Table Of Contents
Release Note for the Cisco 11500 Series Content Services Switch
Contents
CSS Standard and Enhanced Feature Sets
Before Upgrading the CSS Software
Required Updates to Management Information Base (MIB) Files
Features in Software Version 7.40.0.04
Documentation Set for Software Version 7.40
Documentation Enhancements and Corrections
Operating Considerations
Software Version 7.40.3.05 Open Caveats, Resolved Caveats, and Command Changes
Software Version 7.40.3.05 Open Caveats
Software Version 7.40.3.05 Resolved Caveats
Software Version 7.40.3.05 Command Changes
Software Version 7.40.2.02 Open Caveats, Resolved Caveats, and Command Changes
Software Version 7.40.2.02 Open Caveats
Software Version 7.40.2.02 Resolved Caveats
Software Version 7.40.2.02 Command Changes
Software Version 7.40.1.03 Open Caveats, Resolved Caveats, and Command Changes
Software Version 7.40.1.03 Open Caveats
Software Version 7.40.1.03 Resolved Caveats
Software Version 7.40.1.03 Command Changes
Software Version 7.40.0.04 Open Caveats, Resolved Caveats, and Command Changes
Software Version 7.40.0.04 Open Caveats
Software Version 7.40.0.04 Resolved Caveats
Software Version 7.40.0.04 Command Changes
Obtaining Documentation
Cisco.com
Product Documentation DVD
Ordering Documentation
Documentation Feedback
Cisco Product Security Overview
Reporting Security Problems in Cisco Products
Obtaining Technical Assistance
Cisco Technical Support & Documentation Website
Submitting a Service Request
Definitions of Service Request Severity
Obtaining Additional Publications and Information
Release Note for the Cisco 11500 Series Content Services Switch
March 17, 2006
Note 
The most current Cisco documentation for released products is also available on Cisco.com. The online documents may contain updates and modifications made after the hardcopy documents were released.
Contents
This release note applies to the following software versions for the Cisco 11500 Series Content Services Switch (CSS):
•7.40.3.05 (version 7.40, release 3, build 5)
•7.40.2.02 (version 7.40, release 2, build 2)
•7.40.1.03 (version 7.40, release 1, build 3)
•7.40.0.04 (version 7.40, release 0, build 4)
For information on version 7.40 commands and features, refer to the CSS 7.40 documentation located in http://www.cisco.com.
This release note contains the following sections:
•CSS Standard and Enhanced Feature Sets
•Before Upgrading the CSS Software
•Required Updates to Management Information Base (MIB) Files
•Features in Software Version 7.40.0.04
•Documentation Set for Software Version 7.40
•Operating Considerations
•Software Version 7.40.3.05 Open Caveats, Resolved Caveats, and Command Changes
•Software Version 7.40.2.02 Open Caveats, Resolved Caveats, and Command Changes
•Software Version 7.40.1.03 Open Caveats, Resolved Caveats, and Command Changes
•Software Version 7.40.0.04 Open Caveats, Resolved Caveats, and Command Changes
•Obtaining Documentation
•Cisco Product Security Overview
•Obtaining Technical Assistance
•Obtaining Additional Publications and Information
CSS Standard and Enhanced Feature Sets
The CSS software is available in a Standard or optional Enhanced feature set. The Enhanced feature set contains all of the Standard feature set and also includes Network Address Translation (NAT) Peering, Domain Name Service (DNS), Demand-Based Content Replication (Dynamic Hot Content Overflow), Content Staging and Replication, and Network Proximity DNS. Proximity Database and Secure Management, which includes Secure Shell Host and SSL strong encryption for the Device Management software, are optional features. Software version 7.40 no longer requires that you enter a license key for the Standard software feature set. The Enhanced software feature set, as well as the optional Secure Management feature, still require a license key in order to be activated.
Before Upgrading the CSS Software
Before you upgrade your CSS software, archive your custom scripts (including user profiles and custom script keepalives) by using the archive script or save_profile command. When you upgrade the software, the upgrade process creates a new /<current running version>/script directory, overwriting the current script directory. After the upgrade is done, use the restore filename script command to restore the scripts you archived. Refer to the Cisco Content Services Switch Administration Guide for detailed software upgrade instructions.
Required Updates to Management Information Base (MIB) Files
The MIBs in 7.40 have been modified to be consistent with other Cisco products within the Cisco private enterprise branch of the MIB tree. The modifications include a change to the enterprise OIDs (Object Identifiers). If you have created any customized network management applications, you must modify these applications in order to use the new OIDs in the modified MIBs in 7.40. If you continue to use the former Arrowpoint enterprise OIDs (.2467), the CSS will not recognize SNMP requests.
The former Arrowpoint enterprise MIB branch was:
•iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).arrowPoint(2467)
1.3.6.1.4.1.2467
The new Cisco enterprise MIB branch is:
•iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).cisco(9).ciscoMgmt(9).arrowPoint(368) 1.3.6.1.4.1.9.9.368
The .2467 needs to be replaced with 9.9.368 wherever it is used. For a graphical view of the updated MIB tree, refer to the Cisco Content Services Switch Administration Guide, Chapter 5, `Configuring Simple Network Management Protocol', Figure 5-2.
After you upgrade the CSS software, you must unload the current CSS MIBs and load the latest CSS MIBs in your network management station. The CSS MIBs are included in the CSS GZIP file. During the software upgrade, the MIBs are loaded into the CSS /mibs directory.
To update the CSS MIBs on your management station after you upgrade the CSS:
1. FTP the specific MIBs or the GZIP file (which contains all the MIBs) from the CSS MIBs (/v1 or /v2) directory to your management station.
2. Unload the CSS MIBs from the management application.
3. Load the MIBs into the management application.
Features in Software Version 7.40.0.04
The following new features are supported in software version 7.40.0.04. In addition to these features, Table 7 and Table 8 list CLI commands that are new or changed.
•SSL HTTP header insertion - Cisco Content Services Switch SSL Configuration Guide
•SSL client authentication - Cisco Content Services Switch SSL Configuration Guide
•SSL client initiation - Cisco Content Services Switch SSL Configuration Guide
•HTTP custom header matching - Cisco Content Services Switch Content Load-Balancing Configuration Guide
•Script and profile preservation on upgrade - Cisco Content Services Switch Administration Guide
•Configurable flow-state table - Cisco Content Services Switch Content Load-Balancing Configuration Guide
•SIP aware load balancing - Cisco Content Services Switch Content Load-Balancing Configuration Guide
•Source group changes - Cisco Content Services Switch Content Load-Balancing Configuration Guide
•Port mapper - Cisco Content Services Switch Content Load-Balancing Configuration Guide
•MIB changes - Cisco Content Services Switch Administration Guide
•Longer URL redirect - Cisco Content Services Switch Content Load-Balancing Configuration Guide
•1000BASE-T -Cisco 11500 Content Services Switch Hardware Installation Guide
•Default subnet mask changed from 0.0.0.0 to 255.255.255.0 - Cisco Content Services Switch Getting Started Guide
Documentation Set for Software Version 7.40
The documentation set for software version 7.40 now includes the Cisco Content Services Switch Getting Started Guide and the Cisco Content Services Switch SSL Configuration Guide. The complete documentation set contains the publications listed below.
Document Title
|
Description
|
Cisco 11500 Series Content Services Switch Hardware Installation Guide
|
This guide provides information for installing, cabling, and powering the Cisco 11500 series CSS. In addition, this guide provides information about CSS specifications, cable pinouts, and hardware troubleshooting.
|
Cisco Content Services Switch Getting Started Guide
|
This guide describes how to perform initial administration and configuration tasks on the CSS, including:
•Booting the CSS for the first time and a routine basis, and logging in to the CSS
•Configuring the username and password, Ethernet management port, static IP routes, and the date and time
•Configuring DNS server for hostname resolution
•Configuring sticky cookies with a sticky overview and advanced load-balancing method using cookies
•Finding information in the CSS documentation with a task list
•Troubleshooting the boot process
|
Cisco Content Services Switch Administration Guide
|
This guide describes how to perform administrative tasks on the CSS, including booting and logging in to the CSS, upgrading your CSS software, and configuring the following:
•User profile and CSS parameters
•Logging, including displaying log messages and interpreting sys.log messages
•DNS server for hostname resolution
•User profile and CSS parameters
•SNMP
•RMON
•XML documents to configure the CSS
•CSS scripting language
•Offline Diagnostic Monitor (Offline DM) menu
|
Cisco Content Services Switch Redundancy Configuration Guide
|
This guide describes how to perform CSS redundancy configuration tasks, including:
•VIP and virtual interface redundancy
•Adaptive session redundancy
•Box-to-box redundancy
|
Cisco Content Services Switch Routing and Bridging Configuration Guide
|
This guide describes how to perform routing and bridging configuration tasks on the CSS, including:
•Management ports, interfaces, and circuits
•Spanning-tree bridging
•Address Resolution Protocol (ARP)
•Routing Information Protocol (RIP)
•Internet Protocol (IP)
•OSPF protocol
•Cisco Discovery Protocol (CDP)
•Dynamic Host Configuration Protocol (DHCP) relay agent
|
Cisco Content Services Switch Content Load-Balancing Configuration Guide
|
This guide describes how to perform CSS content load-balancing configuration tasks, including:
•Services
•Owners
•Content rules
•Sticky parameters
•Flow and port mapping
•HTTP header load balancing
•Content caching
•Content replication
|
Cisco Content Services Switch Global Server Load-Balancing Configuration Guide
|
This guide describes how to perform CSS global load-balancing configuration tasks, including:
•Domain Name Service (DNS)
•DNS Sticky
•Content Routing Agent
•Client-Side Accelerator
•Network proximity
|
Cisco Content Services Switch Security Configuration Guide
|
This guide describes how to perform CSS security configuration tasks, including:
•Controlling access to the CSS
•Secure Shell Daemon protocol
•Radius
•TACACS+
•Firewall load balancing
•Secure Socket Layer (SSL) termination with the SSL Acceleration Module
|
Cisco Content Services Switch SSL Configuration Guide
|
This guide describes how to perform CSS SSL configuration tasks, including:
•SSL certificate and keys
•SSL termination
•Back-end SSL
•SSL initiation
|
Cisco Content Services Switch Command Reference
|
This reference provides an alphabetical list of all CLI commands including syntax, options, and related commands.
|
Cisco Content Services Switch Device Management User's Guide
|
This guide describes how to use the Device Management user interface, an HTML-based Web-based application that you use to configure and manage your CSS.
|
Documentation Enhancements and Corrections
The following enhancements and corrections apply to the 7.40 documentation set.
•The -norlog and -notrap flags are available for the commit_vip_redundancy script. The syntax is:
commit_vip_redundancy -nolog -notrap
–The -norlog option reduces the number of log messages that the CSS sends to the configured log host during the script.
–The -notrap option reduces the number of traps that the CSS sends to the configured trap host during the script.
•The CSS performs a urlrewrite search in the follow order:
1. Exact match.
2. Postfix wildcard match using the shortest prefix (for example, will match on "ssl-server 1 urlrewrite 7 cis*" before matching on "ssl-server 1 urlrewrite 12 cisco.*").
3. Prefix wildcard match using the shortest match (for example, will match on "ssl-server 1 urlrewrite 7 *.cis" before matching on "ssl-server 1 urlrewrite 12 *.cisco".
