Resolved Caveats—Cisco ASR 1000 Series Aggregation Services Routers Release 3.9.0S
This section documents the resolved issues in Cisco ASR 1000 Series Aggregation Services Routers Release 3.9.0S.
Symptom: A Cisco 5400XM may reload unexpectedly.
Conditions: This symptom is intermittent and is seen only when the DSPs available are insufficient to support the number of calls.
Workaround: Ensure that sufficient DSPs are available for transcoding.
Symptom: When the retransmission number is changed, the next rekey does not reflect this change.
Conditions: Change the number of retransmissions from 2 to 5, and the number stays at 2; and when changing the retransmissions from 2 to 1, the number of retransmissions stays at 2. This happen for both unicast and multicast rekey.
Workaround: clear crypto gdoi and start over again.
Symptom: One or more linecards may fail to boot in an ASR1000 with an RP2 or there may be an error with the EOBC. %CMFP-3-STANDBY_EOBC_LINK_ERROR: F0: cman_fp: Standby EOBC link error detected.
Conditions: This symptom is observed with certain combinations of RP2 and ESP10.
Workaround: There is no workaround.
Symptom: DRAM Error Correction (ECC) is not properly enabled for memory modules installed on certain ASR1k-CC boards.
Conditions: For these DIMMs, ECC will not be enabled. The system will not be able to detect or correct any single bit errors which may occur during normal operation.The effect of these uncorrected bit errors could lead to unpredictable system behavior.
Workaround: The card or 2RU system must have the ROMMON upgraded to either version XNC, XND1, or 15.3(1r)S or later. Upon subsequent restart the system will run with the new ROMMON and ECC will function as expected. For full ROMMON upgrade instructions see: http://www.cisco.com/en/US/products/ps9343/prod_maintenance_guides_list.html. As a temporary workaround until the ROMMON upgrade can be performed, reset the card in question, this will clear the bit error and normal operation will resume, although ECC will still be disabled.
The Cisco IOS Software implementation of the virtual routing and forwarding (VRF) aware network address translation (NAT) feature contains a vulnerability when translating IP packets that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.
Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130327-nat
Note: The March 27, 2013, Cisco IOS Software Security Advisory bundled publication includes seven Cisco Security Advisories. All advisories address vulnerabilities in Cisco IOS Software. Each Cisco IOS Software Security Advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all Cisco IOS Software vulnerabilities in the March 2013 bundled publication.
Individual publication links are in “Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication” at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar13.html
Symptoms: If an IPv4 or IPv6 packet is sent to a null interface, a Cisco ASR 1000 series router will not respond with an ICMP or ICMPv6 packet.
Conditions: This symptom occurs with a prefix routed to Null0 interface.
Workaround: There is no workaround.
Symptoms: After reload, ISDN layer 1 shows as deactivated. Shut/no shut brings the PRI layer 1 to Active and layer 2 to Multi-frame established.
Conditions: This symptom occurs when "voice-class busyout" is configured and the controller TEI comes up before the monitored interface.
Workaround: Remove the "voice-class busyout" configuration from the voice-port.
Symptom: SPA-4XCT3/DS0 spa reloads after doing fp reload.
Conditions: 1. Issue is seen on single fp system. 2. Issue is seen when serial interface are configured on the spa. 3. SPA-4XCT3/DS0 spa is installed in SIP40 only
Workaround: There is no workaround.
Symptom: The user is not notified about an error scenario relating to larger-than-allowed flow record of type performance-monitor being used in a Performance Monitor policy. This is misleading because the user may mistakenly believe that the Performance Monitor policy is correctly attached to the desired interface, but will find that monitoring of traffic is not working as expected.
Conditions: 1. The Performance Monitor feature is being used on ASR platform. 2. A flow record of type performance-monitor, which contains more than the maximum allowed fields has been configured. 3. The user is referencing the above flow record in a Performance Monitor policy which has been attached to a desired interface. The maximum number of fields allowed in a flow record = 30 "timestamp sys-uptime first" field "timestamp sys-uptime last" field. If absent, the timestamp fields are automatically added to the record. However, the total number of fields should still be less than or equal to 32.
Workaround: Use a flow record of type performance-monitor which has 32 or less fields.
Symptom: Expected ACL/sessions not found for most of the protocols.
Conditions: The symptom is observed with expected ACL/sessions.
Workaround: There is no workaround.
Symptom: Tracebacks are seen for PLATFORM_INFRA-5-IOS_INTR_OVER_LIMIT.
Conditions: This symptom is observed with RPSO.
Workaround: There is no workaround.
Symptom: Sometimes, users may face a "peer leak" situation with EzVPN.
Conditions: This symptom may occur when an NAT box gets reloaded/rebooted with live translations.
Workaround: Reload the router to clear the leaked peers.
Symptom: Tracebacks are seen when configuring the key server.
Conditions: This symptom occurs when configuring the key server.
Workaround: There is no workaround.
Symptom: Inconsistency between IOS CLI and platform state with regard to flow record configuration on the router. Reporting of Mediatrace statistics may fail, with the following error reported on the Mediatrace Initiator device: Metrics Collection Status: Fail (19, No statistic data available for reporting)
Conditions: This is a Flowdef modify event as a result of event consolidation. It can occur in the following scenario: 1. Detach the flowdef associated with a monitor. 2. Change the flowdef (add / delete fields). 3. Re-attach the flowdef to the monitor. For the Mediatrace symptom, the problem can occur when a route change occurs for the traffic being monitored.
Workaround: There is no workaround.
Symptom: The "retry-after" time in a 503 message is not used by the gateway (UAC) and retries seem fixed at 180 seconds.
Conditions: This symptom is observed when trying to register.
Workaround: There is no workaround.
Symptom: Call Menu (CM) tone may be detected and suppressed in the following call Flow: Modem - - [FXS] - - VG224 - - [MGCP] - - CUCM - - [SIP] - - CUBE - - [SIP] - - PSTN Modem connected to the VG224 places an outbound call to a destination in the PSTN. CM tone from the originating modem gets removed by the VG224. To verify the symptom, enable "debug voip hpi notification" and you would see a line "MODEM CM tone detected" in the debug output.
Conditions: SIP trunk provider does not support NSE based modem passthrough and hence VG224 was not configured with "mgcp modem passthrough".
Workaround: 1. Configure the FXS port as a non-mgcp port, disable fax relay and sg3-to-g3 suppression commands at the voip dial-peer level : dial-peer voice 99920 pots no service mgcpapp port 2/0 dial-peer voice 4001 voip destination-pattern 4001 session protocol sipv2 session target ipv4:<ip-address> codec g711ulaw no fax-relay sg3-to-g3 fax protocol none no vad 2. Downgrade to 15.1(3)T4.
Symptom: The crypto session stays in UP-NO-IKE state.
Conditions: This symptom occurs when using EzVPN.
Workaround: There is no workaround.
Symptom: Command "parameter type urlfpolicy" is not available in "policy-map type inspect urlfilter" configuration mode. This makes it impossible to configure IOS URLF in 15.2(3)T. Unable to call the "trend" keyword in the class-map under the policy-map.
Conditions: IOS 15.2(3)T and 15.2(1)T2(6) both show the same symptom.
Workaround: Downgrade to 15.2(2)T1.
Symptom: An MTP on a Cisco ASR router sends an "ORC ACK" message through CRC for the channel ID that is just received but does not reply to the ORC for the next channel.
Conditions: The symptom is observed when there is a very short time lapse between the ORC and CRC, say 1 msec.
Workaround: There is no workaround.
Symptom: A packet punt to RP due to incomplete adjacency gets processed by CoPP. This makes CoPP complex, because these punted packets are not directed to the system itself and requires the CoPP to be opened up.
Conditions: This symptom is observed with 3.5.2S and similar release and by current design.
Symptom: No MOH resource is allocated.
Conditions: Phone1 calls Phone2 over SIP trunk,Phone2 parks the call (MTP required is checked on SIPT).
Workaround: There is no workaround.
Symptom: Cisco IOSd crashes.
Conditions: This symptom occurs when you remove and add service policies on unsupported interfaces.
Workaround: There is no workaround.
Symptom: DO-EO Flow Around sip to sip with VCC call fails and causes "CCSIP_SPI_CONTROL" memory leaks.Note: With No transcoder involved in CUBE.
Conditions: CUBE configured with early offer forced and flow around globally under voice service VoIP and VCC, basic call fails with no transcoder enabled in the CUBE.
Workaround: Configure Transcoder in CUBE.
Symptom: Last reload reason in "show version" output is seen as LocalSoft after some reloads.
Conditions: The conditions under which these symptoms are observed is unknown.
Workaround: There is no workaround.
Symptom: The following is displayed on the logs: InterOp:Cube-NavTel : LTI: Video Xcode Call with plain Audio FAILS.
Conditions: This symptom is seen when video Xcode call with plain audio fails.
Workaround: There is no workaround.
Symptom: The Standby router crashes for an SRTP call on Active.
Conditions: This symptom occurs intermittently. This issue is seen due to a transient scenario, where unstable data from Active is checkpointed on Standby.
Workaround: There is no workaround.
Symptom: IKEv2 CERTREQ payloads exchanged by initiator and responder both contain all trustpoints and trustpools. This enhancement request is for limiting the size of the CERTREQ payload based on the configuration (global for responder, IKEv2 profile for initiator).
Conditions: None.
Workaround: There is no workaround.
Symptom: We get some failed debugs when we try to configure snmp-server CLI.
Conditions: This symptom is observed when you try to configure snmp-server CLI.
Workaround: There is no workaround.
Symptom: Certain attributes received from RADIUS might not be displayed as unsupported by IKEv2; printing messages similar to: *Apr 23 06:50:59.952: IKEv2:unsupported attr type 477 *Apr 23 06:50:59.952: IKEv2:unsupported attr type 476.
Conditions: Flexvpn on 15.2.2S software, but not exclusive to it.
Workaround: None should be needed. Attributes should be processed correctly.
Symptom: Memory leak Seen with HA Configs under load Conditions.
Conditions: HA under Load Conditions.
Workaround: There is no workaround.
Symptom: DSP not released when the IP call leg is abnormally disconnected by SIP SPI. This is not reproducible consistently. It is more of timing issue.
Conditions: SIP SPI abnormally disconnects the call with out sending 200 OK.
Workaround: Switch over to the secondary to recover DSP resources.
Symptom: Route not found on UUT for RRI testcases.
Conditions: When the testcase for RRI, reverse-route remote-peer 16.0.0.1 gateway is checked, route is not found on the router.
Workaround: There is no workaround.
Symptom: NBAR Field Extraction (AKA collect through IPFIX) does not work for flows over IPv6 tunnels.
Conditions: Relevant when configuring NBAR to classify inside the tunneled IPv6 flows. This is anyway not fully supported in the AVC eco-system in XE3.7.
Workaround: There is no workaround.
Symptom: URI based routing is not working when tel-uri is present in 302 contact header.
Conditions: Configure call route URL.
Workaround: There is no workaround.
Symptom: During OCSP revocation check the trustpoint source interface loopback address is also used as the destination address.
Conditions: During OCSP revocation check the source interface loopback address is also used as the destination address.
Workaround: Use the physical interface as the trustpoint source interface.
Symptom: SIP SPAs go in the out of service state in a scaled subinterface configuration (more than 2000 subinterfaces on a single Gigabit Ethernet port).
Conditions: This symptom occurs while performing ISSU between the iso1-rp2 and iso2-rp2 Cisco IOS XE Release 3.6S throttle image. After ISSU runversion, the SIP SPAs go in the out of service state. This issue is seen in a heavily scaled configuration. This issue is observed when there are 2000 to 3000 subinterfaces on a single SPA and the following limits are exceeded: Overall Dual stack VRFs per box : 2800 Dual stack limit on interface: 1000.
Workaround: This issue is not seen in the following scenario: 1. Before doing a load version from RP0 (initial active), issue the following command: asr1000# show ipv6 route table | inc IPv6 2. Note down the number of IPv6 route tables in the system. 3. Do a load version. 4. Wait for standby to come up to Standby hot. 5. Enable the standby console from RP0 (active). asr1000#configure terminal Enter configuration commands, one per line. End with CNTL/Z. asr1000(config)# asr1000(config)#redundancy asr1000(config-red)#main-cpu asr1000(config-r-mc)#standby console enable. 6. Log in to the standby console and issue the following command: asr1000-stby# show ipv6 route table | inc IPv6 Then, note down the number of IPv6 route tables in standby. If the number is less than the number noted at step 2, wait for some time and reverify till it reaches the number noted in step 2. 7. Issue ISSU runversion from RP0 (active).
Symptom: 3945 voice gateway crashes when the config file is download from CUCM. this is 112 FXS bundle.
Conditions: Once 96 ports have registered and when we try to register the 97 port on, the gateway will download the config from CUCM the router will crash
Workaround: One workaround is that we do a "no ccm manager config" this will stop the config download form CUCM, we would then have to do a manual config of the rest of the ports an other is to move to H323 as a protocol instead of MGCP
Symptom: Ikev1 session are not coming up on the spoke after sh/no sh on Hub tunnel interface.
Conditions: sh/no sh on Hub tunnel interface.
Workaround: There is no workaround.
Symptom: The ASR1002-X Series Aggregation Services Router with large numbers of MLPPP bundles may experience a crash.
Conditions: When the ASR1002-X Series Aggregation Services Router with large numbers of MLPPP bundles may experience a crash preceded by the following message followed by a traceback and eventual reload of the router; %CPPOSLIB-3-ERROR_NOTIFY: SIP0: cpp_cp: cpp_cp encountered an error.
Workaround: Keep the number of single-link MLPPP bundles under 4,000, and the total number of multi-member MLPPP bundles under 2,000.
Symptom: Call not going between SCCP and SIP phones.
Conditions: After configuring "no outbound-proxy" under the "voice register global", SCCP endpoints to SIP endpoints call is successful. After some time (approx. 10 minutes or more), the functionality reverts back to "outbound-proxy system", and the same call fails. The configuration still shows "no outbound-proxy" in the running-configuration.
Workaround: There is no workaround.
Symptom: Carried-id (source/target) CLI is not taken into effect when configured under dial-peer.
Conditions: Call-route url configured along with voice source-group CLI.
Workaround: There is no workaround.
Symptom: %PKI-4-CRLINSERTFAIL: Trustpoint "..." failed to verify CRL signature (error 1815:E_NAME_ENCODING : invalid encoded format for name).
Conditions: "chain-validation continue" is configured on a local trustpoint that is part of the certificate chain from the root CA to the peer.
Workaround: Configure either "chain-validation stop" or "revocation-check crl none" on all trustpoints in the chain.
Symptom: Netflow TimeStamp may show time drift compared to NTP time. This effect has been judged to be equal to about 50 seconds of lost time per day.
Conditions: Flexible or Traditional Netflow running on either an ESP40 based Forwarding Processor or on an ASR1001 platform.
Workaround: There is no workaround but when the time skew exceeds 10 minutes it should self correct.
Symptom: The router does not pass multicast traffic consistently; only some traffic passes.
Conditions: Occurs when you configure 255 EVCs spanning across different slots on the router.
Workaround: There is no workaround.
Symptom: Trace backs found.
Conditions: While copying the text file from the certificate server. Accessing https://msca-root/test.txt...
Workaround: There is no workaround.
Symptom: Cube Crash with SIP config.
Conditions: Call flow with forking with update, ie. 183 w/ SDP followed by 180 w/o SDP with a different To body (forked call). A resulting reinvite from CUCM causes CUBE to crash as it is applied to the forked call with no SDP causing the crash. voice class sip-profiles in configuration.
Workaround: There is no workaround.
Symptoms: Malformed RTCP packets are observed.
Conditions: This symptom occurs when DTMF interworking is enabled or SRTP/SRTCP is in use.
Workaround: Disable DTMF interworking if not required for the call.
Symptom: Trace back is seen when user part is greater than 32 characters in incoming 302 response contact header.
Conditions: CUBE in 302 consume mode. userpart in 302 contact header is greater than 32 characters.
Workaround: There is no workaround.
Symptom: TGW Failed to send BYE message after 200 OK.
Conditions: TGW Failed to send BYE message after 200 OK with 15.2(03.16)M0.1.
Workaround: There is no workaround.
Symptom: BQS queue output is different for FP10 and FP80.
Conditions: Output difference is seen while checking the "sh plat hard qfp ac fe qos queue out all d " output.
Workaround: There is no workaround.
Symptom: Source files cannot be referenced in the new project.
Conditions: New project requirement.
Workaround: There is no workaround.
Symptom: Cleartext send out from flexVPN VAI interface during session flap.
Conditions: Session delete and create.
Workaround: There is no workaround.
Symptom: CUBE reloads on testing DO-EO secure video call over CUBE when SDP passthru is enabled.
