Guest

Cisco Content Services Gateway

Release Notes for Cisco Content Services Gateway - 2nd Generation Release 3.0 Cisco IOS Release 12.4(22)MD2

  • Viewing Options

  • PDF (560.3 KB)
  • Feedback
Release Notes for Cisco Content Services Gateway - 2nd Generation Release 3.0 Cisco IOS Release 12.4(22)MD2

Table Of Contents

Release Notes for Cisco
Content Services Gateway -
2nd Generation Release 3.0
Cisco IOS Release 12.4(22)MD2

Introduction

Features

CSG2 Features Supported for Cisco IOS Release 12.4(22)MD2

CSG2 Features Supported for Cisco IOS Release 12.4(22)MD1

CSG2 Features Supported for Cisco IOS Release 12.4(22)MD

System Requirements

Memory Requirements

Hardware Supported

Software Requirements

Determining the Software Version

Prerequisites and Restrictions

Caveats for Cisco IOS Release 12.4(22)MD2

CSG2 Software for Cisco IOS Release 12.4(22)MD2 - Open Caveats

CSG2 Software for Cisco IOS Release 12.4(22)MD2 - Closed Caveats

SAMI Software for Cisco IOS Release 12.4(22)MD2 - Open Caveats

SAMI Software for Cisco IOS Release 12.4(22)MD2 - Closed Caveats

Caveats for Cisco IOS Release 12.4(22)MD1

CSG2 Software for Cisco IOS Release 12.4(22)MD1 - Open Caveats

CSG2 Software for Cisco IOS Release 12.4(22)MD1 - Closed Caveats

SAMI Software for Cisco IOS Release 12.4(22)MD1 - Open Caveats

SAMI Software for Cisco IOS Release 12.4(22)MD1 - Closed Caveats

Cisco Product Security Incident Response Team (PSIRT) - Closed Caveats

Caveats for Cisco IOS Release 12.4(22)MD

CSG2 Software for Cisco IOS Release 12.4(22)MD - Open Caveats

CSG2 Software for Cisco IOS Release 12.4(22)MD - Closed Caveats

SAMI Software for Cisco IOS Release 12.4(22)MD - Open Caveats

SAMI Software for Cisco IOS Release 12.4(22)MD - Closed Caveats

Cisco Product Security Incident Response Team (PSIRT) - Closed Caveats

Documentation and Technical Assistance

Related Documentation

CSG2 Documentation

Release-Specific Documents

Platform-Specific Documents

Cisco IOS Software Documentation Set

Obtaining Documentation and Submitting a Service Request


Release Notes for Cisco
Content Services Gateway -
2nd Generation Release 3.0
Cisco IOS Release 12.4(22)MD2


Revised: February 21, 2012
Current Release—12.4(22)MD2

This publication describes the requirements, dependencies, and caveats for the Cisco Content Services Gateway - 2nd Generation, more commonly known as the Content Services Gateway 2 or CSG2. These release notes are updated for every maintenance release.

Use these release notes with the Cross-Platform Release Notes for Cisco IOS Release 12.4, located on Cisco.com.

Caveats

Caveats describe unexpected behavior in Cisco IOS software releases. Severity 1 caveats are the most serious caveats; severity 2 caveats are less serious. Severity 3 caveats are moderate caveats, and only select severity 3 caveats are included in the caveats document.

All caveats in Cisco IOS Release 12.4 and Cisco IOS Release 12.4 T are also in Cisco IOS Release 12.4(22)MD2.

For a list of the software caveats that affect the CSG2 or SAMI software for Cisco IOS Release 12.4(22)MD2, see the "Caveats for Cisco IOS Release 12.4(22)MD1" section.

For information on caveats in Cisco IOS Release 12.4, see Caveats for Cisco IOS Release 12.4, located on Cisco.com.

For information on caveats in Cisco IOS Release 12.4 T, see Caveats for Cisco IOS Release 12.4T, located on Cisco.com and the Documentation CD-ROM.

Using the Bug Navigator II

If you have an account with Cisco.com, you can use Bug Navigator II to find the most current list of caveats of any severity for any software release. To reach Bug Navigator II, log in to Cisco.com and click Software Center: Cisco IOS Software: Cisco Bugtool Navigator II.

This publication includes the following information:

Introduction

Features

System Requirements

Prerequisites and Restrictions

Caveats for Cisco IOS Release 12.4(22)MD2

CSG2 Software for Cisco IOS Release 12.4(22)MD2 - Open Caveats

CSG2 Software for Cisco IOS Release 12.4(22)MD2 - Closed Caveats

SAMI Software for Cisco IOS Release 12.4(22)MD2 - Open Caveats

SAMI Software for Cisco IOS Release 12.4(22)MD2 - Closed Caveats

Caveats for Cisco IOS Release 12.4(22)MD1

CSG2 Software for Cisco IOS Release 12.4(22)MD1 - Open Caveats

CSG2 Software for Cisco IOS Release 12.4(22)MD1 - Closed Caveats

SAMI Software for Cisco IOS Release 12.4(22)MD1 - Open Caveats

SAMI Software for Cisco IOS Release 12.4(22)MD1 - Closed Caveats

Cisco Product Security Incident Response Team (PSIRT) - Closed Caveats

Caveats for Cisco IOS Release 12.4(22)MD

CSG2 Software for Cisco IOS Release 12.4(22)MD - Open Caveats

CSG2 Software for Cisco IOS Release 12.4(22)MD - Closed Caveats

SAMI Software for Cisco IOS Release 12.4(22)MD - Open Caveats

SAMI Software for Cisco IOS Release 12.4(22)MD - Closed Caveats

Cisco Product Security Incident Response Team (PSIRT) - Closed Caveats

Documentation and Technical Assistance

Introduction

The CSG2 is an application that runs on the Service and Application Module for IP (SAMI), a high-speed processing module. The CSG2 provides content-aware billing, service control, traffic analysis, and data mining in a highly scalable, fault-tolerant package. The CSG2 provides the software required by mobile wireless operating companies and other billing, applications, and service customers.

The CSG2 runs on the SAMI, a new-generation high performance service module for the Cisco 7600 series router platforms. The CSG2 is typically located at the edge of a network in an Internet service provider (ISP) point of presence (POP), or Regional Data Center.

Features

This section lists the CSG2 features and the CSG2 release in which the feature was introduced. For full descriptions of all of these features, see the Cisco Content Services Gateway - 2nd Generation Release 3.0 Installation and Configuration Guide.

To see the software part numbers associated with each CSG2 release; the Supervisor hardware required by each CSG2 release; the minimum Cisco IOS release required for new features in each CSG2 release; and the minimum IOS level supported by each CSG2 release, see the "Software Requirements" section.

CSG2 Features Supported for Cisco IOS Release 12.4(22)MD2

CSG2 Features Supported for Cisco IOS Release 12.4(22)MD1

CSG2 Features Supported for Cisco IOS Release 12.4(22)MD

CSG2 Features Supported for Cisco IOS Release 12.4(22)MD2

The CSG2 software for Cisco IOS Release 12.4(22)MD2 supports the entire feature set listed in the "CSG2 Features Supported for Cisco IOS Release 12.4(22)MD1" section.

CSG2 Features Supported for Cisco IOS Release 12.4(22)MD1

The CSG2 software for Cisco IOS Release 12.4(22)MD1 supports the entire feature set listed in the "CSG2 Features Supported for Cisco IOS Release 12.4(22)MD" section.

In addition, the CSG2 software for Cisco IOS Release 12.4(15)MD3 supports the following new features:

Policy Matching for HTTP Downgrade

For more information, see Closed caveat CSCsq12202.

CSG2 Features Supported for Cisco IOS Release 12.4(22)MD

The CSG2 Release 3.0 software for Cisco IOS Release 12.4(22)MD supports the entire feature set for the CSG2 Release 2.0 software for Cisco IOS Release 12.4(15)MD.