4. Wildcard match (for example, ssl-server 1 urlrewrite 7 *).
•The CSS does not support Virtual IP address ranges (VIPs) on the SSL module. The ssl-proxy-list and ssl-server vip commands cannot be configured as part of a content rule VIP configured using the vip range command.
•The CSS does not apply a keepalive tcp-close configuration to scripted keepalives.
•Before you use the snmp auth-traps command to generate traps, you must first enable SNMP generic traps using the snmp trap-type generic command. Though the CSS will allow you enter the snmp auth-traps command without first entering the snmp trap-type generic command, it will not generate traps until you enable SNMP generic traps.
•The documentation incorrectly states that you can configure as many SNMP communities as you wish through the snmp community command. You can configure a maximum of five communities.
•You cannot configure content rules with VIP address ranges that overlap, including rules with different port numbers. However, you can configure content rules with the same VIP address range.
Operating Considerations
The following operating considerations apply to software version 7.40.0 and greater.
•If you have not configured the portmap vip-address-range command and you observe no-portmap errors, then configure the command. If you have configured the portmap vip-address-range command and your traffic flow consumes all eligible port-map entries, you may observe no-portmap errors and momentary high CPU utilization. You can display the number of no-portmap errors using the show group group_name portmap command. The CSS restricts new connection attempts that require port mapping to prevent extended periods of high CPU utilization. In this case, we recommend that you increase the portmap vip-address-range value beyond that required to support the maximum number of active connections that you anticipate for your application. For more information, refer to the Cisco Content Services Switch Content Load-Balancing Configuration Guide.
•The CSS supports a maximum of 31 characters for content rule names. In a content rule-based DNS configuration, CSS peers share content rules over APP sessions. When it learns a content rule from a peer, a CSS appends an "at" sign (@) and the VIP address of the CSS peer to the content rule name. Depending on the length of the original content rule name and the VIP address of the peer, the learned content rule name may exceed 31 characters. To maintain the maximum length of 31 characters, the CSS drops characters from the left side of the learned content rule name. If you have content rule names greater than 15 characters with content-rule based DNS configured, this process could cause a CSS to have two content rules with the same name, which renders both content rules inoperable. To prevent this occurrence, always place the unique characters in a content rule name at the end of the name.
•When the SSL modules are receiving more traffic than they can handle, one module may have more errors than another. Once a module gets behind, it is not able to catch up, so it gets further behind. You may see a load imbalance between the two modules. This occurs because the Session Processor (SP) does not detect the status of the SSL-offload modules. The SP continues to send flows to the SSL module even if it is not able to handle them. This does not include a condition by which the module completely fails. In that case, the CSS removes the module from service.
•When configuring a port mapper in a source group with the same VIP address as the content rule, you must configure the port mapper and content rule with the same VIP address ranges. The maximum VIP address range for a port mapper is 255. If you need to create a rule with a VIP address range greater than 255, create multiple rules with smaller ranges instead.
•When you configure the expiration time and date for a location cookie using the location-cookie expiration command, the CSS CPU may spike and the CSS may experience a degradation in its performance. Configure the expiration option with the location-cookie command only when necessary.
•When you configure the arrowpoint-cookie expiration command and the advanced-balance arrowpoint-cookie command, the CSS CPU may spike and the CSS may experience a degradation in its performance. Configure the arrowpoint-cookie expiration command only when necessary.
•The Server Status field in the show sntp global command indicates the operating status of the SNTP server (UP or DOWN). After the CSS fails to connect to the SNTP server three consecutive times, the CSS marks the SNTP state as DOWN.
•When the CSS is processing an SNMP BULK_WALK request to obtain the ether-history table, the requesting application may time out due to the large amount of information it has to gather. To avoid having the requesting application time out, increase the requesting application's retransmission timer.
Software Version 7.40.3.05 Open Caveats, Resolved Caveats, and Command Changes
The following sections contain the open caveats, resolved caveats, and command changes in software version 7.40.3.05:
•Software Version 7.40.3.05 Open Caveats
•Software Version 7.40.3.05 Resolved Caveats
•Software Version 7.40.3.05 Command Changes
Software Version 7.40.3.05 Open Caveats
The following caveats apply to software version 7.40.3.05:
•CSCej87514 - The CSS fails to negotiate a TCP handshake successfully when it is proxying a connection to a server that returns a zero window size.
•CSCek00530 - The CRL download fails if the HTTP header spans multiple packets. The CRL download occurs between the SSL module and the configured CRL server. The HTTP header is terminated by a CRLFCRLF, and the CRL download code expects that terminator to be in the first server data packet. The actual CRL data may span multiple packets. In testing with Linux, if the MTU was 278, the HTTP header splits and the CRL download fails.
•CSCek15563 - The IPV4 critical message does not include adequate information to determine which traffic is causing the error message to be generated. For example, the following message should include the IP addresses or ports so you can determine which traffic is generating the error condition.
SEP 19 13:50:25 4/1 6307 IPV4-2: Ipv4SlaveForwBmanChk: no ingress LP in buffer
•CSCek27227 - The CSS may reboot when receiving an SNMP get request for the MIB variable apCntStickyNoCookieString on a content rule.
•CSCek32632 - The CSS reboots when it runs out of system application buffers and fails to check for a non-existent buffer return code.
•CSCek32637 - The CSS reboots when it runs out of file descriptors and is configured with scripted keepalives and the command scheduler.
Software Version 7.40.3.05 Resolved Caveats
The following caveats were resolved in software version 7.40.3.05:
•CSCei00309 - Configuring and then removing a static ARP for an existing device may cause the CSS to reboot after an indeterminate, variable period of time.
•CSCei21776 - If the CSS receives a RST packet while a connection is already in the process of being shut down, the SSL module may reboot.
•CSCei27622 - Invalid "SSL FINISHED" messages may cause the CSS SSL module to reset, which causes the CSS to deny any SSL connections. When the offending packet is no longer sent to the CSS and the timer expiration causes the SSL module to reset, the CSS start accepting new connections.
•CSCei31328 - When you configure client authentication on an SSL module, the SSL module may incorrectly reuse the session ID with different VIPs.
•CSCei31463 - VRRP traps may no longer be sent by the backup CSS when the commit_redundancy script is run.
•CSCei35940 - The following new log message was added for a source group mis-configuration where 'index' is the internal source group index value. However the log message is only logged if an internal source group debug flag "FwPortMapLogging" is enabled, which can only be done using symbols in debug mode. This may cause confusion when tracking log messages because the log message should be at warning, info, or debug level logging.
"<Routine name>: Possible portmap leak - <index> changed to <index>"
•CSCei40272 - When using an SSL module, there may be packets that are being seen on the client-side connection that are believed to be destined to the SSL module.
•CSCei47195 - The isc-port reports LifeTick failures that may not cause session replication to occur correctly because the peers are not passing messages across the isc-port. Workaround: To enable messages to be passed correctly, remove and re-add the isc-port that is experiencing the issue.
•CSCei55203 - The CSS does receive get CRLs when booting even though it is able to resolve DNS requests. Workaround: Use an IP address instead of a hostname in the CRL record to avoid this issue.
•CSCei81533 - The CSS leaks a TCPFAST application source port when it receives a TCP FIN and it was in the process of closing the connection. When the CSS leaks source ports, it causes services to remain in the DOWN state.
•CSCej01719 - When you configure the CSS with an ACL preferred service clause and a source group that both match an incoming ICMP ECHO request, the CSS properly performs source NAT on the ICMP request but does not properly forward the request to the preferred service in the matched ACL clause.
•CSCej02503 - Setting the TCP syn timeout value on an SSL service causes the CSS to reboot.
•CSCej12554 - The CSS may provide the wrong MAC address for the VIP address or not properly handle VIP load-balanced traffic if the CSS VIP address is inserted into the internal CSS ARP or routing tables.
•CSCej12745 - If you configure a service with the ap-kal-pinglist scripted keepalive, the service would be in the wrong service state if one of the script arguments is a local VIP address on the CSS.
•CSCej14453 - The CSS may reboot when trying to import or export an SSL file using SFTP.
•CSCej17291 - When you configure the CSS for SSL termination, it may fail to complete an SSL connection and issue an alert when the server combines multiple SSL messages into a single record layer message.
•CSCej22808 - When the CSS is configured for SSL Termination and a SSL session closed down, it was possible to free the internal SSL session structure twice causing the CSS to reboot.
•CSCej30229 - The SSL module may insert an extra byte into the SSL record causing all of the subsequent bytes in the record to decode incorrectly. This issue prevents the client from finding the next SSL record header and the session falls apart with "short record" errors.
•CSCej34375 - The CSS SSL backend-server IP address and server IP addresses and their port values must be unique. If they are not unique, the following error message appears:
%% Backend-server ip/server address and port values must form unique tuples.
•CSCej35592 - If you configure the number of hours before you update the CRL to 0, the CSS may reboot.
•CSCej45447 - In a CSS with an SSL module using SSL session ID reuse, if SSL sessions are reused with the same session ID, VIP, and port, some SSL sessions may be leaked causing the SSL module to refuse new SSL connections.
•CSCej46421 - The CSS may reboot when the CSS SNMP agent receives an SNMP bulk NEXT request and one of the SNMP OID requests returns an error.
•CSCej60160 - CSCej60160 - A CSS under minimum load may send many traplog messages that display extremely high DOS attack numbers and display the numbers as negative.
•CSCej61680 - The CSS may reboot if it is configured with an unsupported wildcard domain name in a content rule.
•CSCej64552 - During an FTP session, if you enter a list (ls) command with a pathname greater than 256 characters, the CSS reboots.
•CSCej70513 - The CSS reboots after you modify an SSL configuration and then run the commit_vip_redundancy script.
•CSCej72467 - The CSS SSL module may leak chunks of memory causing the CSS to run out of sessions and to be unable to accept new incoming connections.
•CSCej72718 - On a CSS configured with URL rewrite, if the CSS cannot find the http:// value in the expected Location: field, it may perform the URL rewrite incorrectly and reboot.
•CSCej76133 - The global configuration flow reserve-clean command is being removed and the associated MIB object deprecated. This command has been replaced with the flow permanent and the flow-timeout-multiplier commands.
•CSCej76835 - The CSS SSL module may hang in a Down state and then attempt to reboot because it was unable to create a core file. During this time, all traffic to the SSL module is dropped. When this condition exists, the show task command in debug mode displays suspended tasks on the SSL module.
•CSCej83237 - Using the ssl genscr command to generate a new certificate with an existing filename causes the CSS to reboot.
•CSCej88415 - On a CSS configured with SSL header insertion, when the CSS processes an application data frame that contains a GET, it attempts to insert session information into the clear text request header, but the cipher is NULL, causing the SSL module to reboot.
•CSCek00656 - In some instances, an ap-kal-dns scripted keepalive stops being sent from CSS to server.
•CSCek04270 - The CSS reboots when you add a DNS entry to a content rule.
•CSCek04631 - The ip route originated-packets command did not work consistently when configured on the CSS and the results were undefined.
•CSCek06031 - An FTP test tool was run against the CSS to perform vulnerability testing and the CSS experienced many core dumps. The tool would send FTP commands with very long file and path names and the CSS would corrupt internal memory and reboot.