Conditions: The symptom is observed when running Cisco IOS interim Release 15.3(0.4)T.
Workaround: There is no workaround.
Symptom: CME reloads for E911 call ELIN translation for incoming FXS/FXO trunk.
Conditions: The symptom is observed from Cisco IOS interim Release 15.3(0.2)T.
Workaround: There is no workaround.
Symptom: Not able to retrieve Via header for sending OPTIONS response back.
Conditions: This issue is seen in OPTION message case.
Workaround: Use the las_option_request from ccb while retreiving Via header.
Symptom: Authentication of EzVPN fails.
Conditions: The symptom is observed with BR-->ISP-->HQ.
Workaround: There is no workaround.
Symptom: Traffic-class cannot be learned with delay as learning type reports incorrect number of TCs.
Conditions: configurate delay as learning type.
Workaround: There is no workaround.
Symptoms: Memory leak occurs during rekey on the IPsec key engine process.
Conditions: This symptom occurs after rekey, when the IPsec key engine does not release KMI memory, causing the IPsec key engine holding memory to keep increasing.
Workaround: Clear crypto session for IPsec key engine to release memory.
Symptom: Hung calls seen in show call active voice brief are as follows: 1502 : 26 36329310ms.1 -1 pid:1 Answer XXXYYY4835 connected dur 00:00:00 tx:0/0 rx:0/0 IP 0.0.0.0:0 SRTP: off rtt:0ms pl:0/0ms lost:0/0/0 delay:0/0/0ms g729r8 pre-ietf TextRelay: off media inactive detected:n media contrl rcvd:n/a timestamp:n/a long duration call detected:n long duration call duration:n/a timestamp:n/a.
Conditions: This symptom is observed when an inbound H225 call setup request to a CME gateway results in a hung call if a release complete is received while still in alerting state. This issue occurs only when the shared line is configured on the phone and the shared line is not registered.
Workaround: Remove the shared line or register the shared line.
Symptom: Incorrect phone screen display, when an incoming call is forwarded. Specifically, with the following config- alias 1 666 to 85004001 cfw 85004002 timeout 5
calling from external PSTN phone number ex:0612345678 To 4597, which is translated to 666, first rings the phone 85004001 and when it is ringing, screen phone display is OK. When the call is cfw'd to the second phone ( 85004002), the screen phone display : Forward 612345678 For 04929 (850... By 04929 (666) is incorrect.
The number 04929 is corresponding to the external phone number mask in CUCM of an other IP phone. The external phone number mask displayed is the field "name" or "description" of the FIRST ephone recorded in the SRST router ( see "call-manager-fallback ephone-dn" attached file), whatever the redirect phone number used the mask is ALWAYS the one of the first ephone recorded.
Conditions: 1. SRST 2. alias command, under call-manager-fallback.
Workaround: There is no workaround.
Symptom: Path Confirmation fails between 2 SIP phones in a blind transfer scenario over SIP trunk.
Conditions: This symptom is observed when no supplementary-service SIP refer is configured.
Workaround: Configure supplementary-service SIP refer.
Symptom: The show controller pos pm command does not display the correct SFP line type for 'SPA-1XOC12-POS'.
Conditions: Line type is shown as LONG MM for all SFPs in show controller pos pm.
Workaround: show hw-module subslot x/y transceiver #port idprom brief IDPROM for transceiver POS0/1/0: Description = SFP or SFP optics (type 3) Transceiver Type: = OC12 LR-1/STM4 L-4.1 (12).
Symptom: White noise after Transfer completion.
Conditions: SRTP-RTP xcoder is allocated on CUBE. Version 15.2(3)T1.
Workaround: There is no workaround.
CSCub13457
Symptom: Memory Leak seen at xcode_associate_local_stream.
Conditions: Leak could be seen for SIP-SIP transcoded call with mid-call UPDATE (with SDP) pass-through or UPDATE-to-ReINVITE cases.
Workaround: Disable UPDATE, instead use ReINVITE for mid-call renegotiations.
Symptom: A crash with traceback is seen, and all calls are dropped.
Conditions: This symptom is observed under all conditions.
Workaround: There is no workaround. The gateway crashes, and the soak time appears to be six weeks.
Symptom: On the ASR1K series of routers running the Flexible Netflow feature, when the command show flow monitor MON cache is issued timestamps are displayed as local wallclock time. These timestamps may be skewed by the time delta between how long the Route Processor (RP) has been up and how long the Forwarding Processor (FP or ESPXX) has been up. This delta is typically in the range of several minutes but it may be even longer than that.
Conditions: ASR1K router running Flexible Netflow when show flow monitor MON cache command is issued.
Workaround: There is no workaround.
Symptom: FlexVPN IKEv2 adding ipv4 address and not adding ipv6 address to the tunnel interface.
Conditions: Unassigned local pool on client.
Workaround: There is no workaround.
Symptom: Overlord crashes with 2000 crypto sessions (4000 IPSec SAs) upon repeatedly clearing and reestablishing the SAs.
Condition: The box is configured with 1K VRFs and 1K Virtual templates. And the crypto sessions are repeatedly cleared/reestablished.
Workaround: There is no workaround.
Symptom: sh pl software interface fp active name interfacexxx ip reassembly? command doesn't display reassembly parameter correctly.
Conditions: When the router is not configured reassembly max-reassembly value, it is using its default value 16. in this case, ios sh ip reassembly gigabitEthernet 0/0/0 will display this value correctly, but binos ( show platform software inter fp active name xxx ip reassembly) will not. Workaround: There is no workaround.
Symptom: Some of SIP calls between Cisco IOS Voice gateway and a remote SIP UA that is behind a NAT router may experience audio issue (one way audio) if a private IP address is being advertised by the remote site for the media connection.
Conditions: When Cisco IOS Voice gateway has a peer SIP UA that is behind a NAT router, and a private IP address is being advertised during the call setup by the remote side, you may need to enable, on the IOS Voice Gateway, support for Symmetric NAT traversal using "nat symmetric check-media-src" command to have the voice gateway to learn the media address and port from the first incoming RTP packet. But two consecutive 180 responses received by the IOS Voice gateway (during call setup) with different "To:" tags (what is a normal behavior of a SIP Proxy), is breaking this support for "SIP NAT symmetric" feature. And you will experience one way audio issue even though "nat symmetric check-media-src" is configured.
Workaround: There is no workaround.
Symptom: Call dropping issue was found while testing new network based features on AT&T's FlexReach network. The features are network-based Simultaneous Ringing and Sequential Ringing.
Conditions: The following is the behavior for Simultaneous Ringing: 1. Hopon call from PSTN to 7323204351 2. Both Phone 2 (7323204351) and Phone 3 (7323204350) ring 3. Phone 3 is answered, but immediately drops 4. Phone 2 stops ringing (I see CANCEL from AT&T for this call-id) 5. PSTN caller continues to hear ringback tone Per the attached trace, CUBE fails to send a 200 OK with SDP in response to AT&T's re-INVITE to open up the voice channel. For Sequential Ringing: 1. HOPON from 4085271217 (Phone 1) to Phone 3 (7323204350) 2. Note the INVITE has media attribute codec pref 18 0 100 ; INACTIVE 3. CUBE sends 100 Trying then 180 Ringing 4. Phone rings ~3X then call is cancelled by AT&T side by sending SIP CANCEL message 5. CUBE acknowledges by sending 200 ok followed by 487 Request Cancelled 6. AT&T sends INVITE to Phone 2 (7323204351) with media attribute codec pref 18 0 100 ; INACTIVE 7. CUBE sends 100 Trying then 180 Ringing 8. Upon answer - CUBE sends 200 ok with no codec pref in media attribute 9. AT&T sends re-INVITE - with no SDP 10. CUBE sends 100 Trying 11. AT&T sends BYE even before CUBE can send 200 ok 12. Caller from AT&T side hear continuous RINGBACK tone Again, per the attached trace on Sequential Ringing, CUBE fails to send a 200 OK with SDP in response to AT&T's re-INVITE to open up the voice channel. Per AT&T, their side might be sending the BYE because CUBE sends its initial 200 OK with SDP but no codec preference. (refer to Sim. Ring Trace).
Workaround: There is no workaround.
Symptom: Packets are dropped.
Conditions: 5cps basic sip call.
Workaround: Reduce the traffic load from 5 CPS to 2 CPS.
Symptom: The router crashes continuously after a normal reboot due to power or some other reason. Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.0(1)M4, RELEASE SOFTWARE (fc1) uptime is 4 days, 11 hours, 38 minutes System returned to ROM by error - a Software forced crash, PC 0x88D26F0 at 07:42:45 UTC Sat May 5 2012 System restarted at 07:43:55 UTC Sat May 5 2012 System image file is "flash:c3900-universalk9-mz.SPA.150-1.M4.bin" ; Last reload type: Normal Reload ---------------------------- generated Traceback: Pre Hardware Replacement Crashinfo: ------------------------------------ #more flash0:crashinfo_20120519-165015-UTC ------------------ Traceback Decode: ------------------ tshakil@last-call-2% rsym c3900-universalk9-mz.150-1.M4.symbols.gz Uncompressing and reading c3900-universalk9-mz.150-1.M4.symbols.gz via /router/bin/zcat c3900-universalk9-mz.150-1.M4.symbols.gz read in Enter hex value: 0x88D1D88z 0x88D27C0z 0x729E558z 0x729E6F4z 0x495F298z 0x4962FC8z 0x88D1D88:fsm_crank(0x88d1d2c) 0x5c 0x88D27C0:fsm_exec_w_option(0x88d2650) 0x170 0x729E558:htsp_process_event(0x729e1d4) 0x384 0x729E6F4:htsp_main(0x729e62c) 0xc8 0x495F298:ppc_process_dispatch(0x495f274) 0x24 0x4962FC8:process_execute(0x4962e24) 0x1a4 Enter hex value: 0x88D1D88z 0x88D27C0z 0x729E558z 0x729E6F4z 0x495F298z 0x4962FC8z 0x88D1D88:fsm_crank(0x88d1d2c) 0x5c 0x88D27C0:fsm_exec_w_option(0x88d2650) 0x170 0x729E558:htsp_process_event(0x729e1d4) 0x384 0x729E6F4:htsp_main(0x729e62c) 0xc8 0x495F298:ppc_process_dispatch(0x495f274) 0x24 0x4962FC8:process_execute(0x4962e24) 0x1a4 Enter hex value: -------------------------------- Crash File Post Installation: ------------------------------ #more flash0:crashinfo_20120519-185725-UTC ------------------ Traceback Decode: ----------------- Enter hex value: 0x88D1D88z 0x88D27C0z 0x729E558z 0x729E6F4z 0x495F298z 0x4962FC8z 0x88D1D88:fsm_crank(0x88d1d2c) 0x5c 0x88D27C0:fsm_exec_w_option(0x88d2650) 0x170 0x729E558:htsp_process_event(0x729e1d4) 0x384 0x729E6F4:htsp_main(0x729e62c) 0xc8 0x495F298:ppc_process_dispatch(0x495f274) 0x24 0x4962FC8:process_execute(0x4962e24) 0x1a4 Enter hex value: 0x88D1D88z 0x88D27C0z 0x729E558z 0x729E6F4z 0x495F298z 0x4962FC8z 0x88D1D88:fsm_crank(0x88d1d2c) 0x5c 0x88D27C0:fsm_exec_w_option(0x88d2650) 0x170 0x729E558:htsp_process_event(0x729e1d4) 0x384 0x729E6F4:htsp_main(0x729e62c) 0xc8 0x495F298:ppc_process_dispatch(0x495f274) 0x24 0x4962FC8:process_execute(0x4962e24) 0x1a4 ---------------------------------------------------
Conditions: This symptom is observed with the following conditions: - MGCP gateway. - Take out all the modules from the router. - Put the modules one by one. - Apply the configuration. - The router is stable. The lab test recreated as follows: 1) Disable auto-configuration, that is, "no ccm-manager config". 2) Reload the gateway. 3) Enable the CCM manager configuration and the router does not crash.
Workaround 1: Bypass the start-up configuration and log in via ROMmon without any configuration. Add the configuration one by one. Once the configuration is added, save the configuration and reload the gateway.
Workaround 2: Shut down the router and add the cards one by one in slots 0, 1, 2, 3, and 4. The device is stable until the third slot is inserted and brought up. As soon the router is powered on, after adding the fourth slot, the crash starts. Shut down the router and remove the card in slot 4 (EVM-HD-8FXS/DID). Bring the device up without the card in slot 4 (EVM-HD-8FXS/DID). Remove the "mgcp" and "ccm-manager fallback-mgcp" configuration from the device because the console log is displaying the "Call Manager backhaul registration failed" error message. Shut down the router and add the card which was removed. Bring up the router. Read the ccm-manager fallback-mgcp command and do a "no mgcp/mgcp". The router becomes stable.
Workaround 3: Remove the ccm-manager config command by no ccm-manager config which tears down the connection from the call manager to the MGCP gateway. The gateway will not download the configuration from the call agent at the time of startup. Reload the router. Once the router is back and stable, readd the command.
Symptom: Connecting from Windows 7 L2TP/IPSec client to the VPN fails when using HSRP virtual IP as a gateway IP and Error 788 is displayed.
Conditions: This symptom is observed with Cisco IOS Release 15.2(3)T or later releases, and the Windows 7 L2TP/IPsec VPN client.
Workaround: Downgrade to Cisco IOS Release 15.1(3)T.
Symptom: CUBE reboot.
Conditions: Under recording load.
Workaround: There is no workaround.
Symptoms: Static tunnels between hubs and spokes fail to rebuild.
Conditions: The symptom is observed when you reload the hub on the DMVPN IPv6 setup with DPD on-demand enabled on all spokes.
Workaround: There is no workaround.
Symptom: Remote loopback messages under show interface and show controller output are not set correctly.
Conditions: This symptom occurs due to the remote loopback configuration.
Workaround: There is no workaround.
Symptom: Cube CME Call - Working with SCCP XCoding / Not Working with LTI.
Conditions: HA Configuration exists on Cube.
Workaround: Don't Configure HA.
Symptom: The netflow data is fragmented when an IPv6 exporter is used.
Conditions: The symptom occurs when:
– An IPv6 exporter is used
– A large amount of data is to be exported at once.
Workaround: There is no workaround.
Symptom: c all flow: PSTN--3rd party ---SIP--CUBE--SIP--3rd party--agent IOS version: c3900-universalk9-mz.SPA.151-3.T3 when CUBE receive multiple 183 session progress, for the 3rd 183 session progress <- the third 183 session progress -> PRACK 104 <-200 OK for INVITE ->ACK for INVITE -->REINVITE 105 <-200OK for PRACK 104 ->ACK 105
. The ACK for the PRACK has the wrong Cseq number. It should be 104 instead of 105.
Conditions: CUBE receives multiple 183 session progress.
Workaround: There is no workaround.
Symptom: A Cisco ASR1k series router resets its FP with FW NAT feature combination.
Conditions: A Cisco ASR1k series router resets its FP with FW NAT feature combination along with traffic.
Workaround: There is no workaround.
Symptom: When executing Media Forking with midcall codec change, memory leaks are found in Cisco ASR for CCSIP_SPI_CONTROL. After decoding, the memory leak is found to be for the function is_x_participant_sips() as it is not releasing the memory after allocated with some memory. This seems to be a side effect of one of the DDTS that was committed to Cisco IOS Release 15.3M&T (CSCtz96408).
Conditions: This symptom occurs when executing Media Forking with midcall codec change.
Workaround: The fix is done and is committed to Cisco IOS Release 15.3M&T.
Symptom: On ASR1K and related platforms, when configuring a Flow NetFlow (FNF) Performance Monitor with a record that has a large number of fields (typically 30 or more), the following traceback may be observed at the time that the Service Policy is bound to the interface: %FNF-3-FNF_FIELD_LIST_TOO_LARGE: Field_list too large, max 32.
Conditions: Configuring a Performance Monitor, typically with more than 30 fields, and binding it to an interface via a Service Policy.
Workaround: Reduce the number of fields. Using fewer than 30 should work, although it does depend on the exact fields in the record.
Symptom: Ping fails after doing EZVPN client connect if CEF is enabled.
Conditions: This symptom is observed with the Cisco IOS Release 15.3(0.8)T image. This issue is seen only for a specific topology, where the in/out interface is the same.
Workaround: There is no workaround.
Symptom: The memory of ESP is exhausted due to continuous leak in the cpp_ui_pfr TDL messages.
Conditions: This condition occurs when the show platform hardware qfp active feature pfr is used repeatedly.
Workaround: There is no workaround.
Symptom: The stand by RP of the Cisco ASR1000 routers might crash if the Stby-rp "cmand" core is written after ASR1013-PWR-DC replacement.
Conditions: This issue occurs either after an OIR of a power-supply or when similar events occur.
Workaround: There is no workaround.