In addition, the CSG2 software for Cisco IOS Release 12.4(22)MD supports the following new features:

8-Byte TLVs

Alphanumeric Ordering of Contents and Services

Attribute Maps

Billing Chain Failure Notification

CDR Suppression for Unestablished TCP Connections

Default Billing Plan

Dual Quota

Enhanced Adaptability for Network-Generated Out-of-Order TCP Packets for Layer 4 Flows

Enhanced "show interface" Command

Enhanced "show ip csg radius detail" Command

Flexible Accounting for Retransmitted TCP Segments

License-Exceeded Notifications

Network Based Application Recognition (NBAR) Protocol Support

Per-User Uplink Next-Hop

Postpaid Services in Prepaid Billing Plans

Session-Based Quality of Service (QoS)

URL Maps for Interleaved RTSP

User Profile Requests for Quota Servers

New platform support:

Cisco 7600 Series Supervisor Engine 720 with a Multilayer Switch Feature Card 3 (WS-SUP720) running Cisco IOS Release 12.4(33)SRB1 or later

Cisco 7600 Series Supervisor Engine 720 with a Multilayer Switch Feature Card 3 and Policy Feature Card 3B (WS-SUP720-3B) running Cisco IOS Release 12.4(33)SRB1 or later

Cisco 7600 Series Supervisor Engine 32 with a Multilayer Switch Feature Card and 10 Gigabit Ethernet Uplinks (WS-SUP32-10GE-3B) running Cisco IOS Release 12.4(33)SRC or later and LCP ROMMON Version 12.2[121] or later on the SAMI

Cisco 7600 Series Route Switch Processor 720 with Distributed Forwarding Card 3C (RSP720-3C-GE) running Cisco IOS Release 12.4(33)SRC or later

System Requirements

This section describes the following memory and software requirements for CSG2:

Memory Requirements

Hardware Supported

Software Requirements

Determining the Software Version

For hardware requirements, such as power supply and environmental requirements, as well as hardware installation instructions, see the Service and Application Module for IP User Guide.

Memory Requirements

The CSG2 memory is not configurable.

The SAMI is available with a default 1 GB memory or an optional 2-GB memory.

Hardware Supported

Use of the CSG2 requires one of the following Cisco 7600 Series Routers and Supervisor Engines, and a module with ports to connect server and client networks:

Cisco 7600 Series Supervisor Engine 720 with a Multilayer Switch Feature Card 3 (WS-SUP720) running Cisco IOS Release 12.4(33)SRB1 or later

Cisco 7600 Series Supervisor Engine 720 with a Multilayer Switch Feature Card 3 and Policy Feature Card 3B (WS-SUP720-3B) running Cisco IOS Release 12.4(33)SRB1 or later

Cisco 7600 Series Supervisor Engine 720 with a Multilayer Switch Feature Card 3 and Policy Feature Card 3BXL (WS-SUP720-3BXL) running Cisco IOS Release 12.2(33)SRB1 or later

Cisco 7600 Series Supervisor Engine 32 with a Multilayer Switch Feature Card (WS-SUP32-GE-3B) running Cisco IOS Release 12.2(33)SRC or later and LCP ROMMON Version 12.2[121] or later on the SAMI

Cisco 7600 Series Supervisor Engine 32 with a Multilayer Switch Feature Card and 10 Gigabit Ethernet Uplinks (WS-SUP32-10GE-3B) running Cisco IOS Release 12.4(33)SRC or later and LCP ROMMON Version 12.2[121] or later on the SAMI

Cisco 7600 Series Route Switch Processor 720 with Distributed Forwarding Card 3C (RSP720-3C-GE) running Cisco IOS Release 12.4(33)SRC or later

Cisco 7600 Series Route Switch Processor 720 with Distributed Forwarding Card 3CXL (RSP720-3CXL-GE) running Cisco IOS Release 12.2(33)SRC or later

Software Requirements

When referring to this section, keep the following considerations in mind:

Do not use the Supervisor Hardware Supported column to infer supervisor hardware support. Consult the Cisco IOS Upgrade Planner to determine which IOS releases support the desired supervisor hardware.

Each feature set is limited to those features that can be configured at the Minimum Cisco IOS Level Supported.

The following table lists the CSG2 and SAMI module part numbers and associated information for each CSG2 release:

CSG2 Release
CSG2 and SAMI Module Part Numbers
Supervisor Hardware Supported
Supervisor Software Minimum Cisco IOS Release Required for New Features
Supervisor Software Minimum Cisco IOS Level Supported

12.4(22)MD2
12.4(22)MD1
12.4(22)MD

SAMI Module Part Numbers:

WS-SVC-SAMI-BB-K9
WS-SVC-SAMI-BB-K9=
MEM-SAMI-6P-2GB

CSG2 Software License Part Numbers:

SSAC30K9-12422MD
SSAC30K9-12422MD=

CSG2 Software Subscriber License Part Numbers:

FL-SC-10K-SUB
FL-SC-100K-SUB

CSG2 Software Upgrade License Part Numbers:

FL-SC-R1R2-UP

CSG2 Software and SAMI Module Bundle Part Numbers:

SAMI-CSG2-R2AS-K9=

WS-SUP720
WS-SUP720-3B
WS-SUP720-3BXL

12.2(33)SRB1

12.2(33)SRB1

WS-SUP32-GE-3B
WS-SUP32-10GE-3B

12.2(33)SRC

12.2(33)SRC

RSP720-3C-GE
RSP720-3CXL-GE

12.2(33)SRC

12.2(33)SRC


Determining the Software Version

To determine the version of Cisco IOS software that is currently running on your Cisco network device, log in to the CSG2 or Supervisor Engine and enter the show version EXEC command.

To show CSG2 versions, log in to the Supervisor Engine and enter the show module command in privileged EXEC mode.

To provide meaningful problem determination information, log in to the CSG2 or Supervisor Engine and enter the show tech-support command in privileged EXEC mode.

Prerequisites and Restrictions

For the latest prerequisites and restrictions for the CSG2, see the "Overview" chapter of the Cisco Content Services Gateway - 2nd Generation Release 3.0 Installation and Configuration Guide.

Caveats for Cisco IOS Release 12.4(22)MD2

This section lists and describes all caveats, both Open and Closed, that affect the CSG2 or SAMI software for Cisco IOS Release 12.4(22)MD2.

CSG2 Software for Cisco IOS Release 12.4(22)MD2 - Open Caveats

CSG2 Software for Cisco IOS Release 12.4(22)MD2 - Closed Caveats

SAMI Software for Cisco IOS Release 12.4(22)MD2 - Open Caveats

SAMI Software for Cisco IOS Release 12.4(22)MD2 - Closed Caveats

CSG2 Software for Cisco IOS Release 12.4(22)MD2 - Open Caveats

The following list identifies Open caveats in the CSG2 software for Cisco IOS Release 12.4(22)MD2.

CSCsy57824—WAP 1.x AoC URL redirect fails with meter exclude mms wap

With the meter exclude mms wap command configured and AoC enabled on a service, when a subscriber tries to browse with WAP 1.x, the CSG2 consults the quota server with a content authorization request and the quota server then responds with a content authorization response with the action of redirect and the URL to be redirected to. the page does not load on the subscriber's cell phone.

Workaround: Disable the exclude mms option redirect command.

CSCty02688—CSG2: Improper session synchronization during upgrade

When performing an in-service upgrade and synchronizing sessions from the active CSG2 Release 4, or any earlier release, to the standby CSG2 Release 5, or any later release, the synchronization might not complete correctly.

Workaround: Do not perform an in-service upgrade from CSG2 Release 4, or any earlier release, to CSG2 Release 5, or any later release.

CSG2 Software for Cisco IOS Release 12.4(22)MD2 - Closed Caveats

The following list identifies Closed caveats in the CSG2 software for Cisco IOS Release 12.4(22)MD2:

CSCsh25384—CP crash in csg_gtp_queue_and_send when running simple_redund

If a failover occurs and the no ip csg bma or no ip csg quota-server command is issued, the CSG2 might crash.