•CSCek12106 - The CSS allows you to add a primary or a secondary sorry server (whose service does not contain a redundant-index) to a content rule that contains a redundant-index when that content rule is active. This should not be allowed and may cause the config-sync command to fail and Adaptive Session Redundancy to not work properly.
•CSCek22918 - When accessing the CSS GUI, you are prompted with a SSL certificate from the CSS. The SSL certificate was configured to expire on 5/29/2006. Although the expired certificate can continue to be used to access the GUI, a new certificate has been provided.
•CSCek24806 - If a TACACS server responds to the three way TCP handshake but then fails to fully respond to the actual TACACS request, the CSS authentication ability may fail to respond and no further login attempts will be authenticated.
•CSCek24921 - A connection that is being authenticated is closed before the authentication process is completed causing the CSS to reboot.
•CSCek25025 - When the CSS is configured with SSL initiation and SSL backend, the CSS terminates the cleartext connection but does not create the corresponding SSL connection.
•CSCek25247 - The CSS reboots when it is configured for XML and receives a HTTP content request with a large number of tags that uses all the available HTTP daemon memory, which leaves zero memory when it is time to process the MIME authorization.
•CSCek26020 - The CSS reboots if you enter the no ssl-server xx cipher ? command and "xx" is not a configured ssl-server.
•CSCek26792 - The CSS did not send a TCP RST for a "Mid Spoof Reject" as it did for a "Mid Nat Reject". These errors occur when the Flow Control Blocks (FCBs) for a connection have been deleted and reused for new incoming connections. If the configured content rule configured is a Layer 3 rule or a Layer 4 rule, then the error is "Mid Nat Reject". If the configured content rule is a Layer 5 rule, then the error is "Mid Spoof Reject".
•CSCek34363 - On a CSS with an SSL module with client authentication and session id reuse (which is enabled by default) configured, when IE browser connections are made, the connections hangs. Once the HTTP GET is received, the CSS does not forward that GET to the server. The client browser hangs until the connection times out.
Software Version 7.40.3.05 Command Changes
Table 1 lists the commands and options that have been added in software version 7.40.3.05.
Table 1 CLI Commands Added in Version 7.40.3.05
Mode
|
Command and Syntax
|
Description
|
SSL-Proxy
|
no [backend-server | ssl-server] number tcp [virtual | server] ack-delay
|
The no version of this command resets the acknowledgement delay on a client or server connection to 200 milliseconds (ms).
|
ssl-server number crl crl_record_name expiration-enable {verification-enable}
|
The new expiration-enabled keyword allows the SSL module to determine whether a reloaded CRL file has expired by checking the Next Update field in the file. By default, when the CSS successfully loads the CRL initially and then reloads a new copy of the CRL file at the configured hourly refresh interval, it does not check the Next Update field in the file to determine if the CRL has expired, and subsequently downloads an expired file from the configured server.
When you configure this keyword and the CSS tries to load a new copy of the CRL, the SSL module checks the Next Update field in the file. If the field indicates that the CRL has expired, the module clears it from each associated SSL server and rejects all resulting client connections.
The SSL module checks the Next Update field when the CSS loads the CRL file. A load occurs when:
•You activate an ssl-accel type service.
•An SSL-server VIP address associated with a CRL goes to the master state (for example when a content rule is activated).
•The CRL hourly refresh interval is reached.
•You enter the ssl force-crl command.
The new verification-enabled option allows the SSL module to clear the CRL from each associated SSL server and rejects all resulting client connections when any of the following failures occurs when downloading a CRL file:
•Host Timeout
•Host TCP Reset
•Host HTTP "File not Found" return code
•CRL File Format Bad
•CRL Signature Bad
•CRL Next Update Field Invalid
•CRL Next Update Expired
•Internal CRL memory allocation failure
|
SuperUser
|
clear ssl crl statistics {crl_name}
|
Clears all SSL certificate revocation list (CRL) records statistics displayed through the show ssl crl-record command. You can optionally clear the statistics for a specified CRL record name, crl_name.
|
ssl clear-crl {crl_name}
|
Clears the CRL file from all associated SSL servers. You can optionally clear a specified CRL record name, crl_name.
Caution Use this command with caution. If client authentication is configured and you clear the CRL, all resulting client connections are reset.
|
Table 2 lists the commands and options that have changed in software version 7.40.3.05.
Table 2 CLI Commands Changed in Version 7.40.3.05
Mode
|
Command and Syntax
|
Description
|
Global
|
flow reserve-clean
no flow reserve-clean
|
These command have been removed from the CLI.
|
SSL-Proxy
|
[backend-server | ssl-server] number tcp [virtual | server] syn-timeout seconds
|
The range for the seconds variable is now 1 to 3600. Formerly, the range was 0 to 3600.
|
Software Version 7.40.2.02 Open Caveats, Resolved Caveats, and Command Changes
The following sections contain the open caveats, resolved caveats, and command changes in software version 7.40.2.02:
•Software Version 7.40.2.02 Open Caveats
•Software Version 7.40.2.02 Resolved Caveats
•Software Version 7.40.2.02 Command Changes
Software Version 7.40.2.02 Open Caveats
The following caveats apply to the CSS 11501, CSS 11503 and the CSS 11506:
•CSCeg76469 - Passive FTP may fail when the server reuses ports and the file to be transferred are very small.
•CSCeg84248 - When loading SNMP v1 MIBs on HP OpenView, the CISCO-SMI warning message is displayed.
•CSCeh64196 - In an environment using large SSL POSTs, the TCP window on the SSL module may be reduced in size to less than a packet. This issue creates an ACK in each subsequent packet. Due to the length (in Kbytes) of the transaction, this condition causes the session to last significantly longer than it should versus when the TCP windows are large enough to accept enough date to fill their buffers.
•CSCeh65783 - When a critical service becomes active, the CSS does not apply the VRRP hold down timer. Immediately after the critical services becomes active, VRRP transitions to a master state.
•CSCei00309 - The CSS may reboot if the ARP timing list has duplicate entries.
•CSCei21776 - If the CSS receives a RST packet while a connection is already in the process of being shut down, the SSL module may reboot.
•CSCei31328 - When you configure client authentication on an SSL module, the SSL module may incorrectly reuse the session ID with different VIPs.
•CSCei31463 - VRRP traps may no longer be sent by the backup CSS when the commit_redundancy script is run.
•CSCei31471 - While processing approximately 150 connections/sec the SSL module hangs and does not recover. The SSL module does not fail over, which causes all SSL traffic to fail. The CSS does not produce core dumps.
•CSCei35940 - The following new log message was added for a source group mis-configuration where 'index' is the internal source group index value. However the log message is only logged if an internal source group debug flag FwPortMapLogging is enabled, which can only be done using symbols in debug mode. This may cause confusion when tracking log messages because the log message should be at warning, info, or debug level logging.
"<Routine name>: Possible portmap leak - <index> changed to <index>"
•CSCei40272 - When using an SSL module, there may be packets that are being seen on the client-side connection that are believed to be destined to the SSL module.
•CSCei44528 - When using SSL header insertion, some characters may be dropped from the client cert.
•CSCei45775 - In the enhancement for CSCei03460, the syntax for the no ssl server 1 tcp virtual retrans command is incorrect. The virtual keyword is missing from the command. The no version of the command does not remove the command from the running config. The value is being set properly, but it is not correct in the running-config and will cause the running config to fail. Workaround: Use the ssl-server 1 tcp virtual retrans with the default value of 500.
•CSCei47195 - After rebooting the CSS, the isc-port reports LifeTick failures that may not cause session replication to occur correctly because the peers are not passing messages across the isc-port. Workaround: To enable messages to be passed correctly, remove and re-add the isc-port that is experiencing the issue.
•CSCei50372 - On a CSS with an SSL module and SSL initiation configured, the SSL module may reboot without creating a core file in certain situations.
•CSCei55203 - The CSS does receive get CRLs when booting even though it is able to resolve DNS requests. Workaround: Use an IP address instead of a hostname in the CRL record to avoid this issue.
•CSCei55651 - The commit vip redundancy script may fail when the master configuration is very large.
Software Version 7.40.2.02 Resolved Caveats
The following caveats were resolved in software version 7.40.2.02:
•CSCee33659 - When the ISC link is bounced, the sticky table information on the backup CSS is no longer accurate for certain slots.
•CSCee60207 - Using ACLs and source groups to NAT client traffic fails for traffic destined to a SSL content rule that uses a SSL module. The CSS matches the ACL, but does not NAT the client's source IP address. The result is that one-armed topologies do not function properly for specific SSL content rules. Workaround: Configure the source group using the add destination service command instead of using ACLs.
•CSCef61128 - The CSS may reboot when it receives an out of sequence or malformed SSH protocol message.
•CSCeg25641 - According to RFC 2068, Hypertext Transfer Protocol - HTTP/1.1, if `chunked' is in a HEAD response, the CSS should ignore it, and not try to look for more data. However, the CSS continues to look for more data, which causes the keepalive to fail.
•CSCeg35174 - During a secure HTTPS transfer, the CSS sends out several hundred KBs, waits between 3.5 and 5 seconds, and then sends out another several hundred KBs. The CSS repeats this pattern until the transfer is complete. The delay between bulk transfers adds to the transfer time for the file locally. Note that this delay does not impact standard HTTP file transfers, only secure HTTP file transfers.
•CSCeg35659 - When the sticky table is full from entries using the sticky inactivity timer, new connections requiring use of the sticky table should be sticky rejected, but should still be load balanced. This works for SSL sticky, but not for sticky-srcip.
•CSCeg37717 - When the CSS is running heavy client authentication traffic in which the client sends a chained certificate, traffic will eventually stop. If you use the show system resources command several times, the memory on the SSL module drops quickly to approximately 140 MB, and then traffic stops until you reboot the CSS.
•CSCeg40291 - While running a custom keepalive script in a Global Server Load Balancing (GSLB) environment, both CSSs reboot (that is, the CSS running the script and its peer). The CSS running the script creates a core dump, but the peer CSS reboots without creating a core dump.
•CSCeg40412 - If you configure the CSS with an invalid CA certificate when using client authentication, the CSS may incorrectly process the request. This occurs only when you configure a failure method of type redirect. This also only occurs when using IE browsers. When you use Netscape browsers, the CSS sends a redirect to the client.
•CSCeg46589 - A scripted keepalive using socket waitfor in the script may fail with a "Script error" at the socket waitfor line. The service will therefore be down. Conditions: The socket waitfor must be expecting a string that matches exactly the data the service is sending. Workaround: Either configure socket waitfor to a shorter string (1 byte less is sufficient) than what the service sends or configure the service to send a string that is longer (1 byte more is sufficient) than what the socket waitfor expects.
•CSCeg47732 - When the CSS sends a reset to a client that contains a redirect to an IE browser, the client receives a blank page. But, when the client refreshes the page, the issue is resolved. This problem only occurs on IE browsers. The problem is not seen when you use Netscape, Mozilla or opera browsers.
•CSCeg50573 - If the CSS receives a UDP packet, places it on a vector for future processing, and starts processing the vector, it may incorrectly reference a null pointer and reboot.
•CSCeg52668 - If SSH connections from a client are dropped without a FIN or a RESET, the CSS eventually times out the connection on its side but will not release the socket. This prevents the CSS from accepting new connections.
