Table Of Contents
Release Notes for the Cisco Mobile Wireless Home Agent Feature in Cisco IOS Release 12.4(22)YD2
Determining the Software Version
SAMI Configuration Instructions
Basic IOS Configuration on Supervisor for SAMI Module
Cisco Mobile Wireless Home Agent Software Features in Release 12.4(22)YD2
Unresolved Caveats Prior to Cisco IOS Release 12.4(22)YD2
Caveats Resolved Prior to Cisco IOS Release 12.4(22)YD2
Caveats Resolved Prior to Cisco IOS Release 12.4(22)YD1
Obtaining Documentation, Obtaining Support, and Security Guidelines
Release Notes for the Cisco Mobile Wireless Home Agent Feature in Cisco IOS Release 12.4(22)YD2
Published: November 13, 2009Revised: November 25, 2009, OL-21462-01
Cisco IOS Release 12.4(22)YD2 is a special release that is based on Cisco IOS Release12.4, with the addition of enhancements to the Cisco Mobile Wireless Home Agent (HA) feature. The Cisco IOS Release 12.4(22)YD2 is a release optimized for the Cisco Mobile Wireless Home Agent feature on the Cisco Service Application Module for IP (SAMI) for the Cisco 7600 Series. The physical interfaces supported on the Cisco 7600 Series platforms are mainly Fast Ethernet and Gigabit Ethernet, FlexWAN (ATM, Frame Relay), and the new line of Shared Port Adaptor (SPA) and SPA Interface Processor (SIP) line cards, and are independent of physical media.
Contents
These release notes include important information and caveats for the Cisco Home Agent software feature provided in Cisco IOS 12.4(22)YD2 for the SAMI card on the Cisco 7600 Internet Router platform.
Caveats for Cisco IOS Release 12.4 can be found on Cisco.com at:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/tsd_products_support_series_home. html
Release notes for the Cisco 7600 Router can be found on Cisco.com at:
http://www.cisco.com/en/US/products/hw/routers/ps368/prod_release_notes_list.html
This release note includes the following topics:
•MIBs
•Cisco Mobile Wireless Home Agent Software Features in Release 12.4(22)YD2
•Obtaining Documentation, Obtaining Support, and Security Guidelines
Introduction
The Cisco Mobile Wireless Home Agent serves as an anchor point for subscribers, providing easy, secure roaming with quality of service (QoS) capabilities to optimize the mobile user experience. The Cisco Mobile Wireless Home Agent (HA) works in conjunction with a Foreign Agent (FA) and mobile node to provide an efficient Mobile IP solution.
System Requirements
This section describes the system requirements for Cisco IOS Release 12.4(22)YD2:
•Determining the Software Version
Memory Requirements
Table 1 shows the memory requirements for the Home Agent Software Feature Set that supports the SAMI blade on the Cisco 7600 Internet router platform.
Hardware Supported
For platform details and complete list of interfaces supported on 7600 series router, please refer to the following URL on Cisco.com:
http://www.cisco.com/en/US/products/hw/routers/ps368/index.htmlThe supported configuration for the HA based on the 7600 Series switch is dependent on the desired capacity, interface type to be deployed and whether IPSec support is required.
Before you install the Cisco HA, keep the following considerations in mind:
The SAMI requires either a Supervisor Engine 32, or a Supervisor Engine-720 (WS-SUP720-3BXL), with MSFC-3 (WS-SUP720)/PFC-3 (WS-F6K-PFC3BXL). For details, see the "Upgrading to a New Software Release" section in the Release Notes for Cisco IOS Release 12.2SR for the Cisco 7600 Series Routers. SRB1 or higher is required for Sup32 and Sup720, and SRC is required for RSP720.
A Cisco SAMI module is required to run HA functionality. Each SAMI module supports 1 HA logical instance running on 6 processors.
For IPSec support, an IPSec VPN accelerator for the Catalyst platform (VPNSPA) is required per 7600 chassis.
Cisco MW HA Release 12.4(22)YD2 is supported on the following platforms:
•Cisco 7600 Internet Router platform—Please refer to the following URL for installation and configuration information:
http://www.cisco.com/en/US/docs/routers/7600/Hardware/Chassis_Installation/7600_Series_Router_Installation_Guide/pref.html
Software Compatibility
Cisco IOS Release 12.4(22)YD2 is a special release that is developed on Cisco IOS Release 12.4.
Cisco IOS Release 12.4(22)YD2 supports the same features that are in Cisco IOS Release 12.4, with the addition of the Cisco Mobile Wireless HA feature.