CSCsz21796—Bad refcount possible on error from ssvc

If the CSG2 tries to send an HTTP redirect packet to a subscriber, the following error message might be generated:

%SYS-2-BADSHARE: Bad refcount function-name

CSCta97199—Unexpected repetitions of service reauthorizations

When performing RADIUS reauthorization and time-based billing, the CSG2 might repeat.

CSCtb31700—CSG2 R3: Transaction refund not accurate with tariff switch

If a tariff switch occurs for an open transaction that qualifies for refunding, the CSG2 reports a refund TLV in a transaction CDR with 0 bytes refunded. However, the transaction reports that IP packets/bytes were passed.

CSCtb37734—Potential access to a freed pointer

When removing a configured content, the CSG2 might crash.

CSCtb52211—Per-user QoS not applied with user-default billing plan

If user-default and qos profile are configured for a billing plan, and a user is assigned the billing plan via the default billing plan option, the configured QoS profile is not applied to the user.

CSCtb70452—CSG2: Continuation TLV correlator might not be unique

If the CSG2 generates Continue CDRs because the data for a record does not fit in a single IP packet, the BMA or quota server might associate data from a Continue CDR with an incorrect BMA or quota server record. This can occur because the CSG2 generates a correlator value in the Continue TLV that might not be unique per CSG2.

CSCtb71637—%CSG-3-KUT_CLEANUP_ERROR on CSG2

The CSG2 might generate continual error messages:

SAMI 1/8: Aug 30 14:05:33 AEST: %CSG-3-KUT_CLEANUP_ERROR: OPENMOBILEWEB, ip= 10.227.179.191, uid= 61425166227, (1/48/2822/9217), -Traceback= 0x4428BB68 0x45145678 0x451475CC 0x4514A2D0 0x4514A5D8 0x4513B158 0x450FBF6C 0x4524E69C 0x44F76AE8 0x44F948FC 0x44F97558 0x4507D9EC 0x44F624AC 0x44F624AC 0x4507DAA8 0x45081C10

SAMI 1/8: Aug 30 14:08:00 AEST: %CSG-3-KUT_CLEANUP_ERROR: OPENMOBILEWEB, ip= 10.228.102.132, uid= 61425170578, (1/48/2054/9217), -Traceback= 0x4428BB68 0x45145678 0x451475CC 0x4514A2D0 0x4514A5D8 0x4513B158 0x450FBF6C 0x4524E69C 0x44F76AE8 0x44F948FC 0x44F97558 0x4507D9EC 0x44F624AC 0x44F624AC 0x4507DAA8 0x44E6AEC4

CSCtc21701—Stale VTY session

Under certain conditions, such as disconnecting a physical cable, a stale VTY might be created in the CSG2.

CSCtc76186—TCP sessions not closed to the server side

When both TCP peers decide to close a session, RFC 793 provides that each peer needs to send its own (FIN,ACK) and then also (ACK) to the (FIN,ACK) of the peer. However, the CSG2 might close the session before the last ACK exchange:

Instead of forwarding the last ACK from the client to the server, the CSG2 sends an RST to the client.

Instead of forwarding the last ACK from the server to the client, the CSG2 silently discards the last ACK.

Eventually the server side runs out of sockets

CSCtc82023—CSG2: Final qualified usage not correctly reported in service-level CDR

If service duration billing is enabled, BMA billing records might not accurately reflect the usage information sent in the final quota server update.

CSCtd32600—RADIUS Accounting Start dropped

A CSG2 configured as a RADIUS proxy might not forward some RADIUS Accounting Start packets (from the GGSN to the RADIUS server). The CSG2 drops the sessions due to lack of response from the RADIUS server.

CSCtf55741—CSG2 might not return recently-granted quota in a quota return

A prepaid charging gateway might report that the CSG2 is using more quota than is allowed.

CSCtg00838—CSG2 reload at rgx_is_epsilon

While parsing an HTTP header the SAMI might reload.

CSCtg33015—Memory leak on standby CSG2 processors 4-8

A memory leak is observed on the standby CSG2 in a redundant CSG2 pair. The leak is seen only on processors 4-8 of the standby CSG2.

Comparing simultaneous show tech commands from the active and standby CSG2s, the show fastblk output of the show tech command on processors 4 through 8 of the standby CSG2 show a significantly higher memory consumption than the active CSG2. The memory consumption of the standby CSG2 also increases steadily over time.

The exact circumstances that cause this memory leak are unknown, but it is likely related to per-user or per-service QoS.

CSCth09467—CSG2: The Accounting session ID is not used for RADIUS correlation

The accounting session ID is not used for RADIUS correlation to stop the user. The output of the show user command does not show the user's Correlator attribute. The CP leaks fastblk memory allocated for the RADIUS Correlator attribute.

For this problem to occur, all of the following conditions must be met:

The ip csg radius correlation command must be configured.

The RADIUS Accounting Start message must have Cisco VSA subattributes, but not "user_session_correlator=", so that the Acct-Session-Id (RADIUS attribute 44) is used for correlation.

CSCti35812—Reload triggered when parsing POP3 packet

When the CSG2 is performing Layer 7 parsing of POP3 or SMTP e-mail traffic, and an e-mail packet is received with a crafted malformed, header, a watchdog might trigger a reload of the CSG2.

CSCtj04285—Slow clearing of the quota server queues in the CSG2

During high traffic conditions the CSG2 clears the quota server queue too slowly.

Workaround: Reduce the quota server queue size, leaving the maximum transmission window size and the retransmission timer set to the defaults.

CSCtj73069—CSG2: Usage statistics are not replicated to redundant side during failover

The session usage statistics are not replicated to the standby CSG2.

CSCtj99945—CSG2: Improper quota server load balancing

The assignment of user entries to quota servers for load-balancing might be askew. For example, if 100 user entries were created with two active quota servers configured, the expected behavior is that each quota server would be assigned about 50 user entries. However, the number of user entries assigned to each quota server might actually be asymmetric and inconsistent.

SAMI Software for Cisco IOS Release 12.4(22)MD2 - Open Caveats

The following list identifies Open caveats in the SAMI software that impact the CSG2 software for Cisco IOS Release 12.4(22)MD2.

CSCsj81608—The show cdp command fails

The show cdp entry * command output is empty.

Workaround: None.

CSCsm31641—RCaL on CSG2 is not working for port 10000

The remote console and logging (RCaL) feature on the CSG2 image might not work if the Supervisor Engine's logging listen port and the Power PC's (PPC's) logging main-cpu port are both configured as port 10000.

Workaround: Use the default port 4000 for RCAL, or any port other than 10000.

CSCsq92712—A SAMI processor might crash when using iSCSI-related commands

A SAMI processor might crash when you are configuring or unconfiguring iSCSI-related commands.

For this problem to occur, all of the following conditions must be met:

GGSN/Charging must be in maintenance mode.

The processor must be stressed with traffic flow across PDPs.

There must be a very high number of CDRs.

iSCSI backup must be used for charging records storage.

On the CSG2, control and traffic are on different processors. The iSCSI configuration and processing are only in the control CPU, and this issue is seen only when the CPU is at about 90%. The control CPU is not likely to ever reach 90%. Therefore, this issue is not likely to occur in the CSG2.

Workaround: None.

CSCsu24035—Terminating RCAL execution on SAMI LCP/PPC might cause an RCAL failure

If you use Ctrl-^ to terminate a remote console and logging (RCAL) execute-on from the Supervisor Engine into the SAMI line control processor (LCP) or PowerPC (PPC), the next RCAL execute-on attempt might fail.

Workaround: Disable logging listen on the Supervisor Engine, then re-enable it.

SAMI Software for Cisco IOS Release 12.4(22)MD2 - Closed Caveats

The following list identifies the Closed caveats in the SAMI software that impact the CSG2 software for Cisco IOS Release 12.4(22)MD2:

CSCsy65876—The show tech output is empty when debug information is written by the Cisco SAMI

Some debug information, such as the output from show tech and show sami config-mode commands, is missing from the debug information files in some or all of the PPCs of the Cisco SAMI that are generated prior to a reload, following a critical error.