•CSCeg60264 - When you configure the CSS with keepalives using the keepalive tcp-close fin command, the TCPFAST ports may become unresponsive. Over time, all the ports could become unresponsive, causing the keepalives to fail.
•CSCeg60985 - A scripted keepalive may cause the CSS to reboot due to a double delete.
•CSCeg62332 - When configuring an active SSL proxy list, the CSS allows you to remove commands without first suspending the proxy list. This causes the running-config to display a configuration that is different from the configuration being run.
•CSCeg62476 - When you configure an SSL server with URL rewrite on the CSS and then the CSS receives a 3XX HTTP response that does not contain the Location field in the first packet, the SSL connection may fail.
•CSCeg64394 - In an ASR redundancy configuration, the sticky tables may not synchronize completely after the backup CSS is rebooted.
•CSCeg67414 - When an SSL server Hello spans two packets and you configure the tcp-close command with a FIN, the ssl keepalive type fails.
•CSCeg69358 - When you configure the expiration time and date for a location cookie using the location-cookie expiration command, or the arrowpoint-cookie expiration command and the advanced-balance arrowpoint-cookie command, the CSS CPU may spike and the CSS may experience a degradation in its performance. Configure the expiration option with the location-cookie or the arrowpoint-cookie expiration command only when necessary.
•CSCeg72635 - When you configure the CSS to respond to DNS requests domain names by using the content rule add dns command and the CSS is using firewall load balancing (FWLB), the CSS may send a DNS response to the wrong firewall.
•CSCeg72741 - The CSS may fail to NAT when using ACLs with source groups under certain conditions.
•CSCeg72773 - When you configure the CSS for content replication, constructing a file name for replication prevented the CSS from finding the root directory. The CSS now correctly handles this condition.
•CSCeg81363 - If a Telnet session fails to authenticate a username and password pair to the CSS and then immediately disconnects at the same moment the CSS was disconnecting the session due to the failure, the CSS may become unresponsive. At this point Telnet, console, SSH and FTP access is denied until you reboot the CSS.
•CSCeg82005 - If you issue a CWD (change working directory) command through an FTP connection and the pathname contained more than 31 directories, the CSS may reboot because the CSS only supports 31 directories in the pathname.
•CSCeg83161 - When you configure the CSS with an ISC port, walking the apFlowMgrStatIfTable MIB may cause the following message to appear in the sys.log file:
FLOWMGR-3: GetPortFlowStats CE = 0
•CSCeg85065 - Deliveries of error logs for internal messages may cause the CSS to reboot.
•CSCeg85854 - SNMP causes memory leaks.
•CSCeh00595 - An SNMP GET NEXT of the apFlowMgrExtSlotFlowStats table on a chassis that is not fully populated may cause the CSS to reboot.
•CSCeh00709 - When you configure the CSS using the IP advanced-route-remap command, the command does not take effect on services that are local to the CSS.
•CSCeh05837 - When ASR is configured, the CSS does not replicate a load-balanced data channel in an FTP connection to the backup CSS.
•CSCeh09415 - When ASR is configured, dormant flows incorrectly time out on the backup CSS.
•CSCeh18228 - When you configure the CSS virtual router with a critical reporter that is in a Backup state, this places the virtual router into the Master(ReportBkup) state, which causes the CSS to incorrectly bring the dormant flows to an active state. The CSS should keep these flows in a dormant state until the reporter is master again.
•CSCeh18285 - The CSS immediately ARPs when the spanning-tree topology changes.
•CSCeh34493 - A backup CSS may reboot during a VIP redundancy config synch operation.
•CSCeh34858 - A CSS running 7.40.1.07s with an SSL module and URL rewrite activated may not rewrite the URLs in 302 redirect answers from the servers if the "Location" word in the HTTP header spans two different TCP packets.
•CSCeh20456 - Suspending and activating services that are used in an SSL proxy list may cause an active session that is in use to be deleted. This causes the CSS to reboot.
•CSCeh34858 - A CSS running 7.40.1.07s with an SSL module and URL rewrite activated may not rewrite the URLs in 302 redirect answers from the servers if the "Location" word in the HTTP header spans two different TCP packets.
•CSCeh35317 - In a Content Replication configuration using a UNIX directory structure on the publisher, if the publisher FTP server uses UserID/GroupID instead of UserName/GroupName in the directory listing, the CSS fails to detect the files for replication on the Publisher.
•CSCeh35328 - In a Content Replication configuration, it was possible for the CSS to improperly send numerous test files to the Subscriber. In some cases, the Subscriber FTP server would detect this as an attack and would deny FTP access from the CSS. This was changed so that the CSS will send no more than 4 test files per minute.
•CSCeh38202 - Client authentication fails when the client certificate spans multiple packets.
•CSCeh38676 - When ASR is configured, the ISC link will not come up unless the SCM is in slot 1.
•CSCeh38890 - On a CSS11503 or CSS11506, the CSS may inject incorrect arrowpoint cookie expiration values.
•CSCeh39182 - On networks that experience frequent packet losses and long transaction times, a configuration parameter is needed to deal with SSL transactions terminated on the CSS so the user can tune the retransmission timers to account for these delays.
•CSCeh39266 - Running VIP/interface redundancy with a pair of CSSs connected to a Catalyst 6509/Supervisor 720, the GB ports on the backup CSS may fail unless the interfaces connected to the Catalyst are explicitly shut down using admin-shutdown command.
•CSCeh41820 - A CSS with an SSL module and URL rewrite activated may not rewrite the URLs in 302 responses.
•CSCeh44041 - If the Location field of a 302 Redirect spans from the 2nd packet to the 3rd packet, the CSS does not perform the urlrewrite function if the "Location: " string falls into the third (or greater) packet of a spanned 302 response.
•CSCeh44262 - For a CSS in a VIP/Interface redundant configuration, when a critical service transitioned from DOWN to BACKUP, the CSS would improperly GARP causing devices to update their ARP tables with incorrect information.
•CSCeh45167 - On a CSS with an SSL module and URL rewrite activated, if non-standard ports are configured to be rewritten as well as the "https://", and the 3XX response from the server spans across multiple packets, only the "https" may be rewritten, but not the "port".
•CSCeh45575 - When ASR is configured, the CSS may reboot during a VRRP transition.
•CSCeh48648 - When the CSS was configured for backend remapping, the TCP RST ACK number sent to the backend server to close the connection was incorrect.
•CSCeh49741 - When the CSS is configured for SSL termination, if a SSL handshake message contained multiple SSL messages inside a single record and the record size was greater then 1520 bytes, the resulting CSS behavior was incorrect. The CSS sent an SSL alert, rebooted, or failed to verify the SSL client certificate.
•CSCeh49861 - When a CSS was configured with a DNS entry that was added to a content rule as well as configured as a proximity record, the CSS improperly freed some of the associated memory, and rebooted.
•CSCeh51008 - If a new client authentication certificate was placed on the CSS and you entered the no ssl associate command followed by the ssl associate command that contained a name that already existed in the ssl-proxy-list, and then you suspended and activated the server that was using the ssl-proxy-list, the CSS would reboot.
•CSCeh53894 - On a CSS with an SSL module, the TCP acknowledge timer may become corrupt, causing the CSS to reboot.
•CSCeh54012 - When a CSS was configured with a service type redirect and a long URL was requested, resulting in a redirect response from the CSS, the redirect was being logged. When the redirect string was logged, it was long enough to corrupt memory and caused the CSS to reboot.
•CSCeh54652 - When configuring location cookie, the service types of ssl-accel-backend and ssl-init need to be permitted. Previously only local and redirect were allowed to be configured.
•CSCeh56281 - The CSS may reboot when suspending a content rule due to internal rule tree corruption using Layer 5 rules containing a wildcard url "/hraward*" and a header tag rule using the url "/home*" . This is because both URLs begin with the same letter.
•CSCeh57760 - The CSS may not NAT all ICMP error packets. The IP packet within the ICMP error is translated, but the encompassing ICMP error packet may not be NAT-translated before being sent out of the CSS.
•CSCeh64254 - When typing the show group command on a group name that is not configured using specific arguments and you use the question mark (?) to get the list of available options, the CSS may reboot.
•CSCeh65429 - When configuring the CSS to add an HTTP keepalive, you may see the following error message:
Error %% Maximum keepalives of this type have been exceeded. Cannot activate when
trying to add a new HTTP head keepalive.
•CSCeh65531 - The debug mode flowmgr reset logging may cause the port number in the log message to be incorrect.
•CSCeh68829 - When using advanced balance arrowpoint or location cookies, if the server packets are out of order and HTTP data arrives before the HTTP header, the CSS will not correctly adjust the tcp sequence number, resulting in corrupted data received on the client.
•CSCeh70529 - With the CSS configured with an SSL module and url rewrite activated, if the HTTP 3XX response from the server contained the tag "Content-Location:" the URL rewrite failed because the HTTP tag in the packet was modified. The CSS should modify the \r\nLocation: <>\r\n" tag only instead of any HTTP tag that contains the word "Location:".
•CSCeh70874 - When using the commit_vip_redundancy script to sync a config that includes ACLs and has authChallenge configured on the APP session, if the session secret ends with the string "app", the commit may fail.
•CSCeh71185 - On a CSS configured with a Layer5 rule, when receiving a POST with multiple data packets, if one packet starts with the content "HEAD" it will be blocked by the CSS.
•CSCeh75114 - When a POST is processed by the CSS, if the data that follows the POST begins with a CONNECT or GET, the CSS would erroneously interpret that to be an HTTP method. The CSS will now fully qualify all HTTP Methods to ensure that the POST data is not incorrectly processed as a valid HTTP method.
•CSCeh76035 - When configuring an RMON alarm, if you suspend, activate, suspend and then enter the no rmon-alarm command, the CSS may reboot.
•CSCeh83740 - On a CSS with an SSL module configured with an SSL proxy list using a CRL and VIP/interface redundancy, the backup CSS does not download the CRL, causing DoS attacks.
•CSCeh83762 - If the CSS was configured with services with encrypted http keepalives of type ssl-backend or ssl-initiation, memory may be leaked on the SSL module until eventually all memory blocks could be depleted and user SSL traffic would cease.
•CSCeh86543 - If the CSS is configured for SSL Termination using a CRL list and the SSL module was in the process of retrieving the CRL when the global CRL record was deleted on the SCM, the SSL module may reboot. This may also occur when you issue the clear running-config command.
•CSCeh86555 - The CSS may reboot when enabling OSPF due to an OSPF LSA update that contained the maximum Ethernet packet size.
•CSCeh87082 - If the CSS was configured for logging to an SMTP server, when the CSS opened an SMTP connection to the mail host, the CSS was incorrectly detecting the "continue" character of "-". This caused the CSS and the SMTP mail host to get out of sync in the SMTP protocol and the sendmail connection would be terminated by the CSS prematurely, causing the sendmail to fail.
•CSCeh89398 - When trying to set and enable the SNTP server through the GUI on the CSS running 7.4.1.11s, the following error may occur:
"An error occurred while processing your request. The request was not completed."
•CSCeh97409 - If the CSS was configured with a protocol-only content rule (that is, protocol tcp but no port) and the VIP range on the content rule was changed, a reboot was required for the configuration change to take effect even suspending and activating the content rule.