Symptom: Configuration of CT3 controller Serial interfaces does not match between standby RPs. Several error messages such as there are generated :
%COMMON_FIB-4-FIBHWIDBMISMATCH: Mis-match between hwidb Serial1/0/1/2:0 (ifindex 634) fibhwidb Serial1/0/1/1:1 (ifindex 634) - appears on standby RP during controller configuration.
IP addresses are assigned to wrong Serial interfaces. Due to mismatch of interfaces, during RP switchover traffic does not pass through.
Conditions: This condition occurs when the CT3 SPA is configured on a dual RP router
Workaround: There is no workaround.
Symptom: OSPF neighbor cannot bring up over point to multipoint atm bundles.
Conditions: This condition occurs when two Cisco ASR 1000 routers are directly connected with ATM pvc bundles, one end is point-to-point sub-interface and the remote is multipoint sub-interface. When you try to run OSPF over bundle, the OSPF neighbors bring up over point to multipoint atm bundles.
Workaround: Change to P2P ATM interface.
Symptom: Mid-call xcoder insertion does not happen when TCL app is involved in the call
Conditions: TCL app initially connects a SIP trunk call to SCCP phone and later transfers to CUE- voice mail
Workaround: Do not use TCL app or have same codec settings on either side of trunk
Symptom: Cisco ASR 1000 routers crashes consecutively.
Conditions: This condition occurs on Cisco ASR 1000 routers with ESP10 with ios 15.2(2)S
Workaround: There is no workaround
Symptom: No modem upspeed.
Conditions: This condition occurs when modem pass through protocol based configured include g711/silence suppression in the RINGING/200 OK
Workaround: Use SIP profile to strip "silence suppression off" in the incoming messges of the intial call setup
Memory corruption detected in memory, when allocated for RTCP statistic
Symptom: An error occurs when CALL_CONTROL-3-STAT_MEMORY_CORRUPTED: Memory corruption detected in memory=XYZ allocated for RTCP statistic.
Conditions: This condition is occurs when call involves trans-coding.
Workaround: There is no workaround.
Symptom: "CPPOSLIB-3-ERROR_NOTIFY F0: cpp_cp: cpp_cp encounters an error" log message with tracebacks. This results in a ESP crash or control plane or configuration events are not processed on the ESP.
Conditions: This symptom is observed with a combination of ESP20 or ESP40 and CC40 installed on a Cisco ASR 1006 router or Cisco ASR 1013 router. This issue is observed when the CC40 does not have SPAs installed in bay 0 or 2 and bay 1 or 3.
Workaround: If you have two or more SPAs installed in the CC40, ensure that there is a SPA in bay 0 or 2 and bay 1 or 3. If you only have one SPA installed in the CC40, there is no workaround.
Symptom: The Cisco ASR 1000 CPP crashes when shutting down core facing MPLS interfaces on NPE
Conditions: This condition occurs rarely.
Workaround: There is no workaround.
Symptom: when SIP gateway receives an INVITE with user=phone in the request URI, the prefix" " is removed from phone number. For example, when gateway receives the following INVITE INVITE sip: 1234567;npdi=yes@14.50.219.4:5060;user=phone SIP/2.0 It will route the call to 1234567, instead of 1234567
Conditions: This condition is observed when user=phone in the request URI.
Workaround: There is no workaround.
Symptom: ESP40 Crash seen with 4% traffic on a basic LSM setup. Basic LSM setup of PE-P-PE.
– 1 join for SM, 1 join for SSM, 1 join for Bidir. (Both v4 and v6)
– Router is performing a tail end (Disposition) function.
– Moment traffic hits the box, ESP 40 crashes. (4% of Gige line rate, 2% for v4 and 2% for v6)
Conditions: ESP40 crashes when traffic passes through the router.
Workaround: Disabling LRE fixes the issue set platform hardware qfp active feature multicast v4 lre off set platform hardware qfp active feature multicast v6 lre off.
Symptom: A show interface command on a SPA interface shows "0" for "unknown protocol drops", yet when the same interface is polled for ifInUnknownProtocols, a value is returned.
Conditions: This condition is observed during normal polling.
Workaround: There is no workaround.
Symptom: FP may crash while flapping sessions with ISG services, or flapping the ISG services themselves.
Conditions: This behavior might be seen on the Cisco ASR 000 routers running 15.1(2)S images or later. The ISG services involved must be Traffic Class services, and they may have any of L4R, DRL/Policing, or accounting-based features applied. The behavior may be observed when such services are quickly added and removed from a subscriber.
Workaround: There is no workaround.
Symptom: CUBE sends response to reinvite from CVP through proxy, not respecting Via header of reinvite. Response should be sent directly back to CVP
Conditions: SIP call routing from ITSP to CUBE to SIP Proxy to CVP. Initial transaction is handled through the proxy. With record route turned off the CVP sense reinvites directly to the CUBE, bypassing the proxy. The Via header of the reinvites indicated to send responses directly back to CVP. However the CUBE sends the responses to the proxy.
Workaround: There is no workaround.
Symptom: Traceback at FreeUInt64 on booting up router
Conditions: An ASR 1006 router running mcp_dev towards XE38 On booting up the router seeing a traceback
Workaround: The tracebacks are due to snmp-server enable traps entity-qfp mem-res-thresh. Disable the snmp-server enable traps entity-qfp mem-res-thresh.
Symptom: Occasionally, after full chassis reload, all ATM autovc fail to come up upon reception of PADI. CPE gets no PADO. All PPPoEoA sessions fail to establish on the chassis.
Conditions: Trigger unknown. This condition occurs intermittently, after full chassis reload, once every ~50 reloads.
Workaround: If the condition occurs, reload the chassis again.
Symptom: There is no way for customers to upgrade existing throughput licenses. (ex. from throughput_10g to throughput_20g)
Conditions: This symptom is not caused by any specific conditions.
Workaround: The throughput value can be obtained by installing the corresponding exact throughput license.
Symptoms: The show voice register pool on-hold brief command displays the same number (for both phone number and remote number) when both local and remote phone are put on-hold.
Conditions: This symptom is observed when with Cisco IOS Release 15.3(8)T.
Workaround: There is no workaround.
Symptom: Standby ESP100 reloaded.
Conditions: 4k IKEv2 IPv6 static crypto map 4k VRF (ivrf = fvrf). Running bi-directional IMIX traffic @ 4Gbps for 5 minutes.
Workaround: There is no workaround.
Symptom: Intermittently during Phase II rekey, after new SPIs are negotiated and inserted into SPD, old SPIs are removed and then VTI tunnel line protocol goes down
Conditions: This symptom is observed with Cisco IOS Release 15.2(3)T, with VTI over GRE.
Workaround: There is no workaround.
Symptom: While ringing, warm transfer committed which does not negotiate with video. Agent-1 complete transfer to Agent-2, while agent-2 is ringing and after sometime Agent-2 pick up the call.
Conditions: This symptom is observed when:
– Caller and Agent-1 had 2-way audio.
– Agent-1 did a warm transfer. Caller puts on hold and Agent-2 is ringing.
– Agent-1 complete the warm transfer. Still Agent-2 is ringing.
– After sometime Agent-2 pick up the call.
Workaround: There is no workaround.
Symptom: In legacy call-park mechanism, when a call is parked and if the parkee hangs up while waiting for the parked call to be answered, the final party who dials the park slot DN hears MOH and is put on hold and is unaware that the parkee has dropped the call.
Conditions: This symptom is observed in CME : 8 and 9 versions (tested till CME 9.0) IOS : 15.X (tested till 15.2(3)T1)
Workaround: Add the following under "telephony-service" to move from legacy call-park mechanism: call-park system application.
Symptom: The console reports "%FMFP-3-OBJ_DWNLD_TO_CPP_FAILED: F0: fman_fp_image: PFR TT Enable download to CPP failed" and prints traceback. Also, ASR 1000 router may reload with fman_fp core file
Conditions: FMAN-FP reports PfR ERR log when there is PfR session flapping between MC and BR.
Workaround: There is no workaround.
Symptoms: Ping fails from host1 (192.168.1.2) to host2 (192.168.4.2).
Conditions: This symptom occurs when Suite-B is configured on IPsec sa.
Workaround: There is no workaround.
Symptom: Codec changes spontaneously during mid-session without a RE-INVITE
Conditions: This symptom occurs with the following conditions:
– Fax passthrough is configured.
– Codec negotiated is G711alaw, and changes to G729.
Workaround: There is no workaround.
Symptom: CLI changes in the show spi details command
Conditions: This symptom is not caused by any specific conditions.
Workaround: There is no workaround.
Symptom: - H323 GW disconnects call due to pre-ACF notify
A sample signaling flow: GK---(h323)----GW---(h323)---CVP <----SETUP------ <-----ARQ----- <----NOTIFY----- -----Disengage-> ------ACF---->
Conditions: - Notification is received by the GW prior to the ACF
Workaround: There is no workaround.
Symptoms: A Cisco router may experience alignment errors. These alignment errors may then cause high CPU.
Conditions: This symptom occurs as the alignment errors require using Get VPN. It is currently believed to be related to having the Get VPN running on a multilink interface, but this is not yet confirmed.
Workaround: There is no workaround.
Symptoms: Randomly, there is no audio if a call comes from the following call flow using G729: IP Phone -- CUCM -- ICT GK Controlled -- GK -- CME 9.1 -- Phone A and B If one of the phones in CME tries to GPickup the call randomly, it will have no audio. When this happens, if you check the codec directly in the phone, it is G711. However, when it works, it is G729. Everything is configured for G729. Even if you hard code the phone in CME to use G729, this issue will occur. This issue does not occur in CME 7.1.
Conditions: This symptom occurs if a call comes from GK as G729 and CME 9.1 is being used.
Workaround: Use CME 7.1 or enable fast start in CUCM Trunk by enabling the following check boxes:
– Media Termination Point Required
– Enable Outbound FastStart
Symptoms: SSL handshake between Cisco VCS and the Cisco ASR fails if the Cisco ASR 1000 router is running Cisco IOS XE Release 3.7S. image
Conditions: This symptom occurs in a working setup, if the Cisco ASR is upgraded to Cisco IOS XE Release 3.7S, then SSL handshake and subsequently SIP-TLS calls start to fail. If in the same setup, the Cisco ASR is downgraded back to Cisco IOS XE Release 3.5S or Cisco IOS XE Release 3.4.4S, then the calls work (without requiring any additional changes).
Workaround: There is no workaround.
Symptom: ASR1001 Feature Navigator does not show correct image to license mapping
Conditions: This condition is observed for ASR1001 ordering with or without licenses.
Workaround: There is no workaround
Symptom: show tech-support out is not displayed intermittently.
Conditions: This symptom is not caused by any specific conditions.
Workaround: Execute show log or any other show tech-support command, out is displayed again.
Symptom: Cisco ASR 1000 Routers may experience reloads on the ESP module due to a CPP driver fault during an in-2-out NAT translation..
Conditions: Issue has been observed with IOS 15.2S, but not in 15.1S when NAT is enabled. No other requirements known.
Workaround: Disable NAT or downgrade to a 15.1 release.
Symptom: Traceback is observed during RP switchover with mediatrace configuration, since SSO is not supported by mediatrace.
Conditions: This condition is observed when configure mediatrace and RP switchover is performed twice.
Workaround: There are two workarounds:
– Remove mediatrace configuration before running RP-switchover. Add mediatrace configuration on new active RP.
– If traceback occurred, remove mediatrace configuration and reapply it.
Symptom: After the second RP switchover, mcast traffic stop forwarding by PE.
Conditions: mVPN topo, during mcast traffic sending, do RP switchover on PE1.
Workaround: Using Clear ip mroute * to make the global MDT mroute re-built can restore mcast traffic before or after the second switch-over.
Symptoms: CRYPTO MAP ACL FILTERING TEST FAILED due to indent counters
Conditions: CRYPTO MAP ACL FILTERING TEST FAILED due to indent counters
Workaround: There is no workaround.
Symptom: GTPv0 request dropped and failed to create session
Conditions: This symptom is not caused by any specific conditions.
Workaround: There is no workaround.
Symptom: ASRNAT address leak may occur. This will show a larger number of allocated addresses in show interface nat stat command, then the translations that exist for that address via the show ip nat trans command
Conditions: This issue only occurs when a dynamic route-map configuration is used and the NAT sub-drop code ESP_CREATE_FAIL is incrementing (i.e. there must be ESP traffic).
Workaround: The leaked addresses can be reclaimed periodically by executing a clear ip nat trans * command, but that will be disruptive to users so this task should be schedule during off-hours.
Symptom: The maximum active memory for NBAR flows exceed the maximum allowed memory
Condition: 1RU platform XE3.8 installed. maximum flows set to 750000 you have traffic which contains flows higher than 750000
Workaround: There is no workaround.
Symptom: To enable CFA to 918079611, then press 'CFwdALL' softkey and enter any 4 digit number, then enter 918179611 and press end. After this we will be able to see "Forwarded to 918179611" on Phone.
Conditions: This condition is observed when SRST mode is configured with after hours.
Workaround: Remove the after hours configuration.
Symptoms: In a VTI scenario with HSRP stateless HA, the tunnel state on standby is up/up.
Conditions: This symptom occurs when HSRP is configured and there is no SSO configuration.
Workaround: There is no workaround.
Symptom: pw with backup
Conditions: switch between active/standby pw
Workaround: reload the boxes
Symptom: GTP: CPC response message is dropped.
Conditions: This condition occurs when cause is not equal 128.
Workaround: Resend the messages.
Symptom: On boot, the group member registers KS twice.
Conditions: This condition is observed only during bootup.
Workaround: There is no workaround.
Symptoms: The atm keyword in the show command disappears after a SPA power shut.
Conditions: This symptom occurs when a SPA card is powered shut and is brought back up using the no form of the previous command.
Workaround: There is no workaround.
Symptoms: If CUBE has midcall reinvite consumption enabled, it also consumes SIP 4XX responses. This behavior can lead to dropped or hung calls.
Conditions: This symptom occurs when midcall reinvite consumption is enabled.
Workaround: There is no workaround.
Symptom: Cannot ping SBC interface from ASR 1000 Router
Conditions: This condition is observed when
– SBC interface created with netmask /32
– SBC activated
Workaround:
– Deactivate SBC
– Delete SBC interface and re-create it again.
Symptom: ALG FTP44 does not work, fails to establish data path.
Conditions: This issue occurs under the following conditions:
Divide two networks into two vrf, both client and server reside in different network.
Topo: Client --- Gi 0/0/0 --- vasileft 1 --- vasiright 1 --- Gi 0/0/1 ---- Server (inside) (outside) (outside) (inside) vrf_in vrf_out
For vrf_in, there's dynamic NAT access-list 10 permit 10.0.0.0 0.255.255.255 ip nat pool in 202.120.0.2 202.120.0.10 prefix-length 24 ip nat inside source list 10 pool in vrf vrf_in overload.
For vrf_out there is one inside static nat ip nat inside source static 192.168.0.2 202.119.0.2 vrf vrf_out Client runs FTP active mode.
Workaround: Use dynamic NAT.
Symptom: Certificate validation fails with valid certificate.
Conditions: This symptom is observed during DMVPN setup with an empty CRL cache. This issue is usually seen on the responder side, but the initiator can also show this behavior.
Workaround: There is no known workaround.
Symptom: NHRP error message should indicate node IP that triggers the Error Syslog message format is changed to include the trigger source, source NBMA and destination addresses.
Example: %NHRP-3-PAKERROR: Received Error Indication from 10.0.0.2, code: administratively prohibited(4), (trigger src: 10.0.0.1 (nbma: 172.16.1.2) dst: 192.168.2.1), offset: 0, data: 00 01 08 00 00 00 00 00 00 FE 00 68 F4 03 00 34
Conditions: This condition is observed when NHRP error indication is received on the box.
Workaround: There is no workaround.
Symptom: Traffic not passing even it matches the filter conditions are met.
Conditions: This condition in observed when IPv4 and IPv6 co-exist in the interface configuration and with FW NAT configuration.
Workaround: Instead of using pre-natted source address in ACL, use post-nat source address.
For example, if the following static NAT is used, IP NAT inside source static 36.1.1.2 37.1.1.83
In order to allow traffic from host 36.1.1.2 to pass thru fireall, the ACL should be :
ip access-list extended foo-list permit ip host 36.1.1.2 any
Due to this list, the acl can be configured as follows to workaround the issue:
ip access-list extended foo-list permit ip host 37.1.1.83
Symptoms: One-way video from CTS-1000 to TS-7010 is seen in the following topology: CTS-1000 (v1.9.1) >>> CUCM 8.6.2aSU2 >>> CUCM 9.0 >>> CUBE 15.1.2T (2811) >>> CUBE 15.1.4M4 (2951) >>> CUCM9.0 >>> VCS X7.1 >>> TS-7010 2.2
Conditions: This symptom occurs when SDP Passthrough mode on CUBE is used.