Determining the Software Version
To determine the version of Cisco IOS software running on your router, log in to the router and enter the show version EXEC command:
Router#show versionCisco IOS Software, SAMI Software (SAMI-H2IK9S-M), Version 12.4(22)YD2, RELEASE SOFTWARE (fc2)Technical Support: http://www.cisco.com/techsupportCopyright (c) 1986-2009 by Cisco Systems, Inc.Compiled Tue 03-Nov-09 23:47 by prod_rel_teamROM: System Bootstrap, Version 12.4(20080703:222712) [plin2-sami-bouncer 104], DEVELOPMENT SOFTWARERouter uptime is 1 minuteSystem returned to ROM by reload at 13:18:56 UTC Wed Nov 25 2009System restarted at 13:23:43 UTC Wed Nov 25 2009System image file is "c7svcsami-h2ik9s-mz.124-22.YD2.bin"Last reload reason: Reload command by adminThis product contains cryptographic features and is subject to UnitedStates and local country laws governing import, export, transfer anduse. Delivery of Cisco cryptographic products does not implythird-party authority to import, export, distribute or use encryption.Importers, exporters, distributors and users are responsible forcompliance with U.S. and local country laws. By using this product youagree to comply with applicable laws and regulations. If you are unableto comply with U.S. and local laws, return this product immediately.A summary of U.S. laws governing Cisco cryptographic products may be found at:http://www.cisco.com/wwl/export/crypto/tool/stqrg.htmlIf you require further assistance please contact us by sending email toexport@cisco.com.Cisco Systems, Inc. SAMI (MPC8500) processor (revision 2.2) with 786432K/262144K bytes of memory.Processor board ID SAD121202U0FS8548H CPU at 1250MHz, Rev 2.0, 512KB L2 Cache1 Gigabit Ethernet interface65536K bytes of processor board system flash (AMD S29GL256N)Configuration register is 0x2102Upgrading the SAMI Software
The SAMI comes pre-loaded with the operating system software. However, to take advantage of new features and bug fixes, you can upgrade your SAMI with a new version of the software when it becomes available.
The SAMI software (image name c7svcsamifeature-mz) is a bundle of images - comprised of images for the base card and daughter card components.
Each image in the bundle has its own version and release numbers. When an upgrade is initiated using the upgrade hw-module privileged EXEC command, the version and release numbers in the bundle are compared to the versions currently running. If the versions are different, that image is automatically upgraded.
Note The show module command displays the software version of the LCP image, not the version of the full SAMI bundle.
To upgrade the SAMI image, perform the following tasks:
Here is an example of the show module command:
sup#show module 2Mod Ports Card Type Model Serial No.--- ----- -------------------------------------- ------------------ -----------2 1 SAMI Module (h2ik9s) WS-SVC-SAMI-BB-K9 SAD121202UKMod MAC addresses Hw Fw Sw Status--- ---------------------------------------- ------------ ------------ -------2 001f.6c89.0dca to 001f.6c89.0dd1 2.2 8.7(0.22)FW1 12.4(2009020 OkMod Sub-Module Model Serial Hw Status---- --------------------------- ------------------ ----------- ------- -------2 SAMI Daughterboard 1 SAMI-DC-BB SAD121204DZ 1.1 Ok2 SAMI Daughterboard 2 SAMI-DC-BB SAD121204CL 1.1 OkMod Online Diag Status---- -------------------2 Pass
For example, to perform an image upgrade on a SAMI in slot 2 of the Cisco 7600 chassis, enter the following commands:
Sup>Sup> enableSup# upgrade hw-module slot 2 software filetftp://10.1.1.1/c7svcsami-h2ik9sLoading c7svcsami-h2ik9s from <TFTP SERVER IPADDRESS> (via Vlan10):!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![OK - 34940891 bytes]Sup# hw-module module 2 resetProceed with reload of module?[confirm]% reset issued for module 2Sup#Apr 18 17:53:16.149 EDT: SP: The PC in slot 2 is shutting down. Please wait ...Apr 18 17:53:33.713 EDT: SP: PC shutdown completed for module 2000151: Apr 18 17:53:33.713 EDT: %C6KPWR-SP-4-DISABLED: power to module in slot 2 set off(Reset)000152: Apr 18 17:57:52.033 EDT: %MLS_RATE-4-DISABLING: The Layer2 Rate Limiters have beendisabled.000153: Apr 18 17:57:51.513 EDT: %DIAG-SP-6-RUN_MINIMUM: Module 2: Running Minimal Diagnostics...000154: Apr 18 17:57:51.537 EDT: %DIAG-SP-6-DIAG_OK: Module 2: Passed Online Diagnostics000155: Apr 18 17:57:52.073 EDT: %OIR-SP-6-INSCARD: SAMI inserted in slot 2, interfacesare now online000156: Apr 18 17:57:59.589 EDT: %SVCLC-5-FWTRUNK: Firewalled VLANs configured on trunksSup#SAMI Configuration Instructions
The following instructions outline the steps needed to install a new SAMI and configure it so that an application image is booting on the PPCs. These instructions assume that this is a brand new SAMI, not a board being transferred from another chassis.
