Table Of Contents
Release Notes for Catalyst 6500 Series Switch SSL Services Module Software Release 2.x
New Features in Software Release 2.1
Features in Software Release 1.1 Through 1.2
Open Caveats in Release 2.1(12)
Resolved Caveats in Release 2.1(12)
Open Caveats in Release 2.1(11)
Resolved Caveats in Release 2.1(11)
Open Caveats in Release 2.1(10)
Resolved Caveats in Release 2.1(10)
Open Caveats in Release 2.1(9)
Resolved Caveats in Release 2.1(9)
Open Caveats in Release 2.1(8)
Resolved Caveats in Release 2.1(8)
Open Caveats in Release 2.1(7)
Resolved Caveats in Release 2.1(7)
Open Caveats in Release 2.1(6)
Resolved Caveats in Release 2.1(6)
Open Caveats in Release 2.1(5)
Resolved Caveats in Release 2.1(5)
Open Caveats in Release 2.1(4)
Resolved Caveats in Release 2.1(4)
Open Caveats in Release 2.1(3)
Resolved Caveats in Release 2.1(3)
Open Caveats in Release 2.1(2)
Resolved Caveats in Release 2.1(2)
Open Caveats in Release 2.1(1)
Resolved Caveats in Release 2.1(1)
Cisco IOS Software Documentation Set
Obtaining Documentation, Obtaining Support, and Security Guidelines
Release Notes for Catalyst 6500 Series Switch SSL Services Module Software Release 2.x
Current Release: 2.1(12)—January 24, 2008
Previous releases: 2.1(11), 2.1(10), 2.1(9), 2.1(8), 2.1(7), 2.1(6), 2.1(5), 2.1(4), 2.1(3), 2.1(2), 2.1(1)
The SSL Services Module is a Layer 4 through Layer 7 service module that you can install into the Catalyst 6500 series switch. The module terminates secure sockets layer (SSL) transactions and accelerates the encryption and decryption of data used in SSL sessions.
This publication describes the features, modifications, and caveats for the Catalyst 6500 series SSL Services Module software release 2.x.
Note
For detailed installation and configuration procedures for the SSL Services Module, refer to the Catalyst 6500 series SSL Services Module documentation at this URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/ssl_mod/index.htm
Contents
This document consists of these sections:
•
New Features in Software Release 2.1
•
Features in Software Release 1.1 Through 1.2
•
Obtaining Documentation, Obtaining Support, and Security Guidelines
System Requirements
This section describes the system requirements for the Catalyst 6500 series SSL Services Module software release 2.x:
Hardware Requirements
The Catalyst 6500 series SSL Services Module is supported in systems with a Supervisor Engine 2 with an MSFC2 or a Supervisor Engine 720 with an MSFC3, and any module with ports that connect server and client networks.
Software Requirements
Note
Starting with maintenance image release 2.1(1), there is a single maintenance image for services modules. Refer to this URL:
http://www.cisco.com/pcgi-bin/tablebuild.pl/cat6000-serv-maint
Table 1 lists the SSL software versions supported by Catalyst operating system and Cisco IOS software.
Table 1 SSL Software Compatibility
Product Number | Minimum SSL Software Version | Recommended SSL Software Version | Minimum Cisco IOS Software | Minimum Catalyst Software
Application Image | Maintenance Image | Application Image | Maintenance Image
WS-SVC-SSL-1 with Supervisor Engine 720
1.2(2)
1.2(1) [1]
2.1(9)
2.1(3)
12.2(17a)SX1
8.2(1)
12.2(14)SX1
-
WS-SVC-SSL-1 with Supervisor Engine 2
1.2(2)
1.2(1) [1]
2.1(9)
2.1(3)
12.1(13)E3
7.5(1)
12.1(13)E
-
[1] Do not use the 1.2(2) maintenance image.
Orderable Software Images
Table 2 lists the software versions and applicable ordering information for the SSL software.
New Features in Software Release 2.1
This section describes the new features available in SSL software release 2.1:
•
SSL initiation
This feature allows you to configure the SSL Services Module as an SSL client. When you configure an SSL proxy service for SSL client functionality, the SSL Services Module negotiates an SSL session with the server and uses that session to encrypt the clear-text data coming from the client connection.
•
SSL version 2.0 forwarding
This feature allows you to configure the SSL Services Module to forward SSLv2 connections to another server. When you configure the SSLv2 server IP address, the SSL Services Module transparently forwards all SSLv2 connections to that server.
•
URL rewrite
URL rewrite rules resolve the problem of a website redirecting you to a nonsecure HTTP URL by rewriting the domain from http:// to https://. By configuring URL rewrite, all client connections to the web server are SSL connections, ensuring the secure delivery of HTTPS content back to the client.
•
HTTP header insertion
This feature provides support for servers that require information inserted into an HTTP header.
•
Wildcard proxy
Wildcard SSL proxy provides a flexible network configuration interface if you have a large number of servers in your network.
•
Client certificates
This feature allows you to configure a certificate for a client-type proxy service. When acting as an SSL client, the SSL Services Module sends this certificate for authentication if the SSL server requests it, and the issuer of this certificate is on the server's list of acceptable certificate authorities.
•
Client and server certificate caching
This feature allows you to cache peer certificates that have been authenticated within a configurable time interval.
•
Client and server certificate authentication
This feature allows you to configure the option to request and authenticate the client certificate when the SSL Services Module acts as an SSL server. The SSL Services Module automatically authenticates the server certificate when it acts as an SSL client. The feature specifies a set of trusted certificate authorities and the scope of validation for each proxy service.
•
Certificate security attribute-based access control lists
This feature allows you to configure an access control list (ACL) that filters certificates based on certificate attribute values.
•
Certificate revocation lists (CRL)
A CRL is a time-stamped list that identifies certificates that should no longer be trusted. When a participating peer device uses a certificate, that device not only checks the certificate signature and validity but also checks that the certificate serial number is not on that CRL.
•
Certificate expiration warning
When you enable certificate expiration warnings, the SSL Services Module checks every 30 minutes for expiration information. The SSL Services Module can log warning messages and send SNMP traps when certificates have expired or will expire within a specified amount of time.
•
Module-level redundancy with multiple SSL Services Modules configured with HSRP
You can configure HSRP to provide redundancy when the SSL Services Module is used in a standalone configuration (using policy-based routing).
•
TACACS/TACACS+/RADIUS
The feature allows you to configure external servers for authentication, authorization, and accounting (AAA).
•
Password recovery
This feature allows you to access the SSL Services Module without any authentication using the password recovery script.
Note
You can download the password recovery script from the Cisco.com software center.
•
SNMP support
–
CISCO-SSL-PROXY-MIB (All objects are read-only)
cspGlobalConfigGroup
cspProxyServiceConfigGroup
cspProxyServiceNotificationGroup
cspSslGroup
cspSsl3Group
cspTls1Group
cspSslErrorGroup
cspCpuStatusGroup
–
CISCO-SSL-PROXY-CAPABILITY
•
CiscoView Device Manager for Cisco Catalyst 6500 Series SSL SM 1.0 (CVDM-SSLSM)
CVDM-SSLSM enables users to easily configure Secure Socket Layer (SSL) services on their SSL Services Module. It is a task-based tool that allows users to take advantage of the versatility of their SSL Services Module. It offers configuration wizards based on best practices in tasks such as setting up Trustpoints and proxy services.
To access all CiscoView Device Manager documentation, go to this URL:
Features in Software Release 1.1 Through 1.2
For a complete list of features for SSL software releases 1.1 through 1.2, refer to the Release Notes for Catalyst 6500 Series SSL Services Module Software Release 1.x at this URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/relnotes/ol_3396.htm
New and Changed Information
This section describes new and changed information for all 2.1(x) software releases:
•
In the output display of the show ssl-proxy stats service context command, the valid session counter is renamed to session cache entry. The counter displays the number of SSL session IDs in the cache. The change is added in SSL software release 2.1(12). (CSCek28849)
•
New CLI command min-chain-length is added in SSL software release 2.1(12). (CSCsl42088)
When a trustpoint is associated with an SSL-proxy service, it is subjected to several validity checks. One such check requires that the trustpoints on the SSLM can be chained together to form a full certificate chain that terminates with a self-signed root CA certificate. The new crypto pki trustpoint subcommand min-chain-length allows this requirement to be modified. The default value of min-chain-length is zero, which means that a full certificate chain must be present. If min-chain-length is set to a nonzero value, the check passes if the chain either terminates in a root CA certificate or if the number of certificates in the chain is at least the min-chain-length value.
The min-chain-length option was introduced because an HTTPS server does not need to present a full certificate chain to a browser, because the browser can complete the chain using its preinstalled root CA certificates. In fact, it may be desirable for the server to present a partial certificate chain to support a range of browsers with varied root CA certificates. If the browser has a root CA certificate that can be used to complete the certificate chain, the server's certificate will be accepted.
This command affects the checking process only at the time that the trustpoint is associated with the service. After making a change to the min-chain-length value, you should disassociate the trustpoint from the service, and then reassociate it.
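The chain check described above, as an added Python model that is not the module's own code: certificates are reduced to subject and issuer names, the CA hierarchy is constructed for the example, and counting the server certificate itself toward min-chain-length is an assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate held by a trustpoint.

    Only the names matter for chain building here; signature checks are out of scope.
    """
    subject: str
    issuer: str

    def is_self_signed(self) -> bool:
        # A root CA certificate is self-signed: issuer and subject are the same name.
        return self.subject == self.issuer


def build_chain(server_cert: Cert, ca_trustpoints: list[Cert]) -> list[Cert]:
    """Link the server certificate to the CA certificates available on the module.

    Walks issuer -> subject until it reaches a self-signed root or runs out of
    trustpoints, mirroring the "can be chained together" part of the check.
    """
    by_subject = {tp.subject: tp for tp in ca_trustpoints}
    chain = [server_cert]
    seen = {server_cert.subject}
    while not chain[-1].is_self_signed():
        parent = by_subject.get(chain[-1].issuer)
        if parent is None or parent.subject in seen:   # missing link or a loop
            break
        chain.append(parent)
        seen.add(parent.subject)
    return chain


def chain_check_passes(chain: list[Cert], min_chain_length: int = 0) -> bool:
    """Decide whether the trustpoint may be associated with the proxy service.

    min_chain_length == 0 (default): the chain must end in a self-signed root CA.
    min_chain_length  > 0: pass if the chain ends in a root CA *or* it holds at
    least min_chain_length certificates. Assumption: the server certificate is
    counted, so server + sub CA + intermediate CA = 3.
    """
    ends_in_root = chain[-1].is_self_signed()
    if min_chain_length <= 0:
        return ends_in_root
    return ends_in_root or len(chain) >= min_chain_length


# Constructed sample hierarchy (not from the release notes):
#   server1 <- Sub CA <- Intermediate CA <- Root CA (self-signed)
ROOT_CA = Cert(subject="Root CA", issuer="Root CA")
INTERMEDIATE_CA = Cert(subject="Intermediate CA", issuer="Root CA")
SUB_CA = Cert(subject="Sub CA", issuer="Intermediate CA")
SERVER1 = Cert(subject="server1", issuer="Sub CA")


def association_allowed(ca_trustpoints: list[Cert], min_chain_length: int = 0) -> bool:
    """Would associating server1's trustpoint with a service pass the check?"""
    return chain_check_passes(build_chain(SERVER1, ca_trustpoints), min_chain_length)


if __name__ == "__main__":
    # Full chain present on the module: accepted with the default of 0.
    print(association_allowed([SUB_CA, INTERMEDIATE_CA, ROOT_CA]))   # True
    # Root CA deliberately omitted (browsers carry it): rejected by default ...
    print(association_allowed([SUB_CA, INTERMEDIATE_CA]))            # False
    # ... but accepted once min-chain-length 3 is configured (3 certs present).
    print(association_allowed([SUB_CA, INTERMEDIATE_CA], 3))         # True
    # Only Sub CA present: 2 certificates, still short of 3.
    print(association_allowed([SUB_CA], 3))                          # False
    # Sub CA missing: the chain stops at server1 (length 1), short of 3.
    print(association_allowed([INTERMEDIATE_CA, ROOT_CA], 3))        # False
```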
Following is an example of the min-chain-length command:
Router# config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# crypto pki trustpoint server1
Router(ca-trustpoint)# min-chain-length 3
Limitations and Restrictions
This section describes general limitations and restrictions for all 2.1(x) software releases:
•
You can install a maximum of four SSL Services Modules in a chassis.
•
Although Cisco IOS Release 12.1(13)E and later releases support 4096 VLANs, the SSL software supports only the normal-range VLANs (2 through 1005). Limit the SSL Services Module configuration to the normal-range VLANs.
•
The SSL software does not monitor the health of the real (HTTP) servers. If a real server goes into a down state, the system shows that the service status is up until the Cisco IOS software retries and fails ARP after the default timeout period.
Workaround 1: If you know that the HTTP server is down, enter the no inservice command for the corresponding SSL proxy service.
Workaround 2: If you are using the SSL Services Module with a Content Switching Module (CSM), configure health monitoring on the CSM. (CSCdy83210)
•
The client (SSL) and server (HTTP) connections that were bound during data transfer show up as four connections in the TCP connection table if both connections are in TIME_WAIT state. (CSCdy69930)
•
With an open TCP connection, when the associated SSL proxy service is deleted and configured again using the same name, the association between the SSL proxy service and the previous open TCP connection is lost. When you delete and create the same SSL proxy service, a new service ID for the same service name is created. (CSCdy68548)
•
When you configure private VLANs, the SSL Services Module VLAN must be different from the primary or secondary VLAN on the client or server. If the SSL Services Module VLAN is the same as the primary or secondary VLAN on the client or server, the SSL interface may drop the traffic coming from the private VLAN. (CSCdy86258)
•
The SSL Services Module supports only one route per VLAN. If you add multiple routes using the ssl-proxy vlan command, only the last route entered is added. (CSCdy44647)
•
Do not use any routing protocols on the SSL Services Module. Although you can configure the Routing Information Protocol (RIP), we do not recommend it. The module supports administrative VLAN for all management (non-SSL) traffic. (CSCdz23816)
•
If ARP requests are sent at wire speed to the SSL Services Module, traceback messages are displayed that warn that the module is receiving heavy traffic in its control plane, which is not a normal condition. Avoid sending wire-speed traffic to a services module. (CSCdz36033)
•
Operations affecting NVRAM (such as deleting a file or exporting a trustpoint to NVRAM) display a message regarding downgrade compatibility. This message is similar to the message displayed after you enter the copy system:running-config nvram:startup-config command. (CSCea69515)
•
The SSL Services Module is not Federal Information Processing Standards (FIPS) certified in SSL software release 1.x or 2.x.
•
If there is more than one level of certificate authority, only the lowest level certificate authority trustpoint that is authenticated and enrolled is exported in PEM files.
Workaround: Export the enrolled trustpoint to a PKCS12 file. All levels of CA trustpoints in the certificate chain will be automatically included in the same file. (CSCea75462)
•
The clear ssl-proxy stats ssl command does not clear the counters in the max handshake conns and the max device q len fields. The clear ssl-proxy stats service backend-ssl command does not clear the counters in the valid sessions field. These counters are running counters and are not meant to be cleared when you enter a clear command. (CSCeh70549)
Caveats
These sections describe open and resolved caveats in SSL software for all 2.1(x) software releases:
•
Open Caveats in Release 2.1(12)
•
Resolved Caveats in Release 2.1(12)
•
Open Caveats in Release 2.1(11)
•
Resolved Caveats in Release 2.1(11)
•
Open Caveats in Release 2.1(10)
•
Resolved Caveats in Release 2.1(10)
•
Open Caveats in Release 2.1(9)
•
Resolved Caveats in Release 2.1(9)
•
Open Caveats in Release 2.1(8)
•
Resolved Caveats in Release 2.1(8)
•
Open Caveats in Release 2.1(7)
•
Resolved Caveats in Release 2.1(7)
•
Open Caveats in Release 2.1(6)
•
Resolved Caveats in Release 2.1(6)
•
Open Caveats in Release 2.1(5)
•
Resolved Caveats in Release 2.1(5)
•
Open Caveats in Release 2.1(4)
•
Resolved Caveats in Release 2.1(4)
•
Open Caveats in Release 2.1(3)
•
Resolved Caveats in Release 2.1(3)
•
Open Caveats in Release 2.1(2)
•
Resolved Caveats in Release 2.1(2)
•
Open Caveats in Release 2.1(1)
•
Resolved Caveats in Release 2.1(1)
Open Caveats in Release 2.1(12)
This section describes open caveats for the SSL Services Module software release 2.1(12):
•
Configuring Network Time Protocol (NTP) on the SSLM or the Content Switching Module with SSL (CSM-S) SSL daughtercard (SSL-DC) may interfere with the clock synchronization. If the CSM-S SSL-DC is configured to synchronize its clock using NTP, the clock might go out of synchronization.
Workaround: Do not configure NTP on the CSM-S SSL-DC or the SSLM. The daughtercard clock periodically synchronizes with the supervisor engine, so having NTP running on the supervisor engine is enough to keep the clock in synchronization. (CSCsg55214)
Resolved Caveats in Release 2.1(12)
This section describes resolved caveats in SSL Services Module software release 2.1(12):
•
When a URL-rewrite policy is configured with an asterisk (*), the SSLM will rewrite HTTP to HTTPS on nondefault TCP ports (ports other than 80). (CSCse28330)
•
When a backend server redirects a connection from the client to another server by providing a URL, the redirection is successful but the URL is not rewritten. (CSCsi22668)
•
A certificate renewal fails when the original trustpoint was created using the crypto ca import name pem terminal password command. (CSCsj89254)
•
In the output display of the show ssl-proxy stats hdr command, the Service Errors counter is incremented when accessing a proxy service without an HTTP header policy. (CSCsd06143)
•
When client certification and header insertion are enabled, and the client certificate contains UTF8-encoded non-ASCII characters, the ISSUER and SUBJECT fields are empty in the HTTP header from the SSLM to the back-end server.
Workaround: Do not use UTF8-encoding in the client certificate. (CSCsk31737)
•
In rare cases, the SSLM may reload when client authentication is enabled with the authenticate verify all command and a CRL download is performed while there is significant network congestion.
Workaround: Disable full client authentication by entering either the authenticate verify signature-only command or the no authenticate verify all command. (CSCsl10317)
•
The show ssl-proxy mac address and show ssl-proxy mac cpu-util commands display incorrect results. (CSCsl28453)
•
Custom header insertion fails for consecutive POSTs in a TCP connection. (CSCsl35144)
•
The SSLM may reset connections using a timeout interval lower than the defined timeout handshake value for an SSL policy.
Workaround: Remove the timeout handshake value. The default value of 0 will cause the SSLM to wait until the connection closes for the handshake to complete. (CSCsl54156)
Open Caveats in Release 2.1(11)
This section describes open caveats for the SSL Services Module software release 2.1(11):
•
Configuring NTP on the SSLM or CSM-S SSL-DC may interfere with the clock synchronization. Configuring the CSM-S SSL-DC to synchronize its clock using NTP might lead to the clock going out of synchronization.
Workaround: Do not configure NTP on the CSM-S SSL-DC or the SSLM. The DC clock periodically synchronizes with the supervisor engine, so having NTP running on the supervisor engine is enough to keep the clock in synchronization. (CSCsg55214)
Resolved Caveats in Release 2.1(11)
This section describes resolved caveats in SSL Services Module software release 2.1(11):
•
After normal operation, the SSLM stops inserting the header into the clear text traffic. This problem occurs only with software release 2.1(10).
Workaround: None. (CSCsh79045)
Open Caveats in Release 2.1(10)
This section describes open caveats for the SSL Services Module software release 2.1(10):
•
After normal operation, the SSLM stops inserting the header into the clear text traffic. This problem occurs only with SSL software release 2.1(10).
Workaround: None.
•
Configuring NTP on the SSLM or CSM-S SSL-DC may interfere with the clock synchronization. Configuring the CSM-S SSL-DC to synchronize its clock using NTP might lead to the clock going out of synchronization.
Workaround: Do not configure NTP on the CSM-S SSL-DC or the SSLM. The DC clock periodically synchronizes with the supervisor engine, so having NTP running on the supervisor engine is enough to keep the clock in synchronization. (CSCsg55214)
Resolved Caveats in Release 2.1(10)
This section describes resolved caveats in SSL Services Module software release 2.1(10):
•
The SSLM stops accepting new SSL connections because of a depletion of connection IDs on the TCP processor. To check for this condition, enter the show ssl-proxy stats command: the condition can occur when there is a difference of approximately 65K between the connection allocation counters and the deallocation counters under TCP. Eventually, when all the connection IDs are exhausted, the SSLM is unable to initiate any more connections to the backend servers.
Workaround: Reload the module. (CSCek50983)
•
The SSLM fails to pass the entire POST to a server when the header insert is configured in SSL proxy service. This occurred with a POST that had a large payload.
Workaround: Remove the header insert configuration from the proxy service. (CSCse31785)
•
When performing a URL rewrite, the location URL in a 302 redirect includes an 80. For example, http://192.168.45.10:80/. (CSCse92180)
•
The location string for URL rewrites is being incorrectly rewritten in some cases. For example, a URL rewrite rule is given in the configuration for the URL, www.cisco.com, and the redirected location field contains the following string:
http://user.microsoft.com/dir/test.jsp?login=https://www.cisco.com
The location string is being incorrectly rewritten as follows:
http://user.microsoft.com/dir/test.jsp?login=httpswww.cisco.com
The rule is supposed to be rewritten if the host portion of the URL matches www.cisco.com. In the situation described here, that is not the case. No rewrite is supposed to occur. In addition, the rewrite should not affect the string https://www.cisco.com so far into the location field. (CSCsg65505)
•
HTTP POST transactions fail when the total header size is exactly 1536 bytes and when the HTTP header insert policy is used. (CSCsh30757)
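The intended rewrite behaviour described in CSCsg65505 (rewrite only when the host portion of the Location URL matches the rule) and in CSCec46997 (rewrite whether or not the path ends in a slash), as an added Python illustration that is not the module's own code; the handling of nondefault ports and the sample 302 response are assumptions constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit

DEFAULT_CLEARTEXT_PORT = 80   # default cleartext port for URL rewrite in these notes
DEFAULT_SSL_PORT = 443        # default SSL port for URL rewrite in these notes


def host_matches(hostname: str, rule_host: str) -> bool:
    """Compare the URL's host component with a configured rule host.

    '*' is the wildcard rule mentioned in the notes; otherwise the match is an
    exact, case-insensitive hostname comparison, never a substring search.
    """
    return rule_host == "*" or hostname.lower() == rule_host.lower()


def rewrite_location(location: str, rule_hosts: list[str],
                     cleartext_port: int = DEFAULT_CLEARTEXT_PORT,
                     ssl_port: int = DEFAULT_SSL_PORT) -> str:
    """Return the Location header value after applying the rewrite rules.

    The URL is parsed first, so only its host component is compared; a matching
    string buried in the query (the CSCsg65505 case) cannot trigger a rewrite.
    Assumptions (not stated in the notes): a URL naming a port other than the
    cleartext port is left alone, and the SSL port is written only when it is
    not the default 443.
    """
    parts = urlsplit(location)
    if parts.scheme.lower() != "http" or not parts.hostname:
        return location                      # already https, relative, or unusable
    if not any(host_matches(parts.hostname, h) for h in rule_hosts):
        return location                      # host does not match any rule
    try:
        port = parts.port
    except ValueError:
        return location                      # malformed port: do not touch it
    if port not in (None, cleartext_port):
        return location                      # explicit nondefault port: leave it
    netloc = parts.hostname + ("" if ssl_port == DEFAULT_SSL_PORT else f":{ssl_port}")
    # Path, query and fragment are carried over untouched, trailing slash or not.
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def rewrite_redirect(response_head: str, rule_hosts: list[str]) -> str:
    """Apply rewrite_location to the Location line of a raw HTTP response head.

    Header names are matched case-insensitively; every other line is preserved.
    """
    out = []
    for line in response_head.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            line = f"{name}: {rewrite_location(value.strip(), rule_hosts)}"
        out.append(line)
    return "\r\n".join(out)


# Constructed sample 302 from a back-end server, using the rule host from the notes.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://www.cisco.com/index.html\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
# The Location value from CSCsg65505: the rule host appears only inside the query.
CSCSG65505_LOCATION = "http://user.microsoft.com/dir/test.jsp?login=https://www.cisco.com"

if __name__ == "__main__":
    print(rewrite_redirect(SAMPLE_RESPONSE, ["www.cisco.com"]))
    print(rewrite_location(CSCSG65505_LOCATION, ["www.cisco.com"]))   # unchanged
    print(rewrite_location("http://www.cisco.com", ["www.cisco.com"]))  # no trailing slash, still rewritten
```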
Open Caveats in Release 2.1(9)
This section describes open caveats for the SSL Services Module software release 2.1(9):
•
After upgrading to SSL software release 2.1(5) or a later release, the SSL proxy service might remain in a down state with a "No Server/Next HOP MAC" reason, even though the server is reachable. This situation might occur after reload.
Workaround: Remove the server IP addresses from the proxy service, and reconfigure the proxy service to restart the service. (CSCei12818)
•
If you delete the route to the real server from the SSL proxy VLAN, and then configure another SSL proxy VLAN with the same network as the server IP address, the SSL proxy service goes into a down state and the proxy status shows "No Server VLAN," even though the real server is reachable from the SSL Services Module.
Workaround: Save the configuration, and reset the SSL Services Module. (CSCee46096)
•
The SSL Services Module does not support client certificate insertion for SSL client proxy service. If you apply an HTTP header policy to a client proxy service and configure the HTTP header policy with client certificate insertion and other headers, error messages are displayed, and the configuration is not accepted. Output from the show running-config command and the show ssl-proxy service service_name command does not show that the HTTP header policy is attached to the client proxy service; however, the SSL Services Module continues to insert the other configured HTTP headers (other than client certificate headers) into the request.
Workaround: Save the configuration, and reset the SSL Services Module. (CSCin67360)
•
The SSL Services Module with a virtual TCP policy that is configured with a low TCP maximum segment size (MSS) value (for example, 256), and with the default SYN timeout on the server side, might experience a software-forced reset due to exhausted resources if the following events occur simultaneously:
–
The real server is unreachable.
–
There is a burst of approximately 26,000 TCP SYN requests to establish a client connection.
–
All connections enter the ESTABLISHED state in TCP before the HTTP requests are sent on any of the connections.
–
The HTTP requests are more than three times the size of the negotiated MSS value.
Workaround: Do one of the following:
–
Stabilize the real server so that it is reachable.
–
If the SSL Services Module is used with a Content Switching Module (CSM), enable the health probe for a real server on the CSM. (CSCed53976)
•
When you configure trustpoints for manual or TFTP enrollment and enter the crypto ca certificate query command, the router loses certificates after it is reloaded.
Workaround: Do not enter the crypto ca certificate query command if you configure any of the trustpoints for manual or TFTP enrollment. (CSCee69321)
•
On systems that are running Catalyst operating system software on the supervisor engine and are configured with high availability, if you reset the SSL Services Module after a switchover, the supervisor engine displays the following error:
Console> (enable) Error: Module <mod> didn't shutdown complete within 3 min.
Module resetting...
The supervisor engine then successfully resets the SSL Services Module. (CSCec69592)
•
If you add a trailing slash (/) to the url value in the enrollment url url command for a trustpoint, the SSL Services Module sends the following GET request during certificate authority authentication:
GET //pkiclient.exe?operation=GetCACert&message=t1 HTTP/1.0
The pkiclient.exe file is usually located in the /cgi-bin/ directory of the certificate authority server.
Workaround: Do not enter a trailing slash (/) to the url value in the enrollment url url command for a trustpoint. (CSCed33492)
•
If you configure a URL rewrite rule, and a server redirects a client to a website that does not have a trailing slash (/) in the URL, the SSL Services Module does not rewrite the URL.
Workaround: Configure the server to add a trailing slash (/) to the relocation string. (CSCec46997)
•
Automatic enrollment might not work correctly if the router does not have a hardware clock (calendar) or if you have not configured a network time protocol (NTP) server.
Workaround 1: Remove the auto-enroll configuration, and then reconfigure auto-enroll to reset the clock manually.
Workaround 2: Reset the enrollment timer by doing the following:
a.
Copy the "crypto ca trustpoint trustpoint_label" and "crypto ca certificate chain name" information from the running configuration.
b.
Delete the trustpoint by entering the no crypto ca trustpoint trustpoint_label command.
c.
Paste the trustpoint and certificate chain information to the configuration. (CSCec19596)
•
If multiple certificate authority certificates in the database have the same subject name, the certificate chain might contain the wrong certificate authority certificate. If the SSL Services Module is configured as an SSL server, it will send the wrong certificate authority certificate in the chain to the client, which could result in authentication and handshake failures.
Workaround: When a certificate authority has renewed its certificate, make sure that you renew all SSL certificates issued by this certificate authority. Delete the old certificate authority certificate from the database to avoid this problem. (CSCec82360)
•
The SSL Services Module does not rewrite the URL if the HTTP header that specifies the relocation string spans more than one TCP segment. (CSCec74017)
•
When you import a certificate from a PKCS12 or PEM file, or when you manually input a certificate authority certificate to the module and the certificate contains an invalid extension, the SSL peer might reject the certificate.
Workaround: Make sure that the certificate has the correct extension (for example, basic constraint) before importing it to the module. (CSCed14070)
•
Importing a self-signed certificate with the key pair of the issuer is not supported by the Cisco IOS PKI system. (CSCea48145)
•
Windows 2000 certificate authorities occasionally reject certificate enrollment requests that are issued by the SSL Services Module. The problem originated with the SCEP DLL and is fixed on the .NET version of the certificate authority but not on the Windows 2000 version.
Workaround: Restart the certificate authority, and issue the enrollment request again. (CSCea53069)
•
There is no help string for the test crypto pki self command, and the generated self-signed certificate is not displayed by the show crypto ca certificate command. (CSCea50887)
•
The Cisco IOS PKI system cannot recover from an authentication failure, which results in a failed enrollment.
Workaround: Enter the no crypto ca trustpoint trustpoint-label command to remove the trustpoint, and then redefine it. Make sure that authentication is successful the first time, and then enroll the router certificate. (CSCea71882)
•
The Cisco IOS PKI system does not validate the issuer when using manual enrollment. As a result, a certificate chain may have a root certificate that belongs to one certificate authority and a router certificate that was issued by another certificate authority. (CSCea57072)
•
For manual certificate enrollment, if the URL string ends with a slash (/) after the TFTP server name or address (for example, tftp://ipaddress/), the system tries to open a file named ".ca" from the TFTP server.
Workaround: Specify the filename in the URL. (CSCea32058)
•
If you import a key pair and a self-signed certificate from a PKCS12 file to a trustpoint and assign the certificate to a proxy service, installation of the certificate fails after you reboot the system, and the proxy service remains in the no cert state.
Workaround: After you reboot the system, delete the trustpoint, and import the PKCS12 file again. The proxy service automatically reinstalls the self-signed certificate. (CSCdz20220)
•
Cutting and pasting the hexadecimal values of a certificate into the configuration from the terminal can cause the data entry to fail.
Workaround: Copy the configuration file to the running configuration, or import the certificate with the key pair using a PKCS12 file. (CSCdz63758)
•
When you upgrade the image using the copy tftp: pclc#mod-fs: command, the command accepts any filename. You will not receive an image name validation when you upgrade the maintenance partition from the application partition or upgrade the application partition from the maintenance partition. For example, if you attempt to upgrade the application partition after booting the module in the application partition, the upgrade fails. (CSCdz23639)
•
Cisco Discovery Protocol (CDP) is not supported on the SSL Services Module; however, the CLI is available. (CSCdz24446)
•
The module might take longer to boot if there are client NAT pools in the startup configuration. The delay is proportional to the number of NAT pools in the configuration. With the maximum supported number of NAT pools (64), the delay is up to 4 minutes. (CSCdy56573)
•
Exporting a PKCS12 file using FTP can take up to 20 minutes if a file with the same name exists on the remote host. (CSCdy85233)
•
When query mode is configured and there are multiple trustpoints using the same certificate authority URL, only one of these trustpoints succeeds in obtaining the whole certificate chain after a Cisco IOS software reboot.
Workaround: Manually authenticate and enroll these trustpoints after the failure. Turn off query mode, and save the certificates in the NVRAM. (CSCdz03802)
•
Syslog messages indicating that proxy services are in the UP state may not be printed for all services configured in the system while booting. (CSCdy61618)
•
Do not configure the internal port Ethernet0/0. Any configuration on Ethernet0/0 results in unexpected behavior of the SSL Services Module. (CSCdy72229)
•
If you enter the clear arp command on the SSL Services Module, all proxy services go into a "down" state and then go into an "up" state. (CSCdy77843)
•
When query mode is configured, entering the no crypto ca certificate query command on the running configuration does not stop the periodic polling for certificates. (CSCdy46075)
•
When certificate query mode is configured, an "invalid input" message may be displayed on the console following a fingerprint. This message displays when a certificate is read from NVRAM when Cisco IOS software reboots, and it does not indicate a real error condition. (CSCdy43112)
•
On systems that are running Cisco IOS software and are configured with route processor redundancy plus (RPR+) or stateful switchover (SSO), if you shut down the SSL Services Module after a switchover (either from the CLI or the SHUTDOWN button on the front panel), the module will not shut down, and its status will remain as "Other."
Workaround: Reset the module, and then shut down the module. (CSCee37656)
Resolved Caveats in Release 2.1(9)
This section describes resolved caveats in SSL Services Module software release 2.1(9):
•
The SSL Services Module might reboot every 2 to 6 hours when you configure URL rewrite with the default ports (port 80 for cleartext and port 443 for SSL).
Workaround: Disable URL rewrite. (CSCsd25820)
•
If the SSL Services Module receives a misaligned TCP selective acknowledgment (SACK) option or a misaligned TCP timestamp option, the module might reload. (CSCee35357)
Open Caveats in Release 2.1(8)
This section describes open caveats for the SSL Services Module software release 2.1(8).
•
After upgrading to SSL software release 2.1(5) or a later release, the SSL proxy service might remain in a down state with a "No Server/Next HOP MAC" reason, even though the server is reachable. This situation might occur after reload.
Workaround: Remove the server IP addresses from the proxy service, and reconfigure the proxy service to restart the service. (CSCei12818)
•
If you delete the route to the real server from the SSL proxy VLAN and then configure another SSL proxy VLAN with the same network as the server IP address, the SSL proxy service goes into a "down" state and the proxy status shows "No Server VLAN," even though the real server is reachable from the SSL Services Module.
Workaround: Save the configuration, and reset the SSL Services Module. (CSCee46096)
•
The SSL Services Module does not support client certificate insertion for SSL client proxy service. If you apply an HTTP header policy to a client proxy service and configure the HTTP header policy with client certificate insertion and other headers, error messages are displayed, and the configuration is not accepted. Output from the show running-config command and the show ssl-proxy service service_name command does not show that the HTTP header policy is attached to the client proxy service; however, the SSL Services Module continues to insert the other configured HTTP headers (other than client certificate headers) into the request.
Workaround: Save the configuration, and reset the SSL Services Module. (CSCin67360)
•
The SSL Services Module with a virtual TCP policy that is configured with a low TCP maximum segment size (MSS) value (for example, 256), and with the default SYN timeout on the server side, might experience a software-forced reset due to exhausted resources if the following events occur simultaneously:
–
The real server is unreachable.
–
There is a burst of approximately 26,000 TCP SYN requests to establish a client connection.
–
All connections enter the ESTABLISHED state in TCP before the HTTP requests are sent on any of the connections.
–
The HTTP requests are more than three times the size of the negotiated MSS value.
Workaround: Do one of the following:
–
Stabilize the real server so that it is reachable.
–
If the SSL Services Module is used with a Content Switching Module (CSM), enable the health probe for a real server on the CSM. (CSCed53976)
•
When you configure trustpoints for manual or TFTP enrollment and enter the crypto ca certificate query command, the router loses certificates after it is reloaded.
Workaround: Do not enter the crypto ca certificate query command if you configure any of the trustpoints for manual or TFTP enrollment. (CSCee69321)
•
On systems that are running Catalyst operating system software on the supervisor engine and are configured with high availability, if you reset the SSL Services Module after a switchover, the supervisor engine displays the following error:
Console> (enable) Error: Module <mod> didn't shutdown complete within 3 min.
Module resetting...
The supervisor engine then successfully resets the SSL Services Module. (CSCec69592)
•
If you add a trailing slash (/) to the url value in the enrollment url url command for a trustpoint, the SSL Services Module sends the following GET request during certificate authority authentication:
GET //pkiclient.exe?operation=GetCACert&message=t1 HTTP/1.0
The pkiclient.exe file is usually located in the /cgi-bin/ directory of the certificate authority server.
Workaround: Do not add a trailing slash (/) to the url value in the enrollment url url command for a trustpoint. (CSCed33492)
•
If you configure a URL rewrite rule, and a server redirects a client to a website that does not have a trailing slash (/) in the URL, the SSL Services Module does not rewrite the URL.
Workaround: Configure the server to add a trailing slash (/) to the relocation string. (CSCec46997)
•
Automatic enrollment might not work correctly if the router does not have a hardware clock (calendar) or if you have not configured a network time protocol (NTP) server.
Workaround 1: Remove the auto-enroll configuration, and then reconfigure auto-enroll to reset the clock manually.
Workaround 2: Reset the enrollment timer by doing the following:
a.
Copy the "crypto ca trustpoint trustpoint_label" and "crypto ca certificate chain name" information from the running configuration.
b.
Delete the trustpoint by entering the no crypto ca trustpoint trustpoint_label command.
c.
Paste the trustpoint and certificate chain information to the configuration. (CSCec19596)
•
If multiple certificate authority certificates in the database have the same subject name, the certificate chain might contain the wrong certificate authority certificate. If the SSL Services Module is configured as an SSL server, it will send the wrong certificate authority certificate in the chain to the client, which could result in authentication and handshake failures.
Workaround: When a certificate authority has renewed its certificate, make sure that you renew all SSL certificates issued by this certificate authority. Delete the old certificate authority certificate from the database to avoid this problem. (CSCec82360)
•
The SSL Services Module does not rewrite the URL if the HTTP header that specifies the relocation string spans more than one TCP segment. (CSCec74017)
•
When you import a certificate from a PKCS12 or PEM file, or when you manually input a certificate authority certificate to the module and the certificate contains an invalid extension, the SSL peer might reject the certificate.
Workaround: Make sure that the certificate has the correct extension (for example, basic constraint) before importing it to the module. (CSCed14070)
•
Importing a self-signed certificate with the key pair of the issuer is not supported by the Cisco IOS PKI system. (CSCea48145)
•
Windows 2000 certificate authorities occasionally reject certificate enrollment requests that are issued by the SSL Services Module. The problem originated with the SCEP DLL and is fixed on the .net version of the certificate authority but not on the Windows 2000 version.
Workaround: Restart the certificate authority, and issue the enrollment request again. (CSCea53069)
•
There is no help string for the test crypto pki self command, and the generated self-signed certificate is not displayed by the show crypto ca certificate command. (CSCea50887)
•
The Cisco IOS PKI system cannot recover from an authentication failure, which results in a failed enrollment.
Workaround: Enter the no crypto ca trustpoint trustpoint-label command to remove the trustpoint, and then redefine it. Make sure that authentication is successful the first time, and then enroll the router certificate. (CSCea71882)
•
The Cisco IOS PKI system does not validate the issuer when using manual enrollment. As a result, a certificate chain may have a root certificate that belongs to one certificate authority and a router certificate that was issued by another certificate authority. (CSCea57072)
•
For manual certificate enrollment, if the URL string ends with a slash (/) after the TFTP server name or address (for example, tftp://ipaddress/), the system tries to open a file named ".ca" from the TFTP server.
Workaround: Specify the filename in the URL. (CSCea32058)
•
If you import a key pair and a self-signed certificate from a PKCS12 file to a trustpoint and assign the certificate to a proxy service, installation of the certificate fails after you reboot the system, and the proxy service remains in the no cert state.
Workaround: After you reboot the system, delete the trustpoint, and import the PKCS12 file again. The proxy service automatically reinstalls the self-signed certificate. (CSCdz20220)
•
Cutting and pasting the hexadecimal values of a certificate into the configuration from the terminal can cause the data entry to fail.
Workaround: Copy the configuration file to the running configuration, or import the certificate with the key pair using a PKCS12 file. (CSCdz63758)
•
When you upgrade the image, the copy tftp: pclc#mod-fs: command accepts any filename. You will not receive an image name validation when you upgrade the maintenance partition from the application partition or upgrade the application partition from the maintenance partition. For example, if you attempt to upgrade the application partition after booting the module in the application partition, the upgrade fails. (CSCdz23639)
•
Cisco Discovery Protocol (CDP) is not supported on the SSL Services Module; however, the CLI is available. (CSCdz24446)
•
The module might take longer to boot if there are client NAT pools in the startup configuration. The delay is proportional to the number of NAT pools in the configuration. With the maximum supported number of NAT pools (64), the delay is up to 4 minutes. (CSCdy56573)
•
Exporting a PKCS12 file using FTP can take up to 20 minutes if a file with the same name exists on the remote host. (CSCdy85233)
•
When query mode is configured and there are multiple trustpoints using the same certificate authority URL, only one of these trustpoints succeeds in obtaining the whole certificate chain after a Cisco IOS software reboot.
Workaround: Manually authenticate and enroll these trustpoints after the failure. Turn off query mode, and save the certificates in the NVRAM. (CSCdz03802)
•
Syslog messages indicating that proxy services are in the UP state may not be printed for all services configured in the system while booting. (CSCdy61618)
•
Do not configure the internal port Ethernet0/0. Any configuration on Ethernet0/0 results in unexpected behavior of the SSL Services Module. (CSCdy72229)
•
If you enter the clear arp command on the SSL Services Module, all proxy services go into a "down" state and then go into an "up" state. (CSCdy77843)
•
When query mode is configured, entering the no crypto ca certificate query command on the running configuration does not stop the periodic polling for certificates. (CSCdy46075)
•
When certificate query mode is configured, an "invalid input" message may be displayed on the console following a fingerprint. This message displays when a certificate is read from NVRAM when Cisco IOS software reboots, and it does not indicate a real error condition. (CSCdy43112)
•
On systems that are running Cisco IOS software and are configured with route processor redundancy plus (RPR+) or stateful switchover (SSO), if you shut down the SSL Services Module after a switchover (either from the CLI or the SHUTDOWN button on the front panel), the module will not shut down, and its status will remain as "Other."
Workaround: Reset the module, and then shut down the module. (CSCee37656)
Resolved Caveats in Release 2.1(8)
This section describes resolved caveats in SSL Services Module software release 2.1(8):
•
When you add HTTP header insert policies to an SSL proxy service, the SSL Services Module might reset repeatedly and generate core dumps. This behavior occurs when a large number of end-of-http-headers are lost.
Workaround: Do not apply policies performing header insertion to ssl-proxy-services. (CSCej38531)
•
When you configure a client proxy, the SSL Services Module resets when the backend SSL server does not allow session resumption and returns an empty session ID.
Workaround: Enable session resumption on the backend SSL server. (CSCsc26099)
•
If you configure the SSL Services Module with header insertion, and if the total size of the server cookie, the client request, and the inserted header exceeds the size of the first buffer (1460 bytes) on the SSL Services Module, the buffer overflows and the SSL Services Module resets. (CSCsb77689)
•
When you configure URL rewrite, the SSL Services Module scans the response from the server. Currently, the entire response (headers and data) is scanned, which leads to a drop in performance. (CSCej33386)
Open Caveats in Release 2.1(7)
This section describes open caveats for the SSL Services Module software release 2.1(7).
•
After upgrading to SSL software release 2.1(5) or a later release, the SSL proxy service might remain in a down state with a "No Server/Next HOP MAC" reason, even though the server is reachable. This situation might occur after reload.
Workaround: Remove the server IP addresses from the proxy service, and reconfigure the proxy service to restart the service. (CSCei12818)
•
If you delete the route to the real server from the SSL proxy VLAN and then configure another SSL proxy VLAN with the same network as the server IP address, the SSL proxy service goes into a "down" state and the proxy status shows "No Server VLAN," even though the real server is reachable from the SSL Services Module.
Workaround: Save the configuration, and reset the SSL Services Module. (CSCee46096)
•
The SSL Services Module does not support client certificate insertion for SSL client proxy service. If you apply an HTTP header policy to a client proxy service and configure the HTTP header policy with client certificate insertion and other headers, error messages are displayed and the configuration is not accepted. Output from the show running-config command and the show ssl-proxy service service_name command does not show that the HTTP header policy is attached to the client proxy service; however, the SSL Services Module continues to insert the other configured HTTP headers (other than client certificate headers) into the request.
Workaround: Save the configuration, and reset the SSL Services Module. (CSCin67360)
•
The SSL Services Module with a virtual TCP policy that is configured with a low TCP maximum segment size (MSS) value (for example, 256), and with the default SYN timeout on the server side, might experience a software-forced reset due to exhausted resources if the following events occur simultaneously:
–
The real server is unreachable.
–
There is a burst of approximately 26,000 TCP SYN requests to establish a client connection.
–
All connections enter the ESTABLISHED state in TCP before the HTTP requests are sent on any of the connections.
–
The HTTP requests are more than three times the size of the negotiated MSS value.
Workaround: Do one of the following:
–
Stabilize the real server so that it is reachable.
–
If the SSL Services Module is used with a Content Switching Module (CSM), enable the health probe for a real server on the CSM. (CSCed53976)
•
When you configure trustpoints for manual or TFTP enrollment and enter the crypto ca certificate query command, the router loses certificates after it is reloaded.
Workaround: Do not enter the crypto ca certificate query command if you configure any of the trustpoints for manual or TFTP enrollment. (CSCee69321)
•
On systems that are running Catalyst operating system software on the supervisor engine and are configured with high availability, if you reset the SSL Services Module after a switchover, the supervisor engine displays the following error:
Console> (enable) Error: Module <mod> didn't shutdown complete within 3 min.
Module resetting...
The supervisor engine then successfully resets the SSL Services Module. (CSCec69592)
•
If you add a trailing slash (/) to the url value in the enrollment url url command for a trustpoint, the SSL Services Module sends the following GET request during certificate authority authentication:
GET //pkiclient.exe?operation=GetCACert&message=t1 HTTP/1.0
The pkiclient.exe file is usually located in the /cgi-bin/ directory of the certificate authority server.
Workaround: Do not add a trailing slash (/) to the url value in the enrollment url url command for a trustpoint. (CSCed33492)
•
If you configure a URL rewrite rule, and a server redirects a client to a website that does not have a trailing slash (/) in the URL, the SSL Services Module does not rewrite the URL.
Workaround: Configure the server to add a trailing slash (/) to the relocation string. (CSCec46997)
•
Automatic enrollment might not work correctly if the router does not have a hardware clock (calendar) or if you have not configured a network time protocol (NTP) server.
Workaround 1: Remove the auto-enroll configuration, and then reconfigure auto-enroll to reset the clock manually.
Workaround 2: Reset the enrollment timer by doing the following:
a.
Copy the "crypto ca trustpoint trustpoint_label" and "crypto ca certificate chain name" information from the running configuration.
b.
Delete the trustpoint by entering the no crypto ca trustpoint trustpoint_label command.
c.
Paste the trustpoint and certificate chain information to the configuration. (CSCec19596)
•
If multiple certificate authority certificates in the database have the same subject name, the certificate chain might contain the wrong certificate authority certificate. If the SSL Services Module is configured as an SSL server, it will send the wrong certificate authority certificate in the chain to the client, which could result in authentication and handshake failures.
Workaround: When a certificate authority has renewed its certificate, make sure that you renew all SSL certificates issued by this certificate authority. Delete the old certificate authority certificate from the database to avoid this problem. (CSCec82360)
•
The SSL Services Module does not rewrite the URL if the HTTP header that specifies the relocation string spans more than one TCP segment. (CSCec74017)
•
When you import a certificate from a PKCS12 or PEM file, or when you manually input a certificate authority certificate to the module and the certificate contains an invalid extension, the SSL peer might reject the certificate.
Workaround: Make sure that the certificate has the correct extension (for example, basic constraint) before importing it to the module. (CSCed14070)
•
Importing a self-signed certificate with the key pair of the issuer is not supported by the Cisco IOS PKI system. (CSCea48145)
•
Windows 2000 certificate authorities occasionally reject certificate enrollment requests that are issued by the SSL Services Module. The problem originated with the SCEP DLL and is fixed on the .net version of the certificate authority but not on the Windows 2000 version.
Workaround: Restart the certificate authority, and issue the enrollment request again. (CSCea53069)
•
There is no help string for the test crypto pki self command, and the generated self-signed certificate is not displayed by the show crypto ca certificate command. (CSCea50887)
•
The Cisco IOS PKI system cannot recover from an authentication failure, which results in a failed enrollment.
Workaround: Enter the no crypto ca trustpoint trustpoint-label command to remove the trustpoint, and then redefine it. Make sure that authentication is successful the first time, and then enroll the router certificate. (CSCea71882)
•
The Cisco IOS PKI system does not validate the issuer when using manual enrollment. As a result, a certificate chain may have a root certificate that belongs to one certificate authority and a router certificate that was issued by another certificate authority. (CSCea57072)
•
For manual certificate enrollment, if the URL string ends with a slash (/) after the TFTP server name or address (for example, tftp://ipaddress/), the system tries to open a file named ".ca" from the TFTP server.
Workaround: Specify the filename in the URL. (CSCea32058)
•
If you import a key pair and a self-signed certificate from a PKCS12 file to a trustpoint and assign the certificate to a proxy service, installation of the certificate fails after you reboot the system, and the proxy service remains in the no cert state.
Workaround: After you reboot the system, delete the trustpoint, and import the PKCS12 file again. The proxy service automatically reinstalls the self-signed certificate. (CSCdz20220)
•
Cutting and pasting the hexadecimal values of a certificate into the configuration from the terminal can cause the data entry to fail.
Workaround: Copy the configuration file to the running configuration, or import the certificate with the key pair using a PKCS12 file. (CSCdz63758)
•
When you upgrade the image, the copy tftp: pclc#mod-fs: command accepts any filename. You will not receive an image name validation when you upgrade the maintenance partition from the application partition or upgrade the application partition from the maintenance partition. For example, if you attempt to upgrade the application partition after booting the module in the application partition, the upgrade fails. (CSCdz23639)
•
Cisco Discovery Protocol (CDP) is not supported on the SSL Services Module; however, the CLI is available. (CSCdz24446)
•
The module might take longer to boot if there are client NAT pools in the startup configuration. The delay is proportional to the number of NAT pools in the configuration. With the maximum supported number of NAT pools (64), the delay is up to 4 minutes. (CSCdy56573)
•
Exporting a PKCS12 file using FTP can take up to 20 minutes if a file with the same name exists on the remote host. (CSCdy85233)
•
When query mode is configured and there are multiple trustpoints using the same certificate authority URL, only one of these trustpoints succeeds in obtaining the whole certificate chain after a Cisco IOS software reboot.
Workaround: Manually authenticate and enroll these trustpoints after the failure. Turn off query mode, and save the certificates in the NVRAM. (CSCdz03802)
•
Syslog messages indicating that proxy services are in the UP state may not be printed for all the services configured in the system while booting. (CSCdy61618)
•
Do not configure the internal port Ethernet0/0. Any configuration on Ethernet0/0 results in unexpected behavior of the SSL Services Module. (CSCdy72229)
•
If you enter the clear arp command on the SSL Services Module, all the proxy services go into a "down" state and then go into an "up" state. (CSCdy77843)
•
When query mode is configured, entering the no crypto ca certificate query command on the running configuration does not stop the periodic polling for certificates. (CSCdy46075)
•
When certificate query mode is configured, an "invalid input" message may be displayed on the console following a fingerprint. This message is displayed when a certificate is read from NVRAM when Cisco IOS software reboots, and it does not indicate a real error condition. (CSCdy43112)
•
On systems that are running Cisco IOS software and are configured with route processor redundancy plus (RPR+) or stateful switchover (SSO), if you shut down the SSL Services Module after a switchover (either from the CLI or the SHUTDOWN button on the front panel), the module will not shut down, and its status will remain as "Other."
Workaround: Reset the module, and then shut down the module. (CSCee37656)
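Several of the open caveats above are triggered by specific configuration patterns: a trailing slash in the enrollment url (CSCed33492), a TFTP enrollment URL that ends after the server address (CSCea32058), crypto ca certificate query combined with manual or TFTP enrollment trustpoints (CSCee69321), and any configuration under Ethernet0/0 (CSCdy72229). The following script, added here as an illustration and not part of the release notes or of Cisco's software, scans a saved configuration for those patterns before it is applied to a module; the sample configuration is constructed, and "enrollment terminal" is assumed to be the form manual enrollment takes in the configuration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of a configuration excerpt (not from the release notes)
# that exhibits each of the four patterns the checker looks for.
SAMPLE_CONFIG = """\
hostname ssl-mod
!
interface Ethernet0/0
 ip address 10.0.0.2 255.255.255.0
!
crypto ca trustpoint ca-scep
 enrollment url http://ca.example.com/cgi-bin/
!
crypto ca trustpoint ca-manual
 enrollment terminal
!
crypto ca trustpoint ca-tftp
 enrollment url tftp://10.1.1.5/
!
crypto ca certificate query
!
"""


def parse_trustpoints(config: str) -> Dict[str, Optional[str]]:
    """Map each 'crypto ca trustpoint <label>' block to its enrollment line (or None)."""
    trustpoints: Dict[str, Optional[str]] = {}
    current = None
    for line in config.splitlines():
        match = re.match(r"^crypto ca trustpoint (\S+)", line)
        if match:
            current = match.group(1)
            trustpoints[current] = None
            continue
        if current is not None and line.startswith(" "):
            if line.strip().startswith("enrollment"):
                trustpoints[current] = line.strip()
        else:
            current = None  # an unindented line ends the trustpoint block
    return trustpoints


def ethernet00_configured(config: str) -> bool:
    """True if 'interface Ethernet0/0' carries any indented configuration lines."""
    in_block = False
    for line in config.splitlines():
        if re.match(r"^interface Ethernet0/0\s*$", line):
            in_block = True
            continue
        if in_block:
            if line.startswith(" "):
                return True
            in_block = False
    return False


def check_config(config: str) -> List[Tuple[str, str]]:
    """Return (caveat id, message) pairs for the caveat-triggering patterns found."""
    findings: List[Tuple[str, str]] = []
    manual_or_tftp: List[str] = []
    for label, enroll in parse_trustpoints(config).items():
        if enroll is None:
            continue
        if enroll == "enrollment terminal":  # assumed manual-enrollment form
            manual_or_tftp.append(label)
        match = re.match(r"enrollment url (\S+)", enroll)
        if not match:
            continue
        url = match.group(1)
        if url.startswith("tftp://"):
            manual_or_tftp.append(label)
            if url.endswith("/"):
                findings.append(("CSCea32058", f"{label}: TFTP URL {url} lacks a filename"))
        elif url.endswith("/"):
            findings.append(("CSCed33492", f"{label}: trailing '/' in {url} yields GET //pkiclient.exe"))
    if manual_or_tftp and re.search(r"^crypto ca certificate query\s*$", config, re.M):
        findings.append(("CSCee69321", "certificate query with manual/TFTP trustpoints: "
                         + ", ".join(manual_or_tftp)))
    if ethernet00_configured(config):
        findings.append(("CSCdy72229", "internal port Ethernet0/0 must not be configured"))
    return findings


if __name__ == "__main__":
    for caveat, message in check_config(SAMPLE_CONFIG):
        print(f"{caveat}: {message}")
```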
Resolved Caveats in Release 2.1(7)
This section describes resolved caveats in SSL Services Module software release 2.1(7):
•
Remote Authentication Dial In User Service (RADIUS) authentication on a device that is running certain versions of Cisco Internetworking Operating System (IOS) and configured with a fallback method to none can be bypassed.
Systems that are configured for other authentication methods or that are not configured with a fallback method to none are not affected.
Only the systems that are running certain versions of Cisco IOS are affected. Not all configurations using RADIUS and none are vulnerable to this issue. Some configurations using RADIUS, none and an additional method are not affected.
Cisco has made free software available to address this vulnerability. There are workarounds available to mitigate the effects of the vulnerability.
More details can be found in the security advisory that was posted at the following URL:
http://www.cisco.com/warp/public/707/cisco-sa-20050629-aaa.shtml
This problem is resolved in SSL software release 2.1(7). (CSCee45312)
•
When you configure a gateway for a VLAN on the SSL Services Module, the module incorrectly responds to PROXY ARP, even though the module is not a router for that network. Hosts on that network use the SSL Services Module to route traffic through the network. If the traffic is not intended for the SSL Services Module, the SSL Services Module drops the packet.
Workaround: Do not configure a gateway for a network that has hosts other than the server.
This problem is resolved in SSL software release 2.1(7). (CSCsb09471)
•
The SSL Services Module might stop responding and accepting connections if you run an application such as Telnet or secure Telnet and you use the application to perform file transfer operations that generate 1 to 2 byte packets on the wire.
Workaround: Reboot the SSL Services Module.
This problem is resolved in SSL software release 2.1(7). (CSCei45351)
•
The SSL Services Module increases the "TOS invalid" counter (as shown in the output of the show ssl-proxy stats tcp command) when it receives packets that have a DSCP bit set, but the module does not drop the packets. The packets are sent to the destination correctly. This issue is not seen when the TOS carry-over feature is not enabled.
This problem is resolved in SSL software release 2.1(7). (CSCsb51510)
•
Clients