Workaround: RTP payload types 96/97, which are associated with fax/faxack need to be remapped to some other unused values.
Symptoms: After Cisco IOS XE bootup, there are no static reverse routes inserted as a result of applying/installing and HA crypto map. The same issue is present on the HSRP standby device, namely, the static RRI routes will not get installed in case a failover occurs. The show cry map command can be used to verify that RRI is enabled. The show cry route command can be used to determine if RRI has happened and if it has been done correctly.
Conditions: This symptom is observed with the following conditions:
– Cisco IOS XE Release 3.5 up to Cisco IOS XE Release 3.7 - VRF-aware IPSec with stateless HA and static RRI - IPv4 Workaround: Removing and reentering the reverse-route static command into the configuration will actually trigger the route insertion.
Problem Description After IOS-XE bootup, there are no static reverse routes inserted as a result from applying/installing and HA crypto map. Same issue is present on the HSRP standby device, namely, the static RRI routes will not get installed in case a failover occurs. show cry map.
– can be used to verify that RRI is enabled show cry route - can be used to determine if RRI has happened and if its been done correctly Conditions IOS-XE 3.5 - 3.7 VRF aware IPSec with stateless HA and static RRI IPv4.
Workaround: Removing and re-entering the reverse-route static command into the configuration will actually trigger the route insertion.
Symptom: Phone calls to a Directory Number (DN) on a Cisco Communications Manager Express (CME) system gets continuous ringback tone instead of forwarding to a voicemail number or any other configured "call forward" destination.
Conditions: The problematic DN is a "shared line" between a SIP phone and a SCCP phone registered to the same Cisco CME system. Both SIP and SCCP phones that have the "shared line" are configured with the same "call forward' parameters. The CME system version is 9.0 or higher. The SCCP phone is "unregistered" from the CME system during the problem occurrence.
Workaround: Since the problem only happens when the SCCP phone is "unregistered" from the CME system, possible workarounds would be:
– Diagnose and fix the "unregistration" issue on the SCCP phone
– Configure the "shared line" on another SCCP phone that is registered and reset the phones
Symptom: Reload may occur when removing static rmap mapping.
Conditions: On ASR1k NAT very rarely reload may occur when removing static rmap mapping
Workaround: There is no workaround.
Symptom: Netflow was tested on NAT CGNmode, abnormal Netflow log was found. But no issues were found for the default mode.
Conditions: configure as CGN mode : ip nat log translations flow-export v9 udp destination 10.75.163.59 9995 ip nat settings mode cgn
Workaround: There is no workaround.
Symptom: In the ASR1K that has a LAC running IOS XE RLS3.5.2, disconnects the PPP session by TermReq without any reason, each time in the show pppoe stat incrementing the SSM DISCONNECT.
Conditions: This symptom occurs in the SSO mode, RP switchover.
Workaround: There is no workaround.
Symptom: A Cisco router running IOS-XE release 3.6.0S, IOS release 15.2(4)M or newer may reload.
Conditions: This condition is observed during key exchange with OCSP disable nonce configured.
Workaround: Disable 'ocsp disable-nonce'.
Symptom: Mod F: Shaper becomes inactive when policy-map rem/add back on sub-interfaces
Conditions: This issue occurs each time on rem/add on sub-interface.
Workaround: Changing shaper value reactivates shaper.
Symptom: With DMVPN phase2, the DMVPN hub is not responding to a resolution request for an address that the hub has an authoritative cache entry. Instead it's forwarding the request along the routed path.
Conditions: - This problem is observed in a DMVPN phase 2 deployment environment, where the hub router is configured with no ip nhrp cache non-authoritative command. - XE 3.6 and above.
Workaround: There is no workaround.
Symptoms: The Cisco ASR 1000 router running Cisco IOS Release 15.2(4)S acting as a GM in a Get VPN deployment starts using the most recent IPsec SA upon KS rekey instead of using the old key up to 30 seconds of expiration.
Conditions: This symptom is observed only in Cisco IOS Release 15.2(4)S.
Workaround: There is no workaround.
ASR1K GETVPN GM does not attempt registration after reload interface up
Symptoms: The Cisco ASR 1000 router being GM in a Get VPN deployment fails to start GDOI registration after a reload.
Conditions: This symptom occurs when running Cisco IOS Release 15.2(4)S. The following error is displayed in the show crypto gdoi command output after reload. Registration status: Not initialized.
Workaround: Use an EEM script to issue clear crypto gdoi command some time after boot time or issue this manually.
Symptom: configured permit-error, for 3GPP RLS7&8 req/resp, sessions are created, but for those unknown/unwanted IE, gtp counter does not work correctly.
Conditions: This condition is observed when permit-error is turned on.
Workaround: There is no workaround.
Symptom: Unable to ping direct connected peer ip address.
Conditions: This issue occurs under the following conditions:
– config ip reassembly on sub interface
– configure ipv6 reassembly on the same sub interface
– no sub interface
Workaround: There is no workaround.
Symptom: If there is a "peer.. fqdn..." statement in the startup-config
For example: crypto ikev2 client flexvpn flex peer 1 fqdn <FQDN>
Then after rebooting, the "peer..." statement may be missing from the running-config.
Conditions: This occurs because at boot time, when the startup-config is parsed, there is no DNS connectivity so the DNS resolution of the FQDN fails and hence the command is not accepted.
Workaround: Remove the peer and add it again with the "dynamic" keyword, i.e.: crypto ikev2 client flexvpn flex no peer 1 fqdn <FQDN> peer 1 fqdn <FQDN> dynamic
Note This process will delay the DNS resolution of the fqdn until the VPN tunnel is built.
Symptom: This is issue introduced in skyrise as part of a feature. This a display issue due to space length defined for displaying ipv6 addresses
Conditions: Media addresses being used is IPV6 and when show voip rtp connections is run.
Workaround: There is no workaround.
Symptom: IPv6 packet with Hop-By-Hop extension header is dropped when the packet is sent out to L2TP Virtual-Access interface.
Condition: Cisco ASR 1000 router is configured as L2TP LNS. At that time, EssUnsupPktType drop counter is incremented.
Workaround: There is no workaround.
Symptom: ESP crash.
Conditions: When SYN cookie protection is being triggered, and the packet TCP data offset is wrong.
Workaround: Do not configure SYN cookie protection.
Symptom: traceback message can be observed on the voice gateway %SDP-3-SDP_PTR_ERROR: Received invalid SDP pointer from application. Unable to process. -Traceback= 0x637B4F10z 0x61ADC2B4z 0x61A4886Cz 0x61AD6AC8z 0x619919BCz 0x6199A6C8z 0x61B30364z 0x61B3082Cz 0x63A7BCACz 0x63A7BC90z
Conditions: Router with IOS 15.1(3)T4
Workaround: There is no workaround.
Symptom: During system shutdown, occasionally the system will reboot, with a soft reset indication shutdown, before the system reaches a safe reboot state.
Conditions: This condition is observed when the system is trying to shutdown and system reaches an error state. the system unexpectedly reboots with a soft reset indication, but no core or tracefiles are saved.
Workaround: There is no workaround.
Symptom: When CUCM sends a single digit ASR is sending multiple NTE events as expected however the Marker bit is incorrectly set to TRUE most of them.
Conditions: ASR1006 running 15.2(2)S1 is configured as an MTP.
This problem is observed on the release 3.6.1 (asr1000rp1-adventerprisek9.03.06.01.S.152-2.S1) image.
The release 3.4.3 (asr1000rp1-adventerprisek9.03.04.03.S.151-3.S3.bin) image is not affected.
Workaround: There is no workaround.
Symptom: On serial interface the IOS counters for input packets, input errors and aborts increase even after the interface is administratively shutdown
Conditions: This symptom is not caused by any specific conditions.
Workaround: As this is a corner case situation, un-shutting and shutting down the interface may resolve the issue.
Symptom: ESP Crashes
Conditions: Configuration results in exhaustion of CPP external memory
Workaround: Ensure that the scale does not exceed supported configurations.
Symptom: ttl in CNAME record is reset
Conditions: DNS CNAME record
Workaround: There is no workaround.
Symptom: The console reports "[aom]: (ERR): Unable to find async context for AOM" and traceback.
Conditions: FMAN-FP reports PfR ERR log when there is PfR session flapping between MC and BR.
Workaround: There is no workaround.
Symptom: When using the command "call-policy-set copy source x destination y", the na-src-name-anonymous-table is not copied.
Conditions: If you copy the policy to a set number that did not previously exist, this problem does not occur; it only seems to happen if you reuse a number that was removed previously.
Workaround: Copy to new set number which has not been used before.
Symptom: Show controller pos pm command does not show correct SFP line type for All POS SPAs
Conditions: Line type is shown as LONG MM for all SFPs in show controller pos pm frp Sphinx/POS and SHORT SM for Iguana/Ninja
Workaround:
show hw-module subslot x/y transceiver #port idprom brief IDPROM for transceiver POS0/1/0: Description = SFP or SFP optics (type 3) Transceiver Type: = OC12 LR-1/STM4 L-4.1 (12)
Symptom: IPv6 DMVPN spoke failed to re-build tunnels with hubs.
Conditions: This symptom occurs when the tunnel interface on the spoke is removed and reapplied again.
Workaround: Reboot the spoke.
Symptom: IOS PKI server keeps updating CRL list even if PKI server is shut down. Found in 15.1.4.M, but may be more wide spread.
Conditions: This symptom is not caused by any specific conditions.
Workaround: Block access to CRL Distribution point so PKI server will not be able to upload updated CRLs.
Symptom: ISR running CME with AFW may experience bus error crashes and spurious accesses during call disconnect.
Conditions: This symptom is not caused by any specific conditions.
Workaround: There is no workaround.
Symptom: ISSU/ISSD would be failed.
Conditions: Always
Workaround: There is no workaround.
Symptom: PSTN user cannot hear the MOH when the call is put on hold.
Condition: If a call is put on hold after the previous call is parked using PARK softkey, the PSTN user cannot hear the MOH.
Workaround: The following workarounds are available:
– Use FAC code to park the call.
– Seize this DN and then release it to reset the park flag after parking a call.
Symptom: T1 controller will stay DOWN after switchover.
Condition: This symptom is seen when SATOP is configured on T1.
Workaround: Do a shut and no shut.
Symptom: Address Error exception is observed with ccTDUtilValidateDataInstance.
Condition: This symptom is observed with ccTDUtilValidateDataInstance.
Workaround: There is no workaround.
Symptom: IOS PKI certificate enrollment fails due to collision with another enrollment request.
Condition: IOS PKI auto-enrollment Multiple trustpoints are configured and try to enroll at same time. See error: CRYPTO_PKI: Failed to send the request. There is another request in progress.
Workaround: Use manual enrollment. Use different re-enrollment percentages on each trustpoint.
Symptom: SRTP - RTP fallback failure - CUBE sends back both 488 and 503
Condition: For a SRTP - RTP transcoding failure scenario, CUBE sends back both 488 and 503 response codes. It should reject the call with only 503 with the correct Warning Header.
Workaround: There is no workaround.
Symptom: After changing the grandparent shape rate via ancp, traffic is not shaped to the new rate.
Condition: PPPoE model F QoS. Via ancp, change the grandparent shape rate.
Workaround: There is no workaround.
Symptom: The maximum configurable PBHK (Port Bundle Host Key) source interfaces on an ASR1K router is random and could be as low as 1. Here is a sample error message seen on a customer's ASR1K router when adding 83rd source interface for PBHK: PortBundle: Unable to add source IP into list PortBundle: Command failed PortBundle: allowed number of source IPs: 82
Condition: Configure multiple PBHK source interfaces on an ASR1K router.
Workaround: There is no workaround.
Symptom: 3900e running 15.2(3)T1 crash at be_MediaOper_UpdateStats
Condition: 3900e running 15.2(3)T1 crash at be_MediaOper_UpdateStats
Workaround: There is no workaround.
Symptom: IOS Router Identity Certificate missing upon reboot.
Condition: Identity certificate imported into a trustpoint that does not contain the direct issuer Certificate Authority certificate.
Workaround: Import the identity certificate into the trustpoint which contains the issuer's certificate.
Symptom: Show version may report reload due to address error. Example: System returned to ROM by address error at PC 0x7F10BB0, address 0x4E1B383C at 23:46:01 EDT Mon Sep 10 2012 System restarted at 18:17:48 EDT Thu Sep 13 2012 System image file is "flash:c2951-universalk9-mz.SSA_8_5_ES2.1" Last reload type: Normal Reload Last reload reason: address error at PC 0x7F10BB0, address 0x4E1B383C This bug happens within IOS internal. It is not a common and at the same time, not a a rare occurrence.
Condition: Platform independent. Seen usually in 29xx and 39xx class routers. Originally seen in 15.2(2)T and 15.2(4)M release. Feature that need to be active for this crash to happen: Music on hold should be actively in use.
Workaround: There is no workaround. If you suspect that you are affected by this OR if you are proactively researching for known bugs to side-step, kindly engage your Account Team or your Advanced Services Team for guidance. Releases that have the fix include: 15.2(2)T3, 15.2(4)M3 and later releases.
Symptom: buffer overflow in opssl_parser corrupts OPSSLContext when all cipher suites were selected
Condition: This symptom occurs on working setup, when all the cipher suites were selected at openssl layer. This issue is observed from xe37 onwards.
Workaround: Instead of selecting all cipher suites, select required cipher suite.
Symptom: The voice gateway router is configured as a CME for handling ephone reloads due to spurious memory access.
Condition: This symptom occurs as the voice gateway router is capable of handling ephones. Reload is very specific to ephone handling.
Workaround: There is no workaround.
Symptom: Static routes created by RRI are created with the wrong mask for subnet ACLs.
Condition: This has been observed on an ASR1k and 7200 running IOS 15.2(4)S and 15.1(4)M.
Workaround: Configure a static route to the remote network manually.
Symptom: Reload indicating stuck thread may occur.
Condition: On clear ip nat translations vrf vrf-name*.
Workaround: Use clear ip nat trans * This issue exists only on Cisco IOS XE Release 3.7.1S.
Symptom: RP information is not learned when Auto-RP is configured for customer domain and the MA and RP candidate are on different PE.
Condition: MA and RP candidate are on different PE.
Workaround: There is no workaround.
Symptom: Permanent license disappear after the IOS upgrade or downgrade.
Conditions: This symptom occurs when:
– The ASR1001 IOS is upgraded from 03.05.02 or older to 03.06.00 or later.
– The IOS is downgraded from 03.06.00 or later to 03.05.02 or older.
Workaround: Without this fix: Do a license save from 3.4 before the upgrade and re-install in 3.6 in 34, save all the licenses to a file to bootflash 1RU#license save <file location> in 36, install back all the licenses from the file 1RU#license install <file location>.
With this fix: To avoid this, customers have to create a file in the bootflash called 1RU_34_36_ENFORCE_LICENSE_MIGRATION to enforce the migration of all the licenses before the upgrade process. The file will be removed automatically after the license migration.
For example: 1RU#license save bootflash:1RU_34_36_ENFORCE_LICENSE_MIGRATION For the routers, which are already experiencing this issue, customers can either try to reinstall the licenses or downgrade to 34, create the file in bootflash and upgrade with 36 or later image with this fix again.
Symptom: Tracebacks are seen.
Condition: When protocol mode dual-stack is enabled under telephony-service and create cnf-files is executed.
Workaround: There is no workaround.
Symptom: The following features: NBAR, FNF (AVC), Seawolf (FME), and Lhotse (AppNav)) may appear as being properly activated where as, they are not.
Condition: CFT infra that above listed features are not properly initialized.
Workaround: There is no workaround.
Symptom: ASR1K ucode crashes with scaled MLPPP configuration with sustained high data rates across most bundles.
Condition: Highly scaled MLPPP configuration with sustained high data rates across most bundles. Problem has only been seen with the ESP40. Likelihood of encountering this issue is lesser because this issue has only been seen in a lab environment under extremely high data rate conditions.
Workaround: There is no workaround.
Symptom: CUBE fails to resolve the configured DNS through a query when the SRV query fails.
Condition: This symptom occurs when running Cisco IOS Release 15.3(0.11)T.
Workaround: Use DNS SRV records for SIP servers.
Symptom: Router crashes when removing GDOI groups.
Conditions: KS has 100 GDOI groups being configured.
Workaround: There is no workaround.
Symptom: A pending issue update is seen at SSL CPP CERT on the Cisco ASR 1002, ESP-1000 platform.
Conditions: This symptom is observed with the following configuration: show platform software object-manager fp active pending-issue-update Update identifier: 128 Object identifier: 117 Description: SSL CPP CERT AOM show Number of retries: 0 Number of batch begin retries: 0.
