Cross-Platform Release Notes for Cisco IOS Release 15.3S
Release 15.3(3)S Caveats

Table of Contents

Caveats for Cisco IOS Release 15.3(3)S

Resolved Caveats—Cisco IOS Release 15.3(3)S3

Resolved Caveats—Cisco IOS Release 15.3(3)S2

Resolved Caveats—Cisco IOS Release 15.3(3)S1

Resolved Caveats—Cisco IOS Release 15.3(3)S

Caveats for Cisco IOS Release 15.3(3)S

Caveats describe unexpected behavior in Cisco IOS software releases. Severity 1 caveats are the most serious caveats; severity 2 caveats are less serious. Severity 3 caveats are moderate caveats, and only select severity 3 caveats are included in this section.

In this section, the following information is provided for each caveat:

  • Symptoms—A description of what is observed when the caveat occurs.
  • Conditions—The conditions under which the caveat has been known to occur.
  • Workaround—Solutions, if available, to counteract the caveat.

Note If you have an account on Cisco.com, you can also use the Bug Toolkit to find select caveats of any severity. To reach the Bug Toolkit, log in to Cisco.com and go to http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl. (If the defect that you have requested cannot be displayed, this may be due to one or more of the following reasons: the defect number does not exist, the defect does not have a customer-visible description yet, or the defect has been marked Cisco Confidential.)


This section consists of the following subsections:

Resolved Caveats—Cisco IOS Release 15.3(3)S3

The caveats in this section are resolved in Cisco IOS Release 15.3(3)S3 but may be open in previous Cisco IOS releases.

  • CSCee32792

Symptom: A Cisco router reloads at “snmp_free_variable_element” while using SNMPv3 commands.

Conditions: This symptom occurs while using SNMPv3 commands.

Workaround: There is no workaround.

  • CSCte77398

Symptom: A Cisco ATM router configured with ATM PVC Range commands reports the following error when attempting to configure a PVC Range:

Unable to configure PVC Range. Possibly multiple users configuring IOS simultaneously.
 

Conditions: This problem occurs randomly and even if there are no multiple sessions accessing the pvc-range at the same time.

Workaround: There is no workaround.

  • CSCtf31377

Symptom: IOS crashes due to processor pool memory corruption.

Conditions: This symptom occurs due to processor pool memory corruption. IOS generates one or more CLUE memory error messages similar to the following messages:

%CLUE-DFC3-3-SOR_CORRUPT: CLUE record corruption in start of record field, record id 3341, record starting address 0x5FFFFF90
 

This issue could also be seen on LAN cards of a Cisco 7600 router.

Workaround: There is no workaround.

  • CSCtq21722

Symptom: A Cisco switch may reload when configured for SNMP.

Conditions: This symptom is observed when SNMP inform hosts are configured.

Workaround: Remove the SNMP host configurations for SNMP informs.

Example: no snmp-server host x.x.x.x informs version 2c <removed>
 
  • CSCtx82890

Symptom: After removing the encapsulation on MFR member interface, tracebacks are observed.

Conditions: This symptom is observed when serial interface is configured with FR MLP configuration.

Workaround: There is no workaround.

  • CSCtz45833

Symptom: A Cisco router crashes with the following message:

Router crash: UNIX-EXT-SIGNAL: Segmentation fault(11), Process = MPLS TE LM
 

Conditions: This symptom occurs when a router acts as the mid point for MPLS-TE tunnels and performs an ERO expansion. In case the ERO expansion fails (due to IGP race conditions or inter-AS scenario) and backup tunnels are in use (for MPLS-TE FRR feature), the router may crash.

Workaround: Configure the head-ends to perform a full ERO computation to avoid mid points performing any ERO expansion. This can be done using the dynamic path option or by using the explicit path that specifies strict hops for each node along the desired LSP path (using "loose" hops or partial strict hops can lead to this issue).

  • CSCuc21859

Symptom: Memory leak is seen at ssf_owner_get_feature_sb.

Conditions: This symptom occurs when the discriminator configuration is with logging, as given in the below examples:

logging discriminator <NAME>
logging host x.x.x.x discriminator DEBUG
logging discriminator SysLog mnemonics drops NAME
 

Workaround: Remove the discriminator configuration from the logging configuration.

  • CSCuc60868

Symptom: A router randomly crashes either due to memory corruption at bgp_timer_wheel or memory chunks near bgp_timer_wheel (for example, BFD event chunks if BFD is configured or AtoM Manager chunks if LDP is configured). A crash occurs right after an LDP neighbor is up in the L2VPN setup.

Conditions: This symptom occurs when vpls bgp signaling is unconfigured and then reconfigured. Both L2VPN and BGP are unconfigured and reconfigured after all L2VPN and BGP data structures are fully deleted (about 3 minutes for 5 BGP VPLS prefixes). For the repro on file, OSPF (for IGP) is also unconfigured and reconfigured. Both LDP and BGP signalling are affected by this caveat.

Workaround: Avoid unconfiguring and reconfiguring BGP L2VPN.

  • CSCue27980

Symptom: A CPP crash triggered by NBAR may occur on Cisco ASR 1000 Series routers, Cisco 4000 Series ISR routers, and Cisco CSR 1000V routers.

Conditions: This symptom may occur under rare conditions of traffic mixture and rate when NBAR and NAT are both enabled.

Workaround: There is no workaround.

  • CSCue99098

Symptom: The standby ICS file system cannot be accessed while Domain-0 is in RPR mode.

Conditions: This symptom occurs when Domain-0 is in RPR mode.

Workaround: There is no workaround.

  • CSCug11351

Symptom: ISIS sessions flap on peer nodes when a switchover is performed on one of the nodes. This issue happens in the presence of ESM20G cards irrespective of whether the ISIS sessions flow through the card or not.

Conditions: The symptom occurs due to the presence of ESM20G cards in the setup.

Workaround: As this issue is only seen in the presence of ESM20G, move the configurations to another LC like ES+.

  • CSCug45421

Symptom: The standby RP crashes.

Conditions: Memory corruption occurs in certain cases when the following commands are executed in quick succession. It leads to a crash later when the memory is accessed. The issue is seen only with on-demand PVCs and when the commands are copied and pasted or executed using a script or tool.

configure terminal
interface ATM0/0/0.2 multipoint
range pvc 11/41 11/51
create on-demand
/* Prob commands begin */
pvc-in-range 11/45
exit
no pvc-in-range 11/45
/* Prob commands end */
end
 

Workaround: Do not execute the commands in quick succession.

  • CSCuh05259

Symptom: Prompt is provided for configure replace command when file prompt quiet is configured.

Conditions: This symptom is observed when file prompt quiet has been configured.

Workaround: Use “force” along with the configure replace command.

  • CSCuh09324

Symptom: UDP based entries are not deleted from the flowmgr table resulting in crash, or poor system response, with CPU hog messages being shown.

Conditions: This symptom is observed in the following platforms:

Affected Platforms - images

ct5760-ipservicesk9.bin

cat3k_caa-universalk9.bin

cat4500e-universalk9.bin

The device is configured with UDP services that originate from the device. This includes, but is not limited to, the following features:

TFTP

Energy Wise

DNS

Cisco TrustSec

Workaround: If you suspect that you are affected by this bug, please do the following, for confirmation:

Router#config terminal
service internal
end
Router#show flowmgr
 

The output of this command will show many entries held with the same port numbers. A workaround is to disable the feature whose flows are being held until an upgrade can be performed.

A reload is required to clear the held flows.

PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.4/4.5: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C

CVE ID CVE-2013-6704 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-6704

Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

  • CSCuh45042

Symptom: Traffic on some GIG subinterfaces is seen to be dropped at the SPA. The SPA TCAM is seen to have two entries sharing the same logical address, as a result of which one entry overwrites the other.

Conditions: This symptom was observed after a router/LC/SPA reload. The exact condition that triggers this symptom is not known.

Workaround: There is no workaround.

  • CSCuh51367

Symptom: An alignment traceback is seen in the L4F code.

Conditions: This symptom occurs when traffic from HTTP/HTTPS goes through Scansafe+l4f.

Workaround: There is no workaround.

  • CSCuh72000

Symptom: The TOS of one kind of PIM signaling packet is set to 6. When the packet is encapsulated into MPLS, the TOS value is copied to the EXP value. The packet will then be encapsulated into GRE/IP again, but the EXP value is not copied. PI just leaves the TOS in the IP/GRE header 0.

Conditions: This symptom is not observed under any specific conditions.

Workaround: There is no workaround.

  • CSCui23099

Symptom: A Cisco router with an etherswitch module installed may have the internal interface from the router to the switch become wedged. This will cause any traffic which needs to be process switched to not work. In addition further traffic will throttle the interface.

This example is from a router in the lab. It is a 2811 with a NME-16ES-1G-P installed. This adds a new interface on the router which allows traffic from the etherswitch to the router. When specific traffic is sent, the interface becomes wedged. The telltale sign of the interface being wedged is having the input queue report more traffic than the size of the queue itself. For example:

GigabitEthernet1/0 is up, line protocol is up
  Input queue: 76/75/585/0 (size/max/drops/flushes); Total output drops: 0
     0 runts, 0 giants, 585 throttles
 

Conditions: The exact conditions which cause this are unknown, but this has been seen with Wake On LAN (WOL) traffic being sent from a device connected to the etherswitch.

Workaround: Currently there is no workaround other than to block the traffic.
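The telltale sign described for CSCui23099 can be checked mechanically across saved "show interfaces" output. The following is an added example, not part of Cisco's release notes; the function names are this example's own, and the sample text is constructed around the single line quoted above.

```python
import re

# Interface header, e.g. "GigabitEthernet1/0 is up, line protocol is up".
# Not anchored to line start so that flattened captures still parse.
HEADER_RE = re.compile(
    r"(?P<name>\S+) is (?:administratively )?\w+, line protocol is")
# "Input queue: size/max/drops/flushes"
QUEUE_RE = re.compile(
    r"Input queue:\s*(\d+)/(\d+)/(\d+)/(\d+)\s*\(size/max/drops/flushes\)")
THROTTLE_RE = re.compile(r"(\d+)\s+throttles")


def split_interfaces(text):
    """Yield (interface name, text belonging to that interface)."""
    headers = list(HEADER_RE.finditer(text))
    for i, header in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        yield header.group("name"), text[header.start():end]


def find_wedged(text):
    """Return one finding per interface whose input queue depth exceeds
    the configured maximum, the sign of a wedged input queue."""
    findings = []
    for name, block in split_interfaces(text):
        queue = QUEUE_RE.search(block)
        if queue is None:
            continue  # no input queue line captured for this interface
        size, maximum, drops, _flushes = (int(v) for v in queue.groups())
        if size > maximum:
            throttles = THROTTLE_RE.search(block)
            findings.append({
                "interface": name,
                "size": size,
                "max": maximum,
                "drops": drops,
                "throttles": int(throttles.group(1)) if throttles else None,
            })
    return findings


# Constructed sample: the first interface is healthy (made up for contrast),
# the second carries the values quoted in the caveat.
SAMPLE = """\
GigabitEthernet0/0 is up, line protocol is up
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
     0 runts, 0 giants, 0 throttles
GigabitEthernet1/0 is up, line protocol is up
  Input queue: 76/75/585/0 (size/max/drops/flushes); Total output drops: 0
     0 runts, 0 giants, 585 throttles
"""

if __name__ == "__main__":
    for finding in find_wedged(SAMPLE):
        print("wedged input queue:", finding)
```
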

  • CSCui29745

Symptom: Member links under MLPPP go down as the LCP negotiation of those PPP links fails.

Conditions: This symptom occurs after the router reloads and the traffic is flowing through the multilink.

Workaround: Reload SPA/LC on the other end of the link.

  • CSCui34165

Symptom: Port-channel QoS features might fail to work after a router reload, followed by QoS configuration modification.

Conditions: This symptom occurs when a vlan load-balanced port-channel is used with policy aggregation configuration where the QoS policy is configured on member links and the port-channel sub-interface, and after a system reload (configuration is from startup config).

Workaround: Reload the router without port-channel QoS configuration, and add port-channel QoS configuration to the running configuration after the router boots up.

  • CSCui37509

Symptom: Sub classification for HTTP content-encoding does not work if FNF with export per transaction configurations is added and removed and FNF with export per flow is added.

Conditions: This symptom occurs with HTTP content-encoding with FNF transaction and connection ID configurations.

Workaround: Add HTTP content-encoding with FNF connection ID configurations.

  • CSCui59004

Symptom: IOSd crashes while removing NTP server from the configuration.

Conditions: This may occur rarely, when removing “ntp server <hostname>” from the configuration. NTP servers configured with IP addresses will not cause the same.

Workaround: Time the “no ntp” configuration so that it does not overlap with the 60-second DNS resolution timer.

  • CSCui59927

Symptom: A memory leak is observed on a Cisco device due to IPSec which causes free memory to deplete to an extent where the device becomes unreachable.

Conditions: This symptom occurs when IPSec scaling is high.

Workaround: Reduce scaling of IPSec sessions.

  • CSCui64807

Symptom: An active RP crashes during FIB sync because of memory overrun when the standby sup becomes unavailable.

Conditions: This symptom occurs when redundant RPs are configured in SSO mode and the standby RP becomes unavailable (for instance, because of a crash or physical removal). The issue occurs only on Cisco 7600 RSP 720, Cisco 7600 Series Supervisor Engine 720, and Cisco 7600 platforms where the tableid “ISSU FOF LC” support is enabled. As of 03/17/2014, the tableid “ISSU FOF LC” feature is only supported on SY releases. This issue does not impact Cisco ASR 1000 Series platforms.

Workaround: There is no workaround.

  • CSCui79766

Symptom: Upgrading hardware platform from Cisco 2811 Integrated Services Router to Cisco 2911 Integrated Services Router introduces periodic, intermittent delay in the delivery of STUN packets to OEM (Motorola) equipment.

Conditions: This symptom occurs while upgrading hardware platform from Cisco 2811 Integrated Services Router to Cisco 2911 Integrated Services Router.

Workaround: There is no workaround.

  • CSCui83823

Symptom: When the customer executes “show tech” or any show command that gives a long output using putty, the SSH2 putty session closes prematurely.

Conditions: This symptom is observed when “term length 0” is enabled. The putty session closes prematurely while executing “show tech show memory”.

Workaround: Redirect the output to a file.

  • CSCuj04178

Symptom: A crash occurs at vpdn_apply_vpdn_template_pptp.

Conditions: The conditions for this symptom are unknown.

Workaround: There is no workaround.

  • CSCuj09814

Symptom: A crash occurs while trying to reproduce the following situation:

New NAT translations may not be created if there are bindings already created by old translations.

Conditions: This symptom occurs when a NAT translation is unconfigured and reconfigured with a new address.

Workaround: There is no workaround.

  • CSCuj17818

Symptom: PPPoE is configured on radio interfaces. When a shut and no shut are issued on remote interface Router2, nine packets get stuck in the Router1 input queue.

Conditions: This problem is seen in Router1 when shut is issued on the Router2 interface to disconnect the PPPoE session between Router1 and Router2. In this case, the Radio Emulator sends the PADQ packets to Router1, which get stuck in the input queue.

Workaround: Reload the box to clear the input queue.

  • CSCuj49513

Symptom: License modify priority and license purge do not work on RSP2 and RSP1.

Conditions: This symptom occurs under the following conditions:

1. Get evaluation and permanent licenses for any license.

2. Issue license modify priority in order to change the priority. An error message is seen.

Workaround: There is no workaround.

  • CSCuj60533

Symptom: Repeated CPUHOG messages may be seen along with a crash when “reload” is issued just after a bootup.

Conditions: This symptom occurs when the line cards are still booting up and are in other states.

Workaround: Issue “reload” after the line cards have booted.

  • CSCuj64691

Symptom: When configuring redistribute connected under eigrp, a host route/32 on SVI is installed unexpectedly.

Conditions: This symptom is observed under the following conditions:

Configure a prefix to be in routing table with EIGRP as owner.

Redistribute connected interface to eigrp so that the local entry is same as the prefix.

Workaround: Disable STP for the VLAN of SVI (in this particular case).

  • CSCuj77998

Symptom: All packets that need to be encrypted may be dropped.

Conditions: This symptom occurs when traffic is flowing on an IPSec tunnel for a long duration without any rekey and the crypto sequence number overflows. It is observed only on Cisco ASR 1000 Series ESP 200.

Workaround: Have a shorter rekey interval.

  • CSCuj87667

Symptom: When value “xxx” of MPLS exp bits was copied to outer IP/GRE header TOS, the new TOS value should be “xxx00000” but now it’s “00000xxx”, so that the QoS information was broken.

Conditions: This symptom is observed in MPLS over GRE case.

Workaround: There is no workaround.

  • CSCul05056

Symptom: A Cisco router may crash when configuring NBAR or any other feature which enables NBAR internally. In the crash log file, the crash will be shown as a STACKLOW condition. Examples of this are:

%SYS-6-STACKLOW: Stack for process Config Probe running low, 0/12000
%SYS-6-STACKLOW: Stack for process SSH Process running low, 0/12000
%SYS-6-STACKLOW: Stack for process InitializeNbarAPI running low, 0/12000
 

Conditions: This crash is triggered by enabling NBAR directly or indirectly through another feature. Two such examples are configuring NAT on an interface or configuring NBAR on an interface. For example:

(config)#interface gigabitethernet0/1
(config-if)#ip nbar protocol-discovery

(config)#interface gigabitethernet0/1
(config-if)#ip nat inside
 

The router may not crash, depending on how the configuration is done. For example, configuring the feature over the console will not cause a crash. Configuring the feature over SSH, through FTP, Smart Install, and so on, however, will cause the crash.

Workaround: A possible workaround may be to configure the feature over the console or through telnet.

  • CSCul13619

Symptom: When an incoming ESP packet has as its final destination a local interface on the GM itself (including loopback), the packet is recirculated after decryption, causing it to be dropped. If the decrypted packet is only a transit one, for example, it is for a host on a connected LAN, all works as expected.

Conditions: This issue occurs due to getvpn, ipv6 and use of ingress ipv6 access lists.

Workaround: There is no workaround.

  • CSCul18552

Symptom: After a switchover, QoS policy map in standby is not synced as in the case of active.

Conditions: This symptom occurs after a switchover.

Workaround: There is no workaround.

  • CSCul24025

Symptom: A Cisco ASR 1000 Series router crashes at “__be_slaComponentProcessEvent” when ip sla udp-jitter is unconfigured.

Conditions: This symptom occurs when 1000+ IP SLA udp-jitter operations are configured and then all are unconfigured immediately.

Workaround: There is no workaround.

  • CSCul24682

Symptom: L2TP LNS puts a non-negotiated magic number to LCP packets. The PPPoE client may terminate the session prematurely due to the unknown magic number.

Conditions: This symptom occurs when L2TP LAC does not negotiate the magic number with the PPPoE client and L2TP LNS does not renegotiate options with the PPPoE client.

Workaround: Configure lcp renegotiation always on L2TP LNS.

  • CSCul27924

Symptom: Customer experiences a crash on a Cisco ASR 1001 router during normal operation.

Conditions: This symptom is not observed under any specific conditions.

Workaround: There is no workaround.

  • CSCul29918

Symptom: A vulnerability in IPSec tunnel implementation of Cisco IOS Software could allow an unauthenticated, remote attacker to change the tunnel MTU or path MTU and potentially cause IPSec tunnel to drop.

The vulnerability is due to incorrect processing of certain ICMP packets. An attacker could exploit this vulnerability by sending specific ICMP packets to an affected device in order to change the configured MTU value of the tunnel interface. An exploit could allow the attacker to change the tunnel MTU or path MTU and potentially cause the IPSec tunnel to drop.

Conditions: A device configured for IPSec VTI and with path-mtu-discovery disabled.

Workaround: Issue is caused by ICMP unreachables. Blocking ICMP is a workaround.

PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/4.1: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:F/RL:U/RC:C

CVE ID CVE-2013-6694 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-6694

Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

  • CSCul32547

Symptom: During NTT EFT customers performed COA with parent session id as key and when it was attempted the Cisco ASR 1000 router reloads with the following trace code:

% 0x7fba0ee : __be___doprnt
% 0x83e8bd4 : __be_vsnprintf
% 0x83e8b7a : __be_snprintf
% 0x3429013 : __be_encode_cisco_vsa
% 0x3428909 : __be_encode_rad_vsa
% 0x342b79c : __be_attrib_op_encode
% 0x34451d4 : __be_build_radius_packet_from_list
% 0x3444b3b : __be_build_radius_packet
% 0x34432fd : __be_send_radius_pkt
% 0x6d629d : __be_process_response_req
% 0x6da280 : __be_process_aaa_request
% 0x6d48e6 : __be_aaa_acct_proc
 

Conditions: This symptom occurs due to continuous printing.

Workaround: There is no workaround.

  • CSCul39964

Symptom: Sessions do not get cleared. They get stuck in WT_ST state.

Conditions: This symptom occurs when sessions are closed in bulk mode by shutting any trunk link or during a clear all session from DUT.

Workaround: There is no workaround.

More Info: The memory leak issue and WT_ST are related. Along with memory leak, sessions are not cleared on the active RP as they get stuck in WT_ST state.

asr1k-1#sh clock
07:18:07.045 CET Thu Nov 14 2013
asr1k-1#su
PTA : Locally terminated sessions
FWDED: Forwarded sessions
TRANS: All other sessions (in transient state)
TOTAL PTA FWDED TRANS
TOTAL 14465 0 6557 7908
GigabitEthernet0/0/0 3024 0 0 3024
GigabitEthernet0/0/1 2587 0 0 2587
GigabitEthernet0/1/0 2297 0 0 2297
GigabitEthernet0/1/1 6557 0 6557 0
asr1k-1#
asr1k-1#
asr1k-1#
asr1k-1#sh clock
07:20:08.295 CET Thu Nov 14 2013
asr1k-1#su
PTA : Locally terminated sessions
FWDED: Forwarded sessions
TRANS: All other sessions (in transient state)
TOTAL PTA FWDED TRANS
TOTAL 14465 0 6557 7908
GigabitEthernet0/0/0 3024 0 0 3024
GigabitEthernet0/0/1 2587 0 0 2587
GigabitEthernet0/1/0 2297 0 0 2297
GigabitEthernet0/1/1 6557 0 6557 0
asr1k-1#
asr1k-1#
asr1k-1#sh clock
07:46:34.113 CET Thu Nov 14 2013
asr1k-1#su
PTA : Locally terminated sessions
FWDED: Forwarded sessions
TRANS: All other sessions (in transient state)
TOTAL PTA FWDED TRANS
TOTAL 14465 0 6557 7908
GigabitEthernet0/0/0 3024 0 0 3024
GigabitEthernet0/0/1 2587 0 0 2587
GigabitEthernet0/1/0 2297 0 0 2297
GigabitEthernet0/1/1 6557 0 6557 0
asr1k-1#
asr1k-1#s
6557 sessions in FORWARDED (FWDED) State
7908 sessions in WAITING_FOR_STATS (WT_ST) State
14465 sessions total
Uniq ID PPPoE RemMAC Port VT VA State
SID LocMAC VA-st Type
5978 5978 0000.6ca3.0116 Gi0/0/0.2940148 1 Vi2.3091 WT_ST
b414.8901.8e00 VLAN: 294/148 UP
5979 5979 0000.6ca3.0117 Gi0/0/0.2940149 1 Vi2.3092 WT_ST
b414.8901.8e00 VLAN: 294/149 UP
6460 6514 0000.6ca3.0134 Gi0/0/0.2940178 1 Vi2.3354 WT_ST
b414.8901.8e00 VLAN: 294/178 UP
6454 6508 0000.6ca3.0135 Gi0/0/0.2940179 1 Vi2.3350 WT_ST
b414.8901.8e00 VLAN: 294/179 UP
6453 6507 0000.6ca3.0136 Gi0/0/0.2940180 1 Vi2.3349 WT_ST
b414.8901.8e00 VLAN: 294/180 UP
6518 6572 0000.6ca3.0137 Gi0/0/0.2940181 1 Vi2.3395 WT_ST
b414.8901.8e00 VLAN: 294/181 UP
6514 6568 0000.6ca3.0138 Gi0/0/0.2940182 1 Vi2.3393 WT_ST
b414.8901.8e00 VLAN: 294/182 UP
6516 6570 0000.6ca3.0139 Gi0/0/0.2940183 1 Vi2.3394 WT_ST
b414.8901.8e00 VLAN: 294/183 UP
6560 6614 0000.6ca3.013a Gi0/0/0.2940184 1 Vi2.3413 WT_ST
 
  • CSCul49375

Symptom: The Cisco ASR 1000 router displays the following messages in the logs:

%IDMGR-3-INVALID_ID: bad id in id_get (Out of IDs!) (id: 0x0) -Traceback= 1#cb40dca901558e45a65b881a8695af4f :400000+8653B3 :400000+893696 :400000+DF330C :400000+DED89B :400000+DF8643 :400000+1F57F36 :400000+1F4BBFB :400000+1F33BA7 :400000+1F336C1 :400000+1F34FF9 :400000+1F27763 :400000+1F29B16 :400000+2546FF3 :400000+2546EDD :400000+1F2930B
 

No new PPPoE sessions can be established anymore.

Conditions: The conditions to this symptom are unknown.

Workaround: Reload the device.

  • CSCul49852

Symptom: A router might see PPPoE-sessions in the WAITING_FOR_STATS (or WT_ST) status.

Conditions: This symptom was observed by specific users or because of using a specific profile or service like ShellMaps and Radius. The system is configured as BRAS aggregating PPPoEoA or -oE-sessions.

Workaround: There is no workaround.

  • CSCul50910

Symptom: After a random reload of the chassis or SPA, a Gig interface on SPA-5X1GE-V2 loses L3 connectivity and the ARP protocol fails.

Conditions: This symptom is observed on the Cisco 7600 router with SPA-5X1GE-V2.

Workaround: Reload SIP with SPA loaded in it.

  • CSCul52239

Symptom: Multicast traffic might get affected after an interface delete and reconfiguration. This is more likely to happen in dot1q subinterfaces in ES+ and specifically only if the delete and reconfiguration of the interface is done within 30 seconds.

Conditions: This symptom occurs in Cisco IOS Release 12.2SREx and Cisco IOS 15S based releases.

Workaround: Perform interface delete and reconfiguration with a time gap of one minute.

Further Problem Description: Perform the following steps to check if the issue is hit:

Note down the interface’s internal vlan:

PE2#sh vlan int usage | i GigabitEthernet2/24.904
2000 GigabitEthernet2/24.904

Get to SP console and do sh fid start <internal vlan> end <internal vlan>

PE2-sp#sh fid start 2000 end 2000
FID Id  Protocol Bkt Enabled  FE CAM Enabled  Vlan  Don't Learn  Age group
------  --------------------  --------------  ----  -----------  ---------
2000    no                    no              2000  yes          0x00

The issue is hit if “FE CAM Enabled” bit is set to “no”.

  • CSCul65614

Symptom: The FAN-MOD-6SHS module consumes more power than expected (should be around 180W).

#sh power
<SNIP>
Fan  Type                Watts    A @42V  State
---- ------------------  -------  ------  -----
1    FAN-MOD-6SHS        427.14   10.17   OK
 

Conditions: This symptom occurs when the ES+ Combo card is placed in slot-1 of 7600 chassis.

Workaround: Place ES+ Combo cards in any slot other than slot-1 of the 7600 chassis.

  • CSCul86211

Symptom: When the LNS switches off while sessions keep establishing at the LAC, the LAC finds the l2tp db memory exhausted after some time. Due to this, it fails to update the session in the database, and during this period a crash is observed.

Conditions: This symptom occurs when LAC tries to add l2tp session in the database and fails to do so. In order to handle this error condition, LAC frees the l2tp and l2x session twice. This double free is the reason for crash.

Workaround: There is no workaround.

  • CSCul87037

Symptom: An “sg subrte conte” chunk leak occurs while roaming.

Conditions: This symptom occurs after an account logoff and if service permit is configured in the control policy. In the case of a service permit, the subscriber remains unauthorized and is redirected to the portal once again. After a successful second account logon, when the subscriber session is cleared by timeout or CLI, the leak is seen and the same client will not be able to create the session once again. The leak is seen after simulating account logon for the second time, and if service permit is configured.

In case of service disconnect configured under account logoff, account logon is not a practical scenario as the portal is not reachable for the client.

Workaround: Use service disconnect for event account-logoff.

class type control always event account-logoff
1 service disconnect delay 10
!
 
  • CSCul90667

Symptom: Error messages and tracebacks are printed to the console.

Conditions: This symptom occurs when IGP times out while Standby RP becomes NSR Active.

Workaround: Enable NSR under IGP to ensure no timeout occurs.

  • CSCul93523

Symptom: A CPP 0 failure Stuck Thread(s) is detected and a crash occurs when running a NAT/ALG performance test with high malware SIP traffic.

Conditions: This symptom occurs when 2.2kps traffic with both NAT and non-NAT packets is set up.

Workaround: Disable SIP ALG if not required.

#no ip nat service sip udp port 5060
#no ip nat service sip tcp port 5060
 

More Info: This is a NAT issue and is only triggered by malware SIP traffic.

  • CSCul94087

Symptom: Output packet drops are observed on the ATM IMA interface even when there is no live traffic and only signaling exchange between non-Cisco devices. Although output drops in most cases mean low-bandwidth issues, in this case an entire site was down due to these drops.

Conditions: This symptom occurs under the following conditions:

1. Layer 2 cross connect is configured on Cisco device and non-Cisco device at other end.

2. Only signalling traffic flows through the devices.

3. IMA group is created for the ATM connectivity.

4. SPA-24CHT1-CE-ATM card is to be used for the ATM connection.

Workaround: Reload the SPA.

  • CSCul96778

Symptom: A router may crash and reload with BGP related traceback in an extremely rare timing condition while running “show ip bgp vpnv4 vrf XXXX nei A.A.A.A”.

Conditions: This symptom occurs while making BGP-related changes, such as moving the same neighbor across VRFs with a quick operation of “no neighbor x.x.x.x” and then “neighbor x.x.x.x”. If “show ip bgp vpnv4 vrf XXXX nei A.A.A.A” is entered immediately after this on a Cisco router running IOS and BGP, then in an extremely rare timing condition the router may crash. The likelihood of this happening increases if configuration and unconfiguration is done from one console and the show operation is done from another console.

Workaround: When doing configuration and unconfiguration and then show, it is better to serialize the operation rather than aggressively use multiple consoles to do all actions at the same time.

  • CSCum00056

Symptom: ASR IOSd crash occurs with the following error:

UNIX-EXT-SIGNAL: Segmentation fault(11), Process = ISG CMD HANDLER
 

Conditions: This symptom occurs when changes are made through RADIUS.

Workaround: There is no workaround.

  • CSCum04528

Symptom: A Cisco ASR 1002-X router might crash and reload writing a core file in the process.

Conditions: This symptom occurs with a Cisco ASR1002-X router running NAT with ALG traffic.

Workaround: There is no workaround.

  • CSCum07119

Symptom: Router generates tracebacks or crashes depending on platforms when show application ip route command is used concurrently with application route deletion.

Conditions: This symptom is observed when the show application ip route command is issued when JAVA onePK SDK is handling route replace operations.

Workaround:

1. Use show ip route command to display the application routes and not show application ip route command.

2. Use onePK GET ROUTE API to get the status of application added route.

3. Use show application ip route only when no route delete is in progress.

  • CSCum08864

Symptom: When there is a policy change (either KS or GM) in Pre-PAL, the Cisco ASR 1000 router registers again. This is because in TCAM, SA cannot be inserted or moved. An ACL merge was done in the ACE driver, and reregistration was triggered from there.

Post-PAL, ACL merge intelligence is moved to a control plane. ACL is changed and change flow priority occurs. The SA is inserted with second priority which cannot be handled by the device.

Conditions: This symptom occurs when an ACL changes on the KS or the GM.

Workaround: There are four workarounds:

1. Manually clear GetVPN registration on the Cisco ASR 1000 router using clear crypto gdoi.

2. If permit ACL is appended to KS ACL or if ACL is removed from the bottom of KS ACL, then there is no flow priority change, and no issue is observed. The limitation with this workaround is that the group configuration on KS has only one SA. If "deny ACL" is added, a few packet drops are observed.

3. Use an EEM script that monitors the rekey syslog and clears the registration. This is the same as Workaround 1 but is done automatically. The disadvantage of this workaround is that the rekey syslog is the same for a normal rekey and a policy-change rekey, so reregistration also occurs on normal rekeys.

Sample EEM script:

event manager applet GM_RE_REG
event syslog occurs 1 pattern "*GM_RECV_REKEY.*"
action 10 syslog priority warnings msg "EEM trigger workaround for CSCum08864"
action 20 CLI command "enable"
action 30 CLI command "clear cry gdoi" pattern "Are you sure you want to proceed"
action 40 CLI command "yes"

4. The ACL is swapped on KS with the new ACL and Rekey is done. The Cisco ASR 1000 GM will reregister. A small packet drop during reregistration is observed.

  • CSCum13378

Symptom: A Cisco ASR 1000 Series router configured as an IPSec endpoint may fail to reassemble fragmented ESP packets. During this failure state, the router will also log “%ATTN-3-SYNC_TIMEOUT” errors.

Conditions: This symptom occurs when a UDP packet of a specific size is received on the clear side of the device.

Workaround: Use software crypto for large packets received on the clear side by configuring post-frag encryption with the crypto ipsec fragmentation after-encryption command. This prevents the device from getting into the ATTN_SYNC state.

  • CSCum14830

Symptom: Leaking IPv6 routes is observed from a VRF table into the global table using BGP. These routes consist of the following:

1. BGP routes learned from the VRF IPv6 BGP peer.

2. Redistributed static and connected routes.

The BGP routes leak fine, but the redistributed static and connected routes have an issue. After the redistributed routes leak, the exit interface shows “null0”. Sometimes instead of showing the exit interface as “null0”, it shows a random interface which is a part of VRF and has IPv6 enabled on it.

Conditions: This symptom occurs with IPv6 connected and static routes redistributed into BGP VRF (routes redistributed from other protocols could also be affected, but this has not been tested).

Workaround: There is no workaround.

  • CSCum15232

Symptom: A Cisco IOS router may crash using LDAP while performing TLS operations.

Conditions: This symptom was observed in Cisco IOS Release 15.3(3)M1.4. Other versions can be affected as well.

Workaround: There is no workaround.

More Info: LDAP is used in IOS SSLVPN deployment to authenticate users.

  • CSCum16315

Symptom: Upon reload of a Cisco 7600 router configured with a CoPP policy containing IPv6 ACLs and DSCP matching, the CoPP is only applied to the active RSP as shown below.

After reload:

lab-7609-rsp-02#sh mod power

Mod Card Type                              Admin Status Oper Status
--- -------------------------------------- ------------ ------------
1   CEF720 48 port 10/100/1000mb Ethernet  on           on
5   Route Switch Processor 720 (Active)    on           on
6   Route Switch Processor 720 (Hot)       on           on
7   CEF720 8 port 10GE with DFC            on           on
8   CEF720 8 port 10GE with DFC            on           on

CoPP is applied to only the active RSP/SUP after reload:

lab-7609-rsp-02#sh policy-map control-plane in | inc class|Earl

class-map: COPPCLASS_MCAST (match-any)
  Earl in slot 5 :
class-map: COPPCLASS_MGMT (match-any)
  Earl in slot 5 :
class-map: COPPCLASS_ALLOW_ICMP (match-any)
  Earl in slot 5 :
class-map: COPPCLASS_MONITORING (match-any)
  Earl in slot 5 :
class-map: COPPCLASS_FILEXFER (match-any)
  Earl in slot 5 :
class-map: COPPCLASS_REMOTEACCESS (match-any)
  Earl in slot 5 :
class-map: COPPCLASS_OSPF (match-any)
class-map: COPPCLASS_LDP (match-any)
  Earl in slot 5 :
class-map: COPPCLASS_BGP (match-any)
class-map: COPPCLASS_MISC (match-any)
class-map: COPPCLASS_UNDESIRABLE (match-any)
  Earl in slot 5 :
class-map: COPPCLASS_IPV4_CATCHALL (match-any)
  Earl in slot 5 :
class-map: COPPCLASS_IPV6_CATCHALL (match-any)
class-map: class-default (match-any)
  Earl in slot 5 :

When this issue is triggered, the following error will be seen in the logs:

*Dec 14 02:33:14.579: %QM-2-TCAM_BAD_LOU: Bad TCAM LOU operation in ACL

This issue potentially exposes the device to a DoS vulnerability.

Conditions: This symptom occurs under the following conditions:

1. 7600 HA Environment.

2. CoPP IPV6 ACL with DSCP match.

3. Reload or Switchover.

Workaround: There are two workarounds for this issue.

1. Modify the CoPP Policy to remove IPV6 ACL/DSCP matching.

2. Remove and reapply the CoPP configuration as shown below:

lab-7609-rsp-02(config)#control-plane
lab-7609-rsp-02(config-cp)#no service-policy in COPP
lab-7609-rsp-02(config-cp)#service-policy in COPP
lab-7609-rsp-02(config-cp)#end

CoPP is applied to all modules as required:

lab-7609-rsp-02#sh policy-map control-plane in | inc class|Earl

class-map: COPPCLASS_MCAST (match-any)
  Earl in slot 1 :
  Earl in slot 5 :
  Earl in slot 7 :
  Earl in slot 8 :
class-map: COPPCLASS_MGMT (match-any)
  Earl in slot 1 :
  Earl in slot 5 :
  Earl in slot 7 :
  Earl in slot 8 :
class-map: COPPCLASS_ALLOW_ICMP (match-any)
  Earl in slot 1 :
  Earl in slot 5 :
  Earl in slot 7 :
  Earl in slot 8 :
class-map: COPPCLASS_MONITORING (match-any)
  Earl in slot 1 :
  Earl in slot 5 :
  Earl in slot 7 :
  Earl in slot 8 :
class-map: COPPCLASS_FILEXFER (match-any)
  Earl in slot 1 :
  Earl in slot 5 :
  Earl in slot 7 :
  Earl in slot 8 :
class-map: COPPCLASS_REMOTEACCESS (match-any)
  Earl in slot 1 :
  Earl in slot 5 :
  Earl in slot 7 :
  Earl in slot 8 :
class-map: COPPCLASS_OSPF (match-any)
  Earl in slot 1 :
  Earl in slot 5 :
  Earl in slot 7 :
  Earl in slot 8 :
class-map: COPPCLASS_LDP (match-any)
  Earl in slot 1 :
  Earl in slot 5 :
  Earl in slot 7 :
  Earl in slot 8 :
class-map: COPPCLASS_BGP (match-any)
  Earl in slot 1 :
  Earl in slot 5 :
  Earl in slot 7 :
  Earl in slot 8 :
class-map: COPPCLASS_MISC (match-any)
  Earl in slot 1 :
  Earl in slot 5 :
  Earl in slot 7 :
  Earl in slot 8 :
class-map: COPPCLASS_UNDESIRABLE (match-any)
  Earl in slot 1 :
  Earl in slot 5 :
  Earl in slot 7 :
  Earl in slot 8 :
class-map: COPPCLASS_IPV4_CATCHALL (match-any)
  Earl in slot 1 :
  Earl in slot 5 :
  Earl in slot 7 :
  Earl in slot 8 :
class-map: COPPCLASS_IPV6_CATCHALL (match-any)
  Earl in slot 1 :
  Earl in slot 5 :
  Earl in slot 7 :
  Earl in slot 8 :
class-map: class-default (match-any)
  Earl in slot 1 :
  Earl in slot 5 :
  Earl in slot 7 :
  Earl in slot 8 :

PSIRT Evaluation: The Cisco PSIRT has evaluated this issue and determined that it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco’s security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
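
The check described for CSCum16315 (every CoPP class programmed on every expected slot, plus the %QM-2-TCAM_BAD_LOU log message) can be automated after a reload or switchover. The following Python sketch is an added example, not Cisco code; the function names are hypothetical, the expected slot list (1, 5, 7, 8) is taken from the healthy output above and must be supplied per chassis, and the sample inputs are excerpts of the outputs shown in this caveat.

```python
import re

# Patterns for the two line types in
# "show policy-map control-plane in | inc class|Earl" output.
CLASS_RE = re.compile(r"^\s*class-map:\s*(\S+)", re.IGNORECASE)
EARL_RE = re.compile(r"^\s*Earl in slot\s+(\d+)\s*:", re.IGNORECASE)
TCAM_ERR = "%QM-2-TCAM_BAD_LOU"  # log mnemonic quoted in the caveat


def parse_copp_slots(output):
    """Return {class name: set of slots that list an Earl for that class}."""
    classes = {}
    current = None
    for line in output.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = m.group(1)
            classes.setdefault(current, set())
            continue
        m = EARL_RE.match(line)
        if m and current is not None:
            classes[current].add(int(m.group(1)))
    return classes


def copp_gaps(output, expected_slots):
    """Return {class name: sorted missing slots} for under-programmed classes.

    Raises ValueError when no class-map line is found, so an empty or failed
    command capture is never mistaken for a healthy device.
    """
    classes = parse_copp_slots(output)
    if not classes:
        raise ValueError("no class-map lines found in CoPP output")
    expected = set(expected_slots)
    gaps = {}
    for name, slots in classes.items():
        missing = sorted(expected - slots)
        if missing:
            gaps[name] = missing
    return gaps


def tcam_lou_events(log_text):
    """Return the log lines that carry the TCAM LOU error."""
    return [line for line in log_text.splitlines() if TCAM_ERR in line]


# Excerpt of the "after reload" output shown in this caveat.
AFTER_RELOAD = """\
class-map: COPPCLASS_MCAST (match-any)
  Earl in slot 5 :
class-map: COPPCLASS_OSPF (match-any)
class-map: COPPCLASS_BGP (match-any)
class-map: class-default (match-any)
  Earl in slot 5 :
"""

# Excerpt of the output after the CoPP policy is removed and reapplied.
AFTER_REAPPLY = """\
class-map: COPPCLASS_MCAST (match-any)
  Earl in slot 1 :
  Earl in slot 5 :
  Earl in slot 7 :
  Earl in slot 8 :
class-map: COPPCLASS_OSPF (match-any)
  Earl in slot 1 :
  Earl in slot 5 :
  Earl in slot 7 :
  Earl in slot 8 :
"""

# First line is the log message from the caveat; second line is constructed.
SAMPLE_LOG = """\
*Dec 14 02:33:14.579: %QM-2-TCAM_BAD_LOU: Bad TCAM LOU operation in ACL
*Dec 14 02:33:20.101: %SYS-5-CONFIG_I: Configured from console by console
"""

EXPECTED_SLOTS = [1, 5, 7, 8]  # assumption: slots listed in the healthy output

if __name__ == "__main__":
    for cls, missing in copp_gaps(AFTER_RELOAD, EXPECTED_SLOTS).items():
        print(f"{cls}: CoPP not programmed on slot(s) {missing}")
    print(f"{len(tcam_lou_events(SAMPLE_LOG))} TCAM LOU error(s) in log")
```

Classes such as COPPCLASS_OSPF that list no Earl at all are reported as missing on every expected slot, which matches the unprotected state shown in the after-reload output.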

  • CSCum20242

Symptom: The RSP720 image bootup fails with the following messages:

rommon 2 > boot disk0:rsp72043-adventerprisek9-mz
Initializing ATA monitor library...
Self extracting the image... [OK]
Error : memory requirements exceed available memory
Memory required : 0x40286C44
*** System received a Software forced crash ***
signal= 0x17, code= 0x4, context= 0x0
 

Conditions: This symptom could occur when the image size is very big (approximately greater than 220MB). This is not reported in any production images so far because their size is not big enough to hit this issue.

Workaround: There is no workaround.

  • CSCum24565

Symptom:

MPLS is being processed by the CPU instead of HW switching.

The rem com sw show mls vlan-ram command shows a "0" value under vpn-num, and netdr shows that MPLS is being processed by the CPU:

Example:

7600# rem comm sw sh mls vlan-ram 1906 1906
TYCHO Vlan RAM Key: * => Set, - => Clear
vlan eom nf-vpn mpls mc-base siteid stats rpf vpn-num bgp-grp l2-metro rpf-pbr-ovr
----+---+------+----+-------+------+-----+---+-------+-------+--------+-----------
1906 *   -      *    0       0      -     -   0       0       -        * <<<=== vpn-num 0
 

There is a possibility of a high CPU due to interrupts.

Conditions: The symptom may occur on the Cisco 7600 Series Routers after an SSO is performed on PE with L2VPN in PFC VLAN mode.

Workaround:

1. Remove xconnect configuration from the subinterface and reconfigure it.

2. Shut/no shut the xconnect source interface.

  • CSCum29064

Symptom: Syncing dual-stack iWAG session to STANDBY does not occur.

Conditions: This symptom occurs when IPv4 and IPv6 FSOLs are received from the same client at the ISG together (or within a very short time of each other) for a dual-stack session. In this case, the session does not sync to STANDBY for the previous IPv6 FSOL and the ISG gets a new IPv4 FSOL.

Workaround: There is no workaround.

  • CSCum34830

Symptom: A router crash is observed.

Conditions: This symptom occurs while performing VRRP and VRRS-related configuration changes.

Workaround: Unconfigure the ip pim redundancy <> command before deleting the subinterface or disabling PIM on an interface.

  • CSCum42586

Symptom: SLM does not work over the port-channel evc xconnect up mep.

Conditions: This symptom occurs when port-channel member links are on the same NP.

Workaround: There is no workaround.

  • CSCum61595

Symptom: Alignment errors are observed after upgrading to Cisco IOS Release 15.2(4)M5.

Jan 9 19:42:59.623 GMT: %ALIGN-3-CORRECT: Alignment correction made at 0x6477F81Cz reading 0x6BE87495
Jan 9 19:42:59.623 GMT: %ALIGN-3-TRACE: -Traceback= 0x6477F81Cz 0x647805D0z 0x6478FE70z 0x64751088z 0x64B99F4Cz 0x64B99FD4z 0x64752284z 0x647525ACz
 

Conditions: This symptom does not occur under specific conditions.

Workaround: There is no workaround.

  • CSCum65501

Symptom: IPv6 CoPP ACL matches traffic incorrectly. Packets are not matched against IPv6 ACE of “permit icmp any any echo-request” or against “permit icmp any any echo-reply”. This causes traffic to be classified incorrectly.

Conditions: This symptom occurs with recent Cisco IOS images. Results are as expected on Cisco IOS Release 12.2(33)SRE9a. However, it is broken in Cisco IOS Release 15.2(4)S onwards.

Workaround: There is no workaround.

  • CSCum65604

Symptom: A Cisco router crashes.

Conditions: This symptom occurs when shut/no shut is performed on the access interface.

Workaround: There is no workaround.

  • CSCum71485

Symptom: An increasing number of TEKs are generated every 30 seconds.

Conditions: This symptom occurs under the following conditions:

1. Change the Group Identity on the Secondary KS causing encryption failure. Change the Group Identity on the Primary KS. All the GMs are deleted from the KSs.

2. Restore the Secondary Key Server. Wait for it to come up as Primary for the Group : GETVPN-GROUP-1.

3. Restore the Primary Key Server with Group : GETVPN-GROUP-1.

4. This creates a new TEK policy every 30 seconds from the newly elected Primary Key Server KS2. The sequence number for rekey remains 1.

5. KS1 is restored to be the primary role.

6. After the existing TEKs from KS2 are expired, it behaves normally.

Workaround: There is no workaround.

  • CSCum78363

Symptom: The local circuit remains in the DOWN state.

Conditions: This symptom is observed when L2TPv3 session is configured.

Workaround: There is no workaround.

  • CSCum85813

Symptom: When the primary static route is shut, the secondary static route is not installed automatically.

Conditions: This symptom is seen on the sites where the BFD state of the backup static route is marked as “U” in the output of “show ip static route bfd”.

Workaround: Reinstall the default backup static route.

  • CSCum94408

Symptom: Intermittently, if a root’s CRL to validate sub does not get downloaded [Internal or External failures], and the CRL by sub gets downloaded, the following message will be seen:

[Debug crypto isakmp and Debug crypto pki m/t/v/c]
ISAKMP (35845): adding peer’s pubkey to cache
ISAKMP:(35845): processing SIG payload. message ID = 0
%CRYPTO-3-IKMP_QUERY_KEY: Querying key pair failed.
 

Conditions: This symptom occurs in Cisco IOS configured with the IKEv1, Authentication mode RSA-SIG [Certificates]. PKI Infrastructure is as follows:

Root -> Sub -> ID

Root and Sub Trustpoint have “revocation-check crl none”. Sub has “chain-validation continue Root”.

Workaround: Disable Revocation-check and Chain-validation under Sub Trustpoint.

  • CSCum95330

Symptom: Removing an Ethernet service instance which is a member of a bridge domain may cause the router to reload.

Conditions: This symptom is observed when the last service instance is removed from the bridge domain and there are still members of the bridge domain which are not service instances (such as VFIs).

Workaround: Completely unconfigure the bridge domain and reconfigure it.

  • CSCun00236

Symptom: MST TCNs are not sent over a port-channel access interface after an AED change.

Conditions: This symptom occurs with dual-home AEDs at a site with port-channels used as access links. The join or overlay interface goes down to cause an AED change.

Workaround: Use an EEM script to bounce access interfaces (port-channels). This should cause the access switches to flush their MAC tables and redirect traffic to the new AED.

  • CSCun01152

Symptom: A Cisco IOS-XE router reloads unexpectedly.

Conditions: This symptom occurs when a zone-based firewall is configured on the router. The crash occurs due to a timing condition which can occur when two loosely coupled flows are deleted at the same time. This was observed in an environment with a large number of active MSRPC sessions traversing the firewall.

Workaround: There is no workaround.

  • CSCun10381

Symptom: A traffic drop was observed because labels do not get programmed.

Conditions: This symptom occurs when scalable EoMPLS with L3VPN is configured. When notifications on atom-imps arrive, they have to get programmed.

Workaround: Clear ip route.

More Info: Traffic was seen to be dropped as the atom-imps could not be programmed because label entry could not be found for the atom-imps.

  • CSCun11782

Symptom: Rtfilter prefixes are sent with incorrect next-hop equal to next-hop of the default static route in GRT instead of BGP router-id.

Conditions: This symptom occurs with a default static route present in GRT pointing, for example, to the next-hop known behind the connected interface.

Workaround: Replace the default static route with a more specific static route or remove static and clear BGP.

  • CSCun13688

Symptom: The Cisco Catalyst 6500 Supervisor Engine 2T with CLNS routing configured crashes after show clns route.

Conditions: This symptom occurs when CLNS routing is configured.

Workaround: There is no workaround.

  • CSCun20187

Symptom: HSRP communication fails between two PEs (Cisco 7600 Series router) right after removing a neighbor from VFI.

Conditions: Assume that a VPLS circuit is running between more than two PEs, say A, B, and C, and HSRP is running between A and B. Removing VPLS peer C on either A or B causes an HSRP communication failure between A and B. This failure is not expected because the data path is still available between A and B.

Workaround: Perform shut/no shut on the SVI.

  • CSCun28171

Symptom: An ISG will stop processing CoAs for a subscriber session when CoAs are received in rapid succession. The received CoAs are queued but never processed.

Conditions: This symptom occurs when multiple CoAs for a single subscriber session are received in short time (milliseconds).

Workaround: The subscriber session needs to be reset to recover. There is no workaround known yet to avoid the situation from happening.

  • CSCun28965

Symptom: “show ip nat translation filter range [inside | outside] [local | global] <start-ip> <end-ip>” does not filter the output as per the range specified.

Conditions: This symptom occurs on Cisco ASR 1000 Series router.

Workaround: There is no workaround.

  • CSCun31021

Symptom: A vulnerability in the IKE module of Cisco IOS and Cisco IOS XE could allow an unauthenticated, remote attacker to affect already established Security Associations (SA).

The vulnerability is due to incorrect handling of rogue IKE Main Mode packets. An attacker could exploit this vulnerability by sending a crafted Main Mode packet to an affected device. An exploit could allow the attacker to cause valid, established IKE Security Associations on an affected device to be dropped.

Conditions: This symptom occurs on a device configured to process an IKE request that already has a number of established security associations.

Workaround: There is no workaround.

PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C

CVE ID CVE-2014-2143 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-2143

Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

  • CSCun36785

Symptom: A Cisco ASR1002X production router acting as a WAN-Aggregator reloads unexpectedly after pushing the AVC configuration from Cisco Prime infrastructure through an SSH session.

The configuration push was successful onto the box, and the flow statistics were exported to the PI.

However, after 30 minutes, the router reloaded with a “CPP mcplo_ucode” crash and a “fman_fp” crash. The box is configured with IKEv2 DMVPN and basic NAT, along with BGP and EIGRP. Four static NHRP tunnels from different branch locations terminated onto this box. All traffic from the branches were encrypted, decrypted on this router and NAT was applied to the decrypted traffic before sending it out of the port-channel interface towards the production network.

Conditions: This symptom is observed on a Cisco ASR1002X router running CCO IOS-XE version 3.10.1. The crash has occurred only once. Currently AVC configurations have been backed out and the router is stable. This seriously affects the AVC deployment on the network.

Workaround: There is no workaround.

  • CSCun36866

Symptom: A Cisco router providing Layer 2 EoMPLS services may stop forwarding ingress and egress traffic for an xconnect for which a backup peer configuration has been applied.

Conditions: This symptom occurs in Cisco 7600 Series routers and Cisco ASR 1000 Series routers running Cisco IOS Release 15.3(3)S or 15.4(02)S with xconnect configured under a service instance.

Workaround: Clear the xconnect on the Cisco 7600 router side. Clearing the remote side does not have an effect.

  • CSCun41292

Symptom: On a Cisco ASR 1001 router running Cisco IOS Release 15.3(1)S, a crash occurs when the “show ip ei vrf X topo X.X.X.X/X” command is executed. The X.X.X.X/X must be in “FD is infinity” status in EIGRP as CSCtz01338.

asr1001_bew_03# show ip ei vrf * to all | i Infinity
P 174.162.XX.XX/24, 0 successors, FD is Infinity, U, serno 37, refcount 1
snip
P 174.180.XX.XX/29, 0 successors, FD is Infinity, U, serno 46, refcount 1
asr1001_bew_03#
asr1001_bew_03#
asr1001_bew_03#
asr1001_bew_03#
asr1001_bew_03#
asr1001_bew_03#show ip ei vrf 1 to 174.162.XX.XX/24
Exception to IOS Thread: Frame pointer 0x7F63DF6602D0, PC = 0x1956C8D
UNIX-EXT-SIGNAL: Segmentation fault(11), Process = Exec
-Traceback= 1#980611ad3b9665cd80fe5178bcd6036a :400000+1556C8D :400000+1556B09 :400000+15569D1 :400000+157DE39 :400000+15197A2 :400000+1518659 :400000+156BA5E :400000+15591D1 :400000+1189768 :400000+1188E6D :400000+1186E15 :400000+484F270 :400000+11A1CA0
Fastpath Thread backtrace: -Traceback= 1#980611ad3b9665cd80fe5178bcd6036a c:7F64154A4000+BE002
Auxiliary Thread backtrace: -Traceback= 1#980611ad3b9665cd80fe5178bcd6036a pthread:7F640ED43000+A7C9
 

Conditions: This symptom occurs when X.X.X.X/X is in “FD is infinity” status in EIGRP.

Workaround: There is no workaround.

  • CSCun45272

Symptom:

1. Standby RP will have out-of-sync entries. With MPLS-TE NSR enabled, the standby RP will have out-of-sync entries which will result in flapping of the path-protected LSP of the tunnel after an SSO.

2. Leaking an LSP. A third LSP will be signaled and leaked (there is no management of the LSP). There are supposed to be two LSPs at steady state (primary and path protected), but with this defect, there will be primary, path protected, and leaked LSP.

Conditions: This symptom occurs with a reoptimization of a tunnel that has failed with path protection enabled.

Workaround: There is no workaround.

  • CSCun46486

Symptom: A Cisco device crashes every 2-3 days when the SNMPSET operation is used to create guest users.

Conditions: This symptom occurs when guest users are created through SNMPSET operations at a very high rate.

Workaround: There is no workaround.

  • CSCun48344

Symptom: A config-sync failure occurs due to the address-family ipv6 unicast vrf command during the immediate unconfiguration and reconfiguration of VRF definition.

Conditions: This symptom occurs with attached running configurations.

Workaround: There is no workaround.

  • CSCun49087

Symptom: A Cisco ASR 1002x router crashes.

Conditions: This symptom occurs during duty cycle testing with a lot of negative events in the DMVPN setup.

Workaround: There is no workaround.

  • CSCun73782

Symptom:

A vulnerability in LISP control messages processing on Cisco IOS and Cisco IOS XE could allow an unauthenticated, remote attacker to cause a vulnerable device to disable CEF forwarding and eventually drop traffic passing through.

The vulnerability is due to insufficient checking of certain parameters in LISP control messages on ITR. An attacker could exploit this vulnerability by sending malformed LISP control messages to ITR. An exploit could allow the attacker to cause a vulnerable device to disable CEF forwarding and eventually drop traffic passing through.

Conditions: Malformed messages can only be generated by a device that is already registered to a LISP system: a valid ETR or ALT.

Workaround: There is no workaround.

PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C

CVE ID CVE-2014-3262 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3262

Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

  • CSCun77010

Symptom: A router may crash after or during the execution of the show ipv6 ospf rib command.

Conditions: This symptom occurs when many routes or route paths are present in the OSPFv3 rib. The OSPFv3 rib is significantly recomputed during execution of commands.

Workaround: Limit the use of the show ipv6 ospf rib command.

  • CSCun97966

Symptom: When packets are sent to crypto, a “txnpMaxMtuExceeded” message is seen.

Conditions: This symptom occurs only on Cisco ASR 1002x, ASR1000-ESP100, and ASR1000-ESP200 routers.

Workaround: There is no workaround.

  • CSCun99766

Symptom: A router crashes while making changes to an AppNav policy map or a class map.

Conditions: This symptom occurs under the following conditions:

Multiple AppNav controllers are used.

Sessions are created and can be seen using show service-insertion statistics sessions.

AppNav policy map and class map are modified while live traffic is redirected by AppNav.

Policy map or class map change results in a mismatch between AppNav controllers.

Workaround: When using AppNav Controller Group with multiple ACs, avoid changing the policy map or class map when there are active sessions present (use show service-insertion statistics sessions).

More Info: A crash occurs after a policy map or class map change results in changes to the existing session and subsequently a new connection matching this session is synced to the other ACs which are not aware of the new policy map or class map.

  • CSCuo16717

Symptom: PPPoX sessions fail to come up with IPv6 configurations.

Conditions: This symptom occurs when “vpdn authen-before-forward” is configured.

Workaround: Do not configure “vpdn authen-before-forward”.

Resolved Caveats—Cisco IOS Release 15.3(3)S2

The caveats in this section are resolved in Cisco IOS Release 15.3(3)S2 but may be open in previous Cisco IOS releases.

  • CSCtz73473

Symptom: In a rare multipath import configuration on IOS router, the following traceback is seen:

SW0: *May 4 12:08:40.175 PDT: %IPRT-3-INVALID_NEXTHOP: Duplicate ID 0x3 113.1.1.0/24 from bgp decode:
0x6770760 ---> ip_route_update+37C
0x59F7B20 ---> bgp_ipv4_rib_install+578
0x59F87C8 ---> bgp_ipv4_rib_update+108
0x5A8C524 ---> bgp_vpnv4_update_iprib+2C
0x59F8C24 ---> bgp_v4class_update_fwdtable_walker+60
...
 

Though there is no operational impact, it disturbs the console with the above traceback.

Conditions: This symptom is observed when you configure the following in the VRF address family:

router bgp 200000
!
address-family ipv4 vrf 5
import path selection multipaths
maximum-paths eibgp 8
 

Workaround: Do not log output to the console; use buffered logging instead to keep the console clean.

  • CSCuc53853

Symptom: A vulnerability exists in Cisco IOS switches where a remote, unauthenticated attacker can cause a denial of service (DoS) by reloading an affected device. An attacker can exploit this vulnerability by sending a special combination of crafted packets.

Conditions: This symptom occurs when the HTTP server is enabled on the affected device.

Workaround: There is no workaround.

PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.4/4.2: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C

CVE ID CVE-2013-1100 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-1100

Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

  • CSCue14596

Symptom: The mib cfmFlowMetadataAppName value in the SNMP query should not include vendor information.

Conditions: This symptom occurs when the SNMP query is run for mib cfmFlowMetadataAppName and the following value is obtained:

cfmFlowMetadataAppName.2.1 = cisco telepresence-control
 

The vendor information “cisco” should be removed. The expected mib value is as follows:

cfmFlowMetadataAppName.2.1 = telepresence-control
 

Workaround: There is no workaround.

  • CSCue68714

Symptom: Newer IOS-XE BGP releases, after Cisco IOS Release 15.2(4)S/XE3.7, do not form a BFD session with older implementations. This happens when using eBGP multi-hop to peer between two loopback interfaces on directly connected routers.

Conditions: This ddts adds two options, “[single-hop | multi-hop]”, to the existing BGP-BFD knob “neighbor x.x.x.x fall-over [bfd] [check-control-plane-failure]”.

After the change, the knob is: “neighbor x.x.x.x fall-over [bfd] [single-hop | multi-hop] [check-control-plane-failure]”

Note: The existing behavior of “neighbor x.x.x.x fall-over [bfd]” is not disturbed, so the behavior that has been released as part of all the releases for more than three years does not change.

Options added in this ddts:

1) “neighbor x.x.x.x fall-over [bfd] [single-hop]”: the new option “single-hop” forces BGP to open a single-hop BFD session, even in the case of back-to-back eBGP with update-source loopback and 2-hop BGP peering.

2) “neighbor x.x.x.x fall-over [bfd] [multi-hop]”: the new option “multi-hop” forces BGP to open a multi-hop BFD session.

Workaround: There is no workaround. ISR G2 should support the BFD multi-hop feature.

More Info: ISR-G2 does not support multi-hop BFD, while ISR4400 supports multi-hop BFD. BFD multi-hop support for ISR-G2 needs to be provided so that it can interoperate with ISR4400 and ASRs.

  • CSCue91343

Symptom: When more than three input sources are configured (2 gig inputs and 1 input to Metronome SPA) with various QL states, the configured input source on the Metronome SPA goes into a QL failed state.

Conditions: This symptom occurs when more than one input clock source is configured with at least one in the MN SPA. When the input source on the MN SPA is configured with the highest priority, it is selected as the best clock. When the quality of the input source is changed to a lower priority than the other two clock sources, it is seen to go into QL-FAILED.

Workaround: Shut/No shut the Gig interface at the near end where the OOR has occurred.

  • CSCug43009

Symptom: SYS-SP-2-MALLOCFAIL memory allocation fails due to I/O buffer memory leak in process_online_diag_pak.

Conditions: This symptom occurs when some diag packets get en-queued to a queue which is not being watched. Hence, there is no dequeueing on that queue which leads to I/O memory leak.

Workaround: Reload the box to clear the I/O pool when it is full.

  • CSCug45898

Symptom: A vulnerability in the Session Initiation Protocol (SIP) implementation in Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device. To exploit this vulnerability, affected devices must be configured to process SIP messages. Limited Cisco IOS Software and Cisco IOS XE Software releases are affected.

Cisco has released free software updates that address this vulnerability.

There are no workarounds for devices that must run SIP; however, mitigations are available to limit exposure to this vulnerability.

This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-sip


Note The March 26, 2014, Cisco IOS Software Security Advisory bundled publication includes six Cisco Security Advisories. All advisories address vulnerabilities in Cisco IOS Software. Each Cisco IOS Software Security Advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all Cisco IOS Software vulnerabilities in the March 2014 bundled publication.


Individual publication links are in Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication at the following link:

http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar14.html

Conditions: See published Cisco Security Advisory.

Workaround: See published Cisco Security Advisory.

PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/6.4:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C

CVE ID CVE-2014-2106 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

  • CSCug84789

Symptom: A vulnerability in the Cisco 7600 Series Route Switch Processor 720 with 10 Gigabit Ethernet Uplinks models RSP720-3C-10GE and RSP720-3CXL-10GE could allow an unauthenticated, remote attacker to cause the route processor to reboot or stop forwarding traffic. The vulnerability is due to an issue in the Kailash field-programmable gate array (FPGA) versions prior to 2.6.

Cisco has released free software updates that address this vulnerability.

Workarounds that mitigate this vulnerability are not available.

This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-RSP72010GE


Note The March 26, 2014, Cisco IOS Software Security Advisory bundled publication includes six Cisco Security Advisories. All advisories address vulnerabilities in Cisco IOS Software. Each Cisco IOS Software Security Advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all Cisco IOS Software vulnerabilities in the March 2014 bundled publication.


Individual publication links are in Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication at the following link:

http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar14.html

Conditions: See published Cisco Security Advisory

Workaround: See published Cisco Security Advisory

PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.1/5.9:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C

CVE ID CVE-2014-2107 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

  • CSCui88426

Symptom: A vulnerability in the Internet Key Exchange Version 2 (IKEv2) module of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of the affected device that would lead to a denial of service (DoS) condition.

The vulnerability is due to how an affected device processes certain malformed IKEv2 packets. An attacker could exploit this vulnerability by sending malformed IKEv2 packets to an affected device to be processed. An exploit could allow the attacker to cause a reload of the affected device that would lead to a DoS condition.

Although IKEv2 is automatically enabled on Cisco IOS Software and Cisco IOS XE Software devices when the Internet Security Association and Key Management Protocol (ISAKMP) is enabled, the vulnerability can be triggered only by sending a malformed IKEv2 packet.

Only IKEv2 packets can trigger this vulnerability.

Cisco has released free software updates that address this vulnerability. There are no workarounds to mitigate this vulnerability.

This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-ikev2


Note The March 26, 2014, Cisco IOS Software Security Advisory bundled publication includes six Cisco Security Advisories. All advisories address vulnerabilities in Cisco IOS Software. Each Cisco IOS Software Security Advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all Cisco IOS Software vulnerabilities in the March 2014 bundled publication.


Individual publication links are in Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication at the following link:

http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar14.html

Conditions: See published Cisco Security Advisory

Workaround: See published Cisco Security Advisory

PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/6.4:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C

CVE ID CVE-2014-2108 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

  • CSCue00996

Symptom: The Cisco IOS Software implementation of the Network Address Translation (NAT) feature contains two vulnerabilities when translating IP packets that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.

Cisco has released free software updates that address these vulnerabilities.

There are no workarounds to mitigate these vulnerabilities.

This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-nat


Note The March 26, 2014, Cisco IOS Software Security Advisory bundled publication includes six Cisco Security Advisories. All advisories address vulnerabilities in Cisco IOS Software. Each Cisco IOS Software Security Advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all Cisco IOS Software vulnerabilities in the March 2014 bundled publication.


Individual publication links are in Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication at the following link:

http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar14.html

Conditions: See published Cisco Security Advisory

Workaround: See published Cisco Security Advisory

PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.1/5.9:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C

CVE ID CVE-2014-2111 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

  • CSCuh33843

Symptom: The Cisco IOS Software implementation of the Network Address Translation (NAT) feature contains two vulnerabilities when translating IP packets that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.

Cisco has released free software updates that address these vulnerabilities.

There are no workarounds to mitigate these vulnerabilities.

This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-nat


Note The March 26, 2014, Cisco IOS Software Security Advisory bundled publication includes six Cisco Security Advisories. All advisories address vulnerabilities in Cisco IOS Software. Each Cisco IOS Software Security Advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all Cisco IOS Software vulnerabilities in the March 2014 bundled publication.


Individual publication links are in Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication at the following link:

http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar14.html

Conditions: See published Cisco Security Advisory

Workaround: See published Cisco Security Advisory

PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/6.4:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C

CVE ID CVE-2014-2109 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

  • CSCug92091

Symptom: When an IPv6 host is performing DAD and it is not yet present in the binding table it might log the following message:

%SISF-4-PAK_DROP: Message dropped A=:: G=FE80::84D2:B20F:7041:433D V=7 I=Gi1/0/13 P=NDP::NS Reason=Advertise while TENTATIVE
 

This packet is seen on other ports in the same VLAN without an impact to DAD. Hence the message is misleading.

Conditions: This symptom occurs when DAD packets are received on the switch and they can be logged as drops.

Workaround: There is no workaround.

  • CSCuh15049

Symptom: An EIGRP internal error log message appears along with tracebacks when EIGRP neighbors go down. The device might crash during the peer cleanup.

Conditions: This symptom is not observed under any specific conditions.

Workaround: There is no workaround.

  • CSCuh24317

Symptom: The username is always stored in uppercase in IOS, regardless of how it was configured.

Conditions: This symptom is observed when the username shown in “show running config” is always displayed in uppercase, regardless of the case the user entered when configuring it.

Workaround: There is no workaround.

  • CSCuh36124

Symptom: Service Routing/SAF in Cisco IOS Release 15.2.X.X experiences high CPU during a failover condition in which the active SAF forwarder loses its connection to the network, causing the clients to switch to the secondary forwarder. This issue occurs if the forwarder that becomes active still has an active neighbor to which it needs to send updated registration data (so more than two forwarders are required to observe this defect). Because of the high CPU condition during this failover, clients can experience longer registration times, increasing the outage window.

Conditions: It has been validated in the lab that the condition occurs only when more than two forwarders are involved and all the forwarders are peered to each other via directly configured peers or network-based EIGRP peers. The high CPU is caused directly by the connection that exists between SAF forwarders to exchange data across the network, and not by the data exchange between the client and the SAF forwarder.

Workaround: There is no workaround.

  • CSCuh41290

Symptom: After the unavailability of the LDAP CRL, no new CRL fetches can be done because LDAP waits for a reply infinitely and never times out.

Conditions: This symptom was first seen on Cisco IOS Release 15.1(4)M6 but is not exclusive to it.

Workaround: Set “revocation-check none” under affected trustpoint. Reload the router.

  • CSCuh56385

Symptom: Very slow propagation of data across a network of SAF forwarders after a fail over condition is observed. More than two SAF forwarders are required to observe this defect.

Conditions: This symptom occurs when there are more than two SAF forwarders in the network. After a fail over condition and the clients initiate advertising patterns into the standby forwarder, the propagation of these advertisements via update messages to the SAF peers can experience a 5 second inter-service advertisement delay.

Workaround: There is no workaround. Once the forwarder that suffered the fail over condition returns and establishes its neighbor relationships with its peers, the forwarders will update quickly.

  • CSCuh61135

Symptom: The ES+ card crashes with an unexpected exception to CPU:

vector 200, PC = 0x0
 

Conditions: The symptom is observed on the ES+ series linecards on a Cisco 7600 series router. The symptom is reported on the ES+ console and in the crashinfo file on the ES+ flash disk. It is not reported in the syslog.

Workaround: There is no workaround.

  • CSCuh69292

Symptom: LDAP moves into a stuck state.

Conditions: This issue is seen if the LDAP server becomes unavailable during LDAP transactions.

Workaround: There is no workaround.

  • CSCuh78173

Symptom: The EVC value shows as I state after a change from MPLS IP to PC MPLS IP.

Conditions: This symptom occurs when mpls ip is changed from interface to PC.

Workaround: Remove EVC configuration.

  • CSCuh86200

Symptom: A Cisco router crashes during a session churn with the following message:

Process = SSS Policy Manager.
 

Conditions: This symptom occurs when two service idle timeouts and a session timeout happen at the same time.

Workaround: Do not use the same idle/abs timeout for all services and sessions.

  • CSCuh91645

Symptom: WS-SUP720-3B crashes while receiving DHCP packets.

Conditions: This symptom occurs with the ip dhcp relay information policy-action encapsulate command.

Workaround 1. Use the ip dhcp relay information policy-action replace command.

Workaround 2. Use the no ip dhcp relay information trusted command.

  • CSCui04262

Symptom: An error syslog is seen on ASR1K BRAS running XE352.P3 Standby-RP, showing QOS service-policy installation failures:

1. Jun 13 14:43:55.323 CEST: %QOS-6-POLICY_INST_FAILED: Service policy installation failed
2. Jun 13 14:47:10.725 CEST: %QOS-3-INDEX_DELETE: class-group unable to remove index 00B6AA60
3. Jun 13 14:47:10.726 CEST: %QOS-3-UNASSIGNED: A CLASS_REMOVE event resulted in an (un)assigned index for class-group target-input-parent$class-default$IPBSA>ci=3#qu=3#qd=4#co=4#pu=police#ru=200K#pd=police#rd=300K<_IN$class-default
4. Jun 13 14:47:10.727 CEST: %QOS-6-RELOAD: Index removal failed, reloading self
 

Conditions: This symptom is observed on an ASR1K BRAS running Cisco IOS Release XE352.P3, Version 15.2(1)S2, CUST-SPECIAL:V152_1_S2_CSCUA32331_4, when PPPoE sessions are churned with 2 unique ISG/Shell map services per session. After a manual RP failover is done, the error is seen after a while.

Workaround: There is no workaround.

  • CSCui46593

Symptom: CPU hog crash due to Mwheel Process.

Conditions: This symptom is observed in a normal operation.

Workaround: There is no workaround.

  • CSCui51363

Symptom: The multilink does not pass traffic even though it is in an up/up state.

Conditions: This symptom occurs when the auto DNR status is set and the sip400 ucode crashes.

Workaround: Perform a shut/no shut in the multilink.

  • CSCui56771

Symptom: When shutdown and no shutdown are executed at an external interface on a router acting as a PfR border, the router may unexpectedly reload.

Conditions: This symptom occurs on a Cisco router when heavy traffic is going through an external interface.

Workaround: There is no workaround.

  • CSCui59185

Symptom: A Cisco ASR 901 router crashes while booting up with memory lite disabled.

Conditions: This symptom is observed when RFLA is enabled with memory lite disabled.

Workaround: Enable memory lite.

  • CSCui61928

Symptom: The chunk mgr process consumes a lot of memory and does not free it up. This may lead to insufficient processor memory.

Conditions: This symptom occurs when a static BFD session constantly flaps. Dynamic BFD sessions are not affected.

Workaround: This situation can be avoided by the following:

1. Preventing a constantly flapping static BFD session.

2. Removing the BFD configuration.

3. Configuring BFD dampening (in the BFD template mode).

  • CSCui74609

Symptom: After an RSP switchover, the backup pseudowire state is down and never recovers to the standby state.

Conditions: This symptom occurs on CEM circuits in an SAToP environment after an SSO switchover.

Workaround: There is no workaround.

  • CSCui82519

Symptom: The receiver has a remote alarm after configuring “framing no-crc4” on the controller.

Conditions: This symptom occurs after configuring “framing no-crc4” on the controller.

Workaround: There is no workaround.

  • CSCui82817

Symptom: A tunnel with lower absolute metric is not advertised properly.

Conditions: This symptom occurs under the following conditions:

1. When there are multiple tunnels to a destination.

2. The tunnel with a better metric comes up.

3. When ISIS is used as IGP and both L1 and L2 are present and configured for TE.

Workaround: Clear the ISIS sessions.

  • CSCuj00746

Symptom: On performing an upgrade from 9.512 to 9.523, there is a label allocation failure in VPWS circuits as they are trying to utilize the labels that are already used by the VPLS circuits that are present in the database.

Conditions: This symptom occurs when both VPWS and VPLS circuits are configured on the same node before upgrading.

Workaround: Removing the VPLS circuit brings up the VPWS circuits. Reconfiguring the VPLS circuit is also successful with a different local label assigned.

  • CSCuj04703

Symptom: EIGRP OTP fails to form a neighbor relationship.

Conditions: This symptom occurs when the OTP is enabled. The E-RR denies adjacency due to “max neighbor” setting although “max neighbor” is not configured.

Workaround: There is no workaround.

  • CSCuj06347

Symptom: Cisco IOS and Cisco NX-OS software contain a vulnerability that could allow an authenticated, local attacker to poison the LISP map cache on the router configured as an Ingress Tunnel Router (ITR).

Conditions: This symptom occurs when an attacker has a privilege 0 local access to the ITR and executes lig commands.

Workaround:

1. Configure privilege exec level 1 lig, to prevent privilege level 0 users from executing the lig command.

2. Use separate VRFs for the EID and RLOC spaces, assuming the attacker does not have access to the RLOC case.

3. Using GETVPN or other crypto in the RLOC space may mitigate against this, but not in the common deployment scenario, where crypto maps are applied to the LISP0 interface.

PSIRT Evaluation: The Cisco PSIRT has evaluated this issue, and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

  • CSCuj11232

Symptom: Changing the local label on an existing static (no signaling) Any Transport over MPLS (AToM) pseudowire, or changing the static pseudowire to a dynamic one (with LDP signaling) may cause traffic to fail to traverse the pseudowire.

Conditions: This symptom is observed when either the configured value of the static local label is changed, or if the pseudowire is changed to a dynamic one.

Workaround: Completely unconfigure the existing xconnect or pseudowire before entering the new configuration.

  • CSCuj23896

Symptom: The Cisco Catalyst 4500-X Series Switches crash while running wireshark.

Conditions: This symptom occurs when the following conditions are met:

1. “capture” is started with ipv4/ipv6/mac filter (using match keyword).

2. “capture” is stopped and modified to use different filter.

3. “capture” is started again.

Workaround: Avoid using monitor capture name match ipv4/ipv6/mac. Use an ACL/class-map that is created from the configuration mode.

  • CSCuj26593

Symptom: Simple IP Dual stack and IPv6 sessions failed to survive an RP switchover.

Conditions: This symptom occurs when the dual stack session exists.

Workaround: Do not use the dual stack session.

  • CSCuj30572

Symptom: With EIGRP and PFR configured, the router crashes after giving the following EIGRP messages:

000111: Sep 17 09:08:33.331: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.50.2.1 (Tunnel502) is down: Peer Termination received
000112: Sep 17 09:08:33.347: %DUAL-3-INTERNAL: EIGRP-IPv4 1: Internal Error
-Traceback= 319D4CB4z 319EC5E4z 319EC7C8z 319E4950z 319EA760z 31A25008z 32C23084z 32C23068z
 

Conditions: This symptom occurs when PFR, OER, and EIGRP are configured.

The router under test has two EIGRP peers, HUB1 and HUB2. (The metrics given are only for illustration.)

EIGRP has a prefix with 3 different paths installed in the following order:

DRDB1 NH - HUB1, Metric 36571392 / 0 (Installed by PFR)

DRDB2 NH - HUB2, Metric 58322432 / 409600 (x Hops away learnt from Router X)

DRDB3 NH - HUB1, Metric 538004992 / 500409600 (y Hops away learnt from Router Y)

With these initial conditions, if neighborship with Router Y goes down, both PFR and EIGRP try to delete DRDB3, which results in inconsistent data structures with memory corruption. Any further access to memory will result in a crash.

Workaround: Use other load-sharing methods instead of PFR.

More Info: Usually, the crash is seen during the execution of the EIGRP route lookup function, similar to the following:

0x33841E10:eigrp_pfr_get_drdb(0x33841ddc)+0x34
0x33842014:eigrp_pfr_route_lookup(0x33841e88)+0x18c
 
  • CSCuj41494

Symptom: Memory leak is observed when the Cloud Web Security (former scansafe) functionality is used on IOS versions containing the fix for CSCuh33843. Versions prior to Cisco IOS Release 15.3(3)M are unaffected since they did not get the fix for CSCuh33843.

Conditions: This symptom occurs when there is scansafe traffic handled by the TCP.

Workaround: Disable scansafe.

  • CSCuj47238

Symptom: There is a difference in the Y1731 probe within show ip sla statistics.

Conditions: This symptom is seen in the Cisco 7600 series routers.

service instance 400 ethernet evc1000
 description -- EVC Cliente BUSINESS---
 encapsulation dot1q 400 second-dot1q 100 <==HERE
 rewrite ingress tag pop 2 symmetric <==HERE
 xconnect 172.16.12.6 1000 encapsulation mpls
 cfm mep domain OPM mpid 2

mdr-rm01#sh ip sla statistics 1
IPSLAs Latest Operation Statistics

IPSLA operation id: 1
Delay Statistics for Y1731 Operation 1
Type of operation: Y1731 Delay Measurement
Latest operation start time: 12:06:21.041 CET Wed Sep 11 2013
Latest operation return code: OK
Distribution Statistics:

Interval
 Start time: 12:06:21.041 CET Wed Sep 11 2013
 Elapsed time: 50 seconds
 Number of measurements initiated: 44 <== HERE
 Number of measurements completed: 32 <== HERE
 Flag: OK
 

Workaround: There is no workaround.

  • CSCuj47554

Symptom: PBHK bundles are not released even after the session is cleared.

Conditions: This symptom occurs after the session is cleared and the port-bundle status is not shown correctly with the show ip portbundle status command.

Workaround: There is no workaround.

  • CSCuj50396

Symptom: The flow exporter status becomes inactive.

Conditions: This symptom occurs after an RP switchover while checking flow monitor information.

Workaround: There is no workaround.

  • CSCuj50401

Symptom: An ND cache entry is not created for an ISIS IPv6 neighbour when an ISIS adjacency is established.

Conditions: This symptom occurs when ISIS IPv6 is configured and has an established adjacency with the neighboring node.

Workaround: There is no workaround.

Further Problem Description: The impact is negligible because the fix is an optimization. As an optimization a new entry is created in the ND cache when a new ISIS adjacency is established. The defect means that an ND cache entry is not created when an adjacency is established, causing slight delays when data starts flowing. An entry will be created normally when data flows to the neighbor.

  • CSCuj52396

Symptom: In a VPLS Inter-Autonomous System Option B configuration, the virtual circuits between the Autonomous System Border Router (ASBR) and the PE may fail to come up.

Conditions: This symptom is observed while initially establishing VCs after the ASBR has reloaded.

Workaround: The clear xconnect exec command can be used to clear the VCs that are down.

  • CSCuj52699

Symptom: A Cisco router crashes.

Conditions: This symptom is observed in a load or stress condition.

Workaround: There is no workaround.

  • CSCuj54036

Symptom: A Cisco c3900e router crashes during stress conditions.

Conditions: This symptom is observed when “content-scan” is enabled and the router is at stress conditions.

Workaround: There is no workaround.

  • CSCuj55540

Symptom: Exception is seen on the Cisco 3945E ISR router with whitelisted scansafe traffic.

Conditions: This symptom is observed when there is a lot of whitelisted traffic going through the ISR box.

Workaround: Disable whitelisting.

  • CSCuj57150

Symptom: The Cisco ASR 903 router crashes.

Conditions: This symptom occurs when a router reloads with link shut after the standby is inserted.

Workaround: Avoid this sequence once the standby comes up.

  • CSCuj57367

Symptom: A 10 gig line card crashes on a Cisco 7600 platform with the following or similar errors:

%SYS-DFC3-3-MGDTIMER: Uninitialized timer, timer stop, timer = 30CCCFB0. -Process= "RO Notify Timers", ipl= 0, pid= 7 -Traceback= 2060E1BCz 2060E8E4z
%SYS-DFC3-3-MGDTIMER: Uninitialized timer, timer stop, timer = 30CCD154. -Process= "RO Notify Timers", ipl= 0, pid= 7 -Traceback= 2060E1BCz 2060E8E4z
%SYS-DFC3-3-MGDTIMER: Uninitialized timer, timer stop, timer = 30CCCFB0. -Process= "RO Notify Timers", ipl= 0, pid= 7 -Traceback= 2060E1BCz 2060E8E4z
08:54:43 Central Tue Oct 1 2013: Address Error (load or instruction fetch) exception, CPU signal 10, PC = 0x20642A08
 

Conditions: This symptom occurs when a large number of IPC messages are used.

Workaround: There is no workaround.

More Info: On mac-scaling, the L2-DRV application sends more ICC messages (though not always). But periodically (approximately every 2-3 minutes), a burst of around 150 ICC messages is sent by the SP towards the RP. This means that mac-scaling has a direct correlation with the number of IPC messages being sent.

  • CSCuj64806

Symptom: VRRPv2 priority may be incorrectly calculated when tracking tunnel interfaces. After reloading the router, the track decrement value is decremented twice. As a result, VRRPv2 with tracking does not work as expected.

Conditions: This symptom is observed when you use tracking tunnel for VRRP priority.

Workaround: Use VRRPv3.

  • CSCuj65057

Symptom: The ip vrf forwarding command under aaa is deleted after reloading stack master.

Conditions: This symptom occurs when ip vrf forwarding VRF01 is deleted from the running-config after reloading the stack master switch.

---------
aaa new-model
!
aaa group server tacacs+ TACACS+
 ip vrf forwarding VRF01
!
ip vrf VRF01
 rd x.x.x.x
---------
 

Workaround: Use the vrf definition command instead of the ip vrf command to define VRF. (This command is supported on Cisco IOS Release 12.2(58)SE or later releases.)

  • CSCuj65601

Symptom: Logging into a Cisco router through SSH and telnet with AAA fails.

Conditions: This symptom occurs when the TACACS server group contains an IPv6 source interface and that IPv6 source interface is removed and added again. After this process, SSH and telnet stop working.

Workaround:

Workaround 1: After entering the no ipv6 tacacs source-interface GigabitEthernet0/0/0 command, enter end and wait for around 2 minutes. Enter the ipv6 tacacs source-interface GigabitEthernet0/0/0 command and wait for around 5 minutes. Log in to the router through SSH or telnet.

Workaround 2: Enter the above commands in succession and then wait for 7 to 9 minutes before logging in to the router.

  • CSCuj66352

Symptom: A system crash is observed in the SNMP engine.

Conditions: This symptom occurs under the following conditions:

show subscriber session

polling the ISG-MIB

clearing the subscriber

Workaround: Do not use SNMP polling.

  • CSCuj72553

Symptom: The OSPF router may stay without a router LSA after NSF restarts which means that routing in the OSPF domain is seriously affected.

Conditions: This symptom occurs under the following conditions:

OSPF NSF is terminated for some reason.

mpls traffic-eng nsr is configured.

Workaround: Remove mpls traffic-eng nsr.

More Info: The following is an example of show ip ospf nsf after a failed NSF:

Router#sh ip ospf 1 nsf
Routing Process "ospf 1"
IETF Non-Stop Forwarding enabled
restart-interval limit: 120 sec
Last IETF NSF restart 03:33:06 ago terminated after 5 secs, reason: Event nbr 1-way
IETF NSF helper support enabled
Cisco NSF helper support enabled
Restart resync LSA state: TE has requested data
Restart resync Adj state: TE has requested data
OSPF restart state is NO_RESTART
Handle 140515696469576, Router ID 10.1.1.1, checkpoint Router ID 0.0.0.0
Config wait timer interval 10, timer not running
Dbase wait timer interval 120, timer not running
Router#
Router LSA generation is prevented by flag described on lines:
Restart resync LSA state: TE has requested data
Restart resync Adj state: TE has requested data
Note: TE resync is not completed, although NSF is completed.
 
  • CSCuj75952

Symptom: The Cisco ASR 1000 route processor reloads.

Conditions: This symptom occurs during PPPoA session establishment if CAC determines that resources are low and HW-assisted CAC needs to be enabled. The router is used to terminate PPPoA sessions and Call Admission Control (CAC) is enabled.

Workaround: Disable Call Admission Control.

  • CSCuj78636

Symptom: A memory leak is observed in the IP Switching segment.

Conditions: This symptom occurs if a subscriber roams with the same MAC address but a different IP address. This happens only for L2 roaming and not for L3 roaming.

Workaround: There is no workaround.

  • CSCuj82897

Symptom: The “control-word” length is not set properly for small HDLC packets running over an HDLC AToM VC with SIP-200 (for example, SPA-8XCHT1/E1).

Conditions: This symptom occurs when an HDLC AToM VC with SIP-200 (for example, SPA-8XCHT1/E1) is deployed. It results in a packet length mismatch, or in the packet being dropped by the remote PE router, when HDLCoverMPLS runs over an Ethernet link that adds additional padding which cannot be classified at all.

Workaround: Use SIP-400.

  • CSCuj88523

Symptom: In a pseudowire redundancy configuration, traffic may fail to flow after a switchover to a backup pseudowire.

Conditions: This symptom occurs on the Cisco 7600 series routers.

Workaround: Execute the following commands on the attachment circuit interface:

shutdown

no shutdown

  • CSCuj94571

Symptom: To run the BERT test, remove “keepalive” from the interface. After completing the BERT test, adding “keepalive” causes the standby RSP to reset.

Conditions: This symptom is consistent and affects 15.1(3)S1.

Workaround: After the completion of the BERT test, remove the BERT test with “no bert pattern qrss interval <interval>” and then add “keepalive”. This will avoid standby RSP reset.

  • CSCuj96186

Symptom: When auto-tunnel and RSVP graceful restart are configured, the standby crashes after an SSO (NSR is not configured).

Conditions: This symptom occurs under the following conditions:

Configure auto-tunnel

Configure RSVP graceful restart without NSR

Perform an SSO

Workaround: Disable RSVP graceful restart or remove the auto-tunnel configuration.

  • CSCuj99537

Symptom: Not all LI streams that are properly configured via SNMPv3 and appropriate ACLs and are programmed in TCAM, are intercepted and forwarded towards MD.

Conditions: This symptom occurs in an SIP-400 based LI.

Workaround: Remove and reapply the problematic tap. This does not prevent the problem from recurring if new LI taps are applied via SNMPv3.

  • CSCuj99819

Symptom: MVPN GRE tunnels are not established.

Conditions: BGP has a VPN peer configured using an update-source that does not have PIM enabled.

Workaround: There is no workaround.

  • CSCul01067

Symptom: Memory leak occurs in process and I/O memory.

Conditions: This symptom is observed when NTPv6 is configured, for example, “ntp server ipv6 2001::1”.

Workaround: Remove the NTPv6 configuration.

  • CSCul04006

Symptom: The c7600rsp72043 router crashes while booting from the bootdisk with the following error message:

Unable to open file to add LC tar bootdisk:c7600rsp72043-advipservicesk9-mz.152-4.S3a.bin
 

Conditions: This symptom occurs while booting from the “bootdisk” on a c7600rsp72043 router.

Workaround:

1. After the new image file or the image file which is to be upgraded is copied to “sup-bootdisk”, run the verify command to check that the new image file is copied properly. “verify /md5 sup-bootdisk:/<new-image-file> <expected-checksum>” The expected checksum can be found from the CCO site. If “verify” succeeds, then the new image can be booted.

2. Format “sup-bootdisk” and copy the new image to “sup-bootdisk” and run the “verify” command as mentioned above. If “verify” succeeds, then the boot can be tried.

  • CSCul04692

Symptom: A T1 controller flaps in CHT1/ET1 SPA.

Conditions: This symptom is seen in T1 mode with “cablelength short 100ft” or “cablelength long 0db” when connected with a PURA box.

Workaround: Configure “cablelength long -7.5db”.

  • CSCul10573

Symptom: On receiving a BGP update from a neighbor, the router will send an illegal network notification and flap the session.

Conditions: This symptom occurs when the prefix received is a Leaf A-D route (RFC 6514) with an S-PMSI route serving as the Route Key.

Workaround: There is no workaround.

  • CSCul11738

Symptom: Scaling to maximum number of TE tunnels fails.

Conditions: This symptom occurs when there are sufficient tail-end tunnels on the node.

Workaround: There is no workaround.

  • CSCul11995

Symptom: An L2TPv3 session fails to establish and Cisco IOS receives a StopCCN message from the peer with the following message in response to its ICRP message: “No handler for attr 68 (68)”

Conditions: This symptom occurs when IOS device peers with non-IOS devices send IETF L2TPv3 Pseudowire Type AVP (IETF AVP 68) in an ICRP message.

Workaround: There is no workaround.

  • CSCul12583

Symptom: L4R is not removed after an account logon when DRL is present.

Conditions: This symptom occurs if per user merge is present.

Workaround: There is no workaround.

  • CSCul14571

Symptom: Cisco router can crash after OSPFv3 is unconfigured from an interface.

Conditions: This symptom is observed when NSR is enabled.

Workaround: Unconfigure NSR before unconfiguring OSPFv3 from an interface.

More Info: This is an extremely rare issue; OSPFv3 has to be in the process of checkpointing an LSA from the primary RP to the standby while the interface from which the LSA was received is being unconfigured.

  • CSCul19814

Symptom: After collecting “raw netflow” data, the active switch crashes. The show flow monitor v4 cache command causes the reboot of the switch with the following message:

%SCHED-3-TRASHING: Process thrashing on watched message event.
 

Conditions: This symptom occurs due to the show flow monitor command.

Workaround: There is no workaround.

  • CSCul19906

Symptom: A crash is seen on the Cisco ASR router with crashinfo and core with following messages:

Exception to IOS Thread:
UNIX-EXT-SIGNAL: Segmentation fault(11), Process = EIGRP-IPv4
 

Conditions: This symptom occurs with a Cisco ASR router routing EIGRP.

Workaround: There is no workaround.

  • CSCul21314

Symptom: A system crashes under stressed conditions when running low on memory.

Conditions: This symptom occurs with a first hop security configuration when the system is running very low on memory.

Workaround: There is no workaround.

  • CSCul27327

Symptom: On the Cisco c7600 router, if PIM is configured on the port-channel and on the port members, any failure on one of the port members will disable the FE CAM.

Conditions: This symptom occurs when PIM is configured on the port members.

Workaround:

1. Do not configure PIM sparse-mode on the port members even though the CLI is accepted.

2. In case the PIM sparse-mode is configured on the port members, remove it from the port members and the port-channel and then reapply the PIM configuration on the port-channel only.

More Info: A similar issue (CSCtf75608) is seen on the Cisco Catalyst 6500 Series Switches, but there the workaround is to configure PIM on the port-channel and the port members, which prevents the FE CAM from being disabled when one of the port members fails.

  • CSCul31953

Symptom: The wrong value is fetched for the plaintext MTU of an IPSec SA.

Conditions: This symptom occurs after configuring Cisco Group Encrypted Transport VPN (GETVPN) on a Cisco Locator/ID Separation Protocol (LISP) xTR router.

Workaround: There is no workaround.

  • CSCul40898

Symptom: After reloading the router or fresh service-instance configuration, traffic received from the access is sent to the core without a dummy VLAN header. This traffic is received by a remote PE2 and sent to switch with a missing VLAN header. Therefore CE2 drops received packets. When the issue is removed, captured traffic in the core contains a dummy VLAN header.

Conditions: This symptom is occasionally observed when the router is reloaded and is consistently observed when a new service instance is configured as an xconnect member.

Workaround: Perform shutdown followed by no shutdown on the service instance.

  • CSCul47135

Symptom: On Cisco ASR 1000 routers, services are not removed or applied from the active subscriber sessions when CoA is sent from the radius server. The router sends wrong values in response to the CoA request packet.

Conditions: This symptom occurs when 15.2(20130918:081157) is run.

Workaround: There is no workaround.

  • CSCul52731

Symptom: WLC could crash at pthread_create(). Debug messages are seen when trying to activate NBAR.

Conditions: This symptom is observed during normal activation of NBAR on WLC.

Workaround: There is no workaround.

  • CSCul54254

Symptom: Invalid LSAs are not flushed by the router which has their Advertising Router ID. Specifically, Router LSAs which do not have LSID of 0 will not be flushed if the router does not re-originate them, and any LSA with a type that the router does not recognize.

Lingering LSAs could lead to incorrect routing in some very obscure instances. For example, stale Router LSA fragments from two neighboring routers would need to remain in the network. There would not be a routing problem if only one router’s stale Router LSA fragment was allowed to linger.

Conditions: There are several possible scenarios that could lead to this symptom. One example is that a router is configured with many interfaces attached to an OSPFv3 instance such that it originates more than one Router LSA fragment. Then the router is reloaded before the configuration is saved, and after the reload it does not reoriginate some of the Router LSA fragments.

Workaround: There is no workaround.

  • CSCul56207

Symptom: A standby RP crashes.

Conditions: This symptom is seen on a Cisco ASR 1000 router used for PPPoEoA-aggregation when configuring a range/pvc. It was seen together with the following error message:

asr(config-if-atm-range)pvc-in-range 10/45
%ERROR: Standby doesn’t support this command
^
% Invalid input detected at ’^’ marker.

Workaround: There is no workaround.

  • CSCul72121

Symptom: Continuous tracebacks are observed on the PTF console and the PTF crashes during a soak.

Conditions: This symptom occurs under the following conditions:

1. Create an MDS profile as attached.

2. Leave the setup for soak for 12 hours.

Workaround: Reload ACT and SBY PTF.

  • CSCul75876

Symptom: A router may crash in an OSPF process during reconfiguration.

Conditions: This symptom occurs under the following conditions:

1. Configure the router with “ipfrr” in area 0.

2. Connect router to area 0 through two links. For some route one interface is the primary path, and the second is the repair path.

3. Configure the router as an ABR, that is, have a non-zero area with a neighbor. Do not configure “ipfrr” in the non-zero area. Quickly remove the IP address from both the interfaces in area 0 and the router may crash.

Workaround: Changes to the reconfiguration procedure will avoid the crash.

Shut down the interface before removing the IP address.

Remove the IP from one interface in area 0, wait for a few seconds and remove the IP address from the second interface in area 0.

  • CSCum04512

Symptom: When a switchover is done on an RP (which is head end for 500 TE tunnels and tail end for 500 TE tunnels), the RSVP labels assigned to the TE tunnels change, and this in turn causes a traffic loss of 45 seconds on the pseudowire which is directed through these tunnels.

Conditions: This symptom occurs under the following conditions:

TE RID under the IGP is configured as a loopback other than the first one.

SSO is performed.

Workaround: Configure the TE router ID under the IGP to be the first loopback interface.

  • CSCum11118

Symptom: A Cisco ISR router crashes due to stack overflow in the “ADJ background” process. The following syslog may be seen just before the crash:

000105: Dec 9 04:08:44.447 UTC: SYS-6-STACKLOW Stack for process ADJ background running low, 20/6000
 

Conditions: The conditions to this symptom are unknown.

Workaround: There is no workaround.

Resolved Caveats—Cisco IOS Release 15.3(3)S1

The caveats in this section are resolved in Cisco IOS Release 15.3(3)S1 but may be open in previous Cisco IOS releases.

  • CSCtn72925

Symptoms: PFR fails to get notified about interface state changes.

Conditions: The issue is seen specifically when using Frame Relay and Multilink Frame Relay subinterfaces as PFR external exits and the main interface flaps.

Workaround: Use the clear pfr master * command.

  • CSCts99455

Symptom: BR FP crash occurs on a Cisco ASR 1000 series router when the Master Controller controls applications through PBR.

Conditions: This symptom occurs when the PfR Master Controller tries to enforce its path selection for application traffic (PBR based route control). The FP on BRs crashes and reloads.

Workaround: There is no workaround.

  • CSCtz98228

Symptom: On the Cisco 3900e platform, a crash and router reload occurs without generating any crashinfo and traceback.

Conditions: This symptom could be seen with HTTP traffic intercepted by the content-scan feature. It is mostly seen during the content-scan session creation.

Workaround: Disable the content-scan feature.

  • CSCue50101

Symptom: ATM OAM packets are not being sent on the L2TPv3 tunnel when configured in transparent mode.

Conditions: This symptom is observed when you enable oam-pvc manage on the CE.

Workaround: There is no workaround.

  • CSCuf53543

Symptom: MPLS-TP L2 VCs are down after an SIP reload and RP switchover.

Conditions: This symptom occurs when VCs are configured through an MPLS-TP tunnel in a hardware redundant platform.

Workaround: There is no workaround.

  • CSCuf56776

Symptom: After a linecard is removed and reinserted (OIR), traffic may fail to pass through some virtual circuits which have been configured for pseudowire redundancy.

Conditions: This symptom is observed when the first segment ID in the redundancy group is numerically greater than the second segment.

PE1#show ssm id | inc 1st
1stMem: 16394 2ndMem: 12301 ActMem: 12301
1stMem: 16394 2ndMem: 12301 ActMem: 12301

After the OIR is performed, it can be seen that the segments are reversed on the linecard.

ESM-20G-12#sh ssm id | inc 1st
1stMem: 12301 2ndMem: 16394 ActMem: 12301
1stMem: 12301 2ndMem: 16394 ActMem: 12301

Workaround: There is no workaround.

  • CSCuf86171

Symptom: The DHCP snooping database agent can get stuck while using FTP as the transfer protocol.

The following is the output of “show ip dhcp snooping database”:

Agent URL : <FTP URL>
Write delay Timer : 300 seconds
Abort Timer : 300 seconds

Agent Running : Yes
Delay Timer Expiry : 0 (00:00:00) <<<<< Delay timer is at zero, but process will never re-start
Abort Timer Expiry : Not Running

Last Succeded Time : 02:09:53 PDT Thu Jun 6 2013 <<<<< Time will never update
Last Failed Time : None
Last Failed Reason : No failure recorded.

Total Attempts : 12
Startup Failures : 0
Successful Transfers : 11
Failed Transfers : 0
Successful Reads : 1
Failed Reads : 0
Successful Writes : 10
Failed Writes : 0
Media Failures : 0

Conditions: This symptom occurs while using FTP as the protocol to transfer the DHCP snooping binding database to an external server.

Workaround: Use another file transport mechanism like SCP or TFTP. Once the issue occurs, the only known workaround is to reload the affected device.

  • CSCug50340

Symptom: PW traffic does not flow after an SSO or card reset of the active PTF card.

Conditions: The symptom is observed with the following conditions:

1. Create an unprotected tunnel between the active PTF card and create a PW.

2. Apply the table map. Bi-directional traffic is flowing fine.

3. SSO/reset the active PTF card in node 106 (4/1).

4. The tunnel core port is now on the standby card.

5. Observe that bi-directional traffic is not flowing once the card comes up.

6. Again reset the active PTF card (5/4).

7. Observe that only uni-directional traffic is flowing.

Workaround: Delete the PW and recreate it again. However, note that if you do an SSO/card reset, the issue reappears.

  • CSCug71297

Symptom: An SP crash is observed at the below RPC call block during an ISSU upgrade after commit version:

SP: Frames of RPC pf_issu_sp2rp process (pid 579) on 16 (proc|slot) after blocking rpc call failed: 42342B84

Conditions: This symptom occurs during ISSU commit version while saving the configuration.

Workaround: There is no workaround.

  • CSCug45898

Symptom: A vulnerability in the Session Initiation Protocol (SIP) implementation in Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device. To exploit this vulnerability, affected devices must be configured to process SIP messages. Limited Cisco IOS Software and Cisco IOS XE Software releases are affected.

Cisco has released free software updates that address this vulnerability.

There are no workarounds for devices that must run SIP; however, mitigations are available to limit exposure to this vulnerability.

This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-sip


Note The March 26, 2014, Cisco IOS Software Security Advisory bundled publication includes six Cisco Security Advisories. All advisories address vulnerabilities in Cisco IOS Software. Each Cisco IOS Software Security Advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all Cisco IOS Software vulnerabilities in the March 2014 bundled publication.


Individual publication links are in Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication at the following link:

http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar14.html

Conditions: See published Cisco Security Advisory

Workaround: See published Cisco Security Advisory

PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/6.4:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C

CVE ID CVE-2014-2106 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

  • CSCui88426

Symptom: A vulnerability in the Internet Key Exchange Version 2 (IKEv2) module of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of the affected device that would lead to a denial of service (DoS) condition.

The vulnerability is due to how an affected device processes certain malformed IKEv2 packets. An attacker could exploit this vulnerability by sending malformed IKEv2 packets to an affected device to be processed. An exploit could allow the attacker to cause a reload of the affected device that would lead to a DoS condition.

Although IKEv2 is automatically enabled on Cisco IOS Software and Cisco IOS XE Software devices when the Internet Security Association and Key Management Protocol (ISAKMP) is enabled, the vulnerability can be triggered only by sending a malformed IKEv2 packet.

Only IKEv2 packets can trigger this vulnerability.

Cisco has released free software updates that address this vulnerability. There are no workarounds to mitigate this vulnerability.

This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-ikev2


Conditions: See published Cisco Security Advisory

Workaround: See published Cisco Security Advisory

PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/6.4:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C

CVE ID CVE-2014-2108 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

  • CSCue00996

Symptom: The Cisco IOS Software implementation of the Network Address Translation (NAT) feature contains two vulnerabilities when translating IP packets that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.

Cisco has released free software updates that address these vulnerabilities.

There are no workarounds to mitigate these vulnerabilities.

This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-nat


Conditions: See published Cisco Security Advisory

Workaround: See published Cisco Security Advisory

PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.1/5.9:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C

CVE ID CVE-2014-2111 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

  • CSCuh33843

Symptom: The Cisco IOS Software implementation of the Network Address Translation (NAT) feature contains two vulnerabilities when translating IP packets that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.

Cisco has released free software updates that address these vulnerabilities.

There are no workarounds to mitigate these vulnerabilities.

This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-nat


Conditions: See published Cisco Security Advisory

Workaround: See published Cisco Security Advisory

PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/6.4:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C

CVE ID CVE-2014-2109 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

  • CSCuh21740

Symptom: There is a deletion and addition of VRFs with MVPNV6 configurations.

Conditions: This symptom occurs when PIM VRF neighbors are not up.

Workaround: Reload the router.

  • CSCuh32439

Symptom: A linktrace targeted at the MAC address of a remote MIP fails with no response seen from the router with the target MIP despite the fact that a linktrace targeted at a MEP or MIP beyond that MIP fully succeeds (including recording the existence of the MIP that cannot be targeted directly).

Conditions: This symptom is seen only when all of the following conditions are true:

a. The router that hosts the target MIP uses the “Bridgeport” model of assigning MAC addresses to MPs (currently, this is just the Cisco ASR 901 router).

b. The target MIP is on a port channel interface.

c. The target MIP is not on the port that the linktrace will ingress on.

Workaround: Linktraces to MIPs or MEPs beyond the failing MIP will succeed and return the relevant information for the untargetable MIP.

  • CSCuh40617

Symptom: Ping fails when “encap dot1q” is configured on an FE SPA inserted in bay 1 of flexwan.

Conditions: This symptom is observed when FE SPA is inserted in bay 1 of flexwan.

Workaround: Move the SPA to bay 0 of flexwan.

  • CSCuh44420

Symptom: When a Cisco IOS router with one or more mpls ldp neighbors undergoes an mpls ldp router-id configuration change and non-stop routing had been previously enabled and disabled prior to the router-id configuration change, sessions fail to become NSR-ready once mpls ldp nsr is reconfigured.

Conditions: This symptom occurs when the mpls ldp router-id is reconfigured after mpls ldp nsr has been enabled and then disabled. After the router-id change, mpls ldp nsr must be reconfigured in order to encounter this issue.

Workaround: Reload the standby RP.

  • CSCuh44476

Symptom: After an SSO, some VCs are not displayed for certain neighbors.

Conditions: This symptom occurs after an SSO on a box which has VFIs with autodiscovery BGP and BGP signalling with more than two remote PEs.

Workaround: There is no workaround.

  • CSCuh48840

Symptom: Cisco Router crashes.

Conditions: This symptom is observed under the following conditions:

a. The sup-bootdisk is formatted and a large file is copied to it, for example, a 7600 image file of around 180M in size.

b. The box is reloaded, and during bootup a file is written to sup-bootdisk (SEA writes sea_log.dat, 32M bytes).

c. The issue then appears.

d. When the issue is seen, sea_log.dat is always 0 bytes.

e. The issue occurs no matter where (disk0 or bootdisk) the image is loaded from.

f. The issue occurs no matter whether the SEA log disk is sup-bootdisk or disk0:. I reproduced the issue with the “logg sys disk disk0:” configuration.

SEA calls the IFS API to create sea_log.dat; it looks like the IFS file creation hangs the SP.

sea_log.c : sea_log_init_file() -> ifs_open() -> sea_zero_log() -> ifs_lseek() -> ifs_write()
 

Workaround: There is no workaround.

  • CSCuh51897

Symptom: LC crashed with following error messages:

Jun 11 03:55:05.641: %SYS-DFC2-2-NOBLOCK: printf with blocking disabled. -Process= ’’NDE - IPV6’’, ipl= 7, pid= 165
Jun 11 03:55:44.165: %CPU_MONITOR-SP-6-NOT_HEARD: CPU_MONITOR messages have not been heard for 31 seconds [2/0]
Jun 11 03:56:44.761: %CPU_MONITOR-SP-6-NOT_HEARD: CPU_MONITOR messages have not been heard for 91 seconds [2/0]
Jun 11 03:57:02.441: %XDR-6-XDRIPCNOTIFY: Message not sent to slot 2/0 (2) because of IPC error timeout. Disabling linecard. (Expected during linecard OIR)
Jun 11 03:57:14.761: %CPU_MONITOR-SP-6-NOT_HEARD: CPU_MONITOR messages have not been heard for 121 seconds [2/0]
Jun 11 03:58:14.762: %CPU_MONITOR-SP-3-TIMED_OUT: CPU_MONITOR messages have failed, resetting module [2/0]
Jun 11 03:58:14.826: %C7600_PWR-SP-4-DISABLED: power to module in slot 2 set off (Heartbeat Messages Not Received From Module)

Conditions: IPv6 NetFlow enabled on device

Workaround: Disable IPv6 NetFlow

  • CSCuh80492

Symptom: The system crashes and it causes a reload. Messages that can be seen on the console indicate there is a “NULL pointer dereference”. For example:

BUG: unable to handle kernel NULL pointer dereference
 

This is followed by a stack trace.

Conditions: This symptom occurs due to lack of proper locking semantics on the variables controlling the IPC namespace. This crash is unlikely to occur in normal situations. The user will need to have shell access and then access a task file under /proc (for example: /proc/29208/ns/ipc) which gives statistics on the IPC namespace.

Workaround: There is no workaround.

  • CSCuh91225

Symptom: A router crashes at pki_import_trustpool_bundle.

Conditions: The call-home reporting command will enable smart callhome using HTTPS and send an inventory message to register for smart callhome. If the certificate which is required by HTTPS does not exist in the device, it will try to download it which causes the crash.

Workaround: There is no workaround.

  • CSCuh94799

Symptom: When a Port-channel interface with a carrier delay of 0 milliseconds and one or more service instances configured is removed, an unexpected process termination occurs.

Conditions: The issue will be seen only when there is both carrier delay of ms 0 configuration and service instance configuration under a Port channel interface, and that Port-channel interface is removed.

Workaround: There are several workarounds:

1. Remove the service instance(s) from the Port-channel interface before deleting the interface.

2. Remove the carrier delay from the Port-channel before deleting the interface.

3. Configure a non-zero carrier delay instead of a 0 carrier delay.

4. Don’t use carrier-delay on port-channel interfaces in conjunction with service instances. Instead use carrier-delay on port-channel member interfaces.

The use of “lacp fast-switchover” on the port-channel interface can also help to avoid the need for carrier-delay in cases where redundant LACP member links are in use.

  • CSCuh97838

Symptom: Increased CPU Interrupt utilization due to process switching of packets.

Conditions: Configured CESoUDP on the remote PE, but no CESoUDP is configured on the local Cisco ASR 901 router.

Workaround: There are two workarounds:

a. Configure CESoUDP on the local Cisco ASR 901 router before configuring it on the remote PE, or

b. Remove the CESoUDP from the remote PE.

  • CSCui04530

Symptom: Upon FPD upgrade, you get this error on Cisco IOS c7600 switch:

!
%FPD_MGMT-3-BUNDLE_EXTRACT_ERROR: Cannot extract the ssc-600-fpd.bndl bundle from sup-bootdisk:c7600-fpd-pkg.151kg - The required bundle is not in the package file. Please make sure that you have the right FPD image package file.
% Cannot get the required data from the indicated file, please verify that you have a valid file and entered a valid URL.
!

Conditions: This symptom is observed under the following conditions:

IOS: c7600s72033-advipservicesk9-mz.122-33.SRB3
CARDS: WS-SSC-600 WS-IPSEC-3
CLI: upgrade hw-module slot x fpd file sup-bootdisk:c7600-fpd-pkg.151-3.S2.pkg
 

Workaround: Upgrade to FPD image that includes corresponding *.bndl image.

  • CSCui25696

Symptom: Cisco ASR 1002-X router experiences a watchdog reset due to a kernel core dump triggered by a possible divide-by-zero condition.

Conditions: This symptom can occur under any condition.

Workaround: There is no workaround.

  • CSCui26581

Symptom: A small memory leak is seen when accessing certain parts of the PTP MIB.

Conditions: This symptom occurs when the following OIDs in the PTP MIB are accessed:

cPtpClockRunningPacketsSent: 1.3.6.1.4.1.9.9.760.1.2.4.1.5
cPtpClockRunningPacketsReceived: 1.3.6.1.4.1.9.9.760.1.2.4.1.6
cPtpClockPortRunningPacketsReceived: 1.3.6.1.4.1.9.9.760.1.2.9.1.13
cPtpClockPortRunningPacketsSent: 1.3.6.1.4.1.9.9.760.1.2.9.1.14
cPtpClockPortAssociatePacketsSent: 1.3.6.1.4.1.9.9.760.1.2.11.1.8
cPtpClockPortAssociatePacketsReceived: 1.3.6.1.4.1.9.9.760.1.2.11.1.9
cPtpClockPortAssociateInErrors: 1.3.6.1.4.1.9.9.760.1.2.11.1.10
cPtpClockPortAssociateOutErrors: 1.3.6.1.4.1.9.9.760.1.2.11.1.11

Workaround: Exclude the above OIDs.

  • CSCui30036

Symptom: The Cisco ASR 1001 IDC maverick SPA (ASR1001-IDC-8XT1E1) will not boot up.

Conditions: This issue is observed with latest Cisco IOS Release XE3.10 and mcp_dev image.

Workaround: There is no workaround. Use image prior to Cisco IOS Release XE3.10.

  • CSCui33454

Symptom: Unidirectional traffic flow is observed for PFC based EoMPLS PW due to lost FIB entries in hardware. Receive counter under VC statistics does not increment on one side of PW.

Counter for VC statistics in “receive” direction does not increment, only send counter increases.

Conditions: This symptom is observed under the following conditions:

a. EoMPLS PW provisioned on PFC/DFC based linecard

b. The issue is triggered with FIB changes toward the xconnect neighbor peer.

Workaround:

1. “Soft” workaround: Remove the affected xconnect and configure it back. If the soft workaround does not help, use the “hard” workaround.

2. “Hard” workaround: Reload the linecard in the case of a DFC-based AC linecard, or reload the supervisor in the case of a non-DFC-based AC linecard.

  • CSCui47602

Symptom: Traces at IDMGR-3-INVALID_ID when queried for mplsTunnelTable MIB.

Conditions: This symptom occurs when there is a GETONE SNMP query for non-existing mplsTunnelTable entries.

Workaround: Avoid using GETONE SNMP query for non-existing objects. Use GETNEXT queries instead of GETONE whenever possible.

  • CSCui62441

Symptom: A complete traffic drop for a few seconds is seen a few minutes after performing an SSO switchover.

Conditions: This symptom occurs only after a few minutes of performing an SSO switchover. NSR is not configured for RSVP.

Workaround: There is no workaround.

  • CSCui67308

Symptom: Cisco IOS Router constantly crashes after enabling TE tunnel over BDI interface.

Conditions: This symptom is observed when a TE tunnel exits a BDI interface. This is not a supported design.

Workaround: Use physical interface for TE tunnels.

  • CSCui67919

Symptom: A QoS policy applied on an AToM SVI does not get any matches until the user removes and re-applies the policy. Once the policy is re-applied, it works as expected. However, the QoS counters are not updated and you cannot verify the policy statistics with “show policy-map interface x/x”.

Conditions: This symptom is observed when the xconnect is applied under SVI and the core facing line card is ES20 running Cisco IOS Release 15.2(4)S3a.

Workaround: Re-apply the policy. Note that the QoS counters in “show policy-map interface xx” will not work, but the policy comes into effect after it is re-applied.

  • CSCui85019

Symptom: When the command show xconnect is entered, it may result in a memory leak. This can be observed by entering the command show memory debug leaks chunks and seeing entries like this:

router#show memory debug leaks chunks
Adding blocks for GD...
I/O memory
Address Size Alloc_pc PID Alloc-Proc Name
Chunk Elements:
AllocPC Address Size Parent Name
Processor memory
Address Size Alloc_pc PID Alloc-Proc Name
AA3F8B4 2348 6D0B528 97 Exec PW/UDP VC event trace

Conditions: This symptom is observed when one or more xconnects are configured with UDP encapsulation.

Workaround: There is no workaround.

  • CSCui87915

Symptom: The VC is not going down after the access interface is down.

Conditions: This symptom occurs with scaled EoMPLS under a port-channel when the member link is shut.

Workaround: The EFPs under the member link can be re-configured once the member link is down.

  • CSCuj16742

Symptom: In a pseudowire redundancy configuration, packets may fail to flow even though the xconnect virtual circuit appears to be up.

Conditions: This symptom has been observed when the xconnect is re-provisioned while the primary pseudowire is down and the backup pseudowire is up. The issue has only been observed on Circuit Emulation (CEM) attachment circuits, but it is possible other attachment circuit types may be affected as well.

Workaround: Completely unconfigure the xconnect and then reconfigure it.

  • CSCuj17482

Symptom: On a device running low on memory, an attempt to delete an EFP fails due to lack of memory. The second attempt at removing that same EFP causes the router to restart.

Conditions: This symptom occurs when a lot of configuration has been applied to the device, causing high memory usage.

Workaround: Do not over-configure the device.

  • CSCuj30702

Symptom: This bug is specific to port channel sub interface configuration on the ES+ card. It is not relevant to any other port channel configuration on ES+ (for example, EVC/Bridge-Domain over PoCH sub-int), and other card types, such as ES20 and LAN cards, are free from this bug. Any type of IP communication on port channel sub interfaces on ES+ cards fails. The issue is seen only with port channel sub interfaces on ES+ and not with port channel main interfaces.

Conditions: This symptom will only be seen with images where the fix of CSCuh40617 is integrated.

Workaround: The connections will work fine if they are moved to the main interface or if EVC BD configurations are used.

  • CSCuj31151

Symptom: If an impedance option is specified for an external clock in the network-clock input-source configuration, other configuration (such as hold-off or wait-to-restore) may fail to be applied.

Conditions: This can be seen when using external clock inputs with an impedance option specified.

Workaround: It may be possible to achieve the desired behaviour using global configuration (for example, global hold-off or wait-to-restore configuration). If not, there is no workaround.

Resolved Caveats—Cisco IOS Release 15.3(3)S

  • CSCtz34776

Symptom: Increased CPU Interrupt utilization due to process switching of packets.

Conditions: The symptom is observed when the CEM circuit goes down, since one of CESoUDP end points also goes down.

Workaround: Bring down the TDM connection at the other end of the CESoUDP.

  • CSCtz69969

Symptom: Changing the speed of one of the member interfaces of a port-channel causes a traceback on the Cisco ASR 901 and the node reloads.

Conditions: This symptom occurs when you execute the “speed” CLI to change the speed of one of the member interfaces belonging to a port-channel.

Workaround: In order to change the speed of one of the port-channel members, remove that member interface from the port-channel, change the speed, and add it back to the port-channel.

  • CSCud13208

Symptom: Satellite is showing no alarm on authentication fail.

Conditions: The symptom is observed on a 901nv satellite. No alarm (major/critical/minor) is turned on when there is a serial number mismatch. This feature was tested on 901nv when it acts in satellite mode, connected to a Cisco ASR 901 router.

While bringing up the satellite we can configure the “901 serial number” under the configuration “nv satellite” on the host. If there is a serial number mismatch then satellite state will be in “State: Authentication failed” and the connection will not be established. During this authentication fail we expect the major alarm should be signaled on the satellite side. But currently we are not seeing any alarm turned on at the satellite side.

Common Test bed:

IXIA--[Host ASR9k RO chassis]------(ICL)-------[901 Satellite] ----IXIA

RP/0/RSP0/CPU0:umangasr9k#show nv satellite status satellite 111
Tue Nov 20 08:17:13.868 UTC
Satellite 111
-------------
State: Authentication failed
Type: asr901
Description: sat111
MAC address: 4055.3989.8a34
IPv4 address: 111.0.0.1
Configured Serial Number: 123
Received Serial Number: CAT1546U04V
Configured satellite fabric links:
Bundle-Ether111
---------------
State: Satellite Ready
Port range: GigabitEthernet0/0/0-9
Discovered satellite fabric links:
GigabitEthernet0/2/0/17: Satellite Ready; No conflict
GigabitEthernet0/2/1/0: Satellite Ready; No conflict

Satellite is in Authentication failed state due to difference in serial numbers.

Workaround: You can identify this issue by executing the following command:

show nv satellite status satellite 111

If state is “Authentication failed” and serial numbers are different then you should reconfigure satellite with the proper serial number.
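Because no alarm is raised, the check in this workaround has to be run by the operator or a monitoring job. The following added example (not Cisco code) parses `show nv satellite status` output and flags any satellite in the “Authentication failed” state or with differing serial numbers. The function names and the second, healthy satellite entry are constructed for illustration, and the parser assumes each satellite block starts with a `Satellite <id>` line as in the output above.

```python
import re

# Satellite 111: output as printed in the caveat above. Satellite 112 is
# constructed for this example (its state string and serials are made up).
SAMPLE = """\
Tue Nov 20 08:17:13.868 UTC
Satellite 111
-------------
State: Authentication failed
Type: asr901
Description: sat111
MAC address: 4055.3989.8a34
IPv4 address: 111.0.0.1
Configured Serial Number: 123
Received Serial Number: CAT1546U04V
Configured satellite fabric links:
Bundle-Ether111
---------------
State: Satellite Ready
Port range: GigabitEthernet0/0/0-9
Satellite 112
-------------
State: Connected
Configured Serial Number: EXAMPLE0001
Received Serial Number: EXAMPLE0001
"""

def parse_satellites(text):
    """Map satellite id -> top-level fields of 'show nv satellite status'."""
    sats, current, in_links = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"Satellite (\d+)", line)
        if header:
            current, in_links = sats.setdefault(header.group(1), {}), False
            continue
        if current is None:
            continue  # prompt or timestamp lines before the first satellite
        if line.endswith("satellite fabric links:"):
            in_links = True  # following State: lines describe links, not the satellite
            continue
        key, sep, value = line.partition(":")
        if not in_links and sep and value.strip():
            current.setdefault(key.strip(), value.strip())
    return sats

def auth_findings(text):
    """Return satellites that failed authentication or report a serial mismatch."""
    findings = []
    for sat_id, fields in parse_satellites(text).items():
        configured = fields.get("Configured Serial Number")
        received = fields.get("Received Serial Number")
        mismatch = None not in (configured, received) and configured != received
        if fields.get("State") == "Authentication failed" or mismatch:
            findings.append({"satellite": sat_id, "state": fields.get("State"),
                             "configured": configured, "received": received,
                             "serial_mismatch": mismatch})
    return findings

if __name__ == "__main__":
    for finding in auth_findings(SAMPLE):
        print(finding)
```

The fabric-link sections are skipped deliberately: their own `State: Satellite Ready` line would otherwise mask the satellite-level “Authentication failed” state.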

  • CSCud33454

Symptom: 10 Gig interface is disabled after reload.

Conditions: The symptom is observed when the REP feature is configured on a 10Gig interface in 1Gig mode. Initially with this configuration, the interfaces come up fine. But after reloading the Cisco ASR 901 router, the interfaces will be shown in down/down state while the neighbor state will still be up/up.

Workaround: Remove and reapply REP configurations on the interface or toggle the interface on the neighbor end.

  • CSCud58457

Symptom: Standby interface stays UP/UP after a reload:

BGL.S.15-ASR1004-1#sh int des
Interface Status Protocol Description
Te0/0/0 down down
Te0/1/0 up up
Te0/2/0 down down
Te0/3/0 up up
Gi0 admin down down

It should be like this:

BGL.S.15-ASR1004-1#sh int des
Interface Status Protocol Description
Te0/0/0 down down
Te0/1/0 up up
Te0/2/0 down down
Te0/3/0 standby mode down
Gi0 admin down down

Conditions: The symptom is observed when “backup interface” and “carrier-delay” are configured under the interface:

interface TenGigabitEthernet0/1/0
backup interface TenGigabitEthernet0/3/0
ip address 10.163.137.29 255.255.255.224
logging event link-status
carrier-delay up 1
carrier-delay down msec 0
cdp enable
hold-queue 4096 in
hold-queue 4096 out
!
interface TenGigabitEthernet0/3/0
mac-address d867.d9dd.ff10
no ip address
logging event link-status
carrier-delay up 1
carrier-delay down msec 0
cdp enable
hold-queue 4096 in
hold-queue 4096 out
!

Workaround: Flap the standby interface.

  • CSCud67287

Symptom: A bcmx_l3_egress_multipath_destroy error is reported on the console.

Conditions: The symptom is observed with MPLS and ECMP in core.

Workaround: There is no workaround.

  • CSCud79447

Symptom: Auto negotiation is being disabled on reload if speed is configured on gig port.

Conditions: The symptom is observed if you enable autonegotiation on copper ports and configure speeds then reload the router.

Workaround: There is no workaround.

  • CSCue54917

Symptom: 10G license is shown “in use” when the interface is admin down after installing the license dynamically (after deleting the license and reinstalling it again).

Conditions: The symptom is observed when you shut down the tengig interfaces then remove the license, then reinstall the license. The tengig license will show “in use” even though the interfaces are admin down.

Workaround: Give a “no shut” to the interfaces.

  • CSCue67669

Symptom: The CFM session goes down.

Conditions: Default encapsulation cannot be configured on only one CE facing interface. It must be configured on both interfaces of PE (CE facing as well as core facing) when “ethernet cfm global” is configured.

Workaround: Remove “ethernet cfm global”.

  • CSCue68589

Symptom: imaGroupNumTxCfgLinks is missing in the SNMP response, although it is shown in the detailed CLI output for the IMA interface. The CLI output shows:

ImaGroupNumTxCfgLinks = 1 ImaGroupNumRxCfgLinks = 1 <<<< These are missing in the SNMP output
ImaGroupNumTxActLinks = 1 ImaGroupNumRxActLinks = 1

but the same is missing in the SNMP response for the query.

Conditions: The symptom is observed when you configure “ima group” and query for ImaGroupNumTxCfgLinks through SNMP.

Workaround: There is no workaround.

  • CSCue78182

Symptom: A Cisco ASR 901 Boundary Clock (BC) is not working with ASR 903 BC. PTP stops working after some time and keystone CPU utilization goes to 100%. The ASR 901 stops sending signalling messages.

Conditions: The symptom is observed with a Cisco ASR 901 BC and an ASR 903 BC.

Workaround: There is no workaround.

  • CSCue87627

Symptom: 10G interfaces are not coming up with devices other than a Cisco ASR 901.

Conditions: The symptom is observed when you connect 10G or 1G SFPs. On 10G interfaces, links with other devices do not come up.

Workaround: There is no workaround.

  • CSCue88662

Symptom: Unconfiguration or change of split-horizon group for bridge-domain does not take effect.

Conditions: The symptom is observed when a service instance is already configured with one split-horizon group.

Workaround: Reload the device.

  • CSCue96798

Symptom: Telnet sessions beyond four are not allowed.

Conditions: The symptom is observed when a line vty configuration is enabled and you access telnet simultaneously with more than four sessions.

Workaround: There is no workaround.

  • CSCuf25253

Symptom: The following errors are seen:

pstorm_bcm_prog_backup_adj_entry:576: bcmx_mpls_tunnel_initiator_set failed. Err: -6 Label= 0
pstorm_mfi_backup_adj_endchain_add:1415: pstorm_bcm_prog_adj_entry failed
pstorm_mfi_backup_adj_add:1473: pstorm_mfi_backup_adj_endchain_modified failed.

Conditions: The symptom is observed with a ring set up with remote LFA FRR enabled. Every flap in primary or backup path will trigger the L3 tunnel resource leak in hardware.

Workaround: There is no workaround.

  • CSCuf26488

Symptom: Traffic for ECMP IPv6 prefixes drops.

Conditions: The symptom is observed immediately after IPv6 neighbors expire.

Workaround: Configure “ipv6 nd cache expire <expiry_timer> refresh” on the IPv6 interface.

  • CSCuf35663

Symptom: Cisco ASR 901 MST interoperability does not work with RSTP and STP and port will be blocked.

Conditions: The symptom is observed with MSTP interoperability with RSTP or STP.

Workaround: Configure MSTP only on both sides.

  • CSCuf51632

Symptom: Cisco ASR 901 10G: Default MTU for TenGigabitEthernet port in 1G mode is 1518.

Conditions: The symptom is observed when the TenGigabitEthernet port is in 1G mode.

Workaround: Manually configure MTU to 9215 on the TenGigabitEthernet interface.

  • CSCuf54567

Symptom: Traffic failure.

Conditions: The symptom is observed with:

RFC3107.

Equal Cost Multipath (ECMP).

EoMPLS.

Workaround: Avoid ECMP.

  • CSCug15952

Symptom: %QOS-3-INDEX_EXISTS error message is shown and router crashes.

Conditions: The symptom is observed when sessions are brought up and the collision IDs with dynamic policy names are synced to standby from active. When the sessions time out and restart, the same dynamic policy names are synced to the HA tree on standby again without the tree having been cleaned up earlier, and the crash happens.

Workaround: Avoid the same session reestablishment before rebooting the router.

  • CSCug24016

Symptom: ISIS does not work when MTU is configured as 9216 and even L2 payload allowed is not 9216.

Conditions: The symptom is observed when MTU is configured as 9216.

Workaround: Use MTU as 9198.

  • CSCug28440

Symptom: Traffic drops with TAG ADJ.

Conditions: The symptom is observed when you boot up with a set of configurations.

Workaround: Shut/unshut EVC and SVI.

  • CSCug31561

A vulnerability in the DHCP implementation of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.

The vulnerability occurs during the parsing of crafted DHCP packets. An attacker could exploit this vulnerability by sending crafted DHCP packets to an affected device that has the DHCP server or DHCP relay feature enabled. An exploit could allow the attacker to cause a reload of an affected device.

Cisco has released free software updates that address this vulnerability. There are no workarounds to this vulnerability.

This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130925-dhcp

Note: The September 25, 2013, Cisco IOS Software Security Advisory bundled publication includes eight Cisco Security Advisories. All advisories address vulnerabilities in Cisco IOS Software. Each Cisco IOS Software Security Advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all Cisco IOS Software vulnerabilities in the September 2013 bundled publication.

Individual publication links are in “Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication” at the following link:

http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep13.html

  • CSCug37591

Symptom: Interface status up/up without fiber connection.

Conditions: The symptom is observed under the following conditions:

1. Make the 10G link up.

2. Shut one side interface link.

3. Remove the cable from interface.

4. Unshut the interface.

Interface will be up/up without cable.

Workaround: There is no workaround.

  • CSCug58253

Symptom: Traffic drop seen for 40ms in one stream when access interface which carries another stream is shut.

Conditions: The symptom is observed when the failure and recovery of one shorthaul interface impacts another shorthaul’s uplink/downlink traffic.

Workaround: There is no workaround.

  • CSCug61041

Symptom: The command rewrite ingress tag pop 1 symmetric has no effect.

Conditions: This has been observed on Cisco IOS Release 15.3(2)S with the below steps:

1. Configure xconnect without rewrite as:

interface GigabitEthernet0/10
negotiation auto
cdp enable
service instance 100 ethernet
encapsulation dot1q 100
xconnect 10.0.0.1 100 encapsulation mpls

2. Then if you configure rewrite ingress tag pop 1 symmetric the issue is hit (no rewrite happens).

Workaround: The clear xconnect all command will solve the problem.

  • CSCuh07349

Symptom: A Cisco 7600 Sup may crash due to SP memory corruption.

Conditions: This issue is observed on an REP enabled router, which is part of an REP segment. The exact trigger for this issue is not clear.

Workaround: There is no workaround.

  • CSCuh09412

Symptom: A Cisco ASR 1000 running ISG with “radius-proxy session-restart” crashes when WiFi clients are roaming between hotspots.

Conditions: The symptom is observed if a client roams between WiFi access points and the accounting-stop message from the initial access point does not reach the ISG where the subscriber session is active as can sometimes be the case of roaming between access points on a wireless LAN controller.

Workaround: Disable “radius-proxy session-restart” and reload the chassis to clear the session-cache.

  • CSCuh43252

Symptom: After upgrading to Cisco IOS Release 15.0(2)SE3, you can no longer authenticate using TACACS. The TPLUS process on the switch will be pushing the CPU up to 99%.

Conditions: The symptom is observed when you use TACACS for authentication.

Workaround: Downgrade the switch to a version prior to 15.0(2)SE3.

  • CSCuh43255

Symptom: The BGP task update-generation process may cause the router to reload, in a rare timing condition when there is prefix flap and there is high scale of prefixes going through update-generation, including the flapping prefix.

Conditions: The symptom is observed when the Cisco ASR router is acting as a route server for BGP along with having various route-server contexts. The router does not do any forwarding. It merely processes control plane traffic.

Workaround: There is no workaround.

More Info: The setup is the same as mentioned in this doc:

http://www.cisco.com/en/US/docs/ios/ios_xe/iproute_bgp/configuration/guide/irg_route_server_xe.html

  • CSCuh46481

Symptom: Cisco ASR 901 crashes while booting up.

Conditions: The symptom is observed while booting up the router with a weekly image which has a profile configuration (L3VPN, L2VPN, REP).

Workaround: There is no workaround.

  • CSCuh48666

Symptom: Router crashes and reloads with dynamic EID scaling.

Conditions: The symptom is observed with dynamic EID scaling.

Workaround: There is no workaround.

  • CSCuh57839

Symptom: The clock quality level is stuck at QL-DNU and is not synchronized with the quality level of the clock source.

Conditions: This occurs when a synchronization interface that was previously down comes back up.

Workaround: There is no workaround.

  • CSCuh60010

Symptom: Router crashes after defaulting the interface and also while unconfiguring the RSVP.

Conditions: The symptom is observed after defaulting the interface.

Workaround: There is no workaround.

  • CSCtx34208

Symptom: Gig 0/4 is not getting selected as sync-e clock source.

Conditions: The symptom is observed with the following conditions:

1. Gig 0/4 has media-type as SFP.

2. Gig 0/4 is selected as clock source for the board.

Workaround: Increasing the global hold-off time from 300ms to 1800ms using the following command allows gi0/4 to be selected as clock source:

Router(config)# network-clock hold-off 1800 global

With the global hold-off time increased to 1800ms, the flap will not be seen. However, traffic drops will still be present.

More Information: This issue is not seen on other ports or copper mode of Gig 0/4.

  • CSCui03965

Symptom: The standby RP keeps on booting after an ISSU upgrade of the standby RP.

Conditions: The symptom is observed after an ISSU upgrade of the standby RP.

Workaround: There is no workaround.