Cisco Content Services Gateway

Release Notes for Cisco Content Services Gateway - 2nd Generation Release 3.5 Cisco IOS Release 12.4(22)MDA6



Revised: February 21, 2012
Current Release—12.4(22)MDA6

This publication describes the requirements, dependencies, and caveats for the Cisco Content Services Gateway - 2nd Generation, more commonly known as the Content Services Gateway 2 or CSG2. These release notes are updated for every maintenance release.

Use these release notes with the Cross-Platform Release Notes for Cisco IOS Release 12.4, located on Cisco.com.

Caveats

Caveats describe unexpected behavior in Cisco IOS software releases. Severity 1 caveats are the most serious caveats; severity 2 caveats are less serious. Severity 3 caveats are moderate caveats, and only select severity 3 caveats are included in the caveats document.

All caveats in Cisco IOS Release 12.4 and Cisco IOS Release 12.4 T are also in Cisco IOS Release 12.4(22)MDA6.

For a list of the software caveats that affect the CSG2 or SAMI software for Cisco IOS Release 12.4(22)MDA6, see the "Caveats for Cisco IOS Release 12.4(22)MDA3" section.

For information on caveats in Cisco IOS Release 12.4, see Caveats for Cisco IOS Release 12.4, located on Cisco.com.

For information on caveats in Cisco IOS Release 12.4 T, see Caveats for Cisco IOS Release 12.4T, located on Cisco.com and the Documentation CD-ROM.

Using the Bug Navigator II

If you have an account with Cisco.com, you can use Bug Navigator II to find the most current list of caveats of any severity for any software release. To reach Bug Navigator II, log in to Cisco.com and click Software Center: Cisco IOS Software: Cisco Bugtool Navigator II.

This publication includes the following information:

Introduction

Features

System Requirements

Prerequisites and Restrictions

Caveats for Cisco IOS Release 12.4(22)MDA6

CSG2 Software for Cisco IOS Release 12.4(22)MDA6 - Open Caveats

CSG2 Software for Cisco IOS Release 12.4(22)MDA6 - Closed Caveats

Cisco SAMI Software for Cisco IOS Release 12.4(22)MDA6 - Open Caveats

Cisco SAMI Software for Cisco IOS Release 12.4(22)MDA6 - Closed Caveats

Cisco Product Security Incident Response Team (PSIRT) - Closed Caveats

Caveats for Cisco IOS Release 12.4(22)MDA5

CSG2 Software for Cisco IOS Release 12.4(22)MDA5 - Open Caveats

CSG2 Software for Cisco IOS Release 12.4(22)MDA5 - Closed Caveats

Cisco SAMI Software for Cisco IOS Release 12.4(22)MDA5 - Open Caveats

Cisco SAMI Software for Cisco IOS Release 12.4(22)MDA5 - Closed Caveats

Cisco Product Security Incident Response Team (PSIRT) - Closed Caveats

Caveats for Cisco IOS Release 12.4(22)MDA4

CSG2 Software for Cisco IOS Release 12.4(22)MDA4 - Open Caveats

CSG2 Software for Cisco IOS Release 12.4(22)MDA4 - Closed Caveats

Cisco SAMI Software for Cisco IOS Release 12.4(22)MDA4 - Open Caveats

Cisco SAMI Software for Cisco IOS Release 12.4(22)MDA4 - Closed Caveats

Cisco Product Security Incident Response Team (PSIRT) - Closed Caveats

Caveats for Cisco IOS Release 12.4(22)MDA3

CSG2 Software for Cisco IOS Release 12.4(22)MDA3 - Open Caveats

CSG2 Software for Cisco IOS Release 12.4(22)MDA3 - Closed Caveats

Cisco SAMI Software for Cisco IOS Release 12.4(22)MDA3 - Open Caveats

Cisco SAMI Software for Cisco IOS Release 12.4(22)MDA3 - Closed Caveats

Caveats for Cisco IOS Release 12.4(22)MDA2

CSG2 Software for Cisco IOS Release 12.4(22)MDA2 - Open Caveats

CSG2 Software for Cisco IOS Release 12.4(22)MDA2 - Closed Caveats

Cisco SAMI Software for Cisco IOS Release 12.4(22)MDA2 - Open Caveats

Cisco SAMI Software for Cisco IOS Release 12.4(22)MDA2 - Closed Caveats

Cisco Product Security Incident Response Team (PSIRT) - Closed Caveats

Caveats for Cisco IOS Release 12.4(22)MDA1

CSG2 Software for Cisco IOS Release 12.4(22)MDA1 - Open Caveats

CSG2 Software for Cisco IOS Release 12.4(22)MDA1 - Closed Caveats

Cisco SAMI Software for Cisco IOS Release 12.4(22)MDA1 - Open Caveats

Cisco SAMI Software for Cisco IOS Release 12.4(22)MDA1 - Closed Caveats

Cisco Product Security Incident Response Team (PSIRT) - Closed Caveats

Caveats for Cisco IOS Release 12.4(22)MDA

CSG2 Software for Cisco IOS Release 12.4(22)MDA - Open Caveats

CSG2 Software for Cisco IOS Release 12.4(22)MDA - Closed Caveats

Cisco SAMI Software for Cisco IOS Release 12.4(22)MDA - Open Caveats

Cisco SAMI Software for Cisco IOS Release 12.4(22)MDA - Closed Caveats

Cisco Product Security Incident Response Team (PSIRT) - Closed Caveats

Documentation and Technical Assistance

Introduction

The CSG2 is an application that runs on the Cisco Service and Application Module for IP (Cisco SAMI), a high-speed processing module. The CSG2 provides content-aware billing, service control, traffic analysis, and data mining in a highly scalable, fault-tolerant package. The CSG2 provides the software required by mobile wireless operating companies and other billing, applications, and service customers.

The CSG2 runs on the Cisco SAMI, a new-generation high performance service module for the Cisco 7600 series router platforms. The CSG2 is typically located at the edge of a network in an Internet service provider (ISP) point of presence (POP), or Regional Data Center.

Features

This section lists the CSG2 features and the CSG2 release in which the feature was introduced. For full descriptions of all of these features, see the Cisco Content Services Gateway - 2nd Generation Release 3.5 Installation and Configuration Guide.

To see the software part numbers associated with each CSG2 release; the Supervisor hardware required by each CSG2 release; the minimum Cisco IOS release required for new features in each CSG2 release; and the minimum IOS level supported by each CSG2 release, see the "Software Requirements" section.

CSG2 Features Supported for Cisco IOS Release 12.4(22)MDA6

CSG2 Features Supported for Cisco IOS Release 12.4(22)MDA5

CSG2 Features Supported for Cisco IOS Release 12.4(22)MDA4

CSG2 Features Supported for Cisco IOS Release 12.4(22)MDA3

CSG2 Features Supported for Cisco IOS Release 12.4(22)MDA2

CSG2 Features Supported for Cisco IOS Release 12.4(22)MDA1

CSG2 Features Supported for Cisco IOS Release 12.4(22)MDA

CSG2 Features Supported for Cisco IOS Release 12.4(22)MDA6

The CSG2 software for Cisco IOS Release 12.4(22)MDA6 supports the entire feature set listed in the "CSG2 Features Supported for Cisco IOS Release 12.4(22)MDA5" section.

CSG2 Features Supported for Cisco IOS Release 12.4(22)MDA5

The CSG2 software for Cisco IOS Release 12.4(22)MDA5 supports the entire feature set listed in the "CSG2 Features Supported for Cisco IOS Release 12.4(22)MDA4" section.

In addition, the CSG2 software for Cisco IOS Release 12.4(22)MDA5 supports the following new feature:

Enhanced CCA Failure Reporting

CSG2 Features Supported for Cisco IOS Release 12.4(22)MDA4

The CSG2 software for Cisco IOS Release 12.4(22)MDA4 supports the entire feature set listed in the "CSG2 Features Supported for Cisco IOS Release 12.4(22)MDA1" section.

In addition, the CSG2 software for Cisco IOS Release 12.4(22)MDA4 supports the following new features:

Configurable REGEX Memory

Configurable URL Map Normalization

Reuse of Idle RADIUS Proxy Ports

RTSP Teardown Reply Delay

User Session Continuation After PCRF Timeout

CSG2 Features Supported for Cisco IOS Release 12.4(22)MDA3

The CSG2 software for Cisco IOS Release 12.4(22)MDA3 supports the entire feature set listed in the "CSG2 Features Supported for Cisco IOS Release 12.4(22)MDA1" section.

CSG2 Features Supported for Cisco IOS Release 12.4(22)MDA2

The CSG2 software for Cisco IOS Release 12.4(22)MDA2 supports the entire feature set listed in the "CSG2 Features Supported for Cisco IOS Release 12.4(22)MDA1" section.

CSG2 Features Supported for Cisco IOS Release 12.4(22)MDA1

The CSG2 software for Cisco IOS Release 12.4(22)MDA1 supports the entire feature set listed in the "CSG2 Features Supported for Cisco IOS Release 12.4(22)MDA" section.

In addition, the CSG2 software for Cisco IOS Release 12.4(22)MDA1 supports the following new features:

MIB Support for DIAMETER

MIB Support for Gx

MIB Support for Gx Load Management

MIB Support for Protocol Transaction Statistics

CSG2 Features Supported for Cisco IOS Release 12.4(22)MDA

The CSG2 Release 3.5 software for Cisco IOS Release 12.4(22)MDA supports the entire feature set for the CSG2 Release 3.0 software for Cisco IOS Release 12.4(22)MD.

In addition, the CSG2 software for Cisco IOS Release 12.4(22)MDA supports the following new features:

Content Name Reporting

Offline Billing Control

Out-of-Order Forwarding of HTTP Packets

Packet Logging and Reporting

Policy Control via Gx Interface

Policy Matching for HTTP Downgrade

Policy Name Reporting

Protocol Transaction Statistics

Relative URI Matching

Skype V3.0 Support

Support for up to 32 Quota Servers

TCP Signature Reporting

Virtual Prepaid

System Requirements

This section describes the following memory and software requirements for CSG2:

Memory Requirements

Hardware Supported

Software Requirements

Determining the Software Version

For hardware requirements, such as power supply and environmental requirements, as well as hardware installation instructions, see the Service and Application Module for IP User Guide.

Memory Requirements

The CSG2 memory is not configurable.

The Cisco SAMI is available with a default 1-GB memory or an optional 2-GB memory.

Hardware Supported

Use of the CSG2 requires one of the following Cisco 7600 Series Routers and Supervisor Engines, and a module with ports to connect server and client networks:

Cisco 7600 Series Supervisor Engine 720 with a Multilayer Switch Feature Card 3 (WS-SUP720) running Cisco IOS Release 12.4(33)SRB1 or later

Cisco 7600 Series Supervisor Engine 720 with a Multilayer Switch Feature Card 3 and Policy Feature Card 3B (WS-SUP720-3B) running Cisco IOS Release 12.4(33)SRB1 or later

Cisco 7600 Series Supervisor Engine 720 with a Multilayer Switch Feature Card 3 and Policy Feature Card 3BXL (WS-SUP720-3BXL) running Cisco IOS Release 12.2(33)SRB1 or later

Cisco 7600 Series Supervisor Engine 32 with a Multilayer Switch Feature Card (WS-SUP32-GE-3B) running Cisco IOS Release 12.2(33)SRC or later and LCP ROMMON Version 12.2[121] or later on the Cisco SAMI

Cisco 7600 Series Supervisor Engine 32 with a Multilayer Switch Feature Card and 10 Gigabit Ethernet Uplinks (WS-SUP32-10GE-3B) running Cisco IOS Release 12.4(33)SRC or later and LCP ROMMON Version 12.2[121] or later on the Cisco SAMI

Cisco 7600 Series Route Switch Processor 720 with Distributed Forwarding Card 3C (RSP720-3C-GE) running Cisco IOS Release 12.4(33)SRC or later

Cisco 7600 Series Route Switch Processor 720 with Distributed Forwarding Card 3CXL (RSP720-3CXL-GE) running Cisco IOS Release 12.2(33)SRC or later

Software Requirements

When referring to this section, keep the following considerations in mind:

Do not use the Supervisor Hardware Supported column to infer supervisor hardware support. Consult the Cisco IOS Upgrade Planner to determine which IOS releases support the desired supervisor hardware.

Each feature set is limited to those features that can be configured at the Minimum Cisco IOS Level Supported.

The following table lists the CSG2 and Cisco SAMI module part numbers and associated information for each CSG2 release:

CSG2 Release: 12.4(22)MDA6, 12.4(22)MDA5, 12.4(22)MDA4, 12.4(22)MDA3, 12.4(22)MDA2, 12.4(22)MDA1, 12.4(22)MDA

CSG2 and Cisco SAMI Module Part Numbers:

Cisco SAMI Module Part Numbers: WS-SVC-SAMI-BB-K9, WS-SVC-SAMI-BB-K9=, MEM-SAMI-6P-2GB

CSG2 Software License Part Numbers: SSAC30K9-12422MD, SSAC30K9-12422MD=

CSG2 Software Subscriber License Part Numbers: FL-SC-10K-SUB, FL-SC-100K-SUB

CSG2 Software Upgrade License Part Numbers: FL-SC-R1R2-UP

CSG2 Software and Cisco SAMI Module Bundle Part Numbers: SAMI-CSG2-R2AS-K9=

Supervisor Hardware Supported: WS-SUP720, WS-SUP720-3B, WS-SUP720-3BXL
Supervisor Software Minimum Cisco IOS Release Required for New Features: 12.2(33)SRB1
Supervisor Software Minimum Cisco IOS Level Supported: 12.2(33)SRB1

Supervisor Hardware Supported: WS-SUP32-GE-3B, WS-SUP32-10GE-3B
Supervisor Software Minimum Cisco IOS Release Required for New Features: 12.2(33)SRC
Supervisor Software Minimum Cisco IOS Level Supported: 12.2(33)SRC

Supervisor Hardware Supported: RSP720-3C-GE, RSP720-3CXL-GE
Supervisor Software Minimum Cisco IOS Release Required for New Features: 12.2(33)SRC
Supervisor Software Minimum Cisco IOS Level Supported: 12.2(33)SRC


Determining the Software Version

To determine the version of Cisco IOS software that is currently running on your Cisco network device, log in to the CSG2 or Supervisor Engine and enter the show version EXEC command.

To show CSG2 versions, log in to the Supervisor Engine and enter the show module command in privileged EXEC mode.

To provide meaningful problem determination information, log in to the CSG2 or Supervisor Engine and enter the show tech-support command in privileged EXEC mode.

Prerequisites and Restrictions

For the latest prerequisites and restrictions for the CSG2, see the "Overview" chapter of the Cisco Content Services Gateway - 2nd Generation Release 3.5 Installation and Configuration Guide.

Caveats for Cisco IOS Release 12.4(22)MDA6

This section lists and describes all caveats, both Open and Closed, that affect the CSG2 or Cisco SAMI software for Cisco IOS Release 12.4(22)MDA6.

CSG2 Software for Cisco IOS Release 12.4(22)MDA6 - Open Caveats

CSG2 Software for Cisco IOS Release 12.4(22)MDA6 - Closed Caveats

Cisco SAMI Software for Cisco IOS Release 12.4(22)MDA6 - Open Caveats

Cisco SAMI Software for Cisco IOS Release 12.4(22)MDA6 - Closed Caveats

CSG2 Software for Cisco IOS Release 12.4(22)MDA6 - Open Caveats

There are no Open caveats in the CSG2 software for Cisco IOS Release 12.4(22)MDA6.

CSG2 Software for Cisco IOS Release 12.4(22)MDA6 - Closed Caveats

The following list identifies Closed caveats in the CSG2 software for Cisco IOS Release 12.4(22)MDA6:

CSCtl48268—CSG2: Diameter protocol error can cause memory corruption and crash

The CSG2 might crash as a result of a memory corruption or accessing an invalid address. The logs from the crashinfo show that the PCRF sent Diameter protocol errors.

CSCtl59093—CSG2 R5 crash during content inservice

When activating a content using the inservice command, the CSG2 might generate CPUHOG and CPUYIELD error messages.

For this problem to occur, all of the following conditions must be met:

A large number of match patterns must be configured.

A large number of the match patterns must be double-wildcard match patterns.

The CSG2 regular expression (regex) memory must be configured at or near the maximum setting.

CSCtn62963—Support HTTPS URL redirection

Modify the CSG2 to support HTTPS URL redirection.

CSCty02688—CSG2: Improper session synchronization during upgrade

When performing an in-service upgrade and synchronizing sessions from the active CSG2 Release 4, or any earlier release, to the standby CSG2 Release 5, or any later release, the synchronization might not complete correctly.

Workaround: Do not perform an in-service upgrade from CSG2 Release 4, or any earlier release, to CSG2 Release 5, or any later release.

Cisco SAMI Software for Cisco IOS Release 12.4(22)MDA6 - Open Caveats

The following list identifies Open caveats in the Cisco SAMI software that impact the CSG2 software for Cisco IOS Release 12.4(22)MDA6.

CSCsj81608—The show cdp command fails

The show cdp entry * command output is empty.

Workaround: None.

CSCsm31641—Port 10000 needs to be reserved for WISM card

The remote console and logging (RCaL) feature on the CSG2 image might not work if the Supervisor Engine's logging listen port and the Power PC's (PPC's) logging main-cpu port are both configured as port 10000.

Workaround: Use the default port 4000 for RCAL, or any port other than 10000.

CSCtk35711—CSG2 takes 5 minutes to detect iSCSI failure due to network outage

The CSG2 might take up to five minutes to detect an iSCSI failure resulting from a network outage.

For this problem to occur, all of the following conditions must be met:

The session timeout must be set to 50 seconds or greater.

The interface that the CSG2 uses to communicate with the iSCSI target must be down.

Workaround: Enter the following commands to enable the CSG2 to detect the failure after the session times out.

ip tcp mss 1460
ip tcp path-mtu-discovery

Cisco SAMI Software for Cisco IOS Release 12.4(22)MDA6 - Closed Caveats

The following list identifies Closed caveats in the Cisco SAMI software that impact the CSG2 software for Cisco IOS Release 12.4(22)MDA6:

CSCtj86047—Unable to disassociate iSCSI profile from the CSG2

The iSCSI configuration on the CSG2 cannot be modified. The following error is logged:

%Cannot modify in use target profile, first dissociate profile TEST from application

CSCtk98031—Target name not included in iSCSI login message

After modifying the iSCSI configuration, the iSCSI login fails.

The Cisco SAMI debug shows the following error message:

iSCSI ERROR: login error status class 2, status details 7

The server log shows the following error message:

Initiator did not specify target name in LOGIN request

Cisco Product Security Incident Response Team (PSIRT) - Closed Caveats

The following list identifies Cisco PSIRT closed caveats that impact Cisco IOS Release 12.4(22)MDA6:

CSCtd10712

The Cisco IOS Software network address translation (NAT) feature contains multiple denial of service (DoS) vulnerabilities in the translation of the following protocols:

NetMeeting Directory (Lightweight Directory Access Protocol, LDAP)

Session Initiation Protocol (Multiple vulnerabilities)

H.323 protocol

All the vulnerabilities described in this document are caused by packets in transit on the affected devices when those packets require application layer translation.

Cisco has released free software updates that address these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20110928-nat.shtml.

Caveats for Cisco IOS Release 12.4(22)MDA5

This section lists and describes all caveats, both Open and Closed, that affect the CSG2 or Cisco SAMI software for Cisco IOS Release 12.4(22)MDA5.

CSG2 Software for Cisco IOS Release 12.4(22)MDA5 - Open Caveats

CSG2 Software for Cisco IOS Release 12.4(22)MDA5 - Closed Caveats

Cisco SAMI Software for Cisco IOS Release 12.4(22)MDA5 - Open Caveats

Cisco SAMI Software for Cisco IOS Release 12.4(22)MDA5 - Closed Caveats

Cisco Product Security Incident Response Team (PSIRT) - Closed Caveats

CSG2 Software for Cisco IOS Release 12.4(22)MDA5 - Open Caveats

There are no Open caveats in the CSG2 software for Cisco IOS Release 12.4(22)MDA5.

CSG2 Software for Cisco IOS Release 12.4(22)MDA5 - Closed Caveats

The following list identifies Closed caveats in the CSG2 software for Cisco IOS Release 12.4(22)MDA5:

CSCsh25384—CP crash in csg_gtp_queue_and_send when running simple_redund

If a failover occurs and the no ip csg bma or no ip csg quota-server command is issued, the CSG2 might crash.

CSCti06218—Spurious memory access when sending fixed-format CDR

When the ip csg records format fixed command is configured to send fixed-format CDRs, a spurious memory access error might occur.

CSCti07167—SIP Invite method with map attributes matches wrong policy

A SIP Invite method with attribute maps always matches the default policy instead of the expected policy.

CSCti18302—CSG2 software forced reload after configuring no ip csg bma activate

The CSG2 software forced a reload after a configuration change.

For this problem to occur, all of the following conditions must be met:

The active BMA queues must be full with 20,000 elements waiting to be acknowledged.

The no ip csg bma activate 4 command must be configured.

The ip csg bma activate 4 sticky 60 command must be configured.

CSCti35812—Reload triggered when parsing POP3 packet

When the CSG2 is performing Layer 7 parsing of POP3 or SMTP e-mail traffic, and an e-mail packet is received with a crafted, malformed header, a watchdog might trigger a reload of the CSG2.

CSCtj04285—Slow clearing of the quota server queues in the CSG2

During high traffic conditions the CSG2 clears the quota server queue too slowly.

Workaround: Reduce the quota server queue size, leaving the maximum transmission window size and the retransmission timer set to the defaults.

CSCtj09087—CSG2: Cannot preload a content that conflicts with CLI content

If the CSG2 tries to preload a content definition with IP filter parameters that match a content that has already been configured with CLI, the CSG2 does not allow the preloaded content to be brought inservice. The following message is displayed:

SAMI 9/3: CSG-3-PRELOAD ERR: Cannot bring content IP_ANY_PRELOAD inservice, it duplicates content IP_ANY_CLI

CSCtj25636—CCR-I resent to the backup before the original CCR-I is sent

When Diameter does not receive a response to a Diameter request from the PCRF within the configured timeout interval, the primary Diameter peer sends a CCR-I shortly after the backup has sent out the same CCR-I with the retransmit flag set.

CSCtj73069—CSG2: Usage statistics are not replicated to redundant side during failover

The session usage statistics are not replicated to the standby CSG2.

CSCtj84347—CSG2: Relative URL matching fails due to bad host name in recomposed URL

If an HTTP.request-method: spans multiple TCP segments, with the host HTTP header field in the first TCP segment, relative URL matching might fail.

CSCtj99945—CSG2: Improper quota server load balancing

The assignment of user entries to quota servers for load-balancing might be askew. For example, if 100 user entries were created with two active quota servers configured, the expected behavior is that each quota server would be assigned about 50 user entries. However, the number of user entries assigned to each quota server might actually be asymmetric and inconsistent.

CSCtk13449—Simultaneous crashes on active/standby at dllobj_lite_add

A simultaneous reset of two CSG2s operating in redundant mode might occur.

CSCtk13992—CSG2 out of IDs: %IDMGR-3-INVALID_ID: bad id in id_get (Out of IDs!)

In an eGGSN deployment with Gx-enabled users, the CSG2 might stop processing certain requests, such as Gx (Diameter requests), causing subscriber outages. The CSG2 might also fail to log in remotely over SSH, generating the following message:

SAMI 4/3: %IDMGR-3-INVALID_ID: bad id in id_get (Out of IDs!) (id: 0x0)

CSCtk36462—Severe memory leak due to SNMP SMALL CHUNK - k_ccsProtocolStatsEntry_get

A severe memory leak might occur on the CSG2 when the following OIDs are polled using SNMP:

CISCO-CONTENT-SERVICES-MIB

ccsProtocolStatsEntry - 1.3.6.1.4.1.9.9.597.1.2.6.1
ccsBillingPlanStatsEntry - 1.3.6.1.4.1.9.9.597.1.2.7.1

CISCO-MOBILE-POLICY-CHARGING-CONTROL-MIB

cmpccPCRFMethodListStatsTableEntry - 1.3.6.1.4.1.9.9.690.1.2.2.1
cmpccProfileConfigTableEntry - 1.3.6.1.4.1.9.9.690.1.1.1.1
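
One way to check whether a monitoring system's poll list reaches the tables named in CSCtk36462, as an added example that is not Cisco code. The poll list is constructed sample input, and treating a poll rooted above an entry as a subtree walk that traverses it is an assumption about how the poller is used.

```python
"""Flag SNMP poll targets that reach the table entries named in CSCtk36462."""

# Table-entry OIDs copied from the caveat text above.
AFFECTED = {
    "ccsProtocolStatsEntry": "1.3.6.1.4.1.9.9.597.1.2.6.1",
    "ccsBillingPlanStatsEntry": "1.3.6.1.4.1.9.9.597.1.2.7.1",
    "cmpccPCRFMethodListStatsTableEntry": "1.3.6.1.4.1.9.9.690.1.2.2.1",
    "cmpccProfileConfigTableEntry": "1.3.6.1.4.1.9.9.690.1.1.1.1",
}

# Constructed sample poll list (not taken from any real NMS configuration).
SAMPLE_POLL_LIST = [
    "1.3.6.1.2.1.1.3.0",               # sysUpTime.0, unrelated
    ".1.3.6.1.4.1.9.9.597.1.2.6.1.4",  # a column below ccsProtocolStatsEntry
                                       # (column number is made up)
    "1.3.6.1.4.1.9.9.597.1.2.6.10",    # sibling arc that only looks similar
    "1.3.6.1.4.1.9.9.690",             # ancestor of both cmpcc* entries
    "1.3.6.1.4.1.9.9.597.1.2.7",       # parent of ccsBillingPlanStatsEntry
]


def parse_oid(text):
    """Turn a dotted OID (leading dot allowed) into a tuple of integers."""
    parts = text.strip().lstrip(".").split(".")
    if any(not part.isdigit() for part in parts):
        raise ValueError(f"not a numeric OID: {text!r}")
    return tuple(int(part) for part in parts)


def is_prefix(prefix, oid):
    """True when every arc of prefix matches the start of oid.

    Comparing arcs rather than strings keeps ...6.10 from matching ...6.1.
    """
    return len(prefix) <= len(oid) and oid[:len(prefix)] == prefix


def classify(polled, affected=AFFECTED):
    """Return (polled_oid, entry_name, kind) for every poll target at risk.

    kind is "direct" when the polled OID is the entry or lies below it,
    and "walk" when the polled OID is an ancestor, so a walk rooted there
    would pass through the entry.
    """
    hits = []
    for raw in polled:
        oid = parse_oid(raw)
        for name, entry_text in affected.items():
            entry = parse_oid(entry_text)
            if is_prefix(entry, oid):
                hits.append((raw, name, "direct"))
            elif is_prefix(oid, entry):
                hits.append((raw, name, "walk"))
    return hits


if __name__ == "__main__":
    for raw, name, kind in classify(SAMPLE_POLL_LIST):
        print(f"{raw:35} reaches {name} ({kind})")
```
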

Cisco SAMI Software for Cisco IOS Release 12.4(22)MDA5 - Open Caveats

The following list identifies Open caveats in the Cisco SAMI software that impact the CSG2 software for Cisco IOS Release 12.4(22)MDA5.

CSCsj81608—The show cdp command fails

The show cdp entry * command output is empty.

Workaround: None.

CSCsm31641—Port 10000 needs to be reserved for WISM card

The remote console and logging (RCaL) feature on the CSG2 image might not work if the Supervisor Engine's logging listen port and the Power PC's (PPC's) logging main-cpu port are both configured as port 10000.

Workaround: Use the default port 4000 for RCAL, or any port other than 10000.

CSCtk35711—CSG2 takes 5 minutes to detect iSCSI failure due to network outage

The CSG2 might take up to five minutes to detect an iSCSI failure resulting from a network outage.

For this problem to occur, all of the following conditions must be met:

The session timeout must be set to 50 seconds or greater.

The interface that the CSG2 uses to communicate with the iSCSI target must be down.

Workaround: Enter the following commands to enable the CSG2 to detect the failure after the session times out.

ip tcp mss 1460
ip tcp path-mtu-discovery

Cisco SAMI Software for Cisco IOS Release 12.4(22)MDA5 - Closed Caveats

The following list identifies Closed caveats in the Cisco SAMI software that impact the CSG2 software for Cisco IOS Release 12.4(22)MDA5:

CSCtf55436—iSCSI session to EMC not reestablished after interface comes up

When an iSCSI connection with EMC on the GGSN drops due to a session timeout, and the user tries to log in again, the iSCSI session might not be reestablished.

CSCtf71296—iSCSI state is set incorrectly after session timeout

The iSCSI state in the show ip iscsi session command output displays as "Free" when the connection to the iSCSI target is brought down asynchronously.

CSCti10016—Huge amount of disk size loss after format

When formatting a disk that is 32 GB or larger, the show command displays only 4 GB free on the device.

Cisco Product Security Incident Response Team (PSIRT) - Closed Caveats

The following list identifies Cisco PSIRT closed caveats that impact Cisco IOS Release 12.4(22)MDA5:

CSCtk35917

A service policy bypass vulnerability exists in the Cisco Content Services Gateway—Second Generation (CSG2) which runs on the Cisco Service Application Module for IP (SAMI). This vulnerability could allow in certain configurations:

Customers to access sites that would normally match a billing policy without the end customer being charged.

Customers to access sites that would normally be denied based on configured restriction policies.

Additionally, Cisco IOS Software Release 12.4(24)MD1 on the CSG2 contains two vulnerabilities that can be exploited remotely by an unauthenticated attacker, resulting in a denial of service of traffic through the CSG2. Both of these vulnerabilities require only a single content service to be active on the CSG2 and are exploited via crafted TCP packets. A three-way handshake is not required to exploit either of these vulnerabilities.

No workarounds that mitigate these vulnerabilities are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20110126-csg2.shtml

Caveats for Cisco IOS Release 12.4(22)MDA4

This section lists and describes all caveats, both Open and Closed, that affect the CSG2 or Cisco SAMI software for Cisco IOS Release 12.4(22)MDA4.

CSG2 Software for Cisco IOS Release 12.4(22)MDA4 - Open Caveats

CSG2 Software for Cisco IOS Release 12.4(22)MDA4 - Closed Caveats

Cisco SAMI Software for Cisco IOS Release 12.4(22)MDA4 - Open Caveats

Cisco SAMI Software for Cisco IOS Release 12.4(22)MDA4 - Closed Caveats

Cisco Product Security Incident Response Team (PSIRT) - Closed Caveats

CSG2 Software for Cisco IOS Release 12.4(22)MDA4 - Open Caveats

There are no Open caveats in the CSG2 software for Cisco IOS Release 12.4(22)MDA4.

CSG2 Software for Cisco IOS Release 12.4(22)MDA4 - Closed Caveats

The following list identifies Closed caveats in the CSG2 software for Cisco IOS Release 12.4(22)MDA4:

CSCtf33305—CSG2: 150 Cisco-Flow-Description AVPs in a Gx rule freeze the card

When many Cisco-Flow-Description AVPs or Flow-Description AVPs are embedded within one Gx charging rule, the CSG2 might be unable to install the complete rule, the CSG2 console might become unresponsive, and the CSG2 CP CPU utilization might approach 100%.

CSCtg33015—Memory leak on standby CSG2 processors 4-8

A memory leak is observed on the standby CSG2 in a redundant CSG2 pair. The leak is seen only on processors 4-8 of the standby CSG2.

When simultaneous show tech commands from the active and standby CSG2s are compared, the show fastblk output of the show tech command on processors 4 through 8 of the standby CSG2 shows a significantly higher memory consumption than the active CSG2. The memory consumption of the standby CSG2 also increases steadily over time.

The exact circumstances that cause this memory leak are unknown, but it is likely related to per-user or per-service QoS.

CSCtg68095—Match attribute a & m for SIP INVITE messages is not working

The match attribute m command for a SIP INVITE message does not work.

CSCtg70982—The secret RADIUS key specified with the ip csg radius endpoint command changes after each write memory operation

The secret RADIUS key for the endpoint that is displayed in the show run output changes as write memory operations are performed.

CSCtg90246—The PoD IP address is not assigned if the sticky user was created before the gateway sends the RADIUS Accounting Start message

If a user is created as a sticky user before the gateway sends the RADIUS Accounting Start message, the CSG2 fails to send the PoD or CoA for the user.

CSCtg98342—The CSG2 freezes for a few seconds after RADIUS Accounting ON/OFF messages

When RADIUS Accounting Off and RADIUS Accounting On messages are sent from the GGSN to the CSG2, the CSG2 freezes for several seconds.

CSCth09467—CSG2: The Accounting session ID is not used for RADIUS correlation

The accounting session ID is not used for RADIUS correlation to stop the user. The output of the show user command does not show the user's Correlator attribute. The CP leaks fastblk memory allocated for the RADIUS Correlator attribute.

For this problem to occur, all of the following conditions must be met:

The ip csg radius correlation command must be configured.

The RADIUS Accounting Start message must have Cisco VSA subattributes, but not "user_session_correlator=", so that the Acct-Session-Id (RADIUS attribute 44) is used for correlation.
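To check from a packet capture whether a gateway's Accounting Start messages meet the packet-side conditions of CSCth09467, the following added example (not Cisco code) parses a RADIUS Accounting-Request and reports whether it carries Cisco VSA subattributes without "user_session_correlator=". The sample packets are constructed, the key example-key is hypothetical, and the check assumes the correlator string may appear in any Cisco subattribute; whether ip csg radius correlation is configured cannot be seen in the packet.

```python
import struct

CISCO_VENDOR_ID = 9            # IANA enterprise number for Cisco
ACCOUNTING_REQUEST = 4         # RADIUS packet code
ACCT_STATUS_TYPE = 40          # attribute; value 1 means Start
ACCT_SESSION_ID = 44           # attribute named in the caveat
VENDOR_SPECIFIC = 26
CORRELATOR_PREFIX = b"user_session_correlator="   # string quoted in the caveat


def iter_attributes(packet):
    """Yield (type, value) for every attribute, validating lengths as it goes."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen


def cisco_subattributes(value):
    """Split one Vendor-Specific value into Cisco (subtype, data) pairs."""
    if len(value) < 4 or struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
        return []
    subs, pos = [], 4
    while pos < len(value):
        if pos + 2 > len(value):
            raise ValueError("truncated Cisco sub-attribute")
        stype, slen = value[pos], value[pos + 1]
        if slen < 2 or pos + slen > len(value):
            raise ValueError("bad Cisco sub-attribute length")
        subs.append((stype, value[pos + 2:pos + slen]))
        pos += slen
    return subs


def check_accounting_start(packet):
    """Report whether a packet meets the packet-side conditions of CSCth09467."""
    result = {"is_start": False, "has_cisco_vsa": False,
              "vsa_correlator": None, "acct_session_id": None}
    for atype, value in iter_attributes(packet):
        if atype == ACCT_STATUS_TYPE and len(value) == 4:
            result["is_start"] = struct.unpack("!I", value)[0] == 1
        elif atype == ACCT_SESSION_ID:
            result["acct_session_id"] = value.decode("ascii", "replace")
        elif atype == VENDOR_SPECIFIC:
            for _subtype, data in cisco_subattributes(value):
                result["has_cisco_vsa"] = True
                if data.startswith(CORRELATOR_PREFIX):
                    tail = data[len(CORRELATOR_PREFIX):]
                    result["vsa_correlator"] = tail.decode("ascii", "replace")
    # Only an Accounting-Request with Acct-Status-Type = Start counts.
    result["is_start"] = result["is_start"] and packet[0] == ACCOUNTING_REQUEST
    # Cisco VSAs present, correlator string absent, attribute 44 available.
    result["meets_conditions"] = (result["is_start"]
                                  and result["has_cisco_vsa"]
                                  and result["vsa_correlator"] is None
                                  and result["acct_session_id"] is not None)
    return result


# --- Constructed sample packets (not captured traffic) ---------------------
def attr(atype, value):
    return bytes([atype, len(value) + 2]) + value


def cisco_vsa(data, subtype=1):
    sub = bytes([subtype, len(data) + 2]) + data
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def accounting_request(attributes):
    body = b"".join(attributes)
    # The 16-byte authenticator is zeroed; this example does not verify it.
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, 1, 20 + len(body))
    return header + bytes(16) + body


START = attr(ACCT_STATUS_TYPE, struct.pack("!I", 1))
SESSION = attr(ACCT_SESSION_ID, b"0A0B0C0D00000001")
WITHOUT_CORRELATOR = accounting_request(
    [START, SESSION, cisco_vsa(b"example-key=example-value")])
WITH_CORRELATOR = accounting_request(
    [START, SESSION, cisco_vsa(b"user_session_correlator=abc123")])
NO_CISCO_VSA = accounting_request([START, SESSION])

if __name__ == "__main__":
    for name, pkt in [("without correlator", WITHOUT_CORRELATOR),
                      ("with correlator", WITH_CORRELATOR),
                      ("no Cisco VSA", NO_CISCO_VSA)]:
        print(name, check_accounting_start(pkt))
```

A packet flagged with meets_conditions on a release earlier than 12.4(22)MDA4 is a candidate for the fastblk leak described above, provided RADIUS correlation is also configured.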

CSCth13275—CSG2 is printing content out of service in progress although inservice

When a CSG2 content is inservice with a large number of sessions, and the inservice command is entered again, the CSG2 incorrectly displays the following message:

SAMI 1/3: 000113: Jun 3 00:33:02: %CSG-4-CFG_ERROR:
% Cannot bring content INT-IC-HTTP1 inservice, content out of service in progress -Process= "CSG BGCFG", ipl= 1, pid= 156

CSCth23631—FTP CDR Error: NewLine char in UserName, FileString and FTPCommand TLVs

The CDRs for Layer 7 FTP parsing include a NewLine character (0d 0a) after UserName, FileString, and FTPCommand TLVs.

CSCth43275—CSG2 R5 Gx Preload: Service not updated when billing basis is changed

When attempting to update an existing preloaded service with a change to basis seconds connect, the service might fail to preload.

CSCth56243—Bad string length in csg_kut_show_user_gx_rule

In a CSG2 Gx environment in which there are more than 20 flow descriptions as part of a single Gx rule, the show ip users detail command might show a traceback and truncate the output.

CSCth61006—CSG2: %IPC-0-CFG_DOWNLOAD_ERROR seen upon reboot

After a reload, the CSG2 might log an IPC-0-CFG_DOWNLOAD_ERROR message, and the CSG2 might block user traffic. This problem can occur if more than 16 ip csg user profile or ip csg select commands are configured.

Cisco SAMI Software for Cisco IOS Release 12.4(22)MDA4 - Open Caveats

The following list identifies Open caveats in the Cisco SAMI software that impact the CSG2 software for Cisco IOS Release 12.4(22)MDA4.

CSCsj81608—The show cdp command fails

The show cdp entry * command output is empty.

Workaround: None.

CSCsm31641—Port 10000 needs to be reserved for WISM card

The remote console and logging (RCaL) feature on the CSG2 image might not work if the Supervisor Engine's logging listen port and the Power PC's (PPC's) logging main-cpu port are both configured as port 10000.

Workaround: Use the default port 4000 for RCAL, or any port other than 10000.

Cisco SAMI Software for Cisco IOS Release 12.4(22)MDA4 - Closed Caveats

The following list identifies the Closed caveats in the Cisco SAMI software that impact the CSG2 software for Cisco IOS Release 12.4(22)MDA4:

CSCtg50821—Crashed in crashdump

When the CSG2 crashes, the crash information file might be empty, or it might contain files with little or no content.

Cisco Product Security Incident Response Team (PSIRT) - Closed Caveats

The following list identifies Cisco PSIRT closed caveats that impact Cisco IOS Release 12.4(22)MDA4:

CSCta20040

Multiple vulnerabilities exist in the Session Initiation Protocol (SIP) implementation in Cisco IOS Software that could allow an unauthenticated, remote attacker to cause a reload of an affected device when SIP operation is enabled.

Cisco has released free software updates that address these vulnerabilities. There are no workarounds for devices that must run SIP; however, mitigations are available to limit exposure to the vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100922-sip.shtml.

Note: The September 22, 2010, Cisco IOS Software Security Advisory bundled publication includes six Cisco Security Advisories. Five of the advisories address vulnerabilities in Cisco IOS Software, and one advisory addresses vulnerabilities in Cisco Unified Communications Manager. Each advisory lists the releases that correct the vulnerability or vulnerabilities detailed in the advisory. The table at the following URL lists releases that correct all Cisco IOS Software vulnerabilities that have been published on September 22, 2010, or earlier:

http://www.cisco.com/warp/public/707/cisco-sa-20100922-bundle.shtml

Individual publication links are in "Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication" at the following link:

http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep10.html

Cisco Unified Communications Manager (CUCM) is affected by the vulnerabilities described in this advisory. The following Cisco Security Advisory has been published to disclose the vulnerabilities that affect the Cisco Unified Communications Manager at the following location:

http://www.cisco.com/warp/public/707/cisco-sa-20090826-cucm.shtml

CSCte14603

A vulnerability in the Internet Group Management Protocol (IGMP) version 3 implementation of Cisco IOS Software and Cisco IOS XE Software allows a remote unauthenticated attacker to cause a reload of an affected device. Repeated attempts to exploit this vulnerability could result in a sustained denial of service (DoS) condition. Cisco has released free software updates that address this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100922-igmp.shtml.

Note: The September 22, 2010, Cisco IOS Software Security Advisory bundled publication includes six Cisco Security Advisories. Five of the advisories address vulnerabilities in Cisco IOS Software, and one advisory addresses vulnerabilities in Cisco Unified Communications Manager. Each advisory lists the releases that correct the vulnerability or vulnerabilities detailed in the advisory. The table at the following URL lists releases that correct all Cisco IOS Software vulnerabilities that have been published on September 22, 2010, or earlier:

http://www.cisco.com/warp/public/707/cisco-sa-20100922-bundle.shtml

Individual publication links are in "Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication" at the following link:

http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep10.html

CSCtf17624

The Cisco IOS Software Network Address Translation functionality contains three denial of service (DoS) vulnerabilities. The first vulnerability is in the translation of Session Initiation Protocol (SIP) packets, the second vulnerability is in the translation of H.323 packets, and the third vulnerability is in the translation of H.225.0 call signaling for H.323 packets.

Cisco has released free software updates that address these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100922-nat.shtml.

Note: The September 22, 2010, Cisco IOS Software Security Advisory bundled publication includes six Cisco Security Advisories. Five of the advisories address vulnerabilities in Cisco IOS Software, and one advisory addresses vulnerabilities in Cisco Unified Communications Manager. Each advisory lists the releases that correct the vulnerability or vulnerabilities detailed in the advisory. The table at the following URL lists releases that correct all Cisco IOS Software vulnerabilities that have been published on September 22, 2010, or earlier:

http://www.cisco.com/warp/public/707/cisco-sa-20100922-bundle.shtml

Individual publication links are in "Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication" at the following link:

http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep10.html

CSCtf91428

The Cisco IOS Software Network Address Translation functionality contains three denial of service (DoS) vulnerabilities. The first vulnerability is in the translation of Session Initiation Protocol (SIP) packets, the second vulnerability is in the translation of H.323 packets, and the third vulnerability is in the translation of H.225.0 call signaling for H.323 packets.

Cisco has released free software updates that address these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100922-nat.shtml.

Note: The September 22, 2010, Cisco IOS Software Security Advisory bundled publication includes six Cisco Security Advisories. Five of the advisories address vulnerabilities in Cisco IOS Software, and one advisory addresses vulnerabilities in Cisco Unified Communications Manager. Each advisory lists the releases that correct the vulnerability or vulnerabilities detailed in the advisory. The table at the following URL lists releases that correct all Cisco IOS Software vulnerabilities that have been published on September 22, 2010, or earlier:

http://www.cisco.com/warp/public/707/cisco-sa-20100922-bundle.shtml

Individual publication links are in "Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication" at the following link:

http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep10.html

CSCtg21685

Cisco IOS Software contains a vulnerability when the Cisco IOS SSL VPN feature is configured with an HTTP redirect. Exploitation could allow a remote, unauthenticated user to cause a memory leak on the affected devices, which could result in a memory exhaustion condition that may cause device reloads, the inability to service new TCP connections, and other denial of service (DoS) conditions.

Cisco has released free software updates that address this vulnerability. There is a workaround to mitigate this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100922-sslvpn.shtml.

Note: The September 22, 2010, Cisco IOS Software Security Advisory bundled publication includes six Cisco Security Advisories. Five of the advisories address vulnerabilities in Cisco IOS Software, and one advisory addresses vulnerabilities in Cisco Unified Communications Manager. Each advisory lists the releases that correct the vulnerability or vulnerabilities detailed in the advisory. The table at the following URL lists releases that correct all Cisco IOS Software vulnerabilities that have been published on September 22, 2010, or earlier:

http://www.cisco.com/warp/public/707/cisco-sa-20100922-bundle.shtml

Individual publication links are in "Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication" at the following link:

http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep10.html

Caveats for Cisco IOS Release 12.4(22)MDA3

This section lists and describes all caveats, both Open and Closed, that affect the CSG2 or Cisco SAMI software for Cisco IOS Release 12.4(22)MDA3.

CSG2 Software for Cisco IOS Release 12.4(22)MDA3 - Open Caveats

There are no Open caveats in the CSG2 software for Cisco IOS Release 12.4(22)MDA3.

CSG2 Software for Cisco IOS Release 12.4(22)MDA3 - Closed Caveats

The following list identifies Closed caveats in the CSG2 software for Cisco IOS Release 12.4(22)MDA3:

CSCte81938—Spurious accesses

One or more spurious accesses might be seen on the CSG2 TPs. The following error messages are generated:

SAMI 7/5: %ALIGN-3-SPURIOUS: Spurious memory access made at 0x4512C1C8 reading 0x3C
SAMI 7/5: %ALIGN-3-TRACE: -Traceback= 0x4512C1C8 0x4512DC4C 0x4512F540 0x450E5700 0x450E60BC 0x44514F04 0x44515110 0x44F95098

For this problem to occur, the following conditions must all be true:

There must be one or more HTTP sessions parsed at layer 7 (that is, sessions that match a CSG2 content configured with parse protocol http).

The CSG2 must be configured as part of a High Availability (HA) redundancy pair.

An HA switchover must occur, causing the standby CSG2 to become the active CSG2.

The HTTP sessions must survive the switchover. That is, the first packet for the session must arrive well before the switchover, and the last packet for the session must arrive well after the switchover.

The data for the HTTP sessions must arrive as IP fragments on the new active CSG2.

CSCte97026—RADIUS AVPs of some subscribers missing from CDRs

If a subscriber is created and replicated from an active CSG2 R3.0 to a standby CSG2 R3.5, the RADIUS AVPs for that subscriber might not be included in its CDRs.

CSCtf00838—The aaa group server diameter command causes the configuration to not propagate to TPs

If you add the aaa group server diameter command to an existing large CSG2 configuration, the configuration might not propagate to the TPs after a reboot.

CSCtf36840—Buffer overrun during attribute parsing of SIP packet

The CSG2 might crash when parsing SIP headers longer than 256 characters.

CSCtf51779—CSG2 fails to bring content in service due to REGEX error

The CSG2 might fail to bring a content in service due to the following REGEX error:

REGEX: regexp length <n>, bigger than allowed maximum length 128

CSCtf55741—The CSG2 might not return recently-granted quota in a quota return

After an upgrade to CSG2 Release 3.5, the CSG2 might use more quota than is allowed.

CSCtg00838—CSG2 reload at rgx_is_epsilon

While parsing an HTTP header, the SAMI might reload.

CSCtg01115—L4Flow "NetworkInit" flag not set correctly in intermediate UDP stat CDR

For a network-initiated UDP flow that is part of an RTSP session, the L4Flow "Network Initiated" flag is set correctly in the final "UDP Stats" CDR, but not in any "Intermediate UDP Stats" CDRs. In the "Intermediate UDP Stats" CDR, the flag is always set to zero, even if the flow is network-initiated.

Cisco SAMI Software for Cisco IOS Release 12.4(22)MDA3 - Open Caveats

The following list identifies Open caveats in the Cisco SAMI software that impact the CSG2 software for Cisco IOS Release 12.4(22)MDA3.

CSCsj81608—The show cdp command fails

The show cdp entry * command output is empty.

Workaround: None.

CSCsm31641—Port 10000 needs to be reserved for WISM card

The remote console and logging (RCaL) feature on the CSG2 image might not work if the Supervisor Engine's logging listen port and the Power PC's (PPC's) logging main-cpu port are both configured as port 10000.

Workaround: Use the default port 4000 for RCAL, or any port other than 10000.

Cisco SAMI Software for Cisco IOS Release 12.4(22)MDA3 - Closed Caveats

The following list identifies the Closed caveats in the Cisco SAMI software that impact the CSG2 software for Cisco IOS Release 12.4(22)MDA3:

CSCsz42882—File systems not cleaned up when iSCSI link goes down

With iSCSI link flaps, stale file systems remain in the system. Once the stale file descriptors reach the maximum supported limit, new file systems cannot be created and the iSCSI link fails to come up.

CSCta44366—iSCSI Connection not getting initiated from CSG2

If the CSG2 is rebooted, and none of the configuration starts with ip csg, entering the ip csg iscsi profile command after the reboot does not initiate an iSCSI connection.

Caveats for Cisco IOS Release 12.4(22)MDA2

This section lists and describes all caveats, both Open and Closed, that affect the CSG2 or Cisco SAMI software for Cisco IOS Release 12.4(22)MDA2.

CSG2 Software for Cisco IOS Release 12.4(22)MDA2 - Open Caveats

There are no Open caveats in the CSG2 software for Cisco IOS Release 12.4(22)MDA2.

CSG2 Software for Cisco IOS Release 12.4(22)MDA2 - Closed Caveats

The following list identifies Closed caveats in the CSG2 software for Cisco IOS Release 12.4(22)MDA2:

CSCta44366—iSCSI connection not getting initiated from CSG2

If the CSG2 is rebooted and the configuration does not begin with any of the ip csg commands, then after the reboot the iSCSI connection from the CSG2 is not initiated, even if the ip csg iscsi profile command is configured.

CSCtb04085—CSG 2 traceback - Bad refcount

The CSG2 might generate the following error message when it tries to send an HTTP redirect packet:

%SYS-2-BADSHARE: Bad refcount <function name>

CSCtb07467—Gx: User Prof Req not sent to obtain billing plan in case of PCRF failure

If pcrf failure continue is configured for a CSG2 profile, and the Diameter connection to the PCRF is down, or a protocol-related error is returned in a CCA-I from the PCRF, then the user profile request for a Gx user is not sent until traffic begins to flow.

CSCtb70452—CSG2: Continue TLV correlator might not be unique

If the CSG2 generates a Continue CDR because the data does not fit in a single IP packet, and the correlator value in the Continue TLV is not unique for the CSG2, the BMA or quota server might associate data from the Continue CDR with an incorrect BMA or quota server record.

CSCtc21701—Stale VTY session issue

Under certain conditions, a stale VTY could be created in the CSG2 which can be detected using the output of the show ip csg users command.

CSCtc76186—TCP sessions not closed to the server side

When both of the TCP peers decide to close a session, each peer must send its own FIN/ACK and then also ACK the FIN/ACK of the peer. The CSG2 appears to close the session before the last ACK exchange:

Instead of forwarding the last ACK from the client to the server, it sends an RST to the client.

Instead of forwarding the last ACK from the server to the client, it silently discards the last ACK.

After a while, the server side might run out of sockets.

CSCtc82023—CSG2: Final qualified usage not correctly reported in service-level CDRs

If service duration billing is enabled on the CSG2, BMA billing records might not accurately reflect the usage information sent in the final quota server update.

CSCtd02296—CSG2: A quota server-specified billing plan should not override a PCRF-specified billing plan

If the CSG2 requests a billing plan from the quota server, while the PCRF specifies a billing plan in a CCA-U or RAR message (that is, after the initial CCA-I), the user billing plan might be different from the plan specified by the PCRF via Gx. This problem can also occur if a billing plan is sent in a RADIUS Accounting Interim Update.

CSCtd26609—R4: The standby CSG2 reloads running Gx users

If sessions have been created for traffic hitting rules for Gx users, and, while the sessions are still open, you remove the rules from the Gx users, or remove the Gx users, the standby CSG2 reboots.

CSCtd32600—RADIUS Accounting Start dropped

When the CSG2 is configured as a RADIUS proxy, it might not forward some RADIUS Accounting Start packets from the GGSN to the RADIUS server. The CSG2 drops the sessions due to a lack of response from the RADIUS server.

CSCtd67896—CSG2: A Gx Service Status Update without QoS should not remove QoS

The service QoS might not match the PCRF-specified QoS.

For this problem to occur, all of the following conditions must be met:

The PCRF must send a Service-Status AVP with Cisco-QoS AVP.

The PCRF must update the Service-Status AVP without Cisco-QoS AVP.

The CSG2 must create a service instance with the same name as the Service Name specified in the Service-Status AVP.

CSCte72972—CSG2: Only 4096 service rules allocated

If more than 4096 service rule objects are configured, subscriber traffic can pass through the CSG2 without being charged to a service. (A service rule is consumed for each content/policy pair in a service that is specified in a billing plan.)

CSCte79276—CSG2 CCR-I prepaid-request-number not zero

The CSG2 sporadically sends a CCR-I message with a CC-Request-Number AVP that is not set to zero. A PCRF implementation that expects a zero value will reject or ignore the non-zero CCR-I, resulting in a subscriber connection failure.

Cisco SAMI Software for Cisco IOS Release 12.4(22)MDA2 - Open Caveats

The following list identifies Open caveats in the Cisco SAMI software that impact the CSG2 software for Cisco IOS Release 12.4(22)MDA2.

CSCsj81608—The show cdp command fails

The show cdp entry * command output is empty.

Workaround: None.

CSCsm31641—Port 10000 needs to be reserved for WISM card

The remote console and logging (RCaL) feature on the CSG2 image might not work if the Supervisor Engine's logging listen port and the Power PC's (PPC's) logging main-cpu port are both configured as port 10000.

Workaround: Use the default port 4000 for RCAL, or any port other than 10000.

Cisco SAMI Software for Cisco IOS Release 12.4(22)MDA2 - Closed Caveats

The following list identifies the Closed caveats in the Cisco SAMI software that impact the CSG2 software for Cisco IOS Release 12.4(22)MDA2:

CSCsy65876—The show tech output is empty when debug information is written by the Cisco SAMI

Some debug information, such as the output from show tech and show sami config-mode commands, is missing from the debug information files in some or all of the PPCs of the Cisco SAMI that are generated prior to a reload, following a critical error. This problem can occur when there is no active physical console connected to the PPC.

CSCtb83004—The input queue drops increments every 7-to-10 seconds on GigabitEthernet 0/0 with minimal traffic

When unknown Layer 2 packets reach the Home Agent, the input queue drops counter in the show interface GigabitEthernet 0/0 output might increment even with minimal traffic. This problem does not impact any data traffic from the mobile nodes.

Cisco Product Security Incident Response Team (PSIRT) - Closed Caveats

The following list identifies Cisco PSIRT closed caveats that impact Cisco IOS Release 12.4(22)MDA2:

CSCsy09250

Skinny Client Control Protocol (SCCP) crafted messages may cause a Cisco IOS device that is configured with the Network Address Translation (NAT) SCCP Fragmentation Support feature to reload.

Cisco has released free software updates that address this vulnerability. A workaround that mitigates this vulnerability is available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100324-sccp.shtml.

CSCsz45567

A device running Cisco IOS Software, Cisco IOS XE Software, or Cisco IOS XR Software is vulnerable to a remote denial of service condition if it is configured for Multiprotocol Label Switching (MPLS) and has support for Label Distribution Protocol (LDP).

A crafted LDP UDP packet can cause an affected device running Cisco IOS Software or Cisco IOS XE Software to reload. On devices running affected versions of Cisco IOS XR Software, such packets can cause the device to restart the mpls_ldp process.

A system is vulnerable if configured with either LDP or Tag Distribution Protocol (TDP).

Cisco has released free software updates that address this vulnerability.

Workarounds that mitigate this vulnerability are available.

This advisory is posted at:

http://www.cisco.com/warp/public/707/cisco-sa-20100324-ldp.shtml

CSCsz48614

Devices running Cisco IOS Software and configured for Cisco Unified Communications Manager Express (CME) or Cisco Unified Survivable Remote Site Telephony (SRST) operation are affected by two denial of service vulnerabilities that may result in a device reload if successfully exploited. The vulnerabilities are triggered when the Cisco IOS device processes specific, malformed Skinny Call Control Protocol (SCCP) messages.

Cisco has released free software updates that address these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100324-cucme.shtml.

CSCsz48680

Multiple vulnerabilities exist in the Session Initiation Protocol (SIP) implementation in Cisco IOS Software that could allow an unauthenticated, remote attacker to cause a reload of an affected device when SIP operation is enabled. Remote code execution may also be possible.

Cisco has released free software updates that address these vulnerabilities. For devices that must run SIP there are no workarounds; however, mitigations are available to limit exposure of the vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100324-sip.shtml.

CSCsz49741

Devices running Cisco IOS Software and configured for Cisco Unified Communications Manager Express (CME) or Cisco Unified Survivable Remote Site Telephony (SRST) operation are affected by two denial of service vulnerabilities that may result in a device reload if successfully exploited. The vulnerabilities are triggered when the Cisco IOS device processes specific, malformed Skinny Call Control Protocol (SCCP) messages.

Cisco has released free software updates that address these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100324-cucme.shtml.

CSCsz75186

Cisco IOS Software is affected by a denial of service vulnerability that may allow a remote unauthenticated attacker to cause an affected device to reload or hang. The vulnerability may be triggered by a TCP segment containing crafted TCP options that is received during the TCP session establishment phase. In addition to specific, crafted TCP options, the device must have a special configuration to be affected by this vulnerability.

Cisco has released free software updates that address this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100324-tcp.shtml.

CSCsz89904

Multiple vulnerabilities exist in the Session Initiation Protocol (SIP) implementation in Cisco IOS Software that could allow an unauthenticated, remote attacker to cause a reload of an affected device when SIP operation is enabled. Remote code execution may also be possible.

Cisco has released free software updates that address these vulnerabilities. For devices that must run SIP there are no workarounds; however, mitigations are available to limit exposure of the vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100324-sip.shtml.

CSCta19962

The H.323 implementation in Cisco IOS Software contains two vulnerabilities that may be exploited remotely to cause a denial of service (DoS) condition on a device that is running a vulnerable version of Cisco IOS Software.

Cisco has released free software updates that address these vulnerabilities. There are no workarounds to mitigate these vulnerabilities other than disabling H.323 on the vulnerable device if H.323 is not required.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100324-h323.shtml.

CSCtb93855

The H.323 implementation in Cisco IOS Software contains two vulnerabilities that may be exploited remotely to cause a denial of service (DoS) condition on a device that is running a vulnerable version of Cisco IOS Software.

Cisco has released free software updates that address these vulnerabilities. There are no workarounds to mitigate these vulnerabilities other than disabling H.323 on the vulnerable device if H.323 is not required.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100324-h323.shtml.

Caveats for Cisco IOS Release 12.4(22)MDA1

This section lists and describes all caveats, both Open and Closed, that affect the CSG2 or Cisco SAMI software for Cisco IOS Release 12.4(22)MDA1.

CSG2 Software for Cisco IOS Release 12.4(22)MDA1 - Open Caveats

The following list identifies Open caveats in the CSG2 software for Cisco IOS Release 12.4(22)MDA1:

CSCta44366—iSCSI connection not getting initiated from CSG2

If the CSG2 is rebooted and the configuration does not begin with any of the ip csg commands, then after the reboot the iSCSI connection from the CSG2 is not initiated, even if the ip csg iscsi profile command is configured.

Workaround: Before rebooting the CSG2, configure any of the ip csg commands and save the configuration.

CSCtb04085—CSG 2 traceback - Bad refcount

The CSG2 might generate the following error message when it tries to send an HTTP redirect packet:

%SYS-2-BADSHARE: Bad refcount <function name>

Workaround: None.

CSCtb70452—CSG2: Continue TLV correlator might not be unique

If the CSG2 generates a Continue CDR because the data does not fit in a single IP packet, and the correlator value in the Continue TLV is not unique for the CSG2, the BMA or quota server might associate data from the Continue CDR with an incorrect BMA or quota server record.

Workaround: There is no guaranteed workaround. The CSG2 typically sends Continue CDRs due to reporting of a large number of RADIUS attributes or protocol headers. If you can modify your configuration to report fewer attributes and protocol headers, that might reduce or eliminate the sending of Continue CDRs by the CSG2.

CSG2 Software for Cisco IOS Release 12.4(22)MDA1 - Closed Caveats

The following list identifies Closed caveats in the CSG2 software for Cisco IOS Release 12.4(22)MDA1:

CSCsj17103—CSG2: Timestamps in Service Stop Notify not consistent

The CSG2 might generate a CDR with a Connection timestamp that is one second earlier than the Service-Start timestamp.

CSCsx83748—The pcrf failure continue command has the same effect as pcrf failure terminate command when PCRF is down

Even if the PCRF is down, the pcrf failure continue command should allow users to be created. However, if the PCRF is down, the pcrf failure continue command does not work, and users cannot be created.

CSCsz92620—R3.5: allocation failures for quota server token and QoS profile fastblk

When there is high traffic load on the CSG2, the output from the show fastblk command might indicate that the quota server and QoS memory pools experienced allocation failures. Some user sessions might be denied.

CSCta06896—CSG2 R3.5 Gx: Incorrect error code when removing static object in preload

If the PCRF attempts to install or remove an object on the CSG2 which has already been configured, the CSG2 rejects the attempt but returns the wrong error code to the PCRF.

CSCta07579—R3.5 Traceback clearing user running WAP traffic

During Layer 7 WAP inspection, a KUT_CLEANUP_ERROR traceback is dumped to the console when the CSG2 attempts to remove a WAP user from the User Table. The user is not removed from the User Table.

CSCta12428—Gx: CCR-U not generated when volume threshold reached

When user traffic is forwarded during the time the CSG2 is waiting for a CCA-U in response to a CCR-U, sent after reaching the volume threshold, the CSG2 might not send a CCR-U (for volume threshold reached) and might not account for all traffic in a CCR-F (volume usage).

CSCta18278—CSG2 R3.5: Service is set to prepaid by default for postpaid billing plan

Services under a postpaid billing plan are set to prepaid mode if the Online Billing AVP is not sent by the PCRF.

CSCta18470—Gx: CSG2 returns result-code 2001 for CLI content object not inservice

If a preload service object references a content or policy that is configured on the CSG2 via the CLI, the preload object fails to install. However, the error code that the CSG2 returns to the PCRF does not explicitly indicate the cause of the failure.

CSCta19594—Gx: Replicate session for content not set unless delay specified

The replicate session flag is not set for a content which is sent from the PCRF via preload. This problem can occur if the PCRF does not send the replicate-session-delay AVP along with the replicate-session AVP. That is, the PCRF must send the replicate-session-delay AVP along with the replicate-session AVP for this flag to be set.

CSCta21064—CSG2: HTTP might reserve and not charge or cancel reserved quota

If an HTTP packet consists of retransmitted bytes of a previous transaction, and new bytes of a new transaction, a service's "reserved", as displayed in the output of the show ip csg user all detail command, might keep incrementing.

CSCta27609—[CSG2-R3.5] CSG2 crash while sending segmented MMS URL for WAP

The CSG2 crashes while sending a segmented MMS URL for WAP.

For this problem to occur, all of the following conditions must be met:

You must configure a policy, content, and service for WAP.

You must initiate a WAP session from the client side with a segmented MMS URL.

You must configure a server to receive the packets.

CSCta28453—Gx: The "interval time" displayed in the output for the show user detail command is a very large number

If the timer trigger for a Gx rule is disarmed and then rearmed throughout the installation of a single Gx rule, and a CSG2 failover occurs, then the "interval time" displayed in a Gx rule for a user is not accurate on the backup CSG2.

CSCta37804—CSG2 R3.5: No CCR-F sent when clear ip csg user all is configured on the new active CSG2

After a CSG2 failover, the new active CSG2 might delay sending the CCR-F when removing replicated Gx users.

CSCta39130—Byte reporting in resize TCP with RETX for multiple transactions

When a retransmitted packet has multiple transactions, the reported IP bytes for each transaction in that packet are incorrect.

CSCta70187—Content inactive until recreated; cannot bring content WAP-WAP2 inservice

If a change is made on the standby CSG2, and a content is taken out of service, the CSG2 might not be able to bring the content back inservice. The following error message is generated:

% Cannot bring content <*> inservice, content out of service in progress

CSCta87311—CSG2: Diameter Gx Session-Id might not be unique

A CSG2 Gx subscriber might not be allowed access to the network. This problem might occur when multiple GGSNs are using the same CSG2, and the GGSNs send the same value for the 3GPP-Charging-Id for different subscribers.

CSCta97199—Unexpected repetitions of service reauthorizations

When the CSG2 is performing RADIUS reauthorization and time-based billing at the same time, the CSG2 might repeat RADIUS service reauthorizations.

CSCtb23799—Gx: Attributes not reinitialized during service reinstall via preload

When modifying an existing configured object, such as a service, a service parameter is not reset to the default value when not specifically defined in a PUSH message from the PCRF.

CSCtb31700—CSG2 R3: Transaction refund not accurate with tariff switch

When a tariff switch occurs for an open transaction, and the transaction also qualifies for refunding, a refund TLV is reported in a transaction CDR with 0 bytes refunded. However, the transaction reports that IP packets/bytes were passed.

CSCtb37734—Potential access to a freed pointer

The CSG2 might crash when removing a configured content.

CSCtb52211—Per-user QoS not applied with user-default billing plan

When a user is assigned a billing plan via the default billing plan option, the QoS profile configured under that billing plan is not applied to the user.

CSCtb55974—Cannot configure TACACS on CSG2 12.4(22)MDA - %PARSER-6-EXPOSEDLOCKRELEA

When trying to configure TACACS on the CSG2, the following message is displayed:

SAMI 1/3: Aug 15 03:07:35 AEST: %SYS-5-CONFIG_I: Configured from console by cisco on vty1 (10.176.6.144)
SAMI 1/3: Aug 15 03:07:35 AEST: %PARSER-6-EXPOSEDLOCKRELEASED: Exclusive configuration lock released from terminal '0' -Process= "CSG config rollback", ipl= 0, pid= 125

The configuration is removed when exiting configuration mode.

CSCtb71637—%CSG-3-KUT_CLEANUP_ERROR on CSG2

The CSG2 generates the following error messages continuously:

SAMI 1/8: Aug 30 14:05:33 AEST: %CSG-3-KUT_CLEANUP_ERROR: OPENMOBILEWEB, ip= 10.227.179.191, uid= 61425166227, (1/48/2822/9217), -Traceback= 0x4428BB68 0x45145678 0x451475CC 0x4514A2D0 0x4514A5D8 0x4513B158 0x450FBF6C 0x4524E69C 0x44F76AE8 0x44F948FC 0x44F97558 0x4507D9EC 0x44F624AC 0x44F624AC 0x4507DAA8 0x45081C10
SAMI 1/8: Aug 30 14:08:00 AEST: %CSG-3-KUT_CLEANUP_ERROR: OPENMOBILEWEB, ip= 10.228.102.132, uid= 61425170578, (1/48/2054/9217), -Traceback= 0x4428BB68 0x45145678 0x451475CC 0x4514A2D0 0x4514A5D8 0x4513B158 0x450FBF6C 0x4524E69C 0x44F76AE8 0x44F948FC 0x44F97558 0x4507D9EC 0x44F624AC 0x44F624AC 0x4507DAA8 0x44E6AEC4

CSCtb80937—No Service Stop sent if Service Auth Resp does not contain Quadrans TLV

If the Service Authorization Response has only the DROP action code but not the Quadrans TLV, and a subscriber is not authorized to use a service, the CSG does not send out a Service Stop.

Cisco SAMI Software for Cisco IOS Release 12.4(22)MDA1 - Open Caveats

The following list identifies Open caveats in the Cisco SAMI software that impact the CSG2 software for Cisco IOS Release 12.4(22)MDA1.

CSCsj81608—The show cdp command fails

The show cdp entry * command output is empty.

Workaround: None.

CSCsm31641—Port 10000 needs to be reserved for WISM card

The remote console and logging (RCaL) feature on the CSG2 image might not work if the Supervisor Engine's logging listen port and the Power PC's (PPC's) logging main-cpu port are both configured as port 10000.

Workaround: Use the default port 4000 for RCaL, or any port other than 10000.

Cisco SAMI Software for Cisco IOS Release 12.4(22)MDA1 - Closed Caveats

The following list identifies the Closed caveats in the Cisco SAMI software that impact the CSG2 software for Cisco IOS Release 12.4(22)MDA1:

CSCsz86656—Cisco SAMI is not setting the DBUS trust bit to 1

The Cisco SAMI is not setting the DBUS trust bit to 1, which in turn causes the Cisco 7600 Series Router to remark the DSCP of the packets.

Cisco Product Security Incident Response Team (PSIRT) - Closed Caveats

The following list identifies Cisco PSIRT closed caveats that impact Cisco IOS Release 12.4(22)MDA1:

CSCsq24002

Cisco IOS Software contains a vulnerability that could allow an attacker to cause a Cisco IOS device to reload by remotely sending a crafted encryption packet. Cisco has released free software updates that address this vulnerability. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-tls.shtml.

CSCsu50252

A vulnerability exists in Cisco IOS software where an unauthenticated attacker could bypass access control policies when the Object Groups for Access Control Lists (ACLs) feature is used. Cisco has released free software updates that address this vulnerability. There are no workarounds for this vulnerability other than disabling the Object Groups for ACLs feature. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-acl.shtml.

CSCsv48603

A vulnerability exists in Cisco IOS software where an unauthenticated attacker could bypass access control policies when the Object Groups for Access Control Lists (ACLs) feature is used. Cisco has released free software updates that address this vulnerability. There are no workarounds for this vulnerability other than disabling the Object Groups for ACLs feature. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-acl.shtml.

CSCsx70889

Cisco devices running affected versions of Cisco IOS Software are vulnerable to a denial of service (DoS) attack if configured for IP tunnels and Cisco Express Forwarding.

Cisco has released free software updates that address this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-tunnels.shtml.

CSCsy15227

Cisco IOS Software configured with Authentication Proxy for HTTP(S), Web Authentication or the consent feature, contains a vulnerability that may allow an unauthenticated session to bypass the authentication proxy server or bypass the consent webpage.

There are no workarounds that mitigate this vulnerability.

This advisory is posted at the following link:

http://www.cisco.com/warp/public/707/cisco-sa-20090923-auth-proxy.shtml

CSCsy54122

A vulnerability exists in Cisco IOS software where an unauthenticated attacker could bypass access control policies when the Object Groups for Access Control Lists (ACLs) feature is used. Cisco has released free software updates that address this vulnerability. There are no workarounds for this vulnerability other than disabling the Object Groups for ACLs feature. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-acl.shtml.

CSCsz38104

The H.323 implementation in Cisco IOS Software contains a vulnerability that can be exploited remotely to cause a device that is running Cisco IOS Software to reload. Cisco has released free software updates that address this vulnerability. There are no workarounds to mitigate the vulnerability apart from disabling H.323 if the device that is running Cisco IOS Software does not need to run H.323 for VoIP services. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-h323.shtml.

Caveats for Cisco IOS Release 12.4(22)MDA

This section lists and describes all caveats, both Open and Closed, that affect the CSG2 or Cisco SAMI software for Cisco IOS Release 12.4(22)MDA.

CSG2 Software for Cisco IOS Release 12.4(22)MDA - Open Caveats

CSG2 Software for Cisco IOS Release 12.4(22)MDA - Closed Caveats

Cisco SAMI Software for Cisco IOS Release 12.4(22)MDA - Open Caveats

Cisco SAMI Software for Cisco IOS Release 12.4(22)MDA - Closed Caveats

Cisco Product Security Incident Response Team (PSIRT) - Closed Caveats

CSG2 Software for Cisco IOS Release 12.4(22)MDA - Open Caveats

The following list identifies Open caveats in the CSG2 software for Cisco IOS Release 12.4(22)MDA.

CSCsx83748—The pcrf failure continue command has the same effect as pcrf failure terminate command when PCRF is down

Even if the PCRF is down, the pcrf failure continue command should allow users to be created. However, if the PCRF is down, the pcrf failure continue command does not work, and users cannot be created.

Workaround: None.

CSG2 Software for Cisco IOS Release 12.4(22)MDA - Closed Caveats

The following list identifies Closed caveats in the CSG2 software for Cisco IOS Release 12.4(22)MDA:

CSCsq12202—CSG2: Downgraded HTTP traffic should match catchall policy if configured

When the CSG2 detects an HTTP protocol error, such as non-HTTP traffic hitting content that is configured with parse protocol http, it downgrades to Layer 4 inspection. The CSG2 allows all remaining traffic to pass through, and reports the traffic in the Unassigned Bytes TLV.

To be consistent with the CSG1, after downgrading to Layer 4 inspection the CSG2 should match the current transaction to the catchall policy in the content, if there is one configured. If no catchall policy is configured, then the CSG2 should use the block configuration in the content to determine whether to forward or block the traffic.

CSCsu31071—Rollback is broken for some CSG2 maps, policies, and contents

Configuration rollback does not work for CSG2 maps, policies, and contents.

CSCsv23706—CSG2: PoD send too early

The CSG2 might send a Packet of Disconnect (PoD) to a user, even if the user has enough quota.

For this problem to occur, all of the following conditions must be met:

The user must be a prepaid user.

The user must have either a high number of sessions or long-lived sessions.

PoD must be requested by the quota server.

CSCsv60284—R3: The show interface command is very slow when the CSG2 is under stress

The show interface command returns output from all of the TPs and the CP. When the CSG2 is under stress, the command might take up to 2 minutes to display output.

CSCsv60425—R3: Memory allocation failures under stress when routes are configured incorrectly

The CSG2 might experience a memory allocation failure on the I/O memory pool of one of its processors with a %SYS-2-MALLOCFAIL error message.

For this problem to occur, all of the following conditions must be met:

There must be no route to a given subscriber or server network.

There must be no default route.

There must be no next-hop (reverse) configured for the content.

CSCsv66930—CSG2 crash at csg_kut_svc_timeout

The CSG2 might crash when the User Table entry for a subscriber is deleted due to a trigger, such as the receipt of a RADIUS Accounting Stop message.

The crash might also occur if the subscriber is using a prepaid service and the traffic that maps to the service is FTP or HTTP traffic parsed at Layer 7, or any IPv4 traffic parsed at Layer 4.

CSCsv86553—CSG2 R3: Some HTTP traffic failed to count retransmission and extra crlf

A session might reset if the CSG2 is unable to count retransmitted or out-of-order packets. This problem can occur if the CSG2 does not have enough resource to count retransmitted or out-of-order packets, or if malformed packets caused packet counting errors.

CSCsv93751—CSG2: %SYS-2-LINKED: Bad enqueue of 0 in queue

The CSG2 might display the following message in the log:

Bad enqueue of 0 in queue xxxxxx

CSCsv95317—R3: Possible configuration failure when using more than one console

If you use more than one virtual teletype terminal (VTY console) when interacting with the CSG2 (for example, using one VTY to enter show commands and another to enter configuration commands), one of the VTYs might hang and the CSG2 will not allow further configuration commands. The CSG2 issues the following message:

Config failed, CSG being configured by line

You must reboot the CSG2 before continuing.

CSCsv95675—CSG2: Quota is not credited back to the user when the quota server fails and passthrough is configured

Quota which could not be returned to the quota server is not credited back to the user.

For this problem to occur, all of the following conditions must be met:

Passthrough must be configured for the service.

The current quota must have been granted by the quota server with a quota timeout.

The CSG2 must be unable to successfully deliver the Quota Return message to the quota server (due to server failure).

CSCsw18163—CSG2 R3 - Quota Return not carrying 8-byte values

When the CSG2 tries to return a quadrans value that exceeds a maximum long value, the Qualified Quadrans TLV in a Quota Return might truncate the 8-byte quadrans value to the lower 4 bytes.

CSCsw34838—Error in Traffic Received when transmitted over 500 VRF VLANs 6 CPU

If bidirectional traffic is sent over 500 VRF VLANs across 6 CPUs of a Cisco SAMI, the Cisco SAMI might drop some packets, or some of the packets might become corrupted.

CSCsw66339—A maximum-length VRF name might be improperly handled by the CISCO-CONTENT-SERVICES-MIB

If a user configures a 32-character VRF name, and the VRF is used in a user database, BMA, or quota server definition, the CSG2 might experience buffer overflow problems, due to SNMP queries on the CISCO-CONTENT-SERVICES-MIB.

CSCsw68626—Router crashes after executing the no server name command in AAA

When using the no server name command to remove the configured server name from an AAA server group, the 7200 router might crash.

CSCsw74149—I/O memory depleted if a packet has ICMP source and destination IP addresses that are the same as the PPC interface IP address

If a packet has an ICMP source and destination IP address that is the same as the PPC interface IP address, the Cisco SAMI runs out of I/O memory, and the following message appears:

%SYS-2-MALLOCFAIL: Memory allocation of 1708 bytes failed from 0x45407D18, alignment 32

CSCsx18737—The debug ip csg qs detail command might cause the CSG2 to crash when a Quota Push Request is received

The CSG2 might crash when the debug ip csg qs detail command is configured and a nonstandard Quota Push Request message is received.

CSCsx47053—Syslog not generated immediately after User Table size exceeds license limit

When the number of users exceeds the licensed value, configured with the ip csg license warning-enable command in global configuration mode, the first syslog message is generated after five minutes:

SAMI 8/3: *Feb 5 09:17:11.555: %CSG-4-CSG_LICENSE_LIMIT_REMINDER_SYSLOG: KUT limit exceeded the license limit: Number of users accessing network concurrently has exceeded the license limit

CSCsx72588—The ip csg entries user idle duration pod command is required for CSG2 PoD to work

Packet of Disconnect (PoD) can be configured at either the global level or at the billing plan level. Each level should work independently of the other. However, PoD is not working unless the ip csg entries user idle duration pod command is configured in global configuration mode.

CSCsy17587—Memory leak with bad SCTP configuration

If the CSG2 is configured for redundancy with ipc zone, association, and protocol sctp commands, and the SCTP configuration is invalid, the CSG2 might experience a memory leak with the following message:

%CHKPT-3-UNKNOWNMSG: Unknown message received from peer on standby for client (0).

In addition, the output from the show memory command shows a decreasing amount of available I/O memory, and the output from the show buffers command shows an incrementing number of VeryBig buffers allocated on processor 3.

For this problem to occur, the invalid SCTP configuration must be configured with a remote port that is equal to the remote's local port, plus one, as shown in the following sample configuration. In this sample configuration, the local port is 5000 on each side. Therefore, the remote port on each side should also be 5000, but is incorrectly configured as 5001.

Side 1 configuration

ipc zone default
 association 1
  protocol sctp
   local-port 5000
    local-ip <x.x.x.x>
   remote-port 5001
    remote-ip <y.y.y.y>
 
   

Side 2 configuration

ipc zone default
 association 1
  no shutdown
  protocol sctp
   local-port 5000
    local-ip <y.y.y.y>
   remote-port 5001
    remote-ip <x.x.x.x>
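
The mismatch described for CSCsy17587 can be caught before deployment by cross-checking both sides' ipc zone stanzas. The following is an added example, not part of the original release notes and not Cisco code; the function names are hypothetical, and the sample addresses are constructed documentation-range placeholders standing in for <x.x.x.x> and <y.y.y.y>.

```python
"""Cross-check the SCTP ports of a redundant pair's 'ipc zone default' stanzas."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the page's two sample configurations, with
# documentation addresses (192.0.2.0/24) in place of <x.x.x.x> and <y.y.y.y>.
SIDE1_BAD = """\
ipc zone default
 association 1
  protocol sctp
   local-port 5000
    local-ip 192.0.2.1
   remote-port 5001
    remote-ip 192.0.2.2
"""
SIDE2_BAD = """\
ipc zone default
 association 1
  no shutdown
  protocol sctp
   local-port 5000
    local-ip 192.0.2.2
   remote-port 5001
    remote-ip 192.0.2.1
"""


@dataclass
class SctpAssociation:
    assoc_id: int
    local_port: Optional[int] = None
    local_ip: Optional[str] = None
    remote_port: Optional[int] = None
    remote_ip: Optional[str] = None


def parse_ipc_associations(config: str) -> Dict[int, SctpAssociation]:
    """Return the associations found under 'ipc zone default', keyed by id."""
    assocs: Dict[int, SctpAssociation] = {}
    in_zone = False
    current: Optional[SctpAssociation] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():
            # An unindented line starts a new top-level stanza.
            in_zone = line == "ipc zone default"
            current = None
            continue
        if not in_zone:
            continue
        m = re.fullmatch(r"association (\d+)", line)
        if m:
            assoc_id = int(m.group(1))
            current = assocs.setdefault(assoc_id, SctpAssociation(assoc_id))
            continue
        m = re.fullmatch(r"(local|remote)-(port|ip) (\S+)", line)
        if m and current is not None:
            side, kind, value = m.groups()
            setattr(current, f"{side}_{kind}",
                    int(value) if kind == "port" else value)
    return assocs


def check_pair(side1: str, side2: str) -> List[str]:
    """Compare each side's remote-port/remote-ip with the peer's local values."""
    a, b = parse_ipc_associations(side1), parse_ipc_associations(side2)
    findings: List[str] = []
    for assoc_id in sorted(set(a) | set(b)):
        if assoc_id not in a or assoc_id not in b:
            findings.append(f"association {assoc_id}: defined on only one side")
            continue
        pairs = (("side 1", a[assoc_id], b[assoc_id]),
                 ("side 2", b[assoc_id], a[assoc_id]))
        for name, near, far in pairs:
            if near.remote_port is None or far.local_port is None:
                findings.append(
                    f"association {assoc_id}, {name}: SCTP port not configured")
            elif near.remote_port != far.local_port:
                hint = ""
                if near.remote_port == far.local_port + 1:
                    hint = " (off by one, the pattern described for CSCsy17587)"
                findings.append(
                    f"association {assoc_id}, {name}: remote-port "
                    f"{near.remote_port} != peer local-port {far.local_port}{hint}")
            if near.remote_ip != far.local_ip:
                findings.append(
                    f"association {assoc_id}, {name}: remote-ip "
                    f"{near.remote_ip} != peer local-ip {far.local_ip}")
    return findings


if __name__ == "__main__":
    for finding in check_pair(SIDE1_BAD, SIDE2_BAD) or ["no mismatches found"]:
        print(finding)
```
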
 
   

CSCsy20141—Memory leak when a content with policy in service using attribute maps

The CSG2 might experience a slow memory leak when adding attribute map matches.

CSCsy48289—The powered-off standby CSG2 is not picking up the QoS profile from the active CSG2

A per-user QoS signaled from the quota server might not be replicated from the active CSG2 to the standby CSG2. If a failover occurs, traffic for that subscriber is either not subject to any QoS or is subject to the configured QoS, if any.

For this problem to occur, all of the following conditions must be met:

The QoS must be associated with the subscriber, not with a specific service.

The QoS must be signaled from the quota server, not configured.

The QoS must be present on the active CSG2 before the standby CSG2 boots up.

CSCsy57824—WAP 1.x AoC URL redirect fails with meter exclude mms wap

With the meter exclude mms wap command configured and AoC enabled on a service, when a subscriber tries to browse with WAP 1.x, the CSG2 consults the quota server with a content authorization request, and the quota server responds with a content authorization response with the action of redirect and the URL to be redirected to. The page does not load on the subscriber's cell phone.

CSCsy57839—CSG2: RADIUS debug can cause traceback and card reloading

If the CSG2 is configured for RADIUS endpoint or RADIUS proxy, and the debug ip csg radius command is entered, the CSG2 might reload.

CSCsy57924—CSG2: Memory leak when removing RADIUS VSA configuration

If a large number of reporting RADIUS VSA subattributes are configured or unconfigured for the CSG2, a large number of messages like the following is generated:

0x4518DEAC 0000000272 0000000001 0000000272 CSG RADIUS VSA

CSCsy73456—The CSG2 might crash after Stack for process CSG BGCFG running low

The CSG2 might crash with the following messages in the crash information file:

SAMI 4/3: Mar 25 13:58:30.665 ISR: %SYS-6-STACKLOW: Stack for process CSG BGCFG running low, 0/24000

%Software-forced reload

13:58:30 ISR Wed Mar 25 2009: Unexpected exception to CPU: vector 1500, PC = 0x4504A33C, LR = 0x4504A298

-Traceback= 0x4504A33C 0x4504A298 0x4504F6B4 0x4504F844 0x44E40654 0x450A0FCC 0x4504C384 0x4504FA64

For this problem to occur, all of the following conditions must be met:

A large map must be configured.

The map must contain many match statements, wildcards, and Boolean operators.

The map must be changed and the content put back in service.

CSCsy85405—Crash in HTTP code when the records delay command is configured

The CSG2 might reload under certain conditions.

For this problem to occur, all of the following conditions must be met:

The data flow must match a CSG content configured with policies that require HTTP deep packet inspection (accounting type http).

The user must be a prepaid user.

The records delay command must be configured under the HTTP content.

A retransmitted pipelined request or response packet must result in temporary quota exhaustion and a subsequent service reauthorization request to the quota server.

The transaction must close before the response is received from the quota server.

CSCsy93255—CSG2 traceback when clearing user entries

Under certain RTSP load and stress conditions, some entries remain in the CSG2 User Table. Trying to clear this state results in a traceback.

CSCsz07709—Distributed configuration and output fails after heavy stress

Entering distributed show commands, such as show proc cpu, from a Telnet or Supervisor Engine session into the Cisco SAMI module, while the CSG2 is under heavy stress, might cause the CSG2 to hang and fail at CPU 4.

Attempts to change the configuration result in the following message after exiting configuration mode:

%PARSER-6-EXPOSEDLOCKRELEASED: Exclusive configuration lock released from terminal '0' -Process= "CSG config rollback", ipl= 0, pid= 122

CSCsz42035—CSG2: Quota Server bombarded with reauth requests for free service

For a prepaid subscriber with zero quota using a service with zero weight, the CSG2 might generate multiple reauthorization requests within a few seconds.

CSCsz43573—QoS rate-limit and drops TLV not reported in NBAR CDRs

The CSG2 NBAR CDRs might not report the QoS rate-limit TLV or QoS drop TLV.

For this problem to occur, all of the following conditions must be met:

One or more of the active contents must be configured with the parse protocol nbar command.

The subscriber or service that uses the content must have QoS either configured or signaled.

CSCsz59223—CSG2: Users on the standby CSG2 might be removed even though they are on the active CSG2

In a stateful redundant CSG2 configuration, the standby CSG2 User Table might not contain all of the subscribers that are present in the active CSG2 User Table.

This problem can occur if the standby CSG2 receives a RADIUS Accounting On or Off message from a GGSN, then receives a RADIUS Accounting Start message from the GGSN before completing processing of the RADIUS Accounting On or Off message.

This problem can also occur if the clear ip csg user command is entered.

Cisco SAMI Software for Cisco IOS Release 12.4(22)MDA - Open Caveats

The following list identifies Open caveats in the Cisco SAMI software that impact the CSG2 software for Cisco IOS Release 12.4(22)MDA.

CSCsj81608—The show cdp command fails

The show cdp entry * command output is empty.

Workaround: None.

CSCsm31641—Port 10000 needs to be reserved for WISM card

The remote console and logging (RCaL) feature on the CSG2 image might not work if the Supervisor Engine's logging listen port and the Power PC's (PPC's) logging main-cpu port are both configured as port 10000.

Workaround: Use the default port 4000 for RCaL, or any port other than 10000.

Cisco SAMI Software for Cisco IOS Release 12.4(22)MDA - Closed Caveats

The following list identifies the Closed caveats in the Cisco SAMI software that impact the CSG2 software for Cisco IOS Release 12.4(22)MDA:

CSCsu39672—Sometimes Cisco SAMI LCP reloads while copying bundle to LCP CF during upgrade

The Cisco SAMI blade might reload while upgrading from the Supervisor Engine. The line control processor (LCP) crashes while copying an image to the Cisco SAMI from the Supervisor Engine. This problem can occur when you terminate an upgrade then immediately attempt another upgrade.

CSCsw97850—Cisco SAMI status LED should be orange during shutdown

The Cisco SAMI Status LED remains green during shutdown. It should change to orange during shutdown.

CSCsw78449—A Cisco SAMI processor might crash and console might hang when removing the iSCSI configuration

A Cisco SAMI processor might crash when removing the iSCSI configuration using the no ip iscsi profile command.

Cisco Product Security Incident Response Team (PSIRT) - Closed Caveats

The following list identifies Cisco PSIRT closed caveats that impact Cisco IOS Release 12.4(22)MDA:

CSCsr18691

Cisco IOS devices that are configured with Cisco IOS Zone-Based Policy Firewall Session Initiation Protocol (SIP) inspection are vulnerable to denial of service (DoS) attacks when processing a specific SIP transit packet. Exploitation of the vulnerability could result in a reload of the affected device.

Cisco has released free software updates that address this vulnerability.

Workarounds that mitigate this vulnerability are available within the workarounds section of the posted advisory.

This advisory is posted at the following link:

http://www.cisco.com/warp/public/707/cisco-sa-20090923-ios-fw.shtml

CSCsu24505

Cisco IOS Software with support for Network Time Protocol (NTP) version (v4) contains a vulnerability processing specific NTP packets that will result in a reload of the device. This results in a remote denial of service (DoS) condition on the affected device.

Cisco has released free software updates that address this vulnerability.

Workarounds that mitigate this vulnerability are available and are documented in the workarounds section of the posted advisory.

This advisory is posted at the following link:

http://www.cisco.com/warp/public/707/cisco-sa-20090923-ntp.shtml

CSCsu70214

A vulnerability exists in Cisco IOS software where an unauthenticated attacker could bypass access control policies when the Object Groups for Access Control Lists (ACLs) feature is used. Cisco has released free software updates that address this vulnerability. There are no workarounds for this vulnerability other than disabling the Object Groups for ACLs feature. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-acl.shtml.

CSCsv04836

Multiple Cisco products are affected by denial of service (DoS) vulnerabilities that manipulate the state of Transmission Control Protocol (TCP) connections. By manipulating the state of a TCP connection, an attacker could force the TCP connection to remain in a long-lived state, possibly indefinitely. If enough TCP connections are forced into a long-lived or indefinite state, resources on a system under attack may be consumed, preventing new TCP connections from being accepted. In some cases, a system reboot may be necessary to recover normal system operation. To exploit these vulnerabilities, an attacker must be able to complete a TCP three-way handshake with a vulnerable system.

In addition to these vulnerabilities, Cisco Nexus 5000 devices contain a TCP DoS vulnerability that may result in a system crash. This additional vulnerability was found as a result of testing the TCP state manipulation vulnerabilities.

Cisco has released free software updates for download from the Cisco website that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090908-tcp24.shtml.

CSCsv75948

Cisco IOS Software with support for Network Time Protocol (NTP) version (v4) contains a vulnerability processing specific NTP packets that will result in a reload of the device. This results in a remote denial of service (DoS) condition on the affected device.

Cisco has released free software updates that address this vulnerability.

Workarounds that mitigate this vulnerability are available and are documented in the workarounds section of the posted advisory.

This advisory is posted at the following link:

http://www.cisco.com/warp/public/707/cisco-sa-20090923-ntp.shtml

CSCsw47076

A vulnerability exists in Cisco IOS software where an unauthenticated attacker could bypass access control policies when the Object Groups for Access Control Lists (ACLs) feature is used. Cisco has released free software updates that address this vulnerability. There are no workarounds for this vulnerability other than disabling the Object Groups for ACLs feature. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-acl.shtml.

CSCsx07114

A vulnerability exists in Cisco IOS software where an unauthenticated attacker could bypass access control policies when the Object Groups for Access Control Lists (ACLs) feature is used. Cisco has released free software updates that address this vulnerability. There are no workarounds for this vulnerability other than disabling the Object Groups for ACLs feature. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-acl.shtml.

CSCsx25880

A vulnerability exists in the Session Initiation Protocol (SIP) implementation in Cisco IOS Software that could allow an unauthenticated attacker to cause a denial of service (DoS) condition on an affected device when the Cisco Unified Border Element feature is enabled. Cisco has released free software updates that address this vulnerability. For devices that must run SIP there are no workarounds; however, mitigations are available to limit exposure of the vulnerability. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-sip.shtml.

Documentation and Technical Assistance

This section contains the following information:

Related Documentation

Obtaining Documentation and Submitting a Service Request

Related Documentation

Use these release notes with these documents:

CSG2 Documentation

Release-Specific Documents

Platform-Specific Documents

Cisco IOS Software Documentation Set

CSG2 Documentation

For more detailed installation and configuration information, see the following publication:

Cisco Content Services Gateway - 2nd Generation Release 3.5 Installation and Configuration Guide

Release-Specific Documents

The following documents are specific to Cisco IOS Release 12.4 and are located at Cisco.com:

Cisco IOS Release 12.4 Mainline Release Notes

Documentation > Cisco IOS Software > Cisco IOS Software Releases 12.4 Mainline > Release Notes

Cisco IOS Release 12.4 T Release Notes

Documentation > Cisco IOS Software > Cisco IOS Software Releases 12.4 T > Release Notes


Note If you have an account with Cisco.com, you can use Bug Navigator II to find caveats of any severity for any release. You can reach Bug Navigator II on Cisco.com at http://www.cisco.com/support/bugtools.


Product bulletins, field notices, and other release-specific documents on Cisco.com at:

Documentation > Cisco IOS Software > Cisco IOS Software Releases 12.4 Mainline

Platform-Specific Documents

These documents are available for the Cisco 7600 series router platform on Cisco.com and the Documentation CD-ROM:

Cisco Service and Application Module for IP User Guide

Diameter Credit Control Application feature guide

Cisco 7600 series routers documentation:

Cisco 7600 Series Cisco IOS Software Configuration Guide

Cisco 7600 Series Cisco IOS Command Reference

Release Notes for Cisco IOS Release 12.2SR for the Cisco 7600 Series Routers

Cisco IOS Software Documentation Set

The Cisco IOS software documentation set consists of the Cisco IOS configuration guides, Cisco IOS command references, and several other supporting documents that are shipped with your order in electronic form on the Documentation CD-ROM, unless you specifically ordered the printed versions.

Documentation Modules

Each module in the Cisco IOS documentation set consists of two books: a configuration guide and a corresponding command reference guide. Chapters in a configuration guide describe protocols, configuration tasks, and Cisco IOS software functionality, and contain comprehensive configuration examples. Chapters in a command reference guide list command syntax information. Use each configuration guide with its corresponding command reference. The Cisco IOS documentation modules are available on Cisco.com at:

Documentation > Cisco IOS Software > Cisco IOS Software Releases 12.4 Mainline > Command References

Documentation > Cisco IOS Software > Cisco IOS Software Releases 12.4 Mainline > Command References > Configuration Guides


Note: To view a list of MIBs supported by Cisco, by product, go to: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml


Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.