•CSCei00983 - On a CSS with an SSL module, the available memory on the SSL module could drop significantly on a daily basis until all available memory was lost, severely impacting SSL traffic and requiring a reboot to recover the memory.
•CSCei02447 - When an SSL module was configured for header insertion, the SSL header insertion was not occurring for all POSTs, and potentially GETs if the HTTP header terminator spanned multiple packets.
•CSCei04797 - The CSS was allowing a scripted keepalive under a service to be configured, even if the script did not exist. Once the service was activated, the following error message appeared in the show service command display:
Script Error: Script failed to load. Is script present on disk?
•CSCei08501 - The backup CSS does not download the CRL information in a box-to-box setup because the interfaces are not active. When the CSS moves from backup to master, the SSL module does not attempt to download the CRL after the interfaces become active. This prevents the backup CSS from having the correct CRL information until the first update is sent after it becomes the master CSS. Because of this condition, the backup CSS will not have the correct CRL information when it becomes the master CSS.
•CSCei15420 - When a CSS is configured with VIP/Interface redundancy, critical reporters, and SNMP redundancy-transition traps enabled, it reboot when a reporter transitioned to down due to a string over-run on the trap text.
Software Version 7.40.2.02 Command Changes
Table 3 lists the commands and options that have been added in software version 7.40.2.02.
Table 3 CLI Commands Added in Version 7.40.2.02
Mode
|
Command and Syntax
|
Description
|
All
|
zero group statistics
|
Clears all service and portmap statistics for all source groups displayed through the show group command.
Formerly, the zero all command in group configuration mode cleared these statistics. This command now clears the statistics for the group in the current mode.
|
All modes except RMON, URQL, and VLAN
|
show http-redirect-option
|
Displays the TCP FIN or RST flag settings for HTTP 302 redirect messages sent by the CSS.
|
Global
|
arp mac-down-immediate
no arp mac-down-immediate
|
Configures the CSS to immediately send an ARP request for an IP address associated with that MAC address, thus immediately repopulating the entries in bridge forwarding table.
By default, when the CSS receives a Down event for a MAC address in the bridge forwarding table, it may not send an ARP request to an IP address associated with that MAC address for up to 60 seconds to refresh the table. During this time, the bridge flows through the CSS to the MAC address could fail. Use the no form of this command to reset the default behavior
|
http-redirect-option [fin-rst|fin-fin|rst-rst]
|
Configures the CSS to send specific TCP FIN and RST flags with HTTP 302 redirect messages. By default, when the CSS sends an HTTP 302 redirect message, it sends a FIN flag on an initial connection and RST flags on subsequent requests in a persistent connection.
When the CSS sends packets to a client that contains a redirect message to a Microsoft IE browser, use the http-redirect-option command to select a behavior that is suitable for the browser.
The keywords for this command are:
•fin-rst - Sends a FIN flag for initial connections and an RST flag for persistent connection (default)
•fin-fin - Always sends a TCP FIN flag
•rst-rst - Always sends a TCP RST flag
|
ftp data-channel-timeout seconds
no ftp data-channel-timeout
|
Allows you to configure the time to wait to initiate the FTP data channel on an active or passive FTP connection when you configure the CSS for FTP content rule and source groups.
The seconds variable is the wait time in seconds. Enter a number from 5 to 20. The default value is 5. To reset the default wait time to 5 seconds, use the no ftp data-channel-timeout command.
|
Owner-
Content
|
arpt-lct http-100-reinsert
no arpt-lct http-100-reinsert
|
Reinserts the arrowpoint (ARPT) cookie in the server response packet when the previous HTTP response packet contains a 100 Continue response. Use this command on a content rule configured with the advanced-balance arrowpoint-cookie command.
By default, the CSS always inserts an ARPT cookie in the first server response packet that begins with HTTP. More than likely during POST processing, the packet may contain a 100 Continue response instead of a 200 OK response. When the client receives the 100 Continue response with the inserted ARPT cookie, it may discard the response along with the cookie. Because the CSS does not reinsert the cookie when it receives a following 200 OK response, the client never uses the cookie and stickiness is broken. To reinsert the ARPT cookie in an HTTP server response if the previous packet contains a 100 Continue response, use the arpt-lct http-100-reinsert command.
To reset the default behavior of inserting the ARPT cookie in an ARPT cookie in the first server response packet that begins with HTTP, use the no arpt-lct http-100-reinsert command.
|
SSL-Proxy
|
[backend-server | ssl-server] number tcp [virtual | server] retrans milliseconds
no [backend-server | ssl-server] number tcp [virtual | server] retrans
|
The new retrans option allows you to adjust the retransmission timer for SSL transactions. On networks that experience a lot of packet loss, the transaction can take a long time.
The milliseconds variable is the minimum time in milliseconds for retransmission of SSL transactions. Enter a number form 50 to 500. The default value is 500. To reset the default value of 500 milliseconds, use the no form of the command.
|
SuperUser
|
ssl force-crl-reload {name}
|
Forces the CSS to download all Certificate Revocation Lists (CRLs) or a specific CRL on any active SSL-proxy list on an active service configured with a service type of ssl-accel.
The name variable is the name of a specific CRL that you want to download. If you do not include a specific CRL name with this command, the CSS downloads any of the configured CRLs that are associated with an active SSL-proxy list on an active service.
You cannot download CRLs on a CSS in the backup state.
|
Table 4 lists the commands and options that have changed in software version 7.40.2.02.
Table 4 CLI Commands Changed in Version 7.40.2.02
Mode
|
Command and Syntax
|
Description
|
All
|
show ssl crl-record
|
Now includes a File Not Found field that increments when a CRL filename is not found on the CRL host.
|
Global
|
dns-peer load-variance number
|
The number argument now has a range from 0 to 255. It was formerly 0 to 254.
|
flow persist-span-ooo
no flow persist-span-ooo
|
This command formerly was in Debug mode. This command enables the reordering of persistent spanning packets. By default, the CSS disables the reordering of persistent spanning packets. To reset the default behavior, use the no flow persist-span-ooo command.
|
flow set-port-zero enable | disable
|
This command formerly was in Debug mode. This command enables or disables the CSS to pass traffic using a TCP/UPD source or destination port of 0. By default, the CSS disables the passing of traffic using port 0.
Use the enable keyword to enable the passing of traffic using a TCP/UPD source and destination port of 0.
Note The CSS normally logs traffic with source or destination ports of 0 as a denial-of-service (DOS) attacks. If you enable traffic on port 0, the CSS does not log the flows as denial-of-service attacks.
Use the disable keyword to reset the CSS to its default behavior of not passing traffic using a TCP/UPD source and destination port of 0.
|
flow tcp-del-ack
no flow tcp-del-ack
|
This command formerly was in Debug mode. This command enables TCP delayed acknowledgements (ACK) for Layer 5 spanning packets. By default, the CSS disables TCP delayed ACK for Layer 5 spanning packets. To reset the default behavior, use the no flow tcp-del-ack command.
|
ospf default|[redistribute firewall|static|local] {metric}
|
The range for the metric variable is now 0 to 16777215. It was formally 1 to 16777215.
|
rip [redistribute firewall|local|static|ospf] {metric}
|
The range for the metric variable is now 0 to 15. It was formally 1 to 15.
|
Global (cont.)
|
sntp [primary-server | secondary-server] ip_address {version number}
sntp [primary-server-poll-interval | secondary-server-poll-interval] seconds
no sntp [primary-server | secondary-server]
|[primary-server-poll-interval | secondary-server-poll-interval]
|
These commands and their no forms replace the previous version of the sntp command:
sntp [server ip_address {version number}|poll-interval seconds]
no sntp [server|poll-interval]
The modified commands allow the configuration of a primary or secondary SNTP server on the CSS, and their poll intervals. The keywords, variables and options of the modified command are:
•primary-server | secondary-server - Defines the primary or the secondary SNTP server.
•ip_address - The IP address of the SNTP server. Enter the IP address for the server.
•version number - Defines the version of the SNTP server. For the number value, enter a number from 1 to 4. The default version is 1.
•primary-server-poll-interval - Defines the poll interval for the primary SNTP server.
•secondary-server-poll-interval - Defines the poll interval for the secondary SNTP server
•seconds -The poll interval in seconds between SNTP request messages. For the seconds value, enter a number from 16 to 16284. The default is 64.
|
Group
|
zero all
|
Formerly, this command cleared all service statistics for all source groups displayed through the show group command. This command now clears the statistics for the group in the current mode. It also now clears the portmap statistics.
To clear a all service statistics for all source groups displayed through the show group command, use the zero group statistics commands available in any mode.
|
Software Version 7.40.1.03 Open Caveats, Resolved Caveats, and Command Changes
The following sections contain the open caveats, resolved caveats, and command changes in software version 7.40.1.03:
•Software Version 7.40.1.03 Open Caveats
•Software Version 7.40.1.03 Resolved Caveats
•Software Version 7.40.1.03 Command Changes
Software Version 7.40.1.03 Open Caveats
The following caveats apply to the CSS 11501, CSS 11503 and the CSS 11506:
•CSCee33659 - When the ISC link is bounced, the sticky table information on a backup CSS is no longer accurate for certain slots.
•CSCee60207 - Using ACLs and source groups to NAT client traffic fails for traffic destined to a SSL content rule that uses a SSL module. The CSS matches the ACL, but does not NAT the client's source IP address. The result is that one-armed topologies do not function properly for specific SSL content rules. The workaround is to configure the source group using the add destination service command instead of using ACLs.
•CSCef69624 - If you configure the CSS with preempt on a virtual router that is being monitored by a reporter and the virtual router is in the backup state, the CSS may not preempt if the master CSS begins advertising a lower priority.
•CSCeg04397 - After running a stress test on the SSL module using HTTP header insert, the debug command shell 3 l i stops producing output and the show ssl statistics command returns an error.
•CSCeg10594 - The CSS does not correctly handle VRRP announcement upon a link failure being brought back into service by a backup CSS when using VIP interface redundancy.
•CSCeg25641 - According to RFC 2068, Hypertext Transfer Protocol - HTTP/1.1, if `chunked' is in a HEAD response, the CSS should ignore it, and not try to look for more data. However, the CSS continues to look for more data, which causes the keepalive to fail.
•CSCeg35174 - During a secure HTTPS transfer, the CSS sends out several hundred KBs, waits between 3.5 and 5 seconds, and then sends out another several hundred KBs. The CSS repeats this pattern until the transfer is complete. The delay between bulk transfers adds to the transfer time for the file locally. Note that this delay does not impact standard HTTP file transfers, only secure HTTP file transfers.
•CSCeg35659 - When the sticky table becomes full from entries that use the sticky inactivity timer, the CSS should sticky-reject new connections requiring use of the sticky table, but should still load-balance the connections. When you use the sticky-srcip command, the CSS rejects these connections.
•CSCeg37717 - When running heavy client authentication traffic in which the client sends a chained certificate, traffic will eventually stop.If you use the show system resources command several times, the memory on the SSL module drops quickly to approximately 140 MB, and then traffic stops until you reboot the CSS.
•CSCeg40291- While running a custom keepalive script in a Global Server Load Balancing (GSLB) environment, both CSSs reboot (that is, the CSS running the script and its peer). The CSS running the script creates a core dump, but the peer CSS reboots without creating a core dump.