Upgrade Supervisor Image
You might need a new SUP image in order to recognize the SAMI. The SAMI requires either a Supervisor Engine 32, or a Supervisor Engine-720 (WS-SUP720-3BXL), with MSFC-3 (WS-SUP720)/PFC-3 (WS-F6K-PFC3BXL). For details, see the "Upgrading to a New Software Release" section in the Release Notes for Cisco IOS Release 12.2SR for the Cisco 7600 Series Routers. SRB1 or higher is required for Sup32 and Sup720, and SRC is required for RSP720.
Insert the Board into the Chassis
After reloading the SUP, insert the SAMI into the chassis. Make sure to select a slot that has an empty slot above it so the cables can be easily connected.
Set up and connect a console port for the Itasca/LCP console. Also, set up and connect console ports to the PPC1 console. Even if only one will be used initially, there is a front panel port for each daughter card that will be enabled shortly. It will allow multiplexed access to all 3 processors.
Boot SAMI from the SUP
Perform the following tasks to boot the SAMI card from the SUP:
Step 1 Copy the latest LCP image to your TFTP server.
Step 2 Copy the image to the SUP.
Step 3 Add the following to the SUP configuration:
boot device module {slot} disk0:sb-csg2-image.binStep 4 Boot the board (LCP Console):
boot eobc:Step 5 After the SAMI card boots, log in using "admin" as both the username and password.
Upgrade the LCP ROMMON
The following steps illustrate how to upgrade the LCP ROMMON:
Step 1 Copy the latest stable LCP ROMMON image.
Step 2 Copy the latest LCP ROMMON image to the Itasca compact flash.
Step 3 Upgrade the ROMMON:
reprogram bootflash fur-image image:rommon-imageStep 4 Reload the blade (LCP Console):
reloadboot eobc: (from the rommon prompt)
Boot SAMI from Itasca CF
The following steps illustrate how to boot the SAMI from the Itasca compact flash:
Step 1 Copy the latest LCP image to the Itasca compact flash. Example (from LCP console).
Step 2 Add the boot command to the Itasca configuration:
boot system image:sb-csg2-mzg.bin
Note Remove any existing boot system commands first.
Step 3 Change the config register to auto boot the Itasca.
config-register 1Step 4 Reload the board.
Reprogram ROMMON on PPCs
To reprogram the ROMMON on the PPCs, perform the following tasks:
Step 1 Copy the latest LCP ROMMON image.
Step 2 Copy the image to the Itasca.
Step 3 Restart a PPC. Example (from LCP console):
testdc upgrade-rommon BOUNCER_RM.binStep 4 Set the ppc rommon to autoboot. Example (from the PPC console):
confreg 0x2102
Load and Run PPC Image
Perform the following tasks to load and run the PPC image:
Step 1 Copy the latest stable ppc application image.
Step 2 Copy the image to the Itasca. Example:
copy tftp://64.102.16.25/{username}/svcsami-h2ik9s.sami image:svcsami-h2ik9s.sami_060626Step 3 Restart a PPC. Example (from LCP console):
testdc restart svcsami-h2ik9s.sami_060626 proc 1
Required Base Configuration
A typical HA configuration requires that you define interfaces in three directions: PDSN/FA, home network, and AAA server. If HA redundancy is required, then you must configure another interface for HSRP binding updates between HAs. If you are running the HA on the SAMI, the HA will see the access to one GE port that will connect to Catalyst 7600 backplane. That port can be configured as a trunk port with sub-interfaces provided for each necessary network access.
VLANs can be defined corresponding to each interface: PDSN/FA, home network, AAA. In the case of multiple HA instances in the same 7600 chassis, the same VLAN can be used for all of them.
The following section illustrates the required base configuration for the Cisco Mobile Wireless Home Agent:
Basic IOS Configuration on Supervisor for SAMI Module
To configure the Supervisor engine to recognize the SAMI modules, and to establish physical connections to the backplane, use the following commands:
For information on SAMI configuration details, please go to the following URL:
Note SAMI modules synchronize their timing functions from the Supervisor engine's clock timers. Do not configure the timers on each individual SAMI.
MIBs
Home Agent Release 5.0 introduces two new MIBs:
•CISCO-SLB-DFP-MIB
•CISCO-RADIUS-MIB
And the following MIBs are updated:
•CISCO-MOBILE-IP-MIB
•RADIUS-CLIENT-AUTHENTICATION-MIB
Old Cisco Management Information Bases (MIBs) will be replaced in a future release. Currently, OLD-CISCO-* MIBs are being converted into more scalable MIBs—without affecting existing Cisco IOS products or NMS applications. You can update from deprecated MIBs to the replacement MIBs as shown in Table 2.
Cisco IOS Feature Sets
The Cisco IOS software is packaged in feature sets consisting of software images—depending on the platform. Each feature set contains a specific set of Cisco IOS features.
Cisco IOS Release 12.4(22)YD2 supports the same feature sets as Cisco Release 12.4, with the exception that Cisco Release 12.4(22)YD2 includes the Cisco Mobile Wireless Home Agent feature. The HA 5.0 feature set is optimized for the Cisco SAMI blade on the 7600 Internet router.
