Release Note for the Cisco 11500 Series Content Services Switch (Software Version 7.50.x)

Release Note for the Cisco 11500 Series Content Services Switch


October 12, 2006
Revised: October 28, 2009


Note The most current Cisco documentation for released products is also available on Cisco.com. The online documents may contain updates and modifications made after the hardcopy documents were released.


Contents

This release note applies to the following software versions for the Cisco 11500 Series Content Services Switch (CSS):

7.50.3.03 (version 7.50, release 3, build 3)

7.50.2.05 (version 7.50, release 2, build 5)

7.50.1.03 (version 7.50, release 1, build 3)

7.50.0.04 (version 7.50, release 0, build 4)

For information on version 7.50 commands and features, refer to the CSS 7.50 documentation available at http://www.cisco.com.

This release note contains the following sections:

CSS Standard and Enhanced Feature Sets

Before Upgrading the CSS Software

Required Updates to Management Information Base (MIB) Files

Features in Software Version 7.50

Documentation Set for Software Version 7.50

Documentation Enhancements and Corrections

Operating Considerations

Software Version 7.50.3.03 Open Caveats, Resolved Caveats, and Command Changes

Software Version 7.50.2.05 Open Caveats, Resolved Caveats, and Command Changes

Software Version 7.50.1.03 Open Caveats, Resolved Caveats, and Command Changes

Software Version 7.50.0.04 Open Caveats, Resolved Caveats, and Command Changes

Obtaining Documentation, Obtaining Support, and Security Guidelines

Product Alerts and Field Notices

CSS Standard and Enhanced Feature Sets

The CSS software is available in a Standard or optional Enhanced feature set. The Enhanced feature set contains all of the Standard feature set and also includes Network Address Translation (NAT) Peering, Domain Name Service (DNS), Demand-Based Content Replication (Dynamic Hot Content Overflow), Content Staging and Replication, and Network Proximity DNS. Proximity Database and Secure Management, which includes Secure Shell Host and SSL strong encryption for the Device Management software, are optional features.

Software version 7.50 no longer requires that you enter a license key for the Standard software feature set. The Enhanced software feature set, as well as the optional Secure Management feature, still require a license key in order to be activated.

Before Upgrading the CSS Software

Before you upgrade your CSS software, archive your custom scripts (including user profiles and custom script keepalives) by using the archive script or save_profile command. When you upgrade the software, the upgrade process creates a new /<current running version>/script directory, overwriting the current script directory.

After the upgrade is done, use the restore filename script command to restore the scripts you archived. Refer to the Cisco Content Services Switch Administration Guide for detailed software upgrade instructions.

Required Updates to Management Information Base (MIB) Files

The MIBs in 7.50 have been modified to be consistent with other Cisco products within the Cisco private enterprise branch of the MIB tree. The modifications include a change to the enterprise OIDs (Object Identifiers). If you have created any customized network management applications, you must modify these applications in order to use the new OIDs in the modified MIBs in 7.50. If you continue to use the former Arrowpoint enterprise OIDs (.2467), the CSS will not recognize SNMP requests.

The former Arrowpoint enterprise MIB branch was:

iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).arrowPoint(2467)
1.3.6.1.4.1.2467

The new Cisco enterprise MIB branch is:

iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).cisco(9).ciscoMgmt(9).arrowPoint(368)
1.3.6.1.4.1.9.9.368

The .2467 needs to be replaced with 9.9.368 wherever it is used. For a graphical view of the updated MIB tree, refer to the Cisco Content Services Switch Administration Guide, Chapter 5, "Configuring Simple Network Management Protocol," Figure 5-2.
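The OID rebasing described above is mechanical but easy to get wrong by hand (a naive string replace of "2467" would also hit arcs such as 24670). The following is an added example, not code from the release note or the CSS software, that moves any Arrowpoint-branch OID to the Cisco branch and audits a poller file for requests the CSS will no longer recognize; the two branch prefixes are the ones the note gives, and the poller entries and OID suffixes are constructed sample data.

```python
"""Rebase Arrowpoint enterprise OIDs to the Cisco enterprise branch used by CSS 7.50 MIBs.

Added example, not code from the Cisco release note or the CSS software. The two
branch prefixes come from the note; the poller file below is constructed sample data.
"""
import re

OLD_BRANCH = "1.3.6.1.4.1.2467"      # enterprises.arrowPoint (pre-7.50)
NEW_BRANCH = "1.3.6.1.4.1.9.9.368"   # enterprises.cisco.ciscoMgmt.arrowPoint (7.50)


def translate_oid(oid):
    """Return oid moved from the Arrowpoint branch to the Cisco branch.

    OIDs not under 1.3.6.1.4.1.2467 (including ones already rebased) are
    returned unchanged. A leading dot, if present, is preserved.
    """
    dotted = oid.startswith(".")
    arcs = oid.lstrip(".").split(".")
    old_arcs = OLD_BRANCH.split(".")
    # Compare whole arcs, so 1.3.6.1.4.1.24670... is not mistaken for the branch.
    if arcs[:len(old_arcs)] != old_arcs:
        return oid
    new_arcs = NEW_BRANCH.split(".") + arcs[len(old_arcs):]
    return ("." if dotted else "") + ".".join(new_arcs)


# Matches an Arrowpoint-branch OID embedded in free text. The lookbehind stops a
# match from starting in the middle of another OID; the lookahead after 2467
# stops 24670, 24671, ... from being treated as the Arrowpoint arc.
_OID_RE = re.compile(r"(?<![\d.])\.?1\.3\.6\.1\.4\.1\.2467(?!\d)(?:\.\d+)*")


def translate_text(text):
    """Rewrite every Arrowpoint OID embedded in a config, script or poller file."""
    return _OID_RE.sub(lambda m: translate_oid(m.group(0)), text)


def legacy_oids(text):
    """Audit helper: list the Arrowpoint-branch OIDs still present in text,
    i.e. the SNMP requests a CSS running 7.50 would not recognize."""
    return [m.group(0) for m in _OID_RE.finditer(text)]


# Constructed sample poller definitions (hypothetical format, hypothetical OID suffixes).
SAMPLE_POLLER = """\
# constructed sample, not a real management-station file
poll css1 .1.3.6.1.4.1.2467.1.2.3
poll css1 1.3.6.1.4.1.2467.4.5
poll other 1.3.6.1.4.1.24670.1.1
"""

if __name__ == "__main__":
    print("legacy OIDs still in use:", legacy_oids(SAMPLE_POLLER))
    print(translate_text(SAMPLE_POLLER))
```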

After you upgrade the CSS software, you must unload the current CSS MIBs and load the latest CSS MIBs in your network management station. The CSS MIBs are included in the CSS GZIP file. During the software upgrade, the MIBs are loaded into the CSS /mibs directory.

To update the CSS MIBs on your management station after you upgrade the CSS:

1. FTP the specific MIBs or the GZIP file (which contains all the MIBs) from the CSS MIBs (/v1 or /v2) directory to your management station.

2. Unload the CSS MIBs from the management application.

3. Load the MIBs into the management application.

Features in Software Version 7.50

The following new features are supported in software version 7.50.

Daylight saving time (DST) configuration - Cisco Content Services Switch Getting Started Guide

Primary and secondary SNTP servers configuration - Cisco Content Services Switch Getting Started Guide

HTTP method parsing configuration - Cisco Content Services Switch Content Load-Balancing Configuration Guide

Server/Application State Protocol (SASP) configuration - Cisco Content Services Switch Content Load-Balancing Configuration Guide

TCP FIN and RST flags with HTTP 302 redirect messages configuration - Cisco Content Services Switch Content Load-Balancing Configuration Guide

HTTP encrypted keepalives configuration - Cisco Content Services Switch SSL Configuration Guide

SSL HTTP header modification - Cisco Content Services Switch SSL Configuration Guide

SSL proxy list modification without suspending a service - Cisco Content Services Switch SSL Configuration Guide

Immediate refreshing of the bridge forwarding table for an ARP MAC Down event - Cisco Content Services Switch Routing and Bridging Configuration Guide

Documentation Set for Software Version 7.50

The documentation set for software version 7.50 contains the publications listed below.

Document Title
Description

Cisco 11500 Series Content Services Switch Hardware Installation Guide

This guide provides information for installing, cabling, and powering the Cisco 11500 series CSS. In addition, this guide provides information about CSS specifications, cable pinouts, and hardware troubleshooting.

Cisco Content Services Switch Getting Started Guide

This guide describes how to perform initial administration and configuration tasks on the CSS, including:

Booting the CSS for the first time and on a routine basis, and logging in to the CSS

Configuring the username and password, Ethernet management port, static IP routes, and the date and time

Configuring a DNS server for hostname resolution

Configuring sticky cookies with a sticky overview and advanced load-balancing method using cookies

Finding information in the CSS documentation with a task list

Troubleshooting the boot process

Cisco Content Services Switch Administration Guide

This guide describes how to perform administrative tasks on the CSS, including upgrading your CSS software and configuring the following:

Logging, including displaying log messages and interpreting sys.log messages

User profile and CSS parameters

SNMP

RMON

XML documents to configure the CSS

CSS scripting language

Offline Diagnostic Monitor (Offline DM) menu

Cisco Content Services Switch Routing and Bridging Configuration Guide

This guide describes how to perform routing and bridging configuration tasks on the CSS, including:

Management ports, interfaces, and circuits

Spanning-tree bridging

Address Resolution Protocol (ARP)

Routing Information Protocol (RIP)

Internet Protocol (IP)

Open Shortest Path First (OSPF) protocol

Cisco Discovery Protocol (CDP)

Dynamic Host Configuration Protocol (DHCP) relay agent

Cisco Content Services Switch Content Load-Balancing Configuration Guide

This guide describes how to perform CSS content load-balancing configuration tasks, including:

Flow and port mapping

Services

Service, global, and script keepalives

Source groups

Loads for services

Server/Application State Protocol (SASP)

Dynamic Feedback Protocol (DFP)

Owners

Content rules

Sticky parameters

HTTP header load balancing

Content caching

Content replication

Cisco Content Services Switch Global Server Load-Balancing Configuration Guide

This guide describes how to perform CSS global load-balancing configuration tasks, including:

Domain Name System (DNS)

DNS Sticky

Content Routing Agent

Client-Side Accelerator

Network proximity

Cisco Content Services Switch Redundancy Configuration Guide

This guide describes how to perform CSS redundancy configuration tasks, including:

VIP and virtual interface redundancy

Adaptive session redundancy

Box-to-box redundancy

Cisco Content Services Switch Security Configuration Guide

This guide describes how to perform CSS security configuration tasks, including:

Controlling access to the CSS

Secure Shell Daemon protocol

Radius

TACACS+

Firewall load balancing

Cisco Content Services Switch SSL Configuration Guide

This guide describes how to perform CSS SSL configuration tasks, including:

SSL certificate and keys

SSL termination

Back-end SSL

SSL initiation

Cisco Content Services Switch Command Reference

This reference provides an alphabetical list of all CLI commands including syntax, options, and related commands.

Cisco Content Services Switch Device Management User's Guide

This guide describes how to use the Device Management user interface, an HTML-based Web application that you use to configure and manage your CSS.


Documentation Enhancements and Corrections

The following enhancements and corrections apply to the 7.50 documentation set.

The -norlog and -notrap flags are available for the commit_vip_redundancy script. The syntax is:

commit_vip_redundancy -nolog -notrap

The -norlog option reduces the number of log messages that the CSS sends to the configured log host during the script.

The -notrap option reduces the number of traps that the CSS sends to the configured trap host during the script.

The CSS performs a urlrewrite search in the following order:

1. Exact match.

2. Postfix wildcard match using the shortest prefix (for example, will match on "ssl-server 1 urlrewrite 7 cis*" before matching on "ssl-server 1 urlrewrite 12 cisco.*").

3. Prefix wildcard match using the shortest match (for example, will match on "ssl-server 1 urlrewrite 7 *.cis" before matching on "ssl-server 1 urlrewrite 12 *.cisco").

4. Wildcard match (for example, ssl-server 1 urlrewrite 7 *).
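Because the search order decides which rewrite a redirected client actually receives, it is worth being able to predict it before activating a proxy list. The following is an added example, not code from the release note or the CSS software, that implements the four-step order above for a table of urlrewrite patterns; it assumes patterns take only the four forms the note lists (exact, "literal*", "*literal", and bare "*"), and the rule numbers and host names are constructed sample data.

```python
"""Predict which ssl-server urlrewrite rule the CSS applies to a given host name.

Added example, not from the Cisco release note or the CSS software. It follows
the four-step search order the note describes: exact match, postfix wildcard
with the shortest literal prefix, prefix wildcard with the shortest literal
suffix, then the bare "*" rule. The rule table and hosts are constructed.
"""


def classify(pattern):
    """Return (kind, literal) for one urlrewrite domain pattern.

    Assumption: patterns take only the four forms listed in the release note.
    """
    if pattern == "*":
        return ("any", "")
    if pattern.endswith("*") and "*" not in pattern[:-1]:
        return ("postfix", pattern[:-1])   # "cis*"  -> literal prefix "cis"
    if pattern.startswith("*") and "*" not in pattern[1:]:
        return ("prefix", pattern[1:])     # "*.cis" -> literal suffix ".cis"
    if "*" not in pattern:
        return ("exact", pattern)
    raise ValueError("unsupported urlrewrite pattern: %r" % pattern)


def select_urlrewrite(rules, host):
    """rules: list of (rewrite_number, pattern) configured on one ssl-server.

    Returns the (rewrite_number, pattern) the CSS would apply, or None when
    nothing matches. Ties between equally short literals go to the lower
    rewrite number (an assumption; the note does not say how ties resolve).
    """
    host = host.lower()
    exact, postfix, prefix, wildcard = [], [], [], []
    for number, pattern in rules:
        kind, literal = classify(pattern.lower())
        if kind == "exact" and host == literal:
            exact.append((number, pattern))
        elif kind == "postfix" and host.startswith(literal):
            postfix.append((len(literal), number, pattern))
        elif kind == "prefix" and host.endswith(literal):
            prefix.append((len(literal), number, pattern))
        elif kind == "any":
            wildcard.append((number, pattern))
    # 1. An exact match wins outright.
    if exact:
        return exact[0]
    # 2. Postfix wildcard: shortest literal prefix first ("cis*" before "cisco.*").
    if postfix:
        _, number, pattern = min(postfix)
        return (number, pattern)
    # 3. Prefix wildcard: shortest literal suffix first ("*.cis" before "*.cisco").
    if prefix:
        _, number, pattern = min(prefix)
        return (number, pattern)
    # 4. The bare "*" rule catches everything else.
    return wildcard[0] if wildcard else None


# Constructed sample rule table, as if taken from "ssl-server 1 urlrewrite N <pattern>".
SAMPLE_RULES = [
    (3, "www.cisco.com"),
    (7, "cis*"),
    (12, "cisco.*"),
    (20, "*.cis"),
    (25, "*.cisco"),
    (30, "*"),
]

if __name__ == "__main__":
    for host in ("www.cisco.com", "cisco.com", "mail.cisco", "lab.cis", "example.org"):
        print(host, "->", select_urlrewrite(SAMPLE_RULES, host))
```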

The CSS does not support Virtual IP address ranges (VIPs) on the SSL module. The ssl-proxy-list and ssl-server vip commands cannot be configured as part of a content rule VIP configured using the vip range command.

The CSS does not apply a keepalive tcp-close configuration to scripted keepalives.

Before you use the snmp auth-traps command to generate traps, you must first enable SNMP generic traps using the snmp trap-type generic command. Though the CSS will allow you to enter the snmp auth-traps command without first entering the snmp trap-type generic command, it will not generate traps until you enable SNMP generic traps.

The documentation incorrectly states that you can configure as many SNMP communities as you wish through the snmp community command. You can configure a maximum of five communities.

You cannot configure content rules with VIP address ranges that overlap, including rules with different port numbers. However, you can configure content rules with the same VIP address range.

Operating Considerations

The following operating considerations apply to software version 7.50 and greater.

When the SSL modules are receiving more traffic than they can handle, one module may have more errors than another. Once a module gets behind, it is not able to catch up, so it gets further behind. You may see a load imbalance between the two modules. This occurs because the Session Processor (SP) does not detect the status of the SSL-offload modules. The SP continues to send flows to the SSL module even if it is not able to handle them. This does not include a condition by which the module completely fails. In that case, the CSS removes the module from service.

When you configure the expiration time and date for a location cookie using the location-cookie expiration command, the CSS CPU may spike and the CSS may experience a degradation in its performance. Configure the expiration option with the location-cookie command only when necessary.

When you configure the arrowpoint-cookie expiration command and the advanced-balance arrowpoint-cookie command, the CSS CPU may spike and the CSS may experience a degradation in its performance. Configure the arrowpoint-cookie expiration command only when necessary.

When the CSS is processing an SNMP BULK_WALK request to obtain the ether-history table, the requesting application may time out due to the large amount of information it has to gather. To avoid having the requesting application time out, increase the requesting application's retransmission timer.

If you configure a balance or advanced-balance method on a content rule that requires the TCP protocol for Layer 5 (L5) spoofing, you should configure a default URL string, such as url "/*". The addition of the URL string forces the content rule to become an L5 rule and ensures L5 load balancing or stickiness. If you do not configure a default URL string, unexpected results can occur.

In the following configuration example, if you configure a Layer 3 (L3) content rule with an L5 balance method, the CSS performs L5 load balancing, but will reject UDP packets.

content testing
vip address 192.168.128.131
add service s1
balance url
active

The balance url method is an L5 load-balancing method in which the CSS must spoof the connection and examine the HTTP GET content request to perform load balancing. The CSS rejects the UDP packet sent to this rule because a UDP connection cannot be L5. Though the CSS allows this rule configuration, its expected behavior would be clearer if you promote the rule to L5 by configuring the url "/*" command.

In the next example, if you configure an L3 content rule with an L5 advanced-balance method, L5 stickiness will not work as expected.

content testing
vip address 192.168.128.131
add service s1
advanced-balance arrowpoint-cookie
active

The advanced-balance arrowpoint-cookie method causes the CSS to spoof the connection; however, the CSS still marks it as an L3 rule. Thus, the CSS does not insert the generated cookie and the rule defaults to L3 stickiness (sticky-srcip). You must configure a URL like url "/*" to promote this rule to L5, ensuring that L5 stickiness works as expected.

Per CSCek40367, the ACL configuration mode exclude ssl circuit-(VLANnumber) {acl_clause} command allows you to exclude all clauses or specific clauses within an ACL to outbound traffic from the SSL module. For more information on this command, see Table 1. Previously, you could not use an ACL clause with a source group translation of traffic destined to an SSL module; the clause would be accepted by the CSS but would be ignored for flows terminated at the SSL module.

We do not recommend using custom scripted keepalive scripts that contain the ">" or ">>" file redirection characters (see DDTS CSCek55371 in the "Software Version 7.50.3.03 Open Caveats" section). These characters write the output of a CSS command to the named file on disk. For example, the following command writes the received data from the keepalive host to a file on the CSS disk named tmp:

socket inspect ${SOCKET} >log/tmp

Software Version 7.50.3.03 Open Caveats, Resolved Caveats, and Command Changes

The following sections contain the open caveats, resolved caveats, and command changes in software version 7.50.3.03:

Software Version 7.50.3.03 Open Caveats

Software Version 7.50.3.03 Resolved Caveats

Software Version 7.50.3.03 Command Changes

Software Version 7.50.3.03 Open Caveats

The following caveats apply to software version 7.50.3.03:

CSCek54104 - If an SSL client does not respond to the CSS FIN with a FIN, the CSS waits for the inactivity timer to expire. Occasionally, the CSS has difficulty when the timer wraps. Thus, the CSS does not correctly clean up the SSL resources.

CSCek55371 - When a CSS custom scripted keepalive script includes the ">" and ">>" file redirection characters to perform file input/output (I/O), the script does not follow the CSS scripted keepalive guidelines. Over time, the CSS loses internal file descriptors that eventually cause the CSS file system to unmount. You must reboot the CSS to clear the condition. Do not include file redirection characters for file I/O in custom scripted keepalive scripts.

CSCek56722 - If the CSS 11500 is configured for UDP fragment support in addition to ports configured for flow-disable, the CSS does not properly forward any UDP fragments that match the UDP port number configured for flow-disable. For example:

    udp-ip-fragment enabled
    flow-state UDP_port_number flow-disable nat-enable

CSCek57234 - When the CSS spoofs a clear-text connection from the SSL module, it responds to the SYN with a SYN/ACK that has a maximum segment size (MSS) of 1,460. Eventually, the CSS also opens a connection to the server and the server informs the CSS that its MSS is a smaller value. When data arrives from the client, the CSS decrypts it. The CSS may combine data from multiple packets that it sends to the server, exceeding what the server can handle.

CSCek58150 - When an SSL-proxy list activation occurs, a verification of the certificate and key pairs occurs for all configured SSL servers. During that process, if the CSS finds a problem with the actual certificate and key pair files on the disk, it is not prepared to handle an error. The CSS references through a NULL pointer and fails.

CSCek58275 - The lifetick failure occurs due to a failed task on the SSL module when the module tries to free a buffer twice. If the module had properly cleaned out the address of the buffer after freeing it, it would not attempt to free it again.

Software Version 7.50.3.03 Resolved Caveats

The following caveats were resolved in software version 7.50.2.05:

CSCdu87494 - When a session to the CSS or scripted keepalive is closing down, it is possible for the CSS to reboot if the MORE buffer is in use.

CSCdx34275 - If you use a show command with the MORE option enabled, the MORE buffer is full, and you perform a forward search with the slash (/) character, the CSS reboots.

CSCej87514 - The CSS fails to negotiate a TCP handshake successfully when it is proxying a connection to a server that returns a zero window size.

CSCek00530 - The CRL download fails if the HTTP header spans multiple packets. The CRL download occurs between the SSL module and the configured CRL server. The HTTP header is terminated by a CRLFCRLF, and the CRL download code expects that terminator to be in the first server data packet. The actual CRL data may span multiple packets. In testing with Linux, if the MTU is 278, the HTTP header splits and the CRL download fails.

CSCek15563 - The IPV4 critical message does not include adequate information to determine which traffic is causing the error message to be generated. For example, the following message should include the IP addresses or ports so you can determine which traffic is generating the error condition.

SEP 19 13:50:25 4/1 6307 IPV4-2: Ipv4SlaveForwBmanChk: no ingress LP in buffer

CSCek27227 - The CSS may reboot when receiving an SNMP get request for the MIB variable apCntStickyNoCookieString on a content rule.

CSCek29491 - When the CSS is configured with a service with keepalive type http encrypt (an encrypted keepalive) and the service IP address is not on the local subnet, but must be routed to it, the CSS fails to complete the SSL handshake and resets the connection. This causes the service to remain in the down state permanently.

CSCek32632 - The CSS reboots when it runs out of system application buffers and fails to check for a non-existent buffer return code.

CSCek33838 - When you suspend, modify, and reactivate an SSL-proxy list, the CSS updates the modifications on the SSL module in the CSS 11500 chassis. Though the CSS updates these changes on SSL services with different SSL slot numbers, it does not update SSL services of the same ssl-accel type. Thus, the CSS updates only the first configured SSL service of this type with the SSL-proxy list modifications. In addition, due to IP tuple collisions, the CSS may not download the same CRL when the CRL is configured on multiple SSL modules.

CSCek34035 - When the CSS is configured for DHCP and it receives a DHCP BOOTREQUEST to its circuit address, it incorrectly sends an ARP request out for itself, causing the circuit to become unusable. The CSS should drop the DHCP packet because the CSS is a DHCP relay agent only.

CSCek34314 - On a CSS with a configured SSL module, when you enter the no ssl associate cert command to remove a certificate that is configured on an SSL-proxy list, the CSS removes the certificate globally, but it has no effect on the configured SSL-proxy list, SSL server, and traffic on the SSL module. The CSS should not allow the use of the no ssl associate cert command when a certificate is configured on an active SSL-proxy list.

CSCek35783 - An SNMP GET or GET NEXT request for any OID in the rip2PeerEntry table suspends the SNMP engine on the CSS and no further SNMP actions can take place. The CSS sends the "%%Error - cannot obtain SNMP lock" error message, does not respond to SNMP requests, and appears to hang.

CSCek34973 - When you use the WebManagement GUI to configure the CSS, it fails to allocate a socket through a call into the VxWorks kernel. All the sockets were in use due to a major network event and a large number of keepalives were configured. The GUI did not check whether the socket allocation returned an error. It used a NULL or zero socket pointer and the CSS rebooted.

CSCek35141 - When running the commit_vip_redundancy script in partial mode (that is, without the -a option), the script automatically checks that all VIP addresses on active local content rules and source groups are redundant on the remote CSS. The -norvip option has been added so that this checking is completely bypassed at the script execution time.

CSCek36511 - When the CSS is configured with an ACL clause that prefers certain clients to a source group, allowing the CSS to send the packet out with a NATed source IP address, several servers did not respond to the initial TCP SYN (with a TCP SYN/ACK in all cases), causing the client to retransmit the TCP SYN repeatedly. Occasionally, an intermediate firewall logs an error due to unexpected IP addresses because the CSS eventually forwards some of the retransmitted TCP SYNs unNATed.

CSCek37183 - When the CSS is configured for Session Level Redundancy (SLR) with content rules of the sticky advanced-balance arrowpoint-cookie method, if the arrowpoint-cookie content rule is not configured with the redundant-index command, the rule should not participate in the SLR peer-to-peer Flow Control Block (FCB) sharing. However, the CSS sends SLR flow-modify arrowpoint-cookie sequence-number updates to the SLR peer and, under an extremely heavy load, overwhelms it. The slots in the CSS 11500 chassis may display as bad in the show chassis command output or become unresponsive to different show commands, or unexpected behavior can occur.

CSCek37489 - The VxWorks timerLib, accessed through timerGet() or timerSet(), is a 32-bit value that wraps every 828 days (0xffffffff -> 0x0). This wrapping causes the following two issues:

If the CSS is running redundancy, the backup would also become master and create duplicate IP addresses in the network.

If the CSS is configured for service keepalives and the keepalive went down legitimately, the CSS may still mark it as alive.

The only way to recover from either of these issues is to reboot the CSS.

CSCek38578 - On rare occasions, when two users log into the CSS and dynamically configure the same content rule, one user may issue the remove service ? command to get hints for the services on the content rule while the other user issues the no content name command, removing the content rule and all the associated services. The CSS reboots because it removed the services as it collected the hints.

CSCek39096 - When the CSS is configured for SSL termination and an application is running over a 14.4 baud modem, large HTTP POST data is divided over multiple packets. As the SSL module collects these packets and an internal hardware limit of 50 is reached, the module discards the HTTP POST data. The SSL module now tries to compact the smaller buffers into larger buffers, decreasing the block chain size and ensuring that the internal limit is not reached.

CSCek39894 - When the CSS has two DNS A records configured and dynamically reconfigures the weight from "0 to 1" and "1 to 0," the remote CSS peer incorrectly load balances between the two DNS A records with different weights (one at 0 and one at 1).

CSCek40630 - When multiple users log into the CSS and issue CSS configuration commands, the CSS SNMP application hangs and stops processing further commands. It is possible for two users to each take one of the necessary SNMP locks (internal name SNMP semaphore) so that neither is able to complete the configuration commands.

CSCek40768 - The fix to DDTS CSCeh18228 attempted to ensure that the publishing of the VIP state is done when the reporter is fully up so that dormant flows are not activated too early. However, the VIP state was not updated when the VRID-PEERING router goes down, which may cause the state of the content rule to go down or become inconsistent.

CSCek41097 - If you configure a global named keepalive, leave it suspended, and then add it to a service in the active state, the CSS does not configure the keepalive on the service. If you change the keepalive type on the service itself, the global keepalive becomes a ghost keepalive. It appears in the running-config file but the CSS deletes it internally so that you cannot delete it.

CSCek41354 - When a CSS is configured for SSL termination and Session Level Redundancy (SLR), a redundant index is configured on the clear-text rule that the SSL module uses for decrypted SSL traffic, and two physical ports are in the server VLAN network, a long-lived client session established through the SSL rule does not recover if the active port to the server fails while the session is in progress, even though the session moves to the other port. However, a long-lived non-SSL connection to the server through the clear-text rule recovers, as does an SSL connection using a clear-text rule that does not have a configured redundant index.

CSCek42526 - When the CSS is configured for SSL termination, it experiences a problem very similar to CSCek39096 (receiving a large SSL record split across many small packets due to the TCP MTU size and dial-up over a slow modem). The DDTS CSCek39096 fix handles this problem up to approximately 16,000 bytes. But when this number is exceeded, the CSS would drop a portion of the HTTP POST data and the SSL module would exceed the number of data blocks allowed. A coding error in the calculation of the number of data blocks occurred after compactions. The SSL module now handles the compaction correctly up to the largest SSL record of 16,384 bytes.

CSCek42725 - The fix for DDTS CSCei03219 relaxed certain restrictions when processing an SSL PKCS12 file. However, this fix leaked SCM memory in the size of the PKCS12 file, occupying a large chunk of memory over a period of time and thus causing the CSS to reboot due to the unavailability of SCM memory.

CSCek43439 - The CSS reboots due to an ONDM Lifetick failure because the SSL module is out of buffers. When the CSS polls the flowMgrExt.mib/apFlowMgrExtSlotFlowStatsTable SNMP OIDs, the CSS incorrectly sends these SNMP requests to the SSL module and a buffer leak occurs.

CSCek43975 - The CSS may drop bridged IP packets with the IPV4 Type of Service (TOS) bits set when set dscp af21 (DiffServ feature) is configured on a Catalyst policy and the IPV4 header TOS bits are sent (0x48 in this example).

CSCek44225 - An SNMP GET or NEXT of the apIpv4VrrpStateDuration apIpv4.mib leaks a small amount of memory. Over a period of time, this leak may cause the CSS 11500 SCM to reboot.

CSCek44615 - When the CSS is configured for a Global Server Load Balancing (GSLB) dns-record encrypted-KAL keepalive, a misconfiguration on the peer device corrupts the data in the AP-KAL message. When the CSS processes this corrupted data, it may reboot.

CSCek44734 - Per DDTS CSCei86650, the HTTP "Connection: closed" tag is added instead of the "Connection: close" tag.

CSCek44888 - The passive sync command returns a Busy error message for a period of many weeks. A CSS reboot clears the issue.

CSCek46451 - If you attempt to modify a configured service or global keepalive, you may incorrectly receive the message "%% Maximum keepalives of this type have been exceeded. Cannot activate" when the maximum number has not been exceeded. This message may occur when you configure a global keepalive and add the global keepalive to a service. Later, you change the global keepalive type to type tcp. After you activate the keepalive, or it is modified dynamically when the global keepalive is already active, the internal keepalive count is corrupted. This problem may cause any further service or global keepalive modifications to fail with the previously described error message.

CSCek46686 - When you log into the CSS with a username that has embedded control characters, the login is invalid. When the CSS generates the subsequent SNMP login trap, the trap contains the embedded control characters, which is incorrect. The RFC specifies the removal of control characters before the SNMP login trap is generated.

CSCek47850 - The CSS can leave unreachable host entries in the route table, causing the table to exceed the 5,120 entry limit. The CSS cannot learn any additional route entries. These entries accumulate when an ARP resolution fails for a host that has already been marked unreachable.

CSCek48356 - DDTS CSCdx09860 fixed a long standing advanced-balance arrowpoint-cookie issue that a server retransmission of the HTTP 200 OK response (usually the first server data packet) would not have the ARPT cookie reinserted. DDTS CSCee55759 fixed a problem that the TCP sequence number was wrong in the retransmitted server data. However, the fix failed to redo the TCP packet checksum when the TCP sequence number is adjusted in the server retransmission and the client sees a TCP checksum error. Now, a server retransmission of what is usually the first server data packet (HTTP 200 OK) has the inserted ARPT cookie, the correct TCP sequence number, and the correct TCP checksum. CSCek48833 also had the same TCP checksum issue and that problem is corrected.

CSCek48429 - RFC 1155 states that the SYNTAX Counter is a non-negative integer that monotonically increases. The CSS 11500 MIBs have cases where a MIB OID is defined as a COUNTER or Counter32 when it is really a value that varies up and down. An example from svcExt.mib is apSvcCurrentLocalConnections: the current connection count on a configured service does not behave as an RFC 1155 Counter. Instead, it should be defined as GAUGE or GAUGE32, which indicates an unsigned integer value that may increase or decrease rather than increasing monotonically until it wraps. All the CSS 11500 MIBs are updated to define MIB OIDs as Gauge where appropriate.

CSCek48831 - When you run a script manually on the CSS and the script exits unexpectedly, the EXIT_MSG defined in the script should appear at the CLI prompt. This functionality was broken by the DDTS CSCei41874 fix.

CSCek48833 - A long-lived CSS 11500 flow may incorrectly be made eligible for garbage collection every 49 days, 17 hours, and approximately 6 minutes. The flow appears inactive for longer than any configurable flow-timeout-multiplier period because an internal CSS unsigned 32-bit variable that holds milliseconds since the CSS booted wraps around. The flow remains eligible for garbage collection until the next packet (activity) occurs, after which the flow is again safe for approximately the next 50 days.
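As an added illustration that is not CSS code, the following C block shows the class of bug behind this caveat: a 32-bit millisecond uptime counter wraps every 2^32 ms, and an idle check that widens the two timestamps to 64 bits before subtracting reports an enormous idle time in the first moments after the wrap, whereas subtracting in the counter's own width gives the true gap. The flow timestamps and timeout are constructed values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed illustration of the counter-wrap bug class described in
 * CSCek48833; this is example code, not CSS source. A flow records the
 * 32-bit millisecond uptime of its last packet, and an idle check compares
 * the elapsed time against the flow-timeout-multiplier period.
 */

/* Number of milliseconds a 32-bit uptime counter holds before it wraps. */
#define MS_PER_WRAP (1ULL << 32)

struct wrap_period {
    unsigned days, hours, minutes, seconds;
};

/* Break 2^32 ms down into whole days, hours, minutes and seconds. */
struct wrap_period wrap_period_breakdown(void)
{
    uint64_t secs = MS_PER_WRAP / 1000;   /* 4294967 whole seconds */
    struct wrap_period p;
    p.days = (unsigned)(secs / 86400);
    secs %= 86400;
    p.hours = (unsigned)(secs / 3600);
    secs %= 3600;
    p.minutes = (unsigned)(secs / 60);
    p.seconds = (unsigned)(secs % 60);
    return p;
}

/*
 * Wrap-unsafe: widening both timestamps to 64 bits before subtracting yields
 * a negative result, i.e. a huge unsigned value, whenever now_ms has already
 * wrapped past zero and last_ms has not. The flow then looks idle for an
 * absurdly long time and fails every timeout comparison.
 */
uint64_t elapsed_ms_unsafe(uint32_t now_ms, uint32_t last_ms)
{
    return (uint64_t)now_ms - (uint64_t)last_ms;
}

/*
 * Wrap-safe: subtract in the counter's own width. Unsigned 32-bit
 * subtraction is modulo 2^32, so the result is the true gap as long as the
 * gap is shorter than one wrap period, which any flow timeout is.
 */
uint32_t elapsed_ms_safe(uint32_t now_ms, uint32_t last_ms)
{
    return now_ms - last_ms;
}

bool flow_idle_unsafe(uint32_t now_ms, uint32_t last_ms, uint32_t timeout_ms)
{
    return elapsed_ms_unsafe(now_ms, last_ms) > timeout_ms;
}

bool flow_idle_safe(uint32_t now_ms, uint32_t last_ms, uint32_t timeout_ms)
{
    return elapsed_ms_safe(now_ms, last_ms) > timeout_ms;
}

int main(void)
{
    /* Constructed scenario: last packet 500 ms before the counter wrapped,
       current time 500 ms after it, so the flow has really been idle 1 s. */
    uint32_t last_ms = UINT32_MAX - 499;
    uint32_t now_ms = 500;
    uint32_t timeout_ms = 16 * 1000;   /* constructed 16 s idle period */

    struct wrap_period p = wrap_period_breakdown();
    printf("counter wraps every %u d %u h %u m %u s\n",
           p.days, p.hours, p.minutes, p.seconds);
    printf("unsafe check says idle: %d (elapsed %llu ms)\n",
           flow_idle_unsafe(now_ms, last_ms, timeout_ms),
           (unsigned long long)elapsed_ms_unsafe(now_ms, last_ms));
    printf("safe check says idle:   %d (elapsed %u ms)\n",
           flow_idle_safe(now_ms, last_ms, timeout_ms),
           elapsed_ms_safe(now_ms, last_ms));
    return 0;
}
```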

CSCek49708 - When the CSS is configured for VIP/IF redundancy with spanning tree disabled and the no enable command is configured on the virtual-router IP interface, if you run the commit_vip_redundancy script or the copy startup-config running-config command, the state of the virtual router becomes Master or Backup instead of Down.

CSCek49389 - When the CSS contains an SSL module, the module should send an ACK for every other packet instead of every single packet.

CSCek50736 - When the CSS is configured with a Layer 5 VIP and the client sends a SYN to the VIP, the CSS responds with a SYN/ACK to the client. If a router that cannot locate the client returns the SYN/ACK to the VIP as an ICMP unreachable, the CSS may forward the ICMP unreachable with a source and destination IP address of 0.0.0.0.

CSCek51806 - The chassis backplane part number is 16 characters long. This length may cause the CSS to reboot when you issue the show chassis inventory command or run the diagnostic showtech script.

CSCek52385 - The following two commands have been added to allow you to modify the default TCP window size (12288) to a larger value between 12288 and 40960 for both the server and client side independently: ssl-server number tcp server window bytes and ssl-server number tcp virtual window bytes

CSCek52881 - When the CSS is configured with the advanced-balance arrowpoint-cookie command, during a backend remap condition, a subsequent method arrives at the arrowpoint cookie code path without the cookie being set. This condition may cause the CSS to send a RST to the client and the server.

CSCek53172 - On a CSS that contains an SSL module and an SNMP WALK of the sslExt mib occurs, the CSS may return the keys and certificates in the wrong order.

CSCek53697 - When the CSS is configured with VIP/IF redundancy, running the show running-config service service_name command may cause a redundancy failover.

CSCin99962 - When the SNMP configuration tool performs a byte-by-byte comparison of the startup-config and the running-config files obtained from the CSS, it does not account for extra Carriage Returns (CRs) in the startup-config output.

Software Version 7.50.3.03 Command Changes

Table 1 lists the commands and options that have been added in software version 7.50.3.03.

Table 1 CLI Commands Added in Version 7.50.3.03  

Mode
Command and Syntax
Description

ACL

exclude ssl circuit-(VLANnumber) {acl_clause}

no exclude ssl circuit-(VLANnumber)

This new command allows you to exclude all clauses or specific clauses within an ACL from the outbound traffic from the SSL module. By default, the CSS applies all clauses within the ACL to outbound traffic from the SSL module. The variables for this command are:

number - Number of the circuit on which to exclude the ACL clauses.

acl_clause - (Optional) The number of the clause to exclude. You can configure one or more clauses, or a range of clauses. To enter more than one clause, separate each number by a comma with no spaces. To enter a range of clauses, separate the first and last number in the range by a dash (-) with no spaces.

If you do not specify a clause, all clauses are excluded.

For example, to exclude clauses 1, 5, and 10 through 20 on ACL 7 for VLAN1, enter:

(config-acl[7])# exclude ssl circuit-(VLAN1) 1,5,10-20

Consider the following requirements when using the exclude command:

The CSS must contain an SSL module for use with the exclude command.

Before reconfiguring the exclude command on an ACL, you must use the no form of the exclude command. Otherwise, the CSS displays an error.

Must issue <no exclude ssl circuit-(VLAN#)> command first

You can configure only one exclude command per ACL. This rule also covers the no exclude command entered for a VLAN other than the configured VLAN. Otherwise, the following error message appears:

Only one <exclude ssl circuit-(VLAN#)> command per-ACL

The exclude command cannot be configured on different ACLs for the same VLAN. Otherwise, the following error message appears:

Command <exclude ssl circuit-(VLAN#)> command found on different ACL

When you configure the exclude command on an ACL, you can configure only one apply command on that ACL. Otherwise, the following error message appears:

Only one <apply circuit-(VLAN#)> command allowed with exclude configured

If you have multiple apply commands configured on an ACL, you cannot configure the exclude command.

You can configure the exclude command without the apply command, but it does not take effect until the apply command is configured.

When you configure the exclude and apply commands on an ACL, the circuit VLAN number must match in these commands. Otherwise, the following error message appears:

No circuit apply command or exclude ssl circuit mismatch

The exclude and apply commands for the same circuit must be on the same ACLs. Otherwise, the following error message appears:

Command <exclude ssl circuit-(VLAN#)> command on different ACL than apply

If you configure the apply command and then configure the exclude command or its no form, the CSS internally reissues the apply command to reapply the ACL to the circuit. Reissuing this command allows the SSL setting to be updated on the remote session processors.

Removing the circuit VLAN with the following command sequence negates the exclude command:

interface slot/subslot command

no bridge vlan command

Use the no form of the exclude command to apply all ACL clauses to the outbound traffic from the SSL module.

Global

flow-state flow-disable timeout seconds

no flow-state flow-disable timeout

This new command sets the wait time for a response from a server on a configured flow-disable port. By default, the CSS times out a flow-disable (no flow) connection after 5 seconds if it does not receive a response from the server. DNS responses may take longer than 5 seconds, causing the connection to fail. Using the flow-state flow-disable timeout command to set a longer wait time for server responses makes these connections less likely to fail.

The seconds variable is the time in seconds. Enter an integer from 5 to 20. The default value is 5.

Use the no form of the command to reset the default flow-disable timeout to 5 seconds.

snmp trap-type enterprise disk-quota {interval minutes {quota-threshold percentage}}

no snmp trap-type enterprise disk-quota

The new disk-quota option enables SNMP enterprise traps when the space used on the CSS disk is greater than or equal to the configured threshold. By default, the time interval in minutes is 720 minutes (12 hours) and the percentage threshold is 90.

The options are:

interval minutes - Configures the disk quota interval in minutes. This interval determines how often to check the percentage of space used on the CSS disk.

For the minutes variable, enter an integer from 1 to 1440. The default is 720.

quota-threshold percentage - Configures the disk quota threshold. This threshold is the percentage of bytes used on the CSS disk.

For the percentage variable, enter an integer from 10 to 99. The default is 90.

Use the no form of the command to disable this trap.

SSL-proxy

backend-server|ssl-server server-num tcp virtual|server window bytes

no [backend-server | ssl-server] server-num tcp virtual|server window

As per CSCek52385, the new window keyword allows you to increase the client-side or server-side SSL TCP window size for your specific environment to improve performance.

The bytes variable is the window size in bytes. Enter a number from 12288 to 40960. By default, the CSS sends a window size of 12,288 bytes.

Use the no form of the command to reset the default value for the window size.


Table 2 lists the commands and options that have changed in software version 7.50.3.03.

Table 2 CLI Commands Changed in Version 7.50.3.03

Mode
Command and Syntax
Description

Content

application realaudio-control

The realaudio-control keyword has been removed from the CLI. If configured, this keyword would cause startup errors per CSCek32262.

Service

domain "string"

The string variable is now a quoted string. The quoted string allows the use of the % character.

For backward compatibility, you can enter an unquoted text string with no spaces and a maximum length of 64 characters. However, the CSS does not allow you to enter the % character. Also the CSS changes the string in the running-config to a quoted string.


Software Version 7.50.2.05 Open Caveats, Resolved Caveats, and Command Changes

The following sections contain the open caveats, resolved caveats, and command changes in software version 7.50.2.05:

Software Version 7.50.2.05 Open Caveats

Software Version 7.50.2.05 Resolved Caveats

Software Version 7.50.2.05 Command Changes

Software Version 7.50.2.05 Open Caveats

The following caveats apply to software version 7.50.2.05:

CSCej87514 - The CSS fails to negotiate a TCP handshake successfully when it is proxying a connection to a server that returns a zero window size.

CSCek00530 - The CRL download fails if the HTTP header spans multiple packets. The CRL download occurs between the SSL module and the configured CRL server. The HTTP header is terminated by a CRLFCRLF, and the CRL download code expects that terminator to be in the first server data packet. The actual CRL data may span multiple packets. In testing with Linux, if the MTU was 278, the HTTP header splits and the CRL download fails.

CSCek15563 - The IPV4 critical message does not include adequate information to determine which traffic is causing the error message to be generated. For example, the following message should include the IP addresses or ports so you can determine which traffic is generating the error condition.
SEP 19 13:50:25 4/1 6307 IPV4-2: Ipv4SlaveForwBmanChk: no ingress LP in buffer

CSCek27227 - The CSS may reboot when receiving an SNMP get request for the MIB variable apCntStickyNoCookieString on a content rule.

CSCek29491 - When the CSS is configured with a service with keepalive type http encrypt (an encrypted keepalive) and the service IP address is not on the local subnet, but must be routed to, the CSS fails to complete the SSL handshake and resets the connection. This causes the service to remain in the down state permanently.

CSCek32632 - The CSS reboots when it runs out of system application buffers and fails to check for a non-existent buffer return code.

CSCek32637 - The CSS reboots when it runs out of file descriptors and is configured with scripted keepalives and the command scheduler.

Software Version 7.50.2.05 Resolved Caveats

The following caveats were resolved in software version 7.50.2.05:

CSCei00309 - The CSS may reboot if the ARP timing list has duplicate entries.

CSCei21776 - If the CSS receives a RST packet while a connection is already in the process of being shut down, the SSL module may reboot.

CSCei27622 - Invalid "SSL FINISHED" messages may cause the CSS SSL module to reset, which causes the CSS to deny any SSL connections. When the offending packet is no longer sent to the CSS and the timer expiration causes the SSL module to reset, the CSS starts accepting new connections.

CSCei31328 - When you configure client authentication on an SSL module, the SSL module may incorrectly reuse the session ID with different VIPs.

CSCei31463 - VRRP traps may no longer be sent by the backup CSS when the commit_redundancy script is run.

CSCei33610 - When an SSL module is configured with the http-method parse RFC2518-methods global command and the ssl-server 20 http-header static "WL-Proxy-SSL: true" SSL config mode command, the custom header is not seen when the RFC2518 PROPFIND header is present.

CSCei35940 - The following new log message was added for a source group misconfiguration, where 'index' is the internal source group index value. However, the log message is only logged if an internal source group debug flag "FwPortMapLogging" is enabled, which can only be done using symbols in debug mode. This may cause confusion when tracking log messages because the log message should be at warning, info, or debug level logging.

"<Routine name>: Possible portmap leak - <index> changed to <index>"

CSCei40272 - When using an SSL module, there may be packets that are being seen on the client-side connection that are believed to be destined to the SSL module.

CSCei47195 - After rebooting the CSS, the isc-port reports LifeTick failures that may not cause session replication to occur correctly because the peers are not passing messages across the isc-port. Workaround: To enable messages to be passed correctly, remove and re-add the isc-port that is experiencing the issue.

CSCei49115 - Creating a service using the CSS GUI may result in the following error message:

"An error has occurred while processing your service configuration request."

Though the service may get created, the keepalive parameters may not be displayed in the CLI and the service will not be activated. Workaround: Add the service using the CLI.

CSCei55203 - The CSS does not receive CRLs when booting even though it is able to resolve DNS requests. Workaround: Use an IP address instead of a hostname in the CRL record to avoid this issue.

CSCei55727 - Software version 7.40.2.02 enables you to suspend and activate the ssl-proxy list without making changes to the type ssl-init, ssl-accel, and ssl-accel-backend services. If you make changes to your backend-server configuration and suspend and activate the ssl-proxy list, the CSS will not process traffic correctly.

CSCei55869 - The CSS ignores the header-insert information in the ssl-proxy-list after you suspend and then reactivate the ssl-proxy-list. The configuration appears in the running configuration.

CSCei81533 - The CSS leaks a TCPFAST application source port when it receives a TCP FIN while it is already in the process of closing the connection. When the CSS leaks source ports, services remain in the DOWN state.

CSCei88708 - A CSS that contains an SSL module may reboot due to improperly handling an error condition when it closes a connection.

CSCei91293 - When you configure the CSS for SSL termination using the ssl-server http-header insert-per-request command and the CSS receives HTTP POST requests that span multiple packets, the SSL module incorrectly inserts the static HTTP header into multiple packets in the spanned POST requests. This incorrect insertion causes the connection to fail.

CSCej01719 - When you configure the CSS with an ACL preferred service clause and a source group that both match an incoming ICMP ECHO request, the CSS properly performs source NAT on the ICMP request but does not properly forward the request to the preferred service in the matched ACL clause.

CSCej02503 - Setting the TCP syn timeout value on an SSL service causes the CSS to reboot.

CSCej12554 - The CSS may provide the wrong MAC address for the VIP address or not properly handle VIP load-balanced traffic if the CSS VIP address is inserted into the internal CSS ARP or routing tables.

CSCej12745 - If you configure a service with the ap-kal-pinglist scripted keepalive, the service is placed in the wrong service state if one of the script arguments is a local VIP address on the CSS.

CSCej14453 - The CSS may reboot when trying to import or export an SSL file using SFTP.

CSCej17291 - When you configure the CSS for SSL termination, it may fail to complete an SSL connection and issue an alert when the server combines multiple SSL messages into a single record layer message.

CSCej22808 - When the CSS is configured for SSL termination and an SSL session closes, the CSS may free the internal SSL session structure twice, causing the CSS to reboot.

CSCej30229 - The SSL module may insert an extra byte into the SSL record causing all of the subsequent bytes in the record to decode incorrectly. This issue prevents the client from finding the next SSL record header and the session falls apart with "short record" errors.

CSCej34375 - The CSS SSL backend-server IP address and server IP addresses and their port values must be unique. If they are not unique, the following error message appears:
%% Backend-server ip/server address and port values must form unique tuples.

CSCej35592 - If you configure the number of hours before you update the CRL to 0, the CSS may reboot.

CSCej45447 - In a CSS with an SSL module using SSL session ID reuse, if SSL sessions are reused with the same session ID, VIP, and port, some SSL sessions may be leaked causing the SSL module to refuse new SSL connections.

CSCej46421 - The CSS may reboot when the CSS SNMP agent receives an SNMP bulk NEXT request and one of the SNMP OID requests returns an error.

CSCej60160 - A CSS under minimum load may send many traplog messages that display extremely high DOS attack numbers and display the numbers as negative.

CSCej61680 - The CSS may reboot if it is configured with an unsupported wildcard domain name in a content rule.

CSCej64552 - During an FTP session, if you enter a list (ls) command with a pathname greater than 256 characters, the CSS reboots.

CSCej70513 - The CSS reboots after you modify an SSL configuration and then run the commit_vip_redundancy script.

CSCej72467 - The CSS SSL module may leak chunks of memory causing the CSS to run out of sessions and to be unable to accept new incoming connections.

CSCej72718 - On a CSS configured with URL rewrite, if the CSS cannot find the http:// value in the expected Location: field, it may perform the URL rewrite incorrectly and reboot.

CSCej76133 - The global configuration flow reserve-clean command is being removed and the associated MIB object deprecated. This command has been replaced with the flow permanent and the flow-timeout-multiplier commands.

CSCej76835 - The CSS SSL module may hang in a Down state and then attempt to reboot because it was unable to create a core file. During this time, all traffic to the SSL module is dropped. When this condition exists, the show task command in debug mode displays suspended tasks on the SSL module.

CSCej83237 - Using the ssl genscr command to generate a new certificate with an existing filename causes the CSS to reboot.

CSCej88415 - On a CSS configured with SSL header insertion, when the CSS processes an application data frame that contains a GET, it attempts to insert session information into the clear text request header, but the cipher is NULL, causing the SSL module to reboot.

CSCek00656 - In some instances, an ap-kal-dns scripted keepalive stops being sent from CSS to server.

CSCek04270 - The CSS reboots when you add a DNS entry to a content rule.

CSCek04631 - The ip route originated-packets command did not work consistently when configured on the CSS and the results were undefined.

CSCek06031 - An FTP test tool was run against the CSS to perform vulnerability testing and the CSS experienced many core dumps. The tool would send FTP commands with very long file and path names and the CSS would corrupt internal memory and reboot.

CSCek12106 - The CSS allows you to add a primary or a secondary sorry server (whose service does not contain a redundant-index) to a content rule that contains a redundant-index when that content rule is active. This should not be allowed and may cause the config-sync command to fail and Adaptive Session Redundancy to not work properly.

CSCek22918 - When accessing the CSS GUI, you are prompted with a SSL certificate from the CSS. The SSL certificate was configured to expire on 5/29/2006. Although the expired certificate can continue to be used to access the GUI, a new certificate has been provided.

CSCek24806 - If a TACACS server responds to the three way TCP handshake but then fails to fully respond to the actual TACACS request, the CSS authentication ability may fail to respond and no further login attempts will be authenticated.

CSCek24921 - If a connection that is being authenticated is closed before the authentication process completes, the CSS reboots.

CSCek25025 - When the CSS is configured with SSL initiation and SSL backend, the CSS terminates the cleartext connection but does not create the corresponding SSL connection.

CSCek25247 - The CSS reboots when it is configured for XML and receives a HTTP content request with a large number of tags that uses all the available HTTP daemon memory, which leaves zero memory when it is time to process the MIME authorization.

CSCek26020 - The CSS reboots if you enter the no ssl-server xx cipher ? command and "xx" is not a configured ssl-server.

CSCek26792 - The CSS did not send a TCP RST for a "Mid Spoof Reject" as it did for a "Mid Nat Reject". These errors occur when the Flow Control Blocks (FCBs) for a connection have been deleted and reused for new incoming connections. If the configured content rule is a Layer 3 rule or a Layer 4 rule, the error is "Mid Nat Reject". If the configured content rule is a Layer 5 rule, the error is "Mid Spoof Reject".

CSCek34363 - On a CSS with an SSL module configured with client authentication and session ID reuse (which is enabled by default), connections from the IE browser hang. Once the HTTP GET is received, the CSS does not forward that GET to the server. The client browser hangs until the connection times out.

Software Version 7.50.2.05 Command Changes

Table 3 lists the commands and options that have been added in software version 7.50.2.05.

Table 3 CLI Commands Added in Version 7.50.2.05  

Mode
Command and Syntax
Description

SSL-Proxy

no [backend-server | ssl-server] number tcp [virtual | server] ack-delay

The no version of this command resets the acknowledgement delay on a client or server connection to 200 milliseconds (ms).

ssl-server number crl crl_record_name expiration-enable {verification-enable}

The new expiration-enable keyword allows the SSL module to determine whether a reloaded CRL file has expired by checking the Next Update field in the file. By default, when the CSS successfully loads the CRL initially and then reloads a new copy of the CRL file at the configured hourly refresh interval, it does not check the Next Update field in the file to determine if the CRL has expired, and so it may download an expired file from the configured server.

When you configure this keyword and the CSS tries to load a new copy of the CRL, the SSL module checks the Next Update field in the file. If the field indicates that the CRL has expired, the module clears it from each associated SSL server and rejects all resulting client connections.

The SSL module checks the Next Update field when the CSS loads the CRL file. A load occurs when:

You activate an ssl-accel type service.

An SSL-server VIP address associated with a CRL goes to the master state (for example when a content rule is activated).

The CRL hourly refresh interval is reached.

You enter the ssl force-crl command.

The new verification-enable option allows the SSL module to clear the CRL from each associated SSL server and reject all resulting client connections when any of the following failures occurs while downloading a CRL file:

Host Timeout

Host TCP Reset

Host HTTP "File not Found" return code

CRL File Format Bad

CRL Signature Bad

CRL Next Update Field Invalid

CRL Next Update Expired

Internal CRL memory allocation failure

SuperUser

clear ssl crl statistics {crl_name}

Clears all SSL certificate revocation list (CRL) records statistics displayed through the show ssl crl-record command. You can optionally clear the statistics for a specified CRL record name, crl_name.

ssl clear-crl {crl_name}

Clears the CRL file from all associated SSL servers. You can optionally clear a specified CRL record name, crl_name.


Caution Use this command with caution. If client authentication is configured and you clear the CRL, all resulting client connections are reset.

Table 4 lists the commands and options that have changed in software version 7.50.2.05.

Table 4 CLI Commands Changed in Version 7.50.2.05

Mode
Command and Syntax
Description

Global

flow reserve-clean

no flow reserve-clean

These commands have been removed from the CLI.

SSL-Proxy

no ssl-server number tcp virtual retrans

This command replaces the no ssl-server number tcp retrans command.

[backend-server | ssl-server] number tcp [virtual | server] syn-timeout seconds

The range for the seconds variable is now 1 to 3600. Formerly, the range was 0 to 3600.


Software Version 7.50.1.03 Open Caveats, Resolved Caveats, and Command Changes

The following sections contain the open caveats, resolved caveats, and command changes in software version 7.50.1.03:

Software Version 7.50.1.03 Open Caveats

Software Version 7.50.1.03 Resolved Caveats

Software Version 7.50.1.03 Command Changes

Software Version 7.50.1.03 Open Caveats

The following caveats apply to the CSS 11501, CSS 11503 and the CSS 11506:

CSCeh64196 - In an environment using large SSL POSTs, the TCP window on the SSL module may be reduced in size to less than a packet. This issue creates an ACK for each subsequent packet. Due to the length (in Kbytes) of the transaction, this condition causes the session to last significantly longer than it should compared with TCP windows large enough to accept enough data to fill their buffers.

CSCeh65783 - When a critical service becomes active, the CSS does not apply the VRRP hold down timer. Immediately after the critical service becomes active, VRRP transitions to a master state.

CSCei21776 - If the CSS receives a RST packet while a connection is already in the process of being shut down, the SSL module may reboot.

CSCei31328 - When you configure client authentication on an SSL module, the SSL module may incorrectly reuse the session ID with different VIPs.

CSCei31463 - VRRP traps may no longer be sent by the backup CSS when the commit_redundancy script is run.

CSCei31471 - While processing approximately 150 connections/sec the SSL module hangs and does not recover. The SSL module does not fail over, which causes all SSL traffic to fail. The CSS does not produce core dumps.

CSCei33610 - When an SSL module is configured with the http-method parse RFC2518-methods global command and the ssl-server 20 http-header static "WL-Proxy-SSL: true" SSL config mode command, the custom header is not seen when the RFC2518 PROPFIND header is present.

CSCei35940 - The following new log message was added for a source group misconfiguration, where 'index' is the internal source group index value. However, the log message is only logged if an internal source group debug flag FwPortMapLogging is enabled, which can only be done using symbols in debug mode. This may cause confusion when tracking log messages because the log message should be at warning, info, or debug level logging.

"<Routine name>: Possible portmap leak - <index> changed to <index>"

CSCei40272 - When using an SSL module, there may be packets that are being seen on the client-side connection that are believed to be destined to the SSL module.

CSCei44528 - When using SSL header insertion, some characters may be dropped from the client cert.

CSCei45775 - In the enhancement for CSCei03460, the syntax for the no ssl server 1 tcp virtual retrans command is incorrect. The virtual keyword is missing from the command. The no version of the command does not remove the command from the running-config. The value is being set properly, but it is not correct in the running-config and will cause the running-config to fail. Workaround: Use the ssl-server 1 tcp virtual retrans command with the default value of 500.

CSCei47195 - The isc-port reports LifeTick failures that may not cause session replication to occur correctly because the peers are not passing messages across the isc-port. Workaround: To enable messages to be passed correctly, remove and re-add the isc-port that is experiencing the issue.

CSCei49115 - Creating a service using the CSS GUI may result in the following error message:

"An error has occurred while processing your service configuration request."

Though the service may get created, the keepalive parameters may not be displayed in the CLI and the service will not be activated. Workaround: Add the service using the CLI.

CSCei50372 - On a CSS with an SSL module and SSL initiation configured, the SSL module may reboot without creating a core file in certain situations.

CSCei55203 - The CSS does not receive CRLs when booting even though it is able to resolve DNS requests. Workaround: Use an IP address instead of a hostname in the CRL record to avoid this issue.

CSCei55869 - The CSS ignores the header-insert information in the ssl-proxy-list after you suspend and then reactivate the ssl-proxy-list. The configuration appears in the running configuration.

CSCei55651 - The commit vip redundancy script may fail when the master configuration is very large.

CSCei55727 - Software version 7.40.2.02 enables you to suspend and activate the ssl-proxy list without making changes to the type ssl-init, ssl-accel, and ssl-accel-backend services. If you make changes to your backend-server configuration and suspend and activate the ssl-proxy list, the CSS will not process traffic correctly.

Software Version 7.50.1.03 Resolved Caveats

The following caveats were resolved in software version 7.50.1.03:

CSCeg64394 - In an ASR redundancy configuration, the sticky tables may not synchronize completely after the backup CSS is rebooted.

CSCeg69358 - When you configure the expiration time and date for a location cookie using the location-cookie expiration command, or the arrowpoint-cookie expiration command and the advanced-balance arrowpoint-cookie command, the CSS CPU may spike and the CSS may experience a degradation in its performance. Configure the expiration option with the location-cookie or the arrowpoint-cookie expiration command only when necessary.

CSCeh00709 - When you configure the CSS using the IP advanced-route-remap command, the command does not take effect on services that are local to the CSS.

CSCeh18228 - When you configure the CSS virtual router with a critical reporter that is in a Backup state, this places the virtual router into the Master(ReportBkup) state, which causes the CSS to incorrectly bring the dormant flows to an active state. The CSS should keep these flows in a dormant state until the reporter is master again.

CSCeh34493 - A backup CSS may reboot during a VIP redundancy config sync operation.

CSCeh34858 - A CSS running 7.40.1.07s with an SSL module and URL rewrite activated may not rewrite the URLs in 302 redirect answers from the servers if the "Location" word in the HTTP header spans two different TCP packets.

CSCeh35317 - In a Content Replication configuration using a UNIX directory structure on the publisher, if the publisher FTP server uses UserID/GroupID instead of UserName/GroupName in the directory listing, the CSS fails to detect the files for replication on the Publisher.

CSCeh35328 - In a Content Replication configuration, it was possible for the CSS to improperly send numerous test files to the Subscriber. In some cases, the Subscriber FTP server would detect this as an attack and would deny FTP access from the CSS. This was changed so that the CSS will send no more than 4 test files per minute.

CSCeh38202 - Client authentication fails when the client certificate spans multiple packets.

CSCeh38676 - When ASR is configured, the ISC link will not come up unless the SCM is in slot 1.

CSCeh38890 - On a CSS 11503 or CSS 11506, the CSS may inject incorrect arrowpoint cookie expiration values.

CSCeh39182 - On networks that experience frequent packet losses and long transaction times, a configuration parameter is needed to deal with SSL transactions terminated on the CSS so the user can tune the retransmission timers to account for these delays.

CSCeh39266 - When running VIP/interface redundancy with a pair of CSSs connected to a Catalyst 6509/Supervisor 720, the GB ports on the backup CSS may fail unless the interfaces connected to the Catalyst are explicitly shut down using the admin-shutdown command.

CSCeh44262 - For a CSS in a VIP/Interface redundant configuration, when a critical service transitioned from DOWN to BACKUP, the CSS would improperly GARP causing devices to update their ARP tables with incorrect information.

CSCeh45167 - On a CSS with an SSL module and URL rewrite activated, if non-standard ports are configured to be rewritten as well as the "https://", and the 3XX response from the server spans across multiple packets, only the "https" may be rewritten, but not the "port".

CSCeh45575 - When ASR is configured, the CSS may reboot during a VRRP transition.

CSCeh48648 - When the CSS was configured for backend remapping, the TCP RST ACK number sent to the backend server to close the connection was incorrect.

CSCeh49741 - When the CSS is configured for SSL termination, if an SSL handshake message contained multiple SSL messages inside a single record and the record size was greater than 1520 bytes, the resulting CSS behavior was incorrect. The CSS sent an SSL alert, rebooted, or failed to verify the SSL client certificate.

CSCeh49861 - When a CSS was configured with a DNS entry that was added to a content rule as well as configured as a proximity record, the CSS improperly freed some of the associated memory, and rebooted.

CSCeh51008 - If a new client authentication certificate was placed on the CSS and you entered the no ssl associate command followed by the ssl associate command that contained a name that already existed in the ssl-proxy-list, and then you suspended and activated the server that was using the ssl-proxy-list, the CSS would reboot.

CSCeh53894 - On a CSS with an SSL module, the TCP acknowledge timer may become corrupt, causing the CSS to reboot.

CSCeh54012 - When a CSS was configured with a service type redirect and a long URL was requested, resulting in a redirect response from the CSS, the redirect was being logged. When the redirect string was logged, it was long enough to corrupt memory and caused the CSS to reboot.

CSCeh54652 - When configuring location cookie, the service types of ssl-accel-backend and ssl-init need to be permitted. Previously only local and redirect were allowed to be configured.

CSCeh56281 - The CSS may reboot when suspending a content rule due to internal rule tree corruption using Layer 5 rules containing a wildcard url "/hraward*" and a header tag rule using the url "/home*". This is because both URLs begin with the same letter.

CSCeh57760 - The CSS may not NAT all ICMP error packets. The IP packet within the ICMP error is translated, but the encompassing ICMP error packet may not be NAT-translated before being sent out of the CSS.

CSCeh64254 - When typing the show group command on a group name that is not configured using specific arguments and you use the question mark (?) to get the list of available options, the CSS may reboot.

CSCeh65429 - When configuring the CSS to add an HTTP keepalive, you may see the following error message:

Error %% Maximum keepalives of this type have been exceeded. Cannot activate when 
trying to add a new HTTP head keepalive.

CSCeh65531 - The debug mode flowmgr reset logging may cause the port number in the log message to be incorrect.

CSCeh68829 - When using advanced balance arrowpoint or location cookies, if the server packets are out of order and HTTP data arrives before the HTTP header, the CSS will not correctly adjust the TCP sequence number, resulting in corrupted data received on the client.

CSCeh70529 - With the CSS configured with an SSL module and URL rewrite activated, if the HTTP 3XX response from the server contained the tag "Content-Location:", the URL rewrite failed because the wrong HTTP tag in the packet was modified. The CSS should modify the "\r\nLocation: <>\r\n" tag only, instead of any HTTP tag that contains the word "Location:".

CSCeh70874 - When using the commit_vip_redundancy script to sync a config that includes ACLs and has authChallenge configured on the APP session, if the session secret ends with the string "app", the commit may fail.

CSCeh71185 - On a CSS configured with a Layer5 rule, when receiving a POST with multiple data packets, if one packet starts with the content "HEAD" it will be blocked by the CSS.

CSCeh75114 - When a POST is processed by the CSS, if the data that follows the POST begins with a CONNECT or GET, the CSS would erroneously interpret that to be an HTTP method. The CSS will now fully qualify all HTTP Methods to ensure that the POST data is not incorrectly processed as a valid HTTP method.

CSCeh76035 - When configuring an RMON alarm, if you suspend, activate, suspend and then enter the no rmon-alarm command, the CSS may reboot.

CSCeh72177 - HTTP methods that have an authority form (for example, CONNECT) were incorrectly rejected if the authority string had one '.' or more than three '.'.
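The three caveats above (CSCeh71185, CSCeh75114, CSCeh72177) share one root cause: a method check that looks at the first bytes of each packet instead of parsing a complete request line and consuming the body by Content-Length. The following is an added example, not Cisco CSS code, showing the defective per-packet check beside a fully qualified parser that walks a TCP stream message by message and accepts CONNECT authority forms with any number of dots. The byte stream, host names and cookie-free headers are constructed for illustration.

```python
import re

# Added example, not Cisco CSS code: the constructed byte stream below stands in
# for client-to-server TCP data that a Layer 5 rule would inspect.
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}

# A request line is a token, a space, a target, a space, and the HTTP version.
REQUEST_LINE_RE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")
# Authority form for CONNECT is host:port; the host may contain any number of dots.
AUTHORITY_RE = re.compile(r"^[A-Za-z0-9.\-]+:\d{1,5}$")
CONTENT_LENGTH_RE = re.compile(rb"\r\nContent-Length:[ \t]*(\d+)\r\n", re.IGNORECASE)


def naive_packet_is_request(packet: bytes) -> bool:
    """The defective check: a packet is 'a request' if it merely starts with a
    method token. Body data such as b'HEAD of the form' passes this test."""
    return any(packet.startswith(m.encode()) for m in KNOWN_METHODS)


def qualified_request_line(data: bytes):
    """Return (method, target) only when data begins with a complete request line
    whose method is a known token and whose target has the form that method allows."""
    m = REQUEST_LINE_RE.match(data)
    if m is None:
        return None
    method, target = m.group(1).decode("ascii"), m.group(2).decode("ascii")
    if method not in KNOWN_METHODS:
        return None  # "GETS" or "HEADER" are not methods; no prefix matching
    if method == "CONNECT":
        if AUTHORITY_RE.match(target) is None:
            return None
    elif not (target.startswith("/") or target == "*"):
        return None  # origin form (or asterisk form for OPTIONS) only
    return method, target


def split_requests(stream: bytes):
    """Walk a TCP stream message by message, consuming each body by its
    Content-Length so body bytes are never re-examined as a request line."""
    requests = []
    pos = 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0:
            raise ValueError("incomplete header block")
        head = stream[pos:end + 4]
        parsed = qualified_request_line(head)
        if parsed is None:
            raise ValueError(f"not an HTTP request line: {head[:24]!r}")
        cl = CONTENT_LENGTH_RE.search(head)
        length = int(cl.group(1)) if cl else 0
        body = stream[end + 4:end + 4 + length]
        if len(body) < length:
            raise ValueError("truncated body")
        requests.append((parsed[0], parsed[1], body))
        pos = end + 4 + length
    return requests


# Constructed sample: a POST whose body happens to begin with the word HEAD,
# followed by a CONNECT in authority form on the same connection.
SAMPLE_STREAM = (
    b"POST /upload HTTP/1.1\r\nHost: www.example.test\r\nContent-Length: 17\r\n\r\n"
    b"HEAD of the form\n"
    b"CONNECT www.example.test:443 HTTP/1.1\r\nHost: www.example.test:443\r\n\r\n"
)

if __name__ == "__main__":
    print(naive_packet_is_request(b"HEAD of the form\n"))  # True: the false positive
    for method, target, body in split_requests(SAMPLE_STREAM):
        print(method, target, body)
```

The naive check would block the POST body as a stray HEAD (CSCeh71185) and treat body text beginning with GET or CONNECT as a new method (CSCeh75114); the stream walker never looks at body bytes for a request line, and the authority check does not count dots (CSCeh72177).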

CSCeh83740 - On a CSS with an SSL module configured with an SSL proxy list using a CRL and VIP/interface redundancy, the backup CSS does not download the CRL, causing DoS attacks.

CSCeh83762 - If the CSS was configured with services with encrypted http keepalives of type ssl-backend or ssl-initiation, memory may be leaked on the SSL module until eventually all memory blocks could be depleted and user SSL traffic would cease.

CSCeh86543 - If the CSS is configured for SSL Termination using a CRL list and the SSL module was in the process of retrieving the CRL when the global CRL record was deleted on the SCM, the SSL module may reboot. This may also occur when you issue the clear running-config command.

CSCeh86555 - The CSS may reboot when enabling OSPF due to an OSPF LSA update that contained the maximum Ethernet packet size.

CSCeh87082 - If the CSS was configured for logging to an SMTP server, when the CSS opened an SMTP connection to the mail host, the CSS was incorrectly detecting the "continue" character of "-". This caused the CSS and the SMTP mail host to get out of sync in the SMTP protocol and the sendmail connection would be terminated by the CSS prematurely, causing the sendmail to fail.

CSCeh89126 - If the CSS is configured for client authentication, SSL handshake failures may occur after the CSS has been rebooted if the client authentication certificate spanned multiple packets.

CSCeh89468 - A CSS running 7.50.0.5s will not match the HTTP method CONNECT on a Layer 5 content rule. You must configure a Layer 3 or Layer 4 content rule or the CSS will reset the HTTP CONNECT method. The HTTP method CONNECT will now properly match on a configured Layer 5 content rule and be load balanced to the appropriate server.

CSCeh89398 - When trying to set and enable the SNTP server through the GUI on the CSS running 7.4.1.11s, the following error may occur:

"An error occurred while processing your request. The request was not completed."

CSCeh97409 - If the CSS was configured with a protocol-only content rule (that is, "protocol tcp" but no "port") and the VIP range on the content rule was changed, a reboot was required for the configuration change to take effect, even after suspending and activating the content rule.

CSCei00983 - On a CSS with an SSL module, the available memory on the SSL module could drop significantly on a daily basis until all available memory was lost, severely impacting SSL traffic and requiring a reboot to recover the memory.

CSCei02447 - When an SSL module was configured for header insertion, the SSL header insertion was not occurring for all POSTs, and potentially GETs if the HTTP header terminator spanned multiple packets.

CSCei04797 - The CSS was allowing a scripted keepalive under a service to be configured, even if the script did not exist. Once the service was activated, the following error message appeared in the show service command display:

Script Error: Script failed to load. Is script present on disk?

CSCei08501 - The backup CSS does not download the CRL information in a box-to-box setup because the interfaces are not active. When the CSS moves from backup to master, the SSL module does not attempt to download the CRL after the interfaces become active. This prevents the backup CSS from having the correct CRL information until the first update is sent after it becomes the master CSS. Because of this condition, the backup CSS will not have the correct CRL information when it becomes the master CSS.

CSCei15420 - When a CSS is configured with VIP/Interface redundancy, critical reporters, and SNMP redundancy-transition traps enabled, it rebooted when a reporter transitioned to down, due to a string over-run on the trap text.

Software Version 7.50.1.03 Command Changes

Table 5 lists the commands and options that have been added in software version 7.50.1.03.

Table 5 CLI Commands Added in Version 7.50.1.03  

Mode
Command and Syntax
Description

All

zero group statistics

Clears all service and portmap statistics for all source groups displayed through the show group command.

Formerly, the zero all command in group configuration mode cleared these statistics. This command now clears the statistics for the group in the current mode.

zero sasp-agent label statistics

Clears all of the SASP statistics displayed through the show sasp-agent label statistics command.

The label variable is the label configured for the SASP agent through the global configuration sasp-agent command.

Global

ftp data-channel-timeout seconds

no ftp data-channel-timeout

Allows you to configure the time to wait to initiate the FTP data channel on an active or passive FTP connection when you configure the CSS for FTP content rule and source groups.

The seconds variable is the wait time in seconds. Enter a number from 5 to 20. The default value is 5. To reset the default wait time to 5 seconds, use the no ftp data-channel-timeout command.

sasp max-agent weight

no sasp max-agent

Configures the possible maximum weight that the SASP agent can report to the CSS. By default, the CSS supports a maximum weight of 64 reported by the SASP agent.

Because the CSS supports a weight range of 0 to 10, the CSS performs a weight scaling conversion calculation that maps the SASP weight range to the CSS weight range. If the SASP agent reports weights higher than 64, the CSS still maps them to a weight of 10. If the SASP agent reports a maximum weight less than 64, the full weight range of the CSS will not be used.

The weight variable is the maximum weight that the SASP agent will report to the CSS. Enter a number from 1 to 65535. The default value is 64. To reset the default value, use the no sasp max-agent command.
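To make the tuning point concrete, here is an added example (not Cisco code) that models the scaling described above. The release note gives only the two ranges and the clamping to 10; the linear mapping in css_weight is an assumption made for illustration. It shows that an agent which never reports above 32 reaches only half of the CSS range at the default sasp max-agent of 64, and the whole range once the maximum is set to 32.

```python
CSS_MAX_WEIGHT = 10  # the CSS weight range is 0 to 10 (from the release note)


def css_weight(sasp_weight: int, max_agent_weight: int = 64) -> int:
    """Map a weight reported by the SASP agent onto the CSS range.
    The linear scaling is an assumption for illustration; the release note only
    states the ranges and that weights above max_agent_weight still map to 10."""
    if not 1 <= max_agent_weight <= 65535:
        raise ValueError("sasp max-agent accepts 1 to 65535")
    if sasp_weight < 0:
        raise ValueError("SASP weights are non-negative")
    scaled = round(sasp_weight * CSS_MAX_WEIGHT / max_agent_weight)
    return min(scaled, CSS_MAX_WEIGHT)  # over-range reports are clamped, not rejected


def reachable_css_weights(agent_reported_max: int, max_agent_weight: int = 64) -> list:
    """Which CSS weights an agent can actually produce when the largest weight it
    ever reports is agent_reported_max but the CSS is configured with max_agent_weight."""
    return sorted({css_weight(w, max_agent_weight) for w in range(agent_reported_max + 1)})


if __name__ == "__main__":
    # An agent that never reports above 32 uses only half the CSS range at the default...
    print(reachable_css_weights(32))        # [0, 1, 2, 3, 4, 5]
    # ...and the whole range once "sasp max-agent 32" is configured.
    print(reachable_css_weights(32, 32))    # [0, 1, ..., 10]
```

The practical check is reachable_css_weights with the largest weight your agents really emit: if the list stops short of 10, lower sasp max-agent to that value; if agents emit above the configured maximum, the clamp silently flattens them to 10.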

Owner-
Content

arpt-lct http-100-reinsert

no arpt-lct http-100-reinsert

Reinserts the arrowpoint (ARPT) cookie in the server response packet when the previous HTTP response packet contains a 100 Continue response. Use this command on a content rule configured with the advanced-balance arrowpoint-cookie command.

By default, the CSS always inserts an ARPT cookie in the first server response packet that begins with HTTP. More than likely during POST processing, the packet may contain a 100 Continue response instead of a 200 OK response. When the client receives the 100 Continue response with the inserted ARPT cookie, it may discard the response along with the cookie. Because the CSS does not reinsert the cookie when it receives a following 200 OK response, the client never uses the cookie and stickiness is broken. To reinsert the ARPT cookie in an HTTP server response if the previous packet contains a 100 Continue response, use the arpt-lct http-100-reinsert command.

To reset the default behavior of inserting the ARPT cookie only in the first server response packet that begins with HTTP, use the no arpt-lct http-100-reinsert command.
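The stickiness failure described above is easy to see in a small model. The following is an added example, not Cisco CSS code: it inserts a cookie into the first response beginning with HTTP (the default) or, with reinsertion on, again into the response following a 100 Continue, and then checks what a client that discards 1xx responses actually keeps. The cookie value and the two server responses are constructed.

```python
import re

# Added example, not Cisco CSS code. The cookie value and the server responses
# below are constructed for illustration.
STATUS_RE = re.compile(rb"^HTTP/1\.[01] (\d{3}) ")


def insert_cookie(response: bytes, cookie: bytes) -> bytes:
    """Add a Set-Cookie header to a response whose header block is complete."""
    head_end = response.find(b"\r\n\r\n")
    if head_end < 0:
        raise ValueError("response header block incomplete")
    return response[:head_end] + b"\r\nSet-Cookie: " + cookie + response[head_end:]


def proxy_responses(responses, cookie: bytes, http_100_reinsert: bool = False):
    """Model the CSS inserting the ARPT cookie into the first server response that
    begins with HTTP and, with http_100_reinsert, again into the response that
    follows a 100 Continue."""
    out = []
    inserted = False
    for r in responses:
        m = STATUS_RE.match(r)
        if m is None or inserted:
            out.append(r)  # continuation data, or the cookie is already placed
            continue
        status = int(m.group(1))
        out.append(insert_cookie(r, cookie))
        # A 100 Continue does not count as "placed" when reinsertion is on.
        inserted = not (status == 100 and http_100_reinsert)
    return out


def client_keeps_cookie(responses, cookie: bytes) -> bool:
    """Clients discard 1xx interim responses; only a final (>= 200) response's
    Set-Cookie is stored, so this is what the next request will carry."""
    for r in responses:
        m = STATUS_RE.match(r)
        if m and int(m.group(1)) >= 200:
            return (b"Set-Cookie: " + cookie) in r
    return False


# Constructed POST exchange: the server answers the Expect: 100-continue first.
POST_RESPONSES = [
    b"HTTP/1.1 100 Continue\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok",
]
ARPT_COOKIE = b"ARPT=constructed-value"

if __name__ == "__main__":
    for reinsert in (False, True):
        kept = client_keeps_cookie(proxy_responses(POST_RESPONSES, ARPT_COOKIE, reinsert), ARPT_COOKIE)
        print(f"http-100-reinsert={reinsert}: client keeps cookie -> {kept}")
```

With the default behaviour the cookie lands only in the 100 Continue and the client discards it; with reinsertion the 200 OK also carries it and stickiness survives the POST.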

SSL-Proxy

[backend-server | ssl-server] number tcp [virtual | server] retrans milliseconds

no [backend-server | ssl-server] number tcp {server} retrans

The new retrans option allows you to adjust the retransmission timer for SSL transactions. On networks that experience a lot of packet loss, the transaction can take a long time.

The milliseconds variable is the minimum time in milliseconds for retransmission of SSL transactions. Enter a number from 50 to 500. The default value is 500. To reset the default value of 500 milliseconds, use the no form of the command.

See CSCei45775.

ssl-server number http-header insert-per-request

no ssl-server number http-header insert-per-request

The new insert-per-request option configures the CSS to insert HTTP headers in all HTTP requests within the same TCP connection.

By default, HTTP header insertion only occurs on the first HTTP request for a persistent HTTP connection. Subsequent requests within the same TCP connection are sent unmodified. To reset the default behavior on the CSS, use the no ssl-server number http-header insert-per-request command.

SuperUser

ssl force-crl-reload {name}

Forces the CSS to download all Certificate Revocation Lists (CRLs) or a specific CRL on any active SSL-proxy list on an active service configured with a service type of ssl-accel.

The name variable is the name of a specific CRL that you want to download. If you do not include a specific CRL name with this command, the CSS downloads any of the configured CRLs that are associated with an active SSL-proxy list on an active service.

You cannot download CRLs on a CSS in the backup state.


Table 6 lists the commands and options that have changed in software version 7.50.1.03.

Table 6 CLI Commands Changed in Version 7.50.1.03

Mode
Command and Syntax
Description

All

show ssl crl-record

Now includes a File Not Found field that increments when a CRL filename is not found on the CRL host.

Global

flow persist-span-ooo

no flow persist-span-ooo

This command formerly was in Debug mode. This command enables the reordering of persistent spanning packets. By default, the CSS disables the reordering of persistent spanning packets. To reset the default behavior, use the no flow persist-span-ooo command.

flow set-port-zero enable | disable

This command formerly was in Debug mode. This command enables or disables the CSS to pass traffic using a TCP/UDP source or destination port of 0. By default, the CSS disables the passing of traffic using port 0.

Use the enable keyword to enable the passing of traffic using a TCP/UDP source and destination port of 0.

Note The CSS normally logs traffic with a source or destination port of 0 as a denial-of-service (DoS) attack. If you enable traffic on port 0, the CSS does not log these flows as denial-of-service attacks.

Use the disable keyword to reset the CSS to its default behavior of not passing traffic using a TCP/UDP source and destination port of 0.

flow tcp-del-ack

no flow tcp-del-ack

This command formerly was in Debug mode. This command enables TCP delayed acknowledgements (ACK) for Layer 5 spanning packets. By default, the CSS disables TCP delayed ACK for Layer 5 spanning packets. To reset the default behavior, use the no flow tcp-del-ack command.

ospf advertise ip_address subnet_mask {metric}

The range for the metric variable is now 0 to 16777215. It was formerly 1 to 16777215.

rip advertise ip_address subnet_mask {metric}

The range for the metric variable is now 0 to 15. It was formerly 1 to 15.

Group

zero all

Formerly, this command cleared all service statistics for all source groups displayed through the show group command. This command now clears the statistics for the group in the current mode. It also now clears the portmap statistics.

To clear all service statistics for all source groups displayed through the show group command, use the zero group statistics command, which is available in any mode.


Software Version 7.50.0.04 Open Caveats, Resolved Caveats, and Command Changes

The following sections contain the open caveats, resolved caveats, and command changes in software version 7.50.0.04:

Software Version 7.50.0.04 Open Caveats

Software Version 7.50.0.04 Resolved Caveats

Software Version 7.50.0.04 Command Changes

Software Version 7.50.0.04 Open Caveats

The following caveats apply to the CSS 11501, CSS 11503 and the CSS 11506:

CSCeg64394 - In an ASR redundancy configuration, the sticky tables may not synchronize completely after the backup CSS is rebooted.

CSCeg69358 - When you configure the expiration time and date for a location cookie using the location-cookie expiration command or the arrowpoint-cookie expiration command and the advanced-balance arrowpoint-cookie command, the CSS CPU may spike and the CSS may experience a degradation in its performance. Configure the expiration option with the location-cookie or the arrowpoint-cookie expiration command only when necessary.

CSCeg84467 - Duplicate addresses can appear when the heartbeat circuit between two CSSs is configured with the redundancy protocol.

CSCeh00709 - When you configure the CSS using the IP advanced-route-remap command, the command does not take effect on services that are local to the CSS.

CSCeh18228 - When you configure the CSS virtual router with a critical reporter that is in a Backup state, thus placing the virtual router into the Master(ReportBkup) state, the CSS incorrectly brings the dormant flows to an active state. The CSS should keep these flows in a dormant state until the reporter is master again.

CSCeh38202 - Client authentication fails when the client certificate spans multiple packets.

Software Version 7.50.0.04 Resolved Caveats

The following caveats were resolved in software version 7.50.0.04:

CSCee60207 - Using ACLs and source groups to NAT client traffic fails for traffic destined to an SSL content rule that uses an SSL module. The CSS matches the ACL, but does not NAT the client's source IP address. The result is that one-armed topologies do not function properly for specific SSL content rules. The workaround is to configure the source group using the add destination service command instead of using ACLs.

CSCeg25641 - According to RFC 2068, Hypertext Transfer Protocol - HTTP/1.1, if "chunked" is in a HEAD response, the CSS should ignore it and not try to look for more data. However, the CSS continues to look for more data, which causes the keepalive to fail.

CSCeg35174 - During a secure HTTPS transfer, the CSS sends out several hundred KBs, waits between 3.5 and 5 seconds, and then sends out another several hundred KBs. The CSS repeats this pattern until the transfer is complete. The delay between bulk transfers adds to the transfer time for the file locally. Note that this delay does not impact standard HTTP file transfers, only secure HTTP file transfers.

CSCeg37717 - When running heavy client authentication traffic in which the client sends a chained certificate, traffic will eventually stop. If you use the show system resources command several times, the memory on the SSL module drops quickly to approximately 140 MB, and then traffic stops until you reboot the CSS.

CSCeg40291 - While running a custom keepalive script in a Global Server Load Balancing (GSLB) environment, both CSSs reboot (that is, the CSS running the script and its peer). The CSS running the script creates a core dump, but the peer CSS reboots without creating a core dump.

CSCeg40412 - If you configure the CSS with an invalid CA certificate when using client authentication, the CSS may incorrectly process the request. This only occurs when you configure a failure method of type redirect. This also only occurs when using IE browsers. When you use Netscape browsers, the CSS sends a redirect to the client.

CSCeg46589 - A scripted keepalive using socket waitfor in the script may fail with a "Script error" at the socket waitfor line. The service will therefore be down. Conditions: The socket waitfor must be expecting a string that matches exactly the data the service is sending. Workaround: Either configure socket waitfor to a shorter string (1 byte less is sufficient) than what the service sends or configure the service to send a string that is longer (1 byte more is sufficient) than what the socket waitfor expects.

CSCeg47732 - When the CSS sends a reset to a client that contains a redirect to an IE browser, the client receives a blank page. But when the client refreshes the page, the issue is resolved. This problem only occurs on IE browsers. The problem is not seen when you use Netscape, Mozilla or Opera browsers.

CSCeg50573 - If the CSS receives a UDP packet, places it on a vector for future processing, and starts processing the vector, it may incorrectly reference a null pointer and reboot.

CSCeg52668 - If SSH connections from a client are dropped without a FIN or a RESET, the CSS eventually times out the connection on its side but will not release the socket. This prevents the CSS from accepting new connections.

CSCeg60264 - When you configure the CSS with keepalives with the keepalive tcp-close fin command, the TCPFAST ports may become stuck. Over time, all the ports could become stuck, causing the keepalives to fail.

CSCeg60985 - A scripted keepalive may cause the box to unexpectedly reboot due to a double delete.

CSCef61128 - The CSS may reboot when it receives an out of sequence or malformed SSH protocol message.

CSCeg62476 - When you configure an SSL server with URL rewrite on the CSS and then the CSS receives a 3XX HTTP response that does not contain the Location field in the first packet, the SSL connection could fail.

CSCeg67414 - When an SSL server Hello spans two packets and you configure the tcp-close command with a FIN, the ssl keepalive type fails.

CSCeg72635 - When you configure the CSS to respond to DNS requests for domain names by using the content rule add dns command and the CSS is using firewall load balancing (FWLB), the CSS may send a DNS response to the wrong firewall.

CSCeg72741 - The CSS could fail to NAT when using ACLs with source groups under certain conditions.

CSCeg72773 - When you configure the CSS for content replication and it constructs a file name for replication, the root directory could not be found. The CSS will now correctly handle this condition.

CSCeg76469 - Passive FTP may fail when the server reuses ports and the file to be transferred is very small.

CSCeg81363 - If a Telnet session fails the authentication of the username and password pair to the CSS and then immediately disconnects at the same moment that the CSS was disconnecting the session due to the failure, the CSS could hang. At this point Telnet, console, SSH and FTP access is denied until you reboot the CSS.

CSCeg82005 - A CWD (change working directory) command was issued through an FTP connection and the pathname contained more than 31 directories. Because the CSS only supports 31 directories in the pathname, the CSS could unexpectedly reboot.

CSCeg83161 - When you configure the CSS with an ISC port, walking the apFlowMgrStatIfTable MIB could cause the following message to appear in the sys.log file:

FLOWMGR-3: GetPortFlowStats CE = 0

CSCeg84248 - When loading v1 MIBs on HP OpenView, the CISCO-SMI warning message is displayed.

CSCeg85065 - Deliveries of error logs for internal messages may cause the CSS to unexpectedly reboot.

CSCeg85854 - SNMP causes memory leaks.

CSCeh00595 - An SNMP GET NEXT of the apFlowMgrExtSlotFlowStats table on a chassis that is not fully populated could cause the CSS to reboot.

CSCeh05837 - When ASR is configured, the CSS does not replicate a load-balanced data channel in an FTP connection to the backup CSS.

CSCeh09415 - When ASR is configured, dormant flows incorrectly time out on the backup CSS.

CSCeh18285 - The CSS immediately ARPs when the spanning-tree topology changes.

CSCeh20456 - Suspending and activating services that are used in an SSL proxy list may cause an active session that is in use to be deleted. This will cause the CSS to reboot.

Software Version 7.50.0.04 Command Changes

Table 7 lists the commands that have been added in software version 7.50.0.04. Table 8 lists the commands that have changed in software version 7.50.0.04.

Table 7 CLI Commands Added in Version 7.50.0.04 

Mode
Command and Syntax
Description

All modes

show http-methods

Displays the HTTP method parsing configuration and processing status. For information about the fields in the show http-methods command output, refer to the Cisco Content Services Switch Content Load-Balancing Configuration Guide.

SuperUser and all configuration modes

show sasp

Displays the SASP manager state and configuration on the CSS. For information about the fields in the show sasp command output, refer to the Cisco Content Services Switch Content Load-Balancing Configuration Guide.

show sasp-agent label {active-list|inactive-list|statistics}

Displays information for services associated with an SASP agent and SASP statistical data. For information about the use of this command, its argument, options, and output fields, refer to the Cisco Content Services Switch Content Load-Balancing Configuration Guide.

show sasp-agent-summary

Displays the configuration and state information for all SASP agents on a CSS. For information about the fields in the show sasp-agent-summary command output, refer to the Cisco Content Services Switch Content Load-Balancing Configuration Guide.

SuperUser

clock summer-time name [recurring {start_week start_day start_month hh:mm end_week end_day end_month hh:mm {offset}}|date dateStart monthStart yearStart hh:mm dateEnd monthEnd yearEnd hh:mm {offset}]

no clock summer-time

Sets daylight saving time (DST) on the CSS. Use the no form of this command to disable DST on the CSS.

For information about the use of this command, and its keywords, arguments, and options, refer to the Cisco Content Services Switch Getting Started Guide.

Global

arp mac-down-immediate

no arp mac-down-immediate

Configures the CSS, when it receives a Down event for a MAC address in the bridge forwarding table, to immediately send an ARP request for the IP address associated with that MAC address, thus immediately repopulating the entries in the bridge forwarding table.

By default, when the CSS receives a Down event for a MAC address in the bridge forwarding table, it may not send an ARP request for the IP address associated with that MAC address for up to 60 seconds to refresh the table. During this time, the bridged flows through the CSS to the MAC address could fail. Use the no form of this command to reset the default behavior.

http-method parse RFC2518-methods|user-defined-method "method_name" {uri [wildcard|authority|url]}

no http-method parse RFC2518-methods|user-defined-method method_name

Configures the CSS to support all HTTP methods defined in RFC-2518 and configure user-defined methods. Use the no form of this command to disable the parsing of RFC-2518 extension methods or remove a user-defined method.

For information about the use of this command, and its keywords, arguments, and options, refer to the Cisco Content Services Switch Content Load-Balancing Configuration Guide.

http-method statistics clear

Clears the Hit Counter fields for the methods displayed through the show http-methods command.

http-redirect-option [fin-rst|fin-fin|rst-rst]

Configures the CSS to send specific TCP FIN and RST flags with HTTP 302 redirect messages. By default, when the CSS sends an HTTP 302 redirect message, it sends a FIN flag on an initial connection and RST flags on subsequent requests in a persistent connection.

For information about the use of this command, refer to the Cisco Content Services Switch Content Load-Balancing Configuration Guide.

sasp {unique-id "name"}

no sasp

Enables SASP on the CSS and optionally configures a unique SASP ID for the CSS. Use the no form of this command to disable SASP on the CSS.

For information about the use of this command, and its option and argument, refer to the Cisco Content Services Switch Content Load-Balancing Configuration Guide.

sasp-agent label ip_address port

no sasp-agent label {ip_address port}

Configures an SASP agent on the CSS. Use the no form of this command to remove the agent from the CSS.

For information about the use of this command and its arguments, refer to the Cisco Content Services Switch Content Load-Balancing Configuration Guide.

Keepalive

type http {persistent} {encrypt}

The new encrypt option allows you to configure an encrypted persistent or non-persistent HTTP HEAD or GET keepalive for SSL back-end or initiation servers. Encrypted HTTP keepalives allow the CSS to verify the full SSL handshake and the data returned from the server. For more information on encrypted keepalives, refer to the Cisco Content Services Switch SSL Configuration Guide.

Service

keepalive type http {persistent} {encrypt}

Owner-Content

add sasp-agent label

Adds an existing SASP agent to the content rule. When you add the agent to a rule, the CSS populates the agent group with the services configured on the rule.

For information about the use of this command, refer to the Cisco Content Services Switch Content Load-Balancing Configuration Guide.

remove sasp-agent

Removes the configured SASP agent from the content rule.

SSL Proxy List

ssl-server number http-header [client-cert-field|server-cert-field|session-field] default_field "configured_field"

no ssl-server number http-header [client-cert-field|server-cert-field|session-field] {default_field}

Allows you to configure the client-certificate, server-certificate, or session field value of the HTTP header tag that is inserted during a client connection. Use the no form of this command to reset the value for a default SSL client-certificate, server-certificate, or session field.

For information about the use of this command, and its keywords and arguments, refer to the Cisco Content Services Switch SSL Configuration Guide.


Table 8 lists the commands that changed in software version 7.50.0.04.

Table 8 CLI Commands Changed in Version 7.50.0.04 

Mode
Command and Syntax
Description

Global

sntp [primary-server | secondary-server] ip_address {version number}

sntp [primary-server-poll-interval | secondary-server-poll-interval] seconds

no sntp [primary-server | secondary-server | primary-server-poll-interval | secondary-server-poll-interval]

The sntp command has been modified to allow the configuration of a primary or secondary SNTP server on the CSS, and their poll intervals. For information about the use of this command, and its keywords and arguments, refer to the Cisco Content Services Switch Getting Started Guide.

This command and its no form replace the previous version of the sntp command:

sntp [server ip_address {version number}|poll-interval seconds]

no sntp [server|poll-interval]


Obtaining Documentation, Obtaining Support, and Security Guidelines

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.

© 2006 Cisco Systems, Inc. All rights reserved.