Workaround: There is no workaround.
Symptom: Changes in the configured PPP multilink fragment size or fragment delay are not pushed down to the data path for Broadband MLPPP sessions. Note that this issue does not apply to MLPPP over Serial connections.
Conditions: If PPP multilink fragmentation is enabled on a Broadband MLPPP bundle before the bundle is established and the user later attempts to modify the fragment size or fragment delay, the resulting fragment size changes are not pushed down to the data path (i.e. the original fragment size configuration is retained). The IOS show ppp multilink command indicates that the new fragment size was applied but, in fact, the new fragment size may not yet be active.
Workaround: After changing the fragment size or fragment delay configuration, restart the Multilink PPP session. This can be accomplished via the
clear ppp interface Bundle-Virtual-Access-intf-name command.
Symptom: The PADI drops statistics shown in show interafces are not cleared.
Conditions: When there are PADI drops on any of the ATM interfaces, they are displayed in show interfaces. And, these are not cleared even after doing clear stats.
Workaround: There is no workaround.
Symptom: ASR crashes with fman_fp while unconfiguring in PBR scalability test.
Conditions: After the scalability test is performed with 1024 intefaces, crash is observed.
Workaround: There is no workaround.
Symptom: Traffic check fails for user-defined classes with HQoS policy.
Conditions: This condition occurs on sending traffic from ixia.
Workaround: There is no workaround.
Symptoms: Crash is observed when removing the crypto call admission limit ike in-negotiation-sa value configuration and clear crypto sessions, which triggers a connection from all the clients burdening the server and forcing it to crash within few seconds.
Conditions: This symptom happens only when 150 connections simultaneously try to establish connection with the head-end EzVPN server.
Workaround: Configure crypto call admission limit ike in-negotiation- sa 20 when scaling to 150 tunnels.
Symptom: %FMFP-3-OBJ_DWNLD_TO_CPP_FAILED messages along with tracebacks are seen.
Conditions: This symptom happens while configuring or unconfiguring the match message-id under class-map.
Workaround: There is no workaround.
Symptom: Observed (ERR): INTF: DELETE failed trace log.
Conditions: While creating Virtual Template Interface to test the L2TP scalability enhancements.
Workaround: There is no workaround.
Symptom: Unable to monitor the second power supply that is just inserted into the ASR 1001 Router.
Conditions: Insert the second power supply to the up and running ASR 1001 Router.
Workaround: Make sure all power supplies are inserted before booting up the ASR 1001 Router.
Symptoms: No-way audio is observed on hair-pinned calls back from CUBE to SIP Provider. The call flow is as follows: PSTN caller --Verizon---(sip)---ASR CUBE---(sip)---CUSP---(sip)---Genesis (SIP refer sent to transfer back to Verizon) -- CUSP - CUBE - Verizon -- PSTN
Conditions: This symptom is observed only after upgrading to Cisco IOS Release 15.2(2)S.
Workaround: Modify the diversion header on the transfer leg invite. Therefore, the Verizon handles the call differently.
Symptom: Ucode crashes when the GTP AIC inspects the packets.
Conditions: GTP AIC is configured.
Workaround: There is no workaround.
Symptom: Stale objects are seen on RP SWO.
Conditions: Delete IPv6 VRF tunnel that have FNF configured and then do rpswo.
Workaround: There is no workaround.
Symptom: PfR border router might get reloaded when PfR session flaps under session condition.
Conditions: PfR BR session flap under session condition, not likely to reproduce in the lab.
Workaround: There is no workaround.
Symptoms: A Cisco ASR 1000 hub on dual-hubs causes DMVPN crash. This issue is only seen in Cisco IOS XE Release 3.9S.
Conditions: This symptom is observed with shut or no shut of the tunnel interface.
Workaround: There is no workaround.
Symptom: GRE keepalives are going out unencrypted if the Tunnel interface is in up or protocol down state.
Conditions: This symptom occurs under the following conditions:
– ASR1k platform (reproduced on 3.4S through 3.7S)
– GRE/IPsec using tunnel protection
– Keepalives configured on GRE/IPsec tunnel
– Tunnel interface in protocol down state because of previously missed GRE keepalives
– PIM configured on Tunnel interface
– ip multicast-routing distributed command is configured globally.
Workaround: Disable ip multicast-routing distributed command (possible performance impact) or remove PIM configuration from Tunnel interface. The GRE keepalives will be encrypted as long as there is no CEF adjacency on the Tunnel interface when in protocol down state (i.e. no output from show adjacency tunnel number detail command).
Symptoms: Leaks are seen at nhrp_recv_error_indication.
Conditions: This symptom occurs only when the fix of CSCub93048 is present in the image.
Workaround: There is no workaround.
Symptoms: CUBE does not send a response to an early dialog UPDATE in a glare scenario.
Conditions: This symptom occurs when CUBE receives an early dialog UPDATE when it sends 200OK to INVITE and expects ACK.
Workaround: There is no workaround.
Symptom: One-way audio when using anti-trombone on a CUBE for a inbound call that is call forwarded back to the ITSP. After the call is forwarded, the CUBE never sends a Re-INVITE to the calling party to change the IP address from it's own IP to the IP of the ITSP. Therefore, the calling party doesn't get any audio. Whereas, the forwarded party hears the calling party fine.
Conditions: media anti-trombone command is configured under voice service voip.
Workaround: There is no workaround.
Symptoms: Static routes are not getting removed.
Conditions: This symptom is observed with Smap - Smap. Removal of CLI does not remove the static route.
Workaround: Remove the ACL before removing the SA.
Symptoms: IKEv2 STOP Accounting records show wrong counters for packets/octets, when the sessions are locally cleared using clear crypto sa command or clear crypto session command on ASR 1000 Routers.
Conditions: This symptom is observed with latest Cisco IOS XE Release 3.8S images when IKEV2-Accounting is enabled. This issue is easily reproducible with a single session, and may be service impacting as STOP Accounting records are usually used for billing purposes.
Workaround: The STOP records reflect the right counters when the disconnect is through the remote-end.
Symptom: Cannot make more than 4000 CUBE calls with the default configuration, and this can be a limitation for HA as well.
Conditions: Trying to make more than 4000 CUBE calls.
Workaround: In most cases, multiple media-address ranges can be configured, though this may not work for HA.
Symptom: An INVITE that contains a Replaces: header and also a parameter in the Request URI will be responded to with a SIP 481 Call Leg/Transaction Does Not Exist. The transfer that was the trigger of the INVITE with the Replaces: header will fail to complete.
Conditions: This was seen on CUBE when handling a triggered INVITE during a REFER based transfer.
Workaround: There is no workaround.
Symptom: Traceback is seen @ crypto_gdoi_gm_wavl_show_members_in_group.
Conditions: Execute the show crypto gdoi ks members A.B.C.D command on GETVPN group member.
Workaround: There is no workaround.
Symptom: cpp_cp_svr crash is observed.
Conditions: This symptom occurs on attaching service-policy to member link with port-channel configured.
Workaround: There is no workaround.
Symptom: The Reason: header in a SIP BYE may not be consistently passed from the incoming call-leg to the outgoing call-leg.
Conditions: This was seen on CUBE running 15.1(4)M through 15.2(4)M1.
Workaround: There is no workaround.
Symptom: When the peer's public key has outlived its usefulness, it will be marked for deletion and upon the next time, we search the public key cache, all peer public keys that are marked for deletion are removed. In the case of this defect, it has been observed that, after performing a manual CRL update (crypto pki crl request TrustPoint) whatever the content of the crl response, the router deletes keys according to the following sequence: 10 keys, next time 6 keys, then next time 4 keys and so on, i.e. 2/1/0. This occurs whatever the amount of revoked certificates inside the updated crl and it occurs also when the crl content does not change between different requests, i.e. when no certificates were revoked. So, the amount and number of keys to be deleted follows a pattern but the choice of key to be deleted is random. There is no negative impact on operation.
Conditions: Manual CRL update on a device running IOS 15.2(03)T. CRL caching is enabled.
Workaround: There is no workaround.
Symptom: In ASR CUBE-ENT platform, the show voice call rate table command displays the call per second (cps) information in histogram instead of tabular format.
Conditions: None.
Workaround: Use show call history stats cps table command instead. This command is available from Cisco IOS XE Release 3.8.
Symptoms: The SVTI always-up feature is broken.
Conditions: This symptom occurs in clear and rekey cases.
Workaround: Use shut and no shut commands.
Symptom: CUBE SP does not respond to any SIP messages sent across using TCP. SIP using UDP works fine. Call Flow: Multiple CUCM's ---> SIP --->CUBE SP--->Provider.
Conditions: This defect is noticed on 15.2(01)S01 and is only active when we have calls running SIP TCP. Reason for this behavior is that during the create or close transaction on TCP, the control buffer would be on hold. Therefore, if close of existing TCP connection is needed while the control buffer are all being held, the connection would be marked as dead but not able to notify corresponding peer, therefore the peer might still send data through that connection, which CUBE-SP would think as invalid and get dropped internally.
Workaround: As a workaround we need to send the SIP call as UDP instead of TCP.
Symptom: Traffic fails to pass on PW.
Conditions: Configure xconnect on EFP and do RP SSO.
Workaround: Reconfigure the EFP and xconnect.
Symptoms: A Cisco 3945 that is running 15.2(3)T2 and running as a voice gateway may crash. Just prior to the crash, these messages can be seen: %VOIP_RTP-6-MEDIA_LOOP: The packet is seen traversing the system multiple times and Delivery Ack could not be sent due to lack of buffers.
Conditions: This happens when a media loop is created (which is due to misconfiguration or some other call forward/transfer scenarios).
Workaround: Check the configurations for any misconfigurations, especially, with calls involving CUBE and CUCM.
Symptom: Incorrect Profile trunk-route 4 is getting configured when different profile trunk-route is configured under Voice service saf.
Conditions: Observed this issue in 15.3(0.13)T in c3945 platform.
Workaround: There is no workaround.
Symptoms: The NBAR classification granularity reduced for some protocols or some protocols may be classified as unknown.
Conditions: This symptom is observed when the following command is executed: test platform hardware qfp active feature nbar function sui_gmc_show_chunks_brief. If the errors? column has a non-zero value, it is most likely caused by the problem described here.
Workaround: Restarting NBAR will typically solve the problem. If a protocol pack is loaded, a simple way to restart NBAR would be to unload and reload the protocol pack. In order to workaround the problem and verify that the problem is resolved, perform the following steps:
1. Clear the above counters using the command: test platform hardware qfp active feature nbar function sui_gmc_reset_counters
2. Verify that the number of errors has been cleared: test platform hardware qfp active feature nbar function sui_gmc_show_chunks_brief
3. Enter configure mode: config terminal
4. Unload the protocol pack: no ip nbar protocol-pack protocol-pack-filename
5. Reload the protocol pack: ip nbar protocol-pack protocol-pack-filename
6. Verify the number of errors is 0: test platform hardware qfp active feature nbar function sui_gmc_show_chunks_brief
Symptom: High CPU on the 2911 router causing voice-ports going from S_CONNECT/S_TRUNKED to -/S_TRUNK_PEND after a few hours. This is an LMR deployment (Hool and Hooter config) Call flow: ============ Recording server (E&M port) <------- (E&M port) 2911 <--------IP link--------(((multicast source --application)))
Conditions: The High CPU was seen with the following IOS versions: c2900-universalk9-mz.SPA.152-4.M1.bin c2900-universalk9-mz.SPA.151-4.M2.bin 151-3.T4.bin
Root Cause Of The Issue: In the above IOS versions, the issue was observed in the udp_checksum() routine, which gets invoked in this case as the other endpoint is sending the checksum. Currently, the behavior is such that when it receives UDP checksum in incoming packet, it will try to compute it. Thereby, leading to the High CPU errors and causing the PVDMs to crash, which leads to the voice ports going to S_CONNECT/S_TRUNKED to -/S_TRUNK_PEND after a few hours.
Workaround: The following workarounds are available:
– Make sure that udp checksum is disabled on the other endpoint sending the packet to us.
– Have an image ready which basically ignores the udp checksum in the incoming packet, if the udp checksum is not important. The image was provided by the DE.
Symptom: Fp reload.
Conditions: ALG traffic with ACL limit configuration.
Workaround: Remove ACL limit configuration with ALG traffic.
Symptom: Traceback may appear on applying or removing Seawolf configuration.
Conditions: In very rare condition of massive applying or removing Seawolf configuration sequence, the traceback may appear.
Workaround: In case of traceback, remove the configuration and reapply it again.
Symptom: Packets with single digit MNC are not matched in L7 class-map Instead counters are increasing in class class-default Service-policy inspect gtpv1 : gtpv1_grx_inside_mcc_mnc Class-map: gtpv1_grx_inside_mcc_mnc (match-any) 0 packets, 0 bytes <<<< zero 30 second offered rate 0000 bps Match: mcc xxx mnc 1 Match: mcc xxx mnc 1 Class-map: class-default (match-any) 543464 packets, 11565497 bytes <<<< 30 second offered rate 19000 bps, drop rate 0000 bps Match: any
Conditions: Match criteria in L7 class-map define single digit MNC as follows: class-map type inspect gtpv1 match-any gtpv1_grx_inside_mcc_mnc match mcc xxx mnc 1 match mcc xxx mnc 1
Workaround: There is no workaround.
Symptoms: A Cisco 2951 that is running Cisco IOS Release 15.2(1)T1 may have a processor pool memory leak in CCSIP_SPI_CONTROL.
Conditions: The issue is seen when CUBE receives a PUBLISH request. At customer site, the issue was seen due to incorrect SIP trunk configuration, which resulted in PUBLISH requests to be sent to CUBE instead of CUSP.
Workaround: Correct the SIP Trunk configuration so that PUBLISH requests are not sent to CUBE.
Symptom: BFD flaps.
Conditions: Configure hardware BFD and configure egress ACL.
Workaround: Change the hardware BFD to software mode.
Symptom: Agent Stats corrupted on agent reset.
Conditions: Set timezone other than UTC on the CME router and reset the agent in EHG.
Workaround: There is no workaround.
Symptom: Call Flow: 9971 ---- SIP ---- CUCM ---- SIP ---- CUBE ---- SIP ---- Provider
Issue: Provider does not support video codecs, as soon as an INVITE with video codes in the SDP, provider is disconnecting the call. The customer wants to use Video capability for internal calls and when external call is made, is requesting if they can strip the Video attributes from SDP going in the INVITE to provider.
Conditions: Created voice class sip-profiles 1000 and applied under the outgoing dial-peer to provider. Voice class sip-profiles 1000 request INVITE sdp-header Video-Attribute remove request INVITE sdp-header Video-Media modify "m=video(.*)" request INVITE sdp-header Video-Bandwidth-Info remove Before applying the profile, below is the snippet of SDP rcv on CUBE: After applying the profile, the SDP is like below:
v=0 o=CiscoSystemsSIP-GW-UserAgent 1127 4805 IN IP4 10.59.0.6 s=SIP Call c=IN IP4 10.59.0.6 t=0 0 m=audio 17800 RTP/AVP 8 101 c=IN IP4 10.59.0.6 a=rtpmap:8 PCMA/8000 a=rtpmap:101 telephone-event/8000 a=fmtp:101 0-15 a=ptime:20 c=IN IP4 10.59.0.6.
To remove the third c= line, tried the below under sip-profiles: not working as expected: request INVITE sdp-header Video-Session-Info REMOVE***Trying to add this line, to see if it will make any difference, however show run, displays Video-Session-Name request INVITE sdp-header Video-Connection-Info REMOVE***Trying to add this line, to see if it will make any difference, however show run, displays request INVITE sdp-header remove.
Workaround: If the customer does not have a requirement to have video for external calls, then much better option is to disable video at CUCM only for external calls. This can be done on CUCM by the following ways:
1. Create a new region on CUCM with video disabled.
2. Keep the SIP trunk to CUBE in that new region.
3. This way, internal calls can still have video, and there won't be any video coming to CUBE for external calls.
Symptom: show pla so ob fp active pending-ack-update command output hw dirty-bit has error.
Conditions:
Workaround: There is no workaround.
Symptom: Pseudotime skew between Secondary key servers and Primary key server.
Conditions: Clear crypto GDOI on the primary key server. It has been seen in 15.2(4)M1 but not in 15.1(4)M1.
Workaround: Clear crypto GDOI on all devices.
Symptom: Call Flow: PSTN->PRI->Voice GW->SIP->CUCM->IP phone. During an active call between PSTN and IP phone (non-secure), if the IP phone user presses the Hold key for second time call gets disconnected. Hold and Resume for the first time works fine. MOH server is using SRTP. Also, if the IP phone used is secure (SRTP), then call will not get disconnected; no matter, how many times the user presses the Hold and Resume keys. Customer has mixed mode cluster.