Caution Cisco IOS images with strong encryption (including, but not limited to 168-bit (3DES) data encryption feature sets) are subject to United States government export controls and have limited distribution. Strong encryption images to be installed outside the United States are likely to require an export license. Customer orders may be denied or subject to delay due to United States government regulations. When applicable, purchaser/user must obtain local import and use authorizations for all encryption strengths. Please contact your sales representative or distributor for more information, or send an e-mail to export@cisco.com.
Cisco Mobile Wireless Home Agent Software Features in Release 12.4(22)YD2
The Cisco IOS Release 12.4(22)YD2 supports the same feature sets as Cisco Release 12.4, with the exception that Cisco Release 12.4(22)YD2 includes the HA feature. The Cisco HA feature is optimized for the Cisco SAMI blade on the 7600 Internet router, and includes the following features:
This section lists features that were introduced or modified in Home Agent Release 5.2 for Cisco IOS Release 12.4(22)YD2:
•Support for Alternative MN Identifier
•Exclude NAI in Revocation Messages
•Reject Framed-IP if Already in Use
•GRE Key CVSE in Non-VRF Environment
The following features were introduced prior to Cisco IOS Release 12.4(22)YD2:
•Conserve Unique IP ID for FA-HA IP-in-IP Tunnel
•Setting Fragmentation Size of First Packet With Offset=0
•CoA for WiMAX Hotlining
•DNS Redirection with Monitoring
•NAI Authentication with Local MN-HA SPI and Key
•IP Redirect for Non-Hotlined Users
•In/Out Access List Per NAI/Realm
•HA - Realm Case-Insensitive Option
•FA-HA Auth Extension Mandatory
•Absolute Timeout Per NAI
•AAA Attributes for "ip mobile host/realm"
•VSE Support for China Telecom Attributes
•OM Metrics for 3GPP2 / WiMAX Bindings
•Single IDB for MIP/UDP Tunnels
•Redundancy Support for Hotlining
•No Authorization for Re-Reg / De-Reg
•Tunnel Stats via SNMP
•3GPP2 RRQ Without MHAE
•Single IP Infrastructure
•Home Agent Session Redundancy Infrastructure
•Automatic Intra-Chassis Configuration Synchronization
•Bounded Limit For Maximum Bindings
•Congestion Control Feature
•Foreign Agent Classification
•MAC Address as Show/Clear Binding Key
•Data Path Idle Timer
•Support for RFC 4917
•Address Assignment Feature
•Accounting Interim Sync
•RADIUS Accounting Support in Single IP Home Agent infrastructure
•Global Per Domain Accounting
•Support for Acct-Terminate-Cause
•Authentication Configuration Extension
•Support for Service and Application Module for IP (SAMI)—Up to 9 SAMI cards can be supported in a single Cisco 7600 Series Router chassis.
•Enhancements to Hot-lining
•Enhancements to Home Agent Quality of Service
•Framed-Pool Standard
•WiMAX AAA Attributes
•MS Traffic Redirection in Upstream Path
•Per Foreign-Agent Access-Type Support
•Priority-Metric for Local Pool
•Mobile IPv4 Host Configuration Extensions RFC4332
•Support for Mobile Equipment Identifier (MEID)
•Home Agent Accounting Enhancements
–Home Agent Accounting in a Redundant Setup
–Packet count and Byte count in Accounting Records
–Additional Attributes in the Accounting Records
–Additional Accounting Methods—Interim Accounting is Supported.
•VRF Mapping on the RADIUS Server
•Conditional Debugging Enhancement
•Home Agent Redundancy Enhancements
–Redundancy with Radius Downloaded Pool Names
•CLI for IP-LOCAL-POOL-MIB
•Mobile-User ACLs in Packet Filtering
•IP Reachability
•DNS Server Address Assignment
•Mobile IP MIB Enhancements in Network Management, MIBs, and SNMP on the Home Agent
•Mobile IPv4 Registration Revocation
•HA Server Load Balancing
•Home Agent Accounting
•Skip HA-CHAP with MN-FA Challenge Extension (MFCE)
•VRF Support on HA
•Radius Disconnect
•Conditional Debugging
•Home Address Assignment
•Home Agent Redundancy
•Virtual Networks
•Mobile IP IPSec
•Support for ACLs on Tunnel Interface
•Support for AAA Attributes MN-HA-SPI and MN-HA SHARED KEY
•3 DES Encryption
•User Profiles
•Mobility Binding Association
•User Authentication and Authorization
•HA Binding Update
•Per User Packet Filtering
•Security
Feature Support
In addition to supporting Cisco IOS networking features, a Cisco 7600 series router configured as a Home Agent, supports the following Home Agent-specific features:
•Support for both intra-chassis and inter-chassis HA redundancy
•Support for static IP addresses assignment
–Public IP addresses
–Private IP addresses
•Support for dynamic IP addresses assignment
–Public IP addresses
–Private IP addresses
•Multiple flows for different Network Access Identifiers (NAIs) using static or dynamic addresses
•Multiple flows for the same NAI using different static addresses
•Foreign Agent Challenge extensions in RFC 3012 - bis 03
–Mobile IP Agent Advertisement Challenge Extension
–MN-FA Challenge Extension
–Generalized Mobile IP Authentication Extension, which specifies the format for the MN-AAA Authentication Extension
•Mobile IP Extensions specified in RFC 2002
–MN-HA Authentication Extension
–FA-HA Authentication Extension
•Reverse Tunneling, RFC 2344
•Mobile NAI Extension, RFC 2794
•Multiple tunneling modes between FA and HA
–IP-in-IP Encapsulation, RFC 2003
–Generic Route Encapsulation, RFC 2784
–MIP-UDP tunneling
•Binding Update message for managing stale bindings
•Home Agent redundancy support
•Mobile IP Extensions specified in RFC 3220
–Authentication requiring the use of SPI. section 3.2
•Support for Packet Filtering
–Input access lists
–Output access lists
•Support for proxy and gratuitous ARP
•Mobile IP registration replay protection using time stamps. Nonce-based replay protection is not supported.