This problem can occur when there is no active physical console connected to the PPC.

CSCsz42882—File systems not cleaned up when iSCSI link goes down

With iSCSI link flaps, stale file systems remain in the system. Once the stale file descriptors reach the maximum supported limit, new file systems cannot be created and the iSCSI link fails to come up.

CSCta44366--iSCSI connection not getting initiated from the CSG2

If the CSG2 is rebooted, and none of the configuration starts with ip csg, entering the ip csg iscsi profile command after the reboot does not initiate an iSCSI connection.

CSCtd17963—Unexpected exception while debuginfo collected due to IXP Health-Monitoring failure leading to crash

During a Health-Monitoring failure in SAMI, each processor writes more than one debuginfo file. Some of the debuginfo files are incomplete and there will be crashinfo written in the name of debuginfo.

CSCtg50821—Crashed in crashdump

When the CSG2 crashes, the crash information file might be empty, or it might contain files with little or no content.

Caveats for Cisco IOS Release 12.4(22)MD1

This section lists and describes all caveats, both Open and Closed, that affect the CSG2 or SAMI software for Cisco IOS Release 12.4(22)MD1.

CSG2 Software for Cisco IOS Release 12.4(22)MD1 - Open Caveats

CSG2 Software for Cisco IOS Release 12.4(22)MD1 - Closed Caveats

SAMI Software for Cisco IOS Release 12.4(22)MD1 - Open Caveats

SAMI Software for Cisco IOS Release 12.4(22)MD1 - Closed Caveats

Cisco Product Security Incident Response Team (PSIRT) - Closed Caveats

CSG2 Software for Cisco IOS Release 12.4(22)MD1 - Open Caveats

The following list identifies Open caveats in the CSG2 software for Cisco IOS Release 12.4(22)MD1.

CSCsy57824—WAP 1.x AoC URL redirect fails with meter exclude mms wap

With the meter exclude mms wap command configured and AoC enabled on a service, when a subscriber tries to browse with WAP 1.x, the CSG2 consults the quota server with a content authorization request and the quota server then responds with a content authorization response with the action of redirect and the URL to be redirected to. the page does not load on the subscriber's cell phone.

Workaround: Disable the exclude mms option redirect command.

CSG2 Software for Cisco IOS Release 12.4(22)MD1 - Closed Caveats

The following list identifies Closed caveats in the CSG2 software for Cisco IOS Release 12.4(22)MD1:

CSCsj17103—CSG2: Timestamps in Service Stop Notify not consistent

The CSG2 might generate a CDR with a Connection timestamp that is one second earlier than the Service-Start timestamp.

CSCsq12202—CSG2: Downgraded HTTP traffic should match catchall policy if configured

When the CSG2 detects an HTTP protocol error, such as non-HTTP traffic hitting content that is configured with parse protocol http, it downgrades to Layer 4 inspection. The CSG2 allows all remaining traffic to pass through, and reports the traffic in the Unassigned Bytes TLV.

To be consistent with the CSG1, after downgrading to Layer 4 inspection the CSG2 should match the current transaction to the catchall policy in the content, if there is one configured. If no catchall policy is configured, then the CSG2 should use the block configuration in the content to determine whether to forward or block the traffic.

CSCsu31071—Rollback is broken for some CSG2 maps, policies, and contents

Configuration rollback does not work for CSG2 maps, policies, and contents.

CSCsv60284—R3: The show interface command is very slow when the CSG2 is under stress

The show interface command returns output from all of the TPs and the CP. When The CSG2 is under stress, the command might take up to 2 minutes to display output.

CSCsv60425—R3: Memory allocation failures under stress when routes are configured incorrectly

The CSG2 might experience a memory allocation failure on the I/O memory pool of one of its processors with a %SYS-2-MALLOCFAIL error message.

For this problem to occur, all of the following conditions must be met:

There must be no route to a given subscriber or server network.

There must be no default route.

There must be no next-hop (reverse) configured for the content.

CSCsv83744—Failure to complete cold-bulk results in HA stall

If a spanning tree loop occurs in an HA network, a standby CSG2 might become stuck in COLD-BULK state for several hours.

CSCsv86553—CSG2 R3: Some HTTP traffic failed to count retransmission and extra crlf

A session might reset if the CSG2 is unable to count retransmitted or out-of-order packets. This problem can occur if the CSG2 does not have enough resource to count retransmitted or out-of-order packets, or if malformed packets caused packet counting errors.

CSCsv95317—R3: Possible configuration failure when using more than one console

If you use more than one virtual teletype terminal (VTY console) when interacting with the CSG2 (for example, using one VTY to enter show commands and another to enter configuration commands), one of the VTYs might hang and the CSG2 will not allow further configuration commands. The CSG2 issues the following message:

Config failed, CSG being configured by line

You must reboot the CSG2 before continuing.

CSCsv95675—CSG2: Quota is not credited back to the user when the quota server fails and passthrough is configured

Quota which could not be returned to the quota server is not credited back to the user.

For this problem to occur, all of the following conditions must be met:

Passthrough must be configured for the service.

The current quota must have been granted by the quota server with a quota timeout.

The CSG2 must be unable to successfully deliver the Quota Return message to the quota server (due to server failure).

CSCsw51743—Unsupported CSG2 commands visible in CLI

The following commands specific to the CSG2 appear in the command line interface (CLI), but they are not supported and should not be used:

clear ip csg event-trace packet
debug ip csg event-trace packet
ip csg event-trace packet
show ip csg event-trace packet

CSCsw63284—The CSG2 miscalculates retries for NTP, no warning given when failed

If NTP is not configured or synced with the configured NTP server, the CSG2 consumes all received packets, and even ping commands to local interfaces fail. Debugs show that the CEF receives the packet, but it is consumed by the CSG2.

CSCsw66339—A maximum-length VRF name might be improperly handled by the CISCO-CONTENT-SERVICES-MIB

If a user configures a 32-character VRF name, and the VRF is used in a user database, BMA, or quota server definition, the CSG2 might experience buffer overflow problems, due to SNMP queries on the CISCO-CONTENT-SERVICES-MIB.

CSCsx18737—The debug ip csg qs detail command might cause the CSG2 to crash when a Quota Push Request is received

The CSG2 might crash when the debug ip csg qs detail command is configured and a nonstandard Quota Push Request message is received.

CSCsx33049—Service Reauthorization Request (SRAR) sent as first request

If the ip csg quota-server retransmit command is set to 5 or lower, and a quota server fails over, the CSG2 might send a Service Reauthorization Request (SRAR) before sending a Service Authorization Request.

CSCsx47053—Syslog not generated immediately after User Table size exceeds license limit

When the number of users exceeds the licensed value, configured with the ip csg license warning-enable command in global configuration mode, the first syslog message is generated after five minutes:

SAMI 8/3: *Feb 5 09:17:11.555: %CSG-4-CSG_LICENSE_LIMIT_REMINDER_SYSLOG: KUT limit exceeded the license limit: Number of users accessing network concurrently has exceeded the license limit

CSCsx72588—The ip csg entries user idle duration pod command is required for CSG2 PoD to work

Packet of Disconnect (PoD) can be configured at either the global level or at the billing plan level. Each level should work independently of the other. However, PoD is not working unless the ip csg entries user idle duration pod command is configured in global configuration mode.

CSCsy20141—Memory leak when a content with policy in service using attribute maps

The CSG2 might experience a slow memory leak when adding attribute map matches.

CSCsy41471—Speedup recovery of RADIUS packet drop due to buffer depletion

If the CSG2 depleted the RADIUS attribute pool while processing a large number of RADIUS requests at a very high rate, it might fail to proxy RADIUS requests to the RADIUS server, while the "radius attribute" and "radius deny" counters continue to increase.

