
Cisco IOS Software Releases 12.4 Mainline

Cross-Platform Release Notes for Cisco IOS Release 12.4, Part 6: Caveats for 12.4(1) through 12.4(12c)


Resolved Caveats—Cisco IOS Release 12.4(12c)

Cisco IOS Release 12.4(12c) is a rebuild release for Cisco IOS Release 12.4(12). The caveats in this section are resolved in Cisco IOS Release 12.4(12c) but may be open in previous Cisco IOS releases.

IP Routing Protocols

CSCek47667

Symptoms: A router may not clear BGP routes when you enter the clear bgp ipv6 unicast * command.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.2SXF but is not release-specific.

Workaround: There is no workaround.

CSCsi84089

Symptoms: A few seconds after OSPF adjacencies come up, a router crashes because of a bus error.

Conditions: This symptom is observed on a Cisco router that functions as an ISR that is configured for OSPF.

Workaround: Add area 0 in the OSPF VRF processes.

Alternate Workaround: Enter the no capability transit command in the OSPF VRF processes.

CSCsi97586

Symptoms: A Cisco MGX-RPM-XF-512 resets after deleting Multicast VPN routing from a VRF and then deleting that VRF.

Conditions: This symptom has been observed on a system running Cisco IOS Release 12.4(6)T5 configured for Multicast VPN routing while deleting an interface.

Workaround: There is no workaround.

Miscellaneous

CSCsg99814

Symptoms: On a router that functions in a GRE over IPSec or Virtual Tunnel Interface (VTI) configuration, an access control list (ACL) may be bypassed when there is an ACL on the tunnel interface.

Conditions: This symptom is observed when the ACL on the tunnel interface is configured on the outbound physical interface on which the IPSec tunnel is terminated.

Workaround: Apply the outbound ACL on the protected LAN interface instead of on the tunnel interface.

CSCsi27540

Symptoms: A VSI session may become stuck in the "RESYNC_UNDERWAY" state, preventing LVC connections from being set up. This situation is not cleared automatically, and error messages are not flushed, as is shown in the output of the show controller vsi session command.

Conditions: This symptom is observed on a Cisco router that functions as a Label Switch Controller (LSC).

Workaround: There is no workaround.

CSCsi60004

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at:

http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsi85641

Symptoms: When the Reverse Route Remote Peer option is enabled, packets may not be forwarded correctly.

Conditions: This symptom is observed when both CEF and the reverse-route remote-peer command are enabled. When you enable the debug ip cef drops command, typically, the following is shown:

CEF-Drop: Stalled adjacency for remote-physical-ip-addr on Ethernet1/0

for destination remote-protected-ip-addr

CEF-Drop: Packet for remote-protected-ip-addr -- encapsulation

Workaround: Disable CEF.

Alternate Workaround: Add a next hop to the reverse route, for example, by entering the reverse-route remote-peer ip-address command.

Wide-Area Networking

CSCsj10593

Symptoms: A terminating gateway (TGW) that is configured for Cisco ISDN Interconnect for Voice Gateways Solution may crash.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS interim Release 12.4(15.6) and that functions as a TGW with all PRI switch types from the user to the network side. The symptom occurs when the isdn test call interface interface-number dialing-string command is entered at the platform on which the call is initiated, when the originating gateway (OGW) is configured for the National ISDN (primary-ni) switch type, and when the TGW is configured for the NT DMS-100 (primary-dms100) switch type. The symptom may also affect Release 12.4T.

Workaround: There is no workaround.

Resolved Caveats—Cisco IOS Release 12.4(12b)

Cisco IOS Release 12.4(12b) is a rebuild release for Cisco IOS Release 12.4(12). The caveats in this section are resolved in Cisco IOS Release 12.4(12b) but may be open in previous Cisco IOS releases.

Basic System Services

CSCeb20967

Symptoms: A Route Switch Processor (RSP) may reload unexpectedly when a bus error with an invalid memory address occurs while packets are placed into a hold queue.

Conditions: This symptom is observed on a Cisco 7500 series that runs Cisco IOS Release 12.0 S, 12.1(14)E4, or 12.2 S when the following sequence of events occurs:

1. A packet is switched via Cisco Express Forwarding (CEF).

2. The egress interface has queueing/shaping configured.

3. The egress interface is congested, causing the packet to be placed into the hold queue.

Workaround: There is no workaround.

IP Routing Protocols

CSCsh02161

Symptoms: A Route Reflector (RR) does not withdraw a prefix that redistributes itself even if this prefix is removed from the BGP table.

Condition: This symptom is observed on a Cisco router that functions as an RR that advertises two of the same prefixes with different Route Distinguishers (RDs) when one of these prefixes redistributes itself and when the other prefix is a route that is learned from an RR client via iBGP.

Workaround: There is no workaround.

CSCsh80678

Symptoms: New or flapping IGP routes may be injected into BGP even though no corresponding network statements exist.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.3(22) or a later release when the auto-summary command is enabled for BGP.

Workaround: Enter the no auto-summary command.

CSCsh90153

Symptoms: Connectivity is lost through a router when traffic is processed twice by NAT.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.4(8a), that is configured for NAT and PBR, and that has a firewall feature enabled. Under certain conditions, traffic is processed twice by NAT when it does not need to be.

Workaround: Remove the firewall configuration from the router.

Further Problem Description: Syslogs and the output of the show ip nat translation command show that traffic that is processed twice by NAT does not traverse the router.

CSCsi62559

Symptoms: OSPF packets with IP Precedence 0 are classified by SPD as priority. This is an error because only IP Precedence 6 packets should be classified as priority packets by SPD.

Conditions: This symptom has been observed on a Cisco router running Cisco IOS Release 12.2(18) and later.

Workaround: Use ACLs to block invalid IP Control packets from reaching the control plane.

Miscellaneous

CSCek38201

Symptoms: A router may reload or display an alignment traceback when you enter the show crypto socket command.

Conditions: This symptom is observed on a Cisco router that has an OSPFv3 IPSecv6 configuration.

Workaround: There is no workaround. To prevent the symptom from occurring, do not enter the show crypto socket command in an OSPFv3 IPSecv6 configuration.

CSCsd81407

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCse56501

A device running Cisco IOS software that has Internet Protocol version 6 (IPv6) enabled may be subject to a denial of service (DoS) attack. For the device to be affected by this vulnerability, the device also has to have certain Internet Protocol version 4 (IPv4) User Datagram Protocol (UDP) services enabled. To exploit this vulnerability, an offending IPv6 packet must be targeted to the device. Packets that are routed through the router cannot trigger this vulnerability. Successful exploitation will prevent the interface from receiving any additional traffic. The only exception is the Resource Reservation Protocol (RSVP) service, which, if exploited, will cause the device to crash. Only the interface on which the vulnerability was exploited will be affected.

Cisco is providing fixed software to address this issue. There are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080326-IPv4IPv6.shtml.

CSCsf08998

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsf28509

Symptoms: When you enter the clear ip dhcp binding command to clear DHCP bindings, the corresponding DHCP-initiated subscriber sessions are not cleared.

Conditions: This symptom is observed on a Cisco router that functions as an Intelligent Service Gateway (ISG).

Workaround: Enter the clear ip subscriber command to clear the subscriber sessions.

CSCsg21401

Symptoms: Calls may fail on a gatekeeper. When this situation occurs, you may not be able to Telnet or ping to the gatekeeper, and the logs of the gatekeeper contain several error messages with tracebacks that indicate "bad id in id_get". In addition, gateways may also unregister from the gatekeeper.

The following error message and traceback are generated when the symptom occurs:

%IDMGR-3-INVALID_ID: bad id in id_get (Out of IDs!) (id: 0x6445D720) 
-Traceback= 0x6114DA04 0x622C7944 0x610F767C 0x610F8228 0x610F8138 0x6110C854 
0x6110CBB8 0x60074F1C 0x60063D74 0x60040B94 0x60052A84 0x6002637C 0x60028AB0
 
   

Conditions: This symptom is observed on a Cisco platform that functions as a gatekeeper in an H.323 environment.

Workaround: There is no workaround.

CSCsg40567

Symptoms: Malformed SSL packets may cause a router to leak multiple memory blocks.

Conditions: This symptom is observed on a Cisco router that has the ip http secure server command enabled.

Workaround: Disable the ip http secure server command.

CSCsg59326

Symptoms: When an ATM (that is, a cash machine, not a WAN platform) is connected to a switch service module, significant packet loss may occur.

Conditions: This symptom is observed on a Cisco 2800 series router.

Workaround: Change the Ethernet speed to 10 Mbps at both ends.

CSCsg70474

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsg78414

Symptoms: A sweep ping with a size of 4571 bytes may fail.

Conditions: This symptom is observed on a Cisco 7500 series when an ATM-IMA interface is configured with an MTU size of 7000 bytes.

Workaround: There is no workaround.

CSCsg96319

Symptoms: Anyone can have unprivileged Telnet access to a system without being authenticated when a reverse SSH session is established with valid authentication credentials. This only affects reverse SSH sessions where a connection is made with the ssh -l userid:number ip-address command.

Conditions: This symptom has been seen only when Reverse SSH Enhancement is used. This enhancement is documented at the following URL:

http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_rev_ssh_enhanmt_ps6441_TSD_Products_Configuration_Guide_Chapter.html

Workaround: Configure reverse SSH with the ip ssh port portno rotary rotarygroup command. This configuration is explained at the following URL:

http://www.cisco.com/en/US/tech/tk583/tk617/technologies_q_and_a_item09186a0080267e0f.shtml#newq1

CSCsh33430

Symptoms: A traceback may occur in an HSRP function and the platform may reload unexpectedly.

Conditions: This symptom is observed on a Cisco platform that has the HSRP Support for ICMP Redirects feature enabled and occurs when a learned HSRP group is removed after a resign message has been received.

Workaround: Disable the Support for ICMP Redirects feature by entering the no standby redirects global configuration command.

CSCsh75827

Symptoms: When a router that has the ssg intercept dhcp command enabled receives a DHCP packet from a host that has already logged out from a Subscriber Edge Services Manager (SESM), the router may unexpectedly reload because of a bus error.

Conditions: This symptom is observed on a Cisco router that functions as an SSG with PBHK enabled, when a host has received an IP address that is associated with a service (via the "J" Service-Info attribute), has logged out from the SESM, and then renews its IP address.

Workaround: There is no workaround.

CSCsh92914

Symptoms: A router may unexpectedly reload when you attempt to open a reversed SSH connection by using the SSHv1 protocol.

Conditions: This condition is observed on a Cisco router that runs Cisco IOS Release 12.4.

Workaround: Force the SSH transport to be SSHv2 by entering the ip ssh version 2 global configuration command.

CSCsh94526

Symptoms: When an acct-stop message is received for a non-RADIUS proxy user (that is, a normal IP user), a router that is configured for SSG crashes.

Conditions: This symptom is observed when SSG is configured for RADIUS proxy mode and when the ssg wlan reconnect command is enabled.

Workaround: There is no workaround.

CSCsh97579

Cisco devices running affected versions of Cisco IOS Software are vulnerable to a denial of service (DoS) attack if configured for IP tunnels and Cisco Express Forwarding.

Cisco has released free software updates that address this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-tunnels.shtml.

CSCsi01470

A vulnerability in the Cisco implementation of Multicast Virtual Private Network (MVPN) is subject to exploitation that can allow a malicious user to create extra multicast states on the core routers or receive multicast traffic from other Multiprotocol Label Switching (MPLS) based Virtual Private Networks (VPN) by sending specially crafted messages.

Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080326-mvpn.shtml.

CSCsi04707

Symptoms: Configuring an AUX port for async interface through a non-slotted notation such as the interface async 1 command or slotted notation such as the interface async x/y/z command may not be possible on a Cisco 2851.

Conditions: This symptom has been observed on a Cisco 2851 router with Cisco IOS Release 12.4(13). This symptom has not been seen on Cisco IOS Release 12.4(10) and earlier.

Workaround: There is no workaround.

CSCsi27767

Symptoms: One-way audio may occur when a call is transferred or picked up after having been on hold.

Conditions: This symptom is observed intermittently on a Cisco Communication Media Module (CMM) for calls that are transcoded because of a transfer or being placed on hold and for which the RTP stream terminates on the CMM.

The symptom appears to occur because of a significant change in the sequence numbers and timestamp of the RTP packets while the same SSRC is kept. You can identify this situation with a packet capture of the RTP stream.

Workaround: There is no workaround.
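The capture check described for CSCsi27767, as an added example (not Cisco code): it parses the fixed RTP header from UDP payloads already extracted from a packet capture and reports packets where the sequence number or timestamp jumps while the SSRC stays the same. The function names, thresholds and sample packets are assumptions constructed for illustration.

```python
import struct
from collections import namedtuple

RtpHeader = namedtuple("RtpHeader", "payload_type seq timestamp ssrc")

# Thresholds are assumptions for illustration, not values from the release note.
MAX_SEQ_GAP = 100        # packets; tolerates ordinary loss and reordering
MAX_TS_GAP = 8000 * 5    # timestamp units; 5 seconds at an 8 kHz media clock


def parse_rtp(payload):
    """Parse the fixed 12-byte RTP header (RFC 3550). Return None if not RTP v2."""
    if len(payload) < 12:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", payload[:12])
    if b0 >> 6 != 2:  # the version field must be 2
        return None
    return RtpHeader(b1 & 0x7F, seq, ts, ssrc)


def signed_delta(new, old, bits):
    """Return new - old modulo 2**bits as a signed value, so that a normal
    counter wraparound (65535 -> 0) is a step of +1 and not a large jump."""
    mod = 1 << bits
    d = (new - old) % mod
    return d - mod if d >= mod // 2 else d


def find_discontinuities(payloads, max_seq_gap=MAX_SEQ_GAP, max_ts_gap=MAX_TS_GAP):
    """Report packets whose sequence number or timestamp jumps sharply
    relative to the previous packet that carried the same SSRC."""
    last = {}       # SSRC -> header of the previous packet in that stream
    findings = []
    for index, payload in enumerate(payloads):
        hdr = parse_rtp(payload)
        if hdr is None:
            continue  # not RTP, skip
        prev = last.get(hdr.ssrc)
        if prev is not None:
            dseq = signed_delta(hdr.seq, prev.seq, 16)
            dts = signed_delta(hdr.timestamp, prev.timestamp, 32)
            if abs(dseq) > max_seq_gap or abs(dts) > max_ts_gap:
                findings.append({
                    "index": index,
                    "ssrc": hdr.ssrc,
                    "seq_delta": dseq,
                    "ts_delta": dts,
                })
        last[hdr.ssrc] = hdr
    return findings


def make_rtp(seq, ts, ssrc, payload_type=0):
    """Build a constructed RTP packet: version 2, no padding/extension/CSRC,
    followed by 160 bytes of dummy audio."""
    return struct.pack("!BBHII", 0x80, payload_type, seq, ts, ssrc) + b"\x00" * 160


# Constructed sample: UDP payloads in capture order (not real traffic).
STREAM_A = 0x1234ABCD
STREAM_B = 0xCAFE0001
SAMPLE = [
    make_rtp(65534, 1000, STREAM_A),
    make_rtp(65535, 1160, STREAM_A),
    make_rtp(0, 1320, STREAM_A),         # 16-bit wraparound, must not be flagged
    make_rtp(1, 1480, STREAM_A),
    make_rtp(500, 999999, STREAM_B),     # first packet of another SSRC
    make_rtp(30000, 3001480, STREAM_A),  # same SSRC, sequence and timestamp jump
    make_rtp(30001, 3001640, STREAM_A),
    b"\x00\x01",                         # too short to be RTP, skipped
]

if __name__ == "__main__":
    for f in find_discontinuities(SAMPLE):
        print("packet %d: SSRC 0x%08X seq jump %+d, timestamp jump %+d"
              % (f["index"], f["ssrc"], f["seq_delta"], f["ts_delta"]))
```
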

CSCsi42086

Symptoms: A memory leak may occur on a router that is configured for SSG when unsupported 3GPP attributes are received by SSG.

Conditions: This symptom is observed when SSG is configured to function in RADIUS proxy mode.

Workaround: Ensure that the unsupported 3GPP attributes are removed by filtering them before a RADIUS packet is received by SSG.

TCP/IP Host-Mode Services

CSCsi40766

Symptoms: H.323 calls on a Cisco IOS VoIP gateway may fail after the gateway has processed about 54,500 calls.

Conditions: This symptom is observed when H.323 uses TCP to transport signaling messages. When the Cisco IOS gateway must generate a unique port for the local TCP session, this port is selected from a range of open ports. When the number of times that a unique TCP session is created for the same IP address on the gateway exceeds 54,500, further attempts to create a local TCP port fail and calls are not completed.

The symptom occurs for H.323 calls only when a separate TCP session is established for the H.245 session. When H.245 tunneling is enabled or no H.245 session is established, the symptom does not occur for H.323 calls.

When the debug ip tcp transaction command is enabled on the gateway, the "TCP: Ran out of ports for network 0" debug output is generated when the symptom occurs.

Enabling debugs on a Cisco IOS gateway should always be done with caution to minimize impact to the performance of the router. As a minimum, ensure that logging to the console is changed from the default behavior of the debug level to, for example, an informational level.

Workaround: After the symptom has occurred, reload the Cisco IOS VoIP gateway. To prevent the symptom from occurring, ensure that for H.323 call processing all H.323 devices have H.245 tunneling enabled. This may not always be possible: for example, H.245 tunneling on Cisco CallManager is not supported.

Wide-Area Networking

CSCsh82513

Symptoms: The output of the show isdn active command may show disconnected calls.

Conditions: This symptom is observed on a Cisco router when analog modem calls are made after a normal ISDN digital call has been made.

Workaround: There is no workaround.

CSCsi21853

Symptoms: When you attempt to change the ISDN T306 timers, the changes are not accepted.

Conditions: This symptom is observed on a Cisco platform that runs Cisco IOS Release 12.4.

Workaround: There is no workaround.

Further Problem Description: The ISDN T306 configuration updates the values of the ISDN T307 timers.

Resolved Caveats—Cisco IOS Release 12.4(12a)

Cisco IOS Release 12.4(12a) is a rebuild release for Cisco IOS Release 12.4(12). The caveats in this section are resolved in Cisco IOS Release 12.4(12a) but may be open in previous Cisco IOS releases.

Basic System Services

CSCsg21398

Symptoms: Cisco IOS may restart when receiving a crafted TACACS+ msg-auth-response-get-user packet after it sends out an initial TACACS+ recv-auth-start packet.

Workaround: There is no workaround.

CSCsg48183

Symptoms: A router may unexpectedly send an ARP request from all its active interfaces to the nexthop of the network of an SNMP server.

Conditions: This symptom is observed on a Cisco router that has the snmp-server host command enabled after any of the following actions occur:

You reload the router.

A switchover of the active RP occurs.

You enter the redundancy force-switchover main-cpu command.

Workaround: There is no workaround.

CSCsg48725

Symptoms: A TLB exception may occur on a Cisco platform that functions as a PE router in an MPLS environment, and the following error message may be generated:

TLB (load or instruction fetch) exception, CPU signal 10 (BadVaddr : DEADBEF3)

Conditions: This symptom is observed on a Cisco platform when TACACS accounting and authorization is enabled and when the TACACS server is reachable through the global routing table.

Workaround: Disable AAA. If this is not an option, there is no workaround.

CSCsh44174

Symptoms: After a router has crashed, another crash may occur while the crashinfo is being generated, and a traceback with memory addresses is displayed.

Conditions: This symptom is observed on a Cisco router when, during the crash, the data in key memory locations is written to a crashinfo file on the bootflash device of the router.

Workaround: Specify an alternate storage device to store the crashinfo in the startup configuration, for example, by adding the following line to the startup configuration:

exception crashinfo disk0:

CSCuk61422

Symptoms: CEF-switching does not function, and the output of the show adjacency interface interface-number detail command does not show any packets.

Conditions: This symptom is observed on a Cisco 7500 series that has an RSP when packets are switched to a multilink interface via CEF and when you enter the show adjacency interface interface-number detail command for a multilink interface.

Workaround: There is no workaround.

IP Routing Protocols

CSCse97264

Symptoms: Two or more UDP NAT translations that relate to different requests may be assigned port numbers with the same inside global IP address.

Conditions: This symptom is observed on a Cisco 2800 series that runs Cisco IOS Release 12.3(11)T9 when more than one IP phone attempts to register through a router that is configured for NAT Overload.

Workaround: There is no workaround.

CSCsf20947

Symptoms: A default route that is defined by the neighbor default-originate command may be ignored by the BGP neighbor.

Conditions: This symptom is observed on a Cisco router after a route flap in the network causes the default route to be relearned.

Workaround: Manually clear the BGP neighbor to enable the router to correctly relearn the default route.

CSCsg48509

Symptoms: The match-in-vrf keyword is missing from the ip nat inside source command, and the ip nat inside source command is not accepted at all in interface-configuration mode.

Conditions: This symptom is observed on a Cisco 7200 series that runs Cisco IOS interim Release 12.4(11.6a) or interim Release 12.4(12.03)T but may also affect other routers.

Workaround: There is no workaround.

CSCsg50321

Symptoms: A router may hang when you enter the clear ip nat translation * command.

Conditions: This symptom is observed on a Cisco 7500 series that has an RSP when you configure static NAT for an inside source address.

Workaround: There is no workaround.

CSCsg84883

Symptoms: NAT configurations are not removed.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.4 or Release 12.4T.

Workaround: There is no workaround.

ISO CLNS

CSCsg28497

Symptoms: An IS-IS adjacency may flap when an RP switchover occurs.

Conditions: This symptom is observed on a Cisco router that is configured for IS-IS Multi-Topology, IS-IS NSF Awareness, and IPv4 and IPv6 unicast.

Workaround: There is no workaround.

Miscellaneous

CSCds25257

Symptoms: The gatekeeper rejects new registration requests from CUCM or other H.323 endpoints with an RRJ reason of duplicateAlias. Attempting to clear this stale registration fails with the "No such local endpoint is registered, clear failed." message.

Conditions: CUCM H.225 trunks register to a gatekeeper (GK) cluster. GK1 and GK2 are members of the GK cluster. CUCM registers first to GK1 then fails over to GK2. This registration at GK2 sends an alternate registration to GK1. However, because of network issues, the unregistered indication does not reach GK1.

Once the H.225 trunk attempts to register with GK1, it gets rejected because the alternate registration is still present, and there is no way to clear it out.

10.9.20.3 34273 10.9.20.3 32853 SJC-LMPVA-GK-1 H323-GW A

ENDPOINT-ID: 450FC24400000000 VERSION: 5 AGE: 1618993 secs

SupportsAnnexE: FALSE

g_supp_prots: 0x00000050

H323-ID: SJC-LMPVA-Trunk_4

Workaround: Reset the gatekeeper with the shutdown command followed by the no shutdown command, or reboot the Cisco IOS GK.

CSCec12299

Devices running Cisco IOS versions 12.0S, 12.2, 12.3 or 12.4 and configured for Multiprotocol Label Switching (MPLS) Virtual Private Networks (VPNs) or VPN Routing and Forwarding Lite (VRF Lite) and using Border Gateway Protocol (BGP) between Customer Edge (CE) and Provider Edge (PE) devices may permit information to propagate between VPNs.

Workarounds are available to help mitigate this vulnerability.

This issue is triggered by a logic error when processing extended communities on the PE device.

This issue cannot be deterministically exploited by an attacker.

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml.

CSCed57504

Symptoms: A router that is configured with a virtual template may reload unexpectedly.

Conditions: This symptom is observed on a Cisco router on which a session that uses a virtual-template is terminated and occurs when the session is cleared from a DSL CPE router that is the peer router for the connection.

Workaround: There is no workaround.

CSCek48251

Symptoms: When you enter the redundancy switch-activity force command on the active eRSC of a Cisco AS5850 while incoming VoIP H.323 calls and outgoing CAS calls are being processed, the standby eRSC does become the active eRSC and processes the calls but soon afterwards may crash at "csm_enter_idle_state."

Conditions: This symptom is observed on a Cisco AS5850 that runs Cisco IOS Release 12.4(9)T and that functions in RPR+ mode. The symptom may also affect Release 12.4.

Workaround: There is no workaround.

Further Problem Description: The symptom does not occur when PRI calls are being processed.

CSCek55511

Symptoms: A Cisco AS5400HPX that is running Cisco IOS Release 12.3(11)T7 may crash with IO Memory corruption.

Conditions: The crash may occur when polling for ccrpCPVGEntry, and resource pooling is enabled on the Gateway.

Workaround: Disable SNMP polling for ccrpCPVGEntry.

CSCsg05350

Symptoms: A Cisco platform crashes due to a chunk memory leak and generates the following error messages and tracebacks:

%DSMP-3-INTERNAL: Internal Error : NO MEMORY

-Traceback= 0x601C66D4 0x61596938 0x61579DB0 0x61279508 0x6127C34C 0x6127DB50

0x6127F6BC

%DSMP-3-INTERNAL: Internal Error : NO MEMORY

-Traceback= 0x601C66D4 0x61596938 0x61579DB0 0x61279508 0x6127C34C 0x6127DB50

0x6127F6BC

%MARVEL_HM-3-HM_RULES_RELOAD: Health Monitor causing a reload due to

Fragmented processor_memory, Free processor_memory = 10402472

bytes, Largest processor_memory block = 522632 bytes

Conditions: This symptom is observed on a Cisco AS5850 when there is a chunk memory leak. However, the symptom is platform-independent and relates to the Distributed Stream Media Processor (DSMP).

Workaround: There is no workaround.

CSCsg08395

Symptoms: When one of the controllers of a VWIC-2MFT-E1 Voice/WAN interface card that is connected back-to-back to another router is shut down, ISDN L2 may go down on the second E1 controller of the VWIC-2MFT-E1.

Conditions: This symptom is observed on a Cisco 3725 that runs Cisco IOS interim Release 12.4(11.1).

Workaround: There is no workaround.

CSCsg28628

Symptoms: NAS pkg asynchronous calls fail after a redundancy switchover has occurred, and the following error message is generated:

Modems unavailable

Conditions: This symptom is observed on a Cisco AS5850 that functions in RPR+ mode. This situation may impact service.

Workaround: There is no workaround to prevent the symptom from occurring. When the symptom has occurred, enter the redundancy switchover command a couple of times to restore the Cisco AS5850 to normal operation.

CSCsg37423

Symptoms: The output of the show l2tun session l2tp command does not include interface information.

Conditions: This symptom is observed on a Cisco router that is configured for Xconnect.

Workaround: There is no workaround.

CSCsg39287

Symptoms: A memory leak and fragmentation may occur on a terminating H.323 gateway upon receipt of an H.225 Notify message, and the gateway may crash.

Conditions: This symptom is observed on a Cisco AS5400 that has been processing calls for a couple of days.

Workaround: There is no workaround. There would be a workaround if you could prevent the originating device from sending Notify messages. However, this is not an option in a typical Cisco CallManager IP Telephony (IPT) deployment.

CSCsg50187

Symptoms: CEF-switching does not function, and the output of the show adjacency interface interface-number detail command does not show any packets.

Conditions: This symptom is observed on a Cisco router when packets are switched to a multilink interface via CEF and when you enter the show adjacency interface interface-number detail for a multilink interface.

Workaround: There is no workaround.

CSCsg58832

Symptoms: Inconsistent lease times may occur on a router that functions as a DHCP relay agent. The lease expiration times may be reduced from the value that is specified by the server to as little as five minutes. After the new lease time has expired, the binding is then deleted.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.4 or Release 12.4T, that is configured as a DHCP relay agent, and that has the ip dhcp smart-relay command enabled.

Workaround: Remove the ip dhcp smart-relay command from the configuration.

Alternate Workaround: Renew the IP address on the DHCP client.

CSCsg69124

Symptoms: A router crashes when the write memory and secure boot-image commands are executed simultaneously.

Conditions: This symptom is observed on a router that runs Cisco IOS Release 12.4 or Release 12.4T.

Workaround: There is no workaround.

Further Problem Description: Note that the commands must be entered simultaneously for the symptom to occur. When the commands are entered one after the other (in any order), the symptom does not occur.

CSCsg69205

Symptoms: On a Cisco PE router that has the ip flow egress command enabled on an interface that connects to a CE router, the traffic streams that are destined for the CE router may not be captured.

Conditions: This symptom is observed when the MPLS interface is a multilink interface.

Workaround: Enter the mpls netflow egress command on the interface that connects the PE router to the CE router to enable the traffic streams to be captured by NetFlow. Once the traffic streams are being captured you can remove this command.

CSCsg76715

Symptoms: A device crashes when you delete an ACE that was inserted in the middle of the ACL rather than added at the end of the list.

Conditions: This symptom is observed when all of the following conditions are present:

The inserted ACE has a destination prefix length of 0, that is, it has an "any" statement instead of a destination address.

The ACL already has another ACE with the same SRC prefix length and a destination prefix length that is greater than 0 (that is, other than an "any" statement), and the inserted ACE has a lower sequence number than this other ACE.

The other ACE with a destination prefix length that is greater than 0 is deleted before you delete the inserted ACE.

Workaround: First, delete the inserted ACE. Then, delete the other ACE with the same SRC prefix length and a destination prefix length that is greater than 0.

Alternate Workaround: Delete the complete ACL.

CSCsg81585

Symptoms: After you stop sending stress traffic, an egress interface of an NM-4A/S stops sending all packets, that is, the output becomes stuck.

Conditions: This symptom is observed on a Cisco router when the following conditions are present:

MLP is configured.

There is an asynchronous physical layer on the serial interfaces.

A dialer session is established by the stress traffic.

Workaround: Enter the no ip route-cache command on the egress interface of the NM-4A/S. Note that doing so may increase the CPU usage.

CSCsg96462

Symptoms: A memory leak may occur in the SNASwitch process.

Conditions: This symptom is observed when the SNASwitch fails to free memory that is associated with maintaining the RTP history information when RTP pipes terminate under some conditions.

Workaround: There is no workaround.

Further Problem Description: The following messages may be generated when the processor memory has been exhausted:

%SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed from 0x6016CEA0,

alignment 0

Pool: Processor Free: 1628716 Cause: Memory fragmentation

Alternate Pool: None Free: 0 Cause: No Alternate pool

-Process= "SNA Switch", ipl= 0, pid= 64

To check if memory is leaking, enter the following commands (note the exact upper/lower cases that are used):

show snasw rtp

show memory summary | i GraphIt | Bytes

The first command displays all the RTP pipes. The second command displays a summary of all the memory with a "GraphIt" identifier. There should be approximately two blocks with the "GraphIt Client" identifier for each non-RSETUP RTP pipe.

If there are significantly more than two "GraphIt Client" blocks per RTP pipe, the SNASwitch is leaking memory.

CSCsh39318

Symptoms: A router may crash when the configured route limit is exceeded. When this situation occurs, the following error message is generated:

%MROUTE-4-ROUTELIMIT (x1): [int] routes exceeded multicast route-limit of

[dec] - VRF [chars]

Conditions: This symptom is observed on a Cisco 10000 series that is configured for Multicast VPN but is platform-independent.

Workaround: There is no workaround.

CSCsh58082

Cisco devices running an affected version of Internetwork Operating System (IOS) which supports Session Initiation Protocol (SIP) are affected by a vulnerability that may lead to a reload of the device when receiving a specific series of packets destined to port 5060. This issue is compounded by a related bug which allows traffic to TCP 5060 and UDP port 5060 on devices not configured for SIP.

There are no known instances of intentional exploitation of this issue. However, Cisco has observed data streams that appear to be unintentionally triggering the vulnerability.

Workarounds exist to mitigate the effects of this problem on devices which do not require SIP.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070131-sip.shtml.

Wide-Area Networking

CSCek59078

Symptoms: An L2TPv3 session is established when voluntary tunneling is configured and both peers have corresponding configurations. However, after you configure a pseudowire on a virtual PPP interface on one of the peers, the session on this peer is up but the line protocol is down, and a "virtual-PPP1 is up, line protocol is down" error message is generated.

Conditions: This symptom is observed when the virtual PPP interface is first deleted via the no interface virtual-ppp number command and then reconfigured via the interface virtual-ppp number command before you configure a pseudowire on the virtual PPP interface.

Workaround: Before you configure a pseudowire on the virtual PPP interface, ensure that the virtual PPP interface has never been unconfigured via the no interface virtual-ppp number configuration command.

CSCek60025

Symptoms: A ping may be dropped in a PPP callback scenario.

Conditions: This symptom is observed on a Cisco router when Multilink PPP (MLP) and the dialer load-threshold command are enabled.

Workaround: There is no workaround.

CSCek60772

Symptoms: A crash occurs when commands are executed in a particular order.

Conditions: The crash occurs when the following commands are executed:

interface Dialer0

no dialer pool 1

shut

no interface Dialer0

interface Serial2/0

no dialer in-band

interface Dialer0

dialer remote-name dt3b7-4

no cdp enable

This happens because a freed value was not being set to NULL.

Workaround: There is no workaround.

CSCek62099

Symptoms: When Multilink PPP (MLP) is enabled for a PPP over Ethernet (PPPoE) session, outbound packets are incorrectly sent without PPPoE headers. This situation causes packets to be dropped.

Conditions: This symptom is observed in Cisco IOS Release 12.4 on all software-forwarding routers and affects only packets that are not multilink-encapsulated (when the bundle has only a single link).

Workaround: Enter the ppp multilink fragment delay interface configuration command to force multilink headers to be applied to all outbound packets.

Alternate Workaround: Disable MLP.

CSCsb24255

Symptoms: A router may generate the following error message and a MALLOC failure may occur:

flex_dsprm_voice_connect: voice tdm connect failed

Conditions: This symptom is observed on a Cisco router that processes a large number of calls with a short call duration via an E1 PRI.

Workaround: There is no workaround.

CSCsf30493

Symptoms: When a T.37 onramp call is made, the following error message may be generated:

%CSM-3-NO_VDEV: No modems associated

Conditions: This symptom is observed on a Cisco AS5850 that runs Cisco IOS interim Release 12.4(10.7). The symptom may not be platform-specific.

Workaround: There is no workaround.

CSCsg38412

Symptoms: When a Multilink PPP (MLP) session is established over an ISDN link, IPCP fails to negotiate. When the debug ppp negotiation command is enabled, you can see that IPCP packets from the peer are not processed. The output of the show interface command for the ISDN D-channel interface shows that the input queue limit is 0.

Conditions: This symptom is observed when the ISDN BRI or PRI interface is not configured as part of a dialer rotary group or dialer pool and when RADIUS is used to assign the multilink bundle to a VRF.

Workaround: Enter the dialer rotary-group command to assign the ISDN interface to a dialer.

CSCsg40885

Symptoms: A router crashes during an online insertion and removal (OIR) of a multilink interface.

Conditions: This symptom is observed on a Cisco 7200 series that is configured for MLP and PPP.

Workaround: Shut down the multilink interface before you perform an OIR.

CSCsg50202

Symptoms: When a BRI interface flaps rapidly, ISDN Layer 1 detects a link down state, but Layer 2 and Layer 3 may remain in the active state during the transition. This situation may cause the BRI interface to become stuck, and subsequent incoming and outgoing calls to be rejected.

Conditions: This symptom is observed when a cable is pulled out and put back rapidly.

Workaround: Enter the clear interface command on the affected BRI interface.

Alternate Workaround: Enter the shutdown command followed by the no shutdown command on the affected BRI interface.

CSCsg56148

Symptoms: Inbound GSM V.110 calls fail to train at a speed of 14400 bps.

Conditions: This symptom is observed on a Cisco AS5400 when the Bearer Capability (BC) does not match the Lower Layer Compatibility (LLC) in the ISDN setup message. The BC should take precedence over the LLC.

Workaround: If this is an option, configure the ISDN switch to send the correct BC and LLC. If this is not an option, there is no workaround.

Resolved Caveats—Cisco IOS Release 12.4(12)

This section describes possibly unexpected behavior by Cisco IOS Release 12.4(12). All the caveats listed in this section are resolved in Cisco IOS Release 12.4(12). This section describes severity 1 and 2 caveats and select severity 3 caveats.

Basic System Services

CSCek40101

Symptoms: If a Cisco 2800 series router is configured for async tunneling through a sync/async module at a very slow speed such as 2400 bps or below, the sync/async line may become stuck. The output of the show tcp command for the stuck line shows a CLOSED TCP connection with some unread input bytes, for example:

Router#sh tcp

tty0/2/0, connection 1 to host 172.16.242.129

Connection state is CLOSED, I/O status: 7, unread input bytes: 97

Connection is ECN Disabled

Local host: 172.16.146.249, Local port: 20514

Foreign host: 172.16.242.129, Foreign port: 23

....

....

Conditions: This symptom occurs only when the Cisco 2800 series router is used for async data tunneling at a line speed of 2400 bps or lower with a wic-2a/s card.

Workarounds: See the following:

1. Issue the clear line x/y/z command to make that line usable again.

2. Use Cisco IOS Release 12.3(14)T7, which does not show this issue as readily as Cisco IOS Release 12.4.

3. Use line speed higher than 2400 bps.

4. Use the aux port of the 2800 router.

CSCir00074

Symptoms: A router crashes when the casnDisconnect object is set to "true" for a PPPoE session.

Conditions: This symptom is observed on a Cisco 10000 series when you attempt to terminate the PPPoE session through SNMP by using the casnDisconnect object of the CISCO-AAA-SESSION-MIB.

Workaround: There is no workaround.

CSCsd26248

Symptoms: A memory leak may occur in the RADIUS process on a router that is configured for dot1x authentication but that does not have the aaa authentication dot1x command enabled. The memory leak may consume all free memory.

Conditions: This symptom is observed when the router receives attribute 24 (state) or attribute 25 (class) from a RADIUS server.

Workaround: There is no workaround.

CSCsd90876

Symptoms: Memory corruption occurs when a "| include" is used with a CLI command. An already in-use block gets freed and causes this corruption.

Conditions: This symptom can happen with any usage when a "| include" is used with a CLI command. It was found using a script for IPSec that resulted in "Crash on OIR of IPSec SLC module."

Workaround: There is no workaround. It is a programming defect.

Further Problem Description: It is a rare corner case memory corruption when a block gets freed even when it is in use. It is caught by a script under stress testing conditions which results in such a rare condition. While using CLI and "| include" it is rare to get such a corruption. If it happens, it will lead to box reload.

CSCsd95616

Two crafted Protocol Independent Multicast (PIM) packet vulnerabilities exist in Cisco IOS software that may lead to a denial of service (DoS) condition. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml.

CSCse79528

Symptoms: Serial and FDDI interfaces may not be detected.

Conditions: This symptom is observed only on a Cisco 7500 series that has an RSP.

Workaround: There is no workaround.

CSCse85200

Specifically crafted CDP packets can cause a router to allocate and keep extra memory. Exploitation of this behaviour by sending multiple specifically crafted CDP packets could cause memory allocation problems on the router.

Since CDP is a layer-2 protocol, this issue can only be triggered by systems that are residing on the same network segment.

Workaround: Disable CDP on interfaces where CDP is not necessary.

CSCse90357

Symptoms: Onramp and offramp fax calls fail to connect over E1 PRI and E1 R2 signaling.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS interim Release 12.4(9.19a).

Workaround: There is no workaround.

CSCse90580

Symptoms: A Cisco router may crash due to a bus error while removing the ip flow egress command from an interface.

Conditions: The router must have the ip flow egress command previously configured on the interface.

Workaround: There is no workaround.

CSCsf19139

Symptoms: %RADIUS-3-NOSERVERS messages are logged after a reload in Cisco IOS Release 12.3(18). At this time, the RADIUS accounting tickets are not generated.

Conditions: This symptom has been observed on a Cisco AS5300 gateway.

Workaround: Enter into configuration mode and change the order of the servers under the server group.

CSCsf32390

Symptoms: When tuning particle clone, F/S, and header pools after these were made configurable via CSCuk47328, the commands may be lost on a reload.

Conditions: When the device is reloaded, the commands are not parsed, and this results in the defaults being active. This may result in traffic loss if the increased buffers were needed to enable greater forwarding performance for the specific network design.

Workaround: Configure an applet to enter the buffer values again after a reload. A sample applet would be:

event manager applet add-buffer

event syslog occurs 1 pattern ".*%SYS-5-RESTART: System restarted --.*"

action 1.0 cli command "enable"

action 2.0 cli command "configure terminal"

action 3.0 cli command "buffers particle-clone 16384"

action 4.0 cli command "buffers header 4096"

action 5.0 cli command "buffers fastswitching 8192"

action 6.0 syslog msg "Reinstated buffers command"

EXEC and Configuration Parser

CSCse77357

Symptoms: A router may reject the creation of virtual Token Ring interface with any interface number from 0 to 9 and allow only the creation of virtual Token Ring interface with an interface number that is equal to or greater than 10.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS interim Release 12.4(9.16) or a later release or Release 12.4(9.15)T or a later release.

Workaround: Manually configure the virtual Token Ring interface with an interface number that is equal to or greater than 10.

Interfaces and Bridging

CSCsd74009

Symptoms: In a Cisco 7500 router with PA-2FE, when entering the shutdown command and then the no shutdown command on the current exit interface (PA-2FE) of the Border Router (Cisco 7500 series), the Border Router may not come to ACTIVE state on the MC.

Condition: This symptom has been seen in RSP routers with PA-2FE interface only.

Workaround: There is no workaround.

IP Routing Protocols

CSCek14600

Symptoms: A traceback has been seen on this release.

Conditions: The symptom has been observed on Cisco IOS interim Release 12.4(04) T1fc2.

Workaround: There is no workaround.

CSCek27981

Symptoms: The output of the ping is different than expected.

Conditions: This symptom has been observed after configuring the security options when the output of the ping is different than expected.

Workaround: There is no workaround.

CSCek51676

Symptom: A router crashes on a watchdog timeout.

Condition: This symptom is observed when you delete a large number of interfaces with the interface range command.

Workaround: There is no workaround.

CSCse29428

Symptoms: A crash is seen with %ALIGN-1-FATAL after showing %SYS-2-CHUNKEXPANDFAIL and %SYS-2-MALLOCFAIL repeatedly.

Conditions: This symptom is observed on a Cisco 3725 router that is running Cisco IOS Release 12.4(5a) with the c3725-advipservicesk9-mz image that is running IPSec VPN.

Workaround: There is no workaround.

CSCse56552

Symptoms: Connections fail through a router that uses CBAC. The pre-gen session is created, and the download or transfer begins. The pre-gen session times out and gets deleted from the router. Since the full session never gets established, the connection then times out on the host.

Conditions: This symptom is observed on a Cisco router that is running Cisco IOS Release 12.4(8) and using CBAC outbound on the outside interface when policy based routing is applied.

Workaround: There is no workaround.

Further Problem Description: This bug was first seen in Cisco IOS Interim Release 12.4(7.24).

CSCse58419

Symptoms: The memory consumption by the Chunk Manager process increases over time.

Conditions: This behavior is observed on certain occasions when NAT is configured. When NVI with VRF is set in the system, the memory leaks rapidly. When NAT with VRF is set in the system and either embedded address translation is needed or there is skinny protocol traffic, the memory leaks at a slow pace.

Workaround: There is no workaround.

CSCse78454

Symptom: Two OSPFv3 interface commands:

ipv6 ospf <PID> area <area ID>

ipv6 ospf neighbor <address>

can disappear after the ION process iprouting.iosproc crashes or is restarted.

Conditions: This symptom has been observed only with ION image.

Workaround: There is no workaround.

CSCse94682

Symptoms: A Cisco router with EIGRP configured might generate an error message like:

%ALIGN-3-SPURIOUS: Spurious memory access made at 0x6097922C reading 0x70

Conditions: The symptom only occurs if the no ip next-hop-self eigrp command is configured.

Workaround: There is no workaround.

CSCse98590

Symptoms: The router will display SYS-2-MALLOCFAIL messages on the console, and various protocols will operate erratically as a result of a low memory condition.

Conditions: When a router has to duplicate incoming IPv4 multicast packets for transmission on multiple interfaces, and one of those interfaces is a GRE tunnel operating in GRE IPv6 mode, then memory used to duplicate that packet stream will not be freed. As a result, the router will soon exhaust all available memory.

Workaround: The router will not exhaust memory if packets do not need to be duplicated (for example, if they enter on one interface and only exit the box through another interface), or if they do not need to duplicate to a tunnel interface that is running GRE over IPv6 (for example, tunnel mode GRE IPv4 does not have this problem).

CSCse98834

Symptoms: When SNAT is configured and mapping-id is only added to static NAT statements, dynamic NAT entries do not time out.

Workaround: Add mapping-id to dynamic NAT config if possible.

CSCsf02935

Symptoms: A router that is configured for OSPF Sham-Link and BGP redistribution may crash.

Conditions: This symptom is observed only in network topologies with OSPF routes that traverse two or more sham links. For example, the symptom may occur in a hub-and-spoke topology with sham links between the hub and two or more individual spokes. This symptom was observed on a Cisco 10000 series but may also occur on other platforms.

Workaround: There is no workaround.

CSCsg00860

Symptoms: Enabling NAT outside on the public interface terminates the VPN connection as GREoverIPSEC. Inbound ACL applied on the public interface starts to drop decrypted GRE traffic.

Conditions: This symptom has been observed with the use of IP NAT outside on the public VPN interface.

Workaround: There are 2 workarounds:

1. Configure NAT translations for all traffic, to force NAT processing on the packet even if no address will actually be translated. Example:

ip nat inside source static 171.16.68.5 171.16.68.5
 
   

It is not a scalable workaround but may work for some deployments.

2. Configure an additional ACL entry in the inbound access-list to permit the incoming GRE traffic.

ISO CLNS

CSCek47888

Symptoms: When a Traffic Engineering (TE) tunnel is configured for IS-IS, a router may resignal the LSPs after the IP routing process is restarted, causing the LSP IDs to be changed.

Conditions: This symptom is observed on a Cisco router that runs a Cisco ION software image and that functions as a Designated Router (DR) in a LAN when you enter the process restart iprouting.iosproc command.

Workaround: On the router on which the IP routing process is restarted, for each LAN interface on which IS-IS is enabled, enter the isis priority number-value command, in which the number-value argument is 0. Doing so prevents the router from functioning as the DR in the LAN.

CSCse85158

Symptoms: Locally advertised networks that are configured for the NSAP address-family under BGP will not be readvertised once they have been cleared from the BGP table.

Conditions: Once the clear bgp nsap unicast * command has been issued, the networks will no longer appear in the output of the show bgp nsap unicast command.

Workaround: There is no workaround.

Miscellaneous

CSCef73349

On a Cisco 800 router running inter vrf forwarding between Ethernet0 and Ethernet2, the cef adjacency table might be deleted for entries out of Ethernet0.

Workaround:

no ip route-cache cef on both ethernet

arp timeout 10

Static mac

CSCeg00531

Symptoms: A router crashes when you remove an ATM subinterface.

Conditions: This symptom is observed when the subinterface is configured with a LANE client that is configured for Multiprotocol over ATM (MPOA).

Workaround: There is no workaround.

CSCeg42877

Symptoms: PPPoA sessions are not coming up in autovcs after entering the shutdown interface configuration command followed by the no shutdown interface configuration command. Tracebacks are reported.

Conditions: This problem is found only if the QoS parameters are configured via the Radius server.

Workaround: Configure the QoS parameters through the command line interface (CLI).

CSCeg86867

Symptoms: An AAA server does not authenticate.

Conditions: This symptom is observed on a Cisco platform that functions as an AAA server and that runs Cisco IOS Release 12.3(13) when you dial up using Microsoft callback through an asynchronous line. Dialup through an ISDN modem works fine.

Workaround: There is no workaround.

CSCei39688

Symptom: An ATM PVC configured with OAM on a Cisco Router may fail to pass traffic even when PVC link status is up because of a CEF initialization failure.

Router#show ip interface brief | include ATM

ATM3/0/0 unassigned YES manual up up

ATM3/0/0.100 unassigned YES unset up up

ATM3/0/0.300 10.1.1.1 YES manual up up

ATM3/0/0.999 unassigned YES unset up up

Router#show cef interface brief | include ATM

ATM3/0/0 unassigned up dCEF

ATM3/0/0.100 unassigned down dCEF

ATM3/0/0.300 10.1.1.1 down dCEF

ATM3/0/0.999 unassigned down dCEF

Router#show ip cef | include 10.1.1.

10.1.1.0/30 attached ATM3/0/0.300

As CEF fails to initialize the ATM PVC, atm3/0/0.300, no /32 receive entries are created. Traffic destined for the subinterface's IP address is dropped.

Workaround: Issue "shut" and then "no shut" on the affected ATM subinterface or do not configure OAM on the PVC.

After the workaround has been applied:

Router#show ip cef | include 10.1.1.

10.1.1.0/30 attached ATM3/0/0.300

10.1.1.0/32 receive

10.1.1.1/32 receive

10.1.1.3/32 receive

CSCek36995

Symptoms: A static 0.0.0.0/0 route is configured with the object tracking feature. The route is then redistributed into RIP. Every 60 seconds, the route is validated and an additional, unnecessary nexthop entry is inserted into the RIP database. The number of these entries will then continue to grow until the route is removed from the database.

Example:

ip route 0.0.0.0 0.0.0.0 FastEthernet0 track 10

router#show ip rip database

0.0.0.0/0 auto-summary

0.0.0.0/0 redistributed

[1] via 0.0.0.0,

[1] via 0.0.0.0,

[1] via 0.0.0.0,

[1] via 0.0.0.0,

[1] via 0.0.0.0,

[1] via 0.0.0.0,

[1] via 0.0.0.0

Conditions: This symptom is platform-independent. IP forwarding and routing updates are not affected. Over time, the database will simply grow to an unnecessarily large size. The condition only occurs with the 0.0.0.0/0 route. Other routes are not affected.

Workaround: Do not use object tracking with the 0.0.0.0/0 route.

CSCek39470

Symptom: A Cisco IOS router that runs Cisco IOS Release 12.4 may experience a per-packet memory leak that is caused by a pak subblock leak in the Process memory pool (not in the I/O memory pool). In the output of the show proc mem 1 command, the memory count of the first allocator keeps growing and never decreases.

Condition: The leak is observed when a BVI (Bridge-group Virtual Interface) is configured together with crypto IPsec tunnels, specifically when the router decrypts a packet and then sends the decrypted packet to the BVI.

Workaround: Shut down any BVI (Bridge-group Virtual Interface) if being used in a router with crypto ipsec configured.

CSCek45344

Symptoms: A Cisco AS5400XM gateway crashes after 24 hour stress with E1-R2 calls.

Conditions: This symptom occurs in stress conditions after a period of 24 hours.

Workaround: There is no workaround.

CSCek45461

Symptoms: Path confirmation fails for voice calls on a Cisco AS5850. One-way audio may occur with manual phones.

Conditions: These symptoms are observed on a Cisco AS5850 that processes MGCP, H.323, and SIP calls.

Workaround: There is no workaround.

CSCek46936

Release-note: A Cisco 1700 router hangs or crashes while reloading when it is configured with a 56K line speed.

CSCek50172

Symptoms: An EEM policy with event interface cannot be registered, and a traceback appears.

Conditions: This symptom has been observed when configuring the EEM policy with event interface, and specifying a poll-interval larger than 2097151.

Workaround: When configuring the EEM policy with event interface, specify poll- interval with value less than 2097151.

CSCek52778

Symptoms: Dialer idle timer is not reset by interesting traffic on ISDN NON-MLPP, Async MLPPP, Async PBR user sessions.

Conditions: This symptom is found on a Cisco AS5850 that is running Cisco IOS Release 12.4(7b). Problem may occur with involvement of virtual profiles.

Workaround: There is no workaround.

CSCek52801

Symptoms: Router reloads with corrupted program counter after entering set cos precedence table with longstring under policy-map.

Workaround: There is no workaround.

CSCek54481

Symptoms: HTTP query data is not cached on the HTTP Client.

Conditions: This symptom has been observed when making voice calls with a VXML script accessing the HTTP Server with query data (a question mark '?' after the URL). The response data from the HTTP Server is not cached on the HTTP Client, which is the Cisco IOS voice browser.

Workaround: Instead of using query (?) to retrieve a file from the HTTP Server, use a static file name with the query character (?).

CSCek55001

Symptoms: A router may crash when you enter the dir /recursive command.

Conditions: This symptom is observed on a router that has a Cisco IOS File System (IFS) and occurs only when 40 subdirectories are created. The symptom does not occur when you enter the dir command without the /recursive keyword.

Workaround: When more than 40 subdirectories are created, do not use the dir /recursive command. Rather, use the show disk command.

CSCin97669

Symptoms: The standby RP resets continuously because of synchronization failures.

Conditions: This symptom is observed on a Cisco router when you first perform an OIR of a VIP in which a port adapter is installed that supports both T1 and E1 (for example, a PA-MC-8TE1+ port adapter) and then an SSO switchover occurs.

Workaround: There is no workaround. You must power-cycle the standby RP to enable it to come up.

CSCin98932

Symptom: An MDR reload of a VIP with "micro reload slot#" can cause the VIP to crash.

Conditions: A VIP on the 7500 platform may crash when it is warm rebooted with "micro reload slot#".

Workaround: Use "test crash" at the VIP console to MDR reload the VIP.

CSCir00786

Symptoms: When you attempt to update the startup configuration from a file but the boot commands are incorrect or you are unauthorized to enter the boot commands, a boot configuration error message should be displayed, but this does not occur.

Conditions: This symptom is observed on a Cisco router after the startup configuration has been updated by SNMP.

Workaround: Perform the following tasks:

1. Copy the startup configuration to the running configuration.

2. Copy the running configuration to the startup configuration.

3. Verify manually that the boot commands are indeed correct and use the CLI to update the startup configuration.

CSCsb13010

Symptoms: NAT configurations didn't go through due to insufficient memory.

Conditions: This behavior was observed on a Cisco 831 router running Cisco IOS Interim Release 12.4(1.2)PI1a and also Interim Release 12.4(2.2)T.

Workaround: There is no workaround.

CSCsb24909

Symptoms: The router crashes when the Cisco IOS reaches AFW_Instance_IsType.

Conditions: This symptom has been observed on a Cisco AS5350 gateway using Cisco IOS Release 12.3(14)T3.

Workaround: There is no workaround.

CSCsc01531

Symptoms: The router may crash when trying to place more calls in the BACD queue than the configured queue length.

Conditions: This symptom has been observed when more calls are placed to BACD queue than the configured queue length.

Workaround: Set the codec under dialpeer to g711ulaw.

CSCsc72722

Symptoms: TCP connections that are opened through a Cisco IOS Firewall (CBAC) may not timeout.

Conditions: With Cisco IOS Firewall (CBAC) enabled, the TCP idle timer for a session may be reset even by TCP packets that fail TCP inspection and are subsequently dropped. This could lead to the TCP session not timing out.

Workaround: There is no workaround.

CSCsc97398

Symptoms: The user information Layer 1 protocol may be included in the outgoing bearer capability and may be set to either G711 u-law or G711 A-law. Some PBXs may refuse the call because of this mismatch in the bearer capability.

Conditions: This symptom is observed when a call is made from H.323 to ISDN with unrestricted digital information bearer capability.

Workaround: There is no workaround.

CSCsd28214

Symptoms: A Cisco router that is running Cisco IOS Release 12.3(19) may crash due to a Watch Dog timeout while running the RIP routing protocol.

Conditions: The router may crash due to a Watch Dog timeout if an interface changes state at the exact same time a RIP route learned on that interface is being replaced with a better metric redistributed route. For example, RIP has learned the 192.168.1.0 network from Fast Ethernet 1/0. If RIP learns the 192.168.1.0 network from a redistributed protocol that has a better metric, then the RIP route will be removed. If, during this time the Fast Ethernet 1/0 interface goes down, then the router may potentially crash due to a Watch Dog timeout.

Workaround: There is no workaround.

CSCsd40723

Symptom: When the SESM pushes out a new configuration to the ISG, the DHCP clients on DHCP-initiated sessions may not be able to obtain an IP address after the configuration push.

Conditions: This symptom has been observed when the ISG changes the classname for sessions which were initiated via DHCP.

Workaround: There is no workaround.

CSCsd67458

Symptoms: Dual-tone multifrequency (DTMF) double-digit/garbled digit is heard.

Conditions: This symptom occurs when a remote call is transferred to a local analog phone, and the DTMF key is depressed from the remote phone.

Workaround: There is no workaround.

CSCsd69469

*Router crashed for packet testcases when show align cli is given

CSCsd70835

*Router crashed stress at AFW_TclModule_CleanSubscriptions - Suite 4

CSCsd80745

Symptoms: A router that is configured for IPSec and ISAKMP may reload unexpectedly because of a bus error exception that is triggered by an address error exception.

Conditions: This symptom is observed rarely and can occur during ISAKMP negotiation when a new IKE SA is being negotiated. The condition is aggravated when low lifetimes are used for IKE and IPsec rekeying.

Workaround: There is no workaround.

CSCsd85852

Symptoms: When a PVC is shut down on the remote side, the PVC subinterface on a router transitions from the down state to the up state within one second, but then remains in the down state after the down retry timers expire.

Conditions: This symptom is observed on a Cisco router that is configured for Operation, Administration, and Maintenance (OAM) and Dynamic Bandwidth Selection (DBS).

Workaround: There is no workaround.

CSCsd87358

Symptoms: A Cisco router may crash when configuring a hierarchical service policy.

Conditions: This symptom is observed in a Cisco 7200 series router that is running Cisco IOS Release 12.3(6a). At the time of the crash, configuration contained missing keywords causing some of the configuration lines to be rejected and some classes without match statements.

Workaround: There is no workaround.

CSCse05642

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCse18355

Symptoms: A Cisco AS5850-ERSC gateway reboots continuously with the message:

Bundled Rommon and FPGA versions are different from the current system version. Updating the system. This might take a while

System reload is required before upgrade can be done. Rebooting the system .. !

Conditions: This symptom has been observed when a Cisco AS5850-ERSC gateway is running Cisco IOS interim Release 12.4(7.24)T.COMP.

Workaround: Boot to ROM monitor mode and enter the following commands:

SKIP_UPGRADE=1
sync

This step skips the upgrade process. To revert back, enter the following commands:

unset SKIP_UPGRADE
sync

CSCse23478

Symptoms: The RIP routing protocol is configured as follows:

router rip
 version 2
 network ...
 network ...
 no auto-summary

and the following is then added under an interface:

interface x/y
 ip summary-address rip 0.0.0.0 0.0.0.0

However, there is no route to 0.0.0.0/0 in the routing table.

Under this specific condition, the router may generate a spurious memory access or, depending on the platform, the router may crash.

Workaround: Before entering the ip summary-address rip command, make sure that there is a route to 0.0.0.0/0 in the routing table.

CSCse28172

Symptom: RIP routes that point to the dialer interface remain in the routing table when a DSL link goes down. However the routes are removed from the RIP database.

Conditions: This symptom is observed on a Cisco 877 that runs Cisco IOS Release 12.4(4)T1 or Release 12.4(6)T when the dialer interface is located within a VRF. The symptom is both platform- and release-independent.

Workaround: Clear the routing table.

CSCse28590

Symptom: The router crashes after some map-list commands are entered in global configuration mode.

Conditions: The following commands can cause the crash, but they might not be the only commands that cause it:

map-list aaaaaaaaaabbbbbbbbbb

source-addr X121 100

dest-addr E164 100

map-list aaaaaaaaaabbbbbbbbbb

source-addr X121 100

dest-addr X121 100

map-list aaaaaaaaaabbbbbbbbbbcccc

Workaround: There is no workaround.

CSCse39191

Symptoms: A Cisco router that is running DHCP service will run out of memory eventually and will require a reload to recover. You can confirm this by issuing the show proc mem | inc DHCP command and seeing that the process named "DHCPD Receive" consumes an increasing amount of memory until the available memory is exhausted.

In addition, the number of AAA sessions will constantly increase and will not decrease when DHCP bindings expire. You can see this by noticing how the output of the show aaa session and show aaa user all commands show a constantly increasing number of sessions, with those associated with DHCP bindings never vanishing.

Conditions: This symptom has been observed on Cisco routers operating as a DHCP relay or server with one or more DHCP pools configured via the ip dhcp pool name command where accounting dhcp is configured in at least one pool, and the configured poolname is not the name of a valid AAA method list.

This symptom has been observed also when there is very little free processor memory on the router, enabling the allocation of some but not all data structures necessary to perform accounting for a DHCP binding.

Workaround 1: If you do not want AAA accounting for DHCP leases, disable accounting method MethListName in the DHCP pool by configuring no accounting method MethListName while in the pool configuration mode.

Workaround 2: If you want AAA accounting for DHCP leases, configure a valid accounting method list by configuring aaa accounting network methodlistname start-stop method1 where the configured method list name for the accounting method list EXACTLY matches the name provided on the accounting methodlistname line in the DHCP pool configuration.
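Both workarounds for CSCse39191 come down to one configuration property: every accounting name used inside an ip dhcp pool block must exactly match a defined aaa accounting network method list. The following audit is an added example, not Cisco code; the sample configuration, pool names and list names are constructed, and the parser assumes the usual running-config layout in which sub-mode commands are indented under their parent.

```python
import re

# Constructed sample configuration for illustration; not taken from the release notes.
SAMPLE_CONFIG = """\
aaa new-model
aaa accounting network DHCP-ACCT start-stop group radius
!
ip dhcp pool LAN-A
 network 192.0.2.0 255.255.255.128
 accounting DHCP-ACCT
!
ip dhcp pool LAN-B
 network 192.0.2.128 255.255.255.128
 accounting dhcp-acct
!
ip dhcp pool LAN-C
 network 198.51.100.0 255.255.255.0
!
ip dhcp pool LAN-D
 network 203.0.113.0 255.255.255.0
 accounting ACCT-MISSING
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.128
"""

AAA_LIST_RE = re.compile(r"^aaa accounting network (\S+)(?:\s|$)")
POOL_RE = re.compile(r"^ip dhcp pool (\S+)\s*$")
POOL_ACCT_RE = re.compile(r"^\s+accounting (\S+)\s*$")


def audit_dhcp_accounting(config_text):
    """Return [(pool, method_list)] for every DHCP pool whose accounting
    method list has no exactly matching 'aaa accounting network' definition.

    The comparison is case-sensitive because the workaround requires the
    names to match EXACTLY.
    """
    defined_lists = set()
    pool_refs = []          # (pool name, referenced method list), in config order
    current_pool = None

    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line[0].isspace():
            # Any top-level command (including '!') ends the previous block.
            current_pool = None
            match = AAA_LIST_RE.match(line)
            if match:
                defined_lists.add(match.group(1))
                continue
            match = POOL_RE.match(line)
            if match:
                current_pool = match.group(1)
            continue
        if current_pool is not None:
            match = POOL_ACCT_RE.match(line)
            if match:
                pool_refs.append((current_pool, match.group(1)))

    # Definitions may appear anywhere in the file, so compare only at the end.
    return [(pool, name) for pool, name in pool_refs if name not in defined_lists]


if __name__ == "__main__":
    for pool, name in audit_dhcp_accounting(SAMPLE_CONFIG):
        print(f"pool {pool}: accounting list '{name}' is not a defined "
              f"'aaa accounting network' method list")
```

Pools without an accounting line (LAN-C in the sample) are not reported, since they correspond to Workaround 1.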

CSCse40824

Symptom: The router crashes at vxml_uri_compare.

Conditions: This symptom has been observed when the router has been continuously running thousands of scripts loaded through TFTP.

Workaround: There is no workaround.

CSCse42444

Symptoms: When you run and monitor the cbQosCMDropPkt MIB variable, the counters may become stuck while the command line is growing properly. When you run and monitor the cbQosPoliceExceededPkt MIB variable, both counters report the same value.

Conditions: This symptom is observed on a Cisco platform that runs Cisco IOS Release 12.2(15)T13 but may also affect Release 12.4.

Workaround: There is no workaround.

CSCse43066

Symptoms: A Cisco Multiservice IP-to-IP Gateway (IPIPGW) may crash while functioning under stress.

Conditions: This symptom is observed on a Cisco IPIPGW that runs Cisco IOS interim Release 12.4(9.4) or interim Release 12.4(9.9)T.

Workaround: Configure slow start:

voice service voip
 h323
  call start slow

Note: The symptom does not occur in releases earlier than interim Release 12.4(9.4) or interim Release 12.7(7.24)T.


CSCse48814

Symptoms: A router crashes when you enter the ip nat outside interface configuration command on an interface.

Conditions: This symptom is observed on a Cisco router that runs a Cisco IOS interim Release 12.4(9.13) or interim Release 12.4(09.19a) and that is configured for Network Based Application Recognition (NBAR).

Workaround: There is no workaround.

CSCse50445

Symptoms: A router that is configured for AutoQoS may crash when the stack for the Exec process is running low.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS interim Release 12.4(9.13) or interim Release 12.4(09.19a).

Workaround: Enter the ip nbar protocol-discovery command.

CSCse50887

Symptoms: MGCP IOS Gateway sees the following:

%PARSER-4-BADCFG: Unexpected end of configuration file.

and then:

config term
router(UNKNOWN-MODE)

Or, the show running-config command output is only 5 bytes.

Conditions: This symptom occurs under the following conditions:

Use MGCP with the ccm-manager config command

Have more than 20 MGCP end points (voice ports)

Run Cisco IOS Release 12.3(11)T or later releases

Reset device pool from Cisco CallManager

Workaround: Add the no ccm-manager config command.

CSCse55588

Symptoms: Several Cisco 836 routers crash at least once a day at memcpy with same traceback in YG4.

Conditions: This symptom has been observed on Cisco 836 routers.

Workaround: There is no workaround.

CSCse55652

Symptoms: A router that is configured for distributed CEF may reload because of a bus error.

Conditions: This symptom is observed on a distributed router such as a Cisco AS5850 or Cisco 7500 series that runs Cisco IOS Release 12.4.

Workaround: There is no workaround.

CSCse59775

Symptoms: A Cisco 3845 that is configured for voice may reload because of a software-forced crash that is caused by a Redzone memory corruption.

Conditions: This symptom is observed on a Cisco 3845 that runs Cisco IOS interim Release 12.4(9.15).

Workaround: There is no workaround.

CSCse63494

Symptoms: A router that is configured for Real-Time Protocol (RTP) may generate CPUHOG events and a traceback similar to the following:

%SYS-3-CPUHOG: Task is running for (128000)msecs, more than (2000)msecs (951/33),process = VOIP_RTCP. -Traceback= 0x60EA5A78 0x60EA5C5C 0x614AD39C 0x614B55BC 0x614B59A0

Alternatively, the router may unexpectedly reload and generate the following error message and traceback:

%SYS-2-WATCHDOG: Process aborted on watchdog timeout, process = VOIP_RTCP. - Traceback= 0x60EA5A58 0x60EA5C5C 0x614AD39C 0x614B55BC 0x614B59A0

%Software-forced reload Preparing to dump core...

Conditions: This symptom is observed on a Cisco router that receives a badly formatted RTP Control Protocol (RTCP) packet.

Workaround: There is no workaround.

Further Problem Description: Typically, the badly formatted RTCP packet is produced by a device that does not conform to the RFC 3550 standard.
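The caveat attributes the trigger to RTCP packets that do not conform to RFC 3550 but does not say which field was malformed. As an added example (not Cisco code), the function below applies the header validity checks from RFC 3550 Appendix A.2 to a compound RTCP datagram, the kind of bounded pre-parse check a receiver or monitoring probe can run; the sample packets and problem labels are constructed.

```python
import struct

RTCP_VERSION = 2
RTCP_SR, RTCP_RR = 200, 201   # sender report / receiver report packet types


def validate_rtcp_compound(datagram):
    """Walk the RTCP packets in one UDP datagram and return a list of
    (offset, problem) tuples. An empty list means the datagram passes the
    RFC 3550 Appendix A.2 header checks:
      - version field equals 2
      - first packet is SR or RR
      - padding bit is zero on the first packet
      - per-packet length fields add up to the datagram length
    """
    if not datagram:
        return [(0, "empty-datagram")]

    problems = []
    offset = 0
    first_packet = True
    while offset < len(datagram):
        if len(datagram) - offset < 4:
            problems.append((offset, "truncated-header"))
            break
        first_octet, packet_type, length_words = struct.unpack_from(
            "!BBH", datagram, offset)
        version = first_octet >> 6
        padding = (first_octet >> 5) & 0x01

        if version != RTCP_VERSION:
            # Nothing after this point can be trusted, so stop walking.
            problems.append((offset, "bad-version"))
            break
        if first_packet:
            if packet_type not in (RTCP_SR, RTCP_RR):
                problems.append((offset, "first-packet-not-sr-or-rr"))
            if padding:
                problems.append((offset, "padding-on-first-packet"))

        # The length field counts 32-bit words minus one, header included,
        # so every iteration advances by at least 4 bytes and the loop ends.
        size = (length_words + 1) * 4
        if offset + size > len(datagram):
            problems.append((offset, "length-exceeds-datagram"))
            break
        offset += size
        first_packet = False
    return problems


# Constructed sample datagrams (hypothetical SSRC, not captured traffic).
SSRC = 0x11223344
VALID = (
    struct.pack("!BBHI", 0x80, RTCP_RR, 1, SSRC)      # RR, no report blocks
    + struct.pack("!BBHI", 0x81, 202, 3, SSRC)        # SDES, one chunk
    + b"\x01\x02ab" + b"\x00" * 4                     # CNAME item + null padding
)
SAMPLES = {
    "valid": VALID,
    "bad_version": struct.pack("!BBHI", 0x40, RTCP_RR, 1, SSRC),
    "sdes_first": VALID[8:],
    "padded_first": struct.pack("!BBHI", 0xA0, RTCP_RR, 1, SSRC),
    "length_overrun": struct.pack("!BBHI", 0x80, RTCP_RR, 5, SSRC),
    "trailing_bytes": VALID + b"\x80\xc9",
}

if __name__ == "__main__":
    for name, packet in SAMPLES.items():
        print(name, validate_rtcp_compound(packet) or "ok")
```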

CSCse64462

Symptom: A Cisco 7200 series router may encounter a block overrun with Redzone corruption, and subsequently crash if Turbo ACL is configured and the following command is entered:

clear eou all

Error messages similar to the following will be output, with associated tracebacks:

%SYS-3-OVERRUN: Block overrun at <address> (red zone <value>)
%SYS-6-BLKINFO: Corrupted redzone blk <address>

Conditions: This symptom is observed on a Cisco 7200 series router running Cisco IOS Release 12.4 that is configured for Turbo ACL and when the following command is entered:

clear eou all

Workaround: Disable Turbo ACL by entering the following command:

no access-list compiled

CSCse66112

Symptom: Configure CFB/MTP on CMM ACT card using the sccp ccm CLI without any version. And add the MTP as the CMM on the call manager administration page.

Conditions: This symptom has been observed on a CMM running Cisco IOS Release 12.4(8) and on CCM version 5.X.

Workaround: Register the CFB/MTP with the version included in the SCCP ccm CLI.

CSCse68065

Symptom: Memory leakage is detected when malformed SIP packets are sent to Cisco IOS SIP platforms.

Conditions: SIP (CME, IPIPGW, voice gw) is configured.

Workaround: There is no workaround.

CSCse68138

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCse68355

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCse69335

Symptoms: Media Gateway Control Protocol (MGCP) FXS/FXO ports and Cisco IOS T1CAS reset during Hookflash transfer with CCM being the call agent.

Conditions: This symptom has been observed when two consecutive RQNT messages with an S: rel event are received at the Cisco IOS gateway. In this condition, the second RQNT message is not acknowledged by the Cisco IOS gateway. This results in a reset of all the MGCP endpoints on the Cisco IOS gateway.

Workaround: There is no workaround.

CSCse71815

*Router crash when ip VRF forwarding is removed from crypto outside intf

CSCse73517

Symptom: When a Cisco 2821 is configured with 'warm-reboot count 3' and tries to boot Cisco IOS Release 12.4(9.9), 12.4(9.10), or 12.4(9.12), it fails and becomes stuck in an "Emulating mis-aligned store" loop.

Conditions: Cisco IOS Release 12.4(8) does not have this problem, but the problem starts from Release 12.4(9.9).

Workaround: Remove 'warm-reboot count 3' from the configurations.

CSCse75920

Symptoms: A Cisco router experiences a memory leak for the processes SCCP application and Chunk manager.

Conditions: The symptom has been observed after configuring the router for MTP and transcoding.

Workaround: There is no workaround.

CSCse79884

Symptoms: You may not be able to exit the session command.

Conditions: This symptom is observed on MWAM line card processors that are installed in a Cisco Catalyst 6500 series switch or a Cisco 7600 series router.

Workaround: If the session command is executed via a Telnet session to the supervisor engine: log in to the supervisor engine via its console to find out the line number in the output of the show user command that corresponds to the processor that is unable to exit from the session command. Look for IP address 127.0.0. <slot> <processor number used for session> to find the line number. Then, enter the clear line line number command to clear the session.

If the session command is executed from the MWAM console itself (which is stuck), there is no workaround.

CSCse82487

Symptom: Router crashes and emits Traceback at config_ip_keyswitch_dp_pattern.

Conditions: While issuing the command "dialplan-pattern 5 aaaaaaaaaabbbbbbbbbbccccccccccddddddddddeeeeeeeeeeffffffffffgggggggggghhhhhhhhhhiiiiiiiiiijjjjjj jjjjkkkkkkkkkkllllllllllmmmmmmmmmmnnnnnnnnnnooooooooooppppppppppqqqqqqqqqqrrrrrrrrrrs extension-length 32 extension-pattern string2 no-reg"

Workaround: There is no workaround.

CSCse85329

Symptoms: When you re-insert a PA-MC-8TE1+ port adapter in the same slot of a Cisco 7200 series via an OIR, the serial interface may enter the Down/Down state. When you enter the shutdown command followed by the no shutdown command on the T1 or E1 controller, the serial interface may transition to the Up/Down state, still preventing traffic from passing.

Conditions: This symptom is observed on a Cisco 7200 series that runs Cisco IOS Release 12.4(7) or a later release.

Workaround: Reload the router.

CSCse87017

Symptom: A Cisco IOS H.323 gateway may disconnect a transfer from third-party H.323 gateways after generating an error message similar to the one below:

%VOICE_IEC-3-GW: H323: Internal Error (Software Error): IEC=1.1.180.5.13.36 on callID 111

Conditions: This symptom is observed on a 3845 running Cisco IOS Release 12.4 Mainline and Cisco IOS Release 12.4T.

Workaround: There is no workaround.

CSCse88031

Symptom: User may be unable to add an uplink interface to an "ssg direction uplink member" group.

Conditions: 2821/2xVWIC2-2MFT-T1/E1 running c2800nm-advipservicesk9-mz.124-9.T

Issue seems to happen during an initial configuration of SSG global commands and may trigger when configuring global "ssg bind service" commands before interface "ssg direction uplink member" commands.

Workaround:

1. Configure 'ssg direction uplink member' interface commands before global 'ssg bind service' commands.

2. 'default interface ser0/1/1:0' followed by a router reload which then allows 'ssg direction uplink member' to be configured on new serial interface.

CSCse88516

Symptom: When testing a Cisco IOS Release 12.4(9.15)T image, the CLI setting for the jitter buffer minimum playout delay was found not to work. The minimum could be set to 10 ms with "playout-delay minimum low" on the VoIP dial-peer, but debug output shows that 40 ms is used.

Test topology:

analog phone---OGW(2800)---- VoIP(H.323)---TGW(2800)---Analog phone.

Conditions: This symptom occurs when the playout-delay mode setting is adaptive (the default), not fixed.

Configuration in Gateway:

OGW:

dial-peer voice 1004 voip
 destination-pattern 1004
 session target ipv4:1.1.2.199
 playout-delay minimum low
 codec g711ulaw

TGW:

dial-peer voice 1004 voip
 incoming called-number 1004
 playout-delay minimum low
 codec g711ulaw

dial-peer voice 91000 pots
 destination-pattern 10..
 port 1/0/0

Workaround: Use playout-delay mode fixed to get a jitter buffer minimum playout delay of 10 ms.

CSCse89105

Symptoms: RADIUS packets may be dropped or extra memory may be allocated when RADIUS packets are sent.

Conditions: These symptoms are observed on a Cisco platform that is configured for SSG when a RADIUS packet with a length of more than 1024 bytes is sent.

Workaround: There is no workaround.

CSCse89373

Symptoms: A second PRI link gets deactivated, with no ability to process incoming and outgoing calls, when the second one is remotely, physically, manually (CLI command) deactivated.

Conditions: This symptom occurs when the first PRI is type primary-net5, and the second PRI is type primary-qsig. Deactivate the second PRI remotely or locally by physically disconnecting the cable or issuing the shutdown command under the corresponding E1 controller.

Workaround: There is no workaround.

CSCse89402

Symptoms: The CPU stack frame may become corrupted when a channel-group is configured on the T1/E1 controller.

Conditions: This symptom is seen on mainboard WIC slots when the slot is configured for the "no network-clock participate."

Workaround: Use the VWIC in "network-clock participate" when installed in the mainboard WIC slot of the router.

Further Problem Description: In most situations, no problems are seen. In rare cases, a crash may occur.

CSCse90702

Symptoms: A Frame Relay map may not be established after you perform an OIR of a line card.

Conditions: This symptom is observed on a Cisco 7600 series when the line card is configured with an MFR bundle.

Workaround: Create a static Frame Relay map.

Alternate Workaround: Perform an OIR at both ends simultaneously.

CSCse91102

Symptoms: A Cisco IAD 2430 crashes on Cisco IOS Release 12.4(4)T2. Traceback decodes indicate memory corruption. The following events may also appear in the log:

%SYS-3-BADMAGIC: Corrupt block at
%SYS-6-MTRACE: mallocfree: addr, pc
%SYS-6-BLKINFO: Corrupted magic value in in-use block
%SYS-6-MEMDUMP:

Conditions: The router crashes where the decodes indicate check heaps as the source with any or all of the following also included in decode:

crashdump
validblock
validate_memory
checkheaps
checkheaps_process

Workaround: There is no workaround.

CSCse93156

Symptoms: Configured IP routes do not appear in the running and startup configurations. The CMTS accepts the IP route configuration, and the output of the show ip route command is updated with the configured routes.

Conditions: This symptom occurs when a static route is configured. The configured route does not appear in the running and startup configurations.

Workaround: There is no workaround.

CSCse93695

Symptoms: Three-way calls that involve the Broadsoft SIP server and Cisco IAD2400 series Integrated Access Devices may not work.

Conditions: This problem is observed in Cisco IOS Release 12.4(9)T.

Workaround: There is no workaround.

CSCse97112

Symptoms: A Cisco router may reload due to a bus error.

Conditions: This symptom is observed after the following command is issued:

no x25 map compressedtcp a.d.c.d ip e.f.g.h [ options ]

This may cause an Address Error (load or instruction fetch) exception, CPU signal 10.

Workaround: There is no workaround.

CSCsf03530

Symptoms: A crash occurs on a router when it receives a message waiting indicator (MWI).

Conditions: This symptom is observed when Unity sends a notify to the gateway (GW), and the GW is supposed to convert it to QSIG MWI. The GW crashes while running Cisco IOS Interim 12.4(9.18)T.

Workaround: There is no workaround.

CSCsf03566

Symptoms: Software-forced crash (SFC) occurs due to memory corruption.

Conditions: The crash has been seen on a Cisco 7600 router running Cisco IOS Release 12.2(18)SXF5. This happens if the router is acting as an EZVPN server and xauth is enabled when the crypto session is brought down.

Workaround: There is no workaround.

CSCsf04754

Multiple Cisco products contain either of two authentication vulnerabilities in the Simple Network Management Protocol version 3 (SNMPv3) feature. These vulnerabilities can be exploited when processing a malformed SNMPv3 message. These vulnerabilities could allow the disclosure of network information or may enable an attacker to perform configuration changes to vulnerable devices. The SNMP server is an optional service that is disabled by default. Only SNMPv3 is impacted by these vulnerabilities. Workarounds are available for mitigating the impact of the vulnerabilities described in this document.

The United States Computer Emergency Response Team (US-CERT) has assigned Vulnerability Note VU#878044 to these vulnerabilities.

Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-0960 has been assigned to these vulnerabilities.

This advisory will be posted at http://www.cisco.com/warp/public/707/cisco-sa-20080610-snmpv3.shtml

CSCsf06386

Symptom: A device running Cisco IOS may leak buffers in I/O memory. Over time this will exhaust all of I/O memory and can prevent non-console access to the device.

Conditions: The device must be configured for SSG (Service Selection Gateway).

Workaround: There is no workaround.

CSCsf09186

Symptoms: When you enter the show ip route command to check on the installed routes, the output does not show the routes that have been installed by the RIP.

Conditions: This symptom is observed on a Cisco router when redistribution is enabled under the RIP.

Workaround: There is no workaround.

CSCsf09338

Symptoms: The calls coming from the CMM MTP has one-way audio when a call transfer is done on the other side.

Conditions: This symptom is observed when CMM is configured as MTP/XCode and running Cisco IOS Release 12.4(7b).

Workaround: There is no workaround.

CSCsf11937

Symptoms: When you enter the cd .../.../ command followed by a sequence of mkdir commands, the disk becomes corrupt.

Note that for the cd .../.../ command, ".../.../" are the arguments, that is, the arguments consist of more than two dots.

Conditions: This symptom is observed on a Cisco router that has an ATA file system.

Workaround: Enter the format command for the file system.

CSCsf11982

Symptoms: A Cisco 7200 router crashes when ip sla monitor schedule is configured in Cisco IOS Release 12.4(10.5).

Conditions: The router crashes after the following configuration is entered:

config terminal
ip sla monitor 1
type voip delay post-dial detect-point alert-ringing destination 8765432
end

config terminal
ip sla monitor schedule 1 life 300 start-time now

Workaround: There is no workaround.

CSCsf12037

Symptoms: An SNA Switch router may reload and display the following error message:

System returned to ROM by bus error at PC 0x61504EB0, address 0x58

Conditions: This symptom is observed on a router that is running Cisco IOS Release 12.3(18).

Workaround: There is no workaround.

CSCsf13740

Symptoms: A Cisco 7200 series router with VAM2+ Encryption/Compression engine, running Cisco IOS Release 12.4(10), may reload due to a bus error after a large service policy is applied to a Gig interface.

The following error messages may flood the console:

*crypto qos: get_shape_class fail, class=<name>

*crypto qos: get_shape_class fail, class=<name>

*crypto qos: get_shape_class fail, class=<name>

*crypto qos: get_shape_class fail, class=<name>

Crash: %ALIGN-1-FATAL: Corrupted program counter 06:30:27 MEST Fri Aug 18 2006 pc=0x7E000000 , ra=0x6633E958 , sp=0x64DE2E40

%ALIGN-1-FATAL: Corrupted program counter 06:30:27 MEST Fri Aug 18 2006 pc=0x7E000000 , ra=0x6633E958 , sp=0x64DE2E40

06:30:27 MEST Fri Aug 18 2006: TLB (load or instruction fetch) exception, CPU signal 10, PC = 0x7E000000

-Traceback= 0x7E000000

Conditions: This symptom occurs when the router has a VAM+ encryption module.

Workaround: There is no workaround.

CSCsf17039

Symptoms: A router may crash when you configure On-Demand Address Pools (ODAP) with Dynamic Host Configuration Protocol (DHCP) and when the router that requests the address pool (subnet) runs out of available addresses.

Conditions: This symptom is observed in an MPLS-VPN network when you configure ODAPs on virtual home gateways (VHGs) and provider edge (PE) routers.

Workaround: There is no workaround.

CSCsf19418

Symptoms: A router may reload unexpectedly when you enter the show mpls ldp graceful-restart command.

Conditions: This symptom is observed when either of the following conditions is present:

When the command output has a "Down Neighbor Database" entry that expires by reaching the reconnect timeout limit while the command output is generating the neighbor address list.

When the command output is paged at the "--More--" string within the context of displaying addresses.

Workaround: Do not enter the show mpls ldp graceful-restart command when a graceful-restart database entry is about to expire. When the command output is paged at the "--More--" string within the context of displaying addresses and when the Down Neighbor Database entry may have expired, type the letter "Q" to abort any further output of addresses.

CSCsf19728

A new NextPort firmware needs to be bundled into Cisco IOS to address critical customer issues.

The firmware has two components: Module Controller Firmware, and SPE Firmware.

The MC firmware change allows a configurable change to facilitate Modem Pass Through for a specific POS client device, critical to a specific customer.

The SPE firmware is 10.4.1, and the associated fixes are listed in release notes located at:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_serv/as5400/sw_conf/nxtprtrn/

CSCsf22493

Symptoms: The Cisco Communication Media Module (CMM) crashes when processing the UnsubscribeDtmf message.

Conditions: This symptom is observed when CMM XCODE/MTP is using Cisco IOS Release 12.4(8a) and RFC2833.

Workaround: There is no workaround.

CSCsf26617

Symptom: An MGCP gateway intermittently unregisters from CallManager when calls are made to an EVM FXS port.

Conditions: This symptom is observed on an MGCP gateway that uses an EVM module with an FXS port. A call is made to the FXS port and the calling party hangs up right away. The FXS called party then answers the call during the first ring.

Because the calling party hangs up right away, the CallManager continues to send DLCX messages to the gateway. The gateway does not respond to three DLCXs, and the CallManager unregisters the gateway.

Workaround:

Configure the EVM FXS ports to be H.323.

Use the VWIC on the motherboard instead of the EVM.

CSCsf27178

Symptom: Percentage based traffic shaping is not working.

Conditions: This symptom is observed on a Cisco router that is configured with percentage-based traffic shaping in an output policy.

Workaround: There is no workaround.

CSCsf28840

A vulnerability exists in the Data-link Switching (DLSw) feature in Cisco IOS where an invalid value in a DLSw message could result in a reload of the DLSw device. Successful exploitation of this vulnerability requires that an attacker be able to establish a DLSw connection to the device.

There are workarounds available for this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070110-dlsw.shtml

CSCsf31178

Symptoms: HWIC-1GE-SFP may experience an issue where the Gig Ethernet interface is "stuck" in a Line UP/Protocol Down state. While in this state, the interface will not pass traffic. Clearing the interface or manually disabling/enabling will clear the condition. This symptom does not occur when 1000BASE-T SFP is used.

Conditions: A Loss of Signal (for example, unplugging the cable) may cause the interface to become stuck in a Line UP/Protocol Down state.

Workaround: Clearing the interface or manually shutting it down, then bringing it back up will clear the problem.

CSCsf97785

Symptom: The eRSC hangs during bootup.

Conditions: This symptom has been observed during bootup.

Workaround: There is no workaround.

CSCsf98345

Symptoms: An MPLS LDP peer on a default VRF resets when a VRF interface goes down.

Conditions: This symptom is observed on a Cisco router when the VRF interface is configured with a subnetwork address that overlaps with the default router ID.

Workaround: Reconfigure the VRF interface address so it does not overlap with the default router ID.

CSCsf98608

Symptom: GK reloads when "no zone prefix SFO-GK-1 201201* gw-priority 10 SFO_trunk8_8 SFO_trunk6_6 SFO_trunk4_4 SFO_trunk2_2" command is issued on the Gatekeeper.

Conditions: This symptom has been observed when dynamic prefixes are used.

Workaround: There is no workaround.

CSCsf99378

Symptom: The no form of the "ip local pool poolname" command is not accepted. The error message says that it is an incomplete command.

Conditions: This symptom has been observed on Cisco IOS Release 12.4(10.8) image.

Workaround: There is no workaround.

CSCsg00602

Symptoms: A Cisco 3845 or Cisco 3825 router with AIM-VPN/HPII-PLUS(EPII-PLUS) may show the following symptoms:

1. Show alignment errors.

2. Crash by bus error.

3. XXX display by running the show crypto engine accel ring packet command.

4. If a telnet session, which shows symptom three, is cut by "clear line," its related exec process does not disappear and starts to occupy CPU.

Conditions: This failure is seen on the Cisco 2600, Cisco 2800, Cisco 3600, Cisco 3700, Cisco 3800, and Cisco 1800 series routers that are configured with an AIM-VPNII or AIM-VPNII PLUS Virtual Private Network (VPN) encryption and hardware advanced integration module (AIM).

Workaround: Avoid running the show crypto engine accel ring packet command.

CSCsg03991

Symptoms: The build is broken for snasw images.

Workaround: There is no workaround.

CSCsg05140

Symptom: A Cisco AS5850 reloads unexpectedly during stress with SIP calls.

Conditions: This symptom has been observed on Cisco AS5850 platform for plain SIP calls.

Workaround: There is no workaround.

CSCsg07907

Symptoms: A Cisco 3845 router unexpectedly reloads with bus error as seen in the show version when enabling DSP mini logger (voice dsp <slot> command history enable).

Conditions: This symptom is observed on a Cisco 3845 router that is running Cisco IOS Release 12.4 with conferencing enabled on the DSP slot that minilogger is being turned on for.

Workaround: Disable conferencing on that slot, if possible.

CSCsg15598

The Intrusion Prevention System (IPS) feature set of Cisco IOS contains several vulnerabilities. These include:

Fragmented IP packets may be used to evade signature inspection.

IPS signatures utilizing the regular expression feature of the ATOMIC.TCP signature engine may cause a router to crash resulting in a denial of service.

There are mitigations and workarounds for these vulnerabilities. Cisco has made free software available to address these vulnerabilities for affected customers.

This advisory is posted at:

http://www.cisco.com/warp/public/707/cisco-sa-20070213-iosips.shtml.

CSCsg16908

Multiple vulnerabilities exist in the Cisco IOS File Transfer Protocol (FTP) Server feature. These vulnerabilities include Denial of Service, improper verification of user credentials and the ability to read or write any file in the device's filesystem, including the device's saved configuration, which may include passwords or other sensitive information.

The Cisco IOS FTP Server is an optional service that is disabled by default. Devices that are not specifically configured to enable the Cisco IOS FTP Server service are unaffected by these vulnerabilities.

This vulnerability does not apply to the Cisco IOS FTP Client feature.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070509-iosftp.shtml.

TCP/IP Host-Mode Services

CSCsd71318

Symptoms: A Cisco 2800 series router crashes whenever the connection to the URL filter server is reset due to network congestion or a warm or cold reload.

Conditions: This symptom has been observed when the router is running URL filtering with an external Websense or N2H2 server.

Workaround: There is no workaround for cold or warm reload. If the crash occurs due to network congestion or WAN reset, remove the condition that causes the connection to the URL filter to flap.

Wide-Area Networking

CSCek55209

Symptoms: When the ppp multilink endpoint mac lan-interface command or the ppp multilink endpoint ip ip-address command is configured, the router may unexpectedly reload if the multilink interface goes to the DOWN state, for example, when a PVC virtual circuit is unconfigured.

Conditions: This symptom is observed on a Cisco router that is configured for Multilink PPP.

Workaround: There is no workaround. Do not use these configuration commands in Cisco IOS Releases 12.3, 12.4 or 12.2SB without a fix for this DDTS.

CSCek56250

Symptoms: A router may reload while executing the show ppp multilink command.

Conditions: This symptom is observed when a multilink bundle goes down while the output is being generated.

Workaround: There is no workaround.

CSCir00712

Symptoms: On Cisco LAC software running Cisco IOS Release 12.3(14)T, when the fragmented data traffic is received on the LAC over the L2TP tunnel, the IP layer reassembles the packet and routes the packet on the wrong interface instead of consuming the L2TP data traffic locally.

Conditions: This symptom has been seen when fragmented L2TP data traffic is received on the LAC from the LNS over the L2TP tunnel.

Workaround: There is no workaround.

CSCsd75854

Symptoms: A router may generate a malformed PPPoE Active Discovery Offer (PADO) packet with two 802.1q tags. The first 802.1q tag contains the correct VLAN ID.

Conditions: This symptom is observed on a Cisco router when the Service-Name field in the PPPoE Active Discovery Initiation (PADI) packet is empty and not equal to the one that is configured on the router.

Workaround: Ensure that a correct Service-Name field is used in the PADI packet.

CSCsd93740

Symptoms: A Cisco router is acting as a X25 switch. Both standard X25 route statements and hunt-groups are being used.

After a period of normal operations, output of the show x25 hunt-group command shows status full for all hunt-groups where destinations are reachable over XoT.

Other hunt groups where calls are forwarded over X25 serial interfaces do not show this problem. When problem is present, calls cannot be forwarded via hunt groups, and configured redundant routes are used.

Workaround: Unconfiguring and then reconfiguring all X25 routes helps to recover in some cases. However, in some cases a router reload is needed.

CSCse12198

Symptoms: Individual B-channels on the primary T1 in the NFAS group sometimes go OOS for no reason.

Conditions: This symptom is observed when connected to a Cisco PGW that is running Cisco IOS Release 9.3(2). The Cisco AS5400 is connected to the Cisco PGW that is running RLM in the Signaling/Nailed mode.

Also, sometimes ISDN service goes OOS, and the channel state goes to 5, which is maintenance pending.

Workaround: When this happens, ISDN service can be put back in service manually for an individual CIC, but the channel state cannot manually be put back in service unless the whole serial interface is bounced. This cannot be done when there is other traffic on the other B-channels.

CSCse34162

Symptoms: A Cisco router hangs after 5 to 10 minutes of passing traffic over a dialer interface.

Conditions: This symptom has been observed on a Cisco router running Cisco IOS Release 12.4(8) with PPP Multilink configured on a dialer interface and traffic is passing.

Workaround: There is no workaround. A reboot is required to recover.

CSCse55872

A router running Cisco IOS Release 12.3 or later may reload when a "default forwarding group <n>" command is entered.

Workaround: There is no workaround.

CSCse78652

Symptoms: The queuing mode on Multilink interfaces is erroneously defaulting to fair queuing instead of FIFO. This is causing distributed Cisco Express Forwarding (dCEF) to fail on Cisco 7500 routers.

Conditions: This symptom happens on all Multilink interfaces.

Workaround: There is no workaround.

CSCse79994

Symptoms: BRI Layer 2 remains in the ESTABLISH_AWAITING_TEI state instead of entering the MULTIPLE_FRAME_ESTABLISHED state.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS interim Release 12.4(9.19a).

Workaround: There is no workaround.

CSCse81069

Symptoms: Unconfiguring the isdn service b_channel command is not taking effect. The command is not removed from the running configuration.

Conditions: This symptom occurs when configuring the isdn service b_channel command to a state other than the default value of 0 on the ISDN D channel.

Workaround: To remove the command, shut down the T1/E1 controller first and then unconfigure the command under the D channel serial interface.

CSCse98867

Symptoms: A router may reload when a multilink bundle goes down while packets are flowing.

Conditions: This symptom is observed on a router that is configured for Multilink PPP (MLP) with hardware compression.

Workaround: There is no workaround.

CSCsf03251

Symptoms: Primary and backup NFAS interfaces may transition from WAIT to OOS even after receiving "in-service" message from the PSTN.

Conditions: This symptom is observed on a Cisco AS5400XM that is running several Cisco IOS Release 12.4 mainline and Release 12.4T.

Workaround: There is no workaround.

CSCsf28839

Symptoms: When you change the encapsulation from Frame Relay to another type, a spurious memory access and tracebacks are generated.

Conditions: This symptom is observed on a Cisco router that has the encapsulation frame-relay command enabled on a serial interface when you assign the serial interface to an MFR interface, which causes the Frame Relay encapsulation to be removed from the serial interface.

Workaround: There is no workaround.

CSCsg15642

Symptoms: A PSTN Gateway unexpectedly restarts due to a lack of memory. Over time, memory utilization increases, and the show processes memory sorted command indicates that the ISDN process is allocating an increased amount of memory.

Conditions: This leak occurs when a SETUP message with Display IE is received.

Workaround: There is no workaround.

Resolved Caveats—Cisco IOS Release 12.4(10c)

Cisco IOS Release 12.4(10c) is a rebuild release for Cisco IOS Release 12.4(10). The caveats in this section are resolved in Cisco IOS Release 12.4(10c) but may be open in previous Cisco IOS releases.

Basic System Services

CSCsg21398

Symptoms: The Cisco IOS software image may unexpectedly restart when a crafted "msg-auth-response-get-user" TACACS+ packet is received.

Conditions: This symptom is observed after the Cisco platform has sent an initial "recv-auth-start" TACACS+ packet.

Workaround: There is no workaround.

CSCsj44081

Cisco IOS software has been enhanced with the introduction of additional software checks to signal improper use of internal data structures. This enhancement was introduced in select Cisco IOS software releases published after April 5, 2007.

Details: With the new enhancement in place, Cisco IOS software will emit a "%DATACORRUPTION-1-DATAINCONSISTENCY" error message when it detects an inconsistency in its internal data structures. This is a new error message. The following is an example.

The %DATACORRUPTION-1-DATAINCONSISTENCY error message is preceded by a timestamp

May 17 10:01:27.815 UTC: %DATACORRUPTION-1-DATAINCONSISTENCY: copy error

The error message is then followed by a traceback.

It is important to note that this error message does not imply that packet data is being corrupted. It does, however, provide an early indicator of other conditions that can eventually lead to poor system performance or an IOS restart.

Recommended Action: Collect show tech-support command output and open a service request with the Technical Assistance Center (TAC) or designated support organization. Pay particular attention to any other error messages or error symptoms that accompany the "%DATACORRUPTION-1-DATAINCONSISTENCY" message and note those to your support contact.
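
The triage step in the Recommended Action above, as an added example (not Cisco code): a Python script that scans saved syslog text for the %DATACORRUPTION-1-DATAINCONSISTENCY message, attaches the traceback that follows it, and lists other error-level messages logged close to it. The timestamp layout is taken from the example line in this caveat; the 30-second window, the severity threshold, and every log line other than that example are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample log. Only the DATACORRUPTION line comes from the release
# note; the traceback addresses and the surrounding messages are made up.
SAMPLE_LOG = """\
May 17 10:01:20.102 UTC: %LINK-3-UPDOWN: Interface Serial0/0, changed state to down
May 17 10:01:27.815 UTC: %DATACORRUPTION-1-DATAINCONSISTENCY: copy error
-Traceback= 0x60000010 0x60000020 0x60000030
May 17 10:01:28.900 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down
May 17 10:01:29.440 UTC: %SYS-3-BADMAGIC: Corrupt block at 0x60000040
May 17 10:09:00.000 UTC: %SYS-2-MALLOCFAIL: Memory allocation failed
"""

# "<Mon> <day> <hh:mm:ss>[.ms] [TZ]: %FACILITY-SEVERITY-MNEMONIC: text"
MSG_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})(?:\.(?P<ms>\d{1,3}))?"
    r"(?:\s+[A-Z]{2,5})?:\s+"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)"
)
TRACEBACK_RE = re.compile(r"-Traceback=\s*(?P<addrs>(?:0x[0-9A-Fa-f]+\s*)+)")
TARGET = ("DATACORRUPTION", "DATAINCONSISTENCY")


@dataclass
class Event:
    when: datetime
    facility: str
    severity: int
    mnemonic: str
    text: str
    traceback: list = field(default_factory=list)


def parse_events(log_text, year=2000):
    """Turn raw log text into Event objects; the log carries no year, so one is assumed."""
    events = []
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if m:
            stamp = f"{year} " + " ".join(m["ts"].split())
            when = datetime.strptime(stamp, "%Y %b %d %H:%M:%S")
            millis = int((m["ms"] or "0").ljust(3, "0"))
            when = when.replace(microsecond=millis * 1000)
            text = m["text"].split("-Traceback=")[0].strip()
            events.append(Event(when, m["facility"], int(m["sev"]), m["mnemonic"], text))
        # A traceback can share the message line or follow on its own line.
        t = TRACEBACK_RE.search(line)
        if t and events:
            events[-1].traceback.extend(t["addrs"].split())
    return events


def find_data_inconsistencies(log_text, window_s=30, max_severity=3):
    """Return one finding per DATACORRUPTION message, with its traceback and
    the other messages of severity <= max_severity within window_s seconds."""
    events = parse_events(log_text)
    findings = []
    for ev in events:
        if (ev.facility, ev.mnemonic) != TARGET:
            continue
        accompanying = [
            f"%{o.facility}-{o.severity}-{o.mnemonic}"
            for o in events
            if (o.facility, o.mnemonic) != TARGET
            and o.severity <= max_severity
            and abs((o.when - ev.when).total_seconds()) <= window_s
        ]
        findings.append({
            "time": ev.when,
            "detail": ev.text,
            "traceback": ev.traceback,
            "accompanying": accompanying,
        })
    return findings


if __name__ == "__main__":
    for f in find_data_inconsistencies(SAMPLE_LOG):
        print(f["time"].strftime("%b %d %H:%M:%S.%f")[:-3], f["detail"])
        print("  traceback:   ", " ".join(f["traceback"]) or "(none captured)")
        print("  accompanying:", ", ".join(f["accompanying"]) or "(none)")
```

The findings give the items the caveat asks you to pass to your support contact alongside the show tech-support output.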

IP Routing Protocols

CSCec12299

Devices running Cisco IOS versions 12.0S, 12.2, 12.3 or 12.4 and configured for Multiprotocol Label Switching (MPLS) Virtual Private Networks (VPNs) or VPN Routing and Forwarding Lite (VRF Lite) and using Border Gateway Protocol (BGP) between Customer Edge (CE) and Provider Edge (PE) devices may permit information to propagate between VPNs.

Workarounds are available to help mitigate this vulnerability.

This issue is triggered by a logic error when processing extended communities on the PE device.

This issue cannot be deterministically exploited by an attacker.

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml.

CSCek47667

Symptoms: A router may not clear BGP routes when you enter the clear bgp ipv6 unicast * command.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.2SXF but is not release-specific.

Workaround: There is no workaround.

CSCsf20947

Symptoms: A default route that is defined by the neighbor default-originate command may be ignored by the BGP neighbor.

Conditions: This symptom is observed on a Cisco router after a route flap in the network causes the default route to be relearned.

Workaround: Manually clear the BGP neighbor to enable the router to correctly relearn the default route.

CSCsg00860

Symptoms: Enabling NAT outside on the public interface terminates the VPN connection as GREoverIPSEC. Inbound ACL applied on the public interface starts to drop decrypted GRE traffic.

Conditions: This symptom has been observed with the use of IP NAT outside on the public VPN interface.

Workaround: There are 2 workarounds:

1. Configure NAT translations for all traffic, to force NAT processing on the packet even if no address will actually be translated. Example:

ip nat inside source static 172.16.68.5 172.16.68.5

It is not a scalable workaround but may work for some deployments.

2. Configure an additional ACL entry in the inbound access-list to permit the incoming GRE traffic.

CSCsh02161

Symptoms: A Route Reflector (RR) does not withdraw a prefix that redistributes itself even if this prefix is removed from the BGP table.

Condition: This symptom is observed on a Cisco router that functions as an RR that advertises two of the same prefixes with different Route Distinguishers (RDs) when one of these prefixes redistributes itself and when the other prefix is a route that is learned from an RR client via iBGP.

Workaround: There is no workaround.

CSCsh80678

Symptoms: New or flapping IGP routes may be injected into BGP even though no corresponding network statements exist.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.3(22) or a later release when the auto-summary command is enabled for BGP.

Workaround: Enter the no auto-summary command.

CSCsh90153

Symptoms: Connectivity is lost through a router when traffic is processed twice by NAT.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.4(8a), that is configured for NAT and PBR, and that has a firewall feature enabled. Under certain conditions, traffic is processed twice by NAT when it does not need to be.

Workaround: Remove the firewall configuration from the router.

Further Problem Description: Syslogs and the output of the show ip nat translation command show that traffic that is processed twice by NAT does not traverse the router.

CSCsi62559

Symptoms: OSPF packets with IP Precedence 0 are classified by SPD as priority packets. This is an error because only IP Precedence 6 packets should be classified as priority packets by SPD.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.2(18) or a later release but may also affect other releases.

Workaround: Use ACLs to block invalid IP control packets from reaching the control plane.

CSCsi84089

Symptoms: A few seconds after OSPF adjacencies come up, a router crashes because of a bus error.

Conditions: This symptom is observed on a Cisco router that functions as an ISR that is configured for OSPF.

Workaround: Add area 0 in the OSPF VRF processes.

Alternate Workaround: Enter the no capability transit command in the OSPF VRF processes.

CSCsi97586

Symptoms: A Cisco MGX-RPM-XF-512 resets after deleting Multicast VPN routing from a VRF and then deleting that VRF.

Conditions: This symptom has been observed on a system running Cisco IOS Release 12.4(6)T5 configured for Multicast VPN routing while deleting an interface.

Workaround: There is no workaround.

Miscellaneous

CSCds25257

Symptoms: A gatekeeper rejects new registration requests from a Cisco Unified CallManager (CUCM) or other H.323 endpoints with Registration Rejection (RRJ) reason of duplicateAlias. Attempting to clear this stale registration fails and a "No such local endpoint is registered, clear failed." error message is generated.

Conditions: This symptom is observed in the following topology:

CUCM H.225 trunks register to a gatekeeper (GK) cluster. Gatekeeper 1 (GK1) and gatekeeper 2 (GK2) are members of the GK cluster. The CUCM registers first to GK1, then fails over to GK2. This registration at GK2 sends an alternate registration to GK1. However, because of network issues, the unregistered indication does not reach GK1.

When the H.225 trunk attempts to register with GK1, it is rejected because the alternate registration is still present, and there is no way to clear it.

10.9.20.3 34273 10.9.20.3 32853 SJC-LMPVA-GK-1 H323-GW A

ENDPOINT-ID: 450FC24400000000 VERSION: 5 AGE: 1618993 secs

SupportsAnnexE: FALSE

g_supp_prots: 0x00000050

H323-ID: SJC-LMPVA-Trunk_4

Workaround: Reset the gatekeeper by entering the shutdown command followed by the no shutdown command, or reboot the affected GK.

CSCek38201

Symptoms: A router may reload or display an alignment traceback when you enter the show crypto socket command.

Conditions: This symptom is observed on a Cisco router that has an OSPFv3 IPSecv6 configuration.

Workaround: There is no workaround. To prevent the symptom from occurring, do not enter the show crypto socket command in an OSPFv3 IPSecv6 configuration.

CSCek45344

Symptoms: A Cisco AS5400XM gateway crashes after 24 hour stress with E1-R2 calls.

Conditions: This symptom occurs in stress conditions after a period of 24 hours.

Workaround: There is no workaround.

CSCek64789

Symptoms: A router that is configured as a voice gateway may crash because of a bus error. Just before the crash occurs, messages of the following type may be generated:

%ALIGN-1-FATAL: Corrupted program counter

Conditions: This symptom is observed on a Cisco 2811 that is configured as a Cisco Multiservice IP-to-IP Gateway (IPIPGW). However, the symptom is not platform-dependent.

Workaround: There is no workaround.

CSCsd28214

Symptoms: A Cisco router may crash because of a watch dog timeout while running the RIP routing protocol.

Conditions: This symptom is observed on a router that runs Cisco IOS Release 12.3(19) when an interface changes state at the exact same time that a RIP route that was learned on this interface is being replaced with a better metric redistributed route. For example, when RIP has learned the 192.168.1.0 network from Fast Ethernet 1/0 interface and then RIP learns the 192.168.1.0 network from a redistributed protocol that has a better metric, the RIP route is removed. However, when during this time the Fast Ethernet 1/0 interface goes down, the router may crash because of a watch dog timeout. Note that the symptom may also affect other releases.

Workaround: There is no workaround.

CSCsd81407

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsd95616

Two crafted Protocol Independent Multicast (PIM) packet vulnerabilities exist in Cisco IOS software that may lead to a denial of service (DoS) condition. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml.

CSCse56501

A device running Cisco IOS software that has Internet Protocol version 6 (IPv6) enabled may be subject to a denial of service (DoS) attack. For the device to be affected by this vulnerability, the device also has to have certain Internet Protocol version 4 (IPv4) User Datagram Protocol (UDP) services enabled. To exploit this vulnerability, an offending IPv6 packet must be targeted to the device. Packets that are routed through the router cannot trigger this vulnerability. Successful exploitation will prevent the interface from receiving any additional traffic. The only exception is Resource Reservation Protocol (RSVP) service, which, if exploited, will cause the device to crash. Only the interface on which the vulnerability was exploited will be affected.

Cisco is providing fixed software to address this issue. There are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080326-IPv4IPv6.shtml.

CSCse91102

Symptoms: A Cisco IAD 2430 crashes on Cisco IOS Release 12.4(4)T2. Traceback decodes indicate memory corruption. The following events may also appear in the log:

%SYS-3-BADMAGIC: Corrupt block at

%SYS-6-MTRACE: mallocfree: addr, pc

%SYS-6-BLKINFO: Corrupted magic value in in-use block

%SYS-6-MEMDUMP:

Conditions: The router crashes where the decodes indicate check heaps as the source with any or all of the following also included in decode:

crashdump

validblock

validate_memory

checkheaps

checkheaps_process

Workaround: There is no workaround.

CSCsg08395

Symptoms: When one of the controllers of a VWIC-2MFT-E1 Voice/WAN interface card that is connected back-to-back to another router is shut down, ISDN L2 may go down on the second E1 controller of the VWIC-2MFT-E1.

Conditions: This symptom is observed on a Cisco 3725 that runs Cisco IOS interim Release 12.4(11.1).

Workaround: There is no workaround.

CSCsg40567

Symptoms: Malformed SSL packets may cause a router to leak multiple memory blocks.

Conditions: This symptom is observed on a Cisco router that has the ip http secure server command enabled.

Workaround: Disable the ip http secure server command.

CSCsg59326

Symptoms: When an ATM (that is, a cash machine, not a WAN platform) is connected to a switch service module, significant packet loss may occur.

Conditions: This symptom is observed on a Cisco 2800 series router.

Workaround: Change the Ethernet speed to 10 Mbps at both ends.

CSCsg70474

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsg96319

Symptoms: When a reverse SSH session is established with valid authentication credentials, anyone can obtain unprivileged Telnet access to a system without being authenticated. This situation affects only reverse SSH sessions when a connection is made with the ssh -l userid :number ip-address command.

Conditions: This symptom is observed only when the Reverse SSH Enhancement is configured. This enhancement is documented at the following URL:

http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_rev_ssh_enhanmt_ps6441_TSD_Products_Configuration_Guide_Chapter.html

Workaround: Configure reverse SSH by entering the ip ssh port portnum rotary group command. This configuration is explained at the following URL:

http://www.cisco.com/en/US/tech/tk583/tk617/technologies_q_and_a_item09186a0080267e0f.shtml#newq1

CSCsg99814

Symptoms: On a router that functions in a GRE over IPSec or Virtual Tunnel Interface (VTI) configuration, an access control list (ACL) may be bypassed when there is an ACL on the tunnel interface.

Conditions: This symptom is observed when the ACL on the tunnel interface is configured on the outbound physical interface on which the IPSec tunnel is terminated.

Workaround: Apply the outbound ACL on the protected LAN interface instead of on the tunnel interface.

CSCsh33430

Symptoms: A traceback may occur in an HSRP function and the platform may reload unexpectedly.

Conditions: This symptom is observed on a Cisco platform that has the HSRP Support for ICMP Redirects feature enabled and occurs when a learned HSRP group is removed after a resign message has been received.

Workaround: Disable the Support for ICMP Redirects feature by entering the no standby redirects global configuration command.

CSCsh39318

Symptoms: A router may crash when the configured route limit is exceeded. When this situation occurs, the following error message is generated:

%MROUTE-4-ROUTELIMIT (x1): [int] routes exceeded multicast route-limit of [dec] - VRF [chars]

Conditions: This symptom is observed on a Cisco 10000 series that is configured for Multicast VPN but is platform-independent.

Workaround: There is no workaround.

CSCsh58082

Cisco devices running an affected version of Internetwork Operating System (IOS) which supports Session Initiation Protocol (SIP) are affected by a vulnerability that may lead to a reload of the device when receiving a specific series of packets destined to port 5060. This issue is compounded by a related bug which allows traffic to TCP 5060 and UDP port 5060 on devices not configured for SIP.

There are no known instances of intentional exploitation of this issue. However, Cisco has observed data streams that appear to be unintentionally triggering the vulnerability.

Workarounds exist to mitigate the effects of this problem on devices which do not require SIP.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070131-sip.shtml.

CSCsh75827

Symptoms: When a router that has the ssg intercept dhcp command enabled receives a DHCP packet from a host that has already logged out from a Subscriber Edge Services Manager (SESM), the router may unexpectedly reload because of a bus error.

Conditions: This symptom is observed on a Cisco router that functions as an SSG with PBHK enabled, when a host has received an IP address that is associated with a service (via the "J" Service-Info attribute), has logged out from the SESM, and then renews its IP address.

Workaround: There is no workaround.

CSCsh92914

Symptoms: A router may unexpectedly reload when you attempt to open a reversed SSH connection by using the SSHv1 protocol.

Conditions: This condition is observed on a Cisco router that runs Cisco IOS Release 12.4.

Workaround: Force the SSH transport to be SSHv2 by entering the ip ssh version 2 global configuration command.
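
The workarounds for CSCsg99814, CSCsh33430 and CSCsh92914 above can be checked against a saved running-config. The following Python script is an added example, not part of the Cisco release notes; the sample configurations are constructed. It assumes that HSRP ICMP redirect support is active whenever a standby group is configured and that the SSH server is enabled.

```python
import re

# Constructed sample running-config for illustration (not from the release notes).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
ip ssh time-out 60
!
interface Tunnel0
 ip address 192.0.2.1 255.255.255.252
 ip access-group 110 out
 tunnel source FastEthernet0/0
 tunnel destination 198.51.100.2
 tunnel protection ipsec profile VTI-PROF
!
interface FastEthernet0/0
 ip address 203.0.113.10 255.255.255.0
!
interface FastEthernet0/1
 ip address 10.10.0.2 255.255.255.0
 standby 1 ip 10.10.0.1
 standby 1 priority 110
!
line vty 0 4
 transport input ssh
!
end
"""

# Same configuration with the three workarounds applied (also constructed).
HARDENED_CONFIG = (
    SAMPLE_CONFIG
    .replace(" ip access-group 110 out\n", "")
    .replace(" standby 1 priority 110\n",
             " standby 1 priority 110\n ip access-group 110 out\n")
    .replace("ip ssh time-out 60\n",
             "ip ssh time-out 60\nip ssh version 2\nno standby redirects\n")
)


def parse_config(text):
    """Return (global_lines, blocks); blocks maps a top-level line to its indented children."""
    global_lines, blocks, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.strip() == "!":
            continue  # separators and empty lines carry no configuration
        if line[0].isspace():
            if current is not None:
                blocks[current].append(line.strip())
            continue
        current = line
        global_lines.append(line)
        blocks.setdefault(line, [])
    return global_lines, blocks


def audit(text):
    """Return a sorted list of (caveat_id, location, message) findings."""
    global_lines, blocks = parse_config(text)
    findings = []

    # CSCsg99814: an outbound ACL on a tunnel interface may be bypassed.
    for header, children in blocks.items():
        tunnel = re.match(r"interface\s+(Tunnel\S+)", header)
        if not tunnel:
            continue
        for child in children:
            acl = re.match(r"ip access-group\s+(\S+)\s+out$", child)
            if acl:
                findings.append(("CSCsg99814", tunnel.group(1),
                                 f"outbound ACL {acl.group(1)} on tunnel interface; "
                                 "apply it on the protected LAN interface instead"))

    # CSCsh33430: HSRP group present while ICMP redirect support is not disabled.
    # Assumption: redirect support is on unless 'no standby redirects' is set globally.
    if "no standby redirects" not in global_lines:
        for header, children in blocks.items():
            intf = re.match(r"interface\s+(\S+)", header)
            if intf and any(re.match(r"standby\s+(\d+\s+)?ip\b", c) for c in children):
                findings.append(("CSCsh33430", intf.group(1),
                                 "HSRP configured without 'no standby redirects'"))

    # CSCsh92914: SSHv1 is still accepted unless version 2 is forced.
    # Assumption: the SSH server is enabled (the config text alone cannot confirm a key exists).
    if "ip ssh version 2" not in global_lines:
        findings.append(("CSCsh92914", "global",
                         "'ip ssh version 2' missing; SSHv1 connections are accepted"))

    return sorted(findings)


if __name__ == "__main__":
    for caveat, where, msg in audit(SAMPLE_CONFIG):
        print(f"{caveat} [{where}] {msg}")
    print("hardened findings:", audit(HARDENED_CONFIG))
```
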

CSCsh94526

Symptoms: When an acct-stop message is received for a non-RADIUS proxy user (that is, a normal IP user), a router that is configured for SSG crashes.

Conditions: This symptom is observed when SSG is configured for RADIUS proxy mode and when the ssg wlan reconnect command is enabled.

Workaround: There is no workaround.

CSCsh97579

Cisco devices running affected versions of Cisco IOS Software are vulnerable to a denial of service (DoS) attack if configured for IP tunnels and Cisco Express Forwarding.

Cisco has released free software updates that address this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-tunnels.shtml.

CSCsi01470

A vulnerability in the Cisco implementation of Multicast Virtual Private Network (MVPN) is subject to exploitation that can allow a malicious user to create extra multicast states on the core routers or receive multicast traffic from other Multiprotocol Label Switching (MPLS) based Virtual Private Networks (VPN) by sending specially crafted messages.

Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080326-mvpn.shtml.

CSCsi27540

Symptoms: A VSI session may become stuck in the "RESYNC_UNDERWAY" state, preventing LVC connections from being set up. This situation is not cleared automatically, and error messages are not flushed, as is shown in the output of the show controller vsi session command.

Conditions: This symptom is observed on a Cisco router that functions as a Label Switch Controller (LSC).

Workaround: There is no workaround.

CSCsi60004

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsi67763

The U.S. Computer Emergency Response Team (US-CERT) has reported a network evasion technique using full-width and half-width unicode characters that affects several Cisco products. The US-CERT advisory is available at the following link:

http://www.kb.cert.org/vuls/id/739224

By encoding attacks using a full-width or half-width unicode character set, an attacker can exploit this vulnerability to evade detection by an Intrusion Prevention System (IPS) or firewall. This may allow the attacker to covertly scan and attack systems normally protected by an IPS or firewall.

Cisco response is posted at the following link:

http://www.cisco.com/warp/public/707/cisco-sr-20070514-unicode.shtml

CSCsi84017

Symptoms: When you reload a Cisco 2600 series, the router may hang.

Conditions: This symptom is observed on a Cisco 2600 series when you attempt to run the c2600-entservices-mz image of Cisco IOS Release 12.4(9)T4. The symptom may also occur in other releases.

Workaround: There is no workaround.

Wide-Area Networking

CSCek60025

Symptoms: A ping may be dropped in a PPP callback scenario.

Conditions: This symptom is observed on a Cisco router when Multilink PPP (MLP) and the dialer load-threshold command are enabled.

Workaround: There is no workaround.

CSCsc39890

Symptoms: A router that is running Cisco IOS may reload unexpectedly.

Conditions: For this symptom to occur, the router must be configured for ISDN. One possible trigger is when using SNMP to poll information about calls while the calls are in the process of completing.

Workaround: There is no workaround.

CSCsf30493

Symptoms: When a T.37 onramp call is made, the following error message may be generated:

%CSM-3-NO_VDEV: No modems associated

Conditions: This symptom is observed on a Cisco AS5850 that runs Cisco IOS interim Release 12.4(10.7). The symptom may not be platform-specific.

Workaround: There is no workaround.

CSCsh06841

Symptoms: A router may crash while establishing a PPP session.

Conditions: This symptom is observed when the ppp reliable-link interface configuration command is enabled on an interface that is bound to a dialer profile.

Workaround: Disable the ppp reliable-link interface configuration command, save the configuration, and reload the router. Disabling the command without reloading the router is not sufficient.

CSCsh82513

Symptoms: The output of the show isdn active command may show disconnected calls.

Conditions: This symptom is observed on a Cisco router when analog modem calls are made after a normal ISDN digital call has been made.

Workaround: There is no workaround.

CSCsi21853

Symptoms: When you attempt to change the ISDN T306 timers, the changes are not accepted.

Conditions: This symptom is observed on a Cisco platform that runs Cisco IOS Release 12.4. The symptom may also affect Release 12.4T.

Workaround: There is no workaround.

Further Problem Description: The ISDN T306 configuration updates the values of the ISDN T307 timers.

CSCsi74960

Symptoms: A router crashes while sending large control packets between the client and the L2TP Network Server (LNS) in an L2TP callback scenario.

Conditions: This symptom happens with a Cisco 7200 router that is running Cisco IOS interim Release 12.4(13.13)T1.

Workaround: There is no workaround.

CSCsj10593

Symptoms: A terminating gateway (TGW) that is configured for Cisco ISDN Interconnect for Voice Gateways Solution may crash.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS interim Release 12.4(15.6) and that functions as a TGW with all PRI switch types from the user to the network side. The symptom occurs when the isdn test call interface interface-number dialing-string command is entered at the platform on which the call is initiated, when the originating gateway (OGW) is configured for the National ISDN (primary-ni) switch type, and when the TGW is configured for the NT DMS-100 (primary-dms100) switch type. The symptom may also affect Release 12.4T.

Workaround: There is no workaround.

Resolved Caveats—Cisco IOS Release 12.4(10b)

Cisco IOS Release 12.4(10b) is a rebuild release for Cisco IOS Release 12.4(10). The caveats in this section are resolved in Cisco IOS Release 12.4(10b) but may be open in previous Cisco IOS releases.

Basic System Services

CSCsf32390

Symptoms: When tuning particle clone, F/S, and header pools after these were made configurable via CSCuk47328, the commands may be lost on a reload.

Conditions: This symptom is observed when the device is reloaded: the commands are not parsed during the reload, so the default values become active. This may result in traffic loss if the increased buffers were needed to enable greater forwarding performance for the specific network design.

Workaround: Configure an applet to enter the buffer values again after a reload. A sample applet would be:

event manager applet add-buffer
 event syslog occurs 1 pattern ".*%SYS-5-RESTART: System restarted --.*"
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "buffers particle-clone 16384"
 action 4.0 cli command "buffers header 4096"
 action 5.0 cli command "buffers fastswitching 8192"
 action 6.0 syslog msg "Reinstated buffers command"

CSCsg03830

Symptoms: The tacacs-server directed-request command appears in the running configuration when it should be disabled. When you disable the command by entering no tacacs-server directed-request and reload the router, the command appears to be enabled once more.

Conditions: This symptom is observed on a Cisco router that runs a Cisco IOS software image that integrates the fix for CSCsa45148, which disables the tacacs-server directed-request command by default.

A list of the affected releases can be found at http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsa45148. Cisco IOS software releases that are not listed in the "First Fixed-in Version" field at this location are not affected.

Temporary Workaround: Each time after you have reloaded the router, disable the command by entering no tacacs-server directed-request.

CSCsg48183

Symptoms: A router may unexpectedly send an ARP request from all its active interfaces to the nexthop of the network of an SNMP server.

Conditions: This symptom is observed on a Cisco router that has the snmp-server host command enabled after any of the following actions occur:

You reload the router.

A switchover of the active RP occurs.

You enter the redundancy force-switchover main-cpu command.

Workaround: There is no workaround.

CSCsg48725

Symptoms: A TLB exception may occur on a Cisco platform that functions as a PE router in an MPLS environment, and the following error message may be generated:

TLB (load or instruction fetch) exception, CPU signal 10 (BadVaddr : DEADBEF3)

Conditions: This symptom is observed on a Cisco platform when TACACS accounting and authorization is enabled and when the TACACS server is reachable through the global routing table.

Workaround: Disable AAA. If this is not an option, there is no workaround.

Interfaces and Bridging

CSCsg64182

Symptoms: VIP may crash due to a bus error.

Conditions: This symptom occurs when a dot1q subinterface on the VIP is configured with a service policy.

Workaround: Remove the service policy.

IP Routing Protocols

CSCsf27220

Symptoms: A Cisco 7500 series router with any ATM Port Adapter may crash.

Conditions: This symptom is observed when a router is configured with the Next Hop Resolution Protocol (NHRP) feature. When sending traffic, the router will crash.

Workaround: There is no workaround.

Miscellaneous

CSCed57504

Symptoms: A router reloads when a session using virtual-template configuration and terminated on this router is being cleared from the DSL CPE router that is the peer router for the connection.

Conditions: This symptom occurs when a session using virtual-template configuration and terminated on this router is being cleared from the DSL CPE router that is the peer router for the connection.

Workaround: There is no workaround.

CSCei39688

Symptoms: When a CEF initialization failure occurs, an ATM PVC that is configured for OAM may not pass traffic even though the PVC link status is up:

Router#show ip interface brief | include ATM
ATM3/0/0        unassigned   YES manual up   up
ATM3/0/0.100    unassigned   YES unset  up   up
ATM3/0/0.300    10.1.1.1     YES manual up   up
ATM3/0/0.999    unassigned   YES unset  up   up

Router#show cef interface brief | include ATM
ATM3/0/0        unassigned   up     dCEF
ATM3/0/0.100    unassigned   down   dCEF
ATM3/0/0.300    10.1.1.1     down   dCEF
ATM3/0/0.999    unassigned   down   dCEF

Router#show ip cef | include 10.1.1.
10.1.1.0/30     attached     ATM3/0/0.300

When CEF fails to initialize the ATM PVC, atm3/0/0.300, no /32 receive entries are created. Traffic that is destined for the IP address of the subinterface is dropped.

Conditions: This symptom is observed on a Cisco router and occurs only when OAM is configured on the PVC.

Workaround: To prevent the symptom from occurring, do not configure OAM on the PVC. When the symptom has occurred, enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the affected ATM subinterface. After the workaround has been applied, the output of the show ip cef command shows the following:

Router#show ip cef | include 10.1.1.
10.1.1.0/30     attached     ATM3/0/0.300
10.1.1.0/32     receive
10.1.1.1/32     receive
10.1.1.3/32     receive

CSCek48251

Symptoms: When you enter the redundancy switch-activity force command on the active eRSC of a Cisco AS5850 while incoming VoIP H.323 calls and outgoing CAS calls are being processed, the standby eRSC does become the active eRSC and processes the calls but soon afterwards may crash at "csm_enter_idle_state."

Conditions: This symptom is observed on a Cisco AS5850 that runs Cisco IOS Release 12.4(9)T and that functions in RPR+ mode. The symptom may also affect Release 12.4.

Workaround: There is no workaround.

Further Problem Description: The symptom does not occur when PRI calls are being processed.

CSCek55486

Symptoms: The native Gigabit Ethernet (GE) interface on an NPE-G1 card may reset unexpectedly.

Conditions: This symptom is observed on a Cisco 7200 series when the underrun counter for the native GE interface increments continuously. You can verify the underrun counter in the output of the show interfaces gigabitethernet slot/port command.

Workaround: There is no workaround.

CSCek55511

Symptoms: A Cisco AS5400HPX that is running Cisco IOS Release 12.3(11)T7 may crash with IO Memory corruption.

Conditions: The crash may occur when polling for ccrpCPVGEntry, and resource pooling is enabled on the Gateway.

Workaround: Disable SNMP polling for ccrpCPVGEntry.

CSCek57655

Symptoms: A modem autoconfiguration fails.

Conditions: This symptom is observed in an asynchronous call.

Workaround: There is no workaround.

CSCsd50476

Symptoms: A serial link goes down.

Conditions: This symptom occurs when a T1/E1 controller that is configured with channel-group causes the serial link to go down. The CEM interface will not come up.

Workaround: There is no workaround.

CSCse18355

Symptoms: A Cisco AS5850-ERSC gateway reboots continuously with the message:

Bundled Rommon and FPGA versions are different from

the current system version. Updating the system.

This might take a while

System reload is required before upgrade can be done.

Rebooting the system ..

!

Conditions: This symptom has been observed when a Cisco AS5850-ERSC gateway is running Cisco IOS interim Release 12.4(7.24)T.COMP.

Workaround: Boot to ROM monitor mode and enter the following commands:

SKIP_UPGRADE=1

sync

This step skips the upgrade process. To revert back, enter the following commands:

unset SKIP_UPGRADE

sync

CSCse46964

Symptoms: Periodic high CPU utilization occurs on CMM modules, which can cause performance issues such as poor voice quality, missed control and registration MGCP messages, and slow response to the command-line interface. The show process cpu history command displays spikes of 100% utilization on the gateway even during hours of low activity. "%ALIGN-3-CORRECT: Alignment correction made at 0x601504F4 reading 0x2225F84A" error messages are recorded when the CMM gateway is rebooted; they can be seen in the output of the show log command if logging buffered is enabled on the gateway. When this problem occurs, the output of the show alignment command displays a high and increasing count value for the same address.

Conditions: This symptom occurs when the CMM module is using Cisco IOS Release 12.4(8) or later releases, and the Catalyst 6000 supervisor module is a SUP720 that is running Native IOS.

Workaround: There is no workaround.

CSCse50887

Symptoms: MGCP IOS Gateway sees the following:

%PARSER-4-BADCFG: Unexpected end of configuration file.

and then:

config term router(UNKNOWN-MODE)

Or, the show running-config command output is only 5 bytes.

Conditions: This symptom occurs under the following conditions:

Use MGCP with the ccm-manager config command

Have more than 20 MGCP end points (voice ports)

Run Cisco IOS 12.3(11)T or later releases

Reset device pool from Cisco CallManager

Workaround: Add the no ccm-manager config command.

CSCse69335

Symptoms: Media Gateway Control Protocol (MGCP) FXS/FXO port and Cisco IOS T1CAS resets during Hookflash transfer with CCM being the call agent.

Conditions: This condition is seen when two consecutive RQNT messages with an S: rel event are received at the Cisco IOS gateway. In this condition, the second RQNT message is not acknowledged by the Cisco IOS gateway. This results in a reset of all the MGCP endpoints on the Cisco IOS gateway.

Workaround: There is no workaround.

CSCse89373

Symptoms: A second PRI link gets deactivated, with no ability to process incoming and outgoing calls, when the second one is remotely, physically, manually (CLI command) deactivated.

Conditions: This symptom occurs when the first PRI is type primary-net5, and the second PRI is type primary-qsig. Deactivate the second PRI remotely or locally by physically disconnecting the cable or issuing the shutdown command under the corresponding E1 controller.

Workaround: There is no workaround.

CSCsf03412

Symptoms: The boot flash command or the boot TFTP crashes a router.

Conditions: This symptom is observed on a Cisco 3845 router that is running Cisco IOS Interim Release 12.4(7.24)T.

Workaround 1: Use the boot flash: image name instead of boot flash: imagename command.

Workaround 2: Use Cisco IOS Release 12.3(11)T.

Workaround 3: Copy the image to flash and use the boot flash: imagename command, if the boot TFTP is the problem.

CSCsf31178

Symptoms: HWIC-1GE-SFP may experience an issue where the Gig Ethernet interface is "stuck" in a Line UP/Protocol Down state. While in this state, the interface will not pass traffic. Clearing the interface or manually disabling/enabling will clear the condition. This symptom does not occur when 1000BASE-T SFP is used.

Conditions: A Loss of Signal (for example, unplugging the cable) may cause the interface to become stuck in a Line UP/Protocol Down state.

Workaround: Clearing the interface or manually shutting it down, then bringing it back up will clear the problem.

CSCsf95938

Symptoms: There is a leak in middle buffers after all Onboard DSPRM Pools are depleted.

Conditions: This symptom is observed on a Cisco 3800 series router that is running Cisco IOS Release 12.4(7b) with support for CVP survivability.

Workaround: There is no workaround.

CSCsf98345

Symptoms: An MPLS LDP peer on a default VRF resets when a VRF interface goes down.

Conditions: This symptom is observed on a Cisco router when the VRF interface is configured with a subnetwork address that overlaps with the default router ID.

Workaround: Reconfigure the VRF interface address so it does not overlap with the default router ID.

CSCsg05350

Symptoms: A Cisco AS5850 crashes due to a chunk memory leak. See the following:

Sep 9 13:07:04.428: %DSMP-3-INTERNAL: Internal Error : NO MEMORY -Traceback= 0x601C66D4 0x61596938 0x61579DB0 0x61279508 0x6127C34C 0x6127DB50 0x6127F6BC
Sep 9 13:07:04.468: %DSMP-3-INTERNAL: Internal Error : NO MEMORY -Traceback= 0x601C66D4 0x61596938 0x61579DB0 0x61279508 0x6127C34C 0x6127DB50 0x6127F6BC
Sep 9 13:07:04.744: %MARVEL_HM-3-HM_RULES_RELOAD: Health Monitor causing a reload due to Fragmented processor_memory, Free processor_memory = 10402472 bytes, Largest processor_memory block = 522632 bytes

Conditions: This symptom occurs when there is a chunk memory leak.

Workaround: There is no workaround.

CSCsg07907

Symptoms: A Cisco 3845 router unexpectedly reloads with a bus error, as seen in the output of the show version command, when the DSP mini logger is enabled (voice dsp slot command history enable).

Conditions: This symptom is observed on a Cisco 3845 router that is running Cisco IOS Release 12.4 with conferencing enabled on the DSP slot that minilogger is being turned on for.

Workaround: Disable conferencing on that slot, if possible.

CSCsg08491

Symptoms: A system may crash due to processor memory corruption.

Conditions: This symptom may occur upon the application of a crypto map to an interface.

Workaround: There is no known workaround.

CSCsg09208

Symptoms: A router that is running Cisco IOS may reload unexpectedly when applying an IPS policy to an interface.

Conditions: This symptom is seen with version 6 SDF files on Cisco IOS Release 12.4(10) and later releases.

Workaround: There is no workaround.

CSCsg11718

Symptoms: A VRF may become stuck in the "Delete Pending" state.

Conditions: This symptom is observed on a Cisco router that is configured for MPLS VPN and Half-Duplex VRF (HDVRF) when you delete the VRF and then associate it with an interface before it is completely deleted.

Workaround: To ensure that the VRF is properly deleted, enter the shutdown interface configuration command on the interface with which the VRF is associated or remove the interface with which the VRF is associated.

CSCsg12813

Symptoms: A Cisco AS5400 gateway may change its RTP sequence numbers after receiving an MDCX command. The RTP stream SSRC is always the same, but the sequence number seems to be randomly initiated again.

Conditions: This symptom occurs when MGCP receives a modification request from PGW for echo cancellation three seconds after the call is established.

Workaround: There is no workaround.

CSCsg15598

The Intrusion Prevention System (IPS) feature set of Cisco IOS contains several vulnerabilities. These include:

Fragmented IP packets may be used to evade signature inspection.

IPS signatures utilizing the regular expression feature of the ATOMIC.TCP signature engine may cause a router to crash resulting in a denial of service.

There are mitigations and workarounds for these vulnerabilities. Cisco has made free software available to address these vulnerabilities for affected customers.

This advisory is posted at:

http://www.cisco.com/warp/public/707/cisco-sa-20070213-iosips.shtml.

CSCsg16908

Multiple vulnerabilities exist in the Cisco IOS File Transfer Protocol (FTP) Server feature. These vulnerabilities include Denial of Service, improper verification of user credentials and the ability to read or write any file in the device's filesystem, including the device's saved configuration, which may include passwords or other sensitive information.

The Cisco IOS FTP Server is an optional service that is disabled by default. Devices that are not specifically configured to enable the Cisco IOS FTP Server service are unaffected by these vulnerabilities.

This vulnerability does not apply to the Cisco IOS FTP Client feature.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070509-iosftp.shtml.

CSCsg18933

Symptoms: A RIP route is learned from a RIP neighbor via a dialer interface (or other virtual interface type). When the neighbor disconnects and the interface goes down, the RIP route is removed from the RIP database. However, the RIP route remains in the routing table.

Conditions:

RIP is configured with the no validate-update-source command.

RIP routes are learned via a virtual interface.

The virtual interface is using a negotiated address.

The problem is platform-independent.

Workaround: Use the clear ip route command to remove the affected routes from the routing table.

CSCsg28628

Symptoms: NAS pkg asynchronous calls fail after a redundancy switchover has occurred, and the following error message is generated:

Modems unavailable

Conditions: This symptom is observed on a Cisco AS5850 that functions in RPR+ mode. This situation may impact service.

Workaround: There is no workaround to prevent the symptom from occurring. When the symptom has occurred, enter the redundancy switchover command a couple of times to restore the Cisco AS5850 to normal operation.

CSCsg58832

Symptoms: Inconsistent lease times are seen on a router that is acting as DHCP relay agent. Lease expiration times may be reduced from the value specified by the server to as little as five minutes. The binding will then be deleted after the new lease time has expired.

Conditions: This issue has been observed on a router that is running Cisco IOS Release 12.4T that is configured as DHCP relay agent. The ip dhcp smart-relay command must be configured for this issue to exist.

Workaround 1: Remove the ip dhcp smart-relay command from configuration.

Workaround 2: Renew the IP address on DHCP client.

CSCsg69205

Symptoms: On a Cisco PE router, "ip flow egress" configured on the PE-CE link does not capture traffic streams destined for the CE router.

Conditions: This symptom occurs when the MPLS interface is a multilink interface.

Workaround: Configure "mpls netflow egress" on the interface towards the CE. Afterwards, this command can be removed, and the traffic is still captured by netflow.

CSCsg76715

Symptoms: A device crashes while removing an ACE, which was *inserted* in the middle of the ACL rather than added at the end of the list.

Conditions: This symptom occurs under the following conditions:

1. The *inserted* ACE has a dest prefix length of 0, i.e., an *any* statement in place of the dest addr, and

2. The ACL already has an ACE with the same src prefix length and a dest prefix length greater than 0 (i.e., other than an any statement), and the *inserted* ACE has a lower seq no than this ACE, and

3. The ACE with dest prefix length greater than 0 is deleted before the inserted ACE is deleted.

Workaround: Delete the inserted ACE first (the ACE with dest addr as any) and then delete the ACE with dest prefix length greater than 0, or delete the complete ACL.

CSCsg96462

Symptoms: There is a memory leak in the SNASwitch process.

Conditions: SNASwitch fails to free memory associated with maintaining the RTP history information when RTP pipes terminate under some conditions.

Workaround: There is no workaround.

Further Problem Description: The following messages may be seen when processor memory has been exhausted:

%SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed from 0x6016CEA0, alignment 0

Pool: Processor Free: 1628716 Cause: Memory fragmentation

Alternate Pool: None Free: 0 Cause: No Alternate pool

-Process= "SNA Switch", ipl= 0, pid= 64

To check whether memory is leaking, enter the following commands (note the exact upper/lower case used):

show snasw rtp

show memory summary | i GraphIt | Bytes

The first command will display all the RTP pipes. The second command will display a summary of all the memory with a "GraphIt" identifier. There should be approximately two blocks with the "GraphIt Client" identifier for each non-RSETUP RTP pipe.

If there are significantly more than two "GraphIt Client" blocks per RTP pipe, then SNASwitch is leaking memory.

Wide-Area Networking

CSCek56250

Symptoms: A router may reload while executing the show ppp multilink command.

Conditions: This symptom is observed when a multilink bundle goes down while the output is being generated.

Workaround: There is no workaround.

CSCek59078

Symptoms: An L2TPv3 session is established when voluntary tunneling is configured and both peers have corresponding configurations. However, after configuring the pseudowire on UUT virtual-PPP interface, sessions on UUT and peer are UP, but "virtual-PPP1 is up, line protocol is down."

Conditions: For this symptom to occur, the virtual-ppp interface was previously deleted using the no interface virtual-ppp n command, and then reinstated using the interface virtual-ppp n command.

Workaround: Be certain that the virtual-PPP interface has never been unconfigured using the no interface virtual-ppp n configuration command since the router was booted.

CSCek62099

Symptoms: When PPP Multilink is enabled over a PPP over Ethernet (PPPoE) session, outbound packets are incorrectly sent without PPPoE headers. This causes them to be dropped.

Conditions: This symptom is observed in Cisco IOS version 12.4 on all software-forwarding router platforms. It only affects packets which are not multilink encapsulated (due to the bundle only having a single link).

Workaround: Either disable multilink PPP, or use the ppp multilink fragment delay interface command to force multilink headers to be applied to all outbound packets.

CSCir00712

Symptoms: When a LAC receives fragmented data traffic over an L2TP tunnel, the IP layer reassembles the packets and routes them over the wrong interface instead of processing them locally.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.3(14)T when fragmented L2TP data traffic is received on the LAC from the LNS over the L2TP tunnel. The symptom is release-independent.

Workaround: There is no workaround.

CSCsb24255

Symptoms: A router may generate the following error message and a MALLOC failure may occur:

flex_dsprm_voice_connect: voice tdm connect failed

Conditions: This symptom is observed on a Cisco router that processes a large number of calls with a short call duration via an E1 PRI.

Workaround: There is no workaround.

CSCsf96318

Symptoms: QSIG (ISO) call back (ring back) fails between a Cisco 3745 router and a Cisco 1760 router.

Conditions: The call back fails.

Workaround: There is no workaround.

CSCsg15642

Symptoms: A PSTN Gateway unexpectedly restarts due to a lack of memory. Over time, memory utilization increases, and the show processes memory sorted command indicates that the ISDN process is allocating an increased amount of memory.

Conditions: This leak occurs when a SETUP message with Display IE is received.

Workaround: There is no workaround.

CSCsg38412

Symptoms: When a Multilink PPP (MLP) session is established over an ISDN link, IPCP fails to negotiate. When the debug ppp negotiation command is enabled, you can see that IPCP packets from the peer are not processed. The output of the show interface command for the ISDN D-channel interface shows that the input queue limit is 0.

Conditions: This symptom is observed when the ISDN BRI or PRI interface is not configured as part of a dialer rotary group or dialer pool and when RADIUS is used to assign the multilink bundle to a VRF.

Workaround: Enter the dialer rotary-group command to assign the ISDN interface to a dialer.

CSCsg40885

Symptoms: A router crashes during Online Insertion and Removal (OIR) on MLP-PPP on a Cisco 7200 platform.

Conditions: This symptom is observed on a Cisco 7200 router that is configured for MLP-PPP.

Workaround: Shut the multilink interface before doing an OIR.

CSCsg50202

Symptoms: When a BRI interface flaps rapidly, ISDN Layer 1 detects link down, but Layers 2 and 3 keep active state during the transition. This may cause the BRI interface to get stuck, where subsequent incoming/outgoing call is rejected.

Conditions: The symptom may be observed when the cable is pulled out and put back rapidly.

Workaround: Issue the clear interface command or the shutdown command followed by the no shutdown command on the affected BRI interface.

CSCsg56148

Symptoms: Inbound GSM V.110 calls fail to train at a speed of 14400.

Workaround: There is no workaround.

Resolved Caveats—Cisco IOS Release 12.4(10a)

Cisco IOS Release 12.4(10a) is a rebuild release for Cisco IOS Release 12.4(10). The caveats in this section are resolved in Cisco IOS Release 12.4(10a) but may be open in previous Cisco IOS releases.

Basic System Services

CSCir00074

Symptoms: A router crashes when the casnDisconnect object is set to "true" for a PPPoE session.

Conditions: This symptom is observed on a Cisco 10000 series when you attempt to terminate the PPPoE session through SNMP by using the casnDisconnect object of the CISCO-AAA-SESSION-MIB.

Workaround: There is no workaround.

CSCsd26248

Symptoms: A router set up to do dot1x authentication without accounting setup may experience a memory leak in process RADIUS until the process consumes all free memory.

Conditions: This leak occurs on a router that performs dot1x authentication without dot1x accounting configured and that is sent attribute 24 (state) or 25 (class) from the RADIUS server.

Workaround: There is no workaround.

CSCsf19139

Symptoms: %RADIUS-3-NOSERVERS messages are logged after a reload in Cisco IOS Release 12.3(18). At this time, the RADIUS accounting tickets are not generated.

Conditions: This symptom has been observed on a Cisco AS5300 gateway.

Workaround: Enter into configuration mode and change the order of the servers under the server group.

IP Routing Protocols

CSCek14600

Symptoms: A traceback has been seen on this release.

Conditions: The symptom has been observed on Cisco IOS interim Release 12.4(04) T1fc2.

Workaround: There is no workaround.

CSCse29428

Symptoms: A crash is seen with %ALIGN-1-FATAL after showing %SYS-2-CHUNKEXPANDFAIL and %SYS-2-MALLOCFAIL repeatedly.

Conditions: This symptom is observed on a Cisco 3725 router that is running Cisco IOS Release 12.4(5a) with the c3725-advipservicesk9-mz image that is running IPSec VPN.

Workaround: There is no workaround.

CSCse56552

Symptoms: Connections fail through a router that uses CBAC. The pre-gen session is created, and the download or transfer begins. The pre-gen session times out and gets deleted from the router. Since the full session never gets established, the connection then times out on the host.

Conditions: This symptom is observed on a Cisco router that is running Cisco IOS Release 12.4(8) and using CBAC outbound on the outside interface when policy based routing is applied.

Workaround: There is no workaround.

Further Problem Description: This bug is first seen in Cisco IOS Interim Release 12.4(7.24).

CSCse58419

Symptoms: The memory consumption by the Chunk Manager process increases over time.

Conditions: This behavior is observed on certain occasions when NAT is configured. When NVI with VRF is set in the system, the memory leaks rapidly. When NAT with VRF is set in the system, and embedded address translation is needed or skinny protocol traffic is present, the memory leaks at a slow pace.

Workaround: There is no workaround.

CSCse94682

Symptoms: A Cisco router with EIGRP configured might generate an error message like:

%ALIGN-3-SPURIOUS: Spurious memory access made at 0x6097922C reading 0x70

Conditions: The symptom only occurs if the no ip next-hop-self eigrp command is configured.

Workaround: There is no workaround.

CSCse98590

Symptoms: The router will display SYS-2-MALLOCFAIL messages on the console, and various protocols will operate erratically as a result of a low memory condition.

Conditions: When a router has to duplicate incoming IPv4 multicast packets for transmission on multiple interfaces, and one of those interfaces is a GRE tunnel operating in GRE IPv6 mode, then memory used to duplicate that packet stream will not be freed. As a result, the router will soon exhaust all available memory.

Workaround: The router will not exhaust memory if packets do not need to be duplicated (for example, if they enter on one interface and only exit the box through another interface), or if they do not need to duplicate to a tunnel interface that is running GRE over IPv6 (for example, tunnel mode GRE IPv4 does not have this problem).

ISO CLNS

CSCse85158

Symptoms: Locally advertised networks that are configured for the NSAP address-family under BGP will not be readvertised once they have been cleared from the BGP table.

Conditions: Once the clear bgp nsap unicast * command has been issued, the networks will no longer appear in the output of the show bgp nsap unicast command.

Workaround: There is no workaround.

Miscellaneous

CSCeg86867

Symptoms: An AAA server does not authenticate.

Conditions: This symptom is observed on a Cisco platform that functions as an AAA server and that runs Cisco IOS Release 12.3(13) when you dial up using Microsoft callback through an asynchronous line. Dialup through an ISDN modem works fine.

Workaround: There is no workaround.

CSCek50172

Symptoms: An EEM policy with event interface cannot be registered, and a traceback appears.

Conditions: This symptom has been observed when configuring the EEM policy with event interface, and specifying a poll-interval larger than 2097151.

Workaround: When configuring the EEM policy with event interface, specify a poll-interval value less than 2097151.

CSCek52778

Symptoms: Dialer idle timer is not reset by interesting traffic on ISDN NON-MLPP, Async MLPPP, Async PBR user sessions.

Conditions: This symptom is found on a Cisco AS5850 that is running Cisco IOS Release 12.4(7b). Problem may occur with involvement of virtual profiles.

Workaround: There is no workaround.

CSCsb13010

Symptoms: NAT configurations didn't go through due to insufficient memory.

Conditions: This behavior was observed on a Cisco 831 router running Cisco IOS Interim Release 12.4(1.2)PI1a and also Interim Release 12.4(2.2)T.

Workaround: There is no workaround.

CSCse05642

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCse64462

Symptoms: A Cisco Systems 7200 series router may encounter a block overrun with Redzone corruption, and subsequently crash if Turbo ACL is configured and the following command is entered:

clear eou all

Error messages similar to the following will be output, with associated tracebacks:

%SYS-3-OVERRUN: Block overrun at <address> (red zone <value>)

%SYS-6-BLKINFO: Corrupted redzone blk <address>

Conditions: This symptom is observed on a Cisco 7200 series router running Cisco IOS Release 12.4 that is configured for Turbo ACL and when the following command is entered:

clear eou all

Workaround: Disable Turbo ACL by entering the following command:

no access-list compiled

CSCse68138

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCse75920

Symptoms: A Cisco router experiences a memory leak for the processes SCCP application and Chunk manager.

Conditions: The symptom has been observed after configuring the router for MTP and transcoding.

Workaround: There is no workaround.

CSCse89402

Symptoms: The CPU stack frame may become corrupted when a channel-group is configured on the T1/E1 controller.

Conditions: This symptom is seen on mainboard WIC slots when the slot is configured for the "no network-clock participate."

Workaround: Use the VWIC in "network-clock participate" when installed in the mainboard WIC slot of the router.

Further Problem Description: In most situations, no problems are seen. In rare cases, a crash may occur.

CSCse93695

Symptoms: Three-way calls that involve the Broadsoft SIP server and Cisco IAD2400 series Integrated Access Devices may not work.

Conditions: This problem is observed in Cisco IOS Release 12.4(9)T.

Workaround: There is no workaround.

CSCse97112

Symptoms: A Cisco router may reload due to a bus error.

Conditions: This symptom is observed after the following command is issued:

no x25 map compressedtcp a.d.c.d ip e.f.g.h [ options ]

This may cause an Address Error (load or instruction fetch) exception, CPU signal 10.

Workaround: There is no workaround.

CSCsf03566

Symptoms: Software-forced crash (SFC) occurs due to memory corruption.

Conditions: The crash has been seen on a Cisco 7600 router running Cisco IOS Release 12.2(18)SXF5. This happens if the router is acting as an EZVPN server and xauth is enabled when the crypto session is brought down.

Workaround: There is no workaround.

CSCsf09338

Symptoms: The calls coming from the CMM MTP have one-way audio when a call transfer is done on the other side.

Conditions: This symptom is observed when CMM is configured as MTP/XCode and running Cisco IOS Release 12.4(7b).

Workaround: There is no workaround.

CSCsf22493

Symptoms: The Cisco Communication Media Module (CMM) crashes when processing the UnsubscribeDtmf message.

Conditions: This symptom is observed when CMM XCODE/MTP is using Cisco IOS Release 12.4(8a) and RFC2833.

Workaround: There is no workaround.

CSCsf28840

A vulnerability exists in the Data-link Switching (DLSw) feature in Cisco IOS where an invalid value in a DLSw message could result in a reload of the DLSw device. Successful exploitation of this vulnerability requires that an attacker be able to establish a DLSw connection to the device.

There are workarounds available for this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070110-dlsw.shtml

CSCsg00602

Symptoms: A Cisco 3845 or Cisco 3825 router with AIM-VPN/HPII-PLUS(EPII-PLUS) may show the following symptoms:

1. Show alignment errors

2. Crash by bus error

3. XXX display by running the show crypto engine accel ring packet command

4. If a Telnet session, which shows symptom 3, is cut by "clear line," its related exec process does not disappear and starts to occupy CPU.

Conditions: This failure is seen on the Cisco 1800, Cisco 2600, Cisco 2800, Cisco 3600, Cisco 3700, and Cisco 3800 series routers that are configured with an AIM-VPNII or AIM-VPNII PLUS Virtual Private Network (VPN) encryption and hardware advanced integration module (AIM).

Workaround: Avoid running the show crypto engine accel ring packet command.

Wide-Area Networking

CSCek55209

Symptoms: If the ppp multilink endpoint mac interface command or the ppp multilink endpoint ip a.b.c.d command is configured, the router may unexpectedly reload if the multilink interface goes to the DOWN state, for example, when a PVC virtual-circuit is unconfigured.

Conditions: This symptom is observed on a router with Multilink PPP.

Workaround: Do not use these configuration commands in Cisco IOS Releases 12.3, 12.4 or 12.2SB without a fix for this DDTS.

CSCse12198

Symptoms: Individual B-channels on the primary T1 in the NFAS group sometimes go OOS for no reason.

Conditions: This symptom is observed when connected to a Cisco PGW that is running Cisco IOS Release 9.3(2). The Cisco AS5400 is connected to the Cisco PGW that is running RLM in the Signaling/Nailed mode.

Also, ISDN service sometimes goes OOS, and the channel state goes to 5, which is maintenance pending.

Workaround: When this happens, ISDN service can be put back in service manually for an individual CIC, but the channel state cannot be put back in service manually unless the whole serial interface is bounced. This cannot be done when there is other traffic on the other B-channels.

CSCse34162

Symptoms: A Cisco router hangs after 5 to 10 minutes of passing traffic over a dialer interface.

Conditions: This symptom has been observed on a Cisco router running Cisco IOS Release 12.4(8) with PPP Multilink configured on a dialer interface and traffic is passing.

Workaround: There is no workaround. A reboot is required to recover.

CSCse81069

Symptoms: Unconfiguring the isdn service b_channel command is not taking effect. The command is not removed from the running configuration.

Conditions: This symptom occurs when configuring the isdn service b_channel command to a state other than the default value of 0 on the ISDN D channel.

Workaround: To remove the command, shut down the T1/E1 controller first and then unconfigure the command under the D channel serial interface.

CSCse98867

Symptoms: A router may reload when a multilink bundle goes down while packets are flowing.

Conditions: This symptom is observed on a router that is configured for Multilink PPP (MLP) with hardware compression.

Workaround: There is no workaround.

CSCsf03251

Symptoms: Primary and backup NFAS interfaces may transition from WAIT to OOS even after receiving "in-service" message from the PSTN.

Conditions: This symptom is observed on a Cisco AS5400XM that is running several Cisco IOS 12.4 mainline and 12.4T releases.

Workaround: There is no workaround.

Resolved Caveats—Cisco IOS Release 12.4(10)

This section describes possibly unexpected behavior by Cisco IOS Release 12.4(10). All the caveats listed in this section are resolved in Cisco IOS Release 12.4(10). This section describes severity 1 and 2 caveats and select severity 3 caveats.

Basic System Services

CSCek33076

Symptoms: A RADIUS progress code is incorrectly reported for a call that fails at IPCP. The progress code reports that the Link Control Protocol (LCP) is in the open state.

Conditions: This symptom is observed on a Cisco platform that runs Cisco IOS Release 12.4(3a) and that is configured for AAA.

Workaround: There is no workaround.

CSCek37174

Symptoms: When you configure RADIUS servers via the AAA-SERVER-MIB, the expected behavior is that the last defined RADIUS server receives the lowest priority, but this does not occur.

Conditions: This symptom is observed on a Cisco router that is configured for AAA and that runs Cisco IOS Release 12.4 or Release 12.4T.

Workaround: There is no workaround.

CSCek40060

Symptoms: RADIUS server authentication may not function for dialup and PPP clients.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.4(7) and that has the radius-server retry method round-robin command enabled.

Workaround: Disable the radius-server retry method round-robin command. Note that the symptom does not occur in Release 12.3 or Release 12.3T.

CSCin99788

Symptoms: An %AAA-3-ACCT_LOW_MEM_TRASH error message is generated when a low-memory condition occurs. When this situation occurs, a memory leak may occur in AAA data.

Conditions: This symptom is observed when an interface flaps and causes a very large number of sessions to go down simultaneously, in turn generating a very large number of accounting stop records. In this situation, the I/O memory may be held for a long time when accounting records are sent and when an AAA server is slow or unreachable.

Workaround: There is no workaround.

CSCsc91735

Symptoms: CyBus errors may occur during an HA switchover, causing most VIPs to be disabled on a Cisco 7500 series.

Conditions: This symptom is observed when MLP Multilink interfaces are configured on channelized T3 (CT3) port adapters.

Workaround: Reload microcode onto all affected VIPs.

CSCsc97727

Symptoms: An access point may crash when you add or remove TACACS servers via the CLI.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.3(7)JA1 or Release 12.3(7)JA2 and that has the aaa accounting commands level default list-name group groupname command enabled. The symptom may also occur in other releases.

Workaround: Disable the aaa accounting commands level default list-name group groupname command.

Alternate Workaround: Use RADIUS instead of TACACS.

CSCsd23056

Symptoms: Reverse Telnet may not function.

Conditions: This symptom is observed when AAA authentication is enabled for the asynchronous line over which you attempt to establish a reverse Telnet connection. The AAA authentication prompt takes the console output as input for the AAA authentication process, causing a login failure for reverse Telnet.

Workaround: There is no workaround.

CSCsd49133

Symptoms: Alarms are not populated in the ceAlarmTable and ceAlarmlist objects because the CISCO-ENTITY-ALARM-MIB does not function.

Conditions: This symptom is observed on a Cisco router when a connected interface at a peer device is shut down. In this situation, alarms should be populated in the ceAlarmTable and ceAlarmlist objects. Note that the output of the show facility-alarm status EXEC command does show the alarms correctly, but they are just not populated in the ceAlarmTable and ceAlarmlist objects.

Workaround: There is no workaround.

CSCsd55847

Symptoms: A ping does not go through completely.

Conditions: This symptom is observed after you have entered the microcode reload command.

Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the affected interface.

CSCsd68168

Symptoms: A VIP crashes with a bus error and illegal accesses to low memory addresses.

Conditions: This symptom is observed when egress NetFlow is configured on a distributed platform such as a Cisco 7500 series router.

Workaround: Enter the ip flow egress command on any interface after both the RP and VIP have come up or disable the ip flow egress command.

CSCsd99763

Symptoms: A Cisco 7200 series router reloads unexpectedly while a BGP access list is being configured.

Conditions: This symptom is observed on a Cisco 7206VXR (NPE-G1) processor (revision A). The following commands are an example of a configuration that causes the router to reload unexpectedly:

config t

router bgp 100

neighbor EXTERNAL route-map MAP3 out

address-family ipv4 multicast

neighbor EXTERNAL route-map MAP3 out

!

ip as-path access-list 1 deny ^$

ip as-path access-list 2 permit ^(700)+(_1123)|_2374$|^(_700)+(_2374)+(_1123)+$

ip as-path access-list 3 permit _3400_

ip as-path access-list 4 permit ^(700)+(_3400)|_1123$|^700$|_23[0-9]$

!

route-map MAP3 permit 10

match as-path 1

!

route-map MAP3 deny 20

match as-path 2

!

route-map MAP3 permit 30

match as-path 3

!

route-map MAP3 permit 40

match as-path 4

set metric 300

end

Workaround: There is no workaround.

CSCse08044

Symptoms: A Cisco router may generate export packets in which the first flow record contains incorrect data such as incorrect IP addresses.

Conditions: This symptom is observed on a Cisco router that is configured for NetFlow and NetFlow Data Export.

Workaround: Disable NetFlow.

CSCse09594

Symptoms: A router crashes during the AAA authentication process for interfaces that are configured for PPP.

Conditions: This symptom is observed on a Cisco router when the memory is exhausted. For example, the symptom may occur on a router that attempts to bring up more PPP sessions while its memory usage is already higher than 99 percent of the capacity because of existing configuration and sessions.

Workaround: There is no workaround.

CSCse13952

Symptoms: After an SSO switchover has occurred on a PE router that functions in an AToM configuration, the standby RP may generate an "%ALIGN-1-FATAL: Corrupted program counter" error message, a bus error may occur, and the standby RP may crash.

Conditions: These symptoms are observed when the aaa accounting command is enabled with a TACACS+ server in the following configuration:

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

Workaround: There is no workaround.

CSCse38956

Symptoms: A router crashes when you change the authentication method after the user on the client side has entered the user name and is prompted to enter the password but has not yet entered the password.

Conditions: This symptom is observed when you disable the aaa authentication enable default group radius command and enable the aaa authentication enable default group tacacs command, or the other way around, before the user on the client side has entered the password.

Workaround: There is no workaround.

CSCse49728

Symptoms: SNMPv3 informs are not sent out after a device reload.

Conditions: This symptom is observed when SNMPv3 informs have been configured, and the device is reloaded.

Workaround: Re-enter any of the snmp-server host commands.

CSCse52503

Symptoms: An RSP may generate tracebacks.

Conditions: This symptom is observed on a Cisco router that is configured for dCEF when you reload microcode onto the RSP. Note that the symptom is platform-independent.

Workaround: There is no workaround.

CSCse56743

Symptoms: A standby RSP does not come up but enters ROMmon mode.

Conditions: This symptom is observed on a Cisco 7500 series that runs Cisco IOS Release 12.4 and that functions in an HA redundancy mode.

Workaround: There is no workaround.

CSCse69031

Symptoms: The console of a Cisco 7500 series may hang when you perform an OIR of three or four VIPs.

Conditions: This symptom is observed on a Cisco 7500 series that runs Cisco IOS interim Release 12.4(9.16).

Workaround: There is no workaround.

CSCse79528

Symptoms: Serial and FDDI interfaces may not be detected.

Conditions: This symptom is observed only on a Cisco 7500 series that has an RSP.

Workaround: There is no workaround.

CSCse90357

Symptoms: Onramp and offramp fax calls fail to connect over E1 PRI and E1 R2 signaling.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS interim Release 12.4(9.19a).

Workaround: There is no workaround.

EXEC and Configuration Parser

CSCse77357

Symptoms: A router may reject the creation of virtual Token Ring interface with any interface number from 0 to 9 and allow only the creation of virtual Token Ring interface with an interface number that is equal to or greater than 10.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS interim Release 12.4(9.16) or a later release or Release 12.4(9.15)T or a later release.

Workaround: Manually configure the virtual Token Ring interface with an interface number that is equal to or greater than 10.

IBM Connectivity

CSCse17611

Symptoms: When DLSw Ethernet Redundancy is configured, circuits may be established through the wrong switch.

Conditions: This symptom is observed in the following configuration:

Clients are connecting to MAC A.

Mapping statements are configured so that Switch 1 has a mapping of MAC A = MAC A and Switch 2 has a mapping of MAC B = MAC A.

The output of the show dlsw transparent map command shows that Switch 1 has the active mapping and that Switch 2 has the passive mapping. All circuits should be established on Switch 1, but instead they are established on Switch 2.

The outputs of the show dlsw trans neighbor and show dlsw trans map commands show correct information, but the output of the show dlsw cir cache command shows state "negative" on Switch 1 and state "positive" on Switch 2.

Workaround: There is no workaround. Note that all circuits are up and running, but they just go through the wrong router.

Interfaces and Bridging

CSCek27833

Symptoms: Pings with a datagram size of 1485 and above are not going across the bridge.

Conditions: This symptom is observed on a serial interface configured for PPP and part of the bridge group on a Cisco router.

Workaround: Increase the MTU size on the interfaces. For example, configure an MTU of 1524.

CSCin97786

Symptoms: An online insertion and removal (OIR) of a Versatile Interface Processor (VIP) that is installed in a Cisco 7500 series may cause the Route Switch Processor (RSP) to stop responding.

Conditions: This symptom is observed when two FDDI port adapters are installed in the VIP.

Workaround: There is no workaround.

CSCsc66187

Symptoms: Error messages such as the following one may be generated on a Cisco 7500 series or Cisco 7600 series:

%CWPA-3-IPCALLOCFAIL: Failed to allocate IPC buffer for loveletter data

Conditions: This symptom is observed on a Cisco 7500 series and Cisco 7600 series that are configured with a 1-port Packet-over-SONET OC-3c/STM-1 multimode port adapter (PA-POS-OC3MM) when you enter the no shutdown interface configuration command on the interface.

Workaround: There is no workaround.

CSCse17103

Symptoms: A Bridge Group Virtual Interface (BVI) stops receiving CLNS packets.

Conditions: This symptom is observed when the packets arrive via a dot1q subinterface that belongs to one bridge group and when another dot1q subinterface on the same physical interface belongs to another bridge group.

Workaround: Enter the clns router isis area-tag command on the physical subinterface.

Alternate Workaround: Enter the clns enable command on the dot1q subinterface, although doing so may cause problems with the connected end systems.

CSCse61893

Symptoms: A ping from a channelized T3 (CT3) port adapter may fail.

Conditions: This symptom is observed on a Cisco platform that is configured with a CT3 port adapter that functions in unchannelized mode.

Workaround: There is no workaround.

IP Routing Protocols

CSCed84633

Symptoms: The interface-type and interface-number arguments in the distribute-list address family configuration command do not function.

Conditions: This symptom is observed on a Cisco platform that integrates the fix for caveat CSCea59206. A list of the affected releases can be found at http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCea59206. Cisco IOS software releases that are not listed in the "First Fixed-in Version" field at this location are not affected.

Workaround: There is no workaround.

Further Problem Description: The fix for CSCed84633 re-enables the interface-type and interface-number arguments in the distribute-list address family configuration command for both VRF interfaces and non-VRF interfaces.

CSCej78303

Symptoms: A router may crash when you disable the ipv6 multicast-routing command.

Conditions: This symptom is observed when you enable and disable the ipv6 multicast-routing command multiple times while IPv6 Multicast traffic is being processed.

Workaround: There is no workaround.

CSCek29860

Symptoms: A Cisco router may experience a software-forced crash.

Conditions: This symptom is observed on a Cisco router that is configured for secure NAT (SNAT), NAT Stateful Failover, and HSRP.

Workaround: There is no workaround.

CSCek31478

Symptoms: When you modify an access control list (ACL) by entering the ip multicast boundary command, the command may not fully take effect.

Conditions: This symptom is observed on a Cisco 12000 series that runs Cisco IOS Release 12.0(28)S4 or Release 12.0(32)S but appears to be platform- and release-independent.

Workaround: Disable and re-enter the ip multicast boundary command.

Alternate Workaround: Enter the clear ip mroute * command.

CSCek42134

Symptoms: NAT Virtual Interface (NVI) per VPN routing/forwarding (VRF) is broken from inside to outside. The router shows CEF drops for the destination prefix existing for a route for this prefix on VRF table.

Conditions: This symptom has been observed on Cisco IOS Release 12.3(14)T6 and interim Release 12.4(7.20)T.

Workaround: Configure static translation for the destination prefix to itself.

CSCek43945

Symptoms: A memory leak may occur on a router that is configured for NAT and the router may eventually run out of memory.

Conditions: This symptom is observed on a Cisco router when NAT is configured.

Workaround: There is no workaround.

CSCsc35609

Symptoms: In certain circumstances, if the static reservations are configured via the ip rsvp listener commands, an interface going down can cause the router to crash.

Conditions: This problem is seen under the following conditions:

1. Router is running RSVP; the ip rsvp bandwidth command is enabled.

2. Router has configured a receiver proxy with the ip rsvp listener command.

3. Router receives Path messages matching the proxy and sends out Resv messages corresponding to the received Path messages.

4. The interface on which the Path message is received goes down.

The problem is not seen if any of these conditions do not hold. For example, routers not running RSVP, or running RSVP only as a midpoint, or routers running MPLS/TE, do not see this problem.

Workaround: There is no workaround. Discontinuing the use of the ip rsvp listener command will prevent the crash.

CSCsc75426

Symptoms: A router that is configured for BGP and that has the ip policy-list command enabled may unexpectedly reload because of a bus error or SegV exception.

Conditions: This symptom is observed when BGP attempts to send an update with a "bad" attribute.

Workaround: There is no workaround.

CSCsd03021

Symptoms: When loading a large link state database from a third-party vendor router that runs Cisco IOS software, the CPU usage by OSPF may become very high, the router may generate CPUHOG messages, and it may take a long time to reach the FULL state, or the FULL state is not reached.

Conditions: These symptoms are observed in an environment in which packet drops occur. When the link state request that is sent from the Cisco IOS router is dropped, the routers may still continue to exchange DBD packets. However, the link state request list on the Cisco IOS router may become long, and it may take a lot of CPU usage to maintain it.

Workaround: There is no workaround.

Further Problem Description: See also caveat CSCsd38572.

CSCsd68993

Symptoms: IPv6 multicast traffic forwarding may fluctuate.

Conditions: This symptom is observed on a Cisco router that is configured for PIM and that is configured with more than 2000 multicast streams.

Workaround: There is no workaround.

CSCsd84489

Symptoms: A platform that is configured for Open Shortest Path First (OSPF) and incremental Shortest Path First (SPF) may crash when changes occur in the OSPF topology.

Conditions: This symptom is observed on a Cisco platform that has the ispf command enabled when changes occur in the OSPF topology that cause the intra-area routes to be updated.

Workaround: Disable the ispf command.

CSCse04037

Symptoms: A ping or a Telnet connection from an inside gateway to an outside gateway through a router that is configured for NAT may fail because of an error in the NAT table lookup process.

Conditions: This symptom is observed on a Cisco router when the preserve-port keyword is not configured in the ip nat service command and occurs whether or not NAT Overload is configured.

Workaround: There is no workaround.

CSCse04220

Symptoms: The BGP table version remains stuck at 1, and the router may crash.

Conditions: This symptom is observed when you enter the clear bgp ipv4 uni * command for IPv4 or the clear bgp ipv6 uni * command for IPv6. The symptom may also occur when you enter the clear bgp nsap uni * command for an ATM network service access point (NSAP) address family.

Workaround: Enter the clear ip bgp * command to clear the sessions, purge the BGP table, and prevent the router from crashing.

CSCse07118

Symptoms: A router may reload unexpectedly when using the transmit-interface interface command when there is an OSPF point-to-point adjacency in the interface.

Conditions: The unexpected reload is seen when the OSPF is point-to-point, either because it is, for example, a serial interface, or when using the ip ospf network point-to-point interface-level configuration command.

Workaround: Issue a shutdown command before using the transmit-interface command if there is an OSPF adjacency in the interface being configured.

CSCse44079

Symptoms: The CPU usage may reach 100 percent in the IGMP Input process when a UDL interface is down.

Conditions: This symptom is observed on a Cisco router that has a UDL interface that is connected to a satellite link after you have upgraded the Cisco IOS software image from Release 12.4(5a) to Release 12.4(7a).

Workaround: There is no workaround.

CSCse51804

This caveat consists of two symptoms, two conditions, and two workarounds:

1. Symptom 1: A DMVPN tunnel may flap at regular intervals. The NHRP cache entry at the hub expires a long time before its expiration time.

Condition 1: These symptoms are observed on a Cisco router that runs Cisco IOS Release 12.4 when the DMVPN tunnel is up and when you enter the show ip nhrp brief and clear ip nhrp commands. When the tunnel comes up again (because of the NHRP registration by the spoke), the NHRP cache entry expires a long time before its expiration time.

Workaround 1: Do not enter the show ip nhrp brief command.

2. Symptom 2: A DMVPN tunnel may flap at regular intervals. The NHRP cache entry at the hub expires a long time before its expiration time.

Condition 2: These symptoms are observed on a Cisco router that runs Cisco IOS Release 12.4(6)T or a later release and occurs without any specific action.

Workaround 2: There is no workaround.

CSCse55265

Symptoms: A ping fails via NAT because of an encapsulation failure.

Conditions: This symptom is observed on a Cisco 7200 series that is configured for NAT and that has both the ip nat inside source static and ip nat outside source static commands enabled. The symptom is platform-independent.

Workaround: There is no workaround.

ISO CLNS

CSCsd87651

Symptoms: A Cisco router that is configured for RPR or RPR+ may reload its standby RP when a configuration change is made to IS-IS.

The reload of the standby RP is preceded by the following error messages:

%HA-3-SYNC_ERROR: Parser no match.

%HA-5-SYNC_RETRY: Reloading standby and retrying sync operation (retry 1).

Conditions: This symptom is observed on a Cisco 7500 series that runs Cisco IOS Release 12.4. Note, however, that the symptom is platform-independent for Release 12.4 and its derivatives. Any of the IS-IS global configuration commands may trigger the symptom. Following are a few examples of these IS-IS global configuration commands:

is-type level-2-only

lsp-gen-interval level-2 5 50 100

redistribute eigrp

Workaround: There is no workaround.

CSCse40346

Symptoms: Tracebacks may be generated when you configure IS-IS and LDP features, for example, when you enter the no ip router isis area-tag command.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.0(32)SY but may also occur in other releases.

Workaround: There is no workaround.

CSCuk60585

Symptoms: A router that is configured for redistribution into ISO-IGRP may crash.

Conditions: This symptom is observed when the configuration is nvgened.

Workaround: There is no workaround.

Miscellaneous

CSCef09119

Symptoms: CPUHOG tracebacks may be generated when you bring up 30,000 PPPoE sessions and then remove an input policy map from a virtual template on a broadband PTA.

Conditions: This symptom is observed on a Cisco router that functions as a broadband PTA and that is configured with 31,500 ATM subinterfaces, an input policy map, an output policy map with a CBWFQ policy, and 128,000 queues.

Workaround: There is no workaround.

CSCef29090

Symptoms: The throughput for TCPClear sessions on a Cisco AS5850 may not be as expected and there may be a slow response time.

Conditions: This symptom is observed on a Cisco AS5850 with TCPclear sessions.

Workaround: There is no workaround.

CSCeh86525

Symptoms: A router crashes when you attach an inbound service policy with a police feature.

Conditions: This symptom is observed on a Cisco 7200 series that has an NPE-G1 that supports Multiprocessor Forwarding (MPF).

Workaround: There is no workaround.

CSCei84353

Symptoms: A router crashes when you remove an Embedded Event Manager (EEM) applet.

Conditions: This symptom is observed on a Cisco 12000 series that runs an interim release for Cisco IOS Release 12.0(32)S but is not platform- and release-dependent. This symptom occurs under the rare occasion that the EEM applet is removed while EEM is attempting to trigger the applet for execution.

Workaround: Perform the following three steps:

1. Before you remove the EEM applet, disable EEM applet scheduling by entering the event manager scheduler applet suspend command.

2. Remove the applet.

3. After you have removed the applet, re-enable EEM applet scheduling by entering the no event manager scheduler applet suspend command.

CSCej29710

Symptoms: Unable to send EEM type system SNMP trap notifications.

Conditions: This symptom occurs when users want to send EEM SNMP system type trap notifications upon triggering of a policy.

Workaround: In EEM applet mode if a user desires an SNMP notification upon event trigger, they should specify it as an action by using the action snmp-trap command. In EEM TCL policies, use the action_snmp_trap TCL command.

CSCek26155

Symptoms: A recursive pattern scan loop can occur when the Embedded Event Manager (EEM) CLI ED attempts to scan for patterns provided by action CLI commands.

Conditions: This issue occurs when an applet contains a CLI event that is scanning for a pattern that is given as a CLI command in one of its actions. See the following example:

event manager applet one

event cli pattern "show version" sync yes

action 1 cli command "show version"

In this example the action being performed causes the event to trigger in a loop.

Workaround: Do not use an action CLI command containing a pattern that matches the CLI event pattern.

CSCek26492

Symptoms: A router may crash if it receives a packet with a specific crafted IP option as detailed in Cisco Security Advisory: Crafted IP Option Vulnerability:

http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml

Conditions: This DDTS resolves a symptom of CSCec71950. Cisco IOS releases with this specific DDTS are not at risk of a crash if CSCec71950 has been resolved in the software.

Workaround: Cisco IOS versions with the fix for CSCec71950 are not at risk for this issue and no workaround is required. If CSCec71950 is not resolved, see the following Cisco Security Advisory: Crafted IP Option Vulnerability for workaround information:

http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml

CSCek34049

Symptoms: A Cisco AS5850 that is configured for RPR+ may be unable to process more than 1990 MGCP voice calls. With more than 1990 MGCP voice calls, any of the following symptoms may occur:

Many DSPs may time out.

Active calls may hang.

Spurious memory accesses and tracebacks may be generated.

Incoming calls may be dropped.

NextPort SPE ports may be stuck in the "a" state.

Conditions: These symptoms are observed on a Cisco AS5850 that runs Cisco IOS Release 12.4(3d) or Release 12.4(7a).

Workaround: There is no workaround. A Cisco AS5850 that is used to its full capacity (4 CT3 worth of MGCP calls) may not scale beyond 1990 calls. When the symptoms have occurred, reload the Cisco AS5850.

CSCek37686

Symptoms: A Cisco AS5350 may reload because of a bus error (SIG=10).

Conditions: This symptom is observed when SNMP is configured and when SNMP queries are made into the Cisco AS5350.

Workaround: Disable SNMP or stop polling the router.

CSCek38136

Symptoms: When you deploy VoIP using PVDM2 / 5510 DSP modules, a hissing sound may be heard before the ringback tone starts on the calling side.

Conditions: This symptom is observed only with 5510 DSP modules. The symptom does not occur with 549 DSP modules.

Workaround: There is no workaround.

CSCek41338

Symptoms: A router reloads when you enter the peer default ipv6 address pool pool-name command in template-configuration mode.

Condition: This symptom is observed on a Cisco router that is configured for IPv6.

Workaround: A workaround is not applicable because the peer default ipv6 address pool pool-name command in template-configuration mode is not supported in an IPv6 configuration and should not be entered as such.

CSCek42816

Symptoms: A voice gateway reloads while bulk calls are being processed.

Conditions: The symptom is observed on a Cisco voice gateway that runs VXML applications that stream voice when the voice gateway receives prompts from an HTTP server.

Workaround: Enter the ivr prompt streamed none command on the voice gateway.

CSCek43562

Symptoms: After an SDM client has properly connected to an SSH server, the SDM client hangs when you attempt to close the connection.

Conditions: This symptom is observed only with an SDM client, which uses a third-party vendor Java-based SSH client package.

Workaround: There is no workaround.

CSCek43642

Symptoms: When you try to remove an Embedded Event Manager (EEM) policy that has event criteria specified via the event_register_appl Tcl command extension, the attempt fails.

Conditions: This symptom is observed when two or more Embedded Event Manager policies are configured and when only one of these policies has event criteria specified via the event_register_appl Tcl command extension.

Workaround: There is no workaround.

CSCek45461

Symptoms: Path confirmation fails for voice calls on a Cisco AS5850. One-way audio may occur with manual phones.

Conditions: These symptoms are observed on a Cisco AS5850 that processes MGCP, H.323, and SIP calls.

Workaround: There is no workaround.

CSCek47283

Symptoms: A router cannot be reloaded by entering the reload command, and the following message is displayed when you attempt to reload the router:

The startup configuration is currently being updated. Try again.

Conditions: This symptom is observed under rare conditions and may be triggered after an "Invalid pointer value in private configuration structure" error message is displayed (as seen in caveat CSCin98933). This symptom is observed in Cisco IOS interim Release 12.3(19.7), interim Release 12.4(6.5), and interim Release 12.4(6.5)T, and in later releases.

Workaround: There is no workaround.

CSCek47653

Symptoms: A voice gateway may crash because of a bus error that is related to an MGCP Visual Message Waiting Indicator (VMWI) function.

Conditions: This symptom is observed on a Cisco IAD 2430 that runs Cisco IOS Release 12.3(14)T2. The symptom may also affect Release 12.4 and Release 12.4T.

Workaround: There is no workaround.

CSCin97669

Symptoms: The standby RP resets continuously because of synchronization failures.

Conditions: This symptom is observed on a Cisco router when you first perform an OIR of a VIP in which a port adapter is installed that supports both T1 and E1 (for example, a PA-MC-8TE1+ port adapter) and then an SSO switchover occurs.

Workaround: There is no workaround. You must power-cycle the standby RP to enable it to come up.

CSCin99565

Symptoms: A router that is configured for SSG may reload unexpectedly.

Conditions: This symptom is observed when both the Transparent Auto-Logon (TAL) and Port-Bundle Host-Key (PBHK) SSG features are enabled and when it takes a long time before the AAA server responds.

Workaround: There is no workaround.

CSCin99687

Symptoms: An SNMP walk of the dsx1IntervalTable results in an infinite loop.

Conditions: This symptom is observed on a Cisco router that is configured with a PA-MCX-8TE1 or PA-MC-2T3+ port adapter.

Workaround: There is no workaround.

CSCsa70712

Symptoms: When you reload a CMM in one slot, the CMM in another slot reloads too, and the console of the supervisor engine shows an "EarlRecoveryPatch Reset" error message for the CMM that you intentionally reloaded.

Conditions: This symptom is observed on a Cisco Catalyst 6000 series and Cisco 7600 series when you enter the reload command via the console of the CMM.

Workaround: Do not reload the CMM via its console. Rather, enter the hw-module module slot number reset command for the CMM on the supervisor engine.

CSCsb42470

Symptoms: The output of the show interfaces sum and the show interfaces tunnel commands is inconsistent.

Conditions: This symptom is observed when CEF switching is enabled and when IPsec tunnel protection or VTI is applied to a tunnel interface.

Workaround: Disable CEF switching and use fast-switching or process-switching.

Further Problem Description: The output of the show interfaces tunnel command shows the wrong number of packets that are switched per second, and the number of bytes that have been switched is shown incorrectly.

CSCsb54378

Symptoms: A router may reload due to a software-forced crash.

Conditions: This problem has been observed when initiating a Secure Shell (SSH) session from the router or when copying a file to/from the router via SCP.

Workaround: Do not initiate SSH or SCP sessions from the router.

Further Problem Description: This was observed on a Cisco 2811 router that was running Cisco IOS Release 12.4(4)T.

Prior to the crash, the router logs a series of %SYS-3-CPUHOG messages and will eventually crash with %SYS-2-WATCHDOG. See the following example:

*Mar 29 11:29:35.938: %SYS-3-CPUHOG: Task is running for (128004)msecs, more than (2000)msecs (1426/5),process = Virtual Exec.

-Traceback= 0x41DC8E2C 0x41DC9098 0x41BAA6E0 0x41BA6990 0x41B96B4C 0x41BA6768 0x41BA7490 0x41BA7750 0x41BAC854 0x41BA120C 0x40C27024 0x40C26760 0x41BA203C 0x40C73E58 0x40C926E8 0x41834200

*Mar 29 11:29:35.942: %SYS-2-WATCHDOG: Process aborted on watchdog timeout, process = Virtual Exec.

-Traceback= 0x41A23CC8 0x41BAA3D8 0x41BA6A08 0x41B96B4C 0x41BA6768 0x41BA7490 0x41BA7750 0x41BAC854 0x41BA120C 0x40C27024 0x40C26760 0x41BA203C 0x40C73E58 0x40C926E8 0x41834200 0x418341E4

%Software-forced reload

CSCsb95563

Symptoms: On rare occasions, Embedded Event Manager (EEM) may cause a crash when you deregister an EEM policy.

Conditions: This symptom is observed on a Cisco Catalyst 6000 series but is platform-independent.

Workaround: There is no workaround.

CSCsb99936

Symptoms: The show ephone command reveals a call is stuck in the SEIZE state instead of progressing to the correct state during a call.

Conditions: This symptom has been observed when an H.323 call is placed from CME to a non-CME H.323 endpoint.

Workaround: There is no workaround.

CSCsc12255

Symptoms: When you deploy VoIP on an NM-HDV2 network module that is configured with a PVDM2-64 module, a hissing sound may be heard before the ringback tone starts on the calling side.

Conditions: This symptom is observed only with an NM-HDV2 network module. Note that the symptom does not occur with an NM-HDV network module.

Workaround: There is no workaround.

CSCsc13670

Symptoms: The backup configurations that are generated by the Archive feature may be truncated.

Conditions: This symptom is observed when you reload the router with the Archive feature enabled.

Workaround: Enter the privileged mode.

CSCsc18707

Symptoms: No error message is printed out when running an Embedded Event Manager (EEM) policy that is not registered with the none event detector.

Conditions: This symptom occurs when you execute the event manager run policy name command or the action label policy policy name command, but the policy is not registered with the none event detector.

Workaround: There is no workaround.

CSCsc41527

Symptoms: The chkflash command for a flash file system does not function.

Conditions: This symptom is observed on a Cisco router that has a flash file system.

Workaround: Do not enter the chkflash command. Rather, enter the format command.

Further Problem Description: The fix for this caveat re-implements the fsck command.

CSCsc70644

Symptoms: A CLI session may become stuck during the configuration of QoS.

Conditions: This symptom is observed on a Cisco router after you have entered the show policy-map interface command.

Workaround: There is no workaround.

CSCsc72722

Symptoms: TCP connections that are opened through a Cisco IOS Firewall (CBAC) may not timeout.

Conditions: With Cisco IOS Firewall (CBAC) enabled, the TCP idle timer for a session may be reset even by TCP packets that fail TCP inspection and are subsequently dropped. This could lead to the TCP session not timing out.

Workaround: There is no workaround.

CSCsc72828

Symptoms: Sweep ping with packet size 1439 fails.

Conditions: This symptom occurs when dLFIoATM is configured on a Cisco 7500 series router.

Workaround: There is no workaround.

CSCsc97398

Symptoms: The user information Layer 1 protocol may be included in the outgoing bearer capability and may be set to either G711 u-law or G711 A-law. Some PBXs may refuse the call because of this mismatch in the bearer capability.

Conditions: This symptom is observed when a call is made from H.323 to ISDN with unrestricted digital information bearer capability.

Workaround: There is no workaround.

CSCsd04075

Symptoms: The voice ports of a Cisco IOS Voice over IP (VoIP) gateway that terminates fax calls may lock up and not accept any new calls. The following error messages may be generated on the console or syslog (if enabled):

%HPI-3-CODEC_NOT_LOADED: channel:2/0/0 (171) DSP ID:0x1, command failed as codec not loaded 0

- Traceback= 615D2FA8 615C8528 617D5044 617D5258 61BBCD44 61BBD764 617BAE88 617BBD38 6138720C

Conditions: This symptom is observed on a Cisco 3600 series router but is not platform-dependent.

Workaround: Disable T.38 and use fax passthrough.

CSCsd07028

Symptoms: Tracebacks may be seen when issuing the clear pppoe all command while unconfiguring the virtual circuit (VC).

Conditions: This symptom is observed when a Cisco router crashes when the PPPOE session is cleared by issuing the clear pppoe all command.

Workaround: There is no workaround.

CSCsd16006

Symptoms: Stale routing entries may be created on a Cisco MWG Home Agent (HA) when a mobile node (MN) deregisters or is handed off (that is, the MN moves from one foreign agent to another foreign agent). This situation affects the routing of mobile traffic.

Conditions: This symptom is observed when NAT Traversal (NAT-T) is enabled and applied to mobile bindings.

Workaround: There is no workaround.

CSCsd18739

Symptoms: When a router is configured for IPv6-NAT-PT the router goes into a software forced reload when the show ipv6 nat translations verbose command is executed. The following error message is displayed:

%Software-forced reload Preparing to dump core...

Conditions: This symptom is observed on a Cisco 7200 series router that is running Cisco IOS Release 12.4(3b).

Workaround: Do not execute the show ipv6 nat translations verbose command.

CSCsd20327

Symptoms: Web Cache Communication Protocol (WCCP) for service 90 is going up and down on a Cisco router that runs Cisco IOS Release 12.4(3b)B. The router has services 81, 82 and 90 configured. The only service that has a problem is 90. The packet traces indicate that the router is sometimes responding to "Here_I_Am" messages from the cache with "I_See_You" messages that contain an incorrect destination IP address. This situation leads to a loss of WCCP service.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.4(3b) but may also affect other releases.

Workaround: There is no workaround.

CSCsd34114

Symptoms: A router that has the ip local pool command enabled in an IPv6 configuration may reload under rare circumstances.

Conditions: This symptom is observed when the local pool must allocate prefixes to the same user name on multiple interfaces in a specific order, then releases one of the prefixes, and then attempts to allocate a new prefix.

The interfaces that the prefixes are allocated on, and the ordering of the events, must follow a very specific pattern in order for the symptom to occur.

Workaround: Use per-user prefixes from a RADIUS server, or in a DHCP-PD configuration, use the prefix allocation per DUID.

Further Information: IP local pools in an IPv6 configuration are used by DHCP-PD and by IPv6 Control Protocol (IPv6CP) for IPv6 over PPP links. However, the symptom is unlikely to occur with IPv6CP.

CSCsd34529

Symptoms: A Cisco router may crash when a policy map is simultaneously displayed and unconfigured.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.4T but may also affect Release 12.4. The symptom occurs when the show policy-map command is entered via one CLI session while the no policy-map policy-map-name command is entered via another CLI session.

Workaround: There is no workaround.

CSCsd35555

Symptoms: The TDM crossconnect for a T1/E1 WIC does not function.

Conditions: This symptom is observed on a Cisco IAD 2400 series that is configured with a VIC2-2MFT-T1/E1 WIC.

Workaround: Use the native T1/E1 slot to install the WIC in.

CSCsd37629

Symptoms: Alignment errors and a bus error may occur on a Cisco platform that has the ip inspect command enabled.

Conditions: This symptom is observed on a Cisco platform that runs Cisco IOS Release 12.4 or Release 12.4T.

Workaround: Disable the ip inspect command.

CSCsd41586

Symptoms: When issuing a show running-config command, a system might experience a crash due to bus error.

Conditions: This symptom was seen when the show startup-config command was still in progress in another terminal window and its output had not yet finished.

Workaround: Make sure that show startup-config command is not in use when issuing a show running-config command.

Further Problem Description: This issue has only been seen on a Cisco 10000 series router but could affect other systems as well. Other concurrent access to NVRAM could lead to similar problems.

CSCsd57360

Symptoms: A software crash may occur on a Cisco 3700 series that is configured with a VWIC2-2MFT-T1/E1 when you first enter the clock source independent command on the T1 controller and then configure a channel group.

Conditions: This symptom is observed when the following sequence of events occurs:

1. You remove the channel group configuration from the T1 controller.

2. You enter the clock source independent command on the T1 controller and you either set the clock source to internal or to line.

3. You configure a channel group.

Workaround: Do not enter the clock source independent command.

CSCsd62621

Symptoms: Packet loss in the form of ignores and overruns may occur on a Cisco 2621XM with a WIC-2T when you enter any of the following commands:

write memory

show running-config

show controllers

Conditions: This symptom is observed on a Cisco 2621XM that runs Cisco IOS Release 12.4(7) when the serial port of the WIC-2T clocks at 8 Mbps and when 6.61 Mbps of traffic runs bidirectionally through the interface.

Workaround: Do not enter the write memory, show running-config, or show controllers command while the serial port of the WIC-2T is processing traffic.

CSCsd65073

Symptoms: A PE router crashes while reconfiguring Multicast Virtual Routing and Forwarding (MVRF) with a different default MDT address after removing the previous default MDT address.

Conditions: This symptom is observed on a Cisco 7200 series router that is running Cisco IOS interim Release 12.4(7.15). The PE router is configured with two MVRFs.

Workaround: There is no workaround.

CSCsd65289

Symptoms: When applying a service-policy to a subinterface, the router crashes.

Conditions: This problem happens on an ATM subinterface with a large number of subinterfaces with service-policies applied.

Workaround: There is no workaround.

CSCsd66800

Symptoms: A gateway-controlled T.38 fax relay between an MGCP gateway and another gateway may be disconnected unexpectedly.

Conditions: This symptom is observed on a Cisco platform that is configured for Voice xGCP.

Workaround: There is no workaround.

CSCsd70119

Symptoms: A Media Termination Point (MTP) does not generate an RFC 2833 event on a second call leg when it should do so.

Conditions: This symptom is observed when a call from a CallManager version 5.0 invokes an MTP and an RFC 2833 event and when the call is supported on both endpoints that are connected via the MTP.

For example, a Cisco 7860 IP phone that is configured for SCCP sends a DTMF via both SCCP and RFC 2833. In this situation, the MTP receives an RFC 2833 event from the Cisco 7860 IP phone and a SCCP DTMF notification from the CallManager for the same DTMF event. This functions properly, but the MTP does not generate the RFC 2833 event on the second call leg when it should do so.

Workaround: In the above-mentioned example, disable RFC 2833 DTMF on the Cisco 7860 IP phone.

CSCsd73526

Symptoms: When a Cisco Content Services Switch (CSS) is used in a Customer Voice Portal (CVP) configuration, the Cisco IOS Voice Browser may be unable to play the media file. The CSS does send the HTTP Redirect message that points to the CVP, but the gateway does not react.

Conditions: This symptom is observed on a Cisco AS5400HPX Universal Gateway after you have upgraded this platform from Cisco IOS Release 12.3(3a) to Release 12.4(3b). Other software components in the configuration are CVP 3.1 SR1, ICM 6.0, and Cisco CallManager 4.1(3)SR2.

Workaround: Bypass the Cisco CSS, and point the VXML application directly to the CVP.

CSCsd74000

Symptoms: A slot controller such as a slot controller of a VIP4-80 may reset because of a TLB (load or instruction fetch) exception.

Conditions: This symptom is observed on a Cisco 7500 series that runs Cisco IOS Release 12.3(17b) or Release 12.4, that has T1 or E1 port adapters installed in the slot that is controlled by the slot controller that resets, and that has NBAR configured.

Workaround: Remove the NBAR configuration.

CSCsd74729

Symptoms: A crypto map may become "incomplete" and IPsec negotiation may fail.

Conditions: This symptom is observed on a Cisco platform when the ip vrf forwarding vrf-name interface configuration command is removed from an interface or changed.

Workaround: Remove and re-apply the crypto map configuration to the interface.

CSCsd76444

Symptoms: A Cisco router may reload unexpectedly with a "Signal 0" without a stack trace in the crash info file.

Conditions: This symptom is observed on a Cisco 10000 series that has a PRE and that is configured for SSG. However, the symptom is platform-independent and may occur on any router that is configured for SSG.

Workaround: There is no workaround.

CSCsd76528

This caveat consists of two symptoms, two conditions, and two workarounds:

1. Symptom 1: None of the policy classes after the first child policy of a hierarchical QoS policy take effect when you reload the router.

Condition 1: This symptom is observed on a Cisco 7304 that has hierarchical QoS policies with multiple child policies but may also occur on other platforms.

Workaround 1: There is no workaround to prevent the symptom from occurring. When the symptom has occurred, enter the service-policy output interface configuration command to enable the child policies to take effect. Note that the symptom does not occur for a hierarchical QoS policy with only one child policy in the very last class of the parent policy.

2. Symptom 2: On a Cisco 10000 series that is configured with hierarchical queueing policies, when you remove the match vlan command for a VLAN that matches a dot1q subinterface, the queues that are allocated to the subinterface are not cleared, allowing traffic to continue to flow through these queues.

Condition 2: This symptom is observed on a Cisco 10000 series that has hierarchical QoS policies with multiple child policies but may also occur on other platforms.

Workaround 2: There is no workaround. Note that the symptom does not occur for a hierarchical QoS policy with only one child policy in the very last class of the parent policy.

CSCsd79195

Symptoms: An I/O memory leak may occur on a Cisco router that is configured with an 8-port async/sync serial network module (NM-8A/S) and hardware crypto accelerators.

Conditions: This symptom is observed when the qos pre-classify command is enabled on the crypto map and tunnel interface.

Workaround: Disable the qos pre-classify command.

CSCsd80745

Symptoms: A router that is configured for IPSec and ISAKMP may reload unexpectedly because of a bus error exception that is triggered by an address error exception.

Conditions: This symptom is observed rarely and occurs when data leaks during IPSec rekeying. Both IPSec and ISAKMP life times are configured as the recommended values of respectively 3600 seconds and 86,400 seconds. The router may crash when the data is used 65,536 times.

Workaround: There is no workaround.

CSCsd80754

Symptoms: The active router in an HSRP configuration may not respond to an ARP request for the virtual IP address. When the symptom occurs, both routers in the HSRP configuration have correct HSRP and ARP entries. Entering the clear arp command on the standby router in the HSRP configuration does not resolve the problem.

Conditions: This symptom is observed when the same HSRP virtual IP address exists in different HSRP groups on different routers.

Workaround: Enter the no standby redirects command to prevent the symptom from occurring.

CSCsd81861

Symptoms: A router may unexpectedly reload due to a bus error after being reloaded or power cycled. The last console output in the crashinfo will be the ima-group group number command before the crash.

Conditions: The router must have the ip telnet source-interface command or the ip tftp source-interface command configured to use an IMA sub-interface as the source. There also must be at least one ATM interface in the IMA group.

Workaround: Remove the IMA interface from the source interface command in the configuration.

CSCsd85587

A vulnerability has been discovered in a third party cryptographic library which is used by a number of Cisco products. This vulnerability may be triggered when a malformed Abstract Syntax Notation One (ASN.1) object is parsed. Due to the nature of the vulnerability it may be possible, in some cases, to trigger this vulnerability without a valid certificate or valid application-layer credentials (such as a valid username or password).

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.

The vulnerable cryptographic library is used in the following Cisco products:

Cisco IOS, documented as Cisco bug ID CSCsd85587

Cisco IOS XR, documented as Cisco bug ID CSCsg41084

Cisco PIX and ASA Security Appliances, documented as Cisco bug ID CSCse91999

Cisco Unified CallManager, documented as Cisco bug ID CSCsg44348

Cisco Firewall Service Module (FWSM)

This vulnerability is also being tracked by CERT/CC as VU#754281.

Cisco has made free software available to address this vulnerability for affected customers. There are no workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml.


Note: Another related advisory is posted together with this Advisory. It also describes vulnerabilities related to cryptography that affect Cisco IOS. A combined software table for Cisco IOS only is available at http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml and can be used to choose a software release which fixes all security vulnerabilities published as of May 22, 2007. The related advisory is published at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml.


CSCsd85852

Symptoms: When a PVC is shut down on the remote side, the PVC subinterface on a router transitions from the down state to the up state within one second, but then remains in the down state after the down retry timers expire.

Conditions: This symptom is observed on a Cisco router that is configured for Operation, Administration, and Maintenance (OAM) and Dynamic Bandwidth Selection (DBS).

Workaround: There is no workaround.

CSCsd87399

Symptoms: When the globally unique identifier (GUID) header is configured in the base-16 format, about 40 percent of the SIP calls may fail with a "500 response".

Conditions: This symptom is observed in a normal configuration on a gateway and dial peers when the GUID header is configured in the base-16 format (that is, with 35 characters) instead of the base-10 format (that is, with 43 characters).

Workaround: There is no workaround.

CSCsd87652

Symptoms: On a Cisco 7200 series router, random packet drops are seen when a GRE tunnel fragments packets, and the tunnelled packets are encrypted.

Conditions: The problem is seen on a Cisco 7200 series router when CEF is configured, and fragmentation occurs on the tunnel, and a crypto map is configured on the physical output interface.

Workaround: Disable CEF.

CSCsd92405

A Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.

Cisco IOS is affected by the following vulnerabilities:

Processing ClientHello messages, documented as Cisco bug ID CSCsb12598

Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304

Processing Finished messages, documented as Cisco bug ID CSCsd92405

Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml.


Note: Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml.


A combined software table for Cisco IOS is available to aid customers in choosing a software release that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.

CSCsd93522

Symptoms: An NPE-G2 crashes when you first enter the no ima-group command, then you enter the atm vc command for the IMA group, and finally you enter the show vc command.

Conditions: This symptom is observed on a Cisco 7200 series that is configured with an IMA port adapter.

Workaround: First configure an IMA group. Then, configure a VC for this IMA group.

CSCsd93833

Symptoms: A router may reload when you unconfigure an ATM TDM connection on an E1 controller.

Conditions: This symptom is observed on a Cisco 3600 series router.

Workaround: There is no workaround.

CSCsd98525

Symptoms: An SSH version 2 (SSHv2) session is terminated prematurely.

Conditions: This symptom is observed when large chunks of data are transferred in the SSHv2 session, for example, when the show tech command is entered and the command output is transferred in the SSHv2 session.

Workaround: Use SSH version 1.

CSCse01124

Symptoms: The Hot Standby Router Protocol (HSRP) may not come up and may remain in the "Init" state, which can be verified in the output of the show standby brief command.

Conditions: This symptom is observed when dampening is configured on a native Gigabit Ethernet interface of a Cisco 7200 series or on a Fast Ethernet interface of a PA-FE-TX port adapter. Other types of interfaces are not affected.

Workaround: When the symptom has occurred, enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the Gigabit Ethernet and Fast Ethernet interfaces of all routers of the standby group.

To prevent the symptom from occurring, remove dampening from the Gigabit Ethernet and Fast Ethernet interfaces.

CSCse01143

Symptoms: IPC does not function after an RPR+ switchover has occurred.

Conditions: This symptom is observed on a Cisco 7500 series that is configured for RPR+ and dLFIoLL.

Workaround: Reload the microcode onto the router.

CSCse01847

Symptoms: When agentless hosts are allowed network access, a loss of connectivity may occur during reauthentication.

Conditions: This symptom is observed when the host does not have a Cisco Trust Agent (CTA) configured.

Workaround: There is no workaround.

Further Problem Description: When an agentless host is authorized for network access, a dynamic access policy is applied for the host. This access policy is removed at the beginning of the reauthentication process, and re-applied at the end of reauthentication process. During the reauthentication process, no access policy is applied for the host. This situation may cause a disruption to network access.

CSCse03855

Symptoms: An IP phone display remains stuck at "Enter Number" for the duration of an outgoing call to the PSTN.

Conditions: This symptom is observed when the IP phone runs CME version 3.3 and is connected to a BRI ISDN interface on a Cisco router that runs Cisco IOS Release 12.4. When you enable the debug isdn q931 command, the following message is displayed in response to an outgoing setup message:

ISDN BR0/2/0 Q931: RX <- SETUP_ACK pd = 8 callref = 0x83
Channel ID i = 0x89
Progress Ind i = 0x8288 - In-band info or appropriate now available

Workaround: Prevent the Telco from sending the following information in the setup_ack message:

Progress Ind i = 0x8288 - In-band information or appropriate now available

Note that the symptom does not occur in Cisco IOS Release 12.3(11)T10 and with CME version 3.2.

CSCse11638

Symptoms: A voice gateway reloads while bulk calls are being processed.

Conditions: The symptom is observed on a Cisco voice gateway that runs VXML applications that stream voice prompts from an HTTP server.

Workaround: Enter the ivr prompt streamed none command on the voice gateway.

CSCse12154

Symptoms: A router may crash because of a bus error when you enter the copy scp command to copy a configuration.

Conditions: This symptom is observed on a Cisco router that is configured for SSH.

Workaround: Do not use SCP. Rather, use Remote Copy Protocol (RCP) or use a TFTP transfer.

CSCse15025

Symptoms: An analog or digital CAS port enters a state in which inbound or outbound calls, or both, may no longer function through the port.

Conditions: This symptom is observed on a Cisco 2800 series and Cisco 3800 series that function as gateways with analog or digital CAS ports that use PVDM2 DSP modules.

When this problem occurs, it impacts multiple ports that share the same signaling DSP. The output of the show voice dsp signaling EXEC command shows which DSP is used by a port for signaling. The symptom may occur more often for ports that use DSP 1 on the PVDM2 module for signaling.

Because this issue impacts the signaling channels, calls either do not connect at all through impacted ports or, in some cases when multiple simultaneous calls are present on adjacent voice ports or timeslots, connect momentarily before being disconnected.

If a problem occurs only on a single voice port, there is another problem, not this caveat (CSCse15025). PRI/BRI calls are not affected because PRI/BRI does not utilize the DSP for signaling purposes.

When the symptom occurs with either a VIC2-xFXO or EVM DID/FXS module, enter the terminal monitor command followed by the test voice port port-number si-reg-read 39 1 command for one of the affected ports. The output typically should be a single octet value for register 39. When the symptom occurs, information for Registers 40, 41, and 42 is presented and some of the registers show double-octet information. See the example output (2) below.

When the symptom occurs with FXS or analog E&M modules, enter the terminal monitor command followed by the test voice port port-number codec-debug 10 1 command for one of the affected ports. The output typically should be a single octet value for each register. See the example output (4) below.

Workaround: There is no workaround to prevent the symptom from occurring. When the symptom has occurred, you must reload the gateway to restore proper operation.

Further Problem Description: The changes in CSCse15025 include the changes in CSCsc11833 and CSCsd90851. These changes have been shown to help mitigate this problem in the majority of cases.

There is a further detection and reset mechanism in CSCse15025 that will recover the DSP which is in this state. This mechanism will trigger immediately if the impacted voice port is an analog FXO port. For other voice ports, a delay in the detection will be present and it is possible to see the symptom of this problem before the recovery code triggers.

Note that the reset mechanism will cause any active calls utilizing the DSP in question to be dropped.

If you run modules that can be impacted by this issue, it is recommended that you upgrade to a software release that contains the changes in CSCse15025. If the DSP is reset and the output below is seen, contact the TAC for further assistance. Note that this output is sent at debug level, so it is recommended to enable either syslog or buffered logging on the gateway.

Buffered logging on the gateway is enabled through a global configuration command; for example, logging buffered 50000 debug sets the logging buffer to use 50K bytes of processor memory. The log output can be viewed with the EXEC command show log.

----

Example output when detection and recovery code on gateway triggers:

*May 31 14:30:43.343: TDM pointers: 0100 0100 0115 0115. Deltas: 0001 0000.

*May 31 14:30:43.347: Received alarm indication from dsp(0/1)

0030 0000 0080 0000 0013 4100 2E2E 2F2E 2E2F 6D6F 6475 6C65 732F 7363 6865 6475 6C65 2F64 6562 7567 2E63 2833 3634 2900

*May 31 14:30:43.347: ../../modules/schedule/debug.c(364)

*May 31 14:30:43.347: %LINK-3-UPDOWN: Interface Foreign Exchange Office 0/0/0, changed state to Administrative Shutdown

*May 31 14:30:43.647: %LINK-3-UPDOWN: Interface Foreign Exchange Office 0/0/1, changed state to Administrative Shutdown

*May 31 14:30:43.947: %LINK-3-UPDOWN: Interface Foreign Exchange Office 0/0/2, changed state to Administrative Shutdown

*May 31 14:30:44.247: %LINK-3-UPDOWN: Interface Foreign Exchange Office 0/0/3, changed state to Administrative Shutdown

*May 31 14:30:48.147: Crash dump CLI may not be configured, not able to get crash info, slot 0, dsp 1

*May 31 14:30:48.147: DSPDUMP - Recover slot 0 dsp 1

*May 31 14:30:48.147: DSPDUMP - ka sent 0, ka_cnt 51193, skip_ka 103079

*May 31 14:30:50.579: %DSPRM-5-UPDOWN: DSP 1 in slot 0, changed state to up

*May 31 14:30:50.947: %LINK-3-UPDOWN: Interface Foreign Exchange Office 0/0/0, changed state to up

*May 31 14:30:51.219: %LINK-3-UPDOWN: Interface Foreign Exchange Office 0/0/1, changed state to up

*May 31 14:30:51.371: %LINK-3-UPDOWN: Interface Foreign Exchange Office 0/0/2, changed state to up

*May 31 14:30:51.523: %LINK-3-UPDOWN: Interface Foreign Exchange Office 0/0/3, changed state to up

----

Following are command output examples:

1. Following is an example of normal output for FXO and EVM FXS ports.

For FXO ports, the value is usually 0x01 but for EVM FXS the value can be different. When you run the above-mentioned command, the expected output is that a single octet is displayed and only for register 39. (This command does not work for VIC-4FXS and VIC2-xFXS modules).

router#term mon

router#test voice port 0/3/3 si-reg-read 39 1

router#

Values read from SiLabs Codec connected to DSP 0, channel 11:

--------------------------------------------------------------

Register 39 = 0x01

2. Following is an example of output for FXO and EVM FXS ports that indicates that the symptom has occurred. Note that the exact output for the register values is different, but when the symptom occurs, different lines with information are displayed as shown below:

router#term mon

router#test voice port 0/3/3 si-reg-read 39 1

router#

Values read from SiLabs Codec connected to DSP 0, channel 11:

--------------------------------------------------------------

Register 39 = 0x5CB8

Register 40 = 0xFFFF

Register 41 = 0xFFFF

Register 42 = 0xFFFF

3. Following is an example of normal output for FXS and analog E&M modules. The values that are listed in a normal case may be different, but only four registers of a single octet should be displayed.

Values read from PEB2465 Codec connected to DSP 02 (channel 0):

---------------------------------------------------------------

Extended Register Values (XR4..XR1) = 00, CC, 50, 11

4. Following is an example of output for FXS and analog E&M modules that indicates that the symptom has occurred.

Values read from PEB2x65 Codec connected to DSP 0, channel 1:

------------------------------------------------------------

Extended Register Values (XR4..XR1) = D001, B83C, 3FF1, 63AC
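
The normal-versus-symptom rules from output examples 1 through 4 above can be checked mechanically. The following Python sketch is an added example, not Cisco code; the function names are hypothetical, and the four sample strings are copied from the examples above.

```python
import re

# "Register 39 = 0x01" lines printed by: test voice port <port> si-reg-read 39 1
REG_LINE = re.compile(r"^\s*Register\s+(\d+)\s*=\s*0x([0-9A-Fa-f]+)\s*$", re.M)
# "Extended Register Values (XR4..XR1) = 00, CC, 50, 11" printed by codec-debug 10 1
XR_LINE = re.compile(
    r"^\s*Extended Register Values \(XR4\.\.XR1\)\s*=\s*(.+?)\s*$", re.M)


def check_si_reg_read(output):
    """FXO / EVM FXS rule: only register 39 is shown, as a single octet."""
    findings = []
    for number, value in REG_LINE.findall(output):
        if int(number) != 39:
            findings.append(f"register {number} reported (only 39 expected)")
        if len(value) > 2:
            findings.append(f"register {number} = 0x{value} is wider than one octet")
    return findings


def check_codec_debug(output):
    """FXS / analog E&M rule: four extended registers, one octet each."""
    findings = []
    values = [v.strip() for v in XR_LINE.search(output).group(1).split(",")]
    if len(values) != 4:
        findings.append(f"{len(values)} extended register values shown, expected 4")
    for name, value in zip(("XR4", "XR3", "XR2", "XR1"), values):
        if not re.fullmatch(r"[0-9A-Fa-f]{1,2}", value):
            findings.append(f"{name} = {value} is not a single octet")
    return findings


def classify(output):
    """Return (status, findings); status is 'normal', 'symptom' or 'unknown'."""
    if REG_LINE.search(output):
        findings = check_si_reg_read(output)
    elif XR_LINE.search(output):
        findings = check_codec_debug(output)
    else:
        return ("unknown", ["no register lines recognised"])
    return ("symptom" if findings else "normal", findings)


# Sample outputs copied from examples 1 to 4 of this caveat.
EXAMPLE_1 = """Values read from SiLabs Codec connected to DSP 0, channel 11:
--------------------------------------------------------------
Register 39 = 0x01
"""
EXAMPLE_2 = """Values read from SiLabs Codec connected to DSP 0, channel 11:
--------------------------------------------------------------
Register 39 = 0x5CB8
Register 40 = 0xFFFF
Register 41 = 0xFFFF
Register 42 = 0xFFFF
"""
EXAMPLE_3 = """Values read from PEB2465 Codec connected to DSP 02 (channel 0):
---------------------------------------------------------------
Extended Register Values (XR4..XR1) = 00, CC, 50, 11
"""
EXAMPLE_4 = """Values read from PEB2x65 Codec connected to DSP 0, channel 1:
------------------------------------------------------------
Extended Register Values (XR4..XR1) = D001, B83C, 3FF1, 63AC
"""

if __name__ == "__main__":
    for label, text in (("1", EXAMPLE_1), ("2", EXAMPLE_2),
                        ("3", EXAMPLE_3), ("4", EXAMPLE_4)):
        status, findings = classify(text)
        print(f"example {label}: {status}")
        for finding in findings:
            print(f"  - {finding}")
```
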

CSCse16494

Symptoms: Traffic does not flow after a Route Processor Redundancy Plus (RPR+) switchover has occurred.

Conditions: This symptom is observed on a Cisco 7500 series that runs Cisco IOS Release 12.4 and that is configured for RPR+.

Workaround: After the RPR+ switchover has occurred, reload microcode onto the router.

CSCse16497

Symptoms: A Cisco VG224 may not boot and may generate the following error message:

... Error : glue magic numbers do not correspond

*** System received a Software forced crash *** ...

Conditions: This symptom is observed on a Cisco VG224 that runs Cisco IOS interim Release 12.4(7.24)T1 but may also affect Release 12.4.

Workaround: There is no workaround.

CSCse17175

Symptoms: The line protocol may go down on some of the serial interfaces of a 1-port multichannel STM-1 single mode port adapter.

Conditions: This symptom is observed on a Cisco router when the maximum number of channel groups (256) is configured on the port adapter.

Workaround: There is no workaround.

CSCse17317

Symptoms: A router may during an E1R2 test for different country codes and codecs.

Conditions: This symptom is observed on a Cisco router only when E1R2 digital semi-compelled signaling is used.

Workaround: There is no workaround.

CSCse22172

Symptoms: A Cisco 3845 may crash when you enter the copy system:running-config command to copy the configuration to a USB flash device.

Conditions: This symptom is observed on a Cisco 3845 that runs Cisco IOS interim Release 12.4(9.4).

Workaround: There is no workaround.

CSCse22900

Symptoms: The outgoing MPLS labels for packets that are forwarded via CEF and MPLS over a BGP route may not match the labels in the BGP table.

Conditions: This symptom is observed when there are two paths to a VPN prefix from the same egress next-hop router with different outgoing labels and when one path is a multipath candidate and the other path is not. The symptom occurs when the non-multipath candidate is withdrawn.

Workaround: Two paths to a VPN prefix from the same egress next-hop typically indicates a provisioning error and should be avoided. When the symptom has occurred, enter the clear ip route command for the prefix in the VRF.

CSCse23302

Symptoms: A stale LDP targeted session is not removed after a session flap has occurred, which can be verified in the output of the show mpls ldp neighbor command.

Conditions: This symptom is observed on a Cisco router when the LDP targeted session is removed and quickly re-added.

Workaround: There is no workaround.

CSCse24889

Symptoms: Malformed SSH packets may cause a memory leak.

Conditions: This symptom is observed on a Cisco platform that is configured for SSH version 2 after malformed SSH packets have been received.

Workaround: There is no workaround. You can reduce the number of locations that can connect to the router by using a VTY access list, as in the following example:

access-list 2 permit 10.1.1.0 0.0.0.255

access-list 2 deny any

line vty 0 4

access-class 2 in

end

More information about configuring VTY access lists is available in the following Cisco Tech Notes: http://www.cisco.com/warp/public/707/confaccesslists.html.
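
The access-class in the example above covers only line vty 0 4, so it is worth confirming that every VTY range in a configuration has an inbound access-class. The following Python audit is an added example, not Cisco code; it assumes show running-config text with indented sub-commands and numbered access-list entries only, and the sample configuration (including the uncovered line vty 5 15 range) is constructed for illustration.

```python
import re

ACL_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(.+)$")
VTY_RE = re.compile(r"^line vty\s+(\d+)(?:\s+(\d+))?$")
CLASS_RE = re.compile(r"^access-class\s+(\S+)\s+in\b")


def audit_vty_access(config):
    """Return (vty range, problem) tuples for VTY lines that lack the
    inbound restriction shown in the CSCse24889 workaround."""
    acls = {}      # ACL number -> list of (action, source) entries
    blocks = []    # one dict per "line vty" block, in config order
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        stripped = line.strip()
        if not stripped:
            continue
        if not line[0].isspace():
            # Any unindented command ("!", "end", a new section) closes the block.
            current = None
            acl = ACL_RE.match(stripped)
            if acl:
                acls.setdefault(acl.group(1), []).append(
                    (acl.group(2), acl.group(3).strip()))
                continue
            vty = VTY_RE.match(stripped)
            if vty:
                first = int(vty.group(1))
                last = int(vty.group(2) or vty.group(1))
                current = {"first": first, "last": last, "acl": None}
                blocks.append(current)
            continue
        if current is not None:
            access_class = CLASS_RE.match(stripped)
            if access_class:
                current["acl"] = access_class.group(1)

    findings = []
    for block in blocks:
        name = f"line vty {block['first']} {block['last']}"
        acl = block["acl"]
        if acl is None:
            findings.append((name, "no inbound access-class"))
        elif acl not in acls:
            findings.append(
                (name, f"access-class {acl} is not a numbered access-list in this config"))
        elif any(action == "permit" and source == "any"
                 for action, source in acls[acl]):
            findings.append((name, f"access-list {acl} permits any source"))
    return findings


# Constructed sample: ACL 2 and vty 0 4 follow the workaround above;
# vty 5 15 is an additional range left without an access-class.
SAMPLE_CONFIG = """\
access-list 2 permit 10.1.1.0 0.0.0.255
access-list 2 deny any
!
line vty 0 4
 access-class 2 in
line vty 5 15
 transport input ssh
!
end
"""

if __name__ == "__main__":
    for vty_range, problem in audit_vty_access(SAMPLE_CONFIG):
        print(f"{vty_range}: {problem}")
```
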

CSCse25166

Symptoms: A traceback may be generated when you enter the show funi pvc interface serial x/y command.

Conditions: This symptom is observed on a Cisco router when a null data structure is accessed.

Workaround: There is no workaround.

CSCse25331

Symptoms: After you upgrade Cisco IOS on a Cisco 7200 series router that uses a PA-A3-IMA, shaping accuracy problems can be observed. The PVC is shaped at a rate higher than the configured value.

Conditions: This problem is observed on a Cisco 7200 series router.

Workaround: There is no workaround.

CSCse34097

Symptoms: When a voice call is made to one of the busy channels of BRI/PRI port, the call gets rejected and then another call is made to the available port. The call gets connected, and the user hears an annoying hissing sound.

Conditions: The procedure to recreate this scenario is the following:

Phone a & b ---OGW --VoIP --TGW(2611) --BRI/PRI --PBX -- phone c & d

Phone a calls phone c;

Phone b calls phone c;

Phone b calls phone d;

Phone d picks up and hears a hissing noise.

Workaround: There is no workaround.

CSCse35588

Symptoms: Performance degrades when you add the inspect dns keywords in the Firewall policy table.

Conditions: This symptom is observed on a Cisco router and occurs because the inspect dns keywords use the old IDS code.

Workaround: Do not add the inspect dns keywords. Rather, add the udp keyword in the Firewall policy table.

CSCse39330

Symptoms: A router does not boot when you first enter the secure boot-image command followed by the format disk command and then you use the secure image to attempt to boot the router.

Conditions: This symptom is observed on a Cisco router that has an ATA file system.

Workaround: There is no workaround.

CSCse39452

Symptoms: OGW rejects incoming OLC from an alternate endpoint when the slow start procedure is used and so the call is rejected.

Conditions: This symptom has been observed when OGW is configured to use the slow start procedure.

Workaround: There is no workaround.

Further Problem Description: OGW is configured to use the slow start procedure. OGW receives alternate endpoints in the ACF. The call on the primary endpoint fails after H.245 procedures are completed and logical channels are opened. OGW then tries the call on the alternate endpoint, but it rejects the incoming OLC from the alternate endpoint, which results in call failure.

CSCse42444

Symptoms: When you run and monitor the cbQosCMDropPkt MIB variable, the counters may become stuck while the command line is growing properly. When you run and monitor the cbQosPoliceExceededPkt MIB variable, both counters report the same value.

Conditions: This symptom is observed on a Cisco platform that runs Cisco IOS Release 12.2(15)T13 but may also affect Release 12.4.

Workaround: There is no workaround.

CSCse42951

Symptoms: A spurious memory traceback may be generated during Certificate Authority (CA) enrollment.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS interim Release 12.4(9.9)T but may also affect Release 12.4.

Workaround: There is no workaround.

CSCse42991

Symptoms: A memory leak may occur in the CEF Scanner process of a Cisco 7200 VXR router that has an NPE-G1 processor when a virtual-template interface is configured to perform CEF load balancing on a per-packet basis instead of a per-destination basis.

Conditions: This symptom is observed on a 7204VXR that functions as an LNS and that runs the c7200-js-mz image of Cisco IOS Release 12.3(15) or the 7200-js-mz image of Cisco IOS Release 12.3(19). The symptom may also occur in other releases.

Workaround: Use the default CEF load balancing on a per-destination basis. If you need to configure load balancing on a per-packet basis, disable IP CEF accounting by entering the no ip cef accounting per-prefix non-recursive command.

CSCse43066

Symptoms: A Cisco Multiservice IP-to-IP Gateway (IPIPGW) may crash while functioning under stress.

Conditions: This symptom is observed on a Cisco IPIPGW that runs Cisco IOS interim Release 12.4(9.4) or interim Release 12.4(9.9)T.

Workaround: Configure slow start:

voice service voip

h323

call start slow

Note that the symptom does not occur in releases earlier than interim Release 12.4(9.4) or interim Release 12.7(7.24)T.

CSCse44240

Symptoms: No call may come up on a Cisco AS5400 or Cisco AS5850. The debug shows that DSP calls fail. Calls on SS7-H.323-SS7 legs and H.323-SS7-H.323 legs fail. (Setup calls on PRO-H.323-PRI legs are successful.)

Conditions: These symptoms are observed on a Cisco AS5400 and Cisco AS5850 that run Cisco IOS interim Release 12.4(9.11) in either an IUA or RLM configuration. The symptoms occur only when the originating gateway runs Release 12.4(9.11); the symptoms do not occur when both the originating and terminating gateways run Release 12.4(9.11).

Workaround: There is no workaround.

CSCse45425

Symptoms: A VAM2 may reset when it receives a malformed ESP packet, and a "Free Pool stuck" error message may be generated. This situation causes high CPU usage in the encryption process while the software is handling the encryption as opposed to the hardware. Even when the VAM2 recovers, the high CPU usage remains because the software-encrypted tunnels do not fall back to hardware encryption until the SA lifetime expires.

Conditions: This symptom is observed on a Cisco 7200 series that runs Cisco IOS Release 12.3(19) or Release 12.4(7a).

Workaround: There is no workaround to prevent the symptom from occurring. After the symptom has occurred and after the VAM2 has recovered, disable software encryption by entering the no crypto engine software ipsec command to force the encryption back to the hardware.

CSCse46908

Symptoms: A router may crash when you configure an IPv6 interface with a policy route map.

Conditions: This symptom is observed on a distributed platform when you first configure an IPv6 interface with an access control list (ACL) with a very long name and then configure a policy route map with a very long name.

Workaround: Do not use very long names for ACLs and policy route maps.

CSCse48814

Symptoms: A router crashes when you enter the ip nat outside interface configuration command on an interface.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS interim Release 12.4(9.13) or interim Release 12.4(09.19a) and that is configured for Network Based Application Recognition (NBAR).

Workaround: There is no workaround.

CSCse48847

Symptoms: A router that functions as a Home Agent (HA) may crash while it processes an AAA response and sends it back to the Mobile Node (MN) via a tunnel that is established between the HA and a Foreign Agent (FA). The symptom occurs because the memory stack becomes low on the HA.

Conditions: This symptom is observed on a Cisco router that functions as an HA and that runs Cisco IOS interim Release 12.4(9.13).

Workaround: There is no workaround.

CSCse49985

Symptoms: A software-forced crash may occur on a Cisco 3745, and an error message similar to the following may be displayed:

rcojx67-vgw01-3745 uptime is 1 day, 16 hours, 19 minutes

System returned to ROM by error - a Software forced crash, PC 0x60A87D38 at 15:59:36 GMT Tue May 16 2006

System restarted at 16:00:35 GMT Tue May 16 2006

System image file is "flash:c3745-ipvoice-mz.123-14.T3.bin"

Conditions: This symptom is observed on a Cisco 3745 that runs Cisco IOS Release 12.3(14)T3 only when there are some memory allocation failures. The symptom may also affect Release 12.4.

Workaround: There is no workaround.

CSCse50445

Symptoms: A router that is configured for AutoQoS may crash when the stack for the Exec process is running low.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS interim Release 12.4(9.13) or interim Release 12.4(09.19a).

Workaround: Enter the ip nbar protocol-discovery command.

CSCse52987

Symptoms: The line protocol on a newly configured SRP interface may remain down and does not come up after you have entered the no shutdown command.

Conditions: This symptom is observed on a Cisco router that has an SRP/DPT port adapter.

Workaround: There is no workaround.

CSCse53224

Symptoms: All of the (six) processors on a Multiprocessor WAN Application Module (MWAM) crash and reload continuously, causing the MWAM to remain inaccessible.

Conditions: This symptom is observed on an MWAM that is installed in a Cisco Catalyst 6500 series or Cisco 7600 series and that runs Cisco IOS interim Release 12.4(9.9) or a later release.

Workaround: There is no workaround.

CSCse55522

Symptoms: A Versatile Interface Processor (VIP) with CT3 PA crashes continuously.

Conditions: This symptom is observed on a Cisco router that is running Cisco IOS interim Release 12.4(9.9).

Workaround: There is no workaround.

CSCse55652

Symptoms: A router that is configured for distributed CEF may reload because of a bus error.

Conditions: This symptom is observed on a distributed router such as a Cisco AS5850 or Cisco 7500 series that runs Cisco IOS Release 12.4.

Workaround: There is no workaround.

CSCse56129

Symptoms: On a Cisco VG224 that is manufactured in May 2006 or later and that contains the new analog codec for the onboard analog FXS voice port, a voice port that is registered to a CallManager Express that runs Cisco IOS Release 12.4(4)XC may incorrectly detect a hookflash when a call is being picked up.

Conditions: This symptom is observed when, during the call pick-up, the CME sends an onhook to the port of the Cisco VG224, presents a new call, and immediately instructs the port to enter the connected state. During this sequence of events, the voice port on the Cisco VG224 incorrectly reports a hookflash. Note that the symptom may also occur in Release 12.4 or Release 12.4T.

Workaround: Enter the no supervisory disconnect lcfo command for the voice port of the Cisco VG224.

Further Problem Description: To find out whether or not the Cisco VG224 has the new analog codec installed, enter the show version command and look in the output for the following:

On-Board Twenty-Four FXS Analog Voice Module V2.1

A Cisco VG224 that does not have the new analog codec installed shows the following in the output of the show version command:

On-Board Twenty-Four FXS Analog Voice Module V1.3

CSCse56660

Symptoms: Inbound calls to FXO ports on Cisco IOS VoIP gateways connect, but audio is not present.

Conditions: With caller-id enable configured on FXO ports, the call will connect, but no audio is heard. When this occurs, the following error message can be seen at debug level:

Jun 20 01:41:15.855: mbrd_e1t1_vic_connect: setup failed

Jun 20 01:41:15.855: flex_dsprm_tdm_xconn: voice-port(0/0/1), dsp_channel (/0/2/0)

Workaround: Disable caller id on the voice-port.

CSCse59775

Symptoms: A Cisco 3845 that is configured for voice may reload because of a software-forced crash that is caused by a Redzone memory corruption.

Conditions: This symptom is observed on a Cisco 3845 that runs Cisco IOS interim Release 12.4(9.15).

Workaround: There is no workaround.

CSCse63494

Symptoms: A router that is configured for Real-Time Protocol (RTP) may generate CPUHOG events and a traceback similar to the following:

%SYS-3-CPUHOG: Task is running for (128000)msecs, more than (2000)msecs (951/33),process = VOIP_RTCP.

-Traceback= 0x60EA5A78 0x60EA5C5C 0x614AD39C 0x614B55BC 0x614B59A0

Alternatively, the router may unexpectedly reload and generate the following error message and traceback:

%SYS-2-WATCHDOG: Process aborted on watchdog timeout, process = VOIP_RTCP. -

Traceback= 0x60EA5A58 0x60EA5C5C 0x614AD39C 0x614B55BC 0x614B59A0

%Software-forced reload

Preparing to dump core...

Conditions: This symptom is observed on a Cisco router that receives a badly formatted RTP Control Protocol (RTCP) packet.

Workaround: There is no workaround.

Further Problem Description: Typically, the badly formatted RTCP packet is produced by a device that does not conform to the RFC 3550 standard.

CSCse68355

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCse79884

Symptoms: You may not be able to exit the session command.

Conditions: This symptom is observed on MWAM line card processors that are installed in a Cisco Catalyst 6500 series switch or a Cisco 7600 series router.

Workaround: If the session command is executed via a Telnet session to the supervisor engine: log in to the supervisor engine via its console to find out the line number in the output of the show user command that corresponds to the processor that is unable to exit from the session command. Look for IP address 127.0.0. <slot> <processor number used for session> to find the line number. Then, enter the clear line line number command to clear the session.

If the session command is executed from the MWAM console itself (which is stuck), there is no workaround.

CSCse85329

Symptoms: When you re-insert a PA-MC-8TE1+ port adapter in the same slot of a Cisco 7200 series via an OIR, the serial interface may enter the Down/Down state. When you enter the shutdown command followed by the no shutdown command on the T1 or E1 controller, the serial interface may transition to the Up/Down state, still preventing traffic from passing.

Conditions: This symptom is observed on a Cisco 7200 series that runs Cisco IOS Release 12.4(7) or a later release.

Workaround: Reload the router.

CSCse89105

Symptoms: RADIUS packets may be dropped or extra memory may be allocated when RADIUS packets are sent.

Conditions: These symptoms are observed on a Cisco platform that is configured for SSG when a RADIUS packet with a length of more than 1024 bytes is sent.

Workaround: There is no workaround.

CSCsf04754

Multiple Cisco products contain either of two authentication vulnerabilities in the Simple Network Management Protocol version 3 (SNMPv3) feature. These vulnerabilities can be exploited when processing a malformed SNMPv3 message. These vulnerabilities could allow the disclosure of network information or may enable an attacker to perform configuration changes to vulnerable devices. The SNMP server is an optional service that is disabled by default. Only SNMPv3 is impacted by these vulnerabilities. Workarounds are available for mitigating the impact of the vulnerabilities described in this document.

The United States Computer Emergency Response Team (US-CERT) has assigned Vulnerability Note VU#878044 to these vulnerabilities.

Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-0960 has been assigned to these vulnerabilities.

This advisory will be posted at http://www.cisco.com/warp/public/707/cisco-sa-20080610-snmpv3.shtml

CSCuk60910

Symptoms: A Cisco IOS router may detect a memory corruption and reload.

Conditions: An interface on the system must be configured for Van Jacobson TCP header compression, using the ip tcp header-compression command, and connected to a third-party system.

Workaround: There is no workaround.

Terminal Service

CSCej00344

Symptoms: A router that is configured for X.25 routing may reload unexpectedly.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.3(14)T2 with an X.25-over-TCP (XOT) configuration. The symptom may also affect Release 12.4 and Release 12.4T.

Workaround: There is no workaround.

Wide-Area Networking

CSCek28604

Symptoms: A Cisco AS5400 reloads unexpectedly because of a memory leak in the ISDN L2 process.

Conditions: This symptom is observed on a Cisco AS5400 that runs Cisco IOS Release 12.4(7) and that functions in a call manager-backhaul configuration after running under stress for about 24 hours.

The output of the show processes memory command, collected in regular intervals, shows a memory leak in the ISDN L2 process. The amount of memory that is held by the ISDN L2 process is very large, and the amount of free processor memory is small when the router reloads unexpectedly. This symptom is not observed on a Cisco AS5850, but may also occur on this platform when it runs under stress for more than 24 hours.

Workaround: Enter the isdn k 1 command on all backhauled serial interfaces.

CSCek40618

Symptoms: A router may crash because of an address error (load or instruction fetch) exception during normal operation.

Conditions: This symptom has been observed when the router is configured with VPDN and Multilink PPP, using Virtual-Template interfaces.

Workaround: There is no workaround.

CSCin98788

Symptoms: When a BBA group that is associated with a live PPPoE session is removed, the session is not cleared.

Conditions: This symptom is observed with either a named or a global BBA group.

Workaround: There is no workaround.

CSCsd19867

Symptoms: BRI interfaces do not come up when you reload a router. You must enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the affected BRI interfaces to bring them up.

Conditions: This symptom is observed when you enter the no isdn spoofing command and reload the router.

Workaround: Disable the no isdn spoofing command.

CSCsd38761

Symptoms: A router may crash when the AAA per-user attribute idletime is specified in the user profile.

Conditions: This symptom is observed on a Cisco router that is configured for PPP and AAA.

Workaround: Do not specify the AAA per-user attribute idletime in the user profile.

CSCsd72854

Symptoms: When IS-IS is configured on an MLP interface of a 6-port channelized T3 Engine 0 line card, the line card may fail to come up because PPP fails to negotiate OSICP on the MLP interface.

Conditions: This symptom is observed on a Cisco 12000 series router after you have reloaded the router.

Workaround: Increase the PPP timeout retry interval to 10 seconds by entering the ppp timeout retry 10 command on the interface. (The default timeout retry interval is 2 seconds).

CSCsd74130

Symptoms: When an HSSIRSET, SERRSET, or FDDIRSET error message is generated or when the output becomes stuck, a VIP does not come up during its first recovery attempt.

Conditions: This symptom is observed on a Cisco platform that is configured with a VIP when a CCB timeout occurs during an IDB reset or when the output becomes stuck.

Workaround: There is no workaround.

CSCsd81350

Symptoms: When asynchronous serial interfaces are used as member links in multilink PPP bundles, the router may crash due to memory corruption.

Conditions: This problem can occur under conditions where multilink fragmentation is done, and where the bundle includes at least one member link that is an asynchronous interface.

Workaround: Disable fragmentation on the bundle interface for any bundle that may include asynchronous links as members. Alternatively, if the use of multilink is not a requirement, disable multilink on the asynchronous interfaces.

CSCse05777

Symptoms: A router may reload unexpectedly when you configure more multilink interfaces than the maximum number that the router can support. The router should not reload but should generate an error message.

Conditions: This symptom is observed on any Cisco router that imposes a limit on the number of multilink interfaces.

Workaround: Do not exceed the maximum number of multilink interfaces.

CSCse16539

Symptoms: VPDN load balancing incorrectly biases to one LNS (IP address) instead of sharing the session load between the different LNSs after the LNSs return from the busy list.

Conditions: This occurs when multiple LNSs are configured for one vpdn-group and are unreachable. They are moved to the busy list. Once the LNSs become reachable again, this problem occurs.

Workaround: There is no workaround.

CSCse19642

Symptoms: The ISDN Layer-2 status may become "TEI_ASSIGNED" and may remain in this state even when you enter the clear interface command.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.4, Release 12.4(2)XA1, or Release 12.4(6)T and occurs under the following conditions:

X.25 is configured on a D channel for use in Japan with an ISDN carrier.

Both the B channel and D channel are used.

The clear interface bri 0 command is enabled.

In Layer-2 sequence, the router receives an "SABMEp" message irregularly between "IDREQ" and "IDASSN" messages from the ISDN switch.

Workaround: Reload the router.

Alternate Workaround: Disconnect and connect the cable on the U reference point (between the Telco and the DSU) and enter either one of the following command combinations instead of the clear interface bri 0 command:

The clear interface bri 0:0 and clear interface bri 0:1 commands.

The clear interface bri 0:0 and clear interface bri 0:2 commands.

CSCse45182

Symptoms: When a PPPoE server receives a second PADI from a client (that is, a PADI with the same unique client ID), the PPPoE server may send a PADS with an unknown MAC address.

Conditions: This symptom is observed on a Cisco platform that functions as a PPPoE server that has established a PPPoE session with a client and occurs while PPP LCP negotiation is in progress.

Workaround: There is no workaround.

CSCse64924

Symptoms: A router crashes when you configure a Frame Relay PVC bundle with Frame Relay FRF.9 payload compression.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS interim Release 12.4(9.15)T but may also affect other releases.

Workaround: There is no workaround.

CSCse71875

Symptoms: A router may crash when you enter the frame-relay inverse-arp ip dlci command.

Conditions: This symptom is observed when you attempt to configure a hunt-group member.

Workaround: Do not enter the frame-relay inverse-arp ip dlci command. Rather, configure the hunt-group master dialer interface.

CSCse78652

Symptoms: The queuing mode on Multilink interfaces is erroneously defaulting to fair queuing instead of FIFO. This is causing distributed Cisco Express Forwarding (dCEF) to fail on Cisco 7500 routers.

Conditions: This symptom happens on all Multilink interfaces.

Workaround: There is no workaround.

CSCse79994

Symptoms: BRI Layer 2 remains in the ESTABLISH_AWAITING_TEI state instead of entering the MULTIPLE_FRAME_ESTABLISHED state.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS interim Release 12.4(9.19a).

Workaround: There is no workaround.

Resolved Caveats—Cisco IOS Release 12.4(8d)

Cisco IOS Release 12.4(8d) is a rebuild release for Cisco IOS Release 12.4(8). The caveats in this section are resolved in Cisco IOS Release 12.4(8d) but may be open in previous Cisco IOS releases.

Basic System Services

CSCse66080

Symptoms: A memory leak may occur in the Entity MIB API process.

Conditions: This symptom is observed when an entity is registered with the same name as an entity that is already registered.

Workaround: There is no workaround.

CSCsf32390

Symptoms: When tuning particle clone, F/S, and header pools after these were made configurable via CSCuk47328, the commands may be lost on a reload.

Conditions: When the device is reloaded, the commands are not parsed, and the defaults become active. This may result in traffic loss if the increased buffers were needed to enable greater forwarding performance for the specific network design.

Workaround: Configure an applet to enter the buffer values again after a reload. A sample applet would be:

event manager applet add-buffer 
 event syslog occurs 1 pattern ".*%SYS-5-RESTART: System restarted --.*"
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "buffers particle-clone 16384"
 action 4.0 cli command "buffers header 4096"
 action 5.0 cli command "buffers fastswitching 8192"
 action 6.0 syslog msg "Reinstated buffers command"

CSCsg21398

Symptoms: The Cisco IOS software image may unexpectedly restart when a crafted "msg-auth-response-get-user" TACACS+ packet is received.

Conditions: This symptom is observed after the Cisco platform has sent an initial "recv-auth-start" TACACS+ packet.

Workaround: There is no workaround.

CSCsg48183

Symptoms: A router may unexpectedly send an ARP request from all its active interfaces to the nexthop of the network of an SNMP server.

Conditions: This symptom is observed on a Cisco router that has the snmp-server host command enabled after any of the following actions occur:

You reload the router.

A switchover of the active RP occurs.

You enter the redundancy force-switchover main-cpu command.

Workaround: There is no workaround.

CSCsg48725

Symptoms: A TLB exception may occur on a Cisco platform that functions as a PE router in an MPLS environment, and the following error message may be generated:

TLB (load or instruction fetch) exception, CPU signal 10 (BadVaddr : DEADBEF3)

Conditions: This symptom is observed on a Cisco platform when TACACS accounting and authorization are enabled and when the TACACS server is reachable through the global routing table.

Workaround: Disable AAA. If this is not an option, there is no workaround.

CSCsj44081

Cisco IOS Software has been enhanced with the introduction of additional software checks to signal improper use of internal data structures. This enhancement was introduced in select Cisco IOS Software releases published after April 5, 2007.

Details: With the new enhancement in place, Cisco IOS software will emit a %DATACORRUPTION-1-DATAINCONSISTENCY error message whenever it detects an inconsistency in its internal data structures. This is a new error message. The following is an example.

The %DATACORRUPTION-1-DATAINCONSISTENCY error message is preceded by a timestamp
May 17 10:01:27.815 UTC: %DATACORRUPTION-1-DATAINCONSISTENCY: copy error

The error message is then followed by a traceback.

It is important to note that this error message does not imply that packet data is being corrupted. It does, however, provide an early indicator of other conditions that can eventually lead to poor system performance or a Cisco IOS software restart.

Recommended Action: Collect "show tech-support" command output and open a service request with the Technical Assistance Center (TAC) or designated support organization. Pay particular attention to any other error messages or error symptoms that accompany the %DATACORRUPTION-1-DATAINCONSISTENCY message and note those to your support contact.

IP Routing Protocols

CSCec12299

Devices running Cisco IOS versions 12.0S, 12.2, 12.3 or 12.4 and configured for Multiprotocol Label Switching (MPLS) Virtual Private Networks (VPNs) or VPN Routing and Forwarding Lite (VRF Lite) and using Border Gateway Protocol (BGP) between Customer Edge (CE) and Provider Edge (PE) devices may permit information to propagate between VPNs.

Workarounds are available to help mitigate this vulnerability.

This issue is triggered by a logic error when processing extended communities on the PE device.

This issue cannot be deterministically exploited by an attacker.

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml.

CSCek47667

Symptoms: A router may not clear BGP routes when you enter the clear bgp ipv6 unicast * command.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.2SXF but is not release-specific.

Workaround: There is no workaround.

CSCsf20947

Symptoms: A default route that is defined by the neighbor default-originate command may be ignored by the BGP neighbor.

Conditions: This symptom is observed on a Cisco router after a route flap in the network causes the default route to be relearned.

Workaround: Manually clear the BGP neighbor to enable the router to correctly relearn the default route.

CSCsg00860

Symptoms: Enabling NAT outside on the public interface terminates the VPN connection as GREoverIPSEC. Inbound ACL applied on the public interface starts to drop decrypted GRE traffic.

Conditions: This symptom has been observed with the use of IP NAT outside on the public VPN interface.

Workaround: There are 2 workarounds:

1. Configure NAT translations for all traffic, to force NAT processing on the packet even if no address will actually be translated. Example:

ip nat inside source static 172.16.68.5 172.16.68.5

It is not a scalable workaround but may work for some deployments.

2. Configure an additional ACL entry in the inbound access-list to permit the incoming GRE traffic.

CSCsh02161

Symptoms: A Route Reflector (RR) does not withdraw a prefix that redistributes itself even if this prefix is removed from the BGP table.

Conditions: This symptom is observed on a Cisco router that functions as an RR that advertises two of the same prefixes with different Route Distinguishers (RDs) when one of these prefixes redistributes itself and when the other prefix is a route that is learned from an RR client via iBGP.

Workaround: There is no workaround.

CSCsh80678

Symptoms: New or flapping IGP routes may be injected into BGP even though no corresponding network statements exist.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.3(22) or a later release when the auto-summary command is enabled for BGP.

Workaround: Enter the no auto-summary command.

CSCsh90153

Symptoms: Connectivity is lost through a router when traffic is processed twice by NAT.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.4(8a), that is configured for NAT and PBR, and that has a firewall feature enabled. Under certain conditions, traffic is processed twice by NAT when it does not need to be.

Workaround: Remove the firewall configuration from the router.

Further Problem Description: Syslogs and the output of the show ip nat translation command show that traffic that is processed twice by NAT does not traverse the router.

CSCsi62559

Symptoms: OSPF packets with IP Precedence 0 are classified by SPD as priority packets. This is an error because only IP Precedence 6 packets should be classified as priority packets by SPD.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.2(18) or a later release but may also affect other releases.

Workaround: Use ACLs to block invalid IP control packets from reaching the control plane.

CSCsi84089

Symptoms: A few seconds after OSPF adjacencies come up, a router crashes because of a bus error.

Conditions: This symptom is observed on a Cisco router that functions as an ISR that is configured for OSPF.

Workaround: Add area 0 in the OSPF VRF processes.

Alternate Workaround: Enter the no capability transit command in the OSPF VRF processes.

CSCsi97586

Symptoms: A Cisco MGX-RPM-XF-512 resets after deleting Multicast VPN routing from a VRF and then deleting that VRF.

Conditions: This symptom has been observed on a system running Cisco IOS Release 12.4(6)T5 configured for Multicast VPN routing while deleting an interface.

Workaround: There is no workaround.

Miscellaneous

CSCds25257

Symptoms: A gatekeeper rejects new registration requests from a Cisco Unified CallManager (CUCM) or other H.323 endpoints with Registration Rejection (RRJ) reason of duplicateAlias. Attempting to clear this stale registration fails and a "No such local endpoint is registered, clear failed." error message is generated.

Conditions: This symptom is observed in the following topology:

CUCM H.225 trunks register to a gatekeeper (GK) cluster. Gatekeeper 1 (GK1) and gatekeeper 2 (GK2) are members of the GK cluster. The CUCM registers first to GK1, then fails over to GK2. This registration at GK2 sends an alternate registration to GK1. However, because of network issues, the unregistered indication does not reach GK1.

When the H.225 trunk attempts to register with GK1, it is rejected because the alternate registration is still present, and there is no way to clear it.

10.9.20.3       34273 10.9.20.3       32853 SJC-LMPVA-GK-1    H323-GW A
    ENDPOINT-ID: 450FC24400000000  VERSION: 5  AGE: 1618993 secs  
SupportsAnnexE: FALSE
    g_supp_prots: 0x00000050
    H323-ID: SJC-LMPVA-Trunk_4

Workaround: Reset the gatekeeper by entering the shutdown command followed by the no shutdown command, or reboot the affected GK.

CSCed57504

Symptoms: A router that is configured with a virtual template may reload unexpectedly.

Conditions: This symptom is observed on a Cisco router on which a session that uses a virtual-template is terminated and occurs when the session is cleared from a DSL CPE router that is the peer router for the connection.

Workaround: There is no workaround.

CSCek38201

Symptoms: A router may reload or display an alignment traceback when you enter the show crypto socket command.

Conditions: This symptom is observed on a Cisco router that has an OSPFv3 IPSecv6 configuration.

Workaround: There is no workaround. To prevent the symptom from occurring, do not enter the show crypto socket command in an OSPFv3 IPSecv6 configuration.

CSCek45344

Symptoms: A Cisco AS5400XM gateway crashes after 24 hours of stress with E1-R2 calls.

Conditions: This symptom occurs in stress conditions after a period of 24 hours.

Workaround: There is no workaround.

CSCek47653

Symptoms: A voice gateway may crash because of a bus error that is related to an MGCP Visual Message Waiting Indicator (VMWI) function.

Conditions: This symptom is observed on a Cisco IAD 2430 that runs Cisco IOS Release 12.3(14)T2. The symptom may also affect Release 12.4 and Release 12.4T.

Workaround: There is no workaround.

CSCek48251

Symptoms: When you enter the redundancy switch-activity force command on the active eRSC of a Cisco AS5850 while incoming VoIP H.323 calls and outgoing CAS calls are being processed, the standby eRSC does become the active eRSC and processes the calls but soon afterwards may crash at "csm_enter_idle_state."

Conditions: This symptom is observed on a Cisco AS5850 that runs Cisco IOS Release 12.4(9)T and that functions in RPR+ mode. The symptom may also affect Release 12.4.

Workaround: There is no workaround.

Further Problem Description: The symptom does not occur when PRI calls are being processed.

CSCek55486

Symptoms: The native Gigabit Ethernet (GE) interface on an NPE-G1 card may reset unexpectedly.

Conditions: This symptom is observed on a Cisco 7200 series when the underrun counter for the native GE interface increments continuously. You can verify the underrun counter in the output of the show interfaces gigabitethernet slot/port command.

Workaround: There is no workaround.

CSCek64188

Symptoms: An error message indicating memory leak and pending transmission for IPC messages is displayed as follows:

*Dec  3 01:31:31.792: %IPC-5-WATERMARK: 25642 messages pending in xmt for the port Primary RFS Server Port(10000.C) from source seat 2150000
*Dec  3 01:32:01.489: %SYS-2-MALLOCFAIL: Memory allocation of 4268 bytes failed from 0x9F32944, alignment 32

Conditions: This issue is triggered by CSCeb05456 and is applicable only if your Cisco IOS image has integrated the fix of CSCeb05456.

Workaround: Periodically reload the router so that the IPC buffer pool is reinitialized.

CSCsc72722

Symptoms: TCP connections that are opened through a Cisco IOS Firewall (CBAC) may not time out.

Conditions: With Cisco IOS Firewall (CBAC) enabled, the TCP idle timer for a session may be reset even by TCP packets that fail TCP inspection and are subsequently dropped. This could lead to the TCP session not timing out.

Workaround: There is no workaround.

CSCsd28214

Symptoms: A Cisco router may crash because of a watchdog timeout while running the RIP routing protocol.

Conditions: This symptom is observed on a router that runs Cisco IOS Release 12.3(19) when an interface changes state at the exact same time that a RIP route that was learned on this interface is being replaced with a better metric redistributed route. For example, when RIP has learned the 192.168.1.0 network from Fast Ethernet 1/0 interface and then RIP learns the 192.168.1.0 network from a redistributed protocol that has a better metric, the RIP route is removed. However, when during this time the Fast Ethernet 1/0 interface goes down, the router may crash because of a watchdog timeout. Note that the symptom may also affect other releases.

Workaround: There is no workaround.

CSCsd34529

Symptoms: A Cisco router may crash when a policy map is simultaneously displayed and unconfigured.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.4T but may also affect Release 12.4. The symptom occurs when the show policy-map command is entered via one CLI session while the no policy-map policy-map-name command is entered via another CLI session.

Workaround: There is no workaround.

CSCsd80754

Symptoms: The active router in an HSRP configuration may not respond to an ARP request for the virtual IP address. When the symptom occurs, both routers in the HSRP configuration have correct HSRP and ARP entries. Entering the clear arp command on the standby router in the HSRP configuration does not resolve the problem.

Conditions: This symptom is observed when the same HSRP virtual IP address exists in different HSRP groups on different routers.

Workaround: Enter the no standby redirects command to prevent the symptom from occurring.

CSCsd81407

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml.

CSCsd85587

A vulnerability has been discovered in a third party cryptographic library which is used by a number of Cisco products. This vulnerability may be triggered when a malformed Abstract Syntax Notation One (ASN.1) object is parsed. Due to the nature of the vulnerability it may be possible, in some cases, to trigger this vulnerability without a valid certificate or valid application-layer credentials (such as a valid username or password).

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.

The vulnerable cryptographic library is used in the following Cisco products:

Cisco IOS, documented as Cisco bug ID CSCsd85587

Cisco IOS XR, documented as Cisco bug ID CSCsg41084

Cisco PIX and ASA Security Appliances, documented as Cisco bug ID CSCse91999

Cisco Unified CallManager, documented as Cisco bug ID CSCsg44348

Cisco Firewall Service Module (FWSM), documented as Cisco bug ID CSCsi97695

This vulnerability is also being tracked by CERT/CC as VU#754281.

Cisco has made free software available to address this vulnerability for affected customers. There are no workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml.

Note: Another related advisory is posted together with this Advisory. It also describes vulnerabilities related to cryptography that affect Cisco IOS. A combined software table for Cisco IOS only is available at http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml and can be used to choose a software release which fixes all security vulnerabilities published as of May 22, 2007. The related advisory is published at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml.

CSCsd95616

Two crafted Protocol Independent Multicast (PIM) packet vulnerabilities exist in Cisco IOS software that may lead to a denial of service (DoS) condition. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml.

CSCse18355

Symptoms: A Cisco AS5850-ERSC gateway reboots continuously with the message:

Bundled Rommon and FPGA versions are different from
 the current system version. Updating the system.
 This might take a while

 System reload is required before upgrade can be done.
 Rebooting the system ..
 !

Conditions: This symptom has been observed when a Cisco AS5850-ERSC gateway is running Cisco IOS interim Release 12.4(7.24)T.COMP.

Workaround: Boot to ROM monitor mode and enter the following commands:

SKIP_UPGRADE=1
sync

This step skips the upgrade process. To revert, enter the following commands:

unset SKIP_UPGRADE
sync

CSCse24889

Symptoms: Malformed SSH version 2 packets may cause a memory leak, causing the platform to operate under a degraded condition. Under rare circumstances, the platform may reload to recover itself.

Conditions: This symptom is observed on a Cisco platform that is configured for SSH version 2 after it has received malformed SSHv2 packets.

Workaround: As an interim solution until the affected platform can be upgraded to a Cisco IOS software image that contains the fix for caveat CSCse24889, configure SSH version 1 from the global configuration mode, as in the following example:

config t
ip ssh version 1
end

Alternate Workaround: Permit only known trusted hosts and/or networks to connect to the router by creating a vty access list, as in the following example:

! 10.1.1.0/24 is a trusted network that is permitted access to the router;
! all other access is denied.
access-list 99 permit 10.1.1.0 0.0.0.255
access-list 99 deny any
!
line vty 0 4
 access-class 99 in
end

Further Problem Description:

For information about configuring vty access lists, see the Controlling Access to a Virtual Terminal Line document:

http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_cntrl_acc_vtl_ps6350_TSD_Products_Configuration_Guide_Chapter.html

For information about SSH, see the Configuring Secure Shell on Routers and Switches Running Cisco IOS document:

http://www.cisco.com/warp/public/707/ssh.shtml
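
The vty access list workaround for CSCse24889 only limits exposure if every vty range carries an inbound access-class and the referenced list is narrow. The following Python check is an added example, not Cisco code: the function names and the sample configuration are constructed for illustration, and it assumes numbered standard ACLs in running-config syntax.

```python
import re
from ipaddress import IPv4Address, IPv4Network

# Constructed running-config fragment for the demonstration (not from a real device).
SAMPLE_CONFIG = """\
access-list 99 permit 10.1.1.0 0.0.0.255
access-list 99 deny any
access-list 98 permit any
!
line con 0
line vty 0 4
 access-class 99 in
 transport input ssh
line vty 5 15
 transport input ssh
line vty 16 20
 access-class 98 in
line vty 21 22
 access-class 97 in
end
"""

ACL_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(.+)$")
VTY_RE = re.compile(r"^line\s+vty\s+(\d+)(?:\s+(\d+))?$")
CLASS_RE = re.compile(r"^access-class\s+(\S+)\s+in\b")


def parse_source(spec):
    """Convert a standard-ACL source to an IPv4Network, or None if it cannot be evaluated."""
    tokens = spec.split()
    try:
        if tokens[0] == "any":
            return IPv4Network("0.0.0.0/0")
        if tokens[0] == "host":
            return IPv4Network(tokens[1] + "/32")
        addr = int(IPv4Address(tokens[0]))
        has_wildcard = len(tokens) > 1 and tokens[1] != "log"
        wild = int(IPv4Address(tokens[1])) if has_wildcard else 0
    except (ValueError, IndexError):
        return None
    if wild & (wild + 1):  # wildcard bits are not one contiguous low-order run
        return None
    return IPv4Network((addr & ~wild & 0xFFFFFFFF, 32 - wild.bit_length()))


def audit_vty(config, max_sources=65536):
    """Return {(first_vty, last_vty): [findings]} for every 'line vty' block."""
    acls, blocks, current = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        acl = ACL_RE.match(line)
        cls = CLASS_RE.match(line)
        if acl:
            entry = (acl.group(2), parse_source(acl.group(3)))
            acls.setdefault(acl.group(1), []).append(entry)
        elif line.startswith("line "):
            vty = VTY_RE.match(line)
            current = None
            if vty:
                current = (int(vty.group(1)), int(vty.group(2) or vty.group(1)))
                blocks[current] = None
        elif cls and current is not None:
            blocks[current] = cls.group(1)
        elif line and not raw[0].isspace():
            current = None  # any other top-level command closes the line block

    report = {}
    for span, name in blocks.items():
        findings = []
        if name is None:
            findings.append("no inbound access-class")
        elif name not in acls:
            findings.append(f"ACL {name} is not defined")
        else:
            for action, net in acls[name]:
                if action == "deny" and net is not None and net.prefixlen == 0:
                    break  # entries after 'deny any' are never reached
                if action == "permit" and (net is None or net.num_addresses > max_sources):
                    shown = net if net is not None else "a source needing manual review"
                    findings.append(f"ACL {name} permits {shown}")
        report[span] = findings
    return report


if __name__ == "__main__":
    for (first, last), findings in sorted(audit_vty(SAMPLE_CONFIG).items()):
        print(f"line vty {first} {last}: {'; '.join(findings) or 'restricted'}")
```

In the constructed sample, only vty 0 4 is restricted; the other ranges show the gaps that remain when the workaround is applied to a single vty block.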

CSCse56501

A device running Cisco IOS software that has Internet Protocol version 6 (IPv6) enabled may be subject to a denial of service (DoS) attack. For the device to be affected by this vulnerability the device also has to have certain Internet Protocol version 4 (IPv4) User Datagram Protocol (UDP) services enabled. To exploit this vulnerability an offending IPv6 packet must be targeted to the device. Packets that are routed through the router cannot trigger this vulnerability. Successful exploitation will prevent the interface from receiving any additional traffic. The only exception is Resource Reservation Protocol (RSVP) service, which if exploited, will cause the device to crash. Only the interface on which the vulnerability was exploited will be affected.

Cisco is providing fixed software to address this issue. There are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080326-IPv4IPv6.shtml.

CSCse75920

Symptoms: A Cisco router experiences a memory leak for the processes SCCP application and Chunk manager.

Conditions: The symptom has been observed after configuring the router for MTP and transcoding.

Workaround: There is no workaround.

CSCse91102

Symptoms: A Cisco IAD 2430 crashes on Cisco IOS Release 12.4(4)T2. Traceback decodes indicate memory corruption. The following events may also appear in the log:

%SYS-3-BADMAGIC: Corrupt block at 
%SYS-6-MTRACE: mallocfree: addr, pc 
%SYS-6-BLKINFO: Corrupted magic value in in-use block 
%SYS-6-MEMDUMP:

Conditions: The router crashes where the decodes indicate check heaps as the source with any or all of the following also included in decode:

crashdump
validblock
validate_memory
checkheaps
checkheaps_process

Workaround: There is no workaround.

CSCsf08998

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml.

CSCsg07907

Symptoms: A Cisco 3845 router unexpectedly reloads with a bus error, as seen in the output of the show version command, when the DSP mini logger is enabled (voice dsp <slot> command history enable).

Conditions: This symptom is observed on a Cisco 3845 router that is running Cisco IOS Release 12.4 with conferencing enabled on the DSP slot that minilogger is being turned on for.

Workaround: Disable conferencing on that slot, if possible.

CSCsg15598

The Intrusion Prevention System (IPS) feature set of Cisco IOS® contains several vulnerabilities. These include:

Fragmented IP packets may be used to evade signature inspection.

IPS signatures utilizing the regular expression feature of the ATOMIC.TCP signature engine may cause a router to crash resulting in a denial of service.

There are mitigations and workarounds for these vulnerabilities. Cisco has made free software available to address these vulnerabilities for affected customers.

This advisory is posted at:

http://www.cisco.com/warp/public/707/cisco-sa-20070213-iosips.shtml

CSCsg18933

Symptoms: A RIP route is learned from a RIP neighbor via a dialer interface (or other virtual interface type). When the neighbor disconnects and the interface goes down, the RIP route is removed from the RIP database. However, the RIP route remains in the routing table.

Conditions: This symptom is observed under the following conditions:

RIP is configured with the no validate-update-source command.

RIP routes are learned via a virtual interface.

The virtual interface is using a negotiated address.

The problem is platform-independent.

Workaround: Use the clear ip route command to remove the affected routes from the routing table.

CSCsg28628

Symptoms: NAS pkg asynchronous calls fail after a redundancy switchover has occurred, and the following error message is generated:

Modems unavailable

Conditions: This symptom is observed on a Cisco AS5850 that functions in RPR+ mode. This situation may impact service.

Workaround: There is no workaround to prevent the symptom from occurring. When the symptom has occurred, enter the redundancy switchover command a couple of times to restore the Cisco AS5850 to normal operation.

CSCsg40567

Symptoms: Malformed SSL packets may cause a router to leak multiple memory blocks.

Conditions: This symptom is observed on a Cisco router that has the ip http secure server command enabled.

Workaround: Disable the ip http secure server command.

CSCsg59326

Symptoms: When an ATM (that is, a cash machine, not a WAN platform) is connected to a switch service module, significant packet loss may occur.

Conditions: This symptom is observed on a Cisco 2800 series router.

Workaround: Change the Ethernet speed to 10 Mbps at both ends.

CSCsg70474

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml.

CSCsg76715

Symptoms: A device crashes when you delete an ACE that was inserted in the middle of the ACL rather than added at the end of the list.

Conditions: This symptom is observed when all of the following conditions are present:

The inserted ACE has a destination prefix length of 0, that is, it has an "any" statement instead of a destination address.

The ACL already has another ACE with the same SRC prefix length and a destination prefix length that is greater than 0 (that is, other than an "any" statement), and the inserted ACE has a lower sequence number than this other ACE.

The other ACE with a destination prefix length that is greater than 0 is deleted before you delete the inserted ACE.

Workaround: First, delete the inserted ACE. Then, delete the other ACE with the same SRC prefix length and a destination prefix length that is greater than 0.

Alternate Workaround: Delete the complete ACL.

CSCsg96319

Symptoms: When a reverse SSH session is established with valid authentication credentials, anyone can obtain unprivileged Telnet access to a system without being authenticated. This situation affects only reverse SSH sessions when a connection is made with the ssh -l userid :number ip-address command.

Conditions: This symptom is observed only when the Reverse SSH Enhancement is configured. This enhancement is documented at the following URL:

http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_rev_ssh_enhanmt_ps6441_TSD_Products_Configuration_Guide_Chapter.html

Workaround: Configure reverse SSH by entering the ip ssh port portnum rotary group command. This configuration is explained at the following URL:

http://www.cisco.com/en/US/tech/tk583/tk617/technologies_q_and_a_item09186a0080267e0f.shtml#newq1

CSCsg99814

Symptoms: On a router that functions in a GRE over IPSec or Virtual Tunnel Interface (VTI) configuration, an access control list (ACL) may be bypassed when there is an ACL on the tunnel interface.

Conditions: This symptom is observed when the ACL on the tunnel interface is configured on the outbound physical interface on which the IPSec tunnel is terminated.

Workaround: Apply the outbound ACL on the protected LAN interface instead of on the tunnel interface.

CSCsh33430

Symptoms: A traceback may occur in an HSRP function and the platform may reload unexpectedly.

Conditions: This symptom is observed on a Cisco platform that has the HSRP Support for ICMP Redirects feature enabled and occurs when a learned HSRP group is removed after a resign message has been received.

Workaround: Disable the Support for ICMP Redirects feature by entering the no standby redirects global configuration command.

CSCsh39318

Symptoms: A router may crash when the configured route limit is exceeded. When this situation occurs, the following error message is generated:

%MROUTE-4-ROUTELIMIT (x1): [int] routes exceeded multicast route-limit of [dec] - VRF [chars]

Conditions: This symptom is observed on a Cisco 10000 series that is configured for Multicast VPN but is platform-independent.

Workaround: There is no workaround.

CSCsh58082

Cisco devices running an affected version of Internetwork Operating System (IOS) which supports Session Initiation Protocol (SIP) are affected by a vulnerability that may lead to a reload of the device when receiving a specific series of packets destined to port 5060. This issue is compounded by a related bug which allows traffic to TCP 5060 and UDP port 5060 on devices not configured for SIP.

There are no known instances of intentional exploitation of this issue. However, Cisco has observed data streams that appear to be unintentionally triggering the vulnerability.

Workarounds exist to mitigate the effects of this problem on devices which do not require SIP.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070131-sip.shtml.

CSCsh75827

Symptoms: When a router that has the ssg intercept dhcp command enabled receives a DHCP packet from a host that has already logged out from a Subscriber Edge Services Manager (SESM), the router may unexpectedly reload because of a bus error.

Conditions: This symptom is observed on a Cisco router that functions as an SSG with PBHK enabled, when a host has received an IP address that is associated with a service (via the "J" Service-Info attribute), has logged out from the SESM, and then renews its IP address.

Workaround: There is no workaround.

CSCsh94526

Symptoms: When an acct-stop message is received for a non-RADIUS proxy user (that is, a normal IP user), a router that is configured for SSG crashes.

Conditions: This symptom is observed when SSG is configured for RADIUS proxy mode and when the ssg wlan reconnect command is enabled.

Workaround: There is no workaround.

CSCsh97579

Cisco devices running affected versions of Cisco IOS Software are vulnerable to a denial of service (DoS) attack if configured for IP tunnels and Cisco Express Forwarding.

Cisco has released free software updates that address this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-tunnels.shtml.

CSCsi01470

A vulnerability in the Cisco implementation of Multicast Virtual Private Network (MVPN) is subject to exploitation that can allow a malicious user to create extra multicast states on the core routers or receive multicast traffic from other Multiprotocol Label Switching (MPLS) based Virtual Private Networks (VPN) by sending specially crafted messages.

Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080326-mvpn.shtml.

CSCsi27540

Symptoms: A VSI session may become stuck in the "RESYNC_UNDERWAY" state, preventing LVC connections from being set up. This situation is not cleared automatically, and error messages are not flushed, as is shown in the output of the show controller vsi session command.

Conditions: This symptom is observed on a Cisco router that functions as a Label Switch Controller (LSC).

Workaround: There is no workaround.

CSCsi60004

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml.

CSCsi67763

The U.S. Computer Emergency Response Team (US-CERT) has reported a network evasion technique using full-width and half-width unicode characters that affects several Cisco products. The US-CERT advisory is available at the following link:

http://www.kb.cert.org/vuls/id/739224

By encoding attacks using a full-width or half-width unicode character set, an attacker can exploit this vulnerability to evade detection by an Intrusion Prevention System (IPS) or firewall. This may allow the attacker to covertly scan and attack systems normally protected by an IPS or firewall.

Cisco response is posted at the following link:

http://www.cisco.com/warp/public/707/cisco-sr-20070514-unicode.shtml
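The evasion described in CSCsi67763 works because a matcher that compares raw characters does not treat a full-width letter as its ASCII counterpart. The following is an added illustration of the generic defensive counterpart, not Cisco's fix and not code from the advisory: canonicalize input with Unicode NFKC before matching, and count width-form characters so that their presence in an ASCII-only field can be alerted on. The signature list, function names and sample request lines are constructed for the example; NFKC also folds other compatibility forms, so the example covers more than the full-width case.

```python
import unicodedata

# Hypothetical signature set for illustration; real IPS signatures differ.
SIGNATURES = ("cmd.exe", "/etc/passwd")

# Unicode "Halfwidth and Fullwidth Forms" block, U+FF00..U+FFEF.
WIDTH_FORMS = range(0xFF00, 0xFFF0)

# Constructed request lines. In the first one the letters of "cmd" and "exe"
# are full-width code points; the second is the plain ASCII equivalent.
SAMPLE_FULLWIDTH = "GET /scripts/\uff43\uff4d\uff44.\uff45\uff58\uff45 HTTP/1.0"
SAMPLE_ASCII = "GET /scripts/cmd.exe HTTP/1.0"


def naive_match(payload):
    """Match signatures against the payload without any canonicalization."""
    lowered = payload.lower()
    return [sig for sig in SIGNATURES if sig in lowered]


def canonicalize(payload):
    """Fold compatibility forms (full-width, half-width, ligatures) to base characters."""
    return unicodedata.normalize("NFKC", payload).casefold()


def count_width_forms(payload):
    """Count characters from the Halfwidth and Fullwidth Forms block."""
    return sum(1 for ch in payload if ord(ch) in WIDTH_FORMS)


def inspect(payload):
    """Match on the canonical form and report width-form usage as a separate signal."""
    canonical = canonicalize(payload)
    return {
        "signatures": [sig for sig in SIGNATURES if sig in canonical],
        "width_forms": count_width_forms(payload),
        "canonical": canonical,
    }


if __name__ == "__main__":
    for label, sample in (("ascii", SAMPLE_ASCII), ("full-width", SAMPLE_FULLWIDTH)):
        print(label, "naive:", naive_match(sample), "normalized:", inspect(sample))
```

A nonzero width_forms count in a field that should only carry ASCII, such as a URL path, is worth logging even when no signature matches.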

CSCsi84017

Symptoms: When you reload a Cisco 2600 series, the router may hang.

Conditions: This symptom is observed on a Cisco 2600 series when you attempt to run the c2600-entservices-mz image of Cisco IOS Release 12.4(9)T4. The symptom may also occur in other releases.

Workaround: There is no workaround.

TCP/IP Host-Mode Services

CSCse05736

Symptoms: A router that is running RCP can be reloaded by a specific packet.

Conditions: This symptom is seen under the following conditions:

The router must have RCP enabled.

The packet must come from the source address of the designated system configured to send RCP packets to the router.

The packet must have a specific data content.

Workaround: Put access lists on the edge of your network blocking RCP packets to prevent spoofed RSH packets. Use another protocol such as SCP. Use VTY ACLs.

Wide-Area Networking

CSCek59078

Symptoms: An L2TPv3 session is established when voluntary tunneling is configured and both peers have corresponding configurations. However, after you configure a pseudowire on a virtual PPP interface on one of the peers, the session on this peer is up but the line protocol is down, and a "virtual-PPP1 is up, line protocol is down" error message is generated.

Conditions: This symptom is observed when the virtual PPP interface is first deleted via the no interface virtual-ppp number command and then reconfigured via the interface virtual-ppp number command before you configure a pseudowire on the virtual PPP interface.

Workaround: Before you configure a pseudowire on the virtual PPP interface, ensure that the virtual PPP interface has never been unconfigured via the no interface virtual-ppp number configuration command.

CSCsb24255

Symptoms: A router may generate the following error message and a MALLOC failure may occur:

flex_dsprm_voice_connect: voice tdm connect failed
 
   

Conditions: This symptom is observed on a Cisco router that processes a large number of calls with a short call duration via an E1 PRI.

Workaround: There is no workaround.

CSCsc39890

Symptoms: A router that is running Cisco IOS may reload unexpectedly.

Conditions: For this symptom to occur, the router must be configured for ISDN. One possible trigger is when using SNMP to poll information about calls while the calls are in the process of completing.

Workaround: There is no workaround.

CSCsf30493

Symptoms: When a T.37 onramp call is made, the following error message may be generated:

%CSM-3-NO_VDEV: No modems associated
 
   

Conditions: This symptom is observed on a Cisco AS5850 that runs Cisco IOS interim Release 12.4(10.7). The symptom may not be platform-specific.

Workaround: There is no workaround.

CSCsh06841

Symptoms: A router may crash while establishing a PPP session.

Conditions: This symptom is observed when the ppp reliable-link interface configuration command is enabled on an interface that is bound to a dialer profile.

Workaround: Disable the ppp reliable-link interface configuration command, save the configuration, and reload the router. Disabling the command without reloading the router is not sufficient.
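Several caveats in this section state their conditions as configuration that can be checked offline. The following added example (not Cisco tooling and not part of the release notes) scans a saved running-config for the conditions of CSCsg40567, CSCsg18933 and CSCsh06841. The sample configuration is constructed, the function names are hypothetical, and two things are assumptions: that the HTTPS server appears in a configuration as ip http secure-server, and that a binding to a dialer profile appears as dialer pool-member on the interface.

```python
import re

# Constructed sample running-config (not taken from the release notes).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
ip http secure-server
!
interface Dialer1
 ip address negotiated
 encapsulation ppp
 dialer pool 1
!
interface Serial0/0
 no ip address
 encapsulation ppp
 dialer pool-member 1
 ppp reliable-link
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
router rip
 version 2
 no validate-update-source
 network 192.0.2.0
!
end
"""


def parse_blocks(config_text):
    """Return (global lines, {section header: [indented sub-commands]})."""
    global_lines, sections, current = [], {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None          # a separator closes the open section
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(line)
            continue
        global_lines.append(line)
        if re.match(r"(interface|router)\s", line):
            current = line
            sections.setdefault(current, [])
        else:
            current = None
    return global_lines, sections


def audit(config_text):
    """Return a list of (caveat id, location, note) for conditions that are met."""
    global_lines, sections = parse_blocks(config_text)
    findings = []

    # CSCsg40567: malformed SSL packets leak memory when the HTTPS server is on.
    # A "no ip http secure-server" line does not match the full pattern.
    if any(re.fullmatch(r"ip http secure[- ]server", l) for l in global_lines):
        findings.append(("CSCsg40567", "global",
                         "HTTPS server enabled; workaround is to disable it"))

    # CSCsg18933: stale RIP routes. Needs no validate-update-source under RIP
    # and a virtual interface that uses a negotiated address.
    virtual_negotiated = [
        name for name, body in sections.items()
        if re.match(r"interface (Dialer|Virtual-)", name, re.IGNORECASE)
        and "ip address negotiated" in body
    ]
    if "no validate-update-source" in sections.get("router rip", []) and virtual_negotiated:
        findings.append(("CSCsg18933", ", ".join(virtual_negotiated),
                         "clear ip route removes stale routes after the link drops"))

    # CSCsh06841: crash during PPP setup. Needs ppp reliable-link on an
    # interface bound to a dialer profile (assumed: dialer pool-member).
    for name, body in sections.items():
        bound = any(l.startswith("dialer pool-member") for l in body)
        if name.startswith("interface ") and "ppp reliable-link" in body and bound:
            findings.append(("CSCsh06841", name,
                             "disable ppp reliable-link, save, then reload"))
    return findings


if __name__ == "__main__":
    for caveat, where, note in audit(SAMPLE_CONFIG):
        print(f"{caveat:12} {where:22} {note}")
```

A match means only that the documented conditions are configured; whether the device is exposed still depends on the release it runs.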

CSCsh82513

Symptoms: The output of the show isdn active command may show disconnected calls.

Conditions: This symptom is observed on a Cisco router when analog modem calls are made after a normal ISDN digital call has been made.

Workaround: There is no workaround.

CSCsi74960

Symptoms: A router crashes while sending large control packets between the client and the L2TP Network Server (LNS) in an L2TP callback scenario.

Conditions: This symptom happens with a Cisco 7200 router that is running Cisco IOS interim Release 12.4(13.13)T1.

Workaround: There is no workaround.

CSCsj10593

Symptoms: A terminating gateway (TGW) that is configured for Cisco ISDN Interconnect for Voice Gateways Solution may crash.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS interim Release 12.4(15.6) and that functions as a TGW with all PRI switch types from the user to the network side. The symptom occurs when the isdn test call interface interface-number dialing-string command is entered at the platform on which the call is initiated, when the originating gateway (OGW) is configured for the National ISDN (primary-ni) switch type, and when the TGW is configured for the NT DMS-100 (primary-dms100) switch type. The symptom may also affect Release 12.4T.

Workaround: There is no workaround.

Resolved Caveats—Cisco IOS Release 12.4(8c)

Cisco IOS Release 12.4(8c) is a rebuild release for Cisco IOS Release 12.4(8). The caveats in this section are resolved in Cisco IOS Release 12.4(8c) but may be open in previous Cisco IOS releases.

Basic System Services

CSCsf19139

Symptoms: %RADIUS-3-NOSERVERS messages are logged after a reload in Cisco IOS Release 12.3(18). At this time, the RADIUS accounting tickets are not generated.

Conditions: This symptom has been observed on a Cisco AS5300 gateway.

Workaround: Enter into configuration mode and change the order of the servers under the server group.

CSCsg03830

Symptoms: The tacacs-server directed-request command appears in the running configuration when it should be disabled. When you disable the command by entering no tacacs-server directed-request and reload the router, the command appears to be enabled once more.

Conditions: This symptom is observed on a Cisco router that runs a Cisco IOS software image that integrates the fix for CSCsa45148, which disables the tacacs-server directed-request command by default.

A list of the affected releases can be found at http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsa45148. Cisco IOS software releases that are not listed in the "First Fixed-in Version" field at this location are not affected.

Temporary Workaround: Each time after you have reloaded the router, disable the command by entering no tacacs-server directed-request.

Miscellaneous

CSCek55511

Symptoms: A Cisco AS5400HPX that is running Cisco IOS Release 12.3(11)T7 may crash with IO Memory corruption.

Conditions: The crash may occur when polling for ccrpCPVGEntry, and resource pooling is enabled on the Gateway.

Workaround: Disable SNMP polling for ccrpCPVGEntry.

CSCsd50476

Symptoms: A serial link goes down.

Conditions: This symptom occurs when a T1/E1 controller that is configured with channel-group causes the serial link to go down. The CEM interface will not come up.

Workaround: There is no workaround.

CSCsd92405

A Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.

Cisco IOS is affected by the following vulnerabilities:

Processing ClientHello messages, documented as Cisco bug ID CSCsb12598

Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304

Processing Finished messages, documented as Cisco bug ID CSCsd92405

Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml.


Note: Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml.

A combined software table for Cisco IOS is available to aid customers in choosing a software release that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.

CSCse03855

Symptoms: An IP phone display remains stuck at "Enter Number" for the duration of an outgoing call to the PSTN.

Conditions: This symptom is observed when the IP phone runs CME version 3.3 and is connected to a BRI ISDN interface on a Cisco router that runs Cisco IOS Release 12.4. When you enable the debug isdn q931 command, the following message is displayed in response to an outgoing setup message:

ISDN BR0/2/0 Q931: RX <- SETUP_ACK pd = 8 callref = 0x83

Channel ID i = 0x89

Progress Ind i = 0x8288 - In-band info or appropriate now available

Workaround: Prevent the Telco from sending the following information in the setup_ack message:

Progress Ind i = 0x8288 - In-band information or appropriate now available

Note that the symptom does not occur in Cisco IOS Release 12.3(11)T10 and with CME version 3.2.

CSCse42141

Symptoms: T38 fax calls fail when they come inbound through DID Analog ports. In the debug h245 asn1, there is no OLCAck sent back towards the fax server.

Conditions: This symptom was only reproduced on analog ports. PRI works with the same configuration.

Workaround: Send the fax call through a PRI.

CSCse89373

Symptoms: A second PRI link gets deactivated, with no ability to process incoming and outgoing calls, when the second one is remotely, physically, manually (CLI command) deactivated.

Conditions: This symptom occurs when the first PRI is type primary-net5, and the second PRI is type primary-qsig. Deactivate the second PRI remotely or locally by physically disconnecting the cable or issuing the shutdown command under the corresponding E1 controller.

Workaround: There is no workaround.

CSCsf03412

Symptoms: The boot flash command or the boot TFTP crashes a router.

Conditions: This symptom is observed on a Cisco 3845 router that is running Cisco IOS Interim Release 12.4(7.24)T.

Workaround 1: Use the boot flash:<image name> command instead of the boot flash <imagename> command.

Workaround 2: Use Cisco IOS Release 12.3(11)T.

Workaround 3: Copy the image to flash and use the boot flash:<imagename> command, if the boot TFTP is the problem.

CSCsf28840

A vulnerability exists in the Data-link Switching (DLSw) feature in Cisco IOS where an invalid value in a DLSw message could result in a reload of the DLSw device. Successful exploitation of this vulnerability requires that an attacker be able to establish a DLSw connection to the device.

There are workarounds available for this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070110-dlsw.shtml

CSCsf31178

Symptoms: HWIC-1GE-SFP may experience an issue where the Gig Ethernet interface is "stuck" in a Line UP/Protocol Down state. While in this state, the interface will not pass traffic. Clearing the interface or manually disabling/enabling will clear the condition. This symptom does not occur when 1000BASE-T SFP is used.

Conditions: A Loss of Signal (for example, unplugging the cable) may cause the interface to become stuck in a Line UP/Protocol Down state.

Workaround: Clearing the interface or manually shutting it down, then bringing it back up will clear the problem.

CSCsf95938

Symptoms: There is a leak in middle buffers after all Onboard DSPRM Pools are depleted.

Conditions: This symptom is observed on a Cisco 3800 series router that is running Cisco IOS Release 12.4(7b) with support for CVP survivability.

Workaround: There is no workaround.

CSCsf98345

Symptoms: An MPLS LDP peer on a default VRF resets when a VRF interface goes down.

Conditions: This symptom is observed on a Cisco router when the VRF interface is configured with a subnetwork address that overlaps with the default router ID.

Workaround: Reconfigure the VRF interface address so it does not overlap with the default router ID.

CSCsg05350

Symptoms: A Cisco AS5850 crashes due to a chunk memory leak. See the following:

Sep 9 13:07:04.428: %DSMP-3-INTERNAL: Internal Error : NO MEMORY

-Traceback= 0x601C66D4 0x61596938 0x61579DB0 0x61279508 0x6127C34C 0x6127DB50 0x6127F6BC

Sep 9 13:07:04.468: %DSMP-3-INTERNAL: Internal Error : NO MEMORY

-Traceback= 0x601C66D4 0x61596938 0x61579DB0 0x61279508 0x6127C34C 0x6127DB50 0x6127F6BC

Sep 9 13:07:04.744: %MARVEL_HM-3-HM_RULES_RELOAD: Health Monitor causing a reload due to Fragmented processor_memory, Free processor_memory = 10402472 bytes, Largest processor_memory block = 522632 bytes

Conditions: This symptom occurs when there is a chunk memory leak.

Workaround: There is no workaround.

CSCsg11718

Symptoms: A VRF may become stuck in the "Delete Pending" state.

Conditions: This symptom is observed on a Cisco router that is configured for MPLS VPN and Half-Duplex VRF (HDVRF) when you delete the VRF and then associate it with an interface before it is completely deleted.

Workaround: To ensure that the VRF is properly deleted, enter the shutdown interface configuration command on the interface with which the VRF is associated or remove the interface with which the VRF is associated.

CSCsg16908

Multiple vulnerabilities exist in the Cisco IOS File Transfer Protocol (FTP) Server feature. These vulnerabilities include Denial of Service, improper verification of user credentials and the ability to read or write any file in the device's filesystem, including the device's saved configuration, which may include passwords or other sensitive information.

The Cisco IOS FTP Server is an optional service that is disabled by default. Devices that are not specifically configured to enable the Cisco IOS FTP Server service are unaffected by these vulnerabilities.

This vulnerability does not apply to the Cisco IOS FTP Client feature.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070509-iosftp.shtml.

CSCsg69205

Symptoms: On a Cisco PE router, "ip flow egress" configured on the PE-CE link does not capture traffic streams destined for the CE router.

Conditions: This symptom occurs when the MPLS interface is a multilink interface.

Workaround: Configure "mpls netflow egress" on the interface towards the CE. Afterwards, this command can be removed, and the traffic is still captured by netflow.

Wide-Area Networking

CSCir00712

Symptoms: On Cisco LAC software running Cisco IOS Release 12.3(14)T, when the fragmented data traffic is received on the LAC over the L2TP tunnel, the IP layer reassembles the packet and routes the packet on the wrong interface instead of consuming the L2TP data traffic locally.

Conditions: This symptom has been seen when fragmented L2TP data traffic is received on the LAC from the LNS over the L2TP tunnel.

Workaround: There is no workaround.

CSCse05777

Symptoms: A router may reload unexpectedly when you configure more multilink interfaces than the maximum number that the router can support. The router should not reload but should generate an error message.

Conditions: This symptom is observed on any Cisco router that imposes a limit on the number of multilink interfaces.

Workaround: Do not exceed the maximum number of multilink interfaces.

CSCse12198

Symptoms: Individual B-channels on the primary T1 in the NFAS group sometimes go OOS for no reason.

Conditions: This symptom is observed when connected to a Cisco PGW that is running Cisco IOS Release 9.3(2). The Cisco AS5400 is connected to the Cisco PGW that is running RLM in the Signaling/Nailed mode.

Also, the ISDN service sometimes goes OOS, and the channel state goes to 5, which is maintenance pending.

Workaround: When this happens, the ISDN service can be put back in service manually for an individual CIC, but the channel state cannot be put back in service manually unless the whole serial interface is bounced. This cannot be done when there is other traffic on the other B-channels.

CSCse34162

Symptoms: A Cisco router hangs after 5 to 10 minutes of passing traffic over a dialer interface.

Conditions: This symptom has been observed on a Cisco router running Cisco IOS Release 12.4(8) with PPP Multilink configured on a dialer interface and traffic is passing.

Workaround: There is no workaround. A reboot is required to recover.

CSCse78652

Symptoms: The queuing mode on multilink interfaces erroneously defaults to fair-queuing instead of FIFO, causing distributed Cisco Express Forwarding (dCEF) to fail.

Conditions: This symptom is observed on a Cisco 7500 series and occurs for all multilink interfaces. However, the symptom is platform-independent.

Workaround: There is no workaround.

CSCse81069

Symptoms: Unconfiguring the isdn service b_channel command is not taking effect. The command is not removed from the running configuration.

Conditions: This symptom occurs when configuring the isdn service b_channel command to a state other than the default value of 0 on the ISDN D channel.

Workaround: To remove the command, shut down the T1/E1 controller first and then unconfigure the command under the D channel serial interface.

CSCsg15642

Symptoms: A PSTN Gateway unexpectedly restarts due to a lack of memory. Over time, memory utilization increases, and the show processes memory sorted command indicates that the ISDN process is allocating an increased amount of memory.

Conditions: This leak occurs when a SETUP message with Display IE is received.

Workaround: There is no workaround.

CSCsg38412

Symptoms: When a Multilink PPP (MLP) session is established over an ISDN link, IPCP fails to negotiate. When the debug ppp negotiation command is enabled, you can see that IPCP packets from the peer are not processed. The output of the show interface command for the ISDN D-channel interface shows that the input queue limit is 0.

Conditions: This symptom is observed when the ISDN BRI or PRI interface is not configured as part of a dialer rotary group or dialer pool and when RADIUS is used to assign the multilink bundle to a VRF.

Workaround: Enter the dialer rotary-group command to assign the ISDN interface to a dialer.

CSCsg40885

Symptoms: A router crashes during Online Insertion and Removal (OIR) on MLP-PPP on a Cisco 7200 platform.

Conditions: This symptom is observed on a Cisco 7200 router that is configured for MLP-PPP.

Workaround: Shut the multilink interface before doing an OIR.

CSCsg50202

Symptoms: When a BRI interface flaps rapidly, ISDN Layer 1 detects that the link is down, but Layers 2 and 3 remain in the active state during the transition. This may cause the BRI interface to get stuck, so that subsequent incoming and outgoing calls are rejected.

Conditions: The symptom may be observed when the cable is pulled out and put back rapidly.

Workaround: Issue the clear interface command or the shutdown command followed by the no shutdown command on the affected BRI interface.

Resolved Caveats—Cisco IOS Release 12.4(8b)

Cisco IOS Release 12.4(8b) is a rebuild release for Cisco IOS Release 12.4(8). The caveats in this section are resolved in Cisco IOS Release 12.4(8b) but may be open in previous Cisco IOS releases.

Basic System Services

CSCir00074

Symptoms: A router crashes when the casnDisconnect object is set to "true" for a PPPoE session.

Conditions: This symptom is observed on a Cisco 10000 series when you attempt to terminate the PPPoE session through SNMP by using the casnDisconnect object of the CISCO-AAA-SESSION-MIB.

Workaround: There is no workaround.

CSCsd26248

Symptoms: A router set up to do dot1x authentication without accounting setup may experience a memory leak in process RADIUS until the process consumes all free memory.

Conditions: This leak occurs on a router that performs dot1x authentication without dot1x accounting configured and that is sent attribute 24 (state) or 25 (class) from the RADIUS server.

Workaround: There is no workaround.

IP Routing Protocols

CSCek14600

Symptoms: A traceback has been seen on this release.

Conditions: The symptom has been observed on Cisco IOS interim Release 12.4(04) T1fc2.

Workaround: There is no workaround.

CSCse29428

Symptoms: A crash is seen with %ALIGN-1-FATAL after showing %SYS-2-CHUNKEXPANDFAIL and %SYS-2-MALLOCFAIL repeatedly.

Conditions: This symptom is observed on a Cisco 3725 router that is running Cisco IOS Release 12.4(5a) with the c3725-advipservicesk9-mz image that is running IPSec VPN.

Workaround: There is no workaround.

CSCse56552

Symptoms: Connections fail through a router that uses CBAC. The pre-gen session is created, and the download or transfer begins. The pre-gen session times out and gets deleted from the router. Since the full session never gets established, the connection then times out on the host.

Conditions: This symptom is observed on a Cisco router that is running Cisco IOS Release 12.4(8) and using CBAC outbound on the outside interface when policy based routing is applied.

Workaround: There is no workaround.

Further Problem Description: This bug is first seen in Cisco IOS Interim Release 12.4(7.24).

CSCse58419

Symptoms: The memory consumption by the Chunk Manager process increases over time.

Conditions: This behavior is observed on certain occasions when NAT is configured. When NVI with VRF is set in the system, the memory leaks rapidly. When NAT with VRF is set in the system and either embedded address translation is needed or skinny protocol traffic is present, the memory leaks at a slow pace.

Workaround: There is no workaround.

CSCse98590

Symptoms: The router will display SYS-2-MALLOCFAIL messages on the console, and various protocols will operate erratically as a result of a low memory condition.

Conditions: When a router has to duplicate incoming IPv4 multicast packets for transmission on multiple interfaces, and one of those interfaces is a GRE tunnel operating in GRE IPv6 mode, then memory used to duplicate that packet stream will not be freed. As a result, the router will soon exhaust all available memory.

Workaround: The router will not exhaust memory if packets do not need to be duplicated (for example, if they enter on one interface and only exit the box through another interface), or if they do not need to duplicate to a tunnel interface that is running GRE over IPv6 (for example, tunnel mode GRE IPv4 does not have this problem).

CSCsf27220

Symptoms: A Cisco 7500 series router with any ATM Port Adapter may crash.

Conditions: This symptom is observed when a router is configured with the Next Hop Resolution Protocol (NHRP) feature. When sending traffic, the router will crash.

Workaround: There is no workaround.

ISO CLNS

CSCse85158

Symptoms: Locally advertised networks that are configured for the NSAP address-family under BGP will not be readvertised once they have been cleared from the BGP table.

Conditions: Once the clear bgp nsap unicast * command has been issued, the networks will no longer appear in the output of the show bgp nsap unicast command.

Workaround: There is no workaround.

Miscellaneous

CSCej14709

Symptoms: Minimal Disruptive Restart (MDR) does not function on a VIP4-50.

Conditions: This symptom is observed on a Cisco 7500 series that runs Cisco IOS Release 12.4.

Workaround: There is no workaround.

Further Problem Description: This caveat was opened to resolve an issue with enhanced Fast Software Upgrade (eFSU) for the Cisco 7500 series. However, the EFSU issue was resolved before EFSU was introduced in a hidden release for the Cisco 7500 series. (The EFSU feature is not generally available.)

CSCek45461

Symptoms: Path confirmation fails for voice calls on a Cisco AS5850. One-way audio may occur with manual phones.

Conditions: These symptoms are observed on a Cisco AS5850 that processes MGCP, H.323, and SIP calls.

Workaround: There is no workaround.

CSCek52778

Symptoms: Dialer idle timer is not reset by interesting traffic on ISDN NON-MLPP, Async MLPPP, Async PBR user sessions.

Conditions: This symptom is found on a Cisco AS5850 that is running Cisco IOS Release 12.4(7b). Problem may occur with involvement of virtual profiles.

Workaround: There is no workaround.

CSCin99565

Symptoms: A router that is configured for SSG may reload unexpectedly.

Conditions: This symptom is observed when both the Transparent Auto-Logon (TAL) and Port-Bundle Host-Key (PBHK) SSG features are enabled and when it takes a long time before the AAA server responds.

Workaround: There is no workaround.

CSCsc97398

Symptoms: The user information Layer 1 protocol may be included in the outgoing bearer capability and may be set to either G711 u-law or G711 A-law. Some PBXs may refuse the call because of this mismatch in the bearer capability.

Conditions: This symptom is observed when a call is made from H.323 to ISDN with unrestricted digital information bearer capability.

Workaround: There is no workaround.

CSCsd37629

Symptoms: Alignment errors and a bus error may occur on a Cisco platform that has the ip inspect command enabled.

Conditions: This symptom is observed on a Cisco platform that runs Cisco IOS Release 12.4 or Release 12.4T.

Workaround: Disable the ip inspect command.

CSCsd88768

Symptoms: With PPP multilink configured on serial links on PA-MCX-8TE1, the following error message may be seen:

%SYS-2-BADSHARE: Bad refcount in datagram_done, ptr=3, count=0

Conditions: With PPP multilink configured on serial links on PA-MCX-8TE1 and when traffic is flowing, the following error message may be seen:

%SYS-2-BADSHARE: Bad refcount in datagram_done, ptr=3, count=0

Workaround: There is no workaround.

CSCse05642

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCse50887

Symptoms: MGCP IOS Gateway sees the following:

%PARSER-4-BADCFG: Unexpected end of configuration file.

and then:

config term router(UNKNOWN-MODE)

Or, the show running-config command output is only 5 bytes.

Conditions: This symptom occurs under the following conditions:

Use MGCP with the ccm-manager config command

Have more than 20 MGCP end points (voice ports)

Run Cisco IOS Release 12.3(11)T or later releases

Reset device pool from Cisco CallManager

Workaround: Add the no ccm-manager config command.

CSCse55652

Symptoms: A router that is configured for distributed CEF may reload because of a bus error.

Conditions: This symptom is observed on a distributed router such as a Cisco AS5850 or Cisco 7500 series that runs Cisco IOS Release 12.4.

Workaround: There is no workaround.

CSCse63494

Symptoms: A router that is configured for Real-Time Protocol (RTP) may generate CPUHOG events and a traceback similar to the following:

%SYS-3-CPUHOG: Task is running for (128000)msecs, more than (2000)msecs (951/33),process = VOIP_RTCP.

-Traceback= 0x60EA5A78 0x60EA5C5C 0x614AD39C 0x614B55BC 0x614B59A0

Alternatively, the router may unexpectedly reload and generate the following error message and traceback:

%SYS-2-WATCHDOG: Process aborted on watchdog timeout, process = VOIP_RTCP.

-Traceback= 0x60EA5A58 0x60EA5C5C 0x614AD39C 0x614B55BC 0x614B59A0

%Software-forced reload

Preparing to dump core...

Conditions: This symptom is observed on a Cisco router that receives a badly formatted RTP Control Protocol (RTCP) packet.

Workaround: There is no workaround.

Further Problem Description: Typically, the badly formatted RTCP packet is produced by a device that does not conform to the RFC 3550 standard.

CSCse64462

Symptom: A Cisco Systems 7200 series router may encounter a block overrun with Redzone corruption, and subsequently crash if Turbo ACL is configured and the following command is entered:

clear eou all

Error messages similar to the following will be output, with associated tracebacks:

%SYS-3-OVERRUN: Block overrun at <address> (red zone <value>)

%SYS-6-BLKINFO: Corrupted redzone blk <address>

Conditions: This symptom is observed on a Cisco 7200 series router running Cisco IOS Release 12.4 that is configured for Turbo ACL and when the following command is entered:

clear eou all

Workaround: Disable Turbo ACL by entering the following command:

no access-list compiled

CSCse68138

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCse68355

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCse69335

Symptoms: A Media Gateway Control Protocol (MGCP) FXS/FXO port and Cisco IOS T1CAS reset during hookflash transfer when CCM is the call agent.

Conditions: This symptom is seen when two consecutive RQNT messages with the S: rel event are received at the Cisco IOS gateway. In this condition, the second RQNT message is not acknowledged by the Cisco IOS gateway, which results in a reset of all the MGCP endpoints on the Cisco IOS gateway.

Workaround: There is no workaround.

CSCse85329

Symptoms: When you re-insert a PA-MC-8TE1+ port adapter in the same slot of a Cisco 7200 series via an OIR, the serial interface may enter the Down/Down state. When you enter the shutdown command followed by the no shutdown command on the T1 or E1 controller, the serial interface may transition to the Up/Down state, still preventing traffic from passing.

Conditions: This symptom is observed on a Cisco 7200 series that runs Cisco IOS Release 12.4(7) or a later release.

Workaround: Reload the router.

CSCse89105

Symptoms: RADIUS packets may be dropped or extra memory may be allocated when RADIUS packets are sent.

Conditions: These symptoms are observed on a Cisco platform that is configured for SSG when a RADIUS packet with a length of more than 1024 bytes is sent.

Workaround: There is no workaround.

CSCse89402

Symptoms: The CPU stack frame may become corrupted when a channel-group is configured on the T1/E1 controller.

Conditions: This symptom is seen on mainboard WIC slots when the slot is configured for the "no network-clock participate."

Workaround: Use the VWIC in "network-clock participate" when installed in the mainboard WIC slot of the router.

Further Problem Description: In most situations, no problems are seen. In rare cases, a crash may occur.

CSCse93695

Symptoms: Three-way calls that involve the Broadsoft SIP server and Cisco IAD2400 series Integrated Access Devices may not work.

Conditions: This problem is observed in Cisco IOS Release 12.4(9)T.

Workaround: There is no workaround.

CSCse97112

Symptoms: A Cisco router may reload due to a bus error.

Conditions: This symptom is observed after the following command is issued:

no x25 map compressedtcp a.d.c.d ip e.f.g.h [ options ]

This may cause an Address Error (load or instruction fetch) exception, CPU signal 10.

Workaround: There is no workaround.

CSCsf04754

Multiple Cisco products contain either of two authentication vulnerabilities in the Simple Network Management Protocol version 3 (SNMPv3) feature. These vulnerabilities can be exploited when processing a malformed SNMPv3 message. These vulnerabilities could allow the disclosure of network information or may enable an attacker to perform configuration changes to vulnerable devices. The SNMP server is an optional service that is disabled by default. Only SNMPv3 is impacted by these vulnerabilities. Workarounds are available for mitigating the impact of the vulnerabilities described in this document.

The United States Computer Emergency Response Team (US-CERT) has assigned Vulnerability Note VU#878044 to these vulnerabilities.

Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-0960 has been assigned to these vulnerabilities.

This advisory will be posted at http://www.cisco.com/warp/public/707/cisco-sa-20080610-snmpv3.shtml

CSCsf09338

Symptoms: Calls coming from the CMM MTP have one-way audio when a call transfer is done on the other side.

Conditions: This symptom is observed when CMM is configured as MTP/XCode and running Cisco IOS Release 12.4(7b).

Workaround: There is no workaround.

CSCsf22493

Symptoms: The Cisco Communication Media Module (CMM) crashes when processing the UnsubscribeDtmf message.

Conditions: This symptom is observed when CMM XCODE/MTP is using Cisco IOS Release 12.4(8a) and RFC2833.

Workaround: There is no workaround.

CSCsg00602

Symptoms: A Cisco 3845 or Cisco 3825 router with AIM-VPN/HPII-PLUS(EPII-PLUS) may show the following symptoms:

1. show alignment errors

2. crash by bus error

3. XXX display by running the show crypto engine accel ring packet command

4. if a telnet session, which shows symptom three, is cut by "clear line," its related exec process does not disappear and starts to occupy CPU.

Conditions: This failure is seen on the Cisco 2600, Cisco 2800, Cisco 3600, Cisco 3700, Cisco 3800, and Cisco 1800 series routers that are configured with an AIM-VPNII or AIM-VPNII PLUS Virtual Private Network (VPN) encryption and hardware advanced integration module (AIM).

Workaround: Avoid running the show crypto engine accel ring packet command.

Wide-Area Networking

CSCek28604

Symptoms: A Cisco device may reload ("System returned to ROM") unexpectedly due to a memory leak in the ISDN L2 process.

Conditions: This symptom is observed on a Cisco device that functions in a call manager-backhaul configuration after running under stress for about 24 hours.

The output of the show processes memory command, collected at regular intervals, shows a memory leak in the ISDN L2 process. The amount of memory that is held by the ISDN L2 process will be very large and growing.

Workaround: Enter the isdn k 1 command on all backhauled serial interfaces.

CSCek55209

Symptoms: If the ppp multilink endpoint mac interface command or the ppp multilink endpoint ip a.b.c.d command is configured, the router may unexpectedly reload if the multilink interface goes to the DOWN state, for example, when a PVC virtual-circuit is unconfigured.

Conditions: This symptom is observed on a router with Multilink PPP.

Workaround: Do not use these configuration commands in Cisco IOS Releases 12.3, 12.4 or 12.2SB without a fix for this DDTS.

CSCek56250

Symptoms: A router may reload while executing the show ppp multilink command.

Conditions: This symptom is observed when a multilink bundle goes down while the output is being generated.

Workaround: There is no workaround.

CSCse79994

Symptoms: BRI Layer 2 remains in the ESTABLISH_AWAITING_TEI state instead of entering the MULTIPLE_FRAME_ESTABLISHED state.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS interim Release 12.4(9.19a).

Workaround: There is no workaround.

CSCse98867

Symptoms: A router may reload when a multilink bundle goes down while packets are flowing.

Conditions: This symptom is observed on a router that is configured for Multilink PPP (MLP) with hardware compression.

Workaround: There is no workaround.

CSCsf03251

Symptoms: Primary and backup NFAS interfaces may transition from WAIT to OOS even after receiving "in-service" message from the PSTN.

Conditions: This symptom is observed on a Cisco AS5400XM that is running several Cisco IOS 12.4 mainline and 12.4T releases.

Workaround: There is no workaround.

Resolved Caveats—Cisco IOS Release 12.4(8a)

Cisco IOS Release 12.4(8a) is a rebuild release for Cisco IOS Release 12.4(8). The caveats in this section are resolved in Cisco IOS Release 12.4(8a) but may be open in previous Cisco IOS releases.

Basic System Services

CSCek33076

Symptoms: A RADIUS progress code is incorrectly reported for a call that fails at IPCP. The progress code reports that the Link Control Protocol (LCP) is in the open state.

Conditions: This symptom is observed on a Cisco platform that runs Cisco IOS Release 12.4(3a) and that is configured for AAA.

Workaround: There is no workaround.

CSCin99788

Symptoms: The %AAA-3-ACCT_LOW_MEM_TRASH error message is generated repeatedly when the router runs low on memory, and AAA-related data may be leaked after this condition is hit.

Conditions: The likely trigger is an interface flap in which a huge number of sessions go down simultaneously and generate an enormous number of accounting-stop records. With a sluggish or unreachable AAA server, I/O memory is held for a long time while the router retries sending the accounting records.

Workaround: There is no workaround.

CSCsc97727

Symptoms: An access point may crash when you add or remove TACACS servers via the CLI.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.3(7)JA1 or Release 12.3(7)JA2 and that has the aaa accounting commands level default list-name group groupname command enabled. The symptom may also occur in other releases.

Workaround: Disable the aaa accounting commands level default list-name group groupname command.

Alternate Workaround: Use RADIUS instead of TACACS.

CSCsd99763

Symptoms: A Cisco 7200 series router reloads unexpectedly while a BGP access list is being configured.

Conditions: This symptom is observed on a Cisco 7206VXR (NPE-G1) processor (revision A). The following commands serve as an example that causes the router to reload unexpectedly:

config t
router bgp 100
neighbor EXTERNAL route-map MAP3 out
address-family ipv4 multicast
neighbor EXTERNAL route-map MAP3 out
!
ip as-path access-list 1 deny ^$
ip as-path access-list 2 permit ^(700)+(_1123)|_2374$|^(_700)+(_2374)+(_1123)+$
ip as-path access-list 3 permit _3400_
ip as-path access-list 4 permit ^(700)+(_3400)|_1123$|^700$|_23[0-9]$
!
route-map MAP3 permit 10
match as-path 1
!
route-map MAP3 deny 20
match as-path 2
!
route-map MAP3 permit 30
match as-path 3
!
route-map MAP3 permit 40
match as-path 4
set metric 300
end

Workaround: There is no workaround.

CSCse49728

Symptoms: SNMPv3 informs are not sent out after a device reload.

Conditions: This symptom is observed when SNMPv3 informs have been configured, and the device is reloaded.

Workaround: Re-enter any of the snmp-server host commands.

Interfaces and Bridging

CSCek27833

Symptoms: Pings with a datagram size of 1485 and above are not going across the bridge.

Conditions: This symptom is observed on a serial interface configured for PPP and part of the bridge group on a Cisco router.

Workaround: Increase the MTU size on the interfaces. For example, configure an MTU of 1524.

IP Routing Protocols

CSCed84633

Symptoms: The interface-type and interface-number arguments in the distribute-list address family configuration command do not function.

Conditions: This symptom is observed on a Cisco platform that integrates the fix for caveat CSCea59206. A list of the affected releases can be found at http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCea59206. Cisco IOS software releases that are not listed in the "First Fixed-in Version" field at this location are not affected.

Workaround: There is no workaround.

Further Problem Description: The fix for CSCed84633 re-enables the interface-type and interface-number arguments in the distribute-list address family configuration command for both VRF interfaces and non-VRF interfaces.

CSCek29860

Symptoms: A Cisco router may experience a software-forced crash.

Conditions: This symptom is observed on a Cisco router that is configured for secure NAT (SNAT), NAT Stateful Failover, and HSRP.

Workaround: There is no workaround.

CSCek42134

Symptoms: NAT Virtual Interface (NVI) per VPN routing/forwarding (VRF) is broken from inside to outside. The router shows CEF drops for the destination prefix although a route for this prefix exists in the VRF table.

Conditions: This symptom has been observed on Cisco IOS Release 12.3(14)T6 and Interim Release 12.4(7.20)T.

Workaround: Configure static translation for the destination prefix to itself.

CSCek43945

Symptoms: A memory leak may occur on a router that is configured for NAT and the router may eventually run out of memory.

Conditions: This symptom is observed on a Cisco router when NAT is configured.

Workaround: There is no workaround.

CSCse04037

Symptoms: A ping or a Telnet connection from an inside gateway to an outside gateway through a router that is configured for NAT may fail because of an error in the NAT table lookup process.

Conditions: This symptom is observed on a Cisco router when the preserve-port keyword is not configured in the ip nat service command and occurs whether or not NAT Overload is configured.

Workaround: There is no workaround.

CSCse04220

Symptoms: The BGP table version remains stuck at 1 following the issue of the clear bgp ipv4 uni * command for IPv4 or the clear bgp ipv6 uni * command for IPv6.

Issuing the clear bgp ipv4 uni * or clear bgp ipv6 uni * commands may also result in a crash.

Conditions: This symptom occurs when issuing the clear bgp ipv4 uni * or clear bgp ipv6 uni * commands.

Workaround: Using the clear ip bgp * command clears the sessions, and the BGP table is purged. The clear ip bgp * command will also avoid crashing the router.

ISO CLNS

CSCuk60585

Symptoms: A router that is configured for redistribution into ISO-IGRP may crash.

Conditions: This symptom is observed when the configuration is nvgened.

Workaround: There is no workaround.

Miscellaneous

CSCeg03885

This caveat consists of two symptoms, two conditions, and two workarounds, and only refers to routers that are configured with MPLS TE tunnels:

Symptom 1: Momentary packet loss may occur during tunnel reoptimization, usually several times between the creation of a new tunnel and the cleanup of the old tunnel. Sometimes, longer packet loss may occur during tunnel reoptimization.

Condition 1: This symptom is observed on any MPLS TE tunnel when the reoptimized label switched path (LSP) traverses a midpoint or headend router that runs Cisco IOS Release 12.0(25)S4.

Workaround 1: There is no workaround.

Symptom 2: Permanent bad labels may be present after MPLS TE tunnel reoptimization.

Condition 2: This symptom is observed on a router that runs a Cisco IOS image that does not include the fix for CSCed21063 and that functions in a network in which some routers run Cisco IOS Release 12.0(25)S4. With the exception of Release 12.0(25)S4 itself, Cisco IOS software releases that are listed in the "First Fixed-in Version" field at the following location are not affected: http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCed21063.

Workaround 2: There is no workaround. To recover from the symptoms, enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the affected TE tunnel interface.

CSCei84353

Symptoms: A router crashes when you remove an Embedded Event Manager (EEM) applet.

Conditions: This symptom is observed on a Cisco 12000 series that runs an interim release for Cisco IOS Release 12.0(32)S but is not platform- and release-dependent. This symptom occurs under the rare occasion that the EEM applet is removed while EEM is attempting to trigger the applet for execution.

Workaround: Perform the following three steps:

1. Before you remove the EEM applet, disable EEM applet scheduling by entering the event manager scheduler applet suspend command.

2. Remove the applet.

3. After you have removed the applet, re-enable EEM applet scheduling by entering the no event manager scheduler applet suspend command.

CSCej29710

Symptoms: Unable to send EEM type system SNMP trap notifications.

Conditions: This symptom occurs when users want to send EEM SNMP system type trap notifications upon triggering of a policy.

Workaround: In EEM applet mode if a user desires an SNMP notification upon event trigger, they should specify it as an action by using the action snmp-trap command. In EEM TCL policies, use the action_snmp_trap TCL command.

CSCek26155

Symptoms: A recursive pattern scan loop can occur when the Embedded Event Manager (EEM) CLI ED attempts to scan for patterns provided by action CLI commands.

Conditions: This issue occurs when an applet contains a CLI event that is scanning for a pattern that is given as a CLI command in one of its actions. See the following example:

event manager applet one
event cli pattern "show version" sync yes
action 1 cli command "show version"

In this example the action being performed causes the event to trigger in a loop.

Workaround: Do not use an action CLI command containing a pattern that matches the CLI event pattern.

CSCek42816

Symptoms: A voice gateway reloads while bulk calls are being processed.

Conditions: The symptom is observed on a Cisco voice gateway that runs VXML applications that stream voice when the voice gateway receives prompts from an HTTP server.

Workaround: Enter the ivr prompt streamed none command on the voice gateway.

CSCek43642

Symptoms: When you try to remove an Embedded Event Manager (EEM) policy that has event criteria specified via the event_register_appl Tcl command extension, the attempt fails.

Conditions: This symptom is observed when two or more Embedded Event Manager policies are configured and when only one of these policies has event criteria specified via the event_register_appl Tcl command extension.

Workaround: There is no workaround.

CSCek47283

Symptoms: A router cannot be reloaded by entering the reload command, and the following message is displayed when you attempt to reload the router:

The startup configuration is currently being updated. Try again.

Conditions: This symptom is observed under rare conditions and may be triggered after an "Invalid pointer value in private configuration structure" error message is displayed (as seen in caveat CSCin98933). This symptom is observed in Cisco IOS interim Release 12.3(19.7), interim Release 12.4(6.5), and interim Release 12.4(6.5)T, and in later releases.

Workaround: There is no workaround.

CSCsb95563

Symptoms: On rare occasions, Embedded Event Manager (EEM) may cause a crash when you deregister an EEM policy.

Conditions: This symptom is observed on a Cisco Catalyst 6000 series but is platform-independent.

Workaround: There is no workaround.

CSCsb99936

Symptoms: The show ephone command reveals a call is stuck in the SEIZE state instead of progressing to the correct state during a call.

Conditions: This symptom has been observed when an H.323 call is placed from CME to a non-CME H.323 endpoint.

Workaround: There is no workaround.

CSCsc18707

Symptoms: No error message is printed out when running an Embedded Event Manager (EEM) policy that is not registered with the none event detector.

Conditions: This symptom occurs when executing event manager run policy name or action label policy policy name command, but the policy is not registered with the none event detector.

Workaround: There is no workaround.

CSCsd20327

Symptoms: Web Cache Communication Protocol (WCCP) for service 90 is going up and down on a Cisco router that is running Cisco IOS Release 12.4(3)B. The router has services 81, 82 and 90 configured. The only service having a problem is 90. The packet traces indicate that the router is sometimes responding to Here_I_Am messages from the cache with I_See_You messages containing an incorrect destination IP address. This leads to a loss of WCCP service.

Conditions: This symptom is observed on a Cisco router that is running Cisco IOS Release 12.4(3)B.

Workaround: There is no workaround.

CSCsd34114

Symptoms: A router that is running Cisco IOS with an IPv6 localpools configuration may reload under rare circumstances.

Conditions: The IPv6 localpool has to allocate prefixes to the same username on multiple interfaces in a specific order, then release one of the prefixes, and try to allocate a new prefix.

The interfaces that the prefixes are allocated on, and the ordering of the events, need to follow a very specific pattern in order to create the issue.

Workaround: Use Per-User prefixes from a RADIUS server, or in DHCP-PD, use the prefix allocation per DUID.

Further Information: IPv6 localpools are currently used by IPv6CP (IPv6 over PPP links) and DHCP-PD.

This problem is unlikely to be observed with IPv6CP.

CSCsd66800

Symptoms: MGCP Gateway Controlled T38 fax-relay call is getting disconnected.

Conditions: This symptom has been observed while making a Gateway-controlled fax call using MGCP.

Workaround: There is no workaround.

CSCsd73526

Symptoms: When using CSS in a design for CVP, the Cisco IOS Voice Browser cannot play the media file after upgrading the Cisco IOS from Cisco IOS Release 12.3(3a) to Release 12.4(3b). CSS does send the HTTP Redirect pointing to CVP, but the gateway does nothing with it.

Conditions: This symptom has been observed when the following are present:

AS5400HPX

Cisco IOS Release 12.4(3b)

CVP 3.1 SR1

ICM 6.0

CallManager 4.1(3) SR 2

Workaround: Bypass CSS, and point the VXML application directly to CVP.

CSCsd76444

Symptoms: A Cisco router that is running PRE reloads unexpectedly with a Signal 0 reload and no stack contents.

Conditions: This symptom is observed on a Cisco 10000 series router that is running PRE.

Workaround: There is no workaround.

CSCse01124

Symptoms: The Hot Standby Router Protocol (HSRP) may not come up and may remain in the "Init" state, which can be verified in the output of the show standby brief command.

Conditions: This symptom is observed when dampening is configured on a native Gigabit Ethernet interface of a Cisco 7200 series or on a Fast Ethernet interface of a PA-FE-TX port adapter. Other types of interfaces are not affected.

Workaround: When the symptom has occurred, enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the Gigabit Ethernet and Fast Ethernet interfaces of all routers of the standby group.

To prevent the symptom from occurring, remove dampening from the Gigabit Ethernet and Fast Ethernet interfaces.

CSCse15025

Symptoms: An analog or digital CAS port enters a state in which inbound or outbound calls, or both, may no longer function through the port.

Conditions: This symptom is observed on a Cisco 2800 series and Cisco 3800 series that function as gateways with analog or digital CAS ports that use PVDM2 DSP modules.

When this problem occurs, it impacts multiple ports that share the same signaling DSP. The output of the show voice dsp signaling EXEC command shows which DSP is used by a port for signaling. The symptom may occur more often for ports that use DSP 1 on the PVDM2 module for signaling.

Because this issue impacts the signaling channels, it has been seen that calls either will not connect at all through impacted ports or in some cases when multiple simultaneous calls are present on adjacent voice ports/timeslots, the call may connect momentarily before being disconnected.

If a problem occurs only on a single voice port, there is another problem, not this caveat (CSCse15025). PRI/BRI calls are not affected because PRI/BRI does not utilize the DSP for signaling purposes.

When the symptom occurs with either a VIC2-xFXO or EVM DID/FXS module, enter the terminal monitor command followed by the test voice port port-number si-reg-read 39 1 command for one of the affected ports. The output typically should be a single octet value for register 39. When the symptom occurs, information for Registers 40, 41, and 42 is presented and some of the registers show double-octet information. See the example output (2) below.

When the symptom occurs with FXS or analog E&M modules, enter the terminal monitor command followed by the test voice port port-number codec-debug 10 1 command for one of the affected ports. The output typically should be a single octet value for each register. See the example output (4) below.

Workaround: There is no workaround to prevent the symptom from occurring. When the symptom has occurred, you must reload the gateway to restore proper operation.

Further Problem Description: The changes in CSCse15025 include the changes in CSCsc11833 and CSCsd90851. These changes have been shown to help mitigate this problem in the majority of cases.

There is a further detection and reset mechanism in CSCse15025 that will recover the DSP which is in this state. This mechanism will trigger immediately if the impacted voice port is an analog FXO port. For other voice ports, a delay in the detection will be present and it is possible to see the symptom of this problem before the recovery code triggers.

Note that the reset mechanism will cause any active calls utilizing the DSP in question to be dropped.

If you run modules that can be impacted by this issue, it is recommended that you upgrade to a software release that contains the changes in CSCse15025. If the DSP is reset and the output below is seen, contact the TAC for further assistance. Note that this output is sent at debug level, so it is recommended to enable either syslog or logging buffered on the gateway.

Logging buffered is enabled on the gateway through a global configuration command. For example, logging buffered 50000 debug sets logging buffered to use 50K bytes of processor memory for logging. The log can be viewed with the show log EXEC command.

Example output when detection and recovery code on gateway triggers:

*May 31 14:30:43.343: TDM pointers: 0100 0100 0115 0115. Deltas: 0001 0000.

*May 31 14:30:43.347: Received alarm indication from dsp(0/1)

0030 0000 0080 0000 0013 4100 2E2E 2F2E 2E2F 6D6F 6475 6C65 732F 7363 6865

6475 6C65 2F64 6562 7567 2E63 2833 3634 2900

*May 31 14:30:43.347: ../../modules/schedule/debug.c(364)

*May 31 14:30:43.347: %LINK-3-UPDOWN: Interface Foreign Exchange Office 0/0/0, changed state to Administrative Shutdown

*May 31 14:30:43.647: %LINK-3-UPDOWN: Interface Foreign Exchange Office 0/0/1, changed state to Administrative Shutdown

*May 31 14:30:43.947: %LINK-3-UPDOWN: Interface Foreign Exchange Office 0/0/2, changed state to Administrative Shutdown

*May 31 14:30:44.247: %LINK-3-UPDOWN: Interface Foreign Exchange Office 0/0/3, changed state to Administrative Shutdown

*May 31 14:30:48.147: Crash dump CLI may not be configured, not able to get crash info, slot 0, dsp 1

*May 31 14:30:48.147: DSPDUMP - Recover slot 0 dsp 1

*May 31 14:30:48.147: DSPDUMP - ka sent 0, ka_cnt 51193, skip_ka 103079

*May 31 14:30:50.579: %DSPRM-5-UPDOWN: DSP 1 in slot 0, changed state to up

*May 31 14:30:50.947: %LINK-3-UPDOWN: Interface Foreign Exchange Office 0/0/0, changed state to up

*May 31 14:30:51.219: %LINK-3-UPDOWN: Interface Foreign Exchange Office 0/0/1, changed state to up

*May 31 14:30:51.371: %LINK-3-UPDOWN: Interface Foreign Exchange Office 0/0/2, changed state to up

*May 31 14:30:51.523: %LINK-3-UPDOWN: Interface Foreign Exchange Office 0/0/3, changed state to up

Following are command output examples:

1) Following is an example of normal output for FXO and EVM FXS ports.

For FXO ports, the value is usually 0x01, but for EVM FXS the value can be different. When you run the above-mentioned command, the expected output is a single octet, displayed only for register 39. (This command does not work for VIC-4FXS and VIC2-xFXS modules.)

router#term mon

router#test voice port 0/3/3 si-reg-read 39 1

router#

Values read from SiLabs Codec connected to DSP 0, channel 11:

--------------------------------------------------------------

Register 39 = 0x01

2) Following is an example of output for FXO and EVM FXS ports that indicates that the symptom has occurred. Note that the exact output for the register values is different, but when the symptom occurs, different lines with information are displayed as shown below:

router#term mon

router#test voice port 0/3/3 si-reg-read 39 1

router#

Values read from SiLabs Codec connected to DSP 0, channel 11:

--------------------------------------------------------------

Register 39 = 0x5CB8

Register 40 = 0xFFFF

Register 41 = 0xFFFF

Register 42 = 0xFFFF

3) Following is an example of normal output for FXS and analog E&M modules. The values that are listed in a normal case may be different, but only four registers of a single octet should be displayed.

Values read from PEB2465 Codec connected to DSP 02 (channel 0):

---------------------------------------------------------------

Extended Register Values (XR4..XR1) = 00, CC, 50, 11

4) Following is an example of output for FXS and analog E&M modules that indicates that the symptom has occurred.

Values read from PEB2x65 Codec connected to DSP 0, channel 1:

------------------------------------------------------------

Extended Register Values (XR4..XR1) = D001, B83C, 3FF1, 63AC
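The checks described for CSCse15025 can be automated over captured command output. The following is an added example, not Cisco code: it applies the criteria stated above (only register 39, one octet wide, for si-reg-read; four single-octet values for codec-debug) to the four example outputs from this section. The function names are hypothetical.

```python
import re

# Patterns for the two output formats shown in examples 1) to 4) above.
REG_LINE = re.compile(r"Register\s+(\d+)\s*=\s*0x([0-9A-Fa-f]+)")
XR_LINE = re.compile(r"Extended Register Values \(XR4\.\.XR1\)\s*=\s*(.+)")

# Register lines copied from this section's example outputs.
SI_NORMAL = "Register 39 = 0x01\n"
SI_SYMPTOM = (
    "Register 39 = 0x5CB8\n"
    "Register 40 = 0xFFFF\n"
    "Register 41 = 0xFFFF\n"
    "Register 42 = 0xFFFF\n"
)
XR_NORMAL = "Extended Register Values (XR4..XR1) = 00, CC, 50, 11\n"
XR_SYMPTOM = "Extended Register Values (XR4..XR1) = D001, B83C, 3FF1, 63AC\n"


def check_si_reg_read(output):
    """Check 'test voice port <port> si-reg-read 39 1' output.

    Normal output is a single one-octet value for register 39 only.
    Returns a list of findings; an empty list means the output looks normal.
    """
    regs = [(int(num), val) for num, val in REG_LINE.findall(output)]
    if not regs:
        raise ValueError("no 'Register N = 0x..' lines found")
    findings = []
    for num, val in regs:
        if num != 39:
            findings.append("unexpected register %d in output" % num)
        if len(val) > 2:
            findings.append("register %d value 0x%s is wider than one octet" % (num, val))
    return findings


def check_codec_debug(output):
    """Check 'test voice port <port> codec-debug 10 1' output.

    Normal output is four extended registers of a single octet each.
    """
    match = XR_LINE.search(output)
    if not match:
        raise ValueError("no 'Extended Register Values' line found")
    values = [v.strip() for v in match.group(1).split(",")]
    findings = []
    if len(values) != 4:
        findings.append("expected 4 extended registers, got %d" % len(values))
    for v in values:
        if not re.fullmatch(r"[0-9A-Fa-f]{1,2}", v):
            findings.append("extended register value %s is not a single octet" % v)
    return findings


def symptom_present(output):
    """Pick the right check by output format and report whether it flags the symptom."""
    if XR_LINE.search(output):
        return bool(check_codec_debug(output))
    return bool(check_si_reg_read(output))


if __name__ == "__main__":
    for name, text in [("si normal", SI_NORMAL), ("si symptom", SI_SYMPTOM),
                       ("xr normal", XR_NORMAL), ("xr symptom", XR_SYMPTOM)]:
        print(name, "->", "SYMPTOM" if symptom_present(text) else "ok")
```

A positive result on a single port only is not enough to attribute the problem to CSCse15025; as stated above, the caveat affects multiple ports that share the same signaling DSP.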

CSCse16494

Symptoms: Traffic does not flow after a Route Processor Redundancy Plus (RPR+) switchover has occurred.

Conditions: This symptom is observed on a Cisco 7500 series that runs Cisco IOS Release 12.4 and that is configured for RPR+.

Workaround: After the RPR+ switchover has occurred, reload microcode onto the router.

CSCse34097

Symptoms: When a voice call is made to one of the busy channels of a BRI/PRI port, the call gets rejected and then another call is made to the available port. The call gets connected, and the user hears an annoying hissing sound.

Conditions: The procedure to recreate this scenario is the following:

Phone a & b ---OGW --VoIP --TGW(2611) --BRI/PRI --PBX -- phone c & d

Phone a calls phone c;

Phone b calls phone c;

Phone b calls phone d;

Phone d picks up and hears a hissing noise.

Workaround: There is no workaround.

CSCse39452

Symptoms: OGW rejects incoming OLC from an alternate endpoint when the slow start procedure is used and so the call is rejected.

Conditions: This symptom has been observed when OGW is configured to use the slow start procedure.

Workaround: There is no workaround.

Further Problem Description: OGW is configured to use the slow start procedure. OGW receives alternate endpoints in the ACF. The call on the primary endpoint fails after H.245 procedures are completed and logical channels are opened. OGW then tries the call on the alternate endpoint, but it rejects the incoming OLC from the alternate endpoint, resulting in call failure.

CSCse45425

Symptoms: VAM2 resets with the message "Free Pool stuck". The IPSec SAs are transferred to software crypto. This causes 100% CPU.

Conditions: The decrypted packet total size does not match the total length in its IP header.

Workaround: There is no workaround for the VAM2 reset. However, during the VAM2 recovery, disable software encryption by issuing the no crypto engine software ipsec command to force encryption back to hardware.

CSCse49985

Symptoms: A Cisco 3745 router crashes due to a software-forced crash. An error message similar to the following is displayed:

rcojx67-vgw01-3745 uptime is 1 day, 16 hours, 19 minutes

System returned to ROM by error - a Software forced crash, PC 0x60A87D38 at 15:59:36 GMT Tue May 16 2006

System restarted at 16:00:35 GMT Tue May 16 2006

System image file is "flash:c3745-ipvoice-mz.123-14.T3.bin"

Conditions: This symptom has been observed with a Cisco 3745 router running Cisco IOS Release 12.3(14)T3. This symptom is also seen when there are some memory allocation failures.

Workaround: There is no workaround.

CSCse56660

Symptoms: Inbound calls to FXO ports on Cisco IOS VoIP gateways connect, but audio is not present.

Conditions: With caller-id enable configured on FXO ports, the call will connect, but no audio is heard. When this occurs, the following error message can be seen at debug level:

Jun 20 01:41:15.855: mbrd_e1t1_vic_connect: setup failed

Jun 20 01:41:15.855: flex_dsprm_tdm_xconn: voice-port(0/0/1), dsp_channel

(/0/2/0)

Workaround: Disable caller id on the voice-port.

CSCuk60910

Symptoms: A Cisco IOS router may detect a memory corruption and reload.

Conditions: An interface on the system must be configured for Van Jacobson TCP header compression, using the ip tcp header-compression command, and connected to a third-party system.

Workaround: There is no workaround.

Wide-Area Networking

CSCek40618

Symptoms: A router may crash by address error (load or instruction fetch) exception during normal operation.

Conditions: This symptom has been observed when the router is configured with VPDN and Multilink PPP, using Virtual-Template interfaces.

Workaround: There is no workaround.

CSCsd19867

Symptoms: BRI interfaces do not come up when you reload a router. You must enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the affected BRI interfaces to bring them up.

Conditions: This symptom is observed when you enter the no isdn spoofing command and reload the router.

Workaround: Disable the no isdn spoofing command.

CSCsd81350

Symptoms: When asynchronous serial interfaces are used as member links in multilink PPP bundles, the router may crash due to memory corruption.

Conditions: This problem can occur under conditions where multilink fragmentation is done, and where the bundle includes at least one member link that is an asynchronous interface.

Workaround: Disable fragmentation on the bundle interface for any bundle that may include asynchronous links as members. Alternatively, if the use of multilink is not a requirement, disable multilink on the asynchronous interfaces.

CSCse16539

Symptoms: VPDN load balancing incorrectly biases to one LNS (IP address) instead of sharing the session load between the different LNSs after the LNSs return from the busy list.

Conditions: This occurs when multiple LNSs are configured for one vpdn-group and are unreachable. They are moved to the busy list. Once the LNSs become reachable again, this problem occurs.

Workaround: There is no workaround.

Resolved Caveats—Cisco IOS Release 12.4(8)

This section describes possibly unexpected behavior by Cisco IOS Release 12.4(8). All the caveats listed in this section are resolved in Cisco IOS Release 12.4(8). This section describes severity 1 and 2 caveats and select severity 3 caveats.

Basic System Services

CSCea36491

Symptoms: When a Telnet session is made to a router after a VTY session pauses indefinitely, the user in the Telnet session may not be able to enter the configuration mode. When these symptoms occur, interfaces may enter the wedged state with Simple Network Management Protocol (SNMP) traffic.

Conditions: This behavior is observed on ATM and Packet over SONET (POS) interfaces. This behavior is not platform-specific.

Workaround: Disable Simple Network Management Protocol (SNMP) configuration traps by entering the no snmp-server enable traps config global configuration command.

CSCee41892

Symptoms: A VIP4-80 card may fail to load the Cisco IOS software image. When this situation occurs, the following error messages are generated:

%DBUS-3-SW_NOTRDY: DBUS software not ready after HARD_RESET, elapsed 13056, status 0x0

%DBUS-3-WCSLDERR: Slot 2, error loading WCS, status 0x4 cmd/data 0xDEAD pos 97

%DBUS-3-WCSLDERR: Slot 2, error loading WCS, status 0x4 cmd/data 0xDEAD pos 99

%UCODE-3-LDFAIL: Unable to download ucode from system image in slot 2, trying rom ucode

%RSP-3-NOSTART: No microcode for VIP4-80 RM7000 card, slot 2

Conditions: This symptom is observed on a Cisco 7500 series when you enter the microcode reload command.

Workaround: There is no workaround.

Further Problem Description: The symptom may also occur because of improperly installed line cards. If this situation occurs, re-install the line cards.

CSCef68681

Symptoms: A CBUS complex may occur, causing all VIPs to reload and to be reconfigured. In turn, this situation prevents the router from being accessible for 30 seconds.

Conditions: This symptom is observed on a Cisco 7500 series that runs Cisco IOS Release 12.0S when you change the MTU of an already existing interface or when you add a new interface. The symptom may also occur in other releases.

Workaround: There is no workaround.

CSCeg24855

Symptoms: A platform reloads after you enter the aaa route download 2 command.

Conditions: This symptom is observed on a Cisco AS5400 that runs Cisco IOS Release 12.3(11)T2.

Workaround: There is no workaround.

CSCej30903

Symptoms: A router allows logging into the root (or any other configured) view without prompting for a password.

Conditions: This symptom is observed when no method list is configured for login service.

Workaround: Configure a method list for the login service.

CSCek27271

Symptoms: The IPSLA test packets returned by the IPSLA responder for the UDP jitter operation have ToS value of 0 instead of the value configured for the operation. Because of this, the two IPSLA UDP jitter operations between same source and responder routers with just the different ToS configurations will report the same round trip time even though the expected values are different.

Conditions: This symptom has been observed on the routers configured with an IP SLA User Datagram Protocol (UDP) jitter operation with microseconds precision and has the ToS value configured.

Workaround: There is no workaround.

CSCek32365

Symptoms: A Cisco 7500 series that is configured with more than two VIP 4-80 or VIP 6-80 processors may crash during the boot process and may not boot at all.

Conditions: This symptom is observed on a Cisco 7500 series that runs a Cisco IOS software image that includes the fix for caveat CSCei45236. A list of the affected releases can be found at http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCei45236. Cisco IOS software releases that are not listed in the "First Fixed-in Version" field at this location are not affected.

Workaround: There is no workaround.

CSCek36902

Symptoms: A Cisco 7500 series may generate a "%CBUS-3-CMDONPROC" error message and a traceback.

Conditions: This symptom is observed on a Cisco 7500 series with a Fast Serial Interface Processor (FSIP) when you perform an OIR.

Workaround: There is no workaround.

CSCek40060

Symptoms: RADIUS server authentication may not function for dialup and PPP clients.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.4(7) and that has the radius-server retry method round-robin command enabled.

Workaround: Disable the radius-server retry method round-robin command. Note that the symptom does not occur in Release 12.3 or Release 12.3T.

CSCsb30875

Symptoms: Active eRSC on a Cisco AS5850 gateway could hang after RPR+ failover, if the aaa accounting system command is configured.

Conditions: The symptom has been observed under the following conditions:

1. RPR+ failover occurred.

2. Console connection window closed & reopened to the newly active eRSC after failover.

Workaround: There are two workarounds.

1. The eRSC hang will not happen if no attempt is made to close and reopen the console session with newly active eRSC after failover.

2. Remove the aaa accounting system command from the configuration.

CSCsb43767

Symptoms: RADIUS stop packets that are sent to a RADIUS server may contain an incorrect value for the NAS-Port attribute (RADIUS IETF attribute 5). Information that is related to the asynchronous interface is not included in the Cisco-NAS-port VSA.

Conditions: This symptom is observed when a Cisco router sends stop packets to a RADIUS server via an asynchronous interface.

Workaround: There is no workaround.

CSCsb71584

Symptoms: A spurious memory access is generated in the "aaa_string_vsa_prefix_to_protocol" function.

Conditions: This symptom is observed on a Cisco platform that is configured for Network Admission Control (NAC).

Workaround: There is no workaround.

CSCsc19289

Symptoms: MC-T1 is disabled and wedged when changing the MTU size on the MC-T1 interface.

Conditions: This symptom has been observed when dLFIoLL is configured on a Cisco 7500 router and the MTU size on MX-serial interface is changed.

Workaround: Remove and replace the MC-T1 or micro reload the MC-T1.

CSCsc27380

Symptoms: On the console of the active RSP of a Cisco 7500 series, "IPC_RSP_CBUS-3-NOHWQ" error messages are generated.

Conditions: This symptom is observed on a Cisco 7500 series that functions in SSO mode when you remove the standby RSP via a soft OIR.

Workaround: There is no workaround.

CSCsc70055

Symptoms: A Cisco 7200 series may crash when you perform a graceful OIR of a port adapter that is processing traffic.

Conditions: This symptom is observed mostly when the port adapter processes ingress traffic.

Workaround: Do not perform a graceful OIR. Rather, perform a manual OIR.

CSCsd10306

Symptoms: IP SLA packets are dropped in the network. They may also cause a buffer leak on some Cisco routers. Frequency of the problem is very low, less than 1%.

Conditions: This symptom is observed on IP SLA packets that have an MPLS label applied on the source router.

Workaround: There is no workaround.

Further Problem Description: The IP SLA packets in question have a corrupted IP header.

CSCsd20739

Symptoms: A router that has a GRE IPSec tunnel may hang and all routing neighbors may be dropped.

Conditions: This symptom is observed when the GRE IPSec tunnel is configured for PIM sparse mode and OSPF, when traffic levels are moderate, and when you enter the ip flow egress command on a tunnel interface.

Workaround: Do not enter the ip flow egress command on a tunnel interface. When the symptom has occurred, disable NetFlow Export to restore proper router operation.

CSCsd23056

Symptoms: Reverse Telnet may not function.

Conditions: This symptom is observed when AAA authentication is enabled for the asynchronous line over which you attempt to establish a reverse Telnet connection. The AAA authentication prompt takes the console output as input for the AAA authentication process, causing a login failure for reverse Telnet.

Workaround: There is no workaround.

CSCsd26831

Symptoms: When you enter the show snmp mib ifmib ifindex command, the router generates an "% Incomplete command" error message because the carriage return option is not present.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS interim Release 12.4(7.4).

Workaround: There is no workaround.

CSCsd63874

Symptoms: A traceback may occur in the "send_link_monitor_config_cmd" function and the following error message may be generated:

%CBUS-3-CMDONPROC: Cmd not interrupt protected

Conditions: This symptom is observed on a Cisco 7500 series.

Workaround: There is no workaround.

CSCsd63890

Symptoms: A traceback is generated on a Cisco platform that has NetFlow configured on an interface.

Conditions: This symptom is observed on a Cisco platform that runs Cisco IOS Release 12.4 or Release 12.4T when you enter the ip route-cache flow or ip flow ingress command on an interface.

Workaround: Do not configure NetFlow on an interface.

CSCsd65404

Symptoms: Control packets are not properly marked with the ToS setting that is specified in an IP SLA probe. Only the data packets are marked with the configured ToS setting.

Conditions: This symptom is observed when an IP SLA probe is configured via SNMP. Note that the symptom does not occur when the IP SLA probe is configured via the CLI.

Workaround: Configure the IP SLA probe via the CLI. However, this workaround does not scale well for networks in which a large number of probes must be configured.

EXEC and Configuration Parser

CSCsd32923

Symptoms: A router may unexpectedly reload with a bus error when you enter a command while the command buffer is full of white space.

Conditions: This symptom is observed when you enter a partial command and when the tab key is used while the command buffer is full.

Workaround: There is no workaround.

Interfaces and Bridging

CSCdp08975

Symptoms: Even though traffic is flowing through ATM VCs, the status of the ATM VCs may change unexpectedly.

Conditions: This symptom is observed on a Cisco 7200 series that has RFC1577 configured on the main interface and that does not function as an Address Resolution Protocol (ARP) server.

Workaround: Do not configure RFC1577 on the main interface. Rather, configure RFC1577 on a subinterface.

CSCek27126

Symptoms: A router may crash when you remove a label-controlled ATM (LC-ATM) subinterface and may generate an "%ALIGN-1-FATAL: Corrupted program counter" error message.

Conditions: This symptom is observed on a Cisco 7200 series but may be platform-independent.

Workaround: Shut down the main interface before you remove the subinterface.

CSCsc66187

Symptoms: Error messages such as the following one may be generated on a Cisco 7500 series or Cisco 7600 series:

%CWPA-3-IPCALLOCFAIL: Failed to allocate IPC buffer for loveletter data

Conditions: This symptom is observed on a Cisco 7500 series and Cisco 7600 series that are configured with a 1-port Packet-over-SONET OC-3c/STM-1 multimode port adapter (PA-POS-OC3MM) when you enter the no shutdown interface configuration command on the interface.

Workaround: There is no workaround.

CSCsd41989

Symptoms: A T3 controller remains down when loopback local is configured.

Conditions: This symptom is observed on a Cisco platform that is configured with a channelized T3 port adapter when the T3 controller is in an unavailable seconds (UAS) state.

Workaround: Remove the cause of the UAS state for the T3 controller.

CSCsd49253

Symptoms: A Cisco 7200 series may reload unexpectedly when an Automatic Protection Switching (APS) switchover occurs on Packet over SONET (POS) interfaces that are configured for redundancy.

Conditions: This symptom is observed on a Cisco 7200 series.

Workaround: There is no workaround.

CSCsd63918

Symptoms: A router reloads unexpectedly when you enter the bridge-group bridge-group command as part of an ATM PVC configuration.

Conditions: This symptom is observed on a Cisco router that is configured with an ATM port adapter such as a PA-A2 port adapter.

Workaround: There is no workaround.

IP Routing Protocols

CSCeg39601

Symptoms: The IPv6 multicast RP encapsulation tunnel remains down.

Conditions: This symptom occurs when the ipv6 pim rp-address command is configured. The resulting encapsulation tunnel is created but always remains in the down state.

Workaround: There is no workaround.

CSCej78303

Symptoms: A router may crash when you disable the ipv6 multicast-routing command.

Conditions: This symptom is observed when you enable and disable the ipv6 multicast-routing command multiple times while IPv6 Multicast traffic is being processed.

Workaround: There is no workaround.

CSCek25582

Symptoms: Spurious memory accesses may be (continuously) generated at the "igmp_process_timers" function.

Conditions: This symptom is observed on a Cisco router that is configured for multicast routing.

Workaround: There is no workaround.

CSCek32244

Symptoms: Not all classful networks are locally generated in the BGP table.

Conditions: This symptom is observed on a Cisco router that has the auto-summary command enabled and occurs when classful networks are provided before the routes are made available in the routing table.

Workaround: There is no workaround.

CSCek33991

Symptoms: A router may reset unexpectedly when it is in the midst of output of the results of the show interface dampening command, and the interface is deleted from another vty connection.

Conditions: This symptom can be encountered if concurrent connections are opened to a router, and the show interface dampening command is issued while interface(s) are deleted.

Workaround: Ensure interfaces with dampening configured are not deleted while the show interface dampening command can be possibly issued on another vty.

CSCsa87034

Symptoms: When you attempt to clear the routing table, the neighbor is brought down instead.

Conditions: This symptom is observed when you enter the clear bgp ipv4 unicast * or clear bgp ipv6 unicast * command, causing respectively the IPv4 neighbor or IPv6 neighbor to be brought down.

Workaround: There is no workaround.

CSCsc00378

Symptoms: Changes in an export map are not picked up by the BGP Scanner.

Conditions: This symptom is observed on a Cisco router that functions as a PE router when you apply an export map to a VRF and when the interface that connects the PE router to a CE router is configured for OSPF.

Workaround: Enter the clear ip ospf process command to enable the BGP Scanner to pick up the changes in the export map.

CSCsc19256

Symptoms: When NAT overload is configured on a PE router, a traceroute from a VRF client to a gateway fails when the PE router is indirectly connected to the gateway via a VPN interface or generic interface.

Conditions: This symptom is observed on a Cisco router that functions as a PE router and that has NAT overload configured.

Workaround: There is no workaround.

CSCsc46337

Symptoms: When about a thousand eBGP connections are opened between two routers that are connected back-to-back, additional point-to-point eBGP connections between the routers are not established even if IP connectivity between the BGP next-hops is provided.

Conditions: This symptom is observed when one Cisco router functions as a PE router and the other Cisco router functions as a CE router that has VRF-lite configured.

Workaround: Reload the PE router to enable all sessions to become established, including the ones that previously were not established.

CSCsc56595

Symptoms: When an OSPFv3 router has more IPv6 prefixes in a single OSPFv3 area than can be advertised in a single intra-area prefix Link State Advertisement (LSA) that is small enough to be advertised via the normal IPv6 Maximum Transmission Unit (MTU), the additional IPv6 prefixes are not advertised.

Conditions: This symptom is observed when many interfaces with IPv6 global addresses are configured in a single OSPFv3 area and when the size of the LSA is less than the normal IPv6 interface MTU.

Workaround: Spread the IPv6 interfaces over multiple OSPFv3 areas.

CSCsc62333

Symptoms: Application Layer Gateway (ALG) traffic does not traverse a router that is configured for NAT and that has a NAT Virtual Interface (NVI).

Conditions: This symptom is observed on a Cisco 7200 series that runs Cisco IOS Release 12.4 or Release 12.4T. The symptom is platform-independent.

Workaround: There is no workaround.

CSCsc72090

Symptoms: A router that is configured for EIGRP may fragment packets if the MTU on the interface is set to a value that is lower than 1500 bytes. This situation may cause additional overhead for the receiving router that must reassemble the packets.

Conditions: This symptom is observed on a Cisco router that transmits packets that are larger than the MTU on the interface and occurs because EIGRP does not automatically adjust to the value of the MTU on the interface.

Workaround: There is no workaround.

Further Problem Description: The fix for this caveat prevents EIGRP from sending packets that are larger than the MTU of the interface in order to prevent fragmentation.

CSCsc76327

Symptoms: When a VRF route is redistributed into the MP-BGP cloud, a routing loop may occur for the prefix (that represents the VRF route) between the EIGRP cloud and the MP-BGP cloud.

Conditions: This symptom is observed on a Cisco router that functions as a PE router when the following conditions are present:

The router has EIGRP configured on the link to a CE router.

The router has a static VRF route that is redistributed into the configuration that is defined by the address-family vrf vrf-name command and that is part of the BGP routing process.

Workaround: There is no workaround. Applying a route map with a pre-bestpath option does not resolve the loop.

CSCsc78813

Symptoms: While using NAT in an overlapping network configuration, the IP address inside a DNS reply payload from the nameserver is not translated at the NAT router.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.3(18) and that has the ip nat outside source command enabled. The symptom could also occur in Release 12.4 or Release 12.4T.

Workaround: There is no workaround.

CSCsc94867

Symptoms: A traceback is generated in the log after NAT entries are created on a PE router that is configured for NAT and that has a static NVI.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS interim Release 12.4(5.12) or interim Release 12.4(5.13)T2.

Workaround: There is no workaround.

CSCsc98828

Symptoms: PIM becomes disabled on an output interface, preventing packets from being sent, and causing the SR flag to be set after 60 seconds on the router that functions as the first hop.

Conditions: This symptom is observed on a Cisco router that is configured for IPv6 PIM.

Workaround: There is no workaround.

CSCsd01824

Symptoms: Extended NAT entries that are created by outside static NAT translation in a VRF SNAT environment do not age out and remain in the translation table until you enter the clear command.

Conditions: This symptom is observed when the ip nat outside source static command is configured in a VRF SNAT environment on a Cisco router that runs Cisco IOS Release 12.4.

Workaround: If this is an option, use the ip nat inside source static command in the VRF SNAT environment.

CSCsd13124

Symptoms: A candidate Cisco Bootstrap Router (BSR) that is configured for PIM version 2 and that is elected as a BSR does not change back to a candidate BSR immediately after the BSR interface is shut down but waits until the timer expires. This situation prevents another candidate BSR from becoming a BSR until the first BSR changes back to a candidate BSR when the timer expires.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.4(7) but may also affect other releases.

Workaround: There is no workaround.

CSCsd15770

Symptoms: High CPU utilization occurs during PPPoEoQinQ session setup.

Conditions: This symptom occurs when Internet Group Management Protocol (IGMP) is enabled.

Workaround: There is no workaround.

CSCsd16043

Symptoms: A Cisco IOS platform that is configured for Auto-RP in a multicast environment may periodically lose the RP to group mappings.

Conditions: This symptom is observed on a Cisco platform that runs Cisco IOS Release 12.3(17) when the RP drops the Auto-RP announce messages, which is shown in the output of the debug ip pim auto-rp command. This situation may cause a loss of multicast connectivity while the RP mappings are purged from the cache. See the following output example:

Auto-RP(0): Received RP-announce, from ourselves (X.X.X.x), ignored

Note that the symptom may also affect Cisco IOS Release 12.4 and Release 12.4T.

Workaround: Create a dummy loopback interface (do not use the configured IP address in the whole network) and use the ip mtu command to configure the size of the MTU for the RP interface to 1500 and the size of the MTU for the dummy loopback interface to 570, as in the following examples:

interface Loopback1

ip address 10.10.10.10 255.255.255.255

ip mtu 570

ip pim sparse-mode

end

(This example assumes that the Auto-RP interface is loopback 0.)

interface Loopback0

ip address 10.255.1.1 255.255.255.255

ip mtu 1500

ip pim sparse-dense-mode

end

CSCsd17747

Symptoms: When you enter the ip pim vrf register-source command on an interface and then delete the interface or its IP address, the command remains in the configuration. This situation causes the bulk synchronization to fail and the standby RP to reset continuously after an RP switchover has occurred. Then, because the register source (the interface) cannot be found, a BEM failure occurs.

Conditions: These symptoms are observed when the interface forwards traffic from a nondefault VRF and when the interface has a register source configured.

Workaround: Remove the ip pim vrf register-source command from the interface before you delete the interface or its IP address.

CSCsd27388

Symptoms: A ping from a source to a destination fails because of an encapsulation failure.

Conditions: This symptom is observed on a Cisco 7200 series that is configured for NAT and that has the ip nat inside source static command enabled on a VRF.

Workaround: There is no workaround.

CSCsd33445

Symptoms: A Cisco platform that is configured for Next Hop Resolution Protocol (NHRP) may display an error message similar to the following:

%SYS-3-MGDTIMER: Running timer, init, timer = 0xXXXXXXXX Process= "NHRP",
ipl= 0, pid= YYY

Conditions: This symptom is observed in a DMVPN environment.

Workaround: There is no workaround.

CSCsd48962

Symptoms: SNAT allocates the "rt_aux_managed_init" string during the first NAT entry creation and a subsequent NAT entry creation triggers the allocation of subsequent memory in NAT and SNAT. When you enter the clear ip nat trans * command to free the NAT translation, the rtree memory is not freed, causing a memory leak.

When you enter the show processes memory command, you see that memory is being held but that does not necessarily mean that there is a leak. Only if the held memory is still held upon clearing the NAT table does it mean that there is a leak.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS interim Release 12.4(7.6) and that is configured for SNAT.

Workaround: There is no workaround.

CSCsd52667

Symptoms: When you alter the configuration of the ip nat pool command, the router may hang, crash, or both.

Conditions: This symptom is observed on a Cisco router when you enter the following commands in sequence:

ip nat pool address 255.255.255.255 255.255.255.255

ip nat pool no address 255.255.255.255 255.255.255.255

or

no ip nat pool name

Workaround: There is no workaround.

CSCsd64173

Symptoms: A router may reload unexpectedly because of a bus error crash after you have removed a summary-prefix IPv6 OSPF command.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.2(18)SXF but may also occur in other releases. The symptom occurs only when the summary-prefix IPv6 OSPF command is configured without any redistribute commands.

Workaround: Configure a redistribute command under the IPv6 OSPF configuration.

CSCsd67591

Symptoms: A router may crash when you modify parameters of the route-map command for a redistribution statement.

Conditions: This symptom is observed when you modify the parameters of the route-map command for a redistribution statement of an OSPF process that was deleted.

Workaround: Delete the redistribution statement before you delete the OSPF process.

CSCsd84489

Symptoms: A platform that is configured for Open Shortest Path First (OSPF) and incremental Shortest Path First (SPF) may crash when changes occur in the OSPF topology.

Conditions: This symptom is observed on a Cisco platform that has the ispf command enabled when changes occur in the OSPF topology that cause the intra-area routes to be updated.

Workaround: Disable the ispf command.

CSCuk58462

Symptoms: When a route map is configured, routes may not be filtered as you would expect them to be filtered.

Conditions: This symptom is observed on a Cisco router that is configured for BGP and that functions in an MPLS VPN environment.

Workaround: There is no workaround.

Further Problem Description: The symptom does not occur for redistributed route maps.

ISO CLNS

CSCsb89900

This caveat consists of two symptoms, two conditions, and two workarounds:

1. Symptom 1: Corrupted timer data structures may cause tracebacks in an IS-IS environment.

Condition 1: This symptom is observed when an IS-IS instance is configured for IPv6 interfaces only, when the IS-IS instance has a passive interface, and when you take the following actions:

- You enter the no router isis command.

- You then re-enable IS-IS, including on the passive interface, which then becomes an active IPv6 interface.

Workaround 1: Do not configure a passive interface if an IS-IS instance is configured for an IPv6 interface only. If you must configure a passive interface in an IS-IS instance, do not enable IS-IS on this passive interface after you have disabled IS-IS globally via the no router isis command.

2. Symptom 2: IS-IS may crash or function unreliably because of uninitialized or freed data structures.

Condition 2: This symptom is observed when a passive interface is configured and when the following actions occur:

- IS-IS is disabled on all interfaces (whether IPv4 or IPv6 interfaces), one by one.

- Then, the no router isis command is entered to disable IS-IS globally.

- Next, IS-IS is globally enabled and the passive interface is made active via the ip router isis or ipv6 router isis command.

Workaround 2: Do not use a passive interface in an IS-IS environment. If you must use a passive interface in an IS-IS environment, prevent the actions that are described in Condition 2.

CSCsc63871

Symptoms: When IS-IS and CLNS are configured, a router may enter a state in which only one adjacency is shown in the output of the show clns interface command, even though the show clns neighbors command may correctly display all the neighbors that are connected to the interface.

When this situation occurs and any one of the neighbors on the segment goes down, all routing updates may be lost. The single adjacency is torn down and despite the fact that the output of the show clns neighbors command still shows the neighbors, routing stops because there are no adjacencies.

Conditions: This symptom is observed when an adjacency goes down while it is still in the INIT state. The symptom occurs because the adjacency counter is incorrectly decremented.

Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the interface that reports only one adjacency.

Alternate Workaround: Enter the clear clns neighbors command on the affected router.

CSCsd87651

Symptoms: A Cisco router that is configured for RPR or RPR+ may reload its standby RP when a configuration change is made to IS-IS.

The reload of the standby RP is preceded by the following error messages:

%HA-3-SYNC_ERROR: Parser no match.
%HA-5-SYNC_RETRY: Reloading standby and retrying sync operation (retry 1).

Conditions: This symptom is observed on a Cisco 7500 series that runs Cisco IOS Release 12.4. Note, however, that the symptom is platform-independent for Release 12.4 and its derivatives. Any of the IS-IS global configuration commands may trigger the symptom. Following are a few examples of these IS-IS global configuration commands:

is-type level-2-only

lsp-gen-interval level-2 5 50 100

redistribute eigrp

Workaround: There is no workaround.

Miscellaneous

CSCeb05456

Symptoms: A Cisco platform may reset its RP when two simultaneous write memory commands from two different vty connections are executed, and messages similar to the following may appear in the crashinfo file:

validblock_diagnose, code = 10

current memory block, bp = 0x48FCC7D8,
memory pool type is Processor
data check, ptr = 0x48FCC808

next memory block, bp = 0x491AC060,
memory pool type is Processor
data check, ptr = 0x491AC090

previous memory block, bp = 0x48FCBBE8,
memory pool type is Processor
data check, ptr = 0x48FCBC18

The symptom is intermittent and is related to the way NVRAM is accessed.

Conditions: This symptom is observed on a Catalyst 6000 series Supervisor Engine 720 that runs Cisco IOS Release 12.2(18)SXD but is platform- and release-independent.

Workaround: Set the boot configuration to non-NVRAM media such as a disk or bootflash by entering the following commands:

boot config disk0:filename nvbypass

CSCec15400

Symptoms: A Versatile Interface Processor 4 (VIP4) with an E1 controller may reload unexpectedly and display the following error message:

%ALIGN-1-FATAL: Illegal access to a low address addr=0x28, pc=0x604716A8, ra=0x604711FC, sp=0x60D66628

Conditions: This symptom is observed on a Cisco 7500 series that runs Cisco IOS Release 12.2(15)T2, Release 12.2(15)T5, or Release 12.3.

Workaround: There is no workaround.

CSCee72997

Cisco IOS devices that are configured for Internet Key Exchange (IKE) protocol and certificate based authentication are vulnerable to a resource exhaustion attack. Successful exploitation of this vulnerability may result in the allocation of all available Phase 1 security associations (SA) and prevent the establishment of new IPsec sessions. Cisco has released free software updates that address this vulnerability. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-ipsec.shtml

CSCef29090

Symptoms: The throughput for TCPClear sessions on a Cisco AS5850 may not be as expected and there may be a slow response time.

Conditions: This symptom is observed on a Cisco AS5850 with TCPClear sessions.

Workaround: There is no workaround.

CSCeg03019

Symptoms: CEF may not work over different tunnels.

Conditions: This symptom has been observed when both GRE and IPIP tunnels are configured and the packet traverses both.

Workaround: There is no workaround.

CSCeg55213

Symptoms: Ethernet VLAN data counters may not be updated for a virtual circuit (VC) that is configured for Xconnect.

Conditions: This symptom is observed on a Cisco platform that has the EoMPLS VLAN mode enabled.

Workaround: There is no workaround.

CSCeg86172

Symptoms: Ports may hang and remain in the "UNREGISTERED" state when you enter the no sccp command followed by the sccp command.

Conditions: This symptom is observed when you enter the commands while the ports are in the process of registration to the CME because a switchover has occurred.

Workaround: Enter the no stcapp command followed by the stcapp command before you enter the no sccp command followed by the sccp command. Note that the no sccp command removes the protocol stack but does not re-register the ports.

CSCeh08545

Symptoms: A router that performs a dynamic DNS update to remove a host name may crash.

Conditions: This symptom is observed on a Cisco router when an interface that is configured to use dynamic DNS updates and acquire an IP address via DHCP has the no ip-address command enabled.

Workaround: There is no workaround.

CSCeh22026

Symptoms: The standby RP of a Cisco 7304 that functions in a high-availability mode may reload unexpectedly.

Conditions: This symptom is observed under various circumstances, one of which is the following:

The Cisco 7304 is configured with a port adapter carrier card in which a PA-MC-2T3+ port adapter is installed and you enter the no channelized command for one of the ports of the port adapter.

Workaround: Do not enter the no channelized command for a port of the PA-MC-2T3+ port adapter. Rather, configure the startup configuration to include the no channelized command for the port of the PA-MC-2T3+ port adapter.

CSCeh34040

Symptoms: Incoming traffic is lost when the IP Source Tracker feature is enabled on an interface. A ping times out.

Conditions: These symptoms are observed when the ip source-track command is enabled on a local interface. Even when you enter the no ip source-track command, traffic does not resume.

Workaround: First write down the IP address of the affected interface, then enter the no ip source-track command followed by the no ip address command on the affected interface, and finally enter the ip address command on the affected interface.

CSCeh60551

Symptoms: Certain malformed client certificates may cause an Access Point (AP) to crash.

Conditions: This symptom is observed on a Cisco platform that functions as an AP and that runs Cisco IOS Release 12.3(2)JA2 or Release 12.3(4)JA when EAP-TLS is configured. The symptom may also occur in other releases.

Workaround: Issue a new client certificate.

CSCei05246

Symptoms: After an OIR of a PA-MC-E3 port adapter that is installed in a VIP6-80, the serial interfaces do not transmit. The message "not transmitting" is generated, followed by "output frozen." After these messages, a Cbus Complex occurs.

Conditions: This symptom is observed on a Cisco 7500 series.

Workaround: There is no workaround.

CSCei49231

Symptoms: A router may crash when a large number of calls passes through an E1 CAS link.

Conditions: This symptom is observed on a Cisco 3800 series that has an E1 CAS link that is configured for E&M wink start signaling.

Workaround: There is no workaround.

CSCei86389

Symptoms: You cannot change the user locale to the RU or NL language.

Conditions: This symptom is observed on a Cisco 7960 IP phone.

Workaround: There is no workaround. If this is an option for you, use the default user locale, which is the US language.

CSCej11073

Symptoms: An attempt to re-enable SSG fails after you have entered the no ssg enable force-cleanup command because the SSG unconfiguration process enters an infinite loop.

Conditions: This symptom is observed on a Cisco router that has about 4000 live sessions.

Workaround: There is no workaround.

CSCej27978

Symptoms: A CE router that is configured for VRFLite does not receive Auto-RP mappings.

Conditions: This symptom is observed when MDS is enabled on the multilink interface that connects the CE router and the PE router.

Workaround: Configure process switching on the multilink interface that connects the CE router and the PE router by entering the no ip mroute-cache interface configuration command.

CSCej87817

Symptoms: Policing does not drop any packets after the packets are sent or received at a rate that is much higher than the committed information rate (CIR).

Conditions: This symptom is observed on a Cisco 7500 series router but is not platform dependent.

Workaround: There is no workaround.

CSCek24468

Symptoms: Dangling bearer channels or voice DSP channels may occur.

Conditions: This symptom is observed under heavy stress with short duration calls on a Cisco platform such as a Cisco AS5400 or Cisco AS5850 that functions as a gateway.

Workaround: There is no workaround.

CSCek24782

Symptoms: A Cisco platform that is configured for ISDN and AAA may reload unexpectedly.

Conditions: This symptom is observed on a Cisco 5400XM that functions under stress. The symptom is platform-independent.

Workaround: There is no workaround.

CSCek26044

Symptoms: The following message may be displayed on the console when you enter the write memory command or when the copy nvram:startup-config command is configured for any SRC configuration:

NV: Invalid Magic found in NVRAM.....Erase of configuration files recommended

Conditions: This symptom is observed on a Cisco platform that runs Cisco IOS interim Release 12.4(6.7) or interim Release 12.4(6.6)T and affects the following platforms: Cisco 2811, Cisco 2821, Cisco 2851, Cisco 3825, Cisco 3845, and a BCM-based Cisco AS5400.

Workaround: There is no workaround.

CSCek26158

Symptoms: A memory leak may occur on a router that is configured for Embedded Event Manager (EEM).

Conditions: This symptom is observed when EEM Tcl policies are registered to run on the router.

Workaround: There is no workaround.

CSCek26311

Symptoms: A router may crash when certain IP options are changed on a virtual template while PPP sessions are being terminated.

Conditions: This symptom is observed on a Cisco router when a large number (50,000) of PPP sessions is being terminated.

Workaround: Do not change the configuration of the virtual template while a large number of PPP sessions is being terminated.

CSCek26492

Symptoms: A router may crash if it receives a packet with a specific crafted IP option as detailed in Cisco Security Advisory: Crafted IP Option Vulnerability:

http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml

Conditions: This DDTS resolves a symptom of CSCec71950. Cisco IOS releases with this specific DDTS are not at risk of a crash if CSCec71950 has been resolved in the software.

Workaround: Cisco IOS versions with the fix for CSCec71950 are not at risk for this issue and no workaround is required. If CSCec71950 is not resolved, see the following Cisco Security Advisory: Crafted IP Option Vulnerability for workaround information:

http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml

CSCek27156

Symptoms: The EzVPN connection may fail when you send interesting traffic.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.4(3c).

Workaround: There is no workaround.

CSCek27181

Symptoms: Cisco Land Mobile Radio (LMR) VoIP may not function.

Conditions: This symptom is observed when multicast is configured.

Workaround: There is no workaround.

CSCek27424

Symptoms: A Cisco 7200 series reloads unexpectedly when you boot the router with Cisco IOS Release 12.4.

Conditions: This symptom is observed on a Cisco 7200 series that is configured for voice.

Workaround: There is no workaround.

CSCek29792

Symptoms: A router that is configured for voice may crash because of a bus error and an error message similar to the following may be generated:

Address Error (load or instruction fetch) exception, CPU signal 10, PC = 0x400BA2B8

Conditions: This symptom is observed when all the following conditions occur:

1. Redirection is triggered by a feature other than Call Forward Busy or Call Forward All.

2. The calling party such as a user with an FXS phone does not support redirection.

3. If a TCL script is used, the rerouteMode is set to REDIRECT_ROTARY.

4. The rerouteNumber is an invalid E.164 number or URL.

Workaround: There is no workaround.

CSCek30748

Symptoms: A router reloads when you enter the tunnel protection ipsec profile vpnprof command.

Conditions: The symptom can be observed on a Cisco 7200 series but may be platform-independent.

Workaround: There is no workaround.

CSCek33253

Symptoms: NextPort modems that function in a T1 CAS signaling configuration do not dial all the DTMF digits successfully.

Conditions: This symptom is observed when you enter valid DTMF digits such as # and * in a dial string.

Workaround: Use MICA modems instead of NextPort modems.

Alternate Workaround: Use ISDN PRI T1 instead of T1 CAS signaling.

CSCek34049

Symptoms: A Cisco AS5850 that is configured for RPR+ may be unable to process more than 1990 MGCP voice calls. With more than 1990 MGCP voice calls, any of the following symptoms may occur:

- Many DSPs may time out.

- Active calls may hang.

- Spurious memory accesses and tracebacks may be generated.

- Incoming calls may be dropped.

- NextPort SPE ports may be stuck in the "a" state.

Conditions: These symptoms are observed on a Cisco AS5850 that runs Cisco IOS Release 12.4(3d) or Release 12.4(7a).

Workaround: There is no workaround. A Cisco AS5850 that is used to its full capacity (4 CT3 worth of MGCP calls) may not scale beyond 1990 calls. When the symptoms have occurred, reload the Cisco AS5850.

CSCek34261

Symptoms: A Cisco Integrated SONET/SDH Router (ISR) may crash in the "gt96k_mbrd_bri_set_bandwidth" function.

Conditions: This symptom is observed on a Cisco 1800 series, Cisco 2800 series, and Cisco 3800 series that function as an ISR when an incoming call is placed with 32 KB bandwidth. Note that the symptom does not occur with a call with 56 KB or 64 KB bandwidth.

Workaround: Deny the invalid incoming call by entering the isdn caller command on the ISR.

CSCek34617

Symptoms: A spurious memory access is generated when the router is booting up after a power-cycle or reload.

Conditions: This symptom is observed on a Cisco 2600 series, Cisco 3700 series, and Cisco 3800 series that have a virtual asynchronous auxiliary interface configured.

Workaround: Remove the interface async1 command from the running configuration and reload the router.

CSCek35122

Symptoms: VLAN subinterface counters are not updated for an EoMPLS interface.

Conditions: This symptom is observed when VLAN packets are switched into a L2VPN Pseudowire Switching environment.

Workaround: Use Xconnect show commands such as the show mpls l2tr vc detail command or show l2tun session all command to gather information about the VLAN subinterface counters.

Alternate Workaround: Use pseudowire MIBs to gather information about the VLAN subinterface counters. For example, use the VcPerfTotalInHCBytes (cpwVcPerfTotalInHCBytes) object, which is the equivalent of the ifInOctets input traffic statistic that is not updated for the EoMPLS interface.

CSCek37177

The Cisco IOS Transmission Control Protocol (TCP) listener in certain versions of Cisco IOS software is vulnerable to a remotely-exploitable memory leak that may lead to a denial of service condition.

This vulnerability only applies to traffic destined to the Cisco IOS device. Traffic transiting the Cisco IOS device will not trigger this vulnerability.

Cisco has made free software available to address this vulnerability for affected customers.

This issue is documented as Cisco bug ID CSCek37177.

There are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-tcp.shtml

CSCek37686

Symptoms: A Cisco AS5350 may reload because of a bus error (SIG=10).

Conditions: This symptom is observed when SNMP is configured and when SNMP queries are made into the Cisco AS5350.

Workaround: Disable SNMP or stop polling the router.

CSCek38136

Symptoms: When you deploy VoIP using PVDM2 / 5510 DSP modules, a hissing sound may be heard before the ringback tone starts on the calling side.

Conditions: This symptom is observed only with 5510 DSP modules. The symptom does not occur with 549 DSP modules.

Workaround: There is no workaround.

CSCek38939

Symptoms: The input error counter may not be incremented for packet errors such as runts, CRC errors, and overrun errors.

Conditions: This symptom is observed on a Cisco 7200 series that has an NPE-G1.

Workaround: There is no workaround.

CSCin85894

Symptoms: This caveat consists of two symptoms, two conditions, and two workarounds:

1. Symptom 1: A "%SYS-3-MGDTIMER" error message followed by a traceback may be generated at the "mgd_timer_complain_uninit" function when an extended ACL is configured with the same name as an active reflexive ACL.

Condition 1: This symptom is observed when the extended ACL is configured with the same name as the reflexive ACL, when the reflexive timer expires at the moment of configuration, and when the dynamic entries of the reflexive ACL are still in place when you configure the extended ACL.

Workaround 1: Wait until the reflexive timer expires before you configure an extended ACL with the same name as a reflexive ACL.

2. Symptom 2: A software-forced reload may occur when a standard ACL is configured with the same name as an active reflexive ACL.

Condition 2: This symptom is observed when the standard ACL is configured with the same name as the reflexive ACL, when the reflexive timer expires at the moment of configuration, and when the dynamic entries of the reflexive ACL are still in place when you configure the standard ACL.

Workaround 2: Wait until the reflexive timer expires before you configure a standard ACL with the same name as a reflexive ACL.

CSCin86885

Symptoms: A VIP6-80 in which a PA-MC-STM-1SMI is installed may crash.

Conditions: This symptom is observed on a Cisco router that runs a Cisco IOS interim release for Release 12.0(31)S after link flaps occur on the PA-MC-STM-1SMI that has QOS configured on its serial interfaces.

Workaround: There is no workaround.

Symptoms: When you configure bindings through the ssg bind direction downlink global configuration command, the bindings are not applied to interfaces.

Conditions: This symptom is observed on a Cisco platform that is configured for SSG.

Workaround: Configure bindings through the interface configuration command mode instead of through the global configuration command mode. You can use the following command:

interface type number
ssg direction {downlink | uplink}

Following is an example:

Router(config)# interface FastEthernet 1/0
Router(config-if)# ssg direction downlink

CSCin98933

Symptoms: When you enter the write memory, copy running-config startup-config, or copy file nvram:startup-config command, or when the router boots, the router may display the following error message:

NV: Invalid Pointer value(6357F3CC) in private configuration structure

Conditions: This symptom is observed under the following conditions:

1. The router runs Cisco IOS interim Release 12.4(06.05), interim Release 12.4(06.05)T, or later releases, that is, the Cisco IOS image integrates the fix for caveat CSCsc61630.

2. The error message is generated when the NVRAM is corrupted. This type of NVRAM corruption occurs in rare conditions.

3. The router is a Cisco 2600 series, Cisco 2800 series, Cisco 3725, Cisco 3745, Cisco 3825, Cisco 3845, Cisco AS5400, Cisco RPM, or Cisco RPM-XF. The symptom does not occur on a Cisco 7200 series or on a Cisco 7500 series that has an RSP.

Workaround: Enter the erase nvram: or write erase command to initialize the NVRAM block geometry. Then, enter the write memory command to copy the running configuration to the startup configuration. This is a quick, temporary solution. For a permanent solution, see the "Further Problem Description."

Note: Ensure that you have a backup copy of the startup configuration in some other storage device.

Alternate Workaround: Save the running configuration to a storage device other than NVRAM.

Further Problem Description: The symptom occurs because there is a stale, unerased private-configuration pointer in NVRAM, other than the original private-configuration pointer. Because this pointer is an invalid one, the Cisco IOS software image detects this corruption and reports this error.

When you have upgraded the Cisco IOS software image to one that integrates the fix for caveat CSCin98933, take the following steps:

1. Create a backup copy of all the required files in NVRAM.

2. Erase the entire NVRAM by entering the erase /all nvram: command, thereby ensuring that there are no stale pointers in NVRAM and that the NVRAM device is filled with 0x0 or 0xFF patterns.
Note: The erase nvram: or write erase command erases only the partial contents of NVRAM.

3. Next, restore the files that were previously in NVRAM back to NVRAM via the copy and write memory commands.

In addition, ensure that the Cisco IOS software image that your router is running integrates the fix for caveats CSCin99301 and CSCsd13227 because caveat CSCin98933 may trigger caveats CSCin99301 and CSCsd13227.

CSCin99301

Symptoms: The router cannot be reloaded using the reload command. The following message is displayed when trying to reload the router:

The startup configuration is currently being updated. Try again.

Conditions: This symptom occurs in some rare conditions. It may be triggered after the "Invalid pointer value in private configuration structure" message is displayed (as seen in CSCin98933 and CSCsd63356).

Workaround: There is no workaround other than power cycling the router.

CSCsa63173

Symptoms: CEF may not be updated with a new path label that is received from a BGP peer.

Conditions: This symptom is observed when a Cisco router that is configured for IPv4 BGP Label Distribution and multipath receives a BGP update that changes only the MPLS label to a non-bestpath multipath. In this situation, the router does not update the forwarding plane, causing dropping or misbranding of traffic because of label inconsistencies between the BGP table and the forwarding table.

Workaround: There is no workaround.

CSCsa95310

Symptoms: For an internally switched ATM link between two RPM blades in a Cisco MGX series, when a PE router blade is connected to another router blade that functions as a Label Switch Controller (LSC), the "physical" sw1.x on the PE router and the XTagNN interface on the LSC may be in the UP state, but an LDP adjacency is never created, preventing traffic from flowing over the ATM interface.

When the symptom occurs, the output of the show ip interface brief command on either side of the connection shows that the line is up but the output of the show mpls ldp discovery command does not show any output for the affected ATM interface.

Conditions: This symptom is observed occasionally when you run automated scripts on the platforms.

Workaround: When the symptom has occurred, enter the shutdown interface configuration command followed by the no shutdown interface configuration command for the affected ATM interface. Doing so re-enables the traffic to flow.

CSCsb11565

Symptoms: On a Cisco CallManager side, only the calling number is seen, and there is no information that the call is a forwarded call.

Conditions: This symptom is observed when calls are forwarded to a Cisco CallManager by a Cisco Unified CallManager Express (CME) and when the parameter "redirect reason" is incorrectly set.

Workaround: There is no workaround.

CSCsb12253

Symptoms: A Cisco 2600 series may fail to establish a connection with a Cisco CallManager.

Conditions: This symptom is observed on a Cisco 2600 series that runs Cisco IOS Release 12.4 or Release 12.4T and that is configured for SCCP.

Workaround: Reboot the Cisco 2600 series.

CSCsb40304

A Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.

Cisco IOS is affected by the following vulnerabilities:

- Processing ClientHello messages, documented as Cisco bug ID CSCsb12598

- Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304

- Processing Finished messages, documented as Cisco bug ID CSCsd92405

Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml.


Note: Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml.


A combined software table for Cisco IOS is available to aid customers in choosing a software release that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.

CSCsb52900

Symptoms: An inconsistency may occur in the outlabel information that is used by BGP and MPLS forwarding.

Conditions: This symptom is observed when there are two route reflectors (RRs) that advertise the same route and when one of the routes is the best path. The symptom occurs when the following conditions are present:

- The PE router that is the source restarts, causing the prefix to be readvertised with a new label.

- The RR that forms the non-best path delays the withdrawal and readvertisement of the prefix, for example, because the RR has a heavy load.

This situation causes BGP to function with the new label but MPLS forwarding to function with the old label.

Workaround: Enter the clear ip route network command for the affected prefix.

CSCsb59829

Symptoms: A Network Admission Control (NAC) device that is associated with a VPN concentrator may prevent a host from accessing the network.

Conditions: This symptom is observed when the following conditions occur:

1. A non-Cisco Trust Agent (CTA) host accesses the network with IP address A.

2. Based on the access policies that the NAC device receives from the Access Control Server (ACS), the NAC device provides access to the non-CTA host.

3. When the non-CTA host is removed, the same IP address (IP address A) that was associated with the non-CTA host is now assigned to another host.

Workaround: When the hold timer of the NAC device expires, the new host is automatically detected. If the session timeout and termination action are associated with a non-responsive host (NRH), the posture of the new host can be validated during revalidation.

CSCsb69271

Symptoms: The voice path confirmation fails due to time-out while waiting for the DTMF tone.

Conditions: The channels on the CallGen time out while waiting for DTMF tones sent by the other channels. This is not specific to a particular DTMF tone; it is random.

Workaround: There is no workaround.

CSCsb71243

Symptoms: A SIP gateway may not process an incoming REFER request that does not include a "Referred-By" header and returns a "400 Bad Request" response.

Conditions: This symptom is observed on a Cisco platform that functions as a SIP gateway.

Workaround: There is no workaround.

Further Problem Description: RFC3515 does not mandate that a "Referred-By" header is included in a REFER request.

CSCsb72082

Symptoms: A router crashes when a call from the PSTN to a SIP gateway is disconnected.

Conditions: This symptom is observed when the Record-Route header in any message that is received by the gateway is more than 128 bytes long.

Workaround: Reduce the length of the Record-Route header to less than 128 bytes.

CSCsb76671

Symptoms: Intermittent one-way audio (PSTN hears dead air) on inbound ISDN call through Cisco VoIP AS5850 gateway.

Conditions: This symptom has been observed to occur with inbound ISDN calls with outbound SIP calls towards a Cisco MeetingPlace server. Numerous calls that are transferred via SIP REFER contribute to the gateway getting into this state.

Workaround: There is no workaround to prevent the gateway from getting into this state. Once in this state, reloading the gateway will help clear this condition for a while.

CSCsb82045

Symptoms: Some bindings may not be synchronized when a Cisco router that functions as an active Home Agent R3.0 is reloaded as part of the initial bulk synchronization process.

Conditions: This symptom is observed only when the ip mobile home-agent redundancy hsrp-group-name virtual-network address address command is enabled. This command is required for normal and bulk synchronization of bindings for VRF users. The address argument in the command represents the VRF subnet.

Workaround: Enable redundancy by entering the ip mobile home-agent redundancy hsrp-group-name command, that is, without the virtual-network address keyword and address argument.

CSCsc00038

Symptoms: A call that is made from an SCCP phone to an analog phone that is connected to a SIP gateway sets up fine. However, when you press the DTMF digits on the SCCP phone, the DSP on a POTS interface crashes.

Conditions: This symptom is observed when the SIP gateway and MTP are configured on the same router, when the SCCP phone and the SIP gateway are registered to a Cisco CallManager, and when the Cisco CallManager inserts MTP into the call.

Workaround: There is no workaround.

CSCsc04377

Symptoms: High CPU utilization may occur in the "HTTP CORE" process of a router that is configured for proxy authentication, and proxy authentication attempts may remain in the "INIT" state.

Conditions: These symptoms are observed on a Cisco router that runs Cisco IOS Release 12.3T, Release 12.4, or Release 12.4T.

Workaround: There is no workaround.

CSCsc04961

Symptoms: The [no] negotiation auto configuration command causes confusion.

Conditions: For the RJ-45 port on GigE interfaces, this CLI has no effect. This causes confusion because users expect identical behavior between RJ-45 and SFP (that is, fibre). To clarify further, according to IEEE, RJ-45 at 1000 Mbps must always have autonegotiation on, and the RJ-45 behavior is undefined if forced mode is used at 1000 Mbps. Also, in the case of RJ-45, flow control is always kept on by default, whereas in the case of SFP, the [no] negotiation auto CLI controls hardware flow control. This is observed on Cisco IOS Release 12.3 and also Cisco IOS Release 12.4T. This flow-control feature is being investigated further, and this release note may be updated accordingly.

Workaround: Encourage users to not use this CLI currently when using RJ-45 ports for platform GigE interfaces on Cisco 3825 and Cisco 3845.

Further Problem Description: The confusion results because this CLI is supported currently only for SFP (i.e. Fibre media). It does two things for SFP:

1. Sets the mode to either Forced or Autonegotiation depending on whether the [no] option is selected.

2. Removes or adds XON/XOFF hardware flow control support depending on [no] option selection.

CSCsc11636

Symptoms: A router requires a very long time to boot (more than 5 minutes, potentially hours). Also, changes to the QoS configuration may take a long time.

Conditions: This symptom is observed when the QoS configuration has a complex arrangement of many policies that reference many access control entries (ACEs) through a number of class maps. The time required is, roughly, proportional to the number of combinations of interfaces, policies, classes, and ACEs. For example, if each of 200 interfaces has a QoS policy, each policy uses five class maps, each class map references two ACLs, and each ACL has 30 entries, there are 60,000 combinations.

Workaround: Either reduce the number of combinations of interfaces, policies, class maps, and ACEs, or load the configuration in two stages. The first stage (from NVRAM) should contain the interface and ACL definitions, and the second stage (from another file) should contain the classes and policies.

CSCsc11833

Symptoms: An analog or digital CAS port enters a state in which inbound or outbound calls, or both, may no longer function through the port.

Conditions: This symptom is observed on a Cisco 2800 series and Cisco 3800 series that function as gateways with analog or digital CAS ports that use PVDM2 DSP modules.

It may take some time for the symptom to occur, but when it does occur, it impacts multiple ports that share the same signaling DSP. The output of the show voice dsp signaling EXEC command shows you which DSP is used by a port for signaling. The symptom may occur more often for ports that use DSP 1 on the PVDM2 module for signaling.

If a problem occurs only on a single voice port, it is a different problem, not this caveat (CSCsc11833). PRI/BRI calls are not affected because PRI/BRI does not utilize the DSP for signaling purposes.

When the symptom occurs with either a VIC2-xFXO or EVM DID/FXS module, enter the terminal monitor command followed by the test voice port port-number si-reg-read 39 1 command for one of the affected ports. The output typically should be a single octet value for register 39. When the symptom occurs, information for Registers 40, 41 and 42 is presented and some of the registers show double-octet information. See the example output (2) below.

When the symptom occurs with FXS or analog E&M modules, enter the terminal monitor command followed by the test voice port port-number codec-debug 10 1 command for one of the affected ports. The output typically should be a single octet value for each register. See the example output (4) below.

Workaround: There is no workaround to prevent the symptom from occurring. When the symptom has occurred, you must reload the gateway to restore proper operation.

Further Problem Description: When you run a Cisco IOS software image that integrates the fix for this caveat (CSCsc11833) and the symptom still occurs, contact the TAC.

Following are command output examples:

1. Following is an example of normal output for FXO and EVM FXS ports.

For FXO ports, the value is usually 0x01 but for EVM FXS the value can be different. When you run the above-mentioned command, the expected output is that a single octet is displayed and only for register 39. (This command does not work for VIC-4FXS and VIC2-xFXS modules).

router#term mon

router#test voice port 0/3/3 si-reg-read 39 1

router#

Values read from SiLabs Codec connected to DSP 0, channel 11:

--------------------------------------------------------------

Register 39 = 0x01

2. Following is an example of output for FXO and EVM FXS ports that indicates that the symptom has occurred. Note that the exact output for the register values is different, but when the symptom occurs, different lines with information are displayed as shown below:

router#term mon

router#test voice port 0/3/3 si-reg-read 39 1

router#

Values read from SiLabs Codec connected to DSP 0, channel 11:

--------------------------------------------------------------

Register 39 = 0x5CB8

Register 40 = 0xFFFF

Register 41 = 0xFFFF

Register 42 = 0xFFFF

3. Following is an example of normal output for FXS and analog E&M modules. The values that are listed in a normal case may be different, but only four registers of a single octet should be displayed.

Values read from PEB2465 Codec connected to DSP 02 (channel 0):

---------------------------------------------------------------

Extended Register Values (XR4..XR1) = 00, CC, 50, 11

4. Following is an example of output for FXS and analog E&M modules that indicates that the symptom has occurred.

Values read from PEB2x65 Codec connected to DSP 0, channel 1:

------------------------------------------------------------

Extended Register Values (XR4..XR1) = D001, B83C, 3FF1, 63AC
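The check described for CSCsc11833 can be automated over captured command output. The following is an added example, not Cisco code and not part of the original release note; the function names are hypothetical, and the four sample captures are the example outputs (1) through (4) shown above.

```python
import re

# Line format printed by "test voice port <port> si-reg-read 39 1"
# (per the note above, not usable on VIC-4FXS and VIC2-xFXS modules).
REG_LINE = re.compile(r"^\s*Register\s+(\d+)\s*=\s*0x([0-9A-Fa-f]+)\s*$")
# Line format printed by "test voice port <port> codec-debug 10 1".
XR_LINE = re.compile(r"^\s*Extended Register Values \(XR4\.\.XR1\)\s*=\s*(.+?)\s*$")


def octets(hex_digits):
    """Width of a printed hex value in octets (printed width, leading zeros count)."""
    return (len(hex_digits) + 1) // 2


def check_si_reg_read(output, requested=39):
    """Classify si-reg-read output for FXO / EVM FXS ports.

    Normal: only the requested register is shown, as a single octet.
    The value itself is not checked, because it differs between modules.
    """
    regs = [(int(m.group(1)), m.group(2))
            for m in map(REG_LINE.match, output.splitlines()) if m]
    if not regs:
        return "no-data", ["no 'Register NN = 0x..' line found"]
    reasons = []
    extra = sorted({num for num, _ in regs if num != requested})
    if extra:
        reasons.append("unexpected registers: " + ", ".join(map(str, extra)))
    wide = [f"{num}=0x{val}" for num, val in regs if octets(val) > 1]
    if wide:
        reasons.append("multi-octet values: " + ", ".join(wide))
    return ("symptom" if reasons else "normal"), reasons


def check_codec_debug(output):
    """Classify codec-debug output for FXS / analog E&M modules.

    Normal: exactly four extended register values, each a single octet.
    """
    for line in output.splitlines():
        m = XR_LINE.match(line)
        if m:
            values = [v.strip() for v in m.group(1).split(",")]
            break
    else:
        return "no-data", ["no 'Extended Register Values' line found"]
    reasons = []
    if len(values) != 4:
        reasons.append(f"expected 4 register values, got {len(values)}")
    wide = [v for v in values if not re.fullmatch(r"[0-9A-Fa-f]{1,2}", v)]
    if wide:
        reasons.append("values that are not a single octet: " + ", ".join(wide))
    return ("symptom" if reasons else "normal"), reasons


# Captures copied from example outputs (1) to (4) in this caveat.
NORMAL_FXO = """Values read from SiLabs Codec connected to DSP 0, channel 11:
--------------------------------------------------------------
Register 39 = 0x01
"""
SYMPTOM_FXO = """Values read from SiLabs Codec connected to DSP 0, channel 11:
--------------------------------------------------------------
Register 39 = 0x5CB8
Register 40 = 0xFFFF
Register 41 = 0xFFFF
Register 42 = 0xFFFF
"""
NORMAL_XR = """Values read from PEB2465 Codec connected to DSP 02 (channel 0):
---------------------------------------------------------------
Extended Register Values (XR4..XR1) = 00, CC, 50, 11
"""
SYMPTOM_XR = """Values read from PEB2x65 Codec connected to DSP 0, channel 1:
------------------------------------------------------------
Extended Register Values (XR4..XR1) = D001, B83C, 3FF1, 63AC
"""

if __name__ == "__main__":
    for name, fn, text in [("FXO normal", check_si_reg_read, NORMAL_FXO),
                           ("FXO symptom", check_si_reg_read, SYMPTOM_FXO),
                           ("E&M normal", check_codec_debug, NORMAL_XR),
                           ("E&M symptom", check_codec_debug, SYMPTOM_XR)]:
        verdict, reasons = fn(text)
        print(f"{name}: {verdict} {reasons}")
```

A "symptom" verdict on several ports that share one signaling DSP matches this caveat; a single affected port points to a different problem, as noted above.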

CSCsc12255

Symptoms: When you deploy VoIP on an NM-HDV2 network module that is configured with a PVDM2-64 module, a hissing sound may be heard before the ringback tone starts on the calling side.

Conditions: This symptom is observed only with an NM-HDV2 network module. Note that the symptom does not occur with an NM-HDV network module.

Workaround: There is no workaround.

CSCsc12570

Symptoms: The codec upspeed, for example, from G729 to G711ulaw, or the codec downspeed, for example, from G711ulaw to G729, does not occur. Other call parameter changes that are packet stream-related such as VAD and PLAYOUT do not occur as expected.

Conditions: This symptom is observed when the codec type or other packet stream parameters are modified by using MDCX or through the TDM side of the call module, via VTSP.

Workaround: There is no workaround.

CSCsc14208

Symptoms: When you change the IP address of a loopback interface that functions as the ID for a TE router, TE auto-mesh tunnels do not reestablish a connection with that router. Also, static TE tunnels for which the destination is modified to match the new loopback IP address cannot reestablish their connection and the tunnels remain down.

Conditions: This symptom is observed when all of the following conditions occur:

OSPF is configured to flood TE advertisements in a given area via the mpls traffic-eng area area-number command.

OSPF is configured to use the loopback interface for which the IP address is modified as the ID for the TE router via the mpls traffic-eng router-id loopback command.

TE tunnels or auto-mesh tunnels are configured with the destination set as the IP address of the loopback interface that is mentioned above.

You change the IP address of the loopback interface that is used as the ID for the TE router.

Workaround: If you need to change the loopback address that is used as the ID for the TE router, follow these steps:

1. Shut down the loopback interface.

2. Modify the IP address of the loopback interface.

3. Bring up the loopback interface.

When the loopback interface address was changed and the symptom has occurred, clear the OSPF routing process in order for the tunnels to be reestablished by entering the clear ip ospf process command.

CSCsc18999

Symptoms: When you enter the clear subscriber sessions all command, the router reloads.

Conditions: This symptom is observed when Transparent Autologon (TAL) is used with ISG for control over DHCP addressing and when the router is using nearly all available CPU cycles and RAM.

Workaround: Do not enter the clear subscriber sessions all command.

CSCsc28313

Symptoms: Dot1x ports may be unresponsive and ports that are unauthenticated may become stuck unauthenticated.

Conditions: This symptom is observed when dot1x is configured on more than one routed port and when the line protocol goes down on one of the ports because the remote connection goes down. The remaining ports that are configured for dot1x may become and remain unresponsive until the line protocol on the first port comes back up automatically.

Workaround: Enter the no dot1x system-auth-control command followed by the dot1x system-auth-control command to globally reset the dot1x configuration.

CSCsc35024

Symptoms: A Cisco 2600 series with an E1 WIC may crash when you enter the channel-group timeslots command.

Conditions: This symptom is observed when the router runs Cisco IOS Release 12.3(15b) or an earlier release, when a service policy is applied on a subinterface, and when traffic is being processed by the router. The symptom could occur in Release 12.4 or Release 12.4T.

Workaround: Remove the service policy before you change the time slot.

CSCsc37281

Symptoms: TCP connections may not be established between an end device that has TCP stacks that are not RFC-compliant and a platform that has a Cisco IOS firewall enabled.

Conditions: This symptom is observed when the platform that has the Cisco IOS firewall enabled enforces strict checking for a TCP Window Scale option per RFC1323 section 2.

Workaround: There is no workaround. Note that the Cisco IOS firewall functions properly.

Further Problem Description: This is an enhancement request. For Cisco IOS software images that implement this enhancement, the Cisco IOS firewall makes an exception to RFC1323 section 2 so TCP connections can be established between the platform that has the Cisco IOS firewall enabled and an end device that has TCP stacks that are not RFC-compliant.

CSCsc39491

Symptoms: Cisco Security Monitoring, Analysis, and Response System (MARS) reports a parsing error for the log received from CICS for signature alerts seen on Cisco IOS IPS participating in the Cisco ICS.

Conditions: MARS is set up to receive events from CICS about signature alerts seen on Cisco IOS IPS participating in ICS.

Workaround: There is no workaround.

CSCsc40236

Symptoms: Incorrect outgoing labels are installed for BGP-IPv4 Multipath prefixes.

Conditions: This symptom has been observed anytime that a label changes from a BGP-IPv4 Multipath peer.

Workaround: Clearing the BGP neighbor should allow the correct labels to be installed.

CSCsc40952

Symptoms: Phones that are configured for the Cisco VT Advantage feature will not register with SRST if they are engaged in SRST fallback operation.

Conditions: This symptom is observed when using the following:

Cisco CallManager Version 5.0 (1.51.225)

Cisco 2600 product line for SRST

Cisco IOS Release 12.4

Workaround: Unplug connection to Cisco VT Advantage.

CSCsc50341

Symptoms: A router may lose its PVC configuration.

Conditions: This symptom is observed on a Cisco router that has an IMA group configured on an AIM-ATM on which the atm bandwidth dynamic command is enabled. The symptom occurs when the following events occur:

1. You use a Telnet session to enter the show policy-map interface command for the interface on which the IMA group is configured and the session is waiting for a key stroke at the "more" prompt.

2. On the far end of the connection, either the T1/E1 cable that provides the connection is pulled out or the shutdown command is entered.

Workaround: There is no workaround.

CSCsc55822

Symptoms: There are four different symptoms, all with the same conditions. These symptoms do not occur in any specific order:

UDP packets that are smaller than 40 bytes are dropped when the UDP checksum is set to 0.

Extended enhanced UDP (Ecudp) packets with a CSRC list are malformed; the "CC" bit is located at the wrong place.

When the CSRC list becomes null, the context is not updated to reflect this change.

When you enter the debug ip rtp header-compression command followed by the debug ip rtp errors command, the output may display the wrong packet type. (This situation is of a cosmetic nature.)

Conditions: These symptoms are observed when you generate UDP packets that are smaller than 40 bytes and when the UDP checksum is set to 0. The UDP packets are generated on a serial interface that has enhanced RTP header compression enabled in IETF format via the ip rtp header-compression ietf-format command.

Workaround for the UDP packets: Send UDP packets that are smaller than 40 bytes with UDP checksums enabled.

Workaround for the other symptoms: There is no workaround.

CSCsc58556

Symptoms: A Cisco router may crash when an EEM Tcl policy runs.

Conditions: This symptom is observed when the available memory is very low.

Workaround: Increase the available memory. If this is not an option, there is no workaround.

CSCsc58919

Symptoms: Packets from a DMVPN tunnel with QoS pre-classification are not classified correctly on the physical interface in the child policy-map of an HQS framework. The access-lists used do not match.

Conditions: This happens on a Cisco 1841 router running Cisco IOS Release 12.4(4)T.

Workaround: There are two possible workarounds:

Disable hardware acceleration.

Use static crypto-maps in place of DMVPN.

CSCsc65165

Symptoms: A Cisco 7200 series reloads unexpectedly when you enter the hw-module slot slot-number stop command for a T3 port adapter.

Conditions: This symptom is observed on a Cisco 7200 series that is configured with 100 EzVPN IVRFs on a DS3 interface of the T3 port adapter.

Workaround: There is no workaround.

CSCsc68262

Symptoms: A Cisco 2821 may crash intermittently.

Conditions: This symptom is observed on a Cisco 2821 that switches Encapsulating Security Payload (ESP) packets. The symptom may not be platform-specific.

Workaround: There is no workaround.

CSCsc70644

Symptoms: User CLI sessions become stuck on all Cisco routers while configuring QoS.

Conditions: This symptom has been observed after executing a show policy-map interface command with Cisco IOS Release 12.4T.

Workaround: There is no workaround.

CSCsc76061

Symptoms: When PPPoA and a virtual template are used, ARP requests are not bridged from a LAN through a DSL connection.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.3(8)YI3 or Release 12.4(4)T when BVI is configured to bridge remote LANs to DSL connections that use PPPoA with virtual templates and aal5ciscoppp encapsulation. The symptom may also occur in other releases.

Workaround: There is no workaround.

CSCsc76407

Symptoms: Router-originated packets that are subject to encryption are bypassing the Quality of Service (QoS) feature. This prevents QoS from giving priority to protocol packets (for example BGP), which in turn can cause these protocol packets to be dropped when the outgoing link is congested.

Conditions: This symptom is observed when router-originated packets are IPSec encrypted.

Workaround: Disable CEF and fast switching and use process switching.

CSCsc79700

Symptoms: URL filtering takes an excessively long time to revert to the allow mode if a URL Filtering Server is unavailable.

Conditions: This symptom is observed when a communication loss occurs between the router and the URL Filtering Server because of a failure or an excessive load on the URL Filtering Server, or because of a network connectivity failure between the router and the URL Filtering Server.

Workaround: There is no workaround.

CSCsc80670

Symptoms: When you power-up the router or enter the shutdown interface configuration command followed by the no shutdown interface configuration command for the on-board Fast Ethernet 0/0 interface, the interface may enter the "FastEthernet0/0 is up, line protocol is down" state.

Conditions: This symptom is observed when the Fast Ethernet 0/0 interface is connected to particular third-party vendor media converters that are placed in series, as in the following topology:

Cisco 1718 (fa0/0) -- media converter<-->media converter --(fa 0/1) Cisco 2950

The symptom does not occur when you do not use media converters.

Workaround: Replace the media converters with those of another third-party vendor. If you need more information, contact the Cisco TAC.

CSCsc81637

Symptoms: A Cisco IOS VoIP gateway may reload unexpectedly.

Conditions: This symptom is observed on a gateway such as a Cisco 2800 series or Cisco 3800 series that supports time-division multiplexing (TDM) hairpinning between voice modules. Under rare circumstances, the gateway may unexpectedly reload when a call is hairpinned between ports on the gateway.

Workaround: There is no workaround.

CSCsc83192

Symptoms: A router may crash when threats are continuously sent and removed from a controller and when simultaneously access control list (ACL) entries are checked by entering the show ip access-lists command.

Conditions: This symptom is observed when an ACL entry is being displayed and when simultaneously the same entry and the next entry are being deleted.

Workaround: Do not enter the show ip access-lists command while a dynamic ACL entry is being deleted.

CSCsc84858

Symptoms: A router may crash because of a bus error when you enter the no policy-map command.

Conditions: This symptom is observed on a Cisco 7200 series that has an NPE-G1 and that runs Cisco IOS Release 12.3(10c). The symptom may also occur in other releases.

Workaround: There is no workaround.

CSCsc85575

Symptoms: No audio is received from a Cisco 7931 IP phone.

Conditions: This symptom is observed when a call is made between a Cisco 7960 IP phone and a Cisco 7931 IP phone. The user of the Cisco 7960 IP phone experiences one-way audio intermittently while the user of the Cisco 7931 IP phone does not experience this symptom.

Workaround: Reset the Cisco 7931 IP phone.

CSCsc89979

Symptoms: When an event is triggered for an EEM applet, a "sequence number out of sync" error message is generated on the router.

Conditions: This symptom is observed when the "action cli info type cli frequency" command action is defined in the EEM applet.

Workaround: There is no workaround.

CSCsc90694

Symptoms: The standby RP of a Cisco 7500 series may unexpectedly reload.

Conditions: This symptom is observed when the Cisco 7500 series functions in RPR+ mode and when you perform an OIR of a VIP that is in a disabled analyzed wedged state.

Workaround: There is no workaround.

CSCsc90715

Symptoms: PPPoE sessions are not established.

Conditions: This symptom is observed on a Cisco platform that runs Cisco IOS interim Release version 12.4(6.3) but may also occur in other releases of Release 12.4 or Release 12.4T.

Workaround: There is no workaround.

CSCsc90972

Symptoms: When the DHCP Address Allocation Using Option 82 feature is enabled, multiple classes cannot be given an address range.

Conditions: This symptom is observed on a Cisco router that has the ip dhcp class command enabled.

Workaround: Follow these steps to assign an address range for multiple classes:

1. Enter the global configuration mode.

2. Enter the ip dhcp pool vlan global configuration command.

3. Enter the class classname command.

4. Configure the address range.

CSCsc93952

Symptoms: Only one PRI channel instead of all PRI channels is busied out when Advanced Voice Busy-Out (AVBO) is used.

Conditions: This symptom is observed on a Cisco router when the busyout monitor interface command is enabled and when the interface for which the command is enabled is shut down.

Workaround: There is no workaround.

CSCsc94359

Symptoms: The BGP table and CEF forwarding table may have mismatched labels for prefixes that are learnt from a remote PE router.

Conditions: This symptom is observed on a Cisco router that functions as a PE router when an eBGP session flap or route flap occurs on the remote PE router. A new label for the prefix is learnt from the remote PE router, but forwarding may not be updated properly.

Workaround: There is no workaround. When the symptom has occurred, and to correct the situation, enter the clear ip route vrf vrf-name network command on the PE router that has mismatched labels.

CSCsc95234

Symptoms: When the stcapp global configuration command is enabled, the command is not accepted and the following error messages are generated:

STCAPP: Internal error: Unable to create codec list... exiting stcapp shutdown initiated... waiting for calls to clear. stcapp shutdown complete.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS interim Release 12.4(6.3) but may also affect Release 12.4T.

Workaround: There is no workaround.

CSCsc96983

Symptoms: The following error message is generated and a Gigabit Ethernet interface stops receiving traffic, causing traffic to be dropped:

%Y88E8K-3-ILP_MSG_TIMEOUT_ERROR: GigabitEthernet1/0: EtherSwitch Service Module RBCP ILP messages timeout

Conditions: This symptom is observed on a Cisco 2800 series, Cisco 3700 series, and Cisco 3800 series that are not configured with an inline power supply. Note that the symptom does not occur when the routers are configured with an inline power supply.

Workaround: There is no workaround. When the symptom has occurred, reload the router to re-enable the router to operate properly.

CSCsc98158

Symptoms: When you configure a router as both an EzVPN client and an EzVPN server and when you apply the crypto map to the interface of the router, the EzVPN client connection may fail to complete phase 1. Debugs on the concentrator show retransmissions of the phase-1 packet that is stuck in the "MM_NO_STATE" state. The headend rejects the retransmission because the headend cannot match on a phase 1 retransmission.

When the EzVPN client attempts to connect to the headend, the EzVPN client transmits only the configured ISAKMP proposals that are meant for the applied crypto map. Because these ISAKMP proposals do not include an "xauth" proposal, the headend rejects these ISAKMP proposals, and the EzVPN client stops transmitting the EzVPN ISAKMP proposals. However, when the crypto map is removed from the interface, the EzVPN client starts to retransmit the EzVPN ISAKMP proposals.

Conditions: This symptom is observed on a Cisco router that is configured as both an EzVPN client and an EzVPN server and that runs Cisco IOS Release 12.4 or Release 12.4T.

Workaround: There is no workaround.

CSCsd00206

Symptoms: Intercepted packets may be switched to a mediation device in the process path.

Conditions: This symptom is observed on a Cisco platform that is configured for CEF.

Workaround: Disable CEF switching in order to ensure that packets are switched in the fast path.

CSCsd01836

Symptoms: The router crashes when you configure a crypto map in sparse mode.

Conditions: This symptom is observed on a Cisco router that is configured for IPSec and multicast.

Workaround: There is no workaround.

CSCsd02602

Symptoms: All channels on a multichannel T3 port adapter may go down. The router may then reload unexpectedly due to a software forced crash. If not, all of the channels in the T3 may stay down until corrective action is taken.

The following messages may appear one or more times in the router or VIP log:

%CT3-3-MBOXSENDM: Failed to send msg MBOXP_MSG_T1_DISABLE to bay 1 firmware

On a Cisco 7200 router, the following messages may be seen in the log:

CT3SW WatchDog not cleared, WatchDog = 2
CT3SW WatchDog not cleared, WatchDog = 3

On a Cisco 7500 router, the following messages may be seen in the log:

%CT3 5/8: Illegal Love Letter, cmd 0
%CT3 5/9: Illegal Love Letter, cmd 0

Conditions: This symptom affects routers using two-port multichannel T3 port adapters, the PA-MC-2T3 and the PA-MC-2T3+. The symptom occurs when one or more of the T1s in either T3 sees framing errors. One-port multichannel T3 port adapters, the PA-MC-T3 and the PA-MC-T3+, are not affected.

Workaround: There is no workaround to prevent this problem. Possible corrective actions are listed below:

Possible Corrective Actions for the Cisco 7200 router:

1. Remove and reinsert the affected port adapter.

2. Simulate removal and reinsertion with these exec mode commands in sequence:

hw-module slot slot-number stop

hw-module slot slot-number start

3. Reload the router.

Possible Corrective Actions for the Cisco 7500 router:

1. Remove and reinsert the VIP with the affected port adapter.

2. Use the configuration mode command:

microcode reload

3. Reload the router.

CSCsd02954

Symptoms: Some CEF entries are missing from some VRFs, as shown in the output of the show ip cef inconsistency now command.

Conditions: This symptom is observed after an OIR or reload of a Cisco 12000 series GE ISE line card. However, the symptom is not specific to a Cisco 12000 series and may also occur on other platforms.

Workaround: There is no workaround. When the symptom has occurred, enter the clear ip cef epoch command to recover the CEF entries. If this does not recover the CEF entries, enter the clear ip route vrf command.

Further Problem Description: The symptom is observed for local "receive" entries, such as /32 entries for a VRF loopback interface. However, the symptom may also occur for other types of VRF FIB entries.

CSCsd04075

Symptoms: A Cisco IOS Voice Over IP Gateway terminating fax calls may have its voice ports lock up and not accept any new calls. The following messages may (but need not) be seen on the console or syslog (if applicable):

%HPI-3-CODEC_NOT_LOADED: channel:2/0/0 (171) DSP ID:0x1, command failed as codec not loaded 0

- Traceback= 615D2FA8 615C8528 617D5044 617D5258 61BBCD44 61BBD764 617BAE88 617BBD38 6138720C

Conditions: This symptom is observed on a Cisco 3600 series router but is not platform dependent.

Workaround: Disabling T.38 and using passthrough resolves the issue.

CSCsd04665

Symptoms: A blind transfer of an encrypted intercluster call to an encrypted H.323 gateway causes one-way audio.

Conditions: This symptom is observed in the following scenario that includes Cisco CallManager 5.0 platforms:

Encrypted SIP phone --> CCM1 --> H.323 ICT --> CCM2 --> Encrypted SCCP phone --> Encrypted H.323 gateway

When a user of the SIP phone calls the SCCP phone and when the user of the SCCP phone performs a blind transfer to the H.323 gateway, the resulting call has one-way audio. The audio exists in the SIP to H.323 direction, but does not exist in the H.323-to-SIP direction. This occurs for encrypted calls only.

During the blind transfer an open logical channel is sent to the H.323 gateway to establish the media stream from the SIP to H.323 gateway. Later, a close logical channel message followed by an open logical channel message is sent to the gateway to update the media encryption key. At this point, the H.323-to-SIP stream (in the opposite direction from the direction in which the close and open logical channel messages have been sent) is sent to the wrong IP address. It appears to change from being sent to the SIP phone to being sent to the IP address of the CCM1. The change of IP address may be triggered by the "H245Connect" message that follows the close and open logical channel messages.

Workaround: Disable encryption.

CSCsd07007

Symptoms: When a router is booted, the following error message and tracebacks are generated:

SYS-2-INTSCHED: sleep for level 3 -Process= Init

Conditions: This symptom is observed during initialization of the router with basic configurations after you have loaded the Cisco IOS software image.

Workaround: There is no workaround.

CSCsd07033

Symptoms: A router crashes and generates a traceback at the "p_dequeue" function.

Conditions: This symptom is observed on a Cisco router when you unconfigure the pvc range command.

Workaround: There is no workaround.

CSCsd07448

Symptoms: The output of the show access-list command shows that a time-based named extended ACL is not consistent between the RP and a line card.

Conditions: This symptom is observed when you configure a time range and named extended ACL and when you enter the ip cef distributed command.

Workaround: There is no workaround.

CSCsd07729

Symptoms: A router generates the following message:

%SSG-5-SSG_TAL_NR: SSG TAL : No response from AAA server. AAA server might be down or overloaded.

A few minutes later, a "%SYS-2-CHUNKBADMAGIC" error causes the router to reload unexpectedly.

Conditions: This symptom is observed on a Cisco router that is configured for SSG.

Possible Workaround: Enter the no memory lite command.

CSCsd08862

Symptoms: A router may crash because of a bus error when you enter the show interface command for a virtual-access interface or subinterface.

Conditions: This symptom is observed when you enter the show interface command while a session that is associated with the virtual-access interface or subinterface is being cleared.

Workaround: There is no workaround.

CSCsd09067

Symptoms: The output of the show policy-map interface command is not in the expected order: the estimated bandwidth information is placed at the top.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.4 or Release 12.4T.

Workaround: There is no workaround.

CSCsd10942

Symptoms: When three or more DN buttons are configured on a Cisco IP Phone Expansion Module 7914 that is attached to a Cisco 7900 series Unified IP phone, one or more DN buttons may get stuck in offhook condition.

Conditions: This symptom is observed when the DN buttons on the IP phone are randomly and repeatedly pressed.

Workaround: Reset the IP phone.

CSCsd10975

Symptoms: When the error message "duplicate channel names" is seen on the console, the router has to be rebooted to run Embedded Event Manager (EEM) policies again.

Conditions: This symptom occurs when multiple EEM policies were configured and triggered on a Cisco IOS router. It could lead to the duplicate channel names error.

Workaround: There is no workaround.

CSCsd11646

Symptoms: On a router that runs Multiprotocol Label Switching (MPLS), the "%SYS-3-OVERRUN:" and "%SYS-6-BLKINFO" error messages may be generated and a software-forced crash may occur on the router.

Conditions: This symptom is observed when you enter the show mpls ldp discovery command under the following conditions:

There are multiple LDP adjacencies configured through one interface.

The adjacencies between peers through this interface have not been fully established for some peers.

The unestablished LDP adjacencies are coming up while you enter the show mpls ldp discovery command.

Workaround: Do not enter the show mpls ldp discovery command while multiple LDP adjacencies are coming up. Rather, enter the show mpls ldp neighbor [detail] command while multiple LDP adjacencies are coming up.

CSCsd11678

Symptoms: When you enter the secure boot-config command followed by the secure boot-image command, and you complete formatting the disk, the output of the show secure bootset command does not display the active status.

Conditions: This symptom is observed on a Cisco router that has an ATA file system.

Workaround: There is no workaround.

CSCsd12941

Symptoms: The CPU usage may remain at 99 percent for a long time when NMS polls the ipRouteTable via the SNMP protocol.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.0(28)S or Release 12.0(31)S when there is a large number of routes in the routing table. The symptom may also occur in other releases.

Workaround: Exclude the ipRouteTable from the SNMP view.

CSCsd13227

Symptoms: When saving the current configuration to NVRAM, the following error message is displayed:

%Error opening nvram:/startup-config (Device or resource busy)

Conditions: This symptom is observed when the router runs Cisco IOS Release 12.4(7), Release 12.4(8)T, or later releases. Enter the show version command to detect the Cisco IOS release that is running on the router. This symptom occurs randomly and rarely.

This symptom may occur when caveat CSCin98933 is present in the Cisco IOS software image.

This symptom is observed on the following platforms: Cisco 2600 series, Cisco 2800 series, Cisco 3725, Cisco 3745, Cisco 3825, Cisco 3845, Cisco RPM, Cisco RPMXF cards, and the Cisco AS5400. The symptom does not occur on the Cisco 7200 series and Cisco 7500 series routers with an RSP.

Workaround: Follow these steps:

1. Create a backup copy of the current configuration on a storage device other than NVRAM.

2. Reload the router.

3. Erase the "entire" NVRAM by entering the erase /all nvram: command.

4. Restore the configuration by copying the backup configuration to NVRAM and by entering the copy startup-config running-config command.

CSCsd13419

Symptoms: A Cisco 3700 series that functions as an RSVP agent may generate a Cisco IOS crash file in flash memory.

Conditions: This symptom is observed in a topology that includes a Cisco CallManager that is configured for RSVP and two RSVP agents that function as transcoders, one of which is the affected Cisco 3700 series.

Workaround: There is no workaround.

CSCsd13920

Symptoms: CEF switching is broken for voice traffic on some interfaces, which breaks the transcoding feature. The caller then experiences no voice path.

Conditions: This symptom has been observed on some network modules and interfaces.

Workaround: Disable the ip cef command.

CSCsd14445

Symptoms: A router crashes when you unconfigure the resource pool of a customer profile.

Conditions: This symptom is observed on a Cisco AS5400 that runs Cisco IOS Release 12.4(5b) or Release 12.4(7) and could also occur in Release 12.4T. The symptom may be platform-independent.

Workaround: Do not unconfigure a customer profile when an active session on the platform uses the customer profile.

CSCsd15546

Symptoms: A Cisco router that is configured as a DHCP relay may not append option 82 (that is, the Relay Agent option), even when the router is configured to do so in the following way:

ip dhcp relay information option

no ip dhcp relay information check

ip dhcp relay information trust-all

Conditions: This symptom is observed when the DHCP message contains an invalid option according to RFC 2132; for example, option 12 with length 0.

Workaround: Ensure that the DHCP messages that are sent to the Cisco router that functions as a DHCP relay contain valid options. If you cannot ensure this, there is no workaround.
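The workaround for CSCsd15546 depends on knowing which client messages carry options that RFC 2132 does not allow. The following added example (not Cisco code and not part of the release notes) walks the options field of a captured DHCP message and reports length violations such as option 12 with length 0; the function names, the subset of options in the rule table and the sample packets are constructed for illustration.

```python
"""Check DHCP option lengths against RFC 2132 before a relay sees them."""
from typing import List, NamedTuple

OPTIONS_OFFSET = 236                      # fixed BOOTP header precedes the options
MAGIC_COOKIE = bytes([99, 130, 83, 99])   # 0x63825363
PAD, END = 0, 255

# code: (name, minimum length, maximum length or None, length must be a multiple of)
# Subset of RFC 2132; extend it for the options seen on your network.
LENGTH_RULES = {
    1: ("Subnet Mask", 4, 4, 1),
    3: ("Router", 4, None, 4),
    6: ("Domain Name Server", 4, None, 4),
    12: ("Host Name", 1, None, 1),
    15: ("Domain Name", 1, None, 1),
    50: ("Requested IP Address", 4, 4, 1),
    51: ("IP Address Lease Time", 4, 4, 1),
    53: ("DHCP Message Type", 1, 1, 1),
    54: ("Server Identifier", 4, 4, 1),
    55: ("Parameter Request List", 1, None, 1),
    61: ("Client Identifier", 2, None, 1),
}


class Finding(NamedTuple):
    offset: int   # byte offset of the option code in the packet
    code: int     # option code, or -1 when the options field itself is unusable
    reason: str


def validate_options(packet: bytes) -> List[Finding]:
    """Return one Finding per option that violates the rule table."""
    cookie = packet[OPTIONS_OFFSET:OPTIONS_OFFSET + 4]
    if cookie != MAGIC_COOKIE:
        return [Finding(OPTIONS_OFFSET, -1, "DHCP magic cookie missing")]
    findings: List[Finding] = []
    i = OPTIONS_OFFSET + 4
    while i < len(packet):
        code = packet[i]
        if code == PAD:                   # single-byte option, no length field
            i += 1
            continue
        if code == END:
            return findings
        if i + 1 >= len(packet):
            findings.append(Finding(i, code, "length byte missing"))
            return findings
        length = packet[i + 1]
        if i + 2 + length > len(packet):
            # The walk cannot continue safely once the framing is broken.
            findings.append(Finding(i, code, "option data runs past end of packet"))
            return findings
        rule = LENGTH_RULES.get(code)
        if rule is not None:
            name, low, high, multiple = rule
            if length < low or (high is not None and length > high) or length % multiple:
                findings.append(Finding(i, code, f"{name}: length {length} not allowed"))
        i += 2 + length
    findings.append(Finding(i, END, "End option (255) missing"))
    return findings


def build_packet(options: bytes) -> bytes:
    """Constructed BOOTREQUEST with an otherwise empty header, for the samples."""
    header = bytes([1, 1, 6, 0]) + bytes(OPTIONS_OFFSET - 4)
    return header + MAGIC_COOKIE + options


# Constructed samples: a DISCOVER with a valid host name, the same message with
# option 12 at length 0 (the case named in the caveat), and a truncated option.
VALID = build_packet(bytes([53, 1, 1, 12, 4]) + b"host" + bytes([55, 2, 1, 3, END]))
EMPTY_HOSTNAME = build_packet(bytes([53, 1, 1, 12, 0, 55, 2, 1, 3, END]))
TRUNCATED = build_packet(bytes([53, 1, 1, 12, 10]) + b"ab")

if __name__ == "__main__":
    for label, pkt in (("valid", VALID), ("empty host name", EMPTY_HOSTNAME),
                       ("truncated", TRUNCATED)):
        print(label, validate_options(pkt))
```

Run against a capture taken on the client-facing interface, the findings identify which clients need fixing before option 82 insertion can be relied on.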

CSCsd16977

Symptoms: A crash caused by a segmentation violation (SegV) can be observed on a Cisco 2651XM-V-CCME.

Conditions: This symptom is observed occasionally when a fax is being sent through the router. This problem has been seen with Cisco IOS Release 12.3(14)T and later versions through Cisco IOS Release 12.4(5).

Workaround: There is no workaround.

CSCsd17527

Symptoms: A Cisco platform that functions as a Cisco CallManager Express (CME) reloads unexpectedly when you create multiple pools.

Conditions: This symptom is observed on a Cisco 2800 series that functions as a CME. The symptom may be platform-independent.

Workaround: Do not create multiple pools.

CSCsd19980

Symptoms: A router that functions as a DHCP client may crash.

Conditions: This symptom is observed on a Cisco router when you change the DHCP service through the ip address dhcp command or when DHCP is configured more than once.

Possible Workaround: Before you make any changes, stop the DHCP service by entering the no ip address dhcp command followed by the ip address dhcp command.

CSCsd20429

Symptoms: A router may reload because of a bus error when you enable the SSG TCP Redirect feature.

Conditions: This symptom is observed when you enable the SSG TCP Redirect feature for unauthenticated user redirection and when there are users being redirected.

Workaround: There is no workaround.

CSCsd20733

Symptoms: FXO ports that are configured for DID and that are controlled by MGCP respond to an AUEP message with an "Endpt Unknown" message.

Conditions: This symptom is observed when a Cisco router is reloaded or a voice port is configured before a dial peer is configured.

Workaround: There is no workaround.

CSCsd24224

Symptoms: The standby RP reloads unexpectedly because of a synchronization failure.

Conditions: This symptom is observed when a Stateful Switchover (SSO) occurs and when the no exception crashinfo file device:filename command is present in the configuration.

Workaround: Enable the creation of a diagnostic file by entering the exception crashinfo file device:filename command.

CSCsd24311

Symptoms: SDF files are not loaded onto a router from a TFTP server.

Conditions: This symptom is observed with any NAT mode (static, dynamic, overload, or off) and with either fast switching, flow switching, or CEF switching configured.

Workaround: There is no workaround.

CSCsd25758

Symptoms: A router may crash when you run an SNMP query for the CiscoCBQosMIB.

Conditions: This symptom is observed on a Cisco router that has IP Header Compression (IPHC) in the Class-Based Weighted Fair Queueing (CBWFQ) configuration.

Workaround: There is no workaround.

CSCsd27683

Symptoms: An H.323 gateway may not initiate an H.245 TCP connection, and a call may be dropped unexpectedly.

Conditions: This symptom is observed on a Cisco platform that functions as an H.323 gateway and that runs Cisco IOS Release 12.4(7) when the terminating gateway or Cisco CallManager sends an Alert message with an H.245 address and a Progress Indicator (PI) of 1,2,8 in its response to a fast start setup message.

Workaround: Configure "progress_ind alert strip" on the outgoing dial peer.

Alternate Workaround: Enter the call start slow command under the voice service VoIP H.323 mode as shown below:

voice service voip

h323

call start slow

Further Problem Description: When an H.323 gateway initiates a fast start call to another gateway or Cisco CallManager, the terminating gateway or Cisco CallManager sends a slow start Alert message with an H.245 address and a PI of 1,2,8. The user of the phone that connects to the originating gateway expects a ringing tone from the terminating gateway, but does not hear a ringing tone, even though the phone that is connected to the terminating gateway does ring. When the phone that is connected to the terminating gateway is not picked up (and, therefore, no Connect message is sent), the call is dropped. The symptom does not occur when there is no PI in the Alert message.

CSCsd29308

Symptoms: The NAS port value is incorrect in RADIUS packets; that is, the access requests and accounting requests are incorrect.

Conditions: This symptom is observed on a Cisco platform that is configured for SSG and occurs for QinQ users over an IP connection.

Workaround: There is no workaround.

CSCsd29364

Symptoms: Service Selection Gateway (SSG) does not send attribute NAS-PORT [5] on the access request packet for a prepaid service reauthorization.

Conditions: This symptom occurs when SSG is configured and the user is a prepaid user.

Workaround: There is no workaround.

CSCsd30244

Symptoms: The router crashes on busyout of a CT3 card.

Conditions: This symptom has been observed only after the router is booted with no T1 configuration on the T3 controller.

Workaround: There is no workaround.

CSCsd30533

Symptoms: Duplicate IPsec flows may be created on the responder side during IPsec Quick Mode (QM) negotiation, leaving one flow with IPsec SAs and the other flow empty. This situation may cause multiple IPsec SAs to be created.

Conditions: This symptom is observed during the creation of IPsec SAs when the IPsec module fails to find the existing flow.

Workaround: There is no workaround.

CSCsd31198

Symptoms: Packets may exceed the PCR, causing large packets to be dropped by an ATM switch.

Conditions: This symptom is observed when a VBR-nrt PVC is configured on an NM-1A-OC3-POM network module with the PCR identical to the SCR and when the cell delay variation tolerance (CDVT) is violated at low traffic rates. The symptom may also occur when a CBR PVC is configured on an NM-1A-OC3-POM network module.

Workaround: Set the SCR to a slightly lower value than the PCR or do not configure a CBR PVC. Verify that the SCR and PCR settings are correct by entering the show controller atm slot/port command and ensuring that the SCR is a value other than 0, as in the following command output example:

Tx bytes (489890600), Tx packets (360325), PCR/SCR (10240/10230)

CSCsd33134

Symptoms: A router reloads unexpectedly when HTTP client sockets hang.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.3(11)T2, or a later release, including Release 12.4 and Release 12.4T, when VXML is used to play long audio prompts that are streaming from an HTTP server.

Workaround: Enter the ivr prompt streamed none command on the router.

CSCsd35474

Symptoms: A router may crash during the certificate upgrade process for a Cisco Unified IP Phone that is registered to a Cisco Unified Call Manager Express.

Conditions: This symptom is observed on a Cisco router, is platform-independent, and relates to the Public Key Infrastructure (PKI).

Workaround: There is no workaround.

CSCsd35555

Symptoms: The TDM crossconnect for a T1/E1 WIC does not function.

Conditions: This symptom is observed on a Cisco IAD 2400 series that is configured with a VIC2-2MFT-T1/E1 WIC.

Workaround: Install the WIC in the native T1/E1 slot.

CSCsd38247

Symptoms: A router that is configured with IP tunnels may crash and generate the following error message:

%ALIGN-1-FATAL: Illegal access to a low address

Conditions: This symptom is observed on a Cisco router when you enter the default keepalive 3 5 command on a tunnel interface.

Workaround: There is no workaround.

CSCsd38693

Symptoms: Renaming a file to a string that contains multiple trailing dots ("." characters) corrupts the file system on ATA, CF, and USB flash storage devices.

Conditions: This symptom is observed when you enter the following commands to rename the file:

rename disk0:file2 disk0:file3...

Workaround: Avoid renaming a file to a name that contains multiple trailing "." characters. When the symptom has occurred and the file system is no longer accessible, you must reformat the disk by entering the format disk0: command.

CSCsd39519

Symptoms: A Media Gateway Control Protocol (MGCP) gateway hangs when voice calls come in from either the IP or the PSTN side in which a leg of the call is on a BRI Voice Interface Card (VIC). The gateway stops responding and does not process any traffic. The only way to bring the router back is to power-cycle it.

Conditions: This symptom is observed for every call over a BRI VIC/WIC if the MGCP gateway runs Cisco IOS Release 12.4(4)T1 or later releases. The symptom may also occur in Release 12.4.

Workaround: There is no workaround. The symptom is not observed when the MGCP gateway runs Cisco IOS Release 12.4(4)T.

CSCsd40153

Symptoms: An ASBR has "No Label" as its outgoing label for a peer ASBR interface address.

Conditions: This symptom is observed when the following conditions occur:

An ISP network (ISP network A) has two ASBRs that peer with one ASBR in another ISP network (ISP network B).

IGP routing (OSPF or any other IGP) is configured between the ASBRs in ISP network A.

A BGP session between one ASBR in ISP network A and the ASBR in ISP network B flaps.

After about 5 minutes, all routes that are reachable via the ASBRs in ISP network A and the ASBR in ISP network B have "No Label" as their outgoing label.

Workaround: Enter the clear ip route network command.

CSCsd40334

Processing a specially crafted IPv6 Type 0 Routing header can crash a device running Cisco IOS software. This vulnerability does not affect the IPv6 Type 2 Routing header, which is used in Mobile IPv6. IPv6 is not enabled by default in Cisco IOS.

Cisco has made free software available to address this vulnerability for affected customers.

There are workarounds available to mitigate the effects of the vulnerability. The workaround depends on whether Mobile IPv6 is used and which version of Cisco IOS is currently in use.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070124-IOS-IPv6.shtml

CSCsd41070

Symptoms: Calls are dropped because of a backhaul link failure during a switchover of a Cisco PGW 2200 Softswitch.

Conditions: This symptom is observed on a redundant Cisco PGW 2200 Softswitch system that is connected to a Cisco AS5850 and that is configured for MGCP-controlled PRI backhaul. Calls drop after the switchover of the Cisco PGW 2200 Softswitch because there is a disconnect between the Layer 2 and the D channel.

Workaround: There is no workaround.

CSCsd43706

Symptoms: A Cisco router crashes while executing the show policy-map interface command.

Conditions: This symptom is observed when the service policy is configured with CBWFQ and with WRED based on prec and Explicit Congestion Notification (ECN).

Workaround: There is no workaround.

CSCsd44118

Symptoms: When running TCL/VXML applications that perform Media Play, the gateway (GW) leaks memory. If the GW continues to run, eventually it will run out of memory. When there is no memory left on the GW, the GW could crash.

Conditions: This symptom is observed when the Cisco IOS Media Play code does not release memory at the end of Media Play.

Workaround: There is no workaround. Contact Multiservices TAC (IOS) and request a patch.

CSCsd46323

Symptoms: The standby RP reboots when you perform an OIR of an active VIP that is installed in any slot of the router.

Conditions: This symptom is observed on a Cisco 7500 series that runs Cisco IOS interim Release 12.4(7.10) and that is configured for RPR, RPR+, or SSO. The symptom may also affect other releases.

Workaround: There is no workaround.

CSCsd46403

Symptoms: When a call enters an E1 R2 line on a Cisco platform and is sent via an H.323 link to an endpoint, the endpoint does connect the call but the Cisco platform does not send a "TX ANSWERED" message on the CAS leg, causing a dead air condition for the call.

Conditions: This symptom is observed on a Cisco AS5350, Cisco AS5350XM, Cisco AS5400, and Cisco AS5400XM that run a Cisco release later than Cisco IOS Release 12.3(11)T9. The symptom may also occur in other releases.

Workaround: There is no workaround.

CSCsd46569

Symptoms: It may take 10 seconds before a first call-waiting tone is played instead of being played immediately. If this situation occurs, the subsequent tones are played every 10 seconds.

Conditions: This symptom is observed on a Cisco router that functions as a CME and that runs Cisco IOS Release 12.4 or Release 12.4T. The symptom occurs with either firmware version 7.2(2) or version 7.2(4).

Workaround: There is no workaround.

CSCsd47734

Symptoms: A memory leak may occur when you run an EEM Tcl policy.

Conditions: This symptom is platform- and release-independent.

Workaround: There is no workaround.

CSCsd51429

Symptoms: A Cisco router that is running SNASw that has lost connectivity on an HPR-IP link shows the link state as active with the show snasw link command. The message "%SNASW-4-LDLC_CTRL_LOG_1: EXCEPTION - 81 - LDLC command frame retry limit exceeded" appears, but a message "%SNASW-3-EVENT: Link station XXXX deactivated" does not. The mainframe product correctly shows the link as inactive.

The link cannot be reactivated. Trying to stop the link with the snasw stop link command leaves the link in Pending Inactive state.

Conditions: This symptom occurs when there is an outage between the SNASw router and the mainframe, such as an IP failure, interface failure, or mainframe reload.

Workaround: There is no workaround. The SNASw subsystem must be restarted with the snasw stop command followed by the snasw start command to clear the condition.

Further Problem Description: This problem was caused by a bad code fix in CSCej78434.

CSCsd56683

Symptoms: When you leave a voice mail for an IP phone that is not registered, the MWI light does not come on when the IP phone reregisters.

Conditions: This symptom is observed on a Cisco device that is configured for Cisco Unified CallManager Express (CME).

Workaround: There is no workaround.

CSCsd58220

Symptoms: The callee's phone rings continuously even after the caller goes on-hook.

Conditions: When the caller goes on-hook, the gateway receives idle and does not recognize the idle. The call does not get disconnected and the callee keeps hearing the ringing tone continuously.

Workaround: The callee has to pick up the phone for the call to be dropped.

CSCsd58381

Processing a specially crafted IPv6 Type 0 Routing header can crash a device running Cisco IOS software. This vulnerability does not affect the IPv6 Type 2 Routing header, which is used in Mobile IPv6. IPv6 is not enabled by default in Cisco IOS.

Cisco has made free software available to address this vulnerability for affected customers.

There are workarounds available to mitigate the effects of the vulnerability. The workaround depends on whether Mobile IPv6 is used and which version of Cisco IOS is currently in use.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070124-IOS-IPv6.shtml
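For CSCsd40334 and CSCsd58381, a filtering or monitoring point in front of devices that have not yet been upgraded has to tell Type 0 from Type 2 Routing headers wherever they sit in the extension-header chain. The following is an added example, not Cisco code and not taken from the advisory: it walks the chain of a raw IPv6 packet and returns a verdict. The function names, verdict strings and sample packets are constructed, the samples are ordinary well-formed headers using documentation addresses, and dropping unparseable packets is an assumed policy.

```python
"""Find Routing headers in an IPv6 extension-header chain and classify the packet."""
import struct
from typing import List, Tuple

HOP_BY_HOP, ROUTING, FRAGMENT, AUTH, DEST_OPTS = 0, 43, 44, 51, 60
NO_NEXT_HEADER = 59
EXTENSION_HEADERS = (HOP_BY_HOP, ROUTING, FRAGMENT, AUTH, DEST_OPTS)


def routing_headers(packet: bytes) -> List[Tuple[int, int]]:
    """Return (routing_type, segments_left) for each Routing header in the chain.

    Raises ValueError when the packet is not IPv6 or a header is truncated.
    """
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header, offset = packet[6], 40
    found: List[Tuple[int, int]] = []
    while next_header in EXTENSION_HEADERS:
        if offset + 8 > len(packet):
            raise ValueError("extension header truncated")
        following, len_field = packet[offset], packet[offset + 1]
        if next_header == FRAGMENT:
            size = 8                              # Fragment header has a fixed size
            frag_offset = struct.unpack_from("!H", packet, offset + 2)[0] >> 3
            if frag_offset:
                # Non-first fragment: what follows is payload data, not headers.
                following = NO_NEXT_HEADER
        elif next_header == AUTH:
            size = (len_field + 2) * 4            # AH length is in 4-octet units
        else:
            size = (len_field + 1) * 8            # others: 8-octet units, first excluded
        if offset + size > len(packet):
            raise ValueError("extension header truncated")
        if next_header == ROUTING:
            found.append((packet[offset + 2], packet[offset + 3]))
        offset += size
        next_header = following
    return found


def verdict(packet: bytes) -> str:
    """Drop anything carrying a Type 0 Routing header; Type 2 (Mobile IPv6) passes."""
    try:
        headers = routing_headers(packet)
    except ValueError:
        return "drop-malformed"                   # assumed policy for unparseable input
    if any(routing_type == 0 for routing_type, _ in headers):
        return "drop-rh0"
    return "permit"


def ipv6(next_header: int, payload: bytes) -> bytes:
    """Constructed IPv6 packet between two 2001:db8::/32 documentation addresses."""
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    fixed = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64)
    return fixed + src + dst + payload


def routing(routing_type: int) -> bytes:
    """Constructed 24-byte Routing header carrying one address, segments left = 1."""
    address = bytes.fromhex("20010db8000000000000000000000003")
    return bytes([NO_NEXT_HEADER, 2, routing_type, 1]) + bytes(4) + address


# Hop-by-Hop header holding a single PadN option, followed by a Routing header.
PADDED_HBH = bytes([ROUTING, 0, 1, 4, 0, 0, 0, 0])

SAMPLES = {
    "plain": ipv6(NO_NEXT_HEADER, b""),
    "type 2": ipv6(ROUTING, routing(2)),
    "type 0": ipv6(ROUTING, routing(0)),
    "hop-by-hop then type 0": ipv6(HOP_BY_HOP, PADDED_HBH + routing(0)),
    "truncated": ipv6(ROUTING, routing(0)[:10]),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label:24s} {verdict(pkt)}")
```

Because headers after a non-first fragment cannot be seen, a filter built this way has to be paired with a decision on how fragmented IPv6 traffic is handled.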

CSCsd61780

Symptoms: A router crashes because of errors from checkheaps.

Conditions: This symptom is observed when hundreds of CLI commands are entered in virtual-template mode.

Workaround: There is no workaround.

CSCsd64304

Symptoms: A router crashes and generates a traceback when you attempt to import certificates.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS interim Release 12.4(7.15) but may also occur in Release 12.4T.

Workaround: There is no workaround.

CSCsd65549

Symptoms: SSH sessions are not established.

Condition: This symptom is observed when you attempt to make an SSH connection to a Cisco router that is configured for SSH version 1.

Workaround: There is no workaround.

CSCsd65602

Symptoms: The MGCP state may change to "Shutting Down" when you unconfigure MGCP after a COT-related call has been made.

Conditions: This symptom is observed on a Cisco router when you enter the no mgcp command.

Workaround: There is no workaround.

CSCsd67958

Symptoms: A router that functions as a Home Agent (HA) and that is configured for PIM may crash when a neighbor with a higher Layer 3 address attempts to become the Designated Router (DR).

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS interim Release 12.4(7.15) and that functions as an HA when the following conditions are present:

The Mobile IP HA feature creates and deletes mobile IP tunnels.

The interfaces on the HA and its neighbor are configured for sparse-dense mode PIM.

The symptom may also occur in other releases.

Workaround: If PIM must be configured on the tunnel interfaces, select high values for the tunnel interface numbers to prevent the Mobile IP HA feature from using the same numbers for the mobile IP tunnels.

Alternate Workaround: Configure PIM on the tunnel interfaces before the Mobile IP HA feature creates any mobile IP tunnels.

CSCsd72965

Symptoms: A ping between two WIC-2T WAN Interface Cards (WICs) that are connected back-to-back fails at 8 MHz in V.35 mode.

Conditions: This symptom is observed on a Cisco 2610XM and Cisco 2611XM that are connected back-to-back via WIC-2T WICs when the clock rate is configured to function at 8 MHz in V.35 mode.

Workaround: There is no workaround.

Further Problem Description: Even though the clock rate is configured to function at 8 MHz, both the Cisco 2610XM and the Cisco 2611XM generate a clock rate of 9.7 MHz.

CSCsd73749

Symptoms: Traffic that is processed by PVCs with a small bandwidth on an NM-1A-OC3-POM network module may encounter large latencies and may be dropped from the output queue.

Conditions: This symptom is observed on a Cisco router that is configured with an NM-1A-OC3-POM network module when the PVCs have a small bandwidth that is less than 10 Mbps.

Workaround: There is no workaround.

Further Problem Description: The fix for this caveat provides the following solution:

On ATM line cards, the SAR mechanism has a queue for each PVC. Two thresholds are associated with each PVC queue: the high watermark and low watermark. The high watermark defines the number of cells that the queue can hold.

The watermark values are used to apply a flow control mechanism between the host and the SAR on the NM-1A-OC3-POM network module. When cells start backing up in the SAR, the SAR sends a notification to the host as soon as the queue inside the SAR builds up to the high watermark. At this point, the VC is marked as throttled and packets start backing up in the Cisco IOS software hold queues. At the same time, the SAR is draining out the packets. When the SAR reaches the low watermark, another notification is sent to the host. The VC is marked as "Open" and traffic to the VC resumes. The problem is caused by the low values that are configured for the high and low watermarks on the SAR.

To configure watermark values that are suitable for your applications, use the queue-depth command, which is available in a Cisco IOS software image that integrates the fix for caveat CSCsd73749.

The command syntax and usage are explained below:

Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#int atm 1/0
Router(config-if)#pvc 1/1
Router(config-if-atm-vc)#queue-depth ?
<1-65535> queue depth high watermark, in cells

Router(config-if-atm-vc)#queue-depth 200 ?
<1-200> queue depth low watermark, in cells

Router(config-if-atm-vc)#queue-depth 200 100 ?
<cr>

Router(config-if-atm-vc)#queue-depth 200 100
Router(config-if-atm-vc)#end
Router#
%SYS-5-CONFIG_I: Configured from console by console

Note that the default values of watermarks are not changed in a Cisco IOS software image that integrates the fix for caveat CSCsd73749.

Guidelines for configuring the watermarks are as follows:

A high watermark translates into larger queue build-up inside the SAR, affecting the latency of LLQ-type traffic. A low watermark translates into the use of the traffic shaping mechanism within the SAR. If a low watermark is too low, the SAR may drain its queue entirely, causing a breakage of traffic shaping.

In general, if you need to change the watermark values, follow these guidelines:

For better latency, decrease the high watermark value.

For a higher number of cells in the queue or for better TCP performance, increase the high watermark value.

Do not configure the low watermark value to be equal to the high watermark value because this defeats the purpose of the flow control mechanism.

Even though the queue-depth command allows a high watermark value up to 65535, we do not recommend that you configure such a high watermark value. A high watermark value translates into queues within the SAR. How high the value of the high watermark can be is defined by the SAR memory. For example, with 1024 VCs, when the high watermark is configured above 400 cells, the SAR may run out of memory, causing packet drops to occur.

Detailed guidelines about high and low watermark values will be provided in a separate document. As a rough guideline, default values of high and low watermarks for PVCs with a bandwidth of less than 1 Mbps are 50 and 10. The symptom may occur with these values. However, when you multiply these values by a factor of 4 via the queue-depth command such that the new values are 200 and 40, the symptom no longer occurs.

CSCsd74000

Symptoms: A slot controller such as a slot controller of a VIP4-80 may reset because of a TLB (load or instruction fetch) exception.

Conditions: This symptom is observed on a Cisco 7500 series that runs Cisco IOS Release 12.3(17b) or Release 12.4, that has T1 or E1 port adapters installed in the slot that is controlled by the slot controller that resets, and that has NBAR configured.

Workaround: Remove the NBAR configuration.

CSCsd77724

Symptoms: A router that is configured as a Service Selection Gateway (SSG) and that has the TCP Redirect feature enabled may reload unexpectedly.

Conditions: This symptom is observed under a rare condition when there are multiple unauthenticated TCP Redirect mappings on an interface and when the SSG subblock of this interface goes down.

Workaround: There is no workaround.

CSCsd79558

Symptoms: When tunnel protection is configured on a tunnel interface, an IPSec session may fail to come up.

Conditions: This symptom is observed when the tunnel vrf vrf-name command is changed on the tunnel interface.

Workaround: There is no workaround to prevent the symptom from occurring. When the symptom has occurred, remove and re-add the tunnel interface.

CSCsd79879

Symptoms: Reverse Route injection for IPSec in an EzVPN server and EzVPN client may remove routes from existing connections.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.4 or a release up to and including interim Release 12.4(7.8) when the following conditions are present:

There are dynamic clients in a VRF environment.

The reverse-route remote-peer ip-address command is configured underneath a dynamic map.

The remote peer changes its IP address.

The combination of the above-mentioned conditions causes a situation in which the old SA remains from the previous IP address while there is also a new SA. When the old SA times out, the refcount decrements to zero, causing the RRI entry to be removed from the table of the EzVPN server. At this time, both the EzVPN server and the EzVPN client have IPSec SAs and could send traffic, but the EzVPN server cannot correctly route the traffic.

Workaround: Clear the IPSec SAs for the EzVPN server. When the EzVPN server reconnects, a new RRI entry is created.

Alternate Workaround: If this is an option, remove the reverse-route remote-peer ip-address command.

CSCsd98525

Symptoms: An SSH version 2 (SSHv2) session is terminated prematurely.

Conditions: This symptom is observed when large chunks of data are transferred in the SSHv2 session, for example, when the show tech command is entered and the command output is transferred in the SSHv2 session.

Workaround: Use SSH version 1.

CSCse01143

Symptoms: IPC does not function after an RPR+ switchover has occurred.

Conditions: This symptom is observed on a Cisco 7500 series that is configured for RPR+ and dLFIoLL.

Workaround: Reload the microcode onto the router.

CSCse01847

Symptoms: When agentless hosts are allowed network access, a loss of connectivity may occur during reauthentication.

Conditions: This symptom is observed when the host does not have a Cisco Trust Agent (CTA) configured.

Workaround: There is no workaround.

Further Problem Description: When an agentless host is authorized for network access, a dynamic access policy is applied for the host. This access policy is removed at the beginning of the reauthentication process, and re-applied at the end of reauthentication process. During the reauthentication process, no access policy is applied for the host. This situation may cause a disruption to network access.

CSCse17317

Symptoms: A Cisco router crashes during E1R2 testing with different country codes and codecs.

Conditions: This problem is seen while using E1R2 digital semi-compelled signaling only.

Workaround: There is no workaround.

CSCuk57037

Symptoms: A router may crash when a serial interface of a neighboring router is brought up.

Conditions: This symptom is observed on a Cisco router that runs a Cisco IOS software image that is earlier than Release 12.4(8) and that is configured for IP Multicast when some interfaces on the router are configured for PIM. The symptom occurs when the serial interface that is brought up on the neighboring router is configured for PIM and the connecting interface on the Cisco router is not configured for PIM.

Workaround: Depending on the desired operation for the link, either enable PIM at both ends or disable PIM at both ends.

TCP/IP Host-Mode Services

CSCee73956

Symptoms: The Generalized TTL Security Mechanism (GTSM), formerly known as BGP TTL Security Hack (BTSH), checks the time-to-live (TTL) value of the packets at the application level, which is not efficient. Also, GTSM does not stop the establishment of a TCP connection for a packet with an invalid TTL value.

Conditions: This symptom is observed on a Cisco platform that has the neighbor neighbor-address security ttl hops hop-count command configured in a BGP environment.

Workaround: There is no workaround.

CSCek12203

Symptoms: When you enter the copy ftp disk command, the copy operation may fail and cannot be terminated, further copy commands may fail, and a TCP vty session for the purpose of troubleshooting the situation may fail and cannot be terminated.

Conditions: These symptoms are observed on a Cisco platform when the FIN flag is set in the initial ESTAB message from a neighbor. You must reload the router to recover from the symptoms.

Workaround: Do not enter the copy ftp disk command. Rather, enter the copy tftp disk command.

Wide-Area Networking

CSCed51827

Symptoms: When you ping a router, the following error message is generated on the router:

%IPFAST-2-PAKSTICK: Corrupted pak header for Virtual-Access3, flags 0x80

Conditions: This symptom is observed when PPP Multilink (MLP) over L2TP is configured.

Workaround: There is no workaround.

CSCeh64479

Symptoms: A router reloads unexpectedly when an apparent Layer Two Forwarding (L2F) packet is received.

Conditions: This symptom is observed on a Cisco 10000 series that is configured for Virtual Private Dialup Network (VPDN). However, the symptom is not platform-specific.

Workaround: There is no workaround.

CSCej20215

Symptoms: Calls could not be placed once the router was upgraded from Cisco IOS Release 12.3(14)T to Cisco IOS Release 12.4(3).

Conditions: This symptom is observed with Cisco IOS Release 12.4(3) when calls are placed using the E1 EuroISDN link.

Workaround: Install Cisco IOS Release 12.3(14)T.

CSCek17486

Symptoms: When you attempt to place a call over an ISDN BRI interface that is not yet up, the router reloads with the following stack decode:

0x61a2a698:etext(0x610a5790)+0x984f08
0x603344dc:gt96k_mbrd_bri_set_bandwidth(0x603343dc)+0x100
0x6011e298:bri_isdn_set_bandwidth(0x6011e1f8)+0xa0
0x61a2a698:etext(0x610a5790)+0x984f08
0x6011e298:bri_isdn_set_bandwidth(0x6011e1f8)+0xa0
0x61a2a6b8:etext(0x610a5790)+0x984f28
0x6042da28:host_connect(0x6042d500)+0x528
0x61a2a728:etext(0x610a5790)+0x984f98
0x6043bf7c:process_rxstate(0x6043b9a8)+0x5d4
0x61a2a790:etext(0x610a5790)+0x985000
0x60426500:Host_Start(0x604264f0)+0x10

Conditions: This symptom is observed on a Cisco router that runs a Cisco IOS software image that integrates the fix for caveat CSCsc67930. A list of the affected releases can be found at http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsc67930. Cisco IOS software releases that are not listed in the "First Fixed-in Version" field at this location are not affected.

Workaround: There is no workaround.

CSCek25684

Symptoms: When you remove a map group from an interface, the router may reload.

Conditions: This symptom is observed while Frame Relay SVC is coming up.

Workaround: Shut down the interface before you remove the map group from the configuration.

CSCek28575

Symptoms: A router reloads at the "process_modem_command" function during a test that involves asynchronous media.

Conditions: This symptom is observed on a Cisco AS5400 but is not platform-dependent.

Workaround: There is no workaround.

CSCek31660

Symptoms: For VPDN sessions that are established with a LAC, the RADIUS progress code in the Stop record may be different from the RADIUS progress code in the Start record.

Conditions: This symptom is observed on a Cisco platform such as a Cisco AS5400 that runs Cisco IOS Release 12.4(3a) but may also affect Release 12.4T.

Workaround: There is no workaround.

CSCsb64662

This caveat consists of two symptoms, two conditions, and two workarounds:

1. Symptom 1: Multicast packets that traverse a Frame Relay virtual circuit (VC) bundle are dropped.

Condition 1: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.0S.

Workaround 1: There is no workaround.

2. Symptom 2: Multicast packets that traverse a Frame Relay virtual circuit (VC) bundle are process-switched.

Condition 2: This symptom is observed with Cisco IOS Release 12.3.

Workaround 2: There is no workaround.

CSCsc89546

Symptoms: An L2TP tunnel comes up on a shutdown loopback interface.

Conditions: This symptom is observed when an L2TP tunnel is initiated on a shutdown loopback interface.

Workaround: There is no workaround.

CSCsc93002

Symptoms: When transparent bridging of IP over Frame Relay is configured, MAC entries are not seen in the ARP cache.

Conditions: The symptom has been observed when sending ping packets through the transparent bridge over Frame Relay between the end systems.

Workaround: There is no workaround.

CSCsc95588

Symptoms: A Cisco router reloads when you enter the show log, show interface, or show caller command.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.3(5b) but may occur in any Cisco IOS 12.3 release and in other releases as well. The symptom may occur when PPP sessions go down while the output of a show command is suspended.

Workaround: There is no workaround.

CSCsd01816

Symptoms: Multilink interfaces do not recover after a T1 link in a bundle flaps.

Conditions: This symptom is observed when two Cisco routers are connected back-to-back via two channelized OC-3 connections with 168 T1 links and when the multilink bundles are created with two T1 links each.

Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the affected multilink interfaces.

CSCsd06510

Symptoms: Unexpected drops may occur in the Multilink Frame Relay (MFR) output hold queue. The drops persist under a very low (25 pps) transmit rate.

The MFR output hold queue may become congested, causing all traffic to fail.

After you have disabled the traffic source or shut down the ingress interface, the MFR output hold queue may take as long as 15 minutes to "drain."

Conditions: These symptoms are observed on a Cisco router when you run multicast traffic over GRE tunnel interfaces that in turn use an MFR interface for transport.

Workaround: Disable multicast fast-switching.

CSCsd11874

Symptoms: When you enter the shutdown interface configuration command followed by the no shutdown interface configuration command on an MFR interface when the bundle links are down, the serial interfaces that are associated with the MFR interface remain in the IDLE state.

Conditions: This symptom is observed on a Cisco router that is configured for MFR.

Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on each serial interface that is associated with the MFR interface.

CSCsd28564

Symptoms: When adding or removing PPP over Frame Relay (PPPoFR) configuration on a Cisco 7500 series router, the following error message is displayed:

%RSP-3-RESTART: cbus complex

Conditions: This symptom occurs on a Cisco 7500 series router when PPPoFR configuration is added or removed.

Workaround: There is no workaround.

CSCsd42088

Symptoms: A router may become unresponsive and crash during bootup, and %SYS-3-CPUHOG error messages may be generated for the Frame Relay ARP process.

Conditions: This symptom is observed on a Cisco router that has the ip address dynamic command enabled on a Frame Relay subinterface that is connected to a peer that also has the ip address dynamic command enabled.

Workaround: Because the configuration that is described in the Conditions is an invalid configuration, ensure that the peer has a valid IP address when the ip address dynamic command is enabled on the router.

CSCsd47777

Symptoms: Any PPP session that runs on a subinterface may crash.

Conditions: This symptom is observed with PPPoA, PPPoE, or VPDN sessions on a subinterface.

Workaround: Enter the no virtual-template subinterface command globally.

CSCsd51082

Symptoms: An ISDN Layer 2 may not become active after a failure.

Conditions: This symptom is observed when ISDN backhaul is configured.

Workaround: There is no workaround.

CSCsd74130

Symptoms: When an HSSIRSET, SERRSET, or FDDIRSET error message is generated or when the output becomes stuck, a VIP does not come up during its first recovery attempt.

Conditions: This symptom is observed on a Cisco platform that is configured with a VIP when a CCB timeout occurs during an IDB reset or when the output becomes stuck.

Workaround: There is no workaround.

CSCsd79611

Symptoms: L2TP sessions are not established when multihop is configured.

Conditions: This symptom is observed when SGBP is configured in a multihop environment. The L2TP sessions fail to be established because the source IP address is marked as down.

Workaround: There is no workaround.

Resolved Caveats—Cisco IOS Release 12.4(7h)

Cisco IOS Release 12.4(7h) is a rebuild release for Cisco IOS Release 12.4(7). The caveats in this section are resolved in Cisco IOS Release 12.4(7h) but may be open in previous Cisco IOS releases.