Caveats
Caveats describe unexpected behavior in Cisco IOS software releases. Severity 1 caveats are the most serious caveats; severity 2 caveats are less serious. Severity 3 caveats are moderate caveats, and only select severity 3 caveats are included in the caveats document.
Because Cisco IOS Release 12.0S is based on Cisco IOS Release 12.0, many caveats that apply to Cisco IOS Release 12.0 will also apply to Cisco IOS Release 12.0S. For information on severity 1 and severity 2 caveats in Cisco IOS Release 12.0, see the Caveats for Cisco IOS Release 12.0 document located on Cisco.com.
Note
If you have an account on Cisco.com, you can also use the Bug Toolkit to find select caveats of any severity. To reach the Bug Toolkit, log in to Cisco.com and click Technical Support: Tools & Resources: Bug Toolkit. (The Bug Toolkit is listed under Troubleshooting.) Another option is to go to http://www.cisco.com/pcgi-bin/Support/Bugtool/launch_bugtool.pl. (If the defect that you have requested cannot be displayed, this may be due to one or more of the following reasons: the defect number does not exist, the defect does not have a customer-visible description yet, or the defect has been marked Cisco Confidential.)
These caveats are documented in the following format:
• Symptoms: A description of what is observed when the caveat occurs.
• Conditions: The conditions under which the caveat has been known to occur.
• Workaround: Solutions, if available, to counteract the caveat.
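As an added example (not part of Cisco's release notes), the following Python parses caveat entries in the Symptoms/Conditions/Workaround layout described above and separates entries that point to a security advisory from entries that state no workaround exists. The sample text is abridged from entries on this page; the class and function names are hypothetical.

```python
import re
from dataclasses import dataclass, field

# Patterns derived from the layout used on this page (assumptions about the format).
SECTION = re.compile(r"^(Resolved|Open) Caveats\W+Cisco IOS Release (\S+)$")
CAVEAT_ID = re.compile(r"^CSC[a-z]{2}\d{5}$")
FIELD = re.compile(
    r"^(Symptoms|Conditions|Workaround|Further Problem Description|Problem Description):\s*(.*)$"
)
ADVISORY_URL = re.compile(r"https?://\S+?/cisco-sa-[\w-]+\.shtml")


@dataclass
class Caveat:
    caveat_id: str
    release: str
    fields: dict = field(default_factory=dict)
    advisories: list = field(default_factory=list)


def parse_caveats(text):
    """Return a list of Caveat objects found in release-note text."""
    caveats, current, release, last_field = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in {"\u2022", "\u2013"}:  # bare bullet or dash lines
            continue
        section = SECTION.match(line)
        if section:
            release, current = section.group(2), None
            continue
        if CAVEAT_ID.match(line):
            current = Caveat(line, release or "unknown")
            caveats.append(current)
            last_field = None
            continue
        if current is None:  # introductory text before the first caveat ID
            continue
        for url in ADVISORY_URL.findall(line):
            if url not in current.advisories:
                current.advisories.append(url)
        labelled = FIELD.match(line)
        if labelled:
            last_field = labelled.group(1)
            current.fields[last_field] = labelled.group(2)
        else:
            # Continuation line: append to the last labelled field, or to a
            # free-form description when the entry has no labels (advisories).
            key = last_field or "Description"
            current.fields[key] = (current.fields.get(key, "") + " " + line).strip()
    return caveats


def triage(caveats):
    """Split caveats into (advisory-backed, explicitly without workaround)."""
    advisory = [c for c in caveats if c.advisories]
    no_workaround = [
        c for c in caveats
        if c.fields.get("Workaround", "").lower().startswith("there is no workaround")
    ]
    return advisory, no_workaround


# Sample input abridged from entries on this page, in the page's own layout.
SAMPLE = """\
Resolved Caveats\u2014Cisco IOS Release 12.0(33)S5
All the caveats listed in this section are resolved in Cisco IOS Release 12.0(33)S5.
\u2022
CSCsx70889
Cisco devices running affected versions of Cisco IOS Software are vulnerable to a denial of service (DoS) attack if configured for IP tunnels and Cisco Express Forwarding. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-tunnels.shtml.
Resolved Caveats\u2014Cisco IOS Release 12.0(33)S3
\u2022
CSCso60442
Symptoms: A crash occurs.
Conditions: This symptom is observed when the show buffers interface dump command is entered.
Workaround: There is no workaround.
\u2022
CSCsk27147
Symptoms: The router keeps dropping SNMP packets.
Workaround: Exclude ciscoMemoryPoolMIB from your query with the following commands:
snmp-server view public-view iso included
snmp-server view public-view ciscoMemoryPoolMIB excluded
"""

if __name__ == "__main__":
    advisory, no_workaround = triage(parse_caveats(SAMPLE))
    for c in advisory:
        print(f"{c.caveat_id} ({c.release}): advisory {c.advisories[0]}")
    for c in no_workaround:
        print(f"{c.caveat_id} ({c.release}): no workaround, upgrade required")
```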
The caveats section consists of the following subsections:
Cross-Platform Release Notes for Cisco IOS Release 12.0S, Part 3: Caveats for 12.0(33)S5 through 12.0(30)S
• Resolved Caveats—Cisco IOS Release 12.0(33)S5
• Resolved Caveats—Cisco IOS Release 12.0(33)S4
• Resolved Caveats—Cisco IOS Release 12.0(33)S3
• Resolved Caveats—Cisco IOS Release 12.0(33)S2
• Resolved Caveats—Cisco IOS Release 12.0(33)S1
• Resolved Caveats—Cisco IOS Release 12.0(33)S
• Open Caveats—Cisco IOS Release 12.0(33)S
• Resolved Caveats—Cisco IOS Release 12.0(32)S14
• Resolved Caveats—Cisco IOS Release 12.0(32)S13
• Resolved Caveats—Cisco IOS Release 12.0(32)S12
• Resolved Caveats—Cisco IOS Release 12.0(32)S11
• Resolved Caveats—Cisco IOS Release 12.0(32)S10
• Resolved Caveats—Cisco IOS Release 12.0(32)S9
• Resolved Caveats—Cisco IOS Release 12.0(32)S8
• Resolved Caveats—Cisco IOS Release 12.0(32)S7
• Resolved Caveats—Cisco IOS Release 12.0(32)S6
• Resolved Caveats—Cisco IOS Release 12.0(32)S5
• Resolved Caveats—Cisco IOS Release 12.0(32)S4
• Resolved Caveats—Cisco IOS Release 12.0(32)S3
• Resolved Caveats—Cisco IOS Release 12.0(32)S2
• Resolved Caveats—Cisco IOS Release 12.0(32)S1
• Resolved Caveats—Cisco IOS Release 12.0(32)S
• Resolved Caveats—Cisco IOS Release 12.0(31)S6
• Resolved Caveats—Cisco IOS Release 12.0(31)S5
• Resolved Caveats—Cisco IOS Release 12.0(31)S4
• Resolved Caveats—Cisco IOS Release 12.0(31)S3
• Resolved Caveats—Cisco IOS Release 12.0(31)S2
• Resolved Caveats—Cisco IOS Release 12.0(31)S1
• Resolved Caveats—Cisco IOS Release 12.0(31)S
• Resolved Caveats—Cisco IOS Release 12.0(30)S5
• Resolved Caveats—Cisco IOS Release 12.0(30)S4
• Resolved Caveats—Cisco IOS Release 12.0(30)S3
• Resolved Caveats—Cisco IOS Release 12.0(30)S2
• Resolved Caveats—Cisco IOS Release 12.0(30)S1
• Resolved Caveats—Cisco IOS Release 12.0(30)S
Cross-Platform Release Notes for Cisco IOS Release 12.0S, Part 4: Caveats for 12.0(29)S1 through 12.0(27)S
• Resolved Caveats—Cisco IOS Release 12.0(29)S1
• Resolved Caveats—Cisco IOS Release 12.0(29)S
• Resolved Caveats—Cisco IOS Release 12.0(28)S6
• Resolved Caveats—Cisco IOS Release 12.0(28)S5
• Resolved Caveats—Cisco IOS Release 12.0(28)S4
• Resolved Caveats—Cisco IOS Release 12.0(28)S3
• Resolved Caveats—Cisco IOS Release 12.0(28)S2
• Resolved Caveats—Cisco IOS Release 12.0(28)S1
• Resolved Caveats—Cisco IOS Release 12.0(28)S
• Resolved Caveats—Cisco IOS Release 12.0(27)S5
• Resolved Caveats—Cisco IOS Release 12.0(27)S4
• Resolved Caveats—Cisco IOS Release 12.0(27)S3
• Resolved Caveats—Cisco IOS Release 12.0(27)S2
• Resolved Caveats—Cisco IOS Release 12.0(27)S1
• Resolved Caveats—Cisco IOS Release 12.0(27)S
Cross-Platform Release Notes for Cisco IOS Release 12.0S, Part 5: Caveats for 12.0(26)S6 through 12.0(24)S
• Resolved Caveats—Cisco IOS Release 12.0(26)S6
• Resolved Caveats—Cisco IOS Release 12.0(26)S5
• Resolved Caveats—Cisco IOS Release 12.0(26)S4
• Resolved Caveats—Cisco IOS Release 12.0(26)S3
• Resolved Caveats—Cisco IOS Release 12.0(26)S2
• Resolved Caveats—Cisco IOS Release 12.0(26)S1
• Resolved Caveats—Cisco IOS Release 12.0(26)S
• Resolved Caveats—Cisco IOS Release 12.0(25)S4
• Resolved Caveats—Cisco IOS Release 12.0(25)S3
• Resolved Caveats—Cisco IOS Release 12.0(25)S2
• Resolved Caveats—Cisco IOS Release 12.0(25)S1
• Resolved Caveats—Cisco IOS Release 12.0(25)S
• Resolved Caveats—Cisco IOS Release 12.0(24)S6
• Resolved Caveats—Cisco IOS Release 12.0(24)S5
• Resolved Caveats—Cisco IOS Release 12.0(24)S4
• Resolved Caveats—Cisco IOS Release 12.0(24)S3
• Resolved Caveats—Cisco IOS Release 12.0(24)S2
• Resolved Caveats—Cisco IOS Release 12.0(24)S1
• Resolved Caveats—Cisco IOS Release 12.0(24)S
Cross-Platform Release Notes for Cisco IOS Release 12.0S, Part 6: Caveats for 12.0(23)S6 through 12.0(6)S
• Resolved Caveats—Cisco IOS Release 12.0(23)S6
• Resolved Caveats—Cisco IOS Release 12.0(23)S5
• Resolved Caveats—Cisco IOS Release 12.0(23)S4
• Resolved Caveats—Cisco IOS Release 12.0(23)S3
• Resolved Caveats—Cisco IOS Release 12.0(23)S2
• Resolved Caveats—Cisco IOS Release 12.0(23)S1
• Resolved Caveats—Cisco IOS Release 12.0(23)S
• Resolved Caveats—Cisco IOS Release 12.0(22)S6
• Resolved Caveats—Cisco IOS Release 12.0(22)S5
• Resolved Caveats—Cisco IOS Release 12.0(22)S4
• Resolved Caveats—Cisco IOS Release 12.0(22)S3
• Resolved Caveats—Cisco IOS Release 12.0(22)S2
• Resolved Caveats—Cisco IOS Release 12.0(22)S1
• Resolved Caveats—Cisco IOS Release 12.0(22)S
• Resolved Caveats—Cisco IOS Release 12.0(21)S8
• Resolved Caveats—Cisco IOS Release 12.0(21)S7
• Resolved Caveats—Cisco IOS Release 12.0(21)S6
• Resolved Caveats—Cisco IOS Release 12.0(21)S5
• Resolved Caveats—Cisco IOS Release 12.0(21)S4
• Resolved Caveats—Cisco IOS Release 12.0(21)S3
• Resolved Caveats—Cisco IOS Release 12.0(21)S2
• Resolved Caveats—Cisco IOS Release 12.0(21)S1
• Resolved Caveats—Cisco IOS Release 12.0(21)S
• Resolved Caveats—Cisco IOS Release 12.0(19)S4
• Resolved Caveats—Cisco IOS Release 12.0(19)S3
• Resolved Caveats—Cisco IOS Release 12.0(19)S2
• Resolved Caveats—Cisco IOS Release 12.0(19)S1
• Resolved Caveats—Cisco IOS Release 12.0(19)S
• Resolved Caveats—Cisco IOS Release 12.0(18)S7
• Resolved Caveats—Cisco IOS Release 12.0(18)S6
• Resolved Caveats—Cisco IOS Release 12.0(18)S5
• Resolved Caveats—Cisco IOS Release 12.0(18)S3
• Resolved Caveats—Cisco IOS Release 12.0(18)S2
• Resolved Caveats—Cisco IOS Release 12.0(18)S1
• Resolved Caveats—Cisco IOS Release 12.0(18)S
• Resolved Caveats—Cisco IOS Release 12.0(17)S7
• Resolved Caveats—Cisco IOS Release 12.0(17)S6
• Resolved Caveats—Cisco IOS Release 12.0(17)S5
• Resolved Caveats—Cisco IOS Release 12.0(17)S4
• Resolved Caveats—Cisco IOS Release 12.0(17)S3
• Resolved Caveats—Cisco IOS Release 12.0(17)S2
• Resolved Caveats—Cisco IOS Release 12.0(17)S1
• Resolved Caveats—Cisco IOS Release 12.0(17)S
• Resolved Caveats—Cisco IOS Release 12.0(16)S10
• Resolved Caveats—Cisco IOS Release 12.0(16)S9
• Resolved Caveats—Cisco IOS Release 12.0(16)S8
• Resolved Caveats—Cisco IOS Release 12.0(16)S3
• Resolved Caveats—Cisco IOS Release 12.0(16)S2
• Resolved Caveats—Cisco IOS Release 12.0(16)S1
• Resolved Caveats—Cisco IOS Release 12.0(16)S
• Resolved Caveats—Cisco IOS Release 12.0(15)S7
• Resolved Caveats—Cisco IOS Release 12.0(15)S6
• Resolved Caveats—Cisco IOS Release 12.0(15)S3
• Resolved Caveats—Cisco IOS Release 12.0(15)S1
• Resolved Caveats—Cisco IOS Release 12.0(15)S
• Resolved Caveats—Cisco IOS Release 12.0(14)S8
• Resolved Caveats—Cisco IOS Release 12.0(14)S7
• Resolved Caveats—Cisco IOS Release 12.0(14)S3
• Resolved Caveats—Cisco IOS Release 12.0(14)S1
• Resolved Caveats—Cisco IOS Release 12.0(14)S
• Resolved Caveats—Cisco IOS Release 12.0(13)S8
• Resolved Caveats—Cisco IOS Release 12.0(13)S6
• Resolved Caveats—Cisco IOS Release 12.0(13)S
• Resolved Caveats—Cisco IOS Release 12.0(12)S4
• Resolved Caveats—Cisco IOS Release 12.0(12)S3
• Resolved Caveats—Cisco IOS Release 12.0(12)S
• Resolved Caveats—Cisco IOS Release 12.0(11)S6
• Resolved Caveats—Cisco IOS Release 12.0(11)S
• Resolved Caveats—Cisco IOS Release 12.0(10)S8
• Resolved Caveats—Cisco IOS Release 12.0(10)S7
• Resolved Caveats—Cisco IOS Release 12.0(10)S
• Resolved Caveats—Cisco IOS Release 12.0(9)S8
• Resolved Caveats—Cisco IOS Release 12.0(9)S
• Resolved Caveats—Cisco IOS Release 12.0(8)S1
• Resolved Caveats—Cisco IOS Release 12.0(8)S
• Resolved Caveats—Cisco IOS Release 12.0(7)S
• Resolved Caveats—Cisco IOS Release 12.0(6)S
Resolved Caveats—Cisco IOS Release 12.0(33)S5
All the caveats listed in this section are resolved in Cisco IOS Release 12.0(33)S5. This section describes only severity 1, severity 2, and select severity 3 caveats.
•
CSCsx70889
Cisco devices running affected versions of Cisco IOS Software are vulnerable to a denial of service (DoS) attack if configured for IP tunnels and Cisco Express Forwarding. Cisco has released free software updates that address this vulnerability. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-tunnels.shtml.
•
CSCsz55293
Symptoms: A remote third-party device is resetting the IPv6 BGP session with a Cisco 12000 router.
Conditions: BGP is exchanging only IPv6 capability with the remote EBGP peer, but IPv4 capability will be enabled by default. The remote EBGP peer is sending only IPv6 capability, and we should advertise only IPv6 prefixes because that is the capability negotiated. We are wrongly marking IPv4 capability as negotiated and advertising IPv4 prefixes, and the remote neighbor is resetting the session because IPv4 capability is not negotiated at the peer end.
Workaround: Configure a route map to deny all IPv4 prefixes, and apply it as follows:
route-map deny-ipv4 deny 10
router bgp <asnum>
 address-family ipv4
 neighbor <IPv6Address> activate
 neighbor <IPv6Address> route-map <deny-ipv4> out
•
CSCta24441
Symptoms: Under certain circumstances, an E5 linecard may stop forwarding traffic to a certain subinterface. We see ARP entries updated, but traffic is not arriving on the connected equipment. Accordingly, we see on the connected equipment that ARP ages out. The connected VLAN becomes isolated to the rest of the network. Also, control protocols on the affected interface can go down.
Conditions: The Cisco 12000 is connected to a dot1q trunk. The issue is seen on subinterfaces with or without VRF, and with various lengths of subnet masks. This issue is seen when the adjacencies of the affected interface have an adjacency index with a value greater than 16383. This issue can be seen in a scaled testbed where there is a lot of churn in adjacency creation and deletion as a result of subinterface deletion and creation or ARP entries getting timed-out and refreshed.
Workaround: Perform a shut/no shut on the subinterface. Make sure to pause before bringing the subinterface back up. If this does not work, remove the subinterface and configure the same again.
If the above workaround does not work, reloading the RP is the only solution.
•
CSCta33973
Recent versions of Cisco IOS Software support RFC4893 ("BGP Support for Four-octet AS Number Space") and contain two remote denial of service (DoS) vulnerabilities when handling specific Border Gateway Protocol (BGP) updates.
These vulnerabilities affect only devices running Cisco IOS Software with support for four-octet AS number space (hereafter referred to as 4-byte AS number) and BGP routing configured.
The first vulnerability could cause an affected device to reload when processing a BGP update that contains autonomous system (AS) path segments made up of more than one thousand autonomous systems.
The second vulnerability could cause an affected device to reload when the affected device processes a malformed BGP update that has been crafted to trigger the issue.
Cisco has released free software updates to address these vulnerabilities.
No workarounds are available for the first vulnerability.
A workaround is available for the second vulnerability.
This advisory is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sa-20090729-bgp.shtml
Resolved Caveats—Cisco IOS Release 12.0(33)S4
All the caveats listed in this section are resolved in Cisco IOS Release 12.0(33)S4. This section describes only severity 1, severity 2, and select severity 3 caveats.
Basic System Services
•
CSCsw76894
Symptoms: IPv6 traps are not sent. Sometimes "%IP_SNMP-3-SOCKET: can't open UDP socket" messages are also seen.
Conditions: This symptom is observed when no IPv4 address is configured.
Workaround: Perform the following three steps:
1. Disable the SNMP engine by issuing the no snmp-server command.
2. Configure an IP address and an IPv6 address on loopback interfaces.
3. Enable the SNMP engine.
•
CSCsz87312
Symptoms: A Cisco 12000 series Internet router that is running Cisco IOS Release 12.0(33)S3 may have partial debug outputs of the debug snmp packet command in the log even though no such debug command is enabled.
The edited log would appear as follows:
<snip>
May 27 15:36:52.272 UTC: SNMP: Packet sent via UDP to xxx.xxx.xxx.xxx
<snip>
Conditions: The messages appear because of a reply to an SNMP probe.
Workaround: There is no workaround.
Further Problem Description: This symptom is not observed in Cisco IOS Release 12.0(33)S2.
Resolved Caveats—Cisco IOS Release 12.0(33)S3
All the caveats listed in this section are resolved in Cisco IOS Release 12.0(33)S3. This section describes only severity 1, severity 2, and select severity 3 caveats.
•
CSCdw62064
Symptoms: Inbound data packets that are reassembled from multilink fragments may not be processed properly on Multilink PPP (MLP) interfaces that are receiving encrypted IP Security (IPSec) traffic that is terminated locally when a hardware accelerator is used for decryption.
Conditions: This symptom affects all inbound reassembled data frames that are received by the bundle and not just those data frames that are carrying encrypted IP datagrams. Most significantly, inbound Internet Security Association and Key Management Protocol (ISAKMP) keepalives are not processed, leading to the eventual failures of the associated IPSec sessions.
The IPSec sessions are reestablished after each failure, but traffic drops will occur until the session is renegotiated via the Internet Key Exchange (IKE). Thus, the observable symptoms are an intermittent failure of IPSec sessions combined with high loss rates in the encrypted data traffic.
Workaround: Disable hardware crypto acceleration, and use software crypto acceleration instead.
•
CSCed55180
Symptoms: After a Stateful Switchover (SSO) occurs on a Cisco 7500 series, the traffic interruption may last longer than you would expect.
Conditions: This symptom is observed on Cisco 7500 series that runs Cisco IOS Release 12.2(22)S and that is configured with a Route Switch Processor 4 or 8 (RSP4 or RSP8) when the router is configured with a large number (100,000) of Border Gateway Protocol (BGP) routes and Ethernet interfaces that process traffic.
Workaround: There is no workaround. One way to help reduce the length of the traffic interruption is to add static ARP entries.
•
CSCei45749
Symptoms: When you enter the clear interface command on an Inverse Multiplexing for ATM (IMA) interface configured for dynamic bandwidth, the PVCs that are associated with the IMA interface may become Inactive.
Conditions: This symptom is observed only for IMA interfaces that have the atm bandwidth dynamic command enabled.
Workaround: Issuing the no atm bandwidth dynamic command from the IMA interface can prevent the problem from happening. If the problem has been experienced already, using the no atm bandwidth dynamic command followed by a shutdown and subsequent no shutdown from the IMA interface can be used to work around the problem and clear the inactive PVC condition.
•
CSCek77589
Symptoms: The following message is observed in syslog/console.
%UTIL-3-IDTREE_TRACE: SSM SEG freelist DB:Duplicate ID free
Conditions: This symptom was observed during scalability testing of a large number (over 2000) of PPP sessions being brought up and torn down continuously.
Workaround: There is no workaround.
•
CSCir01027
Symptoms: SNMP over IPv6 does not function.
Conditions: This symptom is observed on a Cisco router that integrates the fix for caveat CSCsg02387. A list of the affected releases can be found at http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsg02387. Cisco IOS software releases that are not listed in the "First Fixed-in Version" field at this location are not affected.
Workaround: Use SNMP over IPv4.
•
CSCsd23579
Symptoms: On PPP links that do not support duplicate address detection (DAD), the interface up state can be signaled too early, for example before the interface is actually up. As a result, OSPFv3 neighbor relationship is not established.
Conditions: Any interface that does not support DAD could signal link local up before the interface is up.
Workaround: There is no workaround.
•
CSCsd47863
Symptoms: Summary Refresh messages are not sent downstream; consequently, the downstream router notices missing refreshes, and, after some time, the tunnel goes down.
Conditions: This symptom is observed when there is an alternate FRR path and it becomes active. The router that has refresh reduction enabled creates the problem. The command that creates the problem is:
ip rsvp signalling refresh reduction
Workaround: Disable Refresh Reduction on the router using the following command:
no ip rsvp signalling refresh reduction
Further Problem Description: When an incoming interface on a router is shut down, FRR is triggered, and tunnels take another path.
The Path messages on this router now come via a different incoming interface. This router had ip rsvp signalling refresh reduction enabled.
We can now see that this router stops sending Refresh reduction messages downstream. After some time, the downstream router will say that it has missed the refreshes and then after some time (around 5 minutes), the tunnel will be down.
•
CSCsf04035
Symptoms: Upon an SSO switchover, on the new active RP, the MFR interface shows the default bandwidth value instead of the actual bandwidth, which is based on the available bundle links.
Conditions: This symptom is observed on a Cisco 7600 router that is running 12.2SR software and on a Cisco 12000 series Internet router that is running 12.0SY software.
Workaround: Recycle the MFR interface to reset the bandwidth to the correct value.
•
CSCsf32449
Symptoms: A Sup720 Multicast-VPN (MVPN) PE router may not advertise its mdt prefix (BGP vpnv4 RD-type 2) after reloading.
Conditions: This symptom is observed on a Sup720 MVPN PE router.
Workaround: Use the clear ip bgp command after reloading.
•
CSCsg00102
Symptoms: SSLVPN service stops accepting any new SSLVPN connections.
Conditions: A device configured for SSLVPN may stop accepting any new SSLVPN connections, due to a vulnerability in the processing of new TCP connections for SSLVPN services. If the debug ip tcp transactions command is enabled and this vulnerability is triggered, debug messages with connection queue limit reached will be observed.
This vulnerability is documented in two separate Cisco bug IDs, both of which are required for a full fix: CSCso04657 and CSCsg00102.
•
CSCsg02387
Symptoms: A time-out occurs when you enter an SNMP command for an IPv6 interface. However, you can ping the IPv6 interface.
Conditions: This symptom is observed on a Cisco 7200 series but is platform-independent.
Workaround: There is no workaround.
•
CSCsh97579
Cisco devices running affected versions of Cisco IOS Software are vulnerable to a denial of service (DoS) attack if configured for IP tunnels and Cisco Express Forwarding. Cisco has released free software updates that address this vulnerability. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-tunnels.shtml.
•
CSCsi57031
Symptoms: On a pseudowire that is configured on an OC-12 ATM interface, when you delete the oam-ac emulation-enable command, enter the write memory command, and then initiate an SSO switchover, the new standby PRE continues to reboot because of a configuration mismatch with the new active PRE.
Conditions: This symptom is observed on a Cisco 10000 series when the new active PRE has the oam-ac emulation-enable command in its configuration but the new standby PRE does not, causing a configuration mismatch. The symptom may not be platform-specific.
Workaround: Reload the new active PRE, then remove the oam-pvc manage 0 command from its configuration.
•
CSCsj56281
Symptoms: Inherit peer-policy does not work.
Conditions: This symptom is observed after a router reload.
Workaround: There is no workaround.
•
CSCsj60462
Symptoms: Unicast traffic is multicasted.
Conditions: This symptom is observed if two sources send traffic at the same time.
Workaround: There is no workaround.
•
CSCsj75907
Symptoms: Traffic may be lost, and the port mode VC goes down.
Conditions: This symptom is observed when an OIR is performed on the PE edge interface in an L2VPN setup.
Workaround: Reset the interfaces on the PEs.
•
CSCsj88665
Symptoms: A device with a PA-MC-2T3+ may reset because of a bus error if a channel group is removed while the show interface command is being used from another telnet session at the same time, and then the telnet session is cleared.
The device may also display Spurious Memory Accesses.
Conditions: These symptoms have been observed in the latest Cisco IOS 12.4T and 12.2S releases.
Workaround: Do not remove a channel group while using the show interface command for that interface.
•
CSCsk27147
Symptoms: The following SNMP is incorrectly generated:
%SNMP-3-INPUT_QFULL_ERR: Packet dropped due to input queue full
This issue is affecting the CISCO-MEMORYPOOL-MIB instead.
Conditions: Occurs on a Cisco 2600 series router running Cisco IOS Release 12.4(11)T3. The router keeps dropping SNMP packets. The log shows that the packets are dropped because of the input queue being full. Although the utilization is sometimes high, this could not be the root cause, as the router keeps dropping packets regardless of the current utilization. Also, the SNMP process takes 5 to 20 percent of the CPU load.
Workaround: Exclude ciscoMemoryPoolMIB from your query with the following commands:
snmp-server view public-view iso included
snmp-server view public-view ciscoMemoryPoolMIB excluded
Apply this view to the RW community string. This view will exclude only ciscoMemoryPoolMIB; all other MIBs will be available.
•
CSCsk31502
Symptoms: A router that is running IPv6 in IP tunnelling may reload upon receiving a malformed packet.
Conditions: The router needs to be configured for IPv6 in IP tunneling.
Workaround: There is no workaround.
•
CSCsk59579
Symptoms: The error message "eelc_add_a_port_to_root: port number not contiguous" is displayed, and SPAs may eventually go out of service.
Conditions: This symptom is observed under a race condition due to a back-to-back removal and addition of a member from the bundle.
Workaround: Shut down the member before removing it from the bundle.
•
CSCsk64158
Several features within Cisco IOS Software are affected by a crafted UDP packet vulnerability. If any of the affected features are enabled, a successful attack will result in a blocked input queue on the inbound interface. Only crafted UDP packets destined for the device could result in the interface being blocked; transit traffic will not block the interface.
Cisco has released free software updates that address this vulnerability.
Workarounds that mitigate this vulnerability are available in the workarounds section of the advisory.
This advisory is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sa-20090325-udp.shtml
•
CSCsk78809
Symptoms: If the traffic flow is re-routed a couple of times due to routing information changes under a heavy load, the linecard suddenly stops forwarding traffic, and then even if the utilization is zero, the linecard does not forward packets anymore.
Conditions: This problem is specific to SPA-1X10GE-L-V2 cards. It is associated with a failed re-initialization of the SPA; that is, the problem can be reproduced by re-initializing the SPA while traffic is artificially sent to the SPA rx side during the re-initialization. Traffic is IMIX with giant/jumbo packets.
Workaround: There is no workaround. The proper operations can be recovered via "reload slot x."
•
CSCsl49628
Symptoms: When a VPN routing/forwarding (VRF) is deleted through the CLI, the VRF deletion never completes on the standby RP, and the VRF cannot be reconfigured at a later time.
Conditions: This symptom is observed when BGP is enabled on the router.
Workaround: There is no workaround.
•
CSCsm27071
A vulnerability in the handling of IP sockets can cause devices to be vulnerable to a denial of service attack when any of several features of Cisco IOS Software are enabled. A sequence of specially crafted TCP/IP packets could cause any of the following results:
– The configured feature may stop accepting new connections or sessions.
– The memory of the device may be consumed.
– The device may experience prolonged high CPU utilization.
– The device may reload.
Cisco has released free software updates that address this vulnerability.
Workarounds that mitigate this vulnerability are available in the "workarounds" section of the advisory.
The advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090325-ip.shtml.
•
CSCsm49112
Problem Description: When eBGP sessions that carry a full routing table (200,000+ routes) are brought up, a prolonged period of 100-percent CPU utilization (5 to 7 minutes) is experienced.
During this time, the router is unresponsive in the CLI, and it stops responding to icmp/snmp polls.
The router is a Cisco 12406/PRP and is running Cisco IOS Release 12.0(32)S5 (c12kprp-k4p-mz.120-32.S5).
When bringing up a BGP session with a full routing table, the router seems to load the first several thousand prefixes quickly and then stops dead for several minutes before loading the rest.
Workaround: After changing the outbound prefix list on the eBGP session to a deny all (ip prefix-list test-nothing-out seq 1 deny 0.0.0.0/0 le 32), clearing the BGP session does not produce the problem anymore.
•
CSCsm74848
Symptoms: A crash occurs.
Conditions: All the interfaces should be up and running. To recreate the issue, perform the following steps:
1) Configure xconnect between PE1 and PE2.
2) Execute the show xconnect all command.
3) Then remove the T1 channel on which xconnect is configured.
Workaround: There is no workaround.
•
CSCsm75818
Symptoms: Multicast data loss may be observed while changing the PIM mode of MDT-data groups in all core routers.
Conditions: The symptom is observed while changing the PIM mode of MDT-data groups from "Sparse" to "SSM" or "SSM" to "Sparse" in all core routers in a Multicast Virtual Private Network (MVPN).
Workaround: Use the clear ip mroute MDT-data group command to resolve the issue.
•
CSCsm84415
Symptoms: ATM aal0-aal0 local switching fails upon SSO switchover, with L2 rewrite information missing for the corresponding VCs, resulting in traffic drops. The pseudowire will be down.
Conditions: This symptom is observed after an SSO switchover in a scale testbed. Local Switching and AToM will both be affected.
Workaround: Shutting and unshutting the involved ports resolves the issue.
•
CSCsm86832
Symptoms: The line protocol of the serial interface keeps flapping.
Conditions: This symptom is observed after the Atlas BERT pattern is run on a fractional T1 (1 or 2 timeslots).
Workaround: Add/Remove the T1.
•
CSCso04657
Symptoms: SSL VPN service stops accepting any new connections.
Conditions: A device configured for SSL VPN may stop accepting any new SSL VPN connections due to a vulnerability in the processing of new TCP connections for SSL VPN services. If the debug ip tcp transactions command is enabled and this vulnerability is triggered, debug messages with connection queue limit reached will be observed.
Workaround: There is no workaround.
•
CSCso60442
Symptoms: A crash occurs.
Conditions: This symptom is observed when the show buffers interface dump command is entered.
Workaround: There is no workaround.
•
CSCso84392
Symptoms: In MVPN, on the source PE, multicast packets are punted to the RP CPU, and some packets are also dropped.
Conditions: Ingress E3 and egress E5, and the TUNSEQ error message appears.
Workaround: There is no workaround.
•
CSCso92169
Symptoms: A traceback is seen on the E3 and E5 line cards.
Conditions: This symptom is observed under normal traffic conditions after a clear ip route * command is issued.
Workaround: There is no workaround.
•
CSCsq13938
Symptoms: In Cisco IOS software that is running the Border Gateway Protocol (BGP), the router may reload if BGP show commands are executed while the BGP configuration is being removed.
Conditions: This problem may happen only if the BGP show command is started and suspended by auto-more before the BGP-related configuration is removed, and if the BGP show command is continued (for example by pressing the SPACE bar) after the configuration has been removed. This bug affects BGP show commands related to VPNv4 address family. In each case the problem only happens if the deconfiguration removes objects that are being utilized by the show command. Removing unrelated BGP configuration has no effect.
This bug is specific to MPLS-VPN scenarios (CSCsj22187 fixes this issue for other address-families).
Workaround: Terminate any paused BGP show commands before beginning operations to remove BGP-related configuration. Pressing "q" to abort suspended show commands, rather than SPACE to continue them, may avoid problems in some scenarios.
•
CSCsq31233
Symptoms: The following error messages are received on a 1xoc12 eng3 line card:
SEC 8:May 16 06:41:09.216: %IDBINDEX_SYNC-3-IDBINDEX_ENTRY_SET: Cannot set entry to interface index table: "", 73
-Process= "RP Standby", ipl= 0, pid= 63
-Traceback= 20A640 20A748 11D29D8 27F7A8 281F80 439B64 436AC4 5187B8 4FF360 5006FC 523434 240B7C 5C0514 5C0A14 34BC74 350B0C
SEC 8:May 16 06:41:09.216: %FIB-2-HW_IF_INDEX_ILLEGAL: Attempt to create CEF interface for Serial4/0.1/1:1 with illegal index: -1
-Traceback= 20A640 20A748 178438 17A198 17A7E8 17A980 439C1C 436ACC 5187B8 4FF360 5006FC 523434 240B7C 5C0514 5C0A14 34BC74
SEC 8:May 16 06:41:09.216: %EERP-2-UIDB_ERR: Unable to allocate resources. Null fibhwidb for free 0
Conditions: This symptom is observed when either of the two tasks mentioned below is performed in the specific order and HA is configured in SSO mode.
A. Configure/Unconfigure Channels:
1. Under sonet framing, configure some T1 lines.
2. Unconfigure these T1 lines.
3. Change the framing to sdh and configure some E1 lines.
4. Unconfigure these E1 lines.
5. Change the framing to sonet and configure some T1 lines.
B. Change Framing:
1. Change the framing without deleting all the channels; a warning message to delete all channels before changing the framing will be issued.
2. Delete all the channels.
3. Change the framing multiple times from sonet to sdh, from sdh to sonet, and then from sonet to sdh again.
Workaround: There is no workaround.
•
CSCsq31776
Cisco devices running affected versions of Cisco IOS Software are vulnerable to a denial of service (DoS) attack if configured for IP tunnels and Cisco Express Forwarding. Cisco has released free software updates that address this vulnerability. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-tunnels.shtml.
•
CSCsq91960
Symptoms: VRF may not get deleted if the VRF NAME size is 32 characters on a dual RP HA/SSO router.
Conditions: This symptom occurs when adding a VRF with 32 characters on a DUAL RP HA router. (In some releases a VRF name with more than 32 characters will get truncated to 32.) The following may occur:
– There may be a DATA CORRUPTION ERRMSG.
– While deleting this 32 character length VRF, VRF will fail to get deleted completely with an ERRMSG on active.
Workaround: There is no workaround.
•
CSCsq96435
Symptoms: Line cards get stuck in the WAITRTRY state after an RP switchover and a router reload.
Conditions: This symptom is observed on a Cisco 12810 and 12816 Internet series router that is booted with Cisco IOS Release 12.0(32)S11. The symptom is seen on both E4+ and E6 line cards and also during reload.
Workaround: There is no workaround.
•
CSCsr04198
Symptoms: Traffic for certain pairs of sources and destinations is dropped.
Conditions: This symptom is observed under the following conditions:
1. Destinations are routed via a default route.
2. Load-balancing is in place.
Workaround: Break and restore load-balancing by changing IGP metrics.
•
CSCsr40433
Symptoms: Traffic engineering (TE) tunnel reoptimization fails and the tunnel is stuck in "RSVP signaling proceeding."
Conditions: Occurs when an explicit path is configured with loose next hops, one of the next hops is still reachable, and that next hop is a dead end.
Workaround: Use strict next hop addresses.
•
CSCsr53541
Symptoms: A TE tunnel from a mesh group disappears after the tailend router is reloaded.
Conditions: The IGP is OSPF, and OSPF is used to advertise the mesh-group membership. The problem appears only if the OSPF network type is point-to-point.
Workaround: Enter the clear mpls traffic-eng auto-tunnel mesh command after the TE tunnel disappears from the mesh group.
•
CSCsr61125
Symptoms: A switchover takes more time on a Cisco 7500 router.
Conditions: This symptom is observed when RPR+ is configured on the Cisco 7500.
Workaround: There is no workaround.
•
CSCsr64777
Symptoms: A router crashes because of a block overrun (overwriting the memory block).
Conditions: This symptom is observed only when NetFlow version 5 is used.
Workaround: NetFlow version 9 could be used for exporting.
•
CSCsr67137
Symptoms: An Engine 3 (E3) Channelized OC12 (CHOC12) line card can reload after a switchover in Route Processor Redundancy Plus (RPR+) mode.
Conditions: This symptom is observed on a Cisco 12416 Internet series router:
The router is booted with Cisco IOS Release 12.0(32)S11n and contains the following:
– Redundant PRP-2 processor running in RPR+ mode.
– E3 CHOC12 line card.
– All other slots in the chassis are populated with E3, E4+, and E5 line cards.
Workaround: There is no workaround.
•
CSCsr67289
Symptoms: Router hangs when online insertion and removal (OIR) is performed.
Conditions: Occurs after changing the interface bandwidth followed by an OIR operation.
Workaround: Stop traffic before making these changes.
•
CSCsr87973
Symptoms: Linecards crash when the tunnel interface is shut down.
Conditions:
1. The issue is seen when Tag-Switching is enabled on the VRF interface and the tunnel interface is shut down.
2. The interface on which the tunnels are going through goes down and tunnels go down with it also.
See attachments for configuration information.
Workarounds:
1. For condition 1, the workaround is to remove the tag-switching command configured on all the affected VRF interfaces and then do a shutdown.
2. For condition 2, there is no workaround because an interface can go down when the underlying L1/L2 layer goes down.
Further Problem Description: See attachments for topology and router configurations.
•
CSCsr88705
Symptoms: Redistributed routes are not being advertised after a neighbor flap.
Conditions: This symptom is observed if BGP is redistributing local routes and if there are multiple neighbors in the same update-group and then a neighbor flaps. For the flapped neighbor, some redistributed routes are not being advertised.
Workaround: Undo and redo the redistribution.
•
CSCsu23084
Symptoms: The secondary RP crashes continuously.
Conditions: This symptom is observed in any Cisco IOS Release 12.0(33)S image, subject to the following:
– Redundancy mode SSO.
– Several Link-bundling subinterfaces with service policies attached (Scaled Environment).
– More than 1 Engine 3 Members.
The secondary RP will crash when it is coming up, if the primary RP is already up and configured. Examples of this behavior:
– Switchover.
– The primary comes up first; the secondary is manually booted later.
Workaround: Change the redundancy mode to RPR or RPR+ to avoid the crash.
•
CSCsu32015
Symptoms: A ping fails across Frame Relay subinterfaces over a non-channelized SPA.
Conditions: The ping fails across Frame Relay subinterfaces when:
– The channelized SPA is used on a bay and there are approximately 30 or more interfaces that are created and used.
– That SPA is later removed and moved to some other bay or to some other slot.
– And this current empty bay is then used for a non-channelized SPA and for Frame Relay subinterface circuits.
Workaround: There is no workaround.
•
CSCsu33246
Symptoms: IPv6 PIM RP embedded functionality is not working properly in Cisco IOS Release 12.0(32)S or Release 12.0(32)SY even after the fix for CSCsf28907.
Conditions: If a first-hop router (that is connected to the IPv6 multicast source) is configured for a PIM RP embedded operation, the register packets will not be sent to the RP and the mroute table will remain in the Registering state. No IPv6 multicast traffic will flow.
Workaround: Configure an IPv6 PIM static RP.
•
CSCsu36958
Symptoms: A router cannot be reloaded after the RP switches over three times.
Conditions: The router restarts three times, and each time due to watchdog timeout due to failure to allocate memory. This symptom is related to a flood of multicast messages. Once this symptom occurs, attempts to manually reload the router are unsuccessful as the NVRAM is locked, indicating that it is being updated.
Workaround: There really is no workaround except to manually remove and re-insert the RP or power-cycle the chassis.
•
CSCsu40491
Symptoms: When a second multilink is enabled between a PE and a connected CPE, the route may not be propagated to the remote PE. A ping from the local PE to the CPE always works fine over both multilinks; however, a ping from the remote PE to the CPE does not work when both links are enabled.
Conditions: This symptom is observed under the following conditions:
1. The routing protocol between the PE and the CE is BGP.
2. Two static routes are defined on the PE toward the CE.
3. MLPPP is used on both links.
4. The PE is a Cisco 12000 series Internet router.
5. Both links are enabled.
These conditions do not guarantee that the problem will be reproduced; but it may occur under certain circumstances.
Workaround: Perform either of the following two workarounds:
1. To clear the issue, redefine the static routes, or shut down both multilinks and bring them back up again.
2. Enable only one multilink.
Further Problem Description: The MPLS label shows as "aggregate" instead of "untagged" during the problem.
•
CSCsu41338
Symptoms: Set cos is not being applied for VPLS packets in E5 Gig. The source MAC address of the VPLS packet from the disposition PE is getting corrupted.
Conditions: This symptom is observed only for VPLS packets in E5 cards when a service policy with set cos is applied to the egress interface of the disposition PE.
Workaround: There is no workaround.
•
CSCsu54160
Symptoms: An RP becomes stuck.
Conditions: This symptom is observed after an SSO mode redundancy force switchover is executed.
Workaround: Reload the secondary RP.
•
CSCsu59282
Symptoms: The following message is continuously seen on SSO switchover even if the maximum scale numbers are not configured.
%RP-3-ENCAP: Failure to allocate encap table entry, exceeded max number of entries, slot 3 (info 0xC0000
Conditions: This symptom is observed upon SSO switchover.
Workaround: Reload the RP.
•
CSCsu63081
Symptoms: The delay triggers path delay command does not function as it is provisioned on an E3 CHOC12 controller.
Conditions: This symptom is observed on a Cisco 12000 Internet series router booted with c12kprp-p-mz.120-32.S11n. This router contains an E3 CHOC12 line card.
Workaround: There is no workaround.
•
CSCsu65189
Symptoms: If the router is configured as follows:
router ospf 1
...
passive-interface Loopback0
And is later enabled with LDP/IGP synchronization using the following commands:
Router(config)# router ospf 1
Router(config-router)# mpls ldp sync
Router(config-router)# ^Z
MPLS LDP/IGP synchronization will be allowed on the loopback interface too.
Router# show ip ospf mpls ldp in
Loopback0
Process ID 1, Area 0
LDP is not configured through LDP autoconfig
LDP-IGP Synchronization : Required < ---- NOK
Holddown timer is not configured
Interface is up
If the clear ip ospf proc command is entered, LDP will keep the interface down. A down interface is not included in the router LSA; therefore, the IP address configured on the loopback is not propagated. If an application such as BGP or LDP uses the loopback IP address for communication, the application will go down too.
Conditions: Occurs when an interface is configured as passive. Note: all interface types configured as passive are affected, not only loopbacks.
Workaround: Do not configure passive loopback under OSPF. The problem occurs only during reconfiguration.
The problem will not occur if LDP/IGP sync is already in place and:
– The router is reloaded with an image that has the fix for CSCsk48227.
– The passive-interface command is removed/added.
•
CSCsu66119
Symptoms: If "set exp" is configured on the ingress AC, local switching (AC - AC) traffic does not copy the exp value to the cos bits in the egress direction.
Conditions: This symptom is observed with E3 as ingress and "set exp" configured on VPLS interface.
Workaround: There is no workaround.
•
CSCsu73675
Symptoms: In the case of E5 AToM QinQ, set cos is being set on the inner vlan_id.
Conditions: This symptom is observed in an E5 AToM with QinQ configuration that has set cos in the policy map.
Workaround: There is no workaround.
•
CSCsu74140
Symptoms: In E5 L2TPv3 dot1q, set cos is not being set on the vlan-id.
Conditions: This symptom is observed in a configuration that has set cos in the policy.
Workaround: There is no workaround.
•
CSCsu79988
Symptoms: Before this BGP aspath memory optimization, the memory consumption for aspath has increased. With this memory optimization, the memory consumption for aspath is reduced.
Workaround: There is no workaround.
•
CSCsu84357
Symptoms: The show mac address-table bridge-domain domain command may display unexpected MAC addresses.
Conditions: This symptom has been reported on a Cisco 12000 series Internet router that is configured with VPLS. When a service policy with input policing is applied on an interface that also has bridge-domain configured and when police drops happen, ghost MAC addresses are present in the MAC address table for that bridge-domain ID.
Workaround: There is no workaround. But no immediate impact on system behavior has been observed.
Further Problem Description: This issue can occur with either ACL drops or policer drops on a VPLS-enabled interface. If there are no ACL or CAR drops, this issue will not occur.
This unexpected MAC address might conflict with another real MAC address and may lead to some other issues such as traffic being sent over the wrong interface for the same customer.
Let us assume that the customer is having two ACs on the same PE and that AC1 learned the proper MAC address and the unexpected MAC address. If this unexpected MAC address is a valid MAC address on AC2, then the traffic for this MAC address may be sent to AC1 instead of to AC2.
•
CSCsu86288
Symptoms: A line card on a Cisco 12000 series Internet router generates tracebacks during LI provisioning while installing a 50th tap request. After the appearance of the first traceback, LI functionality stops working for newly requested taps.
Conditions: This symptom is observed when there are 48 active taps and 2 new taps arrive.
Workaround: Reload the line card or the whole router.
•
CSCsu89509
Symptoms: When PEM PS is inserted, there is an increase in CPU utilization by the PowerMgr Main process. The utilization is from 10 percent to 99 percent; the difference is caused by inserting timing.
Conditions: This issue is observed under the following conditions:
– 16-slot chassis
– Enhanced fabric
– Enhanced CSC
– DC PEM
Workaround: There is no workaround.
•
CSCsu92317
Symptoms: Pings fail on an MLPPP interface.
Conditions: There is an MFR interface used for L2 services such as xconnect and an MLPPP interface on the same SPA. When the member links are removed/added from these bundles back-to-back, the ping on the MLPPP interface may fail. This symptom is observed so far only on E5 cards.
Workaround: Reload the line card.
•
CSCsu93472
Symptoms: Whenever a service policy that has an action as bandwidth or shaping is applied as output to the core-facing interface in an imposition PE in a VPLS setup, the egress multicast packets that are passing through the core-facing interface are being dropped.
Conditions: This symptom is observed when:
– A service policy with action as bandwidth or shaping is applied as output to the core-facing interface in an imposition PE in a VPLS setup; and
– Multicast traffic is flowing through the interface.
Workaround:
1) Remove and re-add the bridge-domain.
2) Reload the ingress line card that has bridge-domain configured on it.
•
CSCsu93501
Symptoms: In Cisco IOS Release 12.0(33)S, the VPLS-specific ingress policy matches are not working for the multicast and VPLS-unknown classes. Either class will match all unicast, multicast, broadcast, and unknown traffic.
Conditions: This symptom is observed for multicast and VPLS-unknown traffic that passes through the VPLS-specific ingress policy in Cisco IOS Release 12.0(33)S images only.
Workaround: There is no workaround.
•
CSCsv00039
Symptoms: A customer observed the following message in the log:
The PAM_PIM created confusion as it was being referred to Protocol Independent Multicast and not to the Packet Assembly Module/Packet Interface Module.
Conditions: This symptom occurs because of a corrupted packet.
Workaround: There is no workaround.
•
CSCsv04674
Symptoms: The M(andatory)-Bit is not set in Random Vector AVP, which is a must according to RFC2661.
Conditions: This symptom is observed with Egress ICCN packet with Random Vector AVP during session establishment.
Workaround: There is no workaround.
•
CSCsv04836
Multiple Cisco products are affected by denial of service (DoS) vulnerabilities that manipulate the state of Transmission Control Protocol (TCP) connections. By manipulating the state of a TCP connection, an attacker could force the TCP connection to remain in a long-lived state, possibly indefinitely. If enough TCP connections are forced into a long-lived or indefinite state, resources on a system under attack may be consumed, preventing new TCP connections from being accepted. In some cases, a system reboot may be necessary to recover normal system operation. To exploit these vulnerabilities, an attacker must be able to complete a TCP three-way handshake with a vulnerable system.
In addition to these vulnerabilities, Cisco Nexus 5000 devices contain a TCP DoS vulnerability that may result in a system crash. This additional vulnerability was found as a result of testing the TCP state manipulation vulnerabilities.
Cisco has released free software updates for download from the Cisco website that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090908-tcp24.shtml.
•
CSCsv08408
Symptoms: A router may crash due to a bus error due to an illegal access to a low address because IPC is processing a message that is already returned back to the pool, but still the message's reference is present in IPC's retry table.
Conditions: The conditions under which this symptom occurs are not known.
Workaround: There is no workaround.
•
CSCsv15604
Symptoms: E4+ on a Cisco 12000 series Internet router stops exporting NetFlow. Show commands display that packets are correctly captured and exported.
Conditions: Traffic should flow through an E4+ and go out through an E5, which has to be MPLS enabled.
Workaround:
1) Change the outbound interface configuration to IP.
2) Add a static route for the NFC using the non-recursive next hop.
•
CSCsv16911
Symptoms: I have created a few flow monitors, and I tried to add the flow monitors in one direction on which IPHC was configured and it gave a linecard failure message; when I tried the same procedure a second time, it was added.
Conditions: All the serial interfaces should be up and running.
Workaround: There is no workaround.
•
CSCsv18049
Symptoms: Presently we do not support processing multiple filter specs in the Resv Error message. We process only the first filter spec in the list. Not processing the other LSPs in the RESVError will lead to inconsistent states.
Conditions: This symptom is observed on a Cisco 12000 series Internet router that has a PRP-2 and that is running Cisco IOS Release 12.0(32)SY6.
Workaround: There is no workaround.
•
CSCsv23328
Symptoms: Default Q-limit is not getting doubled for low-speed interfaces.
1) Non-channelized SPA
2) For policy without queueing action on non-channelized SPA
Conditions: Default Q-limit for low-speed interfaces should be doubled as required.
This should be done only for low-speed interfaces. Rates that will get 64K queue-limit and above. I.e, starting from 32K, the queue-limits will not get doubled.
For example, 64K in will be trimmed to 32K from this release onward and likewise for further queue-limits. Also, it is taken care that the class rate ranges 2097152 - above will get max_queue_depth of 256K as they always got.
For more info, please also refer to DDTS CSCsu60240.
Workaround: Reload the SPA.
•
CSCsv25593
Symptoms: If the BFD session count exceeds the limits, an error message is printed within the debug flag.
Conditions: The linecard supports 100 sessions, and the chassis supports 200 sessions in Cisco IOS Release 12.0(33)s throttle only.
Workaround: If the BFD session count exceeds the limits, remove and add the BFD from the interface.
•
CSCsv26606
Symptoms: A 1xCHOC12 controller goes down, and all links flap.
Conditions: This symptom is observed when the show plim datapath details command is executed on the line card, which dumps a lot of information on the console.
Workaround: Avoid using the show plim datapath details command; instead, use the per-channel show plim datapath channel-id details command.
•
CSCsv27470
Symptoms: An Engine 3 CHOC12 fails to bring the T1 controller link down when the delay triggers path command is configured.
Conditions: Shutting down the remote end T1 controller or CHOC12 T1 controller receive AIS will not cause the T1 link to go to down state.
Workaround: Do not configure the delay triggers path command on the CHOC12 SONET controller.
•
CSCsv27607
Symptoms: BGP router filters outbound routes to the peers when doing soft reset with specifying peer address using the clear ip bgp ip-address soft out command. However, the routes to be filtered are not deleted from the routing table on the BGP peer router.
Conditions: The symptom happens when an outbound route-map is removed and then reapplied, and the clear ip bgp neighbor-address soft out command is issued for each peer in an update-group after the outbound route-map filtering policy is applied. The withdraw for filtered prefixes is sent to the first peer specified in the soft reset, but the next peers in the same update-group do not withdraw the routes.
Workaround: Perform a hard BGP reset using the clear ip bgp ip-address command.
•
CSCsv38557
Symptoms: POS interfaces run into a tx stuck condition, and heavy packet drops occur in the local switching path. The VIP CPU runs high due to the Rx-Side Buffering mechanism that kick starts in the local switching path in the VIP.
Conditions: This symptom is observed on a Cisco 7500 node with a VIP that has the POS interfaces up and data traffic being locally switched between the POS interfaces. This symptom is triggered when a service policy is applied/removed followed by interface flaps.
Workaround: "test rsp stall" cleans up the Rx-Side buffered packets. Hence this could be considered a workaround. However, this does not always help. Doing a soft OIR removal and insertion of the LC always helps recover from this situation. The best workaround is to apply a service policy.
•
CSCsv57665
Symptoms: A router is not learning MAC addresses when unknown multicast traffic (packet size greater than min_mtu for that VFI towards core) is sent.
Conditions: This symptom is observed when the MTU of the core-facing interface is changed to some value less than the default value and then is increased back to the default. The min_mtu is stuck on the lesser value.
Workaround: There is no workaround.
•
CSCsv66827
Symptoms: Clearing the SSH sessions from a VTY session may cause the router to crash.
Conditions: The symptom is observed when a Cisco 7300 series router is configured for SSH and then an SSH session is connected. If the SSH session is cleared every two seconds using a script, the symptom is observed.
Workaround: There is no workaround.
•
CSCsv73509
Symptoms: When "no aaa new-model" is configured, authentication happens through the local even when tacacs is configured. This happens for the exec users under vty configuration.
Conditions: Configure "no aaa new-model," configure login local under line vty 0 4, and configure login tacacs under line vty 0 4.
Workaround: There is no workaround.
•
CSCsv74508
Symptoms: If a linecard is reset (either due to error or a command such as hw-module slot reload) at the precise time an SNMP query is trying to communicate with that LC, the RP could reset due to a CPU vector 400 error.
Conditions: In order to experience these symptoms the linecard is reset (either due to error or a command such as hw-module slot reload) at the precise time an SNMP query is received.
Workaround: There is no workaround.
•
CSCsv82120
Symptoms: A CHOC12 T1 continuously flaps when the T1 link that is connected to a third-party CE router flaps. With the Cisco router, the same issue is not observed.
Conditions: This symptom is observed under the following conditions:
– Cisco IOS Release 12.0(32)S11n
– CHOC12 T1 links with a third-party CE router
Workaround: Disable "yellow detection" on the CHOC12 T1 link. For example, serial interface 12/0.7/6:0:
controller sonet 12/0
sts-1 7
no t1 6 yellow detection
! Wait for the T1 to stabilize.
t1 6 yellow detection
•
CSCsv84690
Symptoms: The source MAC address is not learned properly for the bridge domain associated with a VFI instance.
Conditions: Traffic is from CE2------PE1------CE1 (locally switched). Source MAC addresses of packets from CE2 are not learned correctly. NetFlow is enabled on the interfaces of the PE.
Workaround: Disable NetFlow on the main interface.
•
CSCsv94306
Symptoms: On a Cisco 12000 series Internet router E5/SPA POS interface, FRR reroute may take up to 700 msec.
Conditions: This symptom is observed when the far-end RX fiber of the POS link is removed.
Workaround: Configure the pos delay triggers command on the interface to reduce delay in FRR.
Further Problem Description: When the RX fiber is removed on the far-end of the POS interface, the far-end router is supposed to send LRDI to the Cisco 12000 series Internet router, and the LRDI will trigger the FRR reroute. The E5/SPA current implementation is that remote end SONET alarm does not trigger FRR in interrupt mode; it triggers FRR only in process context, which may take up to 700 msec to converge.
•
CSCsv96395
Symptoms: A SIP-400 and SIP-601 crash continuously after the image is loaded.
Conditions: After the 32SY 11_23-date-coded image is loaded, SIP crashes when channelized SPAs come up.
Workaround: There is no workaround.
•
CSCsw17389
Symptoms: A SPA_PLIM-3-HEARTBEAT failure and tracebacks are seen for channelized SPAs. All the traffic in the ingress direction is dropped.
Conditions: With traffic present, configure aggregate NF scheme on 4XT3/E3 SPA; channelized SPAs get stuck in the booting state. (SIP comes up fine to IOS RUN state.)
Workaround: Perform a microcode reload to make the SPAs come up.
•
CSCsw17390
Symptoms: A PVC flaps with the following error message:
ATM(ATM3/0/0.504): VC(17) Bad SAP received 00AD
Conditions: This symptom is observed on a Cisco 7600 with a FlexWAN and PAA3 when connected to a Cisco 12000 ATM interface and when the PVC is configured for bridging.
Workaround: There is no workaround.
•
CSCsw19951
Symptoms: A SUP720 may reset with the following:
RP: %C6K_PLATFORM-2-PEER_RESET: RP is being reset by the SP
SP or DFC: Address Error (load or instruction fetch) exception, CPU signal 10, PC = 0x40B0D738
-Traceback= XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
$0 : XXXXXXXX, AT : XXXXXXXX, v0 : XXXXXXXX, v1 : XXXXXXXX
a0 : XXXXXXXX, a1 : XXXXXXXX, a2 : XXXXXXXX, a3 : XXXXXXXX
t0 : XXXXXXXX, t1 : XXXXXXXX, t2 : XXXXXXXX, t3 : XXXXXXXX
t4 : XXXXXXXX, t5 : XXXXXXXX, t6 : XXXXXXXX, t7 : XXXXXXXX
s0 : XXXXXXXX, s1 : XXXXXXXX, s2 : XXXXXXXX, s3 : XXXXXXXX
s4 : XXXXXXXX, s5 : XXXXXXXX, s6 : XXXXXXXX, s7 : XXXXXXXX
t8 : XXXXXXXX, t9 : XXXXXXXX, k0 : XXXXXXXX, k1 : XXXXXXXX
gp : XXXXXXXX, sp : XXXXXXXX, s8 : XXXXXXXX, ra : XXXXXXXX
EPC : XXXXXXXX, ErrorEPC : XXXXXXXX, SREG : XXXXXXXX
MDLO : XXXXXXXX, MDHI : XXXXXXXX, BadVaddr : XXXXXXXX
DATA_START : 0xXXXXXXXX
Cause XXXXXXXX (Code 0xX): Address Error (load or instruction fetch) exception
Conditions: This symptom is observed on a device that is configured with MPLS.
Workaround: There is no workaround.
•
CSCsw24700
Cisco IOS software contains two vulnerabilities within the Cisco IOS WebVPN or Cisco IOS SSLVPN feature (SSLVPN) that can be remotely exploited without authentication to cause a denial of service condition. Both vulnerabilities affect both Cisco IOS WebVPN and Cisco IOS SSLVPN features:
1. Crafted HTTPS packet will crash device - Cisco Bug ID CSCsk62253.
2. SSLVPN sessions cause a memory leak in the device - Cisco Bug ID CSCsw24700.
Cisco has released free software updates that address these vulnerabilities.
There are no workarounds that mitigate these vulnerabilities.
This advisory is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sa-20090325-webvpn.shtml
•
CSCsw30847
Symptoms: The standby router may crash.
Conditions: The symptom is observed when two IMA interfaces are configured on a Cisco 7500 series router along with HA RPR+ mode. When you try to unconfigure the ima-group from the first member of IMA interfaces, the crash will occur.
Workaround: There is no workaround.
•
CSCsw31009
Symptoms: CEF Scanner takes high CPU for sustained periods of time around 10 minutes.
Conditions: This symptom is observed on a Cisco router that is running Cisco IOS Release 12.0(32)S11n. It is seen under the following conditions:
– When multiple eiBGP paths exist for a certain prefix and the eBGP path is recursive through the attached next-hop.
– A large number of prefixes that have one iBGP path that is recursive through an IGP route that has one path, and one iBGP path that is recursive through an IGP route that has multiple paths.
– A route modification for load-balanced prefix.
Workaround: Configure a static route.
•
CSCsw34455
Symptoms: After a reboot, GEs remain down/down on a SPA-10X1GE-V2.
Conditions: This symptom is observed on a Cisco 12000 series Internet router that is using a 12000-SIP-601 with a SPA-10X1GE-V2 and Cisco IOS Release 12.0(32)SY6.
Workaround: Shut and unshut the port that is down/down.
•
CSCsw35638
Symptoms: When a Cisco router is the Merge Point (MP) for a protected TE tunnel, and FRR is triggered, two things happen:
– The primary LSP goes down, and traffic is lost on the protected tunnel.
– Any PLR that is downstream of the failure will lose its backup.
Conditions: When a competitor's router is a point of local repair (PLR) and a Cisco router is a merge point, then when FRR is triggered, the Cisco router drops the backup tunnel (in some cases immediately and in other cases after 3 minutes). This causes the primary tunnel that is protected by this backup to go down. The issue has been identified as related to the fact that session attribute flags (link/node protection desired) are being cleared by the competitor PLR when the Path is sent over the backup tunnel.
Workaround: There is no workaround.
•
CSCsw47346
Symptoms: A switchover cannot be performed on a Cisco 7500 router.
Conditions: This symptom is observed when test crash is issued on a VIP console.
Workaround: There is no workaround.
•
CSCsw47868
Symptoms: An IPv6 ping fails on an E3 Gigabit line card because of a PRECAM 1 Exception.
Conditions: This issue pertains to the dropping of IPv6 packets because of a precam exception on the egress side. It looked as if the profile for IPv6 was wrong when IPv4 QoS was already applied even on different subinterfaces on the same port.
Workaround:
1) Add/Remove an ACL.
2) Add/Remove the subinterface.
•
CSCsw51017
Symptoms: In the case of egress MVPN QoS, some packets are going to the wrong queue.
Conditions: This symptom is observed with an egress MVPN QoS configuration.
Workaround: There is no workaround.
•
CSCsw64956
Symptoms: The no ppp lcp fast-start command is added to all PPP-encapsulation interfaces.
Conditions: This symptom is observed after a router is upgraded from Cisco IOS Release 12.0(32)SY7 to the latest 32sy throttle image.
Workaround: There is no workaround.
•
CSCsw69322
Symptoms: Given the following topology:
PE1 (CT32/2/1) <------- > (CT34/0/1) CE1
Configuring t1 <1-28> loopback remote line feac at PE1 and then removing the loopback causes the serial interface at CE1 to start flapping continuously.
Conditions: All the interfaces should be up and running.
Workaround: There is no workaround.
•
CSCsw74258
Symptoms: An Engine 5 linecard crashes.
Conditions: This symptom is observed when MLPPP member links are swapped from one MLPPP bundle to another MLPPP bundle.
Workaround: There is no workaround.
•
CSCsw79733
Symptoms: RTP timestamp is getting corrupted with a sequence of RTP packets.
Conditions: The conditions are FH/cRTP/cUDP/cRTP. cUDP is sent if there is a change in the RTP header, for example when the Marker bit is set, the payload type changes, or a CSRC list is present. This symptom is seen only with the IPHC compression format.
Workaround: Configure the IETF compression format.
•
CSCsw80606
Symptoms: A router crashes.
Conditions: This symptom is observed when the copy scp: disk0: command is issued to transfer the file to disk0: of the router.
Workaround: There is no workaround.
•
CSCsw82329
Symptoms: A SIP-601 crashes continuously. The line card (LC) stops crashing when the SPA-1XCHSTM1/OC3 SPA is shut. The LC does not stop crashing with any other exercise like LC OIR, SPA OIR, or router reload.
Conditions: This symptom was observed while the router was being brought up. The router was initially shut and was later powered up.
Workaround: Shut the SPA to cause the LC to stop crashing.
•
CSCsw90192
Symptoms: A CT3 controller on a CH OC3 SPA remains down after a SPA reload.
Conditions: SPA reload.
Workaround: Enable and disable the BITS feature to clear the issue.
•
CSCsw90592
Symptoms: Traffic does not flow for some VCs through the SR-APS interface.
Conditions: This symptom is observed after a LC reload and a router reload.
Workaround: Shut/no shut of SR-APS interface.
•
CSCsw93321
Symptoms: If the Flexible NetFlow feature is used on a Cisco 12000 series Internet router along with sampled NetFlow, packets are dropped through the router. The packet drop rate is equal to the configured sampler rate.
Conditions: This symptom has been reported on a Cisco 12000 series Internet router that is running Cisco IOS Release 12.0(33)S1. The symptom is triggered only if both Flexible NetFlow and sampled NetFlow are used together on same interface.
Workaround: There is no workaround.
•
CSCsx08901
Symptoms: The following message is received from the standby RP:
SEC 8:Jan 13 23:11:09.991: SPA CHOCX ALARM MSG: spa_chocx_update_sonet_ctrlr_alarm_status : mib is NULL plugin = 0xA7357E4 line_id = 0
SEC 8:Jan 13 23:11:09.991: -Traceback= 20E8FC 929F50 929E1C 929D64 928B58 928A98 9335D8 4FAA38 4C09E0 362A84 35EED8 35EF30 2F92DC
Jan 13 23:11:10.987 UTC: %SONET-4-ALARM: SONET 14/2/0: SLOS
Jan 13 23:11:10.987 UTC: %CONTROLLER-5-UPDOWN: Controller SONET 14/2/0, changed state to down
SEC 8:Jan 13 23:11:10.991: spa_chocx_update_sonet_ctrlr_alarm_status : mib is NULL plugin = 0xA7357E4 line_id = 0
SEC 8:Jan 13 23:11:10.991: -Traceback= 20E8FC 929F50 929E1C 929D64 928B58 928A98 9335D8 4FAA38 4C09E0 362A84 35EED8 35EF30 2F92DC
Conditions: This symptom is observed after the framing on the chstm1 SPA card is changed.
Workaround: There is no workaround.
•
CSCsx10140
Recent research (1) has shown that it is possible to cause BGP sessions to remotely reset by injecting invalid data, specifically AS_CONFED_SEQUENCE data, into the AS4_PATH attribute provided to store 4-byte ASN paths. Since AS4_PATH is an optional transitive attribute, the invalid data will be transited through many intermediate ASes which will not examine the content. For this bug to be triggered, an operator does not have to be actively using 4-byte AS support.
The root cause of this problem is the Cisco implementation of RFC 4893 (4-byte ASN support) - this RFC states that AS_CONFED_SEQUENCE data in the AS4_PATH attribute is invalid. However, it does not explicitly state what to do if such invalid data is received, so the Cisco implementation of this RFC sends a BGP NOTIFICATION message to the peer and the BGP session is terminated.
RFC 4893 is in the process of getting updated to avoid this problem, and the fix for this bug implements the proposed change. The proposed change is as follows:
"To prevent the possible propagation of confederation path segments outside of a confederation, the path segment types AS_CONFED_SEQUENCE and AS_CONFED_SET [RFC5065] are declared invalid for the AS4_PATH attribute. A NEW BGP speaker MUST NOT send these path segment types in the AS4_PATH attribute of an UPDATE message. A NEW BGP speaker that receives these path segment types in the AS4_PATH attribute of an UPDATE message MUST discard these path segments, adjust the relevant attribute fields accordingly, and continue processing the UPDATE message."
The only affected version of Cisco IOS software that supports RFC 4893 is Cisco IOS Release 12.0(32)S12, released in December 2008.
(1) For more information please visit:
http://www.merit.edu/mail.archives/nanog/msg14345.html
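The receive-side handling quoted above for CSCsx10140 can be sketched as follows. This is an added example, not Cisco code: the function names and the sample attribute value are constructed for illustration, the segment type codes follow RFC 4271 and RFC 5065, and raising an exception for a value that cannot be parsed at all is an assumption outside the quoted text.

```python
import struct

# Path segment type codes (RFC 4271 and RFC 5065).
AS_SET = 1
AS_SEQUENCE = 2
AS_CONFED_SEQUENCE = 3
AS_CONFED_SET = 4
CONFED_TYPES = {AS_CONFED_SEQUENCE, AS_CONFED_SET}
KNOWN_TYPES = {AS_SET, AS_SEQUENCE} | CONFED_TYPES


class MalformedAttribute(ValueError):
    """Value cannot be split into segments (assumed handling, not from the caveat)."""


def parse_segments(value):
    """Split an AS4_PATH attribute value into (segment_type, [asn, ...]) tuples.

    Each segment is: 1-octet type, 1-octet ASN count, then count 4-octet ASNs.
    """
    segments = []
    offset = 0
    while offset < len(value):
        if len(value) - offset < 2:
            raise MalformedAttribute("truncated segment header")
        seg_type, count = value[offset], value[offset + 1]
        offset += 2
        if seg_type not in KNOWN_TYPES:
            raise MalformedAttribute("unknown segment type %d" % seg_type)
        end = offset + 4 * count
        if end > len(value):
            raise MalformedAttribute("segment runs past end of attribute")
        segments.append((seg_type, list(struct.unpack("!%dI" % count, value[offset:end]))))
        offset = end
    return segments


def encode_segments(segments):
    """Re-encode (segment_type, [asn, ...]) tuples into an attribute value."""
    out = bytearray()
    for seg_type, asns in segments:
        out += struct.pack("!BB%dI" % len(asns), seg_type, len(asns), *asns)
    return bytes(out)


def strict_receive(value):
    """Behaviour the caveat describes before the fix: confederation segments
    in AS4_PATH lead to a NOTIFICATION and the session is terminated."""
    for seg_type, _ in parse_segments(value):
        if seg_type in CONFED_TYPES:
            return "NOTIFICATION"
    return "CONTINUE"


def tolerant_receive(value):
    """Behaviour of the proposed change: discard confederation segments,
    adjust the attribute accordingly, and continue processing the UPDATE.

    Returns (new_value, dropped_segment_count); the caller sets the
    attribute length field to len(new_value).
    """
    segments = parse_segments(value)
    kept = [seg for seg in segments if seg[0] not in CONFED_TYPES]
    return encode_segments(kept), len(segments) - len(kept)


# Constructed sample: an AS4_PATH value carrying an invalid AS_CONFED_SEQUENCE
# followed by a valid AS_SEQUENCE of 4-byte ASNs.
SAMPLE_AS4_PATH = encode_segments([
    (AS_CONFED_SEQUENCE, [65001, 65002]),
    (AS_SEQUENCE, [196608, 4200000000]),
])

if __name__ == "__main__":
    print("strict:  ", strict_receive(SAMPLE_AS4_PATH))
    cleaned, dropped = tolerant_receive(SAMPLE_AS4_PATH)
    print("tolerant: dropped", dropped, "segment(s), kept", parse_segments(cleaned))
```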
•
CSCsx23456
Symptoms: The standby reloads on a Cisco 7500 series router.
Conditions: The symptom is observed when IMA PA is configured on a Cisco 7500 series router and where RPR+ is configured. It is seen when an OIR is done on the VIP where IMA PA is sitting.
Workaround: There is no workaround.
•
CSCsx23559
Symptoms: With a nested policy map, when EF traffic is sent at police rate or above police rate, BFD flaps. The BFD timer is set to 999 ms*3, while the EF traffic average latency is only 50 to 70 microseconds.
Conditions: This symptom is observed when a nested policy is applied to ocpos3 and cht3 SPA with FR encapsulation.
Workaround: There is no workaround.
•
CSCsx25461
Symptoms: With a Cisco IOS Release 12.0(32)SY image, BGP I/O spikes CPU up to 9 percent because of a BGP neighbor flap with a single BGP neighbor. When multiple eBGP neighbors flap at the same time, the BGP I/O can sometimes spike up to approximately 20 percent.
Conditions:
bgp neighbor reset
Workaround: There is no workaround.
•
CSCsx29281
Symptoms: Packets get corrupted along the path. Extra padding is added to the packets, and the packets become unusable by the receiver application.
Conditions: Frame Relay VPWS between Cisco 12000 series Internet routers with small 25-byte non-IP packets.
Workaround: There is no workaround.
•
CSCsx31693
Symptoms: All L2VPN traffic is dropped for more than 1 minute around 20 to 30 seconds after another linecard is reinserted.
Conditions:
–
ToFab QoS is configured (rx-slot-cos commands).
–
L2VPN (both AToM and VPLS) traffic on E5 is affected.
–
Cisco IOS Release 12.0(32)SY7.
–
900 VCs are configured.
Workaround: Remove the rx-slot-cos part of the configuration.
•
CSCsx32416
Symptoms: A session may go down one or more times before stabilizing in the up state.
Conditions: This symptom is observed when a BFD session is first coming up and the network is suffering from congestion.
Workaround: There is no workaround.
•
CSCsx42179
Symptoms: In MPLS VPN each tunnel is associated with one or more virtual routing and forwarding (VRF) instances. A VRF defines the VPN membership of a customer site attached to a PE router. Traffic entering a network on a non-VRF interface may be incorrectly forwarded to a VRF.
Note: Traffic from a VRF to another private or a public network is not incorrectly routed.
Conditions: This issue is only experienced in Cisco 12000 Series Internet Routers running Cisco IOS Releases 12.0(32)S and 12.0(32)SY. Additionally, the affected device must have NetFlow enabled and configured with an Engine 3 Line Card (LC).
This issue is only experienced in very rare conditions where routing table fluctuations take place as the result of route flapping.
Workaround: Create a default IP route destined to null 0 in the global routing table, as demonstrated in the following example:
ip route 0.0.0.0 0.0.0.0 null 0
•
CSCsx46184
Symptoms: In case of E5 FRoMPLS, small-sized frames that are less than 34 bytes are getting corrupted because of the padding that is being added. Traffic is not getting dropped as the L2 header (DLCI) is intact; only the extra padding that gets added to the payload is being dropped.
Conditions: This symptom is observed when E5 is acting as edge for FRoMPLS.
Workaround: There is no workaround.
•
CSCsx55779
Symptoms: A SIP-601 is reset after local switching is configured. After the linecard comes up, traffic does not flow end to end on the local switching attachment circuit.
The issue is seen only when the Frame Relay frame size is less than 12 bytes (4 bytes FR header + 4 bytes FCS + 0-4 bytes payload) and when the NLPID value is 0x00 (that is, an invalid Frame Relay encapsulation). From RFC 2427:
An NLPID value of 0x00 is defined within ISO/IEC TR 9577 as the Null Network Layer or Inactive Set. Because it cannot be distinguished from a pad field, and because it has no significance within the context of this encapsulation scheme, an NLPID value of 0x00 is invalid under the Frame Relay encapsulation.
Conditions: Traffic should be enabled while doing local switching configurations.
Workaround: There is no easy workaround. Shut down the interface before the hw-module reload of the linecard.
•
CSCsx69785
Symptoms: 8-port OC48 E6 linecards crash when trying to bring up back-to-back connected or looped back (between two OC48 interfaces on the same E6 linecard) interfaces. This can also be seen when the optic cable/SFP is removed and inserted continuously between the back-to-back or loopback OC48 interfaces on the E6 linecard.
Conditions: On back-to-back connected or loopback (through two ports on the same linecard) connected E6 OC48 ports, performing a shut/no shut crashes the E6 linecards. Also, removing and inserting the optic cable/SFP repeatedly in the back-to-back or loopback connection (which is in the "no shut" state) between two OC48 ports on E6 cards crashes the E6 linecard.
Workaround: Configure clock source internal before configuring no shut.
•
CSCsx81775
Symptoms: An Engine 5 line card (SIP-x01) crashes when a QoS configuration is applied to a serial interface.
Conditions: This symptom is observed when applying a service policy to a serial interface with several classes with a Police + WRED configuration, with more than two of the following:
1. Class-default with WRED+Police action.
2. One or more classes matching on prec/dscp with WRED+Police action.
3. One or more classes matching on Access-group with WRED+Police action.
4. Any class with a "Match Any" condition with WRED+Police.
Workaround: There is no workaround. Such a policy is not supported.
•
CSCsx90461
Symptoms: A SIP 601 crashes in a PE router mvpn scenario.
Conditions: This symptom is observed while flapping a core-facing or edge-facing interface.
Workaround: There is no workaround.
•
CSCsy03689
Symptoms: The IP address of one of the SDCC interfaces is not seen.
Conditions: This symptom is observed after the router is reloaded.
Workaround: There is no workaround.
•
CSCsy06379
Symptoms: In reloading the E5 with CT3, it resets three to four times, and also the core-facing E5 with 10x1GE crashes a couple of times before stabilizing.
Conditions: This symptom is observed in a scale testbed that is running an MVPN profile.
Workaround: Stop the traffic until the linecard comes up and then start the traffic.
•
CSCsy09839
Symptoms: QoS class of service queues are in an unallocated state on the standby RP of a router that is configured in SSO mode upon router reload.
Conditions: The following conditions should exist to hit this DDTS:
–
A Cisco 12000 series Internet router with E3 LC configured in SSO mode.
–
Scale number of output service policy configured on the interfaces of E3 LC.
–
Reload of router configured in SSO mode.
Workarounds:
1) Reload the E3 LC after the router configured in SSO mode has come up.
2) Remove and add the affected service policies on E3 LC.
•
CSCsy20021
Symptoms: Ping and traffic drops occur on LB local switching circuits.
Conditions: This symptom is observed when an RPR+ switchover is performed.
Workaround: There is no workaround.
•
CSCsy29345
Symptoms: An E3 1*CHOC12 LC_ENABLED is not sent to the standby RP in SSO mode.
Conditions: This symptom is observed when a router that is configured in SSO mode is reloaded.
Workaround: There is no workaround.
•
CSCsy33936
Symptoms: The CEF process is hogging the CPU because of many incomplete fibidbs, because CEF was disabled and re-enabled.
Conditions: This symptom is observed in a scale testbed when an RPR+ switchover is performed.
Workaround: There is no workaround.
•
CSCsy57746
Symptoms: The standby PRP2 crashes many times during a reload.
Conditions: The problem occurs only during the boot-up process. The router:
–
Should have two processors (in this case PRP2) that are running SSO as the redundancy mode.
–
Should be running Cisco IOS Release 12.0(32)SY6e.
–
Should have a high scale (so a large configuration).
–
Should have many MLPPP interfaces.
Workaround: There is no workaround.
Further Problem Description: The standby processor crashes many times during boot-up when the router has a high scale (a large configuration) and many MLPPP interfaces.
The problem happens on a Cisco 12000 series Internet router with two PRP2s that are working in SSO mode and that are running Cisco IOS Release 12.0(32)SY6e.
After the reload, exactly when MLPPP is coming up (establishing), the Cisco 12000 series Internet router suffers high CPU utilization and it loses communication with the standby router for some seconds. When the timeout occurs (when the time expires), the router requests the standby PRP to reset.
•
CSCsy66775
Symptoms: PPLB drops some packets upon loadsharing with an odd number of links.
Conditions: This symptom is observed when there is an odd number of interfaces for load balancing.
Workaround: There is no workaround.
•
CSCsy81103
Symptoms: An E5 crashes when the show contr rewrite command is executed.
Conditions: This symptom is observed on a Cisco 12000 series Internet router that is configured with LB.
Workaround: There is no workaround.
•
CSCsy98079
Symptoms: Although AToM VCs are up, pings are not working between CE routers, and tracebacks are also observed.
Conditions: When L2TPv3 is used with AToM, connectivity breaks between CE routers.
Workaround: There is no workaround.
•
CSCsz01358
Symptoms: A linecard crashes continuously when a microcode reload is performed.
Conditions: The interfaces of the crashing linecard are part of port-channel, and traffic is flowing via that linecard.
Workaround: There is no workaround.
Resolved Caveats—Cisco IOS Release 12.0(33)S2
All the caveats listed in this section are resolved in Cisco IOS Release 12.0(33)S2. This section describes only severity 1, severity 2, and select severity 3 caveats.
•
CSCeb54456
Symptoms: A Data-link switching plus (DLSw+) circuit may not function when a TCP connection gets stuck. After about 90 seconds, the TCP connection is closed by DLSw+, and a new TCP connection is built for DLSw+. Once the new TCP connection is up, the DLSw+ circuit starts functioning again.
Conditions: This symptom is observed on a Cisco router that is configured with both a DLSw+ interface and an ATM interface.
Possible Workaround: If this is an option, remove the ATM interface from the router. When you configure the DLSw+ interface and the ATM interface on different routers, the symptom does not occur.
•
CSCek79311
Symptoms: Under stress conditions, an L2TP multihop node may crash.
Conditions: This symptom is observed when a session is being disconnected.
Workaround: There is no workaround.
•
CSCse05292
Symptoms: A static map configuration for an ATM PVC that uses the protocol ip ip-address command is rejected, giving an ambiguous command error.
Conditions: This symptom is observed when you configure a static map on an ATM PVC using the protocol ip ip-address command.
Workaround: Explicitly configure the [broadcast | no broadcast] option:
Router(config-if-atm-vc)# protocol ip 10.10.100.2 broadcast
Router(config-if-atm-vc)# protocol ip 10.10.100.2 ?
broadcast Pseudo-broadcast
no Prevent Pseudo-broadcast on this connection
<cr>
Router(config-if-atm-vc)# protocol ip 10.10.100.2 no broadcast
Router(config-if-atm-vc)#
•
CSCsi68795
Symptoms: A PE that is part of a confederation and that has received a VPNv4 prefix from an internal and an external confederation peer, may assign a local label to the prefix despite the fact that the prefix is not local to this PE and that the PE is not changing the BGP next-hop.
Conditions: The symptoms are observed when receiving the prefix via two paths from confederation peers.
Workaround: There is no workaround.
Further Problem Description: Whether or not the PE will choose to allocate a local label depends on the order in which the multiple paths for this VPNv4 prefix are learned. The immediate impact is that the allocated local label takes up memory in the router, because the router populates the LFIB with the labels.
•
CSCsi77983
Symptoms: The NetFlow cache runs out of space for new flow entries under heavy traffic.
Conditions: Large amount of traffic, which could exhaust the NetFlow cache.
Workaround: There is no workaround.
•
CSCsj30417
Symptoms: In Eng3 ATM, when a subinterface flaps, traffic to certain destinations is forwarded to the wrong subinterface.
Conditions: This symptom is observed in Cisco IOS Release 12.0(32)S05 and 12.0(32)S06. The symptom is not found in Cisco IOS Release 12.0(31)S2.
Workaround: There is no workaround; however, reloading the line card solves the problem.
•
CSCsj36133
Symptoms: A BGP neighbor may send a notification reporting that it received an invalid BGP message with a length of 4097 or 4098 bytes.
Conditions: The problem can be seen for pure IPv4 BGP sessions (no MP-BGP in use) when the router that is running the affected software generates a large number of withdraws in a short time period and fills an entire BGP update message (up to 4096 bytes normally) completely with withdraws. Because of a counting error, the router that is running the affected software can generate an update message that is 1 or 2 bytes too large when formatting withdraws close to the 4096 size boundary.
Workaround: The issue is not seen when multiple address families are being exchanged between BGP neighbors.
•
CSCsj49293
Symptoms: The interface output rate (214 Mb/s) is greater than the interface line rate (155 Mb/s).
Conditions: This symptom is observed with a Cisco 7600/7500/7200-NPE400 and below. That is, PA-POS-2OC3/1OC3 (PULL mode).
Workaround: There is no workaround.
Further Problem Description: From the Ixia, packets are transmitted at 320 Mb/s. On the UUT (Cisco 7600), the outgoing interface (POS-Enhanced Flexwan) shows the output rate as 200 Mb/s. But the interface bandwidth is 155 Mb/s.
•
CSCsk68742
Symptoms: The show ip mds stats linecard command shows MDFS reloads on all line cards.
Conditions: This symptom is observed when multicast distributed routing is added on a VRF through the configuration of the ip multicast-routing vrf vpn distributed command.
Further Problem Description: Note that while the MDFS reload is a real reload, it is without a preceding clear, so it will not generally cause traffic interruption because it merely causes the same information to be downloaded to the line cards again. However, in a highly scaled system that is running close to the limit, the additional load introduced by a full MDFS reload of every line card may cause additional failures owing to maxing out of the CPUs.
•
CSCsk69194
Symptoms: The shape average percent calculation is wrong.
Conditions: This symptom is observed on a Cisco 7500 router that is configured for dLFIoLL. The policy is attached to ATM and multilink interfaces.
Workaround: Use only absolute values in the shape policy.
•
CSCsk89546
Symptoms: OSPF routes are not populated in the Routing Information Base (RIB) with the next hop as traffic engineering (TE) tunnels.
Conditions: Occurs when multiple TE tunnels are configured and the tunnels come up or are shut/no shut simultaneously.
Workaround: Shut/no shut tunnels one at a time.
•
CSCsl05174
Symptoms:
–
Issue 1: A non-deleted PPP configuration inside the interface reappears when the interface is created again.
–
Issue 2: Some multilink configuration is not being synced to the standby (hold-queue).
Conditions: This symptom is observed when running RPR+.
Workaround: Reapply the original configuration.
Further Problem Description: Deletion of a multilink interface and subsequent creation using the same name may cause portions of the original configuration to return even if not explicitly configured. The hold-queue command is not being synchronized to the standby RP.
•
CSCsl51616
Symptoms: The v6-vrf-lite configuration does not synch properly with the standby; hence 100 percent of the traffic is lost after an SSO switchover.
Conditions: The conditions under which this symptom is observed are unknown.
Workaround: There is no workaround.
•
CSCsl61164
Symptoms: Router may crash @ipflow_fill_data_in_flowset when changing flow version.
Conditions: Occurs when NetFlow is running with data export occurring while manually changing the flow-export version configuration from version 9 to version 5 and back to version 9 again.
Workaround: Do not change the NetFlow flow version while the router is exporting data and routing traffic.
•
CSCsl68227
Symptoms: An E3 linecard may drop packets larger than a certain size because of a buffer carving problem when the mtu command is used for multilink interfaces.
Conditions: This symptom is observed with images based on Cisco IOS Release 12.0(32)S10.
Workaround: Changing the MTU or reloading the linecard may clear the problem.
•
CSCsl83415
Symptoms: After executing the following CLI commands (steps mentioned alphabetically) via a script (not reproducible manually), the router sometimes crashes:
Test10:
a. clear ip bgp 10.0.101.46 ipv4 multicast out
b. clear ip bgp 10.0.101.47 ipv4 multicast out
Test 1:
c. show ip bgp ipv4 multicast nei 10.0.101.2
d. show ip bgp ipv4 multicast [<prefix>]
e. config terminal
The crash does not happen for each of the following cases:
1. If the same CLI is cut and paste manually, there is no crash.
2. If the clear cli command is not executed, there is no crash.
3. If the config terminal command is not entered, there is no crash.
Conditions: The symptom occurs after executing the above CLI.
Workaround: There is no workaround.
•
CSCsm80425
Symptoms: A Cisco 7200 device crashes when a policy map is applied.
Conditions: This symptom is observed when the service policy map is applied on the channelized E3 interface of a Cisco 7200 VXR router and traffic is pumped.
Workaround: Remove the service policy map.
•
CSCsm96785
Symptoms: You may observe a problem in which the OSPF neighbor is down after a switchover despite the use of OSPF Non-Stop Forwarding (NSF).
Conditions: This occurs with the following conditions:
–
Only "nsf cisco" is affected. With "nsf ietf", this problem does not occur.
–
You may observe this problem if the OSPF interface is "point-to-multipoint non-broadcast" or "point-to-multipoint". If the interface is "broadcast", this problem does not occur.
–
When this problem occurs after a switchover, DBD packets may not be exchanged between the two neighbors, and the neighbor is down in spite of NSF.
Workaround: Change the OSPF config to "nsf ietf" and change the OSPF interface to "broadcast".
•
CSCsm96842
Symptoms: The hold-queue length in command cannot be configured for a port-channel interface.
Conditions: The symptom is observed with a Cisco 7600 series router after upgrading to Cisco IOS Release 12.2(33)SRC.
Workaround: There is no workaround.
Further Problem Description: Queueing is not supported for port-channel with a Cisco 7600 series router. The hold-queue is a legacy queueing command and is not supported.
•
CSCso15740
Symptoms: The "set metric" clause in the continue route-map sequence is not setting metric correctly in some particular conditions. This is also applicable in case where the nexthop setting is done via route-map with a continue clause.
Conditions: The symptom is observed on a Cisco 12000 series router that is running Cisco IOS Release 12.0(32)SY4. This is platform independent. This symptom occurs if the route-map has a continue clause and the match condition does not allow the continue clause to be executed. The following route-map sequence which has to be executed will not execute properly if the metric or nexthop of the prefix are to be modified via the route-map.
Workaround: Avoid using "continue" in a route-map and modifying metric or nexthop via the following route-map sequence.
•
CSCso32397
Symptoms: An unexpected reboot occurs because of a software-forced crash.
Conditions: This symptom is observed when changes are made in the policy map.
Workaround: There is no workaround.
•
CSCso41824
Symptoms: A router crashes with an unexpected exception to CPUvector 300.
Conditions: This symptom is observed when you configure MPLS trunks on an 4xT3E3 SPA with FR IETF encapsulation.
Workaround: There is no workaround.
•
CSCso46427
Symptoms: A device may crash when the show clns interface command is issued on the wrong interface.
Conditions: The symptom is observed when there are a number (around 100 or more) CLNS interfaces on the device.
Workaround: There is no workaround.
•
CSCso51637
Symptoms: Router crashes.
Conditions: Router may crash in some cases after removing interface Auto-template and unconfiguring auto-mesh with large number of active mesh auto-tunnels. Currently, this crash has only been observed occasionally with internal scale test scripts and has not occurred with manual configuration.
Workaround: Wait until all auto-tunnels are down after unconfiguring auto-tunnel mesh globally, and before removing interface Auto-template.
•
CSCso54167
Symptoms: BGP peers are stuck with table versions of 0. BGP peers do not announce any routes to neighbors.
Conditions: Whenever the interfaces flap with online insertion and removal (OIR) multiple times, all of the BGP peers using such interfaces for peering connections encounter this issue.
Workaround: Delete and reconfigure the neighbor.
•
CSCso64050
Symptoms: Policy-map outputs are not seen in standby router. The policy is attached to the VC in the standby, but no output is seen.
Conditions: The symptom is observed when an ATM PVC is created and a service policy is attached to the PVC.
Workaround: There is no workaround.
•
CSCso65266
Symptoms: A customer upgraded to Cisco IOS Release 12.0(32)SY4, and now the customer is seeing a memory leak in the BGP process. The memory leak is happening with the BGP router process at the rcache chunk memory when the route map has a "continue" clause in the configuration.
Conditions: The leak is seen when a "continue" statement is configured in an outbound route map.
Workaround: There is no workaround.
•
CSCso65289
Symptoms: High CPU utilization is seen on a Cisco 12000 series Internet router caused by the "IPC Seat Manager" process.
Conditions: This symptom may be observed when the router is enabled with multicast distributed routing and has high scaled multicast configurations.
Workaround: There is no workaround.
•
CSCso72996
Symptoms: A SIP601 sometimes crashes or gets an alignment error.
SLOT 4:Mar 17 17:59:03.877 UTC: %ALIGN-3-SPURIOUS: Spurious memory access made at 0x408C1E14 reading 0xF
SLOT 4:Mar 17 17:59:03.877 UTC: %ALIGN-3-TRACE: -Traceback= 408C1E14 408C03D4 00000000 00000000 00000000 00000000 00000000 00000000
Conditions: The conditions under which this symptom occurs are unknown.
Workaround: There is no workaround.
•
CSCso74028
Symptoms: The local PE is sending graft messages even after receiving data from the remote PE on an MVPN network.
Conditions: This symptom is observed when the graft-ack messages are lost in transit (could be due to misconfiguration/ACL, etc.).
Workaround: Fix the misconfiguration so that graft-ack messages are forwarded as expected.
•
CSCso82178
Symptoms: Configuring a PBR at the E5 GE subinterface may cause buffer depletion. The buffer cannot be released except by reloading the linecard.
Conditions: This symptom is observed when a PBR is configured at the subinterface.
Workaround: There is no workaround.
•
CSCso87348
Symptoms: A Catalyst 6500 or a Cisco 7600 may reload unexpectedly.
Conditions: Occurs when NetFlow is configured on one of the following:
–
Cisco 7600 that is running Cisco IOS Release 12.2(33)SRC.
–
Catalyst 6500 that is running Cisco IOS Release 12.2SXH.
Workaround: Disable NetFlow. This is done with the following commands:
no ip flow ingress
no ip flow egress
no ip route-cache flow
Enter the appropriate command for each subinterface for which NetFlow is currently configured.
•
CSCso88575
Symptoms: MFR bundles associated with E5 channelized based SPAs will stop forwarding traffic. A mismatch of the connection identifier (CI) of the channelized SPA is seen in the CI value in the shim header of the l2 rewrite.
Conditions: This problem will occur for l2vpns only on E5 channelized based SPAs.
Workaround: Enter into interface configuration mode.
Alternate Workaround: Remove and re-add the xconnect.
•
CSCso89427
Symptoms: When a router reloads, the line protocol on serial interfaces will go down.
Conditions: This symptom is observed when bringing up the SPA-1XCHSTM1/OC3 or SPA-2XCT3/DS0 with a scaled configuration that has serial interfaces on all the T1s.
Workaround: There is no workaround.
•
CSCso89794
Symptoms: Spurious accesses are seen when SNMP queries are performed on the router.
Conditions: This symptom occurs if SNMP queries like "snmpwalk -v2c 7.42.19.43 public .1.3.6.1.4.1.9.3.6.13.1" are performed on the router. Spurious accesses are seen.
Workaround: There is no workaround.
•
CSCso92635
Symptoms: The line card on a Cisco 10720 resets when an IP phone is connected. The "%TOASTER-2-FAULT: T1 Exception summary:" message appears.
Conditions: The line card on the Cisco 10720 to which the Cisco Call Manager is connected crashes when an IP phone is connected to the network.
Workaround: The recommended approach is to upgrade the Cisco IOS software.
•
CSCso93957
Symptoms: New T1s cannot be provisioned on a CT3 SPA.
Conditions: When a customer tries to create a new T1 on one of the controllers of a CT3-SPA that is inserted into a SIP-401, the following errors are displayed:
Router(config-controller)# t1 15 channel-group 7 timeslots 1-24
%Failed to configure channel group
Router(config-controller)#
Apr 24 22:51:05.283 UTC: %GRPSPA-3-VC_PROV_ERROR: Provision T1 15 channel group 7 of T3 4/0/1 unsuccessful (error code 44)
-Traceback= 20A640 20A748 954AA4 94DB80 94DC90 9582D0 4FF4E0 5006FC 240B7C 2563B0 13D7410 13C6F3C 2F517C
SLOT 4:Apr 24 22:51:05.271 UTC: %SPA_CHOC_DSX-3-SPA_SW_ERR: SPA on Subslot 0: HDLC controller device driver failure: Failed to start operation Software error was encountered.
-Traceback= 40031128 408B4020 408BCE40 408BD374 408BF114 408C004C 408C0ED8 408D24E0 408D25F8
Workaround: There is no workaround.
•
CSCso93959
Symptoms: Newer SDRAM devices on the 2- and 4-port OC48 POS/RPR SPA require an additional initialization sequence as recommended by the vendor. Without this new initialization sequence, packets that go through the transit buffer in RPR/SRP mode or in subscription mode may get corrupted, or packet loss may occur.
Conditions: Card initialization after inserting the SPA or removing an unpowered shutdown.
Workaround: Perform an OIR on the SPA.
Customers are advised to upgrade to the newer image with this new initialization sequence. Newer software will be backward compatible with older SPA boards.
•
CSCsq02826
Symptoms: The MDFS state of the line card stays in a "disabled" state, which may lead to multicast traffic being punted to the RP.
Conditions: This symptom may be observed with the following sequence of operation:
1. The router is booted without configuring the ip multicast-routing distributed command.
2. The ip multicast-routing distributed command is configured.
The issue will not be seen if the ip multicast-routing distributed command is present in the startup configuration when the router is reloaded.
Workaround: Enter the clear ip mds linecard slot-number command.
•
CSCsq02883
Symptoms: A device crashes with ACL configurations.
Conditions: The RP will crash if an ACL/ACE is added or deleted while the device is running low on memory or its memory is highly fragmented.
Workaround: There is no workaround.
•
CSCsq08131
Symptoms: Ping packets of 8180 or larger cause sourcing POS linecard/SIP to reload and remain in a boot state waiting for IPC connection.
Conditions: This symptom is observed with ping packets that are sourced from PRP2 with part number 800-27058-03.
Workaround: Reload the router.
Further Problem Description: This symptom is observed only on PRP2 with part number 800-27058-03.
•
CSCsq09917
Symptoms: A crash occurs when BGP graceful restart is configured.
Conditions: In the following configuration:
ip vrf vfifteen
rd 15:15
import ipv4 unicast map rfifteen
route-target export 150:15
route-target import 150:15
Delete the RD, and then the unicast map, and then the VRF.
Workaround: There is no feasible workaround. Try to avoid doing such an operation as explained above.
•
CSCsq15994
Symptoms: Low CPS may be observed.
Conditions: The symptoms are seen with PPPoA and PPPoE sessions.
Workaround: There is no workaround.
•
CSCsq18916
Symptoms: A copy tftp operation failed with a Socket error when the FPD of an SPA was updated or when the SPA was reloaded or OIRed.
Conditions: This symptom is related to the number of (nnets) non-virtual interfaces on the box. Depending on that, a number of SPA reloads must be done.
Workaround:
1. Reload the SPA or the router.
2. Configure one loopback interface.
•
CSCsq27365
Symptoms: A router can crash at l2tp_process_control_packet_cleanup.
Conditions: Conditions are unknown at this time.
Workaround: There is no workaround.
•
CSCsq28627
Symptoms: CPU hogs are seen in a 1-port E3 channelized OC48.
Conditions: This symptom is observed when any of the following is done:
–
controller shut/no shut
–
mic reload <slot>
–
hw-mod slot <xx> shut/no shut
–
hw-module slot <xx> reload
Workaround: There is no workaround.
•
CSCsq42001
Symptoms: The following error messages appear:
SLOT 5:*May 9 21:43:48.547: %LC_SPA_DMLP-1-SPAHWBUNDLEERROR: Could not perform required operation in SPA H/w for bundle Multilink2 in bflc_cx3_dmlp_frag_on_off
SLOT 5:*May 9 21:44:10.727: %SPA_CHOC_DSX-3-ERROR: Multilink2 (cmd 203) Serial5/0/1/8:0: response parsing failed. chnl 36, bid 1
-Traceback= 40031008 408924C0 4072B1BC 40899F64 4033DB90 4033E190 4033E5C0 4033E930 4033F448 4033F600 4015B53C 4015C020
SLOT 5:*May 9 21:44:10.735: %LC_SPA_DMLP-3-CFG_FAIL: bundle Multilink2 (id 1): bay 0 err 7 (del rx link)
Conditions: When we remove/add/remove all members from all the configured MLP bundles once or several times, these tracebacks are seen.
Workaround: There is no workaround.
Further Problem Description: spabrg EFC mapping goes to a mismatch state, and the following is seen:
SLOT 5:*May 9 21:59:26.771: %SPA_CHOC_DSX-3-HDLC_CTRL_ERR: SPA 5/0: 20 TX Chnl Queue Overflow events on HDLC Controller were encountered.
•
CSCsq42803
Symptoms: The hw-module slot x qos account layer2 encapsulation command does not take effect for an AToM connection.
Conditions: This symptom is observed when xconnect is configured under a VLAN.
Workaround: There is no workaround.
•
CSCsq44052
Symptoms: When configuring "is-type level-1" under "router isis", the following error message may be received:
% Ambiguous command: "is-type level-1"
Conditions: The symptom is observed when configuring "is-type level-1" under "router isis".
Workaround: There is no workaround.
•
CSCsq44598
Symptoms: A PA-POS-2OC3 experiences an output stuck condition.
Conditions: This issue is sporadic in nature and is sometimes seen with QoS configurations although QoS is not the cause of the issue. The issue is due to an extra interrupt, which is confusing the driver if it expires before the FIFO reaches the low point. For example, if the FIFO goes full but is filled with large packets, then it is possible that the no traffic timer will expire before the tx packets have emptied. It is a communication issue between the hardware and the driver code.
Workaround: There is no workaround.
•
CSCsq45502
Symptoms: Serials that are part of MLPPP/MFR remain in a down state.
Conditions: This symptom is observed when T1 controllers remain down.
Workaround: There is no workaround.
•
CSCsq49823
Symptoms: MDFS may get disabled in a scaled mVPN environment that has many global mroutes. Once disabled, it may keep on changing between the "active" and "disabled" states. Linecard CPU utilization may also go high.
Conditions: This symptom is observed with a Cisco IOS Release 12.0(32)S10 image.
Workaround: There is no workaround.
•
CSCsq52048
Symptoms: Router crashed while running the show vpdn tunnel all command.
Conditions: When thousands of L2TP tunnels are coming up and going down, running the show vpdn tunnel all command may result in a crash.
Workaround: There is no workaround.
•
CSCsq55258
Symptoms: After a router reloads, sometimes the configuration for the gigE and POS OC12 SPA is lost from the running configuration.
Conditions: This symptom is observed when the router is reloaded.
Workaround: There is no workaround.
•
CSCsq58341
Symptoms: If both L2 and L3 services co-exist on the same interface, you can no longer configure urpf on the L3 subinterface after the fix for CSCsl09772. After the router reloads, the urpf command will be erased from the L3 subinterface. You have to use the workaround to reapply the urpf command.
Conditions: This symptom is observed when both L2 and L3 services are configured on the same interface.
Workaround: Do the following:
1. Remove the L2 connection.
2. Add urpf on the L3 subinterface.
3. Re-add the L2 connection.
•
CSCsq62703
Symptoms: Intermediate System-to-Intermediate System (IS-IS) tries to access invalid memory address and may cause router to stop working.
Conditions: Occurs when a switch over happens and standby router becomes active.
Workaround: There is no workaround.
•
CSCsq62803
Symptoms: CPU Hog and related tracebacks are seen from the E3 Gig linecard.
Conditions: Attach a scaled policy/LC reload/router reload.
Workaround: There is no workaround.
•
CSCsq67266
Symptoms: The pos delay triggers line command is configurable at the interface level of E3 channelized POS interfaces.
Conditions: This symptom is observed on a Cisco 12416 Internet series router that is booted with the Cisco IOS Release 12.0(32)S nightly build of 05/19/08. The router contains an E3 CHOC48 linecard.
Workaround: There is no workaround.
•
CSCsq68156
Symptoms: FRF12 packets are dropped by a PE router.
Conditions: This symptom is observed on a Cisco 12000 series Internet router that has a SPA-1XCHSTM1/OC3, SPA-2XCT3/DS0, or SPA-8XCHT1/E1.
Workaround: There is no workaround.
•
CSCsq71212
Symptoms: EFC clock interrupts are causing a line card to crash.
Conditions: The conditions under which this symptom occurs are unknown.
Workaround: There is no workaround.
•
CSCsq77603
Symptoms: The RP crashes.
Conditions: With a map-class that has an egress policy with iphc action, dlci removal is done.
Workaround: Ensure that the map-class is removed and then dlci removal is done.
•
CSCsq80773
Symptoms: Slow-path multicast fragmentation is not happening correctly. One of the output interfaces is not receiving the packets in case of MVPN traffic.
Conditions: This symptom is observed with MVPN traffic with fragmentation on one of the interfaces on E5.
Workaround: There is no workaround.
•
CSCsq83540
Symptoms: A Cisco 12000 works as a PE, and an Eng5 SIP line card is used to face the CE. In the VRF, the default route 0.0.0.0 is learned from the remote PE. When the problem occurs, all traffic from the CE that is forwarded via the VRF default route is dropped.
Conditions: This symptom is observed on a Cisco 12000 Eng5 SIP line card that is running Cisco IOS Release 12.0(32)SY04, 12.0(32)SY05, or 12.0(32)SY06. When VRFs are created and deleted, new VRFs that are created will have a problem if they are allocated with a table ID allocated for older deleted VRFs.
Workaround:
1. Reload the ingress Eng5 line card that is facing the CE.
or
2. If the customer does not want to reload the line card, a second workaround can be attempted, but it is not a reliable workaround and may not always be successful. Create a new VRF without removing any VRFs, which gets a new table ID, and apply the VRF configuration completely wherever the old VRF configuration is applied.
Further Problem Description: This problem cannot be cleared by using the clear cef linecard x or clear ip route vrf xxx 0.0.0.0 commands.
•
CSCsq91217
Symptoms: A heartbeat failure causes SPAs to go out of service.
Conditions: This symptom can be observed under the following conditions:
1. Provision/unprovision the MFR with QoS attached to its subinterfaces with traffic.
2. Add/remove of QoS policy tried on MFR subinterfaces with queues having packets.
3. Link is swapped from MLPPP to MLFR.
Workaround: Reload the line card.
•
CSCsq93004
Symptoms: Removal of a subinterface may cause memory corruption or a crash. The symptoms are unpredictable.
Conditions: The symptoms are rare and will only be observed if a sub-interface is configured for mpls traffic-eng auto-tunnel primary use, and the sub-interface is later removed from the configuration.
Workaround: Do not remove sub-interfaces.
•
CSCsq96425
Symptoms: MVPN inner packet with IP option causes depletion of FrFab buffers of Cisco 12000-SIP-401.
Conditions: This symptom occurs on Cisco 12000 routers that are running the c12kprp-k4p-mz.120-32.SY2g image and with Cisco 12000-SIP-401. This is triggered by multicast traffic.
Workaround: Only a reload of the card solves the problem.
•
CSCsr08476
Symptoms: Trying to remove the MFR bundle crashes the router.
Conditions: After OIR, remove the VIP (those VIP interfaces are members of MFR bundle). Try to remove the MFR bundle.
Workaround: There is no workaround.
Further Problem Description: The MFR bundle has one Channelized PA interface as a member. OIR remove that PA seated VIP and next try to remove the bundle using the no int MFR command. The router crashes.
•
CSCsr09376
Symptoms: After a router reloads, the SPAs on a SIP601 may take twice as long to come up in OK mode. When this occurs, you also experience the problem that is documented in CSCsq55258.
Conditions: This symptom is observed after a router reloads.
Workaround: There is no workaround.
•
CSCsr11332
Symptoms: In rare situations, the show controller SONET port command might crash the RP.
Conditions: This symptom has been observed on a 4CHOC12/DS3-I-SCB= line card, but it can be seen on other similar channelized line cards. It may be reproducible by executing the show controller SONET port command on a nonexistent port like sonet 3/4 (that is, only sonet 0/0, 0/1, 0/2, and 0/3 are valid on a 4CHOC line card). When the problem can be seen, the CLI help indicates an incorrect unit number:
Router# show controller sonet 12/?
<0-48> Controller unit number
If the controller unit number is shown fine (for example, <0-3>), then the crash will not occur.
Workaround: There is no workaround.
•
CSCsr13314
Symptoms: The pos delay triggers line command is configurable on APS-enabled interfaces of E3 clear channel POS line cards. After the commit of CSCsq45452, the pos delay triggers path command is not configurable on APS-enabled interfaces of E3 channelized POS line cards.
Conditions: This symptom is observed on a Cisco 12000 series Internet router that is booted with Cisco IOS Release 12.0(32)S. The router contains ISE OC48 POS and ISE CHOC48 POS line cards.
Workaround: There is no workaround.
•
CSCsr13521
Symptoms: Memory chunk allocated for LDP-IGP Sync may leak.
Conditions: The symptom is observed on a router with a dual link to its neighbor. LDP and LDP Graceful Restart are enabled on both routers. When LDP is disabled and re-enabled globally on the neighbor router, a small memory leak occurs on this router.
To verify the memory leak, on Router 1, enable memory leak debug with the set memory debug incremental starting-time command. On Router 2, disable LDP globally with the no mpls ip command. Wait for the LDP session to go down, then re-enable LDP. On Router 1, the memory chunk leak for LDP should be seen with the sh mem debug leaks chunks command.
Workaround: There is no workaround.
•
CSCsr18851
Symptoms: When the router reloads, it loses the previously configured wavelength configuration and puts the controller at its default wavelength (channel 3), which is an undesirable behavior.
Conditions: This symptom is observed with Cisco IOS Release 12.0(33)S01 and an SPA-1X10GE-L-ITUC when a specific wavelength in the controller is configured (for example, wavelength itu-channel 41), the write memory command is issued, and then the router is reloaded.
Workaround: There is no workaround.
•
CSCsr20377
Due to an eng3 HW limitation, there is more overhead added to like-to-like Ethernet PW or Ethernet interworking PW if "hw-module slot <> qos account layer2 encapsulation length <>" is configured. Without the fix of CSCsq42803, the overhead impact is less. Request a return to the behavior of 12.0(32)SY back to pre-CSCsq42803.
•
CSCsr22043
Symptoms: A controller goes into an admin down state.
Conditions: This symptom is observed when an STS path under the SONET controller is shut down.
Workaround: Perform a no shutdown on the controller.
•
CSCsr27734
Symptoms: The standby router crashes.
Conditions: This symptom is observed when a service-policy map is removed from a VC.
Workaround: There is no workaround.
•
CSCsr27794
Symptoms: BGP does not generate updates for certain peers.
Conditions: BGP peers show a neighbor version of 0 and their update groups as converged. Out queues for BGP peers are not getting flushed if they have connection resets.
Workaround: There is no workaround other than entering the clear ip bgp * command.
•
CSCsr42364
Symptoms: All line cards may crash after a switchover in Route Processor Redundancy Plus mode.
Conditions: This issue is observed on Cisco 12000 series Internet routers with PRP2 processors. This issue usually requires multiple line-card reloads prior to the switchover. It is seen under conditions of high line-card utilization.
Workaround: There is no workaround.
•
CSCsr47477
Symptoms: After a router reloads, an mbus message sometimes times out on the SIP601 located in the lower cage of a Cisco 12816.
Conditions: This symptom is observed after a router reloads.
Workaround: There is no workaround.
•
CSCsr47795
Symptoms: After flapping the interfaces, the FIB converges and points to the correct outgoing interface, while the FIB in hardware points to another interface.
The trigger is when the interface is flapping because the default route is updated. The BGP session is always stable and never goes down.
Topology:
End customer ------(eng3)slot4 c12k_Lab_router-42 slot5 and slot6(Eng5) ------ router_B ------ Internet
The Lab-router-42 router receives a default route from the router_B neighbor.
Snapshots from the Eng3 line card on slot4:
Lab-router-42# exec slot 4 show ip hardware-cef 10.1.1.1 detail
========= Line Card (Slot 4) =========
Root: 0x240CE000 Location: 0x240CE404 Data: 0x81819380 Offset: 0x93D96404 Leaf pointer: 0x300C9C00
Leaf FCR 2 Addr 0x300C9C00 : 0xE0000100 0x0285C008 found 2 deep
SRAM Loadbalance addr 0x28170020
default alpha ip loadbalance: 0x28170020 (0 paths, hw maxpath 0)
Hash 1: alpha adjacency: 0x2001FA60 (cef adj NULL or alpha_default_lb)
[0] oi 0x200006 oq 4080 in A ab 50 hl 20 gp 19 tl 4 loq 9800 6/0/0 mtu 1520
Output interface is GigabitEthernet6/0/0 <== Here
^^^^^^ Here
1 tag: 23
current counters 95059, 5157246 last reported 93252, 5059668
Output Queue / Local Output Queue Bundle:
[0-7] output queue 0x4080 local output queue 0x9800
PLU leaf data: 0xE0000100 0x0285C008 0xA1020304 0xA5080000
Mask bits: 1 Origin AS: 0 Source lookup drop: yes QOS group: 0 Traffic index: 0 Precedence not set
Default Route: yes PBR enabled: no
While the FIB was updated to the proper outgoing interface.
LAB_router_42# exec slot 4 show ip cef 10.1.1.1
========= Line Card (Slot 4) =========
0.0.0.0/0, version 38, epoch 0, cached adjacency 10.125.72.74
0 packets, 0 bytes
Flow: AS 0, mask 0
tag information from 10.38.192.6/32, shared, all rewrites owned
local tag: 34
via 192.168.225.0, 0 dependencies, recursive
next hop 10.125.72.74, GigabitEthernet5/0/0 via 192.168.225.0/24 (Default) <=== HERE
valid cached adjacency
tag rewrite with Gi5/0/0, 10.125.72.74, tags imposed {} <=== HERE
LAB_router_42#
Conditions: This symptom is observed when there is a default route configured while running Cisco IOS Release 120(32)SY4 or 120(32)SY6 on Eng3.
Workaround: Enter clear ip route 0.0.0.0 or <default-network>.
•
CSCsr62931
Symptoms: Cisco 7500 and 10700 builds are breaking.
Conditions: The fix for CSCsq11643 is causing build breakage.
Workaround: There is no workaround.
•
CSCsr64998
Symptoms: Low BGP keepalive timer sessions flap too often during periods of high CPU utilization.
Conditions: This symptom is observed when low BGP keepalive timers are set (for example, 20/60, 10/30, 1/3). This symptom is specific to Cisco IOS Release 12.0S and 12.4T.
Workaround: Do not configure very aggressive BGP keepalive timers. Also, try not to overload the CPU.
•
CSCsr65767
Symptoms: MVPN traffic is being punted to the slowpath for packets that have a size ranging from 1476 to 1500 (minimum IP MTU of the outgoing interfaces is 1500).
Packets that have a size ranging from 1476 to 1500 are being punted to the slowpath, which is not required. During the fragmentation check, we should check the packet size with:
1) Minimum IP MTU of customer-facing interfaces.
2) Minimum IP MTU of core-facing interfaces - gre header (24).
If the size is greater than the above value, then only the packet should be punted to the slowpath for fragmentation.
Conditions: This issue applies to the MVPN on the Cisco 12000 series Internet router with an E5 line card as the egress line card. The issue is not seen with an E3 line card.
Workaround: There is no workaround.
•
CSCsr70530
Symptoms: A line card crashes.
Conditions: This symptom is observed after members of the MLPPP are swapped from one bay to another bay and vice-versa on the same line card.
Workaround: There is no workaround.
•
CSCsr70985
Symptoms: A Cisco router crashes following multiple accesses to NVRAM.
Conditions: This symptom has been observed on a Cisco 12000 series Internet router that is running Cisco IOS Release 12.0(32)SY5 when the "dir tar:" command is executed parallel with the "write memory" command. It may not be platform specific.
Workaround: Avoid using the "dir tar:" command.
•
CSCsr71139
Symptoms: The following messages are displayed in the syslog:
%QM-4-SW_SWITCH: Interface GigabitEthernet7/0/1.558 routed traffic will be software switched in egress direction(s)
Another symptom is that the "show policy-map interface" command for the affected interface displays "Class of service queue: 0" for all queues.
Conditions: These symptoms are observed on Engine 5 line cards when attaching to an interface a policy map that requires more WRED resources than what is available in the line card.
Workaround: Verify whether the line card has enough WRED resources available before attaching a new policy map to one of its interfaces.
Further Problem Description: On Engine 5 line cards, when attaching to an interface a policy map that requires more WRED resources than what is available in the line card, no verification for available WRED resources is performed and the command is accepted. This is because Engine 5 line cards, as opposed to Engine 3 line cards, have Line Card Based QoS Manager. Because the policy cannot be programmed in hardware (there are not enough RED resources), the traffic is punted to the line card CPU (that is, it is software-switched). This fix makes the error message more prominent.
•
CSCsr79573
Symptoms: The member link of a multilink bundle goes into an up/down state.
Conditions: This symptom is observed when multilink is swapped from one multilink bundle to another multilink bundle through a script.
Workaround: Enter the "hw-module subslot <slot#/subslot#> reload" command.
•
CSCsr80321
Symptoms: Commands cannot be sent to the SPA.
Conditions: This symptom is observed when the members of MLPPP and MLFR are swapped.
Workaround: Reload the line card.
•
CSCsr83626
Symptoms: The line card in slot 0 does not boot up completely. It does not go past the UP IOS state.
Conditions: This symptom is observed after upgrading the router to Cisco IOS Release 12.0(32)SY5 and having the ATM line card in slot 6 send an LAIS alarm.
Workaround: Move the ATM card to another slot, or shut down the ATM line card in slot 6.
•
CSCsr85656
Symptoms: On removal of an xconnect from the L2 transport PVC (ATM portmode), the policy map is not removed and entries still exist.
Conditions: This symptom is observed when an xconnect is removed from the L2 transport PVC (ATM portmode).
Workaround: Remove the policy map first and then remove the xconnect configuration.
•
CSCsr99670
Symptoms: Channelized SPAs on Engine-5 line cards might go to out-of-service.
Conditions: There should be all kinds of interfaces (with encapsulations hdlc/ppp/fr/gige l2fwding enabled on some interfaces) in the same Engine-5 line card.
Workaround: Reload the Engine-5 line card.
•
CSCsr99774
Symptoms: An engine 5 line card is queueing on egress the GRE precedence rather than the original IP packet precedence.
Conditions: This symptom is observed under the following conditions:
1. Send MVPN traffic.
2. Configure an egress QoS policy on the decap side.
3. Configure a QoS policy in the core to set the GRE IP precedence.
Workaround: There is no workaround.
•
CSCsu09595
Symptoms: A SIP-601 crashes while changing the CRC/encap/MTU on MLPPP and MFR.
Conditions: This symptom is observed under the following conditions:
1. Change the CRC of the members of the bundle (from crc 16 to 32 and then back again to crc 16).
2. Remove the members from the bundle.
3. Add serials back to MFR and MLPPP.
4. Change the MTU.
5. Flap the links (serials and bundle).
Workaround: There is no workaround.
•
CSCsu12040
Symptoms: BGP neighbors that are configured with as-override and send-label (CsC) together may not work after an interface flap or service reset.
Conditions:
neighbor xxx as-override
neighbor xxx send-label
Workaround: Enter the "clear ip bgp * soft in" command.
Further Problem Description: Peers (neighbors) with a CsC (IPv4+label) BGP configuration with the as-override option should be separated into different dynamic update groups during the BGP update generation process. After the CSCef70161 fix in Cisco IOS Release 12.0(32)SY4, this is no longer the case; this CSCsu12040 fix enhances the CSCef70161 fix to handle the CsC (IPv4+label) case separately.
•
CSCsu12146
Symptoms: On a Cisco 12404 that is running Cisco IOS Release 12.0(32)SY5, a SIP-401 reloads when lawful intercept (LI) is used on it.
Conditions: This symptom is observed when LI is activated.
Workaround: Deactivate LI.
•
CSCsu21668
Symptoms: "carve-level 0" is being used in SY5 nodes (SIP-601) to avoid unnecessary buffer recarving and subsequent traffic disruption.
Conditions:
carve-level 0
Workaround: There is no workaround.
•
CSCsu41968
Symptoms: On a Cisco 7500 with an HA setup, the "show controller t3" command is showing framing as M23 on the active and as C-bit on the standby. So the "loopback remote" configuration is rejected on the active and is accepted on the standby.
Conditions: This symptom is observed when the "show controller t3 1/1/0" command is issued.
Workaround: There is no workaround.
Further Problem Description: Because of the framing mismatch, the standby might crash due to sync issues.
•
CSCsu45425
Symptoms: The Label Forwarding Information Base (LFIB) shows incorrect information for a Global BGP prefix after a route flap. The LFIB/FIB shows the prefix as having a tag when it should not. The routing table is correct.
Conditions: Occurred on a Cisco 12000 router running Cisco IOS Release 12.0(33)S1.
Workaround: Enter the clear ip route command.
•
CSCsu86371
Symptoms: The connect command that is used to configure FRoMPLS is rejected.
Conditions: This symptom is observed with E0/E2 cards and E3/E5 MFRs.
Workaround: There is no workaround.
•
CSCsv04345
Symptoms: A GRP crashes with DWDM.
Conditions: This symptom is observed when the "show controllers dwdm" command is issued.
Workaround: There is no workaround.
•
CSCsv21489
Symptoms: Traffic is dropped on an FR subinterface with IPHC configurations when the SPA reloads.
Conditions: This symptom is observed when IPHC is configured.
Workaround: Shut/no shut the affected main interface (for the subinterfaces).
•
CSCsv30035
Symptoms: ICMP packets get corrupted when PXF is enabled.
Conditions: This symptom is observed when PXF is enabled.
Workaround: Disable PXF.
Resolved Caveats—Cisco IOS Release 12.0(33)S1
All the caveats listed in this section are resolved in Cisco IOS Release 12.0(33)S1. This section describes only severity 1, severity 2, and select severity 3 caveats.
•
CSCeb69473
Symptoms: Device crashes with a segmentation violation (SegV) exception.
Conditions: Occurs when the connect target_ip [login|513] /terminal-type value command is entered with a large input parameter to the terminal-type argument such as the following:
router>connect 192.168.0.1 login /terminal-type aaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Trying 192.168.0.1...Open
login:
*** System received a SegV exception ***
signal= 0xb, code= 0x1100, context= 0x82f9e688
PC = 0x61616160, Vector = 0x1100, SP = 0x833ae5a8
Workaround:
AAA Authorization
AAA authorization enables you to limit the services available to a user. When AAA authorization is enabled, the network access server uses information retrieved from the user's profile, which is located either in the local user database or on the security server, to configure the user's session. Once this is done, the user will be granted access to a requested service only if the information in the user profile allows it.
For a complete description of authorization commands, refer to the following links:
Configuring Authorization http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part05/schathor.htm
ACS 4.1 Command Authorization Sets http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/SPC.html#wpxref9538
ACS 4.1 Configuring a Shell Command Authorization Set for a User Group http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/GrpMgt.html#wp480029
Role-Based CLI Access
The Role-Based CLI Access feature allows the network administrator to define "views," which are a set of operational commands and configuration capabilities that provide selective or partial access to Cisco IOS EXEC and configuration (Config) mode commands. Views restrict user access to Cisco IOS command-line interface (CLI) and configuration information; that is, a view can define what commands are accepted and what configuration information is visible. Thus, network administrators can exercise better control over access to Cisco networking devices. The following link provides more information about the Role-Based CLI Access feature:
Role-Based CLI Access http://www.cisco.com/en/US/netsol/ns696/networking_solutions_white_paper09186a00801ee18d.shtml
Device Access Control
Due to the nature of this vulnerability, networking best practices such as access control lists (ACLs) and Control Plane Policing (CoPP) that restrict vulnerable device access to certain IP addresses or subnetworks may not be effective. Device access best practices provide some mitigation for these issues by allowing systemic control of authenticated and unauthenticated users. Device access best practices are documented in:
Infrastructure Protection on Cisco IOS Software-Based Platforms Appendix B-Controlling Device Access http://www.cisco.com/application/pdf/en/us/guest/products/ps1838/c1244/cdccont_0900aecd804ac831.pdf
Improving Security on Cisco Routers /en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml
•
CSCee29138
Symptoms: The ciscoMemoryPoolType returns the wrong value for all memory types, except processor.
Conditions: This symptom is observed on a Cisco platform that runs Cisco IOS Release 12.2 S, 12.3, or 12.3 T.
Workaround: There is no workaround.
•
CSCek63384
Symptoms: A service policy is unexpectedly removed.
Conditions: This symptom is observed when you apply a service policy to a multilink interface and then the interface is reset.
Workaround: There is no workaround to prevent the symptom from occurring. When the symptom has occurred, reconfigure the service policy after the multilink interface has been brought up.
•
CSCek78237
Symptoms: A short CPU hog is seen in the ATM PA Helper process when an interface flaps and the framing configuration is modified on the interface.
Conditions: This symptom is observed on a Cisco 7200 with a PA-A3-T3 adapter that is running Cisco IOS Release 12.2(25)S or 12.2(31)SB (and possibly other Cisco IOS releases).
Workaround: There is no workaround.
Further Problem Description: The CPU hog is enough to cause OSPF adjacencies (with fast hello) to go down on other unrelated interfaces. The same problem is seen if BFD is configured.
•
CSCek79178
Symptoms: The dot1q tunneling ethertype 0x9100 interface configuration command disappears from the main interface after a route processor (RP) switchover.
Conditions: This symptom is observed after an RP switchover.
Workaround: There is no workaround.
•
CSCsb63652
Symptoms: BGP convergence is very slow, and CPU utilization at the BGP Router process is always near 100 percent during the convergence at the aggregation router. This issue shows the following tendencies:
1) The greater the number of component prefixes that belong to the aggregate-address entry, the more significantly convergence slows at the aggregation router.
2) The greater the number of duplicate aggregation component prefixes for the aggregate-address entry, the more seriously convergence slows at the aggregation router.
Conditions: Any release would be affected if "aggregate-address" is configured and routing updates are received every few seconds.
Workaround: Remove the "aggregate-address".
Further Problem Description: If you configure "aggregate-address" lines after BGP convergence has been achieved, the BGP process only holds about 60 or 80 percent of the CPU for about 1 minute. However, if you do peer reset after "aggregate-address" entries have been configured, the convergence time is about 32 minutes (it is about 6 minutes if "aggregate-address" entries are removed).
•
CSCse50781
Symptoms: After executing the no ipv6 multicast-routing command on a dual-RP router, IPC communication to the standby RP may be broken, and the following messages may be seen every minute:
%IPCGRP-3-ERROR: standby set time: timeout seen
Conditions: This symptom is observed on a Cisco 12000 series router that is running the c12kprp-p-mz image of Cisco IOS Release 12.0(32)SY.
Workaround: Reload the router.
Further Problem Description: This bug is seen only while operating in SSO mode (not in RPR mode).
•
CSCse56501
A device running Cisco IOS software that has Internet Protocol version 6 (IPv6) enabled may be subject to a denial of service (DoS) attack. For the device to be affected by this vulnerability, the device also has to have certain Internet Protocol version 4 (IPv4) User Datagram Protocol (UDP) services enabled. To exploit this vulnerability, an offending IPv6 packet must be targeted to the device. Packets that are routed through the router cannot trigger this vulnerability. Successful exploitation will prevent the interface from receiving any additional traffic. The only exception is the Resource Reservation Protocol (RSVP) service, which, if exploited, will cause the device to crash. Only the interface on which the vulnerability was exploited will be affected.
Cisco is providing fixed software to address this issue. There are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at /en/US/products/products_security_advisory09186a008096986d.shtml
•
CSCse75697
Symptoms: When an ATM interface is configured with an IMA group and when you enter the clock source line command, the router may crash.
Conditions: This symptom is observed on a Cisco router that integrates the fixes for caveats CSCin90422 and CSCsb68536.
Workaround: There is no workaround.
Further Problem Description: The symptom occurs because the default clocking has been changed to "internal" via the fixes for caveats CSCin90422 and CSCsb68536. The fix for this caveat, CSCse75697, sets the default clocking back to "line."
•
CSCse92050
Symptoms: A router may reload unexpectedly when a routing event causes multicast boundary to be configured on a Reverse Path Forwarding (RPF) interface.
Conditions: This symptom is observed on a Cisco platform that is configured for PIM.
Workaround: Remove multicast boundary from the configuration.
•
CSCsg08751
Symptoms: Route Switch Processor (RSP) may crash when flash card is removed from RSP slot.
Conditions: This has been seen on RSP running Cisco IOS Release 12.4(10).
Workaround: There is no workaround.
•
CSCsg35077
Symptoms: A device that is running Cisco IOS software may crash during processing of an Internet Key Exchange (IKE) message.
Conditions: The device must have a valid and complete configuration for IPsec. IPsec VPN features in Cisco IOS software that use IKE include Site-to-Site VPN tunnels, EzVPN (server and remote), DMVPN, IPsec over GRE, and GET VPN.
Workaround: Customers that do not require IPsec functionality on their devices can use the no crypto isakmp enable command in global configuration mode to disable the processing of IKE messages and eliminate device exposure.
If IPsec is configured, this bug may be mitigated by applying access control lists that limit the hosts or IP networks that are allowed to establish IPsec sessions with affected devices. This assumes that IPsec peers are known. This workaround may not be feasible for remote access VPN gateways where the source IP addresses of VPN clients are not known in advance. ISAKMP uses port UDP/500 and can also use UDP/848 (the GDOI port) when GDOI is in use.
Further Problem Description: This bug is triggered deep into the IKE negotiation, and an exchange of messages between IKE peers is necessary.
If IPsec is not configured, it is not possible to reach the point in the IKE negotiation where the bug exists.
•
CSCsg42672
Symptoms: On a Cisco router running Cisco IOS Release 12.0(32)S4 and configured with BGP and peer-groups, if the Fast Peering Session Deactivation feature is configured in the peer-group, the router automatically appends to the command a route-map with the same name as the peer-group.
Conditions: Occurs with the following configuration sequence:
RR#conf t
Enter configuration commands, one per line. End with CNTL/Z.
RR(config)#router bgp 65001
RR(config-router)#neighbor rrs-client fall-over ?
  bfd        Use BFD to detect failure
  route-map  Route map for peer route
  <cr>
RR(config-router)#neighbor rrs-client fall-over
RR#sh ru
<snip>
router bgp 65001
 neighbor rrs-client peer-group
 neighbor rrs-client remote-as 20959
 neighbor rrs-client update-source Loopback0
 neighbor rrs-client fall-over route-map rrs-client <<<<<<<
The route-map does not exist.
Workaround: Configure the neighbor individually or use peer-templates.
•
CSCsh31546
Symptoms: Applying L4 operators (used with an ACL) on many interfaces at the same time generates a traceback.
Conditions: There is no set procedure for generating the traceback. You must play around with the configuration to generate it.
Workaround: Configure the ACL batch by batch; for example, 20 to 30 interfaces at a time.
•
CSCsh75224
Symptoms: The RP crashes in IFS code when an SSH or Telnet session is established while the switch is attempting to download a configuration.
Conditions: Occurs on a Cisco Catalyst 6509.
Workaround: There is no workaround.
•
CSCsj12867
Symptoms: The following message can be seen after executing the write memory command, even though the version has not been changed.
Router# write memory
Warning: Attempting to overwrite an NVRAM configuration previously written by a different version of the system image. Overwrite the previous NVRAM configuration?[confirm]
The router then restarts with the following traceback:
-Traceback= 6067F3DC 6067FB38 605E3FE8 60686384 605E3FE8 605188BC 60518830 605444D4 60539164 6054719C 605AB65C 605AB648
Conditions: This symptom is observed on a Cisco 7206 VXR (NPE-400) with C7200-IO-FE-MII/RJ45= or C7200-I/O= running the Cisco IOS Release 12.2(24a) interim build.
Workaround: There is no workaround.
•
CSCsj21785
Symptoms: A Traffic Engineering (TE) tunnel does not re-optimize to explicit path after an MTU change.
Conditions: The TE tunnel is operating via explicit path. The MTU on the outgoing interface is changed. OSPF flaps and does not come up because there is an MTU mismatch (the MTU is not changed on the peer router). Meanwhile, the TE tunnel re-optimizes to a dynamic path-option as expected. The MTU is then reverted to the previous value, and the OSPF adjacency comes up. The TE tunnel does not re-optimize to the explicit path. Manual re-optimization of the TE tunnel fails as well, and the TE tunnel sticks to the dynamic path.
Workaround: Enter the shutdown command followed by the no shutdown command on the particular interface.
•
CSCsj68299
Symptoms: The line card crashes when the interface MTU is changed.
Conditions: This symptom is observed when having both ingress and egress E0 cards with MPLS in the core and when an ATOM tunnel is configured on the egress line card.
Workaround: Before changing the MTU, stop the traffic across all the E0 line card interfaces. You can resume traffic after changing the MTU.
•
CSCsj74173
Symptoms: Egress E0 - Two ports OC3 channelized to DS1/E1 are crashing continuously just as traffic starts.
Conditions: E0 - In an IP->Tag fragmentation case with E4/E4P/E6 POS cards as the ingress and E0 as the egress card, for certain frame sizes larger than the egress MTU, the E0 egress card crashes. This happens only with the E0 card as egress.
Workaround: Make sure that the packets sent are less than the egress MTU of the E0 linecard to avoid any fragmentation.
•
CSCsj99269
Symptoms: With some VPN configurations, such as configurations with a multipath import or an import map, the CPU usage of the router may be very high for a long time, even after BGP convergence has occurred.
Conditions: This symptom is observed on a Cisco router that functions in a highly scaled environment involving several hundred VRFs and occurs after the router has been reloaded or after a switchover has occurred.
Workaround: There is no workaround.
•
CSCsk10104
Symptoms: MPLS-TE tunnels do not come up after a core interface is brought down and then up again by entering the shutdown command followed by the no shutdown command.
Conditions: This symptom is observed when there are 200 MPLS-TE tunnels and 1000 VRFs configured on an NES-150 and when entering the shutdown command followed by the no shutdown command for the core interface when the traffic is on for all 1000 VRFs end to end.
Workaround: Enter the no mpls traffic-eng tunnels command followed by the mpls traffic-eng tunnels command, and all tunnels come up.
•
CSCsk15805
Symptoms: If you shut down a TE tunnel interface and you have a static route through the tunnel, the routing table is not updated immediately but only when the static scan runs (every minute by default).
Conditions: The problem does not occur if the static route points to a physical interface. It happens only with TE tunnel interfaces when the ip routing protocol purge command is configured.
Workaround: Remove the ip routing protocol purge command or tune the adjust timer (ip route static adjust-time command).
•
CSCsk26165
Symptoms: A router may crash because of a bus error.
Conditions: The router must be configured for L2TP.
Workaround: There is no workaround.
•
CSCsk30571
Symptoms: Field diagnostics fail (indicating a DOWNLOAD FAILURE) on the standby PRP2 when the PRP2 has 4 GB of memory installed.
After 40 minutes, the default download time limit, field diagnostics declare a download failure and reload the board. The failure message for this looks like the following:
---------------------------------------------------------------------------
Field Diagnostic: ****DOWNLOAD FAILURE**** while preparing slot {#}
Field Diag eeprom values: run 3 fail mode 5 (DOWNLOAD FAILURE) slot {#}
last test failed was 0, error code 0
Shutting down diags in slot {#}
Board will reload
---------------------------------------------------------------------------
Conditions: This symptom is observed for any release of Cisco IOS software when you attempt to run field diagnostics on a standby PRP that has 4 GB of memory.
Workaround: There is no workaround.
•
CSCsk34458
Symptoms: An E5 line card with a 1x10GE SPA can crash when the laser of a JDSU T-BERD 8000 testset that is connected to the 10GE interface is enabled.
Conditions: This symptom is observed on a router that contains an E5 line card with a 1x10GE SPA and redundant PRP-2 processors that are booted with the c12kprp-p-mz.12.0(32)S7 image and that are running in RPR+ mode.
Workaround: There is no workaround.
•
CSCsk36276
Symptoms: Traceback seen at tfib_post_table_change_label_request_needed.
Conditions: Occurs during SSO switchover on a Cisco 7606 router.
Workaround: There is no workaround.
•
CSCsk36552
Symptoms: Some packet flows may be dropped when the next-hop is load-shared between an MPLS-TE tunnel and a physical interface. During this problem, the next-hop entry for the physical interface is invalid in the hardware-CEF table on the ingress line card. As a result, packet flows whose hash calculation selects the invalid entry are dropped. Flows that look up the tunnel interface are not affected.
You can check the detail of hardware-CEF table for this problem by entering the show ip hardware-cef prefix detail command in Engine 3 and Engine 5.
Conditions: This problem occurs when the next-hop is load-shared between MPLS-TE and a physical interface. This problem may be observed when using Engine 3 or Engine 5 as the ingress line card on a GSR.
Workaround: There is no workaround.
•
CSCsk55692
Symptoms: A Cisco 7500 series router that is running Cisco IOS Release 12.2SB and Release 12.0S continues to see output drops after an output policy containing the police feature is configured and then unconfigured on a logical interface. On a Cisco 7507 router that is running Cisco IOS Release 12.0(32)S9, reconfiguring fair-queue causes the VIP to crash by signal = 10.
Conditions: The problem is caused when installing a policy with police on a logical interface: Subinterface, ATM PVC, Frame Relay DLCI, etc. After removal of such policy, the interface continues to police traffic. If the interface is configured with FR and the fair-queue is reconfigured, the VIP crashes.
Workaround: There is no workaround. The router has to be reloaded to correct the behavior.
•
CSCsk60112
Symptoms: Uninitialized memory causes failures when a label switched path (LSP) ping is performed.
Conditions: This error occurs when the allocated memory is non-zero.
Workaround: There is no workaround.
•
CSCsk61790
Symptoms: Syslog displays password when copying the configuration via FTP.
Conditions: This symptom occurs when copying via FTP. The Syslog message displays the password given by the user as part of syntax of FTP copy.
Workaround: There is no workaround.
•
CSCsk66339
Symptoms: On a Cisco 7600 router running Cisco IOS Release 12.2(18)SFX6 with intermediate system-to-intermediate system (IS-IS) and traffic engineering (TE) configured, IS-IS should remove the native path from its local RIB and call RIB code to remove the path from the global RIB, but this fails: either the "delete" message is not passed to the RIB properly, or the RIB does not react when it receives the "delete" call.
Conditions: The show mpls traffic-engineering tunnel command output may indicate "Removal Trigger: setup timed out" status.
Workaround: Perform a shut/no shut on the interface or change the metric temporarily to force an update with the tunnel mpls traffic-eng autoroute metric 1 command.
•
CSCsk67111
Symptoms: Watchdog timeout seen after switchover.
Conditions: Occurs when high availability RPR mode is configured on a Cisco 7500 router.
Workaround: There is no workaround.
•
CSCsk78725
Symptoms: The router crashes while the T1 controller configuration is being entered. This happens on the 8-port multichannel T1/E1 8PRI PA (PA-MC-8TE1+).
Conditions: Occurs on a router running Cisco IOS Release 12.4(17.7) and Cisco IOS Release 12.4(17.4)T1.
Workaround: There is no workaround.
•
CSCsk81155
Symptoms: OSPFv3 loses hello packets causing neighbors to flap.
Conditions: Occurs on a Cisco GSR router running Cisco IOS Release 12.0(32)S7 and later when TE tunnels are configured.
Workaround: There is no workaround.
•
CSCsk81725
Symptoms: All E6 line cards are holding incorrect output slot information in hardware CEF for default route. At the same time, other E4+ and E2 LCs have no problem with hardware CEF.
Conditions: Unknown.
Workaround: Use the clear ip route 0.0.0.0 command.
•
CSCsk82701
Symptoms: Hot Standby Routing Protocol (HSRP) Virtual IP address is unreachable. IP address assigned to the interfaces is reachable.
Conditions: The problem was seen in GSRs with different SPAs. It occurs only when a line card is installed for the first time or is moved between slots, and only if the same interface is both configured for HSRP and assigned to a VPN routing/forwarding (VRF) instance.
interface GigabitEthernet3/0/0.5
 ip vrf forwarding
 ip address X.X.X.2 X.X.X.X
 standby 1 ip X.X.X.1
 standby 1 priority 110
 standby 1 preempt
Workaround: Reload both the active and the standby router; if you reload only the active router, the standby router may hit the problem once it becomes active. Alternatively, remove the HSRP configuration before moving the line card.
•
CSCsk98123
Symptoms: Tx traffic may get dropped due to a "precam 1 exception."
Conditions: This symptom is observed when vrf vlite and strict URPF are configured on the interfaces. It happens in all releases when adjacency indexes from 65528 to 65531 are used in TX SRAM adjacency programming on line cards. It happens only on port 0. Strict URPF is not a required condition; the symptom can occur without it.
Workaround: To recover, remove and re-apply the configuration on the interface when the problem is seen. Entering the shutdown command followed by the no shutdown command on the interface also works, provided the interface is not allocated an adjacency index within 65528 and 65532. Configuring or removing URPF/PBR also clears the condition.
Alternate Workaround: Do not use port 0 on the line card. Using a subinterface will mitigate the issue.
•
CSCsl01921
Some packet flows dropped in nexthop load-sharing between TAG and IP
•
CSCsl03699
Symptoms: SPA-4XCT3/DS0 serial interface went down.
Conditions: Connected the shared port adapter (SPA) back to back and configured remote loopback from one router and entered t1 1 bert channel-group 0 pattern 2^11 interval 1. BERT ran successfully, then the serial interface went down.
Workaround: Perform a shut/no shut on the controller or serial interface.
•
CSCsl06336
Symptoms: When the maximum-paths n import command is unconfigured, for example, a no maximum-paths n import m command is issued for a VPN/VRF on a router, sometimes the routes in that VPN may have duplicate path entries.
For example:
diezmil#sh ip bgp vpnv4 v v1001 10.0.20.0
BGP routing table entry for 100:1001:10.0.20.0/24, version 1342275
Paths: (2 available, best #1, table v1001)
Flag: 0x420
  Not advertised to any peer
  65164, imported path from 100:1:10.0.20.0/24
    192.168.1.7 (metric 4) from 192.168.1.254 (192.168.1.254)
      Origin IGP, metric 1552, localpref 80833, valid, internal, best
      Extended Community: RT:100:1001
      Originator: 192.168.1.7, Cluster list: 192.168.2.7
      mpls labels in/out nolabel/291
  65164, imported path from 100:1:10.0.20.0/24
    192.168.1.7 (metric 4) from 192.168.1.253 (192.168.1.253)
      Origin IGP, metric 1552, localpref 80833, valid, internal
      Extended Community: RT:100:1001
      Originator: 192.168.1.7, Cluster list: 192.168.2.7
      mpls labels in/out nolabel/291
Workaround: The least resource-intensive workaround is to configure and unconfigure a dummy import map under that VPN/VRF. Clearing the affected BGP sessions on PEs also resolves the issue.
•
CSCsl07297
Symptoms: The router may crash when a sequence of commands is executed in quick succession.
Conditions: Occurs when a Border Gateway Protocol (BGP) neighbor belongs to a particular peer group and the following commands are entered in quick succession:
* no neighbor a.b.c.d peer-group pgroup-name
* no neighbor a.b.c.d description xyz
If these commands are executed quickly, such as when they are pasted into the interface, the router may crash.
Workaround: Use the no neighbor a.b.c.d peer-group pgroup-name command to remove the neighbor. This command removes the neighbor and eliminates the need for the second command.
•
CSCsl09752
Symptoms: Packet drops occurring on PE router.
Conditions: Occurs after sending traffic from VPN routing/forwarding (VRF). Traffic is stopped until the mroute entries get cleared. When traffic is sent from core, packets are dropped.
Workaround: Reload the line card.
•
CSCsl10053
Symptoms: After the GSR is booted and is up and running, the line card crashes the first time a DWDM SPA is inserted in the line card. After the line card restarts, subsequent OIRs are fine.
Workaround: Before the GSR boots, keep the DWDM SPA inserted in the line card, and then boot the GSR.
•
CSCsl11335
Symptoms: The number of entries obtained from the "ciscoMvpnBgpMdtUpdateTable" table using the getmany command is incorrect.
Conditions: Occurred on a Cisco 7200 router running Cisco IOS version 12.4(17.9)T.
Workaround: There is no workaround.
•
CSCsl15026
Symptoms: Configuration applied to a multilink interface is not reflected on the interface.
Conditions: Occurs when a configuration is applied immediately after adding the first link to a multilink PPP or a multilink frame-relay bundle. It affects any configuration applied to the main interface or to the sub-interface of the bundle. The problem does not occur when adding subsequent member links to the bundle.
Workaround: After adding the first link, wait 15 seconds before applying any configuration to the bundle interface or on the sub-interface. If any of the configurations are missing, re-apply them.
•
CSCsl16385
Symptoms: Line card reloads.
Condition: Occurs after high-availability switchover and caused by excessive number of control messages.
Workaround: There is no workaround.
•
CSCsl17766
Symptoms: Attempting to configure serial interfaces results in the following message and a traceback:
%FIB-2-HW_IF_INDEX_ILLEGAL: Attempt to create CEF interface for Serialx/x with illegal index: -1
Conditions: When this happens the "ifindex" table appears to be incorrect on the PRP as a result of a race condition related to online insertion and removal (OIR) events. This problem should only occur if SSO or RPR+ redundancy is configured.
Workaround: If this happens on an HA-protected Active RP, check whether the Standby RP has good if-index values for all interfaces by running the show idb EXEC command on the Standby RP. If so, then do an RP switchover, so the RP with good interface indexes becomes the Active RP.
If the Standby RP shows this symptom, reload the Standby RP and check that after it comes up it has good if-index values, which should happen in most cases.
•
CSCsl18488
Symptoms: BERT continues to run on a T1 channel of SPA-1XCHSTM1/OC3.
Conditions: Occurred when a SPA-1XCHSTM1/OC3 shared port adapter (SPA) was connected back-to-back and configured with 12 T1 links with a network loopback from the other router. The following steps cause the problem:
1) Run normal bert patterns on 6 T1 channels
2) Once the bert is done run atlas bert pattern on 4 T1 channels
3) Later run atlas bert pattern on 4 T1 channels.
Workaround: Reload the SPA.
•
CSCsl28278
Symptoms: Routes and packets are lost.
Conditions: Occurs because NSF restart is not recognized by some of the neighbors after a router restarts.
Workaround: There is no workaround.
•
CSCsl29991
Symptoms: Link flaps after reload.
Conditions: Occurs with an Engine 5 line card and 5x1GE shared port adapter (SPA) following a reload of the SPA or line card.
Workaround: There is no workaround.
•
CSCsl30331
Symptom: Prefixes are allowed by the outbound route-map even though the match condition is met and the action is set to deny.
Conditions: Occurs in the following scenario:
1. The iteration with the deny action contains a match community.
2. The continue statement is used in one of the previous iterations.
Workaround: If there is single match clause based on NLRI, the condition is avoided.
Further Problem Description: Route-maps can be used without continue to avoid the problem.
•
CSCsl31683
Symptoms: PC error messages are seen along with tracebacks and SPA console is not available while running atlas BERT.
Conditions: The issue is seen when running atlas BERT on CHSTM1.
Workaround: Reload the SPA.
•
CSCsl31789
Symptoms: RP crashed with MLPPP provisioning/unprovisioning, followed by SPA reload.
Conditions: RP crashed with MLPPP provisioning/unprovisioning, followed by SPA reload.
Workaround:
•
CSCsl32142
Symptoms: A router may reload after reporting SYS-3-OVERRUN or SYS-3-BADBLOCK error messages. SYS-2-GETBUF with 'Bad getbuffer' error may also be reported.
Condition: Occurs when PIM auto-RP is configured and IP multicast boundary is enabled with the filter-autorp option.
Workaround: Configure IP multicast boundary without the filter-autorp option.
•
CSCsl32220
Symptoms: A Cisco 12000 router running Cisco IOS Release 12.0SY may experience intermittent communications problems over bridged VCs, and ARP entries are not repopulated.
Conditions: Occurs when VC is configured for half-bridging and the router is running Cisco IOS Release 12.0SY.
Workaround: Use Cisco IOS Release 12.0S or, use VCs with routed encapsulation.
•
CSCsl33471
Symptoms: Anyphy value changes after channel group BERT.
Conditions: Anyphy value changes after channel group BERT for an interface if another interface on the same SPA with a lower anyphy value is deleted.
Workaround: Reload the line card.
•
CSCsl36013
Symptoms: A Cisco 12000 series router with an Engine 0 ATM OC12 line card may experience a problem in which a Layer 2 adjacency rewrite string for an ATM PVC becomes invalid. The invalid rewrite results in packets being forwarded out the interface with the wrong Layer 2 details prepended.
Conditions: This symptom is observed on a Cisco 12000 series router with an Engine 0 ATM OC12 line card.
Workaround: Use the following command for the affected IP address:
clear ip arp x.x.x.x
Further Problem Description: This problem can be identified using the execute-on [slot#] show controller rewrite Cisco IOS command, compared to the rewrite string in the show adjacency internal command:
Router# execute-on 1 show controller rewrite
========= Line Card (Slot 1) =========
Local MAC rewrite table
Interface   Address       Output_Info
--------------------------------------------------------
...
ATM1/0.1    192.168.1.1   0x1C062340 4BA72000AABA031180C2000700000004
                          757122D600081008B0560800 <-- incorrect
...
Router# execute-on all show adjacency internal
========= Line Card (Slot 1) =========
Protocol Interface   Address
...
IP       ATM1/0.1    192.168.1.1(9)
                     131229862 packets, 74135640171 bytes
                     02710100AABA031180C2000700000017
                     E0DC040200072009B0450800 <-- correct
...
Router# clear ip arp 192.168.1.1
Router# execute-on 1 show controller rewrite
========= Line Card (Slot 1) =========
Local MAC rewrite table
Interface   Address       Output_Info
--------------------------------------------------------
...
ATM1/0.1    192.168.1.1   0x1C025340 6EA82000AABA031180C2000700000017
                          E0DC040200072009B0450800 <-- correct
...
•
CSCsl36723
Symptoms: A SIP401/SIP600 may crash upon a primary CSC failover. FIA Halt related error messages are also seen.
Conditions: This symptom is observed upon a primary CSC failover.
Workaround: There is no workaround.
•
CSCsl41107
Symptoms: When explicit-null packets are received on URPF bundle, there is a possibility of BMA errors and crash.
Conditions: Occurs when explicit-null and URPF are configured.
Workaround: There is no workaround.
•
CSCsl43394
Symptoms: Standby RSP reloads and has problems syncing configuration when DS1 controller is removed from DS3 configuration.
Conditions: This problem is seen when SSH is enabled on the router and DS1 controller is added or deleted from the configuration.
Workaround: There is no workaround.
•
CSCsl43723
Symptoms: SIP-400 crashed.
Conditions: Occurs after repeated provision/unprovision of ML bundle.
Workaround: There is no workaround.
•
CSCsl43735
Symptoms: Multiple OI and OQ information which are same for an (S, G) mroute (MGID) on conga.
Conditions:
1. An E3 card with Multicast output interfaces configured.
2. Colliding sources for same multicast group (S1, G) and (S2, G) for above output interfaces.
3. No Egress QoS in the above interfaces.
Workaround:
1. Reload the E3 LC.
2. Do not have colliding sources for multicast.
•
CSCsl47221
Symptoms: Traffic may stop because of spurious memory access.
Conditions: Occurs after shutting the qinq subinterface.
Workaround: Perform a shut/no shut on the subinterface.
•
CSCsl47637
Symptoms: Cisco 12000-SIP-401 with SPA-8X1FE-TX-V2 stops forwarding traffic.
Conditions: Occurs on Cisco 12000 routers running the c12kprp-k4p-mz.120-32.SY2g image and with 12000-SIP-401 and SPA-8X1FE-TX-V2. Another three shared port adapters (SPA) were also present. Possibly triggered by multicast traffic.
Workaround: Only a reload of the card/SPA solves the problem.
•
CSCsl50271
Symptoms: An Open Shortest Path First (OSPF) enhancement, to avoid a suspend when link state update packets are sent, may result in a router crash.
Conditions: The symptoms are observed in a scenario with 3k tunnels. Both unconfiguring the loopback interface and deleting the loopback interface trigger the same code path that may lead to OSPF suspension.
Workaround: There is no workaround.
Further Problem Description: The problem actually exists in all branches. However, this is a timing issue.
•
CSCsl51587
Symptoms: The channelized SPA is in admin down state. When the show hw-module subslot x brief command is entered on the LC, the LC may crash.
Conditions: Unknown at this time.
Workaround: There is no workaround.
•
CSCsl51615
Symptoms: Channelized shared port adapter (SPA) out of service after active RP crash.
Conditions: Occurs because of heartbeat failure.
Workaround: Reload the SPAs.
•
CSCsl53811
Symptoms: Some FRR database entries become active after reoptimization. Traffic on an LSP that becomes FRR active is forwarded to the wrong path and continues to drop.
Conditions: This problem may happen when manual or timer reoptimization is performed during convergence. This problem may happen when "Tunnel head end item" and "LSP midpoint item" in FRR database have more than one entry in each item. This problem may happen when midpoint entry in "LSP midpoint item" is the LSP using "loose" path-option on a headend router.
Workaround: There is no workaround.
Further Problem Description: If this problem occurs, the FRR database state and the traffic recover when "shutdown" / "no shutdown" is entered on the primary tunnel or the backup tunnel. If a longer reoptimization timer is configured, or manual reoptimization is performed after convergence, this problem may not occur.
•
CSCsl60370
Symptoms: The GSR does not soak SLOS and brings down the interface immediately.
Conditions: The issue occurs only when the GSR redundancy switchover happens.
Workaround: There is no workaround.
•
CSCsl62276
Some packet flows dropped in nexthop load-sharing between TAG and IP
•
CSCsl63038
Symptoms: Provider edge (PE) not learning MAC addresses as expected.
Conditions: Occurs with Virtual Private LAN Services (VPLS) setup with three PEs.
Workaround: There is no workaround.
•
CSCsl63885
Symptoms: Packet drops occur when doing MPLS ip2tag and tag2ip load balancing on an Engine 2 line card.
Condition: Occurs on a Cisco 12000 series router running Cisco IOS Release 12.0(32)sy2d.
Workaround: Enable LDP on the tunnel.
•
CSCsl65264
Symptoms: EF CAR value does not set properly in TCAM for MFR bundle interface.
Conditions: Occurs when MFR interface is shut and no shut.
Workaround: Remove and re-apply output service policy to the MFR interface.
•
CSCsl65977
Symptoms: IOS field diagnostics fail with various error messages about "Slave Clock" such as those displayed below:
Error disabling LC Enable register on CSC 0, SCA768_LC_ENABLE_2_S 0x7f, read_count 100
...
Timed out waiting for TX Network Interrupt to happen
...
Slot 16, Slave Clock Control Register 0x00000000
Conditions: This has only been observed on a Cisco 12000 router when there are 12010E-CSC and 12010E-SFC fabric card in the chassis.
Workaround: There is no workaround.
•
CSCsl67149
Symptoms: A sync issue is observed with the standby and active configuration.
Conditions: This symptom is observed on a Cisco 12000 series router that is configured for MLPP/MFR. When an attempt is made to remove and add the members before the unprovisioning is completed, the member is added in standby but not in active; hence the configuration sync issue.
Workaround: Add the member after the unprovisioning is completed.
•
CSCsl67815
Symptoms: When core-facing line card reloads or has link flap, the edge-facing E3/E5 for mVPN may not forward mVPN traffic.
Conditions: This defect is observed with an internal version of Cisco IOS Release 12.0(33)S.
Workaround: Enter the clear ip mds line <edge facing E5 lc slot> command.
•
CSCsl74425
Symptoms: Engine 5 card crashed following provision/unprovision.
Conditions: Occurs after repeated provision/unprovision of Multilink Point-to-Point Protocol (MLPPP).
Workaround: There is no workaround.
•
CSCsl74820
Symptoms: Standby RP crashed.
Conditions: Occurred after provision/unprovision of Multilink Frame Relay (MLFR) with Hierarchical Quality of Service (HQoS).
Workaround: There is no workaround.
•
CSCsl77158
Symptoms: A Cisco router may see the following errors:
Oct 30 16:42:04.094 GMT: %ALIGN-3-SPURIOUS: Spurious memory access made at 0x405039FC reading 0x1678
Conditions: The symptoms may be observed on a CISCO7513 running Cisco IOS release 12.0(32)S3 with PA-MC-E3 cards installed.
Workaround: There is no workaround. This problem is not service impacting.
•
CSCsl81258
Symptoms: On a Cisco 12000 router running Cisco IOS Release 12.0(32)SY4, the SNMP ifIndex is missing for subinterfaces of the first SPA of an Engine 5 SIP-600 Line Card, as follows:
router#sh snmp mib ifmib ifindex GigabitEthernet15/0/3.951
Invalid ifIndex for GigabitEthernet15/0/3.951
This issue affects accounting and billing.
Conditions: Occurred after router was upgraded from Cisco IOS Release 12.0.(31)s6 to Cisco IOS Release 12.0.(32)SY4.
Workaround: There is no workaround.
•
CSCsl82857
Symptoms: RP crashes after successful switchover.
Conditions: Occurs when Data-Link Connection Identifiers (DLCI) are deleted from Multilink Frame Relay (MFR) interface, followed by a switchover.
Workaround: There is no workaround.
•
CSCsl87418
Symptoms: The process IPC Seat Manager is permanently holding a CPU utilization of 40-50%. Causes a considerable decrease in traffic and very slow response from the routers.
Condition: This behavior has been observed on several Cisco 12000 routers with PRP-1 running Cisco IOS Release 12.0(32)SY4 and is conditioned to the following factors:
- Several hundreds of interfaces configured like channelized, multilink or virtual template interfaces. Every physical and each of these interfaces has an HWIDB associated with it.
- Many line cards in the chassis.
- The ip multicast-routing distributed command is enabled.
Workaround: Upgrade to PRP-2 and CPU would go down to 10-15% in this same process. Or if feasible, disable ip multicast-routing distributed.
•
CSCsl89425
Symptoms: Bidirectional Forwarding Detection (BFD) sessions do not scale. This symptom is especially visible with an OSPF client when one of the peers is rebooted after configuring the maximum number of BFD sessions.
Conditions: This symptom occurs when configuring maximum BFD sessions or total number of BFD sessions too close to the maximum limit.
Workaround: Configure 90 percent of the maximum allowed BFD sessions.
•
CSCsl92482
Symptoms: Fragmentation is handled incorrectly on GSR E5 line card. We can send up to around 2Gbps of fragmented traffic without performance impact. When the egress line card CPU reaches 100%, the rate of the fragmented traffic drops down to 50Mbps.
Conditions: Occurs when all CPU resources of the egress LC are consumed.
Workaround: There is no workaround.
•
CSCsl93596
Symptoms: When the MTU is changed on the core-facing E0 LC, all the E0 cards in the router crash.
Conditions: This symptom is observed with bidirectional traffic with an L3VPN, L2VPN configuration. There are also MPLS TE tunnels.
Workaround: There is no workaround.
•
CSCsl93926
Symptoms: E5 line card configured for CFI and BFI may crash when passing mVPN traffic.
Conditions: This is observed with Cisco IOS Release 12.0(32)SY5.
Workaround: There is no workaround.
•
CSCsl94410
Symptom: CPU hog condition occurs because of stressful BGP configuration.
Conditions: Occurs in Cisco IOS releases in which CSCsj17879.
Workaround: None
•
CSCsl94784
Symptoms: Packet drops on output service policy after port swap in Tx BMA of E3 Card. The problem is due to the port-burst being changed incorrectly without any real configuration change on the concerned sub-interfaces.
Conditions: When a Port-swap in Tx BMA is accompanied by the change in burst value after removing service policy (or sub-interface), we are able to see the traffic drop to another sub-interface.
Workaround: Remove and re-add the output service policy from the affected sub-interface.
•
CSCsl96577
Symptoms: The show ppp multilink statistics are not updated on a Cisco 7500 router.
Conditions: This symptom is observed when dLFIoLL+SSO is configured on the Cisco 7500 router and a switchover is performed.
Workaround: There is no workaround.
•
CSCsl98882
Symptoms: Traffic stops forwarding after the deletion of a security output ACL which is shared with the other port on a two-port OC-192, with the port carrying the traffic having a feature-output ACL.
Conditions: Occurs on a two-port OC-192 E6 card. Both the ports should be configured with output or input security ACLs, and one port which is carrying the traffic should have output or input ACL. For this issue to happen, all the ACLs need to be either output or input type simultaneously.
Workaround: Configure a new ACL with a different name from the original ACL, then remove it. The traffic can then be forwarded again.
Further Problem Description: This issue is specific to E6 alone and will not happen on E4.
•
CSCsm02749
Symptoms: When multicast VPN routing/forwarding instance (mVRF) is un-configured, memory leak may occur in line cards.
Conditions: This symptom is observed in Cisco 12000 Series Routers and Cisco 7500 Series Routers when multicast distributed routing is enabled on VPN routing/forwarding instance.
Workaround: There is no workaround.
•
CSCsm04631
Symptoms: RP crashes due to memory corruption.
Conditions: LC or SPA sending wrong VC number during stats update.
Workaround: There is no workaround.
•
CSCsm07692
Symptoms: A SIP600 crashes.
Conditions: When the primary CSC is shut, the SIP600 crashes.
Workaround: There is no workaround.
•
CSCsm09927
Symptoms: Interface flaps continuously after running atlas BERT.
Conditions: During atlas BERT another interface with lower anyphy number should be deleted.
Workaround: Reload the shared port adapter (SPA).
•
CSCsm10560
Symptoms: A standby route processor crashes with a traceback when multilink is provisioned/unprovisioned continuously.
Conditions: This symptom is observed with a script. There is a small but significant chance of encountering this symptom during manual testing. This symptom occurs in branches based on Cisco IOS Release 12.0S ONLY.
Workaround: There is no workaround.
•
CSCsm11787
Symptoms: Customer reporting intermittent loss of L2 tunnel with no error messages.
Conditions: Occurs on a Cisco 7500 router running Cisco IOS Release 12.0(31)S02y.
Workaround: There is no workaround.
•
CSCsm12723
Symptoms: Layer 2 Virtual Private Network (L2VPN) CoS (Class of Service) queue becomes unallocated via the show policy-map int <> dlci <> output command after a L3VPN subinterface with another policy-map is applied to the same interface.
Conditions: Occurs when both L2vpn and L3vpn under the same interface with different policy-map on both of them.
Workaround: Delete and redefine the layer 2 QoS policy to the Data-Link Connection Identifier (DLCI).
•
CSCsm17391
Symptoms: Some Intermediate System-to-Intermediate System (IS-IS) routes are missing in the routing table.
Conditions: This occurs when some interfaces flap.
Workaround: There is no workaround.
•
CSCsm24189
Symptoms: 1choc12 ISE: PLIM might reset due to heartbeat failure.
Conditions: This happens when the following errors occur on the PLIM console:
[2]T1:5 rx error(crc or non-integer size) 5
[2]T1:5 rx error(crc or non-integer size) 5
And when one or more paths have PAIS.
Workaround: Reduce the TEMUX logging level to 0 as follows:
attach slot# plim logctl /dev/temux 0
And then clear the path AIS.
•
CSCsm26130
Symptoms: When removing a subinterface from the configuration that contains an IP address that falls into the major net of the static route, the static route is no longer injected into the BGP table. Since the route is not in the BGP table, it is not advertised to any peers.
Conditions: This symptom is observed with auto-summary enabled in BGP. A static summary route is configured to null0 and is injected into the BGP table with a network statement.
Workaround: There are four possible workarounds:
1) Use an "aggregate-address" configuration instead of the static route to generate the summary.
2) Remove auto-summary from the BGP process.
3) Enter the clear ip bgp * command.
4) Remove and reconfigure the BGP network statement for the summary route.
•
CSCsm32438
Symptoms: The ifStackStatus results for SPA-4XCT3/DS0 on GSR intermittently do not show relationship between Serial interface and T1, nor T1 to CT3.
Conditions: Occurs when running Cisco IOS Release 12.0(32)S6d with SPA-4XCT3/DS0. Polling ifStackStatus results do show layered relationship with Serial interface, T1 to CT3.
Workaround: Remove and add again the T1 link channel-group if possible.
•
CSCsm33743
Symptoms: VIP reloads.
Conditions: The crash is triggered by an illegal memory access operation. The issue can affect any interface and on any platform.
Workaround: No workaround.
Further Problem Description: This bug does not impact Cisco IOS Release 12.2SXF, 12.4, or 12.4T releases. This is seen very rarely and is not reproducible in lab.
•
CSCsm36057
Symptoms: "Warning: error msgs in vc stats" messages are displayed continuously on the console.
Conditions: This symptom is observed when the router is reloaded.
Workaround: There is no workaround.
If any statistics are not being updated properly on the serial interfaces on the Ch-SPAs, enable the debug hw sub slot/bay command on the RP.
•
CSCsm41303
Symptoms: A Cisco 12000 router with SIP-601 linecards may experience high CPU in the Tag Input process because of many packets being punted by the linecards to the PRP CPU. The packets are MPLS TTL expired packets that require an unreachable to be sent back. These packets should be processed on the linecard, but they are not.
Conditions: This symptom is observed only on SIP-601 10G linecards.
Workaround: There is no workaround.
•
CSCsm43195
Symptoms: A configuration of L2VPN interworking between SIP-601/GE SPA to SIP-401/CT3/FR DLCI switching and with a QoS egress policy applied on the SIP-601 GE SPA interface, traffic may propagate egress on the GE port.
Conditions: When the policy is not applied, traffic flows egress on the GE SPA based interface. When the policy is applied, no traffic is seen egress on the GE interfaces.
Workaround: There is no workaround.
•
CSCsm44620
Symptoms: Multicast tunnel not coming up after RPM change. A misconfiguration with overlapping networks causes the join to be rejected. This can be seen on the PIM neighbor list.
Conditions: There is a problem related to one of the hub cards in rpm-xf.10 in forwarding PIM traffic from 2 PEs (rpm-xf.13 and rpm-xf.11). After RP migration from AVICI to CRS we found that tunnels from PE in slot 13 were not coming up. PE in slot 13 was consistently in registering mode. PE was not coming out of registering mode, which was preventing the tunnels from coming up. For PE to come out of registering mode, S,G state should be built from new RP down to PE. At this stage the CRS (RP) showed that S,G tree was established at the RP. S,G tree was OK all the way down from CRS to the last hop (P in slot 10) connecting to the slot 13 PE. The P router in slot 10, which is directly connected to PE, showed that S,G state was established and PE facing interface was in OIL. But there were a couple of discrepancies on the P in slot 10. There were no flags set on this P for the mroute of PE. In addition, we found that PE was not receiving any PIM traffic from the P in slot 10. This led to suspicion that although the P showed the correct S,G and OIL, it is still not able to forward traffic to the PE. And this could be the reason for PE to remain in registering mode, hence preventing the tunnels from coming up.
Workaround: Remove the following configurations:
a. rpm-xfh10-z135 - shut & remove interface Switch1.4073
b. rpm-xfh09-z134 - shut & remove interface Switch1.4073
c. rpm-xfp11-l172 - remove interface Switch1.3172
d. rpm-xfp13-z074 - remove interface Switch1.4074
e. rpm-xfp04-l171 - remove interface Switch1.3171
•
CSCsm45113
Symptom: Router may install duplicate routes or incorrect route netmask into routing table. It could happen on any routing protocol. Additionally, for OSPF, crash was observed.
Conditions: The problem is triggered by SNMP polling of ipRouteTable MIB. The problem is introduced by CSCsj50773, see the Integrated-in field of CSCsj50773 for affected images.
Workaround: Do not poll ipRouteTable MIB; poll the newer replacement ipForward MIB instead. The ipRouteTable MIB was replaced by ipForward MIB in RFC 1354.
Further problem description: The clear ip route * command can correct the routing table until the next poll of ipRouteTable MIB.
•
CSCsm45311
Symptoms: Active RP crashes because of FIA error.
Conditions: Crash is seen when ML provisioning/unprovisioning and Buffer Recarve is done.
Workaround: There is no workaround.
•
CSCsm45666
Symptoms: E5 LC crash on startup with multicast traffic flowing.
Conditions: Reboot the router.
Workaround: There is no workaround.
•
CSCsm48176
Symptoms: Line cards on a Cisco 12000 series router or a Cisco 7500 router might crash.
Conditions: This symptom is observed when the no ip multicast-routing distributed command for a VRF is issued when multicast tunnels are up. This symptom is also observed when MVRFs are deleted.
Workaround: Stop multicast traffic before deleting VRFs or issuing the no ip multicast-routing distributed command.
•
CSCsm55274
Symptoms: Class Based Tunnel Selection (CBTS) stops working. Packets are sent through the wrong tunnel.
Conditions: This symptom is observed when the tunnel flaps.
Workaround: There is no workaround. Once CBTS is broken, only a reload of the Line card clears the problem.
•
CSCsm57369
Symptoms: On switchover, we see the overhead message appearing in config if we have not configured.
Conditions: This symptom is observed only if there is a switchover in RPR+ or SSO mode.
Workaround: Manually change the config to restore the previous config.
•
CSCsm62033
Symptoms: L2TP session does not come up.
Conditions: Occurs when a Cisco router marks the Call Serial Number AVP in the ICRP as mandatory. This causes a third-party router to reject it.
Workaround: There is no workaround.
•
CSCsm64491
Symptoms: Connecting SPA-4XCT3/DS0 SPAs back to back and executing the hw-module subslot x/y reload command causes the line card to crash.
Conditions: All the interfaces should be up and running. Note that this symptom occurs only because of the issue introduced by CSCsg96660; it is not seen otherwise without the image having the fix for CSCsg96660.
Workaround: There is no workaround.
•
CSCsm66081
Symptoms: If a multilink interface has one end connected to a Cisco 12000 router with a CHOC12/DS1-IR-SC and the other end connected to a non-Cisco-12000 router, then the multilink interface receiver, at the non-Cisco-12000 router side, may drop all received packets because of packet fragment loss or out-of-order.
Conditions: This symptom may occur immediately when the first member link comes back up again after all member links of the multilink interface have gone down.
Workaround:
1) Create a new multilink interface.
2) Move the member links from the current multilink interface to the new multilink interface.
•
CSCsm66635
Symptoms: E5 BF/CFI on same line card, PIM-DM traffic may not flow for CFI or Auto-RP information may also not flow. So far the problem is identified to be in E5 BFI/CFI card which drops the DM data packets instead of punting them which is needed for the (*,G)/(S,G) state creation and packet flooding for DM to work.
Conditions: This defect is observed with Cisco IOS Release 12.0(32)SY5.
Workaround: Use the clear ip mds line command on the E5 and core line cards to solve the problem.
•
CSCsm70668
Symptoms: A soft OIR over E3:POS impacts complete traffic with a biscuit tunnel.
Condition: A soft OIR over E3:POS impacts complete traffic with a biscuit tunnel configured. In OIR "test mbus power 6 off" and "test mbus power 6 on" are performed followed by a microcode reload on slot 6.
Workaround: There is no workaround.
•
CSCsm71063
Symptoms: The shape fecn-adapt command is accepted in the configuration, but it is not shown in output from show running-config or show policy-map.
Conditions: When shape fecn-adapt is configured with shaping configured on the serial interface with frame-relay, show policy-map does not show the shape fecn-adapt being configured. The show policy-map int command shows fecn-adapt as "0".
Workaround: There is no workaround.
•
CSCsm74769
Symptoms: if_num mismatch is seen in the uidb, sometimes along with the L2TPv3 bit set to zero. As a result, customer saw L2TPv3 packet drops over FR in Cisco 12000 series Internet router.
Conditions: Removing xconnect on remote PE, resulting in a session (DLCI) flap on the local PE. Trigger is L2TPv3 session flap; this may cause a stale CI->Uidb mapping in internal data structures, resulting in if-num mismatch in uidb if the old CI is reused by a DLCI on a different interface.
Workaround: Reload the affected line card.
•
CSCsm75339
Symptoms: Tracebacks on mic-reload of SIP601.
Conditions: Mic-reload of SIP601 with CT3 SPA.
Workaround: Reloading the secondary RP should restore the out-of-sync ifindex tables.
•
CSCsm82260
*Some packet flows dropped in nexthop load-sharing between TAG and IP
•
CSCsm82600
Symptoms: PRP-1 fails to boot after an OIR/power cycle. LEDs might show RPT SENT or RP RDY.
Conditions: This symptom is observed upon a power cycle after upgrading the mbus-agent-rom of the PRP.
Workaround: Use the upgrade mbus-agent-rom slot force command with an older version of Cisco IOS software in the active RP to downgrade the mbus agent ROM of the problem RP.
•
CSCsm92567
Symptoms: After an RP switchover (SSO), or performing the following procedure, the VPWS DLCI output queues become unallocated.
1. Add VPWS DLCI with service-policy to the FR main interface.
2. Add an FR subinterface but with LFI enabled.
3. Bounce the service policy class on the DLCI under the main interface.
Conditions: When a VPWS circuit is configured on the FR main interface and L3 subinterface has LFI enabled. QoS is applied to both L2VPN and L3VPN services.
Workaround:
1. Delete the LFI FR service-policy.
2. Bounce QoS again on the VPWS DLCI.
•
CSCso01440
Symptoms: PE1 2/2/1 <--------> 4/0/1CE1
Connect SPA-4XCT3/DS0 SPA back to back, configure loopback network at CE1, and then run bert on 4 T1 channels in PE1. After this, bert will not stop even though the time interval elapsed.
Conditions: All the interfaces should be up and running.
Workaround: There is no workaround.
•
CSCso12748
Symptoms: Tunnels between Cisco and non-Cisco peers fail to come up since the Mandatory of Message Type AVP for SCCRQ that is sent by Cisco is FALSE.
Conditions: This symptom occurs because the Mandatory of Message Type AVP for SCCRQ that is sent by Cisco is FALSE.
Workaround: There is no workaround.
•
CSCso19528
Symptoms: Traffic may not flow after a switchover.
Conditions: The symptom may be observed when dLFIoLL + HA is configured on a Cisco 7500 router.
Workaround: Wait for standby to come up.
•
CSCso19748
Symptoms: An 80-byte buffer depletion occurs on E5, leading to an outage of all serial links.
Conditions: The conditions under which this symptom is observed are unknown.
Workaround: There is no workaround.
•
CSCso21681
Symptoms: An output policy on an MFR interface disappears when the SIP 601 card is reset.
Conditions: Configure the service policy and apply it to the output of the MFR interface. Reset the SIP 601 card, and the service policy will disappear from configuration.
Workaround: There is no workaround.
•
CSCso22098
Symptoms: OSPF neighborship goes down on RPR+ switchover on core router. The router does not send any hello packets to the connected routers.
Conditions: Occurs when executing RPR or RPR+ switchover. No Problem seen with SSO switchover.
Workaround: There is no workaround.
•
CSCso22730
Symptoms: Prefixes learned via IGP (ISIS) get assigned "imp-null" as the local label for them.
Conditions: The router has ECMP paths to uplink routers via POS interfaces. It runs ISIS as an IGP. There could be TE tunnel configured on the POS interface. And frequent interface flaps.
Workaround: There is no workaround. Clear the route or flap the interface to bring back the correct local label.
•
CSCso25026
Symptoms: SONET Section Data Communications Channel (SDCC) comes up initially and goes down after some time and never comes up again. The interface shows up, but the line protocol shows down on both sides.
Conditions: Occurs after packet over SONET (POS) is converted to spatial reuse protocol (SRP).
Workaround: There is no workaround.
•
CSCso25848
Symptoms: With an ingress E2 GigE line card and an egress E5 line card, packets are dropped in the egress line card with TX bad BMA buffer counts increasing.
Conditions: This symptom is observed when the ingress is E2 and the egress is E5.
Workaround: There is no workaround.
Further Problem Description: This issue is not seen with an E3/E5 combination or an E2/E6 combination.
•
CSCso30471
Symptoms: Engine 5 SIP-600 crashes and tracebacks seen for Flexible NetFlow (FNF) configuration.
Conditions: Line card crash is hard to reproduce, and it is seen when show flow monitor is used. Tracebacks are easily re-producible while unconfiguring FNF output mode.
Workaround: There is no workaround.
•
CSCso31508
Symptoms: CEF and hardware CEF for global default route are inconsistent. This may cause the default traffic to be sent through the wrong interface.
Conditions: This issue occurs under the following conditions:
1. Global default should point toward the core.
2. VRF default should be learned from the remote PE.
Workaround: Enter the following command:
clear ip route 0.0.0.0 0.0.0.0
•
CSCso33290
Symptoms: L2VPN traffic on an MFR interface is unable to pass through FR/IETF encapsulation MPLS trunk. Furthermore, if this MFR interface is deleted and re-added, the following error messages are received.
SLOT 4:Mar 20 11:51:05.459 UTC: %SPA_CHOC_DSX-3-ERROR: Serial4/0/0/1:0: response parsing failed for DLCI (601) provisioning
SLOT 4:Mar 20 11:51:05.471 UTC: %SPA_CHOC_DSX-3-ERROR: Serial4/0/0/1:0: response parsing failed for DLCI (602) provisioning
Conditions: This symptom is observed after an MFR interface is deleted and re-added.
Workaround: There is no workaround.
•
CSCso46965
Symptoms: Ping fails
Conditions: Occurs when 2x1GE V2 shared port adapter (SPA) is in BN jacket.
Workaround: There is no workaround.
•
CSCso47485
Symptoms: The E4+ line card crashes continuously with the following output:
SLOT 1:Jan 19 02:06:09.559 UTC: %TX192-3-CPUIF: Error=0x40
rd 0x15 base 0x12 hdr 0x14 last 0x14 wr 0x14 insert 0x0 back 0x1 len 0x2474 cnt 0x0
Conditions: There is no exact trigger. But this symptom is observed when there are corrupt packets being sent from the ingress card under unknown circumstances.
Workaround: There is no workaround.
•
CSCso53048
Symptoms: A router acting as an OSPF ABR for an NSSA area, when announcing a default route into the NSSA area, sets the LSA forwarding address to one of its interfaces instead of to 0.0.0.0. When there is more than one interface from that router into the NSSA area (load balancing), only one interface will be used by NSSA routers to forward traffic toward destinations reachable via the default route. If there is no default route present in the RIB, the forwarding address is set to 0.0.0.0, which will enable load balancing.
Conditions: This behavior is not present in Cisco IOS Release 12.0(32)SY4.
Workaround: To have load balancing, you may want to define a loopback inside the NSSA to be elected as the FA and have the FA visible from the interfaces into the NSSA.
•
CSCso60329
Symptoms: With L3VPN config over IP using L2TPV3 tunnel configuration, the input queues of interface is wedged. The show buffer input interface command yields no output.
Conditions: Occurs with the configuration of L3VPN over IP using L2TPV3 tunnels.
Workaround: There is no workaround.
•
CSCso82147
Symptoms: Line card crashes when packet over SONET (POS) shared port adapter (SPA) is present.
Conditions: Occurs the first time router is reloaded.
Workaround: There is no workaround.
•
CSCso86881
Symptoms: Per-Packet Load Balancing (PPLB) does not work and traffic goes through single interface.
Conditions: Observed in the following case:
* CE1----PE-----CE2.
* Two links from CE1 to provider edge (PE) and two links from PE to CE2.
* All the four links are emerging from same shared port adapter (SPA) on PE.
* Serial interface is used.
* VPN routing/forwarding (VRF) is configured on PE.
Workaround: Remove PPLB and configure it back. However, the issue will reappear on router or line card reload.
•
CSCso89193
Symptom: c7200-kboot-mz image is broken by the commit of CSCso71150.
Workaround: No workaround.
•
CSCso92950
Symptoms: IPv6 multicast unnecessarily copied when join -> prune is repeated multiple times.
Conditions: Occurs when IPv6 multicast-routing is enabled on a Cisco 12000 series router.
Workaround: Reload the router.
•
CSCsq00167
Symptoms: 12000-SIP-401/501/601 has 8 MB of FSRAM with the fix CSCsm13564. But PLU and TLU adjacencies in the 12000-SIP-401/501/601 support up to 4 MB.
Conditions: If the hardware is supporting 8 MB of FSRAM, the PLU can have access to this 8 MB. But this is not happening.
Workaround: Identified through the code review of CSCsm13564. There is no workaround.
•
CSCsq00596
Symptoms: CE-CE ping is not working in Frame Relay over MPLS (FRoMPLS).
Condition: Occurs when E0 POS is used as disposition.
Workaround: There is no workaround.
•
CSCsq02587
Symptoms: Traffic engineering (TE) tunnel is not coming up in MPLS TE.
Condition: Occurs when both Ethernet Over MPLS (EoMPLS) and MPLS TE are configured on the router.
Workaround: There is no workaround.
•
CSCsq03170
Symptoms: An input service policy with only the class-default class shows no matches.
Conditions: This symptom is observed after a reload of Cisco 12000 series routers, Linecard Engine 3, with an ATM interface configured for AToM, Port Mode.
Workaround: Move traffic and the configuration to another interface.
•
CSCsq04787
Symptoms: Router crashed when issuing the show-tech command while connected to the router using SSH.
Conditions: Occurred on a Cisco 7200 router with NPE-G2 running Cisco IOS Release 12.0(33)S.
Workaround: Use telnet to connect to the router.
•
CSCsq05128
Symptoms: Performance Route Processor (PRP) crashes after loading image from disk0.
Condition: Occurs when multiservice edge (MSE) router reloads with the image in the disk0. The RP crashes, and tracebacks are displayed. Both the active and standby RPs toggle each time.
Workaround: There is no workaround.
•
CSCsq05602
Symptoms: Intermediate System-to-Intermediate System (IS-IS) routes still using MPLS tunnels as next hop even after tunnels are shutdown.
Conditions: Occurs when MPLS tunnels to multiple routers are configured.
Workaround: Use the clear isis * command to temporarily solve the problem.
•
CSCsq16042
Symptoms: The OSPF state of interfaces on a Cisco 7500 RSP router will stay down after a reload or when the interfaces are brought down and then up.
Conditions: This only affects Cisco 7500 RSP routers.
Workaround: There is no workaround.
•
CSCsq26219
*Some packet flows dropped in nexthop load-sharing between TAG and IP
•
CSCsq70534
Symptoms: A router crashes because of a block overrun (overwriting the memory block).
Conditions: This symptom is observed only when templates are exported in the export packet, which is used only in version 9 of exporting.
Workaround: Version 5 could be used for exporting.
•
CSCsq85868
Symptoms: Performance Route Processor (PRP) crashes after loading image from disk0.
Condition: Occurs when multiservice edge (MSE) router reloads with the image in the disk0. The RP crashes, and tracebacks are displayed. Both the active and standby RPs toggle each time.
Workaround: There is no workaround.
Resolved Caveats—Cisco IOS Release 12.0(33)S
All the caveats listed in this section are resolved in Cisco IOS Release 12.0(33)S. This section describes only severity 1, severity 2, and select severity 3 caveats.
ISO CLNS
•
CSCsh63785
Symptoms: A MPLS tunnel may not come up after a stateful switchover (SSO) has occurred.
Conditions: This symptom is observed on a Cisco router when Cisco IS-IS NSF is enabled and when IS-IS is used as the IGP for MPLS TE tunnels.
Workaround: Do not configure Cisco IS-IS NSF. Rather, configure IETF NSF.
First Alternate Workaround: Enter the clear isis * command.
Second Alternate Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the interface that is used for the MPLS TE tunnels after the SSO has occurred.
Miscellaneous
•
CSCec12299
Devices running Cisco IOS versions 12.0S, 12.2, 12.3 or 12.4 and configured for Multiprotocol Label Switching (MPLS) Virtual Private Networks (VPNs) or VPN Routing and Forwarding Lite (VRF Lite) and using Border Gateway Protocol (BGP) between Customer Edge (CE) and Provider Edge (PE) devices may permit information to propagate between VPNs.
Workarounds are available to help mitigate this vulnerability.
This issue is triggered by a logic error when processing extended communities on the PE device.
This issue cannot be deterministically exploited by an attacker.
Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml.
•
CSCek61276
Symptoms: IPv6 traffic stops.
Conditions: This symptom is observed on a Cisco router when you first disable and then re-enable IPv6 on an interface.
Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the affected interface.
•
CSCsc53393
Symptoms: A Cisco 12000 series may generate the following error message and reload unexpectedly because of a bus error:
%MEM_ECC-2-MBE: Multiple bit error detected at XXXXXXXX:
%MEM_ECC-3-SYNDROME_MBE: 8-bit Syndrome for the detected Multi-bit error: 0x99
Conditions: This symptom is observed on a Cisco 12000 series that is configured for CEF and MPLS.
Workaround: There is no workaround.
•
CSCsd20210
Symptoms: The PXF engine of a Cisco 10720 may crash.
Conditions: The symptom is observed when you modify an existing access control list (ACL) that is attached to an interface.
Workaround: Do not modify an ACL that is attached to an interface. If you cannot remove the ACL from the interface, create a new ACL and apply it to the interface.
•
CSCsg61922
Symptoms: The show l2tp session all vcid command generates incorrect output.
Conditions: This symptom is observed on a Cisco router that has an L2TPv3 tunnel.
Workaround: There is no workaround.
•
CSCsg70932
Symptoms: A Cisco 7200 series that is configured for QoS may crash when traffic is sent.
Conditions: This symptom is observed on a Cisco 7200 series that has an NPE-G1 or NPE-G2 and that has a Port Adapter Jacket Card in which a 2-port OC-3/STM-1 POS port adapter (PA-POS-2OC3) is installed that has an interface with a service policy.
Workaround: There is no workaround.
•
CSCsj25476
Symptoms: Route processor crashes.
Conditions: Occurs while executing the no control-plane slot <slot no> command.
Workaround: There is no workaround.
•
CSCsk47914
Symptoms: Traffic forwarding stops upon mic-reloading the egress card when E4+ is ingress.
Conditions: Occurs when mic-reloading the egress line card.
Workaround: Mic-reload the E4+ line card to recover. You can also enter the clear cef linecard <ingress card slot#> command to recover traffic.
•
CSCsk67111
Symptoms: Watchdog timeout occurs after switchover.
Conditions: Occurs when the high-availability feature is configured on the RPR of a Cisco 7500 router.
Workaround: There is no workaround.
•
CSCsl09865
Symptoms: Memory leak occurs on Cisco 10720 router.
Conditions: Occurs when the router receives a "pim join" message. The router allocates blocks of memory that are never released. Occurs when there are more than three IPv6 PIM hosts on the same network segment.
Workaround: There is no workaround.
•
CSCsl33781
Symptoms: Primary RP crashes when the clear counter command is entered.
Conditions: Occurs when the command is issued while traffic is flowing.
Workaround: There is no workaround.
•
CSCsl34355
Two crafted Protocol Independent Multicast (PIM) packet vulnerabilities exist in Cisco IOS software that may lead to a denial of service (DoS) condition. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml.
Open Caveats—Cisco IOS Release 12.0(33)S
This section describes possibly unexpected behavior by Cisco IOS Release 12.0(33)S. All the caveats listed in this section are open in Cisco IOS Release 12.0(33)S. This section describes only severity 1, severity 2, and select severity 3 caveats.
IP Routing Protocols
•
CSCek77029
Symptoms: The remove-private-as command does not work as expected when applied to a neighbor for which a route-map with a "set as-path prepend" and "continue" statement are configured.
Conditions: Occurred on a router with the following configuration:
route-map test permit 10
set as-path prepend 2
continue
route-map test permit 20
set metric 200
Workaround: Do not use the remove-private-as command with the above configuration.
•
CSCsb63652
Symptoms: BGP convergence is very slow and CPU utilization at BGP Router process is always near 100% during the convergence at aggregation router.
Conditions: Occurs if the number of component prefixes belonging to the aggregate-address entry increases. Also occurs if the number of duplicate aggregation component prefixes for the aggregate-address entry increases.
Workaround: Remove the "aggregate-address" statement.
•
CSCsc27668
Symptoms: When you enter the neighbor ip address send-label explicit-null command, the RP may crash.
Conditions: This symptom is observed on a Cisco router that is configured for BGP.
Workaround: There is no workaround.
•
CSCsd54539
Symptoms: After the command route-map test-comm-in permit 20 is issued, one of the peers should be denied and should not be advertised to any other peers. But this behavior is not seen with this image.
Conditions: Occurs when the route map test-comm-in permit 20 is entered.
Workaround: There is no workaround.
•
CSCsg42672
Symptoms: On a Cisco router running Cisco IOS release 12.0(32)S4 and configured with BGP and peer-groups, if the Fast Peering Session Deactivation feature is configured in the peer-group, the router automatically configures on the command a route-map with the same name as the peer-group.
Conditions: Occurs when the following is configured:
RR#conf t
Enter configuration commands, one per line. End with CNTL/Z.
RR(config)#router bgp 65001
RR(config-router)#neighbor rrs-client fall-over ?
bfd Use BFD to detect failure
route-map Route map for peer route
<cr>
RR(config-router)#neighbor rrs-client fall-over
RR#sh ru
<snip>
router bgp 65001
neighbor rrs-client peer-group
neighbor rrs-client remote-as 20959
neighbor rrs-client update-source Loopback0
neighbor rrs-client fall-over route-map rrs-client <<<<<<<the route-map does not exist.
Workaround: Configure the neighbor individually or use peer-templates.
•
CSCsg48540
Symptoms: A carrier supporting carrier (CsC) Multiprotocol Border Gateway Protocol (MPBGP) connection between two PE routers may remain in the active state but never becomes established.
Conditions: This symptom is observed when (CsC) is configured on all routers.
Workaround: There is no workaround.
•
CSCsi68795
Symptoms: A PE that is part of a confederation and receives a VPNv4 prefix from an internal and an external confederation peer assigns a local label to the prefix despite the fact that the prefix is not local to this PE and that the PE is not changing the BGP next-hop.
Conditions: Occurs when receiving this prefix via two paths from confederation peers.
Workaround: There is no workaround.
Further Problem Description: Whether or not the PE will choose to allocate a local label depends on the order in which the multiple paths for this VPNv4 prefix are learned. The immediate impact is that the local label that is allocated takes up memory in the router, as the router will populate the LFIB with the labels.
•
CSCsj56281
Symptoms: Inherit peer-policy does not work after a router reload
Conditions: Occurs only after the router is reloaded.
Workaround: There is no workaround.
•
CSCsk23478
Symptoms: When converting BGP from NLRI to AF form, route-maps are not applied to the multicast neighbor.
Conditions: Occurs when a neighbor is supporting both unicast and multicast. If a route-map is applied to the neighbor, it will only be applied to the IPv4 unicast address-family after converting with the bgp upgrade-cli command
Workaround: If the route-map is needed for the unicast and multicast address-family, then the command match nlri unicast multicast should be added to the route-map, even though this is the default behavior.
•
CSCsl30331
Symptoms: Prefixes are allowed by the outbound route-map even though the match condition is met and the action is set to deny
1. The iteration with the deny action contains a match community.
2. The continue statement is used in one of the previous iterations.
Workaround: If there is single match clause based on NLRI, the condition is avoided. The issue is not observed.
•
CSCuk59727
Symptoms: The output of the show stacks command may show a very large number of blank lines (for example, 280,000) instead of a process name before the next line of command output is shown.
Conditions: This symptom is observed on a Cisco 12000 series. The symptom may also occur when you enter a command that executes the show stacks command such as the show tech command or the show tech cef command.
Workaround: There is no workaround.
ISO CLNS
•
CSCsk66339
Symptoms: A Cisco 7600 router may encounter a condition such that when IS-IS and Traffic Engineering are configured, IS-IS should remove the native path from its local RIB and call RIB code to remove the path from global RIB but fails by either not passing the "delete" msg to RIB properly or RIB doesn't react when it received the "delete" call.
Conditions: Output from the show mpls traffic-engineering tunnel command may indicate the "Removal Trigger: setup timed out" status.
Workaround: Shut/no shut the interface or change the metric temporarily to force an update by using the tunnel mpls traffic-eng autoroute metric 1 command.
Miscellaneous
•
CSCsg32465
Symptoms: Incorrect police percent conversions occur in the second and third levels of a policy.
Conditions: This symptom is observed on a Cisco 7200 series that runs Cisco IOS Release 12.2SB. However, the symptom is platform-independent.
Workaround: There is no workaround.
•
CSCsh28556
Symptoms: When configuring frame relay queueing, bandwidth is taken as 28kbps and more than 28 kbps cannot be configured.
Conditions: This happens only when service policy is applied under map-class frame-relay and then binding it under the DLCI with frame-relay traffic shaping enabled under the interface.
Workaround: There is no workaround.
•
CSCsh59300
Symptoms: Standby may crash repeatedly
Conditions: Occurs when dLFIoLL+QoS+SSO is configured on a Cisco 7500 router. Input service policy is configured on MCT1E1 interface.
Workaround: Change the mode to RPR+
•
CSCsh77320
Symptoms: Cisco 7500 router is unable to provide adequate guarantee to classes.
Conditions: Occurs when dLFIoLL and QoS are configured on 7500 router
Workaround: There is no workaround.
•
CSCsi15007
Symptoms: RIP process uses excessive CPU.
Conditions: Occurs when 200 network commands are configured using RIP version 2.
Workaround: There is no workaround
•
CSCsi50772
Symptoms: During setup of vc-class provision for l2tpv3 ATM tunnels, the initial end-to-end is just fine, but after removing vc-class on both PE at the same time by script, one of ATM sub-interface on CE router went down, and ping was not passing through anymore.
Conditions: Occurs when the vc-class on PE1 and PE2 are removed at almost the same time.
Workaround: Remove vc-class on one PE router first, and then remove vc-class on the other PE router.
•
CSCsi53353
Symptoms: IPv6 EBGP sessions fail with the following message in "debug bgp events":
%BGP-4-INCORRECT_TTL: Discarded message with TTL 32 from <ip>
Conditions: Occurs when BTSH is configured between the peers.
Workaround: Disable BTSH between the IPv6 peers
•
CSCsi90548
Symptoms: Cisco 7206VXR with PA-MC-8TE1+ experiences interface flaps when there is a service policy configured on the interface.
Conditions: Occurs when the configured service policy limit is reached.
Workaround: There is no workaround.
•
CSCsi95175
Symptoms: Output for set-mpls-exp-imposition-transmit is incorrect.
Conditions: The following is output when the command is entered:
75Q2-R3(config)#policy-map multiple_action_1
75Q2-R3(config-pmap)# class 35
75Q2-R3(config-pmap-c)# police cir 8000 bc 1000 pir 10000 be 12000
75Q2-R3(config-pmap-c-police)#conform-action set-mpls-exp-imposition-transmit 5
75Q2-R3#sh policy-map
Policy Map multiple_action_1
Class 35
police cir 8000 bc 1000 pir 10000 be 12000
conform-action set-mpls-exp-transmit 5 <<<should be set-mpls-exp-imposition-transmit 5
exceed-action drop
violate-action drop
Workaround: There is no workaround.
•
CSCsk68742
Symptoms: Using the show ip mds stats linecard command shows MDFS reloads on all LCs when multicast distributed routing is added on a VRF through the configuration of ip multicast-routing vrf vpn distributed.
Workaround: There is no workaround.
Further Problem Description:
Note that while the MDFS reload is a real reload, it is without a preceding clear so it will not generally cause traffic interruption as it merely causes the same information to be downloaded to the linecards again. However in a highly scaled system running close to the limit, the additional load introduced by a full MDFS reload of every linecard may cause additional failures because of CPU utilization.
•
CSCsk69194
Symptoms: Shape average percent calculation is incorrect.
Conditions: This issue is seen on a Cisco 7500 router configured for dLFIoLL. The policy is attached to ATM and multilink interfaces.
Workaround: There is no workaround.
•
CSCsl30246
Symptoms: IP PIM neighbor in multicast VPN is not two-way
Conditions: Occurs in traffic between a Cisco 12000 router and a Cisco 7500 router. The Cisco 7500 does not receive MDT update.
Workaround: There is no workaround.
•
CSCsl53811
Symptoms: Some FRR database entries become active after reoptimization. Traffic on the LSP that becomes FRR active is forwarded on the wrong path and continues to be dropped.
Conditions:
- This problem may happen when manual or timer reoptimization is performed during convergence
- This problem may happen when "Tunnel head end item" and "LSP midpoint item" in FRR database have more than one entry in each item.
- This problem may happen when midpoint entry in "LSP midpoint item" is the LSP using "loose" path-option on a headend router.
Workaround: There is no workaround.
•
CSCsl63438
Symptoms: The Unicast and Multicast VPN traffic packets are dropped on a MLFR bundle link while increasing the traffic rate and bringing back to normal.
Conditions: The drops are seen only after an increase in the traffic rate and bringing back to normal value.
Workaround: There is no workaround.
•
CSCsl64686
Symptoms: VIP with CHSTM1 crashes on a Cisco 7500 router.
Conditions: dLFIoLL is configured on a Cisco 7500 router and MDR reload is done on the VIP
Workaround: There is no workaround.
Wide-Area Networking
•
CSCsb64662
This caveat consists of two symptoms, two conditions, and two workarounds:
Symptom 1: Multicast packets that traverse a Frame Relay virtual circuit (VC) bundle are dropped.
Condition 1: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.0S.
Workaround 1: There is no workaround.
Symptom 2: Multicast packets that traverse a Frame Relay virtual circuit (VC) bundle are process-switched.
Condition 2: This symptom is observed with Cisco IOS Release 12.3.
Workaround 2: There is no workaround.
Resolved Caveats—Cisco IOS Release 12.0(32)S14
Cisco IOS Release 12.0(32)S14 is a rebuild of Cisco IOS Release 12.0(32)S. The caveats listed in this section are resolved in Cisco IOS Release 12.0(32)S14 but may be open in previous Cisco IOS releases. This section describes only severity 1, severity 2, and select severity 3 caveats.
•
CSCse56910
Symptoms: Bundle links are added or removed when an MFR bundle is in the Administrative Down state; when the bundle is brought back to the Up state, its interface bandwidth value is not properly reflected.
Conditions: This symptom is observed with Cisco IOS Release 12.2SRB software.
Workaround: Shutting a bundle link interface down and bringing it back up can refresh the bundle interface bandwidth value.
•
CSCse75697
Symptoms: When an ATM interface is configured with an IMA group and when you enter the clock source line command, the router may crash.
Conditions: This symptom is observed on a Cisco router that integrates the fixes for caveats CSCin90422 and CSCsb68536.
Workaround: There is no workaround.
Further Problem Description: The symptom occurs because the default clocking has been changed to "internal" via the fixes for caveats CSCin90422 and CSCsb68536. The fix for this caveat, CSCse75697, sets the default clocking back to "line."
•
CSCsf26043
Symptoms: IS-IS protocol packets may not be classified as high-priority. When this situation occurs during stress conditions and when the IS-IS protocol packets are mixed with other packets, the IS-IS protocol packets may be dropped because of their low-priority.
Conditions: This symptom is observed on a Cisco platform that is configured for Selective Packet Discard (SPD).
Workaround: Ensure that DSCP rewrite is enabled and then enter the following command:
mls qos protocol isis precedence 6
•
CSCsh42820
Symptoms: Alignment correction seen on an MCT3.
Conditions: The symptom is observed when dLFIoLL is configured on a Cisco 7500 series router and an OIR is done on an MCT3 VIP.
Workaround: There is no workaround.
•
CSCsh97579
Cisco devices running affected versions of Cisco IOS Software are vulnerable to a denial of service (DoS) attack if configured for IP tunnels and Cisco Express Forwarding.
Cisco has released free software updates that address this vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-tunnels.shtml.
•
CSCsj12565
Symptoms: Route Processor unexpectedly reloads upon removing and adding the network x.x.x.x command two or three times under the OSPF process.
Conditions: The symptom is observed on a GSR configured with 1500 TE tunnels in a scale setup.
Workaround: There is no workaround.
•
CSCsk35688
Symptoms: Aggregate routes are not processed if all aggregated child routes are deleted prematurely.
Conditions: The symptom is observed when all aggregated child routes are marked for deletion and the periodic function which processes the routes to be deleted deletes the route before the aggregate processing function gets a chance to process them and the aggregate route to which they belong.
Workaround: Configuring "bgp aggregate-timer" to 0 or the lowest value would considerably reduce the chances of hitting this problem. In case this problem does occur, in order to delete the stale aggregate route, configure a temporary local BGP route (say, redistribute a static route or network a loopback) with its address being a subnet of the stale aggregate address and then remove the aggregate address and the added route. This should delete the route from table and send withdraws to the other routes also.
Further Problem Description: The periodic function is by default called at 60 second intervals. The aggregate processing is normally done based on the CPU load. If there is no CPU load, then the aggregate processing function would be triggered within one second. As the CPU load increases, this function call will be triggered at higher intervals and if the CPU load is very high it could go as high as the maximum aggregate timer value configured via command. By default this maximum value is 30 seconds and is configurable with a range of 6-60 seconds and in some trains 0. So, if default values are configured, then as the CPU load increases, the chances of hitting this defect is higher.
•
CSCsu24425
Symptoms: Standby RP can crash upon boot up.
Conditions: The symptom is observed under the following conditions:
1. "clock timezone .." is configured.
2. config-register = 0x2142.
3. The router is running Cisco IOS Release 12.0S based code.
Workaround: Use config-register 0x2102 and unconfigure the clock timezone.
•
CSCsv27607
Symptoms: BGP router filters outbound routes to the peers when doing soft reset with specifying peer address using the clear ip bgp ip-addr soft out command. However, the routes to be filtered are not deleted from the routing table on the BGP peer router.
Conditions: The symptom happens when removing and then reapplying an outbound route-map. When issuing the clear ip bgp neighbor-address soft out command for each peer in an update-group after applying the outbound route-map filtering policy. The withdraw for filtered prefixes is sent to the first peer specified in soft reset, but the next peers in the same update-group do not withdraw the routes.
Workaround: Perform a hard BGP reset using the clear ip bgp ip-addr command.
•
CSCsw50410
Symptoms: The following traceback is seen on the console, and all the channelized serial links on the E3 LC flap.
SLOT 5:1d00h: %EE48-3-INVALID_CFG_DATA: Channel 4: Invalid configuration
data. Channel type= 5
-Traceback= 40030F00 40417F44 40418208 40418444 404184B4 40418588
SLOT 5:1d00h: %EE48-3-INVALID_CFG_DATA: Channel 5: Invalid configuration
data. Channel type= 5
-Traceback= 40030F00 40417F44 40418208 40418444 404184B4 40418588
Conditions: This symptom occurs with all the serial links configured on a Channelized OC48-DS3/Engine 3 card. Serial interfaces flap, bringing down BGP/OSPF for no apparent reason. No configs were done.
Workaround: There is no workaround.
•
CSCsx48975
Symptoms: Channelized interfaces on a Cisco 7500 series router may face txacc loss and emit interface "not transmitting" messages.
Conditions: The symptoms are observed when, for example:
1. Flapping the E1 controller; or
2. Flapping the channelized interfaces continuously.
3. Performing an OIR of the other slot.
4. Adding and removing the E1 channel groups.
Workaround:
1. Delete the channel-group and reconfigure it.
2. Use the command test rsp stall. This will get back the txaccs and the router will do a MEMD recarve. The expected downtime is just 2-3 seconds.
•
CSCsx70889
Cisco devices running affected versions of Cisco IOS Software are vulnerable to a denial of service (DoS) attack if configured for IP tunnels and Cisco Express Forwarding.
Cisco has released free software updates that address this vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-tunnels.shtml.
•
CSCsx96402
Symptoms: The LC (E3/E5) crashes upon executing certain show controller... commands 3-4 times.
Conditions: The symptom is observed with scale configurations on MLPPP, MFR, serial interfaces with features like VRF, VPN, basic QOS, ACL, and netflow.
Workaround: There is no workaround.
•
CSCsy33936
Symptoms: The CEF process is hogging the CPU because of many incomplete fibidbs, because CEF was disabled and re-enabled.
Conditions: This symptom is observed in a scale testbed when an RPR+ switchover is performed.
Workaround: There is no workaround.
•
CSCsy82104
Symptoms: I/O memory leaks after several days. The output of the E1 serial interface may be blocked as well.
Conditions: The symptoms are observed on a Cisco 7200 series router that is running Cisco IOS Release 12.0(33)S and when an E1 interface serial flaps. The QoS outgoing service-policy needs to be provisioned on this serial interface.
Workaround: Remove the outgoing QoS service-policy from the flapped/blocked serial interface.
•
CSCsy92142
Symptoms: The serial interface on a channelized OC48 line card stays in the UP/DOWN state after encountering Layer 1 alarms (PRID or PAIS). The interface continues to be in the UP/DOWN state even after the Layer 1 alarms are cleared.
The interface is configured for PPP encapsulation, and path level delay triggers are enabled on this interface. The link shows UP, but the PPP negotiation will be stuck in Echo Request Sent.
Conditions: This symptom is observed with a 12.0(32)S11o-based image for channelized DS3 Engine 3 line cards with alarm delay triggers configured. The problem will be seen only with momentary path level alarms.
Workaround:
1. Perform a shut/no shut on the serial interface that is in the UP/DOWN state. However, this needs manual intervention every time.
2. Remove the alarm-delay triggers path 2500 command from the serial interface configuration. However, the side effect of this would cause the serial interface to flap.
•
CSCsy96287
Symptoms: A customer experienced a single T1 flapping on controller 0/3/0. It would take between 2,500 and 3,000 path code violations and then drop and come back. It would do this about once every 15 minutes. Problems with our phones losing connectivity to a central call manager when a WAN circuit experiences a problem.
We use Multilink PPP to bundle three T1s for a 4.5-Mb circuit. If any one of the three T1s experiences even a minor issue, phones are resetting. However, we never lose Layer 3 connectivity. The edge router maintains its BGP peering across the Multilink PPP bundle, and none of our management applications ever sees a loss in connectivity.
We recently switched over to Multilink PPP from Multilink Frame due to a requirement by our MPLS provider. We did not have an issue using Multilink Frame; hence, we believe it is an issue with our configuration for Multilink PPP.
Conditions: This issue was first noticed in a 32S6r image, and some nodes running 32s11 showed similar symptoms.
Workaround: Perform a shut/no shut on the serial interface on the Cisco 12000 series side.
Further Problem Description: The root cause of this issue is that the customer was getting exposed to an inherent limitation of a timer that was being used in the T1/E1 line-state processing routine at the PLIM level. The malfunctioning of the timer would result in the PLIM not sending a line-state update message to the line card and the route processor when a link flapped, and therefore the route processor would not bring the link down even when an alarm was present on the line. This would cause blackholing of traffic for some time until the L2 times out and the protocol comes down.
•
CSCsz19255
Symptoms: Tag rewrites are missing on line cards for one of the load-shareable interfaces.
Conditions: This symptom is observed on a Cisco 12000 series router that is running Cisco IOS Release 12.0(32)S11o.
Workaround: Shut/no-shut the interface.
•
CSCsz55293
Symptoms: A remote third-party device is resetting the IPv6 BGP session with a Cisco 12000 router.
Conditions: BGP is exchanging only IPv6 capability with the remote EBGP peer, but IPv4 capability will be enabled by default. The remote EBGP peer is sending only IPv6 capability, and we should advertise only IPv6 prefixes because that is the capability negotiated. We are wrongly marking IPv4 capability as negotiated and advertising IPv4 prefixes, and the remote neighbor is resetting the session because IPv4 capability is not negotiated at the peer end.
Workaround: Configure a route map to deny all IPv4 prefixes, and apply it as follows:
Route-map deny-ipv4 deny 10
Router bgp <asnum>
address-family ipv4
Neighbor <IPv6Address> activate
Neighbor <IPv6Address> route-map <deny-ipv4> out
•
CSCta79412
Symptoms: BGP sessions get stuck in an active state.
Conditions: The symptom is observed when using the neighbor fall-over command.
Workaround: There is no workaround.
Resolved Caveats—Cisco IOS Release 12.0(32)S13
Cisco IOS Release 12.0(32)S13 is a rebuild of Cisco IOS Release 12.0(32)S. The caveats listed in this section are resolved in Cisco IOS Release 12.0(32)S13 but may be open in previous Cisco IOS releases. This section describes only severity 1, severity 2, and select severity 3 caveats.
•
CSCsg00102
Symptoms: SSLVPN service stops accepting any new SSLVPN connections.
Conditions: A device configured for SSLVPN may stop accepting any new SSLVPN connections, due to a vulnerability in the processing of new TCP connections for SSLVPN services. If the debug ip tcp transactions command is enabled and this vulnerability is triggered, debug messages with connection queue limit reached will be observed.
This vulnerability is documented in two separate Cisco bug IDs, both of which are required for a full fix: CSCso04657 and CSCsg00102.
•
CSCsg54016
Symptoms: With ATMoMPLS with AAL5 encapsulation, the xconnect session bounces when you enter and exit PVC configuration mode without making any configuration changes.
Conditions: This symptom is observed only when the oam-ac emulation-enable command is used.
Workaround: There is no workaround.
•
CSCsl49628
Symptoms: When a VPN routing/forwarding (VRF) is deleted through the CLI, the VRF deletion never completes on the standby RP, and the VRF cannot be reconfigured at a later time.
Conditions: This symptom is observed when BGP is enabled on the router.
Workaround: There is no workaround.
•
CSCsm49112
Problem Description: When eBGP sessions that carry a full routing table (200,000+ routes) are brought up, a prolonged period of 100-percent CPU utilization (5 to 7 minutes) is experienced.
During this time, the router is unresponsive in the CLI, and it stops responding to ICMP/SNMP polls.
The router is a Cisco 12406/PRP and is running Cisco IOS Release 12.0(32)S5 (c12kprp-k4p-mz.120-32.S5).
When bringing up a BGP session with a full routing table, the router seems to load the first several thousand prefixes quickly and then stops dead for several minutes before loading the rest.
Workaround: After changing the outbound prefix list on the eBGP session to a deny all (ip prefix-list test-nothing-out seq 1 deny 0.0.0.0/0 le 32), clearing the BGP session does not produce the problem anymore.
•
CSCsm75818
Symptoms: Multicast data loss may be observed while changing the PIM mode of MDT-data groups in all core routers.
Conditions: The symptom is observed while changing the PIM mode of MDT-data groups from "Sparse" to "SSM" or "SSM" to "Sparse" in all core routers in a Multicast Virtual Private Network (MVPN).
Workaround: Use the clear ip mroute MDT-data group command.
•
CSCso64050
Symptoms: Policy-map outputs are not seen in standby router. The policy is attached to the VC in the standby, but no output is seen.
Conditions: The symptom is observed when an ATM PVC is created and a service policy is attached to the PVC.
Workaround: There is no workaround.
•
CSCso92169
Symptoms: A traceback is seen on the E3 and E5 line cards.
Conditions: This symptom is observed under normal traffic conditions after a clear ip route * command is issued.
Workaround: There is no workaround.
•
CSCsq31776
Cisco devices running affected versions of Cisco IOS Software are vulnerable to a denial of service (DoS) attack if configured for IP tunnels and Cisco Express Forwarding. Cisco has released free software updates that address this vulnerability. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-tunnels.shtml.
•
CSCsr61125
Symptoms: A switchover takes more time on a Cisco 7500 router.
Conditions: This symptom is observed when RPR+ is configured on the Cisco 7500.
Workaround: There is no workaround.
•
CSCsu79988
Symptoms: Before this BGP aspath memory optimization, the memory consumption for aspath has increased. With this memory optimization, the memory consumption for aspath has reduced.
Workaround: There is no workaround.
•
CSCsv26606
Symptoms: A 1xCHOC12 controller goes down, and all links flap.
Conditions: This symptom is observed when the show plim datapath details command is executed on the line card, which dumps a lot of information on the console.
Workaround: Avoid using the show plim datapath details command; instead, use the per-channel show plim datapath channel-id details command.
•
CSCsv73509
Symptoms: When "no aaa new-model" is configured, authentication happens through the local even when tacacs is configured. This happens for the exec users under vty configuration.
Conditions: Configure "no aaa new-model", configure login local under line vty 0 4 and configure login tacacs under line vty 0 4.
Workaround: There is no workaround.
•
CSCsv82120
Symptoms: A CHOC12 T1 continuously flaps when the T1 link that is connected to a third-party CE router flaps. With the Cisco router, the same issue is not observed.
Conditions: This symptom is observed under the following conditions:
– Cisco IOS Release 12.0(32)S11n.
– CHOC12 T1 links with a third-party CE router.
Workaround: Disable "yellow detection" on the CHOC12 T1 link. For example, serial interface 12/0.7/6:0:
controller sonet 12/0
sts-1 7
no t1 6 yellow detection
! Wait for the T1 to stabilize.
t1 6 yellow detection
!
•
CSCsw31009
Symptoms: CEF Scanner takes high CPU for sustained periods of time around 10 minutes.
Conditions: This symptom is observed on a Cisco router that is running Cisco IOS Release 12.0(32)S11n. It is seen under the following conditions:
– When multiple eiBGP paths exist for a certain prefix and the eBGP path is recursive through the attached next-hop.
– A large number of prefixes that have one iBGP path that is recursive through an IGP route that has one path, and one iBGP path that is recursive through an IGP route that has multiple paths.
– A route modification for load-balanced prefix.
Workaround: Configure a static route.
•
CSCsw47346
Symptoms: A switchover cannot be performed on a Cisco 7500 router.
Conditions: This symptom is observed when test crash is issued on a VIP console.
Workaround: There is no workaround.
•
CSCsw47868
Symptoms: An IPv6 ping fails on an E3 Gigabit line card because of a PRECAM 1 Exception.
Conditions: This issue pertains to the dropping of IPv6 packets because of a precam exception on the egress side. It looked as if the profile for IPv6 was wrong when IPv4 QoS was already applied even on different subinterfaces on the same port.
Workaround:
1) Add/Remove an ACL.
2) Add/Remove the subinterface.
•
CSCsw64956
Symptoms: The no ppp lcp fast-start command is added to all PPP-encapsulation interfaces.
Conditions: This symptom is observed after a router is upgraded from Cisco IOS Release 12.0(32)SY7 to the latest 32sy throttle image.
Workaround: There is no workaround.
•
CSCsx10140
Recent research(1) has shown that it is possible to cause BGP sessions to remotely reset by injecting invalid data, specifically AS_CONFED_SEQUENCE data, into the AS4_PATH attribute provided to store 4-byte ASN paths. Since AS4_PATH is an optional transitive attribute, the invalid data will be transited through many intermediate ASes which will not examine the content. For this bug to be triggered, an operator does not have to be actively using 4-byte AS support.
The root cause of this problem is the Cisco implementation of RFC 4893 (4-byte ASN support) - this RFC states that AS_CONFED_SEQUENCE data in the AS4_PATH attribute is invalid. However, it does not explicitly state what to do if such invalid data is received, so the Cisco implementation of this RFC sends a BGP NOTIFICATION message to the peer and the BGP session is terminated.
RFC 4893 is in the process of getting updated to avoid this problem, and the fix for this bug implements the proposed change. The proposed change is as follows:
"To prevent the possible propagation of confederation path segments outside of a confederation, the path segment types AS_CONFED_SEQUENCE and AS_CONFED_SET [RFC5065] are declared invalid for the AS4_PATH attribute. A NEW BGP speaker MUST NOT send these path segment types in the AS4_PATH attribute of an UPDATE message. A NEW BGP speaker that receives these path segment types in the AS4_PATH attribute of an UPDATE message MUST discard these path segments, adjust the relevant attribute fields accordingly, and continue processing the UPDATE message."
The only affected version of Cisco IOS that supports RFC 4893 is 12.0(32)S12, released in December 2008.
(1) For more information, please visit:
http://www.merit.edu/mail.archives/nanog/msg14345.html
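The receive-side handling that the proposed RFC text prescribes, sketched in Python as an added example (not Cisco's code and not part of the original release note): confederation segments in a received AS4_PATH are discarded, the attribute length is recomputed, and processing continues. Function names and the sample bytes are constructed for illustration; omitting an attribute that is left with no segments is an assumption.

```python
import struct

# Path segment type codes (RFC 4271 and RFC 5065).
AS_SET, AS_SEQUENCE, AS_CONFED_SEQUENCE, AS_CONFED_SET = 1, 2, 3, 4
CONFED_TYPES = {AS_CONFED_SEQUENCE, AS_CONFED_SET}
AS4_PATH_TYPE = 17      # attribute type code for AS4_PATH (RFC 4893)
FLAG_EXT_LEN = 0x10     # extended-length bit in the attribute flags


def parse_segments(value):
    """Split an AS4_PATH value into (segment_type, [asn, ...]) tuples."""
    segments, off = [], 0
    while off < len(value):
        if len(value) - off < 2:
            raise ValueError("truncated segment header")
        seg_type, count = value[off], value[off + 1]
        end = off + 2 + 4 * count   # AS4_PATH always carries 4-byte ASNs
        if end > len(value):
            raise ValueError("segment overruns attribute")
        asns = list(struct.unpack("!%dI" % count, value[off + 2:end]))
        segments.append((seg_type, asns))
        off = end
    return segments


def sanitize_as4_path(value):
    """Drop confederation segments; return (clean_value, dropped_segments)."""
    kept, dropped = [], []
    for seg_type, asns in parse_segments(value):
        (dropped if seg_type in CONFED_TYPES else kept).append((seg_type, asns))
    clean = b"".join(
        struct.pack("!BB%dI" % len(asns), t, len(asns), *asns) for t, asns in kept
    )
    return clean, dropped


def encode_attribute(flags, value):
    """Re-encode AS4_PATH so its length field matches the cleaned value."""
    if not value:
        return b""      # assumption: an attribute left empty is omitted
    if len(value) > 255:
        flags |= FLAG_EXT_LEN
    if flags & FLAG_EXT_LEN:
        return struct.pack("!BBH", flags, AS4_PATH_TYPE, len(value)) + value
    return struct.pack("!BBB", flags, AS4_PATH_TYPE, len(value)) + value


# Constructed sample: one AS_CONFED_SEQUENCE (private ASN 65001) ahead of a
# valid AS_SEQUENCE of two 4-byte ASNs from the documentation range.
SAMPLE = (struct.pack("!BBI", AS_CONFED_SEQUENCE, 1, 65001)
          + struct.pack("!BBII", AS_SEQUENCE, 2, 65536, 65537))

if __name__ == "__main__":
    clean, dropped = sanitize_as4_path(SAMPLE)
    print("dropped:", dropped)
    print("kept:   ", parse_segments(clean))
    print("attr:   ", encode_attribute(0xC0, clean).hex())
```

Logging the dropped segments together with the peer address gives operators a record of which neighbor relayed the invalid data without the session being reset.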
•
CSCsx32416
Symptoms: A session may go down one or more times before stabilizing in the up state.
Conditions: This symptom is observed when a BFD session is first coming up and the network is suffering from congestion.
Workaround: There is no workaround.
•
CSCsx94290
Symptoms:
1) The police rate does not take effect for a class that uses the priority command; the traffic is seen going through the default queue. This occurs in a QoS policy with a priority queue where the "police" statement occurs before the priority statement in the policy. Additionally, this occurs only upon the initial configuration of the policy-map. Editing the policy-map will correct the issue.
2) When a class is configured as strict priority only (no police) and is then modified, packets go through a non-default, non-priority queue.
Conditions: The initial configuration of policy-map was modified.
Workaround: Detach and re-attach the policy-map.
Resolved Caveats—Cisco IOS Release 12.0(32)S12
Cisco IOS Release 12.0(32)S12 is a rebuild of Cisco IOS Release 12.0(32)S. The caveats listed in this section are resolved in Cisco IOS Release 12.0(32)S12 but may be open in previous Cisco IOS releases. This section describes only severity 1, severity 2, and select severity 3 caveats.
•
CSCdw62064
Symptoms: Inbound data packets that are reassembled from multilink fragments may not be processed properly on Multilink PPP (MLP) interfaces that are receiving encrypted IP Security (IPSec) traffic that is terminated locally when a hardware accelerator is used for decryption.
Conditions: This symptom affects all inbound reassembled data frames that are received by the bundle and not just those data frames that are carrying encrypted IP datagrams. Most significantly, inbound Internet Security Association and Key Management Protocol (ISAKMP) keepalives are not processed, leading to the eventual failures of the associated IPSec sessions.
The IPSec sessions are reestablished after each failure, but traffic drops will occur until the session is renegotiated via the Internet Key Exchange (IKE). Thus, the observable symptoms are an intermittent failure of IPSec sessions combined with high loss rates in the encrypted data traffic.
Workaround: Disable hardware crypto acceleration, and use software crypto acceleration instead.
•
CSCea53765
Symptoms: Adding a /31 netmask route on a Cisco router may not overwrite an existing /32 CEF entry.
Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.1(13)E4, Release 12.2, other 12.1E releases, or Release 12.3. Any 12.2S release past 12.2(20)S is not affected.
Workaround: There is no workaround.
Further Problem Description: The fix for this caveat enables prefixes that are derived from adjacencies in the FIB to be periodically validated against covering prefixes that originate from the RIB. Validation ensures that an adjacency prefix is only active when it points out of the same interface as a covering attached prefix. To enable this validation, enter the ip cef table adjacency-prefix validate global configuration command.
Note that because validation is periodic, there could be a time lag between RIB changes and subsequent validation or withdrawal of covered adjacencies in the FIB.
•
CSCeg30179
Symptoms: Removing a policy that has shape and bandwidth in the same class (in that same order) may cause a router to crash.
Conditions: This symptom is observed when the router functions under a traffic load.
Workaround: There is no workaround.
•
CSCei45749
Symptoms: When you enter the clear interface command on an Inverse Multiplexing for ATM (IMA) interface configured for dynamic bandwidth, the PVCs that are associated with the IMA interface may become Inactive.
Conditions: This symptom is observed only for IMA interfaces that have the atm bandwidth dynamic command enabled.
Workaround: Issuing the no atm bandwidth dynamic command from the IMA interface can prevent the problem from happening. If the problem has been experienced already, using the no atm bandwidth dynamic command followed by a shutdown and subsequent no shutdown from the IMA interface can be used to work around the problem and clear the inactive PVC condition.
•
CSCek25851
Symptoms: While adding the policer, when it gets rejected, the proper action should also detach the action from the policy map.
Conditions: This symptom is observed in the following releases:
–
12.2(31.04.05)SR
–
12.2(33)SXH
–
12.2(33)SB
–
12.0(31a)S02a
Workaround: There is no workaround.
•
CSCse61893
Symptoms: A ping from a channelized T3 (CT3) port adapter may fail.
Conditions: This symptom is observed on a Cisco platform that is configured with a CT3 port adapter that functions in unchannelized mode.
Workaround: There is no workaround.
•
CSCsg50187
Symptoms: CEF-switching does not function, and the output of the show adjacency interface-type interface-number detail command does not show any packets.
Conditions: This symptom is observed on a Cisco router when packets are switched to a multilink interface via CEF and when you enter the show adjacency interface-type interface-number detail command for a multilink interface.
Workaround: There is no workaround.
•
CSCsh61119
Symptoms: ARP may be refreshed excessively on the default interface, causing high CPU usage in the "Collection Process."
Conditions: This symptom is observed on a Cisco router that has point-to-point interfaces that have non-/32 interface addresses or secondary addresses and that constantly come up or go down.
Workaround: There is no workaround.
•
CSCsi68795
Symptoms: A PE that is part of a confederation and that has received a VPNv4 prefix from an internal and an external confederation peer, may assign a local label to the prefix despite the fact that the prefix is not local to this PE and that the PE is not changing the BGP next-hop.
Conditions: The symptoms are observed when receiving the prefix via two paths from confederation peers.
Workaround: There is no workaround.
Further Problem Description: Whether or not the PE will choose to allocate a local label depends on the order in which the multiple paths for this VPNv4 prefix are learned. The immediate impact is that the allocated local label takes up memory in the router, because the router populates the LFIB with the labels.
•
CSCsi77983
Symptoms: NetFlow cache runs out of space for new flow entry when customer uses heavy traffic.
Conditions: Large amount of traffic which could exhaust the NetFlow cache.
Workaround: There is no workaround.
•
CSCsi84089
Symptoms: A few seconds after OSPF adjacencies come up, a router crashes because of a bus error.
Conditions: This symptom is observed on a Cisco router that functions as an ISR that is configured for OSPF.
Workaround: Add area 0 in the OSPF VRF processes.
Alternate Workaround: Enter the no capability transit command in the OSPF VRF processes.
•
CSCsj30417
Symptoms: In Eng3 ATM, when a subinterface flaps, traffic to certain destinations is forwarded to the wrong subinterface.
Conditions: This symptom is observed in Cisco IOS Release 12.0(32)S05 and 12.0(32)S06. The symptom is not found in Cisco IOS Release 12.0(31)S2.
Workaround: There is no workaround; however, reloading the line card solves the problem.
•
CSCsj49293
Symptoms: The interface output rate (214 Mb/s) is greater than the interface line rate (155 Mb/s).
Conditions: This symptom is observed with a Cisco 7600/7500/7200-NPE400 and below. That is, PA-POS-2OC3/1OC3 (PULL mode).
Workaround: There is no workaround.
Further Problem Description: From the Ixia, packets are transmitted at 320 Mb/s. On the UUT (Cisco 7600), the outgoing interface (POS-Enhanced Flexwan) shows the output rate as 200 Mb/s. But the interface bandwidth is 155 Mb/s.
•
CSCsj50773
Symptoms: Performing the snmpwalk on the ipRouteTable MIB may cause high CPU and reloads.
Conditions: This symptom is observed on a router that is running Cisco IOS Release 12.4(13b) or later releases.
Workaround: Create a view that excludes the ipRouteTable:
snmp-server view cutdown 1.3.6.1.2.1.4.21 exclude
snmp-server view cutdown internet included
snmp-server community <comm> view cutdown RO
This view restricts the objects that the NMS can poll. It excludes access to the ipRouteTable, but allows access to the other MIBs.
•
CSCsk32095
Symptoms: The Ethernet interface flaps after configuring QoS on the interface.
Conditions: Occurs on PA-2FE-TX port adapter after applying QoS to the interface.
Workaround: There is no workaround.
•
CSCsk35985
Symptoms: The system crashes when the show ipv6 ospf lsdb-radix hidden command is entered.
Conditions: This symptom is observed when the show ipv6 ospf lsdb-radix hidden command is entered.
Workaround: Do not enter the show ipv6 ospf lsdb-radix command.
•
CSCsk64158
Symptoms: Several features within Cisco IOS software are affected by a crafted UDP packet vulnerability. If any of the affected features are enabled, a successful attack will result in a blocked input queue on the inbound interface. Only crafted UDP packets destined for the device could result in the interface being blocked; transit traffic will not block the interface.
Cisco has released free software updates that address this vulnerability.
Workarounds that mitigate this vulnerability are available in the workarounds section of the advisory. This advisory is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sa-20090325-udp.shtml
•
CSCsk69194
Symptoms: The shape average percent calculation is wrong.
Conditions: This symptom is observed on a Cisco 7500 router that is configured for dLFIoLL. The policy is attached to ATM and multilink interfaces.
Workaround: Use only absolute values in the shape policy.
•
CSCsk89546
Symptoms: OSPF routes are not populated in the Routing Information Base (RIB) with the next hop as traffic engineering (TE) tunnels.
Conditions: Occurs when multiple TE tunnels are configured and the tunnels come up or are shut/no shut simultaneously.
Workaround: Shut/no shut tunnels one at a time.
•
CSCsl51616
Symptoms: The v6-vrf-lite configuration does not synch properly with the standby; hence 100 percent of the traffic is lost after an SSO switchover.
Conditions: The conditions under which this symptom is observed are unknown.
Workaround: There is no workaround.
•
CSCsl61164
Symptoms: Router may crash @ipflow_fill_data_in_flowset when changing the flow version.
Conditions: Occurs when NetFlow is running with data export occurring while manually changing the flow-export version configuration from version 9 to version 5 and then back again to version 9.
Workaround: Do not change the NetFlow flow version while the router is exporting data and routing traffic.
•
CSCsl67149
Symptoms: A sync issue is observed with the standby and active configuration.
Conditions: This symptom is observed on a Cisco 12000 series router that is configured for MLPP/MFR. When an attempt is made to remove and add the members before the unprovisioning is completed, the member is added in standby but not in active; hence the configuration sync issue.
Workaround: Add the member after the unprovisioning is completed.
•
CSCsm27071
A vulnerability in the handling of IP sockets can cause devices to be vulnerable to a denial of service attack when any of several features of Cisco IOS software are enabled. A sequence of specially crafted TCP/IP packets could cause any of the following results:
–
The configured feature may stop accepting new connections or sessions.
–
The memory of the device may be consumed.
–
The device may experience prolonged high CPU utilization.
–
The device may reload.
Cisco has released free software updates that address this vulnerability.
Workarounds that mitigate this vulnerability are available in the "workarounds" section of the advisory. The advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20090325-ip.shtml
•
CSCsm45113
Symptom: Router may install duplicate routes or incorrect route netmask into routing table. It could happen on any routing protocol. Additionally, for OSPF, crash was observed.
Conditions: The problem is triggered by SNMP polling of ipRouteTable MIB. The problem is introduced by CSCsj50773, see the Integrated-in field of CSCsj50773 for affected images.
Workaround: Do not poll the ipRouteTable MIB; poll the newer replacement ipForward MIB instead. The ipRouteTable MIB was replaced by ipForward MIB in RFC 1354.
Further problem description: The clear ip route * command can correct the routing table until the next poll of ipRouteTable MIB.
•
CSCsm70668
Symptoms: A soft OIR over E3:POS impacts complete traffic with a biscuit tunnel.
Condition: A soft OIR over E3:POS impacts complete traffic with a biscuit tunnel configured. In OIR "test mbus power 6 off" and "test mbus power 6 on" are performed followed by a microcode reload on slot 6.
Workaround: There is no workaround.
•
CSCsm74769
Symptoms: if_num mismatch is seen in the uidb, sometimes along with the L2TPv3 bit set to zero. As a result, customer saw L2TPv3 packet drops over FR in Cisco 12000 series Internet router.
Conditions: Removing xconnect on the remote PE, resulting in a session (DLCI) flap on the local PE. The trigger is an L2TPv3 session flap; this may cause a stale CI->Uidb mapping in internal data structures, resulting in an if-num mismatch in the uidb if the old CI is reused by a DLCI on a different interface.
Workaround: Reload the affected line card.
•
CSCso04657
Symptoms: SSLVPN service stops accepting any new SSLVPN connections.
Conditions: A device configured for SSLVPN may stop accepting any new SSLVPN connections, due to a vulnerability in the processing of new TCP connections for SSLVPN services. If "debug ip tcp transactions" is enabled and this vulnerability is triggered, debug messages with connection queue limit reached will be observed. This vulnerability is documented in two separate Cisco bug IDs, both of which are required for a full fix: CSCso04657 and CSCsg00102.
•
CSCso15740
Symptoms: The "set metric" clause in the continue route-map sequence is not setting metric correctly in some particular conditions. This is also applicable in case where the nexthop setting is done via route-map with a continue clause.
Conditions: The symptom is observed on a Cisco 12000 series router that is running Cisco IOS Release 12.0(32)SY4. This is platform independent. This symptom occurs if the route-map has a continue clause and the match condition does not allow the continue clause to be executed. The following route-map sequence which has to be executed will not execute properly if the metric or nexthop of the prefix are to be modified via the route-map.
Workaround: Avoid using "continue" in a route-map and modifying metric or nexthop via the following route-map sequence.
•
CSCso46427
Symptoms: A device may crash when the show clns interface command is issued on the wrong interface.
Conditions: The symptom is observed when there are a number (around 100 or more) CLNS interfaces on the device.
Workaround: There is no workaround.
•
CSCso65266
Symptoms: A customer upgraded to Cisco IOS Release 12.0(32)Sy4, and now the customer is seeing a memory leak in the BGP process. The memory leak is happening with the BGP router process at the rcache chunk memory when the route map has a "continue" clause in the configuration.
Conditions: The leak is seen when a "continue" statement is configured in an outbound route map.
Workaround: There is no workaround.
•
CSCso72996
Symptoms: A SIP601 sometimes crashes or gets an alignment error.
SLOT 4:Mar 17 17:59:03.877 UTC: %ALIGN-3-SPURIOUS: Spurious memory access made at 0x408C1E14 reading 0xF
SLOT 4:Mar 17 17:59:03.877 UTC: %ALIGN-3-TRACE: -Traceback= 408C1E14 408C03D4 00000000 00000000 00000000 00000000 00000000 00000000
Conditions: The conditions under which this symptom occurs are unknown.
Workaround: There is no workaround.
•
CSCso82147
Symptoms: Line card crashes when packet over SONET (POS) shared port adapter (SPA) is present.
Conditions: Occurs the first time router is reloaded.
Workaround: There is no workaround.
•
CSCso82178
Symptoms: Configuring a PBR at the E5 GE subinterface may cause buffer depletion. The buffer cannot be released except by reloading the linecard.
Conditions: This symptom is observed when a PBR is configured at the subinterface.
Workaround: There is no workaround.
•
CSCso84392
Symptoms: In MVPN, on the source PE, multicast packets are punted to the RP CPU, and some packets are also dropped.
Conditions: Ingress E3 and egress E5, and the TUNSEQ error message appears.
Workaround: There is no workaround.
•
CSCso87348
Symptoms: A Catalyst 6500 or a Cisco 7600 may reload unexpectedly.
Conditions: Occurs when NetFlow is configured on one of the following:
–
Cisco 7600 running Cisco IOS Release 12.2(33)SRC.
–
Catalyst 6500 running Cisco IOS Release 12.2SXH.
Workaround: Disable NetFlow. This is done with the following commands:
no ip flow ingress
no ip flow egress
no ip route-cache flow
Enter the appropriate command for each subinterface for which NetFlow is currently configured.
Other Notes:
Only the 12.2SRC and 12.2SXH code trains are affected. The specific versions affected are 12.2(33)SXH, 12.2(33)SXH1, 12.2(33)SXH2, 12.2(33)SXH2a, 12.2(33)SRC, and 12.2(33)SRC1.
The issue is fixed in the two affected code trains from the 12.2SXH3 and 12.2SRC2 releases onwards.
The following release trains do not have this issue: 12.2(18)SXF, 12.2(33)SRA, 12.2(33)SRB, 12.2(33)SXI and all other release trains after those affected.
•
CSCso88575
Symptoms: MFR bundles associated with E5 channelized based SPAs will stop forwarding traffic, an mismatch of the connection identifier (CI) of the channelized SPA is seen on CI value in the shim header of the l2 rewri