CSCsy48289—The powered-off standby CSG2 is not picking up the QoS profile from the active CSG2

A per-user QoS signaled from the quota server might not be replicated from the active CSG2 to the standby CSG2. If a failover occurs, traffic for that subscriber is either not subject to any QoS or is subject to the configured QoS, if any.

For this problem to occur, all of the following conditions must be met:

The QoS must be associated with the subscriber, not with a specific service.

The QoS must be signaled from the quota server, not configured.

The QoS must be present on the active CSG2 before the standby CSG2 boots up.

CSCsy57839—CSG2: RADIUS debug can cause traceback and card reloading

If the CSG2 is configured for RADIUS endpoint or RADIUS proxy, and the debug ip csg radius command is entered, the CSG2 might reload.

CSCsy73456—The CSG2 might crash after Stack for process CSG BGCFG running low

The CSG2 might crash with the following messages in the crash information file:

SAMI 4/3: Mar 25 13:58:30.665 ISR: %SYS-6-STACKLOW: Stack for process CSG BGCFG running low, 0/24000

%Software-forced reload

13:58:30 ISR Wed Mar 25 2009: Unexpected exception to CPU: vector 1500, PC = 0x4504A33C, LR = 0x4504A298

-Traceback= 0x4504A33C 0x4504A298 0x4504F6B4 0x4504F844 0x44E40654 0x450A0FCC 0x4504C384 0x4504FA64

For this problem to occur, all of the following conditions must be met:

A large map must be configured.

The map must contain many match statements, wildcards, and Boolean operators.

The map must be changed and the content put back in service.

CSCsy85405—Crash in HTTP code when the records delay command is configured

The CSG2 might reload under certain conditions.

For this problem to occur, all of the following conditions must be met:

The data flow must match a CSG content configured with policies that require HTTP deep packet inspection (accounting type http).

The user must be a prepaid user.

The records delay command must be configured under the HTTP content.

A retransmitted pipelined request or response packet must result in temporary quota exhaustion and a subsequent service reauthorization request to the quota server.

The transaction must close before the response is received from the quota server.

CSCsy93255—CSG2 traceback when clearing user entries

Under certain RTSP load and stress conditions, some entries remain in the CSG2 User Table. Trying to clear this state results in a traceback.

CSCsz07709—Distributed configuration and output fails after heavy stress

Entering distributed show commands, such as show proc cpu, from a Telnet or Supervisor Engine session into the SAMI module, while the CSG2 is under heavy stress, might cause the CSG2 to hang and fail at CPU 4.

Attempts to change the configuration results in the following message after exiting configuration mode:

%PARSER-6-EXPOSEDLOCKRELEASED: Exclusive configuration lock released from terminal '0' -Process= "CSG config rollback", ipl= 0, pid= 122

CSCsz42035—CSG2: Quota Server bombarded with reauth requests for free service

For a prepaid subscriber with zero quota using a service with zero weight, the CSG2 might generate multiple reauthorization requests within a few seconds.

CSCsz43573—QoS rate-limit and drops TLV not reported in NBAR CDRs

The CSG2 NBAR CDRs might not report the QoS rate-limit TLV or QoS drop TLV.

For this problem to occur, all of the following conditions must be met:

One or more of the active contents must be configured with the parse protocol nbar command.

The subscriber or service that uses the content must have QoS either configured or signaled.

CSCsz59223—CSG2: Users on the standby CSG2 might be removed even though they are on the active CSG2

In a stateful redundant CSG2 configuration, the standby CSG2 User Table might not contain all of the subscribers that are present in the active CSG2 User Table.

This problem can occur if the standby CSG2 receives a RADIUS Accounting On or Off message from a GGSN, then receives a RADIUS Accounting Start message from the GGSN before completing processing of the RADIUS Accounting On or Off message.

This problem can also occur if the clear ip csg user command is entered.

CSCsz69398—Memory leak - Leakage of RADIUS attributes

The CSG2 might encounter a memory leakage that results in a malloc failure of RADIUS attributes and prevents the CSG2 from processing incoming RADIUS requests.

CSCta07579—R3.5 Traceback clearing user running WAP traffic

Doing Layer 7 WAP inspection, a KUT_CLEANUP_ERROR traceback is dumped to the console when the CSG2 attempts to remove a WAP user from the User Table. the user is not removed from the User Table.

CSCta21064—CSG2: HTTP might reserve and not charge or cancel reserved quota

If an HTTP packet consists of retransmitted bytes of a previous transaction, and new bytes of a new transaction, a service's "reserved", as displayed in the output of the show ip csg user all detail command, might keep incrementing.

CSCta39130—Byte reporting in resize TCP with RETX for multiple transactions

When a retransmitted packet has multiple transactions, the reported IP bytes for each transaction in that packet are incorrect.

SAMI Software for Cisco IOS Release 12.4(22)MD1 - Open Caveats

The following list identifies Open caveats in the SAMI software that impact the CSG2 software for Cisco IOS Release 12.4(22)MD1.

CSCsj81608—The show cdp command fails

The show cdp entry * command output is empty.

Workaround: None.

CSCsm31641—RCaL on CSG2 is not working for port 10000

The remote console and logging (RCaL) feature on the CSG2 image might not work if the Supervisor Engine's logging listen port and the Power PC's (PPC's) logging main-cpu port are both configured as port 10000.

Workaround: Use the default port 4000 for RCAL, or any port other than 10000.

CSCsq92712—A SAMI processor might crash when using iSCSI-related commands

A SAMI processor might crash when you are configuring or unconfiguring iSCSI-related commands.

For this problem to occur, all of the following conditions must be met:

GGSN/Charging must be in maintenance mode.

The processor must be stressed with traffic flow across PDPs.

There must be a very high number of CDRs.

iSCSI backup must be used for charging records storage.

On the CSG2, control and traffic are on different processors. The iSCSI configuration and processing are only in the control CPU, and this issue is seen only when the CPU is at about 90%. The control CPU is not likely to ever reach 90%. Therefore, this issue is not likely to occur in the CSG2.

Workaround: None.

CSCsu24035—Terminating RCAL execution on SAMI LCP/PPC might cause an RCAL failure

If you use Ctrl-^ to terminate a remote console and logging (RCAL) execute-on from the Supervisor Engine into the SAMI line control processor (LCP) or PowerPC (PPC), the next RCAL execute-on attempt might fail.

Workaround: Disable logging listen on the Supervisor Engine, then re-enable it.

SAMI Software for Cisco IOS Release 12.4(22)MD1 - Closed Caveats

The following list identifies the Closed caveats in the SAMI software that impact the CSG2 software for Cisco IOS Release 12.4(22)MD1:

CSCsw74149—I/O memory depleted if a packet has ICMP source and destination IP addresses that are the same as the PPC interface IP address

If a packet has an ICMP source and destination IP address that is the same as the PPC interface IP address, the SAMI runs out of I/O memory, and the following message appears:

%SYS-2-MALLOCFAIL: Memory allocation of 1708 bytes failed from 0x45407D18, alignment 32

CSCsw78449—A SAMI processor might crash and console might hang when removing the iSCSI configuration

A SAMI processor might crash when removing the ISCSI configuration using the no ip iscsi profile command.

CSCsw97850—SAMI status LED should be orange during shutdown

The SAMI Status LED is remaining green during shutdown. It should change to orange during shutdown.

CSCsz86656—SAMI is not setting the DBUS trust bit to 1

The SAMI is not setting the DBUS trust bit to 1, which in turn causes the Cisco 7600 Series Router to remark the DSCP of the packets.

Cisco Product Security Incident Response Team (PSIRT) - Closed Caveats

The following list identifies Cisco PSIRT closed caveats that impact Cisco IOS Release 12.4(24)MD1:

CSCsq24002

Cisco IOS Software contains a vulnerability that could allow an attacker to cause a Cisco IOS device to reload by remotely sending a crafted encryption packet. Cisco has released free software updates that address this vulnerability. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-tls.shtml.