All other software features in Cisco IOS Release 12.4 are described in the documentation for Cisco IOS Release 12.4, which can be found at: http://www.cisco.com/en/US/products/ps6350/tsd_products_support_series_home.html
Caveats
Caveats describe unexpected behavior in Cisco IOS software releases. Severity 1 caveats are the most serious caveats; severity 2 caveats are less serious.
Caveats for Cisco IOS Releases 12.4 can be found on CCO at http://www.cisco.com/en/US/products/ps6350/prod_release_notes_list.html
The Open Caveats section lists open caveats that apply to the current release and might also apply to previous releases.
The Resolved Caveats section lists caveats resolved in a particular release, which may have been open in previous releases.
Note If you have an account with CCO, you can use the Bug Toolkit to find caveats of any severity for any release. You can reach the Bug Toolkit at http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs
Open Caveats
The following caveats are unresolved in Cisco IOS Release 12.4(22)YD2:
•CSCtc87434—Binding Table Does not Synch After Redundancy Failovers
Syncing of HA-RK key to standby fails with following error
MobileIP: SR: *@* Parsing HA-RK NVSE(65) of HA IP #.#.#.# of length #
MobileIP: SR: *@* Unknown CP-CP extension : 172; 1099 bytes are not
processed !!!
This condition occurs on an HA running in a redundant environment when doing multiple switchovers.
Workaround: the problem is not present as long as the third failover is avoided.
•CSCtc89986—DHCP Release Sent From Active Home Agent During "Reload"
DHCP release is sent from the active Home Agent during a `reload'.
The issue is observed with a Home Agent running 12.4(22)YD in a redundant setup.
Workaround: none.
When the active Home Agent is forcefully reloaded using the reload command, the active HA sends "DHCP RELEASE" messages to the DHCP server for all leased IP address. This leads to clearing the resources on DHCP Server.
Ideally "DHCP RELEASE" should not be sent for proxy clients in redundant setup as the sessions will get synced to the standby.
Unresolved Caveats Prior to Cisco IOS Release 12.4(22)YD2
The following caveats are unresolved in Cisco IOS Release 12.4(22)YD1:
•CSCtb39102—Session Not Synced to Standby When MTU Size is 1600
The session does not get synched to the standby unit from the active unit if MTU is configured as 1600 bytes in the Gigabit0/0 interface of the SAMI. The router could possibly RF induced self-reload.
This problem could happen on a redundant system with MTU size configured as 1600 bytes.
Workaround: configure the default MTU size of 1500 byes.
•CSCtb41029—HomeAgent: DHCP Redundancy Issues in HA5.0/HA5.1
The improper behavior of DHCP redundancy contexts between active and standby HA with or without switchover are observed when the Home Agent is acting as a DHCP Proxy Client. And, the issue is seen on HA5.0 and HA5.1.
This condition occurs when the Home Agent is acting as DHCP Proxy Client to lease the IP addresses from the DHCP Server for MIP sessions by configuring ip mobile host nai word address pool dhcp-proxy-client dhcp-server dhcp-server-ip interface Loopback60 aaa.
Workaround: none.
•CSCtb46311—Conditional Debugging For Radius Debugs Not Working
RADIUS logs are not displayed.
This condition occurs when RADIUS debugs are enabled along with conditional debugging.
Workaround: none.
Resolved Caveats
The following caveats are resolved in Cisco IOS Release 12.4(22)YD2:
•CSCtb25158—Bulk Sync Not Happening For All DHCP Returned Attributes
–Configure DHCP pool with DNS Server Address, Default-Gateway etc. options.
–Send Host-Config request from FASIM.
–Check in the debugs that all DHCP returned attributes are not syncing to standby card (DNS Server Address, Default-Gateway)
Because of this, after switchover, the new active card is sending Default-Gateway incorrectly on re-registration. As a result, a few attributes are not synching to standby card..