Conditions: When audio session between IP phone and VG is RTP and then the Hold key is pressed for the second time. The MOH uses Secure RTP.
Workaround: There is no workaround.
Symptom: Sometimes, cable detect test reported false (not connected) test result on FXOGS.
Conditions: Cable detect test and incoming call to FXOGS are running at the same time.
Workaround: There is no workaround.
Symptoms: On dual RP configurations, a standby route processor might crash when establishing new interfaces (could be PPP sessions).
Conditions: This symptom is observed when IDB reuse is turned on, for a dual RP configuration, and when some interfaces are deleted and created again.
Workaround: Turn off the IDB reuse option.
Symptom: cpp_cp_svr crash is seen.
Conditions: This symptom occurs on removing service-policy from main int.
Workaround: There is no workaround.
Symptom: During SIP attack, NAT causes ESP lock-up.
Conditions: SIP registration attack.
Workaround: Using ACL to block SIP attack.
Symptom: Remote-Party-ID is missing in the SIP Re-Invites.
Conditions: When using newer CUBE version 8.7.
Workaround: Currently not identified.
Symptom: show platform h q a f nat data dynbin command output gets into a loop.
Conditions: When executed on ASR 1000 Routers.
Workaround: Use show ip nat trans command and it’s filters for showing this information
Symptoms: A crash occurs while running CME smoke regression.
Conditions: This symptom is observed while running CME smoke regression.
Workaround: There is no workaround.
Symptom: When cpp_fm_vmr_ops_execute_OPTIMIZE() function queries the TCAM manager for number of free entries in TCAM, then cpp_fm_free_tcam_entry_query() throws an error sometimes.
Conditions: This is always invoked for all the configurations that are attached.
Workaround: A running count to keep track of free entries in TCAM has been implemented. This solution might not work for a configuration whose size is as big as the size of TCAM.
Symptoms: About 10 minutes after CUBE boot, the router crashes with the following traceback: Traceback= 5B01805 46158ED 45F4F57 45BB19E 45BA1CF 451D6DC 4525549 45252D9 4519C30 45196A9 4778FFD. After the reload from the crash, it may take sometime before it crashes again.
Conditions: This symptom occurs when CUBE receives the SIP REFER message with the Refer-To header having no user part.
Workaround: There is no workaround.
Symptoms: RRI routes are not installed in DMAP. reverse-route is a configuration in the DMAP. This prevents packets from being routed through the intended interface, and hence packet loss occurs.
Conditions: This symptom is observed when a simple reverse-route is configured in DMAP without any gateway options.
Workaround: There is no workaround.
Symptom: While clearing the counters, we are seeing the error message. %IOSXE-3-PLATFORM: R0/0: kernel: /scratch/mcpre/BLD-BLD_V153_1_S_XE38_THROTTLE_LATEST_20121015_080026/os/linux/drivers/binos/i2c/psmcu/psmcu_main.c:read_from_psmcu (line 185): i2c_smbus_read_byte() returned -110. Other potential errors: %IOSXE-3-PLATFORM: R0/0: kernel: /auto/mcpbuilds13/release/03.08.00.S/BLD-03.08.00.S/os/linux/drivers/binos/i2c/psmcu/psmcu_main.c:read_from_psmcu (line 175): MCU set pointer command failed, -5.
Conditions: Error message should not been seen, while clearing the counters.
Workaround: There is no workaround.
Symptom: An incoming INVITE that is received by CUBE with a Replaces: header will dropped that Replaces if the outgoing INVITE must hunt through multiple outbound dial-peers.
Conditions: This was seen on CUBE in a SIP to SIP configuration running 15.2(4)M1.10
Workaround: There is no workaround.
Symptoms: Execution of the show run command and other commands such as copy run start and show access-list cause the router to stop for a few minutes before completing.
Conditions: This symptom is observed with Cisco ISR G2 routers. This issue is seen only with IPv6 configured and used.
Workaround: There is no workaround.
Symptom: Memory leak.
Conditions: periodic.
Workaround: There is no workaround.
Symptoms: RSA keys are not generated correctly.
Conditions: This symptom occurs when you first clear the RSA keys that are already generated on the router, and then generate the RSA keys.
Workaround: There is no workaround.
Symptom: High PPS in the single flow traffic can reduce the overall system performance by 90%.
Conditions: This symptom occurs only when there is a very large PPS in the single flow traffic and when NBAR is enabled
Workaround: There is no workaround.
Symptom: NAT address pool exhaustion with high DNS traffic.
Conditions: Payload addresses in DNS PTR record NATed without active NAT bindings. RFC 2694 suggests that DNS PTR queries should not be translated if no active bindings are found in the NAT translation table. Per current implementation, new NAT dynamic bindings are created when processing DNS PTR queries, eventually, contributing to NAT address pool exhaustion.
Workaround: The following workarounds are available:
– Add deny ACL to avoid NAT translation of unknown payload addresses in the DNS PTR query.
– Turn off DNS application-level gateway (ALG) service, if possible.
Symptom: Ucode crash when h323 ALG traffic passed through router.
Conditions: This symptom is seen with ALG traffic.
Workaround: Remove HSL logging. Problem is not seen.
Symptom: Show call active video compact command doesn't show any active video calls while testing EO-EO Secure Video Call over CUBE when SDP PassThru is enabled.
Conditions: This symptom occurs on running with IOS version- 15.3(0.14)T.
Workaround: There is no workaround.
Symptoms: IPsec SAs are not getting deleted even after removing ACL.
Conditions: This symptom occurs when using the IPsec feature with Cisco IOS Release 15.3(0.18)T0.1.
Workaround: There is no workaround.
Symptoms: In ASR B2B HA setup, the new active router crashes at ccsip_send_ood_options_ping immediately after switchover with OOD OPTIONS enabled.
Conditions: This crash is seen in the following scenarios:
– Standby router has OOD OPTIONS enabled either because it is present in startup configuration or enabled after boot-up.
– Disable OOD OPTIONS.
– When Switchover happens.
Workaround: Reload standby router once after OOD OPTIONS configuration changes from enabled to disabled.
Symptom: 2X1GE-SYNCE (metronome) SPA does not boot on a 2RU (Cisco ASR 1002).
Conditions: This symptom is observed from Cisco IOS XE Release 3.7.0S onwards, when the metronome SPA (2X1GE-SYNCE) fails to boot on a 2RU. An error message indicating that the SPA is not supported is displayed on the RP console.
Workaround: There is no workaround.
Symptom: The GETVPN/GDOI Secondary Cooperative Key Server (COOP-KS) does not download the policy, that is, when the show crypto gdoi ks policy command is issued on the Secondary COOP-KS and the command output shows that no policy is downloaded and Group Members (GMs) registering to the Secondary COOP-KS fail to register without any warning or error message.
Conditions: This symptom is observed when the GETVPN/GDOI group (with COOP configured) has an IPSec Profile configured with one of the following transforms in its transform-set: - esp-sha256-hmac - esp-sha384-hmac - esp-sha512-hmac
Workaround: Use esp-sha-hmac as the authentication transform.
Symptom: QFP crashes with ICMPv4 error packets when ZBF debugs are enabled (debug platform hardware qfp active feature firewall datapath global all detail).
Conditions: This symptom is observed when ZBF debugs are enabled.
Workaround: Do not enable ZBF debugs with detail or drop keywords for all traffic. Instead, enable ZBF debugs only for the traffic you like to debug. For more information, See CSCtf45361.
Symptom: GTPv1 memory chunk leak.
Conditions: This symptom is observed when the GTP AIC is configured
Workaround: There is no workaround.
Symptom: %NAT: VRF ID 2385 does not exist is seen in the output of show run vrf.
Conditions: If a VRF is defined without configuring an address-family, then this message is displayed when the user executes the show running vrf command.
Workaround: The show command output is valid. This has no impact on functionality.
Symptom: Error %Port <> is being used by system while configuring the static nat with the same ports for different IP addresses as shown below, we can sometimes get an error message %Port 1720 is being used by system: ip nat inside source list IP_PBX_MP_NAT_ACL_PUB interface Loopback12 overload ip nat inside source list IP_PBX_MP_NAT_ACL_SUB interface Loopback13 overload IP NAT inside source static tcp 161.92.7.42 1720 interface Loopback12 1720 ip nat inside source static tcp 161.92.7.43 1720 interface Loopback13 1720 This issue happens when we have nat with overload statements configured before we configure static nat for ports.
Conditions: This happens if we have NAT with overload statements are configured first. Workaround: Remove all NAT statments and configure the static NAT before the NAT overload. (Note that we will get the failure message again at the reload time since the commands are nvgenned with the overload command first.)
Symptom: The nat64 map-t subcommands cannot be syntax checked when running config check syntax.
Conditions: This applies only when the user runs config check syntax in the syntax check mode.
Workaround: There is no workaround.
Symptom: VFR subblock remains without CLI IP virual-reassembly displayed.
Conditions: This symptom is observed when NAT is enabled without VFR and VFR is re-enabled.
Workaround: Do not enable the VFR manually.
Symptom: CPP crashes on overlord when the show command is executed.
Conditions: There is no known conditions.
Workaround: There is no workaround.
Symptom: Ingress QoS policy-maps on frame-relay type interfaces do not correctly show QoS policy-map packet counters.
Conditions: This problem only occurs when egress QoS policy-maps are attached to a frame-relay sub-interface and to a frame-relay DLCI on that same sub-interface.
Workaround: Apply egress QoS policy-maps to only the frame-relay sub-inteface or to the frame-relay DLCI.
Symptom: IKEv2 framed route support on server is required.
Conditions: IKEv2 framed route support on server is required.
Workaround: There is no workaround.
Symptom: RTSP Timeout doesn't work on VXML GW when Bargein is set to N. IOS 15.1.M4 CVP 9.01 ICM 9.02. When the vxml GW receives the following, RTSP will not timeout <prompt bargein="false" cisco-maxtime="30s" cisco-typeaheadflush="false" > <audio src="rtsp://10.2.247.40/rtpencoder/moh.sdp" fetchtimeout="4s" /> When the vxml GW receive the following, RTSP will timeout at 30 seconds <prompt bargein="true" cisco-maxtime="30s" cisco-typeaheadflush="false" > <audio src="rtsp://10.2.247.40/rtpencoder/moh.sdp" fetchtimeout="4s" />
Conditions: This symptom is observed when Bargein is set to N.
Workaround: There is no workaround.
Symptoms: Path confirmation fails for blind transfer scenarios for both SIP Line and trunk-side scenarios.
Conditions: This symptom is observed if no supplementary-service sip refer is configured.
Workaround: Configure supplementary-service sip refer.
Symptom: Unexpected logs printed in the console during configuration. *Oct 17 06:54:50.711: %FMFP-3-OBJ_DWNLD_TO_CPP_FAILED: F1: fman_fp_image: PORTLIST: (tcp/50.1.1.1 port 4096 - 5119) download to CPP failed *Oct 17 06:54:50.534: %FMFP-3-OBJ_DWNLD_TO_CPP_FAILED: F0: fman_fp_image: PORTLIST: (tcp/50.1.1.1 port 4096 - 5119) download to CPP failed.
Conditions: This Symptom is seen when the configuration includes dynamic PAT (Port Address Translation) with the interface overload.
Workaround: There is no workaround.
Symptom: The packet is dropped with the reason NatIn2out.
Conditions: This symptom is observed due to the PAT.
Workaround: There is no workaround.
Symptom: RP is crashed.
Conditions: This symptom is observed after flapping the ATM sub-interface that is configured with the ATM bundle 8192 times
Workaround: There is no workaround.
Symptom: Values of certain flows have incorrect jitter values when MMON is activated on non-video UDP traffic jitter.
Conditions: Non video and/or UDP traffic is being injected to the MMON engine. May also happen on video traffic before it is classified as such (first few packets). This is self corrective. This is unlikely to happen as usually MMON is enabled on specific media flows.
Workaround: There is no workaround.
Symptom: QFP crashes.
Conditions: Packets are replicated and field in_interface in pkt_state is invalid.
Workaround: There is no workaround.
Symptom: Ucode crashes.
Conditions: This symptom is observed while testing the frf12 feature.
Workaround: There is no workaround.
Symptoms: When a dynamic cryptomap is used on the Virtual Template interface, SAs are not created and the testscripts fail. This issue occurs because the cryptomap configurations are not added to the NVGEN, and hence there is no security policy applied on the Virtual Template interface.
Conditions: This symptom occurs only when a dynamic map is used on the Virtual Template interface. However, this issue is not seen when the tunnel protection is used on the Virtual Template interface or when a dynamic map is used on the typical physical interface.
Workaround: There is no workaround apart from using tunnel protection on the Virtual Template interface.
Symptom: The following message can be seen on Cisco ASR routers which runs IOS-XE: FAILED: File [location]:[name] is not a valid consolidated package file.
Conditions: Multiple conditions can lead to this error message. One of these is if the specified file doesn't exist at the path specified. The reason for failure is not clear.
Workaround: There is no workaround.
Symptom: The router is crashed with ucode traceback.
Conditions: This symptom occurs while adding 32 Service Node Group under Service Context and removing them.
Workaround: There is no workaround.
Symptom: When TCP SYN packet is sent with no specified MSS, the default value is set to 0, not to 536, as on other platfroms.
Conditions: TCP SYN packet is sent with no MSS specified.
Workaround: There is no workaround.
Symptom: Receive a for_us packet with multiple (thousands of) tunnel headers, make ESP crash.
Conditions: Router A-------Router B-------Router C there is a tunnel T1 between A and C. In the router A, there is a PBR that makes the packets from B transmitted through T1. In router B there is a default route pointing to A. Then in router A a packet is transmitted through T1 encapsulated with a GRE header. When this packet arriving at router B, due to the flapping of route between B and C, it cannot be sent to C. But it will be sent to A because of the default route. When the packet arriving at A, according to the PBR rule, it will be transmitted through T1 again encapsulated one more GRE header. again and again, this packet will be encapsulated with thousands of GRE header. At last, when the route between B and C no longer flaps, it will arrive at C, and make C crash.
Workaround: Workaround for customer's scenario: Customer can configure a ACL in router C 's tunnel T1 interface, deny the packet if it has an inner header with the same src addr and dst addr with outer header. But this workaround can't cover the scenario of an attack packet encapsulated with multiple different tunnel headers.
Symptom: Perf-mon flow timeout or expiry takes longer than expected
Conditions: The functionality related to timeout or expiry of flows after media stop event seems to be taking longer than expected. The related configs are: - monitor params interval duration <x" and timeout <y>, under policy-map class submode or - cache timeout.. <x> and history size <value> timeout <y> under Perf-mon flow monitor config mode
Workaround: There is no workaround.
Symptom: sip-notify is not getting negotiated in the mid-call. After the midcall invite, rtp-nte to sip-notify dtmf negotiation falls to rtp-nte to default inband-voice
Conditions: This symptom is observed with IOS version: 15.3(1.2)T.
Workaround: There is no workaround.
Symptom: CallManager intermittently fails to reply to SIP messaging when a hostname is present in the host field. This will occur when CallManager fails to resolve the hostname quickly enough resulting in the messaging being dropped.
Conditions: This symptom is observed TCP or TLS is used. UDP will not experience this issue.
Workaround: Do not use a hostname in the host field for SIP messaging.
Symptom: 2921 crashed twice due to http caching. The crashes happened in about 1 month from each other. At least one of them was triggered by issuing clear http client cache. However not every issue of "clear http client cache" causes the crash.
Conditions: This symptom is obsrved when 912 is running as a gateway.
Workaround: There is no workaround.
Symptom: IP may reload during MDR due to ESI reconciliation failure with active ESP.
Conditions: Extremely rare race condition.
Workaround: There is no workaround.
Symptoms: The WCCP stops working after adding Cisco IOS Zone Based Firewall (ZBF. Message of WCCP packets being redirected can be seen but not leaving the Cisco ASR router.
Conditions: This symptom is observed when Cisco ASR router with netflow and ZBF is enabled under the same interfaces.
Workaround: Disable netflow on all the interfaces.
Symptom: Phase 2 for EzVPN client with split network and VTI does not come up if IPSec SA goes down.
Conditions: The root cause of the issue is that IPsec SA is not being triggered after IPsec SA is down due to no traffic. So in spite of traffic IPsec SA is not coming up leading to packet drops in client network. The same problem is not seen with Cisco IOS Release 15.0(1)M7. This behavior is introduced post-PAL where virtual-interface creates a ruleset where traffic cannot trigger IPsec SA again once IPsec SA is deleted.
Workaround The following are workarounds for this symptom:
– Configure ip sla on EZVPN client for split networks, so that IPSec SA will not go down.
– Remove virtual-interface from EZVPN client profile if it is not needed.
Symptom: The ucode crash is seen.