CSCsr18691

Cisco IOS devices that are configured with Cisco IOS Zone-Based Policy Firewall Session Initiation Protocol (SIP) inspection are vulnerable to denial of service (DoS) attacks when processing a specific SIP transit packet. Exploitation of the vulnerability could result in a reload of the affected device.

Cisco has released free software updates that address this vulnerability.

Workarounds that mitigate this vulnerability are available within the workarounds section of the posted advisory.

This advisory is posted at the following link:

http://www.cisco.com/warp/public/707/cisco-sa-20090923-ios-fw.shtml

CSCsu24505

Cisco IOS Software with support for Network Time Protocol (NTP) version (v4) contains a vulnerability processing specific NTP packets that will result in a reload of the device. This results in a remote denial of service (DoS) condition on the affected device.

Cisco has released free software updates that address this vulnerability.

Workarounds that mitigate this vulnerability are available and are documented in the workarounds section of the posted advisory.

This advisory is posted at the following link:

http://www.cisco.com/warp/public/707/cisco-sa-20090923-ntp.shtml

CSCsu50252

A vulnerability exists in Cisco IOS software where an unauthenticated attacker could bypass access control policies when the Object Groups for Access Control Lists (ACLs) feature is used. Cisco has released free software updates that address this vulnerability. There are no workarounds for this vulnerability other than disabling the Object Groups for ACLs feature. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-acl.shtml.

CSCsv04836

Multiple Cisco products are affected by denial of service (DoS) vulnerabilities that manipulate the state of Transmission Control Protocol (TCP) connections. By manipulating the state of a TCP connection, an attacker could force the TCP connection to remain in a long-lived state, possibly indefinitely. If enough TCP connections are forced into a long-lived or indefinite state, resources on a system under attack may be consumed, preventing new TCP connections from being accepted. In some cases, a system reboot may be necessary to recover normal system operation. To exploit these vulnerabilities, an attacker must be able to complete a TCP three-way handshake with a vulnerable system.

In addition to these vulnerabilities, Cisco Nexus 5000 devices contain a TCP DoS vulnerability that may result in a system crash. This additional vulnerability was found as a result of testing the TCP state manipulation vulnerabilities.

Cisco has released free software updates for download from the Cisco website that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090908-tcp24.shtml.

CSCsv48603

A vulnerability exists in Cisco IOS software where an unauthenticated attacker could bypass access control policies when the Object Groups for Access Control Lists (ACLs) feature is used. Cisco has released free software updates that address this vulnerability. There are no workarounds for this vulnerability other than disabling the Object Groups for ACLs feature. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-acl.shtml.

CSCsv75948

Cisco IOS Software with support for Network Time Protocol (NTP) version (v4) contains a vulnerability processing specific NTP packets that will result in a reload of the device. This results in a remote denial of service (DoS) condition on the affected device.

Cisco has released free software updates that address this vulnerability.

Workarounds that mitigate this vulnerability are available and are documented in the workarounds section of the posted advisory.

This advisory is posted at the following link:

http://www.cisco.com/warp/public/707/cisco-sa-20090923-ntp.shtml

CSCsw47076

A vulnerability exists in Cisco IOS software where an unauthenticated attacker could bypass access control policies when the Object Groups for Access Control Lists (ACLs) feature is used. Cisco has released free software updates that address this vulnerability. There are no workarounds for this vulnerability other than disabling the Object Groups for ACLs feature. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-acl.shtml.

CSCsx07114

A vulnerability exists in Cisco IOS software where an unauthenticated attacker could bypass access control policies when the Object Groups for Access Control Lists (ACLs) feature is used. Cisco has released free software updates that address this vulnerability. There are no workarounds for this vulnerability other than disabling the Object Groups for ACLs feature. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-acl.shtml.

CSCsx70889

Cisco devices running affected versions of Cisco IOS Software are vulnerable to a denial of service (DoS) attack if configured for IP tunnels and Cisco Express Forwarding.

Cisco has released free software updates that address this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-tunnels.shtml.

CSCsy15227

Cisco IOS Software configured with Authentication Proxy for HTTP(S), Web Authentication or the consent feature, contains a vulnerability that may allow an unauthenticated session to bypass the authentication proxy server or bypass the consent webpage.

There are no workarounds that mitigate this vulnerability.

This advisory is posted at the following link:

http://www.cisco.com/warp/public/707/cisco-sa-20090923-auth-proxy.shtml

CSCsy54122

A vulnerability exists in Cisco IOS software where an unauthenticated attacker could bypass access control policies when the Object Groups for Access Control Lists (ACLs) feature is used. Cisco has released free software updates that address this vulnerability. There are no workarounds for this vulnerability other than disabling the Object Groups for ACLs feature. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-acl.shtml.

Caveats for Cisco IOS Release 12.4(22)MD

This section lists and describes all caveats, both Open and Closed, that affect the CSG2 or SAMI software for Cisco IOS Release 12.4(22)MD.

CSG2 Software for Cisco IOS Release 12.4(22)MD - Open Caveats

CSG2 Software for Cisco IOS Release 12.4(22)MD - Closed Caveats

SAMI Software for Cisco IOS Release 12.4(22)MD - Open Caveats

SAMI Software for Cisco IOS Release 12.4(22)MD - Closed Caveats

Cisco Product Security Incident Response Team (PSIRT) - Closed Caveats

CSG2 Software for Cisco IOS Release 12.4(22)MD - Open Caveats

The following list identifies Open caveats in the CSG2 software for Cisco IOS Release 12.4(22)MD.

CSCsu31071—Rollback is broken for some CSG2 maps, policies, and contents

Configuration rollback does not work for CSG2 maps, policies, and contents.

Workaround: Instead of rollback, use regular configuration commands to undo previous configuration changes.

CSCsv60284—R3: The show interface command is very slow when the CSG2 is under stress

The show interface command returns output from all of the TPs and the CP. When The CSG2 is under stress, the command might take up to 2 minutes to display output.

Workaround: Reduce the stress to the CSG2 or use the execute all show interface command.

CSCsv60425—R3: Memory allocation failures under stress when routes are configured incorrectly

The CSG2 might experience a memory allocation failure on the I/O memory pool of one of its processors with a %SYS-2-MALLOCFAIL error message.

For this problem to occur, all of the following conditions must be met:

There must be no route to a given subscriber or server network.

There must be no default route.

There must be no next-hop (reverse) configured for the content.

Workaround: Configure the route, the default route, or the next-hop IP address.

CSCsv95317—R3: Possible configuration failure when using more than one console

If you use more than one virtual teletype terminal (VTY console) when interacting with the CSG2 (for example, using one VTY to enter show commands and another to enter configuration commands), one of the VTYs might hang and the CSG2 will not allow further configuration commands. The CSG2 issues the following message:

Config failed, CSG being configured by line

You must reboot the CSG2 before continuing.

Workaround: Use only one VTY at a time when interacting with the CSG2.

CSCsv95675—CSG2: Quota is not credited back to the user when the quota server fails and passthrough is configured

Quota which could not be returned to the quota server is not credited back to the user.

For this problem to occur, all of the following conditions must be met:

Passthrough must be configured for the service.

The current quota must have been granted by the quota server with a quota timeout.

The CSG2 must be unable to successfully deliver the Quota Return message to the quota server (due to server failure).

Workaround: None.

CSCsy57824—WAP 1.x AoC URL redirect fails with meter exclude mms wap

With the meter exclude mms wap command configured and AoC enabled on a service, when a subscriber tries to browse with WAP 1.x, the CSG2 consults the quota server with a content authorization request and the quota server then responds with a content authorization response with the action of redirect and the URL to be redirected to. the page does not load on the subscriber's cell phone.

Workaround: Disable the exclude mms option redirect command.

CSG2 Software for Cisco IOS Release 12.4(22)MD - Closed Caveats

The following list identifies Closed caveats in the CSG2 software for Cisco IOS Release 12.4(22)MD:

CSCso63210—CSG2 R2: Many users idling out of the CSG2 User Table degrades performance

If an idle timer is configured for the User Table, and if thousands of users idle out at the same time, the rate at which the CSG2 can handle incoming RADIUS messages is reduced.