Workaround: none.
•CSCtb39102—Session Not Synced to Standby When MTU Size is 1600
The session does not get synched to the standby unit from the active unit if MTU is configured as 1600 bytes in the Gigabit0/0 interface of the SAMI. The router could possibly RF induced self-reload.
This problem could happen on a redundant system with MTU size configured as 1600 bytes.
Workaround: configure the default MTU size of 1500 byes.
•CSCtb41029—HomeAgent: DHCP Redundancy Issues in HA5.0/HA5.1
The improper behavior of DHCP redundancy contexts between active and standby HA with or without switchover are observed when the Home Agent is acting as a DHCP Proxy Client. And, the issue is seen on HA5.0 and HA5.1.
This condition occurs when the Home Agent is acting as DHCP Proxy Client to lease the IP addresses from the DHCP Server for MIP sessions by configuring ip mobile host nai word address pool dhcp-proxy-client dhcp-server dhcp-server-ip interface Loopback60 aaa.
Workaround: none.
•CSCtb46311—Conditional Debugging For Radius Debugs Not Working
RADIUS logs are not displayed.
This condition occurs when RADIUS debugs are enabled along with conditional debugging.
Workaround: none.
•CSCtb48982—Acct-Interim-Interv: local Value Gets Overwritten by access-accept Value
The HA overrides the locally configured periodic value for sending Accounting Interim to the value received in Access-Accept message
This condition occurs when the HA receives a Acct-Interim-Interval attribute in Access-Accept message from the Radius Server, and also has aaa accounting update periodic x configured locally.
Workaround: none.
•CSCtb64346—IP Redirect Feature With Non-hotline Profile Does Not Work When Destination is Not on the Routing Table
The IP redirect feature with non-hotline profile does not work when its destination is not on the routing table.
This condition occurs when
–non-hotline profile with IP redirect.
–There is no route information for the redirected destination.
–next-hop any-traffic is configured (because the destination is not on the routing table).
Workaround: add a route information for the destination to the routing table.
•CSCtb83004—Input Queue Drops Increment Every 7-10 Seconds on G0/0 With Minimal Traffic
The show interface GigabitEthernet 0/0 input queue drops increments with minimal traffic.
This happens when unknown L2 packets reach the Home Agent. This does not impact any data traffic from the mobile nodes.
Workaround: none.
Caveats Resolved Prior to Cisco IOS Release 12.4(22)YD2
The following caveats are resolved in Cisco IOS Release 12.4(22)YD1:
•CSCsw47076
A vulnerability exists in Cisco IOS software where an unauthenticated attacker could bypass access control policies when the Object Groups for Access Control Lists (ACLs) feature is used. Cisco has released free software updates that address this vulnerability. There are no workarounds for this vulnerability other than disabling the Object Groups for ACLs feature. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-acl.shtml.
•CSCsv48603
A vulnerability exists in Cisco IOS software where an unauthenticated attacker could bypass access control policies when the Object Groups for Access Control Lists (ACLs) feature is used. Cisco has released free software updates that address this vulnerability. There are no workarounds for this vulnerability other than disabling the Object Groups for ACLs feature. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-acl.shtml.
•CSCsx07114
A vulnerability exists in Cisco IOS software where an unauthenticated attacker could bypass access control policies when the Object Groups for Access Control Lists (ACLs) feature is used. Cisco has released free software updates that address this vulnerability. There are no workarounds for this vulnerability other than disabling the Object Groups for ACLs feature. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-acl.shtml.
•CSCsx25880
A vulnerability exists in the Session Initiation Protocol (SIP) implementation in Cisco IOS Software that could allow an unauthenticated attacker to cause a denial of service (DoS) condition on an affected device when the Cisco Unified Border Element feature is enabled. Cisco has released free software updates that address this vulnerability. For devices that must run SIP there are no workarounds; however, mitigations are available to limit exposure of the vulnerability. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-sip.shtml.
•CSCsy15227
Cisco IOS Software configured with Authentication Proxy for HTTP(S), Web Authentication or the consent feature, contains a vulnerability that may allow an unauthenticated session to bypass the authentication proxy server or bypass the consent webpage.
There are no workarounds that mitigate this vulnerability.
This advisory is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sa-20090923-auth-proxy.shtml
•CSCsy26261—Key Value Displayed Wrongly in Standby HA
–Configure load-sa for a realm.
–Use hmac-md5 algorithm with ascii key value for MN-HA authentication
–Use AAA to send MN-HA authenticator
–Display the cached spi/key value in standby.
–It will show the ascii value in hex.
This is just a display problem and does not affect functionality
Workaround: none.
•CSCsy54122
A vulnerability exists in Cisco IOS software where an unauthenticated attacker could bypass access control policies when the Object Groups for Access Control Lists (ACLs) feature is used. Cisco has released free software updates that address this vulnerability. There are no workarounds for this vulnerability other than disabling the Object Groups for ACLs feature. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-acl.shtml.