•CSCeg40412 - If you configure the CSS with an invalid cacert when using client authentication, the CSS may incorrectly process the request. This only occurs when you configure a failure method of type redirect. This also only occurs when using IE browsers. When you use Netscape browsers, the CSS sends a redirect to the client.
•CSCeg46366 - When you configure the SSL module for url rewrite, it monitors the TCP data traffic from server to client for HTTP header with status code 302. If the header is found at the start of the data payload in the TCP frame, it is considered an HTTP response header and is translated. No check is performed to ensure the data received is an HTTP header that needs to be translated. There is a possibility (very low, but not zero) that the HTTP object accessed contains data that contains HTTP header information with a configured site (for example, a packet trace or HTTP training) and this header is the first data in a TCP frame. If this is true, the header may incorrectly be rewritten.
•CSCeg46589 - A scripted keepalive using socket waitfor in the script may fail with a "Script error" at the socket waitfor line. The service will therefore be down. Conditions: The socket waitfor must be expecting a string that matches exactly the data the service is sending. Workaround: Either configure socket waitfor to a shorter string (1 byte less is sufficient) than what the service sends or configure the service to send a string that is longer (1 byte more is sufficient) than what the socket waitfor expects.
•CSCeg47732 - When the CSS sends a reset to a client that contains a redirect to an IE browser, the client receives a blank page. But, when the client refreshes the page, the issue is resolved. This problem only occurs on IE browsers. The problem is not seen when you use Netscape, Mozilla or opera browsers.
•CSCeg50573 - If the CSS receives a UDP packet, places it on a vector for future processing, and starts processing the vector, it may incorrectly reference a null pointer and reboot.
•CSCeg52668 - If SSH connections from a client are dropped without a FIN or a RESET, the CSS eventually times out the connection on its side but will not release the socket. This prevents the CSS from accepting new connections.
Software Version 7.40.1.03 Resolved Caveats
The following caveats were resolved in software version 7.40.1.03:
•CSCee54803 - The CSS is not learning new ARP entries. A host on the local network is not able to ping the CSS circuit address.
•CSCee55759 - A CSS that is configured using the advanced-balance arrowpoint-cookie command may mishandle multiple GET retransmissions when the retransmissions interval between them is too short.
•CSCee56977 - The CSS may not properly load balance return traffic over firewall routes when the traffic is using a source group.
•CSCee73098 - The CSS may have a potential memory leak in the route table when using host routes.
•CSCee88220 - When configuring SSL, performance is the same even when you use SSL session ID reuse, which occurs when you configure a Layer 5 SSL sticky content rule.
•CSCee82580 - The CSS may reboot if you configure the ssl-server handshake timeout command.
•CSCef12205 - The CSS was not properly managing its memory when thousands of DNS queries (of different names and strings) were sent to the CSS. This lead to memory being reduced to the point at which an unrelated task tried to allocate memory and the CSS rebooted.
•CSCef12699 - When you configure the CSS with host routes, do not remove unreachable host routes that are still on the egress host list if these routes are not a dynamic host entry. Removing these host entries may cause the CSS to reboot.
•CSCef19103 - The GUI may cause the CSS to reboot when you access the Content Rule Summary page or the Content Rule Main Summary page if the content rule is DNS-based and the CSS learns the content rule from a peer whose rule name exceeds 32 characters.
•CSCef19550 - Running an SSH scanning tool against a circuit IP address may cause the CSS to deny SSH, telnet, or console access.
•CSCef19704 - When using the advanced-balance ssl command, the CSS does not NAT the server hello when no SSL session ID is sent.
•CSCef24443 - The CSS may reboot when it tries to delete a service that has a service index that did not exist. The CSS will now ignore service delete messages with an incorrect service index.
•CSCef26473 - If a client is behind a source group and is performing passive FTP to a VIP on the CSS, a portmap entry is leaked for every control channel.
•CSCef28638 - The CSS may reboot when a globally-defined DNS record is removed, re-applied, and removed a second time.
•CSCef32957 - The CSS sends out the chmgr-module-transition trip with a specific value of 1, but should send it out with a specific value of 2.
•CSCef34041 - The CSS may reboot if you remove an interface and an ARP request is initiated through this interface. The reboot occurs because the nexthop host is not available.
•CSCef35273 - The CSS removes the output port from the flow table after the destination MAC is aged out of the bridge forwarding table.
•CSCef35258 - A CSS with an SSL module and URL rewrite configured may not rewrite the URLs in 302 redirect responses from the servers if the word "Location" in the HTTP header spans two different TCP packets.
•CSCef35721 - The SSL module should not accept an out of order FIN packet.
•CSCef35877 - A memory leak exists in the SSL module in client proxy mode (ssl-init and backend ssl) and when client authentication is enabled on the backend SSL servers.
•CSCef39490 - If you configure the CSS with an HTTP keepalive with the method GET and the CSS receives an HTTP chunked keepalive response that contains a SPACE (0x20) in the size field, the CSS may incorrectly mark the service as Down.
•CSCef40927 - When the CSS sends out a redirect to force a client to break a persistent connection, it uses the host tag and the URL to form the location field. However, proxy clients use requests in the form GET http://. Therefore, combining the host and URL creates an invalid location field.
•CSCef42240 - Flows on the backend were getting spliced to the wrong flow on the front end, causing applications to fail.
•CSCef44604 - An SNMP NEXT of the apListTable using the apListText OID would not work properly.
•CSCef51658 - Adding a new clause to an existing ACL does not make the new clause function by applying the ACL to the circuit.
•CSCef51985 - The CSS may reboot if it receives a zero length message length in the SSL record header.
•CSCef53702 - If the CSS receives a packet containing a TTL equal to 1 and was attempting to send an ICMP error response, with certain traffic patterns, it reboots without generating a core dump, or log a lifeTick failure, or display Focus port messages.
•CSCef58833 - When using ASR and VIP interface redundancy and an SSL module, the SSL service does not display as active in the configuration. If you activate the service, the CSS displays the message "Need to enable session redundancy on this service" and the service still appears suspended in the config. However, the show service summary command shows that the service is active and the SSL module is accepting traffic.
•CSCef63092 - In a VIP interface redundancy configuration, the CSS may reboot if you issue the show arp command after a redundancy flip and the ARP is not yet resolved.
•CSCef63177 - When using SSL client authentication and HTTP header insertion, the CSS may reboot due to memory being accessed after it has already been freed.
•CSCef63182 - When you configure SSL flows to use SSL to communicate with a backend server, flows fail if the backend SSL server tries to do a SSL re-handshake. If the backend SSL server attempts to do a SSL re-handshake, the connection will be closed by the SSL module.
•CSCef63534 - The CSS may reboot if you remove a location cookie from a content rule and a stray frame is received from the server that matches a deleted flow on the spoof list that had originally been handled by the location cookie.
•CSCef67449 - If you configure virtual routers with vrid peering reporters and one of the virtual routers negotiates as master, but is being suppressed by the reporter due to the other virtual router being in the backup state, the Virtual-Router state in the show command display and in the MIB is displayed as Idle. A new state, Master(ReporterBkup), was added to the show virtual-routers command display and a new MIB object, masterReporterBkup, was added to apIpv4RedundancyVROperState.
•CSCef68044 - When an `out of mbufs' condition is detected by the CSS, only one message is logged per second. This message includes a count of the number of messages that are dropped during that second.
•CSCef70818 - When you configure a service, because its internal keepalive is configured and added to the lexicographically ordered name list, it is possible for an entry on this list to be removed twice. This may cause the CSS to reboot.
•CSCef72033 - If you configure the CSS with a DNS server, it would not allow you to configure an IP or VIP address with an invalid format (such as `ip address a.b').
•CSCef73794 - Using the socket waitfor command with the raw option may cause the command to work improperly if you use hex values to represent ASCII text characters.
•CSCef74250 - When you configure VIP interface redundancy and reporter (VRID peering), the CSS may not respond to traffic when both CSSs interfaces flap.
•CSCef74605 - The CSS may write past the end of a redirect string variable causing memory to be corrupted and causing the CSS to reboot.
•CSCef82699 - When you configure services using custom keepalives and the data on which to search is longer than 16 characters, a buffer overrun and memory management issue may occur, causing the CSS to reboot.
•CSCef82714 - When you configure the CSS for VIP/IF redundancy and OSPF and you then run the commit_vip_redundancy script, the ospf as-boundary commands would not be present on the remote CSS.
•CSCef84099 - The CSS may not send an ICMP/ARP reply for redundant interfaces.
•CSCef84596 - A specific series of interface flaps may cause the CSS to reboot when a blackhole is configured in combination with a local route to the same destination subnet.
•CSCef84780 - If you configure a scripted keepalive using use-output and the script finishes running at the same time it times out, a resource used by the scripted keepalive is freed twice causing the CSS to reboot.
•CSCef85653 - When you configure the CSS for virtual radius authentication and have a primary and secondary server configured, if the CSS runs out of radius authentication IDs, it may reboot due to corrupted memory.
•CSCef86680 - The CSS must have an existing startup-config before generating SSH keys. This requirement has been modified so that SSH keys can be generated on a CSS that does not have a startup-config.
•CSCef89163 - The CSS may reboot if there are multiple SSL handshake messages in a record.
•CSCef90470 - If you type a large amount of spaces on the command line and then issue an invalid command, the buffer may be overrun and the CSS may reboot.
•CSCef94178 - The CSS does not send back a redirect URL with HTTP code 302 when the server that matches the cookie is down.
•CSCef95904 - Backend SSL fails if the ServerHelloDone handshake message is in a record with multiple messages.
•CSCeg02628 - If you configure double wildcards (for example, "/*.jauction*" or "/mandy/*.jauction*") within the same path on a content rule, the CSS may reboot when you activate and suspend the rule several times.
•CSCeg08059 - The CSS may stop responding when it attempts to generate a core dump. When this occurs, the LED flashes red and the CSS remains unresponsive indefinitely.
•CSCeg08989 - You can configure the same redundant index on two different services if the services are suspended. If you implement the commit redundancy script and activate the first service found in the configuration, the commit redundancy script fails. It fails because the backup CSS does not write the second redundant index on the second service because a service with this index would already be active. This causes the script to fail because the two configurations are not the same size.
•CSCeg09823 - If the disk you use to boot a CSS is different from the primary boot Mass Storage Device (MSD) mapping, or you change the primary boot MSD mapping from the disk that was used to boot using the map command, when you run the upgrade script, the ftp-record puts the new image on the disk used to boot the CSS. When you set the primary boot file in the upgrade script, the file does not exist on the disk to which it is now mapped.
•CSCeg10343 - A generated self-signed SSL certificate would not work when you configured a european date on the CSS.
•CSCeg11933 - The CSS may reboot when you clear a running-config that contains a large amount of redundant VIPs and redundant interfaces on a backup CSS of a VIP redundancy configuration.
•CSCeg15323 - When you configure the CSS for HTTP header insertion and the HTTP request has data appended to the end of it in the first HTTP packet that spans into subsequent packets, the CSS may reboot.