CSCsl57813—CSG2: Some show commands do not honor term length break sequence

When entering CSG2 show commands that collect and display information from all of the CPUs in the CSG2, the output might not break or pause as expected based on the term length configuration. If that happens, long output can scroll off-screen unexpectedly.

This problem does not occur for information gathered from the CP, whether in a distributed command or otherwise.

CSCsq05068—CSG2 R2: Prepaid RADIUS stress causes packet loss to the quota server

In a prepaid configuration that requires a billing plan from the quota server, if RADIUS Accounting Starts begin arriving at a rate that exceeds the capacity of the CSG2, the CSG2 might drop some of the responses from the quota server.

CSCsq06947—CSG2: Unable to scale to 500K CSG2 User Table entries with 5 or more ip csg report radius attribute commands configured

When the CSG2 receives a higher-than-expected rate of RADIUS Accounting Starts with a large number of RADIUS attributes from the Network Access Server (NAS), it might deny the RADIUS requests because it cannot grow the buffer pool fast enough.

CSCsq17440—CSG2 R2: Incorrect request type used in RTSP AoC for interleaved

During Layer 7 inspection for RTSP, the quota server receives an incorrect content authorization request of type 0x08 (RTSP TCP). The request should be of type 0x09. The problem occurs when the RTSP session is transporting data over the control session (interleaved).

CSCsq25027—CSG2 R1: Incorrect service selected after removing configuration of billing plan

If you remove a configured billing plan or service using the no option (for example, no ip csg billing), and you then configure a new billing plan or service and assign it to a new transaction, the CSG2 might assign the wrong services to the transaction.

CSCsq31810—The CSG2 R2 HSRP stays disabled after group change

If the standby ip command is removed from a protected interface on the standby router, then reapplied, the reapplication fails, and output from the show standby command is empty.

For this problem to occur, one or more of the following conditions must be met:

The interface must be associated initially with a specific standby group. It must then be removed from that group, assigned to another group, then reassigned to the original group. For example:

interface gigabitEthernet 0/0.10
no standby 1 ip
standby 5 ip 10.10.30.105
no standby 5 ip
standby 1 ip

The standby version 2 command must be configured on the interface.

CSCsq52319—CSG2 memory is depleted when HTTP and SIP are configured on the same 1 GB SAMI

If both HTTP and SIP are configured on the same 1 GB SAMI, the CSG2's memory might be depleted. If this occurs, the CSG2 might deny incoming RADIUS requests.

CSCsq79149—CSG2 R2: Define New Units flag in Qualified TLVs for basis second transaction

TLVs that report units, such as the Qualified Usage TLV, might report a value of 1 (second) when basis second transaction is configured.

CSCsq90709—CSG2: The show ip csg user all command might not display some sticky user entries

The output from the show ip csg users all command might include some but not all of the sticky user entries.

CSCsr42444—The CSG2 does not allow user traffic in a VPN session in transparent mode

With a Cisco VPN client and a Cisco VPN concentrator, in a VPN session in IPSec transparent mode, no user traffic flows. The VPN connection is established, but traffic does not flow.

CSCsr43716—CSG2: RTSP crash due to URL fastblk memory corruption

While performing Layer 7 parsing of RTSP traffic, the CSG2 might crash if it receives a DESCRIBE message containing a URL that exceeds 512 bytes.

CSCsr45063—CSG2 - IMAP improperly handles token > 255 bytes

The CSG2 reloads with a crash indication.

The CSG2 might reload while performing L7 inspection of IMAP traffic if certain fields within the flow are >256 bytes.

CSCsr52175—Ping failure after excessive interface updates and error messages from IXP

If any combination of the following situations occurs:

Configuring thousands of exception dump commands with different addresses

Removing thousands of interfaces from the configuration

Thousands of HSRP state changes from ACTIVE to STANDBY on an interface

Then the following message might appear on the console:

%PLATFORM-1-DP_HM_FAIL: Failed to receive response from Fail to send message to IXP: Msgcode : %d
. Check `sami health-monitoring' configuration and see `show sami health-monitoring' for more info

Thereafter, although the interface might be UP on the CP, pings to the interface fail. Packets can be seen leaving the CSG2 from the interface, but data to the interface is not seen by the CP.

CSCsr57168—ServiceStop lost during quota server failure if User Table entry deleted

If multiple quota servers are active, and the user logs off during a quota server failover, the CSG2 might fail to generate a ServiceStop message. This might result in the user session not being billed correctly.

CSCsr88505—CSG2 - Policy priority values greater than 511 should not be permitted

The CSG2 allows the configuration of priority values up to 65535 for policies within content rules. However, the underlying code only allows values up to 511. Configuring a priority higher than 511 results in the content rule matching only the default policy.

CSCsr93270—Year and month incorrect in BCD timestamps

If you configure the following commands:

records granularity service bytes 10240000 seconds 3600
ip csg records format fixed
 
   

Then CDRs for the service might report start and stop dates with years and months in the wrong format.

CSCsu03235—CSG2 - Redirection on zero quota grant not working with AoC enabled

If a service is configured for Advice of Charge, the CSG2 might fail to redirect a user when zero quota is received from the quota server in a Service Authorization Response.

CSCsu37742—Special SIP INVITE causing CSG2 to crash

CSG might crash when performing Layer 7 SIP inspection. The crash can occur while the CSG2 is parsing an incorrectly formed SIP INVITE request (that is, a SIP INVITE request in which the SDP portion of the message contains extra carriage return and line feed characters).

CSCsu64671—[CSG2-R2] No Service Reauthorization to quota server during MS roaming

In Cisco CSG2 running R2 image, service reauthorization might not be sent to the quota server during roaming.

For this problem to occur, all of the following conditions must be met:

The user must be a prepaid user.

Service must be configured with basis seconds.

RADIUS reauthorization must be configured in the CSG2.

The CSG2 must receive a RADIUS interim accounting update with different values for the configured RADIUS attributes.

CSCsv01597—R3: Special SIP INVITE causing DATA Corruption traceback

When the CSG2 performs Layer 7 SIP parsing on a packet that contains a SIP or SDP header token that exceeds 256 bytes, a DATA CORRUPTION traceback might be displayed on the console.

CSCsv12836—CSG2: The Qualified Remaining Quota TLV does not carry more than 4 bytes

If duration-based billing is configured, and the remaining quota is very large (greater than 2147483647), the CSG2 might not use the upper 4 bytes of the Qualified Remaining Quota TLV.

CSCsv27593—CSG2 R2 - Duration-based billing shows incorrect usage value in the SvcReAuthReq Usage TLV

If duration-based billing is configured, and there is a difference between the remaining quota and the quota required for the current transaction, and the last billable timestamp is very large (greater than 2147483647), the CSG might show an incorrect usage value in the SvcReAuthReq message.

CSCsv42769—CSG2 R3: Unable to configure the no form of the idle (CSG2 service) command

If a service contains at least one rule (content/policy), the CSG2 does not allow the idle to be reset by entering the idle (CSG2 service) command.

CSCsv66930—CSG2 crash at csg_kut_svc_timeout

A WS-SVC-SAMI-BB-K9 service blade running an c7svcsami-csg-mz or c7svcsami-csgk9-mz image might reload.

For this problem to occur, all of the following conditions must be met:

A CSG2 User Table entry for a subscriber must be deleted due to a trigger such as a RADIUS Accounting Stop message.

The subscriber must be using a prepaid service.

The traffic that maps to the prepaid service must be FTP or HTTP traffic parsed at Layer 7, or any Internet Protocol (IPv4) traffic parsed at Layer 4.

CSCsv76023—Unable to configure multiple RADIUS monitors for the same server

If you have already configured a RADIUS monitor for a RADIUS server address, and you try to configure another RADIUS monitor for that address but for a different port, the CSG2 might not allow you to do so.

SAMI Software for Cisco IOS Release 12.4(22)MD - Open Caveats

The following list identifies Open caveats in the SAMI software that impact the CSG2 software for Cisco IOS Release 12.4(22)MD.

