connection configured on the service. When the CSS load-balances a flow, the number of connections to a service is not properly updated. Therefore, the number of connections to the service may be exceeded.

CSCee08487 - If the window size advertised in a backend SYN is smaller than the length of the first data segment (for example, HTTP GET), the CSS does not send out the ACK to complete the backend three-way handshake and drops the TCP packet.

CSCee08529 - The CSS does not require you to configure a subnet mask on the Ethernet Management port. If you do not configure a subnet mask, the CSS uses the default subnet mask of 0.0.0.0. Any traffic that is transmitted from or sent to a CSS circuit will fail if there is an overlap with the management port IP address. The default is now 255.255.255.0.

CSCee08664 - If the global portmap and restrict snmp commands are both configured when you are running the commit_vip_redundancy script, the script may report a byte count difference of 2 bytes. This does not adversely impact the CSS running-configs.

CSCed09529 - The CSS reboots after it suspends and changes the portmap number of ports to a low number if the group has many open mappings.

CSCdx09860 - If a packet that is carrying an Arrowpoint cookie does not reach a client, the retransmitted packet does not get the Arrowpoint cookie insertion. This may cause a TCP sequence number mismatch, and the packet may also contain unexpected data.

CSCee21521 - Under rare circumstances while using LDAP scripted keepalives, the CSS may identify one or more services as down.

CSCed21769 - Using VIP and interface redundancy in one Global Server Load Balancing (GSLB) site and using a single CSS in another GSLB site causes the load to be reported incorrectly after you suspend and activate a content rule.

CSCee24269 - The CSS does not properly clean up an internal data structure.

CSCee24309 - The CSS was not properly authorizing all commands through the TACACS+ server.

CSCee32636 - Using the application ssl command in a SSL content rule on a CSS 11500 with a SSL module running software version 7.20.3.05 or greater causes two SSL client hellos to be sent from the client three seconds apart, which causes latency.

CSCed32955 - After power-cycling the Catalyst 2950, the Rx port on the CSS stops incrementing. The Tx port functions properly. The workaround is to reboot the CSS. To avoid this issue, configure both the Cat2950 and the CSS for a speed of 10 megabits per second.

CSCdw34822 - The "@" character in a user profile causes the profile to abort if you log in as a user (that is, not SuperUser). Because the "@" character enables a command to be run in user mode, the CSS should have allowed it.

CSCee38396 - When you configure the CSS using the cmd-sched command, the first time the CSS executes the cmd-sched record, the CSS may execute the record twice during the first second.

CSCee39336 - A vulnerability in the Transmission Control Protocol (TCP) specification (RFC 793) has been discovered by an external researcher. Successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences beyond a terminated connection, which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer) and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality. All Cisco products which contain a TCP stack are susceptible to this vulnerability. This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS® software. A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at: http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.

CSCed39121 - When you run the commit_redundancy or commit_vip_redundancy scripts, the OSPF area settings on the circuit may be removed from the remote CSS.

CSCed40192 - The CSS may queue up more blocks of data than it can send to the hardware. This may cause the 'Too Many Blocks for Block2AccelFragmentArray' counter to increment.

CSCed46905 - The SSL module allows a finite amount of SSL/TLS backend connections before it stops passing traffic. All cipher suites are affected. To recover, reboot the CSS. Workarounds are to disable backend SSL/TLS or use a smaller certificate on the IIS server.

CSCed47022 - When running high amounts of sustained traffic on two SSL modules, tasks may become suspended and the CSS may reboot.

CSCee49006 - The CSS GUI does not display owner/service in the monitor summary page.

CSCed51417 - The CSS considers a service to be down if the service is configured with an HTTP keepalive and the only response from the keepalive is HTTP/1.0 200OK. The CSS should interpret this as a valid response to an HTTP keepalive and consider the service as up. Workaround: Configure the service keepalive type as non-persistent using the keepalive type http non-persistent command.

CSCed51715 - In a VIP and virtual interface redundancy configuration, if you configure a virtual router (VR) on the local CSS but not on the remote CSS, when you run the commit_vip_redundancy script, the script copies the local VR and its priority to the remote CSS. Because both the local and the remote VRs now have the same priority, priority is not used to determine the master. In this case, the CSS with the lower IP address becomes the master. If you want to determine mastership based on priority, manually configure the remote CSS priority as required.

CSCed52992 - When doing an SNMP NEXT through the apSvcTable from the svcExt.mib, the CSS SCM CPU may spike to high levels and remain high for long periods of time. This issue is related to the number of configured services.

CSCed54235 - The show log sys.log tail number command only displays half of the number of lines specified in the command line.

CSCed57552 - When running non-sticky flows through an ASR environment when ISC ports are down, the CSS continuously displays the following sys.log message because it is not aware that the logical ISC state is down.
DEC 28 14:30:05 1/1 2496137 FP_DRV-4: PrismFastPath::TxPacketToQueue: Queue Write failed Qnum: 0 SB: 0 TaskName: tFlowMgrPktRx TaskId: 0x84de9dc0 Buffer Address: 0x87c588688

CSCed57712 - RSH (Remote Shell) through the CSS does not function because source port NAT'ing interferes with it.

CSCed58756 - If you configure the CSS for a SuperUser account with a password of 123456, the SuperUser is allowed access to the CSS if they enter 1234567 as the password. This problem exists only with passwords that contain a number of characters that are divisible by 8.

CSCed58848 - Untranslated TCP packets are passed through the CSS when using backend SSL.

CSCed61321 - When you configure the CSS for SSL termination and the SSL handshake is in process when a client key exchange is received instead of a client hello, the CSS may reboot.

CSCed62063 - SSH sessions are not being cleared, which causes new sessions to be blocked.

CSCed64614 - The ap-kal-dns keepalive script fails when used with the dnsflow disable command and you add a service to a source group. The workaround is to remove the DNS server from the source group.

CSCed66271 - If you configure many persistent HTTP keepalives, you may overflow the registration of internal CSS semaphores. This does not affect the function of the keepalives. If this occurs, the following log message is displayed:
SYSSOFT-1: Exceeded max # of semaphore registry entries (2000).

CSCed66531 - The Time (Sec) Elapsed field in the show sticky-table command for SSL traffic is incorrect.

CSCec67557 - When the CSS backend-remaps a persistent connection, an ACL check does not occur. This prevents the backend connection from being NAT'd properly.

CSCed73326 - When the CSS is configured with a scripted keepalive (which does multiple socket sends), the CSS buffers the data in the different socket sends and then sends them out as part of one data packet. The nowait option, added in software version 7.20.4.04, instructs the CSS to immediately send the data from a socket send and not buffer the data from different socket sends.

CSCeb73418 - If a client TCP stack retransmits an original TCP SYN at the same time the original TCP SYN is sent out, the CSS does not detect the retransmitted TCP SYN as a duplicate SYN. The CSS now checks for duplicate SYNs that arrive simultaneously.

CSCed74244 - If the DNS forwarder feature is configured and you enter debug mode and issue the dns setFwdKal 0 command, the CSS reboots. A value of 0 is invalid for the dns setFwdKal command.

CSCed75430 - Using an incomplete MIB variable for the sample-variable command in (config-rmonalarm) mode may cause the CSS to reboot.

CSCed76105 - The show sticky-stats command was added to the showtech diagnostic script to provide information on the CSS sticky database.

CSCed76182 - Issuing the no app-udp ? command may cause the CSS to reboot.

CSCed76755 - If the CSS Ethernet Management port does not have a subnet mask configured on it, the CSS will not be able to respond to DNS queries. Workaround: Configure an IP address and a subnet mask on the Ethernet Management port.

CSCec81039 - The flow statistics command displays invalid active flow counts per port. The counts increase, but do not decrease.

CSCed81963 - When you configure a content rule with the no persistent command and globally configure the persistent reset remap command, the urlhash and domainhash load-balancing methods prevent the CSS from performing a server remap when required. The CSS should remap a server when a subsequent HTTP GET on an HTTP 1.1 connection causes a different hash value than the previous GET.

CSCed83158 - A CSS with an installed SSL module may incorrectly forward a server response according to the routing table rather than delivering the server response to the SSL module for encryption. This issue occurs when the port configured on the clear text content rule and the port configured on the service do not match.

CSCed85319 - When a server response to an HTTP1.1 keepalive request contains a "Connection: keepalive", the CSS incorrectly downgrades the HTTP1.1 keepalive to an HTTP1.0 keepalive.

CSCed88058 - When the CSS is configured as a DNS server and a DNS name is configured on a content rule, but all servers for that rule are unavailable, the CSS returns NXDOMAIN for a DNS request. In this situation, the CSS should return SERVERFAIL.

CSCed88075 - When you configure the CSS with the advanced-balance arrowpoint-cookie command, it may incorrectly interpret a server data packet beginning with 'PORT' or '227' as an FTP packet. If this occurs, the CSS corrupts the packet because it assumes that FTP is in use.

CSCed88755 - A CSS may stop allowing SSH connections after running for a period of time. Workaround: Reboot the CSS.

CSCed89086 - The CSS allows you to remove the redirect command from an active content rule even if no services are configured on the rule. This should not be allowed because services are required on an active content rule that does not contain a redirect.

CSCed91385 - The CSS drops traffic when it is configured for VIP redundancy and is the backup CSS for a VIP and needs to NAT a client IP address due to a configured source group.

CSCed95285 - The CSS may reboot when removing a session if the VIP address was already removed.

CSCed95735 - A port that is set to 100Mbits-HD may stop transmitting packets.

Software Version 7.30.1.06 Command Changes

Table 5 lists the commands and options that have been added in software version 7.30.1.06.

Table 5 CLI Commands Added in Version 7.30.1.06  

Mode
Command and Syntax
Description

Global

ip advanced-route-remap

no ip advanced-route-remap

Remaps flows based on the most specific available route.

prelogin-banner filename

no prelogin-banner

Allows you to display banner text before you log in to the CSS. To specify where the banner text resides, enter a filename as quoted text with a maximum of 32 characters.

replication file-error retry|skip

Specifies how the CSS handles file errors during content replication. The command options are:

retry - (Default) Replication pauses while the CSS periodically attempts to replicate a missing file

skip - The CSS skips the missing file and continues the replication process


Table 6 lists the commands and options that have changed in software version 7.30.1.06.

Table 6 CLI Commands Changed in Version 7.30.1.06  

Mode
Command and Syntax
Description

All

show log {log_filename {tail lines} {line-numbers}}

This command is now available in all modes. Previously, this command was not available in User mode.

show log-list

This command is now available in all modes. Previously, this command was not available in User mode.

show system-resources slot

Added the slot variable to display system resources for a specific slot in the CSS chassis.

socket connect host ip_address port number tcp {timeout} {session} {nowait}

For TCP connections, added the nowait option, which causes the socket to send data immediately without waiting to aggregate the data first.

Content

no advanced-balance

The syntax of this command changed from no advance-balance.

SuperUser and All Config Modes

show script {filename {line-numbers}}

Added the line-numbers option, which allows you to display line numbers with the script text.


Software Version 7.30.0.05 Open Caveats, Resolved Caveats, and Command Changes

The following sections contain the open caveats, resolved caveats, and command changes in software version 7.30.0.05:

Software Version 7.30.0.05 Open Caveats

Software Version 7.30.0.05 Resolved Caveats

Software Version 7.30.0.05 Command Changes

Software Version 7.30.0.05 Open Caveats

The following caveats apply to the CSS 11501, CSS 11503 and the CSS 11506 in software version 7.30.0.05:

CSCed06619 - When you configure the CSS with Session Level Redundancy (SLR) using source groups and a passive FTP connection is initiated through the source group, the CSS may reboot when the connection is torn down.

CSCeb08303 - A unicast or multicast IP fragment sent to the management port may cause the management port to be inoperable. If this occurs, issue the admin-shutdown command and then the no admin-shutdown command using the console port. Alternatively, issue these two commands in a telnet session to the CSS through an active circuit IP address.

CSCed09529 - The CSS reboots after it suspends and changes the portmap number of ports to a low number if the group has many open mappings.

CSCed21769 - Using VIP and interface redundancy in one Global Server Load Balancing (GSLB) site and using a single CSS in another GSLB site causes the load to be reported incorrectly after you suspend and activate a content rule.

CSCea25171 - In a content rule-based Global Server Load Balancing configuration in which two CSSs are in an APP session exchanging domain information, where CSS-A is configured with www.a.com, www.b.com, and www.c.com (in the same content rule) and CSS-B is configured with only www.a.com and www.b.com, CSS-B incorrectly believes that it has www.c.com configured locally (because it learned about www.c.com from its peer). When CSS-B is queried for www.c.com, it returns its local VIP as well as the remote VIP. Because www.c.com is not configured on CSS-B, CSS-B should return only the remote VIP.

CSCed26299 - Using ACLs and source groups to NAT client traffic fails for traffic destined to a SSL content rule that uses a SSL module. The CSS matches the ACL, but does not NAT the client's source IP address. The result is that one-armed topologies do not function properly for specific SSL content rules. The workaround is to configure the source group using the add destination service command instead of using ACLs.

CSCeb29602 - The SNMPv1 version of chassisMgrExt.mib and apent.mib may not load correctly in some network management systems.

CSCed32955 - After power-cycling the Cat2950, the Rx port on the CSS stops incrementing. The Tx port functions properly. The workaround is to reboot the CSS. To avoid this issue, configure both the Cat2950 and the CSS for a speed of 10 megabits per second.

CSCec34406 - In a Layer-3 one-arm configuration, a SSL module ignores client TCP FIN/ACKs once a threshold between 400 and 500 TPS (transmissions per second) is reached.

CSCdy35383 - The CSS MIBs are not posted on CCO. Workaround: Use an FTP program with a graphical user interface to copy the MIBs from the MIBs directory on your CSS to your management station, then load them into the management station.

CSCed38249 - When a CSS receives multiple load reports for a GSLB service, the reported load may be incorrect. The CSS may receive multiple load reports for a service if the load reports are received from a pair of CSSs that have a redundant VIP configured for the service.

CSCed39121 - When you run the commit_redundancy or commit_vip_redundancy scripts, the OSPF area settings on the circuit may be removed from the remote CSS.

CSCed40192 - The CSS may queue up more blocks of data than it can send to the hardware. This may cause the 'Too Many Blocks for Block2AccelFragmentArray' counter to increment.

CSCed45747 - The CSS reboots after it receives, on port 5002, a 0-length app-udp message destined to the management port.

CSCed47022 - When running high amounts of sustained traffic on two SSL modules, tasks may become suspended and the CSS may reboot.

CSCed48493 - In an ASR environment, if the ISC port and critical services are continuously bounced while high levels of flows are running, the backup CSS may start perpetually logging the following messages:

DEC 20 15:40:25 1/1 112132 FP_DRV-5: AuxReadPrimitive: WriteQueue failed

DEC 20 15:40:25 1/1 112133 FP_DRV-5: AuxReadPrimitive: Request queue not empty before burst: 4 packets.

The workaround is to reboot the CSS that is logging these messages.

CSCed49849 - If a critical service in an ASR configuration transitions under a heavy load, causing both redundancy and an ASR failover, the redundancy transition may cause the CSS to reboot.

CSCed51417 - The CSS considers a service to be down if the service is configured with an HTTP keepalive and the only response from the keepalive is HTTP/1.0 200OK. The CSS should interpret this as a valid response to an HTTP keepalive and consider the service as up. Workaround: Configure the service keepalive type as non-persistent using the keepalive type http non-persistent command.

CSCed51715 - In a VIP and virtual interface redundancy configuration, if you configure a virtual router (VR) on the local CSS but not on the remote CSS when you run the commit_VipRedundConfig script, the script copies the local VR and its priority to the remote CSS. Because both the local and the remote VRs now have the same priority, priority is not used to determine the master. In this case, the CSS with the lower IP address becomes the master. If you want to determine mastership based on priority, then manually configure the remote CSS priority as desired.

CSCec67557 - When the CSS backend-remaps a persistent connection, an ACL check does not occur. This prevents the backend connection from being NAT'd properly.

CSCec77032 - If an ARP or ICMP storm occurs on the same network as the CSS Ethernet management port and the management port is being queried by an SNMP device (for example, HSE), CPU utilization may spike and services may transition from up to down. This occurs if the ARP storm and SNMP queries happen simultaneously. A workaround is to either stop SNMP querying or prevent an ARP or ICMP storm from occurring on the same network as the Ethernet management port.

CSCec81039 - When an ingress port is changed, the CSS cannot properly maintain the per-port Active, TCP, and UDP flow counters in the flow statistics display. The ingress port of the flow changes when you configure the CSS for a Layer 5 content rule and the CSS performs a backend spoof to a server: the TCP SYN is sent to the backend server, and the TCP SYN/ACK response from the server is received on a port that is different from the port on which the original SYN was sent by the CSS.

CSCeb83566 - Fragments sent to the Ethernet management port may cause the CSS to reboot.

CSCec83724 - When you use source groups on the CSS in an ASR environment, the number of eligible and usable ports for portmapping decreases.

Software Version 7.30.0.05 Resolved Caveats

The following caveats were resolved in software version 7.30.0.05:

CSCed00734 - If you change a keepalive on a service from keepalive type script to keepalive type ssl without first suspending the service, the service will go into a DOWN state indefinitely.

CSCec01380 - The CSS sends 302 redirects with an incorrect URL in response to a CONNECT.

CSCed01717 - When you configure a service using the type ssl-accel-backend command and the redundant-index command, the CSS displays an incorrect error message.

CSCed01770 - When you configure the CSS for Global Server Load Balancing (GSLB) and use the dns-record a kal-ap threshold command (with the threshold default of 254) and the CSS receives NXDOMAIN responses for a dns-record with a content rule that contains only one service and that service reaches a load level of 254, the CSS does not transition down the service.

CSCed02951 - The CSS reboots if you issue the no ssl associate cert command, place a new certificate on the CSS, and then issue the ssl associate cert command, and the new certificate is larger than the previous certificate.

CSCed03090 - A stack overflow may occur on some processes on the SSL module, including TimerTask and SslTx. This may cause these processes to fail.

CSCec07321 - When using ASR (Adaptive Session Redundancy), if the backend server goes down due to having a cable removed from the Layer 2 switch, the CSS does not send UDP traffic.

CSCeb12522 - On a CSS configured as a PDB, the PDB functionality may hang. To recover, you must reboot the CSS. This situation occurs when you issue the proximity commit ftp command and the FTP server does not allow PUT.

CSCec16679 - SNMP lexicographical ordering is incorrect in various MIB locations.

CSCec16689 - When you configure a blackhole route to the same IP subnet on which a firewall route has its next hop, shutting down the IP interface or unplugging the cable from the interface to that next hop may cause the CSS to reboot.

CSCec17121 - When disabling the dns-server, the console or a telnet session may lock up.

CSCin18392 - The apPortCopy table does not properly copy files when an absolute path is provided.

CSCed13555 - In a VIP redundancy configuration, when CSS-A (master) fails over to CSS-B (backup), and then CSS-B fails back over to CSS-A, if flowy traffic hits CSS-B, the ARP entry on CSS-B that should point to CSS-A may be missing, and traffic is dropped. If non-flowy traffic hits CSS-B, the ARP request is sent out and traffic is forwarded properly.

CSCed15825 - The CSS reboots when the following three conditions are true. Under these three conditions, the CSS uses the wrong host information to send the DNS keepalive packet to itself (the circuit IP address).

No management port IP address or subnet mask is configured

The CSS is configured with the app-udp command

The CSS is configured with the dns-record command that contains a keepalive pointing to the CSS circuit IP address.

CSCed20671 - The string range command searches on one less byte than the range maximum. The range should be 1 to 100, but the CSS only searches on a range of 1 to 99.

CSCed21013 - SSL connections that are terminated on a CSS may have trailing data added to them after being decrypted. This added data may confuse the servers on the back-end, causing application errors.

CSCeb25077, CSCed29795 - If an SSL handshake message spans an SSL record and TCP packet, a handshake failure occurs.

CSCed25009 - When you configure a content rule with application ssl and use an advanced-balance method that employs the sticky database, the CSS does not distribute sticky database entries properly to modules in the chassis, which causes connections to fail because they are not directed to the correct server.

CSCed26264 - If you do not configure an IP address for the management port, an SNMP GET of ifOperStatus returns invalid data (that is, a value of 0).

CSCec28308 - The CSS sends mails with a line feed (\n) that does not contain a preceding carriage return (\r). This causes mail to be rejected by qmail.

CSCed29953 - The CSS does not set up flows for TCP port 520.

CSCec30587 - SSHv1 connections into the CSS leak 3277 bytes of memory. Over time, the CSS may run low on memory.

CSCec38220 - When the CSS is configured for SSL termination, the SSL module may send the decrypted traffic in a TCP packet with a bad checksum.

CSCed41281 - During bootup, the CSS may receive multiple entries for processors in the chassis that time out certain commands that are waiting for responses from modules even though the modules have already responded. The workaround is to reboot the CSS.

CSCec45381 - When the Resource Manager Essentials (RME) software 3.5 performs a config archive and uses SSH login to the CSS, it performs the archive successfully, but generates the following two messages in the sys.log:

*******
SEP 29 10:53:44 1/1 361 NETMAN-4: Accepted without authentication for admin from 172.16.123.78 port 59514
SEP 29 10:53:46 1/1 366 NETMAN-4: Disconnecting: Corrupted checked bytes on input.
*******

CSCec45497 - In an ASR configuration, source port resources may leak after a failover occurs and the CSS cleans up the flows.

CSCea47419 - A custom script opens port 443 on one server and sends an SNMP request to another server. With 12 to 16 services using this script, every 5 to 15 minutes, a service goes into the Dying state while waiting for the SNMP reply (which was already received). This caveat is caused by a timing issue in the waitfor script command.

CSCec48758 - OSPF only advertises a VIP host route if regular services are active. If regular services are not active and the Primary Sorry Server is active, the VIP route is not advertised. This issue prevents access to the Sorry Server.

CSCec49123 - When the CSS cannot forward a packet because of an unresolved ARP, the buffer in which the packet was received may leak when the ARP times out.

CSCec54416 - A buffer may not be transmitted to a hardware queue when the queue is full (known as a transmit abort). The CSS should free the buffer back into the free pool.

CSCec55690 - When SPAN is configured on a port, certain types of ingress traffic may eventually cause the Session Processor (SP) to stop processing flows. Reboot the CSS to recover from this situation.

CSCec58376 - If you have a static ARP entry using an IP address that is identical to a circuit IP address, the CSS reboots. Static ARP entry IP addresses, circuit IP addresses, and source group IP addresses must all be unique. The CSS does not allow you to configure identical IP addresses for these configuration parameters.

CSCeb59662 - The CSS should time out idle GUI connections, but does not. Also, you should be able to show the GUI sessions in use and disconnect GUI sessions, but cannot.

CSCec59890 - When a CSS is configured with persistent reset remap and a Layer 5 content rule configured with no persistent, advanced-balanced cookies, and sticky-no-cookie-found-action and receives on a persistent connection an HTTP GET with no cookie, it does not re-load balance to select a new service. The CSS keeps the connection on the previous sticky server, which is incorrect.

CSCec61316 - If an XML document that is not terminated with a carriage return line feed (CRLF) is uploaded to a CSS 11500, it will fail and the following message will be logged: "httpRpmPut: Not a well-formed XML document".

CSCec64389 - If the CSS is configured for SSL termination with export ciphers contained in the configuration, the CSS may log the error: SSLACCEL-3:CRYPTO HARDWARE RESET. The CSS would then experience slow, stalled SSL connections and may reboot.
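The sys.log messages quoted in this note for CSCed48493, CSCec45381 and CSCec64389 can be matched mechanically when reviewing logs collected from a CSS. The following Python is an added example, not Cisco code; the field names (slot, seq, level), the function names, the allowlist parameter and the two log lines marked constructed are assumptions made for illustration.

```python
import re

# Layout inferred from the sys.log excerpts quoted in this release note:
#   MON DD HH:MM:SS <n>/<n> <number> <SUBSYSTEM>-<level>: <message>
# The group names (slot, seq, level) are assumptions; the note does not name them.
LINE_RE = re.compile(
    r"^(?P<month>[A-Z]{3}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<slot>\d+/\d+) (?P<seq>\d+) "
    r"(?P<subsystem>[A-Z_]+)-(?P<level>\d+): ?(?P<message>.*)$"
)

ACCEPT_RE = re.compile(
    r"Accepted without authentication for (?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)"
)

# (caveat ID, subsystem, message pattern), taken from the caveat descriptions.
SIGNATURES = [
    ("CSCed48493", "FP_DRV", re.compile(
        r"AuxReadPrimitive: (WriteQueue failed|Request queue not empty before burst)")),
    ("CSCec45381", "NETMAN", ACCEPT_RE),
    ("CSCec45381", "NETMAN", re.compile(r"Disconnecting: Corrupted checked bytes on input")),
    ("CSCec64389", "SSLACCEL", re.compile(r"CRYPTO HARDWARE RESET")),
]

# DEC and SEP records: message text quoted in the note; the first NETMAN record
# is deliberately wrapped to exercise continuation handling. JAN records: constructed.
SAMPLE_LOG = """\
DEC 20 15:40:25 1/1 112132 FP_DRV-5: AuxReadPrimitive: WriteQueue failed
DEC 20 15:40:25 1/1 112133 FP_DRV-5: AuxReadPrimitive: Request queue not empty before burst: 4 packets.
SEP 29 10:53:44 1/1 361 NETMAN-4: Accepted without authentication for admin from
172.16.123.78 port 59514
SEP 29 10:53:46 1/1 366 NETMAN-4: Disconnecting: Corrupted checked bytes on input.
JAN 05 09:12:01 2/1 48 SSLACCEL-3:CRYPTO HARDWARE RESET
JAN 05 09:12:05 1/1 49 NETMAN-5: constructed line that matches no caveat
"""


def parse_records(text):
    """Return one dict per log record, folding wrapped continuation lines."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not any(ch.isalnum() for ch in line):
            continue  # blank lines and separator rows such as "*******"
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
        elif records:
            # No timestamp prefix: the tail of the previous, wrapped message.
            records[-1]["message"] = records[-1]["message"].rstrip() + " " + line
    return records


def match_caveats(records):
    """Map caveat ID -> list of records whose message matches its signature."""
    hits = {}
    for rec in records:
        for caveat, subsystem, pattern in SIGNATURES:
            if rec["subsystem"] == subsystem and pattern.search(rec["message"]):
                hits.setdefault(caveat, []).append(rec)
                break
    return hits


def unexpected_unauthenticated(records, known_managers=frozenset()):
    """Sources of 'Accepted without authentication' not on the allowlist."""
    sources = []
    for rec in records:
        m = ACCEPT_RE.search(rec["message"]) if rec["subsystem"] == "NETMAN" else None
        if m and m.group("src") not in known_managers:
            sources.append((rec["time"], m.group("user"), m.group("src")))
    return sources


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print({c: [r["seq"] for r in m] for c, m in match_caveats(recs).items()})
    print(unexpected_unauthenticated(recs))
```

Passing the addresses of the management stations that perform config archives as known_managers leaves only the "Accepted without authentication" sources that still need an explanation.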

CSCec65326 - If you do not configure an IP address or subnet mask for the management port and the SNMP trap is an enterprise trap, 0.0.0.0 is used as the agent IP address in the trap.

CSCec68022 - When any remote command is performed (either manually or by running the config_sync script) and the primary SCM is in slot 2, the CSS reboots.

CSCec73591 - The show ip forwarding debug mode command may cause the CSS to reboot if the table is too large. In addition, the data displayed may be incomplete.

CSCec73612 - The CSS reboots when OSPF submits greater than 15 equal cost routes to a single destination.

CSCec74453 - CDP packets are bridged by the CSS, but they should not be bridged.

CSCec77158 - The CSS reboots when you issue the no ssl associate command and then suspend and activate the service.

CSCeb77234 - After the CSS experiences a transition in a VIP redundancy configuration, UDP flows initiated from a backend server are unNAT'd.

CSCec80040 - If you configure the CSS using the advanced-balance method (which uses the sticky table) and the calculated sticky hash key is zero, the CSS reboots.

CSCec80913 - An SNMP NEXT of the apChassisMgrExtSubModuleTable causes the CSS to reboot if you use an invalid slot/subslot to index the table.

CSCec80987 - The CSS may reboot due to freeing an internal communication buffer.

CSCec85000 - The CSS does not perform lookups with a suffix appended to a requested name even if you configure a dns suffix.

CSCec86444 - In a chunked encoding transfer header, the CSS incorrectly interprets the string as case sensitive and fails if any of the characters are capitalized.

CSCec86501 - When a script contains a quoted string that is greater than 255 characters and is used by a scripted keepalive, the CSS reboots.

CSCec88084 - The CSS stops translating sequence numbers on the FTP control connection after a FIN packet.

CSCec89210 - When you configure a CSS with a static route that is identical to a learned OSPF route (network LSA), the OSPF route correctly takes precedence. However, if the CSS loses the OSPF route, the blackhole route is not injected into the routing table.

CSCec89216 - On a CSS 11503 or a CSS 11506 configured for active FTP with destination services specified in a source group, if the FTP control channel and data channel are handled by different slots, the CSS may fail to clean up portmap entries.

Software Version 7.30.0.05 Command Changes

Table 7 lists the commands and options that have been added in software version 7.30.0.05.

Table 7 CLI Commands Added in Version 7.30.0.05  

Mode
Command and Syntax
Book Title

All

show arp management-port

Cisco Content Services Switch Routing and Bridging Configuration Guide

show critical-reporters {ip_address {vrid}}

Cisco Content Services Switch Redundancy Configuration Guide

show load {absolute}

Cisco Content Services Switch Content Load-Balancing Configuration Guide

show reporter {reporter_name|summary}

Cisco Content Services Switch Redundancy Configuration Guide

show running-config reporter reporter_name

show sticky-stats

Cisco Content Services Switch Content Load-Balancing Configuration Guide

show sticky-table all-sticky {page value}

show sticky-table l3-sticky {page value|ipaddress ip_address sticky_mask}

show sticky-table l4-sticky {page value|ipaddress ip_address sticky_mask port}

show sticky-table ssl-sticky {rule index {page value}|{time number {page value}|sid text|collision|page value}

show sticky-table wap-sticky {page value|msisdn msisdn_header}

zero reporter state-transitions [all|reporter reporter_name]

Cisco Content Services Switch Redundancy Configuration Guide

zero virtual-router state-changes [all|circuit ip_address [all|vrid number]]

Circuit IP

ip critical-reporter vrid reporter_name

no ip critical-reporter vrid reporter_name

Cisco Content Services Switch Redundancy Configuration Guide

Content

add location-service service_name

remove location-service service_name

Cisco Content Services Switch Content Load-Balancing Configuration Guide

arrowpoint-cookie name name

no arrowpoint-cookie name name

change service service_name weight number

no change service service_name

cookie-domain "name"

no cookie-domain

location-cookie name text value text {expiration dd:hh:mm:ss}

no location-cookie name

Global

dns-peer load variance number

no dns-peer variance

Cisco Content Services Switch Global Server Load-Balancing Configuration Guide

flow tcp-reset-vip-unavailable

no flow tcp-reset-vip-unavailable

Cisco Content Services Switch Content Load-Balancing Configuration Guide

idle timeout web-mgmt number

no idle timeout web-mgmt

Cisco Content Services Switch Device Management User's Guide

ip management no-icmp-redirect

no ip management no-icmp-redirect

Cisco Content Services Switch Administration Guide

ip management route ip_address1 subnet mask ip_address2

no ip management route ip_address1 subnet mask ip_address2

load [calculation[relative|absolute]|absolute-sensitivity number]

no load calculation|absolute-sensitivity

Cisco Content Services Switch Content Load-Balancing Configuration Guide

reporter reporter_name

The reporter reporter_name command is also available in circuit, interface, IP, keepalive, SSL proxy list, and VLAN configuration modes

no reporter reporter_name

Cisco Content Services Switch Redundancy Configuration Guide

restrict secure-xml

no restrict secure-xml

Cisco Content Services Switch Security Configuration Guide

snmp trap-type enterprise reporter-transition

no snmp trap-type enterprise reporter-transition

Cisco Content Services Switch Administration Guide

tacacs-server send-full-command

no tacacs-server send-full-command

Cisco Content Services Switch Security Configuration Guide

tcp-ip-fragment enabled

no tcp-ip-fragment enabled

Cisco Content Services Switch Content Load-Balancing Configuration Guide

udp-ip-fragment enabled

no udp-ip-fragment enabled

Interface

shut

no shut

Cisco Content Services Switch Routing and Bridging Configuration Guide

Keepalive

tcp-close fin

Cisco Content Services Switch Content Load-Balancing Configuration Guide

tcp-close rst

Reporter

active

Cisco Content Services Switch Redundancy Configuration Guide

phy interface_name

no phy interface_name

suspend

type reporter_type

no type

vrid ip_address vrid

no vrid ip_address vrid

Service

keepalive tcp-close fin

Cisco Content Services Switch Content Load-Balancing Configuration Guide

keepalive tcp-close rst

SSL-proxy list

ssl-server number ssl-queue-delay ms

no ssl-server number ssl-queue-delay

Cisco Content Services Switch Security Configuration Guide


Table 8 lists the commands and options that have been changed in software version 7.30.0.05.

Table 8 CLI Commands Changed in Version 7.30.0.05 

Mode
Command and Syntax
Book Title

Boot

reboot

Available only in boot configuration mode.

Cisco Content Services Switch Administration Guide

shutdown

Available only in boot configuration mode.

Content

add service service_name weight number

Weight range is now 0 to 10. Was 1 to 10.

Cisco Content Services Switch Content Load-Balancing Configuration Guide

Global

dns-record a|ns dns_name ip_address {ttl_value {single|multiple {kal-ap-vip|kal-ap|kal-icmp|kal-none {ip_address2 {threshold . . . {weight}}}}}}}

Weight range is now 0 to 10. Was 1 to 10.

Cisco Content Services Switch Global Server Load-Balancing Configuration Guide

dns-server zone zone_index {tier1|tier2 {"description" {weightedrr|srcip|leastloaded|preferlocal|roundrobin|ip_address {weightedrr|srcip|leastloaded|preferlocal|roundrobin} {weight}}}}

Added the weight variable for zones.

dns-server zone load variance number

Variance range is now 0 to 255. Was 1 to 255.

Global

ip-fragment enabled

This command has been deprecated (obsoleted). If you enter the ip-fragment enabled command, the CLI automatically converts it to the udp-ip-fragment enabled command.

Cisco Content Services Switch Content Load-Balancing Configuration Guide

no ip-fragment enabled

This command has been removed from the CLI.

username name encrypted-password password

Removed command from CLI.

Cisco Content Services Switch Administration Guide

SSL-proxy list

ssl-server number tcp buffer-share [rx number1|tx number2]

The receive buffer and the transmit buffer size range is now 16400 to 262144 bytes. The range was 8192 to 262144 bytes.

Cisco Content Services Switch Security Configuration Guide


Obtaining Documentation

These sections explain how to obtain documentation from Cisco Systems.

World Wide Web

You can access the most current Cisco documentation on the World Wide Web at this URL:

http://www.cisco.com

Translated documentation is available at this URL:

http://www.cisco.com/public/countries_languages.shtml

Documentation CD-ROM

Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which is shipped with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual subscription.

Ordering Documentation

You can order Cisco documentation in these ways:

Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Networking Products MarketPlace:

http://www.cisco.com/cgi-bin/order/order_root.pl

Registered Cisco.com users can order the Documentation CD-ROM through the online Subscription Store:

http://www.cisco.com/go/subscription

Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, U.S.A.) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).

Documentation Feedback

You can submit comments electronically on Cisco.com. In the Cisco Documentation home page, click the Fax or Email option in the "Leave Feedback" section at the bottom of the page.

You can e-mail your comments to bug-doc@cisco.com.

You can submit your comments by mail by using the response card behind the front cover of your document or by writing to the following address:

Cisco Systems
Attn: Document Resource Connection
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate your comments.

Obtaining Technical Assistance

Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can obtain online documentation, troubleshooting tips, and sample configurations from online tools by using the Cisco Technical Assistance Center (TAC) Web Site. Cisco.com registered users have complete access to the technical support resources on the Cisco TAC Web Site.

Cisco.com

Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information, networking solutions, services, programs, and resources at any time, from anywhere in the world.

Cisco.com is a highly integrated Internet application and a powerful, easy-to-use tool that provides a broad range of features and services to help you with these tasks:

Streamline business processes and improve productivity

Resolve technical issues with online support

Download and test software packages

Order Cisco learning materials and merchandise

Register for online skill assessment, training, and certification programs

If you want to obtain customized information and service, you can self-register on Cisco.com. To access Cisco.com, go to this URL:

http://www.cisco.com

Technical Assistance Center

The Cisco Technical Assistance Center (TAC) is available to all customers who need technical assistance with a Cisco product, technology, or solution. Two levels of support are available: the Cisco TAC Web Site and the Cisco TAC Escalation Center.

Cisco TAC inquiries are categorized according to the urgency of the issue:

Priority level 4 (P4)—You need information or assistance concerning Cisco product capabilities, product installation, or basic product configuration.

Priority level 3 (P3)—Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue.

Priority level 2 (P2)—Your production network is severely degraded, affecting significant aspects of business operations. No workaround is available.

Priority level 1 (P1)—Your production network is down, and a critical impact to business operations will occur if service is not restored quickly. No workaround is available.

The Cisco TAC resource that you choose is based on the priority of the problem and the conditions of service contracts, when applicable.

Cisco TAC Web Site

You can use the Cisco TAC Web Site to resolve P3 and P4 issues yourself, saving both cost and time. The site provides around-the-clock access to online tools, knowledge bases, and software. To access the Cisco TAC Web Site, go to this URL:

http://www.cisco.com/tac

All customers, partners, and resellers who have a valid Cisco service contract have complete access to the technical support resources on the Cisco TAC Web Site. The Cisco TAC Web Site requires a Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or password, go to this URL to register:

http://www.cisco.com/register/

If you are a Cisco.com registered user, and you cannot resolve your technical issues by using the Cisco TAC Web Site, you can open a case online by using the TAC Case Open tool at this URL:

http://www.cisco.com/tac/caseopen

If you have Internet access, we recommend that you open P3 and P4 cases through the Cisco TAC Web Site.

Cisco TAC Escalation Center

The Cisco TAC Escalation Center addresses priority level 1 or priority level 2 issues. These classifications are assigned when severe network degradation significantly impacts business operations. When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer automatically opens a case.

To obtain a directory of toll-free Cisco TAC telephone numbers for your country, go to this URL:

http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml

Before calling, please check with your network operations center to determine the level of Cisco support services to which your company is entitled: for example, SMARTnet, SMARTnet Onsite, or Network Supported Accounts (NSA). When you call the center, please have available your service agreement number and your product serial number.