Conditions: This symptom occurs when configuring or unconfiguring the static NAT in B2BHA setup.
Workaround: There is no workaround.
Symptom: Incorrect show running-config all after running no vxml audioerror.
Conditions: This symptom occurs when there is no vxml audioerror in the show running-config all command.
Workaround: Run show running-config.
Symptom: One-way voice audio issue is seen over CUBE after session re-INVITE is sent.
Conditions: This symptom is observed with the following call flows:
– Signaling: Cisco IP phone ==> CUCM ==> CUBE ==> CCIPL ==> CCIPL IP phone
– Media: Cisco IP phone <=== sRTP ==> CUBE <== RTP ==> CCIPL IP phone
Workaround: Do not use SRTP on the CUCM <-> CUBE leg.
Symptom: The performance of urpf with acl gets downgraded.
Conditions: The downgrading has been found since 15.3(01)S.
Workaround: There is no workaround.
Symptom: For some reason the EzVPN server send the savepwd off. When it does, the client fails to establish the connection.
Conditions: There is no known conditions.
Workaround: Run the client in interactive mode authentication.
Symptom: A crash occurs in CME while accessing a stream in sipSPIDtmfRelaySipNotifyConfigd.
Conditions: This symptom occurs in CME.
Workaround: There is no workaround.
Symptom: Match not APN is not working.
Conditions: This symptom occurs during the basic GTP message flow.
Workaround: There is no workaround.
Symptoms: The extension mobility feature is failing.
Conditions: This symptom is observed in Cisco IOS Release 15.3(2)T.
Workaround: There is no workaround.
Symptom: CPP CVLA traceback appears.
Conditions: This may happen during monitor configuration rollback when configuration fails.
Workaround: There is no workaround.
Symptom: Traceback is seen in 302 consume SDP pass through scenario.
Conditions: This symptom occurs when the UUT is failing on 15.3(0.19)S.
Workaround: There is no workaround.
Symptom: Traffic is be redirected to WCCP client even when defined as deny in wccp redirect ACL.
Conditions: WCCP on ASR1K.
Workaround: The following are the workarounds for this symptom:
– Move the deny entries before the permits when possible (especially for deny... host...), but it still may not work in some situation.
– Use different redirect ACLs for each service, and remove the unnecessary ones for specific services.
Symptom: The Cisco router crashes upon clearing of the AppNav counters.
Conditions: This symptom can occur in a normal running device.
Workaround: There is no workaround.
Symptom: T1 Controller will not be marked as DOWN when there are alarms after RP Switchover.
Conditions: RP Switchover.
Workaround: SPA Soft OIR.
Symptom: There is no sync of SADB on an active router when it reloads from the current standby router.
Conditions: This symptom occurs when the active and standby routers are up. Whenever a session is up, there is a sync of SADB from active to standby. When active reloads and is up, there is no sync of SADB from the current active router.
Workaround: Remove the isakmp-profile configuration under the crypto map.
Symptoms: After the reload, ISDN layer 1 shows as deactivated. Shut or no shut brings the PRI layer 1 to Active and multiframe is established in layer 2.
Conditions: This symptom occurs when voice-class busyout is configured and the controller TEI comes up before the monitored interface.
Workaround: Remove the voice-class busyout configuration from the voice-port.
Symptom: The VG224 phone can not hear FAC tone.
Conditions: This symptom is observed during the config cptone br under voice-port.
Workaround: Change cptone to us.
Symptom: The cpp_svr crashes.
Conditions: This symptom is obsrved with Policy-Aggregator scalability config.
Workaround: There is no workaround
Symptom: The SPA buffer oversubscription causes a message to be logged indicating the packet drops in the SPA.
Conditions: This symptom is observed during reconfiguration, flow-control cannot be set correctly on the ESP resulting in broken flow-control on the interface being reconfigured.
Workaround: There is no workaround.
Symptom: Traceback appears and the packet is dropped with uRPF specific cause.
Conditions: Remove and add uRPF and ACL configuration in the following manner while the traffic is runnin:, copy remove_config running and copy add_config running.
Workaround: There is no workaround.
Symptom: The cpp_svr crashes.
Conditions: This symptom is obsrved with Policy-Aggregator scalability config.
Workaround: There is no workaround.
Symptom: iDivert call to voicemail failed in flow-around mode for both consult and blind transfer scenarios
Conditions: This symptom is observed when running with IOS version 15.3(1.4)T.
Workaround: There is no workaround.
Symptom: CPC request message is passed by AIC and sent to another side.
Conditions: This symptom is observed when the IMSI is invalid.
Workaround: There is no workaround.
Symptom:CPP crash with core dump file and traceback.
Conditions: This symptom is observed when the session setup rate is 10.
Workaround: There is no workaround.
Symptom: ASR router may crash running under heavy load
Conditions: This issue is considered an extreme corner case caused by the exhaustion of resources combined with the aggressive polling of information through CLI while the system is overloaded.
Workaround: There is no workaround.
Symptom: CPP error and traceback when ATM PVC sub-interface deleted or reconfigured.
Conditions: This symptom is observed when ATM PVC in sub-interface is configured under ATM PVP.
Workaround: There is no workaround.
Symptom: Accesses to the midplane EERPOM or power supply fails.
Conditions: This symptom is observed when the system has dual RPs.
Workaround: There is no workaround.
Symptom: Router crash at speed dial.
Conditions: This symptom occurs during the speed dial.
Workaround: There is no workaround.
Symptom: This is a backout of the PI commit of CSCuc10263.
Conditions: The initial implementation of enabling logging to CC required dependency on the PI code committed. But after the code review for the PD the PI commit is not required. Hence Backing out.
Workaround: There is no workaround
Symptom: CUBE could not handle multiple 18x responses with different to-tags in early dialog.
Conditions: When 18x responses doesn't contain SIP Contact header.
Workaround: Include Contact header in 18x responses.
Symptom: The interface hierarchy gets corrupted during OIR such that subsequent reconfiguration events lead to a system crash. Impacted Platforms: ESP-100 and VXE-2, aka Yoda platforms. Not Impacted Platforms: All CPP10 platforms, i.e. ESP-10, ESP-20, ESP-40, etc. It also does not impact Overlord and ultra.
Conditions: The FRF.12 P3 queue is not removed from the interface during OIR. The code assumes all features would have been removed from the interface before the default queue is removed. When the default queue is re-added while the P3 is already active, its sub-hierarchy is built on top of the leaf node for the P3 queue. This causes the hierarchy to grow exponentially to a point where programming the hardware fails.
Workaround: Remove FRF.12 before OIR and re-apply it after OIR. While this should work when done manually or via a script, it may be unreliable in the real world where OIR could occur due to swapping out one SPA for another unless the user remembers to disable FRF.12 before swapping the SPAs.
Symptom: Dialling FAC (Feature Access Codes) in the On-Hook state and then going Off-hook causes the phone to dial the last called number (Redial Operation).
Conditions: This symptom occurs when FAC (Feature Access Codes) Standard or Custom is configured.
Workaround: There is no workaround.
Symptom: See some drops: FirewallInvalidZone 12676.
Conditions: ASR with WCCP and ZBF and netflow both configured.
Workaround: Ping the destination on ASR1000 before introducing WCCP traffic.
Symptoms: Packet drop might be observed during IP Security (IPSec) rekey.
Conditions: This symptom is observed on a Cisco ASR1000 series router when functioning as an IPSec termination and aggregation router, with Internet Key Exchange.
Workaround: There is no workaround.
Symptom: DHCP reply message was dropped in the data plane after RPSO or clear ipv6 neighbor.
Conditions: This symptom is observed during the following situations:
– Setup DHCPv6 binding
– Clear IPv6 neighbor or RPSO and without traffic before adjacency convergence then DHCP reply message will be dropped in data plane.
Workaround: The following are the workarounds:
– Send downstream traffic to the client that will re-learn the neighbor.
– Clear IPv6 route X::X/prefix <dhcp installing route> to re-learn the neighbor.
– Client is reconnected after the timeout of DHCP session.
– Client sends RS or NS.
Symptom: ERSPAN only could monitor ZBFW interface Rx packets.
Conditions: ERSPAN packets will be drop if the ERSPAN output interface is not in same zone with moitor interface
Workaround: Configure ERSPAN output interface with same zone with monitored interface
Symptom: ucode along with the fman_fp cores is seen in the supporting FP80 router.
Conditions: This symptom is observed on the flapping member link interface in the UUT.
Workaround: There is no workaround.
Symptom: Many tracebacks are printed in the console when GTPv2 messages are handled.
Conditions: Attached configuration is imported. It can be triggered too if layer 7 drop is configured.
Workaround: There is no workaround.
Symptom: ucode along with fman_fp core seen in UUT with GTP_AIC_FUNC_POLICY_CHANGE
Conditions: This symptom is observed while sending traffic from SGSN.
Workaround: There is no workaround.
Symptom: sh per-call buffer list output shows an extra 'I' in the LAST UPDATED column.
Conditions: This symptom is observed when the Per-Call debugging is enabled
Workaround: There is no workaround.
Symptom: Memory leak in GTP PDP pool.
Conditions: GTP AIC must be configured.
Workaround: There is no workaround.
Symptom: Communication broken. Update PDP context requests are dropped if GSN address is not identical with GSN address provided in Create PDP context request.
Conditions: 3GPP communication on GRX interface. Roaming mobile users from GRX to inside can have different GSN address information.
Workaround: There is no workaround.
Symptom: Due to the change of CSCud35735: ASR1K: ucode crash @gtp_aic_match_policy. It is a defense for smtp aic, as the function call re_multi_match_ascii may result crash?
Conditions: When the function re_multi_match_ascii meet some invalid array address,it would return 0xFFFFFFFF as the match length,here in smtp aic,it should be protected from this exception?
Workaround: There is no workaround.
Symptom: The two causes are:
– Might be no monitoring.
– Trackback message appears in log: 1#7e4ed294e9cee774e6d357fbecf1228d errmsg:CB20000 2230 cpp_common_os:D1AD000 BBB0 cpp_common_os:D1AD000 B9C0 cpp_common_os:D1AD000 1903C cpp_fnf_svr_lib:FE68000 15D64 cpp_fnf_svr_lib:FE68000 1C2D0 cpp_fnf_svr_lib:FE68000 18E84 cpp_common_os:D1AD000 10A94 cpp_common_os:D1AD000 110CC evlib:CEF1000 E0DC evlib:CEF1000 104C4 cpp_common_os:D1AD000 127E8:10000000 4710 c:A526000 1E938 c:A526000 1EAE0.
Conditions: The issue occurs:
– On 3.8 Ver: Happens randomly if HTTP tool is deployed several times.
– On 3.7 Ver: Happens randomly if AVC1.5 tool is deployed several times.
Workaround: Reapply the configuration.
Workaround: There is no workaround needed here as this is the data used for the information about the peer for the user. No impact.
Symptom: ESP reload
Conditions: ASCII ALG traffic requiring TCP seq/delta fixup on payload length change due to address translation. This reload could occur rarely with very long lived TCP connections. Workaround: Turn off the ALG likely causing the issue.
Symptom: Client/Server IPs are interchanged in CLI sh serv-in statis conn on Peer AC's.
Conditions: Client/Server IPs are interchanged in CLI sh serv-in statis conn on Peer AC's. This symptom is observed when there are 4 AC's in the ACG and the context is up and Operational. Some traffic is sent and only one AC owns that flow. When the CLI sh service-inse statis conn is executed on the AC, which owns the flow it shows the right output. But when the same command is executed on other AC's the Client and Server IP 's are interchanged.
Workaround: There is no workaround.
Symptom: Stale PVP object seen.
Conditions: Do a RP switchover with a PVP configured on ATM port and cdvt global config enabled on Barbarian SPA.
Workaround: There is no workaround.
Symptom: QFP may reload.
Conditions: The known conditions for this are to have oneFirewall and NAT configured on a ASR1002-X, but crash is intermittent.
Workaround: There is no workaround.
Symptom: The first and last timestamps shown in the output of show flow monitor <name> cache command shows incorrect values on an ASR1K with RP1 route processors.
Conditions: This symptom occurs during the following situations:
– Attach a record that contains timestamp sys-uptime first and / or timestamp sys-uptime last field(s) to a monitor. Predefined records such as "netflow-original" already have these fields defined.
– Under the interface config mode, configure the above defined monitor using [ip | ipv6 | mpls] flow monitor <name> (sampler) [input | output]
– Issue the following show command to see the cached records: show flow monitor <name> cache.
– In the output of the above show command, the values displayed for the first and last timestamp fields can be incorrect.
Workaround: There is no workaround.
Symptom: map-request is missing in xTR.
Conditions: This symptom is observed in the CLI lig self all.
Workaround: There is no workaround.
Symptom: Hit a ipfrag traceback. Mar 12 20:18:34: IOSXE-3-PLATFORM F0: cpp_cp: QFP:0.0 Thread:116 TS:00000154141676112657 FRAG-3-REASSEMBLY_ERR Reassembly/VFR encountered an error: Failed to restore packet persist state -Traceback=1#414e7dc23f4098796bcf8e5a8b3063ad 804c085b 8051a7ae 80276582 80277b0d 80277b6f 80475481 800976d1 804b07e9 Mar 12 20:18:48: IOSXE-3-PLATFORM F0: cpp_cp: QFP:0.0 Thread:082 TS:00000154156360067524 ATTN-3-SYNC_TIMEOUT msecs since last timeout 154149821, missing packets 43
Conditions: Thiis symptom is observed when fragments received and fragments reassembly related packets are dropped.
Workaround: There is no workaround.
Symptom: FP crash.
Conditions: up to 70~80K translation sessions, SIPand H323 mixed traffic
Workaround: There is no workaround.
Symptoms: The Gateway fails to send ACK after 200 OK while testing DNS/SRV Lookup on a VOIP peer with weight/priority.
Conditions: This symptom is observed when a Cisco router is loaded with c2900-universalk9-mz.SSA.153-1.7.T image.
Workaround: There is no workaround.
Symptom: hash table not memset for ALG during intialization.
Conditions: This symptom occurs during the following conditions:
– Start sip/h323/... traffic
– Establish NAT session over 60~70K
– Send CLI combinations with below actions:
- clear ip nat trans *
- shutdown inside / outside traffic interfaces
- remove nat/alg config
- reconfig nat/alg and unshut interfaces
Workaround: There is no workaround.
Symptom: Extended data forwarding outage when MLPPPoLNS session forwarded to a new link due to a OSPF link change. Possible MLPPP member link session flap.
Conditions: When a MLPPPoLNS session is defined using a member link session with multiple paths to the destination LAC via OSPF, if the member link session interface changes after the session is active a extended data forwarding outage may occur due to the OSPF link change. Possible MLPPP member link session flap may also occur.
Workaround: There is no workaround. Also keep in mind that even with the fix associated with bug report, per packet load balancing is NOT supported with MLPPP. Only per destination packet load balancing.
Symptom: No-way voice occurs after transferring external calls to an external recipient. The PBX does a external transfer and uses a new transaction leg which indicates that media should be hair pinned on the SBC, but no media is heard. PBX(A)----SIP-----SBC(B)----SIP-----service-provider(C)
The following are the different Call scenarios:
– PBX(A) user dials external party (towards C) the calls is answered.
– PBX(A) user presses the conference/transfer key which places the call on hold. MOH is heard by the external party.
– PBX(A) user dials external party (towards c) and the call is answered.
– PBX(A) user completes the call transfer.
– The call transfer is completed, but no audio is heard, by either A or B.
Conditions: The issue occurs only when all of the below conditions happen together:
– One side has nat enabled and rtp comes before sdp offer/answer is completed.
– Four calls are modified to two hair pin call sets, that is two calls are hair pined.
Later call modification makes four calls hair pined together
Workaround: There is no workaround.
Symptom:ESP crashed with multicast service reflect config when recieving udp fragmented packets
Conditions: multicast service reflect configured udp fragments recieved in the VIF interface.
Workaround: There is no workaround.
Symptom: In a Flex scale setup, few of the framed routes do not get installed even though all the sessions come up fine. As a result, traffic flow is affected.
Conditions: Perform clear crypto session on the headend. Sessions will be triggered again from SVTI. For few of the sessions, framed route is not installed.
Workaround: There is no workaround.
Symptom: The router crashes due to a hardware interrupt.
Conditions: When FRF.12 is configured on ESP100 or 1RUVE2, the recycle queue cannot be changed on-the-fly because there may be packets inflight that will be enqueued to this queue by the hardware.
Workaround: There is no workaround.
Symptom: na-src-adj table does not work for text userid.
Conditions: This symptom is seen always.
Workaround: There is no workaround.
Symptom: iDivert call to voice mail failed after call forward
Conditions: When running with IOS version - 15.3(1.8)T
Workaround: There is no workaround.
Symptom: Build breakage occurs due to CSCub81489 partial export to mcp_dec.
