Release Notes for Catalyst 6500 Series
Content Switching Module with SSL Software Release 2.2(x)
Current Release: 2.2(6)—January 27, 2012
Previous releases: 2.2(5), 2.2(4), 2.2(3), 2.2(2), 2.2(1)

This publication describes the features, modifications, and caveats for the Catalyst 6500 Series Content Switching Module with SSL (CSM-S) software release 2.2(x) operating on a Catalyst 6500 series switch.
Note
Except where specifically differentiated, the term "Catalyst 6500 series switches" includes both Catalyst 6500 series and Catalyst 6000 series switches.
Contents
• Open and Resolved Caveats in Software Release 2.2(6)
• Open and Resolved Caveats in Software Release 2.2(5)
• Open and Resolved Caveats in Software Release 2.2(4)
• Open and Resolved Caveats in Software Release 2.2(3)
• Open and Resolved Caveats in Software Release 2.2(2)
• Open and Resolved Caveats in Software Release 2.2(1)
• Obtaining Documentation and Submitting a Service Request
System Requirements
This section describes the system requirements for the Catalyst 6500 series CSM-S software release 2.2(6).
Memory Requirements
The minimum recommended memory for a chassis with a CSM-S is a Supervisor Engine with 256 MB of DRAM and an MSFC2 with 256 MB of DRAM. For specific requirements, consult the Cisco Feature Navigator (http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp).
Hardware Supported
Before you can use the Catalyst 6500 series CSM-S, you must have a Supervisor Engine 2 with an MSFC2 or a Supervisor Engine 720 and any module that has ports to connect server and client networks.
Caution
The WS-X6066-SLB-S-K9 CSM-S is not fabric enabled, but the module can operate in a fabric-enabled chassis like any other nonfabric module.
Product Number                                Minimum Cisco IOS Software (1)   Recommended Cisco IOS Software (2)   Recommended Catalyst Operating System Software
Content Switching Module (WS-X6066-SLB-S-K9)
  Supervisor Engine 2 with MSFC2              12.2(18)SXD                      12.2(18)SXF15                        Not applicable
  Supervisor Engine 720 with MSFC3            12.2(18)SXE                      12.2(18)SXF15                        Not applicable
  Supervisor Engine 720-10G                   12.2(33)SXI2                     12.2(33)SXI2                         Not applicable
Console Cable (72-876-01)                     Not applicable                   Not applicable
Accessory Kit (800-05097-01)                  Not applicable                   Not applicable
1 The minimum software release required to support the CSM-S hardware with a given Supervisor Engine to perform basic CSM-S configuration.
2 The base software release required to support new commands for a given CSM-S release.
Software Requirements
Note
Support for the CSM-S is removed in Cisco IOS Software Release 12.2(33)SXH and later releases up to Release 12.2(33)SXI; it is restored in Release 12.2(33)SXI2.
Note
The CSM-S is not supported by the Catalyst operating system software.
Table 1 lists the software releases for the CSM-S.
Software Compatibility
The minimum version that is listed is required to support the CSM-S hardware with a given supervisor engine to perform basic CSM-S configuration.
The recommended version is the base version to support new commands for a given CSM-S release.
Note
Support for the CSM-S is removed in Cisco IOS Software Release 12.2(33)SXH and later releases up to Release 12.2(33)SXI. The support for the CSM-S is reenabled in Cisco IOS Software Release 12.2(33)SXI2.
Table 2 lists the CSM-S software release compatibility.
Software Release 2.2(6)
The CSM-S software release 2.2(6) is a combination of the following software releases:
• CSM software release 4.3(6)
• SSL software release 2.1(13s)
Software Release 2.2(5)
The CSM-S software release 2.2(5) is a combination of the following software releases:
• CSM software release 4.3(5)
• SSL software release 2.1(13s)
Software Release 2.2(4)
The CSM-S software release 2.2(4) is a combination of the following software releases:
• CSM software release 4.3(4)
• SSL software release 2.1(13s)
Software Release 2.2(3)
The CSM-S software release 2.2(3) is a combination of the following software releases:
• CSM software release 4.3(3)
• SSL software release 2.1(13s)
Software Release 2.2(2)
The CSM-S software release 2.2(2) is a combination of the following software releases:
• CSM software release 4.3(2)
• SSL software release 2.1(12s)
Software Release 2.2(1)
The CSM-S software release 2.2(1) is a combination of the following software releases:
• CSM software release 4.3(1)
• SSL software release 2.1(9)
Software Release 2.2(x) Features
CSM-S software release 2.2(x) contains feature sets that support SSL and functionality from earlier CSM releases. The tables in this section list supported feature sets.
Table 3 and Table 4 list the CSM features available in this release and in earlier CSM-S software releases.
Table 4 lists the CSM-S features in this release.
1 NAT = Network Address Translation
2 PAT = Port Address Translation
New Features
Table 5 lists the features that have been added in CSM-S software release 2.2(x). For detailed information about using the new features, see the "New and Changed Information" section.
New and Changed Information
• New predictor type staticload feature.
Supplementing the existing predictor types for server load balancing (such as round-robin, least connections, or address hashing), a new predictor type staticload has been added. When the configured predictor type is staticload, load balancing across the real servers of the server farm is based on a load value statically configured by the user.
The selection of the predictor type is made in the server farm configuration submode, as shown in this example:
Router(config-slb-sfarm)# predictor staticload
You can specify the static load for each real server in the real server configuration submode, as shown in this example:
Router(config-slb-real)# staticload real_server_load
The range for the real_server_load argument is from 2 to 254. The default value of 2 indicates the least load, while a value of 254 indicates the maximum load.
As an alternative to the CLI, the XML configuration feature can be used to configure the predictor type and the load value of the real servers.
• Enhanced show module csm slot vserver detail command.
Displayed information from the show module csm slot vserver detail command now includes the virtual server's current load value and the number of virtual server transitions. When the staticload predictor has been selected, the current load is the average of the configured static loads for the server farm. (If the staticload predictor is not selected, the current load shows the dynamic load of the virtual IP address.) The transition count indicates the number of times a load of 255 has been reported to the Global Site Selector (GSS).
The following is an example of the show module csm slot vserver detail command output:
Router# show module csm slot vserver detail
<vserver_name>, type = SLB, state = OPERATIONAL, v_index = 52
  virtual = <vserver_ip/mask>:<port> bidir, TCP, service = NONE, advertise = FALSE
  idle = 3600, replicate csrp = sticky/connection, vlan = ALL, pending = 30, layer 7
  max parse len = 4000, persist rebalance = TRUE
  ssl sticky offset = 0, length = 32
  conns = <current_connections>, total conns = <total_connections>
  current load = <avg.config.load>, transition count = <trans.count>
  Default policy:
    server farm = serverfarm_name, backup = <not assigned>
    sticky: timer = 0, subnet = 0.0.0.0, group id = 0
  Policy          Tot matches   Client pkts   Server pkts
  -----------------------------------------------------
  (default)       0             0             0
• New environment variable RHI_ADMIN_DISTANCE.
When the CSM-S advertises its route through route health injection (RHI), it reports the administrative distance as 0. The new environment variable RHI_ADMIN_DISTANCE allows you to change the reported distance value. The default is 0; the range is 0 to 255.
Note
The current IOS software on the MSFC does not update its route table with the distance value reported by the CSM-S. To force an update to the route table, bring the virtual server OUTOFSERVICE, then back to OPERATIONAL.
• New environment variable PARSE_REVERSE_RESET.
When both sticky and persistent rebalance are configured, the CSM-S enables the PARSE_REVERSE_TRAFFIC flag for the session descriptor so that it inspects all server replies. In rare cases, the PARSE_REVERSE_TRAFFIC flag is not cleared after parsing, and subsequent packets from the client are dropped as invalid packets. When the environment variable PARSE_REVERSE_RESET is set to 1 (enabled), the PARSE_REVERSE_TRAFFIC flag is reset on the next received packet. The default is 0.
• New environment variable REBALANCE_SAME_RULE.
On a persistent rebalance request, the CSM-S rebalances only if a new policy is matched. When the environment variable REBALANCE_SAME_RULE is set to 1 (enabled), the CSM-S forces a rebalance regardless of which policy is matched. The default is 0 (rebalance only on a new policy).
• New environment variable ARP_VALIDATE_SOURCE_SUBNET.
When ARP_VALIDATE_SOURCE_SUBNET is set to 1 (enabled), the CSM-S validates the source subnet of received ARP frames. An ARP frame from an incorrect source subnet is not processed but remains eligible for repeating. The default is 1 (enabled). This variable was introduced in software release 4.2(7).
Limitations and Restrictions
• A CSM-S will not respond to pings to the virtual server when it is configured with service termination. The virtual server is operational and is passing TCP flows to the real servers, which are also operational. This example shows the configuration:
vserver test
 virtual a.b.c.d tcp 0 service termination
 serverfarm servers1
 persistent rebalance
 domain shrun
 inservice
If you need to ping the virtual server, do not configure service termination on the virtual server.
• Do not use the ping command in a TCL script for a destination that is one or more hops away.
The TCL ping() command uses an underlying ping function provided by VxWorks. The VxWorks ping contains a bug that causes the ping function not to return an error when it receives an ICMP error message (for example, host unreachable). The function remains in a wait loop until it receives a valid response.
If the destination host is in the same subnet (Layer 2 adjacent) as the CSM-S-configured VLAN, the ICMP request either receives a valid response or times out. In this case, the ping() function does not hang.
The problem occurs when the destination IP address is one or more hops away. The router between the CSM-S and the destination host could respond with a "destination unreachable" message to the CSM-S if the router determines that the subnet for this IP address is unknown.
• The CSM-S may block or drop all UDP data channels of an RTSP service if client NAT is also enabled. This situation can occur when you configure a virtual server that the CSM-S uses to parse the RTSP service and, on the same virtual server, configure client NAT on the server farm. In this situation, we recommend that you either remove the NAT client configuration from the server farm or remove the service RTSP from the virtual server.
• If your configuration contains a pair of CSM-S modules in a single fault-tolerant group, and these paired modules are in an active-standby state, the modules might not retain the valid active-standby state if you add another CSM-S into this same fault-tolerant group. This action causes the fault-tolerant pair of modules to enter an invalid active-active state. In this case, remove the third CSM-S from the network and reboot the paired modules to allow them to recover their fault-tolerant state.
• Configure a client NAT pool with the server farm IP address instead of using the static nat command. The static nat command is normally used for server-initiated connections. Since software release 3.2(1), you can configure the NAT client static into a server farm to take advantage of the static NAT feature for traffic matching a virtual server. If you configure the NAT client static into a server farm for FTP or RTSP services, this traffic will not be able to pass through the CSM-S.
• On systems that use Cisco IOS software and Catalyst operating system software, when you configure the Catalyst 6500 series switch to trust the DSCP priority bits of the incoming traffic, the CSM-S might reset the DSCP value to zero (0) if these frames are being forwarded by the CSM-S.
• When you ping a real server that is reached through a virtual server configured with predictor forward, the ping might fail after the probe to the real server fails. This probe is configured in another server farm with failaction reassign. This example shows the configuration:
serverfarm <NAME>
 nat server
 no nat client
 predictor leastconns
 failaction reassign
 real name SERVER-A
  backup real name SERVER-B
  inservice
 real name SERVER-B
  backup real name SERVER-A
  inservice
 probe <NAME>
If failaction reassign is not required (for example, when the servers do not share connection state and cannot accept connections opened on the other server), remove failaction or use failaction purge instead.
• Internal ports on the CSM-S (dot1q, trunk, port-channel, and so on) are automatically configured, with the exception of the VLANs on the trunk, which must be manually added using the set trunk slot 1 vlan-list command in the Catalyst operating system.
• When configuring Route Health Injection (RHI), proxy ARP must be disabled on the Catalyst 6500 series chassis (proxy ARP is enabled by default). You must disable proxy ARP on a per-interface basis in the interface submode. We recommend that you disable proxy ARP at the VLAN level using the no ip proxy-arp command.
• Slot 1 is reserved for the supervisor engine. Slot 2 can contain an additional redundant supervisor engine in case the supervisor engine in slot 1 fails. If a redundant supervisor engine is not required, you can insert the CSM-S in slots 2 through 6 on a 6-slot chassis, slots 2 through 9 on a 9-slot chassis, or slots 2 through 13 on a 13-slot chassis.
• There is no support for client NAT of IP protocols other than TCP or UDP.
• If neither a real server nor a corresponding virtual server has an explicitly configured TCP/UDP port, then probes requiring such a port are not activated. All CSM-S health probes other than ICMP periodically create connections to specific TCP or UDP ports on configured real servers. If a health probe is configured on a real server without a configured TCP or UDP port, the CSM-S chooses the TCP or UDP port to probe from the virtual servers with which the real server is associated. If neither the real server nor the virtual server has a configured port, the CSM-S silently ignores any configured probes requiring ports to that real server, so that real server is not health-checked by those probes.
• When configuring two CSM-S modules for fault tolerance, we recommend that you configure a dedicated link for the fault-tolerant VLAN.
Note
Configuring stateful redundancy with CSM-S modules in separate chassis requires a gigabit link between the CSM-S modules.
Note
CSM-S configuration synchronization is supported if the system uses Cisco IOS software in the supervisor engine. It is not supported if the system uses Catalyst operating system software in the supervisor engine.
• The show mod csm slot tech all command may display IXP3 utilization above 100 percent when the cookie insert feature and other Layer 7 policies are active and CSM-S traffic suddenly stops and restarts. In response to this traffic fluctuation, the IXP3 clears and then reestablishes its tables. This activity overloads the IXP3, which results in the loss of some redundancy and slow path messages. The IXP3 recovers after the traffic level stabilizes. (CSCse91983)
• In an active-standby connection state replication setup, the connection counters on the standby CSM-S are not the same as the counters on the active CSM-S. The active CSM-S correctly shows that the connections were load balanced to various servers within a server farm. On the standby CSM-S, all replicated connections are assigned to a single real server within the server farm, so the number of connections shown on the standby CSM-S might differ from the number seen on the active CSM-S. This is a minor issue and does not affect the service. (CSCei73146, CSCee75333)
• Fragmented Layer 2 Tunneling Protocol (L2TP) tunneled packets are discarded by the CSM-S, and the Packets Repeat Reverse Fragmentation counter in the CSM-S increments quickly. This problem occurs when packets arrive out of order (the MF packets arrive last) and are separated in time by about 10 milliseconds. To avoid this issue, design the network so that all fragments follow the same path, forcing them to arrive in order and closer together. You can also configure a static route in the CSM-S so that the module knows where to send reassembled fragments that arrived in reverse order. (CSCeg15173)
• The total conns established counter applies only to an active CSM-S. The standby CSM-S might display the total established connections when there is a fault-tolerance switchover, but the total conns established counter remains unchanged. (CSCtn16345)
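The probe port rule in the list above (a non-ICMP probe needs a TCP or UDP port, taken from the real server if it has one, otherwise from the virtual servers in front of its server farm, otherwise the probe is ignored) is easy to get wrong in a large configuration, and the failure is silent: the real server is simply never health-checked and keeps receiving traffic. The following Python script is an added example, not Cisco code or output. It parses a constructed, simplified subset of CSM CLI syntax (serverfarm / real name / probe / vserver / virtual) and reports which probes will be active and which real servers end up unmonitored. The sample configuration, the parser and the syntax it tolerates are assumptions of the example, as is treating a virtual server port of 0 ("any port") as providing no probe port.

```python
"""Audit CSM-S health-probe activation under the port-selection rule from the
Limitations list. Added example, not Cisco code; the CLI subset it parses and
the sample configuration are constructed for illustration."""
import re
from collections import defaultdict

# Constructed sample configuration (not taken from a real CSM-S).
SAMPLE_CONFIG = """\
probe ICMP-PING icmp
probe HTTP-CHECK http
probe TCP-CHECK tcp
serverfarm WEB
 real name WEB-A
  inservice
 real name WEB-B 8080
  inservice
 probe HTTP-CHECK
 probe ICMP-PING
serverfarm DB
 real name DB-A
  inservice
 probe TCP-CHECK
vserver WEB-VIP
 virtual 10.1.1.10 tcp 80
 serverfarm WEB
 inservice
vserver DB-ANY
 virtual 10.1.1.20 tcp 0
 serverfarm DB
 inservice
"""


def parse_config(text):
    """Return (probe_types, farms, vserver_ports).

    probe_types:   {probe name: "icmp" | "http" | "tcp" | ...}
    farms:         {farm: {"reals": {real: port or None}, "probes": [names]}}
    vserver_ports: {farm: set of explicit TCP/UDP ports of vservers using it}
    """
    probe_types, farms = {}, {}
    vserver_ports = defaultdict(set)
    farm, vs_port = None, None
    for line in text.splitlines():
        top_level = not line.startswith(" ")
        s = line.strip()
        if top_level and (m := re.match(r"probe (\S+) (\S+)$", s)):
            probe_types[m.group(1)] = m.group(2)
        elif top_level and s.startswith("serverfarm "):
            farm = s.split()[1]
            farms[farm] = {"reals": {}, "probes": []}
        elif top_level and s.startswith("vserver "):
            farm, vs_port = None, None
        elif farm and (m := re.match(r"real name (\S+)(?: (\d+))?$", s)):
            farms[farm]["reals"][m.group(1)] = int(m.group(2)) if m.group(2) else None
        elif farm and s.startswith("probe "):
            farms[farm]["probes"].append(s.split()[1])
        elif m := re.match(r"virtual \S+ (?:tcp|udp) (\d+)", s):
            vs_port = int(m.group(1))
        elif not top_level and s.startswith("serverfarm "):
            # vserver -> serverfarm binding; port 0 means "any port", which
            # gives a port-based probe nothing to connect to (assumption)
            if vs_port:
                vserver_ports[s.split()[1]].add(vs_port)
    return probe_types, farms, vserver_ports


def resolve_probe_ports(real_port, farm_vserver_ports):
    """Apply the CSM-S rule: the real server's own port wins; otherwise the
    ports of the virtual servers in front of its farm are the candidates;
    otherwise there is nothing to probe (None)."""
    if real_port:
        return (real_port,)
    return tuple(sorted(farm_vserver_ports)) or None


def audit_probes(text):
    """Return [(farm, real, probe, ports)] for every real/probe pairing.

    ports is "icmp" for ICMP probes (no port needed), a tuple of candidate
    ports, or None when the probe requires a port and none can be derived:
    the CSM-S then ignores that probe for that real server."""
    probe_types, farms, vserver_ports = parse_config(text)
    rows = []
    for farm, data in farms.items():
        for real, real_port in data["reals"].items():
            for probe in data["probes"]:
                if probe_types.get(probe) == "icmp":
                    ports = "icmp"
                else:
                    ports = resolve_probe_ports(real_port, vserver_ports.get(farm, set()))
                rows.append((farm, real, probe, ports))
    return rows


def unmonitored_reals(text):
    """Real servers that end up with no active probe at all."""
    active = defaultdict(bool)
    for farm, real, _probe, ports in audit_probes(text):
        active[(farm, real)] |= ports is not None
    return sorted(key for key, ok in active.items() if not ok)


if __name__ == "__main__":
    for farm, real, probe, ports in audit_probes(SAMPLE_CONFIG):
        status = "ACTIVE" if ports is not None else "IGNORED (no port)"
        print(f"{farm:<4} {real:<6} {probe:<11} {status} {ports or ''}")
    print("unmonitored:", unmonitored_reals(SAMPLE_CONFIG))
```

In the sample, WEB-A is probed on port 80 borrowed from WEB-VIP, WEB-B on its own port 8080, and DB-A is never probed at all because its only probe is TCP-based and the vserver in front of it listens on "any port"; the script reports DB-A as unmonitored, which is exactly the case the limitation warns about.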
Open and Resolved Caveats in Software Release 2.2(6)
These sections describe the open and resolved caveats in CSM-S software release 2.2(6):
• Open Caveats in Software Release 2.2(6) for CSM
• Resolved Caveats in Software Release 2.2(6) for CSM
• Open Caveats in Software Release 2.2(6) for SSL
• Resolved Caveats in Software Release 2.2(6) for SSL
Open Caveats in Software Release 2.2(6) for CSM
Note
For a description of CSM caveats resolved in CSM-S software release 2.2(6), see the "Resolved Caveats in Software Release 2.2(6) for CSM" section.
This section describes the open CSM caveats in CSM-S software release 2.2(6):
There are no open caveats in CSM software release 4.3(6).
Resolved Caveats in Software Release 2.2(6) for CSM
Note
For a description of open caveats in CSM software release 2.2(6), see the "Open Caveats in Software Release 2.2(6) for CSM" section.
This section describes resolved caveats in CSM software release 4.3(6):
• CSCtg41899
If a new regular expression domain match is added to the GSLB configuration, the CSM does not match specific regular expression domains, and a wrong A-record response is returned that does not match the correct policy map.
Workaround: None.
• CSCtn86332
If a server farm that goes down or comes up is configured on multiple VIPs, the VIP state change syslog is sent for only one VIP and not for all of them.
Workaround: None.
• CSCtj90108
With static NAT configured, server-initiated connections may fail at a higher traffic rate.
Workaround: Disable static NAT.
• CSCtk63031
FTP connections do not time out and prevent new connections.
Workaround: Clear all connections associated with the server. Downgrade your CSM to any CSM release below 4.2(14). Clear all slowpath connections using slowpath_reap_sessions in VENUS.
• CSCts71706
Sticky replication does not work on CSM 4.2(14).
Workaround: None.
Open Caveats in Software Release 2.2(6) for SSL
Note
For a description of SSL caveats resolved in CSM-S software release 2.2(6), see the "Resolved Caveats in Software Release 2.2(6) for SSL" section.
This section describes the open SSL caveats in CSM-S software release 2.2(6):
There are no open caveats for SSL.
Resolved Caveats in Software Release 2.2(6) for SSL
Note
For a description of open SSL caveats in CSM-S software release 2.2(6), see the "Open Caveats in Software Release 2.2(6) for SSL" section.
This section describes the SSL caveats resolved in CSM-S software release 2.2(6):
There are no resolved caveats for SSL.
Open and Resolved Caveats in Software Release 2.2(5)
These sections describe the open and resolved caveats in CSM-S software release 2.2(5):
• Open Caveats in Software Release 2.2(5) for CSM
• Resolved Caveats in Software Release 2.2(5) for CSM
• Open Caveats in Software Release 2.2(5) for SSL
• Resolved Caveats in Software Release 2.2(5) for SSL
Open Caveats in Software Release 2.2(5) for CSM
Note
For a description of CSM caveats resolved in CSM-S software release 2.2(5), see the "Resolved Caveats in Software Release 2.2(5) for CSM" section.
This section describes the open CSM caveats in CSM-S software release 2.2(5):
There are no open caveats in CSM software release 4.3(5).
Resolved Caveats in Software Release 2.2(5) for CSM
Note
For a description of open caveats in CSM software release 2.2(5), see the "Open Caveats in Software Release 2.2(5) for CSM" section.
This section describes resolved caveats in CSM software release 4.3(5):
• CSCsh20330
An issue can occur with two operational vservers, VS1 and VS2, when vserver VS2 is tracking the primary vserver VS1. If vserver VS1 goes into OUTOFSERVICE mode because of probe or real server failures, vserver VS2 also goes into OUTOFSERVICE mode as expected. However, within a few seconds vserver VS2 comes back into OPERATIONAL mode, even though the primary vserver VS1 is still in OUTOFSERVICE mode.
Workaround: None.
• CSCte28717
The source-ip sticky may stop working after an extended uptime of approximately 470 days or more. The CSM will not create a new sticky entry.
Workaround: None.
• CSCte39053
The default expiration date of the cookies inserted by the CSM is Thursday, 1 Jan 2099, 01:01:50 GMT. After this time, the cookie-insert sticky will not work as expected.
Workaround: The default cookie expiration date can be changed by setting the COOKIE_INSERT_EXPIRATION_DATE environment variable on the CSM. For example, you can move the expiration date to May 25, 2020, by using the following commands:
Router# config t
Router(config)# mod csm 8
Router(config-module-csm)# variable COOKIE_INSERT_EXPIRATION_DATE "Mon, 25 May 2020 08:00:00 GMT"
Replace the slot number (8 in this example) with the slot of your CSM. The new expiration date appears in the inserted cookies immediately, because this change does not require a reboot of the CSM, and it does not affect the network traffic.
• CSCtg56193
When the uptime of the CSM is more than 828 days, FTP or RTSP Layer 7 connections do not time out.
Workaround: None.
• CSCth52331
When a standby CSM reaches an uptime of 828 days, the standby CSM can assert mastership for a very short period (around 2 seconds), which creates an active/active situation.
Workaround: None.
• CSCtg45008
A new variable, L7_TX_CORE_QUEUE_TIMEOUT, is added to address CSCsh53633, in which a CSM running release 4.2(6) might reboot because of an IXP3 crash of type "L7 abort."
Variable Name: L7_TX_CORE_QUEUE_TIMEOUT
Rights: RW
Value: 1
Default: 1
Valid values: Integer (1 to 10)
Description: Time (in seconds) to wait for the Layer 7 TX Core queue to come out of the full state before asserting a core.
Workaround: None.
Open Caveats in Software Release 2.2(5) for SSL
Note
For a description of SSL caveats resolved in CSM-S software release 2.2(5), see the "Resolved Caveats in Software Release 2.2(5) for SSL" section.
This section describes the open SSL caveats in CSM-S software release 2.2(5):
There are no open caveats for SSL.
Resolved Caveats in Software Release 2.2(5) for SSL
Note
For a description of open SSL caveats in CSM-S software release 2.2(5), see the "Open Caveats in Software Release 2.2(5) for SSL" section.
This section describes the SSL caveats resolved in CSM-S software release 2.2(5):
There are no resolved caveats for SSL.
Open and Resolved Caveats in Software Release 2.2(4)
These sections describe the open and resolved caveats in CSM-S software release 2.2(4):
• Open Caveats in Software Release 2.2(4) for CSM
• Resolved Caveats in Software Release 2.2(4) for CSM
• Open Caveats in Software Release 2.2(4) for SSL
• Resolved Caveats in Software Release 2.2(4) for SSL
Open Caveats in Software Release 2.2(4) for CSM
Note
For a description of CSM caveats resolved in CSM-S software release 2.2(4), see the "Resolved Caveats in Software Release 2.2(4) for CSM" section.
This section describes the open CSM caveats in CSM-S software release 2.2(4):
• CSCte28717
The source-ip sticky may stop working after an extended uptime of approximately 470 days or more. The CSM will not create a new sticky entry.
Workaround: Reboot the CSM.
Resolved Caveats in Software Release 2.2(4) for CSM
Note
For a description of open caveats in CSM software release 2.2(4), see the "Open Caveats in Software Release 2.2(4) for CSM" section.
This section describes resolved caveats in CSM software release 4.3(4):
• CSCtd31622
The default expiration date of the cookies inserted by the CSM is Friday, 1 Jan 2010, 01:01:50 GMT. After this time, the cookie-insert sticky will not work as expected.
Workaround: The default cookie expiration date can be changed by setting the COOKIE_INSERT_EXPIRATION_DATE environment variable on the CSM. For example, you can move the expiration date to May 25, 2020, by using the following commands:
Router# config t
Router(config)# mod csm 8
Router(config-module-csm)# variable COOKIE_INSERT_EXPIRATION_DATE "Mon, 25 May 2020 08:00:00 GMT"
Replace the slot number (8 in this example) with the slot of your CSM. The new expiration date appears in the inserted cookies immediately, because this change does not require a reboot of the CSM, and it does not affect production traffic.
• CSCtc25780
In rare cases, when CSM fault-tolerant (FT) synchronization is performed with the hw-module csm mod standby config-sync command and the FT VLAN is intermittently down, the standby CSM may send an ARP packet toward the Layer 2 adjacent nodes using its physical MAC address instead of its virtual MAC address. Neighboring nodes then learn the physical MAC address, which causes an outage until their ARP caches are either cleared or time out.
Workaround: To prevent rapid failover to the standby CSM node, increase the failover timer to 120 seconds on both CSM nodes (active and standby).
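The two cookie-expiration caveats above (CSCte39053 in 2.2(5) and CSCtd31622 in 2.2(4)) share one failure mode: the string in COOKIE_INSERT_EXPIRATION_DATE goes into the inserted cookie's expires attribute, and once that date is in the past, or the string is not a date a browser can parse, browsers discard the cookie and cookie-insert stickiness silently stops. The following Python checker is an added example, not Cisco code: it validates a candidate value, including whether the weekday it names matches the calendar date, before you commit it with the variable command. Accepting only the HTTP cookie date form with an abbreviated or full weekday name, and using the 2.2(6) release date as the reference "now", are assumptions of the example.

```python
"""Validate a COOKIE_INSERT_EXPIRATION_DATE value before setting it on the CSM.
Added example, not Cisco code. Assumes the value must be an HTTP cookie date
("Wdy, DD Mon YYYY HH:MM:SS GMT", with either the RFC 1123 abbreviated weekday
or the full weekday name used in the caveat text); "now" is passed in so that
results are reproducible."""
from datetime import datetime, timezone

# Release date of CSM-S 2.2(6) from this document, used as the reference "now".
RELEASE_2_2_6 = datetime(2012, 1, 27, tzinfo=timezone.utc)

# Abbreviated ("Mon") and full ("Thursday") weekday spellings both occur above.
_FORMATS = ("%a, %d %b %Y %H:%M:%S GMT", "%A, %d %b %Y %H:%M:%S GMT")


def parse_cookie_expiry(value):
    """Parse an expires= date and return an aware UTC datetime.

    strptime accepts any weekday name for a given date without checking it,
    so the weekday is recomputed and compared: a mismatch is treated as
    invalid, since a browser may reject or misparse the attribute.
    Raises ValueError on any problem."""
    for fmt in _FORMATS:
        try:
            parsed = datetime.strptime(value, fmt)
        except ValueError:
            continue
        weekday_directive = fmt.split(",")[0]          # "%a" or "%A"
        expected = parsed.strftime(weekday_directive)
        if not value.startswith(expected + ","):
            raise ValueError(f"{value!r}: weekday should be {expected}")
        return parsed.replace(tzinfo=timezone.utc)
    raise ValueError(f"{value!r} is not an HTTP cookie date")


def check_cookie_expiry(value, now=None):
    """Classify a candidate value: 'ok', 'expired' (browsers drop a cookie
    whose expires= is in the past, which silently breaks cookie-insert
    sticky) or 'invalid' (unparseable or wrong weekday)."""
    now = now or datetime.now(timezone.utc)
    try:
        expires = parse_cookie_expiry(value)
    except ValueError:
        return "invalid"
    return "ok" if expires > now else "expired"


if __name__ == "__main__":
    for candidate in ("Fri, 1 Jan 2010 01:01:50 GMT",        # CSCtd31622 default
                      "Thursday, 1 Jan 2099 01:01:50 GMT",   # CSCte39053 default
                      "Mon, 25 May 2020 08:00:00 GMT",       # workaround value
                      "Tue, 25 May 2020 08:00:00 GMT"):      # wrong weekday
        print(f"{candidate:<36} -> {check_cookie_expiry(candidate, RELEASE_2_2_6)}")
```

Run against the 2.2(6) release date, the 2010 default is reported as expired (the cookie is dead on arrival), the 2099 default and the documented workaround value pass, and a value with the wrong weekday is rejected. Because the CSM applies a new value without a reboot, a bad string takes effect on live traffic immediately, which is why checking it first is worth the few seconds.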
Open Caveats in Software Release 2.2(4) for SSL
Note
For a description of SSL caveats resolved in CSM-S software release 2.2(4), see the "Resolved Caveats in Software Release 2.2(4) for SSL" section.
This section describes the open SSL caveats in CSM-S software release 2.2(4):
There are no open caveats for SSL.
Resolved Caveats in Software Release 2.2(4) for SSL
Note
For a description of open SSL caveats in CSM-S software release 2.2(4), see the "Open Caveats in Software Release 2.2(4) for SSL" section.
This section describes the SSL caveats resolved in CSM-S software release 2.2(4):
There are no resolved caveats for SSL.
Open and Resolved Caveats in Software Release 2.2(3)
These sections describe the open and resolved caveats in CSM-S software release 2.2(3):
• Open Caveats in Software Release 2.2(3) for CSM
• Resolved Caveats in Software Release 2.2(3) for CSM
• Open Caveats in Software Release 2.2(3) for SSL
• Resolved Caveats in Software Release 2.2(3) for SSL
Open Caveats in Software Release 2.2(3) for CSM
Note
For a description of CSM caveats resolved in CSM-S software release 2.2(3), see the "Resolved Caveats in Software Release 2.2(3) for CSM" section.
This section describes open CSM caveats in CSM-S software release 2.2(3):
• CSCsz25520
In rare cases, the CSM-S may propagate invalid MAC addresses into the MAC address table for the management VLAN 1 across the CSM-S port channel Po259 toward the backplane.
The following output shows invalid MAC addresses learned on VLAN 1 across the CSM-S port channel Po259:
Console> enable
show mac-address-table | inc 259
*    1  4000.6806.14d9   dynamic  Yes  205   Po259
*    1  4000.6c06.1eb1   dynamic  Yes   90   Po259
*    1  4000.3806.4227   dynamic  Yes   50   Po259
*    1  4000.2e06.47c0   dynamic  Yes  150   Po259
*    1  4000.6c06.916b   dynamic  Yes  255   Po259
*    1  4000.6b06.fe6b   dynamic  Yes  240   Po259
*    1  4000.3406.a2ce   dynamic  Yes  175   Po259
*    1  0000.3206.79e0   dynamic  Yes   15   Po259
*    1  0000.3206.8c3a   dynamic  Yes  135   Po259
*    1  4000.6806.13b8   dynamic  Yes   55   Po259
*    1  0000.3206.69d4   dynamic  Yes   10   Po259
Note
Only the last 4 bytes of the MAC address change, and all of the entries point to VLAN 1 on the CSM-S port channel.
Workaround: None.
• CSCsx64648
On a CSM-S module, the configuration synchronization times out with a large configuration. For example, a configuration synchronization that succeeds with a 16 K configuration fails with a 23 K configuration.
Workaround: None.
Resolved Caveats in Software Release 2.2(3) for CSM
Note
For a description of open CSM caveats in CSM-S software release 2.2(3), see the "Open Caveats in Software Release 2.2(3) for CSM" section.
This section describes the CSM caveats resolved in CSM-S software release 2.2(3) (CSM software release 4.3(3)):
•
CSCsm33035
When the CSM-S starts to load balance using the default policy, and then a GET request matches a URL under a subpolicy, the CSM-S forwards traffic to the real server without modifying the TCP acknowledgement number.
Workaround: Disable persistent rebalance.
•
CSCsq36042
When SSL stickiness is configured on a backup server farm, the CSM-S fails to perform NAT in some cases.
Workaround: Disable SSL stickiness on the server farm.
•
CSCsu39853
In rare cases, the CSM-S will stop responding to the CLI but will continue to pass traffic.
Workaround: None.
•
CSCso69828
When cookie-insert is configured on the CSM-S and the server sends the FIN/ACK immediately after its HTTP 200 OK response, the CSM-S may send some subsequent packets out of order and with an incorrect TCP sequence number.
Workaround: None.
•
CSCsz81041
The CSM-S does not send a reset upon receiving a synchronize acknowledgement (ACK) packet sent to a synchronize start (SYN) packet. This condition occurs in Layer 7 mode when the CSM-S opens a connection on the backend server, and if the server responds to the SYN with an ACK that has an invalid sequence number.
Workaround: None.
•
CSCsu92969
Configuring multiple server load balancing (SLB) policies in a particular order causes the connection counter in a real server in the server farm to erroneously report the default maximum connection (MAXCONN) limit of 4294967295 connections. When this condition occurs, the real server refuses new connections.
Workaround: Remove multiple SLB policies.
•
CSCsz81265
When configuring two virtual servers (Layer 3 and Layer 4) with the same virtual IP address, CSM-S drops the ICMP request to the virtual IP address. This condition occurs when both virtual servers are operational, and when there is no connection to the Layer 3 virtual server.
Workaround: Ensure that the Layer 3 virtual server is configured after the Layer 4 virtual server.
•
CSCsx37458
Under certain conditions, one or more VIPs on the CSM-S will not respond to a ping. This condition occurs when the same VIP is used in the virtual server and in a static NAT entry. The VIP may be displayed in the CSM ARP table as an SVR NAT entry instead of a virtual server entry. You can display the CSM ARP table by using the show mod csm slot arp command.
Workaround:
1. Suspend all virtual servers that use the affected VIP address.
2. Remove the static NAT configuration for that VIP.
3. Reactivate the virtual servers.
4. Add the static NAT again.
Open Caveats in Software Release 2.2(3) for SSL
Note
For a description of SSL caveats resolved in CSM-S software release 2.2(3), see the "Resolved Caveats in Software Release 2.2(3) for SSL" section.
This section describes the open SSL caveats in CSM-S software release 2.2(3):
•
Configuring NTP on the SSLM or CSM-S SSL-DC may interfere with the clock synchronization. Configuring the CSM-S SSL-DC to synchronize its clock using NTP might lead to the clock going out of synchronization.
Workaround: Do not configure NTP on the CSM-S SSL-DC or the SSLM. The DC clock periodically synchronizes with the supervisor engine, so having NTP running on the supervisor engine is enough to keep the clock in synchronization. (CSCsg55214)
Resolved Caveats in Software Release 2.2(3) for SSL
Note
For a description of open SSL caveats in CSM-S software release 2.2(3), see the "Open Caveats in Software Release 2.2(3) for SSL" section.
This section describes the resolved SSL caveats in CSM-S software release 2.2(3):
•
After normal operation, the SSLM stops inserting the header into the clear text traffic. This problem occurs only with software release 2.1(10).
Workaround: None. (CSCsh79045)
Open and Resolved Caveats in Software Release 2.2(2)
These sections describe the open and resolved caveats in CSM-S software release 2.2(2):
•
Open Caveats in Software Release 2.2(2) for CSM
•
Resolved Caveats in Software Release 2.2(2) for CSM
•
Open Caveats in Software Release 2.2(2) for SSL
•
Resolved Caveats in Software Release 2.2(2) for SSL
Open Caveats in Software Release 2.2(2) for CSM
Note
For a description of CSM caveats resolved in CSM-S software release 2.2(2), see the "Resolved Caveats in Software Release 2.2(2) for CSM" section.
This section describes open CSM caveats in CSM-S software release 2.2(2):
•
CSCsu39853
In rare cases, the CLI becomes unresponsive while traffic passes normally.
Workaround: None.
•
CSCsh53633
A CSM-S running 2.1(5) had a reboot due to IXP 3. The type of crash was known as an "L7 abort."
Workaround: None.
Resolved Caveats in Software Release 2.2(2) for CSM
Note
For a description of open CSM caveats in CSM-S software release 2.2(2), see the "Open Caveats in Software Release 2.2(2) for CSM" section.
This section describes resolved CSM caveats in CSM-S software release 2.2(2):
•
CSCsj26680
A CLI lockup can occur when the serverfarm threshold (vserver submode) command is issued. This condition can occur when the primary server farm contains hundreds of real servers that are down and the backup server farm takes over immediately. In this case, the CSM-S performance drops and the CLI becomes unresponsive.
Workaround: None.
•
CSCsj88014
A large delay can occur when updating LOAD using KAL-AP. When a Global Site Selector (GSS) is configured to probe a large number of virtual IP addresses with KAL-AP, the response to KAL-AP queries slows enough to make the GSS consider the virtual IPs to be down.
Workaround: Consolidate virtual servers to reduce their number, or use TCP keepalives instead.
•
CSCsi85407
Under a high traffic load, the CSM-S may halt unexpectedly. The console displays the error message: "P:\ixp1200\core\l7\l7_main.c(395) warning: TX Queue overflow. Shutting down CORE_TX_Q" followed by a core dump.
Workaround: None.
•
CSCsh94471
In rare cases, the CSM-S console becomes unresponsive and the show module csm num command indicates that the CSM-S is offline.
•
CSCsk43903
A pair of CSM-S modules configured for fault-tolerant operation will both enter the active state after 828 days.
Workaround: None.
•
CSCsk29021
When persistent rebalance is configured, the CSM-S will reexamine a persistent GET and remap it if it matches a different policy. As part of the remapping, the CSM-S will send a reset to the old connection. If the header insert feature is configured, this reset message has an incorrect sequence number.
Workaround: None.
•
CSCsk50939
The CSM-S stops responding to CAPP-UDP requests from a Global Site Selector (GSS) after changing the CAPP-UDP setting from secure to no secure.
Workaround: Reload the CSM-S.
•
CSCsl23801
HSRP causes CSM-S static ARP entries to be overwritten with all zeros (00-00-00-00-00-00). This problem is an unintended result of a previous caveat resolution.
Workaround: None.
•
CSCsj05855
In rare cases, the CSM-S may reboot and create a core dump due to memory corruption.
Workaround: None.
•
CSCsl59508
When a server farm contains many real servers (for example, 100), the CSM-S may reboot and create a core dump when you add the predictor leastconns slowstart num command to the server farm.
Workaround: Do not use the slowstart command option.
•
CSCsk98543
The CSM-S console might lock up when a backup server farm is configured with a threshold and contains few real servers (for example, when you have fewer than ten real servers).
Workaround: Remove the threshold command.
•
CSCsl07382
When the CSM-S is configured for Global Server Load Balancing (GSLB), the active CSM-S can exhibit a slow memory leak.
Workaround: Monitor memory usage regularly by using the venus console. Open a session to the active CSM-S by entering the session slot x processor 0 command. At the CSM> prompt, enter the venus command. At the venus# prompt, enter the core_show_usage command. If available memory is less than 20 percent, schedule a reboot of the CSM-S. Because the memory leak occurs only on the active CSM-S, the standby CSM-S should be available to take over.
•
CSCsi58089
The CSM-S drops SASP server messages larger than 2816 bytes.
Workaround: Reduce the number of servers participating in SASP to reduce the length of the SASP messages.
•
CSCsl72371
When an XML call is contained in a TCL script probe, the CSM-S probe fails with a memory allocation failure and the CSM-S console becomes unresponsive.
Workaround: None.
•
CSCsi82468
If persistent rebalance is enabled in a virtual server that contains a redirect server farm, the CSM-S will send two redirect responses for multipacket GET requests. This condition causes high CPU usage.
Workaround: Disable persistent rebalance on the virtual server that contains a redirect server farm.
•
CSCso00578
A CSM-S configured for redundancy may have its CSRP replication status stuck in the INIT state.
Workaround: None.
•
CSCso33427
When the CSM-S is configured to load balance IPsec using one Layer 4 virtual server for IKE and another for ESP, the CSM-S fails to forward to the back-end real server any "ICMP can't fragment" messages received at the CSM-S virtual IP address and relating to the ESP flow.
Workaround: Possible workarounds include the following:
– Reduce the server MSS to a value that will not exceed the MTU of the path to the client.
– Reduce the CSM-S default MSS using the environment variable TCP_MSS_OPTION.
•
CSCso81900
When a NAT pool is modified while configured as part of an SLB policy to a virtual server, traffic is sent to the virtual server with a NAT-supplied source address of 0.0.0.0.
Workaround: Reboot the CSM-S.
•
CSCsq84207
Path MTU discovery (PMTUD) performed by a server behind a CSM-S does not work correctly if the CSM-S is performing a cookie insertion.
Workaround: Possible workarounds include the following:
– Reduce the server MSS to a value that allows the cookie insertion without exceeding the MTU of the path to the client.
– Reduce the CSM-S default MSS by using the environment variable TCP_MSS_OPTION.
– Use a different type of stickiness for the server (for example, application cookies).
•
CSCsr79179
When the same gateway IP address is configured in both the gateway and route statements, the gateway statement will be ignored, although it will appear in the running configuration. After a failover or a reconfiguration, the active CSM-S will have no default route and will drop traffic.
Workaround: Possible workarounds include the following:
– Use the route 0.0.0.0 0.0.0.0 gateway x.x.x.x command to install the default route.
– Reload the CSM-S after the configuration synchronization.
– Use a configuration that does not specify the same gateway address in the gateway and route statements.
•
CSCsm84686
When a client sends a SYN packet to a virtual server with the Explicit Congestion Notification (ECN) and Congestion Window Reduced (CWR) flags set, the CSM-S drops the SYN packet.
Workaround: Disable ECN on the client.
•
CSCsl40722
The CSM-S stops servicing load-balanced connections and probes due to a buffer leak.
Workaround: Periodically, enter the show mod csm slot tech-support all | i outstanding command. If small buffers reach 24500 or medium buffers reach 20000, the buffers are full and you must reboot the CSM-S.
Open Caveats in Software Release 2.2(2) for SSL
Note
For a description of SSL caveats resolved in CSM-S software release 2.2(2), see the "Resolved Caveats in Software Release 2.2(2) for SSL" section.
This section describes the open SSL caveats in CSM-S software release 2.2(2):
•
Configuring NTP on the SSL-M or CSM-S SSL-DC may interfere with the clock synchronization. Configuring the CSM-S SSL-DC to synchronize its clock using NTP might lead to the clock going out of synchronization.
Workaround: Do not configure NTP on the CSM-S SSL-DC or the SSL-M. The DC clock periodically synchronizes with the supervisor engine, so having NTP running on the supervisor engine is enough to keep the clock in synchronization. (CSCsg55214)
•
The SSLM stops accepting new SSL connections because of a depletion of connection IDs on the TCP processor. To check for this condition, enter the show ssl-proxy stats command: the condition is present when there is an approximately 65K difference between the conn alloc and dealloc counters under TCP. Eventually, when all the connection IDs are exhausted, the SSLM will not be able to initiate any more connections to the backend servers.
Workaround: Reload the module. (CSCek50983)
•
The SSLM fails to pass the entire POST to a server when the header insert is configured in SSL proxy service. This occurred with a POST that had a large payload.
Workaround: Remove the header insert configuration from the proxy service. (CSCse31785)
•
When performing a URL rewrite, the location URL in a 302 redirect includes an explicit port "80" (for example, http://192.168.45.10:80/). (CSCse92180)
•
The location string for URL rewrites is being incorrectly rewritten in some cases. For example, a URL rewrite rule is given in the configuration for the URL, www.cisco.com, and the redirected location field contains the following string:
http://user.microsoft.com/dir/test.jsp?login=https://www.cisco.com
The location string is being incorrectly rewritten as follows:
http://user.microsoft.com/dir/test.jsp?login=httpswww.cisco.com
The rule is supposed to rewrite the URL only if the host portion of the URL matches www.cisco.com. In the situation described here, that is not the case, so no rewrite should occur. In addition, the rewrite should not affect the string https://www.cisco.com that appears so far into the location field. (CSCsg65505)
•
HTTP POST transactions fail when the total header size is exactly 1536 bytes and when the http-hdr insert policy is used. (CSCsh30757)
•
After upgrading to SSL software release 2.1(5), the SSL proxy service might remain in a down state with a "No Server/Next HOP MAC" reason, even though the server is reachable. This situation might occur after reload.
Workaround: Remove the server IP addresses from the proxy service, and reconfigure the proxy service to restart the service. (CSCei12818)
•
If you delete the route to the real server from the SSL proxy VLAN, and then configure another SSL proxy VLAN with the same network as the server IP address, the SSL proxy service goes into a "down" state and the proxy status shows "No Server VLAN," even though the real server is reachable from the SSL Services Module.
Workaround: Save the configuration, and reset the SSL Services Module. (CSCee46096)
•
The SSL Services Module does not support client certificate insertion for SSL client proxy service. If you apply an HTTP header policy to a client proxy service and configure the HTTP header policy with client certificate insertion and other headers, error messages are displayed, and the configuration is not accepted. Output from the show running-config command and the show ssl-proxy service service_name command does not show that the HTTP header policy is attached to the client proxy service; however, the SSL Services Module continues to insert the other configured HTTP headers (other than client certificate headers) into the request.
Workaround: Save the configuration, and reset the SSL Services Module. (CSCin67360)
•
The SSL Services Module with a virtual TCP policy that is configured with a low TCP maximum segment size (MSS) value (for example, 256), and with the default SYN timeout on the server side, might experience a software-forced reset due to exhausted resources if the following events occur simultaneously:
– The real server is unreachable.
– There is a burst of approximately 26,000 TCP SYN requests to establish a client connection.
– All connections enter the ESTABLISHED state in TCP before the HTTP requests are sent on any of the connections.
– The HTTP requests are more than three times the size of the negotiated MSS value.
Workaround: Do one of the following:
– Stabilize the real server so that it is reachable.
– If the SSL Services Module is used with a Content Switching Module (CSM), enable the health probe for a real server on the CSM. (CSCed53976)
•
When you configure trustpoints for manual or TFTP enrollment and enter the crypto ca certificate query command, the router loses certificates after it is reloaded.
Workaround: Do not enter the crypto ca certificate query command if you configure any of the trustpoints for manual or TFTP enrollment. (CSCee69321)
•
On systems that are running Catalyst operating system software on the supervisor engine and are configured with high availability, if you reset the SSL Services Module after a switchover, the supervisor engine displays the following error:
Console> (enable) Error: Module <mod> didn't shutdown complete within 3 min.
Module resetting...
The supervisor engine then successfully resets the SSL Services Module. (CSCec69592)
•
If you add a trailing "/" to the url value in the enrollment url url command for a trustpoint, the SSL Services Module sends the following GET request during certificate authority authentication:
GET //pkiclient.exe?operation=GetCACert&message=t1 HTTP/1.0
The pkiclient.exe file is usually located in the /cgi-bin/ directory of the certificate authority server.
Workaround: Do not enter a trailing "/" to the url value in the enrollment url url command for a trustpoint. (CSCed33492)
•
If you configure a URL rewrite rule, and a server redirects a client to a website that does not have a trailing "/" in the URL, the SSL Services Module does not rewrite the URL.
Workaround: Configure the server to add a trailing "/" to the relocation string. (CSCec46997)
•
Automatic enrollment might not work correctly if the router does not have a hardware clock (calendar) or if you have not configured a network time protocol (NTP) server.
Workaround 1: Remove the auto-enroll configuration, and then reconfigure auto-enroll to reset the clock manually.
Workaround 2: Reset the enrollment timer by doing the following:
a. Copy the "crypto ca trustpoint trustpoint_label" and "crypto ca certificate chain name" information from the running configuration.
b. Delete the trustpoint by entering the no crypto ca trustpoint trustpoint_label command.
c. Paste the trustpoint and certificate chain information to the configuration. (CSCec19596)
•
If multiple certificate authority certificates in the database have the same subject name, the certificate chain might contain the wrong certificate authority certificate. If the SSL Services Module is configured as an SSL server, it will send the wrong certificate authority certificate in the chain to the client, which could result in authentication and handshake failures.
Workaround: When a certificate authority has renewed its certificate, make sure that you renew all SSL certificates issued by this certificate authority. Delete the old certificate authority certificate from the database to avoid this problem. (CSCec82360)
•
The SSL Services Module does not rewrite the URL if the HTTP header that specifies the relocation string spans more than one TCP segment. (CSCec74017)
•
When you import a certificate from a PKCS12 or PEM file, or when you manually input a certificate authority certificate to the module and the certificate contains an invalid extension, the SSL peer might reject the certificate.
Workaround: Make sure that the certificate has the correct extension (for example, basic constraint) before importing it to the module. (CSCed14070)
•
Importing a self-signed certificate with the key pair of the issuer is not supported by the Cisco IOS PKI system. (CSCea48145)
•
Windows 2000 certificate authorities occasionally reject certificate enrollment requests that are issued by the SSL Services Module. The problem originated with the SCEP DLL and is fixed on the .net version of the certificate authority but not on the Windows 2000 version.
Workaround: Restart the certificate authority, and issue the enrollment request again. (CSCea53069)
•
There is no help string for the test crypto pki self command, and the generated self-signed certificate is not displayed by the show crypto ca certificate command. (CSCea50887)
•
The Cisco IOS PKI system cannot recover from an authentication failure, which results in a failed enrollment.
Workaround: Enter the no crypto ca trustpoint trustpoint-label command to remove the trustpoint, and then redefine it. Make sure that authentication is successful the first time, and then enroll the router certificate. (CSCea71882)
•
The Cisco IOS PKI system does not validate the issuer when using manual enrollment. As a result, a certificate chain may have a root certificate that belongs to one certificate authority and a router certificate that was issued by another certificate authority. (CSCea57072)
•
For manual certificate enrollment, if the URL string ends with a slash ("/") after the TFTP server name or address (for example, tftp://ipaddress/), the system tries to open a file named ".ca" from the TFTP server.
Workaround: Specify the filename in the URL. (CSCea32058)
•
If you import a key pair and a self-signed certificate from a PKCS12 file to a trustpoint and assign the certificate to a proxy service, installation of the certificate fails after you reboot the system, and the proxy service remains in the "no cert" state.
Workaround: After you reboot the system, delete the trustpoint, and import the PKCS12 file again. The proxy service automatically reinstalls the self-signed certificate. (CSCdz20220)
•
Cutting and pasting the hexadecimal values of a certificate into the configuration from the terminal can cause the data entry to fail.
Workaround: Copy the configuration file to the running configuration, or import the certificate with the key pair using a PKCS12 file. (CSCdz63758)
•
When you upgrade the image using the copy tftp: pclc#mod-fs: command, the command accepts any filename. You will not receive an image name validation when you upgrade the maintenance partition from the application partition or upgrade the application partition from the maintenance partition. For example, if you attempt to upgrade the application partition after booting the module in the application partition, the upgrade fails. (CSCdz23639)
•
Cisco Discovery Protocol (CDP) is not supported on the SSL Services Module; however, the CLI is available. (CSCdz24446)
•
The module might take longer to boot if there are client NAT pools in the startup configuration. The delay is proportional to the number of NAT pools in the configuration. With the maximum supported number of NAT pools (64), the delay is up to 4 minutes. (CSCdy56573)
•
Exporting a PKCS12 file using FTP can take up to 20 minutes if a file with the same name exists on the remote host. (CSCdy85233)
•
When query mode is configured and there are multiple trustpoints using the same certificate authority URL, only one of these trustpoints succeeds in obtaining the whole certificate chain after a Cisco IOS software reboot.
Workaround: Manually authenticate and enroll these trustpoints after the failure. Turn off query mode, and save the certificates in the NVRAM. (CSCdz03802)
•
Syslog messages indicating that proxy services are in the UP state may not be printed for all services configured in the system while booting. (CSCdy61618)
•
Do not configure the internal port Ethernet0/0. Any configuration on Ethernet0/0 results in unexpected behavior of the SSL Services Module. (CSCdy72229)
•
If you enter the clear arp command on the SSL Services Module, all proxy services go into a "down" state and then go into an "up" state. (CSCdy77843)
•
When query mode is configured, entering the no crypto ca certificate query command on the running configuration does not stop the periodic polling for certificates. (CSCdy46075)
•
When certificate query mode is configured, an "invalid input" message may be displayed on the console following a fingerprint. This message displays when a certificate is read from NVRAM when Cisco IOS software reboots, and it does not indicate a real error condition. (CSCdy43112)
•
On systems that are running Cisco IOS software and are configured with route processor redundancy plus (RPR+) or stateful switchover (SSO), if you shut down the SSL Services Module after a switchover (either from the CLI or the SHUTDOWN button on the front panel), the module will not shut down, and its status will remain as "Other."
Workaround: Reset the module, and then shut down the module. (CSCee37656)
Resolved Caveats in Software Release 2.2(2) for SSL
Note
For a description of open SSL caveats in CSM-S software release 2.2(2), see the "Open Caveats in Software Release 2.2(2) for SSL" section.
This section describes the SSL caveats resolved in CSM-S software release 2.2(2):
•
No new resolved caveats.
Open and Resolved Caveats in Software Release 2.2(1)
These sections describe the open and resolved caveats in CSM-S software release 2.2(1):
•
Open Caveats in Software Release 2.2(1) for CSM
•
Resolved Caveats in Software Release 2.2(1) for CSM
•
Open Caveats in Software Release 2.2(1) for SSL
•
Resolved Caveats in Software Release 2.2(1) for SSL
Open Caveats in Software Release 2.2(1) for CSM
Note
For a description of CSM caveats resolved in CSM-S software release 2.2(1), see the "Resolved Caveats in Software Release 2.2(1) for CSM" section.
This section describes open CSM caveats in CSM-S software release 2.2(1):
•
CSCsj26680
A CLI lockup can occur when the serverfarm threshold (vserver submode) command is issued. This condition can occur when the primary server farm contains hundreds of real servers that are down and the backup server farm takes over immediately. In this case, the CSM-S performance drops and the CLI becomes unresponsive.
Workaround: None.
•
CSCsj88014
A large delay in updating LOAD using KAL-AP can occur. When a Global Site Selector (GSS) is configured to probe a large number of virtual IP addresses with KAL-AP, the response to KAL-AP queries slows enough to make the GSS consider the virtual IPs to be down.
Workaround: Consolidate virtual servers to reduce their number, or use TCP keepalives instead.
•
CSCsh53633
In rare cases, a CSM-S had a reboot due to IXP 3. The type of crash was an "L7 abort."
Workaround: None.
•
CSCei73146
In an active-standby connection state replication setup, the connection counters on the standby CSM-S were not the same as the counters on the active CSM-S. The active CSM-S correctly shows that the connections were load balanced to various servers within a server farm. On the standby CSM-S, all replicated connections are assigned to a single real server within a server farm. The number of connections shown in the standby CSM-S might be different from the number of connections seen in the active CSM-S. This is a minor issue and does not affect the service.
Workaround: None.
•
CSCeg15173
Fragmented Layer 2 Tunneling Protocol (L2TP) tunneled packets are discarded by the CSM-S, and the Packets Repeat Reverse Fragmentation counter in the CSM-S increments quickly. This problem occurs when packets arrive out of order (the MF packets arrive last) and are separated in time by about 10 milliseconds.
Workaround: Design the network so that all fragments follow the same path, forcing them to arrive in order and closer together. You can also configure a static route in the CSM-S so that the module knows where to send reassembled fragments that arrived in a reverse order.
•
CSCsi85407
Under high traffic load, the CSM-S may halt unexpectedly. The console displays the error message: "P:\ixp1200\core\l7\l7_main.c(395) warning: TX Queue overflow. Shutting down CORE_TX_Q" followed by a core dump.
Workaround: None.
Resolved Caveats in Software Release 2.2(1) for CSM
Note
For a description of open CSM caveats in CSM-S software release 2.2(1), see the "Open Caveats in Software Release 2.2(1) for CSM" section.
This section describes resolved CSM caveats in CSM-S software release 2.2(1):
•
CSCse21474
The show module csm number conns command lists the RTSP data channel in the INIT state when it should be displayed in the ESTAB (established) state.
Workaround: If this is a UDP session, check both odd and even table entries to determine the actual state of the RTSP data channel.
•
CSCsg40988
The CSM-S halts with the following system log (syslog) error: "%CSM_SLB-3-UNEXPECTED: Module 3 unexpected error: FPGA3 exception encountered."
Workaround: None.
•
CSCsg84530
The CSM-S reloads unexpectedly with the following syslog error: "%CSM_SLB-3-UNEXPECTED: Module 3 unexpected error: PPC exception." The console displays the error message "PPC exception type 1792 on FTReplFlow(0C247500h)" followed by a core dump.
Workaround: None.
•
CSCsi29132
Clients sending persistent connections to a CSM-S virtual server may see a long delay after an HTTP request. This situation can occur when the virtual server is configured with persistence rebalance and with sticky cookies learned through the server. The CSM-S may not be forwarding the request to the server if the preceding request had an out-of-order response from the server.
Workaround: Remove persistence rebalance or remove cookies from the virtual server.
•
CSCsj75481
The CSM-S is not passing SYN-ACK in a policy-based routing (PBR) network when the ROUTE_UNKNOWN_FLOW_PKTS environment variable is set to 2. This environment variable specifies whether to route SYN or non-SYN packets that do not match any existing flows.
Workaround: Downgrade to a CSM-S version lower than 2.1(3).
Open Caveats in Software Release 2.2(1) for SSL
Note
For a description of SSL caveats resolved in CSM-S software release 2.2(1), see the "Resolved Caveats in Software Release 2.2(1) for SSL" section.
This section describes the open SSL caveats in CSM-S software release 2.2(1):
•
Configuring NTP on the SSL-M or CSM-S SSL-DC may interfere with the clock synchronization. Configuring the CSM-S SSL-DC to synchronize its clock using NTP might lead to the clock going out of synchronization.
Workaround: Do not configure NTP on the CSM-S SSL-DC or the SSL-M. The DC clock periodically synchronizes with the supervisor engine, so having NTP running on the supervisor engine is enough to keep the clock in synchronization. (CSCsg55214)
•
The SSLM stops accepting new SSL connections because of a depletion of connection IDs on the TCP processor. To check for this condition, enter the show ssl-proxy stats command: the condition is present when there is an approximately 65K difference between the conn alloc and dealloc counters under TCP. Eventually, when all the connection IDs are exhausted, the SSLM will not be able to initiate any more connections to the backend servers.
Workaround: Reload the module. (CSCek50983)
•
The SSLM fails to pass the entire POST to a server when the header insert is configured in SSL proxy service. This occurred with a POST that had a large payload.
Workaround: Remove the header insert configuration from the proxy service. (CSCse31785)
•
When performing a URL rewrite, the location URL in a 302 redirect includes an explicit port "80" (for example, http://192.168.45.10:80/). (CSCse92180)
•
The location string for URL rewrites is being incorrectly rewritten in some cases. For example, a URL rewrite rule is given in the configuration for the URL, www.cisco.com, and the redirected location field contains the following string:
http://user.microsoft.com/dir/test.jsp?login=https://www.cisco.com
The location string is being incorrectly rewritten as follows:
http://user.microsoft.com/dir/test.jsp?login=httpswww.cisco.com
The rule is supposed to rewrite the URL only if the host portion of the URL matches www.cisco.com. In the situation described here, that is not the case, so no rewrite should occur. In addition, the rewrite should not affect the string https://www.cisco.com that appears so far into the location field. (CSCsg65505)
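The two URL rewrite caveats above (CSCse92180 and CSCsg65505, listed for both release 2.2(2) and release 2.2(1)) describe what a correct Location-header rewrite should and should not do: rewrite only when the host portion of the redirect URL matches the configured host, leave a matching string buried in the query untouched, and not carry an explicit ":80" into the https URL. The function below is an added example of that behaviour written for this page; it is not the SSL Services Module's own rewrite code, and the match rules it applies (case-insensitive host comparison, default port dropped, non-default port kept) are assumptions for illustration.

```python
from urllib.parse import urlsplit, urlunsplit


def rewrite_location(location: str, match_host: str) -> str:
    """Rewrite an HTTP 302 Location value from http:// to https://,
    but only when the URL's host portion equals ``match_host``.

    Added example, not the module's own code. Assumed rules:
    - the host is compared case-insensitively, and only the host
      (never the path or query, so an embedded https://www.cisco.com
      in a query parameter is left alone);
    - an explicit default port (":80") is dropped instead of being
      carried into the https URL; any other port is preserved;
    - anything that is not a plain http:// URL is returned unchanged.
    """
    parts = urlsplit(location)
    if parts.scheme.lower() != "http":
        return location  # only http:// redirects are candidates

    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return location  # do not rewrite what cannot be parsed safely

    hostname = parts.hostname  # lowercased by urlsplit; None if absent
    if hostname is None or hostname != match_host.lower():
        return location  # host does not match: no rewrite at all

    # Preserve any userinfo ("user@") that preceded the host.
    userinfo, _, _ = parts.netloc.rpartition("@")
    netloc = hostname
    if port is not None and port != 80:
        netloc = f"{netloc}:{port}"
    if userinfo:
        netloc = f"{userinfo}@{netloc}"

    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed inputs taken from the two caveats' own examples.
    embedded = "http://user.microsoft.com/dir/test.jsp?login=https://www.cisco.com"
    print(rewrite_location(embedded, "www.cisco.com"))      # unchanged
    print(rewrite_location("http://192.168.45.10:80/", "192.168.45.10"))  # no :80
    print(rewrite_location("http://www.cisco.com/index.html", "www.cisco.com"))
```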
•
HTTP POST transactions fail when the total header size is exactly 1536 bytes and when the http-hdr insert policy is used. (CSCsh30757)
•
After upgrading to SSL software release 2.1(5), the SSL proxy service might remain in a down state with a "No Server/Next HOP MAC" reason, even though the server is reachable. This situation might occur after reload.
Workaround: Remove the server IP addresses from the proxy service, and reconfigure the proxy service to restart the service. (CSCei12818)
•
If you delete the route to the real server from the SSL proxy VLAN, and then configure another SSL proxy VLAN with the same network as the server IP address, the SSL proxy service goes into a "down" state and the proxy status shows "No Server VLAN," even though the real server is reachable from the SSL Services Module.
Workaround: Save the configuration, and reset the SSL Services Module. (CSCee46096)
•
The SSL Services Module does not support client certificate insertion for SSL client proxy service. If you apply an HTTP header policy to a client proxy service and configure the HTTP header policy with client certificate insertion and other headers, error messages are displayed, and the configuration is not accepted. Output from the show running-config command and the show ssl-proxy service service_name command does not show that the HTTP header policy is attached to the client proxy service; however, the SSL Services Module continues to insert the other configured HTTP headers (other than client certificate headers) into the request.
Workaround: Save the configuration, and reset the SSL Services Module. (CSCin67360)
•
The SSL Services Module with a virtual TCP policy that is configured with a low TCP maximum segment size (MSS) value (for example, 256), and with the default SYN timeout on the server side, might experience a software-forced reset due to exhausted resources if the following events occur simultaneously:
– The real server is unreachable.
– There is a burst of approximately 26,000 TCP SYN requests to establish a client connection.
– All connections enter the ESTABLISHED state in TCP before the HTTP requests are sent on any of the connections.
– The HTTP requests are more than three times the size of the negotiated MSS value.
Workaround: Do one of the following:
– Stabilize the real server so that it is reachable.
– If the SSL Services Module is used with a Content Switching Module (CSM), enable the health probe for a real server on the CSM. (CSCed53976)
• When you configure trustpoints for manual or TFTP enrollment and enter the crypto ca certificate query command, the router loses certificates after it is reloaded.
Workaround: Do not enter the crypto ca certificate query command if you configure any of the trustpoints for manual or TFTP enrollment. (CSCee69321)
• On systems that are running Catalyst operating system software on the supervisor engine and are configured with high availability, if you reset the SSL Services Module after a switchover, the supervisor engine displays the following error:
Console> (enable) Error: Module <mod> didn't shutdown complete within 3 min.
Module resetting...
The supervisor engine then successfully resets the SSL Services Module. (CSCec69592)
• If you add a trailing "/" to the url value in the enrollment url url command for a trustpoint, the SSL Services Module sends the following GET request during certificate authority authentication:
GET //pkiclient.exe?operation=GetCACert&message=t1 HTTP/1.0
The pkiclient.exe file is usually located in the /cgi-bin/ directory of the certificate authority server.
Workaround: Do not add a trailing "/" to the url value in the enrollment url url command for a trustpoint. (CSCed33492)
• If you configure a URL rewrite rule, and a server redirects a client to a website that does not have a trailing "/" in the URL, the SSL Services Module does not rewrite the URL.
Workaround: Configure the server to add a trailing "/" to the relocation string. (CSCec46997)
• Automatic enrollment might not work correctly if the router does not have a hardware clock (calendar) or if you have not configured a network time protocol (NTP) server.
Workaround 1: Remove the auto-enroll configuration, and then reconfigure auto-enroll to reset the clock manually.
Workaround 2: Reset the enrollment timer by doing the following:
a. Copy the "crypto ca trustpoint trustpoint_label" and "crypto ca certificate chain name" information from the running configuration.
b. Delete the trustpoint by entering the no crypto ca trustpoint trustpoint_label command.
c. Paste the trustpoint and certificate chain information to the configuration. (CSCec19596)
• If multiple certificate authority certificates in the database have the same subject name, the certificate chain might contain the wrong certificate authority certificate. If the SSL Services Module is configured as an SSL server, it will send the wrong certificate authority certificate in the chain to the client, which could result in authentication and handshake failures.
Workaround: When a certificate authority has renewed its certificate, make sure that you renew all SSL certificates issued by this certificate authority. Delete the old certificate authority certificate from the database to avoid this problem. (CSCec82360)
• The SSL Services Module does not rewrite the URL if the HTTP header that specifies the relocation string spans more than one TCP segment. (CSCec74017)
• When you import a certificate from a PKCS12 or PEM file, or when you manually input a certificate authority certificate to the module and the certificate contains an invalid extension, the SSL peer might reject the certificate.
Workaround: Make sure that the certificate has the correct extension (for example, basic constraint) before importing it to the module. (CSCed14070)
• Importing a self-signed certificate with the key pair of the issuer is not supported by the Cisco IOS PKI system. (CSCea48145)
• Windows 2000 certificate authorities occasionally reject certificate enrollment requests that are issued by the SSL Services Module. The problem originated with the SCEP DLL and is fixed on the .net version of the certificate authority but not on the Windows 2000 version.
Workaround: Restart the certificate authority, and issue the enrollment request again. (CSCea53069)
• There is no help string for the test crypto pki self command, and the generated self-signed certificate is not displayed by the show crypto ca certificate command. (CSCea50887)
• The Cisco IOS PKI system cannot recover from an authentication failure, which results in a failed enrollment.
Workaround: Enter the no crypto ca trustpoint trustpoint-label command to remove the trustpoint, and then redefine it. Make sure that authentication is successful the first time, and then enroll the router certificate. (CSCea71882)
• The Cisco IOS PKI system does not validate the issuer when using manual enrollment. As a result, a certificate chain may have a root certificate that belongs to one certificate authority and a router certificate that was issued by another certificate authority. (CSCea57072)
• For manual certificate enrollment, if the URL string ends with a slash ("/") after the TFTP server name or address (for example, tftp://ipaddress/), the system tries to open a file named ".ca" from the TFTP server.
Workaround: Specify the filename in the URL. (CSCea32058)
• If you import a key pair and a self-signed certificate from a PKCS12 file to a trustpoint and assign the certificate to a proxy service, installation of the certificate fails after you reboot the system, and the proxy service remains in the "no cert" state.
Workaround: After you reboot the system, delete the trustpoint, and import the PKCS12 file again. The proxy service automatically reinstalls the self-signed certificate. (CSCdz20220)
• Cutting and pasting the hexadecimal values of a certificate into the configuration from the terminal can cause the data entry to fail.
Workaround: Copy the configuration file to the running configuration, or import the certificate with the key pair using a PKCS12 file. (CSCdz63758)
• When you upgrade the image using the copy tftp: pclc#mod-fs: command, the command accepts any filename. You will not receive an image name validation when you upgrade the maintenance partition from the application partition or upgrade the application partition from the maintenance partition. For example, if you attempt to upgrade the application partition after booting the module in the application partition, the upgrade fails. (CSCdz23639)
• Cisco Discovery Protocol (CDP) is not supported on the SSL Services Module; however, the CLI is available. (CSCdz24446)
• The module might take longer to boot if there are client NAT pools in the startup configuration. The delay is proportional to the number of NAT pools in the configuration. With the maximum supported number of NAT pools (64), the delay is up to 4 minutes. (CSCdy56573)
• Exporting a PKCS12 file using FTP can take up to 20 minutes if a file with the same name exists on the remote host. (CSCdy85233)
• When query mode is configured and there are multiple trustpoints using the same certificate authority URL, only one of these trustpoints succeeds in obtaining the whole certificate chain after a Cisco IOS software reboot.
Workaround: Manually authenticate and enroll these trustpoints after the failure. Turn off query mode, and save the certificates in the NVRAM. (CSCdz03802)
• Syslog messages indicating that proxy services are in the UP state may not be printed for all services configured in the system while booting. (CSCdy61618)
• Do not configure the internal port Ethernet0/0. Any configuration on Ethernet0/0 results in unexpected behavior of the SSL Services Module. (CSCdy72229)
• If you enter the clear arp command on the SSL Services Module, all proxy services go into a "down" state and then go into an "up" state. (CSCdy77843)
• When query mode is configured, entering the no crypto ca certificate query command on the running configuration does not stop the periodic polling for certificates. (CSCdy46075)
• When certificate query mode is configured, an "invalid input" message may be displayed on the console following a fingerprint. This message displays when a certificate is read from NVRAM when Cisco IOS software reboots, and it does not indicate a real error condition. (CSCdy43112)
• On systems that are running Cisco IOS software and are configured with route processor redundancy plus (RPR+) or stateful switchover (SSO), if you shut down the SSL Services Module after a switchover (either from the CLI or the SHUTDOWN button on the front panel), the module will not shut down, and its status will remain as "Other."
Workaround: Reset the module, and then shut down the module. (CSCee37656)
Resolved Caveats in Software Release 2.2(1) for SSL
Note
For a description of open SSL caveats in CSM-S software release 2.2(1), see the "Open Caveats in Software Release 2.2(1) for SSL" section.
This section describes the SSL caveats resolved in CSM-S software release 2.2(1):
• No new resolved caveats.
Troubleshooting
CSM-S error messages may be received and reported in the system log (syslog). This section describes these messages.
Message Banners
When syslog messages are received, they are preceded by one of the following banners (where # is the slot number of the CSM-S module):
Error Message
CSM_SLB-4-INVALIDID Module # invalid ID
00:00:00: CSM_SLB-4-DUPLICATEID Module # duplicate ID
00:00:00: CSM_SLB-3-OUTOFMEM Module # memory error
00:00:00: CSM_SLB-4-REGEXMEM Module # regular expression memory error
00:00:00: CSM_SLB-4-ERRPARSING Module # configuration warning
00:00:00: CSM_SLB-4-PROBECONFIG Module # probe configuration error
00:00:00: CSM_SLB-4-ARPCONFIG Module # ARP configuration error
00:00:00: CSM_SLB-6-RSERVERSTATE Module # server state changed
00:00:00: CSM_SLB-6-GATEWAYSTATE Module # gateway state changed
00:00:00: CSM_SLB-3-UNEXPECTED Module # unexpected error
00:00:00: CSM_SLB-3-REDUNDANCY Module # FT error
00:00:00: CSM_SLB-4-REDUNDANCY_WARN Module # FT warning
00:00:00: CSM_SLB-6-REDUNDANCY_INFO Module %d FT info
00:00:00: CSM_SLB-3-ERROR Module # error
00:00:00: CSM_SLB-4-WARNING Module # warning
00:00:00: CSM_SLB-6-INFO Module # info
00:00:00: CSM_SLB-4-TOPOLOGY Module # warning
00:00:00: CSM_SLB-3-RELOAD Module # configuration reload failed
00:00:00: CSM_SLB-3-VERMISMATCH Module # image version mismatch
00:00:00: CSM_SLB-4-VERWILDCARD Received CSM-SLB module version wildcard on slot #
00:00:00: CSM_SLB-3-PORTCHANNEL Portchannel allocation failed for module #
00:00:00: CSM_SLB-3-IDB_ERROR Unknown error occurred while configuring IDB
Server and Gateway Health Monitoring
Error Message SLB-LCSC: No ARP response from gateway address A.B.C.D.
Explanation The configured gateway A.B.C.D. did not respond to ARP requests.
Error Message SLB-LCSC: No ARP response from real server A.B.C.D.
Explanation The configured real server A.B.C.D. did not respond to ARP requests.
Error Message SLB-LCSC: Health probe failed for server A.B.C.D on port P.
Explanation The configured real server on port P of A.B.C.D. failed health checks.
Error Message SLB-LCSC: DFP agent <x> disabled server <x>, protocol <x>, port <x>
Explanation The configured DFP agent has reported a weight of 0 for the specified real server.
Error Message SLB-LCSC: DFP agent <x> re-enabled server <x>, protocol <x>, port <x>
Explanation The configured DFP agent has reported a non-zero weight for the specified real server.
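The banner and health-monitoring message formats listed above are what a monitoring pipeline actually has to work with, so the following is an added parsing example (written for these release notes, not a Cisco tool) that turns such lines into structured events: it reads the severity digit and mnemonic out of the CSM_SLB banner, extracts the real-server or gateway address from the SLB-LCSC health messages, and summarizes which addresses are failing and which banners are at error severity. The sample log lines, slot number, addresses and ports are constructed; the message templates are the ones documented on this page.

```python
"""Parse CSM-S syslog banners and health-monitoring messages into events.

Added example for these release notes; not part of any Cisco software.
Message templates follow the banners and SLB-LCSC messages documented
here. Timestamps, slot numbers, addresses and ports in the sample log
are constructed.
"""
import re
from collections import Counter

# Banner form: "<hh:mm:ss>: CSM_SLB-<severity>-<MNEMONIC> <text>"
BANNER_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}): CSM_SLB-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+) (?P<text>.*)$"
)
SLOT_RE = re.compile(r"\bModule (?P<slot>\d+)\b")
IPV4 = r"\d+(?:\.\d+){3}"  # stops before the sentence-ending period

# Health-monitoring messages as documented, with address/port fields captured.
HEALTH_PATTERNS = [
    ("gateway_no_arp", re.compile(rf"SLB-LCSC: No ARP response from gateway address (?P<addr>{IPV4})")),
    ("real_no_arp", re.compile(rf"SLB-LCSC: No ARP response from real server (?P<addr>{IPV4})")),
    ("probe_failed", re.compile(rf"SLB-LCSC: Health probe failed for server (?P<addr>{IPV4}) on port (?P<port>\d+)")),
    ("dfp_disabled", re.compile(r"SLB-LCSC: DFP agent (?P<agent>\S+) disabled server (?P<addr>[^,]+), protocol (?P<proto>[^,]+), port (?P<port>\d+)")),
    ("dfp_reenabled", re.compile(r"SLB-LCSC: DFP agent (?P<agent>\S+) re-enabled server (?P<addr>[^,]+), protocol (?P<proto>[^,]+), port (?P<port>\d+)")),
]

# Constructed sample log: banner lines and SLB-LCSC lines as documented, plus noise.
SAMPLE_LOG = """\
00:00:01: CSM_SLB-6-RSERVERSTATE Module 4 server state changed
SLB-LCSC: No ARP response from real server 10.1.1.10.
SLB-LCSC: Health probe failed for server 10.1.1.10 on port 443.
00:00:03: CSM_SLB-6-GATEWAYSTATE Module 4 gateway state changed
SLB-LCSC: No ARP response from gateway address 10.1.1.1.
00:00:04: CSM_SLB-3-REDUNDANCY Module 4 FT error
00:00:05: CSM_SLB-4-REDUNDANCY_WARN Module 4 FT warning
SLB-LCSC: DFP agent 10.1.1.50 disabled server 10.1.1.11, protocol TCP, port 80
SLB-LCSC: DFP agent 10.1.1.50 re-enabled server 10.1.1.11, protocol TCP, port 80
some unrelated syslog line that the parser ignores
"""


def parse_line(line):
    """Return an event dict for a CSM-S banner or health message, else None."""
    line = line.strip()
    m = BANNER_RE.match(line)
    if m:
        slot = SLOT_RE.search(m.group("text"))
        return {
            "kind": "banner",
            "time": m.group("time"),
            "severity": int(m.group("sev")),  # syslog severity digit from the banner
            "mnemonic": m.group("mnemonic"),
            "slot": int(slot.group("slot")) if slot else None,
            "text": m.group("text"),
        }
    for name, pattern in HEALTH_PATTERNS:
        h = pattern.search(line)
        if h:
            return {"kind": "health", "event": name, **h.groupdict()}
    return None


def parse_log(text):
    """Parse every line of a log, dropping lines that are not CSM-S messages."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def summarize(events):
    """Collect error/warning mnemonics, state-change count and failing addresses."""
    summary = {"errors": [], "warnings": [], "state_changes": 0, "unhealthy": Counter()}
    for e in events:
        if e["kind"] == "banner":
            if e["severity"] <= 3:
                summary["errors"].append(e["mnemonic"])
            elif e["severity"] == 4:
                summary["warnings"].append(e["mnemonic"])
            if e["mnemonic"] in ("RSERVERSTATE", "GATEWAYSTATE"):
                summary["state_changes"] += 1
        elif e["event"] != "dfp_reenabled":  # re-enable is recovery, not a failure
            summary["unhealthy"][e["addr"]] += 1
    return summary


if __name__ == "__main__":
    for event in parse_log(SAMPLE_LOG):
        print(event)
    print(summarize(parse_log(SAMPLE_LOG)))
```

The severity digit in the banner (3 for errors such as REDUNDANCY and VERMISMATCH, 4 for warnings, 6 for informational state changes) is the natural routing key for alerts; the SLB-LCSC health messages carry the address that actually failed, which is what an operator needs to correlate a RSERVERSTATE banner with a specific real server.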
Diagnostic Messages
Error Message SLB-DIAG: WatchDog task not responding.
Explanation A critical error occurred within the CSM-S hardware or software.
Error Message SLB-DIAG: Fatal Diagnostic Error %x, Info %x.
Explanation A hardware fault was detected. The hardware is unusable and must be repaired or replaced.
Error Message SLB-DIAG: Diagnostic Warning %x, Info %x.
Explanation A non-fatal hardware fault was detected.
Fault Tolerance Messages
Error Message SLB-FT: No response from peer. Transitioning from Standby to Active.
Explanation The CSM-S detected a failure in its fault-tolerant peer and has transitioned to the active state.
Error Message SLB-FT: Heartbeat intervals are not identical between ft pair.
SLB-FT: Standby is not monitoring active now.
Explanation Proper configuration of the fault-tolerance feature requires that the heartbeat intervals be identical between CSM-S modules within the same fault-tolerance group, which is currently not the case. The fault-tolerance feature is disabled until the heartbeat intervals have been configured identically.
Error Message SLB-FT: heartbeat interval is identical again
Explanation The heartbeat intervals of different CSM-S modules in the same fault-tolerance group have been reconfigured to be identical. The fault-tolerance feature will be re-enabled.
Error Message SLB-FT: The configurations are not identical between the members of the fault tolerant pair.
Explanation In order for the fault-tolerance system to preserve the sticky database, the different CSM-S modules in the fault-tolerance group must be identically configured, which is not currently the case.
Regular Expression Errors
Error Message SLB-LCSC: There was an error downloading the configuration to hardware
SLB-LCSC: due to insufficient memory. Use the 'show ip slb memory'
SLB-LCSC: command to gather information about memory usage.
SLB-LCSC: Error detected while downloading URL configuration for vserver %s.
Explanation The hardware does not have sufficient memory to support the desired set of regular expressions. A different set of regular expressions must be configured for the system to function properly.
Error Message SLB-REGEX: Parse error in regular expression <x>.
SLB-REGEX: Syntactic error in regular expression <x>.
Explanation The configured regular expression does not conform to the regular expression syntax as described in the user manual.
Error Message SLB-LCSC: Error detected while downloading COOKIE policy map for vserver <x>.
SLB-LCSC: Error detected while downloading COOKIE <x> for vserver <x>.
Explanation An error occurred in configuring the cookie regular expressions for the virtual server. This error is likely due to a syntactic error in the regular expression (see below), or there is insufficient memory to support the desired regular expressions.
XML Errors
When an untolerated XML error occurs, the HTTP response contains a 200 code. The portion of the original XML document with the error is returned with an error element that contains the error type and description.
This example shows an error response to a condition where a virtual server name is missing:
<?xml version="1.0"?><config><csm_module slot="4"><vserver><error code="0x20">Missing attribute name in element vserver</error></vserver></csm_module></config>
The error codes returned also correspond to the bits of the error tolerance attribute of the configuration element. Returned XML error codes are as follows:
XML_ERR_INTERNAL = 0x0001,
XML_ERR_COMM_FAILURE = 0x0002,
XML_ERR_WELLFORMEDNESS = 0x0004,
XML_ERR_ATTR_UNRECOGNIZED = 0x0008,
XML_ERR_ATTR_INVALID = 0x0010,
XML_ERR_ATTR_MISSING = 0x0020,
XML_ERR_ELEM_UNRECOGNIZED = 0x0040,
XML_ERR_ELEM_INVALID = 0x0080,
XML_ERR_ELEM_MISSING = 0x0100,
XML_ERR_ELEM_CONTEXT = 0x0200,
XML_ERR_IOS_PARSER = 0x0400,
XML_ERR_IOS_MODULE_IN_USE = 0x0800,
XML_ERR_IOS_WRONG_MODULE = 0x1000,
XML_ERR_IOS_CONFIG = 0x2000
The default error_tolerance value is 0x48, which corresponds to ignoring unrecognized attributes and elements.
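Because an untolerated XML error still comes back with an HTTP 200 response, a client pushing configuration over the XML interface has to inspect the body rather than the status code. The following is an added example (not part of the release notes or of any Cisco tool) that does that: it walks the returned document for error elements, decodes the code attribute against the bit values listed above, and checks whether a given code would have been masked by an error_tolerance value, using the documented default of 0x48. The function names are this example's own; the sample response is the one shown on this page.

```python
"""Decode CSM-S XML interface error responses and error_tolerance masks.

Added example for these release notes; not part of any Cisco software.
The bit values and the default tolerance 0x48 are as documented here;
function names are this example's own.
"""
import xml.etree.ElementTree as ET

# Error bit values as listed in the release notes.
XML_ERROR_CODES = {
    "XML_ERR_INTERNAL": 0x0001,
    "XML_ERR_COMM_FAILURE": 0x0002,
    "XML_ERR_WELLFORMEDNESS": 0x0004,
    "XML_ERR_ATTR_UNRECOGNIZED": 0x0008,
    "XML_ERR_ATTR_INVALID": 0x0010,
    "XML_ERR_ATTR_MISSING": 0x0020,
    "XML_ERR_ELEM_UNRECOGNIZED": 0x0040,
    "XML_ERR_ELEM_INVALID": 0x0080,
    "XML_ERR_ELEM_MISSING": 0x0100,
    "XML_ERR_ELEM_CONTEXT": 0x0200,
    "XML_ERR_IOS_PARSER": 0x0400,
    "XML_ERR_IOS_MODULE_IN_USE": 0x0800,
    "XML_ERR_IOS_WRONG_MODULE": 0x1000,
    "XML_ERR_IOS_CONFIG": 0x2000,
}
DEFAULT_ERROR_TOLERANCE = 0x48  # documented default: ignore unrecognized attributes/elements

# The error response shown in the release notes (slot number as given there).
SAMPLE_RESPONSE = (
    '<?xml version="1.0"?><config><csm_module slot="4"><vserver>'
    '<error code="0x20">Missing attribute name in element vserver</error>'
    "</vserver></csm_module></config>"
)


def decode_mask(mask):
    """Return the names of the error bits set in mask, lowest bit first."""
    ordered = sorted(XML_ERROR_CODES.items(), key=lambda kv: kv[1])
    return [name for name, bit in ordered if mask & bit]


def extract_errors(xml_text):
    """Return (code, parent_path, message) for every <error> element in a response.

    The parent path records which part of the submitted document the module
    echoed back with the error, e.g. config/csm_module/vserver.
    """
    root = ET.fromstring(xml_text)
    found = []

    def walk(elem, path):
        for child in elem:
            if child.tag == "error":
                code = int(child.get("code", "0"), 16)  # attribute is hex text such as "0x20"
                found.append((code, path, (child.text or "").strip()))
            else:
                walk(child, path + "/" + child.tag)

    walk(root, root.tag)
    return found


def is_tolerated(code, tolerance=DEFAULT_ERROR_TOLERANCE):
    """True when every error bit in code is covered by the tolerance mask."""
    return (code & ~tolerance) == 0


def untolerated_errors(xml_text, tolerance=DEFAULT_ERROR_TOLERANCE):
    """List the errors a client must treat as a failed configuration push."""
    return [
        (code, path, decode_mask(code), msg)
        for code, path, msg in extract_errors(xml_text)
        if not is_tolerated(code, tolerance)
    ]


if __name__ == "__main__":
    print("default tolerance ignores:", decode_mask(DEFAULT_ERROR_TOLERANCE))
    for err in untolerated_errors(SAMPLE_RESPONSE):
        print("fatal:", err)
```

Widening error_tolerance beyond the default silences classes of errors rather than fixing them; decode_mask makes visible exactly which classes a given mask hides, which is worth checking before accepting a tolerance value in a change-management script.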
Related Documentation
For more detailed installation and configuration information, refer to the following publications:
• Regulatory Compliance and Safety Information for the Catalyst 6500 Series Switches
• Catalyst 6500 Series Content Switching Module Configuration Note
• Catalyst 6500 Series Content Switching Module Command Reference
• Catalyst 6500 Series Content Switching Module Installation and Verification Note
• Catalyst 6500 Series Switch Installation Guide
• Catalyst 6500 Series Switch Module Installation Guide
• Catalyst 6500 Series Switch Software Configuration Guide
• Catalyst 6500 Series Switch Command Reference
• Catalyst 6500 Series System Message Guide
• Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide
• Catalyst 6500 Series Switch Cisco IOS Command Reference
• For information about MIBs, refer to this URL:
Cisco IOS Software Documentation Set
Cisco IOS Configuration Guides and Command References—Use these publications to help you configure the Cisco IOS software that runs on the MSFC and on the MSM and ATM modules.
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What's New in Cisco Product Documentation as an RSS feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service. Cisco currently supports RSS Version 2.0.
This document is to be used in conjunction with the documents listed in the "Related Documentation" section.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2006-2012, Cisco Systems, Inc.
All rights reserved.