•CSCeg25814 - If a UDP application responds on high numbered ports (for example, in the 40000 range) with packets that start with a certain type of data pattern (for example, 93 13 00 00), the CSS may incorrectly interpret a UDP reply from a service as a traceroute packets. If this occurs, the source group NAT is not applied. The CSS is now more specific in the traceroute checking for UDP packets that use higher port numbers.
•CSCeg29153 - When the CSS is processing a spanned packet and backend remaps to a different server, the initial server then FINs the connection that may cause an ACK loop between the client and the new server.
•CSCeg30876 - The CSS cannot handle active FTP transactions using control connections on TCP port 21 and data connections sourced from a TCP port other than port 20. Note that CSCeg30876 supersedes CSCeg12860.
•CSCeg41862 - If the CSS receives an unexpected ChangeCipherSpec message while the cipher negotiation is in progress, the SSL module may reboot.
•CSCeg46775 - The CSS reboots when you configure crl records that do not contain a complete URL. The URL field of the SSL CRL-RECORD command was not checked for proper syntax. Workaround: Ensure that you use a complete URL that specifies "http://" or "https://" in the string.
Software Version 7.40.1.03 Command Changes
Table 5 lists the commands and options that have been added in software version 7.40.1.03.
Table 5 CLI Commands Added in Version 7.40.1.03
Mode
|
Command and Syntax
|
Description
|
Global
|
ftp non-standard-ports
no ftp non-standard-ports
|
Enables the CSS to handle FTP connections that do not use the standard FTP control port of 21 and data port of 20. By default, this setting is disabled. When disabled, the CSS requires the FTP connection to use the standard FTP ports. The CSS preserves and does not NAT the FTP data port when the FTP data connection is passed through the CSS. When enabled with the ftp non-standards-ports command, the CSS allows the FTP control and FTP data connection to use non-standard ports, not ports 20 or 21. The CSS does not preserve the FTP data port when the FTP data connection is passed through the CSS.
When you use the ftp non-standards-ports command to allow the use of non-standard FTP ports and a content rule is using FTP, you must configure the application ftp-control command on the content rule. To reset the default behavior of requiring the FTP connection to use standard control and data port, use the no form of this command.
For example, enter:
(config)# no ftp non-standard-ports
|
sshd version v1|v2
no sshd version
|
Configures the version of SSH protocol that the CSS supports. By default, CSS supports both the SSH v1 and v2 protocols. The keywords are:
•v1 - Configures the CSS to support SSH v1 protocol only
•v2 - Configures the CSS to support SSH v2 protocol only
To reset the CSS to its default configuration of supporting both the SSH v1 and v2 protocols, enter:
(config)# no sshd version
|
SSL Proxy List
|
backend-server server-num tcp server ack-delay value
backend-server server-num tcp virtual ack-delay value
ssl-server server-num tcp server ack-delay value
ssl-server server-num tcp virtual ack-delay value
|
The new ack-delay option allows you to disable or adjust the SSL TCP timer length for delayed acknowledgements on the client or server connection. The value variable is the timer length in milliseconds (ms) for delayed acknowledgements.
The default value is 200. Enter a value from 0 to 10000. A value of 0 disables the acknowledgement delay in receiving SSL traffic from the client. Disabling the timer improves the performance for sessions using the SSL session cache (Session ID Reuse).
|
Table 6 lists the commands and options that have changed in software version 7.40.1.02.
Table 6 CLI Commands Changed in Version 7.40.1.02
Mode
|
Command and Syntax
|
Description
|
Group
|
vip address ip_or_host {range number}
|
The range for the range number variable changed from
1 to 65353 to 1 to 65535.
|
Software Version 7.40.0.04 Open Caveats, Resolved Caveats, and Command Changes
The following sections contain the open caveats, resolved caveats, and command changes in software version 7.40.0.04:
•Software Version 7.40.0.04 Open Caveats
•Software Version 7.40.0.04 Resolved Caveats
•Software Version 7.40.0.04 Command Changes
Software Version 7.40.0.04 Open Caveats
The following caveats apply to the CSS 11501, CSS 11503 and the CSS 11506:
•CSCdy35383 - The Cisco 11000 series CSS MIBs are not posted on CCO. Workaround: Use an FTP program with a graphical user interface to copy the MIBs from the MIBs directory on your CSS to your management station, then load them into the management station.
•CSCeb29602 - The SNMP v1 version of chasssisMgrExt.mib and apent.mib may not load correctly in some network management systems.
•CSCee34613 - When configuring max connection in a service, the CSS does not switch traffic based on concurrent connections, though it seems to based on connections per second.
•CSCee54803 - The CSS is not learning new ARP entries. A host on the local network is not able to ping the CSS circuit address.
•CSCee55759 - A CSS that is configured using the advanced-balance arrowpoint-cookie command may mishandle multiple GET retransmissions when the retransmissions interval between them is too short.
•CSCee60207 - Using ACLs and source groups to NAT client traffic fails for traffic destined to a SSL content rule that uses a SSL module. The CSS matches the ACL, but does not NAT the client's source IP address. The result is that one-armed topologies do not function properly for specific SSL content rules. The workaround is to configure the source group using the add destination service command instead of using ACLs.
•CSCee73098 - The CSS may have a potential memory leak in the route table when using host routes.
•CSCed80405 - If two content rules using the same VIP have identical names after truncation to 31 characters (including the appended VIP), the CSS may reboot.
•CSCee82580 - The CSS may reboot if you configure the ssl-server handshake timeout command.
•CSCee88220 - When configuring SSL, performance is slower when you use SSL session ID reuse, which occurs when you configure a Layer 5 SSL sticky content rule.
•CSCef17772 - The Ethernet management port may become unresponsive as a result of unusual network traffic. Workaround: If the Ethernet management port becomes unresponsive, use the (config-if[Ethernet-Mgt])# admin-shutdown command to shut down the management port. Then use the (config-if[Ethernet-Mgt])# no admin-shutdown command to restart it.
•CSCef19103 - The GUI may cause the CSS to reboot when you access the Content Rule Summary page or the Content Rule Main Summary page if the content rule is DNS-based and the CSS learns the content rule from a peer whose rule name exceeds 32 characters.
•CSCef19482 - If the CSS sends an ICMP redirect, the packet may contain an ICMP checksum error.
•CSCef19704 - When using the advanced-balance ssl command, the CSS does not NAT the server hello when no SSL session ID is sent.
•CSCef42362 - If you configure SSL initiation and have multiple CA certificates configured, when you remove the first CA signed certificate filename using the no backend-server cacert_name cacert_name command, you will be unable to activate an associated service. Workaround: Remove all cacerts from the ssl-proxy-list, re-add them, and then activate both the ssl-proxy-list and service.
•CSCef49739 - The CLI incorrectly enforces that a content rule VIP range and a source group VIP address range match. If these two ranges do not match, the CSS generates an error message stating that the ranges overlap.
Software Version 7.40.0.04 Resolved Caveats
The following caveats were resolved in software version 7.40.0.04:
•CSCed69094 - Using SSH to connect to the CSS while SSL performance tests are running may cause the Sshd task to suspend.
•CSCee01321 - The CSS incorrectly accepts an internal service name as a valid service in a content rule if you specify a service weight. When this is configured, you cannot remove the service from the content rule or delete the content rule. Rebooting the CSS does not fix this issue.
•CSCee23156 - Forcing content replication using the replicate force command may fail if you move, rename, or delete files on the publisher. This problem typically occurs after an initial synchronization.
•CSCee38740 - When using the script modify command in a scripted keepalive, if the variable to be modified does not exist, the CSS may leak memory.
•CSCee41868 - You will not be able to use SSH to access the CSS after you run the Nessus scan tool on a circuit IP address.
•CSCee44817 - Scripted keepalives may cause the CSS to reboot.
•CSCee45284 - When the CSS receives an HTTP POST request that spans multiple packets, but receives those packets too quickly, the CSS may reset the connection.
•CSCee49236 - The CSS responds incorrectly for a DNS query type of ANY.
•CSCee53027 - The CSS may reboot when it processes the timestamp option in an IP header.
•CSCee56155 - The VIP address range fails to check for VIPs that are already in use on source groups.
•CSCee59808 - Non-persistent keepalives are reusing source ports too quickly for multiple services that using the same destination IP address and port.
•CSCee60837 - Backend SSL fails when a server offers a 16-byte session ID.
•CSCee61578 - Configuring radius-server dead-time 1 causes sockets to leak. An out-of-socket condition causes a keepalive task to crash when the keepalive tries to close a socket that it could not get.
•CSCee70050 - The CSS fails to update reachability information in the route table for the first route entry for a /32 route (host route) that follows an unreachable host entry. An attempt to send traffic to the host described by such an entry may cause the CSS to stop processing traffic indefinitely or cause it to reboot.
•CSCee75060 - The CSS may reboot when processing host routes for redistribution to or from OSPF when a host entry (for which an ARP could be resolved) for the IP address is submitted to the route table.
•CSCee77663 - When the CSS is configured as a zone-based DNS server and you configure an A-record, but the keepalive has failed for all zones in which the name is configured, and a request is made to the CSS for that name, the CSS may reboot.
•CSCee80408 - Using the tacacs-server authorize config or the no tacacs-server authorize config commands cause a memory leak.
•CSCee85140 - The CSS stops responding to requests on port 80.
•CSCee90213 - The CSS logs the following error message when there is no FTP content rule in a configuration: "Can't change type to transparent-cache if attached to an FTP rule".
•CSCee95633 - If a service is configured with type nci-direct-return and is then added to a content rule configured with advanced-balance sticky-srcip, the NCI options are not set up for flows hitting the content rule.
•CSCef02846 - The CSS may reboot when the primary servers are suspended and the sorry server configuration is used.
•CSCef03474 - A lifetick failure on the ISC link may cause the link to become wedged in the down state.
•CSCef06443 - When a PrismBufferDebug error log indicates a buffer double free, a TCP keepalive received packet from the server with PSH, FIN, and ACK bits set results in the packet being processed incorrectly.
•CSCef06995 - When using multiple source groups, a flow may be associated with more than one source group, causing the CSS to reboot.
•CSCef08386 - Configuring a URQL on a content rule that has a 0.0.0.0 VIP address should not be allowed, and causes the CSS to reboot.
•CSCef21844 - A cluster corruption causes the NetTask to suspend.
•CSCef24924 - An HTTP header insert connection fails when a client certificate does not contain a SUBJECT_CN field. The CSS is not properly terminating the HTTP header with `\r\n\r\n'; it improperly terminates the HTTP header with `\r\n'.
•CSCef35480 - The HTTP header insert feature is not inserting hyphens in the header field names for certificate extension fields.
Software Version 7.40.0.04 Command Changes
Table 7 lists the commands and options that have been added in software version 7.40.0.04.
