Release Notes for Catalyst 6500 Series Switch Content Switching Module with SSL (CSM-S) Software Release 2.2(x)

Table Of Contents

Release Notes for Catalyst 6500 Series
Content Switching Module with SSL Software Release 2.2(x)

Contents

System Requirements

Memory Requirements

Hardware Supported

Software Requirements

Software Compatibility

Software Release 2.2(6)

Software Release 2.2(5)

Software Release 2.2(4)

Software Release 2.2(3)

Software Release 2.2(2)

Software Release 2.2(1)

Software Release 2.2(x) Features

New Features

New and Changed Information

Limitations and Restrictions

Open and Resolved Caveats in Software Release 2.2(6)

Open Caveats in Software Release 2.2(6) for CSM

Resolved Caveats in Software Release 2.2(6) for CSM

Open Caveats in Software Release 2.2(6) for SSL

Resolved Caveats in Software Release 2.2(6) for SSL

Open and Resolved Caveats in Software Release 2.2(5)

Open Caveats in Software Release 2.2(5) for CSM

Resolved Caveats in Software Release 2.2(5) for CSM

Open Caveats in Software Release 2.2(5) for SSL

Resolved Caveats in Software Release 2.2(5) for SSL

Open and Resolved Caveats in Software Release 2.2(4)

Open Caveats in Software Release 2.2(4) for CSM

Resolved Caveats in Software Release 2.2(4) for CSM

Open Caveats in Software Release 2.2(4) for SSL

Resolved Caveats in Software Release 2.2(4) for SSL

Open and Resolved Caveats in Software Release 2.2(3)

Open Caveats in Software Release 2.2(3) for CSM

Resolved Caveats in Software Release 2.2(3) for CSM

Open Caveats in Software Release 2.2(3) for SSL

Resolved Caveats in Software Release 2.2(3) for SSL

Open and Resolved Caveats in Software Release 2.2(2)

Open Caveats in Software Release 2.2(2) for CSM

Resolved Caveats in Software Release 2.2(2) for CSM

Open Caveats in Software Release 2.2(2) for SSL

Resolved Caveats in Software Release 2.2(2) for SSL

Open and Resolved Caveats in Software Release 2.2(1)

Open Caveats in Software Release 2.2(1) for CSM

Resolved Caveats in Software Release 2.2(1) for CSM

Open Caveats in Software Release 2.2(1) for SSL

Resolved Caveats in Software Release 2.2(1) for SSL

Troubleshooting

Message Banners

Server and Gateway Health Monitoring

Diagnostic Messages

Fault Tolerance Messages

Regular Expression Errors

XML Errors

Related Documentation

Cisco IOS Software Documentation Set

Obtaining Documentation and Submitting a Service Request



Current Release: 2.2(6)—January 27, 2012
Previous releases: 2.2(5), 2.2(4), 2.2(3), 2.2(2), 2.2(1)

This publication describes the features, modifications, and caveats for the Catalyst 6500 Series Content Switching Module with SSL (CSM-S) software release 2.2(x) operating on a Catalyst 6500 series switch.


Note Except where specifically differentiated, the term "Catalyst 6500 series switches" includes both Catalyst 6500 series and Catalyst 6000 series switches.


Contents

System Requirements

New Features

New and Changed Information

Limitations and Restrictions

Open and Resolved Caveats in Software Release 2.2(6)

Open and Resolved Caveats in Software Release 2.2(5)

Open and Resolved Caveats in Software Release 2.2(4)

Open and Resolved Caveats in Software Release 2.2(3)

Open and Resolved Caveats in Software Release 2.2(2)

Open and Resolved Caveats in Software Release 2.2(1)

Troubleshooting

Related Documentation

Obtaining Documentation and Submitting a Service Request

System Requirements

This section describes the system requirements for the Catalyst 6500 series CSM-S software release 2.2(6).

Memory Requirements

The minimum recommended memory for a chassis with a CSM-S is a Supervisor Engine with 256 MB of DRAM and an MSFC2 with 256 MB of DRAM. For specific requirements, consult the Cisco Feature Navigator (http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp).

Hardware Supported

Before you can use the Catalyst 6500 series CSM-S, you must have a Supervisor Engine 2 with an MSFC2 or a Supervisor Engine 720 and any module that has ports to connect server and client networks.


Caution The WS-X6066-SLB-S-K9 CSM-S is not fabric enabled, but the module can operate in a fabric-enabled chassis like any other nonfabric module.

Product Number                                  Minimum Cisco IOS Software (1)   Recommended Cisco IOS Software (2)   Recommended Catalyst Operating System Software

Content Switching Module (WS-X6066-SLB-S-K9)
  Supervisor Engine 2 with MSFC2                12.2(18)SXD                      12.2(18)SXF15                        Not applicable
  Supervisor Engine 720 with MSFC3              12.2(18)SXE                      12.2(18)SXF15                        Not applicable
  Supervisor Engine 720-10G                     12.2(33)SXI2                     12.2(33)SXI2                         Not applicable

Console Cable (72-876-01)                       -                                Not applicable                       Not applicable

Accessory Kit (800-05097-01)                    -                                Not applicable                       Not applicable

(1) The minimum software release required to support the CSM-S hardware with a given Supervisor Engine and to perform basic CSM-S configuration.

(2) The base software release required to support the new commands of a given CSM-S release.


Software Requirements


Note Support for the CSM-S is removed in Cisco IOS Software Release 12.2(33)SXH and later releases up to Release 12.2(33)SXI; it is reenabled in Release 12.2(33)SXI2 (see the "Software Compatibility" section).



Note The CSM-S is not supported by the Catalyst operating system software.


Table 1 lists the software releases for the CSM-S.

Table 1 CSM-S Software Requirements 

CSM-S Software   Software Part Number   Hardware Module      Catalyst Operating System Software   Cisco IOS Software
2.2(6)           SC6K-2.2-CSM-S         WS-X6066-SLB-S-K9    Not applicable                       Release 12.2(18)SXD and higher
2.2(5)           SC6K-2.2-CSM-S         WS-X6066-SLB-S-K9    Not applicable                       Release 12.2(18)SXD and higher
2.2(4)           SC6K-2.2-CSM-S         WS-X6066-SLB-S-K9    Not applicable                       Release 12.2(18)SXD and higher
2.2(3)           SC6K-2.2-CSM-S         WS-X6066-SLB-S-K9    Not applicable                       Release 12.2(18)SXD and higher
2.2(2)           SC6K-2.2-CSM-S         WS-X6066-SLB-S-K9    Not applicable                       Release 12.2(18)SXD and higher
2.2(1)           SC6K-2.2-CSM-S         WS-X6066-SLB-S-K9    Not applicable                       Release 12.2(18)SXD and higher


Software Compatibility

The minimum version that is listed is required to support the CSM-S hardware with a given supervisor engine to perform basic CSM-S configuration.

The recommended version is the base version to support new commands for a given CSM-S release.


Note Support for the CSM-S is removed in Cisco IOS Software Release 12.2(33)SXH and later releases up to Release 12.2(33)SXI. The support for the CSM-S is reenabled in Cisco IOS Software Release 12.2(33)SXI2.


Table 2 lists the CSM-S software release compatibility.

Table 2 Cisco IOS Software on the Supervisor Engine and MSFC 

CSM-S Software   Cisco IOS Software
2.2(6)           12.2(18)SXD or higher for the features new to CSM-S release 2.2(6)
2.2(5)           12.2(18)SXD or higher for the features new to CSM-S release 2.2(5)
2.2(4)           12.2(18)SXD or higher for the features new to CSM-S release 2.2(4)
2.2(3)           12.2(18)SXD or higher for the features new to CSM-S release 2.2(3)
2.2(2)           12.2(18)SXD or higher for the features new to CSM-S release 2.2(2)
2.2(1)           12.2(18)SXD or higher for the features new to CSM-S release 2.2(1)


Software Release 2.2(6)

The CSM-S software release 2.2(6) is a combination of the following software releases:

CSM software release 4.3(6)

SSL software release 2.1(13s)

Software Release 2.2(5)

The CSM-S software release 2.2(5) is a combination of the following software releases:

CSM software release 4.3(5)

SSL software release 2.1(13s)

Software Release 2.2(4)

The CSM-S software release 2.2(4) is a combination of the following software releases:

CSM software release 4.3(4)

SSL software release 2.1(13s)

Software Release 2.2(3)

The CSM-S software release 2.2(3) is a combination of the following software releases:

CSM software release 4.3(3)

SSL software release 2.1(13s)

Software Release 2.2(2)

The CSM-S software release 2.2(2) is a combination of the following software releases:

CSM software release 4.3(2)

SSL software release 2.1(12s)

Software Release 2.2(1)

The CSM-S software release 2.2(1) is a combination of the following software releases:

CSM software release 4.3(1)

SSL software release 2.1(9)

Software Release 2.2(x) Features

CSM-S software release 2.2(x) contains feature sets that support SSL and functionality from earlier CSM releases. The tables in this section list supported feature sets.

Table 3 and Table 4 list the CSM features available in this release and in earlier CSM-S software releases.

Table 3 CSM Feature Set Description 

Features
Supported Hardware

Supervisor 2 with MSFC2 with Cisco IOS software Release 12.2(18)SXD and higher

Supervisor Engine 720 Cisco IOS software Release 12.2(18)SXE and higher

Supported Protocols

TCP load balancing

UDP generic IP protocol load balancing

Special application-layer support for FTP and the Real Time Streaming Protocol (RTSP)

Layer 7 Functionality

Full regular expression matching

URL, cookie switching, Generic HTTP header parsing, HTTP method parsing

Miscellaneous Functionality

VIP connection watermarks

Backup (sorry server) and server farm

Optional port for health probes

IP reassembly

TCL (Toolkit Command Language) scripting

XML configuration interface

SNMP

GSLB (Global Server Load Balancing)-requires a license

Resource usage display

Configurable idle and pending connection timeout

Idle timeout for unidirectional flows

SSL Services Module (SSLM) integration for SSL load balancing

Real server names

TCP connection redundancy for all types of flows (TCP, UDP, and IP)

Fault tolerant show command enhancements

Cisco IOS SLB FWLB interoperation (IP reverse-sticky)

Multiple CSMs in a chassis

CSM and Cisco IOS-SLB functioning simultaneously in a chassis

Configurable HTTP 1.1 persistence (either all GETs are made to the same server or are balanced to multiple servers)

Fully configurable NAT

Server-initiated connections

Route health injection

Load-balancing Algorithms

Round-robin

Weighted round-robin (WRR)

Least connections

Weighted least connections

URL hashing

Source IP hashing (configurable mask)

Destination IP hashing (configurable mask)

Source and destination IP hashing (configurable mask)

Load Balancing Supported

Server load balancing (TCP, UDP, or generic IP protocols)

Firewall load balancing

DNS load balancing

Stealth firewall load balancing

Transparent cache redirection

Reverse proxy cache

SSL off-loading

VPN-IPSec load balancing

Generic IP devices and protocols

Stickiness

Cookie sticky with configurable offset and length

SSL ID

Source IP (configurable mask)

HTTP redirection

Redundancy

Sticky state

Full stateful failover (connection redundancy)

Health Checking

HTTP

ICMP

Telnet

TCP

FTP

SMTP

DNS

Return error-code checking

Inband health checking

User-defined TCL scripts

Management

SNMP traps

Full SNMP and MIB support

XML interface for remote CSM configuration

Back-end encryption support

Workgroup Manager Support

Server Application State Protocol (SASP)


Table 4 lists the CSM-S features in this release.

Table 4 CSM-S Feature Set Description 

Features
Supported Hardware

Supervisor Engine 2 with MSFC2

Supervisor Engine 720

Supported Software

Cisco IOS software Release 12.2(18)SXD with the Supervisor Engine 2

Cisco IOS software Release 12.2(18)SXE and higher with Supervisor Engine 720

SSL Features

SSL initiation

SSL version 2.0 forwarding

URL rewrite

HTTP header insertion

Wildcard proxy

Handshake Protocol

SSL 3.0

SSL 3.1/TLS 1.0

SSL 2.0 (only ClientHello support)

Session reuse

Session renegotiation

Session timeout

Symmetric Algorithms

ARC4

DES

3DES

Asymmetric Algorithms

RSA

Hash Algorithms

MD5

SHA1

Cipher Suites

SSL_RSA_WITH_RC4_128_MD5

SSL_RSA_WITH_RC4_128_SHA

SSL_RSA_WITH_DES_CBC_SHA

SSL_RSA_WITH_3DES_EDE_CBC_SHA

Public Key Infrastructure

RSA key pair generation for certificates up to 2048-bit

Secure key storage in CSM-S flash memory device

Certificate enrollment for client and server-type proxy services

Importing and exporting of key and certificate (PKCS12 and PEM)

Duplicating keys and certificates on standby CSM-S using the key and certificate import and export mechanism

Manual key archival, recovery, and backup

Key and certificate renewal using the CLI

Graceful rollover of expiring keys and certificates

Auto-enrollment and auto-renewal of certificates

Importing of certificate authority certificates by cut-and-paste or TFTP

Up to 8 levels of certificate authority in a certificate chain

Generating of self-signed certificate

Manual certificate enrollment using cut-and-paste or TFTP of PKCS10 CSR file

Peer (client and server) certificate authentication

Peer (client and server) certificates

Certificate security attribute-based access control lists

Certificate revocation lists (CRL)

Certificate expiration warning

TCP Termination

RFC 1323

Connection aging

Connection rate

NAT (1) / PAT (2)

Client and server

Redundancy

No SSL access in standby state

For a supported redundancy configuration, pair two CSMs or two CSM-S modules; do not mix a CSM with a CSM-S.

High Availability

Failure detection (SLB health monitoring schemes)

Module-level redundancy (stateless)

Serviceability

Password recovery

Statistics and Accounting

Total SSL connections attempt per proxy service

Total SSL connections successfully established per proxy service

Total SSL connections failed per proxy service

Total SSL alert errors per proxy service

Total SSL resumed sessions per proxy service

Total encrypted/decrypted packets/bytes per proxy service

Statistics displayed at 1 second, 1 minute, and 5 minutes traffic rate for CPU utilization and SSL-specific counters

(1) NAT = Network Address Translation

(2) PAT = Port Address Translation


New Features

Table 5 lists the features that have been added in CSM-S software release 2.2(x). For detailed information about using the new features, see the "New and Changed Information" section.

Table 5 New CSM-S Feature Set Description 

New Features in this Release
Description

New predictor type staticload added

When the configured predictor type is staticload, load balancing across real servers of the server farm will be based on a statically configured load value. Either the CLI or the XML configuration feature can be used to configure the predictor type and the load value of the real servers.

Enhanced show module csm slot vserver detail command

Displayed information from the show module csm slot vserver detail command now includes the virtual server's current load value and the number of virtual server transitions.


New and Changed Information

New predictor type staticload feature.

Supplementing the existing predictor types for server load balancing (such as round-robin, least connections, or address hashing), a new predictor type staticload has been added. When the configured predictor type is staticload, load balancing across real servers of the server farm will be based on a load value statically configured by the user.

The selection of the predictor type is made in the server farm configuration submode, as shown in this example:

Router(config-slb-sfarm)# predictor staticload

You can specify the static load for each real server in the real server configuration submode as shown in this example:

Router(config-slb-real)# staticload real_server_load

The range for the real_server_load argument is from 2 to 254. The default value of 2 indicates the least load, while a value of 254 indicates the maximum load.

As an alternative to the CLI, the XML configuration feature can be used to configure the predictor type and the load value of the real servers.

Enhanced show module csm slot vserver detail command.

Displayed information from the show module csm slot vserver detail command now includes the virtual server's current load value and the number of virtual server transitions. When the staticload predictor has been selected, the current load is the average of the configured static loads for the server farm. (If the staticload predictor is not selected, the current load shows the dynamic load of the virtual IP address.) The transition count indicates the number of times a load of 255 has been reported to the Global Site Selector (GSS).

The following is an example of the show module csm slot vserver detail command output:

Router# show module csm slot vserver detail

<vserver_name>, type = SLB, state = OPERATIONAL, v_index = 52
  virtual = <vserver_ip/mask>:<port> bidir, TCP, service = NONE, advertise = FALSE
  idle = 3600, replicate csrp = sticky/connection, vlan = ALL, pending = 30, layer 7
  max parse len = 4000, persist rebalance = TRUE
  ssl sticky offset = 0, length = 32
  conns = <current_connections>, total conns = <total_connections>
  current load = <avg.config.load>, transition count = <trans.count>
  Default policy:
    server farm = serverfarm_name, backup = <not assigned>
    sticky: timer = 0, subnet = 0.0.0.0, group id = 0
  Policy          Tot matches  Client pkts  Server pkts
  -----------------------------------------------------
  (default)       0            0            0
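
The staticload configuration and the current-load figure described above, as an added Python example (not Cisco code and not part of these release notes): it checks every real server's staticload against the documented range of 2 to 254, renders the CLI lines for the server farm, and computes the average that the vserver detail output should display for the virtual server. The server names, the slot number, truncation of the average to an integer, counting only in-service reals, and reporting a load of 255 when no real is usable are assumptions made for the example.

```python
# Added example (not Cisco code): assemble a server farm that uses the staticload
# predictor, validate each real's load against the documented 2..254 range, emit
# the CLI lines, and compute the "current load" that show module csm <slot>
# vserver detail reports (the average of the configured static loads).
# Assumptions: server names, slot number, integer truncation of the average,
# in-service reals only, and 255 as the "unavailable" load when no real is usable.
from dataclasses import dataclass, field

LOAD_MIN, LOAD_MAX = 2, 254          # 2 = least load (the default), 254 = maximum


@dataclass
class Real:
    name: str
    staticload: int = LOAD_MIN
    inservice: bool = True


@dataclass
class ServerFarm:
    name: str
    reals: list = field(default_factory=list)


def is_valid_staticload(value) -> bool:
    """True when value is an integer the staticload command accepts."""
    return (isinstance(value, int) and not isinstance(value, bool)
            and LOAD_MIN <= value <= LOAD_MAX)


def render_serverfarm(farm: ServerFarm, slot: int) -> str:
    """Emit the configuration lines; refuse an out-of-range load up front rather
    than let the CLI reject it halfway through a pasted configuration."""
    lines = [f"module csm {slot}", f" serverfarm {farm.name}", "  predictor staticload"]
    for real in farm.reals:
        if not is_valid_staticload(real.staticload):
            raise ValueError(f"{real.name}: staticload {real.staticload!r} "
                             f"not in {LOAD_MIN}..{LOAD_MAX}")
        lines.append(f"  real name {real.name}")
        lines.append(f"   staticload {real.staticload}")
        lines.append("   inservice" if real.inservice else "   no inservice")
    return "\n".join(lines)


def expected_current_load(farm: ServerFarm) -> int:
    """Average of the configured static loads, which is what 'current load'
    shows under predictor staticload (integer average over in-service reals is
    an assumption; 255 for an empty farm is the load a GSS treats as unusable)."""
    loads = [r.staticload for r in farm.reals if r.inservice]
    if not loads:
        return 255
    return sum(loads) // len(loads)


if __name__ == "__main__":
    farm = ServerFarm("WEBFARM", [Real("SERVER-A", 10), Real("SERVER-B", 20),
                                  Real("SERVER-C", 254, inservice=False)])
    print(render_serverfarm(farm, slot=4))
    print("expected current load:", expected_current_load(farm))
```

Compare the printed load with the current load value in the show output after the configuration is applied; a mismatch means a real is not in the state you expected or the load was typed wrong.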
 
   

New environment variable RHI_ADMIN_DISTANCE.

When the CSM-S advertises its route through route health injection (RHI), it reports the administrative distance as 0. The new environment variable RHI_ADMIN_DISTANCE allows you to change this reported distance value. The default is 0; the range is 0 to 255.


Note The current IOS software on the MSFC does not update its route table with the distance value reported by the CSM-S. To force an update to the route table, take the virtual server OUTOFSERVICE, then bring it back to OPERATIONAL.


New environment variable PARSE_REVERSE_RESET.

When both sticky and persistent rebalance are configured, the CSM-S enables the PARSE_REVERSE_TRAFFIC flag for the session descriptor so that it will inspect all server replies. In rare cases, the PARSE_REVERSE_TRAFFIC flag is not cleared after parsing, and subsequent packets from the client are dropped as invalid packets. When the environment variable PARSE_REVERSE_RESET is set to 1 (enabled), the PARSE_REVERSE_TRAFFIC flag will be reset on the next received packet. The default is 0.

New environment variable REBALANCE_SAME_RULE.

On a persistent rebalance request, the CSM-S will rebalance only if a new policy is matched. When the environment variable REBALANCE_SAME_RULE is set to 1 (enabled), the CSM-S will force a rebalance regardless of which policy is matched. The default is 0 (rebalance only on new policy).

New environment variable ARP_VALIDATE_SOURCE_SUBNET.

When ARP_VALIDATE_SOURCE_SUBNET is set to 1 (enabled), the CSM-S will validate the source subnet of received ARP frames. An ARP frame from an incorrect source subnet will not be processed but will be eligible for repeating. The default is 1 (enabled). This variable was introduced in software release 4.2(7).
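A Python model of the ARP_VALIDATE_SOURCE_SUBNET check, added here as an example and not taken from Cisco code: it parses a raw Ethernet/IPv4 ARP packet in the RFC 826 layout and tests the sender protocol address against the subnets configured on the VLAN the frame arrived on, returning whether the frame would be processed or only be eligible for repeating. The VLAN subnet, MAC addresses and the two sample packets are constructed for the example.

```python
# Added example (not Cisco code): model of the ARP_VALIDATE_SOURCE_SUBNET check.
# Parses an Ethernet/IPv4 ARP packet and compares the sender protocol address
# with the subnets configured on the receiving VLAN.  VLAN subnet, MAC
# addresses and sample frames below are constructed for illustration.
import ipaddress
import struct
from dataclasses import dataclass

# RFC 826 fields: htype, ptype, hlen, plen, opcode, sha, spa, tha, tpa (28 bytes)
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")
ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass
class ArpPacket:
    opcode: int
    sender_mac: str
    sender_ip: ipaddress.IPv4Address
    target_mac: str
    target_ip: ipaddress.IPv4Address


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_arp(opcode: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Construct a 28-byte ARP packet (used only to build sample input)."""
    return ARP_HDR.pack(1, 0x0800, 6, 4, opcode,
                        _mac_bytes(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
                        _mac_bytes(target_mac), ipaddress.IPv4Address(target_ip).packed)


def parse_arp(payload: bytes) -> ArpPacket:
    """Decode an ARP packet; reject anything that is not Ethernet/IPv4 ARP."""
    if len(payload) < ARP_HDR.size:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(payload)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return ArpPacket(op, sha.hex(":"), ipaddress.IPv4Address(spa),
                     tha.hex(":"), ipaddress.IPv4Address(tpa))


def arp_disposition(payload: bytes, vlan_subnets, validate_source_subnet: bool = True) -> str:
    """'process' when the module would act on the frame; 'repeat-only' when the
    variable is 1 and the sender address lies outside every subnet of the VLAN
    (the release note says such a frame is still eligible for repeating)."""
    pkt = parse_arp(payload)
    if not validate_source_subnet or any(pkt.sender_ip in net for net in vlan_subnets):
        return "process"
    return "repeat-only"


# Constructed sample: the VLAN carries 10.1.1.0/24; the second frame claims a
# sender address that cannot exist on that VLAN.
VLAN10_SUBNETS = [ipaddress.ip_network("10.1.1.0/24")]
GOOD_REQUEST = build_arp(ARP_REQUEST, "00:11:22:33:44:55", "10.1.1.5",
                         "00:00:00:00:00:00", "10.1.1.1")
OFF_SUBNET_REQUEST = build_arp(ARP_REQUEST, "00:11:22:33:44:55", "192.168.9.9",
                               "00:00:00:00:00:00", "10.1.1.1")

if __name__ == "__main__":
    for label, frame in (("good", GOOD_REQUEST), ("off-subnet", OFF_SUBNET_REQUEST)):
        print(label, parse_arp(frame).sender_ip, "->", arp_disposition(frame, VLAN10_SUBNETS))
```

Leaving the variable at its default of 1 keeps an off-subnet sender from being learned by the module; the example shows what setting it to 0 gives up.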

Limitations and Restrictions

A CSM-S will not respond to pings to the virtual server when it is configured with service termination. The server is operational and is passing TCP flows to the real servers, which are also operational. This example shows the configuration:

vserver test
 virtual a.b.c.d  tcp 0 service termination
 serverfarm servers1
 persistent rebalance
 domain shrun
 inservice

If you need to ping the virtual server, do not configure service termination on the virtual server.

Do not use the ping command in a TCL script for a destination that is one or more hops away.

The TCL ping() command uses an underlying ping function provided by VxWorks. The VxWorks ping contains a bug that causes the ping function not to display an error when the ping function receives an ICMP error message (for example, host-unreachable). The function remains in a wait loop until it receives a valid response.

If the destination host is in the same subnet (Layer 2 adjacent) as the CSM-S-configured VLAN, the ICMP request either receives a valid response or times out, and the ping() function returns.

The problem occurs when the destination IP address is one or more hops away. The router between the CSM-S and the destination host could respond with a "destination unreachable" message to the CSM-S if the router determined that the subnet for this IP address is unknown.

The CSM-S may block or drop all UDP data channels of an RTSP service if client NAT is also enabled. This situation can occur when you configure a virtual server that the CSM-S uses to parse the RTSP service and, on the server farm used by that same virtual server, configure client NAT. In this situation, we recommend that you either remove the client NAT configuration from the server farm or remove the RTSP service from the virtual server.

If your configuration contains a pair of CSM-S modules in a single fault-tolerant group, and these paired modules are in an active-standby state, the modules might not retain the valid active-standby state if you add another CSM-S into this same fault-tolerant group. This action causes the fault-tolerant pair of modules to enter an invalid active-active state. In this case, remove the third CSM-S from the network and reboot the paired modules to allow them to recover their fault-tolerant state.

Configure a client NAT pool with the server farm IP address instead of using the static nat command. The static nat command is normally used for server-initiated connections. Beginning in software release 3.2(1), you can configure NAT client static in a server farm to take advantage of the static NAT feature for traffic matching a virtual server. If you configure NAT client static in a server farm for FTP or RTSP services, that traffic cannot pass through the CSM-S.

On systems that use Cisco IOS software and Catalyst operating system software, when you configure the Catalyst 6500 series switch to trust the DSCP priority bits of the incoming traffic, the CSM-S might reset the DSCP value to zero (0) if these frames are being forwarded by the CSM-S.

When you ping to a real server that is reached through a virtual server, which is configured with predictor forward, the ping might fail after the probe to the real server fails. This probe is configured in another server farm with failaction reassign. This example shows the configuration:

serverfarm <NAME>
 nat server
 no nat client
 predictor leastconns
 failaction reassign
 real name SERVER-A
   backup real name SERVER-B
   inservice
 real name SERVER-B
   backup real name SERVER-A
   inservice
 probe <NAME>

If failaction reassign is not required (in case the servers do not share connection states and cannot accept connections opened on the other server), remove failaction or use failaction purge.

Internal ports on the CSM-S (dot1q, trunk, port-channel, and so on) are automatically configured, with the exception of the VLANs on the trunk, which must be manually added using the set trunk slot 1 vlan-list command in Catalyst operating system.

When configuring Route Health Injection (RHI), proxy ARP must be disabled on the Catalyst 6500 series chassis (proxy ARP is enabled by default). Proxy ARP is disabled per interface, in interface configuration mode; we recommend disabling it on the VLAN interfaces using the no ip proxy-arp command.

Slot 1 is reserved for the supervisor engine. Slot 2 can contain an additional redundant supervisor engine in case the supervisor engine in slot 1 fails. If a redundant supervisor engine is not required, you can insert the CSM-S in slots 2 through 6 on a 6-slot chassis, slots 2 through 9 on a 9-slot chassis, or slots 2 through 13 on a 13-slot chassis.

There is no support for client NAT of IP protocols other than TCP or UDP.

If neither a real server nor a corresponding virtual server has an explicitly configured TCP/UDP port, then probes requiring such a port are not activated. All CSM-S health probes other than ICMP periodically create connections to specific TCP or UDP ports on configured real servers. If a health probe is configured on a real server without a configured TCP or UDP port, the CSM-S chooses the TCP or UDP port to probe from the virtual servers with which the real server is associated. If neither the real server nor the virtual server has a configured port, the CSM-S simply ignores any configured probes requiring ports to that real server.
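The probe-port rule described above, as an added Python example (not Cisco code) that can be run over a configuration before it is deployed to find probes that would silently never activate. The configuration structure and names are constructed for the example; two details are assumptions rather than documented behaviour: a virtual server listening on port 0 (any port, as in the service-termination example earlier in this section) supplies no probe port, and when several virtual servers use the same farm the first configured port is taken.

```python
# Added example (not Cisco code): resolve the port each health probe would use,
# following the rule in the release note: the real server's port, else a port
# from a virtual server that uses the farm, else the probe is ignored (ICMP
# never needs a port).  Assumed: a vserver on port 0 supplies no port, and the
# first vserver port found wins.  The sample configuration is constructed.
PORTLESS_PROBE_TYPES = {"icmp"}


def resolve_probe_port(probe_type: str, real_port, vserver_ports):
    """('active', port) for a probe the CSM-S would run, ('active', None) for
    ICMP, or ('ignored', None) when no TCP/UDP port can be found for it."""
    if probe_type.lower() in PORTLESS_PROBE_TYPES:
        return ("active", None)
    if real_port:
        return ("active", real_port)
    for port in vserver_ports:
        if port:                      # port 0 means "all ports" and cannot be probed
            return ("active", port)
    return ("ignored", None)


def audit_probes(config: dict) -> list:
    """Report (farm, real, probe, status, port) for every probe of every real.
    config = {"vservers": {name: {"port": int, "serverfarm": farm}},
              "serverfarms": {farm: {"reals": {real: port_or_None},
                                     "probes": [(probe_name, probe_type), ...]}}}"""
    farm_vserver_ports = {}
    for vs in config["vservers"].values():
        farm_vserver_ports.setdefault(vs["serverfarm"], []).append(vs["port"])
    report = []
    for farm_name, farm in config["serverfarms"].items():
        vports = farm_vserver_ports.get(farm_name, [])
        for real_name, real_port in farm["reals"].items():
            for probe_name, probe_type in farm["probes"]:
                status, port = resolve_probe_port(probe_type, real_port, vports)
                report.append((farm_name, real_name, probe_name, status, port))
    return report


# Constructed configuration: WEBFARM is reached through a port-80 vserver,
# ANYFARM through a "tcp 0" vserver, so only ICMP can probe SERVER-C.
SAMPLE_CONFIG = {
    "vservers": {
        "WEB": {"port": 80, "serverfarm": "WEBFARM"},
        "ANY": {"port": 0, "serverfarm": "ANYFARM"},
    },
    "serverfarms": {
        "WEBFARM": {"reals": {"SERVER-A": None, "SERVER-B": 8080},
                    "probes": [("HTTP-PROBE", "http")]},
        "ANYFARM": {"reals": {"SERVER-C": None},
                    "probes": [("TCP-PROBE", "tcp"), ("PING", "icmp")]},
    },
}

if __name__ == "__main__":
    for row in audit_probes(SAMPLE_CONFIG):
        print(*row)
```

An "ignored" row is the case the release note warns about: the real server looks probed in the configuration but the module never opens a connection to it, so a failed server stays in service until a port is configured on the real or on its virtual server.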

When configuring two CSM-S modules for fault tolerance, we recommend that you configure a dedicated link for the fault-tolerant VLAN.


Note Configuring stateful redundancy with CSM-S modules in separate chassis requires a gigabit link between the CSM-S modules.



Note CSM-S configuration synchronization is supported if the system uses Cisco IOS software in the supervisor engine. It is not supported if the system uses Catalyst operating system software in the supervisor engine.


The show mod csm slot tech all command may display IXP3 utilization above 100 percent when the cookie insert feature and other Layer 7 policies are active and CSM-S traffic suddenly stops and restarts. In response to this traffic fluctuation, the IXP3 clears and then reestablishes its tables. This activity overloads the IXP3, which results in the loss of some redundancy and slow path messages. The IXP3 recovers after the traffic level stabilizes. (CSCse91983)

In an active-standby connection state replication setup, the connection counters on the standby CSM-S are not the same as the counters on the active CSM-S. The active CSM-S correctly shows that the connections were load balanced to various servers within a server farm; on the standby CSM-S, all replicated connections are assigned to a single real server within the server farm. The number of connections shown on the standby CSM-S might therefore differ from the number seen on the active CSM-S. This is a minor issue and does not affect service. (CSCei73146, CSCee75333)

Fragmented Layer 2 Tunneling Protocol (L2TP) tunneled packets are discarded by the CSM-S, and the Packets Repeat Reverse Fragmentation counter in the CSM-S increments quickly. This problem occurs when packets arrive out of order (the MF packets arrive last) and are separated in time by about 10 milliseconds. To avoid this issue, design the network so that all fragments follow the same path, forcing them to arrive in order and closer together. You can also configure a static route in the CSM so that the module knows where to send reassembled fragments that arrived in a reverse order. (CSCeg15173)

The total conns established counter applies only to an active CSM-S. The standby CSM-S might display the total established connections when there is a fault-tolerance switchover, but the total conns established counter remains unchanged. (CSCtn16345)

Open and Resolved Caveats in Software Release 2.2(6)

These sections describe the open and resolved caveats in CSM-S software release 2.2(6):

Open Caveats in Software Release 2.2(6) for CSM

Resolved Caveats in Software Release 2.2(6) for CSM

Open Caveats in Software Release 2.2(6) for SSL

Resolved Caveats in Software Release 2.2(6) for SSL

Open Caveats in Software Release 2.2(6) for CSM


Note For a description of CSM caveats resolved in CSM-S software release 2.2(6), see the "Resolved Caveats in Software Release 2.2(6) for CSM" section.


This section describes the open CSM caveats in CSM-S software release 2.2(6):

There are no open caveats in CSM software release 4.3(6).

Resolved Caveats in Software Release 2.2(6) for CSM


Note For a description of open caveats in CSM software release 2.2(6), see the "Open Caveats in Software Release 2.2(6) for CSM" section.


This section describes resolved caveats in CSM software release 4.3(6):

CSCtg41899

If a new regular expression domain match is added to the GSLB configuration, CSM does not match specific regular expression domains and a wrong A-record response is returned that does not match the correct policy map.

Workaround: None.

CSCtn86332

If a serverfarm going down or up is configured on multiple VIPs, the VIP state change syslog is sent for only one VIP and not for all the VIPs.

Workaround: None.

CSCtj90108

With the static NAT configured, server initiated connections may fail on a higher traffic rate.

Workaround: Disable static NAT.

CSCtk63031

The FTP connections do not time out and prevent new connections.

Workaround: Clear all connections associated with the server. Downgrade your CSM to any CSM release below 4.2(14). Clear all slowpath connections using slowpath_reap_sessions in VENUS.

CSCts71706

The sticky replication is not working on CSM 4.2(14).

Workaround: None.

Open Caveats in Software Release 2.2(6) for SSL


Note For a description of SSL caveats resolved in CSM-S software release 2.2(6), see the "Resolved Caveats in Software Release 2.2(6) for SSL" section.


This section describes the open SSL caveats in CSM-S software release 2.2(6):

There are no open caveats for SSL.

Resolved Caveats in Software Release 2.2(6) for SSL


Note For a description of open SSL caveats in CSM-S software release 2.2(6), see the "Open Caveats in Software Release 2.2(6) for SSL" section.


This section describes the SSL caveats resolved in CSM-S software release 2.2(6):

There are no resolved caveats for SSL.

Open and Resolved Caveats in Software Release 2.2(5)

These sections describe the open and resolved caveats in CSM-S software release 2.2(5):

Open Caveats in Software Release 2.2(5) for CSM

Resolved Caveats in Software Release 2.2(5) for CSM

Open Caveats in Software Release 2.2(5) for SSL

Resolved Caveats in Software Release 2.2(5) for SSL

Open Caveats in Software Release 2.2(5) for CSM


Note For a description of CSM caveats resolved in CSM-S software release 2.2(5), see the "Resolved Caveats in Software Release 2.2(5) for CSM" section.


This section describes the open CSM caveats in CSM-S software release 2.2(5):

There are no open caveats in CSM software release 4.3(5).

Resolved Caveats in Software Release 2.2(5) for CSM


Note For a description of open caveats in CSM software release 2.2(5), see the "Open Caveats in Software Release 2.2(5) for CSM" section.


This section describes resolved caveats in CSM software release 4.3(5):

CSCsh20330

An issue can occur with two operational vservers, VS1 and VS2, when vserver VS2 is tracking the primary vserver VS1. If vserver VS1 goes into OUTOFSERVICE mode because of probes or real server failures, vserver VS2 also goes into OUTOFSERVICE mode as expected. However, in a few seconds, vserver VS2 comes back into OPERATIONAL mode, even when the primary vserver VS1 is in OUTOFSERVICE mode.

Workaround: None.

CSCte28717

The source-ip sticky may stop working after an extended uptime of approximately 470 days or more. The CSM will not create a new sticky entry.

Workaround: None.

CSCte39053

The default expiration date of the cookies inserted by the CSM is Thursday, 1 Jan 2099, 01:01:50 GMT. After this time, the cookie-insert sticky will not work as expected.

Workaround: The default cookie expiration date can be changed by setting the COOKIE_INSERT_EXPIRATION_DATE environment variable on the CSM. For example, you can move the expiration date to May 25, 2020, by using the following commands:

Router# config t
Router(config)# mod csm 8
Router(config-module-csm)# variable COOKIE_INSERT_EXPIRATION_DATE "Mon, 25 May 2020 08:00:00 GMT"

Substitute the slot number of your CSM. The new expiration date appears in the inserted cookies immediately, because this change does not require a reboot of the CSM, and it does not affect network traffic.
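A way to build and check the value given to COOKIE_INSERT_EXPIRATION_DATE, added as a Python example and not part of Cisco's documentation or code. The CSM copies the string into the inserted cookie as its expiration date, so the value must be in exactly the "Wdy, DD Mon YYYY HH:MM:SS GMT" layout shown above and must lie in the future, or browsers discard the cookie and cookie-insert stickiness stops working. The check also confirms that the weekday agrees with the date, because a hand-typed value with the wrong day is easy to produce and, as assumed here, the CSM does not validate the string. The dates are constructed for the example.

```python
# Added example (not Cisco code): build and check a COOKIE_INSERT_EXPIRATION_DATE
# value.  The layout is the one the release note shows; the assumption that the
# CSM inserts the string without validating it is the reason for the checks.
from datetime import datetime, timezone

COOKIE_DATE_FMT = "%a, %d %b %Y %H:%M:%S GMT"
CSM_DEFAULT_EXPIRY = "Thu, 01 Jan 2099 01:01:50 GMT"   # the default quoted in CSCte39053


def utc(year, month, day, hour=0, minute=0, second=0) -> datetime:
    """Aware UTC datetime, so callers never pass a naive local time by mistake."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def cookie_expiry_string(when: datetime) -> str:
    """Render an aware datetime in the layout the variable expects (always GMT)."""
    if when.tzinfo is None:
        raise ValueError("pass a timezone-aware datetime")
    return when.astimezone(timezone.utc).strftime(COOKIE_DATE_FMT)


def check_cookie_expiry(value: str, now: datetime) -> list:
    """Return the problems found with a candidate value; an empty list means usable."""
    try:
        parsed = datetime.strptime(value, COOKIE_DATE_FMT).replace(tzinfo=timezone.utc)
    except ValueError:
        return ["not in 'Wdy, DD Mon YYYY HH:MM:SS GMT' form"]
    problems = []
    # strptime accepts any weekday name and never checks it against the date
    if parsed.strftime("%a") != value[:3]:
        problems.append(f"weekday {value[:3]} does not match the date ({parsed.strftime('%a')})")
    if parsed <= now:
        problems.append("date is not in the future; the browser would discard the cookie")
    return problems


if __name__ == "__main__":
    today = utc(2012, 1, 27)                 # release date of 2.2(6), for a reproducible run
    candidate = cookie_expiry_string(utc(2020, 5, 25, 8))
    print(candidate, check_cookie_expiry(candidate, today))
    print(check_cookie_expiry("Tue, 25 May 2020 08:00:00 GMT", today))
    print(CSM_DEFAULT_EXPIRY, check_cookie_expiry(CSM_DEFAULT_EXPIRY, today))
```

Run the check against the current date, not the release date, before pasting the variable command; the default expiry itself passes the check until the year 2099, which is the point of the caveat above.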

CSCtg56193

When the uptime of CSM is more than 828 days, the FTP or RTSP Layer 7 connections are not timing out.

Workaround: None.

CSCth52331

When a standby CSM reaches an uptime of 828 days, the standby CSM can assert mastership for a very short period (around 2 seconds), which creates an active/active situation.

Workaround: None.

CSCtg45008

A new variable, L7_TX_CORE_QUEUE_TIMEOUT, was added to address CSCsh53633, in which a CSM running release 4.2(6) might reboot because of an IXP 3 crash of the type "L7 abort."

Variable Name: L7_TX_CORE_QUEUE_TIMEOUT

Rights: RW

Value: 1

Default: 1

Valid values: Integer (1 to 10).

Description: Time (in seconds) to wait for the Layer 7 TX Core queue to come out of the full state before asserting a core.

Workaround: None.

Open Caveats in Software Release 2.2(5) for SSL


Note For a description of SSL caveats resolved in CSM-S software release 2.2(5), see the "Resolved Caveats in Software Release 2.2(5) for SSL" section.


This section describes the open SSL caveats in CSM-S software release 2.2(5):

There are no open caveats for SSL.

Resolved Caveats in Software Release 2.2(5) for SSL


Note For a description of open SSL caveats in CSM-S software release 2.2(5), see the "Open Caveats in Software Release 2.2(5) for SSL" section.


This section describes the SSL caveats resolved in CSM-S software release 2.2(5):

There are no resolved caveats for SSL.

Open and Resolved Caveats in Software Release 2.2(4)

These sections describe the open and resolved caveats in CSM-S software release 2.2(4):

Open Caveats in Software Release 2.2(4) for CSM

Resolved Caveats in Software Release 2.2(4) for CSM

Open Caveats in Software Release 2.2(4) for SSL

Resolved Caveats in Software Release 2.2(4) for SSL

Open Caveats in Software Release 2.2(4) for CSM


Note For a description of CSM caveats resolved in CSM-S software release 2.2(4), see the "Resolved Caveats in Software Release 2.2(4) for CSM" section.


This section describes the open CSM caveats in CSM-S software release 2.2(4):

CSCte28717

The source-ip sticky may stop working after an extended uptime of approximately 470 days or more. The CSM will not create a new sticky entry.

Workaround: Reboot the CSM.

Resolved Caveats in Software Release 2.2(4) for CSM


Note For a description of open caveats in CSM software release 2.2(4), see the "Open Caveats in Software Release 2.2(4) for CSM" section.


This section describes resolved caveats in CSM software release 4.3(4):

CSCtd31622

The default expiration date of the cookies inserted by the CSM is Friday, 1 Jan 2010, 01:01:50 GMT. After this time, the cookie-insert sticky will not work as expected.

Workaround: The default cookie expiration date can be changed by setting the COOKIE_INSERT_EXPIRATION_DATE environment variable on the CSM. For example, you can move the expiration date to May 25, 2020, by using the following commands:

Router# config t
Router(config)# mod csm 8
Router(config-module-csm)# variable COOKIE_INSERT_EXPIRATION_DATE "Mon, 25 May 2020 08:00:00 GMT"
Replace 8 with the slot number of your CSM. The new expiration date appears in inserted cookies immediately; the change does not require a reboot of the CSM and does not affect production traffic.
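Both CSCtd31622 (default expiration 1 Jan 2010) and CSCte39053 (default expiration 1 Jan 2099) have the same failure mode: once the expires attribute in the inserted Set-Cookie header is in the past, browsers discard the cookie and the cookie-insert sticky silently stops working. The following Python is an added example written for these notes, not Cisco code. It validates a candidate COOKIE_INSERT_EXPIRATION_DATE string in the RFC 1123 form the CLI example uses (including a weekday cross-check that the date parser itself does not perform) and flags a Set-Cookie header, such as one captured from a VIP, whose expiration has already passed. The sample cookie name and value are constructed for the demo.

```python
"""Checks for the CSM cookie-insert expiration date.

Added example (not Cisco code) for caveats CSCtd31622 and CSCte39053: a
cookie-insert sticky silently stops working once the expiration date in
the inserted Set-Cookie header is in the past.  check_expiration_date
validates a candidate COOKIE_INSERT_EXPIRATION_DATE string before it is
configured, and cookie_already_expired flags a Set-Cookie header whose
expires attribute has already passed.
"""
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# RFC 1123 fixed-format date, the form the CLI example uses.
_RFC1123 = re.compile(
    r"^(Mon|Tue|Wed|Thu|Fri|Sat|Sun), \d{2} "
    r"(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) \d{4} "
    r"\d{2}:\d{2}:\d{2} GMT$")


def utc(year, month, day, hour=0, minute=0, second=0):
    """Aware UTC datetime helper, used as the 'now' reference in checks and tests."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def _parse_http_date(value):
    """Parse an HTTP date into an aware datetime; None if it does not parse."""
    try:
        when = parsedate_to_datetime(value.strip())
    except (TypeError, ValueError):      # TypeError on Python < 3.10, ValueError after
        return None
    if when.tzinfo is None:              # no zone given: treat as GMT
        when = when.replace(tzinfo=timezone.utc)
    return when


def check_expiration_date(value, now=None):
    """Return (ok, reason) for a candidate COOKIE_INSERT_EXPIRATION_DATE value."""
    if not _RFC1123.match(value):
        return False, "not an RFC 1123 date such as 'Mon, 25 May 2020 08:00:00 GMT'"
    when = _parse_http_date(value)
    if when is None:
        return False, "date does not parse"
    # parsedate_to_datetime does not cross-check the weekday against the
    # calendar date; a mismatch means the string is internally inconsistent.
    if when.strftime("%a") != value[:3]:
        return False, "weekday does not match the calendar date"
    if when <= (now or datetime.now(timezone.utc)):
        return False, "date is in the past; clients discard the cookie immediately"
    return True, "ok"


def set_cookie_expires(header):
    """Return the expires attribute of a Set-Cookie value as a datetime, or None."""
    for attr in header.split(";")[1:]:
        name, _, val = attr.strip().partition("=")
        if name.lower() == "expires" and val:
            return _parse_http_date(val)
    return None


def cookie_already_expired(header, now=None):
    """True when the Set-Cookie header carries an expires date that has passed."""
    when = set_cookie_expires(header)
    return when is not None and when <= (now or datetime.now(timezone.utc))


# Constructed sample: cookie name and value are made up; the expires date is
# the old default described in CSCtd31622.
SAMPLE_SET_COOKIE = "CSM_STICKY=0a1b2c3d; path=/; expires=Fri, 01 Jan 2010 01:01:50 GMT"

if __name__ == "__main__":
    for candidate in ("Mon, 25 May 2020 08:00:00 GMT", "Tue, 25 May 2020 08:00:00 GMT"):
        print(candidate, "->", check_expiration_date(candidate, now=utc(2010, 6, 1)))
    print("sample cookie expired as of 2010-06-01:",
          cookie_already_expired(SAMPLE_SET_COOKIE, now=utc(2010, 6, 1)))
```

Run check_expiration_date against a value before configuring it; the weekday check matters because a date whose weekday token disagrees with the calendar date is ambiguous to a client. Feed cookie_already_expired the Set-Cookie header returned by a request to the VIP to confirm the change took effect.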

CSCtc25780

In rare cases, when CSM fault tolerant (FT) synchronization is performed with the hw-module csm mod standby config-sync command while the FT VLAN is intermittently down, the standby CSM may send an ARP packet toward the Layer 2 adjacent nodes using its physical MAC address instead of its virtual MAC address. This causes an outage until the ARP cache is cleared or times out.

Workaround: To prevent a rapid failover to the standby CSM, increase the failover timer to 120 seconds on both CSM nodes (active and standby).

Open Caveats in Software Release 2.2(4) for SSL


Note For a description of SSL caveats resolved in CSM-S software release 2.2(4), see the "Resolved Caveats in Software Release 2.2(4) for SSL" section.


This section describes the open SSL caveats in CSM-S software release 2.2(4):

There are no open caveats for SSL.

Resolved Caveats in Software Release 2.2(4) for SSL


Note For a description of open SSL caveats in CSM-S software release 2.2(4), see the "Open Caveats in Software Release 2.2(4) for SSL" section.


This section describes the SSL caveats resolved in CSM-S software release 2.2(4):

There are no resolved caveats for SSL.

Open and Resolved Caveats in Software Release 2.2(3)

These sections describe the open and resolved caveats in CSM-S software release 2.2(3):

Open Caveats in Software Release 2.2(3) for CSM

Resolved Caveats in Software Release 2.2(3) for CSM

Open Caveats in Software Release 2.2(3) for SSL

Resolved Caveats in Software Release 2.2(3) for SSL

Open Caveats in Software Release 2.2(3) for CSM


Note For a description of CSM caveats resolved in CSM-S software release 2.2(3), see the "Resolved Caveats in Software Release 2.2(3) for CSM" section.


This section describes open CSM caveats in CSM-S software release 2.2(3):

CSCsz25520

In rare cases, the CSM-S may propagate invalid MAC addresses across its port channel (Po259) to the backplane on management VLAN 1, so that bogus entries for VLAN 1 appear in the switch MAC address table.

The following output shows invalid MAC addresses learned on management VLAN 1 across the CSM-S port channel Po259:

Router# show mac-address-table | inc 259
*    1  4000.6806.14d9   dynamic  Yes        205   Po259
*    1  4000.6c06.1eb1   dynamic  Yes         90   Po259
*    1  4000.3806.4227   dynamic  Yes         50   Po259
*    1  4000.2e06.47c0   dynamic  Yes        150   Po259
*    1  4000.6c06.916b   dynamic  Yes        255   Po259
*    1  4000.6b06.fe6b   dynamic  Yes        240   Po259
*    1  4000.3406.a2ce   dynamic  Yes        175   Po259
*    1  0000.3206.79e0   dynamic  Yes         15   Po259
*    1  0000.3206.8c3a   dynamic  Yes        135   Po259
*    1  4000.6806.13b8   dynamic  Yes         55   Po259
*    1  0000.3206.69d4   dynamic  Yes         10   Po259

Note Only the last 4 bytes of each MAC address vary; every entry points to VLAN 1 on the CSM-S port channel.


Workaround: None.

CSCsx64648

On a CSM-S module, configuration synchronization times out with a large configuration. For example, a synchronization that succeeds with a 16 K configuration fails with a 23 K configuration.

Workaround: None.

Resolved Caveats in Software Release 2.2(3) for CSM


Note For a description of open CSM caveats in CSM-S software release 2.2(3), see the "Open Caveats in Software Release 2.2(3) for CSM" section.


This section describes the CSM caveats resolved in CSM-S software release 2.2(3) (CSM software release 4.3(3)):

CSCsm33035

When the CSM-S starts to load balance using the default policy, and then a GET request matches a URL under a subpolicy, the CSM-S forwards traffic to the real server without modifying the TCP acknowledgement number.

Workaround: Disable persistent rebalance.

CSCsq36042

When SSL stickiness is configured on a backup server farm, the CSM-S fails to perform NAT in some cases.

Workaround: Disable SSL stickiness on the server farm.

CSCsu39853

In rare cases, the CSM-S will stop responding to the CLI but will continue to pass traffic.

Workaround: None.

CSCso69828

When cookie-insert is configured on the CSM-S and the server sends the FIN/ACK immediately after its HTTP 200 OK response, the CSM-S may send some subsequent packets out of order and with an incorrect TCP sequence number.

Workaround: None.

CSCsz81041

The CSM-S does not send a reset when it receives an acknowledgement (ACK) to its synchronize (SYN) packet that carries an invalid sequence number. This condition occurs in Layer 7 mode when the CSM-S opens a connection to the backend server and the server responds to the SYN with an ACK whose sequence number is invalid.

Workaround: None.

CSCsu92969

Configuring multiple server load balancing (SLB) policies in a particular order causes the connection counter in a real server in the server farm to erroneously report the default maximum connection (MAXCONN) limit of 4294967295 connections. When this condition occurs, the real server refuses new connections.

Workaround: Remove multiple SLB policies.

CSCsz81265

When configuring two virtual servers (Layer 3 and Layer 4) with the same virtual IP address, CSM-S drops the ICMP request to the virtual IP address. This condition occurs when both virtual servers are operational, and when there is no connection to the Layer 3 virtual server.

Workaround: Ensure that the Layer 3 virtual server is configured after the Layer 4 virtual server.

CSCsx37458

Under certain conditions, one or more VIPs on the CSM-S do not respond to ping. This condition occurs when the same VIP is used both in a virtual server and in a static NAT entry. The VIP may then appear in the CSM ARP table as an SVR NAT entry instead of as a virtual server entry. You can display the CSM ARP table by using the show mod csm slot arp command.

Workaround:

1. Suspend all virtual servers that use the affected VIP address.

2. Remove the static NAT configuration for that VIP.

3. Reactivate the virtual servers.

4. Add the static NAT again.

Open Caveats in Software Release 2.2(3) for SSL


Note For a description of SSL caveats resolved in CSM-S software release 2.2(3), see the "Resolved Caveats in Software Release 2.2(3) for SSL" section.


This section describes the open SSL caveats in CSM-S software release 2.2(3):

Configuring NTP on the SSLM or the CSM-S SSL-DC may interfere with clock synchronization, and the clock might go out of synchronization as a result.

Workaround: Do not configure NTP on the CSM-S SSL-DC or the SSLM. The DC clock periodically synchronizes with the supervisor engine, so having NTP running on the supervisor engine is enough to keep the clock in synchronization. (CSCsg55214)

Resolved Caveats in Software Release 2.2(3) for SSL


Note For a description of open SSL caveats in CSM-S software release 2.2(3), see the "Open Caveats in Software Release 2.2(3) for SSL" section.


This section describes the resolved SSL caveats in CSM-S software release 2.2(3):

After normal operation, the SSLM stops inserting the header into the clear text traffic. This problem occurs only with software release 2.1(10).

Workaround: None. (CSCsh79045)

Open and Resolved Caveats in Software Release 2.2(2)

These sections describe the open and resolved caveats in CSM-S software release 2.2(2):

Open Caveats in Software Release 2.2(2) for CSM

Resolved Caveats in Software Release 2.2(2) for CSM

Open Caveats in Software Release 2.2(2) for SSL

Resolved Caveats in Software Release 2.2(2) for SSL

Open Caveats in Software Release 2.2(2) for CSM


Note For a description of CSM caveats resolved in CSM-S software release 2.2(2), see the "Resolved Caveats in Software Release 2.2(2) for CSM" section.


This section describes open CSM caveats in CSM-S software release 2.2(2):

CSCsu39853

In rare cases, the CLI becomes unresponsive while traffic passes normally.

Workaround: None.

CSCsh53633

A CSM-S running release 2.1(5) rebooted because of an IXP 3 crash of the type "L7 abort."

Workaround: None.

Resolved Caveats in Software Release 2.2(2) for CSM


Note For a description of open CSM caveats in CSM-S software release 2.2(2), see the "Open Caveats in Software Release 2.2(2) for CSM" section.


This section describes resolved CSM caveats in CSM-S software release 2.2(2):

CSCsj26680

A CLI lockup can occur when the serverfarm threshold (vserver submode) command is issued. This condition can occur when the primary server farm contains hundreds of real servers that are down and the backup server farm takes over immediately. In this case, the CSM-S performance drops and the CLI becomes unresponsive.

Workaround: None.

CSCsj88014

A large delay can occur when updating LOAD using KAL-AP. When a Global Site Selector (GSS) is configured to probe a large number of virtual IP addresses with KAL-AP, the response to KAL-AP queries slows enough to make the GSS consider the virtual IPs to be down.

Workaround: Consolidate virtual servers to reduce their number, or use TCP keepalives instead.

CSCsi85407

Under a high traffic load, the CSM-S may halt unexpectedly. The console displays the error message: "P:\ixp1200\core\l7\l7_main.c(395) warning: TX Queue overflow. Shutting down CORE_TX_Q" followed by a core dump.

Workaround: None.

CSCsh94471

In rare cases, the CSM-S console becomes unresponsive and the show module csm num command indicates that the CSM-S is offline.

CSCsk43903

A pair of CSM-S configured for a fault-tolerant operation will both enter the active state after 828 days.

Workaround: None.

CSCsk29021

When persistent rebalance is configured, the CSM-S will reexamine a persistent GET and remap it if it matches a different policy. As part of the remapping, the CSM-S will send a reset to the old connection. If the header insert feature is configured, this reset message has an incorrect sequence number.

Workaround: None.

CSCsk50939

The CSM-S stops responding to CAPP-UDP requests from a Global Site Selector (GSS) after changing the CAPP-UDP setting from secure to no secure.

Workaround: Reload the CSM-S.

CSCsl23801

HSRP causes CSM-S static ARP entries to be overwritten with all zeros (00-00-00-00-00-00). This problem is an unintended result of a previous caveat resolution.

Workaround: None.

CSCsj05855

In rare cases, the CSM-S may reboot and create a core dump due to memory corruption.

Workaround: None.

CSCsl59508

When a server farm contains many real servers (for example, 100), the CSM-S may reboot and create a core dump when you add the predictor leastconns slowstart num command to the server farm.

Workaround: Do not use the slowstart command option.

CSCsk98543

The CSM-S console might lock up when a backup server farm is configured with a threshold and contains few real servers (for example, when you have fewer than ten real servers).

Workaround: Remove the threshold command.

CSCsl07382

When the CSM-S is configured for Global Server Load Balancing (GSLB), the active CSM-S can exhibit a slow memory leak.

Workaround: Monitor memory usage regularly by using the venus console. Open a session to the active CSM-S by entering the session slot x processor 0 command. At the CSM> prompt, enter the venus command. At the venus# prompt, enter the core_show_usage command. If available memory is less than 20 percent, schedule a reboot of the CSM-S. Because the memory leak occurs only on the active CSM-S, the standby CSM-S should be available to take over.

CSCsi58089

The CSM-S drops SASP server messages larger than 2816 bytes.

Workaround: Reduce the number of servers participating in SASP to reduce the length of the SASP messages.

CSCsl72371

When an XML call is contained in a TCL script probe, the CSM-S probe fails with a memory allocation failure and the CSM-S console becomes unresponsive.

Workaround: None.

CSCsi82468

If persistent rebalance is enabled in a virtual server that contains a redirect server farm, the CSM-S will send two redirect responses for multipacket GET requests. This condition causes high CPU usage.

Workaround: Disable persistent rebalance on the virtual server that contains a redirect server farm.

CSCso00578

A CSM-S configured for redundancy may have its CSRP replication status stuck in the INIT state.

Workaround: None.

CSCso33427

When the CSM-S is configured to load balance IPsec using one Layer 4 virtual server for IKE and another for ESP, the CSM-S fails to forward to the back-end real server any "ICMP can't fragment" messages received at the CSM-S virtual IP address and relating to the ESP flow.

Workaround: Possible workarounds include the following:

Reduce the server MSS to a value that will not exceed the MTU of the path to the client.

Reduce the CSM-S default MSS using the environment variable TCP_MSS_OPTION.

CSCso81900

When a NAT pool is modified while configured as part of an SLB policy to a virtual server, traffic is sent to the virtual server with a NAT-supplied source address of 0.0.0.0.

Workaround: Reboot the CSM-S.

CSCsq84207

Path MTU discovery (PMTUD) performed by a server behind a CSM-S does not work correctly if the CSM-S is performing a cookie insertion.

Workaround: Possible workarounds include the following:

Reduce the server MSS to a value that allows the cookie insertion without exceeding the MTU of the path to the client.

Reduce the CSM-S default MSS by using the environment variable TCP_MSS_OPTION.

Use a different type of stickiness for the server (for example, application cookies).

CSCsr79179

When the same gateway IP address is configured in both the gateway and route statements, the gateway statement will be ignored, although it will appear in the running configuration. After a failover or a reconfiguration, the active CSM-S will have no default route and will drop traffic.

Workaround: Possible workarounds include the following:

Use the route 0.0.0.0 0.0.0.0 gateway x.x.x.x command to install the default route.

Reload the CSM-S after the configuration synchronization.

Use a configuration that does not specify the same gateway address in the gateway and route statements.

CSCsm84686

When a client sends a SYN packet to a virtual server with the Explicit Congestion Notification (ECN) and Congestion Window Reduced (CWR) flags set, the CSM-S drops the SYN packet.

Workaround: Disable ECN on the client.
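Before disabling ECN on clients for CSCsm84686, it helps to know which clients actually send ECN-setup SYNs toward the VIP. The following Python is an added example written for these notes, not Cisco code: it parses a raw IPv4/TCP header and reports SYNs that carry both ECE and CWR, which is the RFC 3168 ECN negotiation the caveat describes. The packets it inspects are constructed inline; the client addresses, ports and the VIP 192.168.45.10 are made up for the demo, and checksums are left zero because only the flag bits matter here.

```python
"""Spot ECN-setup SYNs in raw IPv4/TCP packets: an added example, not Cisco code.

CSCsm84686: the CSM-S drops a SYN carrying ECE and CWR, which is how an
RFC 3168 client asks for ECN.  This parses an IPv4 + TCP header from raw
bytes and reports such SYNs, so a capture taken in front of the VIP can be
checked for clients that would be affected.  Sample packets are built
inline; addresses, ports and the VIP are made up and checksums are zero.
"""
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH = 0x01, 0x02, 0x04, 0x08
TCP_ACK, TCP_URG, TCP_ECE, TCP_CWR = 0x10, 0x20, 0x40, 0x80


def parse_ipv4_tcp(pkt):
    """Return (src, dst, sport, dport, flags) for a raw IPv4/TCP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6 or len(pkt) < ihl + 20:          # protocol 6 = TCP
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
    return src, dst, sport, dport, off_flags & 0xFF  # low 8 flag bits; NS bit ignored


def is_ecn_setup_syn(flags):
    """RFC 3168 ECN-setup SYN: SYN set, ACK clear, ECE and CWR both set."""
    return (flags & (TCP_SYN | TCP_ACK)) == TCP_SYN and \
           (flags & (TCP_ECE | TCP_CWR)) == (TCP_ECE | TCP_CWR)


def affected_clients(packets):
    """Source addresses that sent an ECN-setup SYN, from an iterable of raw packets."""
    hits = set()
    for pkt in packets:
        parsed = parse_ipv4_tcp(pkt)
        if parsed and is_ecn_setup_syn(parsed[4]):
            hits.add(parsed[0])
    return hits


def build_ipv4_tcp(src, dst, sport, dport, flags):
    """Minimal 40-byte IPv4+TCP header, no options or payload; checksums left zero."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, 0, 0,
                          (5 << 12) | flags, 65535, 0, 0)   # data offset 5 words
    return ip_hdr + tcp_hdr


# Constructed samples: an ECN-negotiating client and a plain one, both to the VIP.
VIP = "192.168.45.10"
ECN_SYN = build_ipv4_tcp("10.0.0.5", VIP, 40000, 443, TCP_SYN | TCP_ECE | TCP_CWR)
PLAIN_SYN = build_ipv4_tcp("10.0.0.6", VIP, 40001, 443, TCP_SYN)

if __name__ == "__main__":
    for pkt in (ECN_SYN, PLAIN_SYN):
        src, dst, sport, dport, flags = parse_ipv4_tcp(pkt)
        print(f"{src}:{sport} -> {dst}:{dport} flags=0x{flags:02x} "
              f"ecn_setup_syn={is_ecn_setup_syn(flags)}")
    print("affected clients:", affected_clients([ECN_SYN, PLAIN_SYN]))
```

To run this over a real capture, pass each packet's IP payload (after the link-layer header) to affected_clients; no pcap reader is included. A SYN-ACK with ECE set is the server's half of the negotiation and is deliberately not counted.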

CSCsl40722

The CSM-S stops servicing load-balanced connections and probes due to a buffer leak.

Workaround: Periodically, enter the show mod csm slot tech-support all | i outstanding command. If small buffers reach 24500 or medium buffers reach 20000, the buffers are full and you must reboot the CSM-S.

Open Caveats in Software Release 2.2(2) for SSL


Note For a description of SSL caveats resolved in CSM-S software release 2.2(2), see the "Resolved Caveats in Software Release 2.2(2) for SSL" section.


This section describes the open SSL caveats in CSM-S software release 2.2(2):

Configuring NTP on the SSLM or the CSM-S SSL-DC may interfere with clock synchronization, and the clock might go out of synchronization as a result.

Workaround: Do not configure NTP on the CSM-S SSL-DC or the SSLM. The DC clock periodically synchronizes with the supervisor engine, so having NTP running on the supervisor engine is enough to keep the clock in synchronization. (CSCsg55214)

The SSLM stops accepting new SSL connections because the connection IDs on the TCP processor are depleted. To check for this condition, enter the show ssl-proxy stats command: the condition is indicated by a difference of approximately 65K between the conn alloc and conn dealloc counters under TCP. Once all connection IDs are exhausted, the SSLM can no longer initiate connections to the backend servers.

Workaround: Reload the module. (CSCek50983)

The SSLM fails to pass the entire POST to a server when the header insert is configured in SSL proxy service. This occurred with a POST that had a large payload.

Workaround: Remove the header insert configuration from the proxy service. (CSCse31785)

When performing a URL rewrite, the location URL in a 302 redirect includes an explicit port number ":80" (for example, http://192.168.45.10:80/). (CSCse92180)

The location string for URL rewrites is being incorrectly rewritten in some cases. For example, a URL rewrite rule is given in the configuration for the URL, www.cisco.com, and the redirected location field contains the following string:

http://user.microsoft.com/dir/test.jsp?login=https://www.cisco.com

The location string is being incorrectly rewritten as follows:

http://user.microsoft.com/dir/test.jsp?login=httpswww.cisco.com

The rule is supposed to be rewritten if the host portion of the URL matches www.cisco.com. In the situation described here, that is not the case. No rewrite is supposed to occur. In addition, the rewrite should not affect the string https://www.cisco.com so far into the location field. (CSCsg65505)

HTTP POST transactions fail when the total header size is exactly 1536 bytes and when the http-hdr insert policy is used. (CSCsh30757)

After upgrading to SSL software release 2.1(5), the SSL proxy service might remain in a down state with a "No Server/Next HOP MAC" reason, even though the server is reachable. This situation might occur after reload.

Workaround: Remove the server IP addresses from the proxy service, and reconfigure the proxy service to restart the service. (CSCei12818)

If you delete the route to the real server from the SSL proxy VLAN, and then configure another SSL proxy VLAN with the same network as the server IP address, the SSL proxy service goes into a "down" state and the proxy status shows "No Server VLAN," even though the real server is reachable from the SSL Services Module.

Workaround: Save the configuration, and reset the SSL Services Module. (CSCee46096)

The SSL Services Module does not support client certificate insertion for SSL client proxy service. If you apply an HTTP header policy to a client proxy service and configure the HTTP header policy with client certificate insertion and other headers, error messages are displayed, and the configuration is not accepted. Output from the show running-config command and the show ssl-proxy service service_name command does not show that the HTTP header policy is attached to the client proxy service; however, the SSL Services Module continues to insert the other configured HTTP headers (other than client certificate headers) into the request.

Workaround: Save the configuration, and reset the SSL Services Module. (CSCin67360)

The SSL Services Module with a virtual TCP policy that is configured with a low TCP maximum segment size (MSS) value (for example, 256), and with the default SYN timeout on the server side, might experience a software-forced reset due to exhausted resources if the following events occur simultaneously:

The real server is unreachable.

There is a burst of approximately 26,000 TCP SYN requests to establish a client connection.

All connections enter the ESTABLISHED state in TCP before the HTTP requests are sent on any of the connections.

The HTTP requests are more than three times the size of the negotiated MSS value.

Workaround: Do one of the following:

Stabilize the real server so that it is reachable.

If the SSL Services Module is used with a Content Switching Module (CSM), enable the health probe for a real server on the CSM. (CSCed53976)

When you configure trustpoints for manual or TFTP enrollment and enter the crypto ca certificate query command, the router loses certificates after it is reloaded.

Workaround: Do not enter the crypto ca certificate query command if you configure any of the trustpoints for manual or TFTP enrollment. (CSCee69321)

On systems that are running Catalyst operating system software on the supervisor engine and are configured with high availability, if you reset the SSL Services Module after a switchover, the supervisor engine displays the following error:

Console> (enable) Error: Module <mod> didn't shutdown complete within 3 min. Module resetting...

The supervisor engine then successfully resets the SSL Services Module. (CSCec69592)

If you add a trailing "/" to the url value in the enrollment url url command for a trustpoint, the SSL Services Module sends the following GET request during certificate authority authentication:

GET //pkiclient.exe?operation=GetCACert&message=t1 HTTP/1.0

The pkiclient.exe file is usually located in the /cgi-bin/ directory of the certificate authority server.

Workaround: Do not enter a trailing "/" to the url value in the enrollment url url command for a trustpoint. (CSCed33492)

If you configure a URL rewrite rule, and a server redirects a client to a website that does not have a trailing "/" in the URL, the SSL Services Module does not rewrite the URL.

Workaround: Configure the server to add a trailing "/" to the relocation string. (CSCec46997)
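The URL-rewrite caveats above (CSCse92180, CSCsg65505 and CSCec46997) describe one function going wrong in three ways: a rewritten Location that keeps a stray ":80", a rewrite triggered by a host name that appears only in the query string, and a miss when the path has no trailing "/". The following Python is an added reference implementation of the intended behaviour, written for these notes; it is not SSLM code and does not claim to mirror how the module implements the rewrite. The rule set is modelled as a plain list of host names, the SSL port is assumed to be 443 unless given, and the response is assumed to arrive as a complete header block (a Location header split across TCP segments, the CSCec74017 case, is outside what this shows). The sample redirect is constructed for the demo.

```python
"""Location-header rewrite for SSL offload: an added reference example.

Not SSLM code.  It shows the intended behaviour behind CSCse92180,
CSCsg65505 and CSCec46997: rewrite http:// to https:// only when the host
portion of the Location URL matches a configured rule, never carry an
explicit ':80' into the rewritten URL, and rewrite whether or not the
path has a trailing '/'.  Rules are modelled as a list of host names.
"""
from urllib.parse import urlsplit, urlunsplit


def rewrite_location(location, rules, clear_port=80, ssl_port=443):
    """Return the Location value, rewritten to https:// when its host matches a rule."""
    parts = urlsplit(location)
    if parts.scheme.lower() != "http":
        return location                       # only clear-text redirects are rewritten
    try:
        host, port = parts.hostname, parts.port   # hostname is lower-cased; port None if absent
    except ValueError:                        # malformed port: leave the header alone
        return location
    # CSCsg65505: match the host portion only.  'https://www.cisco.com' inside
    # a query string is not a host and must not trigger a rewrite.
    if host is None or host not in {r.lower() for r in rules}:
        return location
    if port not in (None, clear_port):
        return location                       # a non-default clear-text port is not fronted
    # CSCse92180: emit the SSL port only when it is not the https default, and
    # never copy the original ':80' across.  User-info, if any, is dropped.
    netloc = host if ssl_port == 443 else f"{host}:{ssl_port}"
    # CSCec46997: the path is passed through as-is, so 'http://host' with no
    # trailing '/' is rewritten exactly like 'http://host/'.
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def rewrite_redirect(raw_response, rules):
    """Rewrite the Location header of a complete, CRLF-delimited HTTP response."""
    head, sep, body = raw_response.partition("\r\n\r\n")
    lines = head.split("\r\n")
    out = [lines[0]]                          # status line is untouched
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            line = f"{name}: {rewrite_location(value.strip(), rules)}"
        out.append(line)
    return "\r\n".join(out) + sep + body


# Constructed sample redirect; the server and its Location are made up.
SAMPLE_REDIRECT = ("HTTP/1.1 302 Found\r\n"
                   "Location: http://www.cisco.com\r\n"
                   "Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    rules = ["www.cisco.com", "192.168.45.10"]
    for loc in ("http://192.168.45.10:80/",
                "http://user.microsoft.com/dir/test.jsp?login=https://www.cisco.com",
                "http://www.cisco.com"):
        print(loc, "->", rewrite_location(loc, rules))
    print(rewrite_redirect(SAMPLE_REDIRECT, rules))
```

The host comparison is done on the parsed host component rather than by substring search over the whole header, which is what keeps a matching name inside the query string from being touched. Redirects to a non-fronted clear-text port (for example :8080) are left alone on purpose, since nothing terminates TLS for them.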

Automatic enrollment might not work correctly if the router does not have a hardware clock (calendar) or if you have not configured a network time protocol (NTP) server.

Workaround 1: Remove the auto-enroll configuration, and then reconfigure auto-enroll to reset the clock manually.

Workaround 2: Reset the enrollment timer by doing the following:

a. Copy the "crypto ca trustpoint trustpoint_label" and "crypto ca certificate chain name" information from the running configuration.

b. Delete the trustpoint by entering the no crypto ca trustpoint trustpoint_label command.

c. Paste the trustpoint and certificate chain information to the configuration. (CSCec19596)

If multiple certificate authority certificates in the database have the same subject name, the certificate chain might contain the wrong certificate authority certificate. If the SSL Services Module is configured as an SSL server, it will send the wrong certificate authority certificate in the chain to the client, which could result in authentication and handshake failures.

Workaround: When a certificate authority has renewed its certificate, make sure that you renew all SSL certificates issued by this certificate authority. Delete the old certificate authority certificate from the database to avoid this problem. (CSCec82360)

The SSL Services Module does not rewrite the URL if the HTTP header that specifies the relocation string spans more than one TCP segment. (CSCec74017)

When you import a certificate from a PKCS12 or PEM file, or when you manually input a certificate authority certificate to the module and the certificate contains an invalid extension, the SSL peer might reject the certificate.

Workaround: Make sure that the certificate has the correct extension (for example, basic constraint) before importing it to the module. (CSCed14070)

Importing a self-signed certificate with the key pair of the issuer is not supported by the Cisco IOS PKI system. (CSCea48145)

Windows 2000 certificate authorities occasionally reject certificate enrollment requests issued by the SSL Services Module. The problem originated in the SCEP DLL and is fixed in the .NET version of the certificate authority but not in the Windows 2000 version.

Workaround: Restart the certificate authority, and issue the enrollment request again. (CSCea53069)

There is no help string for the test crypto pki self command, and the generated self-signed certificate is not displayed by the show crypto ca certificate command. (CSCea50887)

The Cisco IOS PKI system cannot recover from an authentication failure, which results in a failed enrollment.

Workaround: Enter the no crypto ca trustpoint trustpoint-label command to remove the trustpoint, and then redefine it. Make sure that authentication is successful the first time, and then enroll the router certificate. (CSCea71882)

The Cisco IOS PKI system does not validate the issuer when using manual enrollment. As a result, a certificate chain may have a root certificate that belongs to one certificate authority and a router certificate that was issued by another certificate authority. (CSCea57072)

For manual certificate enrollment, if the URL string ends with a slash ("/") after the TFTP server name or address (for example, tftp://ipaddress/), the system tries to open a file named ".ca" from the TFTP server.

Workaround: Specify the filename in the URL. (CSCea32058)

If you import a key pair and a self-signed certificate from a PKCS12 file to a trustpoint and assign the certificate to a proxy service, installation of the certificate fails after you reboot the system, and the proxy service remains in the "no cert" state.

Workaround: After you reboot the system, delete the trustpoint, and import the PKCS12 file again. The proxy service automatically reinstalls the self-signed certificate. (CSCdz20220)

Cutting and pasting the hexadecimal values of a certificate into the configuration from the terminal can cause the data entry to fail.

Workaround: Copy the configuration file to the running configuration, or import the certificate with the key pair using a PKCS12 file. (CSCdz63758)

When you upgrade the image using the copy tftp: pclc#mod-fs: command, the command accepts any filename; no image name validation is performed when you upgrade the maintenance partition from the application partition or the application partition from the maintenance partition. For example, if you attempt to upgrade the application partition after booting the module from the application partition, the upgrade fails. (CSCdz23639)

Cisco Discovery Protocol (CDP) is not supported on the SSL Services Module; however, the CLI is available. (CSCdz24446)

The module might take longer to boot if there are client NAT pools in the startup configuration. The delay is proportional to the number of NAT pools in the configuration. With the maximum supported number of NAT pools (64), the delay is up to 4 minutes. (CSCdy56573)

Exporting a PKCS12 file using FTP can take up to 20 minutes if a file with the same name exists on the remote host. (CSCdy85233)

When query mode is configured and there are multiple trustpoints using the same certificate authority URL, only one of these trustpoints succeeds in obtaining the whole certificate chain after a Cisco IOS software reboot.

Workaround: Manually authenticate and enroll these trustpoints after the failure. Turn off query mode, and save the certificates in the NVRAM. (CSCdz03802)

Syslog messages indicating that proxy services are in the UP state may not be printed for all services configured in the system while booting. (CSCdy61618)

Do not configure the internal port Ethernet0/0. Any configuration on Ethernet0/0 results in unexpected behavior of the SSL Services Module. (CSCdy72229)

If you enter the clear arp command on the SSL Services Module, all proxy services go into a "down" state and then go into an "up" state. (CSCdy77843)

When query mode is configured, entering the no crypto ca certificate query command on the running configuration does not stop the periodic polling for certificates. (CSCdy46075)

When certificate query mode is configured, an "invalid input" message may be displayed on the console following a fingerprint. This message displays when a certificate is read from NVRAM when Cisco IOS software reboots, and it does not indicate a real error condition. (CSCdy43112)

On systems that are running Cisco IOS software and are configured with route processor redundancy plus (RPR+) or stateful switchover (SSO), if you shut down the SSL Services Module after a switchover (either from the CLI or the SHUTDOWN button on the front panel), the module will not shut down, and its status will remain as "Other."

Workaround: Reset the module, and then shut down the module. (CSCee37656)

Resolved Caveats in Software Release 2.2(2) for SSL


Note For a description of open SSL caveats in CSM-S software release 2.2(2), see the "Open Caveats in Software Release 2.2(2) for SSL" section.


This section describes the SSL caveats resolved in CSM-S software release 2.2(2):

No new resolved caveats.

Open and Resolved Caveats in Software Release 2.2(1)

These sections describe the open and resolved caveats in CSM-S software release 2.2(1):

Open Caveats in Software Release 2.2(1) for CSM

Resolved Caveats in Software Release 2.2(1) for CSM

Open Caveats in Software Release 2.2(1) for SSL

Resolved Caveats in Software Release 2.2(1) for SSL

Open Caveats in Software Release 2.2(1) for CSM


Note For a description of CSM caveats resolved in CSM-S software release 2.2(1), see the "Resolved Caveats in Software Release 2.2(1) for CSM" section.


This section describes open CSM caveats in CSM-S software release 2.2(1):

CSCsj26680

A CLI lockup can occur when the serverfarm threshold (vserver submode) command is issued. This condition can occur when the primary server farm contains hundreds of real servers that are down and the backup server farm takes over immediately. In this case, the CSM-S performance drops and the CLI becomes unresponsive.

Workaround: None.

CSCsj88014

A large delay in updating LOAD using KAL-AP can occur. When a Global Site Selector (GSS) is configured to probe a large number of virtual IP addresses with KAL-AP, the response to KAL-AP queries slows enough to make the GSS consider the virtual IPs to be down.

Workaround: Consolidate virtual servers to reduce their number, or use TCP keepalives instead.

CSCsh53633

In rare cases, the CSM-S reboots because of a crash on IXP 3; the crash type is reported as "L7 abort."

Workaround: None.

CSCei73146

In an active-standby connection state replication setup, the connection counters on the standby CSM-S do not match those on the active CSM-S. The active CSM-S correctly shows that connections are load balanced across the real servers in a server farm, whereas on the standby CSM-S all replicated connections are assigned to a single real server in the server farm, so the connection count shown on the standby CSM-S might differ from the count seen on the active CSM-S. This is a minor issue and does not affect service.

Workaround: None.

CSCeg15173

Fragmented Layer 2 Tunneling Protocol (L2TP) tunneled packets are discarded by the CSM-S, and the Packets Repeat Reverse Fragmentation counter in the CSM-S increments quickly. This problem occurs when the fragments arrive out of order (the fragments with the more-fragments (MF) bit set arrive last) and are separated in time by about 10 milliseconds.

Workaround: Design the network so that all fragments follow the same path, forcing them to arrive in order and closer together. You can also configure a static route in the CSM-S so that the module knows where to send reassembled fragments that arrived in a reverse order.

CSCsi85407

Under high traffic load, the CSM-S may halt unexpectedly. The console displays the error message: "P:\ixp1200\core\l7\l7_main.c(395) warning: TX Queue overflow. Shutting down CORE_TX_Q" followed by a core dump.

Workaround: None.

Resolved Caveats in Software Release 2.2(1) for CSM


Note For a description of open CSM caveats in CSM-S software release 2.2(1), see the "Open Caveats in Software Release 2.2(1) for CSM" section.


This section describes resolved CSM caveats in CSM-S software release 2.2(1):

CSCse21474

The show module csm number conns command lists the RTSP data channel in the INIT state when it should be displayed in the ESTAB (established) state.

Workaround: If this is a UDP session, check both odd and even table entries to determine the actual state of the RTSP data channel.

CSCsg40988

The CSM-S halts with the following system log (syslog) error: "%CSM_SLB-3-UNEXPECTED: Module 3 unexpected error: FPGA3 exception encountered."

Workaround: None.

CSCsg84530

The CSM-S reloads unexpectedly with the following syslog error: "%CSM_SLB-3-UNEXPECTED: Module 3 unexpected error: PPC exception." The console displays the error message "PPC exception type 1792 on FTReplFlow(0C247500h)" followed by a core dump.

Workaround: None.

CSCsi29132

Clients sending persistent connections to a CSM-S virtual server may see a long delay after an HTTP request. This situation can occur when the virtual server is configured with persistence rebalance and with sticky cookies learned through the server. The CSM-S may not be forwarding the request to the server if the preceding request had an out-of-order response from the server.

Workaround: Remove persistence rebalance or remove cookies from the virtual server.

CSCsj75481

The CSM-S is not passing SYN-ACK in a policy-based routing (PBR) network when the ROUTE_UNKNOWN_FLOW_PKTS environment variable is set to 2. This environment variable specifies whether to route SYN or non-SYN packets that do not match any existing flows.

Workaround: Downgrade to a CSM-S version lower than 2.1(3).

Open Caveats in Software Release 2.2(1) for SSL


Note For a description of SSL caveats resolved in CSM-S software release 2.2(1), see the "Resolved Caveats in Software Release 2.2(1) for SSL" section.


This section describes the open SSL caveats in CSM-S software release 2.2(1):

Configuring NTP on the SSL-M or on the CSM-S SSL-DC may interfere with clock synchronization: a CSM-S SSL-DC that is configured to synchronize its clock using NTP might drift out of synchronization.

Workaround: Do not configure NTP on the CSM-S SSL-DC or the SSL-M. The DC clock periodically synchronizes with the supervisor engine, so having NTP running on the supervisor engine is enough to keep the clock in synchronization. (CSCsg55214)

The SSLM stops accepting new SSL connections because connection IDs on the TCP processor are depleted. Enter the show ssl-proxy stats command to check for this condition: it is present when the conn alloc counter exceeds the dealloc counter under TCP by approximately 65K. Once all connection IDs are exhausted, the SSLM can no longer initiate connections to the back-end servers.

Workaround: Reload the module. (CSCek50983)

The SSLM fails to pass the entire POST to a server when the header insert is configured in SSL proxy service. This occurred with a POST that had a large payload.

Workaround: Remove the header insert configuration from the proxy service. (CSCse31785)

When performing a URL rewrite, the location URL in a 302 redirect includes an "80." For example, http://192.168.45.10:80/. (CSCse92180)

The location string for URL rewrites is being incorrectly rewritten in some cases. For example, a URL rewrite rule is given in the configuration for the URL, www.cisco.com, and the redirected location field contains the following string:

http://user.microsoft.com/dir/test.jsp?login=https://www.cisco.com

The location string is being incorrectly rewritten as follows:

http://user.microsoft.com/dir/test.jsp?login=httpswww.cisco.com

The rewrite should apply only when the host portion of the location URL matches www.cisco.com. In the situation described here the host is user.microsoft.com, so no rewrite should occur. In addition, the rewrite should not alter the string https://www.cisco.com that appears that far into the location field. (CSCsg65505)

HTTP POST transactions fail when the total header size is exactly 1536 bytes and when the http-hdr insert policy is used. (CSCsh30757)

After upgrading to SSL software release 2.1(5), the SSL proxy service might remain in a down state with a "No Server/Next HOP MAC" reason, even though the server is reachable. This situation might occur after reload.

Workaround: Remove the server IP addresses from the proxy service, and reconfigure the proxy service to restart the service. (CSCei12818)

If you delete the route to the real server from the SSL proxy VLAN, and then configure another SSL proxy VLAN with the same network as the server IP address, the SSL proxy service goes into a "down" state and the proxy status shows "No Server VLAN," even though the real server is reachable from the SSL Services Module.

Workaround: Save the configuration, and reset the SSL Services Module. (CSCee46096)

The SSL Services Module does not support client certificate insertion for SSL client proxy service. If you apply an HTTP header policy to a client proxy service and configure the HTTP header policy with client certificate insertion and other headers, error messages are displayed, and the configuration is not accepted. Output from the show running-config command and the show ssl-proxy service service_name command does not show that the HTTP header policy is attached to the client proxy service; however, the SSL Services Module continues to insert the other configured HTTP headers (other than client certificate headers) into the request.

Workaround: Save the configuration, and reset the SSL Services Module. (CSCin67360)

The SSL Services Module with a virtual TCP policy that is configured with a low TCP maximum segment size (MSS) value (for example, 256), and with the default SYN timeout on the server side, might experience a software-forced reset due to exhausted resources if the following events occur simultaneously:

The real server is unreachable.

There is a burst of approximately 26,000 TCP SYN requests to establish a client connection.

All connections enter the ESTABLISHED state in TCP before the HTTP requests are sent on any of the connections.

The HTTP requests are more than three times the size of the negotiated MSS value.

Workaround: Do one of the following:

Stabilize the real server so that it is reachable.

If the SSL Services Module is used with a Content Switching Module (CSM), enable the health probe for a real server on the CSM. (CSCed53976)

When you configure trustpoints for manual or TFTP enrollment and enter the crypto ca certificate query command, the router loses certificates after it is reloaded.

Workaround: Do not enter the crypto ca certificate query command if you configure any of the trustpoints for manual or TFTP enrollment. (CSCee69321)

On systems that are running Catalyst operating system software on the supervisor engine and are configured with high availability, if you reset the SSL Services Module after a switchover, the supervisor engine displays the following error:

Console> (enable) Error: Module <mod> didn't shutdown complete within 3 min.Module
resetting...

The supervisor engine then successfully resets the SSL Services Module. (CSCec69592)

If you add a trailing "/" to the url value in the enrollment url url command for a trustpoint, the SSL Services Module sends the following GET request during certificate authority authentication:

GET //pkiclient.exe?operation=GetCACert&message=t1 HTTP/1.0

The pkiclient.exe file is usually located in the /cgi-bin/ directory of the certificate authority server.

Workaround: Do not enter a trailing "/" to the url value in the enrollment url url command for a trustpoint. (CSCed33492)

If you configure a URL rewrite rule, and a server redirects a client to a website that does not have a trailing "/" in the URL, the SSL Services Module does not rewrite the URL.

Workaround: Configure the server to add a trailing "/" to the relocation string. (CSCec46997)

Automatic enrollment might not work correctly if the router does not have a hardware clock (calendar) or if you have not configured a network time protocol (NTP) server.

Workaround 1: Remove the auto-enroll configuration, and then reconfigure auto-enroll to reset the clock manually.

Workaround 2: Reset the enrollment timer by doing the following:

a. Copy the "crypto ca trustpoint trustpoint_label" and "crypto ca certificate chain name" information from the running configuration.

b. Delete the trustpoint by entering the no crypto ca trustpoint trustpoint_label command.

c. Paste the trustpoint and certificate chain information to the configuration. (CSCec19596)

If multiple certificate authority certificates in the database have the same subject name, the certificate chain might contain the wrong certificate authority certificate. If the SSL Services Module is configured as an SSL server, it will send the wrong certificate authority certificate in the chain to the client, which could result in authentication and handshake failures.

Workaround: When a certificate authority has renewed its certificate, make sure that you renew all SSL certificates issued by this certificate authority. Delete the old certificate authority certificate from the database to avoid this problem. (CSCec82360)

The SSL Services Module does not rewrite the URL if the HTTP header that specifies the relocation string spans more than one TCP segment. (CSCec74017)

When you import a certificate from a PKCS12 or PEM file, or when you manually input a certificate authority certificate to the module and the certificate contains an invalid extension, the SSL peer might reject the certificate.

Workaround: Make sure that the certificate has the correct extension (for example, basic constraint) before importing it to the module. (CSCed14070)

Importing a self-signed certificate with the key pair of the issuer is not supported by the Cisco IOS PKI system. (CSCea48145)

Windows 2000 certificate authorities occasionally reject certificate enrollment requests that are issued by the SSL Services Module. The problem originated with the SCEP DLL and is fixed on the .net version of the certificate authority but not on the Windows 2000 version.

Workaround: Restart the certificate authority, and issue the enrollment request again. (CSCea53069)

There is no help string for the test crypto pki self command, and the generated self-signed certificate is not displayed by the show crypto ca certificate command. (CSCea50887)

The Cisco IOS PKI system cannot recover from an authentication failure, which results in a failed enrollment.

Workaround: Enter the no crypto ca trustpoint trustpoint-label command to remove the trustpoint, and then redefine it. Make sure that authentication is successful the first time, and then enroll the router certificate. (CSCea71882)

The Cisco IOS PKI system does not validate the issuer when using manual enrollment. As a result, a certificate chain may have a root certificate that belongs to one certificate authority and a router certificate that was issued by another certificate authority. (CSCea57072)

For manual certificate enrollment, if the URL string ends with a slash ("/") after the TFTP server name or address (for example, tftp://ipaddress/), the system tries to open a file named ".ca" from the TFTP server.

Workaround: Specify the filename in the URL. (CSCea32058)

If you import a key pair and a self-signed certificate from a PKCS12 file to a trustpoint and assign the certificate to a proxy service, installation of the certificate fails after you reboot the system, and the proxy service remains in the "no cert" state.

Workaround: After you reboot the system, delete the trustpoint, and import the PKCS12 file again. The proxy service automatically reinstalls the self-signed certificate. (CSCdz20220)

Cutting and pasting the hexadecimal values of a certificate into the configuration from the terminal can cause the data entry to fail.

Workaround: Copy the configuration file to the running configuration, or import the certificate with the key pair using a PKCS12 file. (CSCdz63758)

When you upgrade the image using the copy tftp: pclc#mod-fs: command, the command accepts any filename; the image name is not validated when you upgrade the maintenance partition from the application partition or the application partition from the maintenance partition. For example, if you attempt to upgrade the application partition after booting the module in the application partition, the upgrade fails. (CSCdz23639)

Cisco Discovery Protocol (CDP) is not supported on the SSL Services Module; however, the CLI is available. (CSCdz24446)

The module might take longer to boot if there are client NAT pools in the startup configuration. The delay is proportional to the number of NAT pools in the configuration. With the maximum supported number of NAT pools (64), the delay is up to 4 minutes. (CSCdy56573)

Exporting a PKCS12 file using FTP can take up to 20 minutes if a file with the same name exists on the remote host. (CSCdy85233)

When query mode is configured and there are multiple trustpoints using the same certificate authority URL, only one of these trustpoints succeeds in obtaining the whole certificate chain after a Cisco IOS software reboot.

Workaround: Manually authenticate and enroll these trustpoints after the failure. Turn off query mode, and save the certificates in the NVRAM. (CSCdz03802)

Syslog messages indicating that proxy services are in the UP state may not be printed for all services configured in the system while booting. (CSCdy61618)

Do not configure the internal port Ethernet0/0. Any configuration on Ethernet0/0 results in unexpected behavior of the SSL Services Module. (CSCdy72229)

If you enter the clear arp command on the SSL Services Module, all proxy services go into a "down" state and then go into an "up" state. (CSCdy77843)

When query mode is configured, entering the no crypto ca certificate query command on the running configuration does not stop the periodic polling for certificates. (CSCdy46075)

When certificate query mode is configured, an "invalid input" message may be displayed on the console following a fingerprint. This message displays when a certificate is read from NVRAM when Cisco IOS software reboots, and it does not indicate a real error condition. (CSCdy43112)

On systems that are running Cisco IOS software and are configured with route processor redundancy plus (RPR+) or stateful switchover (SSO), if you shut down the SSL Services Module after a switchover (either from the CLI or the SHUTDOWN button on the front panel), the module will not shut down, and its status will remain as "Other."

Workaround: Reset the module, and then shut down the module. (CSCee37656)

Resolved Caveats in Software Release 2.2(1) for SSL


Note For a description of open SSL caveats in CSM-S software release 2.2(1), see the "Open Caveats in Software Release 2.2(1) for SSL" section.


This section describes the SSL caveats resolved in CSM-S software release 2.2(1):

No new resolved caveats.

Troubleshooting

CSM-S error messages may be received and reported in the system log (syslog). This section describes these messages.

Message Banners

When syslog messages are received, they are preceded by one of the following banners (where # is the slot number of the CSM-S module):

Error Message    CSM_SLB-4-INVALIDID Module # invalid ID 
00:00:00: CSM_SLB-4-DUPLICATEID Module # duplicate ID
00:00:00: CSM_SLB-3-OUTOFMEM Module # memory error
00:00:00: CSM_SLB-4-REGEXMEM Module # regular expression memory error
00:00:00: CSM_SLB-4-ERRPARSING Module # configuration warning
00:00:00: CSM_SLB-4-PROBECONFIG Module # probe configuration error
00:00:00: CSM_SLB-4-ARPCONFIG Module # ARP configuration error
00:00:00: CSM_SLB-6-RSERVERSTATE Module # server state changed
00:00:00: CSM_SLB-6-GATEWAYSTATE Module # gateway state changed
00:00:00: CSM_SLB-3-UNEXPECTED Module # unexpected error
00:00:00: CSM_SLB-3-REDUNDANCY Module # FT error
00:00:00: CSM_SLB-4-REDUNDANCY_WARN Module # FT warning
00:00:00: CSM_SLB-6-REDUNDANCY_INFO Module %d FT info
00:00:00: CSM_SLB-3-ERROR Module # error
00:00:00: CSM_SLB-4-WARNING Module # warning
00:00:00: CSM_SLB-6-INFO Module # info
00:00:00: CSM_SLB-4-TOPOLOGY Module # warning
00:00:00: CSM_SLB-3-RELOAD Module # configuration reload failed
00:00:00: CSM_SLB-3-VERMISMATCH Module # image version mismatch
00:00:00: CSM_SLB-4-VERWILDCARD Received CSM-SLB module version wildcard on slot #
00:00:00: CSM_SLB-3-PORTCHANNEL Portchannel allocation failed for module #
00:00:00: CSM_SLB-3-IDB_ERROR Unknown error occurred while configuring IDB
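As an added example (not part of these release notes), the following Python parses CSM_SLB syslog banners in both the table form above and the "%CSM_SLB-3-UNEXPECTED: Module 3 ..." form quoted in the caveats, then tallies severity-3 messages (crashes, reloads, FT errors, version mismatches) per slot so that a failing module is surfaced. The log lines, timestamps and server details are constructed samples.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Cisco syslog severity levels: 0 is most severe, 7 is debugging.
SEVERITY_NAMES = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
                  4: "warning", 5: "notification", 6: "informational", 7: "debugging"}

# Accepts both forms: "00:00:00: CSM_SLB-4-DUPLICATEID Module # ..." (banner table)
# and "*Mar  1 ...: %CSM_SLB-3-UNEXPECTED: Module 3 unexpected error: ..." (caveats).
BANNER_RE = re.compile(r"%?CSM_SLB-(?P<sev>[0-7])-(?P<mnemonic>[A-Z_]+):?\s+(?P<text>.*)$")
# Slot number appears as "Module N", "module N" or "slot N" in the message text.
SLOT_RE = re.compile(r"(?:[Mm]odule|slot)\s+(\d+)\b")


@dataclass
class CsmMessage:
    prefix: str            # timestamp / sequence text before the banner, if any
    severity: int
    mnemonic: str
    slot: Optional[int]    # None when the text carries no slot number (e.g. "Module #")
    text: str

    @property
    def needs_attention(self) -> bool:
        # Severity 3 and below covers UNEXPECTED, RELOAD, REDUNDANCY, VERMISMATCH, etc.
        return self.severity <= 3


def parse_banner(line: str) -> Optional[CsmMessage]:
    """Parse one syslog line; returns None for lines that are not CSM_SLB messages."""
    m = BANNER_RE.search(line)
    if m is None:
        return None
    text = m.group("text").strip()
    slot_m = SLOT_RE.search(text)
    slot = int(slot_m.group(1)) if slot_m else None
    return CsmMessage(prefix=line[:m.start()].strip(), severity=int(m.group("sev")),
                      mnemonic=m.group("mnemonic"), slot=slot, text=text)


def parse_log(log: str) -> List[CsmMessage]:
    """Parse every line of a log, silently skipping non-CSM lines."""
    return [msg for msg in (parse_banner(l) for l in log.splitlines()) if msg is not None]


def summarize(log: str) -> Dict[str, object]:
    """Count messages per mnemonic and error-level (severity <= 3) messages per slot."""
    msgs = parse_log(log)
    errors_by_slot: Counter = Counter()
    for msg in msgs:
        if msg.needs_attention:
            errors_by_slot[msg.slot] += 1
    return {
        "by_mnemonic": Counter(m.mnemonic for m in msgs),
        "errors_by_slot": dict(errors_by_slot),
        "attention": [f"slot {m.slot}: {SEVERITY_NAMES[m.severity]} {m.mnemonic}: {m.text}"
                      for m in msgs if m.needs_attention],
    }


# Constructed sample log: message texts follow the banners listed above and the caveat
# text; the timestamps and server addresses are made up for this example.
SAMPLE_LOG = """\
*Mar  1 00:04:12.331: %CSM_SLB-6-RSERVERSTATE: Module 3 server state changed: 10.0.0.11:80 OPERATIONAL
*Mar  1 00:04:15.002: %CSM_SLB-4-PROBECONFIG: Module 3 probe configuration error
*Mar  1 00:05:01.774: %CSM_SLB-3-UNEXPECTED: Module 3 unexpected error: FPGA3 exception encountered.
*Mar  1 00:05:30.118: %CSM_SLB-3-REDUNDANCY: Module 3 FT error
*Mar  1 00:06:02.500: %CSM_SLB-3-VERMISMATCH: Module 5 image version mismatch
*Mar  1 00:06:10.000: %CSM_SLB-4-VERWILDCARD: Received CSM-SLB module version wildcard on slot 5
*Mar  1 00:06:11.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

if __name__ == "__main__":
    for line in summarize(SAMPLE_LOG)["attention"]:
        print(line)
```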

Server and Gateway Health Monitoring

Error Message    SLB-LCSC: No ARP response from gateway address A.B.C.D.

Explanation    The configured gateway A.B.C.D. did not respond to ARP requests.

Error Message    SLB-LCSC: No ARP response from real server A.B.C.D.

Explanation    The configured real server A.B.C.D. did not respond to ARP requests.

Error Message    SLB-LCSC: Health probe failed for server A.B.C.D on port P.

Explanation    The configured real server on port P of A.B.C.D. failed health checks.

Error Message    SLB-LCSC: DFP agent <x> disabled server <x>, protocol <x>, port <x>

Explanation    The configured DFP agent has reported a weight of 0 for the specified real server.

Error Message    SLB-LCSC: DFP agent <x> re-enabled server <x>, protocol <x>, port <x>

Explanation    The configured DFP agent has reported a non-zero weight for the specified real server.

Diagnostic Messages

Error Message    SLB-DIAG: WatchDog task not responding.

Explanation    A critical error occurred within the CSM-S hardware or software.

Error Message    SLB-DIAG: Fatal Diagnostic Error %x, Info %x.

Explanation    A hardware fault was detected. The hardware is unusable and must be repaired or replaced.

Error Message    SLB-DIAG: Diagnostic Warning %x, Info %x.

Explanation    A non-fatal hardware fault was detected.

Fault Tolerance Messages

Error Message    SLB-FT: No response from peer. Transitioning from Standby to Active.

Explanation    The CSM-S detected a failure in its fault-tolerant peer and has transitioned to the active state.

Error Message    SLB-FT: Heartbeat intervals are not identical between ft pair.
SLB-FT: Standby is not monitoring active now.

Explanation    Proper configuration of the fault-tolerance feature requires that the heartbeat intervals be identical between CSM-S modules within the same fault-tolerance group, which is currently not the case. The fault-tolerance feature is disabled until the heartbeat intervals have been configured identically.

Error Message    SLB-FT: heartbeat interval is identical again

Explanation    The heartbeat intervals of different CSM-S modules in the same fault-tolerance group have been reconfigured to be identical. The fault-tolerance feature will be re-enabled.

Error Message    SLB-FT: The configurations are not identical between the members of 
the fault tolerant pair.

Explanation    In order for the fault-tolerance system to preserve the sticky database, the different CSM-S modules in the fault-tolerance group must be identically configured, which is not currently the case.

Regular Expression Errors

Error Message    SLB-LCSC: There was an error downloading the configuration to hardware
SLB-LCSC: due to insufficient memory. Use the 'show ip slb memory'
SLB-LCSC: command to gather information about memory usage.
SLB-LCSC: Error detected while downloading URL configuration for vserver %s.

Explanation    The hardware does not have sufficient memory to support the desired set of regular expressions. A different set of regular expressions must be configured for the system to function properly.

Error Message    SLB-REGEX: Parse error in regular expression <x>.
SLB-REGEX: Syntactic error in regular expression <x>.

Explanation    The configured regular expression does not conform to the regular expression syntax as described in the user manual.

Error Message    SLB-LCSC: Error detected while downloading COOKIE policy map for 
vserver <x>.
SLB-LCSC: Error detected while downloading COOKIE <x> for vserver <x>.

Explanation    An error occurred in configuring the cookie regular expressions for the virtual server. This error is likely due to a syntactic error in the regular expression (see below), or there is insufficient memory to support the desired regular expressions.

XML Errors

When an XML error occurs that is not tolerated, the HTTP response still carries a 200 status code; the failure is reported only in the response body, where the portion of the original XML document that contains the error is returned with an error element holding the error type and description.

This example shows an error response to a condition where a virtual server name is missing:

      <?xml version="1.0"?>
      <config>
       <csm_module slot="4">
        <vserver>
         <error code="0x20">Missing attribute name in element vserver</error>
        </vserver>
       </csm_module>
      </config>

Each error code is a single bit, and the same bit positions make up the error_tolerance attribute of the config (configuration) element: an error class whose bit is set in error_tolerance is ignored instead of being reported. The returned XML error codes are as follows:

XML_ERR_INTERNAL          = 0x0001,
XML_ERR_COMM_FAILURE      = 0x0002,
XML_ERR_WELLFORMEDNESS    = 0x0004,
XML_ERR_ATTR_UNRECOGNIZED = 0x0008,
XML_ERR_ATTR_INVALID      = 0x0010,
XML_ERR_ATTR_MISSING      = 0x0020,
XML_ERR_ELEM_UNRECOGNIZED = 0x0040,
XML_ERR_ELEM_INVALID      = 0x0080,
XML_ERR_ELEM_MISSING      = 0x0100,
XML_ERR_ELEM_CONTEXT      = 0x0200,
XML_ERR_IOS_PARSER        = 0x0400,
XML_ERR_IOS_MODULE_IN_USE = 0x0800,
XML_ERR_IOS_WRONG_MODULE  = 0x1000,
XML_ERR_IOS_CONFIG        = 0x2000

The default error_tolerance value is 0x48, which corresponds to ignoring unrecognized attributes and elements (XML_ERR_ATTR_UNRECOGNIZED, 0x0008, plus XML_ERR_ELEM_UNRECOGNIZED, 0x0040).
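The following Python is an added example (not Cisco's code) that decodes the error codes listed above, extracts error elements from a response body in the format shown, and reports which error classes a given error_tolerance mask silences. It uses the page's rule that a set tolerance bit means that error class is ignored; because the module answers 200 even on an untolerated error, the check inspects the body rather than the status code. The response body is a constructed copy of the example above.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional

# Error code bits as listed in the release notes; error_tolerance uses the same bits.
XML_ERROR_CODES: Dict[str, int] = {
    "XML_ERR_INTERNAL": 0x0001, "XML_ERR_COMM_FAILURE": 0x0002,
    "XML_ERR_WELLFORMEDNESS": 0x0004, "XML_ERR_ATTR_UNRECOGNIZED": 0x0008,
    "XML_ERR_ATTR_INVALID": 0x0010, "XML_ERR_ATTR_MISSING": 0x0020,
    "XML_ERR_ELEM_UNRECOGNIZED": 0x0040, "XML_ERR_ELEM_INVALID": 0x0080,
    "XML_ERR_ELEM_MISSING": 0x0100, "XML_ERR_ELEM_CONTEXT": 0x0200,
    "XML_ERR_IOS_PARSER": 0x0400, "XML_ERR_IOS_MODULE_IN_USE": 0x0800,
    "XML_ERR_IOS_WRONG_MODULE": 0x1000, "XML_ERR_IOS_CONFIG": 0x2000,
}
ALL_KNOWN_BITS = sum(XML_ERROR_CODES.values())
DEFAULT_ERROR_TOLERANCE = 0x48  # ATTR_UNRECOGNIZED | ELEM_UNRECOGNIZED, the documented default


def decode_error_code(code: int) -> List[str]:
    """Return the names of every error bit set in code; unknown bits are reported as hex."""
    names = [name for name, bit in XML_ERROR_CODES.items() if code & bit]
    leftover = code & ~ALL_KNOWN_BITS
    if leftover:
        names.append(f"UNKNOWN_0x{leftover:04x}")
    return names


def describe_tolerance(mask: int) -> List[str]:
    """Error classes that a given error_tolerance mask silences (never reported back)."""
    return decode_error_code(mask)


def is_tolerated(code: int, mask: int = DEFAULT_ERROR_TOLERANCE) -> bool:
    """True when every bit of the error code is covered by the tolerance mask."""
    return code & ~mask == 0


@dataclass
class XmlError:
    slot: Optional[str]   # slot attribute of the enclosing csm_module, if any
    element: str          # tag of the element that contained the error
    code: int
    names: List[str]
    message: str


def extract_errors(body: str) -> List[XmlError]:
    """Walk an error response and collect every error element with its context."""
    root = ET.fromstring(body)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    found: List[XmlError] = []
    for err in root.iter("error"):
        code = int(err.get("code", "0"), 0)   # attribute is hex text such as "0x20"
        element = parent_of.get(err)
        slot, node = None, element
        while node is not None:               # climb to the enclosing csm_module
            if node.tag == "csm_module":
                slot = node.get("slot")
                break
            node = parent_of.get(node)
        found.append(XmlError(slot, element.tag if element is not None else "",
                              code, decode_error_code(code), (err.text or "").strip()))
    return found


def config_push_failed(http_status: int, body: str) -> bool:
    """A 200 does not mean success: treat any error element in the body as a failure."""
    if http_status != 200:
        return True
    return bool(extract_errors(body))


# Constructed copy of the error response shown in the release notes.
SAMPLE_ERROR_RESPONSE = """<?xml version="1.0"?>
<config>
 <csm_module slot="4">
  <vserver>
   <error code="0x20">Missing attribute name in element vserver</error>
  </vserver>
 </csm_module>
</config>
"""
```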

Related Documentation

For more detailed installation and configuration information, refer to the following publications:

Regulatory Compliance and Safety Information for the Catalyst 6500 Series Switches

Catalyst 6500 Series Content Switching Module Configuration Note

Catalyst 6500 Series Content Switching Module Command Reference

Catalyst 6500 Series Content Switching Module Installation and Verification Note

Catalyst 6500 Series Switch Installation Guide

Catalyst 6500 Series Switch Module Installation Guide

Catalyst 6500 Series Switch Software Configuration Guide

Catalyst 6500 Series Switch Command Reference

Catalyst 6500 Series System Message Guide

Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide

Catalyst 6500 Series Switch Cisco IOS Command Reference

For information about MIBs, refer to this URL:

http://www.cisco.com/go/mibs

Cisco IOS Software Documentation Set

Cisco IOS Configuration Guides and Command References—Use these publications to help you configure the Cisco IOS software that runs on the MSFC and on the MSM and ATM modules.

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as an RSS feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service. Cisco currently supports RSS Version 2.0.