CSCsj81608—The show cdp command fails

The show cdp entry * command output is empty.

Workaround: None.

CSCsm31641—RCaL on CSG2 is not working for port 10000

The remote console and logging (RCaL) feature on the CSG2 image might not work if the Supervisor Engine's logging listen port and the Power PC's (PPC's) logging main-cpu port are both configured as port 10000.

Workaround: Use the default port 4000 for RCAL, or any port other than 10000.

CSCsq92712—A SAMI processor might crash when using iSCSI-related commands

A SAMI processor might crash when you are configuring or unconfiguring iSCSI-related commands.

For this problem to occur, all of the following conditions must be met:

GGSN/Charging must be in maintenance mode.

The processor must be stressed with traffic flow across PDPs.

There must be a very high number of CDRs.

iSCSI backup must be used for charging records storage.

On the CSG2, control and traffic are on different processors. The iSCSI configuration and processing are only in the control CPU, and this issue is seen only when the CPU is at about 90%. The control CPU is not likely to ever reach 90%. Therefore, this issue is not likely to occur in the CSG2.

Workaround: None.

CSCsu24035—Terminating RCAL execution on SAMI LCP/PPC might cause an RCAL failure

If you use Ctrl-^ to terminate a remote console and logging (RCAL) execute-on from the Supervisor Engine into the SAMI line control processor (LCP) or PowerPC (PPC), the next RCAL execute-on attempt might fail.

Workaround: Disable logging listen on the Supervisor Engine, then re-enable it.

SAMI Software for Cisco IOS Release 12.4(22)MD - Closed Caveats

The following list identifies the Closed caveats in the SAMI software that impact the CSG2 software for Cisco IOS Release 12.4(22)MD:

CSCsk10568—The total displayed in the show process cpu command output is less than the interrupt

When the GGSN is under stress, such as CPU utilization more than 96%, the output of the show process cpu command might be incorrect.

CSCsl72185—SAMI module status shows Shutdown even when it boots up

When the SAMI image is upgraded from the Supervisor Engine using the upgrade command, it executes correctly, but the output of the show module command displays a module status of Shutdown when it should be Other. When the SAMI comes online, the status is shown correctly as OK.

CSCso02063—The SAMI allows the configuration of maximum transmission unit (MTU) sizes greater than 3,000 bytes in the Power PC (PPC), but packet fragments of more than 3,000 bytes are dropped

Packet fragments larger than 3,000 bytes are dropped by the SAMI,.

For this problem to occur, all of the following conditions must be met:

The incoming packet interface must be configured to allow MYTU sizes greater than 3,000 bytes.

Packets larger than 3,000 bytes must be sent through that interface to the SAMI.

CSCsq38262—Sup32: PPCs fail to download the configuration unless the boot string is configured in the Supervisor

The SAMI processors fail to download the configuration from the Supervisor Engine. EOBC traffic does not work. The session from the Supervisor Engine to processors 1-8 does not work.

For this problem to occur, one or more of the following conditions must be true:

Supervisor Engine 32 must be used in the chassis without executing the boot eobc upgrade command.

LCP ROMMON version 121 must have been used at some time on the SAMI.

The SAMI must be moved from a Supervisor Engine 32 to a Supervisor Engine 720 or Route Switch Processor 720, or vice versa.

Booting via EOBC must be used with different version of the Supervisor Engine.

CSCsq47043—Standby crashes when re-configuring standby ip command

A router functioning as the standby for a Hot Standby Routing Protocol (HSRP) group might reload when it is dissociated from that group and then re-associated with it.

CSCsr30768—SUP32: EOBC boot of SAMI failing from bootflash of Supervisor Engine

If the SAMI bundle is present in the bootflash or sup-bootflash of the Supervisor Engine 32, an EOBC boot of the SAMI might fail and the SAMI might enter power-down state.

CSCsu66533—A software crash due to process watchdog timeout does not reload the SAMI

The SAMI processor might hang if it encounters a very rare software error.

CSCsv15306—SAMI bring-up does not detect a Nitrox hardware failure

If there is a hardware failure in the Nitrox module of the card, the PPC Processors boot up fine, but the Boot Log of Processor 0 shows a Loading Nitrox driver failure.

Cisco Product Security Incident Response Team (PSIRT) - Closed Caveats

The following list identifies Cisco PSIRT closed caveats that impact Cisco IOS Release 12.4(24)MD1:

CSCsu11522—A voice gateway might crash when processing a valid SIP message

A vulnerability exists in the Session Initiation Protocol (SIP) implementation in Cisco IOS software that can be exploited remotely to cause a reload of the Cisco IOS device.

Cisco has released free software updates that address this vulnerability. There are no workarounds available to mitigate the vulnerability apart from disabling SIP, if the Cisco IOS device does not need to run SIP for VoIP services. However, mitigation techniques are available to help limit exposure to the vulnerability.

This advisory is posted at the following link:

http://www.cisco.com/warp/public/707/cisco-sa-20090325-sip.shtml.

CSCsu70214

A vulnerability exists in Cisco IOS software where an unauthenticated attacker could bypass access control policies when the Object Groups for Access Control Lists (ACLs) feature is used. Cisco has released free software updates that address this vulnerability. There are no workarounds for this vulnerability other than disabling the Object Groups for ACLs feature. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-acl.shtml.

Documentation and Technical Assistance

This section contains the following information:

Related Documentation

Obtaining Documentation and Submitting a Service Request

Related Documentation

Use these release notes with these documents:

CSG2 Documentation

Release-Specific Documents

Platform-Specific Documents

Cisco IOS Software Documentation Set

CSG2 Documentation

For more detailed installation and configuration information, see the following publication:

Cisco Content Services Gateway - 2nd Generation Release 3 Installation and Configuration Guide

Release-Specific Documents

The following documents are specific to Cisco IOS Release 12.4 and are located at Cisco.com:

Cisco IOS Release 12.4 Mainline Release Notes

Documentation > Cisco IOS Software > Cisco IOS Software Releases 12.4 Mainline > Release Notes

Cisco IOS Release 12.4 T Release Notes

Documentation > Cisco IOS Software > Cisco IOS Software Releases 12.4 T > Release Notes


Note If you have an account with Cisco.com, you can use Bug Navigator II to find caveats of any severity for any release. You can reach Bug Navigator II on Cisco.com at http://www.cisco.com/support/bugtools.


Product bulletins, field notices, and other release-specific documents on Cisco.com at:

Documentation > Cisco IOS Software > Cisco IOS Software Releases 12.4 Mainline

Platform-Specific Documents

These documents are available for the Cisco 7600 series router platform on Cisco.com and the Documentation CD-ROM:

Cisco Service and Application Module for IP User Guide

Cisco 7600 series routers documentation:

Cisco 7600 Series Cisco IOS Software Configuration Guide

Cisco 7600 Series Cisco IOS Command Reference

Release Notes for Cisco IOS Release 12.2SR for the Cisco 7600 Series Routers

Cisco IOS Software Documentation Set

The Cisco IOS software documentation set consists of the Cisco IOS configuration guides, Cisco IOS command references, and several other supporting documents that are shipped with your order in electronic form on the Documentation CD-ROM, unless you specifically ordered the printed versions.

Documentation Modules

Each module in the Cisco IOS documentation set consists of two books: a configuration guide and a corresponding command reference guide. Chapters in a configuration guide describe protocols, configuration tasks, Cisco IOS software functionality, and contain comprehensive configuration examples. Chapters in a command reference guide list command syntax information. Use each configuration guide with its corresponding command reference. The Cisco IOS documentation modules are available on Cisco.com at:

Documentation > Cisco IOS Software > Cisco IOS Software Releases 12.4 Mainline > Command References

Documentation > Cisco IOS Software > Cisco IOS Software Releases 12.4 Mainline > Command References > Configuration Guides


Note To view a list of MIBs supported by Cisco, by product, go to: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml


Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.