Table 7 CLI Commands Added in Version 7.40.0.04
Mode
|
Command and Syntax
|
Book Title
|
All
|
show flow-state-table
|
Cisco Content Services Switch Content Load-Balancing Configuration Guide
|
show ssl crl-record crl_name
|
Cisco Content Services Switch SSL Configuration Guide
|
show ssl statistics session-cache
show ssl statistics backend-session-cache
|
show sticky-table sip-callid-sticky
|
Cisco Content Services Switch Content Load-Balancing Configuration Guide
|
show system-resources slot
|
Cisco Content Services Switch Administration Guide
|
All (except User)
|
show script {filename {line-numbers}}
|
Cisco Content Services Switch Administration Guide
|
Global
|
flow-state number tcp [flow-enable|flow-disable]
flow-state number udp [flow-enable|flow-disable {nat-enable|nat-disable}]
no flow-state number tcp|udp
|
Cisco Content Services Switch Content Load-Balancing Configuration Guide
|
ip advanced-route-remap
no ip advanced-route-remap
|
Cisco Content Services Switch Routing and Bridging Configuration Guide
|
prelogin-banner "text"
no prelogin-banner
|
Cisco Content Services Switch Administration Guide
|
replication file-error retry|skip
|
Cisco Content Services Switch Content Load-Balancing Configuration Guide
|
snmp trap-host ip_or_host community_name {snmpv2}
|
Cisco Content Services Switch Administration Guide
|
snmp trap-type enterprise isc-state-transition
no snmp trap-type enterprise isc-state-transition
|
ssl crl-record crl_name url sign_cert hours
no ssl crl-record crl_name
|
Cisco Content Services Switch SSL Configuration Guide
|
zero flow-state-counters
|
Cisco Content Services Switch Content Load-Balancing Configuration Guide
|
Global, Group, SuperUser, User
|
show group portmap all|ip_address
|
Cisco Content Services Switch Content Load-Balancing Configuration Guide
|
Group
|
portmap vip-address-range number
no portmap vip-address-range
|
Cisco Content Services Switch Content Load-Balancing Configuration Guide
|
Header-
Field Group
|
header-field name custom {custom_string} operator {header_string {search_length}}
|
Cisco Content Services Switch Content Load-Balancing Configuration Guide
|
Owner-
Content
|
advanced-balance sip-call-id
|
Cisco Content Services Switch Content Load-Balancing Configuration Guide
|
application sip
|
Service
|
type ssl-init
|
Cisco Content Services Switch Content Load-Balancing Configuration Guide
|
SSL-proxy list
|
backend-server number cacert name
no backend-server number cacert
|
Cisco Content Services Switch SSL Configuration Guide
|
| |
backend-server number dhparam name
no backend-server number dhparam
|
| |
backend-server number dsacert name
no backend-server number dsacert
|
| |
backend-server number dsakey name
no backend-server number dsakey
|
| |
backend-server number rsacert name
no backend-server number rsacert
|
| |
backend-server number rsakey name
no backend-server number rsakey
|
| |
backend-server number type {backend-ssl|initiation}
no backend-server number type
|
| |
ssl-server number authentication [enable|disable]
no ssl-server number authentication
|
| |
ssl-server number cacert name
no ssl-server number cacert name
|
| |
ssl-server number crl crl_record_name
no ssl-server number crl crl_record_name
|
| |
ssl-server number failure [ignore|redirect|reject]
|
SSL-proxy list
|
ssl-server number failure-url url
no ssl-server number failure-url
|
Cisco Content Services Switch SSL Configuration Guide
|
ssl-server number http-header [client-cert|server-cert|session
|prefix "text_string"|static "text_string"]
no ssl-server number http-header [client-cert|server-cert|session|prefix|static]
|
Table 8 lists the commands and options that have been changed in software version 7.40.0.04.
Table 8 CLI Commands Changed in Version 7.40.0.04
Mode
|
Command and Syntax
|
Book Title
|
All
|
show log {log_filename {tail lines} {line-numbers}}
This command is now available in all modes. Previously, the command was not available in User mode.
|
Cisco Content Services Switch Administration Guide
|
show log-list
This command is now available in all modes. Previously, the command was not available in User mode.
|
socket connect host ip_address port number [tcp {timeout} {session} {nowait}
Added the nowait option for TCP connections.
|
Global
|
dnsflow disable
This command has been deprecated. If you enter this command, the CSS automatically maps it to the flow-state 53 udp flow-disable nat-enable command.
|
Cisco Content Services Switch Content Load-Balancing Configuration Guide
|
dnsflow enable
This command has been removed. Use the flow-state 53 udp flow-enable command instead.
|
no advanced-balance
Syntax changed from no advance-balance.
|
Obtaining Documentation
Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.
Cisco.com
You can access the most current Cisco documentation at this URL:
http://www.cisco.com/techsupport
You can access the Cisco website at this URL:
http://www.cisco.com
You can access international Cisco websites at this URL:
http://www.cisco.com/public/countries_languages.shtml
Product Documentation DVD
The Product Documentation DVD is a comprehensive library of technical product documentation on a portable medium. The DVD enables you to access multiple versions of installation, configuration, and command guides for Cisco hardware and software products. With the DVD, you have access to the same HTML documentation that is found on the Cisco website without being connected to the Internet. Certain products also have .PDF versions of the documentation available.
The Product Documentation DVD is available as a single unit or as a subscription. Registered Cisco.com users (Cisco direct customers) can order a Product Documentation DVD (product number DOC-DOCDVD= or DOC-DOCDVD=SUB) from Cisco Marketplace at this URL:
http://www.cisco.com/go/marketplace/
Ordering Documentation
Registered Cisco.com users may order Cisco documentation at the Product Documentation Store in the Cisco Marketplace at this URL:
http://www.cisco.com/go/marketplace/
Nonregistered Cisco.com users can order technical documentation from 8:00 a.m. to 5:00 p.m. (0800 to 1700) PDT by calling 1 866 463-3487 in the United States and Canada, or elsewhere by calling 011 408 519-5055. You can also order documentation by e-mail at tech-doc-store-mkpl@external.cisco.com or by fax at 1 408 519-5001 in the United States and Canada, or elsewhere at 011 408 519-5001.
Documentation Feedback
You can rate and provide feedback about Cisco technical documents by completing the online feedback form that appears with the technical documents on Cisco.com.
You can submit comments about Cisco documentation by using the response card (if present) behind the front cover of your document or by writing to the following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.
Cisco Product Security Overview
Cisco provides a free online Security Vulnerability Policy portal at this URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
From this site, you will find information about how to:
•Report security vulnerabilities in Cisco products.
•Obtain assistance with security incidents that involve Cisco products.
•Register to receive security information from Cisco.
A current list of security advisories, security notices, and security responses for Cisco products is available at this URL:
http://www.cisco.com/go/psirt
To see security advisories, security notices, and security responses as they are updated in real time, you can subscribe to the Product Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed. Information about how to subscribe to the PSIRT RSS feed is found at this URL:
http://www.cisco.com/en/US/products/products_psirt_rss_feed.html
Reporting Security Problems in Cisco Products
Cisco is committed to delivering secure products. We test our products internally before we release them, and we strive to correct all vulnerabilities quickly. If you think that you have identified a vulnerability in a Cisco product, contact PSIRT:
•For Emergencies only — security-alert@cisco.com
An emergency is either a condition in which a system is under active attack or a condition for which a severe and urgent security vulnerability should be reported. All other conditions are considered nonemergencies.
•For Nonemergencies — psirt@cisco.com
In an emergency, you can also reach PSIRT by telephone:
•1 877 228-7302
•1 408 525-6532
Tip We encourage you to use Pretty Good Privacy (PGP) or a compatible product (for example, GnuPG) to encrypt any sensitive information that you send to Cisco. PSIRT can work with information that has been encrypted with PGP versions 2.x through 9.x.
Never use a revoked or an expired encryption key. The correct public key to use in your correspondence with PSIRT is the one linked in the Contact Summary section of the Security Vulnerability Policy page at this URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
The link on this page has the current PGP key ID in use.
If you do not have or use PGP, contact PSIRT at the aforementioned e-mail addresses or phone numbers before sending any sensitive material to find other means of encrypting the data.
Obtaining Technical Assistance
Cisco Technical Support provides 24-hour-a-day award-winning technical assistance. The Cisco Technical Support & Documentation website on Cisco.com features extensive online support resources. In addition, if you have a valid Cisco service contract, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not have a valid Cisco service contract, contact your reseller.
Cisco Technical Support & Documentation Website
The Cisco Technical Support & Documentation website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, at this URL:
http://www.cisco.com/techsupport
Access to all tools on the Cisco Technical Support & Documentation website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL:
http://tools.cisco.com/RPF/register/register.do
Note Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting a web or phone request for service. You can access the CPI tool from the Cisco Technical Support & Documentation website by clicking the Tools & Resources link under Documentation & Tools. Choose Cisco Product Identification Tool from the Alphabetical Index drop-down list, or click the Cisco Product Identification Tool link under Alerts & RMAs. The CPI tool offers three search options: by product ID or model name; by tree view; or for certain products, by copying and pasting show command output. Search results show an illustration of your product with the serial number label location highlighted. Locate the serial number label on your product and record the information before placing a service call.
Submitting a Service Request
Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool provides recommended solutions. If your issue is not resolved using the recommended resources, your service request is assigned to a Cisco engineer. The TAC Service Request Tool is located at this URL:
http://www.cisco.com/techsupport/servicerequest
For S1 or S2 service requests, or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
To open a service request by telephone, use one of the following numbers:
Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447
For a complete list of Cisco TAC contacts, go to this URL:
http://www.cisco.com/techsupport/contacts
Definitions of Service Request Severity
To ensure that all service requests are reported in a standard format, Cisco has established severity definitions.
Severity 1 (S1)—An existing network is down, or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.
Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your business operations are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.
Severity 3 (S3)—Operational performance of the network is impaired, while most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.
Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.
Obtaining Additional Publications and Information
Information about Cisco products, technologies, and network solutions is available from various online and printed sources.
•The Cisco Product Quick Reference Guide is a handy, compact reference tool that includes brief product overviews, key features, sample part numbers, and abbreviated technical specifications for many Cisco products that are sold through channel partners. It is updated twice a year and includes the latest Cisco offerings. To order and find out more about the Cisco Product Quick Reference Guide, go to this URL:
http://www.cisco.com/go/guide
•Cisco Marketplace provides a variety of Cisco books, reference guides, documentation, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL:
http://www.cisco.com/go/marketplace/
•Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL:
http://www.ciscopress.com
•Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and networking investments. Each quarter, Packet delivers coverage of the latest industry trends, technology breakthroughs, and Cisco products and solutions, as well as network deployment and troubleshooting tips, configuration examples, customer case studies, certification and training information, and links to scores of in-depth online resources. You can access Packet magazine at this URL:
http://www.cisco.com/packet
•iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies learn how they can use technology to increase revenue, streamline their business, and expand services. The publication identifies the challenges facing these companies and the technologies to help solve them, using real-world case studies and business strategies to help readers make sound technology investment decisions. You can access iQ Magazine at this URL:
http://www.cisco.com/go/iqmagazine
or view the digital edition at this URL:
http://ciscoiq.texterity.com/ciscoiq/sample/
•Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:
http://www.cisco.com/ipj
•Networking products offered by Cisco Systems, as well as customer support services, can be obtained at this URL:
http://www.cisco.com/en/US/products/index.html
•Networking Professionals Connection is an interactive website for networking professionals to share questions, suggestions, and information about networking products and technologies with Cisco experts and other networking professionals. Join a discussion at this URL:
http://www.cisco.com/discuss/networking
•World-class networking training is available from Cisco. You can view current offerings at this URL:
http://www.cisco.com/en/US/learning/index.html
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2006 Cisco Systems, Inc. All rights reserved.