•CSCsz38104
The H.323 implementation in Cisco IOS Software contains a vulnerability that can be exploited remotely to cause a device that is running Cisco IOS Software to reload. Cisco has released free software updates that address this vulnerability. There are no workarounds to mitigate the vulnerability apart from disabling H.323 if the device that is running Cisco IOS Software does not need to run H.323 for VoIP services. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-h323.shtml.
•CSCsz91894—Session Timeout Should Be Able to Display More Than 2^32 Value
Currently there is no direct API to display such a large value [136 year] for the timers that get started based on AAA downloaded session timeout.
To reproduce this condition, configure "session timeout 4294967295" or "attribute 27 numeric 4294967295".
Any timer starts for this value, is not able to display it.
Workaround: none.
•CSCta00770— Previous DNS Servers Info Persists in Bindings for Full NAI
Mobile IP bindings incorrectly retain the previous configured DNS value.
This is seen only for full an NAI Mobile Node user.
Workaround: none.
•CSCta00810—After local SA Removed for Full-NAI, locals for Realm Not Being Used
The locally configured MN-HA security association (SA) is not used in some scenarios.
The following conditions exist:
–Configure MN-HA security association (SA) for both full NAI and the corresponding realm.
–Now, unconfigure SA for full-NAI.
–When the same full-NAI user tries registering, the local SA configured for the corresponding realm is not used. Because of this the authentication may fail.
Workaround: If a separate SA for full-NAI is not needed, do not configure. Configure SA for realm only.
•CSCta41989—clear ip mob sec empty load is Causing Tracebacks
Spurious memory access tracebacks are seen in Home Agent.
This is seen while issuing the clear ip mob sec empty load command.
Workaround: none.
•CSCta55764—IPC Config Synch Error
The following error appears on the Home Agent when ip mobile home-agent data-path-idle 2 is configured.
Error Message %IPC-4-CFG_SYNC_ERROR: Configuration Sync error: IPC Communication failure in sending cmd to TPThis condition occurs when there is a large number of mobile IP session active (500k), all this sessions get updated with data path idle time.
Workaround: configure ip mobile home-agent data-path-idle when there is no active sessions or a few number of sessions.
•CSCta58990—HA Reloads When Secure Host is Configured With Full NAI for Overlap IP VRF
The HA reloads when same overlapping IP address is used across two bindings under two different vrfs.
The following conditions exist:
a. ip mobile secure host has to be configured for full nai MN.
b. Static HoA assignment (RRQ HoA is non-zero).
c. Open/Close and Open should happen.
Workaround: none.
•CSCta62685—VRF is Not Applied For MN When Configured Before VRF Configuration
The VRF is not applied for the MN when configured before the VRF configuration.Conditions:</B>
The following conditions exist:
–Configure ip mobile host CLI for domain
–Configure ip mobile secure host nai for full NAI MN.
–Configure VRF for the domain
Workaround: after configuring VRF, unconfigure secure host and configure again.
•CSCta65964—Dynamic User Not Cleared in show ip mobile host Output
SA and Dynamic users details of the opened binding are still present even though the binding is cleared.
This conditions occurs when you enable the revocation and clear the binding on HA using the clear ip mobile binding all command.
Workaround: Delete the new recovery compared mn node after deleted registration revocation entry ASK for MN.
•CSCta74909—HA Crashed While Displaying lot of Bindings
HA crashed while displaying lot of bindings.
The condition occurs when a binding gets deleted, while executing show ip mobile binding.
While displaying binding information, if the MN structure gets freed due to deletion of the binding, it results into crash.
Workaround: terminal length should not be set to 1 or 0.
•CSCta75127— Memory Leak Found on TPs After Sending For Long Times With Acls
When packets from downstream are dropped by per user/realm ACL, memory leak of 180K (for 2.2Gbps for 2 hours) is observed.
This condition occurs when you configure a per user/realm ACL which denies the packet in the downstream and send downstream packets.
Workaround: none.
•CSCta98702—"attribute 44 include-in-access-req" Configured But Not Going in Access-Req
The Accounting Session-ID is not included in Access-Request.
This issue occurs under the following conditions:
–"radius-server attribute 44 include-in-access-req" is configured on the HA.
–Accounting is enabled on the HA.
Workaround: none.
•CSCsy60479—Configuration Sync Error for Tunnel Template
A configuration sync error was observed during MIP session creation or deletion using the Tunnel Template feature.
This condition occurs when a Tunnel Template is applied to an HA IP address.
Workaround: none.
•CSCsy78653—Unable to Configure ip mob sec host After Modifying Named ACLs
This problem occurs when operator configures or modifies or updates a named extended ACL, and then tries to configure a security association for MN-HA authentication for a realm/NAI.
In this scenario, local configuration of the security association is not possible due to a bug in the ACL component (refer to CSCsy69542)
This DDTS fixes the problem in the IP-mobile component, and acts as a temporary solution until the actual problem is fixed by the ACL team.