Conditions: This symptom is observed with export to mcp_dec.
Workaround: There is no workaround.
Symptom: ucode crash is seen with nat tgn mode and CLI operation during traffic
Conditions: This issue occurs during the conditions:
– setup sip/h323 traffic
– shut ->clear ip nat tr * -> unshut
– remove ip nat shut clear ip nat tr *
Workaround: There is no workaround.
Symptom: The control process crashes during the reconfigurations on ESP100 or 1ruve2.
Conditions: This issue occurs during the reconfigurations such as adding a hierarchical policy to an ATM, changing a class-of-service for an ATM VC, etc. and results in a new scheduling hierarchy.
Workaround: There is no workaround.
Symptom: The vTCP reset storm is observed in NAT/ALG back-to-back deployment.
Conditions: The issue occurs during the following conditions:
– A TCP NAT session is established between two ASR1K.
– Abnormal ALG packets are received from both the sides.
– An additional TCP segment is received by ASR 1K after ASR1K sends out the TCP RST.
Workaround: Manually clear the affected NAT session.
Symptom: fp20 & fp40 cards crashes if single bit parity error occurs on TCAM device#1.
Conditions: TCAM (hardware) single bit parity errors are very rare and recoverable. Due to a defect in fault recovery code FP crashes instead of recovering from this hardware error.
Workaround: There is no workaround. May not run into this problem again after FP is rebooted.
Symptom: The crashinfo file is not generated.
Conditions: This issue is specific to the ASR1K and the RP1. RP2 doesn’t have this issue. It has been seen for Software Forced Crashes.
Workaround: There is no workaround.
Symptom: The log messages for REJECT Create Session Response message is not printed in the sys-log.
Conditions: This symptom is observed when the GTP AIC is configured in the UUT.
Workaround: There is no workaround.
Symptom: SPA-2CHT3-CE-ATM is flapping with Nortel Passport due to the fast bouncing of up or down 10s, after the interface is brought up.
Conditions: This symptom is observed in E3 and DS3 mode.
Workaround: There is no workaround.
Symptom: Some IPv6 subscribers fail to come up in a scenario in which there is a frequent session churn.
Conditions: The issue occurs on an ASR 1K router, for IPv6 subscribers that have traffic classes configured. It occurs when the sessions are torn down soon after coming up. It can also involve a change to a session's complement of traffic classes shortly after coming up, but before being torn down. A number of pending objects can register in the output of the show platform software object-manager fp active statistics command.
Workaround: Remove the pending objects by performing an FP switchover on ASR 1K routers that have two of them. Before performing an FP switchover, make sure that there are not any pending objects on the standby FP. This can be determined by using the command show platform software object-manager fp standby statistics. If the standby FP has pending object counts when the system is in steady-state, it should be reloaded and checked for pending objects after it comes back. If the new pending object counts reach is 0, then proceed with an FP switchover.
Symptom: Outbound traffic does not flow.
Conditions: This symptom occurs when configuring the IPv4 VRF aware IPSec with crypto maps with ivrf=ivrf1 and fvrf=global.
Workaround: There is no workaround.
Symptom: The ESP100 is crashed.
Conditions: The issue occurs when the NAT is configured, TCP segments size is larger then 26K, ESP100, or 1002-X.
Workaround: Add no payload-option in the nat entry to disable all alg or disable a specific DNS tcp alg by using the command no ip nat service dns tcp.
Symptom: Reload of standby QFP can (rarely) occur.
Conditions: This symptom is observed when IOS-XE NAT is configured and is used in HA mode (either intrabox or box-to-box) and a clear ip nat trans or NAT configuration is changed while there are translations.
Workaround: There is no workaround, but this is a very rare condition.
Symptom: The MMA objects are not removed after policy detach. This can be seen with the following CLI command: show platform software object-manager fp active object-type-count | inc mma. Eventually, this can lead to a failure in applying a Seawolf configuration.
Conditions: This symptom is observed during the massive sequence of policy attach or detach operations.
Workaround: There is no workaround.
Symptom: Records are not generated even after several configurations.
Conditions: This symptom is observed during Config replace or any other massive performance policy configuration.
Workaround: There is no workaround.
Symptom: The FP is crashed.
Conditions: The issue occurs when the QoS is configured on physical interface, which is bind to a BDI interface. Stile is configured on the same BDI interface.
Workaround: There is no workaround.
Note Stile is not supported on BDI interfaces and must not be configured on it.
Symptom: Incorrect MMON/ART metrics reported and/or crash.
Conditions: The issue occurs in some rare cases, when:
– Packets of the same flow are processed by FME on more than one interfaces.
– FME processes from the second interface and continues further, ends due to some error (rare case).
Workaround: There is no workaround
Symptom: The ESP cpp_cp_svr process crashes, with the trace back pointing to the cpp_ess_ea_ffr_entry_free function.
Conditions: The issue occurs during the session teardown.
Workaround: There is no workaround.
Symptom: Tunnel QoS is broken.
Conditions: This symptom is observed when the tunnel target interface is ATM sub-interface.
Workaround: There is no workaround.
Symptom: Presence of FP core file.
Conditions: Under certain very rare (unreproducible in lab) conditions, multicast LRE code can run out of rbufs while serially processing the packets, presumably, because feature chain is executed.
Workaround: Disabling MLRE through the configuration command platform multicast lre off can be done if condition occurs.
Symptom: CPPOSLIB-3-ERROR_NOTIFY error messages are reported while trying to configure the inspect policy for the ZBF in ASR1K.
Conditions: ZBF config, good number of entries in the ACL maps under the class-map
Workaround: Reload the ESP and remove the ACL entry that is creating the issue.
Symptom: An error message SBC: SBC ^T^U^\V is not configured is printed when activating sbc.
Conditions: The issue occurs when the activate command is Run just after the command media-address ipv4...
ASR-1001-CCN-7(config)#sbc test ASR-1001-CCN-7(config-sbc)#sbe ASR-1001-CCN-7(config-sbc-sbe)#media-address ipv4 1.20.0.2 vrf vrfa ASR-1001-CCN-7(config-sbc-media-address)#activate SBC: SBC ^A^T not configured.
Workaround: exit sbc, and enter sbc again, then Run the activate command.
Symptom: AVC functionality (performance monitor and media-net) was missing from advipservices image. It was only present in adventerprise.
Conditions: When loading an advipservices image, AVC functionality could not be configured.
Workaround: There is no workaround.
Symptom: The ASR 1000 router can result in a ucode crash when the box is running NAT with oer keyword and also running PfR.
Conditions: The issue occurs when the NAT is configured with the oer keyword on NAT mapping and PfR is used for traffic optimization, doing a shut or no shut on a PfR external link also happens to be the NAT outside interface, which can result in a crash if the traffic is flowing.
Workaround: Avoid doing a manual shut or no shut on the PfR external interfaces when running with NAT. If you must do a shut or no shut, shut down the NAT inside the interface first, then do a clean ip nat trans * and then shut the PfR interface
Symptom: Sometimes the fman_aom_cce traceback is seen.
Conditions: This symptom is observed only with certain configurations
Workaround: There is no workaround.
Symptom: ASR1K router that is running the NAT with a keyword oer in the NAT overload mapping can cause disruption to the NATted sessions when the PfR feature changes the exit link.
Conditions: ASR1K router that is running the NAT with PfR with a oer keyword in the NAT configuration can result in this condition.
Workaround: There is no workaround.
Symptom: The ASR1K ESP crashes (ucode core file created) when compressed packets are sent on a Multilink PPP interface using IOS XE 3.5 and earlier ASR1K software images. On IOS XE3.6 and later ASR1K software images a crash does not occur, but routed traffic on configured interfaces are not forwarded. But, local traffic between the peer routers can be forwarded. In all releases, routed traffic will be dropped on any other interfaces (for example, PPP, Multilink PPP, HDLC, and so on.) configured for this mode of compression.
Conditions: The issue occurs if the legacy IOS compression feature compress [mppc | stac | predictor] is configured on any interface (for example, PPP, Multilink PPP, HDLC, and so on.). If this feature is configured on a Multilink PPP interface then the ESP crash can be encountered if using an IOS XE3.5 or earlier ASR1K software image.
Workaround: Remove the compress [mppc | stac | predictor] feature configuration from all interfaces as this functionality is not supported on the ASR1K. The software fix associated with this bug report will be removing this configuration option from the ASR1K.
Symptom: Kingpin: plim tx drop if gi0/0/0 is used as tunnel source physical interface.
Conditions: The issue occurs when Gige interface as SVT tunnel source interface and 4K QoS policy is applied to 4K SVTI tunnel.
Workaround: There is no workaround.
Symptom: An ASR1K running 03.06.00.S.152-2.S can crash due to a NAT bind age timing.
Conditions: This issue is a rare timing condition which is triggered by the RG infra toggle.
Workaround: There is no workaround.
Symptom: The GTPv2 drop counter increments, when actually, no messages are dropped.
Conditions: The issue occurs when the cause value in Create Session Response is 78.
Workaround: There is no workaround
Symptom: Router reload.
Conditions: The issue occurs during the heavy AVC traffics.
Workaround: There is no workaround.
Symptom: Cannot include "." in the variable name, used in header editor.
Conditions: The issue occurs always.
Workaround: There is no workaround
Symptom: When configuring an ACL for both IPv4 and IPv6 in a policy-map, the policy-map does not work properly.
Conditions: The issue occurs when an ACL is configured for both IPv4 and IPv6 in a policy-map and when the policy-map is attached to an interface or control-plane.
Workaround: Use IPv4 ACL and IPv6 ACL in a same class-map with match-any.
Symptom: When traffic is sent with VLAN2 tag between two ixia ports through ASR1004 as below. After executing the command show controller, input vlan errors can be found and the counter increases without any packet drops. It is also found that when show interface command is executed, the value of input errors counter under related interface is 0
Conditions: There is no known condition for this symptom.
Workaround: There is no workaround.
Symptom: Symptom: The aggregation-type prefix-length of PfR cannot be configured to less than 16. If so, the number of learned prefix will be much less than what it must be.
Conditions: The issue occurs when PfR is enabled.
Workaround: It is better to configure the aggregation-type prefix-length of PfR to greater than 24.
Symptom: Symptom: The current session for control plane is too small.
Conditions: The issue occurs during the basic GTPv1 configuration, and GTPv1 traffic.
Workaround: There is no workaround.
Symptom: There is no functional impact to the system performance, warning messages will be seen only during initialization of the router and there are no security concerns on these units: *Dec 16 17:58:02.432: IOSXE_PLATFORM-3-WDC_INVALID_LENGTH WDC length can not be determined: 65535. *Dec 16 17:58:10.703: PLATFORM_SCC-1-AUTHENTICATION_FAIL Chassis authentication failed *Dec 16 17:58:10.703: IOSXE_AUTHENTICATE-2-AUTHENTICATE_FAILED. The platform authentication failed.
Conditions: Programming of Quack & WDC (Watch Dog Certificate) was accidently disabled in manufacturing during the regression testing. This caused units to ship without Quack & WDC programming. These messages show up at boot up for these specific units that had the quack disabled
Workaround: There is no workaround.
Symptom: Need to backout due to the hardware limitation.
Conditions: Fix not needed due to the hardware limitation.
Workaround: There is no workaround.
Symptom: FDT charts in CM GUI are improper.
Conditions: This symptom is observed due to the inconsistency between actual output of show policy-map target service-context command and its XML equivalent.
Workaround: Check the corresponding WAAS (WAE) TCP graphs for achieved optimization.
Symptom: If a new ATM PVP shaper is configured during the runtime and then a ATM VC with that VPI value is configured, tracebacks will be generated. Router operation will continue but QoS configuration for the VC and VP will be incorrect.
Conditions: A new PVP must be configured and a new VC is configured with that VPI.
Workaround: Configure the new PVP shapers, save the configuration, reboot the router. After the router is rebooted, VCs configured in the shaped VPs will have the correct QoS configuration.
Symptom: SBC CLI hung.
Conditions: The issue occurs while configuring the signaling-peer-port when the adj is attached, the new vty terminal would be hung.
Workaround: There is no workaround.
Symptom: NTE cannot pass through.
Conditions: The issue occurs for a transcoding call.
Workaround: There is no workaround.
Symptom: 6RD and MPLSoGRE tunnel perf drop in x39 throttle more than 5% compared to 3.8 throttle
Conditions: Perform 6RD and MPLSoGRE tunnel decapsulation.
Workaround: There is no workaround.
Symptom: Show service-insertion statistics service-node-group command produces incomplete or incorrect output when multiple SNGs are configured under the service-context.
Conditions: Multiple SNGs are configured under the service-context
Workaround: There is no workaround.
Symptom: Retransmitted SIP request message is calculated for related SIP method counter, however, the counter for other request counter also gets incremented.
Conditions: This symptom is observed during an ongoing transmission.
Workaround: There is no workaround.
Symptom: The Create Session Response message is dropped.
Conditions: This symptom is observed when the TEID in Create Session Response message is 0.
Workaround: There is no workaround.
Symptom: BFD flaps continuously upon ESP switchover.
Conditions: This symptom is observed during the ESP switchover.
Workaround: There is no workaround.
Symptom: Non-HDLC traffic (Non standard, but customer defined traffic) coming through HDLC interface gets dropped by ASR1K.
Conditions: Normal L2TPv3 configuration.
Workaround: There is no workaround.
Symptom: The command show platform software memory chunk qfp-control-process qfp active shows that there are memory leaks from CPP STILE Server CTX Chunk. There are three cases of this memory leak:
Case 1: When NBAR is active, there is a leak of 40 bytes every 10 seconds.
Case 2: When NBAR is active, there is a leak of 60 bytes every 10 seconds.
Case 3: When NBAR is not active, there is a leak of 20 bytes every 10 seconds.
Conditions: Case 1 is observed when the router is running an image with a version prior to 15.3(1)S. Cases 2 and 3 are observed when the router is running version 15.3(1)S or later.
Workaround: There is no workaround.
Symptom: TDL incompatibility
Conditions: This symptom is seen with the ISSU.
Workaround: There is no workaround.
Symptom: No Symptoms as such. PTP will come up as a process on both IOS and BINOS.
Conditions: This symptom is seen when the router is upgraded to XE39 image.
Workaround: There is no workaround, the PTP process comes up on IOS and BINOS.
Symptom: A very small FM memory leak is observed.
Conditions: When attach, detach, or modify a classification policy, a small leak exists.
Workaround: There is no workaround.
Symptom: Tracebacks or ESP reload is seen with INFRA-3-INVALID_GPM_ACCESS error msg on standby.
Conditions: This symptom is seen under low memory conditions.
Workaround: There is no workaround.
Symptom: On ASR1K, with GTP ZBFW pinholes are opened on GTP-U on the initiating side. Traffic back is dropped, since the UDP-SRC port of the initiation side is changed from xxxx to 2152.
Conditions: This symptom is observed when GTP ZBFW is enabled.
Workaround: There is no workaround.
Symptom: Whenever we clear the counters using clear counters only the interface counters are getting cleared. Controllers counters never get cleared unless the router is rebooted. In this case, controller is SPA-2XT3/E3.
Conditions: This symtom is observed only on ASR1K.
Workaround: Reboot the router.
Symptom: Local and remote UDP ports are not set correctly in the inbound IPSec Security Association (SA).
Conditions: This symptom is observed on a Cisco ASR1000 series router when functions as an IP Security (IPSec) termination and aggregation router, and when Tunnel-protection (TP) or Virtual Tunnel Interface (VTI) is deployed, and when IPSec sessions are established behind the Network Address Translation (NAT).
Workaround: There is no workaround.
Symptom: An ASR1K or ISR 4400 router may experience service interruptions and may encounter a QFP microcode software exception. The log will indicate that the router processor has crashed and restarted.
Conditions: The router is performing DMVPN tunneling or is operating as an AppNav controller while collecting data for AVC.
Workaround: There is no workaround.
Symptom: The Delete PDP Context Response message is dropped.
Conditions: This symptom is observed when Delete PDP Context Request is rejected.
Workaround: There is no workaround.
Symptom: BDI interface stops forwarding the traffic.
Conditions: This symptom is observed when there is a loop in data path.
Workaround: Recreate the BDI interface.
Symptom: Console corruption is seen sometimes when the punt keepalive packet drop happens during bootup of the router.
Conditions: This symptom is observed when punt keepalive packet is dropped and other console activity is going on at the same time.
Workaround: Punt keepalive messages can be disabled in the config, but it is not a recommended setting as it can mask punt failures.
Symptom: Ping fails when NAT64, PAT, and ZBFW are configured.
Conditions: Valid zone-pair is configured & ZBFW sessions exists, IPv6 ping fails from pagent. This happens only with NAT64, PAT, and ZBFW combination.
Workaround: There is no workaround.