Workaround: Modify or update the local security association for MN-HA authentication before modifying a named extended ACL.
•CSCsy89105—When ACL Denies a Packet From the MN, Packet Counter Decrements in Some Cases
A data packet from the MN is received by the HA through IP/IP, GRE/IP or MIP/UDP binding. If the ACL is configured for this particular user, and the packet gets denied, the ACL counters get incremented twice.
This happens only when the packet gets denied with ACLs.
Workaround: none
•CSCsy98146—Traceback Seen on HA During Bulk Synch
A traceback appears on the standby HA during bulk sync of Mobile IP sessions.
This condition occurs in a redundancy setup with the HA 5.0 release. When the standby comes up and a bulk sync occurs, a traceback appears on the router console.
Workaround: none.
•CSCsz23375—Bindings Not Getting Synced to Standby With NAI Configured for DHCP
Binding does not sync from the active device to the standby device
This condition occurs when the NAI is configured with DHCP proxy option, then only, the binding (which brought up with that NAI) does not sync from the active to the standby.
Workaround: none
•CSCsz30815—Tracebacks in HA with High HA-RK Lifetime
Tracebacks are observed on the HA while starting HA-RK lifetime timer.
This condition occurs when you download an HA-RK lifetime value is greater than 2147483 seconds.
Workaround: Use an HA-RK lifetime value of less than 2147483 seconds.
Caveats Resolved Prior to Cisco IOS Release 12.4(22)YD1
The following caveats are resolved in Cisco Home Agent Release 12.4(22)YD:
•CSCsu11522
A vulnerability exists in the Session Initiation Protocol (SIP) implementation in Cisco IOS software that can be exploited remotely to cause a reload of the Cisco IOS device.
Cisco has released free software updates that address this vulnerability. There are no workarounds available to mitigate the vulnerability apart from disabling SIP, if the Cisco IOS device does not need to run SIP for VoIP services. However, mitigation techniques are available to help limit exposure to the vulnerability.
This advisory is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sa-20090325-sip.shtml.
•CSCsv38166
The server side of the Secure Copy (SCP) implementation in Cisco IOS software contains a vulnerability that could allow authenticated users with an attached command-line interface (CLI) view to transfer files to and from a Cisco IOS device that is configured to be an SCP server, regardless of what users are authorized to do, per the CLI view configuration. This vulnerability could allow valid users to retrieve or write to any file on the device's file system, including the device's saved configuration and Cisco IOS image files, even if the CLI view attached to the user does not allow it. This configuration file may include passwords or other sensitive information.
The Cisco IOS SCP server is an optional service that is disabled by default. CLI views are a fundamental component of the Cisco IOS Role-Based CLI Access feature, which is also disabled by default. Devices that are not specifically configured to enable the Cisco IOS SCP server, or that are configured to use it but do not use role-based CLI access, are not affected by this vulnerability.
This vulnerability does not apply to the Cisco IOS SCP client feature.
Cisco has released free software updates that address this vulnerability.
There are no workarounds available for this vulnerability apart from disabling either the SCP server or the CLI view feature if these services are not required by administrators.
This advisory is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sa-20090325-scp.shtml.
Related Documentation
Except for feature modules, documentation is available as printed manuals or electronic documents. Feature modules are available online on CCO and the Documentation CD-ROM.
Use these release notes with these documents:
Release-Specific Documents
The following documents are specific to Cisco IOS Release 12.4T:
•Cisco Mobile Wireless Home Agent Feature for Cisco IOS Release 12.4(22)YD2 at the following url:
http://www.cisco.com/en/US/docs/ios/12_4/12_4x/12_4_22yd2/feature_guide/ha_5_2_feat.html
Platform-Specific Documents
Documentation specific to the Cisco 7600 Router is located at the following location:
•On Cisco.com at: http://www.cisco.com/en/US/products/hw/routers/ps368/tsd_products_support_series_home.html
Obtaining Documentation, Obtaining Support, and Security Guidelines
For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Nurse Connect, Cisco Pulse, Cisco SensorBase, Cisco StackPower, Cisco StadiumVision, Cisco TelePresence, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flipshare (Design), Flip Ultra, Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Capital, Cisco Capital (Design), Cisco:Financed (Stylized), Cisco Store, Flip Gift Card, and One Million Acts of Green are service marks; and Access Registrar, Aironet, AllTouch, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Lumin, Cisco Nexus, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Continuum, EtherFast, EtherSwitch, Event Center, Explorer, Follow Me Browsing, GainMaker, iLYNX, IOS, iPhone, IronPort, the IronPort logo, Laser Link, LightStream, Linksys, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, PCNow, PIX, PowerKEY, PowerPanels, PowerTV, PowerTV (Design), PowerVu, Prisma, ProConnect, ROSA, SenderBase, SMARTnet, Spectrum Expert, StackWise, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0910R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
Copyright © 2009, Cisco Systems, Inc.
All rights reserved.