Table Of Contents
Release Notes for Cisco 7000 Family for Cisco IOS Release 12.1 E
Image Support and Memory Requirements
Determining the Software Version
Upgrading to a New Software Release
New Software Features in Cisco IOS Release 12.1(26)E9
New Hardware Features in Cisco IOS Release 12.1(26)E9
New Software Features in Cisco IOS Release 12.1(27b)E2
New Hardware Features in Cisco IOS Release 12.1(27b)E2
New Software Features in Cisco IOS Release 12.1(26)E8
New Hardware Features in Cisco IOS Release 12.1(26)E8
New Software Features in Cisco IOS Release 12.1(27b)E1
New Hardware Features in Cisco IOS Release 12.1(27b)E1
New Software Features in Cisco IOS Release 12.1(27b)E
New Hardware Features in Cisco IOS Release 12.1(27b)E
New Software Features in Cisco IOS Release 12.1(26)E7
New Hardware Features in Cisco IOS Release 12.1(26)E7
New Software Features in Cisco IOS Release 12.1(26)E6
New Hardware Features in Cisco IOS Release 12.1(26)E6
New Software Features in Cisco IOS Release 12.1(26)E5
New Hardware Features in Cisco IOS Release 12.1(26)E5
New Software Features in Cisco IOS Release 12.1(26)E4
New Hardware Features in Cisco IOS Release 12.1(26)E4
New Software Features in Cisco IOS Release 12.1(26)E3
New Hardware Features in Cisco IOS Release 12.1(26)E3
New Software Features in Cisco IOS Release 12.1(26)E2
New Hardware Features in Cisco IOS Release 12.1(26)E2
New Software Features in Cisco IOS Release 12.1(26)E1
New Hardware Features in Cisco IOS Release 12.1(26)E1
New Software Features in Cisco IOS Release 12.1(26)E
New Hardware Features in Cisco IOS Release 12.1(26)E
New Software Features in Cisco IOS Release 12.1(23)E4
New Hardware Features in Cisco IOS Release 12.1(23)E4
New Software Features in Cisco IOS Release 12.1(23)E3
New Hardware Features in Cisco IOS Release 12.1(23)E3
New Software Features in Cisco IOS Release 12.1(23)E2
New Hardware Features in Cisco IOS Release 12.1(23)E2
New Software Features in Cisco IOS Release 12.1(23)E1
New Hardware Features in Cisco IOS Release 12.1(23)E1
New Software Features in Cisco IOS Release 12.1(23)E
New Hardware Features in Cisco IOS Release 12.1(23)E
New Software Features in Cisco IOS Release 12.1(22)E6
New Hardware Features in Cisco IOS Release 12.1(22)E6
New Software Features in Cisco IOS Release 12.1(22)E3
New Hardware Features in Cisco IOS Release 12.1(22)E3
New Software Features in Cisco IOS Release 12.1(22)E1
New Hardware Features in Cisco IOS Release 12.1(22)E1
New Software Features in Cisco IOS Release 12.1(22)E
New Hardware Features in Cisco IOS Release 12.1(22)E
New Software Features in Cisco IOS Release 12.1(20)E6
New Hardware Features in Cisco IOS Release 12.1(20)E6
New Software Features in Cisco IOS Release 12.1(20)E5
New Hardware Features in Cisco IOS Release 12.1(20)E5
New Software Features in Cisco IOS Release 12.1(20)E4
New Hardware Features in Cisco IOS Release 12.1(20)E4
New Software Features in Cisco IOS Release 12.1(20)E3
New Hardware Features in Cisco IOS Release 12.1(20)E3
New Software Features in Cisco IOS Release 12.1(20)E2
New Hardware Features in Cisco IOS Release 12.1(20)E2
New Software Features in Cisco IOS Release 12.1(20)E1
New Hardware Features in Cisco IOS Release 12.1(20)E1
New Software Features in Cisco IOS Release 12.1(20)E
New Hardware Features in Cisco IOS Release 12.1(20)E
New Software Features in Cisco IOS Release 12.1(19)E7
New Hardware Features in Cisco IOS Release 12.1(19)E7
New Software Features in Cisco IOS Release 12.1(19)E6
New Hardware Features in Cisco IOS Release 12.1(19)E6
New Software Features in Cisco IOS Release 12.1(19)E4
New Hardware Features in Cisco IOS Release 12.1(19)E4
New Software Features in Cisco IOS Release 12.1(19)E3
New Hardware Features in Cisco IOS Release 12.1(19)E3
New Software Features in Cisco IOS Release 12.1(19)E2
New Hardware Features in Cisco IOS Release 12.1(19)E2
New Software Features in Cisco IOS Release 12.1(19)E1
New Hardware Features in Cisco IOS Release 12.1(19)E1
New Software Features in Cisco IOS Release 12.1(19)E
SSH Version 2 Support in Cisco IOS
New Hardware Features in Cisco IOS Release 12.1(19)E
New Software Features in Cisco IOS Release 12.1(14)E10
New Hardware Features in Cisco IOS Release 12.1(14)E10
New Software Features in Cisco IOS Release 12.1(14)E8
New Hardware Features in Cisco IOS Release 12.1(14)E8
New Software Features in Cisco IOS Release 12.1(14)E7
New Hardware Features in Cisco IOS Release 12.1(14)E7
New Software Features in Cisco IOS Release 12.1(14)E6
New Hardware Features in Cisco IOS Release 12.1(14)E6
New Software Features in Cisco IOS Release 12.1(14)E5
New Hardware Features in Cisco IOS Release 12.1(14)E5
New Software Features in Cisco IOS Release 12.1(14)E4
New Hardware Features in Cisco IOS Release 12.1(14)E4
New Software Features in Cisco IOS Release 12.1(14)E3
New Hardware Features in Cisco IOS Release 12.1(14)E3
New Software Features in Cisco IOS Release 12.1(14)E2
New Hardware Features in Cisco IOS Release 12.1(14)E2
New Software Features in Cisco IOS Release 12.1(14)E1
New Hardware Features in Cisco IOS Release 12.1(14)E1
New Software Features in Cisco IOS Release 12.1(14)E
Low Latency Queueing with Priority Percentage Support
New Hardware Features in Cisco IOS Release 12.1(14)E
New Software Features in Cisco IOS Release 12.1(13)E1
New Hardware Features in Cisco IOS Release 12.1(13)E1
New Software Features in Cisco IOS Release 12.1(13)E
Network-Based Application Recognition and Distributed Network-Based Application Recognition
WCCP Redirection on Inbound Interfaces
New Hardware Features in Cisco IOS Release 12.1(13)E
New Software Features in Cisco IOS Release 12.1(12c)E7
New Hardware Features in Cisco IOS Release 12.1(12c)E7
New Software Features in Cisco IOS Release 12.1(12c)E6
New Hardware Features in Cisco IOS Release 12.1(12c)E6
New Software Features in Cisco IOS Release 12.1(12c)E5
New Hardware Features in Cisco IOS Release 12.1(12c)E5
New Software Features in Cisco IOS Release 12.1(12c)E1
New Hardware Features in Cisco IOS Release 12.1(12c)E1
New Software Features in Cisco IOS Release 12.1(12c)E
New Hardware Features in Cisco IOS Release 12.1(12c)E
Cisco PA-MC-8TE1+ Port Adapter
New Software Features in Cisco IOS Release 12.1(11b)E14
New Hardware Features in Cisco IOS Release 12.1(11b)E14
New Software Features in Cisco IOS Release 12.1(11b)E12
New Hardware Features in Cisco IOS Release 12.1(11b)E12
New Software Features in Cisco IOS Release 12.1(11b)E11
New Hardware Features in Cisco IOS Release 12.1(11b)E11
New Software Features in Cisco IOS Release 12.1(11b)E10
New Hardware Features in Cisco IOS Release 12.1(11b)E10
New Software Features in Cisco IOS Release 12.1(11b)E8
New Hardware Features in Cisco IOS Release 12.1(11b)E8
New Software Features in Cisco IOS Release 12.1(11b)E3
New Hardware Features in Cisco IOS Release 12.1(11b)E3
New Software Features in Cisco IOS Release 12.1(11b)E1
New Hardware Features in Cisco IOS Release 12.1(11b)E1
New Software Features in Cisco IOS Release 12.1(11b)E
EXEC Commands in Configuration Mode
Pre-Fragmentation for IPSec VPNs
Manual TFTP Certificate Enrollment
Network-Based Application Recognition RTP Payload Classification
New Hardware Features in Cisco IOS Release 12.1(11b)E
New Software Features in Cisco IOS Release 12.1(10)E8
New Hardware Features in Cisco IOS Release 12.1(10)E8
New Software Features in Cisco IOS Release 12.1(10)E7
New Hardware Features in Cisco IOS Release 12.1(10)E7
New Software Features in Cisco IOS Release 12.1(10)E6
New Hardware Features in Cisco IOS Release 12.1(10)E6
New Software Features in Cisco IOS Release 12.1(10)E5
New Hardware Features in Cisco IOS Release 12.1(10)E5
New Software Features in Cisco IOS Release 12.1(10)E4
New Hardware Features in Cisco IOS Release 12.1(10)E4
New Software Features in Cisco IOS Release 12.1(10)E3
New Hardware Features in Cisco IOS Release 12.1(10)E3
New Software Features in Cisco IOS Release 12.1(10)E2
New Hardware Features in Cisco IOS Release 12.1(10)E2
New Software Features in Cisco IOS Release 12.1(10)E1
New Hardware Features in Cisco IOS Release 12.1(10)E1
New Software Features in Cisco IOS Release 12.1(10)E
New Hardware Features in Cisco IOS Release 12.1(10)E
New Software Features in Cisco IOS Release 12.1(9)E3
New Hardware Features in Cisco IOS Release 12.1(9)E3
New Software Features in Cisco IOS Release 12.1(9)E
IPSec VPN High Availability Enhancements
New Hardware Features in Cisco IOS Release 12.1(9)E
New Software Features in Cisco IOS Release 12.1(8b)E13
New Hardware Features in Cisco IOS Release 12.1(8b)E13
New Software Features in Cisco IOS Release 12.1(8b)E12
New Hardware Features in Cisco IOS Release 12.1(8b)E12
New Software Features in Cisco IOS Release 12.1(8b)E11
New Hardware Features in Cisco IOS Release 12.1(8b)E11
New Software Features in Cisco IOS Release 12.1(8b)E10
New Hardware Features in Cisco IOS Release 12.1(8b)E10
New Software Features in Cisco IOS Release 12.1(8b)E9
New Hardware Features in Cisco IOS Release 12.1(8b)E9
New Software Features in Cisco IOS Release 12.1(8a)E4
New Hardware Features in Cisco IOS Release 12.1(8a)E4
New Software Features in Cisco IOS Release 12.1(8a)E2
New Hardware Features in Cisco IOS Release 12.1(8a)E2
New Software Features in Cisco IOS Release 12.1(8a)E
Enhanced Password Security - Phase I
MPLS Label Distribution Protocol
New Hardware Features in Cisco IOS Release 12.1(8a)E
New Software Features in Cisco IOS Release 12.1(7a)E6
New Hardware Features in Cisco IOS Release 12.1(7a)E6
New Software Features in Cisco IOS Release 12.1(7a)E1
New Hardware Features in Cisco IOS Release 12.1(7a)E1
New Software Features in Cisco IOS Release 12.1(7)E
Quality of Service Features for Parallel Express Forwarding (PXF)
SNMP Support for VLAN Subinterfaces
New Hardware Features in Cisco IOS Release 12.1(7)E
Multichannel STM-1 Port Adapter
New Software Features in Cisco IOS Release 12.1(6)E11
New Hardware Features in Cisco IOS Release 12.1(6)E11
New Software Features in Cisco IOS Release 12.1(6)E10
New Hardware Features in Cisco IOS Release 12.1(6)E10
New Software Features in Cisco IOS Release 12.1(6)E9
New Hardware Features in Cisco IOS Release 12.1(6)E9
New Software Features in Cisco IOS Release 12.1(6)E8
New Hardware Features in Cisco IOS Release 12.1(6)E8
New Software Features in Cisco IOS Release 12.1(6)E3
New Hardware Features in Cisco IOS Release 12.1(6)E3
New Software Features in Cisco IOS Release 12.1(6)E2
New Hardware Features in Cisco IOS Release 12.1(6)E2
New Software Features in Cisco IOS Release 12.1(6)E
Distributed Network-Based Application Recognition
New Hardware Features in Cisco IOS Release 12.1(6)E
New Software Features in Cisco IOS Release 12.1(5c)E12
New Hardware Features in Cisco IOS Release 12.1(5c)E12
New Software Features in Cisco IOS Release 12.1(5c)E11
New Hardware Features in Cisco IOS Release 12.1(5c)E11
New Software Features in Cisco IOS Release 12.1(5c)E10
New Hardware Features in Cisco IOS Release 12.1(5c)E10
New Software Features in Cisco IOS Release 12.1(5c)E9
New Hardware Features in Cisco IOS Release 12.1(5c)E9
New Software Features in Cisco IOS Release 12.1(5c)E8
New Hardware Features in Cisco IOS Release 12.1(5c)E8
New Software Features in Cisco IOS Release 12.1(5a)E4
New Hardware Features in Cisco IOS Release 12.1(5a)E4
New Software Features in Cisco IOS Release 12.1(5a)E2
New Hardware Features in Cisco IOS Release 12.1(5a)E2
New Software Features in Cisco IOS Release 12.1(5a)E1
New Hardware Features in Cisco IOS Release 12.1(5a)E1
New Software Features in Cisco IOS Release 12.1(5a)E
Cisco 7500 Single Line Card Reload
DiffServ Compliant Weighted Random Early Detection
PA-MC-2T3+Phase-II (T3 Subrate)
Transparent Webcache Load Balancing
Wireless Application Protocol (WAP) Load Balancing
New Hardware Features in Cisco IOS Release 12.1(5a)E
New Software Features in Cisco IOS Release 12.1(4)E3
New Hardware Features in Cisco IOS Release 12.1(4)E3
New Software Features in Cisco IOS Release 12.1(4)E
Express RTP Header Compression
New Hardware Features in Cisco IOS Release 12.1(4)E
PA-POS-OC3 Packet OC-3 Port Adapter
New Software Features in Cisco IOS Release 12.1(3a)E8
New Hardware Features in Cisco IOS Release 12.1(3a)E8
New Software Features in Cisco IOS Release 12.1(3a)E7
New Hardware Features in Cisco IOS Release 12.1(3a)E7
New Software Features in Cisco IOS Release 12.1(3a)E5
New Hardware Features in Cisco IOS Release 12.1(3a)E5
New Software Features in Cisco IOS Release 12.1(3a)E4
New Hardware Features in Cisco IOS Release 12.1(3a)E4
New Software Features in Cisco IOS Release 12.1(3a)E1
New Hardware Features in Cisco IOS Release 12.1(3a)E1
New Software Features in Cisco IOS Release 12.1(3a)E
Cisco Quality of Service Device Manager 1.2
Server Load Balancing Enhancements
New Hardware Features in Cisco IOS Release 12.1(3a)E
Cisco 7200-I/O-GE+E and Cisco 7200-I/O-2FE/E Input/Output Controllers
Enhanced Gigabit Ethernet Interface Processor
New Software Features in Cisco IOS Release 12.1(2)E2
New Hardware Features in Cisco IOS Release 12.1(2)E2
New Features in Cisco IOS Release 12.1(2)E1
New Software Features in Cisco IOS Release 12.1(2)E
Class-Based Quality of Service Management Information Base
Local-Area Network Emulation Quality of Service
Low Latency Queuing for the VIP Enhancement
Cisco Quality of Service Device Manager 1.1 Support
VIP-Based FRF.11/12 (dFRF.11/12)
New Software Features in Cisco IOS Release 12.1(1)E5
New Hardware Features in Cisco IOS Release 12.1(1)E5
New Features in Release Cisco IOS Release 12.1(1)E3
New Software Features in Release Cisco IOS Release 12.1(1)E2
Cisco Quality of Service Device Manager 1.0 Support for Cisco 7500 Series Routers
New Hardware Features in Cisco IOS Release 12.1(1)E
Network Services Engine Support
New Software Features in Cisco IOS Release 12.1(1)E
IOS Server Load Balancing Enhancements
Interface Range Configuration Mode
Network-Based Application Recognition Enhancements
Cisco Quality of Service Device Manager 1.0 Support
Deprecated and Replacement MIBs
SNMP Version 1 BGP4-MIB Limitations
Image Deferral, Cisco IOS Release 12.1(10)E2
Image Obsolescence, Cisco IOS Release 12.1(10)E
Image Obsolescence, Cisco IOS Release 12.1(7)E
Image Obsolescence, Cisco IOS Release 12.1(5c)E8
Image Deferral, Cisco IOS Release 12.1(5a)E2
Image Deferral, Cisco IOS Release 12.1(5a)E1
Image Deferral, Cisco IOS Release 12.1(3a)E5
Caveat CSCdr91706 and IOS HTTP Vulnerability
Image Obsolescence, Cisco IOS Release 12.1(3a)E4
Image Deferral, Cisco IOS Release 12.1(3a)E1
Image Obsolescence, Cisco IOS Release 12.1(3a)E1
Image Deferral, Cisco 7100 Images and Cisco 7500 Images
Cisco 7500 Series Images Released in 12.1(1)E2
Image Deferral, Cisco 7200 Boot Image
Cisco 7500 Series Not Supported on Cisco IOS Release 12.1(1)E
Open Caveats—Cisco IOS Release 12.1(26)E9
Resolved Caveats—Cisco IOS Release 12.1(26)E9
Open Caveats—Cisco IOS Release 12.1(27b)E2
Resolved Caveats—Cisco IOS Release 12.1(27b)E2
Open Caveats—Cisco IOS Release 12.1(26)E8
Resolved Caveats—Cisco IOS Release 12.1(26)E8
Open Caveats—Cisco IOS Release 12.1(27b)E1
Resolved Caveats—Cisco IOS Release 12.1(27b)E1
Open Caveats—Cisco IOS Release 12.1(27b)E
Resolved Caveats—Cisco IOS Release 12.1(27b)E
Open Caveats—Cisco IOS Release 12.1(26)E7
Resolved Caveats—Cisco IOS Release 12.1(26)E7
Open Caveats—Cisco IOS Release 12.1(26)E6
Resolved Caveats—Cisco IOS Release 12.1(26)E6
Open Caveats—Cisco IOS Release 12.1(26)E5
Resolved Caveats—Cisco IOS Release 12.1(26)E5
Open Caveats—Cisco IOS Release 12.1(26)E4
Resolved Caveats—Cisco IOS Release 12.1(26)E4
Open Caveats—Cisco IOS Release 12.1(26)E3
Resolved Caveats—Cisco IOS Release 12.1(26)E3
Open Caveats—Cisco IOS Release 12.1(26)E2
Resolved Caveats—Cisco IOS Release 12.1(26)E2
Open Caveats—Cisco IOS Release 12.1(26)E1
Resolved Caveats—Cisco IOS Release 12.1(26)E1
Open Caveats—Cisco IOS Release 12.1(26)E
Resolved Caveats—Cisco IOS Release 12.1(26)E
Open Caveats—Cisco IOS Release 12.1(23)E4
Resolved Caveats—Cisco IOS Release 12.1(23)E4
Open Caveats—Cisco IOS Release 12.1(23)E3
Resolved Caveats—Cisco IOS Release 12.1(23)E3
Open Caveats—Cisco IOS Release 12.1(23)E2
Resolved Caveats—Cisco IOS Release 12.1(23)E2
Open Caveats—Cisco IOS Release 12.1(23)E1
Resolved Caveats—Cisco IOS Release 12.1(23)E1
Open Caveats—Cisco IOS Release 12.1(23)E
Resolved Caveats—Cisco IOS Release 12.1(23)E
Open Caveats—Cisco IOS Release 12.1(22)E6
Resolved Caveats—Cisco IOS Release 12.1(22)E6
Open Caveats—Cisco IOS Release 12.1(22)E3
Resolved Caveats—Cisco IOS Release 12.1(22)E3
Open Caveats—Cisco IOS Release 12.1(22)E1
Resolved Caveats—Cisco IOS Release 12.1(22)E1
Open Caveats—Cisco IOS Release 12.1(22)E
Resolved Caveats—Cisco IOS Release 12.1(22)E
Open Caveats—Cisco IOS Release 12.1(20)E6
Resolved Caveats—Cisco IOS Release 12.1(20)E6
Open Caveats—Cisco IOS Release 12.1(20)E5
Resolved Caveats—Cisco IOS Release 12.1(20)E5
Open Caveats—Cisco IOS Release 12.1(20)E4
Resolved Caveats—Cisco IOS Release 12.1(20)E4
Open Caveats—Cisco IOS Release 12.1(20)E3
Resolved Caveats—Cisco IOS Release 12.1(20)E3
Open Caveats—Cisco IOS Release 12.1(20)E2
Resolved Caveats—Cisco IOS Release 12.1(20)E2
Open Caveats—Cisco IOS Release 12.1(20)E1
Resolved Caveats—Cisco IOS Release 12.1(20)E1
Open Caveats—Cisco IOS Release 12.1(20)E
Resolved Caveats—Cisco IOS Release 12.1(20)E
Open Caveats—Cisco IOS Release 12.1(19)E7
Resolved Caveats—Cisco IOS Release 12.1(19)E7
Open Caveats—Cisco IOS Release 12.1(19)E6
Resolved Caveats—Cisco IOS Release 12.1(19)E6
Open Caveats—Cisco IOS Release 12.1(19)E4
Resolved Caveats—Cisco IOS Release 12.1(19)E4
Open Caveats—Cisco IOS Release 12.1(19)E3
Resolved Caveats—Cisco IOS Release 12.1(19)E3
Open Caveats—Cisco IOS Release 12.1(19)E2
Resolved Caveats—Cisco IOS Release 12.1(19)E2
Open Caveats—Cisco IOS Release 12.1(19)E1
Resolved Caveats—Cisco IOS Release 12.1(19)E1
Open Caveats—Cisco IOS Release 12.1(19)E
Resolved Caveats—Cisco IOS Release 12.1(19)E
Open Caveats—Cisco IOS Release 12.1(14)E10
Resolved Caveats—Cisco IOS Release 12.1(14)E10
Open Caveats—Cisco IOS Release 12.1(14)E8
Resolved Caveats—Cisco IOS Release 12.1(14)E8
Open Caveats—Cisco IOS Release 12.1(14)E7
Resolved Caveats—Cisco IOS Release 12.1(14)E7
Open Caveats—Cisco IOS Release 12.1(14)E6
Resolved Caveats—Cisco IOS Release 12.1(14)E6
Open Caveats—Cisco IOS Release 12.1(14)E5
Resolved Caveats—Cisco IOS Release 12.1(14)E5
Open Caveats—Cisco IOS Release 12.1(14)E4
Resolved Caveats—Cisco IOS Release 12.1(14)E4
Open Caveats—Cisco IOS Release 12.1(14)E3
Resolved Caveats—Cisco IOS Release 12.1(14)E3
Open Caveats—Cisco IOS Release 12.1(14)E2
Resolved Caveats—Cisco IOS Release 12.1(14)E2
Open Caveats—Cisco IOS Release 12.1(14)E1
Resolved Caveats—Cisco IOS Release 12.1(14)E1
Open Caveats—Cisco IOS Release 12.1(14)E
Resolved Caveats—Cisco IOS Release 12.1(14)E
Open Caveats—Cisco IOS Release 12.1(13)E1
Resolved Caveats—Cisco IOS Release 12.1(13)E1
Open Caveats—Cisco IOS Release 12.1(13)E
Resolved Caveats—Cisco IOS Release 12.1(13)E
Open Caveats—Cisco IOS Release 12.1(12c)E7
Resolved Caveats—Cisco IOS Release 12.1(12c)E7
Open Caveats—Cisco IOS Release 12.1(12c)E6
Resolved Caveats—Cisco IOS Release 12.1(12c)E6
Open Caveats—Cisco IOS Release 12.1(12c)E5
Resolved Caveats—Cisco IOS Release 12.1(12c)E5
Open Caveats—Cisco IOS Release 12.1(12c)E1
Resolved Caveats—Cisco IOS Release 12.1(12c)E1
Open Caveats—Cisco IOS Release 12.1(12c)E
Resolved Caveats—Cisco IOS Release 12.1(12c)E
Open Caveats—Cisco IOS Release 12.1(11b)E14
Resolved Caveats—Cisco IOS Release 12.1(11b)E14
Open Caveats—Cisco IOS Release 12.1(11b)E12
Resolved Caveats—Cisco IOS Release 12.1(11b)E12
Open Caveats—Cisco IOS Release 12.1(11b)E11
Resolved Caveats—Cisco IOS Release 12.1(11b)E11
Open Caveats—Cisco IOS Release 12.1(11b)E10
Resolved Caveats—Cisco IOS Release 12.1(11b)E10
Open Caveats—Cisco IOS Release 12.1(11b)E8
Resolved Caveats—Cisco IOS Release 12.1(11b)E8
Open Caveats—Cisco IOS Release 12.1(11b)E3
Resolved Caveats—Cisco IOS Release 12.1(11b)E3
Open Caveats—Cisco IOS Release 12.1(11b)E1
Resolved Caveats—Cisco IOS Release 12.1(11b)E1
Open Caveats—Cisco IOS Release 12.1(11b)E
Resolved Caveats—Cisco IOS Release 12.1(11b)E
Open Caveats—Cisco IOS Release 12.1(10)E8
Resolved Caveats—Cisco IOS Release 12.1(10)E8
Open Caveats—Cisco IOS Release 12.1(10)E7
Resolved Caveats—Cisco IOS Release 12.1(10)E7
Open Caveats—Cisco IOS Release 12.1(10)E6
Resolved Caveats—Cisco IOS Release 12.1(10)E6
Open Caveats—Cisco IOS Release 12.1(10)E5
Resolved Caveats—Cisco IOS Release 12.1(10)E5
Open Caveats—Cisco IOS Release 12.1(10)E4
Resolved Caveats—Cisco IOS Release 12.1(10)E4
Open Caveats—Cisco IOS Release 12.1(10)E3
Resolved Caveats—Cisco IOS Release 12.1(10)E3
Open Caveats—Cisco IOS Release 12.1(10)E2
Resolved Caveats—Cisco IOS Release 12.1(10)E2
Open Caveats—Cisco IOS Release 12.1(10)E1
Resolved Caveats—Cisco IOS Release 12.1(10)E1
Open Caveats—Cisco IOS Release 12.1(10)E
Resolved Caveats—Cisco IOS Release 12.1(10)E
Open Caveats—Cisco IOS Release 12.1(9)E3
Resolved Caveats—Cisco IOS Release 12.1(9)E3
Open Caveats—Cisco IOS Release 12.1(9)E
Resolved Caveats—Cisco IOS Release 12.1(9)E
Open Caveats—Cisco IOS Release 12.1(8b)E13
Resolved Caveats—Cisco IOS Release 12.1(8b)E13
Open Caveats—Cisco IOS Release 12.1(8b)E12
Resolved Caveats—Cisco IOS Release 12.1(8b)E12
Open Caveats—Cisco IOS Release 12.1(8b)E11
Resolved Caveats—Cisco IOS Release 12.1(8b)E11
Open Caveats—Cisco IOS Release 12.1(8b)E10
Resolved Caveats—Cisco IOS Release 12.1(8b)E10
Open Caveats—Cisco IOS Release 12.1(8b)E9
Resolved Caveats—Cisco IOS Release 12.1(8b)E9
Open Caveats—Cisco IOS Release 12.1(8a)E4
Resolved Caveats—Cisco IOS Release 12.1(8a)E4
Open Caveats—Cisco IOS Release 12.1(8a)E2
Resolved Caveats—Cisco IOS Release 12.1(8a)E2
Open Caveats—Cisco IOS Release 12.1(8a)E
Resolved Caveats—Cisco IOS Release 12.1(8a)E
Open Caveats—Cisco IOS Release 12.1(7a)E6
Resolved Caveats—Cisco IOS Release 12.1(7a)E6
Open Caveats—Cisco IOS Release 12.1(7a)E1
Resolved Caveats—Cisco IOS Release 12.1(7a)E1
Open Caveats—Cisco IOS Release 12.1(7)E
Resolved Caveats—Cisco IOS Release 12.1(7)E
Open Caveats—Cisco IOS Release 12.1(6)E12
Resolved Caveats—Cisco IOS Release 12.1(6)E12
Open Caveats—Cisco IOS Release 12.1(6)E11
Resolved Caveats—Cisco IOS Release 12.1(6)E11
Open Caveats—Cisco IOS Release 12.1(6)E10
Resolved Caveats—Cisco IOS Release 12.1(6)E10
Open Caveats—Cisco IOS Release 12.1(6)E9
Resolved Caveats—Cisco IOS Release 12.1(6)E9
Open Caveats—Cisco IOS Release 12.1(6)E8
Resolved Caveats—Cisco IOS Release 12.1(6)E8
Open Caveats—Cisco IOS Release 12.1(6)E3
Resolved Caveats—Cisco IOS Release 12.1(6)E3
Open Caveats—Cisco IOS Release 12.1(6)E2
Resolved Caveats—Cisco IOS Release 12.1(6)E2
Open Caveats—Cisco IOS Release 12.1(6)E
Resolved Caveats—Cisco IOS Release 12.1(6)E
Open Caveats—Cisco IOS Release 12.1(5c)E12
Resolved Caveats—Cisco IOS Release 12.1(5c)E12
Open Caveats—Cisco IOS Release 12.1(5c)E11
Resolved Caveats—Cisco IOS Release 12.1(5c)E11
Open Caveats—Cisco IOS Release 12.1(5c)E10
Resolved Caveats—Cisco IOS Release 12.1(5c)E10
Open Caveats—Cisco IOS Release 12.1(5c)E9
Resolved Caveats—Cisco IOS Release 12.1(5c)E9
Open Caveats—Cisco IOS Release 12.1(5c)E8
Resolved Caveats—Cisco IOS Release 12.1(5c)E8
Open Caveats—Cisco IOS Release 12.1(5a)E4
Resolved Caveats—Cisco IOS Release 12.1(5a)E4
Open Caveats—Cisco IOS Release 12.1(5a)E2
Resolved Caveats—Cisco IOS Release 12.1(5a)E2
Open Caveats—Cisco IOS Release 12.1(5a)E1
Resolved Caveats—Cisco IOS Release 12.1(5a)E1
Open Caveats—Cisco IOS Release 12.1(5a)E
Resolved Caveats—Cisco IOS Release 12.1(5a)E
Open Caveats—Cisco IOS Release 12.1(4)E3
Resolved Caveats—Cisco IOS Release 12.1(4)E3
Open Caveats—Cisco IOS Release 12.1(4)E
Resolved Caveats—Cisco IOS Release 12.1(4)E
Open Caveats—Cisco IOS Release 12.1(3a)E8
Resolved Caveats—Cisco IOS Release 12.1(3a)E8
Open Caveats—Cisco IOS Release 12.1(3a)E7
Resolved Caveats—Cisco IOS Release 12.1(3a)E7
Open Caveats—Cisco IOS Release 12.1(3a)E5
Resolved Caveats—Cisco IOS Release 12.1(3a)E5
Open Caveats—Cisco IOS Release 12.1(3a)E4
Resolved Caveats—Cisco IOS Release 12.1(3a)E4
Open Caveats—Cisco IOS Release 12.1(3a)E1
Resolved Caveats—Cisco IOS Release 12.1(3a)E1
Open Caveats—Cisco IOS Release 12.1(3a)E
Resolved Caveats—Cisco IOS Release 12.1(3a)E
Open Caveats—Cisco IOS Release 12.1(2)E2
Resolved Caveats—Cisco IOS Release 12.1(2)E2
Open Caveats—Cisco IOS Release 12.1(2)E1
Resolved Caveats—Cisco IOS Release 12.1(2)E1
Open Caveats—Cisco IOS Release 12.1(2)E
Resolved Caveats—Cisco IOS Release 12.1(2)E
Open Caveats—Cisco IOS Release 12.1(1)E5
Resolved Caveats—Cisco IOS Release 12.1(1)E5
Open Caveats—Cisco IOS Release 12.1(1)E3
Resolved Caveats—Cisco IOS Release 12.1(1)E3
Open Caveats—Cisco IOS Release 12.1(1)E2
Resolved Caveats—Cisco IOS Release 12.1(1)E2
Open Caveats—Cisco IOS Release 12.1(1)E
Resolved Caveats—Cisco IOS Release 12.1(1)E
Cisco IOS Software Documentation Set
Cisco IOS Release 12.1 Documentation Set Contents
Obtaining Technical Assistance
Contacting TAC by Using the Cisco TAC Website
Release Notes for Cisco 7000 Family for Cisco IOS Release 12.1 E
June 9, 2008
Cisco IOS Release 12.1(26)E9
OL-1588-82
These release notes for the Cisco 7000 family describe the enhancements provided in Cisco IOS Release 12.1(26)E9. These release notes are updated as needed.
For a list of the software caveats that apply to Cisco IOS Release 12.1(26)E9, see the "Caveats" section, the Caveats for Cisco IOS Release 12.1 document, and the Release Notes for Cisco 7000 Family for Cisco IOS Releases 12.0(5)XE through 12.0(7)XE1. All caveats in Cisco IOS Release 12.1(2) and Cisco IOS Release 12.0(7)XE1 are also in Cisco IOS Release 12.1(26)E9.
Use these release notes with the Cross-Platform Release Notes for Cisco IOS Release 12.1 and the Release Notes for Cisco 7000 Family for Cisco IOS Release 12.0(5)XE Through 12.0(7)XE1 located on Cisco.com and on the Documentation CD-ROM.
Contents
These release notes describe the following topics:
• MIBs
• Obtaining Technical Assistance
Early Deployment Releases
These release notes describe the Cisco 7000 family for Cisco IOS Release 12.1(26)E9, which is an early deployment (ED) release based on Cisco IOS Release 12.0(7)XE. Early deployment releases contain fixes for software caveats and support for new Cisco hardware and software features. Table 1 shows recent early deployment releases of the Cisco 7000 family.
Table 1 Early Deployment Releases for the Cisco 7000 Family
ED Release
Maintenance Release
Additional Software Features
Additional Hardware Features
Availability
Cisco IOS Release 12.1 E
(26)E9
Cisco IOS Release 12.1(26)E9 contains no additional software or hardware features.
Cisco IOS Release 12.1(26)E9 includes caveat fixes only. For more information, see the "Caveats" section
08/17/2007
Cisco IOS Release 12.1 E
(27b)E2
Cisco IOS Release 12.1(27b)E2 contains no additional software or hardware features.
Cisco IOS Release 12.1(27b)E2 includes caveat fixes only. For more information, see the "Caveats" section
06/11/2007
Cisco IOS Release 12.1 E
(26)E8
Cisco IOS Release 12.1(26)E8 contains no additional software or hardware features.
Cisco IOS Release 12.1(26)E8 includes caveat fixes only. For more information, see the "Caveats" section
01/20/2007
Cisco IOS Release 12.1 E
(27b)E
Cisco IOS Release 12.1(27b)E1 contains no additional software or hardware features.
Cisco IOS Release 12.1(27b)E1 includes caveat fixes only. For more information, see the "Caveats" section
09/29/2006
Cisco IOS Release 12.1 E
(27b)E
Cisco IOS Release 12.1(27b)E contains no additional software or hardware features.
Cisco IOS Release 12.1(27b)E includes caveat fixes only. For more information, see the "Caveats" section
03/02/2006
Cisco IOS Release 12.1 E
(26)E7
Cisco IOS Release 12.1(26)E7 contains no additional software or hardware features.
Cisco IOS Release 12.1(26)E7 includes caveat fixes only. For more information, see the "Caveats" section
06/01/2006
Cisco IOS Release 12.1 E
(26)E6
Cisco IOS Release 12.1(26)E6 contains no additional software or hardware features.
Cisco IOS Release 12.1(26)E6 includes caveat fixes only. For more information, see the "Caveats" section
02/06/2006
Cisco IOS Release 12.1 E
(26)E5
Cisco IOS Release 12.1(26)E5 contains no additional software or hardware features.
Cisco IOS Release 12.1(26)E5 includes caveat fixes only. For more information, see the "Caveats" section
01/05/2006
Cisco IOS Release 12.1 E
(26)E4
Cisco IOS Release 12.1(26)E4 contains no additional software or hardware features.
Cisco IOS Release 12.1(26)E4 includes caveat fixes only. For more information, see the "Caveats" section
10/20/2005
Cisco IOS Release 12.1 E
(26)E3
Cisco IOS Release 12.1(26)E3 contains no additional software or hardware features.
Cisco IOS Release 12.1(26)E3 includes caveat fixes only. For more information, see the "Caveats" section
08/22/2005
Cisco IOS Release 12.1 E
(26)E2
Cisco IOS Release 12.1(26)E2 contains no additional software or hardware features.
Cisco IOS Release 12.1(26)E2 includes caveat fixes only. For more information, see the "Caveats" section
06/30/2005
Cisco IOS Release 12.1 E
(26)E1
Cisco IOS Release 12.1(26)E1 contains no additional software or hardware features.
Cisco IOS Release 12.1(26)E1 includes caveat fixes only. For more information, see the "Caveats" section
03/24/2005
Cisco IOS Release 12.1 E
(26)E
Cisco IOS Release 12.1(26)E contains no additional software or hardware features.
Cisco IOS Release 12.1(26)E includes caveat fixes only. For more information, see the "Caveats" section
01/06/2005
Cisco IOS Release 12.1 E
(23)E4
Cisco IOS Release 12.1(23)E4 contains no additional software or hardware features.
Cisco IOS Release 12.1(23)E4 includes caveat fixes only. For more information, see the "Caveats" section
08/29/2005
Cisco IOS Release 12.1 E
(23)E3
Cisco IOS Release 12.1(23)E3 contains no additional software or hardware features.
Cisco IOS Release 12.1(23)E3 includes caveat fixes only. For more information, see the "Caveats" section
05/05/2005
Cisco IOS Release 12.1 E
(23)E2
Cisco IOS Release 12.1(23)E2 contains no additional software or hardware features.
Cisco IOS Release 12.1(23)E2 includes caveat fixes only. For more information, see the "Caveats" section
11/03/2004
Cisco IOS Release 12.1 E
(23)E1
Cisco IOS Release 12.1(23)E1 contains no additional software or hardware features.
Cisco IOS Release 12.1(23)E1 includes caveat fixes only. For more information, see the "Caveats" section
09/09/2004
Cisco IOS Release 12.1 E
(23)E
Cisco IOS Release 12.1(23)E contains no additional software or hardware features.
Cisco IOS Release 12.1(23)E includes caveat fixes only. For more information, see the "Caveats" section
07/25/2004
Cisco IOS Release 12.1 E
(22)E6
Cisco IOS Release 12.1(22)E6 contains no additional software or hardware features.
Cisco IOS Release 12.1(22)E6 includes caveat fixes only. For more information, see the "Caveats" section
05/05/2004
Cisco IOS Release 12.1 E
(22)E3
Cisco IOS Release 12.1(22)E3 contains no additional software or hardware features.
Cisco IOS Release 12.1(22)E3 includes caveat fixes only. For more information, see the "Caveats" section
10/19/2004
Cisco IOS Release 12.1 E
(22)E1
Cisco IOS Release 12.1(22)E1 contains no additional software or hardware features.
Cisco IOS Release 12.1(22)E1 includes caveat fixes only. For more information, see the "Caveats" section
04/20/2004
Cisco IOS Release 12.1 E
(22)E
Cisco IOS Release 12.1(22)E contains no additional software or hardware features.
Cisco IOS Release 12.1(22)E includes caveat fixes only. For more information, see the "Caveats" section
03/22/2004
Cisco IOS Release 12.1 E
(20)E6
Cisco IOS Release 12.1(20)E6 contains no additional software or hardware features.
Cisco IOS Release 12.1(20)E6 includes caveat fixes only. For more information, see the "Caveats" section
05/12/2005
Cisco IOS Release 12.1 E
(20)E5
Cisco IOS Release 12.1(20)E5 contains no additional software or hardware features.
Cisco IOS Release 12.1(20)E5 includes caveat fixes only. For more information, see the "Caveats" section
09/30/2004
Cisco IOS Release 12.1 E
(20)E4
Cisco IOS Release 12.1(20)E4 contains no additional software or hardware features.
Cisco IOS Release 12.1(20)E4 includes caveat fixes only. For more information, see the "Caveats" section
07/12/2004
Cisco IOS Release 12.1 E
(20)E3
Cisco IOS Release 12.1(20)E3 contains no additional software or hardware features.
Cisco IOS Release 12.1(20)E3 includes caveat fixes only. For more information, see the "Caveats" section
04/19/2004
Cisco IOS Release 12.1 E
(20)E2
Cisco IOS Release 12.1(20)E2 contains no additional software or hardware features.
Cisco IOS Release 12.1(20)E2 includes caveat fixes only. For more information, see the "Caveats" section
01/29/2004
Cisco IOS Release 12.1 E
(20)E1
Cisco IOS Release 12.1(20)E1 contains no additional software or hardware features.
Cisco IOS Release 12.1(20)E1 includes caveat fixes only. For more information, see the "Caveats" section
12/04/2003
Cisco IOS Release 12.1 E
(20)E
Cisco IOS Release 12.1(20)E contains no additional software or hardware features.
Cisco IOS Release 12.1(20)E includes caveat fixes only. For more information, see the "Caveats" section
10/27/2003
Cisco IOS Release 12.1 E
(19)E7
Cisco IOS Release 12.1(19)E7 contains no additional software or hardware features.
Cisco IOS Release 12.1(19)E7 includes caveat fixes only. For more information, see the "Caveats" section
04/01/2004
Cisco IOS Release 12.1 E
(19)E6
Cisco IOS Release 12.1(19)E6 contains no additional software or hardware features.
Cisco IOS Release 12.1(19)E6 includes caveat fixes only. For more information, see the "Caveats" section
01/18/2004
Cisco IOS Release 12.1 E
(19)E4
Cisco IOS Release 12.1(19)E4 contains no additional software or hardware features.
Cisco IOS Release 12.1(19)E4 includes caveat fixes only. For more information, see the "Caveats" section
12/01/2003
Cisco IOS Release 12.1 E
(19)E3
Cisco IOS Release 12.1(19)E3 contains no additional software or hardware features.
Cisco IOS Release 12.1(19)E3 includes caveat fixes only. For more information, see the "Caveats" section
09/11/2003
Cisco IOS Release 12.1 E
(19)E2
Cisco IOS Release 12.1(19)E2 contains no additional software or hardware features.
Cisco IOS Release 12.1(19)E2 includes caveat fixes only. For more information, see the "Caveats" section
07/31/2003
Cisco IOS Release 12.1 E
(19)E1
Cisco IOS Release 12.1(19)E1 contains no additional software or hardware features.
Cisco IOS Release 12.1(19)E1 includes caveat fixes only. For more information, see the "Caveats" section
07/01/2003
Cisco IOS Release 12.1 E
(19)E
SSH Version 2 Support in Cisco IOS
06/22/2003
Cisco IOS Release 12.1 E
(14)E10
Cisco IOS Release 12.1(14)E10 contains no additional software or hardware features.
Cisco IOS Release 12.1(14)E10 includes caveat fixes only. For more information, see the "Caveats" section
01/18/2004
Cisco IOS Release 12.1 E
(14)E8
Cisco IOS Release 12.1(14)E8 contains no additional software or hardware features.
Cisco IOS Release 12.1(14)E8 includes caveat fixes only. For more information, see the "Caveats" section
01/13/2004
Cisco IOS Release 12.1 E
(14)E7
Cisco IOS Release 12.1(14)E7 contains no additional software or hardware features.
Cisco IOS Release 12.1(14)E7 includes caveat fixes only. For more information, see the "Caveats" section
10/13/2003
Cisco IOS Release 12.1 E
(14)E6
Cisco IOS Release 12.1(14)E6 contains no additional software or hardware features.
Cisco IOS Release 12.1(14)E6 includes caveat fixes only. For more information, see the "Caveats" section
09/04/2003
Cisco IOS Release 12.1 E
(14)E5
Cisco IOS Release 12.1(14)E5 contains no additional software or hardware features.
Cisco IOS Release 12.1(14)E5 includes caveat fixes only. For more information, see the "Caveats" section
06/23/2003
Cisco IOS Release 12.1 E
(14)E4
Cisco IOS Release 12.1(14)E4 contains no additional software or hardware features.
Cisco IOS Release 12.1(14)E4 includes caveat fixes only. For more information, see the "Caveats" section
05/08/2003
Cisco IOS Release 12.1 E
(14)E3
Cisco IOS Release 12.1(14)E3 contains no additional software or hardware features.
Cisco IOS Release 12.1(14)E3 includes caveat fixes only. For more information, see the "Caveats" section
03/31/2003
Cisco IOS Release 12.1 E
(14)E2
Cisco IOS Release 12.1(14)E2 contains no additional software or hardware features.
Cisco IOS Release 12.1(14)E2 includes caveat fixes only. For more information, see the "Caveats" section
03/03/2003
Cisco IOS Release 12.1 E
(14)E1
Cisco IOS Release 12.1(14)E1 contains no additional software or hardware features.
Cisco IOS Release 12.1(14)E1 includes caveat fixes only. For more information, see the "Caveats" section
02/10/2003
Cisco IOS Release 12.1 E
(14)E
Low Latency Queueing with Priority Percentage Support
Traffic Policing
NPE-G1
11/16/2002
Cisco IOS Release 12.1 E
(13)E1
Cisco IOS Release 12.1(13)E1 contains no additional software or hardware features.
Cisco IOS Release 12.1(13)E1 includes caveat fixes only. For more information, see the "Caveats" section
11/11/2002
Cisco IOS Release 12.1 E
(13)E
Network-Based Application Recognition and Distributed Network-Based Application Recognition
IOS Server Load Balancing
WCCP Redirection on Inbound Interfaces
09/09/2002
Cisco IOS Release 12.1 E
(12c)E7
Cisco IOS Release 12.1(12c)E7 contains no additional software or hardware features.
Cisco IOS Release 12.1(12c)E7 includes caveat fixes only. For more information, see the "Caveats" section
07/14/2003
Cisco IOS Release 12.1 E
(12c)E6
Cisco IOS Release 12.1(12c)E6 contains no additional software or hardware features.
Cisco IOS Release 12.1(12c)E6 includes caveat fixes only. For more information, see the "Caveats" section
11/08/2002
Cisco IOS Release 12.1 E
(12c)E5
Cisco IOS Release 12.1(12c)E5 contains no additional software or hardware features.
Cisco IOS Release 12.1(12c)E5 includes caveat fixes only. For more information, see the "Caveats" section
10/28/2002
Cisco IOS Release 12.1 E
(12c)E1
Cisco IOS Release 12.1(12c)E1 contains no additional software or hardware features.
Cisco IOS Release 12.1(12c)E1 includes caveat fixes only. For more information, see the "Caveats" section
07/12/2002
Cisco IOS Release 12.1 E
(12c)E
Cisco IOS Release 12.1(12c)E contains no additional software or hardware features.
Cisco IOS Release 12.1(12c)E includes caveat fixes only. For more information, see the "Caveats" section
05/28/2002
Cisco IOS Release 12.1 E
(11b)E14
Cisco IOS Release 12.1(11b)E14 contains no additional software or hardware features.
Cisco IOS Release 12.1(11b)E14 includes caveat fixes only. For more information, see the "Caveats" section
01/18/2004
Cisco IOS Release 12.1 E
(11b)E12
Cisco IOS Release 12.1(11b)E12 contains no additional software or hardware features.
Cisco IOS Release 12.1(11b)E12 includes caveat fixes only. For more information, see the "Caveats" section
07/23/2003
Cisco IOS Release 12.1 E
(11b)E11
Cisco IOS Release 12.1(11b)E11 contains no additional software or hardware features.
Cisco IOS Release 12.1(11b)E11 includes caveat fixes only. For more information, see the "Caveats" section
01/02/2003
Cisco IOS Release 12.1 E
(11b)E10
Cisco IOS Release 12.1(11b)E10 contains no additional software or hardware features.
Cisco IOS Release 12.1(11b)E10 includes caveat fixes only. For more information, see the "Caveats" section
11/22/2002
Cisco IOS Release 12.1 E
(11b)E8
Cisco IOS Release 12.1(11b)E8 contains no additional software or hardware features.
Cisco IOS Release 12.1(11b)E8 includes caveat fixes only. For more information, see the "Caveats" section
09/19/2002
Cisco IOS Release 12.1 E
(11b)E3
Cisco IOS Release 12.1(11b)E3 contains no additional software or hardware features.
Cisco IOS Release 12.1(11b)E3 includes caveat fixes only. For more information, see the "Caveats" section
05/13/2002
Cisco IOS Release 12.1 E
(11b)E1
Cisco IOS Release 12.1(11b)E1 contains no additional software or hardware features.
Cisco IOS Release 12.1(11b)E1 includes caveat fixes only. For more information, see the "Caveats" section
03/25/2002
Cisco IOS Release 12.1 E
(11b)E
CNS Agents SSL Security
EXEC Commands in Configuration Mode
IOS Server Load Balancing
Pre-Fragmentation for IPSec VPNs
Manual TFTP Certificate Enrollment
VPN Device Manager 1.1
MLPPP Link Down Support
Network-Based Application Recognition RTP Payload Classification
Secure HTTP (HTTPS)
03/04/2002
Cisco IOS Release 12.1 E
(10)E8
Cisco IOS Release 12.1(10)E8 contains no additional software or hardware features.
Cisco IOS Release 12.1(10)E8 includes caveat fixes only. For more information, see the "Caveats" section
06/14/2002
Cisco IOS Release 12.1 E
(10)E7
Cisco IOS Release 12.1(10)E7 contains no additional software or hardware features.
Cisco IOS Release 12.1(10)E7 includes caveat fixes only. For more information, see the "Caveats" section
03/29/2002
Cisco IOS Release 12.1 E
(10)E6
Cisco IOS Release 12.1(10)E6 contains no additional software or hardware features.
Cisco IOS Release 12.1(10)E6 includes caveat fixes only. For more information, see the "Caveats" section
03/13/2002
Cisco IOS Release 12.1 E
(10)E5
Cisco IOS Release 12.1(10)E5 contains no additional software or hardware features.
Cisco IOS Release 12.1(10)E5 includes caveat fixes only. For more information, see the "Caveats" section
02/19/2002
Cisco IOS Release 12.1 E
(10)E4
Cisco IOS Release 12.1(10)E4 contains no additional software or hardware features.
Cisco IOS Release 12.1(10)E4 includes caveat fixes only. For more information, see the "Caveats" section
02/10/2002
Cisco IOS Release 12.1 E
(10)E3
Cisco IOS Release 12.1(10)E3 contains no additional software or hardware features.
Cisco IOS Release 12.1(10)E3 includes caveat fixes only. For more information, see the "Caveats" section
01/28/2002
Cisco IOS Release 12.1 E
(10)E2
Cisco IOS Release 12.1(10)E2 contains no additional software or hardware features.
Cisco IOS Release 12.1(10)E2 includes caveat fixes only. For more information, see the "Caveats" section
01/07/2002
Cisco IOS Release 12.1 E
(10)E1
Cisco IOS Release 12.1(10)E1 contains no additional software or hardware features.
Cisco IOS Release 12.1(10)E1 includes caveat fixes only. For more information, see the "Caveats" section
12/02/2001
Cisco IOS Release 12.1 E
(10)E
Cisco IOS Release 12.1(10)E contains no additional software or hardware features.
Cisco IOS Release 12.1(10)E includes caveat fixes only. For more information, see the "Caveats" section
11/06/2001
Cisco IOS Release 12.1 E
(9)E3
Cisco IOS Release 12.1(9)E3 contains no additional software or hardware features.
Cisco IOS Release 12.1(9)E3 includes caveat fixes only. For more information, see the "Caveats" section
02/09/2002
Cisco IOS Release 12.1 E
(9)E
IOS Server Load Balancing
IPSec VPN High Availability Enhancements
VPN Acceleration Module
09/10/2001
Cisco IOS Release 12.1 E
(8b)E13
Cisco IOS Release 12.1(8b)E13 contains no additional software or hardware features.
Cisco IOS Release 12.1(8b)E13 includes caveat fixes only. For more information, see the "Caveats" section
12/30/2002
Cisco IOS Release 12.1 E
(8b)E12
Cisco IOS Release 12.1(8b)E12 contains no additional software or hardware features.
Cisco IOS Release 12.1(8b)E12 includes caveat fixes only. For more information, see the "Caveats" section
10/28/2002
Cisco IOS Release 12.1 E
(8b)E11
Cisco IOS Release 12.1(8b)E11 contains no additional software or hardware features.
Cisco IOS Release 12.1(8b)E11 includes caveat fixes only. For more information, see the "Caveats" section
05/28/2002
Cisco IOS Release 12.1 E
(8b)E10
Cisco IOS Release 12.1(8b)E10 contains no additional software or hardware features.
Cisco IOS Release 12.1(8b)E10 includes caveat fixes only. For more information, see the "Caveats" section
04/22/2002
Cisco IOS Release 12.1 E
(8b)E9
Cisco IOS Release 12.1(8b)E9 contains no additional software or hardware features.
Cisco IOS Release 12.1(8b)E9 includes caveat fixes only. For more information, see the "Caveats" section
02/15/2002
Cisco IOS Release 12.1 E
(8a)E4
Cisco IOS Release 12.1(8a)E4 contains no additional software or hardware features.
Cisco IOS Release 12.1(8a)E4 includes caveat fixes only. For more information, see the "Caveats" section
09/17/2001
Cisco IOS Release 12.1 E
(8a)E2
Cisco IOS Release 12.1(8a)E2 contains no additional software or hardware features.
Cisco IOS Release 12.1(8a)E2 includes caveat fixes only. For more information, see the "Caveats" section.
08/06/2001
Cisco IOS Release 12.1 E
(8a)E
Enhanced Password Security - Phase I
MPLS Label Distribution Protocol
07/09/2001
Cisco IOS Release 12.1 E
(7a)E6
Cisco IOS Release 12.1(7a)E6 contains no additional software or hardware features.
Cisco IOS Release 12.1(7a)E6 includes caveat fixes only. For more information, see the "Caveats" section.
02/14/2002
Cisco IOS Release 12.1 E
(7a)E1
Cisco IOS Release 12.1(7a)E1 contains no additional software or hardware features.
Cisco IOS Release 12.1(7a)E1 includes caveat fixes only. For more information, see the "Caveats" section.
05/14/2001
Cisco IOS Release 12.1 E
(7)E
Quality of Service Features for Parallel Express Forwarding (PXF)
SNMP Support for VLAN Subinterfaces
Multichannel STM-1 Port Adapter
04/30/2001
Cisco IOS Release 12.1 E
(6)E12
Cisco IOS Release 12.1(6)E12 contains no additional software or hardware features.
Cisco IOS Release 12.1(6)E12 includes caveat fixes only. For more information, see the "Caveats" section.
07/17/2003
Cisco IOS Release 12.1 E
(6)E11
Cisco IOS Release 12.1(6)E11 contains no additional software or hardware features.
Cisco IOS Release 12.1(6)E11 includes caveat fixes only. For more information, see the "Caveats" section.
07/10/2002
Cisco IOS Release 12.1 E
(6)E10
Cisco IOS Release 12.1(6)E10 contains no additional software or hardware features.
Cisco IOS Release 12.1(6)E10 includes caveat fixes only. For more information, see the "Caveats" section.
06/14/2002
Cisco IOS Release 12.1 E
(6)E9
Cisco IOS Release 12.1(6)E9 contains no additional software or hardware features.
Cisco IOS Release 12.1(6)E9 includes caveat fixes only. For more information, see the "Caveats" section.
05/20/2002
Cisco IOS Release 12.1 E
(6)E8
Cisco IOS Release 12.1(6)E8 contains no additional software or hardware features.
Cisco IOS Release 12.1(6)E8 includes caveat fixes only. For more information, see the "Caveats" section.
02/12/2002
Cisco IOS Release 12.1 E
(6)E3
Cisco IOS Release 12.1(6)E3 contains no additional software or hardware features.
Cisco IOS Release 12.1(6)E3 includes caveat fixes only. For more information, see the "Caveats" section.
05/30/2001
Cisco IOS Release 12.1 E
(6)E2
Cisco IOS Release 12.1(6)E2 contains no additional software or hardware features.
Cisco IOS Release 12.1(6)E2 includes caveat fixes only. For more information, see the "Caveats" section.
04/18/2001
Cisco IOS Release 12.1 E
(6)E
Distributed Network-Based Application Recognition (dNBAR)
VPN Device Manager
03/26/2001
Cisco IOS Release 12.1 E
(5c)E12
Cisco IOS Release 12.1(5c)E12 contains no additional software or hardware features.
Cisco IOS Release 12.1(5c)E12 includes caveat fixes only. For more information, see the "Caveats" section.
02/12/2002
Cisco IOS Release 12.1 E
(5c)E11
Cisco IOS Release 12.1(5c)E11 contains no additional software or hardware features.
Cisco IOS Release 12.1(5c)E11 includes caveat fixes only. For more information, see the "Caveats" section.
04/20/2001
Cisco IOS Release 12.1 E
(5c)E10
Cisco IOS Release 12.1(5c)E10 contains no additional software or hardware features.
Cisco IOS Release 12.1(5c)E10 includes caveat fixes only. For more information, see the "Caveats" section.
04/02/2001
Cisco IOS Release 12.1 E
(5c)E9
Cisco IOS Release 12.1(5c)E9 contains no additional software or hardware features.
Cisco IOS Release 12.1(5c)E9 includes caveat fixes only. For more information, see the "Caveats" section.
03/26/2001
Cisco IOS Release 12.1 E
(5c)E8
Cisco IOS Release 12.1(5c)E8 contains no additional software or hardware features.
Cisco IOS Release 12.1(5c)E8 includes caveat fixes only. For more information, see the "Caveats" section.
03/05/2001
Cisco IOS Release 12.1 E
(5a)E4
Cisco IOS Release 12.1(5a)E4 contains no additional software or hardware features.
Cisco IOS Release 12.1(5a)E4 includes caveat fixes only. For more information, see the "Caveats" section.
02/12/2001
Cisco IOS Release 12.1 E
(5a)E2
Cisco IOS Release 12.1(5a)E2 contains no additional software or hardware features.
Cisco IOS Release 12.1(5a)E2 includes caveat fixes only. For more information, see the "Caveats" section.
01/15/2001
Cisco IOS Release 12.1 E
(5a)E1
Cisco IOS Release 12.1(5a)E1 contains no additional software or hardware features.
Cisco IOS Release 12.1(5a)E1 includes caveat fixes only. For more information, see the "Caveats" section.
12/28/2000
Cisco IOS Release 12.1 E
(5a)E
Cisco 7500 Single Line Card Reload
DiffServ Compliant Weighted Random Early Detection
Multi-ISA
PA-MC-2T3+Phase-II (T3 Subrate)
Transparent Webcache Load Balancing
Wireless Application Protocol (WAP) Load Balancing
PA-2FE
PA-MC-4T1 and PA-MC-8T1 on Cisco 7100
PA-MC-8E1 on Cisco 7100
12/21/2000
Cisco IOS Release 12.1 E
(4)E3
Cisco IOS Release 12.1(4)E3 contains no additional software or hardware features.
Cisco IOS Release 12.1(4)E3 includes caveat fixes only. For more information, see the "Caveats" section
02/09/2002
Cisco IOS Release 12.1 E
(4)E
IPSec MIB
Express RTP Header Compression
Turbo Access Control Lists
PA-POS-OC3 Packet OC-3 Port Adapter
Gigabit Ethernet Port Adapter
PA-MC-2E1
PA-MC-2T1
11/13/2000
Cisco IOS Release 12.1 E
(3a)E8
Cisco IOS Release 12.1(3a)E8 contains no additional software or hardware features.
Cisco IOS Release 12.1(3a)E8 includes caveat fixes only. For more information, see the "Caveats" section.
02/14/2002
Cisco IOS Release 12.1 E
(3a)E7
Cisco IOS Release 12.1(3a)E7 contains no additional software or hardware features.
Cisco IOS Release 12.1(3a)E7 includes caveat fixes only. For more information, see the "Caveats" section.
02/14/2002
Cisco IOS Release 12.1 E
(3a)E5
Cisco IOS Release 12.1(3a)E5 contains no additional software or hardware features.
Cisco IOS Release 12.1(3a)E5 includes caveat fixes only. For more information, see the "Caveats" section.
10/30/2000
Cisco IOS Release 12.1 E
(3a)E4
Cisco IOS Release 12.1(3a)E4 contains no additional software or hardware features.
Cisco IOS Release 12.1(3a)E4 includes caveat fixes only. For more information, see the "Caveats" section.
10/24/2000
Cisco IOS Release 12.1 E
(3a)E1
Cisco IOS Release 12.1(3a)E1 contains no additional software or hardware features.
Cisco IOS Release 12.1(3a)E1 includes caveat fixes only. For more information, see the "Caveats" section.
10/10/2000
Cisco IOS Release 12.1 E
(3a)E
SLB Enhancements
QDM 1.2
Cisco 7200-I/O-GE+E and Cisco 7200-I/O-2FE/E Input/Output Controllers
Enhanced Gigabit Ethernet Interface Processor
NPE-400
PA-A3-OC12
VIP4
09/18/2000
Cisco IOS Release 12.1 E
(2)E2
Cisco IOS Release 12.1(2)E2 contains no additional software or hardware features.
Cisco IOS Release 12.1(2)E2 includes caveat fixes only. For more information, see the "Caveats" section.
02/14/2002
Cisco IOS Release 12.1 E
(2)E1
Cisco IOS Release 12.1(2)E1 contains no additional software or hardware features.
Cisco IOS Release 12.1(2)E1 includes caveat fixes only. For more information, see the "Caveats" section.
Now
Cisco IOS Release 12.1 E
(2)E
Class-Based Quality of Service Management Information Base
Local Area Network Emulation Quality of Service
Low Latency Queuing for the VIP Enhancement
Cisco Quality of Service Device Manager 1.1 Support
NBAR Enhancements
08/22/2000
Cisco IOS Release 12.1 E
(1)E5
Cisco IOS Release 12.1(1)E5 contains no additional software or hardware features.
Cisco IOS Release 12.1(1)E5 includes caveat fixes only. For more information, see the "Caveats" section.
02/12/2002
Cisco IOS Release 12.1 E
(1)E2
Cisco 7500 series support added
05/11/2000
Cisco IOS Release 12.1 E
(1)E
IOS Server Load Balancing Enhancements
Interface Range Configuration Mode
Network-Based Application Recognition (NBAR) Enhancements
Cisco Quality of Service Device Manager 1.0 Support
Turbo Access Control Lists
NSE-1 support
Integrated Service Adapter
04/17/2000
Cisco IOS Release 12.0 XE1
(7)
dWFQ for RSVP
Cisco IOS Firewall Feature Set for Cisco 7500 series routers
Fast EtherChannel Enhancements for Cisco 7200 series routers
Inverse multiplexing over ATM Enhancements
Low-Latency Queueing for the Versatile Interface Processor Enhancement
PA-MC-T3 Multi-Channel T3 Synchronous Serial Port Adapter Enhancement
MPLS Class Of Service Classification Using MPLS Experimental Bits
OC-12c Dynamic Packet Transport Interface Processor (DPTIP) for Cisco 7200 and 7500 series routers
Inverse multiplexing over ATM on Cisco 7100 series routers
PA-MC-2T3+ port adapter
Two-Port Multichannel DS1/PRI and Multichannel E1/PRI port adapters
Gigabit Ethernet (PA-GE support)
Now
Cisco IOS Release 12.0 XE5
(5)
None
Integrated Service Module
Now
Cisco IOS Release 12.0 XE3
(5)
Quality of service for Virtual Private Networks
None
Now
Cisco IOS Release 12.0 XE2
(5)
Network-Based Application Recognition (NBAR)
E1 support for Two-port T1/E1 High-Capacity Digital Voice Port Adapter for Cisco 7200 series routers
Now
Cisco IOS Release 12.0 XE
(5)
Distributed Traffic Shaping
Two-Port T1/E1 High-capacity Digital Voice Port Adapter for Cisco 7200 series routers
Inverse multiplexing over ATM port adapter
Now
System Requirements
This section describes the system requirements for Cisco IOS Release 12.1(26)E9 and includes the following sections:
• Image Support and Memory Requirements
• Determining the Software Version
• Upgrading to a New Software Release
Image Support and Memory Requirements
Table 2 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(14)E3 and later releases for the Cisco 7000 family of routers up to and including Cisco IOS Release 12.1(26)E9.
Table 3 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(14)E2 for the Cisco 7000 family of routers.
Table 4 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(14)E1 for the Cisco 7000 family of routers.
Table 5 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(14)E for the Cisco 7000 family of routers.
Table 6 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(13)E1 for the Cisco 7000 family of routers.
Table 7 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(13)E for the Cisco 7000 family of routers.
Table 8 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(12c)E7 for the Cisco 7000 family of routers.
Table 9 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(12c)E6 for the Cisco 7000 family of routers.
Table 10 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(12c)E5 for the Cisco 7000 family of routers.
Table 11 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(12c)E1 for the Cisco 7000 family of routers.
Table 12 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(12c)E for the Cisco 7000 family of routers.
Table 13 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(11b)E14 for the Cisco 7000 family of routers.
Table 14 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(11b)E12 for the Cisco 7000 family of routers.
Table 15 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(11b)E11 for the Cisco 7000 family of routers.
Table 16 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(11b)E10 for the Cisco 7000 family of routers.
Table 17 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(11b)E8 for the Cisco 7000 family of routers.
Table 18 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(11b)E3 for the Cisco 7000 family of routers.
Table 19 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(11b)E1 for the Cisco 7000 family of routers.
Table 20 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(11b)E for the Cisco 7000 family of routers.
Table 21 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(10)E8 for the Cisco 7000 family of routers.
Table 22 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(10)E7 for the Cisco 7000 family of routers.
Table 23 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(10)E6 for the Cisco 7000 family of routers.
Table 24 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(10)E5 for the Cisco 7000 family of routers.
Table 25 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(10)E4 for the Cisco 7000 family of routers.
Table 26 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(10)E3 for the Cisco 7000 family of routers.
Table 27 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(10)E2 for the Cisco 7000 family of routers.
Table 28 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(10)E1 for the Cisco 7000 family of routers.
Table 29 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(10)E for the Cisco 7000 family of routers.
Table 30 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(9)E3 for the Cisco 7000 family of routers.
Table 31 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(9)E for the Cisco 7000 family of routers.
Table 32 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(8b)E13 for the Cisco 7000 family of routers.
Table 33 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(8b)E12 for the Cisco 7000 family of routers.
Table 34 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(8b)E11 for the Cisco 7000 family of routers.
Table 35 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(8b)E10 for the Cisco 7000 family of routers.
Table 36 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(8b)E9 for the Cisco 7000 family of routers.
Table 37 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(8a)E4 for the Cisco 7000 family of routers.
Table 38 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(8a)E2 for the Cisco 7000 family of routers.
Table 39 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(8a)E for the Cisco 7000 family of routers.
Table 40 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(7a)E6 for the Cisco 7000 family of routers.
Table 41 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(7a)E1 for the Cisco 7000 family of routers.
Table 42 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(7)E for the Cisco 7000 family of routers.
Table 43 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(6)E12 for the Cisco 7000 family of routers.
Table 44 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(6)E11 for the Cisco 7000 family of routers.
Table 45 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(6)E10 for the Cisco 7000 family of routers.
Table 46 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(6)E9 for the Cisco 7000 family of routers.
Table 47 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(6)E8 for the Cisco 7000 family of routers.
Table 48 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(6)E3 for the Cisco 7000 family of routers.
Table 49 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(6)E2 for the Cisco 7000 family of routers.
Table 50 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(6)E for the Cisco 7000 family of routers.
Table 51 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(5c)E12 for the Cisco 7000 family of routers.
Table 52 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(5c)E11 for the Cisco 7000 family of routers.
Table 53 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(5c)E10 for the Cisco 7000 family of routers.
Table 54 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(5c)E9 for the Cisco 7000 family of routers.
Table 55 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(5c)E8 for the Cisco 7000 family of routers.
Table 56 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(5a)E4 for the Cisco 7000 family of routers.
Table 57 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(5a)E2 for the Cisco 7000 family of routers.
Table 58 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(5a)E1 for the Cisco 7000 family of routers.
Table 59 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(5a)E for the Cisco 7000 family of routers.
Table 60 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(4)E3 for the Cisco 7000 family of routers.
Table 61 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(4)E for the Cisco 7000 family of routers.
Table 62 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(3a)E8 for the Cisco 7000 family of routers.
Table 63 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(3a)E7 for the Cisco 7000 family of routers.
Table 64 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(3a)E5 for the Cisco 7000 family of routers.
Table 65 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(3a)E4 for the Cisco 7000 family of routers.
Table 66 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(3a)E1 for the Cisco 7000 family of routers.
Table 67 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(2)E2 for the Cisco 7000 family of routers.
Table 68 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(2)E1 for the Cisco 7000 family of routers.
Table 69 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(1)E5 for the Cisco 7000 family of routers.
Table 70 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(1)E3 for the Cisco 7000 family of routers.
Table 71 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(1)E2 for the Cisco 7000 family of routers.
Table 72 describes the memory recommendations and the images supported by Cisco IOS Release 12.1(1)E for the Cisco 7000 family of routers.
Supported Hardware
Cisco IOS Release 12.1 E supports the following Cisco 7000 family platforms:
• Cisco 7100 series routers (including the Cisco 7120 and Cisco 7140)
• Cisco 7200 series routers (including the Cisco 7202, Cisco 7204, and Cisco 7206)
• Cisco 7200 VXR routers (including the Cisco 7204VXR and Cisco 7206VXR)
• Cisco 7500 series routers (including the Cisco 7505, Cisco 7507, Cisco 7513, and Cisco 7576)
Table 73 describes the supported Cisco 7000 family routers for Cisco IOS Release 12.1 E releases.
Determining the Software Version
To determine the version of Cisco IOS software running on your Cisco 7000 family router, log in to the Cisco 7000 family router and enter the show version EXEC command. The following sample show version command output is from a router running a Cisco 7100 series software image with Cisco IOS Release 12.1(26)E9:
Router> show version
Cisco Internetwork Operating System Software
IOS (tm) 7100 Software (c7100-is-mz), Version 12.1(26)E9, RELEASE SOFTWARE
Upgrading to a New Software Release
For general information about upgrading to a new software release, see Cisco IOS Upgrade Ordering Instructions located at:
http://www.cisco.com/warp/public/cc/pd/iosw/prodlit/957_pp.htm
Feature Set Tables
The Cisco IOS software is packaged in feature sets consisting of software images—depending on the platform. Each feature set contains a specific set of Cisco IOS features.
Cisco IOS Release 12.1(26)E9 supports the same feature sets as Cisco IOS Release 12.1(5)T, but Cisco IOS Release 12.1(26)E9 can include new features supported by the Cisco 7000 family.
Caution
Cisco IOS images with strong encryption (including, but not limited to, 168-bit Triple Data Encryption Standard [3DES] data encryption feature sets) are subject to United States government export controls and have limited distribution. Strong encryption images to be installed outside the United States are likely to require an export license. Customer orders may be denied or subject to delay because of United States government regulations. When applicable, purchaser and user must obtain local import and use authorizations for all encryption strengths. Please contact your sales representative or distributor for more information, or send an e-mail to export@cisco.com.
Note
Cisco IOS Release 12.1(1)E supports only Cisco 7100 series and Cisco 7200 series images.
Table 74 through Table 76 list the feature sets for Cisco 7100 series routers. Table 77 through Table 80 list the feature sets for Cisco 7200 series routers. Table 81 through Table 83 list the feature sets for Cisco 7500 series routers.
The tables use the following conventions:
• Yes: The feature is supported in the software image.
• No: The feature is not supported in the software image.
• In: The number in the In column indicates the Cisco IOS release in which the feature was introduced. For example, (1) means a feature was introduced in Cisco IOS Release 12.1(1)E. If a cell in this column is empty, the feature was included in the initial base release.
Note
These tables might not be cumulative or list all the features in each image. You can find the most current Cisco IOS documentation on Cisco.com. These electronic documents may contain updates and modifications made after the hard-copy documents were printed. If you have a Cisco.com login account, you can find image and release information regarding features prior to Cisco IOS Release 12.1(27b)E2 by using the Feature Navigator tool at: http://www.cisco.com/go/fn.
New and Changed Information
The following sections list the new hardware and software features supported by the Cisco 7000 family of routers for Cisco IOS Release 12.1(26)E9.
For a list of features for Cisco IOS Release 12.0(7)XE1, see the Release Notes for Cisco 7000 Family for Cisco IOS Releases 12.0(5)XE through 12.0(7)XE1.
All features in Cisco IOS Release 12.1(1) are also in Cisco IOS Release 12.1(2)E. For a list of features for Cisco IOS Release 12.1(1), see the Cross-Platform Release Notes for Cisco IOS Release 12.1.
New Software Features in Cisco IOS Release 12.1(26)E9
There are no new software features supported in Cisco IOS Release 12.1(26)E9.
New Hardware Features in Cisco IOS Release 12.1(26)E9
There are no new hardware features supported in Cisco IOS Release 12.1(26)E9.
New Software Features in Cisco IOS Release 12.1(27b)E2
There are no new software features supported in Cisco IOS Release 12.1(27b)E2.
New Hardware Features in Cisco IOS Release 12.1(27b)E2
There are no new hardware features supported in Cisco IOS Release 12.1(27b)E2.
New Software Features in Cisco IOS Release 12.1(26)E8
There are no new software features supported in Cisco IOS Release 12.1(26)E8.
New Hardware Features in Cisco IOS Release 12.1(26)E8
There are no new hardware features supported in Cisco IOS Release 12.1(26)E8.
New Software Features in Cisco IOS Release 12.1(27b)E1
There are no new software features supported in Cisco IOS Release 12.1(27b)E1.
New Hardware Features in Cisco IOS Release 12.1(27b)E1
There are no new hardware features supported in Cisco IOS Release 12.1(27b)E1.
New Software Features in Cisco IOS Release 12.1(27b)E
There are no new software features supported in Cisco IOS Release 12.1(27b)E.
New Hardware Features in Cisco IOS Release 12.1(27b)E
There are no new hardware features supported in Cisco IOS Release 12.1(27b)E.
New Software Features in Cisco IOS Release 12.1(26)E7
There are no new software features supported in Cisco IOS Release 12.1(26)E7.
New Hardware Features in Cisco IOS Release 12.1(26)E7
There are no new hardware features supported in Cisco IOS Release 12.1(26)E7.
New Software Features in Cisco IOS Release 12.1(26)E6
There are no new software features supported in Cisco IOS Release 12.1(26)E6.
New Hardware Features in Cisco IOS Release 12.1(26)E6
There are no new hardware features supported in Cisco IOS Release 12.1(26)E6.
New Software Features in Cisco IOS Release 12.1(26)E5
There are no new software features supported in Cisco IOS Release 12.1(26)E5.
New Hardware Features in Cisco IOS Release 12.1(26)E5
There are no new hardware features supported in Cisco IOS Release 12.1(26)E5.
New Software Features in Cisco IOS Release 12.1(26)E4
There are no new software features supported in Cisco IOS Release 12.1(26)E4.
New Hardware Features in Cisco IOS Release 12.1(26)E4
There are no new hardware features supported in Cisco IOS Release 12.1(26)E4.
New Software Features in Cisco IOS Release 12.1(26)E3
There are no new software features supported in Cisco IOS Release 12.1(26)E3.
New Hardware Features in Cisco IOS Release 12.1(26)E3
There are no new hardware features supported in Cisco IOS Release 12.1(26)E3.
New Software Features in Cisco IOS Release 12.1(26)E2
There are no new software features supported in Cisco IOS Release 12.1(26)E2.
New Hardware Features in Cisco IOS Release 12.1(26)E2
There are no new hardware features supported in Cisco IOS Release 12.1(26)E2.
New Software Features in Cisco IOS Release 12.1(26)E1
There are no new software features supported in Cisco IOS Release 12.1(26)E1.
New Hardware Features in Cisco IOS Release 12.1(26)E1
There are no new hardware features supported in Cisco IOS Release 12.1(26)E1.
New Software Features in Cisco IOS Release 12.1(26)E
There are no new software features supported in Cisco IOS Release 12.1(26)E.
New Hardware Features in Cisco IOS Release 12.1(26)E
There are no new hardware features supported in Cisco IOS Release 12.1(26)E.
New Software Features in Cisco IOS Release 12.1(23)E4
There are no new software features supported in Cisco IOS Release 12.1(23)E4.
New Hardware Features in Cisco IOS Release 12.1(23)E4
There are no new hardware features supported in Cisco IOS Release 12.1(23)E4.
New Software Features in Cisco IOS Release 12.1(23)E3
There are no new software features supported in Cisco IOS Release 12.1(23)E3.
New Hardware Features in Cisco IOS Release 12.1(23)E3
There are no new hardware features supported in Cisco IOS Release 12.1(23)E3.
New Software Features in Cisco IOS Release 12.1(23)E2
There are no new software features supported in Cisco IOS Release 12.1(23)E2.
New Hardware Features in Cisco IOS Release 12.1(23)E2
There are no new hardware features supported in Cisco IOS Release 12.1(23)E2.
New Software Features in Cisco IOS Release 12.1(23)E1
There are no new software features supported in Cisco IOS Release 12.1(23)E1.
New Hardware Features in Cisco IOS Release 12.1(23)E1
There are no new hardware features supported in Cisco IOS Release 12.1(23)E1.
New Software Features in Cisco IOS Release 12.1(23)E
The following new software feature is supported in Cisco IOS Release 12.1(23)E.
Upgrade Secondary ROMmon CLI
Platforms: Cisco 7200 series routers
The Cisco 7200 VXR router has two ROMmon images: the original image shipped with your system is a ReadOnly image that cannot be erased or altered in the field; the second image is read-and-write upgradable by the field. The upgradable second image provides field personnel and other users with the capability to correct ROMmon software problems using Upgrade Secondary ROMmon CLI commands. This ability eliminates or reduces the need to physically replace the hardware in order to get a new image.
The Upgrade Secondary ROMmon CLI commands allow you to:
• Load the Upgrade secondary ROMmon image.
• Configure your system to point to the Upgrade ROMmon image at the next reboot of your router when you are in either the Cisco IOS or the ROMmon state.
  At bootup, the system first executes the ReadOnly ROMmon image and then, if configured, switches to the Upgrade ROMmon image. When you are reloading the router with the upgradable image, you will see appropriate warning messages.
• Select the ReadOnly ROMmon image for execution on the next reboot.
• Display both ROMmon image versions and which ROMmon image is currently selected when you are in either the Cisco IOS or the ROMmon state.
New Hardware Features in Cisco IOS Release 12.1(23)E
There are no new hardware features supported in Cisco IOS Release 12.1(23)E.
New Software Features in Cisco IOS Release 12.1(22)E6
There are no new software features supported in Cisco IOS Release 12.1(22)E6.
New Hardware Features in Cisco IOS Release 12.1(22)E6
There are no new hardware features supported in Cisco IOS Release 12.1(22)E6.
New Software Features in Cisco IOS Release 12.1(22)E3
There are no new software features supported in Cisco IOS Release 12.1(22)E3.
New Hardware Features in Cisco IOS Release 12.1(22)E3
There are no new hardware features supported in Cisco IOS Release 12.1(22)E3.
New Software Features in Cisco IOS Release 12.1(22)E1
There are no new software features supported in Cisco IOS Release 12.1(22)E1.
New Hardware Features in Cisco IOS Release 12.1(22)E1
There are no new hardware features supported in Cisco IOS Release 12.1(22)E1.
New Software Features in Cisco IOS Release 12.1(22)E
There are no new software features supported in Cisco IOS Release 12.1(22)E.
New Hardware Features in Cisco IOS Release 12.1(22)E
There are no new hardware features supported in Cisco IOS Release 12.1(22)E.
New Software Features in Cisco IOS Release 12.1(20)E6
There are no new software features supported in Cisco IOS Release 12.1(20)E6.
New Hardware Features in Cisco IOS Release 12.1(20)E6
There are no new hardware features supported in Cisco IOS Release 12.1(20)E6.
New Software Features in Cisco IOS Release 12.1(20)E5
There are no new software features supported in Cisco IOS Release 12.1(20)E5.
New Hardware Features in Cisco IOS Release 12.1(20)E5
There are no new hardware features supported in Cisco IOS Release 12.1(20)E5.
New Software Features in Cisco IOS Release 12.1(20)E4
There are no new software features supported in Cisco IOS Release 12.1(20)E4.
New Hardware Features in Cisco IOS Release 12.1(20)E4
There are no new hardware features supported in Cisco IOS Release 12.1(20)E4.
New Software Features in Cisco IOS Release 12.1(20)E3
There are no new software features supported in Cisco IOS Release 12.1(20)E3.
New Hardware Features in Cisco IOS Release 12.1(20)E3
There are no new hardware features supported in Cisco IOS Release 12.1(20)E3.
New Software Features in Cisco IOS Release 12.1(20)E2
There are no new software features supported in Cisco IOS Release 12.1(20)E2.
New Hardware Features in Cisco IOS Release 12.1(20)E2
There are no new hardware features supported in Cisco IOS Release 12.1(20)E2.
New Software Features in Cisco IOS Release 12.1(20)E1
There are no new software features supported in Cisco IOS Release 12.1(20)E1.
New Hardware Features in Cisco IOS Release 12.1(20)E1
There are no new hardware features supported in Cisco IOS Release 12.1(20)E1.
New Software Features in Cisco IOS Release 12.1(20)E
The following new software feature is supported in Cisco IOS Release 12.1(20)E.
VAM - RSA-Encr
Platforms: Cisco 7100 series routers, Cisco 7200 series routers, and Cisco 7401ASR routers.
RSA signatures and RSA encrypted nonces (supported on VAM with Cisco IOS Release 12.1(20)E): RSA is the public key cryptographic system developed by Ron Rivest, Adi Shamir, and Leonard Adleman, hence RSA. RSA signatures provide non-repudiation while RSA encrypted nonces provide repudiation. For additional information, see the Exporting and Importing RSA Keys feature module at: http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps1839/products_feature_guide09186a00801541cf.html
New Hardware Features in Cisco IOS Release 12.1(20)E
There are no new hardware features supported in Cisco IOS Release 12.1(20)E.
New Software Features in Cisco IOS Release 12.1(19)E7
There are no new software features supported in Cisco IOS Release 12.1(19)E7.
New Hardware Features in Cisco IOS Release 12.1(19)E7
There are no new hardware features supported in Cisco IOS Release 12.1(19)E7.
New Software Features in Cisco IOS Release 12.1(19)E6
There are no new software features supported in Cisco IOS Release 12.1(19)E6.
New Hardware Features in Cisco IOS Release 12.1(19)E6
There are no new hardware features supported in Cisco IOS Release 12.1(19)E6.
New Software Features in Cisco IOS Release 12.1(19)E4
There are no new software features supported in Cisco IOS Release 12.1(19)E4.
New Hardware Features in Cisco IOS Release 12.1(19)E4
There are no new hardware features supported in Cisco IOS Release 12.1(19)E4.
New Software Features in Cisco IOS Release 12.1(19)E3
There are no new software features supported in Cisco IOS Release 12.1(19)E3.
New Hardware Features in Cisco IOS Release 12.1(19)E3
There are no new hardware features supported in Cisco IOS Release 12.1(19)E3.
New Software Features in Cisco IOS Release 12.1(19)E2
There are no new software features supported in Cisco IOS Release 12.1(19)E2.
New Hardware Features in Cisco IOS Release 12.1(19)E2
There are no new hardware features supported in Cisco IOS Release 12.1(19)E2.
New Software Features in Cisco IOS Release 12.1(19)E1
There are no new software features supported in Cisco IOS Release 12.1(19)E1.
New Hardware Features in Cisco IOS Release 12.1(19)E1
There are no new hardware features supported in Cisco IOS Release 12.1(19)E1.
New Software Features in Cisco IOS Release 12.1(19)E
The following new software feature is supported in Cisco IOS Release 12.1(19)E.
SSH Version 2 Support in Cisco IOS
Platforms: Cisco 7100 Series Routers, Cisco 7200 Series Routers, and Cisco 7500 Series Routers
SSHv2 is a standards-based protocol that provides secure Telnet capability for router configuration and administration.
SSHv2 is an application running on top of a reliable transport layer, such as TCP/IP, and providing strong authentication and encryption capabilities. It supports logging onto another computer over a network, executing commands remotely, and moving files from one host to another.
New Hardware Features in Cisco IOS Release 12.1(19)E
There are no new hardware features supported in Cisco IOS Release 12.1(19)E.
New Software Features in Cisco IOS Release 12.1(14)E10
There are no new software features supported in Cisco IOS Release 12.1(14)E10.
New Hardware Features in Cisco IOS Release 12.1(14)E10
There are no new hardware features supported in Cisco IOS Release 12.1(14)E10.
New Software Features in Cisco IOS Release 12.1(14)E8
There are no new software features supported in Cisco IOS Release 12.1(14)E8.
New Hardware Features in Cisco IOS Release 12.1(14)E8
There are no new hardware features supported in Cisco IOS Release 12.1(14)E8.
New Software Features in Cisco IOS Release 12.1(14)E7
There are no new software features supported in Cisco IOS Release 12.1(14)E7.
New Hardware Features in Cisco IOS Release 12.1(14)E7
There are no new hardware features supported in Cisco IOS Release 12.1(14)E7.
New Software Features in Cisco IOS Release 12.1(14)E6
There are no new software features supported in Cisco IOS Release 12.1(14)E6.
New Hardware Features in Cisco IOS Release 12.1(14)E6
There are no new hardware features supported in Cisco IOS Release 12.1(14)E6.
New Software Features in Cisco IOS Release 12.1(14)E5
There are no new software features supported in Cisco IOS Release 12.1(14)E5.
New Hardware Features in Cisco IOS Release 12.1(14)E5
There are no new hardware features supported in Cisco IOS Release 12.1(14)E5.
New Software Features in Cisco IOS Release 12.1(14)E4
There are no new software features supported in Cisco IOS Release 12.1(14)E4.
New Hardware Features in Cisco IOS Release 12.1(14)E4
There are no new hardware features supported in Cisco IOS Release 12.1(14)E4.
New Software Features in Cisco IOS Release 12.1(14)E3
There are no new software features supported in Cisco IOS Release 12.1(14)E3.
New Hardware Features in Cisco IOS Release 12.1(14)E3
There are no new hardware features supported in Cisco IOS Release 12.1(14)E3.
New Software Features in Cisco IOS Release 12.1(14)E2
There are no new software features supported in Cisco IOS Release 12.1(14)E2.
New Hardware Features in Cisco IOS Release 12.1(14)E2
There are no new hardware features supported in Cisco IOS Release 12.1(14)E2.
New Software Features in Cisco IOS Release 12.1(14)E1
There are no new software features supported in Cisco IOS Release 12.1(14)E1.
New Hardware Features in Cisco IOS Release 12.1(14)E1
There are no new hardware features supported in Cisco IOS Release 12.1(14)E1.
New Software Features in Cisco IOS Release 12.1(14)E
The following new software feature is supported in Cisco IOS Release 12.1(14)E.
Low Latency Queueing with Priority Percentage Support
Platforms: Cisco 7200 Series Routers and Cisco 7500 Series Routers
This feature allows you to configure bandwidth as a percentage within low latency queueing (LLQ). Specifically, you can designate a percentage of the bandwidth to be allocated to an entity (such as a physical interface, a shaped ATM permanent virtual circuit (PVC), or a shaped Frame Relay PVC) to which a policy map is attached. Traffic associated with the policy map will then be given priority treatment.
This feature also allows you to specify the percentage of bandwidth to be allocated to non-priority traffic classes.
This feature modifies two existing commands, bandwidth and priority, and provides additional functionality in the way that bandwidth can be allocated using these two commands.
Changes to the bandwidth Command
This feature adds a new keyword to the bandwidth command—remaining percent. The feature also changes the functionality of the existing percent keyword. These changes result in the following commands for bandwidth: bandwidth percent and bandwidth remaining percent.
The bandwidth percent command configures bandwidth as an absolute percentage of the total bandwidth on the interface.
The bandwidth remaining percent command allows you to allocate bandwidth as a relative percentage of the total bandwidth available on the interface. This command allows you to specify the relative percentage of the bandwidth to be allocated to the classes of traffic. For instance, you can specify that 30 percent of the available bandwidth be allocated to class1, and 60 percent of the bandwidth be allocated to class2. Essentially, you are specifying the ratio of the bandwidth to be allocated to the traffic class. In this case, the ratio is 1 to 2 (30 percent allocated to class1 and 60 percent allocated to class2). The sum of the numbers used to indicate this ratio cannot exceed 100 percent. This way, you need not know the total amount of bandwidth available, just the relative percentage you want to allocate for each traffic class.
Each traffic class gets a minimum bandwidth as a relative percentage of the remaining bandwidth. The remaining bandwidth is the bandwidth available after the priority queue, if present, is given its required bandwidth, and after any Resource Reservation Protocol (RSVP) flows are given their requested bandwidth.
Because this is a relative bandwidth allocation, the packets for the traffic classes are given a proportionate weight only, and no admission control is performed to determine whether any bandwidth (in kbps) is actually available. The only error checking that is performed is to ensure that the total bandwidth percentages for the classes do not exceed 100 percent.
Changes to the priority Command
This feature also adds the percent keyword to the priority command. The priority percent command indicates that the bandwidth will be allocated as a percentage of the total bandwidth of the interface. You can then specify the percentage (that is, a number from 1 to 100) to be allocated by using the percentage argument with the priority percent command.
Unlike the bandwidth command, the priority command provides a strict priority to the traffic class, which ensures low latency to high priority traffic classes.
How These Commands Calculate Bandwidth
When the bandwidth and priority commands calculate the total amount of bandwidth available on an entity, the following guidelines are invoked:
• If the entity is a physical interface, the total bandwidth is the bandwidth on the physical interface.
• If the entity is a shaped ATM PVC, the total bandwidth is calculated as follows:
  – For a variable bit rate (VBR) VC, the average shaping rate is used in the calculation.
  – For an available bit rate (ABR) VC, the minimum shaping rate is used in the calculation.
• If the entity is a shaped Frame Relay PVC, the total bandwidth is calculated as follows:
  – If a minimum acceptable committed information rate (minCIR) is not configured, the CIR divided by two is used in the calculation.
  – If a minimum acceptable CIR is configured, the minCIR setting is used in the calculation.
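The bandwidth rules in this section, worked through as an added Python example (not Cisco code and not part of the original release notes). The class, function, and field names are hypothetical, and the model covers only the rules stated here: the per-entity total bandwidth, the remaining bandwidth after the priority queue and RSVP flows, and the 100 percent check.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Entity:
    """Entity a policy map is attached to (hypothetical model, rates in kbps)."""
    kind: str                             # physical | atm_vbr | atm_abr | frame_relay
    interface_kbps: float = 0             # physical interface bandwidth
    avg_shaping_kbps: float = 0           # ATM VBR average shaping rate
    min_shaping_kbps: float = 0           # ATM ABR minimum shaping rate
    cir_kbps: float = 0                   # Frame Relay CIR
    mincir_kbps: Optional[float] = None   # Frame Relay minCIR, None if not configured


def total_bandwidth_kbps(e: Entity) -> float:
    """Total bandwidth of the entity, per the guidelines listed above."""
    if e.kind == "physical":
        return float(e.interface_kbps)
    if e.kind == "atm_vbr":
        return float(e.avg_shaping_kbps)
    if e.kind == "atm_abr":
        return float(e.min_shaping_kbps)
    if e.kind == "frame_relay":
        # Without a configured minCIR, CIR divided by two is used.
        if e.mincir_kbps is None:
            return e.cir_kbps / 2
        return float(e.mincir_kbps)
    raise ValueError(f"unknown entity kind: {e.kind!r}")


def allocate(entity: Entity,
             remaining_percent: Dict[str, float],
             priority_percent: Optional[float] = None,
             rsvp_kbps: float = 0.0) -> dict:
    """Model 'priority percent' plus 'bandwidth remaining percent' classes.

    The only check on the remaining-percent classes is that their sum does
    not exceed 100. No admission control is modelled: if the priority queue
    and RSVP flows consume everything, the classes are still accepted and
    their minimum guarantee is simply 0 kbps.
    """
    total = total_bandwidth_kbps(entity)

    priority_kbps = 0.0
    if priority_percent is not None:
        if not 1 <= priority_percent <= 100:
            raise ValueError("priority percent must be a number from 1 to 100")
        priority_kbps = total * priority_percent / 100

    if sum(remaining_percent.values()) > 100:
        raise ValueError("remaining percentages exceed 100 percent in total")

    # Remaining bandwidth: what is left after the priority queue (if present)
    # and any RSVP flows have been given their bandwidth.
    remaining = max(0.0, total - priority_kbps - rsvp_kbps)

    classes = {name: remaining * pct / 100
               for name, pct in remaining_percent.items()}
    return {"total_kbps": total, "priority_kbps": priority_kbps,
            "remaining_kbps": remaining, "classes_kbps": classes}


if __name__ == "__main__":
    # Constructed sample: shaped Frame Relay PVC, CIR 512 kbps, no minCIR.
    pvc = Entity(kind="frame_relay", cir_kbps=512)
    result = allocate(pvc, {"class1": 30, "class2": 60}, priority_percent=25)
    for key, value in result.items():
        print(key, value)

    # Constructed sample: priority queue and RSVP together oversubscribe a
    # 1000 kbps interface; the class is still accepted with a 0 kbps minimum.
    link = Entity(kind="physical", interface_kbps=1000)
    print(allocate(link, {"bulk": 50}, priority_percent=90, rsvp_kbps=200))
```

The second sample shows the practical consequence of the missing admission control: a policy can pass the percentage check while guaranteeing its non-priority classes nothing.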
Traffic Policing
Platforms: Cisco 7200 Series Routers and Cisco 7500 Series Routers
The Traffic Policing feature performs the following functions:
• Limits the input or output transmission rate of a class of traffic based on user-defined criteria.
• Marks packets by setting the ATM Cell Loss Priority (CLP) bit, Frame Relay Discard Eligibility (DE) bit, IP precedence value, IP differentiated services code point (DSCP) value, MPLS experimental value, and Quality of Service (QoS) group.
Traffic policing allows you to control the maximum rate of traffic transmitted or received on an interface. The Traffic Policing feature is applied when you attach a traffic policy containing the Traffic Policing configuration to an interface. A traffic policy is configured using the Modular Quality of Service Command-Line Interface (Modular QoS CLI). For information on configuring the Modular QoS CLI, see the Modular Quality of Service Command-Line Interface Overview on Cisco Connection Online (CCO) and the Documentation CD-ROM.
New Hardware Features in Cisco IOS Release 12.1(14)E
The following new hardware feature is supported in Cisco IOS Release 12.1(14)E.
NPE-G1
Platform: Cisco 7200 VXR routers
The NPE-G1 is the first network processing engine for the Cisco 7200 VXR routers to provide the functionality of both a network processing engine and I/O controller. If used without an I/O controller, an I/O blank panel must be in place.
While its design provides I/O controller functionality, it can also work with any I/O controller supported in the Cisco 7200 VXR routers. The NPE-G1, when installed with an I/O controller, provides the primary input/output functionality; that is, the NPE-G1 input/output functionality enhances that of the existing I/O controller. However, when both the I/O controller and NPE-G1 are present, the auxiliary port and console port functionality is on the I/O controller.
The NPE-G1 maintains and executes the system management functions for the Cisco 7200 VXR routers and also holds the system memory and environmental monitoring functions.
The NPE-G1 consists of one board with multiple interfaces. It is keyed so that it can be used only in the Cisco 7200 VXR routers.
New Software Features in Cisco IOS Release 12.1(13)E1
There are no new software features supported in Cisco IOS Release 12.1(13)E1.
New Hardware Features in Cisco IOS Release 12.1(13)E1
There are no new hardware features supported in Cisco IOS Release 12.1(13)E1.
New Software Features in Cisco IOS Release 12.1(13)E
The following new software feature is supported in Cisco IOS Release 12.1(13)E.
IOS Server Load Balancing
Platforms: Cisco 7100 Series Routers and Cisco 7200 Series Routers
The IOS SLB feature is an IOS-based solution that provides IP server load balancing. Using the IOS SLB feature, you can define a virtual server that represents a group of real servers in a cluster of network servers known as a server farm. In this environment, the clients connect to the IP address of the virtual server. When a client initiates a connection to the virtual server, the IOS SLB function chooses a real server for the connection based on a configured load-balancing algorithm.
Note
IOS SLB does not support load balancing of flows between clients and real servers that are on the same local area network (LAN) or virtual LAN (VLAN). The packets being load-balanced cannot enter and leave the load-balancing device on the same interface.
IOS SLB also provides firewall load balancing, which balances flows across a group of firewalls called a firewall farm.
Network-Based Application Recognition and Distributed Network-Based Application Recognition
Platforms: Cisco 7100 Series Routers, Cisco 7200 Series Routers, and Cisco 7500 Series Routers
The purpose of IP Quality of Service (QoS) is to provide appropriate network resources (bandwidth, delay, jitter and packet loss) to applications. QoS maximizes the return on investments on network infrastructure by ensuring that mission critical applications get the required performance and non-critical applications do not hamper the performance of critical applications.
IP QoS can be deployed by defining classes or categories of applications. These classes are defined by using various classification techniques available in Cisco IOS software. After these classes are defined and attached to an interface, the desired QoS features, such as Marking, Congestion Management, Congestion Avoidance, Link Efficiency mechanisms, or Policing and Shaping can then be applied to the classified traffic to provide the appropriate network resources amongst the defined classes.
Classification, therefore, is an important first step in configuring QoS in a network infrastructure.
NBAR is a classification engine that recognizes a wide variety of applications, including web-based and other difficult-to-classify protocols that utilize dynamic TCP/UDP port assignments. When an application is recognized and classified by NBAR, a network can invoke services for that specific application. NBAR ensures that network bandwidth is used efficiently by classifying packets and then applying Quality of Service (QoS) to the classified traffic. Some examples of class-based QoS features that can be used on traffic after the traffic is classified by NBAR include:
• Class-Based Marking (the set command)
• Class-Based Weighted Fair Queueing (the bandwidth and queue-limit commands)
• Low Latency Queueing (the priority command)
• Traffic Policing (the police command)
• Traffic Shaping (the shape command)
Note
For an animated example of NBAR being used with other QoS features to solve a network problem see the following URL:
http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455984.html
Note
The NBAR feature is used for classifying traffic by protocol. The other class-based QoS features determine how the classified traffic is forwarded and are documented separately from NBAR. Furthermore, NBAR is not the only method of classifying network traffic so that QoS features can be applied to classified traffic. For information on the class-based features that can be used to forward NBAR-classified traffic, see the individual feature modules for the particular class-based feature as well as the Cisco IOS Quality of Service Solutions Guide. Many of the non-NBAR classification options for QoS are documented in the "Modular Quality of Service Command-Line Interface" section of the Cisco IOS Quality of Service Solutions Guide. These commands are configured using the match command in class map configuration mode.
NBAR introduces several new classification features that identify applications and protocols from Layer 4 through Layer 7:
• Statically assigned TCP and UDP port numbers
• Non-UDP and non-TCP IP protocols
• Dynamically assigned TCP and UDP port numbers. Classification of such applications requires stateful inspection; that is, the ability to discover the data connections to be classified by parsing the connections where the port assignments are made.
• Sub-port classification or classification based on deep packet inspection; that is, classification by looking deeper into the packet.
NBAR can classify static port protocols. Although access control lists (ACLs) can also be used for this purpose, NBAR is easier to configure and can provide classification statistics that are not available when using ACLs.
NBAR includes a Protocol Discovery feature that provides an easy way to discover application protocols that are traversing an interface. The Protocol Discovery feature discovers any protocol traffic supported by NBAR. Protocol Discovery maintains the following per-protocol statistics for enabled interfaces: total number of input and output packets and bytes, and input and output bit rates. The Protocol Discovery feature captures key statistics associated with each protocol in a network that can be used to define traffic classes and QoS policies for each traffic class.
WCCP Redirection on Inbound Interfaces
Platforms: Cisco 7100 Series Routers, Cisco 7200 Series Routers, and Cisco 7500 Series Routers
The WCCP Redirection on Inbound Interfaces feature adds support to Cisco IOS software for the redirection of Web Cache Communication Protocol (WCCP) traffic on inbound interfaces. Prior to this release, WCCP could be configured to redirect traffic at an outbound interface only.
This feature offers better redirection performance as well as providing more flexibility in configuring WCCP.
Inbound traffic can be configured to use Cisco Express Forwarding (CEF), distributed Cisco Express Forwarding (dCEF), Fast Forwarding, or Process Forwarding.
New Hardware Features in Cisco IOS Release 12.1(13)E
There are no new hardware features supported in Cisco IOS Release 12.1(13)E.
New Software Features in Cisco IOS Release 12.1(12c)E7
There are no new software features supported in Cisco IOS Release 12.1(12c)E7.
New Hardware Features in Cisco IOS Release 12.1(12c)E7
There are no new hardware features supported in Cisco IOS Release 12.1(12c)E7.
New Software Features in Cisco IOS Release 12.1(12c)E6
There are no new software features supported in Cisco IOS Release 12.1(12c)E6.
New Hardware Features in Cisco IOS Release 12.1(12c)E6
There are no new hardware features supported in Cisco IOS Release 12.1(12c)E6.
New Software Features in Cisco IOS Release 12.1(12c)E5
There are no new software features supported in Cisco IOS Release 12.1(12c)E5.
New Hardware Features in Cisco IOS Release 12.1(12c)E5
There are no new hardware features supported in Cisco IOS Release 12.1(12c)E5.
New Software Features in Cisco IOS Release 12.1(12c)E1
There are no new software features supported in Cisco IOS Release 12.1(12c)E1.
New Hardware Features in Cisco IOS Release 12.1(12c)E1
There are no new hardware features supported in Cisco IOS Release 12.1(12c)E1.
New Software Features in Cisco IOS Release 12.1(12c)E
The following new software feature is supported in Cisco IOS Release 12.1(12c)E.
DCBWFQ, DWRED, and DLLQ Support for PA-A3-8E1 IMA and PA-A3-8T1 IMA Port Adapters on Cisco 7500 Series Routers
Platforms: Cisco 7500 series routers
PA-A3-8E1 IMA and PA-A3-8T1 IMA port adapters on Cisco 7500 series routers now support Distributed Class-Based WFQ (DCBWFQ), Distributed Weighted Random Early Detection (DWRED), and Distributed Low-Latency Queueing (DLLQ).
Distributed Class-Based WFQ (DCBWFQ)
WFQ offers dynamic, fair queueing that divides bandwidth across queues of traffic based on weights. WFQ ensures that all traffic is treated fairly, given its weight.
DCBWFQ extends the standard WFQ functionality to provide support for user-defined traffic classes on the VIP. These user-defined traffic classes are configured in the Modular Quality of Service Command-Line Interface (Modular QoS CLI) feature. For information on how to configure QoS with the Modular QoS CLI, refer to the Configuring the Modular Quality of Service Command-Line Interface document.
For information on how to configure DCBWFQ, see the chapter "Configuring Weighted Fair Queueing" in the "Congestion Management" part of the Cisco IOS Quality of Service Solutions Configuration Guide, Release 12.1.
Distributed Weighted Random Early Detection (DWRED)
WRED, the Cisco implementation of RED, combines the capabilities of the RED algorithm with IP Precedence to provide preferential traffic handling for higher priority packets. It can selectively discard lower priority traffic when the interface begins to get congested and provide differentiated performance characteristics for different classes of service.
DWRED is the Cisco high-speed version of WRED. The DWRED algorithm was designed with ISP providers in mind; it allows an ISP to define minimum and maximum queue depth thresholds and drop capabilities for each class of service.
For more information about DWRED, refer to the "Quality of Service Overview" chapter of the Cisco IOS Quality of Service Solutions Configuration Guide, Release 12.1.
Distributed Low Latency Queueing
DLLQ brings the ability to specify low latency behavior for a traffic class. LLQ allows delay-sensitive data such as voice to be dequeued and sent first (before packets in other queues are dequeued), giving delay-sensitive data preferential treatment over other traffic.
DLLQ also introduces the ability to limit the depth of a device transmission ring. Before the introduction of DLLQ, the maximum transmission ring depth was not a user-configurable parameter. Therefore, particles could accumulate on a transmission ring without limitation, which could result in unavoidable high latencies. DLLQ allows users to limit the number of particles that may exist on a transmission ring, effectively lowering the latency incurred by packets sitting on that transmission ring.
For more information about DLLQ, refer to the Distributed Low Latency Queueing document.
PA-A3-8E1 IMA and PA-A3-8T1 IMA
For more information about the PA-A3-8E1 IMA and PA-A3-8T1 IMA port adapters, refer to the Inverse Multiplexing over ATM Port Adapter Installation and Configuration document.
New Hardware Features in Cisco IOS Release 12.1(12c)E
The following new hardware feature is supported in Cisco IOS Release 12.1(12c)E.
Cisco PA-MC-8TE1+ Port Adapter
Platforms: Cisco 7200 series routers and Cisco 7500 series routers
The Cisco PA-MC-8TE1+ is a single-wide port adapter designed to provide a full eight-port PRI multichannel solution for the Cisco 7200 series of routers. The interfaces can be channelized, fractional or ISDN Primary Rate Interface (PRI), or unframed (E1) with up to 256 independent High-Level Data Link Control (HDLC) channels definable for T1 and E1 applications. The PA-MC-8TE1+ port adapter is ideal for service providers and large enterprises looking to cost-effectively deploy high-density ISDN terminations of multiple remote sites.
The Cisco PA-MC-8TE1+ port adapter provides the following features:
• Integrated channel/data service unit (CSU/DSU).
• Load sharing across B-channels using Multilink Point-to-Point Protocol (MLPPP).
• HDLC, X.25, Frame Relay, Link Access Procedure, Balanced (LAPB), Switched Multimegabit Data Service Data Exchange Interface (SMDS DXI), and PPP encapsulation across different channels.
• Online insertion and removal (OIR) support.
For more information about the Cisco PA-MC-8TE1+ port adapter, refer to the following Cisco document:
http://www.cisco.com/univercd/cc/td/doc/product/core/7200vx/portadpt/multicha/8port_t1/index.htm
Route Switch Processor 16
Platforms: Cisco 7500 series routers
The RSP16 is available in new system deployments and as an upgrade to existing RSP8, RSP4+, or RSP2-based systems. The RSP16 is compatible with existing Versatile Interface Processors (VIPs), including the new Cisco VIP6-80 and port adapters that are supported with existing VIPs.
The RSP16 fully supports Cisco 7500 Series high-availability features, including Single Line Card Reload, Route Processor Redundancy, Fast Software Upgrade (FSU), Nonstop Forward (NSF), and Stateful Switch Over (SSO). This support allows the Cisco 7500 Series routers to demonstrate some of the highest uptime in the industry. FSU allows customers to upgrade their existing RSP2, RSP4+, and RSP8 to RSP16 with minimal downtime.
The RSP16 is an ideal platform for enterprise and service provider networks that require additional performance and processing power to support service-enabled edge and core applications.
VIP6-80
Platforms: Cisco 7500 series routers
The Versatile Interface Processor (VIP6-80) is an option available for use with the Cisco 7500 series and the Cisco 7000 series routers using the 7000 Series Route Switch Processor (RSP7000) and 7000 Series Chassis Interface (RSP7000CI). The VIP6-80 improves high-performance switching over previous generation VIPs.
The VIP6-80 supports online insertion and removal (OIR), a feature which allows you to remove and replace a VIP6-80 without first shutting down the system. However, the VIP6-80 does not support OIR of port adapters (PAs). The VIP6-80 must be removed before removing or installing the port adapter.
The VIP6-80 also supports Single Line Card Reload, a feature which reloads a failed line card on the network backplane without reloading other line cards.
The VIP6-80 supports any combination of LAN and WAN PAs, including Fast Ethernet, T1/E1, High-Speed Serial Interface (HSSI), T3/E3, T3/E3 ATM, multichannel T1/E1, multichannel T3/E3, OC-3 ATM, Packet over SONET (POS), and OC-12 ATM.
New Software Features in Cisco IOS Release 12.1(11b)E14
There are no new software features supported in Cisco IOS Release 12.1(11b)E14.
New Hardware Features in Cisco IOS Release 12.1(11b)E14
There are no new hardware features supported in Cisco IOS Release 12.1(11b)E14.
New Software Features in Cisco IOS Release 12.1(11b)E12
There are no new software features supported in Cisco IOS Release 12.1(11b)E12.
New Hardware Features in Cisco IOS Release 12.1(11b)E12
There are no new hardware features supported in Cisco IOS Release 12.1(11b)E12.
New Software Features in Cisco IOS Release 12.1(11b)E11
There are no new software features supported in Cisco IOS Release 12.1(11b)E11.
New Hardware Features in Cisco IOS Release 12.1(11b)E11
There are no new hardware features supported in Cisco IOS Release 12.1(11b)E11.
New Software Features in Cisco IOS Release 12.1(11b)E10
There are no new software features supported in Cisco IOS Release 12.1(11b)E10.
New Hardware Features in Cisco IOS Release 12.1(11b)E10
There are no new hardware features supported in Cisco IOS Release 12.1(11b)E10.
New Software Features in Cisco IOS Release 12.1(11b)E8
There are no new software features supported in Cisco IOS Release 12.1(11b)E8.
New Hardware Features in Cisco IOS Release 12.1(11b)E8
There are no new hardware features supported in Cisco IOS Release 12.1(11b)E8.
New Software Features in Cisco IOS Release 12.1(11b)E3
There are no new software features supported in Cisco IOS Release 12.1(11b)E3.
New Hardware Features in Cisco IOS Release 12.1(11b)E3
There are no new hardware features supported in Cisco IOS Release 12.1(11b)E3.
New Software Features in Cisco IOS Release 12.1(11b)E1
There are no new software features supported in Cisco IOS Release 12.1(11b)E1.
New Hardware Features in Cisco IOS Release 12.1(11b)E1
There are no new hardware features supported in Cisco IOS Release 12.1(11b)E1.
New Software Features in Cisco IOS Release 12.1(11b)E
The following new software features are supported in Cisco IOS Release 12.1(11b)E.
CNS Agents SSL Security
Platforms: Cisco 7100 series router, Cisco 7200 routers, and Cisco 7500 series routers
CNS Agents SSL Security is a Cisco IOS software feature which allows for the configuration of a secure connection between the Cisco Networking Services (CNS) Agent, running on the Cisco IOS software-based device, and a CNS Server.
EXEC Commands in Configuration Mode
Platforms: Cisco 7100 series router, Cisco 7200 routers, and Cisco 7500 series routers
You can now issue EXEC-level Cisco IOS commands (such as show, clear, and debug commands) from within global configuration mode or other modes by issuing the do command followed by the EXEC command.
IOS Server Load Balancing
Platforms: Cisco 7100 series routers and Cisco 7200 series routers
The IOS SLB feature is an IOS-based solution that provides IP server load balancing. Using the IOS SLB feature, you can define a virtual server that represents a group of real servers in a cluster of network servers known as a server farm. In this environment, the clients connect to the IP address of the virtual server. When a client initiates a connection to the virtual server, the IOS SLB function chooses a real server for the connection based on a configured load-balancing algorithm.
The following IOS Server Load Balancing functions are in Cisco IOS Release 12.1(11b)E:
• Network Address Translation (NAT)—Static NAT and Per-Packet Server Load Balancing
• Probes—DNS, HTTP, Ping, TCP, and WSP Probes
• RADIUS Load Balancing—GPRS
• VPN Server Load Balancing
Pre-Fragmentation for IPSec VPNs
Platforms: Cisco 7100 series routers and Cisco 7200 series routers
When a packet is nearly the size of an encrypting router's maximum transmission unit (MTU), and it is encapsulated with IPSec headers, it is likely to exceed the MTU of the outbound link. This will cause packet fragmentation after encryption. While this has little impact on the performance of the encrypting router, the performance of the decrypting router is badly affected. Since the fragments are not encrypted individually, they are reassembled before they can be decrypted. Reassembly cannot be done at interrupt level and takes place only at the process level. Process switching lowers performance to a great extent.
Pre-Fragmentation for IPSec VPNs enables an encrypting router to predetermine the encapsulated packet size from information available in transform sets, which are configured as part of the IPSec security association (SA). If it is predetermined that the packet will exceed the MTU of the output interface, the packet is fragmented before encryption. This avoids process level reassembly before decryption and helps improve decryption performance and overall IPSec traffic throughput.
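The size check described above can be worked through numerically. The following Python sketch is an added example, not Cisco code: it estimates the ESP tunnel-mode packet size from a transform set and, when the result exceeds the MTU, splits the cleartext packet so that each encrypted piece fits. It assumes IPv4 without options, the DF bit clear, 96-bit truncated HMACs, and hypothetical helper names (`TransformSet`, `esp_tunnel_size`, `prefragment`).

```python
from dataclasses import dataclass
from typing import List, Optional

IPV4_HEADER = 20   # bytes, no IP options (assumption)
ESP_HEADER = 8     # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)

# cipher transform -> (padding block size, IV length) in bytes
CIPHERS = {"esp-des": (8, 8), "esp-3des": (8, 8), "esp-null": (4, 0)}
# authentication transform -> ICV length in bytes (HMAC truncated to 96 bits)
ICV = {"esp-md5-hmac": 12, "esp-sha-hmac": 12, None: 0}


@dataclass(frozen=True)
class TransformSet:
    cipher: str
    auth: Optional[str] = None


def esp_tunnel_size(inner_len: int, ts: TransformSet) -> int:
    """Size on the wire of an inner IP packet after ESP tunnel encapsulation."""
    block, iv_len = CIPHERS[ts.cipher]
    # Payload plus trailer is padded up to a multiple of the block size.
    padded = -(-(inner_len + ESP_TRAILER) // block) * block
    return IPV4_HEADER + ESP_HEADER + iv_len + padded + ICV[ts.auth]


def max_inner_len(mtu: int, ts: TransformSet) -> int:
    """Largest inner packet whose encapsulated form still fits in mtu."""
    block, iv_len = CIPHERS[ts.cipher]
    room = mtu - IPV4_HEADER - ESP_HEADER - iv_len - ICV[ts.auth]
    return (room // block) * block - ESP_TRAILER


def ipv4_fragments(total_len: int, limit: int) -> List[int]:
    """Total lengths of the IPv4 fragments of a packet, each at most limit."""
    if total_len <= limit:
        return [total_len]
    chunk = (limit - IPV4_HEADER) // 8 * 8   # fragment offsets are 8-byte units
    if chunk <= 0:
        raise ValueError("limit too small to carry any payload")
    payload = total_len - IPV4_HEADER
    frags = []
    while payload > chunk:
        frags.append(IPV4_HEADER + chunk)
        payload -= chunk
    frags.append(IPV4_HEADER + payload)
    return frags


def prefragment(inner_len: int, mtu: int, ts: TransformSet) -> List[int]:
    """Cleartext fragment lengths; every one encrypts to at most mtu bytes."""
    return ipv4_fragments(inner_len, max_inner_len(mtu, ts))


def post_encryption_fragments(inner_len: int, mtu: int, ts: TransformSet) -> List[int]:
    """Without pre-fragmentation: the ESP packet itself is fragmented, so the
    decrypting router must reassemble before it can decrypt."""
    return ipv4_fragments(esp_tunnel_size(inner_len, ts), mtu)


if __name__ == "__main__":
    ts = TransformSet("esp-3des", "esp-sha-hmac")
    print("encapsulated size of a 1500-byte packet:", esp_tunnel_size(1500, ts))
    print("fragmented after encryption:", post_encryption_fragments(1500, 1500, ts))
    print("fragmented before encryption:", prefragment(1500, 1500, ts))
```

With the pre-fragmented plan, each piece is a complete ESP packet that the peer can decrypt on its own; the inner fragments are reassembled by the destination host rather than by the decrypting router.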
Manual TFTP Certificate Enrollment
Platforms: Cisco 7100 series router, Cisco 7200 routers, and Cisco 7500 series routers
The Manual TFTP Certificate Enrollment feature adds TFTP input and output to the certificate enrollment commands, so that Cisco routers can use TFTP in addition to SCEP to "send" an enrollment request and to receive the granted certificate.
MLPPP Link Down Support
Platforms: Cisco 7100 series router, Cisco 7200 routers, and Cisco 7500 series routers
Multilink PPP allows establishing multiple PPP links in parallel to the same destination. This is often used with dialup or ISDN connections to easily increase the amount of bandwidth between points. With the introduction of the MLPPP Link Down Support feature, you can configure the number of T1 connections in a Multilink PPP (MLP) bundle required to keep that bundle active by entering the ppp multilink links minimum links mandatory command. When you configure this command, all Network Control Protocols (NCPs) for a MLP bundle are disabled until the MLP bundle has the required minimum number of links. When a new link is added to the MLP bundle that brings the number of links up to the specified required minimum number of links, the NCPs are activated for the MLP bundle. When a link is removed from an MLP bundle and the number of links falls below the required minimum number of links for that MLP bundle, the NCPs are disabled for that MLP bundle.
Network-Based Application Recognition RTP Payload Classification
Marketing name: Also previously referred to as NBAR Heuristics and NBAR Heuristics Matching
Platforms: Cisco 7100 series router, 7200 series router, and 7500 series router with VIP
The RTP Payload Type Matching enhancement has been added to the Network-Based Application Recognition (NBAR) feature. With the addition of NBAR RTP Payload Type Matching, RTP traffic can now be classified as a protocol within the Modular QoS CLI framework.
For additional information on the NBAR feature, including NBAR RTP Payload Type Matching, refer to the following document:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t8/dtnbarad.htm
Secure HTTP (HTTPS)
Platforms: Cisco 7100 series routers and Cisco 7200 series routers
The Cisco IOS HTTP server provides authentication, but not encryption, for client connections. The data that the client and server transmit to each other is not encrypted. This leaves communication between clients and servers vulnerable to interception and attack.
The Secure HTTP (HTTPS) feature provides the capability to connect to the Cisco IOS HTTPS server securely. It uses Secure Sockets Layer (SSL) and Transport Layer Security (TLS) to provide device authentication and data encryption.
VPN Device Manager 1.1
Platforms: Cisco 7100 series routers and Cisco 7200 series routers
VPN Device Manager (VDM) release 1.1 supports the Secure HTTP (HTTPS) feature. This feature provides the capability to connect to the Cisco IOS HTTPS server securely. For more information, see Installation and Release Notes for VPN Device Manager 1.1.
New Hardware Features in Cisco IOS Release 12.1(11b)E
The following new hardware features are supported in Cisco IOS Release 12.1(11b)E.
New Software Features in Cisco IOS Release 12.1(10)E8
There are no new software features supported in Cisco IOS Release 12.1(10)E8.
New Hardware Features in Cisco IOS Release 12.1(10)E8
There are no new hardware features supported in Cisco IOS Release 12.1(10)E8.
New Software Features in Cisco IOS Release 12.1(10)E7
There are no new software features supported in Cisco IOS Release 12.1(10)E7.
New Hardware Features in Cisco IOS Release 12.1(10)E7
There are no new hardware features supported in Cisco IOS Release 12.1(10)E7.
New Software Features in Cisco IOS Release 12.1(10)E6
There are no new software features supported in Cisco IOS Release 12.1(10)E6.
New Hardware Features in Cisco IOS Release 12.1(10)E6
There are no new hardware features supported in Cisco IOS Release 12.1(10)E6.
New Software Features in Cisco IOS Release 12.1(10)E5
There are no new software features supported in Cisco IOS Release 12.1(10)E5.
New Hardware Features in Cisco IOS Release 12.1(10)E5
There are no new hardware features supported in Cisco IOS Release 12.1(10)E5.
New Software Features in Cisco IOS Release 12.1(10)E4
There are no new software features supported in Cisco IOS Release 12.1(10)E4.
New Hardware Features in Cisco IOS Release 12.1(10)E4
There are no new hardware features supported in Cisco IOS Release 12.1(10)E4.
New Software Features in Cisco IOS Release 12.1(10)E3
There are no new software features supported in Cisco IOS Release 12.1(10)E3.
New Hardware Features in Cisco IOS Release 12.1(10)E3
There are no new hardware features supported in Cisco IOS Release 12.1(10)E3.
New Software Features in Cisco IOS Release 12.1(10)E2
There are no new software features supported in Cisco IOS Release 12.1(10)E2.
New Hardware Features in Cisco IOS Release 12.1(10)E2
There are no new hardware features supported in Cisco IOS Release 12.1(10)E2.
New Software Features in Cisco IOS Release 12.1(10)E1
There are no new software features supported in Cisco IOS Release 12.1(10)E1.
New Hardware Features in Cisco IOS Release 12.1(10)E1
There are no new hardware features supported in Cisco IOS Release 12.1(10)E1.
New Software Features in Cisco IOS Release 12.1(10)E
There are no new software features supported in Cisco IOS Release 12.1(10)E.
New Hardware Features in Cisco IOS Release 12.1(10)E
There are no new hardware features supported in Cisco IOS Release 12.1(10)E.
New Software Features in Cisco IOS Release 12.1(9)E3
There are no new software features supported in Cisco IOS Release 12.1(9)E3.
New Hardware Features in Cisco IOS Release 12.1(9)E3
There are no new hardware features supported in Cisco IOS Release 12.1(9)E3.
New Software Features in Cisco IOS Release 12.1(9)E
The following new software features are supported in Cisco IOS Release 12.1(9)E.
IOS Server Load Balancing
Platforms: Cisco 7100 series and Cisco 7200 series routers.
The IOS SLB feature is an IOS-based solution that provides IP server load balancing. Using the IOS SLB feature, you can define a virtual server that represents a group of real servers in a cluster of network servers known as a server farm. In this environment, the clients connect to the IP address of the virtual server. When a client initiates a connection to the virtual server, the IOS SLB function chooses a real server for the connection based on a configured load-balancing algorithm.
IOS SLB also provides firewall load balancing, which balances flows across a group of firewalls called a firewall farm.
IPSec VPN High Availability Enhancements
Platforms: Cisco 7100 series and Cisco 7200 series routers.
Reverse Route Injection
Reverse Route Injection (RRI) is a feature designed to simplify network design for VPNs where there is a requirement for redundancy or load balancing. RRI works with both dynamic and static crypto maps.
In the dynamic case, as remote peers establish IPSec security associations with an RRI enabled router, a static route is created for each subnet or host protected by that remote peer. For static crypto maps, a static route is created for each destination of an extended access-list rule.
Once routes are created, they are injected into any dynamic routing protocol and distributed to surrounding devices. This causes traffic flows requiring IPSec to be directed to the appropriate RRI router for transport across the correct SAs, avoiding IPSec policy mismatches and possible packet loss.
Hot Standby Router Protocol and IPSec
Hot Standby Router Protocol (HSRP) is designed to provide high network availability by routing IP traffic from hosts on Ethernet networks without relying on the availability of any single router. This feature is particularly useful for hosts that do not support a router discovery protocol, such as Internet Control Message Protocol (ICMP) Router Discovery Protocol (IRDP), and do not have the functionality to switch to a new router when their selected router reloads or loses power. Without this functionality, a router that loses its default gateway because of a router failure is unable to communicate with the network.
HSRP is configurable on LAN interfaces using standby CLI commands. It is now possible to use the standby IP address from an interface as the local IPSec identity, or local tunnel endpoint.
By using the standby IP address as the tunnel endpoint, failover can be applied to VPN routers by using HSRP. Remote VPN gateways connect to the local VPN router via the standby address that belongs to the active device in the HSRP group. In the event of failover, the standby device takes over ownership of the standby IP address and begins to service remote VPN gateways.
New Hardware Features in Cisco IOS Release 12.1(9)E
The following new hardware feature is supported in Cisco IOS Release 12.1(9)E.
VPN Acceleration Module
Platforms: Cisco 7100 series routers
The VPN Acceleration Module (VAM) is a single-width accelerator module. It provides high-performance, hardware-assisted tunneling and encryption services suitable for virtual private network (VPN) remote access, site-to-site intranet, and extranet applications. It also provides platform scalability and security while working with all services necessary for successful VPN deployments—security, quality of service (QoS), firewall and intrusion detection, and service-level validation and management. The VAM off-loads IPSec processing from the main processor, thus freeing resources on the processor engines for other tasks.
The VAM provides hardware-accelerated support for multiple encryption functions:
• 56-bit Data Encryption Standard (DES) standard mode: Cipher Block Chaining (CBC)
• 3-Key Triple DES (168-bit)
• Secure Hash Algorithm (SHA)-1 and Message Digest 5 (MD5) hash algorithms
• Rivest, Shamir, Adleman (RSA) public-key algorithm
• Diffie-Hellman key exchange RC4-40
New Software Features in Cisco IOS Release 12.1(8b)E13
There are no new software features supported in Cisco IOS Release 12.1(8b)E13.
New Hardware Features in Cisco IOS Release 12.1(8b)E13
There are no new hardware features supported in Cisco IOS Release 12.1(8b)E13.
New Software Features in Cisco IOS Release 12.1(8b)E12
There are no new software features supported in Cisco IOS Release 12.1(8b)E12.
New Hardware Features in Cisco IOS Release 12.1(8b)E12
There are no new hardware features supported in Cisco IOS Release 12.1(8b)E12.
New Software Features in Cisco IOS Release 12.1(8b)E11
There are no new software features supported in Cisco IOS Release 12.1(8b)E11.
New Hardware Features in Cisco IOS Release 12.1(8b)E11
There are no new hardware features supported in Cisco IOS Release 12.1(8b)E11.
New Software Features in Cisco IOS Release 12.1(8b)E10
There are no new software features supported in Cisco IOS Release 12.1(8b)E10.
New Hardware Features in Cisco IOS Release 12.1(8b)E10
There are no new hardware features supported in Cisco IOS Release 12.1(8b)E10.
New Software Features in Cisco IOS Release 12.1(8b)E9
There are no new software features supported in Cisco IOS Release 12.1(8b)E9.
New Hardware Features in Cisco IOS Release 12.1(8b)E9
There are no new hardware features supported in Cisco IOS Release 12.1(8b)E9.
New Software Features in Cisco IOS Release 12.1(8a)E4
There are no new software features supported in Cisco IOS Release 12.1(8a)E4.
New Hardware Features in Cisco IOS Release 12.1(8a)E4
There are no new hardware features supported in Cisco IOS Release 12.1(8a)E4.
New Software Features in Cisco IOS Release 12.1(8a)E2
There are no new software features supported in Cisco IOS Release 12.1(8a)E2.
New Hardware Features in Cisco IOS Release 12.1(8a)E2
There are no new hardware features supported in Cisco IOS Release 12.1(8a)E2.
New Software Features in Cisco IOS Release 12.1(8a)E
The following new software features are supported in Cisco IOS Release 12.1(8a)E.
Enhanced Password Security - Phase I
Platforms: Cisco 7100 series router, Cisco 7200 routers, and Cisco 7500 series routers
Using the Enhanced Password Security feature, you can configure MD5 encryption for username passwords. Before the introduction of this feature there were two types of passwords associated with usernames. Type 0 is a clear text password visible to any user who has access to privileged mode on the router. Type 7 is a password with a weak, exclusive-or type encryption. Type 7 passwords can be retrieved from the encrypted text by using publicly available tools.
MD5 encryption is a one-way hash function that makes reversal of an encrypted password impossible, providing strong encryption protection. Using MD5 encryption, you cannot retrieve clear text passwords. MD5 encrypted passwords cannot be used with protocols that require that the clear text password be retrievable, such as Challenge Handshake Authentication Protocol (CHAP).
Use the username (secret) command to configure a user name and an associated MD5 encrypted secret.
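To find accounts that still use the weaker storage types described above, a saved configuration can be audited offline. The following Python sketch is an added example, not Cisco tooling: it classifies each `username` line as clear text (type 0), type 7, or MD5 secret (type 5) and reports the line and user without echoing the stored value. The sample configuration is constructed, the function and class names are hypothetical, and the pattern assumes only an optional `privilege` keyword before `password` or `secret`.

```python
import re
from dataclasses import dataclass
from typing import List

# Matches: username NAME [privilege N] {password|secret} [TYPE] VALUE
USERNAME_RE = re.compile(
    r"^username\s+(?P<user>\S+)(?:\s+privilege\s+\d+)?\s+"
    r"(?P<kind>password|secret)\s+(?:(?P<type>\d)\s+)?(?P<value>\S.*)$"
)

# (keyword, type digit) -> (storage label, weak?)
STORAGE = {
    ("password", None): ("cleartext", True),          # no type digit means type 0
    ("password", "0"): ("cleartext", True),
    ("password", "7"): ("type7-reversible", True),
    ("secret", "5"): ("md5-hash", False),
}


@dataclass(frozen=True)
class Finding:
    line: int        # 1-based line number in the configuration
    user: str
    storage: str
    weak: bool       # True when the stored value can be read or recovered


def audit(config_text: str) -> List[Finding]:
    """Classify every username credential; the stored value is never returned."""
    findings = []
    for number, raw in enumerate(config_text.splitlines(), start=1):
        match = USERNAME_RE.match(raw.strip())
        if not match:
            continue
        key = (match["kind"], match["type"])
        # Anything not in the table is flagged for manual review.
        storage, weak = STORAGE.get(key, ("unrecognized", True))
        findings.append(Finding(number, match["user"], storage, weak))
    return findings


def weak_users(config_text: str) -> List[str]:
    """Users whose credential should be re-entered with the secret keyword."""
    return [f.user for f in audit(config_text) if f.weak]


# Constructed sample configuration; the credential values are placeholders.
SAMPLE_CONFIG = """\
hostname edge-rtr
username admin secret 5 $1$EXMP$0000000000000000000000
username noc privilege 15 password 7 0000000000
username backup password 0 Constructed-Example
username legacy password PlainNoType
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        status = "WEAK" if f.weak else "ok"
        print(f"line {f.line}: {f.user:<8} {f.storage:<18} {status}")
```

Before converting a flagged account, check whether it is used for CHAP, since the text above notes that MD5 secrets cannot be used where the clear text password must be retrievable.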
IOS Server Load Balancing
Platforms: Cisco 7100 series router and Cisco 7200 routers
The IOS Server Load Balancing (SLB) feature is an IOS-based solution that provides IP server load balancing. Using the IOS SLB feature, you can define a virtual server that represents a group of real servers in a cluster of network servers known as a server farm. In this environment, the clients connect to the IP address of the virtual server. When a client initiates a connection to the virtual server, the IOS SLB function chooses a real server for the connection based on a configured load-balancing algorithm.
IOS SLB also provides firewall load balancing, which balances flows across a group of firewalls called a firewall farm.
MPLS Label Distribution Protocol
Platforms: Cisco 7200 routers and Cisco 7500 series routers
MPLS label distribution protocol (LDP), as standardized by the Internet Engineering Task Force (IETF) and as enabled by Cisco IOS software, allows the construction of highly scalable and flexible IP Virtual Private Networks (VPNs) that support multiple levels of services.
LDP provides a standard methodology for hop-by-hop, or dynamic label, distribution in an MPLS network by assigning labels to routes that have been chosen by the underlying Interior Gateway Protocol (IGP) routing protocols. The resulting labeled paths, called label switch paths or LSPs, forward label traffic across an MPLS backbone to particular destinations. These capabilities enable service providers to implement MPLS-based IP VPNs and IP+ATM services across multivendor MPLS networks.
LDP provides the means for label switching routers (LSRs) to request, distribute, and release label prefix binding information to peer routers in a network. LDP enables LSRs to discover potential peers and to establish LDP sessions with those peers for the purpose of exchanging label binding information.
From an historical and functional standpoint, LDP is a superset of Cisco's prestandard Tag Distribution Protocol (TDP), which also supports MPLS forwarding along normally routed paths. For those features that LDP and TDP share in common, the pattern of protocol exchanges between network routing platforms is identical. The differences between LDP and TDP for those features supported by both protocols are largely embedded in their respective implementation details, such as the encoding of protocol messages, for example.
This release of LDP, which supports both the LDP and TDP protocols, provides the means for transitioning an existing network from a TDP environment to an LDP environment. Thus, you can run LDP and TDP simultaneously on any router platform. The routing protocol that you select can be configured on a per-interface basis for directly connected neighbors and on a per-session basis for nondirectly connected (targeted) neighbors. In addition, a label switch path (LSP) across an MPLS network can be supported by LDP on some hops and by TDP on other hops.
New Hardware Features in Cisco IOS Release 12.1(8a)E
There are no new hardware features supported in Cisco IOS Release 12.1(8a)E.
New Software Features in Cisco IOS Release 12.1(7a)E6
There are no new software features supported in Cisco IOS Release 12.1(7a)E6.
New Hardware Features in Cisco IOS Release 12.1(7a)E6
There are no new hardware features supported in Cisco IOS Release 12.1(7a)E6.
New Software Features in Cisco IOS Release 12.1(7a)E1
There are no new software features supported in Cisco IOS Release 12.1(7a)E1.
New Hardware Features in Cisco IOS Release 12.1(7a)E1
There are no new hardware features supported in Cisco IOS Release 12.1(7a)E1.
New Software Features in Cisco IOS Release 12.1(7)E
The following new software features are supported by Cisco IOS Release 12.1(7)E:
Quality of Service Features for Parallel Express Forwarding (PXF)
Platform: Cisco 7200 VXR using a Network Services Engine (NSE)
The Modular Quality of Service Command-Line Interface (Modular QoS CLI) and many of the associated class-based QoS features are now available on PXF.
The following class-based QoS features are being introduced for PXF:
• Traffic Policing—the police command in policy map class configuration mode.
• Class-Based Weighted Fair Queueing (CBWFQ)—the bandwidth and fair-queue commands in policy map class configuration mode.
• Low Latency Queueing (LLQ)—the priority command used in policy map class configuration mode.
• Class-Based Weighted Random Early Detection (CBWRED) and Differentiated Services-Compliant Weighted Random Early Detection (DiffServ-Compliant WRED)—the random-detect command used simultaneously with the bandwidth command in policy map class configuration mode.
• Flow-Based Weighted Random Early Detection—the random-detect command used simultaneously with the bandwidth command in policy map class configuration mode.
• Class-Based Marking—the set command used in policy map class configuration mode. Class-Based Marking support is limited to 32 traffic classes per traffic policy, and the QoS group marking (set qos-group) is not supported.
The Committed Access Rate (CAR) feature configured to use an access list with rate-limiting policies (the access-list rate-limit command in interface configuration mode) is also now available on PXF. If you wish to rate-limit traffic without using an ACL, use the Modular QoS CLI to configure the Traffic Policing feature.
Because of the addition of the Modular QoS CLI, traditional WRED (the random-detect command in interface configuration mode) and Fair Queueing (the fair-queue command in interface configuration mode) are no longer configurable. If you would like to configure WRED or Fair Queueing, you can use the Modular QoS CLI to configure Class-Based WRED or Class-Based Weighted Fair Queueing on a per-class rather than a per-interface basis.
The Modular QoS CLI on PXF does not currently support the following match criteria that are available on other Modular QoS CLI-supported platforms:
• Destination address
• Input Interface
• Internet Protocol (IP) values
• Multi Protocol Label Switching (MPLS) values
• Protocol
• Quality of Service (QoS) group values
• Source address
For additional information on the Modular QoS CLI, see the Modular Quality of Service Command-Line Interface document.
SNMP Support for VLAN Subinterfaces
Platforms: Cisco 7200 series and Cisco 7500 series routers
The SNMP Support for VLAN Subinterfaces feature provides MIB-2 interfaces sparse table support for Fast Ethernet subinterfaces. This enhancement is similar to the functionality supported in Frame Relay subinterfaces.
New Hardware Features in Cisco IOS Release 12.1(7)E
The following new hardware feature is supported by Cisco IOS Release 12.1(7)E:
Multichannel STM-1 Port Adapter
Platforms: Cisco 7200 series and Cisco 7500 series routers
The PA-MC-STM-1 is a high-speed single-port multichannel STM-1 port adapter. You can configure the PA-MC-STM-1 as a multichannel E1/E0 STM-1 port. The PA-MC-STM-1 can be configured into 63 individual E1 links. Each E1 link can carry a single channel at full or fractional rates, or be broken down into multiple DS0 or Nx64 Kbps rates. The PA-MC-STM-1 supports up to three TUG-3/AU-3 transport slots numbered 1 through 3. You can configure each TUG-3/AU-3 to carry 21 SDH TU-12s. Each SDH TU-12 is capable of carrying a channelized E1 frame, which can be unchannelized to N*64 Kbps timeslots.
New Software Features in Cisco IOS Release 12.1(6)E11
There are no new software features supported in Cisco IOS Release 12.1(6)E11.
New Hardware Features in Cisco IOS Release 12.1(6)E11
There are no new hardware features supported in Cisco IOS Release 12.1(6)E11.
New Software Features in Cisco IOS Release 12.1(6)E10
There are no new software features supported in Cisco IOS Release 12.1(6)E10.
New Hardware Features in Cisco IOS Release 12.1(6)E10
There are no new hardware features supported in Cisco IOS Release 12.1(6)E10.
New Software Features in Cisco IOS Release 12.1(6)E9
There are no new software features supported in Cisco IOS Release 12.1(6)E9.
New Hardware Features in Cisco IOS Release 12.1(6)E9
There are no new hardware features supported in Cisco IOS Release 12.1(6)E9.
New Software Features in Cisco IOS Release 12.1(6)E8
There are no new software features supported in Cisco IOS Release 12.1(6)E8.
New Hardware Features in Cisco IOS Release 12.1(6)E8
There are no new hardware features supported in Cisco IOS Release 12.1(6)E8.
New Software Features in Cisco IOS Release 12.1(6)E3
There are no new software features supported in Cisco IOS Release 12.1(6)E3.
New Hardware Features in Cisco IOS Release 12.1(6)E3
There are no new hardware features supported in Cisco IOS Release 12.1(6)E3.
New Software Features in Cisco IOS Release 12.1(6)E2
There are no new software features supported in Cisco IOS Release 12.1(6)E2.
New Hardware Features in Cisco IOS Release 12.1(6)E2
There are no new hardware features supported in Cisco IOS Release 12.1(6)E2.
New Software Features in Cisco IOS Release 12.1(6)E
The following new software features are supported by Cisco IOS Release 12.1(6)E:
Distributed Network-Based Application Recognition
Platforms: Cisco 7500 series routers
Distributed Network-Based Application Recognition (dNBAR) introduces the existing NBAR feature on VIP-enabled Cisco 7500 series routers.
Networks often have difficulty identifying applications and, therefore, are unable to provide a proper level of support for an application.
Distributed Network-Based Application Recognition (dNBAR) solves this problem for VIP-enabled Cisco 7500 series routers by adding intelligent network classification to network infrastructures. dNBAR is a classification engine that recognizes a wide variety of applications, including web-based and other difficult-to-classify protocols that utilize dynamic TCP/UDP port assignments. When an application is recognized and classified by dNBAR, a network can invoke services for that specific application. dNBAR ensures that network bandwidth is used efficiently by working with QoS features to provide:
• Guaranteed bandwidth
• Bandwidth limits
• Traffic shaping
• Traffic policing
• Packet marking
dNBAR introduces several classification features for VIP-enabled Cisco 7500 series routers:
• Classification of applications that dynamically assign TCP/UDP port numbers
• Classification of HTTP traffic by URL, host, or MIME type
• Classification of Citrix ICA traffic by application name
• Classification of application traffic using subport information
dNBAR can also classify static port protocols. Although access control lists (ACLs) can also be used for this purpose, dNBAR is easier to configure and can provide classification statistics that are not available when using ACLs.
dNBAR provides a special Protocol Discovery feature that determines which application protocols are traversing a network at any given time. The Protocol Discovery feature captures key statistics associated with each protocol in a network. These statistics can be used to define traffic classes and QoS policies for each traffic class.
VPN Device Manager
Platforms: Cisco 7100 series and Cisco 7200 series routers
VPN Device Manager (VDM) software is installed directly onto Cisco VPN routers. It allows network administrators to use a web browser to manage and configure site-to-site VPNs on a single router. VDM implements a wizard-based graphical user interface (GUI) that allows simplified VPN configuration of the router on which it resides and peer-to-peer interfaces from that router to remote devices. VDM requires configuration of some Cisco IOS commands before it can be fully operational.
Note
In addition to having the relevant Cisco IOS image installed on your router, you must make sure the VDM client software has been preinstalled in the router Flash memory. If not, you must download it from Cisco.com. See Installation and Release Notes for VPN Device Manager 1.0 for details on completing this task. See the VPN Device Manager index for further information: http://www.cisco.com/warp/public/cc/pd/nemnsw/vpdvmn/
VDM also monitors general system statistics and router health information such as tunnel throughput and errors. The graphing capability allows comparison of such parameters as traffic volume, tunnel counts, and system utilization.
VDM supports site-to-site VPNs. Its step-by-step wizards simplify the configuration of common VPN setups, interfaces, and policies, including:
• IPSec tunnels
• Preshared keys and Internet Key Exchange (IKE) policies
New Hardware Features in Cisco IOS Release 12.1(6)E
There are no new hardware features supported in Cisco IOS Release 12.1(6)E.
New Software Features in Cisco IOS Release 12.1(5c)E12
There are no new software features supported in Cisco IOS Release 12.1(5c)E12.
New Hardware Features in Cisco IOS Release 12.1(5c)E12
There are no new hardware features supported in Cisco IOS Release 12.1(5c)E12.
New Software Features in Cisco IOS Release 12.1(5c)E11
There are no new software features supported in Cisco IOS Release 12.1(5c)E11.
New Hardware Features in Cisco IOS Release 12.1(5c)E11
There are no new hardware features supported in Cisco IOS Release 12.1(5c)E11.
New Software Features in Cisco IOS Release 12.1(5c)E10
There are no new software features supported in Cisco IOS Release 12.1(5c)E10.
New Hardware Features in Cisco IOS Release 12.1(5c)E10
There are no new hardware features supported in Cisco IOS Release 12.1(5c)E10.
New Software Features in Cisco IOS Release 12.1(5c)E9
There are no new software features supported in Cisco IOS Release 12.1(5c)E9.
New Hardware Features in Cisco IOS Release 12.1(5c)E9
There are no new hardware features supported in Cisco IOS Release 12.1(5c)E9.
New Software Features in Cisco IOS Release 12.1(5c)E8
There are no new software features supported in Cisco IOS Release 12.1(5c)E8.
New Hardware Features in Cisco IOS Release 12.1(5c)E8
There are no new hardware features supported in Cisco IOS Release 12.1(5c)E8.
New Software Features in Cisco IOS Release 12.1(5a)E4
There are no new software features supported in Cisco IOS Release 12.1(5a)E4.
New Hardware Features in Cisco IOS Release 12.1(5a)E4
There are no new hardware features supported in Cisco IOS Release 12.1(5a)E4.
New Software Features in Cisco IOS Release 12.1(5a)E2
There are no new software features supported in Cisco IOS Release 12.1(5a)E2.
New Hardware Features in Cisco IOS Release 12.1(5a)E2
There are no new hardware features supported in Cisco IOS Release 12.1(5a)E2.
New Software Features in Cisco IOS Release 12.1(5a)E1
There are no new software features supported in Cisco IOS Release 12.1(5a)E1.
New Hardware Features in Cisco IOS Release 12.1(5a)E1
There are no new hardware features supported in Cisco IOS Release 12.1(5a)E1.
New Software Features in Cisco IOS Release 12.1(5a)E
The following new software features are supported by Cisco IOS Release 12.1(5a)E:
Cisco 7500 Single Line Card Reload
Platforms: Cisco 7500 series routers
Before the introduction of the Cisco 7500 Single Line Card Reload feature, the only method of correcting a line card hardware failure or a severe software error for one line card on a Cisco 7500 series router required the execution of a CBus Complex, a process that reloads every line card on the network backplane. The time it takes to complete the CBus Complex is often inconvenient, and no network traffic can be routed or switched during the CBus Complex process.
The Cisco 7500 Single Line Card Reload feature allows users to correct a line card failure on a Cisco 7500 series router by reloading the failed line card without reloading any other line cards on the network backplane. During the single line card reload process, all physical lines and routing protocols on the other line cards of the network backplane remain active. A single line card reload is also significantly faster than the CBus Complex process.
The Cisco 7500 Single Line Card Reload feature works on all rsp images for all Cisco IOS releases that support the Cisco 7500 Single Line Card Reload feature.
DiffServ Compliant Weighted Random Early Detection
Platforms: Cisco 7500 series routers
The DiffServ Compliant Weighted Random Early Detection feature enables Weighted Random Early Detection (WRED) to use the differentiated services code point (DSCP) value when it calculates the drop probability for a packet. The DSCP value is the first six bits of the IP type of service (ToS) byte.
The DiffServ Compliant Weighted Random Early Detection feature was originally released on Cisco IOS Release 12.1(5)T.
Multi-ISA
Platforms: Cisco 7200 series routers
The Multi-ISA feature allows a Cisco IOS router to accommodate more than one hardware crypto engine. With this feature, users can increase the capacity of their routers with multiple Integrated Services Adapters (ISAs) and Integrated Services Modules (ISMs).
ISAs are used on Cisco 7200 routers and ISMs are used on Cisco 7100 routers. Hereafter, unless otherwise noted, the term "ISA" denotes Integrated Services Adapters and Integrated Services Modules.
The multi-ISA layer provides a single interface, which Cisco IOS software can use to send commands to different hardware crypto engines. The multi-ISA layer accepts all commands and packets on behalf of all underlying hardware crypto engines; it distributes all commands and packets in a predefined manner. That is, when you request an Internet Key Exchange Security Association (IKE SA) session, the multi-ISA layer determines which hardware crypto engine contains fewer IKE SAs, and it assigns the next session to the hardware crypto engine that has fewer IKE SAs.
When your router has only one ISA in an active state, all IKE and IPSec SA sessions go to this one ISA. Once you have inserted the second ISA into your router and it becomes active, subsequent IKE SAs will flow to the second ISA until the first and second ISAs have an equal number of IKE SA sessions. For example, if ISA-1 has 10 IKE sessions, and then ISA-2 becomes active, the router sends the next IKE sessions, 11 through 20, to ISA-2. Thereafter, the multi-ISA layer maintains a balance of IKE SA sessions on both ISAs.
Note
The second ISA becomes active through online insertion and removal (OIR) or micro reload.
Your system should contain at least 128 megabytes of memory to run a single ISA and 256 megabytes of memory to run two ISAs. You need more than 128 megabytes of memory to cross 2,000 bi-directional IPSec tunnels.
Note
All tunnel references in this document are defined as bi-directional IPSec tunnels.
Keepalives are needed to achieve failover in your router. If you turn on keepalives, you cannot exceed 500 tunnels because of current IKE keepalive limitations in the Cisco IOS software.
Note
This restriction will be lifted in a future release.
PA-MC-2T3+Phase-II (T3 Subrate)
Platforms: Cisco 7200 series and Cisco 7500 series routers
The PA-MC-2T3+ is a single-width port adapter that provides two T3 interface connections. Each T3 interface can now be independently configured to be either channelized or unchannelized. A channelized T3 provides 28 T1 lines multiplexed into the T3. Each T1 line can be configured into one or more serial interface data channels.
Using the no channelized command, you can configure the T3 as a single, unchannelized serial interface data channel. You can configure this data channel to use all of the T3 bandwidth or a portion of it.
Transparent Webcache Load Balancing
Platforms: Cisco 7100 series, Cisco 7200 series, and Cisco 7500 series routers
You can use IOS Server Load Balancing (SLB) to load balance transparent webcaches if you know the IP addresses they are serving. Simply configure the IP addresses, or some common subset of them, as virtual servers.
A webcache can start its own connections to real websites if pages are not available in its cache. Those connections cannot be load balanced back to the same set of webcaches. IOS SLB addresses this by allowing you to configure "client exclude" statements, so that IOS SLB does not load balance connections initiated by the webcaches.
IOS SLB firewall load balancing does not support transparent webcache load balancing.
Wireless Application Protocol (WAP) Load Balancing
Platforms: Cisco 7200 series routers
You can use IOS SLB to load balance a group of Wireless Application Protocol (WAP) gateways or content servers on an IP bearer network. WAP load balancing requires a WAP virtual server configured on one of the WAP ports (9200, 9201, 9202, or 9203). IOS SLB uses Wireless Session Protocol (WSP) probes, which you can configure to verify the presence of each real server, to detect WAP server failures.
New Hardware Features in Cisco IOS Release 12.1(5a)E
The following new hardware features are supported by Cisco IOS Release 12.1(5a)E:
PA-2FE
Platforms: Cisco 7100 series, Cisco 7200 series, and Cisco 7500 series routers
The PA-2FE is a single-wide port adapter for the Cisco 7100, Cisco 7200, and Cisco 7500/VIP platforms. It provides two 10/100-Mbps, 10/100BaseT Fast Ethernet/ISL interfaces, and supports both full-duplex and half-duplex operation.
The PA-2FE is available in two variants: a copper, dual port 100BASE-TX version with 100BASET, half/full duplex, over Category 5, and unshielded twisted-pair (PA-2FE-TX) and a fiber, dual port 100BASE-FX version with 100BASET, half/full duplex, over multimode optical fiber (PA-2FE-FX).
PA-MC-4T1 and PA-MC-8T1
Platform: Cisco 7100 series
The multichannel DS1/PRI port adapters (PA-MC-4T1 and PA-MC-8T1 versions) are now available on Cisco 7100 series routers. The PA-MC-4T1 and PA-MC-8T1 are single-wide modules that integrate channel service unit (CSU) functionality, data service unit (DSU) functionality, and DS0 channel support into the Cisco router.
The PA-8DSX1 version integrates DS1 data service unit (DSU) functionality and DS0 channel support into the Cisco router.
For more information about the multichannel DS1/PRI port adapter, see the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/cable/cab_rout/cfig_nts/4815ds1p/index.htm
PA-MC-8E1
Platform: Cisco 7100 series routers
The multichannel E1/PRI port adapter (PA-MC-8E1 version) is now available on Cisco 7100 series routers. The PA-MC-8E1 integrates data service unit (DSU) functionality and E1 channel support into the Cisco router.
The PA-MC-8E1 provides eight independent E1 (120-ohm) connections via RJ-48C connectors and up to 128 separate full-duplex High-Level Data Link Control (HDLC) channelized E1, fractional E1, full E1, or unframed E1 interfaces. The PA-MC-8E1 can also provide up to 62 separate full-duplex HDLC channelized E1, fractional E1, full E1, or unframed E1 interfaces.
For more information about the PA-MC-8E1 port adapter, see the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/cable/cab_rout/cfig_nts/5083e1p/index.htm
New Software Features in Cisco IOS Release 12.1(4)E3
There are no new software features supported in Cisco IOS Release 12.1(4)E3.
New Hardware Features in Cisco IOS Release 12.1(4)E3
There are no new hardware features supported in Cisco IOS Release 12.1(4)E3.
New Software Features in Cisco IOS Release 12.1(4)E
The following new software features are supported by Cisco IOS Release 12.1(4)E:
IPSec MIB
Platforms: Cisco 7100 series and Cisco 7200 series routers
Using the IPSec MIB feature you can configure and monitor IP Security (IPSec), MIB tunnel tables, and trap notifications using Simple Network Management Protocol (SNMP).
With the IPSec MIB feature you can specify the desired size of a tunnel history table or a tunnel failure table. The history table archives attribute and statistic information about the tunnel; the failure table archives tunnel failures including the time of the failures. A failure history table can be used to distinguish between a normal and an abnormal tunnel termination. That is, if a tunnel entry in the tunnel history table has no associated failure record, the tunnel must have terminated normally. However, a tunnel history table does not accompany every failure table because every failure does not correspond to a tunnel. Thus, supported setup failures are recorded in the failure table, but an associated history table is not recorded because a tunnel was never set up.
This feature also allows a router to send MIB-related IPSec trap notifications to a random or specified host. A trap notification may be sent when a particular event, such as an error, occurs.
Note
Traps are not supported in the current version of the MIB. They only pertain to the IOS-specific IPSec MIB.
The IPSec MIB feature is used in conjunction with an SNMP agent, which is based on version 1 of the SNMP protocol. The SNMP agent implements the IPSec MIB subsystem. With the IPSec MIB feature you can adjust tunnel tables and enable IPSec trap notifications, thereby enhancing the SNMP agent process.
Express RTP Header Compression
Platforms: Cisco 7100 series routers
Before Cisco IOS Release 12.0(7)T, if compression of Real-Time Transport Protocol (RTP) headers was enabled, compression was performed in the process-switched path. That meant that packets traversing interfaces that had RTP header compression enabled were queued and passed up to the process to be switched. This procedure slowed down transmission of the packet, and therefore some users preferred to fast switch uncompressed RTP packets.
Now, if RTP header compression is enabled, it occurs by default in the fast-switched path or the Cisco Express Forwarding-switched (CEF-switched) path, depending on which switching method is enabled on the interface. Furthermore, the number of RTP header compression connections was increased to 1000 connections each. If neither fast switching nor CEF switching is enabled, and if RTP header compression is enabled, compression will occur in the process-switched path as before.
Turbo Access Control Lists
Platforms: Cisco 7100 series, Cisco 7200 series, and Cisco 7500 series routers
The Turbo Access Control List (ACL) feature is now available on the Cisco 7100 series routers.
ACLs are normally searched sequentially to find a matching rule, and ACLs are ordered specifically to take this factor into account. Because of the increasing needs and requirements for security filtering and packet classification, ACLs can expand to the point that searching the ACL adds a significant amount of time and memory when packets are being forwarded. Moreover, the time taken by the router to search the list is not always consistent, adding a variable latency to the packet forwarding. A high CPU load is necessary for searching an ACL with several entries.
The Turbo ACL feature compiles the ACLs into a set of lookup tables, while maintaining the first match requirements. Packet headers are used to access these tables in a small, fixed number of lookups, independently of the existing number of ACL entries. The following are benefits of this feature:
• For ACLs larger than three entries, the CPU load required to match the packet to the predetermined packet-matching rule is lessened. The CPU load is fixed, regardless of the size of the ACL, allowing for larger ACLs without incurring any CPU overhead penalties. The larger the ACL, the greater the benefit.
• The time taken to match the packet is fixed, so that latency of the packets is smaller (significantly in the case of large ACLs) and more importantly, consistent, providing better network stability and more accurate transit times.
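The compile-then-lookup idea described above, as an added Python illustration (not Cisco's Turbo ACL implementation and not code from these release notes): each header chunk indexes a precomputed table of rule bitmaps, the bitmaps are ANDed, and the lowest set bit is the first matching rule. The rule set, the addresses and every function name are constructed for the example; in this sketch the bitmap width grows with the ACL, while the number of table lookups per packet stays at six.

```python
import ipaddress
from typing import NamedTuple, Optional


class Rule(NamedTuple):
    action: str            # "permit" or "deny"
    proto: Optional[int]   # IP protocol number; None matches any protocol
    src: str               # source prefix (CIDR)
    dst: str               # destination prefix (CIDR)
    dports: tuple          # inclusive (low, high) destination port range


class Packet(NamedTuple):
    proto: int
    src: str
    dst: str
    dport: int


# Constructed sample ACL using documentation address ranges (RFC 5737).
SAMPLE_ACL = [
    Rule("deny",   6,    "0.0.0.0/0",       "192.0.2.10/32", (23, 23)),
    Rule("permit", 6,    "198.51.100.0/24", "192.0.2.0/24",  (22, 23)),
    Rule("permit", 17,   "0.0.0.0/0",       "192.0.2.53/32", (53, 53)),
    Rule("deny",   None, "203.0.113.0/24",  "0.0.0.0/0",     (0, 65535)),
    Rule("permit", 6,    "0.0.0.0/0",       "192.0.2.0/24",  (80, 443)),
]

# Header chunks: src high/low 16 bits, dst high/low 16 bits, protocol, dst port.
CHUNK_SIZES = (65536, 65536, 65536, 65536, 256, 65536)


def sequential_match(acl, pkt):
    """Reference behaviour: walk the list top-down, first matching rule wins."""
    for index, rule in enumerate(acl):
        if rule.proto is not None and rule.proto != pkt.proto:
            continue
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
            continue
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
            continue
        if not rule.dports[0] <= pkt.dport <= rule.dports[1]:
            continue
        return index, rule.action
    return None, "deny"  # implicit deny at the end of an ACL


def _chunk_tests(rule):
    """One predicate per header chunk: does this rule accept the chunk value?"""
    src, dst = ipaddress.ip_network(rule.src), ipaddress.ip_network(rule.dst)
    s_net, s_mask = int(src.network_address), int(src.netmask)
    d_net, d_mask = int(dst.network_address), int(dst.netmask)
    low, high = rule.dports
    # A contiguous prefix mask splits cleanly into two 16-bit halves, so the
    # full 32-bit match equals the AND of the two half matches.
    return (
        lambda v: (v & (s_mask >> 16)) == (s_net >> 16),
        lambda v: (v & (s_mask & 0xFFFF)) == (s_net & 0xFFFF),
        lambda v: (v & (d_mask >> 16)) == (d_net >> 16),
        lambda v: (v & (d_mask & 0xFFFF)) == (d_net & 0xFFFF),
        lambda v: rule.proto is None or v == rule.proto,
        lambda v: low <= v <= high,
    )


def compile_acl(acl):
    """Build one table per chunk: table[value] = bitmap of rules accepting it."""
    tests = [_chunk_tests(rule) for rule in acl]
    tables = []
    for chunk, size in enumerate(CHUNK_SIZES):
        table = [0] * size
        for bit, rule_tests in enumerate(tests):
            accepts = rule_tests[chunk]
            for value in range(size):
                if accepts(value):
                    table[value] |= 1 << bit  # bit position = rule order
        tables.append(table)
    return tables


def compiled_match(tables, acl, pkt):
    """Six table lookups and an AND, whatever the length of the ACL."""
    s = int(ipaddress.ip_address(pkt.src))
    d = int(ipaddress.ip_address(pkt.dst))
    keys = (s >> 16, s & 0xFFFF, d >> 16, d & 0xFFFF, pkt.proto, pkt.dport)
    hits = -1  # all bits set
    for table, key in zip(tables, keys):
        hits &= table[key]
    if hits == 0:
        return None, "deny"  # no rule matched: implicit deny
    first = (hits & -hits).bit_length() - 1  # lowest set bit = first match
    return first, acl[first].action


if __name__ == "__main__":
    compiled = compile_acl(SAMPLE_ACL)
    probe = Packet(6, "198.51.100.7", "192.0.2.10", 23)  # constructed packet
    print("sequential:", sequential_match(SAMPLE_ACL, probe))
    print("compiled:  ", compiled_match(compiled, SAMPLE_ACL, probe))
```

The probe packet matches both rule 0 and rule 1; taking the lowest set bit is what preserves the first-match requirement the feature description calls out.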
New Hardware Features in Cisco IOS Release 12.1(4)E
The following new hardware features are supported by Cisco IOS Release 12.1(4)E:
PA-POS-OC3 Packet OC-3 Port Adapter
Platforms: Cisco 7100 series, Cisco 7200 series, and Cisco 7500 series routers
The Packet-over-SONET OC-3 port adapters (PA-POS-OC3SML, PA-POS-OC-3SMI, and PA-POS-OC-3MM) are now available on Cisco 7100 series routers. The POSIP and POS OC-3 provide a single 155.520-Mbps, OC-3 physical layer interface for packet-based traffic. This OC-3 interface is fully compatible with SONET and Synchronous Digital Hierarchy (SDH) network facilities and is compliant with RFC 1619, "PPP over SONET/SDH," and RFC 1662, "PPP in HDLC-like Framing." The Packet-over-SONET specification is primarily concerned with the use of the PPP encapsulation over SONET/SDH links.
For more information on the PA-POS-OC3 port adapter, refer to the PA-POS-OC3 Packet OC-3 Port Adapter Installation and Configuration publication that accompanies the hardware.
Gigabit Ethernet Port Adapter
Platforms: Cisco 7100 series and Cisco 7200 VXR series routers
The Gigabit Ethernet Port Adapter (GEPA) is now supported on the Cisco 7100 series router. The GEPA is a single-port fixed port adapter that, when combined with the appropriate optical fiber cable, provides one 1000-Mbps Gigabit Ethernet interface that complies with IEEE 802.3z specifications. The Gigabit Ethernet interface operates in full-duplex mode at 1000 Mbps for transmit (TX) and receive (RX) directions.
PA-MC-2E1
Platforms: Cisco 7100 series, Cisco 7200 series, and Cisco 7500 series routers
The multichannel E1/PRI port adapters (PA-MC-2E1 and PA-MC-8E1) are now supported on the Cisco 7100 series routers. The PA-MC-2E1 and PA-MC-8E1 integrate data service unit (DSU) functionality and E1 channel support into the Cisco router. The PA-MC-2E1 or PA-MC-8E1 port adapter provides two or eight independent E1 (120-ohm) connections via RJ-48C connectors. The PA-MC-8E1 port adapter can provide up to 128 separate full-duplex High-Level Data Link Control (HDLC) channelized E1, fractional E1, full E1, or unframed E1 interfaces and the PA-MC-2E1 port adapter can provide up to 62 separate full-duplex HDLC channelized E1, fractional E1, full E1, or unframed E1 interfaces.
PA-MC-2T1
Platforms: Cisco 7100 series, Cisco 7200 series, and Cisco 7500 series routers
The multichannel DS1/PRI port adapter (PA-MC-2T1, PA-MC-4T1, and PA-MC-8T1 versions) is now supported on the Cisco 7100 series routers. The PA-MC-2T1, PA-MC-4T1, and PA-MC-8T1 provide a single-wide module that integrates channel service unit (CSU) functionality, data service unit (DSU) functionality, and DS0 channel support into the Cisco router. The PA-8DSX-1 version integrates DS1 data service unit (DSU) functionality and DS0 channel support into the Cisco router.
New Software Features in Cisco IOS Release 12.1(3a)E8
There are no new software features supported in Cisco IOS Release 12.1(3a)E8.
New Hardware Features in Cisco IOS Release 12.1(3a)E8
There are no new hardware features supported in Cisco IOS Release 12.1(3a)E8.
New Software Features in Cisco IOS Release 12.1(3a)E7
There are no new software features supported in Cisco IOS Release 12.1(3a)E7.
New Hardware Features in Cisco IOS Release 12.1(3a)E7
There are no new hardware features supported in Cisco IOS Release 12.1(3a)E7.
New Software Features in Cisco IOS Release 12.1(3a)E5
There are no new software features supported in Cisco IOS Release 12.1(3a)E5.
New Hardware Features in Cisco IOS Release 12.1(3a)E5
There are no new hardware features supported in Cisco IOS Release 12.1(3a)E5.
New Software Features in Cisco IOS Release 12.1(3a)E4
There are no new software features supported in Cisco IOS Release 12.1(3a)E4.
New Hardware Features in Cisco IOS Release 12.1(3a)E4
There are no new hardware features supported in Cisco IOS Release 12.1(3a)E4.
New Software Features in Cisco IOS Release 12.1(3a)E1
There are no new software features supported in Cisco IOS Release 12.1(3a)E1.
New Hardware Features in Cisco IOS Release 12.1(3a)E1
There are no new hardware features supported in Cisco IOS Release 12.1(3a)E1.
New Software Features in Cisco IOS Release 12.1(3a)E
The following new software features are supported by Cisco IOS Release 12.1(3a)E:
Cisco Quality of Service Device Manager 1.2
Platforms: Cisco 7100 series, Cisco 7200 series, and VIP-enabled 7500 series routers
Cisco Quality of Service Device Manager (QDM) is a web-based Java application through which you can configure and monitor advanced IP-based quality of service (QoS) functionality within Cisco routers.
QDM 1.2 is available as a separate product download and is free of charge.
For more information on QDM, see the Release and Installation Notes for Cisco Quality of Service Device Manager 1.2 on Cisco.com and on the Documentation CD-ROM.
Server Load Balancing Enhancements
Platforms: Cisco 7200 series routers
Ping Probes
Server Load Balancing now supports ping probes, in addition to HTTP probes. Probes are a simple way to verify connectivity for devices being server load balanced, for firewalls being firewall load balanced, and even devices on the other side of a firewall.
Firewall Load Balancing
Firewall load balancing enables IOS SLB to balance flows to firewalls regardless of whether or not any server load balancing is used. Firewall load balancing uses a load balancing device on each side of a group of firewalls (called a firewall farm) to ensure that the traffic for each related flow goes to the same firewall, ensuring that the security policy is not compromised.
New Hardware Features in Cisco IOS Release 12.1(3a)E
The following new hardware features are supported by Cisco IOS Release 12.1(3a)E:
Cisco 7200-I/O-GE+E and Cisco 7200-I/O-2FE/E Input/Output Controllers
Platform: Cisco 7200 VXR routers
The Cisco 7200-I/O-GE+E is an input/output controller that provides one Gigabit Ethernet Port and one Ethernet port. It is equipped with a GBIC receptacle for 1000-Mbps operation and an RJ-45 receptacle for 10-Mbps operation.
The Cisco 7200-I/O-2FE/E is an input/output controller that provides two autosensing Ethernet or Fast Ethernet ports and two RJ-45 receptacles for 10/100-Mbps operation.
I/O controllers support the following features:
• Dual EIA/TIA-232 channels for local console and auxiliary ports
• NVRAM for storing the system configuration and environmental monitoring logs
• Two PC card slots that hold Flash disks or Flash memory cards for storing the default Cisco IOS software image
• Flash memory for storing the boot helper image
• Two environmental sensors for monitoring the cooling air as it enters and leaves the chassis
Enhanced Gigabit Ethernet Interface Processor
Platform: Cisco 7500 series routers
The Enhanced Gigabit Ethernet Interface Processor (GEIP+) dual-wide port adapter provides enhanced data throughput compared to the GEIP for high density environments.
Gigabit Ethernet (GE) continues to be the choice media for both Enterprise backbone and ISP intra-POP interconnects. The GEIP+ supplies the high-throughput solution for integrating Cisco 7500 series routers into GE infrastructures. The GEIP+ supports the following features:
• Applicable IEEE 802.3z standards; full-duplex operation only
• IEEE 802.3x flow control
• Layer 3 distributed services, including Route Processor (RP) Cisco Express Forwarding (CEF) switching, fast switching, flow switching, and Committed Access Rate (CAR)
• IEEE 802.1Q frames (in tagged or untagged modes)
• Maximum transmission unit (MTU) of 4,476 bytes
• Ethernet Inter-Switch Link (ISL) encapsulation
• Online insertion and removal of the GEIP+ and the Gigabit Interface Converter (GBIC)
• Support for 1000BaseSX (short wavelength=850 nm), 1000BaseLX (long wavelength=1300 nm), and Long-Haul (long wavelength=1300 nm) operation by way of GBICs
NPE-400
Platform: Cisco 7200 VXR routers
The NPE-400 is a new version of network processing engine for Cisco 7200 VXR routers with the following enhancements:
• RM7000 microprocessor that operates at an internal clock speed of 350 MHz
• Up to 512 MB ECC SDRAM
• 100 MHz SysAD and memory bus speed
• 4-MB Layer 3 cache
The NPE-400 leverages technology from the NPE-225 and NSE-1 to provide a higher performance NPE card.
PA-A3-OC12
Platforms: Cisco 7500 series routers
The PA-A3-OC12 port adapter is a standards-based SONET/SDH OC12c/STM-4 622.08-Mbps ATM port adapter for the VIP4 in Cisco 7500 series routers. The PA-A3-OC12 port adapter is a high-speed ATM uplink for connectivity from the Cisco 7500 series routers to any ATM switch, including the Cisco LightStream 1010, Cisco 8500, and StrataCom BPX.
The ATM PA-A3-OC12 is designed with a high-performance, dual segmentation and reassembly (SAR) architecture with local buffer memory. The ATM PA-A3 supports the latest ATM hardware features such as per-virtual connection (VC) traffic shaping and Virtual Path (VP) traffic shaping, support for ATM service classes such as variable bit rate-non real-time (VBR-nrt) and unspecified bit rate (UBR), and support of 4096 ATM VCs.
The primary applications of the PA-A3-OC12 are:
• Intra-Pop Aggregation
• Metro
• LAN Emulation over ATM (LANE)
• WAN Aggregation
The PA-A3-OC12 supports the following features:
• RFC 1483 support for multiple encapsulations over ATM
• RFC 1577 support for routing over ATM
• ATM service classes: UBR and VBR-nrt
• ATM Forum UNI 3.0, UNI 3.1, and UNI 4.0
• Supports AAL5 ATM adaptation layer
• Up to 4096 simultaneous Virtual Circuits (VCs)
• Layer 2 per-VC and per-VP queuing and traffic shaping
• ATM PVCs and SVCs
• LANE 2.0 client and server
• F4 and F5 operations, administration, and maintenance (OAM) cell support
• Multiprotocol over Asynchronous Transfer Mode (MPOA) client and server
• MPLS, MPLS Traffic Engineering, MPLS-VPN, MPLS-COS
• PPP over ATM
• Interim Local Management Interface (ILMI)
VIP4
Platforms: Cisco 7500 series routers
The VIP4 is the fourth generation of Versatile Interface Processors for use with Cisco 7000 series routers using the Cisco 7000 Series Route Switch Processor (RSP7000) and Cisco 7000 Series Chassis Interface (RSP7000CI) with Cisco 7500 series routers (which also include the Cisco 7507-MX and Cisco 7513-MX routers). The VIP4 installs in the interface processor slots in your Cisco 7000 series or Cisco 7500 series router.
For more information, see the data sheet located on Cisco.com at: http://www.cisco.com/warp/public/cc/pd/ifaa/ifsw/vrifpz/prodlit/vip4_ds.htm
For VIP4 installation and configuration information see the VIP4 Installation and Configuration guide located on Cisco.com at: http://www.cisco.com/univercd/cc/td/doc/product/core/cis7505/vip1/vip4/
New Software Features in Cisco IOS Release 12.1(2)E2
There are no new software features supported in Cisco IOS Release 12.1(2)E2.
New Hardware Features in Cisco IOS Release 12.1(2)E2
There are no new hardware features supported in Cisco IOS Release 12.1(2)E2.
New Features in Cisco IOS Release 12.1(2)E1
Cisco IOS Release 12.1(2)E1 does not include support for any new software or hardware features. Cisco IOS Release 12.1(2)E1 incorporates fixes for the following caveats:
• CSCdr41538
• CSCdr60615
• CSCdr61042
For more information, see the "Caveats" section.
New Software Features in Cisco IOS Release 12.1(2)E
The following new software features are supported by Cisco IOS Release 12.1(2)E:
Class-Based Quality of Service Management Information Base
Platforms: Cisco 7200 series and Cisco 7500 series routers
The Class-Based Quality of Service Management Information Base (Class-Based QoS MIB) provides read access to QoS configurations. This MIB also provides QoS statistics information based on the Modular QoS CLI, including information regarding class map and policy map parameters.
This Class-Based QoS MIB is actually two MIBs: CISCO-CLASS-BASED-QOS-MIB and CISCO-CLASS-BASED-QOS-CAPABILITY-MIB.
Use the Cisco Network Management Toolkit for the MIBs tool on Cisco.com to locate MIBs.
Local-Area Network Emulation Quality of Service
Platforms: Cisco 7200 series and Cisco 7500 series routers
The Local-Area Network Emulation (LANE) Quality of Service (QoS) feature provides the capability to differentiate multiple classes of traffic by creating virtual channel connections (VCCs) with the desired QoS parameters. When prioritized traffic is received, the LANE Client (LEC) forwards this traffic on a VCC with matching QoS parameters.
Currently, LANE QoS supports the creation of Unspecified Bit Rate+ (UBR+) VCCs. A UBR+ VCC is a UBR VCC for which the minimum cell rate (MCR) is guaranteed by the switch. If the switch cannot guarantee the rate you have specified for the UBR+ VCC, the LEC will revert to UBR with no MCR guarantee.
You can enable or disable the LANE QoS feature on a per-LEC basis by entering the qos option in the lane client command. The same emulated LAN (ELAN) can contain both QoS-capable and non-QoS-capable LECs.
Low Latency Queuing for the VIP Enhancement
Platform: Cisco 7500 series routers
The optional bytes argument has been added to the priority command.
For more information on Low Latency Queuing for the VIP, including information on the bytes argument in the priority command, see the Low Latency Queuing for the Versatile Interface Processor document on Cisco.com and the Documentation CD-ROM.
NBAR Enhancements
Platforms: Cisco 7100 series and Cisco 7200 series routers
Network-Based Application Recognition (NBAR) has added the following enhancements for Cisco IOS Release 12.1(2)E:
• Support for Citrix including matching on Citrix application name
• Support for Novadigm and Printer protocols
Cisco Quality of Service Device Manager 1.1 Support
Platforms: Cisco 7100 series, Cisco 7200 series, and VIP-enabled 7500 series routers
Cisco IOS Release 12.1(2)E supports Cisco Quality of Service Device Manager (QDM) 1.1. QDM is a web-based Java application with which you can configure and monitor advanced IP-based quality of service (QoS) functionality within Cisco routers.
QDM 1.1 is available as a separate product download and is free of charge.
For information on QDM, see the Release and Installation Notes for Cisco Quality of Service Device Manager 1.0 on Cisco.com and the Documentation CD-ROM.
SLB Enhancements
Platform: Cisco 7200 series routers
The Cisco IOS Server Load Balancing (SLB) feature contains the following enhancements in Cisco IOS Release 12.1(2)E:
Client NAT
If multiple load balancing devices are used, replacing the client IP address with an IP address associated with the load balancer will result in proper routing of outbound traffic to the correct load balancer. Client Network Address Translation (NAT) also requires that the ephemeral client port be modified because many clients can use the same ephemeral port. This is important so that server NAT can be performed on the packet and important protocol events (such as TCP SYN, FIN, or RST) are seen by the load balancer connection finite state machine. Even in cases where multiple load balancers are not used, client NAT can be useful to ensure that packets from load-balanced connections are not routed around the load balancer.
Note
The same connection supports server NAT and client NAT.
HTTP Probe
HTTP probe provides a simple way to monitor the applications being load balanced. With frequent probes, operation of the application is verified, not just connectivity to the application. The basic function of HTTP probe is to determine the real server status by issuing an HTTP GET or HTTP POST against each real server in a server farm.
Because multiple virtual servers could use a single server farm, all virtual servers tied to that server farm are probed, and if a real server failed for one virtual server, it must be failed for all virtual servers using that real server. If multiple probes detect the failure of a real server, all virtual servers must agree that the real server is recovered before that real server is restored to inservice.
Currently only one probe per server farm is allowed.
Stateful Backup
IOS SLB could represent a point of failure and the servers could lose their connections to the backbone if power fails, or if a link from a switch to the distribution-layer switch is disconnected. IOS SLB supports two redundancy options you can use to reduce that risk: Hot Standby Router Protocol (HSRP) and stateful backup. Stateful backup enables SLB to incrementally back up its load balancing decisions, or "keep state," between primary and backup Layer 3 switches.
MIB Support of SLB
The CISCO-SLB-MIB now supports the SLB feature.
VIP-Based FRF.11/12 (dFRF.11/12)
Platform: Cisco 7500 series routers
The Voice over Frame Relay (VoFR) capabilities that were introduced on the Cisco MC3810 multiservice access concentrator beginning with Cisco IOS Release 11.3 were eventually extended to the Cisco 2600 series, Cisco 3600 series, and Cisco 7200 series router platforms. These capabilities are now available for Cisco 7500 series routers (with a VIP).
When VoFR is configured on a Cisco router, the router is able to carry voice traffic such as telephone calls and faxes over a Frame Relay network.
The Cisco implementation of Voice over Frame Relay provides the following benefits to existing Frame Relay networks:
• Enables real-time, delay-sensitive voice traffic to be carried over slow Frame Relay links
• Enables dedicated 64-kbps Time-Division Multiplexing (TDM) telephony circuits to be replaced by more economical Frame Relay permanent virtual circuits
• Enables voice-enabled routers from multiple remote sites to be multiplexed into a central site router through Frame Relay links
• Utilizes voice compression technology that conforms to ITU-T specifications
• Enables Cisco 7500 series routers with a VIP to support Frame Relay fragmentation
• Enables intelligent setup of proprietary switched VoFR connections between two VoFR endpoints, saving the extensive configuration overhead associated with pure FRF.11 implementations
• Supports standard FRF.11 functionality, allowing Cisco routers to interconnect with other equipment supporting this specification
For more information, see the Versatile Interface Processor-Based FRF.11 and FRF.12 feature module.
New Software Features in Cisco IOS Release 12.1(1)E5
There are no new software features supported in Cisco IOS Release 12.1(1)E5.
New Hardware Features in Cisco IOS Release 12.1(1)E5
There are no new hardware features supported in Cisco IOS Release 12.1(1)E5.
New Features in Cisco IOS Release 12.1(1)E3
Cisco IOS Release 12.1(1)E3 does not include support for any new software or hardware features. Cisco IOS Release 12.1(1)E3 incorporates fixes for the following caveats:
• CSCdp69004
• CSCdr01079
• CSCdr05739
• CSCdr18877
• CSCdr24768
For more information, see the "Caveats" section.
New Software Features in Cisco IOS Release 12.1(1)E2
The following new software feature is supported by Cisco IOS Release 12.1(1)E2:
Cisco Quality of Service Device Manager 1.0 Support for Cisco 7500 Series Routers
Platform: Cisco 7500 series routers
Cisco IOS Release 12.1(1)E2 supports Cisco Quality of Service Device Manager (QDM) 1.0 on Cisco 7500 series routers. QDM is a web-based Java application through which you can configure and monitor advanced IP-based quality of service (QoS) functionality within Cisco routers.
QDM 1.0 is available as a separate product download and is free of charge.
For more information on QDM, see the Release and Installation Notes for Cisco Quality of Service Device Manager 1.0 on Cisco.com and the Documentation CD-ROM.
New Hardware Features in Cisco IOS Release 12.1(1)E
The following new hardware features are supported by the Cisco 7000 family of routers for Cisco IOS Release 12.1(1)E:
Network Services Engine Support
Platform: Cisco 7200 VXR series routers
Cisco IOS Release 12.1(1)E supports the network services engine (NSE-1) hardware.
The NSE-1 maintains and executes the system management functions for Cisco 7200 VXR series routers. The NSE-1 also shares system memory and environmental monitoring functions with the I/O controller. Its performance is greater than that of the network processing engines because of the secondary Parallel eXpress Forwarding (PXF) processor. The PXF processor enables parallel IP multipacket processing functions, working with the primary processor to provide accelerated packet switching as well as accelerated IP Layer 3 feature processing.
Integrated Service Adapter
Platform: Cisco 7100 series and Cisco 7200 series routers
The Integrated Service Adapter (ISA) is a single-width service adapter that provides high-performance, hardware-assisted tunneling and encryption services suitable for Virtual Private Network (VPN) remote access, site-to-site intranet, and extranet applications, as well as platform scalability and security while working with all services necessary for successful VPN deployments—security, quality of service (QoS), firewall and intrusion detection, and service-level validation and management.
The ISA off-loads IPSec and Microsoft Point-to-Point Encryption (MPPE) processing from the main processor of Cisco 7200 series routers, thus freeing resources on the processing engine (that is, the network processing engine [NPE] on the Cisco 7200 series routers) for other tasks.
The ISA provides hardware-accelerated support for multiple encryption functions:
• 56-bit Data Encryption Standard (DES) standard mode: Cipher Block Chaining (CBC)
• 3-key triple DES (168-bit)
• Secure Hash Algorithm (SHA)-1 and Message Digest 5 (MD5) hash algorithms
• Rivest, Shamir, Adleman (RSA) public-key algorithm
• Diffie-Hellman key exchange RC4-40
For additional information on the Integrated Service Adapter, see the ISA and ISM Installation and Configuration guide on Cisco.com and the Documentation CD-ROM.
New Software Features in Cisco IOS Release 12.1(1)E
The following new software features are supported by the Cisco 7000 family of routers for Cisco IOS Release 12.1(1)E:
IOS Server Load Balancing Enhancements
Platform: Cisco 7200 series routers
Server Network Address Translation
IOS Server Load Balancing (SLB) is now capable of performing Network Address Translation (NAT) of the server IP address for SLB connections. For packets sourced by a client, SLB can translate the virtual server IP address to the real server IP address. For packets sourced by a server, SLB can translate the real server IP address to the virtual IP address, provided a matching SLB connection exists in the SLB connection database.
To enable server NAT, enter the nat server command.
Server Load Balancing Stateless Redundancy
To promote high availability, a backup SLB device can take over the SLB function in the event of a failure on the primary SLB device. SLB performs this function by monitoring Hot Standby Routing Protocol (HSRP) state changes and linking the service state of an SLB server to the HSRP state.
To enable SLB Stateless Redundancy, use the inservice standby command.
For additional information on the IOS Server Load Balancing feature, including information on Server Network Address Translation and Server Load Balancing Stateless Redundancy, see the IOS Server Load Balancing feature module on Cisco.com and the Documentation CD-ROM.
Interface Range Configuration Mode
Platforms: Cisco 7100 series, Cisco 7200 series, and Cisco 7500 series routers
The interface range configuration mode allows you to configure multiple interfaces with the same configuration parameters. Once you enter the interface range configuration mode, all command parameters you enter are attributed to all interfaces within that range until you exit out of the interface range configuration mode.
The interface range command mode has the following syntax:
interface range {vlan vlan_ID - vlan_ID} | {{ethernet | fastethernet | gigabitethernet | macro macro_name} slot/interface - interface} [, {{ethernet | fastethernet | gigabitethernet | macro macro_name} slot/interface - interface}]
Network-Based Application Recognition Enhancements
Platforms: Cisco 7100 series and Cisco 7200 series routers
Network-Based Application Recognition (NBAR) can now perform subport classification of HTTP traffic by Host name. You can classify HTTP traffic by web server names. To perform a match on the hostname portion of the URL, use the new Host matching criteria.
For additional information on the NBAR enhancements, see the Network-Based Application Recognition Enhancements feature module.
For additional information on NBAR, see the Network-Based Application Recognition Enhancements feature module.
Cisco Quality of Service Device Manager 1.0 Support
Platforms: Cisco 7100 series and Cisco 7200 series routers
Cisco IOS Release 12.1(1)E supports Cisco Quality of Service Device Manager (QDM) 1.0. QDM is a web-based Java application with which you can configure and monitor advanced IP-based quality of service (QoS) functionality within Cisco routers.
QDM 1.0 is available as a separate product download and is free of charge.
For information on QDM, see the Release and Installation Notes for Cisco Quality of Service Device Manager 1.0 on Cisco.com and the Documentation CD-ROM.
Turbo Access Control Lists
Platform: Cisco 7200 series routers
Access control lists (ACLs) are normally searched sequentially to find a matching rule, and ACLs are ordered specifically to take this factor into account. Because of the increasing needs and requirements for security filtering and packet classification, ACLs can expand to the point that searching the ACL adds a significant amount of time and memory when packets are being forwarded. Moreover, the time taken by the router to search the list is not always consistent, adding a variable latency to the packet forwarding. A high CPU load is necessary for searching an ACL with several entries.
The Turbo ACL feature compiles the ACLs into a set of lookup tables, while maintaining the first match requirements. Packet headers are used to access these tables in a small, fixed number of lookups, independently of the existing number of ACL entries. The following are benefits of this feature:
• For ACLs larger than three entries, the CPU load required to match the packet to the predetermined packet-matching rule is lessened. The CPU load is fixed, regardless of the size of the ACL, allowing for larger ACLs without incurring any CPU overhead penalties. The larger the ACL, the greater the benefit.
• The time taken to match the packet is fixed, so that latency of the packets is smaller (significantly in the case of large ACLs) and more importantly, consistent, providing better network stability and more accurate transit times.
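The lookup-table idea described above, as an added Python illustration (not Cisco's implementation): an ordered ACL is compiled into per-field tables whose entries are bitmaps of matching rules, so classifying a packet takes ten table reads and the lowest set bit gives the first match. The Rule fields, the sample ACL and the bitmap scheme are assumptions chosen for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: Optional[int]        # IP protocol number, None = any
    src: str                    # source prefix (CIDR)
    dst: str                    # destination prefix (CIDR)
    dport: tuple = (0, 65535)   # inclusive destination-port range


# Constructed sample ACL; order matters because the first match wins.
SAMPLE_ACL = [
    Rule("permit", 6, "10.1.2.0/24", "192.0.2.10/32", (443, 443)),
    Rule("deny", 6, "10.1.0.0/16", "192.0.2.0/24"),
    Rule("permit", 17, "0.0.0.0/0", "192.0.2.53/32", (53, 53)),
    Rule("deny", 17, "0.0.0.0/0", "0.0.0.0/0", (49, 49)),
    Rule("permit", None, "0.0.0.0/0", "0.0.0.0/0"),
]


def linear_match(acl, pkt):
    """Reference behaviour: walk the ACL in order, first matching rule wins."""
    proto, src, dst, dport = pkt
    for rule in acl:
        if rule.proto is not None and rule.proto != proto:
            continue
        if ipaddress.ip_address(src) not in ipaddress.ip_network(rule.src):
            continue
        if ipaddress.ip_address(dst) not in ipaddress.ip_network(rule.dst):
            continue
        if not rule.dport[0] <= dport <= rule.dport[1]:
            continue
        return rule.action
    return "deny"  # implicit deny at the end of the ACL


def _address_tables(acl, attr):
    """Four 256-entry tables, one per address byte. Each entry is a bitmap
    of the rules whose prefix accepts that byte value at that position."""
    tables = [[0] * 256 for _ in range(4)]
    for idx, rule in enumerate(acl):
        net = ipaddress.ip_network(getattr(rule, attr))
        addr = int(net.network_address).to_bytes(4, "big")
        mask = int(net.netmask).to_bytes(4, "big")
        for pos in range(4):
            for value in range(256):
                if value & mask[pos] == addr[pos]:
                    tables[pos][value] |= 1 << idx
    return tables


def compile_acl(acl):
    """Build the lookup tables once, when the ACL changes."""
    proto_table = [0] * 256
    port_table = [0] * 65536
    for idx, rule in enumerate(acl):
        bit = 1 << idx
        for proto in range(256):
            if rule.proto is None or rule.proto == proto:
                proto_table[proto] |= bit
        for port in range(rule.dport[0], rule.dport[1] + 1):
            port_table[port] |= bit
    return {
        "src": _address_tables(acl, "src"),
        "dst": _address_tables(acl, "dst"),
        "proto": proto_table,
        "dport": port_table,
        "actions": [rule.action for rule in acl],
    }


def turbo_match(compiled, pkt):
    """Classify with a fixed number of table reads: 1 + 1 + 4 + 4."""
    proto, src, dst, dport = pkt
    s = ipaddress.ip_address(src).packed
    d = ipaddress.ip_address(dst).packed
    hits = compiled["proto"][proto] & compiled["dport"][dport]
    for pos in range(4):
        hits &= compiled["src"][pos][s[pos]] & compiled["dst"][pos][d[pos]]
    if hits == 0:
        return "deny"  # no rule matched: implicit deny
    first = (hits & -hits).bit_length() - 1  # lowest set bit = earliest rule
    return compiled["actions"][first]


if __name__ == "__main__":
    compiled = compile_acl(SAMPLE_ACL)
    for pkt in [(6, "10.1.2.7", "192.0.2.10", 443), (6, "10.1.3.7", "192.0.2.10", 443)]:
        print(pkt, linear_match(SAMPLE_ACL, pkt), turbo_match(compiled, pkt))
```

The number of table reads stays at ten for any ACL length, although each bitmap in this sketch grows by one bit per rule.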
MIBs
Current MIBs
To obtain lists of supported MIBs by platform and Cisco IOS release, and to download MIB modules, go to the Cisco MIB website on Cisco.com at http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.
Deprecated and Replacement MIBs
MIBs will be replaced in a future release. Currently, OLD-CISCO-* MIBs are being converted into more scalable MIBs without affecting existing Cisco IOS products or network management system (NMS) applications. You can update from deprecated MIBs to the replacement MIBs as shown in Table 84.
Important Notes
SNMP Version 1 BGP4-MIB Limitations
You may notice incorrect BGP trap OID output when using the SNMP version 1 BGP4-MIB that is available for download at ftp://ftp.cisco.com/pub/mibs/v1/BGP4-MIB-V1SMI.my. When a router sends out BGP traps (notifications) about state changes on an SNMP version 1 monitored BGP peer, the enterprise OID is incorrectly displayed as .1.3.6.1.2.1.15 (bgp) instead of .1.3.6.1.2.1.15.7 (bgpTraps). The problem is not due to any error with Cisco IOS software. This problem occurs because the BGP4-MIB does not follow RFC 1908 rules regarding version 1 and version 2 trap compliance. This MIB is controlled by IANA under the guidance of the IETF, and work is currently in progress by the IETF to replace this MIB with a new version that represents the current state of the BGP protocol. In the meantime, we recommend that you use the SNMP version 2 BGP4-MIB or the CISCO-BGP4-MIB to avoid an incorrect trap OID.
Image Deferral, Cisco IOS Release 12.1(10)E2
All Cisco 7100, Cisco 7200, and Cisco 7500 series images in Cisco IOS Release 12.1(10)E have been deferred to Cisco IOS Release 12.1(10)E2 due to the following caveats:
• CSCdw08796—Router crashes after configuring crypto map on fddi interface
• CSCdw32990—VSEC: Router crashes for removal of crypto access-list
Note
Disclaimer: In order to increase network availability, Cisco recommends that you upgrade affected IOS images with the suggested replacement software images. Cisco will discontinue manufacturing shipment of affected IOS images. Any pending order will be substituted by the replacement software images. PLEASE BE AWARE THAT FAILURE TO UPGRADE THE AFFECTED IOS IMAGES MAY RESULT IN NETWORK DOWNTIME. The terms and conditions that governed your rights and obligations and those of Cisco, with respect to the deferred images, will apply to the replacement images.
Image Obsolescence, Cisco IOS Release 12.1(10)E
All Cisco 7100 series and Cisco 7200 series crypto images in Cisco IOS Release 12.1(10)E have been obsoleted from manufacturing due to the following caveat:
• CSCdw47730
These images are now available in Cisco IOS Release 12.1(10)E4.
Note
Disclaimer: In order to increase network availability, Cisco recommends that you upgrade affected IOS images with the suggested replacement software images. Cisco will discontinue manufacturing shipment of affected IOS images. Any pending order will be substituted by the replacement software images. PLEASE BE AWARE THAT FAILURE TO UPGRADE THE AFFECTED IOS IMAGES MAY RESULT IN NETWORK DOWNTIME. The terms and conditions that governed your rights and obligations and those of Cisco, with respect to the deferred images, will apply to the replacement images.
Image Obsolescence, Cisco IOS Release 12.1(7)E
All Cisco 7100 series, Cisco 7200 series, and Cisco 7500 series images in Cisco IOS Release 12.1(7)E have been obsoleted from manufacturing.
These images are now available in Cisco IOS Release 12.1(7a)E1.
Note
Disclaimer: In order to increase network availability, Cisco recommends that you upgrade affected IOS images with the suggested replacement software images. Cisco will discontinue manufacturing shipment of affected IOS images. Any pending order will be substituted by the replacement software images. PLEASE BE AWARE THAT FAILURE TO UPGRADE THE AFFECTED IOS IMAGES MAY RESULT IN NETWORK DOWNTIME. The terms and conditions that governed your rights and obligations and those of Cisco, with respect to the deferred images, will apply to the replacement images.
Image Obsolescence, Cisco IOS Release 12.1(5c)E8
All Cisco 7100 series, Cisco 7200 series, and Cisco 7500 series images in Cisco IOS Releases 12.1(5a)E, 12.1(5a)E1, 12.1(5a)E2, and 12.1(5a)E4 have been obsoleted from manufacturing due to the following caveats:
• CSCdp11863
• CSCdr54230
• CSCdr54231
• CSCdr59314
• CSCdr61016
• CSCds04747
• CSCds32217
These images are now available in Cisco IOS Release 12.1(5c)E8.
Note
Disclaimer: In order to increase network availability, Cisco recommends that you upgrade affected IOS images with the suggested replacement software images. Cisco will discontinue manufacturing shipment of affected IOS images. Any pending order will be substituted by the replacement software images. PLEASE BE AWARE THAT FAILURE TO UPGRADE THE AFFECTED IOS IMAGES MAY RESULT IN NETWORK DOWNTIME. The terms and conditions that governed your rights and obligations and those of Cisco, with respect to the deferred images, will apply to the replacement images.
Cisco IOS Release 12.1(5a)E4
Cisco IOS Release 12.1(5a)E4 supports only Cisco 7500 images. There are no new features released in Cisco IOS Release 12.1(5a)E4.
Image Deferral, Cisco IOS Release 12.1(5a)E2
All Cisco 7100 and Cisco 7200 series crypto images in Cisco IOS Release 12.1(5a)E have been deferred to Cisco IOS Release 12.1(5a)E2 due to the following caveat:
• CSCds81783—ISA card: crashes with no mr creation failed for slot 3
Note
Disclaimer: In order to increase network availability, Cisco recommends that you upgrade affected IOS images with the suggested replacement software images. Cisco will discontinue manufacturing shipment of affected IOS images. Any pending order will be substituted by the replacement software images. PLEASE BE AWARE THAT FAILURE TO UPGRADE THE AFFECTED IOS IMAGES MAY RESULT IN NETWORK DOWNTIME. The terms and conditions that governed your rights and obligations and those of Cisco, with respect to the deferred images, will apply to the replacement images.
Cisco IOS Release 12.1(5a)E2
Cisco IOS Release 12.1(5a)E2 supports only Cisco 7100 and Cisco 7200 security images. There are no new features released in Cisco IOS Release 12.1(5a)E2.
Image Deferral, Cisco IOS Release 12.1(5a)E1
All Cisco 7500 series images in Cisco IOS Release 12.1(5a)E have been deferred to Cisco IOS Release 12.1(5a)E1 due to the following caveats:
• CSCds46769—Rapidash: 7500-VLAN Trunk-ISL Ping>1470 bytes failing
• CSCds78016—NATIVE: software forced crash
• CSCds88061—Bus Error Exception on Tucana Module
Note
Disclaimer: In order to increase network availability, Cisco recommends that you upgrade affected IOS images with the suggested replacement software images. Cisco will discontinue manufacturing shipment of affected IOS images. Any pending order will be substituted by the replacement software images. PLEASE BE AWARE THAT FAILURE TO UPGRADE THE AFFECTED IOS IMAGES MAY RESULT IN NETWORK DOWNTIME. The terms and conditions that governed your rights and obligations and those of Cisco, with respect to the deferred images, will apply to the replacement images.
Cisco IOS Release 12.1(5a)E1
Cisco IOS Release 12.1(5a)E1 supports only Cisco 7500 images. There are no new features released in Cisco IOS Release 12.1(5a)E1.
Image Deferral, Cisco IOS Release 12.1(3a)E5
All Cisco 7200 series images in Cisco IOS Release 12.1(3a)E4 have been deferred to Cisco IOS Release 12.1(3a)E5 due to the following caveat:
• CSCds43568—ASIO: i82543 fallback buffer size causes IOS crashes
Note
Disclaimer: In order to increase network availability, Cisco recommends that you upgrade affected IOS images with the suggested replacement software images. Cisco will discontinue manufacturing shipment of affected IOS images. Any pending order will be substituted by the replacement software images. PLEASE BE AWARE THAT FAILURE TO UPGRADE THE AFFECTED IOS IMAGES MAY RESULT IN NETWORK DOWNTIME. The terms and conditions that governed your rights and obligations and those of Cisco, with respect to the deferred images, will apply to the replacement images.
Caveat CSCdr91706 and IOS HTTP Vulnerability
A defect in multiple releases of Cisco IOS software will cause a Cisco router or switch to halt and reload if the IOS HTTP service is enabled, browsing to http://router-ip/anytext?/ is attempted, and the enable password is supplied when requested. This defect can be exploited to produce a denial of service (DoS) attack.
The vulnerability, identified as Cisco bug ID CSCdr91706, affects virtually all mainstream Cisco routers and switches running Cisco IOS software releases 12.0 through 12.1, inclusive. This is not the same defect as CSCdr36952.
The vulnerability has been corrected and Cisco is making fixed releases available for free to replace all affected IOS releases. Customers are urged to upgrade to Cisco IOS Release 12.1(3a)E4 or later releases of Cisco IOS Release 12.1 E.
This vulnerability can only be exploited if the enable password is known or not set.
You are strongly encouraged to read the complete advisory, which is available at
http://www.cisco.com/warp/public/707/ioshttpserverquery-pub.shtml.
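An inventory check for the conditions stated above (HTTP service enabled, enable password not set or known, release earlier than 12.1(3a)E4), as an added Python example that is not Cisco tooling. The sample configuration and version strings are constructed, and the release-ordering rule and the reliance on an explicit `ip http server` line are assumptions.

```python
import re

# 12.1(3a)E4 is the fixed 12.1 E release named in the text above.
FIXED_12_1_E = (3, "a", 4)
VERSION_RE = re.compile(r"Version (\d+)\.(\d+)\((\d+)([a-z]?)\)([A-Z]*)(\d*)")

# Constructed sample inputs (not taken from a real device).
SHOW_VERSION_E3 = "IOS (tm) 7200 Software (C7200-JS-M), Version 12.1(3a)E3, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)"
SHOW_VERSION_E4 = "IOS (tm) 7200 Software (C7200-JS-M), Version 12.1(3a)E4, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)"
CONFIG_OPEN = """\
hostname edge-a
!
ip http server
!
line vty 0 4
 login
"""
CONFIG_WITH_SECRET = """\
hostname edge-b
enable secret 5 <constructed-hash-placeholder>
ip http server
"""
CONFIG_HTTP_OFF = """\
hostname edge-c
enable secret 5 <constructed-hash-placeholder>
no ip http server
"""


def parse_ios_version(show_version_text):
    """Return (major, minor, maint, letter, train, rebuild), or None if absent."""
    m = VERSION_RE.search(show_version_text)
    if m is None:
        return None
    major, minor, maint, letter, train, rebuild = m.groups()
    return (int(major), int(minor), int(maint), letter, train, int(rebuild or 0))


def release_status(version):
    """Classify a parsed version as 'fixed', 'affected' or 'unknown'."""
    if version is None:
        return "unknown"
    major, minor, maint, letter, train, rebuild = version
    if (major, minor, train) != (12, 1, "E"):
        return "unknown"  # fixed releases for other trains are in the advisory
    # Assumption: 12.1 E releases order by (maintenance number, letter, rebuild).
    return "fixed" if (maint, letter, rebuild) >= FIXED_12_1_E else "affected"


def audit_device(running_config, show_version_text):
    """Return a one-line verdict for CSCdr91706 exposure."""
    lines = [ln.strip() for ln in running_config.splitlines()]
    # Assumption: the configuration lists "ip http server" when the service is on.
    http_enabled = "ip http server" in lines
    enable_set = any(
        ln.startswith(("enable secret ", "enable password ")) for ln in lines
    )
    status = release_status(parse_ios_version(show_version_text))
    if not http_enabled:
        return "not exposed: HTTP service is off"
    if status == "fixed":
        return "not exposed: release contains the fix"
    if status == "unknown":
        return "undetermined: check the release against the advisory"
    if not enable_set:
        return "exposed: HTTP service on and no enable password set"
    return "exposed: HTTP service on, reachable by anyone who knows the enable password"


if __name__ == "__main__":
    for name, cfg in [("edge-a", CONFIG_OPEN), ("edge-b", CONFIG_WITH_SECRET),
                      ("edge-c", CONFIG_HTTP_OFF)]:
        print(name, "->", audit_device(cfg, SHOW_VERSION_E3))
```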
Cisco IOS Release 12.1(3a)E5
Cisco IOS Release 12.1(3a)E5 contains caveat-fixes only. There are no new features released in Cisco IOS Release 12.1(3a)E5.
Image Obsolescence, Cisco IOS Release 12.1(3a)E4
All Cisco 7100 series, Cisco 7200 series, and Cisco 7500 series images in Cisco IOS Releases 12.1(3a)E, 12.1(3a)E1, and 12.1(3a)E3 have been obsoleted from manufacturing.
These images are now available in Cisco IOS Release 12.1(3a)E4.
Note
Disclaimer: In order to increase network availability, Cisco recommends that you upgrade affected IOS images with the suggested replacement software images. Cisco will discontinue manufacturing shipment of affected IOS images. Any pending order will be substituted by the replacement software images. PLEASE BE AWARE THAT FAILURE TO UPGRADE THE AFFECTED IOS IMAGES MAY RESULT IN NETWORK DOWNTIME. The terms and conditions that governed your rights and obligations and those of Cisco, with respect to the deferred images, will apply to the replacement images.
Cisco IOS Release 12.1(3a)E4
Cisco IOS Release 12.1(3a)E4 contains a fix for DDTS CSCdr91706. There are no new features released in Cisco IOS Release 12.1(3a)E4.
Image Deferral, Cisco IOS Release 12.1(3a)E1
All Cisco 7100 series and Cisco 7200 series crypto images in Cisco IOS Release 12.1(3a)E have been deferred to Cisco IOS Release 12.1(3a)E1 due to the following caveat:
• CSCds33883—ISA card: an error coming back 104C (and 104D) with many SAs
Note
Disclaimer: In order to increase network availability, Cisco recommends that you upgrade affected IOS images with the suggested replacement software images. Cisco will discontinue manufacturing shipment of affected IOS images. Any pending order will be substituted by the replacement software images. PLEASE BE AWARE THAT FAILURE TO UPGRADE THE AFFECTED IOS IMAGES MAY RESULT IN NETWORK DOWNTIME. The terms and conditions that governed your rights and obligations and those of Cisco, with respect to the deferred images, will apply to the replacement images.
Image Obsolescence, Cisco IOS Release 12.1(3a)E1
All Cisco 7500 series -v- images in Cisco IOS Release 12.1(3a)E have been obsoleted due to the following caveat:
• CSCds27298—cbQoSMIB not functional in rsp-jsv-mz image
These images are now available in Cisco IOS Release 12.1(3a)E1.
Note
Disclaimer: In order to increase network availability, Cisco recommends that you upgrade affected IOS images with the suggested replacement software images. Cisco will discontinue manufacturing shipment of affected IOS images. Any pending order will be substituted by the replacement software images. PLEASE BE AWARE THAT FAILURE TO UPGRADE THE AFFECTED IOS IMAGES MAY RESULT IN NETWORK DOWNTIME. The terms and conditions that governed your rights and obligations and those of Cisco, with respect to the deferred images, will apply to the replacement images.
Cisco IOS Release 12.1(3a)E1
Cisco IOS Release 12.1(3a)E1 contains caveat-fixes only. There are no new features released in Cisco IOS Release 12.1(3a)E1.
Cisco IOS Release 12.1(3)E
Cisco IOS Release 12.1(3)E syncs to the latest release point on the parent branch, which is Release 12.1(3a). Therefore, to provide consistency, Cisco IOS Release 12.1(3)E is renamed to Cisco IOS Release 12.1(3a)E.
Image Deferral, Cisco 7100 Images and Cisco 7500 Images
Cisco IOS Release 12.1(2)E crypto images for Cisco 7100 series routers have been deferred to Cisco IOS Release 12.1(2)E1 due to the following caveats:
• CSCdr64674—IPSECperf.degrad.On 7140/ISM using 12.1(1.6)E4 for low no.of Tunnels
• CSCdr72554—Fragmented ESP packets not passed to crypto engine
Cisco IOS Release 12.1(2)E non-crypto images for Cisco 7500 series routers have been deferred to Cisco IOS Release 12.1(2)E1 due to the following caveat:
• CSCdr75209—dVoFR: incorrect queue-limits/ FRF.12 incomplete configuration
Note
Disclaimer: If you wish to avoid risk of having your system affected by the above-identified defects, you may replace it with the replacement image described above. If you do so, the same licenses, terms, and conditions that governed your rights and obligations, and those of Cisco, with respect to the deferred image, shall govern them with respect to the replacement image. If, on the other hand, you decide not to replace the deferred image, you proceed at your own risk. Manufacturing is discontinuing shipment of IOS affected and, instead, will ship Software Solution.
Cisco IOS Release 12.1(2)E1
Cisco IOS Release 12.1(2)E1 contains caveat-fixes only. There are no new features released in Cisco IOS Release 12.1(2)E1.
Cisco 7500 Series Images Released in 12.1(1)E2
Cisco IOS Release 12.1(1)E did not release Cisco 7500 series images (rsp-*-mz). Cisco IOS Release 12.1(1)E2 is the first 12.1 E release that supports the Cisco 7500 series images.
Cisco IOS Release 12.1(1)E2 also integrates other software repairs, which are listed in the "Caveats" section.
Cisco IOS Release 12.1(1)E2 is built from Cisco IOS Release 12.1(1)E plus integrated defect fixes.
Note
Cisco IOS Release 12.1(1)E1 was not released.
For more information on Cisco IOS Release 12.1(2)E2, refer to the Field Notice located at the following URL:
http://www.cisco.com/warp/public/770/fn12256.shtml
or, for registered Cisco.com customers:
http://www.cisco.com/warp/public/770/fn12256.shtml
Image Deferral, Cisco 7200 Boot Image
Cisco IOS Release 12.1(1)E boot images for Cisco 7200 series routers have been deferred due to the following caveat:
• CSCdm85656—Reduce size of boot helper image c7200-boot-mz
The Cisco IOS Release 12.1(1)E boot images for the Cisco 7200 series (c7200-boot-mz-*) have outgrown the Flash SIMM used to store the boot image on the input/output controllers used in the Cisco 7200 series routers. The c7200-boot-mz image in Cisco IOS Release 12.1(1)E will be replaced with the Cisco IOS Release 12.0(10)S c7200-boot-mz image, which is available on Cisco.com.
For more information about this deferral, refer to the Field Notice located at the following URL:
http://www.cisco.com/warp/public/770/fn7771.shtml
or on Cisco.com at:
Service & Support: Technical Assistance Center: Documents: Field Notices
Cisco 7500 Series Not Supported on Cisco IOS Release 12.1(1)E
Cisco IOS Release 12.1(1)E did not support Cisco 7500 series routers. Cisco IOS Release 12.1(1)E2 supports Cisco 7500 series routers. Cisco IOS Release 12.1(1)E2 is the first Cisco IOS 12.1 E release to support the Cisco 7500 series routers.
Caveats
Caveats describe unexpected behavior in Cisco IOS software releases. Severity 1 caveats are the most serious caveats; severity 2 caveats are less serious. Severity 3 caveats are moderate caveats, and only select severity 3 caveats are included in the caveats document.
This section contains only open and resolved caveats for the current Cisco IOS maintenance release.
All caveats in Cisco IOS Release 12.1(4) and Cisco IOS Release 12.1(5)T are also in Cisco IOS Release 12.1(26)E9.
All caveats in Cisco IOS Release 12.0(7)XE1 are also in Cisco IOS Release 12.1 E.
For information on caveats in Cisco IOS Release 12.1(4), see the Caveats for Cisco IOS Release 12.1 document.
For information on caveats in Cisco IOS Release 12.1(5)T, see the Caveats for Cisco IOS Release 12.1 T document, which lists severity 1 and 2 caveats and is located on Cisco.com and on the Documentation CD-ROM.
For information on caveats in Cisco IOS Release 12.0(7)XE1, see the Release Notes for Cisco 7000 Family for Cisco IOS Releases 12.0(5)XE through 12.0(7)XE.
Note
If you have an account with Cisco.com, you can use Bug Navigator II to find caveats of any severity for any release. To reach Bug Navigator II, log in to Cisco.com and click Software Center: Cisco IOS Software: Bug Toolkit: Bug Navigator II. Another option is to go to http://www.cisco.com/pcgi-bin/Support/Bugtool/launch_bugtool.pl
Open Caveats—Cisco IOS Release 12.1(26)E9
This section documents possible unexpected behavior by Cisco IOS Release 12.1(26)E9 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(26)E9.
Resolved Caveats—Cisco IOS Release 12.1(26)E9
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(26)E9. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCin95836
The Cisco Next Hop Resolution Protocol (NHRP) feature in Cisco IOS contains a vulnerability that can result in a restart of the device or possible remote code execution.
NHRP is a primary component of the Dynamic Multipoint Virtual Private Network (DMVPN) feature.
NHRP can operate in three ways: at the link layer (Layer 2), over Generic Routing Encapsulation (GRE) and multipoint GRE (mGRE) tunnels and directly on IP (IP protocol number 54). This vulnerability affects all three methods of operation.
NHRP is not enabled by default for Cisco IOS.
This vulnerability is addressed by Cisco bug IDs CSCin95836 for non-12.2 mainline releases and CSCsi23231 for 12.2 mainline releases.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20070808-nhrp.shtml.
•
CSCsb11698
Certain User Datagram Protocol (UDP) packets that are directed at a TACACS port may become stuck in the interface queue.
This issue occurs on a Cisco platform that is configured for TACACS+.
Workarounds: After the symptom has occurred, you can increase the interface input hold queue to allow additional traffic to pass temporarily, but this is not a complete workaround. To prevent the symptom from occurring, create and apply an interface access control list (ACL), infrastructure ACL, or receive ACL to deny the UDP packets that have as their destination the TACACS port (49) from entering the interface queue.
•
CSCse05736
A router that is running Remote Copy Protocol (RCP) can be reloaded by a specific packet.
This issue can occur under the following conditions:
–
The router must have RCP enabled.
–
The packet must come from the source address of the designated system configured to send RCP packets to the router.
–
The packet must have specific data content.
Workaround: Put access lists on the edge of your network blocking RCP packets to prevent spoofed Remote Shell (RSH) packets. Use another protocol such as Secure Copy Protocol (SCP). Use virtual terminal (VTY) access control lists (ACLs).
•
CSCse24889
Malformed Secure Shell (SSH) version 2 packets may cause a memory leak, causing the platform to operate under a degraded condition. Under rare circumstances, the platform may reload to recover itself.
This condition occurs on a Cisco platform that is configured for SSH version 2 after it has received malformed SSHv2 packets.
Workaround: As an interim solution until the affected platform can be upgraded to a Cisco IOS software image that contains the fix for caveat CSCse24889, configure SSH version 1 from the global configuration mode, as in the following example:
config t
ip ssh version 1
end
Alternate Workaround: Permit only known trusted hosts and/or networks to connect to the router by creating a vty access list, as in the following example:
10.1.1.0/24 is a trusted network that is permitted access to the router; all other access is denied.
access-list 99 permit 10.1.1.0 0.0.0.255
access-list 99 deny any
line vty 0 4
access-class 99 in
end
For information about configuring vty access lists, see the Controlling Access to a Virtual Terminal Line document: http://www.cisco.com/en/US/products/ps6441/products_configuration_guide_chapter09186a0080716ec2.html
For information about SSH, see the Configuring Secure Shell on Routers and Switches Running Cisco IOS document:
http://www.cisco.com/warp/public/707/ssh.shtml
•
CSCsg40567
Malformed Secure Sockets Layer (SSL) packets may cause a router to leak multiple memory blocks.
This issue occurs on a Cisco router that has the ip http secure-server command enabled.
Workaround: Disable the ip http secure-server command.
•
CSCsg70474
Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:
–
Session Initiation Protocol (SIP)
–
Media Gateway Control Protocol (MGCP)
–
Signaling protocols H.323, H.254
–
Real-time Transport Protocol (RTP)
–
Facsimile reception
Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.
There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml
Open Caveats—Cisco IOS Release 12.1(27b)E2
This section documents possible unexpected behavior by Cisco IOS Release 12.1(27b)E2 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(27b)E2.
Resolved Caveats—Cisco IOS Release 12.1(27b)E2
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(27b)E2. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCds33629
Closing an existing Telnet session may cause a router to crash.
This issue is platform-independent.
There are no known workarounds.
•
CSCed17141
If Remote Shell (RSH) is enabled on the router, the router accepts Transmission Control Protocol connections to port 514 and allocates resources for each session.
Workaround: Disable RSH, and use Telnet instead.
•
CSCeg11566
Intensive Simple Network Management Protocol (SNMP) polling may cause the I/O memory of a router to be depleted.
This issue occurs in rare situations.
Workaround: Reduce the SNMP polling interval, frequency, or rate.
•
CSCeg62070
Tracebacks or crashes can occur during Hypertext Transfer Protocol (HTTP) transactions with long URLs.
The crashes occur when the length of any token in the URL of the request is excessively long.
Workaround: Disable the HTTP server using the no ip http server command.
•
CSCeh17756
The Protocol Independent Multicast (PIM) assert mechanism is not functioning properly, causing provider edge (PE) routers to remove VPN routing and forwarding (VRF) subinterfaces from output interface lists, and, in turn, causing multicast traffic to be dropped.
This issue occurs when redundant PE routers and customer edge (CE) routers are located on one LAN segment and when the CE routers select different PE routers as their next hop.
Workaround: Change the configuration so that all CE routers on one LAN segment select the same PE router as their next hop.
•
CSCin78110
An E1 controller on PA-MC-8TE1+ port adapter does not come up when a router is reloaded.
This defect only occurs when another line card on the router has a very large configuration.
Workaround: Execute a shut/no shut of the controller after the reload is completed. This action should bring the controller back up.
•
CSCsb12598
A Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.
Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.
Cisco IOS is affected by the following vulnerabilities:
–
Processing ClientHello messages, documented as Cisco bug ID CSCsb12598
–
Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304
–
Processing Finished messages, documented as Cisco bug ID CSCsd92405
Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml.
Note
Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml.
A combined software table for Cisco IOS is available to aid customers in choosing a software release that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.
•
CSCsb40304
A Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.
Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.
Cisco IOS is affected by the following vulnerabilities:
–
Processing ClientHello messages, documented as Cisco bug ID CSCsb12598
–
Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304
–
Processing Finished messages, documented as Cisco bug ID CSCsd92405
Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml.
•
CSCsd30724
The following log message is observed:
03:14:29: SP: TCAM ASSERT FAILURE: label_alloc_tbl[label].num_if_using[lookup_type] != 0: ../const/native-sp/tcam_label.c: 1393
03:14:29: SP: -Traceback= 403FCA70 403E8B38 403E7138 403E8FA8 403EE760 403EFA94 403EFCE8 400FCD64 400FCD50
This message appears on a sup2 running Cisco IOS Release 12.1(26)E6 and earlier versions when an input access control list (ACL) is configured with an input service policy and L4 operators such as permit udp any range 10 12 any.
There are no known workarounds.
•
CSCsd92405
A Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.
Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.
Cisco IOS is affected by the following vulnerabilities:
–
Processing ClientHello messages, documented as Cisco bug ID CSCsb12598
–
Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304
–
Processing Finished messages, documented as Cisco bug ID CSCsd92405
Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml.
Note
Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml.
A combined software table for Cisco IOS is available to aid customers in choosing a software release that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.
•
CSCsd95616
Two crafted Protocol Independent Multicast (PIM) packet vulnerabilities exist in Cisco IOS software that may lead to a denial of service (DoS) condition. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml.
•
CSCse04560
When a Trivial File Transfer Protocol (TFTP) client tries to transfer a file from a Cisco IOS device configured as a TFTP server (which has an access control list (ACL) restricting access to the file in question), the client receives a different result depending on whether the file is being offered for download or not. This issue allows a third party to enumerate which files are available for download.
Workaround: The following workarounds can be applied:
1) Configure and attach an access list to every router interface active and configured for IP packet processing as follows:
access-list access-list-number remark --- the following hosts and networks are ALLOWED for TFTP access
access-list access-list-number permit udp host source_1 host interface_address_1 eq 69
access-list access-list-number permit udp host source_2 host interface_address_2 eq 69
access-list access-list-number permit udp source source-wildcard host interface_address_1 eq 69
access-list access-list-number permit udp source source-wildcard host interface_address_2 eq 69
access-list access-list-number remark --- everyone else is DENIED for TFTP access
access-list access-list-number deny udp any host interface_address_1 eq 69
access-list access-list-number deny udp any host interface_address_2 eq 69
access-list access-list-number remark --- any other traffic to/through the router is allowed
access-list access-list-number permit ip any any
interface Ethernet0/0
ip access-group access-list-number in
After the TFTP server is enabled and listening by default on all interfaces enabled for IP processing, the access list would deny traffic to each and every IP address assigned to any active router interface.
2) Configure and apply a Control Plane Policing (CoPP) policy as follows:
access-list access-list-number remark --- Do not police TFTP traffic from trusted hosts and networks
access-list access-list-number deny udp host source_1 any eq 69
access-list access-list-number deny udp source source-wildcard any eq 69
access-list access-list-number remark --- Police TFTP traffic from untrusted hosts and networks
access-list access-list-number permit udp any any eq 69
access-list access-list-number remark --- Do not police any other traffic going to the router
access-list access-list-number deny ip any any
class-map match-all tftp-class
match access-group access-list-number
policy-map control-plane-policy
! Drop all traffic that matches the class tftp-class
class tftp-class
drop
control-plane
service-policy input control-plane-policy
Note that CoPP is only available on certain platforms and Cisco IOS releases. Additional information on the configuration and use of the CoPP feature can be found at the following URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_white_paper09186a0080211f39.shtml.
3) Configure Infrastructure ACLs (iACLs). Although it is often difficult to block traffic transiting your network, identifying traffic which should never be allowed to target your infrastructure devices and blocking that traffic at the border of your network is possible using Infrastructure ACLs. Infrastructure ACLs are considered a network security best practice and should be considered as a long-term addition to good network security as well as a workaround for this specific vulnerability. The following white paper entitled "Protecting Your Core: Infrastructure Protection Access Control Lists" presents guidelines and recommended deployment techniques for iACLs: http://www.cisco.com/warp/public/707/iacl.html.
4) Configure Receive Access Lists (rACLs). For distributed platforms, rACLs may be an option starting in Cisco IOS Release 12.0(24)S for Cisco 7500 series routers. Receive access lists protect devices from harmful traffic before the traffic can impact the route processor. Receive path ACLs are considered a network security best practice, and should be considered as a long-term addition to good network security, as well as a workaround for this specific vulnerability. The CPU load is distributed to the line card processors and helps mitigate load on the main route processor. The following white paper entitled "GSR: Receive Access Control Lists" will help identify and allow legitimate traffic to your device and deny all unwanted packets: http://www.cisco.com/warp/public/707/racl.html.
Note
These suggested workarounds are an "all or nothing" solution. While the tftp-server feature in Cisco IOS allows per-file ACLs to be attached to every file being offered for download, the suggested workarounds are global and will either prevent or allow access to all files being shared. It is recommended to apply the suggested workarounds in addition to the existing per-file ACLs, instead of replacing them.
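Workaround 1 only protects the interface addresses that the access list names, so an address left out of the deny entries stays reachable on UDP port 69. The following added example (not part of the Cisco release notes) parses an ACL of that shape, evaluates it with first-match and wildcard-mask semantics, and reports interface addresses that are still exposed. ACL number 120, all addresses and the function names are constructed for illustration.

```python
import ipaddress


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _addr_spec(tokens):
    """Consume one IOS address spec and return (base, wildcard) as integers."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(first), _ip(tokens.pop(0))  # "source source-wildcard" form


def parse_acl(text):
    """Parse numbered extended ACL lines of the shape used in workaround 1."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] != "access-list":
            continue
        if tokens[2].startswith("remark"):
            continue  # remarks carry no matching logic
        tokens = tokens[2:]
        action, proto = tokens.pop(0), tokens.pop(0)
        src = _addr_spec(tokens)
        dst = _addr_spec(tokens)
        dport = int(tokens[1]) if tokens[:1] == ["eq"] else None
        aces.append((action, proto, src, dst, dport))
    return aces


def _covers(spec, addr):
    """Wildcard bits set to 1 are ignored; all other bits must be equal."""
    base, wildcard = spec
    return ((addr ^ base) & ~wildcard & 0xFFFFFFFF) == 0


def evaluate(aces, proto, src, dst, dport=None):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, ace_proto, ace_src, ace_dst, ace_dport in aces:
        if ace_proto not in ("ip", proto):
            continue
        if ace_dport is not None and ace_dport != dport:
            continue
        if _covers(ace_src, _ip(src)) and _covers(ace_dst, _ip(dst)):
            return action
    return "deny"


def tftp_exposed(aces, interface_addresses, untrusted_source):
    """Interface addresses where UDP/69 from an untrusted source is not denied."""
    return [addr for addr in interface_addresses
            if evaluate(aces, "udp", untrusted_source, addr, 69) != "deny"]


# Constructed sample: the router has three interface addresses, but the ACL
# author only listed two of them in the deny entries.
SAMPLE_ACL = """
access-list 120 remark --- trusted hosts and networks ALLOWED for TFTP access
access-list 120 permit udp host 192.0.2.10 host 192.0.2.1 eq 69
access-list 120 permit udp 192.0.2.64 0.0.0.63 host 198.51.100.1 eq 69
access-list 120 remark --- everyone else is DENIED for TFTP access
access-list 120 deny udp any host 192.0.2.1 eq 69
access-list 120 deny udp any host 198.51.100.1 eq 69
access-list 120 remark --- any other traffic to/through the router is allowed
access-list 120 permit ip any any
"""
INTERFACES = ["192.0.2.1", "198.51.100.1", "203.0.113.1"]

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    print("TFTP still reachable on:", tftp_exposed(acl, INTERFACES, "203.0.113.99"))
```

Running the same check against the real interface address list after every addressing change catches the case where a new interface address is added but the deny entries are not extended.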
•
CSCse24889
Malformed Secure Shell Version 2 (SSHv2) packets may cause a memory leak, causing the platform to operate under a degraded condition. Under rare circumstances, the platform may reload to recover itself.
This issue occurs on a Cisco platform that is configured for SSH version 2 after it has received malformed SSHv2 packets.
Workaround: As an interim solution until the affected platform can be upgraded to a Cisco IOS software image that contains the fix for caveat CSCse24889, configure SSH version 1 from the global configuration mode, as in the following example:
config t
ip ssh version 1
end
Alternate Workaround: Permit only known trusted hosts and/or networks to connect to the router by creating a vty access list, as in the following example where 10.1.1.0/24 is a trusted network that is permitted access to the router, and all other access is denied:
access-list 99 permit 10.1.1.0 0.0.0.255
access-list 99 deny any
line vty 0 4
access-class 99 in
end
For information about configuring vty access lists, see the Controlling Access to a Virtual Terminal Line document: http://www.cisco.com/en/US/products/ps6441/products_configuration_guide_chapter09186a0080716ec2.html.
For information about SSH, see the Configuring Secure Shell on Routers and Switches Running Cisco IOS document: http://www.cisco.com/warp/public/707/ssh.shtml.
•
CSCse30376
When modifying, configuring, or reapplying an access control list (ACL) on the supervisor when a route-map (PBR) that utilizes that ACL is already installed, a Ternary Content Addressable Memory (TCAM) misprogramming situation occurs, which ultimately causes a connectivity problem.
This issue occurs on a router running Cisco IOS Release 12.1E with a Sup2/Multilayer Switch Feature Card 2 (MSFC2) installed.
Workaround: Remove and re-apply the route-map to the interface.
•
CSCse92050
An unexpected router reload occurs when a routing event causes a multicast boundary to be configured on a Reverse Path Forwarding (RPF) interface.
This issue occurs on Cisco platforms that are configured for Protocol Independent Multicast (PIM).
Workaround: Remove the multicast boundary from the configuration.
•
CSCse95758
Customers can use an access list to restrict Trivial File Transfer Protocol (TFTP) configuration transfers that are initiated through the Simple Network Management Protocol (SNMP) by using the snmp-server tftp-server-list access-list command. This restriction is not possible for the File Transfer Protocol (FTP), Remote Copy Protocol (RCP), and Secure Copy Protocol (SCP) protocols.
This issue occurs on any Cisco IOS platform that is configured for SNMP.
Workarounds: 1) Apply a more general access list to restrict traffic to and from the affected platform. 2) Disallow configuration copy from SNMP by excluding the CISCO-CONFIG-COPY-MIB using SNMP views. 3) Disable the SNMP server.
•
CSCsf07847
Specifically crafted Cisco Discovery Protocol (CDP) packets can cause a router to allocate and keep extra memory. Exploitation of this behavior by sending multiple specifically crafted CDP packets can cause memory allocation problems on the router. Because CDP is a layer-2 protocol, this issue can only be triggered by systems that are residing on the same network segment.
This issue occurs when the CDP packet header length is less than predefined header length (4 bytes) in images that have the fix for CSCse85200.
Workaround: Disable CDP on interfaces where CDP is not necessary.
•
CSCsf21446
When an Enhanced Gigabit Ethernet interface processor (GEIP+) on a Cisco 7500 router and an IBM Gigabit Interface Converter (GBIC)/6516 on a Catalyst 6500 series switch are link partners, connectivity issues can occur as a result of autonegotiation, including one-way issues (such as a routing protocol flap), the GEIP+ getting stuck, or link-up delays of 5 seconds to 5 minutes.
Workaround: Perform a shut/no shut at the GEIP+.
•
CSCsf23816
A standby route processor (RP) sends packets with "0" filled source and destination MAC addresses.
This issue occurs when an Ethernet port of a standby RP is connected to a network and is running Cisco IOS Release 12.1E.
There are no known workarounds.
•
CSCsf31542
A router running Cisco IOS Release 12.1(22)E1 experiences a medium buffer leak. The show buffers command is displaying a very high value for the number of total medium buffers, and the logs contain switch processor (SP) IO memory allocation failures of the form:
%SYS-SP-2-MALLOCFAIL: Memory allocation of X bytes failed from Y, alignment Z.
Workaround: Enter the show buffer pool medium dump command (with term len 0) to help the Technical Assistance Center (TAC) confirm the problem, and if this problem is confirmed, then reload the router.
•
CSCsg02881
The bandwidth of a multilink group interface that is down does not reflect the actual bandwidths of the links that are configured as members of the multilink group. In Cisco IOS Release 12.4(8) and later, the multilink interface bandwidth reflects the bandwidth of the last link in the bundle prior to going down. In earlier versions, the bandwidth is restored to 100000 Kbps.
This issue occurs only when the multilink interface is down. The bandwidth is correct when the multilink bundle is up.
There are no known workarounds.
•
CSCsg13124
The L3VlanMet, Ingress, and Egress Span tests fail on WS-X6516A-GBIC and WS-X6548-GE-TX if they come online while the system is in flow-through mode.
This issue occurs because the bridge ASIC used on these two line cards requires a specific synchronization sequence to be applied when enabling it for testing purposes.
There are no known workarounds.
•
CSCsg40567
Malformed Secure Sockets Layer (SSL) packets may cause a router to leak multiple memory blocks.
This issue occurs on a Cisco router that has the ip http secure-server command enabled.
Workaround: Disable the ip http secure-server command.
•
CSCsg46832
On a Cisco 7500 series router with an Enhanced Gigabit Ethernet interface processor (GEIP+), the interface status may show as down/down when the peer is reset multiple (more than 2000) times.
Workaround: Perform a shut/no shut on the interface to bring the interface status back to UP/UP.
•
CSCsg70355
Starting in calendar year 2007, daylight savings summer-time rules may cause Cisco IOS to generate timestamps (such as in syslog messages) that are off by one hour.
This issue occurs because the Cisco IOS clock summer-time zone recurring configuration command uses United States standards for daylight savings time rules by default, and the Energy Policy Act of 2005 (H.R.6.ENR), Section 110 changes the start date for daylight savings time from the first Sunday of April to the second Sunday of March, and the end date from the last Sunday of October to the first Sunday of November.
Workaround: Use the clock summer-time configuration command to manually configure the proper start date and end date for daylight savings time. After the summer-time period for calendar year 2006 is over, configure the following (this example is for the US/Pacific time zone):
clock summer-time PDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
Note
Using Network Time Protocol (NTP) is not a workaround to this problem. NTP does not carry any information about timezones or summertime.
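For log correlation it helps to know exactly when a device that still uses the old United States rules stamps messages one hour off. The following added example (not part of the Cisco release notes) parses the "week day month hh:mm" rule syntax shown in the workaround and computes those windows in UTC. The OLD_US string is a constructed encoding of the pre-2007 rule described above, the function names are illustrative, and the code assumes a northern-hemisphere rule whose start precedes its end within the year.

```python
import calendar
import datetime as dt

MONTHS = ["jan", "feb", "mar", "apr", "may", "jun",
          "jul", "aug", "sep", "oct", "nov", "dec"]
DAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]  # date.weekday() order

# Rule from the workaround on this page (new United States rules).
NEW_US = "2 Sun Mar 2:00 1 Sun Nov 2:00"
# Constructed encoding of the old rules: first Sunday of April to last Sunday of October.
OLD_US = "1 Sun Apr 2:00 last Sun Oct 2:00"


def nth_weekday(year, month, weekday, week):
    """Date of the week-th given weekday in a month; week is 1-5, 'first' or 'last'."""
    days = [d for d in calendar.Calendar().itermonthdates(year, month)
            if d.month == month and d.weekday() == weekday]
    if week == "last":
        return days[-1]
    index = 1 if week == "first" else int(week)
    return days[min(index, len(days)) - 1]


def parse_rule(rule):
    """Split 'week day month hh:mm week day month hh:mm' into start and end halves."""
    tokens = rule.lower().split()

    def half(week, day, month, hhmm):
        hour, minute = map(int, hhmm.split(":"))
        return week, DAYS.index(day[:3]), MONTHS.index(month[:3]) + 1, dt.time(hour, minute)

    return half(*tokens[0:4]), half(*tokens[4:8])


def dst_window_utc(rule, year, std_offset_hours):
    """UTC instants at which summer time starts and ends in the given year."""
    (sw, sd, sm, st), (ew, ed, em, et) = parse_rule(rule)
    std = dt.timedelta(hours=std_offset_hours)
    start_local = dt.datetime.combine(nth_weekday(year, sm, sd, sw), st)  # standard time
    end_local = dt.datetime.combine(nth_weekday(year, em, ed, ew), et)    # summer time
    return start_local - std, end_local - std - dt.timedelta(hours=1)


def device_stamp(utc, rule, std_offset_hours):
    """Local timestamp a device would print for a UTC instant under a rule."""
    start, end = dst_window_utc(rule, utc.year, std_offset_hours)
    shift = 1 if start <= utc < end else 0
    return utc + dt.timedelta(hours=std_offset_hours + shift)


def skew_hours(utc, device_rule, correct_rule, std_offset_hours):
    """Hours to add to the device's timestamp to obtain correct local time."""
    delta = (device_stamp(utc, correct_rule, std_offset_hours)
             - device_stamp(utc, device_rule, std_offset_hours))
    return int(delta.total_seconds() // 3600)


def misstamped_windows(year, std_offset_hours, device_rule=OLD_US, correct_rule=NEW_US):
    """UTC windows in which the two rules disagree (spring window, autumn window)."""
    old_start, old_end = dst_window_utc(device_rule, year, std_offset_hours)
    new_start, new_end = dst_window_utc(correct_rule, year, std_offset_hours)
    return [(new_start, old_start), (old_end, new_end)]


if __name__ == "__main__":
    for begin, end in misstamped_windows(2007, -8):  # US/Pacific, UTC-8
        print("timestamps one hour behind from", begin, "to", end, "UTC")
```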
•
CSCsg81391
After approximately 497 days of system up time, the ILMI keepalive fails. As a result of this failure, SVCs are torn down and connections are lost.
ILMI keepalives fail because of the rollover of the sysup timer, which is a 32-bit counter. The timer rolls over after 497 days of system up time.
Workaround: Reload the node before 497 days of system up time is reached.
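The 497-day figure follows from a 32-bit counter that ticks every 10 ms. The following added example (not Cisco code, and not a description of the actual defect) illustrates the general failure class: a keepalive check that compares raw tick values raises false alarms around the rollover, while a modular subtraction does not. The tick rate is an assumption inferred from the 497-day figure, and all names and timer values are constructed.

```python
TICKS_PER_SECOND = 100   # assumption: 10 ms ticks, consistent with a 497-day rollover
WRAP = 1 << 32           # a 32-bit counter returns to 0 after this many ticks
MASK = WRAP - 1


def days_to_rollover(ticks):
    """Days of up time left before a 32-bit tick counter wraps."""
    return (WRAP - (ticks & MASK)) / TICKS_PER_SECOND / 86400


def expired_naive(now, last_seen, timeout):
    """Deadline stored as a wrapped 32-bit value and compared directly."""
    deadline = (last_seen + timeout) & MASK
    return now >= deadline


def expired_wrap_safe(now, last_seen, timeout):
    """Elapsed ticks computed modulo 2**32, so the wrap cancels out."""
    return ((now - last_seen) & MASK) >= timeout


def simulate(check, start_tick, keepalive_every, timeout, rounds):
    """The peer answers every keepalive on time; return the tick values at
    which check() nevertheless declares the peer dead."""
    false_alarms = []
    last_seen = start_tick & MASK
    for i in range(1, rounds + 1):
        now = (start_tick + i * keepalive_every) & MASK
        if check(now, last_seen, timeout):
            false_alarms.append(now)
        last_seen = now
    return false_alarms


if __name__ == "__main__":
    start = WRAP - 2000  # 20 seconds before the counter wraps
    print("days from boot to rollover: %.1f" % days_to_rollover(0))
    print("naive false alarms:", simulate(expired_naive, start, 500, 1500, 6))
    print("wrap-safe false alarms:", simulate(expired_wrap_safe, start, 500, 1500, 6))
```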
•
CSCsh13542
When a Hot Standby Router Protocol (HSRP) active router receives a UDP Echo to the virtual IP address, it fails to echo back by LOOPPAK.
This issue occurs when UDP small servers are enabled on a router.
There are no known workarounds.
•
CSCsh21998
A router may send out packets with TTL=0 when a Border Gateway Protocol (BGP) VPN aggregate prefix has been configured with the summary-only keyword.
There are no known workarounds.
•
CSCsh31306
Output drops occur on a T1 serial interface. These drops are shown in the output of the show interface serial command, but are not shown at the quality of service (QoS) level; that is, the output of the show policy-map interface command does not indicate any drops. When this situation occurs, the output of the show controller command for the serial interface at the Versatile Interface Processor (VIP) shows "pascb.tx_polling_high" with any value other than 2.
This issue occurs on Cisco 7500 series routers (with a VIP) that have a serial interface that is configured for fair-queueing.
Workaround: Remove and then reconfigure fair-queueing so that "pascb.tx_polling_high" is set to the correct value of 2.
•
CSCsh82993
On a Cisco router running Cisco IOS Release 12.1(26)E7, an aggregate label for a Virtual Private Network Version 4 (VPNv4) Border Gateway Protocol (BGP) route may be missing.
This issue occurs if an aggregate network summary only command is used to create an aggregate route, and a static route exists for the same network.
Workaround: Remove the static route with the same network as the aggregate route.
•
CSCsh91117
Packets are dropped after a change in an access control list (ACL) on existing interfaces even though the ACL has a permit entry for the destination.
This issue only occurs when the ACL is changed on an interface that requires order-dependent programming.
Workaround: Perform the following steps:
1) Disable quality of service (QoS):
conf t
no mls qos
2) Remove the ACL from all the interfaces that share the label:
conf t
interface g1/1
no ip access-group xxx in
end
interface g1/2
no ip access-group xxx in
end
3) Reapply the ACL on all the interfaces:
conf t
interface g1/1
ip access-group xxx in
end
interface g1/2
ip access-group xxx in
end
Note that steps 2 and 3 assume only the interfaces g1/1 and g1/2 share the same label. If any other interfaces share the same label, repeat steps 2 and 3 for each of those interfaces.
4) Re-enable QoS:
conf t
mls qos
•
CSCsi45840
Address Resolution Protocol (ARP) requests to the Hot Standby Routing Protocol (HSRP) virtual IP address may fail.
The ARP requests may fail if the same HSRP IP address is used alternatively on different interfaces, and one of those interfaces has the switchport command configured and then unconfigured several times.
Workaround: Remove the HSRP configuration on an interface before configuring the switchport command on that interface.
•
CSCsi48550
On a Cisco 7500 router running a distributed Multilink Point-to-point Protocol (MLPPP), MLPPP lost fragments and discarded fragments are not mapped to any interface counters.
There are no known workarounds.
Open Caveats—Cisco IOS Release 12.1(26)E8
This section documents possible unexpected behavior by Cisco IOS Release 12.1(26)E8 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(26)E8.
Resolved Caveats—Cisco IOS Release 12.1(26)E8
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(26)E8. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCds33629
Closing an existing Telnet session may cause a router to crash.
This issue is platform-independent.
There are no known workarounds.
•
CSCdz09043
Cisco IOS processes Distance Vector Multicast Routing Protocol (DVMRP) probes by default. This default leads to unintended behavior: DVMRP packets are processed even if DVMRP is not configured.
This issue occurs because the default was set incorrectly. The interoperability default should have been set to "off", not "on".
There are no known workarounds.
•
CSCeb70098
The object dot1dTpLearnedEntryDiscards counter always returns a value of zero.
There are no known workarounds.
•
CSCef08173
A Versatile Interface Processor (VIP) reloads because of memory corruption that is caused by a hardware issue of the PA-2FE port adapter.
This issue occurs when the VIP and port adapter function under stress, when the VIP is unable to serve memory read/write requests from the port adapter, and when there are PCI retry timeouts.
There are no known workarounds.
•
CSCeh17756
The Protocol Independent Multicast (PIM) assert mechanism is not functioning properly, causing provider edge (PE) routers to remove VPN routing and forwarding (VRF) subinterfaces from output interface lists, and, in turn, causing multicast traffic to be dropped.
This issue occurs when redundant PE routers and customer edge (CE) routers are located on one LAN segment and when the CE routers select different PE routers as their next hop.
Workaround: Change the configuration so that all CE routers on one LAN segment select the same PE router as their next hop.
•
CSCin86455
Auto-provisioning is disabled on a Cisco router that is configured with a PA-A3 port adapter.
This issue occurs when a virtual circuit (VC) class that is configured for create on-demand is attached to the main Asynchronous Transfer Mode (ATM) interface and then the create on-demand configuration is removed and re-applied to the VC class.
Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the ATM interface of the PA-A3 port adapter.
•
CSCsb12598
A Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.
Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.
Cisco IOS is affected by the following vulnerabilities:
–
Processing ClientHello messages, documented as Cisco bug ID CSCsb12598
–
Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304
–
Processing Finished messages, documented as Cisco bug ID CSCsd92405
Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml.
Note
Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml.
A combined software table for Cisco IOS is available to aid customers in choosing a software release that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.
•
CSCsb40304
A Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.
Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.
Cisco IOS is affected by the following vulnerabilities:
–
Processing ClientHello messages, documented as Cisco bug ID CSCsb12598
–
Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304
–
Processing Finished messages, documented as Cisco bug ID CSCsd92405
Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml.
Note
Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml.
A combined software table for Cisco IOS is available to aid customers in choosing a software release that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.
•
CSCsc72722
Transmission Control Protocol (TCP) connections that are opened through a Cisco IOS Firewall (Context-based Access Control (CBAC)) may not time out.
This issue occurs because, when the Cisco IOS Firewall (CBAC) is enabled, the TCP idle timer for a session may be reset by TCP packets that fail TCP inspection and are subsequently dropped. This can lead to the TCP session not timing out.
There are no known workarounds.
•
CSCsd75273
Cisco Catalyst 6000, 6500 series and Cisco 7600 series that have a Network Analysis Module installed are vulnerable to an attack, which could allow an attacker to gain complete control of the system. Only Cisco Catalyst systems that have a NAM on them are affected. This vulnerability affects systems that run Cisco IOS or Catalyst Operating System (CatOS).
Cisco has made free software available to address this vulnerability for affected customers.
A Cisco Security Advisory for this vulnerability is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070228-nam.shtml.
•
CSCsd88401
Traffic drops of 0.002%, or 1 packet every minute, can occur on a router with an OSM-2+4GE-WAN+ module connected to a traffic generator (such as IXIA or N2X) when traffic is running between the traffic generator and the GE-WAN interface on PWAN2.
This issue only occurs when IXIA is configured to generate an IPv4 TCP/UDP packet with a data pattern of "Random". The drops occur on the GE-WAN slot/2 interface only, that is, on the second port of the PWAN2 only, and not on other ports.
Workaround: Configure the IXIA traffic generator to use a fixed or incrementing data pattern.
•
CSCsd92405
A Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.
Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.
Cisco IOS is affected by the following vulnerabilities:
–
Processing ClientHello messages, documented as Cisco bug ID CSCsb12598
–
Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304
–
Processing Finished messages, documented as Cisco bug ID CSCsd92405
Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml.
Note
Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml.
A combined software table for Cisco IOS is available to aid customers in choosing a software release that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.
•
CSCse03724
The Gigabit Ethernet Interface Processor (GEIP) interface does not count input errors.
This issue occurs on either the GEIP or Enhanced Gigabit Ethernet Interface Processor (GEIP+).
There are no known workarounds.
•
CSCse12195
Connected ports may transition from the up state to the down state with no apparent cause.
This issue occurs on a 16-port Gigabit Ethernet Gigabit Interface Converter (GBIC) line card (WS-X6816-GBIC) when the following two conditions are met: (1) A 1000Base-T GBIC is inserted after the WS-X6816-GBIC has been powered up, and (2) Port 1 is enabled, not connected, and set to auto-negotiate.
Workaround: Disable auto-negotiation on port 1 by entering the speed nonnegotiate command. Two alternate workarounds: (1) Remove all 1000Base-T GBICs that are in use, reset the WS-X6816-GBIC, and refrain from using 1000Base-T GBICs, or (2) Disable port 1.
•
CSCse30376
When modifying, configuring, or reapplying an access control list (ACL) on the supervisor when a route-map (PBR) that utilizes that ACL is already installed, a Ternary Content Addressable Memory (TCAM) misprogramming situation occurs, which ultimately causes a connectivity problem.
This issue occurs on a router running Cisco IOS Release 12.1E with a Sup2/Multilayer Switch Feature Card 2 (MSFC2) installed.
Workaround: Remove and re-apply the route-map to the interface.
•
CSCse40423
The tunnel interface doesn't ping the other end of the tunnel with an Asynchronous Transfer Mode (ATM) interface.
This issue occurs after configuration, when the ATM and tunnel interfaces are up.
Workaround: Enter a sequence of shut/no shut commands on any end of tunnel interface.
•
CSCse52951
Cisco Catalyst 6000, 6500 series and Cisco 7600 series that have a Network Analysis Module installed are vulnerable to an attack, which could allow an attacker to gain complete control of the system. Only Cisco Catalyst systems that have a NAM on them are affected. This vulnerability affects systems that run Cisco IOS or Catalyst Operating System (CatOS).
Cisco has made free software available to address this vulnerability for affected customers.
A Cisco Security Advisory for this vulnerability is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070228-nam.shtml.
•
CSCse68138
Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:
–
Session Initiation Protocol (SIP)
–
Media Gateway Control Protocol (MGCP)
–
Signaling protocols H.323, H.254
–
Real-time Transport Protocol (RTP)
–
Facsimile reception
Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.
There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml
•
CSCse89073
The Asynchronous Transfer Mode (ATM) blade is getting stuck periodically and is not able to receive any more cells on any of the circuits configured.
This issue occurs when the ATM blade is receiving Cisco Discovery Protocol (CDP) packets over a configured virtual circuit.
Workaround: Reset the module from the supervisor. Applying the sequence of corrupt, halt_rxhost, and halt_txhost commands may improve the situation also.
•
CSCse92050
An unexpected router reload occurs when a routing event causes the Reverse Path Forwarding (RPF) interface to change to the interface configured as the multicast boundary.
There are no known workarounds.
•
CSCse98596
The following error message appears in the log or on the console:
13w3d: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet8/5 (not full duplex), with VoiceRouter-1 FastEthernet3/0 (full duplex).
This issue occurs when Cisco Multicast Manager (CMM) is running.
Workaround: Set the CMM interface to half duplex or turn off the Cisco Discovery Protocol (CDP). Neither workaround solves the issue of the router side being half-duplex.
•
CSCsf04754
Multiple Cisco products contain either of two authentication vulnerabilities in the Simple Network Management Protocol version 3 (SNMPv3) feature. These vulnerabilities can be exploited when processing a malformed SNMPv3 message. These vulnerabilities could allow the disclosure of network information or may enable an attacker to perform configuration changes to vulnerable devices. The SNMP server is an optional service that is disabled by default. Only SNMPv3 is impacted by these vulnerabilities. Workarounds are available for mitigating the impact of the vulnerabilities described in this document.
The United States Computer Emergency Response Team (US-CERT) has assigned Vulnerability Note VU#878044 to these vulnerabilities.
Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-0960 has been assigned to these vulnerabilities.
This advisory will be posted at http://www.cisco.com/warp/public/707/cisco-sa-20080610-snmpv3.shtml
•
CSCsf07847
Specifically crafted Cisco Discovery Protocol (CDP) packets can cause a router to allocate and keep extra memory. Exploitation of this behavior by sending multiple specifically crafted CDP packets can cause memory allocation problems on the router. Because CDP is a layer-2 protocol, this issue can only be triggered by systems that are residing on the same network segment.
This issue occurs when the CDP packet header length is less than the predefined header length (4 bytes).
Workaround: Disable CDP on interfaces where CDP is not necessary.
•
CSCsf21446
The Enhanced Gigabit Ethernet Interface Processor (GEIP+) on a Cisco 7500 router can cause connectivity issues, including one-way issues (such as a routing protocol flap), the GEIP+ getting stuck, or link-up delays of 5 seconds to 5 minutes.
Workaround: Perform a shut/no shut at the GEIP+.
•
CSCsf23816
A standby route processor (RP) sends packets with "0" filled source and destination MAC addresses.
This issue occurs when an Ethernet port of a standby RP is connected to a network and is running Cisco IOS Release 12.1E.
There are no known workarounds.
•
CSCsf29400
You cannot ping the Cisco Multicast Manager (CMM) activate (ACT) module FE interface from the supervisor, but you can ping it from other devices on the same subnet. If you have redundant paths to this network, other devices may also be able to ping the ACT. Pinging to or from the same-chassis supervisor does not work.
Symptoms of this problem include incomplete Address Resolution Protocol (ARP) entries for ACT module IPs in the router's ARP table, and output such as the following when a debug arp command is issued from the native IOS side during a ping:
16w3d: IP ARP rep filtered src {ACT Fa IP} {ACT Fa MAC}, dst {Supervisor IP} {Sup MAC} it's our address.
This issue typically occurs when a CMM module is using a sup1A with Cisco IOS Release 12.1(20)E, although it can also occur with Cisco IOS Release 12.2(18)SXD6 on various hardware including Supervisor Engine 720s.
Workaround: Reloading the CMM or hard-coding a MAC address onto the router-side interfaces may resolve the issue. To hard-code a MAC address, first use the show int [(gig|fa) {mod}/0-3] | inc bia command on the CMM to view the MACs. Then add 5 to each MAC, and manually assign them to the appropriate interface on the supervisor using the mac-address {mac} command.
•
CSCsf31542
A router running Cisco IOS Release 12.1(22)E1 experiences a medium buffer leak. The remote command switch show buffers command is displaying a very high value for the number of total medium buffers, and the logs contain switch processor (SP) IO memory allocation failures of the form:
%SYS-SP-2-MALLOCFAIL: Memory allocation of X bytes failed from Y, alignment Z.
Workaround: Enter the show buffer pool medium dump command (with term len 0) to help the Technical Assistance Center (TAC) confirm the problem, and if this problem is confirmed, then reload the router.
•
CSCsg02881
The bandwidth of a multilink group interface that is down does not reflect the actual bandwidths of the links that are configured as members of the multilink group. In Cisco IOS Release 12.4(8) and later, the multilink interface bandwidth reflects the bandwidth of the last link in the bundle prior to going down. In earlier versions, the bandwidth is restored to 100000 Kbps.
This issue occurs only when the multilink interface is down. The bandwidth is correct when the multilink bundle is up.
There are no known workarounds.
•
CSCsg13124
The L3VlanMet, Ingress, and Egress Span tests fail on WS-X6516A-GBIC and WS-X6548-GE-TX if they come online while the system is in flow-through mode.
This issue occurs because the bridge ASIC used on these two line cards requires a specific synchronization sequence to be applied when enabling it for testing purposes.
There are no known workarounds.
•
CSCsg81391
After approximately 497 days of system up time, the ILMI keepalive fails. As a result of this failure, SVCs are torn down and connections are lost.
ILMI keepalives fail because of the rollover of the sysup timer, which is a 32-bit counter. The timer rolls over after 497 days of system up time.
Workaround: Reload the node before 497 days of system up time is reached.
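The rollover behind CSCsg81391, as an added illustration that is not Cisco code: it shows why a 32-bit tick counter wraps at about 497 days and how a plain deadline comparison reports a keepalive timeout during the wrap even though the peer answers on time. The 10 ms tick, the keepalive interval and timeout, and all function names are assumptions made for the example.

```python
"""32-bit uptime counter rollover and keepalive deadlines (added example, not Cisco code)."""

COUNTER_MODULUS = 2 ** 32    # the caveat states that the timer is a 32-bit counter
TICKS_PER_SECOND = 100       # assumption: 10 ms ticks, which yields the 497-day figure
SECONDS_PER_DAY = 86_400


def rollover_days() -> float:
    """Days of uptime before the counter wraps back to zero."""
    return COUNTER_MODULUS / TICKS_PER_SECOND / SECONDS_PER_DAY


def days_until_rollover(uptime_ticks: int) -> float:
    """Days left before the wrap, for scheduling the reload workaround."""
    remaining = COUNTER_MODULUS - (uptime_ticks % COUNTER_MODULUS)
    return remaining / TICKS_PER_SECOND / SECONDS_PER_DAY


def expired_naive(now: int, deadline: int) -> bool:
    """Plain comparison: wrong while the deadline has wrapped and `now` has not."""
    return now >= deadline


def expired_wrap_safe(now: int, deadline: int) -> bool:
    """Serial-number comparison: interpret the 32-bit difference as signed."""
    diff = (now - deadline) % COUNTER_MODULUS
    return diff < COUNTER_MODULUS // 2


def count_false_expiries(expired, start_tick, keepalives, interval=100, timeout=500):
    """Simulate a peer that always answers on time and count bogus timeouts.

    Each keepalive re-arms the deadline `timeout` ticks ahead; the next
    keepalive arrives `interval` ticks later, well inside the timeout, so
    every expiry reported by `expired` is a false alarm.
    """
    now = start_tick % COUNTER_MODULUS
    false_alarms = 0
    for _ in range(keepalives):
        deadline = (now + timeout) % COUNTER_MODULUS   # stored in 32 bits
        now = (now + interval) % COUNTER_MODULUS       # next keepalive, on time
        if expired(now, deadline):
            false_alarms += 1
    return false_alarms


if __name__ == "__main__":
    start = COUNTER_MODULUS - 1000   # constructed: 10 seconds before the wrap
    print(f"counter wraps after {rollover_days():.1f} days")
    print("naive false expiries:    ", count_false_expiries(expired_naive, start, 20))
    print("wrap-safe false expiries:", count_false_expiries(expired_wrap_safe, start, 20))
```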
Open Caveats—Cisco IOS Release 12.1(27b)E1
This section documents possible unexpected behavior by Cisco IOS Release 12.1(27b)E1 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(27b)E1.
Resolved Caveats—Cisco IOS Release 12.1(27b)E1
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(27b)E1. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdw06565
When no ip routing is configured on a router, an IP address is configured on an interface, and then a no shut command is entered, the Address Resolution Protocol (ARP) entry for that interface should be added in the ARP table. This is not occurring.
Workaround: Enter a clear arp command to get the entries for the connected interfaces.
•
CSCea24421
Intermediate System-to-Intermediate System (IS-IS) load balancing may not function correctly. This can occur in the following topology:
–
Three routers—router A, router B, and router C—reside on a broadcast media.
–
Router A is the root node that performs Shortest Path First (SPF) and has a direct path to both router B and router C.
–
There is also an additional path between router A and router B.
–
When you configure IS-IS to enable router A to reach router C along two equal-cost paths, router A may not use the direct path (that is, one of the two equal-cost paths) to router C but may only use the additional path via router B to reach router C.
There are no known workarounds.
•
CSCee30718
The Border Gateway Protocol (BGP) max community limit (255 for standard communities and 128 for extended communities) should be removed for RFC1771 compliance.
There are no known workarounds.
•
CSCef08173
A Versatile Interface Processor (VIP) in which a PA-2FE port adapter is installed may reload because of memory corruption that is caused by a hardware issue of the PA-2FE port adapter.
This issue is observed when the VIP and port adapter function under stress, when the VIP is unable to serve memory read/write requests from the port adapter, and when there are PCI retry timeouts.
There are no known workarounds.
•
CSCeg17983
The following messages can be seen on a Sup720 configured for Authentication, Authorization, and Accounting (AAA) Accounting:
%SYS-3-NOELEMENT: data_enqueue:Ran out of buffer elements for enqueue
-Process= "Virtual Exec", ipl= 5, pid= 261
-Traceback= 403119C4 40366704 4022A580 4022AB0C 4022AC80 4022B970 4022DBA8 402203D8 4025BDD0 40294A2C 4035B558 4035B544
%AAAA-3-DROPACCTLOWMEM: Accounting record dropped due to low memory: connection-stop
There are no known workarounds.
•
CSCeg41727
A Cisco router may not correctly set the next-hop for static routes that are redistributed into the Border Gateway Protocol (BGP).
This issue can occur under the following conditions:
–
The next-hop of the static route is not reachable through a directly connected interface, that is, the next-hop of the static route is learned using a routing protocol.
–
This problem was introduced by CSCec14415 so any version that has the code fix for that defect will show the problem.
Workaround: Configure a route-map to set the next-hop to the desired value.
•
CSCeg49075
The running configuration is larger in the nondesignated router (NDR) than in the designated router (DR), and the remark lines in the access lists (ACLs) are duplicated.
The remark lines in the ACLs get duplicated in the NDR when the configuration is synchronized or when the copy start run command is executed.
Workaround: The problem exists only if an ACL has trailing remarks. A trailing remark is a remark at the end of an ACL that is not followed by an ACL entry. Either of the following workarounds will prevent the problem:
1) Do not configure any trailing remarks in ACLs.
2) Add a deny ip any any entry to the end of the ACLs that have trailing remarks. This will not change the ACL matching behavior in any way; ACLs implicitly deny all packets once the end of an ACL has been reached.
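One way to find the ACLs that CSCeg49075 affects before the configuration is synchronized, as an added example that is not Cisco tooling: it parses a saved configuration and reports every numbered or named ACL whose last line is a remark. The sample configuration is constructed, and the function names are hypothetical.

```python
"""Flag ACLs that end in a trailing remark (added example, not Cisco tooling)."""
import re

# Numbered form:  access-list 101 remark ... / access-list 101 permit ...
NUMBERED_ENTRY = re.compile(r"^access-list\s+(\d+)\s+(.+)$")
# Named form:     ip access-list extended NAME, followed by indented entries
NAMED_HEADER = re.compile(r"^ip access-list\s+(?:standard|extended)\s+(\S+)\s*$")
# An entry is a remark, with or without a leading sequence number
REMARK_ENTRY = re.compile(r"^(?:\d+\s+)?remark\b")

# Constructed sample input, not taken from any real device.
SAMPLE_CONFIG = """\
access-list 10 remark mgmt hosts
access-list 10 permit 192.0.2.10
access-list 101 remark web servers
access-list 101 permit tcp any host 192.0.2.20 eq 443
access-list 101 remark TODO add mail rule
!
ip access-list extended EDGE-IN
 remark block spoofed sources
 deny ip 10.0.0.0 0.255.255.255 any
 permit ip any any
ip access-list extended LAB
 permit ip any any
 remark decommission in Q3
!
interface FastEthernet0/0
 ip access-group EDGE-IN in
"""


def parse_acls(config_text):
    """Return {acl_name: [entries in configuration order]}."""
    acls = {}
    current_named = None                 # named ACL whose block we are inside
    for raw in config_text.splitlines():
        line = raw.rstrip()
        stripped = line.strip()
        if not stripped or stripped == "!":
            current_named = None         # separators end a named ACL block
            continue
        numbered = NUMBERED_ENTRY.match(line)
        if numbered:
            current_named = None
            acls.setdefault(numbered.group(1), []).append(numbered.group(2).strip())
            continue
        header = NAMED_HEADER.match(line)
        if header:
            current_named = header.group(1)
            acls.setdefault(current_named, [])
            continue
        if current_named is not None and line[0].isspace():
            acls[current_named].append(stripped)   # indented entry of the block
        else:
            current_named = None         # any other top-level command ends it
    return acls


def trailing_remark_acls(config_text):
    """Names of ACLs whose final line is a remark not followed by an ACL entry."""
    return [
        name
        for name, entries in parse_acls(config_text).items()
        if entries and REMARK_ENTRY.match(entries[-1])
    ]


if __name__ == "__main__":
    for name in trailing_remark_acls(SAMPLE_CONFIG):
        print(f"ACL {name}: trailing remark, see workarounds 1 and 2")
```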
•
CSCeh56032
The egress Versatile Interface Processor (VIP) may crash when Network-Based Application Recognition (NBAR) is configured on the Ingress VIP.
Workaround: Enable fair-queue on all serial interfaces.
•
CSCek26492
Symptoms: A router may crash if it receives a packet with a specific crafted IP option as detailed in Cisco Security Advisory: Crafted IP Option Vulnerability:
http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml
Conditions: This DDTS resolves a symptom of CSCec71950. Cisco IOS with this specific DDTS are not at risk of crash if CSCec71950 has been resolved in the software.
Workaround: Cisco IOS versions with the fix for CSCec71950 are not at risk for this issue and no workaround is required. If CSCec71950 is not resolved, see the following Cisco Security Advisory: Crafted IP Option Vulnerability for workaround information:
http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml
•
CSCek37177
The Cisco IOS Transmission Control Protocol (TCP) listener in certain versions of Cisco IOS software is vulnerable to a remotely-exploitable memory leak that may lead to a denial of service condition.
This vulnerability only applies to traffic destined to the Cisco IOS device. Traffic transiting the Cisco IOS device will not trigger this vulnerability.
Cisco has made free software available to address this vulnerability for affected customers.
This issue is documented as Cisco bug ID CSCek37177.
There are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-tcp.shtml
•
CSCin86455
Auto-provisioning may be disabled on a Cisco router that is configured with a PA-A3 port adapter.
This issue is observed when a virtual circuit (VC) class that is configured for create on-demand is attached to the main Asynchronous Transfer Mode (ATM) interface and then the create on-demand configuration is removed and re-applied to the VC class.
Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the ATM interface of the PA-A3 port adapter.
•
CSCsb96107
When enabling ip inspect, SQL packets cause a memory leak in the IP input process.
There are no known workarounds.
•
CSCsc20037
The debug ip ospf hello command does not show hellos originated by the router on which the debug is executed.
Workaround: Enter the debug ip packets command using access lists that allow only Open Shortest Path First (OSPF) packets.
•
CSCsc28959
The bridged entry is not cleared after the bridge-group setting is removed from the router. During this time, fall-back bridging is stopped. After a few minutes, the bridged entry is cleared, and fall-back bridging starts.
Although the stale MAC entry is eventually removed as a result of the L2 aging timer, this fix eliminates that delay by adding the clear mac-address-table dynamic bridged mac_address clear bridge group_number command. This command immediately removes the MAC entry when a user deletes the bridge-group from the VLAN interface configuration.
Workaround: The stale MAC entry is eventually removed as a result of the L2 aging timer.
•
CSCsc33562
IF-MIB ifInOctets returns a negative value for the MLP (Multilink PPP) interface.
This issue occurs after several flaps of the multilink interface and member links, followed by reloads of the customer premises equipment (CPE router) connecting to the multilink interface.
Workaround: Use the packets input counter under the show interface multilink x command.
•
CSCsc72722
Transmission Control Protocol (TCP) connections that are opened through a Cisco IOS Firewall (CBAC) may not time out.
With Cisco IOS Firewall (CBAC) enabled, the TCP idle timer for a session may be reset even by TCP packets that fail TCP inspection and are subsequently dropped. This could lead to the TCP session not timing out.
There are no known workarounds.
•
CSCsd05720
The Hot Standby Router Protocol (HSRP) sends a cHsrpStateChange trap two times when the group changes to Active state.
This issue occurs when running Cisco IOS Release 12.1E with the following configuration:
----------
snmp-server enable traps hsrp
snmp-server host x.x.x.x version 2c public
interface x
ip address x.x.x.x x.x.x.x
standby x.x.x.x
----------
There are no known workarounds.
•
CSCsd22650
The Cisco 7200 platform experiences the disappearance of Simple Network Management Protocol (SNMP) v3 user information after switchover or reload.
There are no known workarounds.
•
CSCsd34759
The VLAN Trunking Protocol (VTP) feature in certain versions of Cisco IOS software may be vulnerable to a crafted packet sent from the local network segment, which may lead to a denial of service condition.
The packets must be received on a trunk enabled port.
There are no known workarounds.
•
CSCsd34855
The VLAN Trunking Protocol (VTP) feature in certain versions of Cisco IOS software is vulnerable to a locally-exploitable buffer overflow condition and potential execution of arbitrary code. If a VTP summary advertisement is received with a Type-Length-Value (TLV) containing a VLAN name greater than 100 characters, the receiving switch will reset with an Unassigned Exception error.
The packets must be received on a trunk enabled port, with a matching domain name and a matching VTP domain password (if configured).
There are no known workarounds.
•
CSCsd50113
Hot Standby Router Protocol (HSRP) state change logging messages are currently at log level 6 (informational). They should be log level 5 (notice).
There are no known workarounds.
•
CSCsd55300
After adding the statements for Data-Link Switching (DLSw) Ethernet Redundancy to the VLAN interface, two routers never establish a master slave relationship.
This issue occurs when setting up DLSW Ethernet Redundancy between two routers that have either SUP720 or SUP32 supervisor modules. After the configuration is added, the routers send out Logical Link Control (LLC) frames to form a master slave relationship but neither router sees the frames from the other router.
Workaround: In the router configuration for the router that is configured as the master, locate a configuration command similar to the following:
dlsw transparent redundancy-enable 9999.9999.9999 master-priority 5
Remove this command and then put it back as follows:
no dlsw transparent redundancy-enable 9999.9999.9999 master-priority 5
dlsw transparent redundancy-enable 9999.9999.9999 master-priority 5
This should correct the problem.
•
CSCsd75273
Cisco Catalyst 6000, 6500 series and Cisco 7600 series that have a Network Analysis Module installed are vulnerable to an attack, which could allow an attacker to gain complete control of the system. Only Cisco Catalyst systems that have a NAM on them are affected. This vulnerability affects systems that run Cisco IOS or Catalyst Operating System (CatOS).
Cisco has made free software available to address this vulnerability for affected customers.
A Cisco Security Advisory for this vulnerability is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070228-nam.shtml.
•
CSCsd95752
An Enable Authentication request is sent to the wrong Authentication, Authorization, and Accounting (AAA) server when it is configured for a different server group than the server group set by the initial user login method.
This issue occurs when login authentication is set to go to one AAA server group, and the enable authentication is set to go to a different AAA server group.
Workaround: Configure the Enable Authentication to go to the same server as the login authentication.
•
CSCse03724
The Gigabit Ethernet Interface Processor (GEIP) interface does not count input errors.
This issue may occur on a GEIP or GEIP+ interface.
There are no known workarounds.
•
CSCse17611
When Data-Link Switching (DLSw) Ethernet Redundancy is configured, circuits may be established through the wrong switch.
This issue is observed in the following configuration:
–
Clients are connecting to MAC A.
–
Mapping statements are configured so that router 1 has a mapping of MAC A = MAC A and router 2 has a mapping of MAC B = MAC A.
The output of the show dlsw transparent map shows that router 1 has the active mapping and that router 2 has the passive mapping. All circuits should be established on router 1, but instead they are established on router 2.
The outputs of the show dlsw trans neighbor and show dlsw trans map commands show correct information, but the output of the show dlsw cir cache command shows state "negative" on router 1 and state "positive" on router 2.
There are no known workarounds. Note that all circuits are up and running, but they just go through the wrong router.
•
CSCse40423
On an Asynchronous Transfer Mode (ATM) interface, the tunnel interface doesn't ping the other end of the tunnel. After configuration, the ATM and tunnel interfaces are up.
Workaround: Enter a sequence of shut/no shut on any end of the tunnel interface.
•
CSCse52951
Cisco Catalyst 6000, 6500 series and Cisco 7600 series that have a Network Analysis Module installed are vulnerable to an attack, which could allow an attacker to gain complete control of the system. Only Cisco Catalyst systems that have a NAM on them are affected. This vulnerability affects systems that run Cisco IOS or Catalyst Operating System (CatOS).
Cisco has made free software available to address this vulnerability for affected customers.
A Cisco Security Advisory for this vulnerability is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070228-nam.shtml.
•
CSCse68138
Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:
–
Session Initiation Protocol (SIP)
–
Media Gateway Control Protocol (MGCP)
–
Signaling protocols H.323, H.254
–
Real-time Transport Protocol (RTP)
–
Facsimile reception
Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.
There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml
Open Caveats—Cisco IOS Release 12.1(27b)E
This section documents possible unexpected behavior by Cisco IOS Release 12.1(27b)E and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(27b)E.
Resolved Caveats—Cisco IOS Release 12.1(27b)E
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(27b)E. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCsc41793
A router running Cisco IOS Release 12.1(19)E1 is periodically reporting the following message:
%AAAA-3-TIMERNOPER: AAA/ACCT/TIMER: No periodic update but timer set.
-Traceback= FC56C FC370 FDAFC 1DB024
There are no known workarounds.
Open Caveats—Cisco IOS Release 12.1(26)E7
This section documents possible unexpected behavior by Cisco IOS Release 12.1(26)E7 and describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCse40423
On an Asynchronous Transfer Mode (ATM) interface, the tunnel interface doesn't ping the other end of the tunnel. After configuration, the ATM and tunnel interfaces are up.
Workaround: Enter a sequence of shut/no shut on any end of the tunnel interface.
Resolved Caveats—Cisco IOS Release 12.1(26)E7
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(26)E7. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdw06565
When no ip routing is configured on a router, an IP address is configured on an interface, and then a no shut command is entered, the Address Resolution Protocol (ARP) entry for that interface should be added in the ARP table, but is not.
Workaround: Enter a clear arp command to get the entries for the connected interfaces.
•
CSCea24421
Intermediate System-to-Intermediate System (IS-IS) load balancing may not function correctly. This issue can occur in the following topology:
–
Three routers—router A, router B, and router C—reside on a broadcast media.
–
Router A is the root node that performs Shortest Path First (SPF) and has a direct path to both router B and router C.
–
There is also an additional path between router A and router B.
–
When you configure IS-IS to enable router A to reach router C along two equal-cost paths, router A may not use the direct path (that is, one of the two equal-cost paths) to router C but may only use the additional path via router B to reach router C.
There are no known workarounds.
•
CSCeg17983
A Sup720 running Cisco IOS Release 12.2(18)SXD1 and configured for Authentication, Authorization, and Accounting (AAA) Accounting, ran out of buffer elements for the enqueue.
There are no known workarounds.
•
CSCeg41727
A Cisco router may not correctly set the next-hop for static routes that are redistributed into the Border Gateway Protocol (BGP). This issue can occur when the next-hop of the static route is not reachable using a directly connected interface, that is, when the next-hop of the static route is learned using a routing protocol. This problem was introduced in caveat CSCec14415.
Workaround: Configure a route-map to set the next-hop to the desired value.
•
CSCeh54086
An Area Border Router (ABR) can fail to flush a Type 3 link-state advertisement (LSA) after shutting down an interface in a different area.
Workaround: Enter the clear ip ospf command.
•
CSCeh56032
The Egress Versatile Interface Processor (VIP) may crash when Network-Based Application Recognition (NBAR) is configured on the Ingress VIP.
Workaround: Enable fair-queue on all serial interfaces.
•
CSCei62762
Incorrect packet decoding can occur when a crafted packet is sent to a tunnel destination with a crafted Generic Routing Encapsulation (GRE) header.
Workaround: Upgrade to a Cisco IOS release containing fixes for the following caveats: CSCuk27655, CSCea22552, or CSCei62762.
•
CSCek26492
Symptoms: A router may crash if it receives a packet with a specific crafted IP option as detailed in Cisco Security Advisory: Crafted IP Option Vulnerability:
http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml
Conditions: This DDTS resolves a symptom of CSCec71950. Cisco IOS releases with this specific DDTS are not at risk of a crash if CSCec71950 has been resolved in the software.
Workaround: Cisco IOS versions with the fix for CSCec71950 are not at risk for this issue and no workaround is required. If CSCec71950 is not resolved, see the following Cisco Security Advisory: Crafted IP Option Vulnerability for workaround information:
http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml
•
CSCek37177
The Cisco IOS Transmission Control Protocol (TCP) listener in certain versions of Cisco IOS software is vulnerable to a remotely-exploitable memory leak that may lead to a denial of service condition.
This vulnerability only applies to traffic destined to the Cisco IOS device. Traffic transiting the Cisco IOS device will not trigger this vulnerability.
Cisco has made free software available to address this vulnerability for affected customers.
This issue is documented as Cisco bug ID CSCek37177.
There are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-tcp.shtml
•
CSCsb96107
When enabling ip inspect, SQL packets cause a memory leak in the IP input process.
There are no known workarounds.
•
CSCsc20037
The debug ip ospf hello command does not show hellos originated by the router on which the debug is executed.
Workaround: Enter the debug ip packets command using access lists that allow only Open Shortest Path First (OSPF) packets.
•
CSCsc33562
Incorrect Simple Network Management Protocol (SNMP) ifInOctets and ifOutOctets counters are returned on a Cisco 7513 after several Multilink PPP (MLP) interface flaps.
Workaround: Use the packets input counter in the show interfaces multilink command.
•
CSCsd05720
The Hot Standby Routing Protocol (HSRP) sends a cHsrpStateChange trap two times when the group changes to the Active state.
There are no known workarounds.
•
CSCsd22650
The Cisco 7200 platform experiences the disappearance of Simple Network Management Protocol (SNMP) v3 user information after a switchover or reload.
There are no known workarounds.
•
CSCsd34759
Symptoms: The VTP feature in certain versions of Cisco IOS software may be vulnerable to a crafted packet sent from the local network segment which may lead to denial of service condition.
Conditions: The packets must be received on a trunk enabled port.
Further Information: On the 13th September 2006, Phenoelit Group posted an advisory containing three vulnerabilities:
–
VTP Version field DoS
–
Integer Wrap in VTP revision
–
Buffer Overflow in VTP VLAN name
These vulnerabilities are addressed by Cisco IDs:
–
CSCsd52629/CSCsd34759—VTP version field DoS
–
CSCse40078/CSCse47765—Integer Wrap in VTP revision
–
CSCsd34855/CSCei54611—Buffer Overflow in VTP VLAN name
Cisco's statement and further information are available on the Cisco public website at
http://www.cisco.com/warp/public/707/cisco-sr-20060913-vtp.shtml
•
CSCsd34855
Symptoms: The VTP feature in certain versions of Cisco IOS software is vulnerable to a locally-exploitable buffer overflow condition and potential execution of arbitrary code. If a VTP summary advertisement is received with a Type-Length-Value (TLV) containing a VLAN name greater than 100 characters, the receiving switch will reset with an Unassigned Exception error.
Conditions: The packets must be received on a trunk enabled port, with a matching domain name and a matching VTP domain password (if configured).
Further Information: On the 13th September 2006, Phenoelit Group posted an advisory containing three vulnerabilities:
–
VTP Version field DoS
–
Integer Wrap in VTP revision
–
Buffer Overflow in VTP VLAN name
These vulnerabilities are addressed by Cisco IDs:
–
CSCsd52629/CSCsd34759—VTP version field DoS
–
CSCse40078/CSCse47765—Integer Wrap in VTP revision
–
CSCsd34855/CSCei54611—Buffer Overflow in VTP VLAN name
Cisco's statement and further information are available on the Cisco public website at
http://www.cisco.com/warp/public/707/cisco-sr-20060913-vtp.shtml
Open Caveats—Cisco IOS Release 12.1(26)E6
This section documents possible unexpected behavior by Cisco IOS Release 12.1(26)E6 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(26)E6.
Resolved Caveats—Cisco IOS Release 12.1(26)E6
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(26)E6. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCeb76341
A label may not be assigned for a peer provider edge (PE) router.
This issue is observed on a Cisco 7500 series router in a Virtual Private Network (VPN) configuration with multiple route reflectors (RRs) and label controlled ATM (LC-ATM) links between PE routers.
There are no known workarounds.
•
CSCej45800
On a router running in Hybrid mode, the Multilayer Switch Feature Card 2 (MSFC2) creates the Address Resolution Protocol (ARP) entry for the device in the private VLAN but then ages it out when the ARP timer expires. This ARP entry should not age out.
There are no known workarounds.
Open Caveats—Cisco IOS Release 12.1(26)E5
This section documents possible unexpected behavior by Cisco IOS Release 12.1(26)E5 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(26)E5.
Resolved Caveats—Cisco IOS Release 12.1(26)E5
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(26)E5. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdr43317
Auto-RP announcements from a directly-connected peer bypass the local interface multicast boundary. This issue occurs when auto-RP announcements are registered, and the register state is created prior to the local multicast boundary being configured. After configuring the boundary, the register state (and bypass) remain until a clear ip mroute command is entered. Ideally, configuring a multicast boundary would prevent all relevant packets from passing the boundary, regardless of pre-existing state.
Workaround: Enter clear ip mroute * command after configuring any multicast boundary.
•
CSCea24835
When the priority feature is added to a service policy that is attached to an interface without any priority feature and with traffic flowing through existing classes of that policy, traffic stops flowing through the other classes.
This issue occurs because the interface that has the output service policy is congested when the priority feature is added to the policy map.
Workaround: Remove and re-attach the service policy to the interface.
•
CSCed67708
PPP Multilink does not update the Simple Network Management Protocol (SNMP) ifStackTable to reflect the layering relationship between the bundle and member links.
There are no known workarounds.
•
CSCee49100
A high value is seen in maxOfNegativeSD or maxOfNegativeDS of the jitter statistics.
There are no known workarounds.
•
CSCef33784
Secure Shell (SSH) sessions to Cisco IOS Release 12.1(22)E1 devices do not terminate properly, regardless of the platform. This issue has been seen on Cisco 7200 routers.
The issue occurs when connecting over SSH to a router from a Sun/Solaris box or a MacOSX box (using the native ssh in each case). The following error message is the usual symptom:
Router#dabd 7419 c39b c716
Disconnecting: Bad packet length -625118183.
Specific IOS version is
IOS (tm) MSFC2 Software (C6MSFC2-JK2SV-M), Version 12.1(22)E1, EARLY
There are no known workarounds.
•
CSCef94455
The first hop router (FHR) incorrectly sets the F-flag for a group denied by the multicast boundary. This issue occurs at a first hop designated router with two loopback interfaces: the first loopback interface has Protocol Independent Multicast (PIM) enabled, the second loopback interface does not. Although a group address denied on the interface by the multicast boundary is created, when the non-PIM enabled interface is brought up it does not have the F-flag set and the (S,G) packet is not registered to the rendezvous point (RP). But when the other PIM-enabled interface goes up, the F-flag is set and the Data-header register is sent to the RP.
There are no known workarounds.
•
CSCeh01662
The output of the show interfaces gigabitethernet 0/0/0 command shows "Unknown, Unknown" for duplex mode and speed. However, the output of the show controllers gigabitethernet 0/0 command on the Versatile Interface Processor (VIP) displays correct information.
There are no known workarounds.
•
CSCeh34188
When two Open Shortest Path First (OSPF) areas generate the same intra-area route, and the route has the same cost in both areas attached to the same Area Border Router (ABR), the ABR might not generate the correct summary link state advertisement (LSA) (type 3) when the routes in the respective areas flap in the wrong order.
Workaround: Clear the OSPF process on ABR.
•
CSCeh62084
The ifIndex entry gets dropped from ifStackStatus when ifOperStatus is Down for the lower layer and ifAdminStatus is up. This issue occurs on a MultiLink PPP interface running Cisco IOS Release 12.3(8)T.
There are no known workarounds.
•
CSCeh73049
A vulnerability exists within the Cisco IOS Authentication, Authorization, and Accounting (AAA) command authorization feature, where command authorization checks are not performed on commands executed from the Tool Command Language (TCL) exec shell. This may allow authenticated users to bypass command authorization checks in some configurations resulting in unauthorized privilege escalation.
Devices that are not running AAA command authorization feature, or do not support TCL functionality are not affected by this vulnerability.
This vulnerability is present in all versions of Cisco IOS that support the tclsh command.
Workaround: This advisory with appropriate workarounds is posted at
http://www.cisco.com/warp/public/707/cisco-response-20060125-aaatcl.shtml
•
CSCei03130
The counter for the runts packets is not getting updated properly.
This counter issue is only seen with distributed platforms such as Cisco 7500 and Cisco 7600 routers.
There are no known workarounds.
•
CSCei77073
The Cisco IOS Network Time Protocol (NTP) uses the same source IP address to send packets, even if it does not get a reply from that interface.
This issue is not applicable for a source configured using the ntp source command.
There are no known workarounds.
•
CSCej45192
A spurious access is observed in Cisco 7200/7500/7600 routers running Cisco IOS Release 12.1(26.3)E.
This issue occurs when a service policy is unconfigured and reconfigured in a router a few times after sending traffic through that router.
There are no known workarounds.
•
CSCsa98325
When configuring fair-queue aggregate-limit and fair-queue individual-limit commands, the commands do not show up in the running configurations and the queues do not change to the configured value (as shown in the show int que command). There is a warning message that states changing the default values can be hazardous, but the system does not inform the user that the values will not be changed.
There are no known workarounds.
•
CSCsb11124
The Cisco IOS Stack Group Bidding Protocol (SGBP) feature in certain versions of Cisco IOS software is vulnerable to a remotely-exploitable denial of service condition. Devices that do not support or have not enabled the SGBP protocol are not affected by this vulnerability.
Cisco has made free software available to address this vulnerability for affected customers. There are workarounds available to mitigate the effects of the vulnerability.
Cisco has published a Security Advisory on this issue; it is available at
http://www.cisco.com/warp/public/707/cisco-sa-20060118-sgbp.shtml
•
CSCsb12329
The ifAdminStatus for an Asynchronous Transfer Mode (ATM) subinterface shows "DOWN" when neither the subinterface, nor the main interface, has been shut down.
This issue occurs when the line is down (when ifOperStatus is DOWN).
There are no known workarounds.
•
CSCsb79759
The wrong path for an external route may be installed in the routing table in addition to the right path.
This issue occurs because of a metric conflict in the Autonomous System Border Router (ASBR), which originates external link-state advertisements (LSAs) and is reachable via two areas - the regular one (for example, area 0) and the Not-So-Stubby Area (NSSA). The total metric, including the forwarding address, is better through the regular area, however, the better metric to ASBR is through the NSSA area. This problem occurs in all IOS versions. Similar sets of problems also occur in Open Shortest Path First (OSPF) v3 for IPv6.
Workaround: If possible, increase the metric in the NSSA area so that the path towards the ASBR through the NSSA area has a higher cost than the path using the regular area.
•
CSCsb97997
User Tracking (Campus Manager) is not able to display the hosts connected to a router. This issue has been observed using Campus Manager 4.0 on Cisco IOS Release 12.1(26)E.
This issue occurs when there are dynamic learned entries for the router port as shown in the output of the show mac-address-table dynamic command.
Workaround: Find an entry of "vlan_id xxxx.xxxx.xxxx dynamic Yes -- Router" in the output of the show mac-address-table dynamic command.
Send an SNMP GETNEXT request with dot1dTpFdbAddress referring to the MAC address "xxxx.xxxx.xxxx" to get the next forwarding entry. Once this new forwarding entry is obtained, the entry after this new entry may be obtained through subsequent GETNEXT requests.
•
CSCsc03828
An Autonomous System Border Router (ASBR) router running Open Shortest Path First (OSPF) and configured with the area xxx nssa default-information-originate command may continue to advertise a default route on a Not-So-Stubby Area (NSSA) area even after the default Border Gateway Protocol (BGP) route is withdrawn and removed from the routing table.
This issue occurs when an OSPF ASBR is learning one or more BGP default routes.
Workaround: Do not use area xxx nssa default-information-originate command.
•
CSCsc83334
Enhanced Interior Gateway Routing Protocol (EIGRP) neighbors may be reset unnecessarily on an interface that is configured with summarization. The following output is displayed when this symptom occurs:
%DUAL-5-NBRCHANGE: IP-EIGRP 111: Neighbor x.x.x.x (FastEthernet4/0) is down: Summary up, remove external
The summary is regenerated on an interface if all components of the summary are lost and at least one component is relearned.
A similar issue is already fixed by CSCdz26469, and Cisco IOS Release 12.1(19)E does not have this problem. However, this issue occurs again in Cisco IOS Release 12.1(20)E or later.
Workaround: Remove the EIGRP summary statements from the interface, or use Cisco IOS Release 12.1(19)E.
Open Caveats—Cisco IOS Release 12.1(26)E4
This section documents possible unexpected behavior by Cisco IOS Release 12.1(26)E4 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(26)E4.
Resolved Caveats—Cisco IOS Release 12.1(26)E4
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(26)E4. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdw15112
When using Data-Link Switching (DLSw) Ethernet Redundancy (ER), if the dlsw disable command is used to force the second DLSw ER router to take over mapping and circuits, the disabled router will source test frames of the mapped addresses.
This occurs when the Logical Link Control, type 2 (LLC2) session between the ER routers fails. This failure causes the attached router to incorrectly set the cam table and prevents the circuit from connecting until the cam table is cleared.
There are no known workarounds.
•
CSCdx08611
When using Data-Link Switching (DLSw) Ethernet Redundancy (ER) and the master router goes down, some entries may get stuck in COLLECTING in the transparent cache of the slave router.
Workaround: Clear the entries stuck in COLLECTING with the clear dlsw transparent circuit command.
•
CSCdx55086
Memory leaks can occur when configuring/unconfiguring "dialer string" on a Cisco router.
The memory leakage will be several bytes per configuration/unconfiguration.
There are no known workarounds.
•
CSCea59359
A Cisco 7500 series router that is functioning as a provider edge (PE) router in a Multicast Virtual Private Network (MVPN) environment may stop sending Protocol Independent Multicast (PIM) register messages for the default multicast distribution tree (MDT) to its rendezvous point (RP). This situation prevents PE routers from establishing PIM adjacencies with other PE routers in the MVPN.
This issue occurs on a Cisco 7500 series router that is running Cisco IOS Release 12.0(24)S and has the ip pim register-rate-limit global configuration command enabled. The issue is not observed in Cisco IOS Release 12.0(23)S or earlier releases.
Workaround: Enter the clear ip mroute group-address EXEC command for the default MDT group address.
Alternate Workaround: Do not use the ip pim register-rate-limit global configuration command.
•
CSCeb13310
In a data-link switching (DLSw) Ethernet Redundancy (ER) environment, the backup DLSw ER router that learns the MAC address mapping from the neighbor may fail to forward explorers to the remote DLSw peers. When this issue occurs, the MAC address enters a NOT_FOUND state in the DLSw reachability cache. This state is observed after the primary DLSw ER router fails twice.
This issue occurs when the dlsw icanreach global configuration command is configured on the remote DLSw router and both of the DLSw ER routers have to learn the MAC address during the capability exchange phase.
Workaround: Instead of configuring the dlsw icanreach global configuration command, configure the dmac-output-list access-list-number keyword and argument under the dlsw remote-peer global configuration command.
•
CSCeb76035
The system may unexpectedly restart, or report a spurious access, when a Simple Network Management Protocol (SNMP) trap is sent for a Transmission Control Protocol (TCP) connection attempt to a rotary group. This issue occurs if the connection attempt is assigned to the last line in the rotary group, a "modem host" is configured on that line, and the device connected to the line does not assert Data Set Ready (DSR) in response to Data Terminal Ready (DTR) being asserted.
There are no known workarounds.
•
CSCec42160
Open Shortest Path First (OSPF) packets are not processed, resulting in the OSPF declaring the neighbors "down". The neighbors recover once CPU utilization levels drop.
Surrounding neighbors do not see the OSPF adjacency drop.
Use the following debugs to see if this is what is happening:
debug ip packet acl
debug ip ospf packet
where the acl permits OSPF packets to/from any address (or possibly filtering packets sent from the router).
When this issue occurs, the output will show that IP is receiving packets for OSPF, but OSPF is not processing them in a reasonable time and is declaring the neighbors down.
The following sample output shows that the IP layer is receiving packets destined for OSPF, but OSPF is not processing the packets:
Oct 22 14:05:23.934 PST: IP: s=192.168.128.33 (POS6/2), d=224.0.0.5, len 120, rcvd 0
Oct 22 14:05:24.634 PST: IP: s=192.168.1.194 (GigabitEthernet0/0), d=224.0.0.5, len 120, rcvd 0
Oct 22 14:05:24.634 PST: IP: s=192.168.128.58 (POS2/0), d=224.0.0.5, len 120, rcvd 0
Oct 22 14:05:24.834 PST: IP: s=192.168.128.29 (POS4/2), d=224.0.0.5, len 120, rcvd 0
Oct 22 14:05:24.834 PST: IP: s=192.168.128.74 (POS6/3), d=224.0.0.5, len 120, rcvd 0
Oct 22 14:05:25.130 PST: IP: s=192.168.128.62 (POS2/1), d=224.0.0.5, len 120, rcvd 0
Oct 22 14:05:25.130 PST: IP: s=192.168.2.98 (GigabitEthernet1/2), d=224.0.0.5, len 120, rcvd 0
Oct 22 14:05:25.958 PST: IP: s=192.168.128.33 (POS6/2), d=224.0.0.5, len 120, rcvd 0
Oct 22 14:05:26.678 PST: IP: s=192.168.128.58 (POS2/0), d=224.0.0.5, len 120, rcvd 0
Oct 22 14:05:26.878 PST: IP: s=192.168.128.29 (POS4/2), d=224.0.0.5, len 120, rcvd 0
Oct 22 14:05:26.878 PST: IP: s=192.168.128.74 (POS6/3), d=224.0.0.5, len 120, rcvd 0
Oct 22 14:05:26.994 PST: IP: s=192.168.128.62 (POS2/1), d=224.0.0.5, len 120, rcvd 0
Oct 22 14:05:27.194 PST: IP: s=192.168.2.98 (GigabitEthernet1/2), d=224.0.0.5, len 120, rcvd 0
Oct 22 14:05:27.918 PST: IP: s=192.168.128.78 (POS6/0), d=224.0.0.5, len 120, rcvd 0
Oct 22 14:05:27.918 PST: IP: s=192.168.128.33 (POS6/2), d=224.0.0.5, len 120, rcvd 0
Oct 22 14:05:28.722 PST: IP: s=192.168.128.58 (POS2/0), d=224.0.0.5, len 120, rcvd 0
Oct 22 14:05:28.722 PST: IP: s=192.168.128.29 (POS4/2), d=224.0.0.5, len 120, rcvd 0
Oct 22 14:05:28.922 PST: IP: s=192.168.128.74 (POS6/3), d=224.0.0.5, len 120, rcvd 0
Oct 22 14:05:29.018 PST: IP: s=192.168.128.62 (POS2/1), d=224.0.0.5, len 120, rcvd 0
Oct 22 14:05:29.218 PST: IP: s=192.168.2.98 (GigabitEthernet1/2), d=224.0.0.5, len 120, rcvd 0
Oct 22 14:05:29.914 PST: OSPF: 10.1.1.1 address 192.168.128.33 on POS6/2 is dead
Compare to the following output, which shows the expected behavior; the packets reach OSPF from IP in just a few milliseconds:
Nov 11 04:04:13.489 PST: IP: s=192.168.128.74 (POS6/3), d=224.0.0.5, len 104, rcvd 0
Nov 11 04:04:13.489 PST: IP: s=192.168.2.98 (GigabitEthernet1/2), d=192.168.2.97, len 260, rcvd 0
Nov 11 04:04:13.493 PST: OSPF: rcv. v:2 t:2 l:32 rid:10.1.1.10 aid:10.1.1.1 chk:0 aut:2 keyid:100 seq:0x3FB0ADB9 from GigabitEthernet1/2
Nov 11 04:04:13.493 PST: OSPF: rcv. v:2 t:2 l:32 rid:10.1.1.11 aid:0.0.0.0 chk:0 aut:2 keyid:100 seq:0x3FB0ADB9 from POS6/3
This issue occurs in high CPU utilization situations when aggressive OSPF hello and dead timers are used rather than the defaults.
Workaround: Either use a longer dead timer or decrease process-max-time. Note that the process-max-time should be adjusted with caution and preferably under guidance by Cisco TAC.
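The timestamp comparison described for CSCec42160 can be scripted. The Python below is an added example, not part of the release notes or of Cisco software: it pairs each IP-layer receive with the next OSPF rcv. line on the same interface and reports neighbors declared dead while their packets were still waiting. It assumes the debug ACL admits only OSPF packets; the function name, the per-interface first-in-first-out pairing and the 50 ms threshold are assumptions of this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed samples in the format of the debug output quoted for CSCec42160.
STALLED = """\
Oct 22 14:05:25.958 PST: IP: s=192.168.128.33 (POS6/2), d=224.0.0.5, len 120, rcvd 0
Oct 22 14:05:26.678 PST: IP: s=192.168.128.58 (POS2/0), d=224.0.0.5, len 120, rcvd 0
Oct 22 14:05:27.918 PST: IP: s=192.168.128.33 (POS6/2), d=224.0.0.5, len 120, rcvd 0
Oct 22 14:05:29.914 PST: OSPF: 10.1.1.1 address 192.168.128.33 on POS6/2 is dead
"""
HEALTHY = """\
Nov 11 04:04:13.489 PST: IP: s=192.168.128.74 (POS6/3), d=224.0.0.5, len 104, rcvd 0
Nov 11 04:04:13.493 PST: OSPF: rcv. v:2 t:2 l:32 rid:10.1.1.11 aid:0.0.0.0 chk:0 aut:2 keyid:100 seq:0x3FB0ADB9 from POS6/3
"""

# Timestamp, then the time-zone token ("PST:"), then the facility.
TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d+\s+\d\d:\d\d:\d\d\.\d+)\s+\S+:\s+"
IP_RX = re.compile(
    TS + r"IP: s=(?P<src>[\d.]+) \((?P<ifc>[^)]+)\),\s*d=[\d.]+,\s*len \d+,\s*rcvd")
OSPF_RX = re.compile(TS + r"OSPF: rcv\. .*\bfrom (?P<ifc>\S+)$")
# "is\s*dead" also accepts the run-together "isdead" left by wrapped console output.
OSPF_DEAD = re.compile(
    TS + r"OSPF: (?P<rid>[\d.]+) address (?P<addr>[\d.]+) on (?P<ifc>\S+) is\s*dead")


def _when(ts):
    # Debug timestamps carry no year; pin one so the parse is unambiguous.
    return datetime.strptime("2000 " + ts, "%Y %b %d %H:%M:%S.%f")


def analyze(text, max_lag=timedelta(milliseconds=50)):
    """Correlate 'debug ip packet' receives with 'debug ip ospf packet' events.

    Returns a dict with:
      lag_ms  - per interface, IP-to-OSPF hand-off delay of each paired packet
      slow    - (interface, lag_ms) pairs whose delay exceeded max_lag
      starved - neighbors declared dead although the IP layer had received
                packets from them that OSPF never logged as processed
    """
    pending = defaultdict(deque)      # interface -> receives OSPF has not consumed
    lag_ms = defaultdict(list)
    slow, starved = [], []
    one_ms = timedelta(milliseconds=1)

    for raw in text.splitlines():
        line = raw.strip()
        if m := IP_RX.match(line):
            pending[m["ifc"]].append((_when(m["ts"]), m["src"]))
        elif m := OSPF_RX.match(line):
            queue = pending[m["ifc"]]
            if queue:
                # The rcv. line names only the router ID, so pair it with the
                # oldest unconsumed receive on that interface (approximation).
                seen, _src = queue.popleft()
                lag = _when(m["ts"]) - seen
                lag_ms[m["ifc"]].append(lag / one_ms)
                if lag > max_lag:
                    slow.append((m["ifc"], lag / one_ms))
        elif m := OSPF_DEAD.match(line):
            now = _when(m["ts"])
            stuck = [t for t, src in pending[m["ifc"]] if src == m["addr"]]
            if stuck:
                starved.append({
                    "neighbor": m["addr"],
                    "router_id": m["rid"],
                    "interface": m["ifc"],
                    "unprocessed": len(stuck),
                    "last_ip_rx_age_s": (now - stuck[-1]).total_seconds(),
                })
    return {"lag_ms": dict(lag_ms), "slow": slow, "starved": starved}


if __name__ == "__main__":
    for name, sample in (("stalled", STALLED), ("healthy", HEALTHY)):
        print(name, analyze(sample))
```

A non-empty starved list matches the symptom in this caveat: hellos reached the IP layer, yet the neighbor was declared dead before OSPF processed them.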
•
CSCed92837
After a Stateful Switchover (SSO) occurs on a Cisco 7500 series router, the standby route switch processor (RSP) may hang just before downloading the image. This situation may prevent the router from entering the STANDBY-HOT state and from being able to perform a switchover until the standby RSP is reset.
This issue occurs on a Cisco 7500 series router that runs Cisco IOS Release 2.0 S or 12.2 S and that is configured for SSO/Nonstop Forwarding (NSF).
There are no known workarounds. After the problem occurs, the router can be recovered by either waiting for an interprocess communication (IPC) timer to expire (the default time is 30 minutes) or by entering the hw-module sec-cpu reset command.
•
CSCee36721
An Open Shortest Path First (OSPF) Designated Router (DR) may fail to regenerate the network link-state advertisement (LSA) when you reload the router.
This issue is observed on a Cisco router that functions as a DR for an OSPF interface when another interface with the same interface address is present in the area but is in a shut down state.
Workaround: Remove the duplicate interface address and enter the clear ip ospf process command.
•
CSCef93215
A router that is configured for Open Shortest Path First (OSPF) reloads unexpectedly and references the "ospf_build_one_paced_update" process.
This issue occurs on a Cisco router that has a mixture of link-state advertisements (LSAs) (of type 5 and 11) that travel throughout an autonomous system and LSAs (of any type other than type 5 and 11) that travel within a particular OSPF area. The issue may occur at any time without any specific changes or configuration and is not specifically related to any type of LSA.
There are no known workarounds.
•
CSCeg26610
The show ip route summary command shows one extra connected route for the Ethernet Out of Band Channel (EOBC) address on a router.
There are no known workarounds.
•
CSCeg49814
After reloading a Multilayer Switch Feature Card (MSFC), VLAN Bridge Protocol Data Units (BPDUs) are not received by the MSFC any more, opening bridging loops.
This issue occurs under the following conditions:
–
MSFC2 running Cisco IOS Release 12.1(23)E2
–
Supervisor1 running 6.4(14)
There are no known workarounds. However, performing a shut/no shut on each VLAN interface after reload fixes this problem.
•
CSCeg62496
When two areas generate the same router link-state advertisement (LSA), known on the Area Border Router (ABR) as an intra-area route, the summary LSA might not be generated on the ABR if that route flaps.
Workaround: Clear the Open Shortest Path First (OSPF) process on the ABR.
•
CSCeg83164
A router may reload when an Asynchronous Transfer Mode (ATM) virtual circuit (VC) class is configured.
This issue occurs on Cisco 7200 series routers and Cisco 7500 series routers that are configured for Multiprotocol Label Switching (MPLS).
There are no new workarounds.
•
CSCeh06778
If a default route is redistributed from Routing Information Protocol (RIP) into the Border Gateway Protocol (BGP), then back into RIP on another router, the default route is not marked as poisoned or withdrawn on the customer edge (CE) router that receives the updates.
This issue is observed when a CE router sends the default route using RIP to a provider edge (PE) router, when the PE router advertises this route to a second CE router, and when the link between the first CE router and the PE router is disconnected.
There are no known workarounds.
•
CSCeh48684
The identification field is always 0 in the Terminal Access Controller Access Control System Plus (TACACS+) packet with a SYN flag.
The TACACS+ packet goes from the router through a firewall to the Authentication, Authorization, and Accounting (AAA) server. The firewall construes this as a Fragment Overlap Attack and drops additional new connections.
There are no known workarounds.
•
CSCeh56916
The router unexpectedly reloads when a Web Cache Communication Protocol (WCCP) service is running and is configured to use mask assignment.
This issue occurs when a WCCP service is enabled and mask assignment is configured as the assignment method rather than the default method of hash assignment. In addition, there is a relatively large number of caches in the service group (greater than 5). Under these conditions, the protocol message sent from router to cache may overflow, causing a memory corruption and subsequent reload.
Workaround: One possible workaround is to use hash assignment, rather than mask assignment, for the service group.
Alternative workaround: Reduce the number of caches in the service group.
•
CSCei68284
Packet-over-SONET/SDH (POS) interfaces running Cisco IOS Release 12.1(26)E1 stay up/down after reload.
This issue occurs after a router reload.
Workaround: Reload the FlexWan on which the POS port adapter is installed.
•
CSCin58433
The driver code of a third-party vendor Fast Ethernet controller that is part of a C7200-I/O-FE I/O controller may pause indefinitely or reload unexpectedly.
This issue occurs on a Cisco 7200 series router when a packet enters the third-party vendor Fast Ethernet controller, this packet is forwarded to a Multilink PPP (MLP) interface, and then another packet is forwarded by the third-party vendor Fast Ethernet controller before the first packet has left the MLP interface.
There are no known workarounds.
•
CSCsa45750
Data-link switching (DLSw) circuits are established over the same peer connection when there are multiple remote peer connections to the same remote MAC address.
This issue occurs when DLSw load-balancing is configured and there are multiple peers that have the dlsw icanreach mac-address mac-addr command enabled with the same remote MAC address for the mac-addr argument.
Workaround: Bounce the DLSw peer connection either by entering the dlsw disable command or by removing and reconfiguring the DLSw remote peer statement.
•
CSCsa74926
When the Cisco Discovery Protocol (CDP) is enabled on a Firewall Services Module (FWSM) on a Gigabit Ethernet interface, CDP cannot be disabled on these interfaces from the CLI.
Workaround: Perform the following:
1. Disable CDP globally
2. Ignore CDP messages in CiscoWorks
3. Wait for software resolution
•
CSCsa92622
When a router running Cisco IOS Release 12.1(26)E1 is running as a Secure Shell (SSH) server, the following log messages are seen:
Apr 19 13:59:15.084 edt: %SCHED-3-THRASHING: Process thrashing on watched message event.
-Process= "SSH Process", ipl= 5, pid= 36
-Traceback= 4020CB90 4020CF84 412E2D84 412E389C 412E40B4 412E4B9C 4015F4D0 401548DC 40155088 40156AD4 4015540C 4017E040 4017E090 401725B0 4040836C 401812EC
Apr 19 13:55:03.260 edt: %SCHED-3-THRASHING: Process thrashing on watched message event.
-Process= "SSH Process", ipl= 5, pid= 36
-Traceback= 4020CB90 4020CF84 412E2D84 412E389C 412E40B4 412E4B9C 4015F4D0 4015FD3C 4015FC04 40181290 412E7A4C 412E828C 401EC3A4 401EC390
This issue occurs when establishing an SSH connection to the SSH server (IOS router), and typing characters very fast on the vty terminal from the client side. After some time, the SSH server will log the above messages. If this test runs for a long time, these messages can be logged many times.
There are no known workarounds.
•
CSCsb07149
Caveat CSCds00250, "SNMP support for IfTable/ifXTable for vLAN (802.1Q/ISL) subinterface," has been resolved in Cisco IOS Release 12.2 and later releases.
The purpose of this new caveat is to incorporate that caveat fix into Cisco IOS Release 12.1E.
There are no known workarounds.
•
CSCsb14185
Server load balancing (SLB) real servers move to FAILED TESTING or READY_TO_TEST when a PROBE_ABDICATE event occurs. With per-packet virtual servers (vservers) and Internet Control Message Protocol (ICMP) probes, the real servers never move back to operational.
Workaround: Use an application probe (tcp, udp, http) or a non-per-packet vserver.
•
CSCsb21972
Numerous tracebacks occur as a result of alignment errors. In some cases, but not all, these tracebacks are accompanied by high CPU usage.
This issue occurs under the following conditions:
–
When the Multilayer Switch Feature Card (MSFC) is running Cisco IOS Release 12.1(26)E1 or 12.2SX.
–
When both Web Cache Communication Protocol (WCCP) and NetFlow Data Export (NDE) are configured on the MSFC.
Workaround: Disable one of the features.
•
CSCsb23433
If an intermittent source is not active for 3.5 minutes, the S,G entry expires on the local rendezvous point (RP) and transit routers, but because the Multicast Source Discovery Protocol (MSDP) Source Active (SA) cache expiration timer is 6 minutes, the local RP will keep sending MSDP SA messages at 1 minute intervals, which will refresh the S,G entry on the remote RP (this functionality was introduced via CSCdp44494). When the source starts after 3.5 minutes of inactivity, it registers with the local RP, which sends an MSDP SA message in an encapsulated packet to the remote RP. However, the remote RP will not trigger a Protocol-Independent Multicast (PIM) Join towards the source because it still has the S,G entry present. As a result of this behavior, IP multicast packets will be lost until the next periodic PIM S,G Join.
This issue is hardware independent and applies to all releases where CSCdp44494 is integrated.
There are no known workarounds.
•
CSCsb28595
A router that has a summary-address configured and is also a Not-So-Stubby Area (NSSA) Area Border Router (ABR) may incorrectly maxage and flush the summary link-state advertisement (LSA).
Workaround: Make sure there are no N1/N2 routes in the NSSA ABR.
Open Caveats—Cisco IOS Release 12.1(26)E3
This section documents possible unexpected behavior by Cisco IOS Release 12.1(26)E3 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(26)E3.
Resolved Caveats—Cisco IOS Release 12.1(26)E3
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(26)E3. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCeh13489
A router may reset its Border Gateway Protocol (BGP) session.
This issue is observed when a Cisco router that peers with other routers receives an Autonomous System (AS) path with a length that is equal to or greater than 255.
Workaround: Configure the bgp maxas-limit command in such a way that the maximum length of the AS path is a value below 255. When the router receives an update with an excessive AS path value, the prefix is rejected and the event is recorded in the log.
•
CSCei61732
Cisco IOS may permit arbitrary code execution after exploitation of a heap-based buffer overflow vulnerability. Cisco has included additional integrity checks in its software, as further described below, that are intended to reduce the likelihood of arbitrary code execution.
Cisco has made free software available that includes the additional integrity checks for affected customers.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20051102-timers.shtml.
Open Caveats—Cisco IOS Release 12.1(26)E2
This section documents possible unexpected behavior by Cisco IOS Release 12.1(26)E2 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(26)E2.
Resolved Caveats—Cisco IOS Release 12.1(26)E2
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(26)E2. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdx21248
Under some conditions, the forwarding address may be improperly set to a route that is an inter-area route in the remote Not-So-Stubby Area (NSSA) router instead of an intra-area route. This occurs if an external route is redistributed on an Area Border Router (ABR) that is also an Autonomous System Border Router (ASBR) for multiple areas, including the NSSA area.
For example:
r1--Area10(NSSA)--r2--Area20
                  |
                  Area0
ip route x.x.x.x y.y.y.y (next hop out Area20 interface)
In the above scenario, performing a redistribute static causes the forwarding address for the type 7 link-state advertisement (LSA) for area 10 to get set to that of the interface in area 20, resulting in it being known in area 10 as an inter-area route. Because, in an NSSA, the forwarding address must be that of an intra-area route, the routing bit is not set on the LSA.
Workaround: Remove Open Shortest Path First (OSPF) from the interface that the external route is pointed out of, then do a clear ip ospf redistribution.
•
CSCdx83438
The link-state advertisement (LSA) for the default route (0.0.0.0) may get flushed when a Shortest Path First (SPF) algorithm is executed. The type 7 LSA for the default route is generated with an age of 3600, which will immediately maxage the entry. After 1-7 seconds a type 7 LSA default route with an age of 0 will be created.
This happens under the following conditions:
–
If there is a Not-So-Stubby Area (NSSA) for which the Area Border Router (ABR) is generating a default route with the area xx nssa default-information originate command.
–
A summary is being generated on this router using the summary-address 0.0.0.0 command or any summary that will include 0.0.0.0 network.
Example:
router ospf 1
area 10 nssa default-information originate
summary-address 0.0.0.0 [not-advertise]
Workaround One: Change the summary-address to not include the 0.0.0.0 network.
Workaround Two: Change to the NSSA no-summary area and remove the default-information originate, since the total NSSA area will generate a default of type 3 on the ABR.
•
CSCdy79465
A VPN routing and forwarding (VRF) static route pointing to Null0 does not have an aggregate label.
If this route is redistributed into the VRF table (using the redistribute static command), packets destined for the network will be dropped.
There are no known workarounds.
•
CSCef60452
A router may stop receiving multicast traffic.
This rare issue occurs during convergence, when a router receives a Join message on a Reverse Path Forwarding (RPF) interface, and when a downstream router converges faster than the first router that receives the Join message.
In this situation, the router does not populate the RPF interface into the outgoing interface list (OIL) (that is, the OIL remains null) because the old switch processor (SP) tree has already been pruned by the downstream router. When the RPF interface of the router changes to the new path later, it does not trigger a Join message toward the multicast source until the router receives a next periodic Join message from the downstream router and populates the OIL. As a result, multicast traffic stops temporarily but no longer than the periodic Join message interval.
There are no known workarounds.
•
CSCef79968
When an snmpget command is executed for an interface index below .1.3.6.1.2.1.31.1.1.1.6, the router responds with the following information:
ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifHCInOctets.12 : VARBIND EXCEPTION: No Such Instance
However, an snmpwalk command executes successfully for an interface index below .1.3.6.1.2.1.31.1.1.1.6.
This issue occurs when an snmpget command is executed for 4GE-SFP-LC subinterfaces or for a 4GE-SFP-LC interface when there is another interface index for the same interface.
Workaround: Reload the router.
•
CSCeg00304
An extra Simple Network Management Protocol (SNMP) v3 configuration may be added after a multiple switchover.
This issue occurs when operating in RPR+ mode.
Workaround: Manually remove the additional configurations.
•
CSCeg43753
A router that is configured for the Routing Information Protocol (RIP) and Border Gateway Protocol (BGP) may unexpectedly reload with the following error messages:
System returned to ROM by bus error at PC 0x0, address 0x0
The crashinfo reports the following:
%ALIGN-1-FATAL: Corrupted program counter pc=0x0, ra=0x60BBD828, sp=0x64228388
%ALIGN-1-FATAL: Corrupted program counter pc=0x0, ra=0x60BBD828, sp=0x64228388
Unexpected exception, CPU signal 10, PC = 0x0
-Traceback= 0 60BBD828 60BAC93C 60BAD790 61FE44C0 60BAD834 60B7C138
This issue occurs on a router running Cisco IOS Release 12.3(9b) that is configured for a Multiprotocol Label Switching (MPLS) virtual private network (VPN) when the RIP is partially configured without a network statement and when BGP is redistributed into RIP.
Workaround: Ensure that the RIP is configured correctly.
•
CSCeg58878
On a non-translating (lower router-id) Not-So-Stubby Area (NSSA)/Area Border Router (ABR), if a summary-address is configured under Open Shortest Path First (OSPF) for external routes with the same subnet mask for NSSA external routes, then external routes might flap on that router.
Workaround: On the non-translating ABR:
1. Remove the summary-address configuration.
2. Change the summary-address subnet so that it is different from the external subnet generated by the translating ABR.
•
CSCsa73781
An Autonomous System (AS) external or Not-So-Stubby Area (NSSA) route that corresponds to an Open Shortest Path First (OSPF) forwarding address will not have Equal-Cost Multi-Path (ECMP) paths, even though the corresponding OSPF intra-area or inter-area route does.
Workaround: For Cisco IOS Release 12.1 E, ensure that the omitted forwarding address gateway is not configured as a local interface address.
•
CSCsa82472
There are missing rows in the cbQosServicePolicyTable of the CISCO-CLASS-BASED-QOS-MIB. Only the first permanent virtual circuit (PVC) of an Asynchronous Transfer Mode (ATM) subinterface is being returned. The rest of the PVCs are missing.
This issue occurs when a service policy is attached to an ATM PVC.
There are no known workarounds.
•
CSCsa83923
A SUP2/Multilayer Switch Feature Card 2 (MSFC2) running native Cisco IOS Release 12.1(26)E or Cisco IOS Release 12.1(26)E1 code may experience a memory leak in the "CEF IPC Backgrou" process on both the route processor (RP) and switch processor (SP).
This rare issue occurs on a device undergoing stress testing in which routing instability was deliberately introduced.
Workaround: Resolve the underlying routing instability issues, or reboot the device to re-allocate memory.
•
CSCsb02976
A Multicast Source Discovery Protocol (MSDP) RP does not send a triggered Source Active (SA) when it is the non-designated router on a segment for a directly connected source. This behavior can induce a delay in the start of the multicast stream for remote receivers.
This issue occurs when the MSDP RP is not the designated router on a segment. When the source starts sending, both the designated router and non-designated router create state. The designated router then registers the source with the RP. Because the RP already has state, a triggered SA is not sent. The SA is sent in the next periodic update. However, this behavior can induce delay at the start of the stream because the remote MSDP peer has to wait for the next periodic update.
Workaround: Make the RP and the designated router the same, or move the RP of the directly connected segment.
Open Caveats—Cisco IOS Release 12.1(26)E1
This section documents possible unexpected behavior by Cisco IOS Release 12.1(26)E1 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(26)E1.
Resolved Caveats—Cisco IOS Release 12.1(26)E1
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(26)E1. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdv24029
After the clear adjacency command is issued, adjacencies are not created for the Asynchronous Transfer Mode (ATM) interface.
There are no known workarounds.
•
CSCef44699
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messages
Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at
http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en.
•
CSCef60659
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messages
Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at
http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en.
•
CSCef66899
In specific scenarios, bridge-groups may put an Open Shortest Path First (OSPF) neighbor in the INIT state. For example, when a router was directly connected to a Sup2 using a single link with an OSPF neighborship established, when the bridge-group (in this case, a vlan-bridge) was added, the neighborship was put into INIT state. This behavior also applies to DEC and IBM environments.
There are no known workarounds.
•
CSCeg53985
IOS does not indicate the supported SMON groups in the smonCapabilities object correctly. The object returns zero, instead of "a8", which is the supported group for this agent (smonVlanStats + dataSource + portCopy). For example:
snmpwalk foo.cisco.com 1.3.6.1.2.1.16.19.15
rmon.probeConfig.smonCapabilities.0 : OCTET STRING- (ascii):
This defect causes the port spanning feature in nGenius RTM to fail.
Workaround: Span the port through the NAM GUI or CLI.
•
CSCeg90349
Both sides of a link will stay in the loop-inconsistent state if Rapid-Per-VLAN Spanning Tree (Rapid-PVST) is used and the root bridge gets removed from the network or changes its priority when loopguard has been enabled and multiple paths to the root exist.
Workaround: Disable loopguard on the designated side of the link. The link needs to be manually brought down and up, either by removing and reattaching the cable or by using shut/no shut.
Note
This caveat has been duplicated from CSCeg40067.
•
CSCsa45343
After upgrading from Cisco IOS Release 12.1(19)E1 to Cisco IOS Release 12.1(23)E2, the TCP option field is not ended by the End of Option kind. According to RFC 793, this behavior causes other Transmission Control Protocol (TCP) implementations, such as a firewall, to drop these packets as invalid. The resulting packet drops cause further problems, such as breaking TACACS communication between the Cisco router and the TACACS server upon its return. In addition, an Ethernet analyzer such as Sniffer or Ethereal may not interpret this behavior correctly and may report an invalid option field.
The problem is intermittent in nature; one or more TACACS TCP packets that are fragmented over multiple frames may experience this problem. This problem appears more frequently on loaded production devices.
Workaround: Depending on the implementation of the TCP stack at the receiver side or on an intermediate firewall, you can try to configure it to ignore invalid TCP options instead of dropping the packet. Otherwise, there are no known workarounds.
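The kind of option-area check a strict receiver or firewall applies to segments like those in this caveat, shown as an added example that is not Cisco code and not part of the original release notes. It walks the TCP options as RFC 793 lays them out and rejects a list that runs past the header boundary without an End of Option List byte or that carries non-zero padding after one. The names OptionError, option_area, parse_options, build_header and verdict, the ports, and all sample bytes are constructed for illustration; the page does not give the exact bytes IOS emitted.

```python
import struct
from typing import List, Tuple

EOL, NOP = 0, 1  # RFC 793 option kinds: End of Option List, No-Operation


class OptionError(ValueError):
    """The option area of a TCP header is malformed."""


def option_area(tcp_header: bytes) -> bytes:
    """Return the bytes between the fixed header and the Data Offset boundary."""
    if len(tcp_header) < 20:
        raise OptionError("shorter than the 20-byte fixed header")
    header_len = (tcp_header[12] >> 4) * 4  # Data Offset is in 32-bit words
    if header_len < 20 or header_len > len(tcp_header):
        raise OptionError("data offset %d does not fit the segment" % header_len)
    return tcp_header[20:header_len]


def parse_options(area: bytes) -> List[Tuple[int, bytes]]:
    """Walk the option list; return (kind, data) pairs or raise OptionError."""
    options = []
    i = 0
    while i < len(area):
        kind = area[i]
        if kind == EOL:
            # Everything after End of Option List is padding and must be zero.
            if any(area[i + 1:]):
                raise OptionError("non-zero bytes after End of Option List")
            return options
        if kind == NOP:
            i += 1
            continue
        if i + 1 >= len(area):
            raise OptionError("kind %d has no length byte" % kind)
        length = area[i + 1]  # counts the kind and length bytes themselves
        if length < 2 or i + length > len(area):
            raise OptionError(
                "kind %d claims %d bytes, %d left" % (kind, length, len(area) - i)
            )
        options.append((kind, area[i + 2:i + length]))
        i += length
    # The options ended exactly on the header boundary, so no EOL is required.
    return options


def build_header(options: bytes) -> bytes:
    """Constructed sample: SYN from port 49152 to TCP port 49 with `options`."""
    if len(options) % 4:
        raise ValueError("option area must be a multiple of 4 bytes")
    offset_flags = ((5 + len(options) // 4) << 12) | 0x002  # Data Offset + SYN
    fixed = struct.pack("!HHIIHHHH", 49152, 49, 1, 0, offset_flags, 65535, 0, 0)
    return fixed + options


def verdict(tcp_header: bytes) -> str:
    """Decision of a strict receiver: 'accept' or 'drop: <reason>'."""
    try:
        parse_options(option_area(tcp_header))
    except OptionError as exc:
        return "drop: %s" % exc
    return "accept"


# Constructed option areas (hex): MSS only, MSS + NOP NOP EOL,
# MSS followed by an option that overruns the header, MSS + EOL + junk.
SAMPLES = {
    "mss-exact-fit": "020405b4",
    "mss-nop-nop-eol": "020405b401010000",
    "unterminated": "020405b4080a0000",
    "dirty-padding": "020405b400ffffff",
}

if __name__ == "__main__":
    for name, hexbytes in SAMPLES.items():
        print(name, "->", verdict(build_header(bytes.fromhex(hexbytes))))
```

A receiver that applies the workaround above would skip an unparseable option area instead of returning a drop verdict.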
•
CSCsa48616
When the router is reloaded, "logging event link-status" disappears on port-channel + switchport.
This issue occurs on Cisco IOS Release 12.1(13)E15.
There are no known workarounds.
•
CSCsa59600
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messages
Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at
http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en.
•
CSCsa60252
When issuing a large number of commands (tens of thousands over several hours) using a Secure Shell (SSH) session, the Device Under Test (DUT) exhibits peculiar memory behavior. Memory Used will increase over a period of several hours growing anywhere from 1 to 20Mb before being freed again. Should the device run out of memory before the free occurs, an unexpected reload may occur. When the SSH session exits, the memory will be freed as well.
This issue occurs in a single SSH session, when executing thousands of commands for several hours.
Workaround: Use Telnet for an extended session of commands, or issue commands in several different SSH sessions.
Open Caveats—Cisco IOS Release 12.1(26)E
This section documents possible unexpected behavior by Cisco IOS Release 12.1(26)E and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(26)E.
Resolved Caveats—Cisco IOS Release 12.1(26)E
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(26)E. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCea30419
Open Shortest Path First (OSPF) database packets may be exchanged with an invalid length. Error messages may indicate an invalid packet length and bad checksum.
This issue is observed on a Cisco 7500 series router.
There are no known workarounds.
•
CSCed25678
A Cisco router will reload when the tftp-server flash long-string global configuration command is enabled.
There are no known workarounds.
•
CSCed59930
A software-forced reload may occur on an NPE-G1 after you have reloaded the NPE-G1, and the NPE-G1 may enter the boot mode.
This issue is observed on a Cisco 7200 series router when traffic is entering the router while the NPE-G1 is being reloaded and when there is a high CPU utilization on the NPE-G1.
There are no known workarounds.
•
CSCed78149
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messages
Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at
http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en.
•
CSCee56618
The attach exec mode command is an interactive remote session command meant to be used with Telnet/SSH/console access methods but not with the Hypertext Transfer Protocol (HTTP) access method. This fix will ensure that when this command is issued using HTTP, it is appropriately rejected by the HTTP parser.
There are no known workarounds.
•
CSCee67450
A Cisco device running Cisco IOS and enabled for the Border Gateway Protocol (BGP) is vulnerable to a Denial of Service (DoS) attack from a malformed BGP packet. Only devices with the command `bgp log-neighbor-changes' configured are vulnerable. The BGP protocol is not enabled by default, and must be configured in order to accept traffic from an explicitly defined peer. Unless the malicious traffic appears to be sourced from a configured, trusted peer, it would be difficult to inject a malformed packet.
If a malformed packet is received and queued up on the interface, this bug may also be triggered by other means which are not considered remotely exploitable, such as the use of the command `show ip bgp neighbors' or running the command `debug ip bgp <neighbor> updates' for a configured BGP neighbor.
Cisco has made free software available to address this problem.
For more details, please refer to this advisory, available at
http://www.cisco.com/warp/public/707/cisco-sa-20050126-bgp.shtml
•
CSCee77809
When you try to configure the Network Time Protocol (NTP) on a Cisco platform, the ntp server command is rejected with the following error message:
%NTP: failed to initialize NTP process
This issue is observed on any Cisco platform that does not support a reference clock.
There are no known workarounds.
•
CSCee91044
A network operations center (NOC) may receive many false alerts indicating that an Internet key exchange (IKE) tunnel is down. (The IKE tunnel is torn down but immediately rebuilt.)
This issue is observed when Simple Network Management Protocol (SNMP) traps are sent for every IKE timeout or rekey but not for an IP security (IPSec) timeout or rekey.
There are no known workarounds.
•
CSCef15418
A router cannot write to bootflash.
This issue is observed on a Cisco router after you have entered the squeeze bootflash command.
There are no known workarounds.
•
CSCef44225
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messages
Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at
http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en.
•
CSCef46191
A specifically crafted Transmission Control Protocol (TCP) connection to a telnet or reverse telnet port of a Cisco device running Internetwork Operating System (IOS) may block further telnet, reverse telnet, Remote Shell (RSH), Secure Shell (SSH), and in some cases Hypertext Transport Protocol (HTTP) access to the Cisco device. Telnet, reverse telnet, RSH and SSH sessions established prior to exploitation are not affected.
All other device services will operate normally.
This issue is observed when a user-initiated, specially crafted TCP connection to a telnet or reverse telnet port results in blocking further telnet sessions, whereas services such as packet forwarding, routing protocols and all other communication to and through the device remain unaffected.
The detailed advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040827-telnet.shtml
There are no known workarounds.
•
CSCin63066
When a new probe (for example, index $PROBE_ID) is created through the Simple Network Management Protocol (SNMP), the probes that have index numbers that are greater than $PROBE_ID are not shown in the output of the show rtr configuration and show rtr operation-state commands.
This issue is observed when the probe is created in the CREATE_AND_WAIT state by entering the following command:
unix_xterm> setany -v1 $ROUTERIP public rttMonCtrlAdminStatus.$PROBE_ID 5
In addition, there is no subsequent SNMP configuration command for the probe.
Workaround: Enter a subsequent SNMP configuration command to make the probe configuration complete, as in the following example:
setany -v1 $ROUTERIP public \
rttMonCtrlAdminRttType.$PROBE_ID -i 1 \
rttMonEchoAdminProtocol.$PROBE_ID -i 2 \
rttMonEchoAdminTargetAddress.$PROBE_ID -o "05 00 00 02"
Interfaces and Bridging
•
CSCee76965
The line protocol on serial or Packet-over-SONET (POS) interfaces with High-Level Data Link Control (HDLC) may become disabled for a few seconds.
This issue is observed after a switchover to a redundant route processor (RP) on a Cisco 7500 series that is configured for Stateful Switch Over (SSO) and that has a large number (about 2000) of dot1q interfaces defined.
Workaround: Increase the HDLC keepalive time or disable keepalives. Replacing HDLC with Point-to-Point Protocol (PPP) is another workaround.
•
CSCef77257
Currently for the IF-MIB, when the ifIndex refers to a VPN routing and forwarding instance (VRF) (dot1q/Isl) subinterface (FE/GE), some objects are missing in the ifTable.
This issue occurs in the VRF subinterfaces on a Cisco 7513 router after an upgrade from Cisco IOS Release 12.1(14)E5 to Cisco IOS Release 12.1(23)E.
There are no known workarounds.
•
CSCin58793
A Versatile Interface Processor (VIP) that is configured with an enhanced 1-port Asynchronous Transfer Mode (ATM) OC-12/STM-4 port adapter (PA-A3-OC12) may reload unexpectedly because of memory corruption.
This issue occurs on a Cisco 7500 series router when a permanent virtual circuit (PVC) is configured on the PA-A3-OC12.
There are no known workarounds.
•
CSCee35125
A Cisco router may crash when you enter the clear ip route * command.
This issue occurs when the routing table has a default route.
There are no known workarounds.
•
CSCee66936
A software-forced reload may occur on a router that is configured with a Distance Vector Multicast Routing Protocol (DVMRP) tunnel.
This issue occurs on a Cisco router when the DVMRP tunnel is brought up and routing information is redistributed between the DVMRP and the Multiprotocol BGP (MBGP).
There are no known workarounds.
•
CSCee88542
A Cisco router may reload unexpectedly when you enter the show ip msdp peer command.
This issue occurs because the Multicast Source Discovery Protocol (MSDP) session flaps when you enter the show ip msdp peer command.
There are no known workarounds.
•
CSCee89438
A Multicast Source Discovery Protocol (MSDP) enabled route processor (RP) does not build an (S,G) state from its Source Active (SA) cache when it should do so. Depending on the topology and if a shortest path tree (SPT) threshold is configured as infinite, this situation may result in a multicast forwarding interruption of up to 2 minutes.
This issue occurs when the RP for a group fails and an incoming (*,G) join message is received.
MSDP should create an (S,G) state from its SA cache. However, if the message is received before the (*,G) olist is populated, because of the (*,G) NULL olist, MSDP does not install an (S,G) state.
Workaround: Enter the clear ip mroute * command on all first-hop routers to the source to enable the FHR to register immediately when the next packet creates an (S,G) state.
•
CSCef44819
Remote routes are not propagated through internal BGP (IBGP) in a Multiprotocol Label Switching (MPLS) virtual private network (VPN) environment.
This issue occurs when the routers in the core are configured as IBGP peers. The routes learnt by either of the provider edges (PEs) are not propagated through IBGP to each other.
There are no known workarounds.
•
CSCef68244
When Border Gateway Protocol (BGP) speakers are peering in a multicast address family (AF), the withdraw update message could be corrupt.
There are no known workarounds.
•
CSCea44570
When an interface is configured for Intermediate System-to-Intermediate System (IS-IS) routing and then shut and configured as a passive-interface for IS-IS, after the no shutdown command, the network configured passive-interface is not advertised.
Workaround: Disable IS-IS routing on the interface before configuring the passive-interface.
There are no known workarounds.
•
CSCdr37247
SIP Voice over IP (VoIP) calls using Domain Name System (DNS) services might cause the router to reload.
This issue occurs when Session Initiation Protocol (SIP) is configured to use DNS services and the domain name servers fail to respond to the queries sent from the router when Time To Live (TTL) for the cached DNS entries expire.
Workaround: Use high TTL values in the domain name servers (7200 seconds or higher), and/or use high availability platforms for domain name servers.
•
CSCdt38401
Cisco Express Forwarding (CEF) believes an interface is down when it is in fact up, which causes CEF forwarding not to work for traffic destined to this interface.
This issue occurs during rapid interface flaps.
Workaround: Shut the interface down and bring the interface back up again.
•
CSCdt64533
UDP port 1985 on a Cisco 7206 VXR router was opened by the nmap command on a UNIX server as follows:
# nmap -sU -p 1985 10.1.1.21
Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on (10.1.1.21):
Port State Service
1985/udp open unknown
Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
There are no known workarounds.
•
CSCdy04914
A permanent virtual circuit (PVC) does not come up even after an alarm indication signal (AIS) is stopped. This symptom occurs after an AIS is received on the PVC from an Asynchronous Transfer Mode (ATM) network and the PVC configuration is changed.
To recreate this symptom, the PVC configuration must be changed while the PVC is in the AIS or remote defect indication Operation, Administration, and Maintenance (OAM) VC state.
Workaround: Reset the PVC by entering the shutdown interface configuration command followed by the no shutdown interface configuration command.
•
CSCeb31767
A flash disk or compact flash disks may not be recognized.
This issue occurs when a new flash disk or compact flash disk (that has not been formatted earlier on a platform that runs Microsoft Windows 95 or 98) is formatted on a platform that runs Microsoft Windows 2000.
There are no known workarounds.
•
CSCec31162
Incorrect tags may be imposed after a route has flapped.
This issue occurs on a Cisco router that functions in a Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) environment.
There are no known workarounds.
•
CSCec51408
When a Cisco 7206 VXR router is configured with an Inverse Multiplexing over ATM (IMA) interface (with 4 T1 lines in the IMA group, 3 minimum active-links, and traffic shaping using the vbr-nrt 3088 2381 100 statement), the vbr-nrt 3088 2381 100 statement is missing from the configuration after the router is reloaded.
There are no known workarounds.
•
CSCed13225
A Cisco router may reload unexpectedly.
This issue occurs when bringing up the multilink interfaces of the router.
There are no known workarounds.
•
CSCed29265
A router can crash while unconfiguring an Optical Services Module (OSM)-Asynchronous Transfer Mode (ATM) interface or after shutting down an OSM-ATM interface.
This issue occurs when basic Multiprotocol Label Switching (MPLS) is configured on the aal5snap subinterface of an OSM-ATM module. This issue seems to occur when you try to modify an existing permanent virtual circuit (PVC). Some structures may be wrongly freed while still in use. It does not appear that MPLS is the direct cause of this crash.
There are no known workarounds.
•
CSCee49862
A Cisco 7500 series multichannel T3 port adapter (PA-MC-2T3+) may not provide a two-second delay before bringing down the T3 controller.
This issue occurs when an alarm as defined in the ANSI T1.231 specification occurs.
There are no known workarounds.
•
CSCee49983
When the controller of multichannel T3 port adapter (PA-MC-2T3+) goes down for a short duration and an alarm occurs, the port adapter does not report the type of alarm.
This issue occurs on Cisco 7200 series and Cisco 7500 series routers that are configured with a PA-MC-2T3+. The port adapter should provide a history table of recent alarm conditions along with a corresponding time stamp to allow for proper troubleshooting.
There are no known workarounds.
•
CSCee66214
A Versatile Interface Processor (VIP) may crash with a bus error after you have configured a multilink interface.
This issue occurs after you have configured a multilink interface with serial interfaces on a PA-MC-8TE1+ and PA-MC-8E1/120 port adapter.
Workaround: Use the same type of port adapter for each multilink interface.
•
CSCee67278
A Versatile Interface Processor (VIP) may crash with a bus error and generate the following error message:
%ALIGN-1-FATAL: Illegal access to a low address
This issue occurs on a Cisco 7500 series router that runs a Cisco IOS image that contains the fix for CSCec07487 when a PA-MC-8TE1+ is installed in the VIP. This issue appears after the following scheduler error in the "req_proc" process:
%SYS-2-INTSCHED: 'sleep for' at level 2
-Process= "req_proc", ipl= 2, pid= 27
There are no known workarounds.
•
CSCee69057
A Cisco 7200 VXR router may hang.
This issue occurs on a Cisco 7200 VXR router that has a PA-MC-8TE1 and that is configured for IP security (IPSec) encryption, using either tunnel protection or a crypto map.
Workaround: Disable the IPSec encryption.
•
CSCee70591
A Cisco 7500 series T3 port adapter (PA-2T3+) may not provide a two-second delay before bringing down the T3 controller.
This issue occurs when an alarm as defined in the ANSI T1.231 specification occurs.
There are no known workarounds.
•
CSCee72857
After online insertion and removal (OIR) of a line card on a Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) provider edge (PE) router, the local label for a prefix in the label forwarding information base (LFIB) could be different from the Label Distribution Protocol (LDP) allocated local label. The local label in the LFIB can be displayed by executing the show mpls forwarding prefix command, and the LDP allocated local label can be displayed by executing the show mpls ldp binding prefix mask length command.
This problem only occurs if a prefix has multiple paths where:
– More than one path is over the line card which is being OIR'ed and
– One or more paths are going out through other line cards.
There are no known workarounds.
•
CSCee82681
On a Response Time Reporter (RTR) probe, a route switch processor (RSP) does not report input or output packets for serial interfaces of PA-MC-8T1, PA-MC-8E1, and PA-MC-8TE1+ port adapters.
This issue occurs on a Cisco 7500 series router that runs Cisco IOS Release 12.2(23a) or Cisco IOS Release 12.3 and is more likely to occur when the number of channelized port adapters (such as the PA-MC-8T1, PA-MC-8E1, and PA-MC-8TE1+ port adapters) that are installed in the router is high. The symptom may also occur in other releases.
Workaround: Reload the router.
Alternate Workaround: Enter the reload microcode router configuration command.
•
CSCee95978
A Cisco router may reload unexpectedly with a bus error exception.
This issue occurs on a Cisco 7200 series router with an NPE-G1 that is actively passing traffic.
There are no known workarounds.
•
CSCef03054
A Cisco 7200 router might crash with a software forced crash as a consequence of a memory corruption.
This issue occurs when more than 15 Hot Standby Routing Protocol (HSRP) groups in an interface of a PA-2FE-TX are configured.
Workaround: Do not configure more than 15 HSRP groups in those interfaces.
•
CSCef05857
Cache error reporting is broken for SiByte processors.
When an L2 cache error occurs on a SiByte processor, such as an NPE-G1, misleading error messages describing "INVALID CPUS" and "Address not in TLB" are displayed on the console.
There are no known workarounds.
•
CSCef07965
When accessing a system with CiscoView Device Manager (CVDM), the system may crash if there are more than 50 files on the compact flash (CF) card. The crash only occurs after a successful authentication.
Note that this problem is not seen on all CF cards, and this limit of 50 files also includes deleted files unless the flash is squeezed.
Workaround: Keep fewer than 50 files on the CF card, or squeeze the flash with the squeeze flash device command.
•
CSCef14971
A memory leak exists in the *Dead* processes. When the show processes memory command is executed, the memory held by the *Dead* processes increases constantly. Most of the lines displayed in the command reference the "HTTP PROXY Server".
This issue occurs when the router is running Cisco IOS Release 12.1E and is configured with auth-proxy.
There are no known workarounds.
•
CSCef17072
When a local address is configured as part of a crypto map, the local address is a subinterface of an Inverse Multiplexing over ATM (IMA) interface, and the router is reloaded, the local address points to the main IMA interface.
Workaround: If the endpoints of the IP security (IPSec) session are directly connected interfaces, the crypto map local-address configuration is not needed. Remove the configuration with the no crypto map map name local-address atmX/imaY.Z command.
•
CSCef40723
The bandwidth on a Fast Ethernet (FE) interface changes to 10 Mbps when the remote interface flaps once.
This issue occurs on the FE interface of a port adapter that is installed in a carrier card on a Cisco 7304 router that is configured with an NSE-100. The FE interface has an auto-duplex and an auto-speed configuration.
Workaround: Enter the shutdown command followed by the no shutdown command on the affected FE interface.
•
CSCef55463
When you configure vbr-nrt shaping on two or more permanent virtual circuits (PVCs) that are defined under the same physical Asynchronous Transfer Mode (ATM) interface, one of the PVCs is subsequently unable to achieve the configured vbr-nrt rate.
This issue occurs when a PA-A3-8E1IMA or PA-A3-8T1IMA port adapter is installed in a Cisco 7xxx series router and when the load is equal to or greater than the maximum configured vbr-nrt rate on at least two PVCs.
Workaround: Configure vbr-nrt rates proportionally higher on each PVC. Enter the transmit-priority 1 command on the PVC that must reach the guaranteed vbr-nrt. This configuration allows the other PVC or PVCs to reach approximately 90 to 95 percent of the configured vbr-nrt rate.
•
CSCef56327
You may not be able to configure the clock source line command during the configuration of the SONET controller on a Cisco 7200 series router in which a PA-MC-STM1 port adapter is installed.
When you enter the clock source line command during the configuration of the SONET controller, the output of the show running-config command indicates that the clock source is set to line. However, the output of the show controllers sonet command indicates that the clock is set to internal, and when you enter the show running-config command again, the output indicates this time that the clock source is set to internal.
This issue occurs when the PA-MC-STM1 port adapter is connected back-to-back using dark fiber to another PA-MC-STM1 port adapter.
Workaround: Enter the overhead s1byte ignore command on the SONET controller before you configure the clock source.
•
CSCef61641
A change in the controller state does not affect the subrate interface state.
This issue occurs on a Cisco 7500 series router that is configured with a PA-MC-2T3+ port adapter.
Workaround: There are no known workarounds. However, you can synchronize the interface with the controller by entering the shutdown interface configuration command followed by the no shutdown interface configuration command on the affected interface.
•
CSCef61978
When issuing commands that output a lot of text (such as show tech-support and show mls cef) from a Secure Shell (SSH)v2 connection, the output hangs until any key is pressed. As soon as a key is pressed, output resumes. The hang does not occur when the connection is made through Telnet or Secure Shell (SSH)v1.
Workaround: Press a key on the client session for the remaining output to continue.
•
CSCef75551
A Cisco 7200 series router that is configured for IP security (IPSec) and the Tunnel End-Point Discovery feature may crash because of a watchdog timeout.
This issue occurs when the Cisco 7200 series router functions as an Internet key exchange (IKE) responder under stress.
Workaround: Disable the Tunnel End-Point Discovery feature. If disabling this feature is not an option, there are no known workarounds.
•
CSCef84134
When using service compress-config with dual route switch processors (RSPs), the startup configuration is not saved on the slave RSP. In addition, compression is not performed on the slave NVRAM and you get the following message:
Router#wr mem
Building configuration...
Compressed configuration from 145645 bytes to 41107 bytes[OK]
Copying config from Master to Slave...
Uncompressed configuration from 41107 bytes to 145645 bytes
%Error writing slavenvram:startup-config (No space left on device)
or
%Error writing slavenvram:startup-config (Error Sending Request)
There are no known workarounds.
•
CSCef94525
A port adapter that is installed in a Versatile Interface Processor (VIP) or FlexWAN module and that is configured with more than 38 multilink bundles crashes.
This issue occurs on a Cisco 7500 series router when distributed Cisco Express Forwarding (CEF) switching is disabled, either through entering the no ip cef distributed command or through a FIB-DISABLE event.
There are no known workarounds.
•
CSCeg03153
The ifAdminStatus MIB does not show as down on the subinterface when the CLI shows it is administratively down.
This issue affects Simple Network Management Protocol (SNMP) monitoring of a subinterface's proper status.
Workaround: Use ifOperStatus.
•
CSCeg12710
Packets are not marked on a frame-relay interface when a flat policy is configured.
This issue occurs on a Cisco 7500 series router that is configured with an RSP4. However, this caveat may be platform-independent.
Workaround: Use the per-data-link connection identifier (DLCI) policy.
•
CSCin74180
Spurious memory accesses may occur on a Versatile Interface Processor (VIP) in which one or more channelized port adapters are installed. The CPU utilization may increase to 99 or 100 percent, causing the performance of the VIP to be impacted.
This issue occurs on a Cisco 7500 series router that runs Cisco IOS Release 12.3(6), but may also occur in other releases.
There are no known workarounds.
•
CSCin77116
The router crashes at hqf_create_a_blt when modifying an access-list.
This issue occurs when a feature that is not supported in the input direction is applied on an interface or subinterface.
There are no known workarounds.
•
CSCin78324
A Cisco 7200 VXR router may hang.
This issue occurs on a Cisco 7200 VXR router that has a PA-MC-8TE1 and is configured for IPSec encryption, using either tunnel protection or a crypto map.
Workaround: Disable the IPSec encryption.
•
CSCin78325
A serial interface of a PA-MC-8TE1+ continues to process packets even after the interface is placed in the "ADMINDOWN" state. The counters in the output of the show interfaces serial command may continue to increment even if the serial interface is shut down.
This issue occurs on a serial interface of a PA-MC-8TE1+ when there is a channel-group configuration for the interface.
Workaround: Remove the channel-group configuration for the interface.
•
CSCin79644
When a service is reconfigured on a cache engine from Layer 2 (L2) Redirect to Generic Routing Encapsulation (GRE) as the forwarding method, the Multilayer Switching (MLS) flow mask is not amended appropriately. While overall system behavior is as expected, performance may be less than optimal.
There are no known workarounds.
•
CSCuk51269
Multicast packets, such as Hot Standby Routing Protocol (HSRP) and Open Shortest Path First (OSPF) packets, are not received on a port-channel interface.
This issue occurs when a port-channel interface is configured on a Cisco router, you reload the router, and the first member is added to the port-channel interface by entering the no shutdown interface configuration command on the physical interface.
Workaround: Enter the do shutdown interface configuration command followed by the no shutdown interface configuration command on the port-channel interface.
There are no known workarounds.
Open Caveats—Cisco IOS Release 12.1(23)E4
This section documents possible unexpected behavior by Cisco IOS Release 12.1(23)E4 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(23)E4.
Resolved Caveats—Cisco IOS Release 12.1(23)E4
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(23)E4. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCeh13489
A router may reset its Border Gateway Protocol (BGP) session.
This issue is observed when a Cisco router that peers with other routers receives an Autonomous System (AS) path with a length that is equal to or greater than 255.
Workaround: Configure the bgp maxas-limit command in such a way that the maximum length of the AS path is a value below 255. When the router receives an update with an excessive AS path value, the prefix is rejected and the event is recorded in the log.
•
CSCei61732
Cisco IOS may permit arbitrary code execution after exploitation of a heap-based buffer overflow vulnerability. Cisco has included additional integrity checks in its software, as further described below, that are intended to reduce the likelihood of arbitrary code execution.
Cisco has made free software available that includes the additional integrity checks for affected customers.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20051102-timers.shtml.
Open Caveats—Cisco IOS Release 12.1(23)E3
This section documents possible unexpected behavior by Cisco IOS Release 12.1(23)E3 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(23)E3.
Resolved Caveats—Cisco IOS Release 12.1(23)E3
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(23)E3. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCee78451
The policing rate is calculated lower than configured with small packets (of less than 82 bytes).
This issue occurs because although the router should use the IP length for policing, these small packets seem to be treated as 82 bytes (iplength = 64 bytes).
This issue is very similar to CSCdx92093, but this issue happens with native IOS.
There are no known workarounds.
•
CSCef44225
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messages
Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at:
http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en
•
CSCef44699
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messages
Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at
http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en
•
CSCef60659
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messages
Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at
http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en
•
CSCsa59600
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messages
Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at
http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en
Open Caveats—Cisco IOS Release 12.1(23)E2
This section documents possible unexpected behavior by Cisco IOS Release 12.1(23)E2 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(23)E2.
Resolved Caveats—Cisco IOS Release 12.1(23)E2
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(23)E2. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdv04959
Time To Live (TTL) is not decreased when switching packets coming from a Generic Routing Encapsulation (GRE) tunnel.
There are no known workarounds.
•
CSCec64333
Polling IPsec MIBS - ciscoIPsecMIB, ciscoIpSecFlowMonitorMIB, and ciscoIpSecPolMapMIB - through the Simple Network Management Protocol (SNMP) results in memory being held indefinitely by the device.
This issue occurs on Cisco 7200 VXR series routers running cryptographic versions of IOS. In particular, the issue has been noted on Cisco IOS Releases 12.3(1a) and 12.1(11b)E.
Workaround: Minimize the use of these MIBS until a remedy for the defect is found.
•
CSCed39563
The following flow message appears when the system is working normally:
%ENVM-4-ENVWARN: xxx V measured at yyy
There are no known workarounds.
•
CSCee49121
The combination of a static Address Resolution Protocol (ARP) entry and an IP route, whose destination is a local interface rather than an IP next-hop, fails to create an adjacency for that host. This issue results in packets being forwarded in software at the process level instead of in hardware.
This issue occurs if the static ARP entry is created after a dynamic ARP has been learned. The dynamic ARP is not updated, and packets continue to be forwarded according to the old dynamic ARP information.
Workaround: Do not use static ARP entries.
Alternative workaround: Use IP routes with an IP address as the destination instead of an interface name.
•
CSCee67450
A Cisco device running Cisco IOS and enabled for the Border Gateway Protocol (BGP) is vulnerable to a Denial of Service (DoS) attack from a malformed BGP packet. Only devices with the command `bgp log-neighbor-changes' configured are vulnerable. The BGP protocol is not enabled by default, and must be configured in order to accept traffic from an explicitly defined peer. Unless the malicious traffic appears to be sourced from a configured, trusted peer, it would be difficult to inject a malformed packet.
If a misformed packet is received and queued up on the interface, this bug may also be triggered by other means which are not considered remotely exploitable such as the use of the command `show ip bgp neighbors' or running the command `debug ip bgp <neighbor> updates' for a configured bgp neighbor.
Cisco has made free software available to address this problem.
For more details, please refer to this advisory, available at
http://www.cisco.com/warp/public/707/cisco-sa-20050126-bgp.shtml
•
CSCef08195
The snmp-server host config command fails as follows:
snmp-831(config)#snmp-server host 192.168.5.1 tuname1 udp-port 7249 config
% Ambiguous command: "snmp-server host 192.168.5.1 tuname1 udp-port 7249 config "
This issue occurs because previously only one snmp-server host config command was available. Now, due to the addition of another command, snmp-server host config-copy, this behavior is exhibited:
snmp-831(config)#snmp-server host 192.168.5.1 a udp-port 2000 config?
config config-copy
There are no known workarounds.
•
CSCef15418
A router cannot write to bootflash.
This issue occurs on a Cisco router after entering the squeeze bootflash command.
There are no known workarounds.
•
CSCef38478
You are unable to identify the IPSec tunnel termination reason from the IPSec tunnel stop trap.
Workaround: You can poll the required Varbind once it gets the trap.
•
CSCef61978
When issuing commands which output a lot of text (such as show tech-support and show mls cef) from a Secure Shell (SSH)v2 connection, the output hangs until any key is pressed. As soon as a key is pressed, output resumes. This hang is not seen when the connection is made through Telnet or Secure Shell (SSH)v1.
Workaround: Press a key on the client session for the remaining output to continue.
•
CSCef75551
A Cisco 7200 series router that is configured for IP security (IPSec) and the Tunnel End-Point Discovery feature may crash because of a watchdog timeout.
This issue occurs when the Cisco 7200 series router functions as an Internet key exchange (IKE) responder under stress.
Workaround: Disable the Tunnel End-Point Discovery feature. If disabling this feature is not an option, there are no known workarounds.
•
CSCef84134
When using service compress-config with dual Route Switch Processors (RSPs), the startup configuration is not saved on the slave RSP. In addition, compression is not performed on the slave NVRAM and the following message appears:
Router# wr mem
Building configuration...
Compressed configuration from 145645 bytes to 41107 bytes[OK]
Copying config from Master to Slave...
Uncompressed configuration from 41107 bytes to 145645 bytes
%Error writing slavenvram:startup-config (No space left on device)
or
%Error writing slavenvram:startup-config (Error Sending Request)
There are no known workarounds.
Open Caveats—Cisco IOS Release 12.1(23)E1
This section documents possible unexpected behavior by Cisco IOS Release 12.1(23)E1 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(23)E1.
Resolved Caveats—Cisco IOS Release 12.1(23)E1
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(23)E1. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCed61854
When the max-links limit is reached, all active physical units (PUs) are deactivated.
This issue occurs on SNASw routers with max-links and NNS-Required configured on the SNA Switching Services (SNASw) port.
Workaround: Configure only max-links or NNS-Required on the SNASw Port.
•
CSCed78149
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messages
Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at
http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en.
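The three message types named in the ICMP caveats above (CSCef44225, CSCef44699, CSCef60659, CSCsa59600 and CSCed78149) can be told apart in captured traffic by ICMP type and code. The following Python is an added example, not Cisco code: it classifies ICMP errors that quote a TCP segment and counts those aimed at sessions on the device itself. The numeric type/code mapping (taken from RFC 792 and RFC 1122), the function names and the sample packets are assumptions constructed for illustration.

```python
"""Classify ICMP errors that quote a TCP segment into the three types listed above."""
import struct
from collections import Counter
from ipaddress import IPv4Address

ICMP, TCP = 1, 6


def parse_ipv4(buf):
    """Return (protocol, src, dst, payload) for an IPv4 packet, or None if malformed."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        return None
    ihl = (buf[0] & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl:
        return None
    return buf[9], IPv4Address(buf[12:16]), IPv4Address(buf[16:20]), buf[ihl:]


def classify(packet):
    """Map one IPv4 packet to a record describing the ICMP-against-TCP type, or None."""
    outer = parse_ipv4(packet)
    if outer is None or outer[0] != ICMP or len(outer[3]) < 8:
        return None
    icmp = outer[3]
    itype, icode = icmp[0], icmp[1]
    # Type/code mapping follows RFC 792 and RFC 1122 (an assumption added here;
    # the release notes name the three types but not the numeric values).
    if itype == 3 and icode in (2, 3):      # protocol / port unreachable
        kind = "hard_error"
    elif itype == 3 and icode == 4:         # fragmentation needed and DF set
        kind = "pmtud"
    elif itype == 4 and icode == 0:         # source quench
        kind = "source_quench"
    else:
        return None                         # soft errors, echo, and so on
    # The ICMP payload quotes the offending IP header plus at least 8 bytes of
    # its payload: for TCP that is source port, destination port, sequence number.
    quoted = parse_ipv4(icmp[8:])
    if quoted is None or quoted[0] != TCP or len(quoted[3]) < 8:
        return None
    sport, dport, seq = struct.unpack("!HHI", quoted[3][:8])
    return {
        "kind": kind,
        "reporter": str(outer[1]),
        "session": (str(quoted[1]), sport, str(quoted[2]), dport),
        "quoted_seq": seq,
        "next_hop_mtu": struct.unpack("!H", icmp[6:8])[0] if kind == "pmtud" else None,
    }


def summarize(packets, local_addrs):
    """Count messages per type for TCP sessions that originate or terminate on this device."""
    counts = Counter()
    for pkt in packets:
        rec = classify(pkt)
        # The quoted packet was sent by the device itself when its source is local.
        if rec and rec["session"][0] in local_addrs:
            counts[rec["kind"]] += 1
    return counts


# --- Constructed sample traffic (documentation addresses, checksums left at zero) ---
def _ipv4(proto, src, dst, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64,
                       proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed) + payload


def _icmp_error(itype, icode, rest, reporter, quoted_src, quoted_dst):
    tcp_head = struct.pack("!HHI", 179, 40000, 1000)     # first 8 bytes of a TCP header
    quoted = _ipv4(TCP, quoted_src, quoted_dst, tcp_head)
    return _ipv4(ICMP, reporter, quoted_src,
                 struct.pack("!BBHI", itype, icode, 0, rest) + quoted)


ROUTER = "192.0.2.1"   # hypothetical address of the monitored device
SAMPLES = [
    _icmp_error(3, 3, 0, "198.51.100.7", ROUTER, "192.0.2.2"),         # hard error
    _icmp_error(3, 4, 68, "198.51.100.7", ROUTER, "192.0.2.2"),        # PMTUD, MTU 68
    _icmp_error(4, 0, 0, "198.51.100.7", ROUTER, "192.0.2.2"),         # source quench
    _icmp_error(3, 1, 0, "198.51.100.7", ROUTER, "192.0.2.2"),         # host unreachable: soft
    _icmp_error(3, 3, 0, "198.51.100.7", "203.0.113.5", "192.0.2.2"),  # transit session
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample))
    print(dict(summarize(SAMPLES, {ROUTER})))
```

The quoted sequence number and session tuple in each record are what an operator would compare against the device's live TCP sessions when reviewing a burst of such messages.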
•
CSCee69057
A Cisco 7200 VXR router may become unresponsive.
This issue occurs on a Cisco 7200 VXR router that has a PA-MC-8TE1 and is configured for IPSec encryption, either using tunnel protection or a crypto map.
Workaround: Disable IPSec encryption.
•
CSCee72857
After online insertion and removal (OIR) of a line card on a Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) provider edge (PE) router, the local label for a prefix in the label forwarding information base (LFIB) could be different from the Label Distribution Protocol (LDP) allocated local label. The local label in the LFIB can be displayed by executing the show mpls forwarding prefix command, and the LDP allocated local label can be displayed by executing the show mpls ldp binding prefix mask length command.
This problem only occurs if a prefix has multiple paths where:
–
More than one path is over the line card which is being OIR'ed and
–
One or more paths are going out through other line cards.
There are no known workarounds.
•
CSCee77809
When you try to configure the Network Time Protocol (NTP) on a Cisco platform, the ntp server command is rejected with the following error message:
%NTP: failed to initialize NTP process
This issue is observed on any Cisco platform that does not support a reference clock.
There are no known workarounds.
•
CSCee91044
A network operations center (NOC) may receive many false alerts indicating that an Internet key exchange (IKE) tunnel is down. (The IKE tunnel is torn down but immediately rebuilt.)
This issue is observed when Simple Network Management Protocol (SNMP) traps are sent for every IKE timeout or rekey but not for an IP security (IPSec) timeout or rekey.
There are no known workarounds.
•
CSCef03054
A Cisco 7200 router might crash with a software forced crash as a consequence of a memory corruption.
This issue occurs when more than 15 Hot Standby Routing Protocol (HSRP) groups in an interface of a PA-2FE-TX are configured.
Workaround: Do not configure more than 15 HSRP groups in those interfaces.
•
CSCef14971
A memory leak exists in the *Dead* processes. When the show processes memory command is executed, the memory held by the *Dead* processes increases constantly. Most of the lines displayed in the command reference the "HTTP PROXY Server".
This issue occurs when the router is running Cisco IOS Release 12.1E and is configured with auth-proxy.
There are no known workarounds.
•
CSCef19264
When IPSec is using hardware crypto engine accelerators, the Time To Live (TTL) in the IP header is not correctly decremented prior to IPSec encapsulation. This behavior can cause excessive traffic load in a network with routing loops.
Workaround: Eliminate the routing loop in the network.
•
CSCin58793
A Versatile Interface Processor (VIP) that is configured with an enhanced 1-port Asynchronous Transfer Mode (ATM) OC-12/STM-4 port adapter (PA-A3-OC12) may reload unexpectedly because of memory corruption.
This issue occurs on a Cisco 7500 series router when a permanent virtual circuit (PVC) is configured on the PA-A3-OC12.
There are no known workarounds.
•
CSCin78324
A Cisco 7200 VXR router may hang.
This issue occurs on a Cisco 7200 VXR router that has a PA-MC-8TE1 and that is configured for IPSec encryption, either using tunnel protection or a crypto map.
Workaround: Disable IPSec encryption.
•
CSCin78325
A serial interface of a PA-MC-8TE1+ continues to process packets even after the interface is placed in the "ADMINDOWN" state. The counters in the output of the show interfaces serial command may continue to increment even if the serial interface is shut down.
This issue occurs on a serial interface of a PA-MC-8TE1+ when there is a channel-group configuration for the interface.
Workaround: Remove the channel-group configuration for the interface.
•
CSCuk51269
Multicast packets, such as Hot Standby Routing Protocol (HSRP) and Open Shortest Path First (OSPF) packets, are not received on a port-channel interface.
This issue occurs when a port-channel interface is configured on a Cisco router, you reload the router, and the first member is added to the port-channel interface by entering the no shutdown interface configuration command on the physical interface.
Workaround: Enter the do shutdown interface configuration command followed by the no shutdown interface configuration command on the port-channel interface.
There are no known workarounds.
Open Caveats—Cisco IOS Release 12.1(23)E
This section documents possible unexpected behavior by Cisco IOS Release 12.1(23)E and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(23)E.
Resolved Caveats—Cisco IOS Release 12.1(23)E
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(23)E. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdr37247
SIP Voice over IP (VoIP) calls using Domain Name System (DNS) services might cause the router to reload.
This issue occurs when Session Initiation Protocol (SIP) is configured to use DNS services and the domain name servers fail to respond to the queries sent from the router when the Time To Live (TTL) for the cached DNS entries expires.
Workaround: Use high TTL values in the domain name servers (7200 seconds or higher), and/or use high availability platforms for domain name servers.
•
CSCdt64533
UDP port 1985 on a Cisco 7206 VXR router was opened by the nmap command on a UNIX server as follows:
# nmap -sU -p 1985 10.1.1.21
Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on (10.1.1.21):
Port State Service
1985/udp open unknown
Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
There are no known workarounds.
•
CSCdv49923
The Inverse Address Resolution Protocol (INARP) fails to map the Internet Protocol (IP) address of the peer device when the devices are connected over Asynchronous Transfer Mode (ATM) permanent virtual circuit (PVC) bundle bumping.
This defect manifests when the member PVC of the bundle, which is responsible for carrying the INARP traffic (PVC configured to carry packets with IP precedence 6) goes down and the traffic of that particular PVC is bumped to another member PVC of the bundle correctly.
Workaround: Issue the shutdown and no shutdown commands on the interface, or map the PVC bundle to the peer IP address statically.
Note
To completely address this problem, both this fix and the fix for CSCin31097 are needed.
•
CSCeb52181
A Cisco 7500 series router running Cisco IOS Release 12.1(10) may unexpectedly reload because of a bus error.
This unexpected reload happens under normal working conditions; no configuration changes were performed at that time.
There are no known workarounds.
•
CSCeb81473
A Cisco 7500 series router that is configured as a bridge may not pass bridged traffic on a Fiber Distributed Data Interface (FDDI) interface. This situation may lead to a loss of connectivity.
Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the FDDI interface.
•
CSCec71950
Cisco routers and switches running Cisco IOS or Cisco IOS XR software may be vulnerable to a remotely exploitable crafted IP option Denial of Service (DoS) attack. Exploitation of the vulnerability may potentially allow for arbitrary code execution. The vulnerability may be exploited after processing an Internet Control Message Protocol (ICMP) packet, Protocol Independent Multicast version 2 (PIMv2) packet, Pragmatic General Multicast (PGM) packet, or URL Rendezvous Directory (URD) packet containing a specific crafted IP option in the packet's IP header. No other IP protocols are affected by this issue.
Cisco has made free software available to address this vulnerability for affected customers.
There are workarounds available to mitigate the effects of the vulnerability.
This vulnerability was discovered during internal testing. This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml
•
CSCed16561
The Dynamic Feedback Protocol (DFP) manager reports the following errors:
5w5d: %CASA-4-SECURITY_FAIL: Incorrect security information in CASA packet.
%SLB_DFP-4-NO_PARSE: Agent 10.9.9.42:1111 - Could not parse message
%SLB_DFP-4-KEEP_ALV: Agent 10.9.9.44:1111 - Have not received keep alive
This happens when DFP is configured on the manager and agent. If the DFP passwords are not configured, the first two messages are not seen.
There are no known workarounds.
•
CSCed35964
An interoperability issue occurs with the 48MB viking flash. This issue occurs under the following conditions:
–
If the flash card is formatted in another router, such as a Cisco 7500 series router, and loaded with the image, the card can be read in the Cisco 7200 series router, but when the router is reloaded, it receives a bad magic error with a -13 open file error.
–
The second condition seems to involve removing the first large file regardless of its position on the disk. On the first reload, the same errors occur and, in some cases, do not recover for a second pass to read the disk and load the boot image and/or IOS. (The router may stay in a continual loop.)
The problem is not seen when deleting smaller files, such as the bootloader that is only 4MB in size.
There are no known workarounds.
•
CSCed48156
A Cisco 7500 series router running Cisco IOS Release 12.1(10)E6 reports SYS-3-CPUHOG messages and drops Open Shortest Path First (OSPF) and Border Gateway Protocol (BGP) adjacencies.
This issue has been observed after running a script which removed/added two access control lists.
There are no known workarounds.
•
CSCed60800
The withdraw message of a multipath (not bestpath) from a Border Gateway Protocol (BGP) neighbor deletes the path from the BGP table but it does not uninstall the route from the IP routing table.
This issue occurs when the maximum-paths eibgp command or maximum-paths ibgp command is configured.
Workaround: Enter the clear ip bgp * command or disable the maximum-paths eibgp command or maximum-paths ibgp command.
Alternate Workaround: If the number of possible BGP paths is less than or equal to 2 then the problem is transient and not obviously noticeable.
•
CSCed63357
This caveat consists of six separate issues and workarounds, of which the first three apply to all Cisco IOS releases and the last three apply only to Cisco IOS Release 12.3 T:
Issue 1: There are three problems:
–
There may be an inconsistent or duplicate display of files between the show disk slot-number and dir disk slot-number commands.
–
When a file is deleted from the CLI, the file may be deleted but a "No such file" message may be printed.
–
One cluster may leak. Entering the fsck command truncates the original file and creates an orphan file for the leaked cluster.
This issue occurs when an application creates or opens a file without the "O_TRUNC" mode, as in the following example:
Router# show version | append disk#:
Router# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# vtp file new
Setting device to store VLAN database at filename new.
Router(config)# ^Z
There are no known workarounds.
Issue 2: The show disk slot-number and dir disk slot-number commands may show inconsistent information (such as inconsistent file sizes) when multiple images are copied.
This issue occurs when you make two copies of the image file to the disk by using two vtys and by entering the dir disk slot-number command at the same time.
Workaround: Do not enter the show disk slot-number and dir disk slot-number commands when multiple images are being copied.
Issue 3: There are two problems:
–
The show disk slot-number and dir disk slot-number commands may show inconsistent information.
–
Entering the fsck command may delete or truncate the valid files or create an orphan file for an unused cluster.
This issue occurs when you rename a directory that consists of many subdirectories or files.
Workaround: Reload the router.
Issue 4: There are two symptoms:
–
There may be a duplicate entry for each file when you enter the show disk slot-number command.
–
An snmpGet on a ciscoFlashFileSize object may enter a loop.
This issue occurs on a router that runs Cisco IOS Release 12.3 T after the router boots up.
There are no known workarounds.
Issue 5: There are two symptoms:
–
The show disk slot-number and dir disk slot-number commands may show inconsistent information.
–
Entering the fsck command may delete or truncate the original file.
This issue occurs on a router that runs Cisco IOS Release 12.3 T when an application or a CLI command overwrites a file on the disk.
Workaround: Reload the router.
Issue 6: A router that runs Cisco IOS Release 12.3 T may unexpectedly reload.
This issue occurs when an application creates or opens a file without the "O_TRUNC" mode and attempts to delete the file, as in the following example:
show version | append disk0:redirect.out
and issuing
delete disk0:disk0:redirect.out
Workaround: Reload the router and delete the file.
•
CSCed65285
Certain release trains of Cisco Internetwork Operating System (IOS), when configured to use the Cisco IOS Secure Shell (SSH) server in combination with Terminal Access Controller Access Control System Plus (TACACS+) as a means to perform remote management tasks on Cisco IOS devices, may contain two vulnerabilities that can potentially cause Cisco IOS devices to exhaust resources and reload. Repeated exploitation of these vulnerabilities can result in a Denial of Service (DoS) condition. Use of SSH with Remote Authentication Dial In User Service (RADIUS) is not affected by these vulnerabilities.
Cisco has made free software available to address these vulnerabilities for all affected customers. There are workarounds available to mitigate the effects of the vulnerability (see the "Workarounds" section of the full advisory for details.)
This advisory will be posted at
http://www.cisco.com/warp/public/707/cisco-sa-20050406-ssh.shtml
•
CSCed65778
Certain release trains of Cisco Internetwork Operating System (IOS), when configured to use the Cisco IOS Secure Shell (SSH) server in combination with Terminal Access Controller Access Control System Plus (TACACS+) as a means to perform remote management tasks on Cisco IOS devices, may contain two vulnerabilities that can potentially cause Cisco IOS devices to exhaust resources and reload. Repeated exploitation of these vulnerabilities can result in a Denial of Service (DoS) condition. Use of SSH with Remote Authentication Dial In User Service (RADIUS) is not affected by these vulnerabilities.
Cisco has made free software available to address these vulnerabilities for all affected customers. There are workarounds available to mitigate the effects of the vulnerability (see the "Workarounds" section of the full advisory for details.)
This advisory will be posted at
http://www.cisco.com/warp/public/707/cisco-sa-20050406-ssh.shtml
•
CSCed67358
An IP version 6 (IPv6) Protocol-Independent Multicast (PIM) neighbor may be down after changing the PIM configuration.
This issue occurs when the no ipv6 pim command is entered on some subinterfaces of a physical Ethernet interface and PIM is enabled on several subinterfaces of the same physical Ethernet interface.
There are no known workarounds.
•
CSCed70886
In Integrated Services Digital Network (ISDN) leased line environments, all traffic stops after online insertion and removal (OIR) of the PA-8B.
There are no known workarounds.
•
CSCed87256
In an Integrated Services Digital Network (ISDN) leased line environment, all traffic stops after an online insertion and removal (OIR) is performed on an NM-8B.
Workaround: Reload the router.
•
CSCed95499
Under the right conditions, a Cisco router may unexpectedly reload if a port adapter driver attempts to convert an uncached iomem address to a cached iomem address.
This issue occurs on a Cisco 7200 NPE-G1 series router.
There are no known workarounds.
•
CSCed95942
Pings across a GigabitEthernet link in a Multiprotocol Label Switching (MPLS) network may fail.
This issue occurs on a Cisco 7500 series router running Cisco IOS Release 12.1(20)E3 when a GigabitEthernet link is used in the MPLS network and ip cef dist is not enabled on the far-end label switching router (LSR) of the link.
Workaround: Configure ip cef dist on the far-end LSR of the GigabitEthernet link.
•
CSCee22523
A Versatile Interface Processor (VIP) containing a PA-A3-OC12 ATM port adapter in a Cisco 7500 series router may unexpectedly reload.
This issue occurs when the router is running Asynchronous Transfer Mode (ATM) LAN Emulation (LANE) configuration.
There are no known workarounds. The traffic on the VIP is disrupted for a while until the VIP comes back up.
•
CSCee34939
A memory leak exists in Secure Shell Version 2 (SSHv2).
This issue occurs when the client closes the connection after a key exchange and before user authentication occurs.
Workaround: Configure Secure Shell Version 1 (SSHv1) by entering the ip ssh version 1 command.
•
CSCee44827
Spurious memory accesses occur on the Versatile Interface Processor (VIP) with a PA-FE on the Cisco 7500 platform.
This issue occurs when a raw Ethernet packet is received by a PA-FE interface (which uses the DEC21140 MAC controller chipset) configured as an Inter-Switch Link (ISL) trunk.
There are no known workarounds.
•
CSCee47151
On a Cisco 7206VXR router running Cisco IOS Release 12.1(19)E3, when a shut and then a no shut command is configured under the Asynchronous Transfer Mode (ATM) interface, the source address on the access control list (ACL) between the routers changes, automatically causing IPSec to fail.
This is a rare occurrence and only occurs on some Cisco 7206 routers.
An example of ACL change is as follows:
ip access-list extended acl1
permit ip any host a.b.c.d
permit ip any w.x.y.z 0.0.0.63 <--- this statement is changed to
ip access-list extended acl1
permit ip any host a.b.c.d
permit ip host 0.0.0.0 w.x.y.z 0.0.0.63 <--- this statement
Workaround: Manually change the ACL statement back to the original configuration.
•
CSCee53069
Memory leaks exist in the Adj Manager and IP Input processes, and possibly in some routing protocol processes, such as IP-EIGRP Router.
This issue affects only distributed architecture platforms, and only occurs if all following conditions are met:
–
Distributed Cisco Express Forwarding (dCEF) is enabled.
–
There are Asynchronous Transfer Mode (ATM) interface(s) with LAN Emulation (LANE) encapsulation.
–
There are lots of incomplete adjacencies across these interfaces.
–
You are running Cisco IOS Release 12.1E.
Workaround: If possible, disable dCEF.
•
CSCee56541
The router experiences tracebacks and crashes while sending a high rate of Internet Group Management Protocol (IGMP) joins to many multicast groups.
This issue occurs only in extreme cases or in a denial of service attack where a device is attempting to join an extremely large number of multicast groups.
There are no known workarounds.
•
CSCee58873
The show controllers t1 slot/port command shows only the current interval.
This issue occurs on a Cisco 7200 series router when a facilities data link (FDL) is configured.
There are no known workarounds.
•
CSCee60844
A Cisco 7500 series router with a PA-T3 or PA-2T3 configured for class-based weighted-fair queueing (CBWFQ) experiences a software forced crash.
Workaround: Remove WFQ from the interface or policy-map.
•
CSCee62180
On a Cisco IOS router running IPSec (IP Security) encryption, if the crypto access-list is defined in such a way that it has explicit deny statements for networks that do not need to be encrypted, and a permit ip any at the end to encrypt all other traffic, then the deny statements may be ignored. The result is that traffic that is not intended to be protected by IPSec may get encrypted and later dropped on the receiving router since it expects the same flow to be in clear.
Workaround: Use explicit permit statements in the crypto ACL to only define networks that need to be encrypted.
•
CSCee64286
The Service Adapter-VPN Acceleration Module (SA-VAM) gets stuck if the IOS and VPN Acceleration Module (VAM) get out of sync with the message "rx_intr:*error* PA still owns free pool buffer {0xA,0xy,0xz,0xw}".
Workaround: Reload the crypto engine using no cry engine accel and crypto engine accel commands. In the case of E-train images, use crypto card shut, crypto card enable commands to reset the VAM module.
•
CSCee66206
When booting a Cisco 7200 series router that is configured with an NPE-300 or NPE-400, the router crashes with a traceback.
This issue occurs when the router runs Cisco IOS interim Release 12.1(22.3)E1.
There are no known workarounds.
•
CSCee69887
A dual Spatial Reuse Protocol (SRP) ring fails to become active completely due to an is-type mismatch. The output of the show clns neighbors command indicates that a certain system interface remains in the "Init" state indefinitely, although the output of the show ip interface brief command shows that this interface is up.
There are no known workarounds.
•
CSCee71113
A router running IPSec pre-fragmentation may reload due to a bus error in crypto fragmentation code.
Workaround: Disable the pre-fragmentation feature by issuing the crypto ipsec fragmentation after-encryption command.
•
CSCee82681
The route switch processor (RSP) doesn't report input/output packets when Cisco Express Forwarding (CEF) is enabled on the Response Time Reporter (RTR).
Workaround: Reload the router, or upgrade to fix the code.
•
CSCee84496
When the NPE-G1 receives an Expanded Call Context (ECC) bus error, it displays an erroneous parity error message.
There are no known workarounds.
•
CSCee84611
A Cisco router that serves as a Network Time Protocol (NTP) broadcast client fails to synchronize with an NTP server.
This issue occurs on Cisco routers running Cisco IOS Release 12.2(12.11)T and later releases.
There are no known workarounds.
•
CSCee89438
A Multicast Source Discovery Protocol (MSDP) enabled route processor (RP) does not build an (S,G) state from its Source Active (SA) cache when it should do so. Depending on the topology and if a shortest path tree (SPT) threshold is configured as infinite, this situation may result in a multicast forwarding interruption of up to 2 minutes.
This issue occurs when the RP for a group fails and an incoming (*,G) join message is received.
MSDP should create an (S,G) state from its SA cache. However, if the message is received before the (*,G) olist is populated, because of the (*,G) NULL olist, MSDP does not install an (S,G) state.
Workaround: Enter the clear ip mroute * command on all first-hop routers to the source to enable the FHR to register immediately when the next packet creates an (S,G) state.
•
CSCee95978
A Cisco router reloads unexpectedly with a bus error exception.
This issue occurs on a Cisco 7200 series router with an NPE-G1 that was actively passing traffic.
There are no known workarounds.
•
CSCin63066
When a new probe (index $PROBE_ID) is created through the Simple Network Management Protocol (SNMP), the probes, whose index numbers are greater than $PROBE_ID, are not shown in the output of the show rtr configuration or show rtr operation-state commands.
This issue occurs if the probe is created in the CREATE_AND_WAIT state using the following command:
unix_xterm>setany -v1 $ROUTERIP public rttMonCtrlAdminStatus.$PROBE_ID 5
Workaround: Enter a subsequent SNMP configuration command to make the probe configuration complete.
For example:
setany -v1 $ROUTERIP public \
rttMonCtrlAdminRttType.$PROBE_ID -i 1 \
rttMonEchoAdminProtocol.$PROBE_ID -i 2 \
rttMonEchoAdminTargetAddress.$PROBE_ID -o "05 00 00 02"
•
CSCin68712
A Cisco 7500 series router reloads when the multilink interface configured on it comes up.
This issue occurs when service-policy is configured on the multilink interface and distributed switching is enabled.
Workaround: Do not configure service-policy on router to prevent the router from reloading.
•
CSCin74155
A router that functions under a heavy load with Secure Shell Version 2 (SSHv2) clients may crash if any of the SSH clients are terminated.
This issue occurs when the following conditions are present:
–
The CPU utilization is above 70 percent.
–
There are continuous sweep pings from two far-end routers that have the debug ip packet command enabled to create continuous logs for the SSH clients.
–
The no logging console command is configured.
–
A connection is made from a couple of SSHv2 clients, you enable the terminal monitor command, and you terminate the SSHv2 clients while continuous messages are being generated.
–
The Transmission Control Protocol (TCP) window size is reduced.
Workaround: Avoid using SSHv2 when the router is very stressed.
•
CSCin76381
A Parallel Express Forwarding (PXF) exception occurs on a Cisco 7200 series router that is configured with an NSE-1, or on a Cisco 7401 router that has PXF enabled when either of these platforms function as an L2TP network server (LNS).
This issue occurs when an L2TP session is established over a VLAN subinterface that has Inter-Switch Link (ISL) encapsulation enabled and when traffic is processed on this subinterface.
Workaround: Disable PXF by entering the no ip pxf command.
•
CSCin76595
A Cisco 7500 series router shows a large number of tracebacks of the "64bit read" access type on a Versatile Interface Processor (VIP).
This issue occurs on a Cisco 7500 series router that runs Cisco IOS Release 12.2 S or 12.3 when the VIP contains a PA-POS-OC3, PA-POS-2OC3, or PA-SRP-OC12.
There are no known workarounds.
•
CSCin76829
A Cisco 7200 VXR series router with a VPN Acceleration Module (VAM) Encryption/Compression engine port adapter may stop forwarding traffic and display the following error:
%SYS-2-BADSHARE: Bad refcount in retparticle, ptr=0, count=0
-Traceback= 605BEBE0 616335E0 60F827D8 60154C08 604892B4 6048B39C 6048D3D0
This issue occurs on a Cisco 7200 VXR series router running Cisco IOS Release 12.1(20)E.
There are no known workarounds.
•
CSCin77116
After applying the input service-policy, if the access-list matching that class/policy is modified, the router crashes.
This issue occurs when a feature that is not supported in the input direction is applied on an interface or subinterface.
There are no known workarounds.
•
CSCin77139
The route processor (RP) crashes while creating two particular class-maps.
This issue occurs when the first class map is configured with a match access-list with permit ip any, and then a second class map is configured with match any. The RP hangs for some time, and then unexpectedly reloads.
class-map match-all qos
match access-group 99
class-map match-all puravi
match any
access-list 99 permit ip any
There are no known workarounds.
•
CSCuk50878
Spurious memory accesses are reported by a router after a number of Web Cache Communication Protocol (WCCP) cache lost and cache found events. After these occur, addition and deletion of WCCP services fail and the show ip wccp service command indicates the service does not exist even though the service appears in the output of the show ip wccp command.
The problem applies to dynamic services only (not web-cache) and arises if all the caches in a service group are lost and then reacquired a number of times. This problem can be caused by services being manually disabled and re-enabled on a cache or perhaps by heavy traffic load between router and cache causing WCCP protocol messages to be dropped. Only images containing the fix for CSCec55429 exhibit this problem.
After the problem has occurred, it is necessary to stop all WCCP services on the router and then restart them.
There are no known workarounds.
Open Caveats—Cisco IOS Release 12.1(22)E6
This section documents possible unexpected behavior by Cisco IOS Release 12.1(22)E6 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(22)E6.
Resolved Caveats—Cisco IOS Release 12.1(22)E6
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(22)E6. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCef44225
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1.
Attacks that use ICMP "hard" error messages
2.
Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3.
Attacks that use ICMP "source quench" messages
Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at
http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en
•
CSCef44699
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1.
Attacks that use ICMP "hard" error messages
2.
Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3.
Attacks that use ICMP "source quench" messages
Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at
http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en
•
CSCef60659
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1.
Attacks that use ICMP "hard" error messages
2.
Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3.
Attacks that use ICMP "source quench" messages
Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at
http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en
•
CSCsa59600
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messages
Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at
http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en
Open Caveats—Cisco IOS Release 12.1(22)E3
This section documents possible unexpected behavior by Cisco IOS Release 12.1(22)E3 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(22)E3.
Resolved Caveats—Cisco IOS Release 12.1(22)E3
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(22)E3. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdv04959
Time To Live (TTL) is not decreased when switching packets coming from a Generic Routing Encapsulation (GRE) tunnel.
There are no known workarounds.
•
CSCdv14267
The cikeFailTable and cipSecFailTable are not getting populated.
There are no known workarounds.
•
CSCdv49923
The Inverse Address Resolution Protocol (INARP) fails to map the Internet Protocol (IP) address of the peer device when the devices are connected over Asynchronous Transfer Mode (ATM) permanent virtual circuit (PVC) bundle bumping.
The defect manifests when the member PVC of the bundle, which is responsible for carrying the INARP traffic (PVC configured to carry packets with IP precedence 6) goes down, and the traffic of that particular PVC is bumped to another member PVC of the bundle correctly.
Workaround: Issue shutdown and no shutdown on the interface.
Alternative workaround: Map the PVC bundle to peer IP address statically. To completely address this problem, both this fix and the fix for CSCin31097 are needed.
•
CSCdx19396
Addresses that are used for overloading may be used as one-to-one translations.
This issue occurs when a combination of static and dynamic Port Address Translation (PAT) are used. The addresses that are used for overloading may be used as one-to-one translations because for Domain Name System (DNS) packets, the addresses are translated inside the payload. This issue may cause dynamic translations to fail.
Workaround: Ensure the ip nat pool inside_pool contains more than one IP address.
•
CSCea44460
CSCdz88480 identified that the JMIX performance was lower when the ATM-PA was placed in the even slot. This could be due to the extra PCI bridge latency.
This caveat investigates ways of improving performance when Asynchronous Transfer Mode (ATM) is in the even slot.
There are no known workarounds.
•
CSCeb04441
When an Asynchronous Transfer Mode (ATM) link flaps or a remote ATM platform reloads, a Fast Etherchannel may fail and Enhanced Interior Gateway Routing Protocol (EIGRP) neighbors that are connected through the Fast Etherchannel may be lost.
This issue occurs on a Cisco 7500 series router that is running Cisco IOS Release 12.0(21)S5.
There are no known workarounds.
•
CSCeb13472
A basic ping fails on the port channel interface.
This issue is observed on a Cisco 200 series router that is running Cisco IOS Release 12.2(15)T3.
There are no known workarounds.
•
CSCec50490
When going from Cisco IOS Release 12.1(15) to 12.2(17) the Fast Serial Interface Processor (FSIP) reports %RSP-3-FOREVER, and the Ethernet Interface Processor (EIP) becomes wedged.
This issue also occurs in Cisco IOS Release 12.1(20) and later releases.
Workaround: Load the old microcode for the Fast Serial Interface Processor (FSIP) (rsp_fsip20-9) using the microcode commands.
•
CSCec58486
A Cisco 7200 series router unexpectedly reloads.
The problem occurs when the router attempts to correct a single bit error in memory (DRAM parity). The issue is similar to CSCdu00306, however CSCdu00306 may not correct every situation where this occurs.
This issue is specific to the NPE400.
There are no known workarounds.
•
CSCec64333
Polling the IPsec MIBs (ciscoIPsecMIB, ciscoIpSecFlowMonitorMIB, and ciscoIpSecPolMapMIB) through the Simple Network Management Protocol (SNMP) results in memory being held indefinitely by the device.
This issue occurs on Cisco 7200 VXR series routers running cryptographic versions of IOS. In particular, the issue has been noted on Cisco IOS Releases 12.3(1a) and 12.1(11b)E.
Workaround: Minimize the use of these MIBs until a remedy for the defect is found.
•
CSCec78347
A spurious memory access message appears when Border Gateway Protocol (BGP) peer groups are configured on the router.
This issue occurs on Cisco IOS Release 12.1E.
There are no known workarounds.
•
CSCed16920
A Cisco router experiences high CPU utilization at the TTY Background process when the logging synchronous command is configured under line con 0.
Workaround: Remove the logging synchronous command from line con 0. Note, however, that this should only be performed during a scheduled maintenance window as the router could pause indefinitely just after removal of the command, possibly requiring a manual reboot of the router.
•
CSCed29599
An output authentication error occurs in the crypto hardware.
This issue occurs when running multiple failover tests over a long period of time. Very few authentication errors are noticed on the crypto hardware statistics.
There are no known workarounds.
•
CSCed36440
Invalid AVL messages may be generated over a period of time.
This issue occurs on a Cisco 7200 series router that is configured with 2000 IPSec tunnels when a High Availability (HA) switchover occurs once every hour.
There are no known workarounds.
•
CSCed53358
Pings fail on an Ethernet-to-VLAN interworking over Layer 2 Tunneling Protocol, version 3 (L2TPv3) due to an Internet Control Message Protocol (ICMP) Router Discovery Protocol (IRDP) failure.
This issue occurs when you ping between two customer edge (CE) routers because both of the CE routers do not learn each other's MAC address automatically.
Workaround: Ping from the first CE router to the second CE router, then ping from the second CE router to the first CE router.
•
CSCed55288
A Cisco 7200 series router running the VPN Acceleration Module (VAM) may report spurious memory access.
This issue occurs under rare circumstances with VAM and VAM2.
There are no known workarounds.
•
CSCed57103
A Cisco 7200 series router running the VPN Acceleration Module (VAM) may underutilize the resources for processing Internet Key Exchange (IKE) commands.
There are no known workarounds.
•
CSCed59370
When an Open Shortest Path First (OSPF) external route has a forwarding address, which is known in the routing table to have next hop a.b.c.d, the next hop address does not get updated in the type 5 link-state advertisement (LSA) when the forwarding address gets a more specific entry in the routing table with a different next hop address.
Workaround: Enter the clear ip route x.x.x.x command where x.x.x.x is the external OSPF route.
Alternative workaround: Enter the clear ip ospf redistribution command on the originating Autonomous System Border Router (ASBR).
•
CSCed61854
When the max-links limit is reached, all active physical units (PUs) are deactivated.
This issue occurs on SNASw routers with max-links and NNS-Required configured on the SNA Switching Services (SNASw) port.
Workaround: Configure only max-links or NNS-Required on the SNASw Port.
•
CSCed69312
IPSec accelerators leak I/O memory buffers when they are shut down.
This issue occurs with the VPN Acceleration Module (VAM), VAM2 and AIM-EPII cards. This issue is not seen with the integrated services adapter (ISA).
There are no known workarounds.
•
CSCed78149
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messages
Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at
http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en.
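As an added example (not part of the Cisco release notes or advisory), the following Python sketch sorts inbound ICMP errors into the three attack classes listed above and checks whether each one refers to a TCP session that terminates on the device. The in-window check on the quoted TCP sequence number is an assumption of this example, the kind of validation the Internet-Draft discusses, and not a description of Cisco's fix; the session table, addresses and packets are constructed.

```python
import ipaddress
import struct

# ICMP (type, code) -> attack class named in the caveat text.
# Assumption: "hard" errors are Destination Unreachable codes 2 and 3
# (the RFC 1122 hard errors); code 4 is tracked separately as PMTUD.
ICMP_CLASSES = {
    (3, 2): "hard-error",      # protocol unreachable
    (3, 3): "hard-error",      # port unreachable
    (3, 4): "pmtud",           # fragmentation needed and DF set
    (4, 0): "source-quench",
}


def build_sample(icmp_type, code, src, sport, dst, dport, seq, mtu=0):
    """Build a constructed ICMP error quoting a TCP segment (checksums left 0)."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                           ipaddress.IPv4Address(src).packed,
                           ipaddress.IPv4Address(dst).packed)
    tcp8 = struct.pack("!HHI", sport, dport, seq)
    return struct.pack("!BBHHH", icmp_type, code, 0, 0, mtu) + inner_ip + tcp8


def parse_icmp_error(icmp):
    """Parse bytes starting at the ICMP header; return None if not of interest."""
    if len(icmp) < 8 + 20 + 8:
        return None
    attack_class = ICMP_CLASSES.get((icmp[0], icmp[1]))
    inner = icmp[8:]                      # quoted IP header + 8 bytes of TCP
    ihl = (inner[0] & 0x0F) * 4
    if attack_class is None or inner[0] >> 4 != 4 or ihl < 20:
        return None
    if inner[9] != 6 or len(inner) < ihl + 8:   # quoted packet must be TCP
        return None
    sport, dport, seq = struct.unpack("!HHI", inner[ihl:ihl + 8])
    return {
        "class": attack_class,
        "mtu": struct.unpack("!H", icmp[6:8])[0],   # meaningful for PMTUD only
        "flow": (str(ipaddress.IPv4Address(inner[12:16])), sport,
                 str(ipaddress.IPv4Address(inner[16:20])), dport),
        "seq": seq,
    }


def assess(icmp, sessions):
    """Return (verdict, attack_class) for one ICMP message.

    sessions maps (local_ip, local_port, remote_ip, remote_port) to
    (snd_una, snd_nxt) for TCP sessions terminating on this device.
    """
    info = parse_icmp_error(icmp)
    if info is None:
        return ("ignore", None)
    state = sessions.get(info["flow"])
    if state is None:
        return ("no-session", info["class"])     # transit traffic or bogus
    snd_una, snd_nxt = state
    # Modulo-2^32 comparison: the quoted sequence number must lie in
    # [snd_una, snd_nxt), i.e. refer to data that is actually in flight.
    in_flight = (snd_nxt - snd_una) & 0xFFFFFFFF
    offset = (info["seq"] - snd_una) & 0xFFFFFFFF
    if offset < in_flight:
        return ("plausible", info["class"])
    return ("out-of-window", info["class"])


if __name__ == "__main__":
    # Constructed session: a BGP session terminating on the router.
    table = {("192.0.2.1", 179, "198.51.100.7", 40000): (1000, 2000)}
    for seq in (1500, 5000):
        pkt = build_sample(3, 4, "192.0.2.1", 179, "198.51.100.7", 40000, seq, mtu=68)
        print(seq, assess(pkt, table))
```

Messages classed "out-of-window" or "no-session" are the ones worth counting and alerting on, since a legitimate ICMP error quotes a segment the device really sent.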
•
CSCed86089
The command to test if the L3 cache is enabled or disabled is broken for the NSE-1 on a Cisco 7200 series router.
Workaround: Use the show version command to ascertain the status of the L3 cache state.
•
CSCed89735
An uncorrectable Expanded Call Context (ECC) parity error may occur on a Cisco 7200 series router that is configured with an NPE-G1.
This rare issue occurs when you enter the show sysctlr or show tech command on the NPE-G1.
Workaround: Do not enter the show sysctlr or show tech command.
•
CSCed94244
A Cisco 7200 series router running the VPN Accelerator Module (VAM) produces traceback at crypto_isa_post_encrypt_ps function with the message "SYS-2-LINKED Bad enqueue of 0xxx in queue 0xxx".
This traceback occurs when the crypto card is shut down using the command crypto card shut slot while traffic is still running. This issue occurs more often when more than 500 IPSec tunnels are configured.
There are no known workarounds.
•
CSCed95041
A Cisco 7200 series router with NPE-G1 running the VPN Acceleration Module (VAM) may print the XXXX pattern when debugging VAM errors using the debug crypto device command.
This issue occurs only when the debug flag is enabled.
There are no known workarounds.
•
CSCed95499
A Cisco router may unexpectedly reload if a port adapter driver attempts to convert an uncached iomem address to a cached iomem address.
This issue occurs on a Cisco 7200 series router that is configured with an NPE-G1.
There are no known workarounds.
•
CSCee04949
Resetting a VPN Acceleration Module (VAM)/AIM-EPII module may block all the interrupts.
This issue is triggered when the router is extremely low on i/o memory and the crypto accelerator is reset.
Workaround: Reload the router and monitor memory usage.
•
CSCee47151
When you enter the shutdown command followed by the no shutdown command on an Asynchronous Transfer Mode (ATM) interface, the source address on the access control list (ACL) between the routers may change unexpectedly, causing IPSec to fail.
The following is an example of an unexpected change in the source address on the ACL:
ip access-list extended acl1
permit ip any host a.b.c.d
permit ip any w.x.y.z 0.0.0.63 <--- this statement
is changed to
ip access-list extended acl1
permit ip any host a.b.c.d
permit ip host 0.0.0.0 w.x.y.z 0.0.0.63 <--- this statement
This issue occurs on a Cisco 7206VXR router that is running Cisco IOS Release 12.1(19)E3, but may also occur in other releases such as Cisco IOS Releases 12.3 and 12.3 T.
Workaround: Manually change the ACL statement back to original configuration.
•
CSCee60844
A software-forced crash may occur on a Cisco 7500 series router.
This issue occurs on a Cisco 7500 series router with a PA-T3 or PA-2T3 configured for class-based weighted fair queueing (CBWFQ).
Workaround: Remove CBWFQ from the interface or policy map.
•
CSCee62180
On a Cisco IOS router running IP Security (IPSec) encryption, if the crypto access-list is defined in such a way that it has explicit deny statements for networks that do not need to be encrypted and a permit ip any at the end to encrypt all other traffic, then the deny statements may be ignored. The result is that traffic that is not intended to be protected by IPSec may get encrypted and later dropped on the receiving router since it expects the same flow to be in clear.
Workaround: Use explicit permit statements in the crypto access control list (ACL) to only define networks that need to be encrypted.
•
CSCee64286
The Service Adapter-VPN Acceleration Module (SA-VAM) gets stuck if the IOS and VPN Acceleration Module (VAM) get out of sync with the message "rx_intr:*error* PA still owns free pool buffer {0xA,0xy,0xz,0xw}".
Workaround: Reload the crypto engine using no cry engine accel and crypto engine accel commands. In the case of E-train images, use crypto card shut, crypto card enable commands to reset the VAM module.
•
CSCee66319
A router running IPSec may reload due to a bus error.
This issue only occurs using hardware encryption.
There are no known workarounds.
•
CSCee67450
A Cisco device running Cisco IOS and enabled for the Border Gateway Protocol (BGP) is vulnerable to a Denial of Service (DoS) attack from a malformed BGP packet. Only devices with the command `bgp log-neighbor-changes' configured are vulnerable. The BGP protocol is not enabled by default, and must be configured in order to accept traffic from an explicitly defined peer. Unless the malicious traffic appears to be sourced from a configured, trusted peer, it would be difficult to inject a malformed packet.
If a malformed packet is received and queued up on the interface, this bug may also be triggered by other means which are not considered remotely exploitable, such as the use of the command `show ip bgp neighbors' or running the command `debug ip bgp <neighbor> updates' for a configured BGP neighbor.
Cisco has made free software available to address this problem.
For more details, please refer to this advisory, available at
http://www.cisco.com/warp/public/707/cisco-sa-20050126-bgp.shtml
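As an added example (not Cisco's tooling), this Python sketch audits a saved running-config from a device still on a release earlier than 12.1(22)E3 for the trigger conditions named in three of the caveats above: a crypto ACL that mixes deny statements with a closing permit for all traffic (CSCee62180), bgp log-neighbor-changes (CSCee67450), and logging synchronous under line con 0 (CSCed16920). The configuration text, ACL names and addresses are constructed, and the parser assumes the usual one-space indentation of sub-commands.

```python
import re

# Constructed running-config excerpt; addresses are documentation/private ranges.
SAMPLE_CONFIG = """\
router bgp 65001
 bgp log-neighbor-changes
 neighbor 192.0.2.2 remote-as 65002
!
crypto map VPN 10 ipsec-isakmp
 set peer 192.0.2.10
 match address CRYPTO-ALL
crypto map VPN 20 ipsec-isakmp
 set peer 192.0.2.20
 match address 110
!
ip access-list extended CRYPTO-ALL
 deny ip 10.1.0.0 0.0.255.255 10.9.0.0 0.0.255.255
 permit ip any any
!
access-list 110 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
line con 0
 logging synchronous
"""


def split_blocks(config):
    """Return [(top-level line, [indented child lines])] in config order."""
    blocks = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        if line[0] != " ":
            blocks.append((line, []))
        elif blocks:
            blocks[-1][1].append(line.strip())
    return blocks


def collect_acls(blocks):
    """Map ACL name or number to its entries, for named and numbered ACLs."""
    acls = {}
    for header, children in blocks:
        named = re.match(r"ip access-list extended (\S+)$", header)
        numbered = re.match(r"access-list (\d+) (.+)$", header)
        if named:
            # Drop optional leading sequence numbers ("10 permit ...").
            entries = [re.sub(r"^\d+\s+", "", c) for c in children]
            acls.setdefault(named.group(1), []).extend(entries)
        elif numbered:
            acls.setdefault(numbered.group(1), []).append(numbered.group(2))
    return acls


def audit(config):
    """Return [(caveat id, location)] for each trigger condition found."""
    blocks = split_blocks(config)
    acls = collect_acls(blocks)
    findings = []
    for header, children in blocks:
        if header.startswith("router bgp ") and "bgp log-neighbor-changes" in children:
            findings.append(("CSCee67450", header))
        if header.startswith("crypto map "):
            for child in children:
                ref = re.match(r"match address (\S+)$", child)
                if not ref:
                    continue
                entries = acls.get(ref.group(1), [])
                has_deny = any(e.startswith("deny ") for e in entries)
                permits_all = any(re.match(r"permit ip any any\b", e) for e in entries)
                if has_deny and permits_all:
                    findings.append(("CSCee62180", f"{header} -> ACL {ref.group(1)}"))
        if header == "line con 0" and "logging synchronous" in children:
            findings.append(("CSCed16920", header))
    return findings


if __name__ == "__main__":
    for caveat, where in audit(SAMPLE_CONFIG):
        print(f"{caveat}: {where}")
```

A finding means only that the configuration matches the caveat's trigger condition; whether the device is exposed still depends on the release it runs.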
•
CSCee69057
A Cisco 7200 VXR series router may hang.
This issue occurs on a Cisco 7200 VXR series router that has a PA-MC-8TE1 and is configured for IPSec encryption, either using tunnel protection or a crypto map.
Workaround: Disable IPSec encryption.
•
CSCee71113
A router running IPSec prefragmentation may reload due to a bus error.
This issue occurs only with prefragmentation under special circumstances.
Workaround: Disable prefragmentation by entering the crypto ipsec fragmentation after-encryption global configuration command.
•
CSCee84496
An NPE-G1 may display an erroneous parity error message.
This issue occurs on a Cisco 7200 series router when the NPE-G1 receives an Expanded Call Context (ECC) bus error.
There are no known workarounds.
•
CSCee91044
Simple Network Management Protocol (SNMP) traps are sent for every Internet Key Exchange (IKE) timeout/rekey but not for the IPSec timeout/rekey. This behavior overwhelms the customer's network operations center (NOC) with false alerts that an IKE tunnel is down. What actually happens is that the IKE tunnel is torn down, but immediately rebuilt.
There are no known workarounds.
•
CSCef14971
A memory leak exists in the *Dead* processes. When the show processes memory command is executed, the memory held by the *Dead* processes increases constantly. Most of the lines displayed in the command reference the "HTTP PROXY Server".
This issue occurs when the router is running Cisco IOS Release 12.1E and is configured with auth-proxy.
There are no known workarounds.
•
CSCef19264
When IPSec is using hardware crypto engine accelerators, the Time To Live (TTL) in the IP header is not correctly decremented prior to IPSec encapsulation. This behavior can cause excessive traffic load in a network with routing loops.
Workaround: Eliminate the routing loop in the network.
•
CSCef46191
A specifically crafted Transmission Control Protocol (TCP) connection to a telnet or reverse telnet port of a Cisco device running Internetwork Operating System (IOS) may block further telnet, reverse telnet, Remote Shell (RSH), Secure Shell (SSH), and in some cases Hypertext Transport Protocol (HTTP) access to the Cisco device. Telnet, reverse telnet, RSH and SSH sessions established prior to exploitation are not affected.
All other device services will operate normally. Services such as packet forwarding, routing protocols and all other communication to and through the device are not affected.
Cisco will make free software available to address this vulnerability.
Workarounds, identified below, are available that protect against this vulnerability.
The advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040827-telnet.shtml
•
CSCef75551
A Cisco 7200 series router that is configured for IP security (IPSec) and the Tunnel End-Point Discovery feature may crash because of a watchdog timeout.
This issue occurs when the Cisco 7200 series router functions as an Internet key exchange (IKE) responder under stress.
Workaround: Disable the Tunnel End-Point Discovery feature. If disabling this feature is not an option, there are no known workarounds.
•
CSCef79717
The default fair-queue command changes the queueing strategy under cable interfaces from the default of Weighted Fair Queuing (WFQ) to First In First Out (FIFO).
This issue occurs in Cisco IOS Release 12.2(15)BC2c and earlier releases.
Workaround: Configure fair-queue under the cable interface to change the queueing strategy from FIFO back to the default of WFQ.
•
CSCin11256
A Layer 2 Tunneling Protocol (L2TP) access concentrator (LAC) may reload when PPP over ATM (PPPoA) sessions are initiated.
This issue occurs when the shutdown interface configuration command and the no shutdown interface configuration command are entered in quick succession.
•
CSCin43938
If a FastEthernet (FE) interface is being used as an IP link for voice calls between two routers and shut/no shut is issued multiple times on the FE interface, the Address Resolution Protocol (ARP) entry of the other FE might be lost and not recovered automatically.
Workaround: Shut/no shut the other FE.
•
CSCin67912
The frame-relay class classname command is not accepted on a Cisco 7500 series route switch processor (RSP).
This issue occurs on a Cisco 7500 series router (RSP) that runs Cisco IOS Release 12.1(21.03)E03.
Workaround: Use the class statement under the Data-Link Connection Identifier (DLCI).
•
CSCin76829
A Cisco 7200 VXR series router with a VPN Acceleration Module (VAM) Encryption/Compression engine port adapter may stop forwarding traffic and display the following error:
%SYS-2-BADSHARE: Bad refcount in retparticle, ptr=0, count=0
-Traceback= 605BEBE0 616335E0 60F827D8 60154C08 604892B4 6048B39C 6048D3D0
This issue occurs on a Cisco 7200 VXR series router running Cisco IOS Release 12.1(20)E.
There are no known workarounds.
•
CSCin78324
A Cisco 7200 VXR series router may hang.
This issue occurs on a Cisco 7200 VXR router that has a PA-MC-8TE1 and is configured for IPSec encryption, either using tunnel protection or a crypto map.
Workaround: Disable IPSec encryption.
•
CSCin78325
A serial interface of a PA-MC-8TE1+ continues to process packets even after the interface is placed in the "ADMINDOWN" state. The counters in the output of the show interfaces serial command may continue to increment even if the serial interface is shut down.
This issue occurs on a serial interface of a PA-MC-8TE1+ when there is a channel-group configuration for the interface.
Workaround: Remove the channel-group configuration for the interface.
•
CSCuk50878
Spurious memory accesses are reported by a router after a number of Web Cache Communication Protocol (WCCP) cache lost and cache found events. After these occur, addition and deletion of WCCP services fail and the show ip wccp service command indicates the service does not exist even though the service appears in the output of the show ip wccp command.
The problem applies to dynamic services only (not web-cache) and arises if all the caches in a service group are lost and then reacquired a number of times. This problem can be caused by services being manually disabled and re-enabled on a cache or perhaps by heavy traffic load between router and cache causing WCCP protocol messages to be dropped. Only images containing the fix for CSCec55429 exhibit this problem.
After the problem has occurred, it is necessary to stop all WCCP services on the router and then restart them.
There are no known workarounds.
Open Caveats—Cisco IOS Release 12.1(22)E1
This section documents possible unexpected behavior by Cisco IOS Release 12.1(22)E1 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(22)E1.
Resolved Caveats—Cisco IOS Release 12.1(22)E1
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(22)E1. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdz32659
Many memory allocation failure (MALLOCFAIL) messages may occur for a Cisco Discovery Protocol (CDP) process:
%SYS-2-MALLOCFAIL: Memory allocation of -1732547824 bytes failed fromx605111F0, pool Processor, alignment 0
-Process= "CDP Protocol", ipl= 0, pid= 42
-Traceback= 602D5DF4 602D78A0 605111F8 60511078 6050EC88 6050E684 602D0E2C 602D0E18
The issue occurs on a Cisco 7513 router that runs Cisco IOS Release 12.0(17)ST. The issue may also occur on other Cisco 7500 series routers that run Cisco IOS Release 12.0 S, 12.2 S, 12.3, or 12.3 T.
Workaround: To prevent the symptom from occurring again, disable CDP by entering the no cdp run global configuration command.
•
CSCdz84583
A vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences beyond terminated connection which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer) and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality.
All Cisco products which contain TCP stack are susceptible to this vulnerability.
This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS® software.
A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.
•
CSCed27956
A vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences beyond terminated connection which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer) and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality.
All Cisco products which contain TCP stack are susceptible to this vulnerability.
This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS® software.
A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.
•
CSCed35253
A router may reload unexpectedly after it attempts to access a low memory address.
This issue occurs after access control lists (ACLs) have been updated dynamically or after the router has responded dynamically to an intrusion detection system (IDS) signature.
Workaround: Disable IP Inspect and IDS.
•
CSCed38527
A vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences beyond terminated connection which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer) and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality.
All Cisco products which contain TCP stack are susceptible to this vulnerability.
This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS® software.
A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.
•
CSCed93836
A vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences beyond terminated connection which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer) and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality.
All Cisco products which contain TCP stack are susceptible to this vulnerability.
This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS® software.
A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.
•
CSCin67568
A Cisco router experiences a memory leak in the Cisco Discovery Protocol (CDP) process.
The device sending CDP packets sends a hostname that is 256 or more characters. There are no problems with a hostname of 255 or fewer characters.
Workaround: Configure the neighbor device to use a hostname of fewer than 256 characters, or disable the CDP process with the global command no cdp run.
Open Caveats—Cisco IOS Release 12.1(22)E
This section documents possible unexpected behavior by Cisco IOS Release 12.1(22)E and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(22)E.
Resolved Caveats—Cisco IOS Release 12.1(22)E
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(22)E. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdt38138
A Cisco 7200 series router running Cisco IOS Release 12.1(22)E and configured for IPSec may reboot with a bus error.
There are no known workarounds.
•
CSCdt95129
Address overloading might not be possible after manually clearing the Network Address Translation (NAT) translation table. Each dynamic entry in the translation table grabs a whole address.
Workaround: Do not clear the NAT translation table manually on routers running affected software releases.
•
CSCea57826
Incoming packets may become stuck indefinitely on the native Gigabit Ethernet interfaces of a Network Processing Engine G1 (NPE-G1) that is installed in a Cisco 7200 series router.
This issue occurs under a full traffic load and only on a Cisco 7200 series router that is configured with an NPE-G1.
Workaround: Issue the shutdown command followed by a no shutdown command on the affected NPE-G1 Gigabit Ethernet interface.
•
CSCeb60620
A Cisco route switch processor (RSP) that is configured as a bridge may not pass bridged traffic, regardless of the protocols that are configured on Ethernet interfaces. This situation can lead to a loss of connectivity.
There are no known workarounds.
•
CSCec22970
When the negotiation auto command is enabled, the Gigabit Ethernet port link is up and down between the Cisco 7301 router and the network processing engine-G1 (NPE-G1).
This issue occurs on a Cisco 7301 router, but is platform independent.
Workaround: Enter the no negotiation auto command on the interface of each router.
•
CSCed03333
Context-based Access Control (CBAC) sessions are left in the sis-closing state due to out-of-order packet handling.
Workarounds: To reduce exposure to this issue, lower the inspect File Transfer Protocol (FTP) timeout, or disable Cisco Express Forwarding (CEF).
•
CSCed13018
Native Gigabit Ethernet interface throttling is always bypassed.
This issue occurs because the newer version of BCM chips bypass throttling, whereas for older revisions, it is needed.
There are no known workarounds.
•
CSCed71964
The Buffer (I/O memory) starvation and %SYS-2-MALLOCFAIL messages display on the console.
This issue occurs when Encryption/Compression and fair-queue are enabled on the same interface on a Cisco 7200 series router with an NSE-1 processor board or a Cisco 7401 platform.
Workaround: Disable PXF using the no ip pxf command.
Alternate Workaround: Disable fair-queuing on the egress interface using the no fair-queue command.
•
CSCed78803
A Cisco router configured with Frame-Relay encapsulation may forward packets that come in on a subinterface that is in an administratively shutdown state.
There are no known workarounds.
•
CSCed81096
Packets cannot be transmitted out of the interface. As a result, the interface and routing may start flapping. In addition, you may also see memory allocation failure messages.
This issue occurs on a Cisco 7200 series router with an NSE-1 processor board or a Cisco 7401 platform when Parallel Express Forwarding (PXF) is enabled, and the egress interface has enabled fair-queuing and traffic shaping.
Workaround: Disable PXF using the no ip pxf command.
Alternate Workaround: Disable fair-queuing on the egress interface using the no fair-queue command.
•
CSCed93804
The Enhanced Interior Gateway Routing Protocol (EIGRP) may incorrectly remove a connected route from the topology when the user changes the router network commands and overlapping networks exist.
Consider the following configuration:
int loopback1
ip addr 10.1.2.2 255.255.255.0
router eigrp 1
net 10.0.0.0 0.3.255.255
If changing the network command to 'net 10.0.0.0' by doing...
router(config)# net 10.0.0.0
router(config)# no net 10.0.0.0 0.3.255.255
... the connected route will be removed when it should be retained.
Workaround: Remove the old network command first before adding the new one:
router(config)# no net 10.0.0.0 0.3.255.255
router(config)# net 10.0.0.0
•
CSCed11793
The output queue of a Gigabit Ethernet port may become stuck, preventing traffic from leaving the interface.
This issue occurs on the Gigabit Ethernet port 0/1 (gig0/1) of a Network Processing Engine NPE-G1 (NPE-G1) that is installed in a Cisco 7200 series router.
Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the affected interface.
Alternate workaround: Reload the router.
•
CSCee00041
A new vulnerability in the OpenSSL implementation for SSL was announced on March 17, 2004.
An affected network device running an SSL server based on an affected OpenSSL implementation may be vulnerable to a Denial of Service (DoS) attack. There are workarounds available to mitigate the effects of this vulnerability on Cisco products in the workaround section of this advisory. Cisco is providing fixed software, and recommends that customers upgrade to it when it is available.
This advisory will be posted at
http://www.cisco.com/warp/public/707/cisco-sa-20040317-openssl.shtml.
•
CSCin07365
A router may reload when you enter the show queueing interface privileged EXEC command.
This issue occurs on a router that is functioning as a Layer 2 Tunneling Protocol (L2TP) access concentrator (LAC) when there is a lot of downstream data traffic from an L2TP network server (LNS) using the LAC to a client and when Cisco Express Forwarding (CEF), fast switching, or process switching is enabled.
There are no known workarounds.
•
CSCin40163
An Asynchronous Transfer Mode (ATM) interface may remain administratively down.
This issue occurs when the command-line interface (CLI) does not function. This issue is platform independent.
There are no known workarounds.
Open Caveats—Cisco IOS Release 12.1(20)E6
This section documents possible unexpected behavior by Cisco IOS Release 12.1(20)E6 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(20)E6.
Resolved Caveats—Cisco IOS Release 12.1(20)E6
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(20)E6. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCef44225
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messages
Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at
http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en
•
CSCef44699
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messages
Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at
http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en
•
CSCef60659
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messages
Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at
http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en
•
CSCsa59600
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messages
Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at
http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en
Open Caveats—Cisco IOS Release 12.1(20)E5
This section documents possible unexpected behavior by Cisco IOS Release 12.1(20)E5 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(20)E5.
Resolved Caveats—Cisco IOS Release 12.1(20)E5
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(20)E5. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdv04959
Time To Live (TTL) is not decreased when switching packets coming from a Generic Routing Encapsulation (GRE) tunnel.
There are no known workarounds.
•
CSCdv14267
The cikeFailTable and cipSecFailTable are not populated.
There are no known workarounds.
•
CSCdv49923
The Inverse Address Resolution Protocol (INARP) fails to map the Internet Protocol (IP) address of the peer device when the devices are connected over Asynchronous Transfer Mode (ATM) permanent virtual circuit (PVC) bundle bumping.
The defect manifests when the member PVC of the bundle, which is responsible for carrying the INARP traffic (PVC configured to carry packets with IP precedence 6) goes down, and the traffic of that particular PVC is bumped to another member PVC of the bundle correctly.
Workaround: Issue shutdown and no shutdown on the interface.
Alternative workaround: Map the PVC bundle to the peer IP address statically. To completely address this problem, both this fix and the fix for CSCin31097 are needed.
•
CSCec64333
Polling the IPsec MIBs (ciscoIPsecMIB, ciscoIpSecFlowMonitorMIB, and ciscoIpSecPolMapMIB) through the Simple Network Management Protocol (SNMP) may result in memory being held indefinitely by the device.
This issue occurs on Cisco 7200 VXR series routers running cryptographic versions of IOS. In particular, the issue has been noted on Cisco IOS Releases 12.3(1a) and 12.1(11b)E.
Workaround: Minimize the use of these MIBs.
•
CSCed78149
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messages
Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at
http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en.
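The following Python sketch is an added example, not Cisco code and not a description of the Cisco fix. It applies to the ICMP caveats in these release notes (CSCef44225, CSCef44699, CSCef60659, CSCsa59600, CSCed78149): it sorts an incoming ICMP error into the three classes listed above and applies the TCP sequence-number check discussed in "ICMP Attacks Against TCP" (published as RFC 5927), accepting the error only if the quoted segment is still in flight. The connection values and the sample packets are constructed.

```python
import socket
import struct
from dataclasses import dataclass

# The three message classes from the advisory, keyed by ICMP (type, code).
# RFC 1122 also treats type 3 code 4 as a hard error; it is kept separate here
# because stacks that implement PMTUD handle it as an MTU signal instead.
CLASSES = {
    (3, 2): "hard-error",     # destination unreachable: protocol unreachable
    (3, 3): "hard-error",     # destination unreachable: port unreachable
    (3, 4): "pmtud",          # fragmentation needed and DF set
    (4, 0): "source-quench",
}


@dataclass
class TcpConn:
    """Send-side state of a TCP session that terminates on this device."""
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    snd_una: int  # oldest unacknowledged sequence number
    snd_nxt: int  # next sequence number to be sent


def parse_icmp_error(msg: bytes) -> dict:
    """Parse an ICMP error (from the ICMP header on) and the packet it quotes."""
    if len(msg) < 8 + 20 + 8:
        raise ValueError("shorter than ICMP header + IPv4 header + 8 TCP bytes")
    icmp_type, icmp_code, _cksum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    inner = msg[8:]
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        raise ValueError("malformed embedded IPv4 header")
    if inner[9] != socket.IPPROTO_TCP:
        raise ValueError("embedded packet is not TCP")
    sport, dport, seq = struct.unpack("!HHI", inner[ihl:ihl + 8])
    return {
        "type": icmp_type, "code": icmp_code,
        "mtu": mtu,  # next-hop MTU, meaningful only for type 3 code 4
        "src_ip": socket.inet_ntoa(inner[12:16]), "src_port": sport,
        "dst_ip": socket.inet_ntoa(inner[16:20]), "dst_port": dport,
        "seq": seq,
    }


def seq_in_flight(seq: int, snd_una: int, snd_nxt: int) -> bool:
    """SND.UNA <= seq < SND.NXT, evaluated modulo 2**32 so wraparound works."""
    return ((seq - snd_una) & 0xFFFFFFFF) < ((snd_nxt - snd_una) & 0xFFFFFFFF)


def assess(msg: bytes, conn: TcpConn) -> tuple:
    """Return (class, verdict) for one ICMP message against one connection."""
    err = parse_icmp_error(msg)
    cls = CLASSES.get((err["type"], err["code"]))
    if cls is None:
        return (None, "not-in-scope")
    # The quoted packet is one this device sent: its source is the local end.
    quoted = (err["src_ip"], err["src_port"], err["dst_ip"], err["dst_port"])
    ours = (conn.local_ip, conn.local_port, conn.remote_ip, conn.remote_port)
    if quoted != ours:
        return (cls, "no-matching-connection")
    if not seq_in_flight(err["seq"], conn.snd_una, conn.snd_nxt):
        return (cls, "stale-or-forged")
    return (cls, "plausible")


# Constructed connection state and packets (documentation address ranges).
SAMPLE_CONN = TcpConn("192.0.2.1", 50000, "198.51.100.7", 23,
                      snd_una=1000, snd_nxt=5000)


def build_sample(icmp_type: int, icmp_code: int, seq: int, mtu: int = 0) -> bytes:
    """Build a constructed ICMP error quoting a segment of SAMPLE_CONN.

    Checksums are left as zero because this example does not verify them.
    """
    tcp8 = struct.pack("!HHI", 50000, 23, seq)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     socket.inet_aton("192.0.2.1"),
                     socket.inet_aton("198.51.100.7"))
    icmp = struct.pack("!BBHHH", icmp_type, icmp_code, 0, 0, mtu)
    return icmp + ip + tcp8


if __name__ == "__main__":
    for args in [(3, 3, 2000), (3, 3, 900000), (3, 4, 1000, 576), (4, 0, 5000)]:
        print(args, assess(build_sample(*args), SAMPLE_CONN))
```
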
•
CSCee56269
The ifOperStatus object does not support the lowerLayerDown value defined in RFC 2863.
This issue may occur because the lowerLayerDown value is not supported in Asynchronous Transfer Mode (ATM) interfaces.
Workaround: Traverse the ifStackTable to find out if the lower layer is down. Note, however, that this process is very tedious.
•
CSCee69057
A Cisco 7200 VXR series router may become unresponsive.
This issue occurs on a Cisco 7200 VXR series router that has a PA-MC-8TE1 and is configured for IPSec encryption, either using tunnel protection or a crypto map.
Workaround: Disable IPSec encryption.
•
CSCee91044
Simple Network Management Protocol (SNMP) traps are sent for every Internet Key Exchange (IKE) timeout/rekey but not for the IPSec timeout/rekey. This behavior overwhelms the customer's network operations center (NOC) with false alerts that an IKE tunnel is down. What actually happens is that the IKE tunnel is torn down, but immediately rebuilt.
There are no known workarounds.
•
CSCef19264
When IPSec is using hardware crypto engine accelerators, the Time To Live (TTL) in the IP header is not correctly decremented prior to IPSec encapsulation. This behavior can cause excessive traffic load in a network with routing loops.
Workaround: Eliminate the routing loop in the network.
•
CSCef46191
A specifically crafted Transmission Control Protocol (TCP) connection to a telnet or reverse telnet port of a Cisco device running Internetwork Operating System (IOS) may block further telnet, reverse telnet, Remote Shell (RSH), Secure Shell (SSH), and in some cases Hypertext Transfer Protocol (HTTP) access to the Cisco device. Telnet, reverse telnet, RSH and SSH sessions established prior to exploitation are not affected.
All other device services will operate normally. Services such as packet forwarding, routing protocols and all other communication to and through the device are not affected.
Cisco will make free software available to address this vulnerability.
Workarounds, identified below, are available that protect against this vulnerability.
The Advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040827-telnet.shtml
•
CSCef75551
A Cisco 7200 series router that is configured for IP security (IPSec) and the Tunnel End-Point Discovery (TED) feature may crash because of a watchdog timeout.
This issue occurs when the Cisco 7200 series router functions as an Internet Key Exchange (IKE) responder under stress.
Workaround: Disable the TED feature. If disabling this feature is not an option, there are no known workarounds.
•
CSCin78324
A Cisco 7200 VXR series router may hang.
This issue occurs on a Cisco 7200 VXR series router that has a PA-MC-8TE1 and is configured for IPSec encryption, either using tunnel protection or a crypto map.
Workaround: Disable IPSec encryption.
•
CSCin78325
A serial interface of a PA-MC-8TE1+ continues to process packets even after the interface is placed in the "ADMINDOWN" state. The counters in the output of the show interfaces serial command may continue to increment even if the serial interface is shut down.
This issue occurs on a serial interface of a PA-MC-8TE1+ when there is a channel-group configuration for the interface.
Workaround: Remove the channel-group configuration for the interface.
Open Caveats—Cisco IOS Release 12.1(20)E4
This section documents possible unexpected behavior by Cisco IOS Release 12.1(20)E4 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(20)E4.
Resolved Caveats—Cisco IOS Release 12.1(20)E4
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(20)E4. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdx74855
You cannot ping the IP address of the local Generic Routing Encapsulation (GRE) tunnel interface on a router when the interface is showing UP/UP.
There are no known workarounds.
•
CSCdz35342
A router may reload because of a watchdog timeout if the no dialer pool-member interface configuration command is entered on the D channel of the router.
This issue occurs when the command is entered on the D channel and there is more than one link that is bound to the dialer profile with Multilink PPP (MLP).
Workaround: Shut down the dialer interfaces and physical interfaces that are relevant to the dialer pool. After the interfaces are completely down, enter the no dialer pool-member interface configuration command.
•
CSCec58486
A Cisco 7200 series router may unexpectedly reload.
The problem occurs when the router attempts to correct a single bit error in memory (DRAM parity). The issues are similar to CSCdu00306, however CSCdu00306 may not correct every situation where this may occur.
This issue is specific to NPE400.
There are no known workarounds.
•
CSCed29599
An output authentication error occurs in the crypto hardware.
This issue occurs when running multiple failover tests over a long period of time. Very few authentication errors are noticed on the crypto hardware statistics.
There are no known workarounds.
•
CSCed36440
Invalid AVL messages may be generated over a period of time.
This issue occurs on a Cisco 7200 series router that is configured with 2000 IPSec tunnels when a High Availability (HA) switchover occurs once every hour.
There are no known workarounds.
•
CSCed55288
A Cisco 7200 series router running the VPN Acceleration Module (VAM) may report spurious memory access.
This issue occurs under rare circumstances with VAM and VAM2.
There are no known workarounds.
•
CSCed57103
A Cisco 7200 series router running the VPN Acceleration Module (VAM) may underutilize the resources for processing Internet Key Exchange (IKE) commands.
There are no known workarounds.
•
CSCed59370
When an Open Shortest Path First (OSPF) external route has a forwarding address, which is known in the routing table to have next hop a.b.c.d, the next hop address does not get updated in the type 5 link-state advertisement (LSA) when the forwarding address gets a more specific entry in the routing table with a different next hop address.
Workaround: Enter the clear ip route x.x.x.x command where x.x.x.x is the external OSPF route.
Alternative workaround: Enter the clear ip ospf redistribution command on the originating Autonomous System Border Router (ASBR).
•
CSCed69312
IPSec accelerators leak I/O memory buffers when they are shut down.
This issue occurs with the VPN Acceleration Module (VAM), VAM2 and AIM-EPII cards. This issue is not seen with the integrated services adapter (ISA).
There are no known workarounds.
•
CSCed95499
A Cisco router may unexpectedly reload if a port adapter driver attempts to convert an uncached iomem address to a cached iomem address.
This issue occurs on a Cisco 200 NPE-G1 series router.
There are no known workarounds.
•
CSCee04949
Resetting a VPN Acceleration Module (VAM)/AIM-EPII module may block all the interrupts.
This issue is triggered when the router is extremely low on I/O memory and the crypto accelerator is reset.
Workaround: Reload the router and monitor memory usage.
•
CSCee36622
Area Border Routers (ABRs) may continue to generate summary link-state advertisements (LSAs) for obsolete non-backbone intra-area route(s).
This issue occurs under the following conditions:
1. The ABR (called ABR X) has at least one non-backbone area (called area X) in common with one or more additional ABRs.
2. The ABRs are generating summary LSAs, on behalf of the Area X's two or more intra-area routes, into the backbone area and other areas. The two intra-area routes must be advertised as stub links from two different routers; that is, one from ABR X, and the other from another router belonging to Area X.
3. The summary LSA IDs for the intra-area routes above, when ORed with the host bits of the corresponding masks, yield identical LSA IDs.
For example: 10.10.10.128/25 and 10.10.10.0/24 yield identical LSA IDs when the network address is logically ORed with the host bits:
10.10.10.128 | 0.0.0.127 = 10.10.10.255
10.10.10.0 | 0.0.0.255 = 10.10.10.255
Workaround: Perform the clear ip ospf proc command on all ABRs containing the obsolete LSAs.
•
CSCee47151
When you enter the shutdown command followed by the no shutdown command on an Asynchronous Transfer Mode (ATM) interface, the source address on the access control list (ACL) between the routers may change unexpectedly, causing IPSec to fail.
The following is an example of an unexpected change in the source address on the ACL:
ip access-list extended acl1
permit ip any host a.b.c.d
permit ip any w.x.y.z 0.0.0.63 <--- this statement
is changed to
ip access-list extended acl1
permit ip any host a.b.c.d
permit ip host 0.0.0.0 w.x.y.z 0.0.0.63 <--- this statement
This issue occurs on a Cisco 7206VXR router that is running Cisco IOS Release 12.1(19)E3, but may also occur in other releases such as Cisco IOS Releases 12.3 and 12.3 T.
Workaround: Manually change the ACL statement back to original configuration.
•
CSCee62180
On a Cisco IOS router running IP Security (IPSec) encryption, if the crypto access-list is defined in such a way that it has explicit deny statements for networks that do not need to be encrypted and a permit ip any at the end to encrypt all other traffic, then the deny statements may be ignored. The result is that traffic that is not intended to be protected by IPSec may get encrypted and later dropped on the receiving router since it expects the same flow to be in clear.
Workaround: Use explicit permit statements in the crypto access control list (ACL) to only define networks that need to be encrypted.
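The following Python audit is an added example, not Cisco code. It finds ACLs referenced by a crypto map that combine deny entries with a final catch-all permit, the pattern described in CSCee62180, so they can be rewritten with explicit permit statements. The sample configuration, ACL names and addresses are constructed, and `permit ip any any` is assumed to be the catch-all entry the caveat refers to.

```python
import re

# Constructed sample configuration (names and addresses are illustrative).
SAMPLE_CONFIG = """\
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 match address 101
crypto map VPN 20 ipsec-isakmp
 set peer 203.0.113.2
 match address BRANCH
!
access-list 101 deny ip 10.1.0.0 0.0.255.255 10.9.0.0 0.0.255.255
access-list 101 permit ip any any
!
ip access-list extended BRANCH
 permit ip 10.1.0.0 0.0.255.255 10.20.0.0 0.0.255.255
!
ip access-list extended MGMT
 deny ip any host 10.0.0.1
 permit ip any any
"""

CATCH_ALL = ("permit", "ip any any")


def parse_acls(config: str) -> dict:
    """Return {acl_name: [(action, match_text), ...]} for numbered and named ACLs."""
    acls, current = {}, None
    for line in config.splitlines():
        numbered = re.match(r"access-list (\d+) (permit|deny)\s+(.+)", line)
        named = re.match(r"ip access-list extended (\S+)", line)
        entry = re.match(r"\s+(?:\d+\s+)?(permit|deny)\s+(.+)", line)
        if numbered:
            name, action, rest = numbered.groups()
            acls.setdefault(name, []).append((action, " ".join(rest.split())))
            current = None
        elif named:
            current = named.group(1)
            acls.setdefault(current, [])
        elif entry and current:
            acls[current].append((entry.group(1), " ".join(entry.group(2).split())))
        elif not line.startswith(" "):
            current = None  # any other top-level line ends the named ACL block
    return acls


def crypto_acl_names(config: str) -> set:
    """Names of ACLs referenced by 'match address' inside crypto map entries."""
    names, in_map = set(), False
    for line in config.splitlines():
        if re.match(r"crypto map \S+ \d+ ", line):
            in_map = True
        elif not line.startswith(" "):
            in_map = False
        elif in_map:
            m = re.match(r"\s+match address (\S+)", line)
            if m:
                names.add(m.group(1))
    return names


def audit(config: str) -> list:
    """Crypto ACLs that combine deny entries with a trailing 'permit ip any any'."""
    acls = parse_acls(config)
    flagged = []
    for name in sorted(crypto_acl_names(config)):
        entries = acls.get(name, [])
        has_deny = any(action == "deny" for action, _ in entries)
        if has_deny and entries and entries[-1] == CATCH_ALL:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for name in audit(SAMPLE_CONFIG):
        print(f"crypto ACL {name}: deny entries followed by a catch-all permit")
```

ACL MGMT has the same shape but is not flagged, because no crypto map references it.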
•
CSCee64286
The Service Adapter-VPN Acceleration Module (SA-VAM) gets stuck if the IOS and VPN Acceleration Module (VAM) get out of sync with the message "rx_intr:*error* PA still owns free pool buffer {0xA,0xy,0xz,0xw}".
Workaround: Reload the crypto engine using the no cry engine accel and crypto engine accel commands. In the case of E-train images, use the crypto card shut and crypto card enable commands to reset the VAM module.
•
CSCee66319
A router running IPSec may reload due to a bus error.
This issue only occurs using hardware encryption.
There are no known workarounds.
•
CSCee71113
A router running IPSec prefragmentation may reload due to a bus error.
This issue occurs only with prefragmentation under special circumstances.
Workaround: Disable prefragmentation by entering the crypto ipsec fragmentation after-encryption global configuration command.
•
CSCee84496
When the NPEG1 receives an Expanded Call Context (ECC) bus error, it displays an erroneous parity error message.
There are no known workarounds.
•
CSCin76829
A Cisco 7200 VXR series router with a VPN Acceleration Module (VAM) Encryption/Compression engine port adapter may stop forwarding traffic and display the following error:
%SYS-2-BADSHARE: Bad refcount in retparticle, ptr=0, count=0
-Traceback= 605BEBE0 616335E0 60F827D8 60154C08 604892B4 6048B39C 6048D3D0
This issue occurs on a Cisco 7200 VXR series router running Cisco IOS Release 12.1(20)E.
There are no known workarounds.
Open Caveats—Cisco IOS Release 12.1(20)E3
This section documents possible unexpected behavior by Cisco IOS Release 12.1(20)E3 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(20)E3.
Resolved Caveats—Cisco IOS Release 12.1(20)E3
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(20)E3. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdt38138
A Cisco 7200 series router running Cisco IOS Release 12.1(22)E and configured for IPSec may reboot with a bus error.
There are no known workarounds.
•
CSCdt51547
With certain Asynchronous Transfer Mode (ATM) subinterfaces, the ip verify unicast reverse-path interface configuration command may incorrectly drop a fraction of incoming traffic.
There are no known workarounds.
•
CSCdx19396
Addresses that are used for overloading may be used as one-to-one translations.
This issue occurs when a combination of static and dynamic Port Address Translation (PAT) are used. The addresses that are used for overloading may be used as one-to-one translations because for Domain Name System (DNS) packets, the addresses are translated inside the payload. This issue may cause dynamic translations to fail.
Workaround: Ensure the ip nat pool inside_pool contains more than one IP address.
•
CSCdx82485
Under rare circumstances, a router that is configured with Protocol-Independent Multicast (PIM) may pause indefinitely.
This issue occurs when an interface that has PIM enabled is shut down. This issue may also occur when other configuration operations are performed on a PIM-enabled interface. This symptom affects only port adapters, such as the 8-port 10BASE-T Ethernet port adapter (PA-8E) and the 8-port 10BASE-T Ethernet port adapter (PA-4E), that are using a particular third-party vendor chip.
Workaround: Use a different Ethernet card, or avoid using PIM.
•
CSCdv04268
The no logging snmp-authfail command, entered in config terminal mode, is introduced to suppress the following error message:
logging of %SNMP-3-AUTHFAIL.
To turn the error message back ON, enter the logging snmp-authfail command.
Note that the default setting is OFF, rate-limited (refer to CSCdw57847), and that the configuration can be saved in NVRAM with the write mem command.
Example:
Router(config)#no logging snmp-authfail
Logging of %SNMP-3-AUTHFAIL is disabled
Router(config)#logging snmp-authfail
Logging of %SNMP-3-AUTHFAIL is enabled
•
CSCdz32659
Many memory allocation failure (MALLOCFAIL) messages may occur for a Cisco Discovery Protocol (CDP) process:
%SYS-2-MALLOCFAIL: Memory allocation of -1732547824 bytes failed from x605111F0, pool Processor, alignment 0
-Process= "CDP Protocol", ipl= 0, pid= 42
-Traceback= 602D5DF4 602D78A0 605111F8 60511078 6050EC88 6050E684 602D0E2C 602D0E18
The issue occurs on a Cisco 7513 router that runs Cisco IOS Release 12.0(17)ST. The issue may also occur on other Cisco 7500 series routers that run Cisco IOS Release 12.0 S, 12.2 S, 12.3, or 12.3 T.
Workaround: To prevent these failures, disable CDP by entering the no cdp run global configuration command.
•
CSCdz63050
Outdrops may occur on a native Gigabit Ethernet interface of a Network Processing Engine G1 (NPE-G1), and the bad length counter in the output of the show controllers gigabitethernet privileged EXEC command may increase.
This situation may prevent a customer premises equipment (CPE) from using File Transfer Protocol (FTP) and Hypertext Transfer Protocol (HTTP) communication when the CPE is connected to the Internet using a Layer 2 Tunneling Protocol (L2TP) access concentrator (LAC) and a L2TP network server (LNS).
This issue occurs on a Cisco 7200 series router that is configured with an NPE-G1, is functioning as an LNS, and has Cisco Express Forwarding (CEF) enabled.
Workaround: Enter the no ip cef global configuration command.
•
CSCdz84583
A vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences beyond terminated connection which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer) and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality.
All Cisco products which contain TCP stack are susceptible to this vulnerability.
This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS® software.
A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.
•
CSCea01082
Packets are counted as process-switched even though they are fast-switched when a service-policy is attached to a serial interface according to the show interface stat output.
This issue is only a counter issue; the configured quality of service (QoS) feature works correctly.
There are no known workarounds.
•
CSCea44460
CSCdz88480 identified that the JMIX performance was lower when the ATM-PA was placed in the even slot. This could be due to the extra PCI bridge latency.
This caveat investigates ways of improving performance when Asynchronous Transfer Mode (ATM) is in the even slot.
There are no known workarounds.
•
CSCea54116
Alignment errors and traceback appear when creating an Internet Key Exchange (IKE) security association with a Rivest, Shamir, & Adleman (RSA) signature.
There are no known workarounds.
•
CSCea57826
Incoming packets may become stuck indefinitely on the native Gigabit Ethernet interfaces of a Network Processing Engine G1 (NPE-G1) that is installed in a Cisco 7200 series router.
This issue occurs under a full traffic load and only on a Cisco 7200 series router that is configured with an NPE-G1.
Workaround: Issue the shutdown command followed by a no shutdown command on the affected NPE-G1 Gigabit Ethernet interface.
•
CSCea63499
A Cisco 7200 series router may reload unexpectedly when it attempts to translate virtual address 0x3C0C00C0 to a physical address.
This rare issue occurs on a Cisco 7200 series router that is configured with a C7200-I/O-FE I/O controller in slot 0. The symptom is related to an error in the Fast Ethernet controller on the I/O controller.
There are no known workarounds.
•
CSCeb04048
An Open Shortest Path First (OSPF) interface is reported to be in the "down" state while the interface and the line protocol are reported in the "up" state. This situation causes missing OSPF neighbor adjacencies on the OSPF interface that is in the "down" state.
This issue occurs when there are a large number of active interfaces and one of the following events has occurred:
–
You have upgraded a Cisco IOS image on a Route Processor (RP).
–
You have reloaded an RP.
–
You have reloaded microcode onto a line card.
–
You have reloaded microcode onto an RP.
–
You have reloaded microcode onto both a line card and an RP.
Workaround: Use one of the following methods to recover the OSPF interface:
–
Enter the clear ip ospf process privileged EXEC command.
–
Enter the clear ip route network [mask] EXEC command, in which the network [mask] argument is the IP address of the OSPF interface that is in the "down" state.
–
Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the OSPF interface that is in the "down" state.
•
CSCeb04441
When an Asynchronous Transfer Mode (ATM) link flaps or a remote ATM platform reloads, a Fast Etherchannel may fail and Enhanced Interior Gateway Routing Protocol (EIGRP) neighbors that are connected using the Fast Etherchannel may be lost.
This issue occurs on a Cisco 7500 series router that is running Cisco IOS Release 12.0(21)S5.
There are no known workarounds.
•
CSCeb13472
A basic ping fails on the port channel interface.
This issue occurs on a Cisco 7200 series router that is running Cisco IOS Release 12.2(15)T3.
There are no known workarounds.
•
CSCeb45929
An Enterprise Systems Connection (ESCON) Channel Port Adapter (ECPA), Parallel Channel Port Adapter (PCPA), or ECPA version 4 (ECPA4) fails to reactivate after a microcode reload or an online insertion and removal (OIR) and displays the following messages:
Router# microcode reload ecpa4 slot 4
Reload microcode? [confirm]
%PA-4-IMPROPER_REMOVAL: Improper removal for slot 2.
%PA-3-DEACTIVATED: port adapter in bay [2] powered off.
This issue occurs on a Cisco 7200 series router that has an ECPA, PCPA, or ECPA4 configured.
Workaround: Reload the router.
•
CSCeb50740
A Cisco 7513 router running Cisco IOS Release 12.2(14)S and multicast VPN experiences a memory leak of 20-30Mb per day in the Protocol-Independent Multicast (PIM) process.
Workaround: Use another method to determine the rendezvous point (RP) for a VPN routing and forwarding instance (VRF) or do not configure a Bootstrap Router (BSR) or Route Processor as an RP, but instead configure a customer edge (CE) router to function as the RP.
•
CSCeb52270
An interface of a Cisco router may not be able to receive traffic that is destined for an address that is configured on the router.
This issue is platform independent and occurs only when there is a route in a different VPN routing and forwarding instance (VRF) that is attached or connected to the interface. This may occur when the route has been exported from one VRF to another, or when a static route in a VRF points to the interface.
Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the affected interface.
•
CSCeb60620
A Cisco route switch processor (RSP) that is configured as a bridge may not pass bridged traffic, regardless of the protocols that are configured on Ethernet interfaces. This situation can lead to a loss of connectivity.
There are no known workarounds.
•
CSCeb85090
A router may reload unexpectedly while performing a shut/no shut on an interface.
This issue occurs when the processor is an NPE-G1 and the interface being administered has VLAN subinterfaces configured.
There are no known workarounds.
•
CSCec06341
A Cisco router may reload unexpectedly because of memory corruption with a corrupted redzone without any intervention.
This issue occurs on a Cisco router when multicast traffic is protected by an IP Security (IPSec) Generic Routing Encapsulation (GRE) tunnel.
There are no known workarounds.
•
CSCec22929
A software-forced reload may occur on a Cisco 7200 series router after an online insertion and removal (OIR) of a PA-2T3+ port adapter.
This issue occurs when traffic enters through the interface of the port adapter.
Workaround: Shut down the interface of the port adapter before you perform an OIR.
•
CSCec22970
When the negotiation auto command is enabled, the Gigabit Ethernet port link is up and down between the Cisco 7301 router and the network processing engine-G1 (NPE-G1).
This issue occurs on a Cisco 7301 router, but is platform independent.
Workaround: Enter the no negotiation auto command on the interface of each router.
•
CSCec24876
Multicast boundary does not take effect in the following scenario:
–
The mroute already exists with an IIF (iif1) on which there is no boundary, and the OIF is different from Null.
–
The iif1 fails, and the IIF changes to an interface (iif2) where a multicast boundary denying the group of interest is applied.
–
The OIF never becomes Null, which it should because the IIF has a multicast boundary.
Note that multicast boundary works for other scenarios.
There are no known workarounds.
•
CSCec27821
A Network Processing Engine (NPE-G1 or NPE-G100) may forward unicast IP packets that have a Layer 2 multicast MAC address.
This issue occurs on an NPE-G1 that is installed in a Cisco 7200 series router or an NPE-G100 installed in a Cisco 7304 router.
Workaround: Create an access control list (ACL) to filter the packets.
Alternate Workaround: Configure a static multicast MAC address mapping to the ports of the connected Layer 2 switch.
•
CSCec40377
A multicast router may stop sending Protocol Independent Multicast (PIM) join messages.
This issue occurs on a Cisco router that is configured for multicast routing when buffer allocation failures occur and I/O memory is low.
Workaround: Disable and re-enable multicast routing.
•
CSCec48816
A router may reload unexpectedly when you remove network commands. This reload may occur in the window when a network command that covers an interface running Open Shortest Path First (OSPF) is removed and there are outstanding packets from this interface in the OSPF queue.
This issue occurs on a Cisco router that has the router ospf global configuration command enabled.
There are no known workarounds.
•
CSCec54341
Over a period of time, the value of "allocated address" becomes larger than the value of "dynamic active translations" in the show ip nat statistics output and eventually reaches 100%. When the dynamic Network Address Translation (NAT) pool allocation reaches 100, no new user translations are allowed.
This issue occurs when you configure a static NAT entry with an IP address that overlaps the range of the address pool.
Workaround: Do not configure a static NAT entry with an IP address that is part of a dynamic pool.
Alternative Workaround: Deny the specific IP addresses configured for static NAT from the NAT access control list used for the dynamic address pool.
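A configuration audit for the overlap condition described in CSCec54341, as an added example that is not part of the Cisco release notes: it parses ip nat pool and ip nat inside source static lines and reports every static global address that falls inside a dynamic pool range. The sample configuration, the pool names, and the function names are constructed for illustration; static network mappings and outside-source statics are out of scope.

```python
import ipaddress

# Constructed sample configuration (illustrative, not taken from the release notes).
SAMPLE_CONFIG = """\
ip nat pool USERS 192.0.2.10 192.0.2.50 netmask 255.255.255.0
ip nat pool GUESTS 198.51.100.1 198.51.100.14 prefix-length 28
ip nat inside source list 10 pool USERS
ip nat inside source static 10.1.1.5 192.0.2.20
ip nat inside source static 10.1.1.6 192.0.2.200
ip nat inside source static tcp 10.1.1.7 80 198.51.100.3 8080
"""


def parse_pools(config_text):
    """Return {pool_name: (first_address, last_address)} for each 'ip nat pool' line."""
    pools = {}
    for line in config_text.splitlines():
        tok = line.split()
        if tok[:3] != ["ip", "nat", "pool"] or len(tok) < 6:
            continue
        try:
            start = ipaddress.IPv4Address(tok[4])
            end = ipaddress.IPv4Address(tok[5])
        except ValueError:
            continue  # not a start/end address pair; skip rather than guess
        if start <= end:
            pools[tok[3]] = (start, end)
    return pools


def parse_static_globals(config_text):
    """Return [(global_address, original_line)] for inside-source static entries."""
    statics = []
    prefix = ["ip", "nat", "inside", "source", "static"]
    for line in config_text.splitlines():
        tok = line.split()
        if tok[:5] != prefix:
            continue
        rest = tok[5:]
        if not rest or rest[0] == "network":
            continue  # network-to-network statics are not handled here
        if rest[0] in ("tcp", "udp"):
            # static {tcp|udp} local-ip local-port global-ip global-port
            if len(rest) < 5:
                continue
            candidate = rest[3]
        else:
            # static local-ip global-ip
            if len(rest) < 2:
                continue
            candidate = rest[1]
        try:
            statics.append((ipaddress.IPv4Address(candidate), line.strip()))
        except ValueError:
            continue  # e.g. 'interface ...' form with no literal global address
    return statics


def find_static_pool_overlaps(config_text):
    """Return [(global_address, pool_name, line)] for statics inside a dynamic pool."""
    pools = parse_pools(config_text)
    findings = []
    for address, line in parse_static_globals(config_text):
        for name, (start, end) in pools.items():
            if start <= address <= end:
                findings.append((address, name, line))
    return findings


if __name__ == "__main__":
    for address, pool, line in find_static_pool_overlaps(SAMPLE_CONFIG):
        print(f"static global {address} overlaps pool {pool}: {line}")
```

Each finding is a candidate for either workaround above: move the static entry outside the pool range, or deny that address in the access control list used for the dynamic pool.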
•
CSCec57190
Output drops may occur and increase on interfaces that have Weighted Fair Queuing (WFQ) enabled by default.
This issue occurs on a Cisco 7200 series router that is configured with a Network Service Engine 1 (NSE-1) and a Cisco 7401 router that has Parallel Express Forwarding (PXF) enabled and that is using a default hold-queue size.
Workaround: Configure an output hold-queue size on the interface using the hold-queue length out interface configuration command.
Alternate Workaround One: Disable PXF by entering the no ip pxf global configuration command.
Alternate Workaround Two: Disable WFQ by entering the no fair-queue interface configuration command.
•
CSCec63241
If an IPSec card is inserted into the system, a small amount of memory leaks.
There are no known workarounds.
•
CSCec69601
The DS1 MIB is not accessible for T1 controllers.
There are no known workarounds.
•
CSCec70366
When the multicast route (mroute) expiration timer is set to a nondefault holdtime value, a router may reload unexpectedly because of a watchdog timeout.
This issue occurs on a Cisco router when a nondefault holdtime value is received through a Protocol Independent Multicast (PIM) join message in combination with a bursty source. This situation may cause the mroute expiration timer to enter an infinite loop.
Because the holdtime value is not user configurable on a Cisco router, this situation is caused by a PIM connection with a non-Cisco router or by the modification of the Internet Group Management Protocol (IGMP) query interval on an interface.
Workaround: Ensure that no nondefault holdtime value can be configured for PIM or IGMP.
•
CSCec72762
The ingress IP traffic on a Cisco 7206 VXR Asynchronous Transfer Mode (ATM) interface is being process switched with Cisco Express Forwarding (CEF) enabled. Ping drops occur on the permanent virtual circuit (PVC), which has not been used at all, and the RP Drops and SPD Fast Flushes are incrementing (because the IP has been process switched).
This issue occurs on a Cisco 7206VXR running Cisco IOS Release 12.1(19)E1 with two Packet-over-SONET (POS) interfaces (OC3, 1 per PCI bus) and an ATM interface (PA-A3-OC3-SMI), around 700 subinterfaces/PVCs (of which a great majority have VPN routing and forwarding instances (VRFs) configured, and some of which are bridged ATM PVCs (VRF on BVI)).
Workaround: Increase the ingress hold-queue on the ATM interface.
•
CSCec78347
A spurious memory access message appears when Border Gateway Protocol (BGP) peer groups are configured on the router.
There are no known workarounds.
•
CSCec85977
A Cisco 7200 series router running the VPN Acceleration Module (VAM) generates error 0x4.
This issue occurs when the router is configured for a large number of tunnels and has memory fragmentation or low memory conditions.
Workaround: Reset the crypto card, but be aware that this action will tear down all the existing tunnels.
•
CSCed09248
A Cisco 7200 series router that is running IPSec may crash with tracebacks pointing to a managed timer.
This issue occurs when a large number of IPSec tunnels are rekeyed at the same time.
There are no known workarounds. However, increasing the IPSec security association (SA) lifetime may help reduce the stress on the router and therefore avoid the race condition.
•
CSCed11793
The output queue of a Gigabit Ethernet port may become stuck, preventing traffic from leaving the interface.
This issue occurs on the Gigabit Ethernet port 0/1 (gig0/1) of a Network Processing Engine G1 (NPE-G1) that is installed in a Cisco 7200 series router.
Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the affected interface.
Alternate workaround: Reload the router.
•
CSCed13018
Native Gigabit Ethernet interface throttling is always bypassed.
This issue occurs because the newer version of BCM chips bypasses throttling, whereas for older revisions, it is needed.
There are no known workarounds.
•
CSCed15310
A router crashes due to an L3 cache parity error.
This issue occurs on Cisco 7200 NPEs and NSE-1s and Cisco 7400 routers.
There are no known workarounds.
•
CSCed18933
During VPN Acceleration Module (VAM) card initialization, the VAM card may fail to come up because of a POST Failure. These failures have occurred on well-functioning hardware.
This issue occurs only occasionally during VAM card initialization: because the RNG test is statistical in nature, it can fail by chance.
Workaround: Use the microcode reload vam command to re-attempt initialization.
•
CSCed27956
A vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences beyond terminated connection which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer) and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality.
All Cisco products which contain a TCP stack are susceptible to this vulnerability.
This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS® software.
A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.
•
CSCed29514
The Cisco 7200 NPE-G1 built-in Gigabit Ethernet (GE) (SBeth) MAC filter accepts NULL destination addresses (DAs) (00-00-00-00-00-00). This unintentional behavior may pose a denial of service security risk in customer environments if their networks are flooded with NULL DAs. This issue appears to be a Broadcom silicon or documentation erratum. The Broadcom documentation states that NULL DAs may be used for unused MAC Filter entries, implying that they are not accepted.
There are no known workarounds.
•
CSCed35253
A router may reload unexpectedly after it attempts to access a low memory address.
This issue occurs after access control lists (ACLs) have been updated dynamically or after the router has responded dynamically to an intrusion detection system (IDS) signature.
Workaround: Disable IP Inspect and IDS.
•
CSCed38527
A vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences beyond terminated connection which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer) and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality.
All Cisco products which contain a TCP stack are susceptible to this vulnerability.
This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS® software.
A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.
•
CSCed39367
A Cisco router may reload if the crypto card shutdown/enable slot command is issued with online traffic.
This issue occurs on a Cisco 7200 series router with a VPN Accelerator Module (VAM).
Workaround: Shut down the input interface before issuing the crypto card shutdown/enable slot command.
•
CSCed47133
A Cisco 7200 series router with a VPN Acceleration Module (VAM) reports DH counter stuck in the output of the show crypto eli command.
This issue occurs under the following conditions:
- Large number of tunnels are all trying to rekey at same time.
- Large number of buffer failures.
- Large number of Internet Key Exchange (IKE) negotiation failures due to mismatch in IKE/IPSec policies, access control list (ACL), and so on.
Workaround: Restart the crypto engine by issuing the crypto card shut slot command followed by the crypto card enable slot command.
•
CSCed47996
Cisco IOS software running IPSec with the Tunnel End-point Discovery (TED) feature can have spurious memory access tracebacks.
This issue occurs under the following conditions:
–
TED is configured.
–
The unit under test (UUT) is reloaded while the other peer is still sending traffic.
There are no known workarounds.
•
CSCed55335
Packets are stuck in the output queue of multilink bundles on routers running Cisco IOS Release 12.1(20)E. All Network Control Protocol (NCP) negotiations fail to complete.
This issue occurs when multilink is used with a legacy dialer (Integrated Services Digital Network (ISDN) or dialer rotary groups) and fair queuing is enabled (either explicitly or by default).
Workaround: Disable "fair-queue" or disable "ppp multilink" under the d-channel or dialer interface, or use dialer profiles.
•
CSCed57365
A Cisco 7200 series router running the VPN Acceleration Module (VAM) and configured for a large number of tunnels may fail to create new Internet Key Exchange (IKE) security associations (SAs) and display the message "Main mode exchange failed" or "unable to create DH parameters". In addition, the "IPSec Card Error coming back 0x4" message appears on the console.
This issue occurs under the following conditions:
–
A Cisco 7200 crypto image running VAM
–
Large number of tunnels (more than 500)
–
After many IKE/IPSec session rekeys
Workaround: Issue crypto card shut, followed by crypto card enable, to reset the crypto engine. Note that this will tear down all the existing IKE and IPSec SAs.
•
CSCed63950
A Cisco 7200 series router running IPSec with a crypto accelerator may crash with an illegal access to low memory exception.
This issue occurs when the clear cry sa command is issued or during an online insertion and removal (OIR) of the crypto accelerator.
Workaround: Avoid sending traffic while doing the OIR.
•
CSCed65778
Certain release trains of Cisco Internetwork Operating System (IOS), when configured to use the Cisco IOS Secure Shell (SSH) server in combination with Terminal Access Controller Access Control System Plus (TACACS+) as a means to perform remote management tasks on Cisco IOS devices, may contain two vulnerabilities that can potentially cause Cisco IOS devices to exhaust resources and reload. Repeated exploitation of these vulnerabilities can result in a Denial of Service (DoS) condition. Use of SSH with Remote Authentication Dial In User Service (RADIUS) is not affected by these vulnerabilities.
Cisco has made free software available to address these vulnerabilities for all affected customers. There are workarounds available to mitigate the effects of the vulnerability (see the "Workarounds" section of the full advisory for details.)
This advisory will be posted at
http://www.cisco.com/warp/public/707/cisco-sa-20050406-ssh.shtml
•
CSCed71964
The Buffer (I/O memory) starvation and %SYS-2-MALLOCFAIL messages display on the console.
This issue occurs when Encryption/Compression and fair-queue are enabled on same interface on a Cisco 7200 series router with an NSE-1 processor board or a Cisco 7401 platform.
Workaround: Disable PXF using the no ip pxf command.
Alternate Workaround: Disable fair-queuing on the egress interface using the no fair-queue command.
•
CSCed78803
A Cisco router configured with Frame-Relay encapsulation may forward packets that come in on a subinterface that is in an administratively shutdown state.
There are no known workarounds.
•
CSCed81096
Packets cannot be transmitted out of the interface. As a result, the interface and routing may start flapping. In addition, you may also see memory allocation failure messages.
This issue occurs on a Cisco 7200 series router with an NSE-1 processor board or a Cisco 7401 platform when Parallel Express Forwarding (PXF) is enabled, and the egress interface has enabled fair-queuing and traffic shaping.
Workaround: Disable PXF using the no ip pxf command.
Alternate Workaround: Disable fair-queuing on the egress interface using the no fair-queue command.
•
CSCed86089
The command to test if the L3 cache is enabled or disabled is broken for the NSE-1 on a Cisco 7200 series router.
Workaround: Use the show version command to ascertain the status of the L3 cache state.
•
CSCed89735
An uncorrectable Expanded Call Context (ECC) parity error may occur on a Cisco 7200 series router that is configured with an NPE-G1.
This rare issue occurs when you enter the show sysctlr or show tech command on the NPE-G1.
Workaround: Do not enter the show sysctlr or show tech command.
•
CSCed93804
The Enhanced Interior Gateway Routing Protocol (EIGRP) may incorrectly remove a connected route from the topology when the user changes the router network commands and overlapping networks exist.
Consider the following configuration:
int loopback1
ip addr 10.1.2.2 255.255.255.0
router eigrp 1
net 10.0.0.0 0.3.255.255
If changing the network command to 'net 10.0.0.0' by doing...
router(config)# net 10.0.0.0
router(config)# no net 10.0.0.0 0.3.255.255
... the connected route will be removed when it should be retained.
Workaround: Remove the old network command first before adding the new one:
router(config)# no net 10.0.0.0 0.3.255.255
router(config)# net 10.0.0.0
•
CSCed93836
A vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences beyond terminated connection which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer) and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality.
All Cisco products which contain a TCP stack are susceptible to this vulnerability.
This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS® software.
A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.
•
CSCed94244
A Cisco 7200 series router running the VPN Accelerator Module (VAM) produces a traceback at the crypto_isa_post_encrypt_ps function with the message "SYS-2-LINKED Bad enqueue of 0xxx in queue 0xxx".
This traceback occurs when the crypto card is shut down using the command crypto card shut slot while traffic is still running. This issue occurs more often when more than 500 IPSec tunnels are configured.
There are no known workarounds.
•
CSCed95041
A Cisco 7200 series router with NPE-G1 running the VPN Acceleration Module (VAM) may print the XXXX pattern when debugging VAM errors using the debug crypto device command.
This issue occurs only when the debug flag is enabled.
There are no known workarounds.
•
CSCee00041
A new vulnerability in the OpenSSL implementation for SSL was announced on March 17, 2004.
An affected network device running an SSL server based on an affected OpenSSL implementation may be vulnerable to a Denial of Service (DoS) attack. There are workarounds available to mitigate the effects of this vulnerability on Cisco products in the workaround section of this advisory. Cisco is providing fixed software, and recommends that customers upgrade to it when it is available.
This advisory will be posted at
http://www.cisco.com/warp/public/707/cisco-sa-20040317-openssl.shtml.
•
CSCin07365
A router reloads when you enter the show queueing interface privileged EXEC command.
This issue occurs on a router that is functioning as a Layer 2 Tunneling Protocol (L2TP) access concentrator (LAC) when there is a lot of downstream data traffic from an L2TP network server (LNS) through the LAC to a client and Cisco Express Forwarding (CEF), fast switching, or process switching is enabled.
There are no known workarounds.
•
CSCin11256
A Layer 2 Tunneling Protocol (L2TP) access concentrator (LAC) may reload when PPP over ATM (PPPoA) sessions are initiated.
This issue occurs when the shutdown interface configuration command and the no shutdown interface configuration command are entered in quick succession.
There are no known workarounds.
•
CSCin40163
An Asynchronous Transfer Mode (ATM) interface may remain administratively down.
This issue occurs when the command-line interface (CLI) does not function. This issue is platform independent.
There are no known workarounds.
•
CSCin43938
If a FastEthernet (FE) interface is being used as an IP link for voice calls between 2 routers and shut/no shut is issued multiple times on the FE interface, the Address Resolution Protocol (ARP) entry of the other FE might be lost and not recovered automatically.
Workaround: Shut/no shut the other FE.
•
CSCin48676
When booting the router, if you try to establish a Secure Shell Version 2 (SSHv2) session immediately after the "Press RETURN to get started!" message appears on the console, the router reloads.
There are no known workarounds.
•
CSCin49458
An enhanced Asynchronous Transfer Mode (ATM) port adapter (PA-A3) may display an increasing "rx_no_buffer" counter in the output of the show controllers atm privileged EXEC command, and some permanent virtual circuits (PVCs) configured on the PA-A3 port adapter may stop receiving traffic.
This issue occurs when there is a high-traffic load on the PA-A3. Certain types of PA-A3s are impacted by this problem (PA-A3-OC3/T3/E3 are impacted, but PA-A3-OC12 and PA-A3-8T1/8E1 IMA are not). In addition, any platform supporting these types of PA-A3s may be impacted.
Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the PA-A3.
•
CSCin59139
Spurious access is observed in the Cisco 7500 platform when rate output and fair queuing are configured on the serial/gigabit interfaces.
There are no known workarounds.
•
CSCin60611
The router may reload when the show queue atm command is issued.
This issue occurs on a Cisco 7200 series router with an NSE-1 processor board or a Cisco 7401 platform when Parallel Express Forwarding (PXF) is enabled and the show queue atm command is entered when traffic is flowing through the Asynchronous Transfer Mode (ATM) permanent virtual circuit (PVC).
Workaround: Disable PXF globally using the no ip pxf command.
•
CSCin67568
A Cisco router experiences a memory leak in the Cisco Discovery Protocol (CDP) process when the device sending CDP packets sends a hostname that is 256 or more characters. There are no problems with a hostname of 255 or fewer characters.
Workaround: Configure the neighbor device to use a hostname of fewer than 256 characters, or disable the CDP process with the no cdp run global command.
Open Caveats—Cisco IOS Release 12.1(20)E2
This section documents possible unexpected behavior by Cisco IOS Release 12.1(20)E2 and describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCec14039
A Network Processing Engine G1 (NPE-G1) restarts unexpectedly and reports the following message:
Last reset from watchdog reset
This problem occurs on a Cisco 7200 series router that is configured with an NPE-G1 and that is running Cisco IOS Release 12.2(14)S3. The problem may also occur in other releases.
There are no known workarounds.
•
CSCec27898
Match input interface configuration is lost after a router reload.
This problem occurs when the interface to be matched is a channelized interface.
There are no known workarounds.
•
CSCec39132
A router may reload due to a software forced crash when a large Internet Group Management Protocol (IGMP) packet flood occurs.
This problem occurs if the router is configured for multicast and a large IGMP packet flood occurs.
There are no known workarounds.
•
CSCin57765
A router may become unresponsive and may reload when you append a file whose size is not a multiple of 512 bytes to an Advanced Technology Attachment (ATA) flash card (for example, boot disk, disk0, disk1).
For example, this situation may occur when you enter the show command | tee /append url privileged EXEC command.
This problem occurs on a Cisco platform that runs a Cisco IOS image that contains the fix for caveat CSCdz27200 and that utilizes an ATA flash card. A list of the affected releases can be found at
http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCdz27200.
Cisco IOS software releases that are not listed in the "First Fixed-in Version" field at this location are not affected.
Workaround: Write the output of the show command to a new file instead of appending it to an existing file by entering the show command | tee url privileged EXEC command.
Resolved Caveats—Cisco IOS Release 12.1(20)E2
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(20)E2. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdu47678
A Cisco 7200 NSE-1 may run into a Parallel Express Forwarding (PXF) exception when packets are being PXF switched and the route has multiple destinations (load balance).
Workaround: Disable PXF using the no ip pxf command when running the NSE-1 processor on a Cisco 7200 series router.
•
CSCeb16876
A Cisco router may generate a "SYS-2-GETBUF" message during the Tag Input process and subsequently reload unexpectedly.
This issue occurs when the router fragments a Multiprotocol Label Switching (MPLS) packet.
There are no known workarounds.
•
CSCeb36360
Spurious accesses were seen on a Cisco 7200 series router and route switch processor (RSP) when ppp multilink encap is configured.
This issue occurs in Cisco IOS Releases 12.2(17.1)SPI1 and 12.2(17.8)SPI2.
There are no known workarounds.
•
CSCeb68105
A Cisco 7200 series router, running the Cisco IOS Release 12.1(E) crypto image with a dynamic crypto map configuration, may drop clear traffic.
If you add an access list and then remove the access list from the dynamic crypto map, the assigned interface drops clear traffic.
Workaround: Re-attach the access-list, or delete the dynamic crypto map configuration and create it again. Note that access lists are not mandatory for dynamic crypto maps.
•
CSCec55650
A packet through a multilink interface will not be distributed switched because the multilink adjacency is programmed as punt.
There are no known workarounds.
•
CSCec63186
When an interface is configured with multiple ip multicast helper-map statements for the same group address and different broadcast addresses are removed, spurious memory access errors are generated.
If the interface is reconfigured and then removed again, the router will unexpectedly reload.
There are no known workarounds.
•
CSCec70428
When Protocol Independent Multicast (PIM) dense mode is enabled, an interface in the outgoing interface list may indicate that it is in forwarding mode but the P flag may still be set to the source, group (S,G) state, preventing the interface from forwarding any packets.
This problem occurs when an interface enters forwarding mode because the prune timer expires. In addition, note that there is an Internet Group Management Protocol (IGMP) member on this interface.
Workaround: Enter the clear ip mroute group privileged EXEC command.
•
CSCec70483
The ip pim register-source command is not accepted in Cisco IOS Release 12.1E and its derivatives.
Workaround: Downgrade to Cisco IOS Release 12.1(8b)E9 or 12.1(8)EA1c.
•
CSCec71488
A Multilayer Switch Feature Card 2 (MSFC2) with an Asynchronous Transfer Mode (ATM) FlexWAN in the Service Resource Module (SRM) configured with low latency queueing (LLQ) quality of service (QoS) on the ATM virtual circuit (VC) may crash with an SRM failover. In addition, you may see slow traffic forwarding on some ATM VCs with high priority traffic.
There are no known workarounds if the router unexpectedly reloads. However, for slow traffic forwarding, remove the service policy configuration statement in the ATM subinterface and then add it again. These actions should make the slow traffic forwarding problem disappear.
•
CSCec75499
Directed broadcasts to a destination network which is part of a Multiprotocol Label Switching (MPLS) VPN fail. If the same destination network is placed in the global routing table, then directed broadcasts do work successfully.
There are no known workarounds.
•
CSCec85347
A Cisco router running Cisco IOS Release 12.2(13c) may reload unexpectedly because of memory corruption.
This problem occurs under the following conditions:
–
Connection accounting is enabled on the router.
–
The router operates under stress.
–
An illegal write operation is performed on "BLOCKMAGIC" by the authentication, authorization, and accounting (AAA) accounting process.
Workaround: Disable connection accounting.
•
CSCed13108
A Cisco 7204 router with a Service Adapter-VPN Acceleration Module (SA-VAM) card running Cisco IOS Release 12.1(20)E1 and configured for IPSec keeps generating "Error coming back 0004" information. The IPSec tunnel stays up and traffic passes without any problem. In addition, the "invalid_fc" and "cmdq_rx_error" counters keep increasing in the output of the show pas vam int command.
This problem occurs when more than 500 tunnels are configured. After a large number of re-keys, the error 0x4 appears.
Workaround: Use the crypto card shut command, followed by the crypto card enable command, to reset the VPN Acceleration Module (VAM) card. Note, however, that these commands will delete all existing Internet Key Exchange (IKE) and IPSec security associations (SAs).
•
CSCed15277
When a Border Gateway Protocol (BGP) process propagates routes that are learned from an internal BGP (iBGP) peer to an external BGP (eBGP) peer, the eBGP peer should see these routes with the next-hop address of the originator's address. However, the eBGP peer sees the routes with the next-hop address of the router that propagates the routes, not the router that originates the routes.
This problem occurs in Cisco IOS Release 12.1(22).
There are no known workarounds.
•
CSCed27956
A vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences beyond terminated connection which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer) and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality.
All Cisco products which contain TCP stack are susceptible to this vulnerability.
This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS® software.
A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.
•
CSCed28873
Cisco products running IOS contain vulnerabilities in the processing of H.323 messages, which are typically used in packetized voice or multimedia applications. Features such as NAT and IOS Firewall must inspect H.323 messages and may be vulnerable as well. A test suite has been developed by the University of Oulu to target this protocol and identify vulnerabilities.
Support for the H.323 protocol was introduced in Cisco IOS Software Release 11.3T, and all later Cisco IOS releases are affected if configured for various types of Voice/Multimedia Application support. The vulnerabilities can be exploited repeatedly to produce a denial of service (DoS).
There are workarounds available that may mitigate the impact, but these techniques may not be appropriate for use in all customer networks. This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml.
•
CSCed38527
A vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences beyond terminated connection which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer) and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality.
All Cisco products which contain TCP stack are susceptible to this vulnerability.
This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS® software.
A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.
•
CSCed47810
Secure Shell Version 1 (SSHv1) doesn't work in either compatibility mode or ip ssh version 1 mode.
Workaround: Use a Secure Shell Version 2 (SSHv2) server through an SSHv2 client.
•
CSCin60835
The show controller serial command for a PA-T3 PA does not show the complete data.
There are no known workarounds.
Open Caveats—Cisco IOS Release 12.1(20)E1
This section documents possible unexpected behavior by Cisco IOS Release 12.1(20)E1 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(20)E1.
Resolved Caveats—Cisco IOS Release 12.1(20)E1
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(20)E1. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdx40184
Cisco products running IOS contain vulnerabilities in the processing of H.323 messages, which are typically used in packetized voice or multimedia applications. Features such as NAT and IOS Firewall must inspect H.323 messages and may be vulnerable as well. A test suite has been developed by the University of Oulu to target this protocol and identify vulnerabilities.
Support for the H.323 protocol was introduced in Cisco IOS Software Release 11.3T, and all later Cisco IOS releases are affected if configured for various types of Voice/Multimedia Application support. The vulnerabilities can be exploited repeatedly to produce a denial of service (DoS).
There are workarounds available that may mitigate the impact, but these techniques may not be appropriate for use in all customer networks. This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml.
•
CSCdx76632
Cisco products running IOS contain vulnerabilities in the processing of H.323 messages, which are typically used in packetized voice or multimedia applications. Features such as NAT and IOS Firewall must inspect H.323 messages and may be vulnerable as well. A test suite has been developed by the University of Oulu to target this protocol and identify vulnerabilities.
Support for the H.323 protocol was introduced in Cisco IOS Software Release 11.3T, and all later Cisco IOS releases are affected if configured for various types of Voice/Multimedia Application support. The vulnerabilities can be exploited repeatedly to produce a denial of service (DoS).
There are workarounds available that may mitigate the impact, but these techniques may not be appropriate for use in all customer networks. This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml.
•
CSCea46342
Cisco products running IOS contain vulnerabilities in the processing of H.323 messages, which are typically used in packetized voice or multimedia applications. Features such as NAT and IOS Firewall must inspect H.323 messages and may be vulnerable as well. A test suite has been developed by the University of Oulu to target this protocol and identify vulnerabilities.
Support for the H.323 protocol was introduced in Cisco IOS Software Release 11.3T, and all later Cisco IOS releases are affected if configured for various types of Voice/Multimedia Application support. The vulnerabilities can be exploited repeatedly to produce a denial of service (DoS).
There are workarounds available that may mitigate the impact, but these techniques may not be appropriate for use in all customer networks. This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml.
•
CSCeb78836
Cisco products running IOS contain vulnerabilities in the processing of H.323 messages, which are typically used in packetized voice or multimedia applications. Features such as NAT and IOS Firewall must inspect H.323 messages and may be vulnerable as well. A test suite has been developed by the University of Oulu to target this protocol and identify vulnerabilities.
Support for the H.323 protocol was introduced in Cisco IOS Software Release 11.3T, and all later Cisco IOS releases are affected if configured for various types of Voice/Multimedia Application support. The vulnerabilities can be exploited repeatedly to produce a denial of service (DoS).
There are workarounds available that may mitigate the impact, but these techniques may not be appropriate for use in all customer networks. This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml.
•
CSCec07487
RSP4, running Cisco IOS Release 12.1(19)E1, reports that an interface is not transmitting because of an output stuck event. This problem is shown on the router's console in the following manner:
%ISDN-6-LAYER2DOWN: Layer 2 for Interface Se1/0/2:15, TEI0 changed to down
%ISDN-6-LAYER2DOWN: Layer 2 for Interface Se1/0/1:15, TEI0 changed to down
%ISDN-6-LAYER2DOWN: Layer 2 for Interface Se1/0/3:15, TEI0 changed to down
%RSP-3-RESTART: interface Serial1/0/0:15, not transmitting
Output Stuck on Serial1/0/0:15
%RSP-3-RESTART: interface Serial1/0/1:15, output frozen
%RSP-3-RESTART: interface Serial1/0/2:15, not transmitting
%RSP-3-RESTART: cbus complex
This problem occurs when compress stack is configured on the interface.
Workaround: Remove the compress stack statement from the configuration.
•
CSCec14415
When next-hop-self is configured on a peer group, the next-hop calculation is only performed on the first member of the peer group, and the same next-hop value is replicated to the rest of the peers instead of calculating the next hop based on the next-hop-self configuration. This problem occurs if the router is multihomed and if the Border Gateway Protocol (BGP) uses those multiple interfaces to peer with neighbors which are in the same peer group (or update group). As a result, the next-hop value of the leader of the peer group is used for all the members.
This problem occurs on a Cisco 7200 series router that is running Cisco IOS Release 12.2, 12.3, or 12.3T.
Workaround: Remove the peer groups to allow the calculation to be run for each neighbor.
Alternate workaround: Ensure that all the peers that are in the same peer group can be reached through a single interface and use that interface IP address in the BGP update-source command as the local peering address.
•
CSCec76776
Cisco products running IOS contain vulnerabilities in the processing of H.323 messages, which are typically used in packetized voice or multimedia applications. Features such as NAT and IOS Firewall must inspect H.323 messages and may be vulnerable as well. A test suite has been developed by the University of Oulu to target this protocol and identify vulnerabilities.
Support for the H.323 protocol was introduced in Cisco IOS Software Release 11.3T, and all later Cisco IOS releases are affected if configured for various types of Voice/Multimedia Application support. The vulnerabilities can be exploited repeatedly to produce a denial of service (DoS).
There are workarounds available that may mitigate the impact, but these techniques may not be appropriate for use in all customer networks. This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml.
•
CSCin56408
Cisco products running IOS contain vulnerabilities in the processing of H.323 messages, which are typically used in packetized voice or multimedia applications. Features such as NAT and IOS Firewall must inspect H.323 messages and may be vulnerable as well. A test suite has been developed by the University of Oulu to target this protocol and identify vulnerabilities.
Support for the H.323 protocol was introduced in Cisco IOS Software Release 11.3T, and all later Cisco IOS releases are affected if configured for various types of Voice/Multimedia Application support. The vulnerabilities can be exploited repeatedly to produce a denial of service (DoS).
There are workarounds available that may mitigate the impact, but these techniques may not be appropriate for use in all customer networks. This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml.
Open Caveats—Cisco IOS Release 12.1(20)E
This section documents possible unexpected behavior by Cisco IOS Release 12.1(20)E and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(20)E.
Resolved Caveats—Cisco IOS Release 12.1(20)E
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(20)E. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdu53656
A Cisco device running IOS and enabled for the Border Gateway Protocol (BGP) is vulnerable to a Denial of Service (DOS) attack from a malformed BGP packet. The BGP protocol is not enabled by default, and must be configured in order to accept traffic from an explicitly defined peer. Unless the malicious traffic appears to be sourced from a configured, trusted peer, it would be difficult to inject a malformed packet. BGP MD5 is a valid workaround for this problem.
Cisco has made free software available to address this problem. For more details, please refer to this advisory, available at
http://www.cisco.com/warp/public/707/cisco-sa-20040616-bgp.shtml.
•
CSCea28131
A Cisco device running IOS and enabled for the Border Gateway Protocol (BGP) is vulnerable to a Denial of Service (DOS) attack from a malformed BGP packet. The BGP protocol is not enabled by default, and must be configured in order to accept traffic from an explicitly defined peer. Unless the malicious traffic appears to be sourced from a configured, trusted peer, it would be difficult to inject a malformed packet. BGP MD5 is a valid workaround for this problem.
Cisco has made free software available to address this problem. For more details, please refer to this advisory, available at
http://www.cisco.com/warp/public/707/cisco-sa-20040616-bgp.shtml.
•
CSCec33454
When IPSec crypto hardware is shut down, IOS falls back to software to handle all crypto operation. A CLI is needed to disable this behavior.
There are no known workarounds.
•
CSCec33664
When IPSec crypto hardware goes down, it does not generate syslog messages that trigger a syslog Simple Network Management Protocol (SNMP) trap when logging is at error level.
Workaround: Set logging to the informational level, which should generate syslog SNMP traps.
•
CSCec46351
A Cisco 7200 series router with an NSE-1 processor board or a Cisco 7401 router displays %PXF-2-TALLOCFAIL messages repeatedly.
This problem occurs when any routing protocol is used.
There are no known workarounds.
•
CSCec60175
Rivest, Shamir, & Adleman (RSA) encryption is not supported by the VPN Acceleration Module (VAM) hardware.
Workaround: Use software crypto or a non-Hifn hardware accelerator.
Open Caveats—Cisco IOS Release 12.1(19)E7
This section documents possible unexpected behavior by Cisco IOS Release 12.1(19)E7 and describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCec14039
A Network Processing Engine G1 (NPE-G1) may restart unexpectedly and report the following message:
Last reset from watchdog reset
This issue occurs on a Cisco 7200 series router configured with an NPE-G1 that is running Cisco IOS Release 12.2(14)S3. This issue may also occur in other releases.
There are no known workarounds.
•
CSCed11793
The output queue of a Gigabit Ethernet port may become stuck, preventing traffic from leaving the interface.
This issue occurs on the Gigabit Ethernet port 0/1 (gig0/1) of a Network Processing Engine NPE-G1 (NPE-G1) that is installed in a Cisco 7200 series router.
Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the affected interface.
Alternate workaround: Reload the router.
•
CSCed89735
An uncorrectable Expanded Call Context (ECC) parity error may occur on a Cisco 7200 series router that is configured with an NPE-G1.
This rare issue occurs when you enter the show sysctlr or show tech command on the NPE-G1.
Workaround: Do not enter the show sysctlr or show tech command.
Resolved Caveats—Cisco IOS Release 12.1(19)E7
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(19)E7. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdt51547
With certain Asynchronous Transfer Mode (ATM) subinterfaces, the ip verify unicast reverse-path interface configuration command may incorrectly drop a fraction of incoming traffic.
There are no known workarounds.
•
CSCdx19396
Addresses that are used for overloading may be used as one-to-one translations.
This issue occurs when a combination of static and dynamic Port Address Translation (PAT) are used. The addresses that are used for overloading may be used as one-to-one translations because for Domain Name System (DNS) packets, the addresses are translated inside the payload. This issue may cause dynamic translations to fail.
Workaround: Ensure the ip nat pool inside_pool contains more than one IP address.
•
CSCdy33645
With the addition of packet-by-packet compression on a serial interface, followed by enabling ip cef globally, a punt adjacency is created for that interface. However, the subsequent removal of packet-by-packet compression on that interface does not result in the removal of the punt adjacency for that interface.
There are no known workarounds.
•
CSCdz32659
Many memory allocation failure (MALLOCFAIL) messages may occur for a Cisco Discovery Protocol (CDP) process:
%SYS-2-MALLOCFAIL: Memory allocation of -1732547824 bytes failed fromx605111F0, pool Processor, alignment 0
-Process= "CDP Protocol", ipl= 0, pid= 42
-Traceback= 602D5DF4 602D78A0 605111F8 60511078 6050EC88 6050E684 602D0E2C 602D0E18
The issue occurs on a Cisco 7513 router that runs Cisco IOS Release 12.0(17)ST. The issue may also occur on other Cisco 7500 series routers that run Cisco IOS Release 12.0 S, 12.2 S, 12.3, or 12.3 T.
Workaround: To prevent the symptom from occurring again, disable CDP by entering the no cdp run global configuration command.
•
CSCdz84583
A vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences beyond terminated connection which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer) and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality.
All Cisco products which contain TCP stack are susceptible to this vulnerability.
This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS® software.
A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.
•
CSCeb50740
A Cisco 7513 router running Cisco IOS Release 12.2(14)S and multicast VPN experiences a memory leak of 20-30Mb per day in the Protocol-Independent Multicast (PIM) process.
Workaround: Use another method to determine the rendezvous point (RP) for a VPN routing and forwarding instance (VRF) or do not configure a Bootstrap Router (BSR) or Route Processor as an RP, but instead configure a customer edge (CE) router to function as the RP.
•
CSCeb54850
A Cisco router might not save the media-type mii configuration for a FastEthernet interface in the startup-config. When the router is reloaded, it will use the default configuration and the line protocol on the interface may not come up.
Workaround: Reconfigure media-type mii on the interface after restarting the router.
•
CSCeb85090
A router may reload unexpectedly while performing a shut/no shut on an interface.
This issue occurs when the processor is an NPE-G1 and the interface being administered has VLAN subinterfaces configured.
There are no known workarounds.
•
CSCec23982
A Cisco 7500 series router may experience high CPU on a Versatile Interface Processor (VIP) which leads to latency on all interfaces of the VIP.
This issue occurs when Network Based Application Recognition (NBAR) is configured to match Kazaa as a protocol or NBAR protocol discovery is enabled.
Workaround: Load version 6.0 or later Kazaa2 PDLM.
•
CSCec72762
The ingress IP traffic on a Cisco 7206 VXR Asynchronous Transfer Mode (ATM) interface is being process switched with Cisco Express Forwarding (CEF) enabled. Ping drops occur on the permanent virtual circuit (PVC), which has not been used at all, and the RP Drops and SPD Fast Flushes are incrementing (because the IP has been process switched).
This issue occurs on a Cisco 7206VXR running Cisco IOS Release 12.1(19)E1 with two Packet-over-SONET (POS) interfaces (OC3, 1 per PCI bus) and an ATM interface (PA-A3-OC3-SMI), around 700 subinterfaces/PVCs (of which a great majority have VPN routing and forwarding instances (VRFs) configured, and some of which are bridged ATM PVCs (VRF on BVI)).
Workaround: Increase the ingress hold-queue on the ATM interface.
•
CSCed35253
A router may reload unexpectedly after it attempts to access a low memory address.
This issue occurs after access control lists (ACLs) have been updated dynamically or after the router has responded dynamically to an intrusion detection system (IDS) signature.
Workaround: Disable IP Inspect and IDS.
•
CSCed93836
A vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences beyond terminated connection which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer) and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality.
All Cisco products which contain TCP stack are susceptible to this vulnerability.
This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS® software.
A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.
•
CSCed71964
The Buffer (I/O memory) starvation and %SYS-2-MALLOCFAIL messages display on the console.
This issue occurs when Encryption/Compression and fair-queue are enabled on same interface on a Cisco 7200 series router with an NSE-1 processor board or a Cisco 7401 platform.
Workaround: Disable Parallel Express Forwarding (PXF) using the no ip pxf command.
Alternate Workaround: Disable fair-queuing on the egress interface using the no fair-queue command.
•
CSCed81096
Packets cannot be transmitted out of the interface. As a result, the interface and routing may start flapping. In addition, you may also see memory allocation failure messages.
This issue occurs on a Cisco 7200 series router with an NSE-1 processor board or a Cisco 7401 platform when Parallel Express Forwarding (PXF) is enabled, and the egress interface has enabled fair-queuing and traffic shaping.
Workaround: Disable PXF using the no ip pxf command.
Alternate Workaround: Disable fair-queuing on the egress interface using the no fair-queue command.
•
CSCee00041
A new vulnerability in the OpenSSL implementation for SSL was announced on March 17, 2004.
An affected network device running an SSL server based on an affected OpenSSL implementation may be vulnerable to a Denial of Service (DoS) attack. There are workarounds available to mitigate the effects of this vulnerability on Cisco products in the workaround section of this advisory. Cisco is providing fixed software, and recommends that customers upgrade to it when it is available.
This advisory will be posted at
http://www.cisco.com/warp/public/707/cisco-sa-20040317-openssl.shtml.
•
CSCin60611
The router may reload when the show queue atm command is issued.
This issue occurs on a Cisco 7200 series router with an NSE-1 processor board or a Cisco 7401 platform when Parallel Express Forwarding (PXF) is enabled and the show queue atm command is entered when traffic is flowing through the Asynchronous Transfer Mode (ATM) permanent virtual circuit (PVC).
Workaround: Disable PXF globally using the no ip pxf command.
•
CSCin67568
A Cisco router experiences a memory leak in the Cisco Discovery Protocol (CDP) process when the device sending CDP packets sends a hostname that is 256 or more characters. There are no problems with a hostname of 255 or fewer characters.
Workaround: Configure the neighbor device to use less than a 256-character hostname, or disable the CDP process with the no cdp run global command.
Open Caveats—Cisco IOS Release 12.1(19)E6
This section documents possible unexpected behavior by Cisco IOS Release 12.1(19)E6 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(19)E6.
Resolved Caveats—Cisco IOS Release 12.1(19)E6
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(19)E6. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCed27956
A vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences beyond terminated connection which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer) and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality.
All Cisco products which contain TCP stack are susceptible to this vulnerability.
This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS® software.
A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.
•
CSCed28873
Cisco products running IOS contain vulnerabilities in the processing of H.323 messages, which are typically used in packetized voice or multimedia applications. Features such as NAT and IOS Firewall must inspect H.323 messages and may be vulnerable as well. A test suite has been developed by the University of Oulu to target this protocol and identify vulnerabilities.
Support for the H.323 protocol was introduced in Cisco IOS Software Release 11.3T, and all later Cisco IOS releases are affected if configured for various types of Voice/Multimedia Application support. The vulnerabilities can be exploited repeatedly to produce a denial of service (DoS).
There are workarounds available that may mitigate the impact, but these techniques may not be appropriate for use in all customer networks. This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml.
•
CSCed38527
A vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences beyond terminated connection which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer) and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality.
All Cisco products that contain a TCP stack are susceptible to this vulnerability.
This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS® software.
A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.
Open Caveats—Cisco IOS Release 12.1(19)E4
This section documents possible unexpected behavior by Cisco IOS Release 12.1(19)E4 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(19)E4.
Resolved Caveats—Cisco IOS Release 12.1(19)E4
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(19)E4. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdx40184
Cisco products running IOS contain vulnerabilities in the processing of H.323 messages, which are typically used in packetized voice or multimedia applications. Features such as NAT and IOS Firewall must inspect H.323 messages and may be vulnerable as well. A test suite has been developed by the University of Oulu to target this protocol and identify vulnerabilities.
Support for the H.323 protocol was introduced in Cisco IOS Software Release 11.3T, and all later Cisco IOS releases are affected if configured for various types of Voice/Multimedia Application support. The vulnerabilities can be exploited repeatedly to produce a denial of service (DoS).
There are workarounds available that may mitigate the impact, but these techniques may not be appropriate for use in all customer networks. This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml.
•
CSCdx76632
Cisco products running IOS contain vulnerabilities in the processing of H.323 messages, which are typically used in packetized voice or multimedia applications. Features such as NAT and IOS Firewall must inspect H.323 messages and may be vulnerable as well. A test suite has been developed by the University of Oulu to target this protocol and identify vulnerabilities.
Support for the H.323 protocol was introduced in Cisco IOS Software Release 11.3T, and all later Cisco IOS releases are affected if configured for various types of Voice/Multimedia Application support. The vulnerabilities can be exploited repeatedly to produce a denial of service (DoS).
There are workarounds available that may mitigate the impact, but these techniques may not be appropriate for use in all customer networks. This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml.
•
CSCea46342
Cisco products running IOS contain vulnerabilities in the processing of H.323 messages, which are typically used in packetized voice or multimedia applications. Features such as NAT and IOS Firewall must inspect H.323 messages and may be vulnerable as well. A test suite has been developed by the University of Oulu to target this protocol and identify vulnerabilities.
Support for the H.323 protocol was introduced in Cisco IOS Software Release 11.3T, and all later Cisco IOS releases are affected if configured for various types of Voice/Multimedia Application support. The vulnerabilities can be exploited repeatedly to produce a denial of service (DoS).
There are workarounds available that may mitigate the impact, but these techniques may not be appropriate for use in all customer networks. This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml.
•
CSCeb16876
A Cisco router may generate a "SYS-2-GETBUF" message during the Tag Input process and may subsequently reload.
This problem occurs when the router fragments a Multiprotocol Label Switching (MPLS) packet.
There are no known workarounds.
•
CSCeb78836
Cisco products running IOS contain vulnerabilities in the processing of H.323 messages, which are typically used in packetized voice or multimedia applications. Features such as NAT and IOS Firewall must inspect H.323 messages and may be vulnerable as well. A test suite has been developed by the University of Oulu to target this protocol and identify vulnerabilities.
Support for the H.323 protocol was introduced in Cisco IOS Software Release 11.3T, and all later Cisco IOS releases are affected if configured for various types of Voice/Multimedia Application support. The vulnerabilities can be exploited repeatedly to produce a denial of service (DoS).
There are workarounds available that may mitigate the impact, but these techniques may not be appropriate for use in all customer networks. This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml.
•
CSCeb85136
An IP packet that is sent with an invalid IP checksum may not be dropped.
This problem occurs if the IP checksum is calculated with a decreased Time To Live (TTL) value. For example, in the situation where the IP checksum must be 0x1134 with a TTL of 3, if the packet is sent with an IP checksum of 0x1234 that is calculated by using a TTL value of 2, the packet is not dropped. In all other cases, packets with incorrect checksums are dropped.
There are no known workarounds.
•
CSCec10234
Ethernet redundancy may not function with Inter-Switch Link (ISL) trunking.
This problem occurs on a Cisco router or switch that is configured for data-link switching (DLSw) and Ethernet Redundancy (ER).
There are no known workarounds.
•
CSCec21331
A Cisco 7200 series router reports "%ALIGN-3-TRACE."
There are no known workarounds.
•
CSCec46274
New vulnerabilities in the OpenSSL implementation for SSL have been announced.
An affected network device running an SSL server based on the OpenSSL implementation may be vulnerable to a Denial of Service (DoS) attack when presented with a malformed certificate by a client. The network device is vulnerable to this vulnerability even if it is configured to not authenticate certificates from the client.
There are workarounds available to mitigate the effects of these vulnerabilities. Please refer to the following advisory for more information:
http://www.cisco.com/warp/public/707/cisco-sa-20030930-ssl.shtml.
•
CSCec76776
Cisco products running IOS contain vulnerabilities in the processing of H.323 messages, which are typically used in packetized voice or multimedia applications. Features such as NAT and IOS Firewall must inspect H.323 messages and may be vulnerable as well. A test suite has been developed by the University of Oulu to target this protocol and identify vulnerabilities.
Support for the H.323 protocol was introduced in Cisco IOS Software Release 11.3T, and all later Cisco IOS releases are affected if configured for various types of Voice/Multimedia Application support. The vulnerabilities can be exploited repeatedly to produce a denial of service (DoS).
There are workarounds available that may mitigate the impact, but these techniques may not be appropriate for use in all customer networks. This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml.
•
CSCin56408
Cisco products running IOS contain vulnerabilities in the processing of H.323 messages, which are typically used in packetized voice or multimedia applications. Features such as NAT and IOS Firewall must inspect H.323 messages and may be vulnerable as well. A test suite has been developed by the University of Oulu to target this protocol and identify vulnerabilities.
Support for the H.323 protocol was introduced in Cisco IOS Software Release 11.3T, and all later Cisco IOS releases are affected if configured for various types of Voice/Multimedia Application support. The vulnerabilities can be exploited repeatedly to produce a denial of service (DoS).
There are workarounds available that may mitigate the impact, but these techniques may not be appropriate for use in all customer networks. This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml.
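The checksum arithmetic behind CSCeb85136 in the list above, worked through in Python as an added example that is not Cisco code. The header fields are constructed sample values chosen so that the checksums match the caveat's 0x1134 (TTL 3) and 0x1234 (TTL 2), and all function names are illustrative. It shows a receive-side check rejecting the mismatched packet, and that an RFC 1624 incremental TTL update keeps a bad checksum bad.

```python
import struct


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def header_checksum(header: bytes) -> int:
    """Checksum the header should carry, computed with the checksum field zeroed."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return ~ones_complement_sum(zeroed) & 0xFFFF


def checksum_valid(header: bytes) -> bool:
    """Valid when the sum over every word, checksum included, is 0xFFFF."""
    return ones_complement_sum(header) == 0xFFFF


def build_header(ttl: int, checksum=None) -> bytes:
    """Constructed 20-byte IPv4 header (documentation addresses, protocol ICMP).

    The ID value 0xBA39 is a constructed sample picked so that TTL 3 yields
    checksum 0x1134, the figure used in the caveat text.
    """
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 84, 0xBA39, 0, ttl, 1, 0,
                      bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    if checksum is None:
        checksum = header_checksum(hdr)
    return hdr[:10] + struct.pack("!H", checksum) + hdr[12:]


def decrement_ttl(header: bytes) -> bytes:
    """Decrement TTL and patch the checksum incrementally (RFC 1624, eqn. 3).

    HC' = ~(~HC + ~m + m'), where m is the old TTL/protocol word and m' the new.
    The update is relative to the old checksum, so it does not repair a header
    whose checksum was already wrong.
    """
    old_word, old_ck = struct.unpack("!HH", header[8:12])
    new_word = old_word - 0x0100  # TTL is the high byte of this word
    total = (~old_ck & 0xFFFF) + (~old_word & 0xFFFF) + new_word
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    new_ck = ~total & 0xFFFF
    return header[:8] + struct.pack("!HH", new_word, new_ck) + header[12:]


def receive(header: bytes):
    """Expected forwarding behaviour: validate as received, then decrement.

    Returns the header to forward, or None when the packet must be dropped.
    """
    if not checksum_valid(header):
        return None  # checksum does not match the header as received
    if header[8] <= 1:
        return None  # TTL would expire
    return decrement_ttl(header)


if __name__ == "__main__":
    good = build_header(ttl=3)
    bad = build_header(ttl=3, checksum=0x1234)  # checksum computed for TTL 2
    print("correct checksum at TTL 3:", hex(header_checksum(good)))
    print("correct checksum at TTL 2:", hex(header_checksum(build_header(2))))
    print("mismatched packet dropped:", receive(bad) is None)
    print("still invalid after TTL update:", not checksum_valid(decrement_ttl(bad)))
```

The same four cases make a compact regression check when validating an upgraded image in a lab: a correct header, the caveat's mismatched header, and each after one hop.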
Open Caveats—Cisco IOS Release 12.1(19)E3
This section documents possible unexpected behavior by Cisco IOS Release 12.1(19)E3 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(19)E3.
Resolved Caveats—Cisco IOS Release 12.1(19)E3
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(19)E3. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdu06344
When a large number of flows is configured, the router either experiences performance issues or consumes more than its share of memory.
This problem occurs when NetFlow is configured on any interface.
There are no known workarounds.
•
CSCdx11686
The show policy-map interface statistics are incorrect on a Cisco 7200 series router with an NSE-1 processor board or a Cisco 7401 platform.
This issue occurs when you turn on the Parallel Express Forwarding (PXF) switch and apply a class-default policy on interfaces that use fair queue by default.
There are no known workarounds.
•
CSCdy09292
Physical inverse multiplexing over Asynchronous Transfer Mode (ATM) (IMA) ports are not indexed in the IF-MIB.
In the following example, the IF-MIB shows ATM1/IMA0 (index 43), but the interface is not indexed:
ifDescr.40 = ATM1/7-aal5 layer
ifDescr.41 = ATM1/7.0-aal5 layer
ifDescr.42 = Null0
ifDescr.43 = ATM1/ima0 <----
ifDescr.44 = ATM1/ima0-atm layer
ifDescr.45 = ATM1/ima0.0-atm subif
ifDescr.46 = ATM1/ima0-aal5 layer
ifDescr.47 = ATM1/ima0.0-aal5 layer
ifDescr.48 = ATM1/ima0.40-atm subif
ifDescr.49 = ATM1/ima0.40-aal5 layer
There are no known workarounds.
•
CSCdz44758
The %STANDBY-3-DIFFVIP1 message is sent out as 3 separate syslog messages.
This problem is caused by a Hot Standby Routing Protocol (HSRP) misconfiguration.
There are no known workarounds.
•
CSCeb78680
An integrated service adapter (ISA) card can undergo reset, resulting in a trigger of CSCeb27017 or merely a loss of all security associations (SAs). In the case of CSCeb27017 being triggered, the router may crash.
This problem occurs on a Cisco 7200 series router that is using an ISA card and is experiencing some packet memory buffer starvation. Under these conditions, a buffer alloc failure for the Internet Key Exchange (IKE) Cmd path results in the ISA card being reset by the ISA driver.
Workaround: Using VPN Acceleration Module (VAM) in place of ISA is a viable alternative.
Alternative workaround: Reduce traffic volume or remove egress packet bottlenecks.
•
CSCec03782
When compiled access control lists (ACLs) are enabled (using the access-list compiled config command), and the total number of ACL entries is relatively large (more than 1500 lines), under some traffic patterns such as random or continually varying flows, the compiled ACL tables may grow to the point where a memory allocation failure occurs due to internal memory fragmentation. After this occurs, there may be continuing attempts to recompile the ACLs that all fail due to memory allocation failures.
Workarounds: Possible workarounds include:
1) ACLs can sometimes be rearranged to make them shorter or less complex, which will also reduce the memory requirements.
2) Large ACLs used for Border Gateway Protocol (BGP) route prefixes should be converted to use a prefix-list configuration instead.
3) Disable and then re-enable compiled ACLs as follows:
no access-list compiled
access-list compiled
4) Disable compiled ACLs entirely.
•
CSCec12741
When compiled access control lists (ACLs) are enabled (using the access-list compiled config command), and the total number of ACL entries is relatively large (more than 1500 lines), under traffic stress the recompilation may cause CPUHOG messages. A side effect of this is that not enough time is provided for other processes, and this can impact areas such as keepalives or Cisco Express Forwarding (CEF) management.
Workaround: Disable and then re-enable compiled ACLs as follows:
no access-list compiled
access-list compiled
Alternative workaround: Disable compiled ACLs entirely.
Open Caveats—Cisco IOS Release 12.1(19)E2
This section documents possible unexpected behavior by Cisco IOS Release 12.1(19)E2 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(19)E2.
Resolved Caveats—Cisco IOS Release 12.1(19)E2
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(19)E2. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdu43164
A Cisco 7200 series router may experience a memory leak.
This problem occurs on a Cisco 7206VXR provider edge (PE) router that is running Cisco IOS Release 12.1(5a) in a Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) network. The memory leak is caused by the Border Gateway Protocol (BGP) I/O process and occurs at the rate of 100 to 130 KB per hour (about 2.5 to 3 MB per day) after the show memory summary | incl BGP privileged EXEC command is entered. This situation occurs regardless of whether the BGP neighbor is flapping.
The show memory summary | incl BGP privileged EXEC command indicates that the "BGP (1) update" function allocates memory without deallocating it again after the process is completed.
The following is command output from the show processes memory | incl BGP privileged EXEC command:
Router# show processes memory | incl bgp
PID TTY Allocated Freed Holding Getbufs Retbufs Process
...
104 0 35225695482139398320 21965976 297916 5184 BGP I/O
...
The following is command output from the show memory summary | incl BGP privileged EXEC command:
Router# show memory summary | incl bgp
Alloc PC Size Blocks Bytes What
...
0x607C42E0 65496 333 21810168 BGP (1)update
....
Workaround: Stop the session by using the clear ip BGP privileged EXEC command.
•
CSCdw34750
PA-VXx-xxx, PA-MCX-xxx, and PA-MC-8TE1+ display the red alarm LED if one or more ports are shut down.
Workaround: Use a "loop plug" connecting pin 1 to 4, and 2 to 5 in ports that are not used, and configure no shutdown.
•
CSCea72991
A VIP2-50 with an E1 controller running Cisco IOS Release 12.2(16) may record the following error message:
3d23h: %SYS-2-QCOUNT: Bad deqeueue 60B71288 count 0
-Process= "<interrupt level>", ipl= 1
-Traceback=
The problem occurs after removing/reconfiguring some timeslots as follows:
Controller x/x/x
no channel-group 0 timeslots
And then:
Controller x/x/x
channel-group 0 timeslots x
Workaround: Remove the Frame Relay map-class from the interface before changing the channel configuration.
•
CSCea75677
When running an NPE-G1 on a Cisco 7206 VXR router with Cisco IOS Release 12.1(14)E and basic Multiprotocol Label Switching (MPLS) configured (ip2tag - tag2ip), the router crashes when sending traffic of 1518-byte packets. Without MPLS configured, traffic of 1518-byte packets is sent.
There are no known workarounds.
•
CSCeb00104
When configuration changes are made, a Cisco 7500 series Versatile Interface Processor (VIP) may pause indefinitely, produce large numbers of spurious memory accesses, or reload. This situation may cause the router to detect that interfaces on the VIP are not sending packets and to report that the output of the interfaces is stuck.
This problem occurs on a Cisco 7500 series router that is configured for fragmentation and shaping on a Frame Relay interface using the modular quality of service (QoS) CLI (MQC).
Workaround: Before you make quality of service (QoS) policy or Frame Relay fragmentation changes on an interface of the VIP, enter the shutdown interface configuration command on the interface.
•
CSCeb00351
When an IOS Server Load Balancing (IOS-SLB) virtual server for RADIUS load balancing is configured with the msid-cisco option, Accounting-Start RADIUS requests from a Home Agent may not be load-balanced to the same real as the Access-Request.
This issue occurs because the virtual server must be configured for service radius and with sticky radius username msid-cisco [group num].
There are no known workarounds.
•
CSCeb33403
When clients move from one subnet to another subnet on a router with Multilayer Switch Feature Card (MSFC) acting as a Cisco IOS Dynamic Host Configuration Protocol (DHCP) server, the clients retain old addresses rather than getting new ones.
Sniffer traces reveal that when clients request to use the old address in the new subnet with a DHCP request, the MSFC does not NAK and then the Windows 2000 XP client retains the old address.
This behavior occurs on wireless as well as wired clients.
There are no known workarounds.
•
CSCeb34117
A Cisco 7500 series router running Cisco IOS Release 12.1(19)E, with installed FastEthernet interfaces, may report the following error for each FastEthernet interface whenever a show run or wr mem command is issued:
%PARSER-3-BADSUBCMD: Unrecognized subcommand 0 in interface command 'media-type'
The defect is cosmetic; it has no impact on the operation of the router.
There are no known workarounds.
•
CSCeb34375
A Cisco 7500 series router running Multilink Point-to-point Protocol (MLPPP) with distributed Cisco Express Forwarding (dCEF) enabled may drop packets that are received from the peer router if the packets use a form of compression.
This problem is not seen with route switch processor (RSP)-based Cisco Express Forwarding (CEF).
Workaround: When the problem occurs, reset the multilink interface.
•
CSCeb45208
An integrated service adapter (ISA) card can cease to process commands and packets, resulting in a crypto-processing deadlock. An error "1510" typically results, and packet flow through the card ceases.
This issue occurs on a Cisco 7200 series router that is using Cisco Express Forwarding (CEF) or Fast-switching, using an integrated services adapter (ISA) card, and is configured such that a single packet requires multiple passes through the ISA (such as a hub router terminating multiple tunnels and/or using Generic Routing Encapsulation (GRE) with IPSec). Under these conditions a burst of traffic or generally medium-to-high traffic levels (above 40Mbps) can trigger the problem.
Workaround: Using the VPN Acceleration Module (VAM) in place of ISA is a viable alternative.
Alternative workaround: Use process switching.
•
CSCeb54936
Cisco IOS does not provide all 96 intervals consistently on both T3 and T1 interfaces. The clocking used for the 15-minute interval is also off.
There are no known workarounds.
•
CSCuk34244
When a packet is received through one tunnel and Cisco Express Forwarding (CEF)-switched into another tunnel, the router may reload with a DMA error.
This problem occurs because the first tunnel encapsulation has been replaced with the second tunnel encapsulation and the second tunnel requires the newly tunnel-encapsulated packet to be punted from CEF switching to a slower switching path. This problem occurs on Cisco 7200 or Cisco 7400 platforms.
There are no known workarounds.
Open Caveats—Cisco IOS Release 12.1(19)E1
This section documents possible unexpected behavior by Cisco IOS Release 12.1(19)E1 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(19)E1.
Resolved Caveats—Cisco IOS Release 12.1(19)E1
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(19)E1. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdu53656
A Cisco device running IOS and enabled for the Border Gateway Protocol (BGP) is vulnerable to a Denial of Service (DoS) attack from a malformed BGP packet. The BGP protocol is not enabled by default, and must be configured in order to accept traffic from an explicitly defined peer. Unless the malicious traffic appears to be sourced from a configured, trusted peer, it would be difficult to inject a malformed packet. BGP MD5 is a valid workaround for this problem.
Cisco has made free software available to address this problem. For more details, please refer to this advisory, available at http://www.cisco.com/warp/public/707/cisco-sa-20040616-bgp.shtml.
•
CSCdx22164
A Versatile Interface Processor (VIP) running Cisco IOS Release 12.2(06d) generates the following traceback when 300 Asynchronous Transfer Mode (ATM) virtual circuits (VCs) are configured on the route switch processor (RSP):
00:00:44: %IPC-5-NULL: Registering Control Port Id=0x1000003, seq = 0
-Traceback= 602CE704 602CE968 602CEA30 600DABAC 600DAB98
There are no known workarounds.
•
CSCdy85420
A Cisco IOS router may fail to send a Diffie-Hellman (DH) key delete notification to the crypto accelerator. Because of this failure, the crypto accelerator runs out of DH entries and Internet Key Exchange (IKE) security association (SA) negotiations fail. One manifestation of this problem will be a continuous increase of the DH active counter in the output of the show crypto eli command.
This failure occurs when IKE SA negotiation fails after creating the DH shared secret, and typically occurs with slow links.
Workaround: Shut down and enable the crypto hardware. Note that resetting the hardware results in loss of all active tunnels.
•
CSCdz83019
In a virtual private dial-up network (VPDN) scenario where a Layer 2 Tunneling Protocol (L2TP) access concentrator (LAC) negotiates an authentication protocol that is not listed as a valid authentication protocol according to the L2TP network server (LNS) configuration, the LNS accepts the negotiated options and proceeds to using the authentication protocol set by the LAC. The expected behavior would be that the LNS either disconnects the call or renegotiates the link control protocol (LCP), based on the lcp renegotiate configuration under the VPDN group.
Workaround: Use the lcp renegotiation always configuration.
•
CSCea13379
A router that is not the RP for a group gets periodic (*,G) joins with sgr prune, and at times processes the (*,G) join very quickly, before seeing the sgr prune. As a result, the router sends only a (*,G) join to the RP, which is incorrect.
There are no known workarounds.
•
CSCea14064
The router crashes when an L3 cache parity error happens. Typically, this crash is due to a cache parity exception in the L3 cache.
This fix changes the parity exception handling mechanism on the NPE-400 based routers so that the router automatically recovers from the parity error exception in most cases (recovery is estimated to succeed in 70% of parity error occurrences) without crashing the router.
There are no known workarounds.
•
CSCea28131
A Cisco device running IOS and enabled for the Border Gateway Protocol (BGP) is vulnerable to a Denial of Service (DoS) attack from a malformed BGP packet. The BGP protocol is not enabled by default, and must be configured in order to accept traffic from an explicitly defined peer. Unless the malicious traffic appears to be sourced from a configured, trusted peer, it would be difficult to inject a malformed packet. BGP MD5 is a valid workaround for this problem.
Cisco has made free software available to address this problem. For more details, please refer to this advisory, available at http://www.cisco.com/warp/public/707/cisco-sa-20040616-bgp.shtml.
•
CSCea28902
Under heavy load (100Mbits/s), and after a period of time of several hours, a router with a VPN Acceleration Module (VAM) accelerator might stop encrypting traffic.
The following log messages can be seen:
IPSECcard: an error coming back 0x1510
and
isa_hsp_device_stats_callback: ** error 0x1510 in processing cmd=18 **
There are no known workarounds.
•
CSCea51540
The IP Control Protocol (IPCP) times out during a link control protocol (LCP) negotiation.
This problem occurs when dial-up networking (DUN) is used to connect to a Cisco router. Subsequent calls will fail in LCP. The problem is not observed if the user is using only PPP.
There are no known workarounds if both dialing methods are requested.
•
CSCea68105
A Cisco router may experience a software-forced reload and display the following error messages and traceback:
%SYS-3-BADMAGIC: Corrupt block at 62BD8744 (magic 7E694826)
-Traceback= 60647D88 60648DB4 60646B80 6132AB74 6132B840 60791AE8 605B5B40
605B7 384 605B5C6C 613247E0 6078D338 6078FF20 607903A4 607905A0 6063A14C
6063A138
%SYS-6-MTRACE: mallocfree: addr, pc 62BEA518,600014EC 62BE9CEC,6132AAC4
62BD7740,61324790 62BD7740,40000802 62AD3334,6132477C 62AD3334,4000001E
62BE9CEC,6132AB6C 62BE9CEC,40000402
This problem occurs on a Cisco 200 series router that has a Service Adapter Virtual Private Network (VPN) Acceleration Module (SA-VAM) and that is being accessed by way of Cisco VPN Device Manager (VDM) Version 1.2 and HTTP Secure (HTTPS).
Workaround: Use the command-line interface (CLI) to monitor the router.
•
CSCeb03367
When configuring Asynchronous Transfer Mode (ATM) bundles, the router may reload.
There are no known workarounds.
•
CSCeb05672
IOS Server Load Balanced (SLB) packets that are switched at process level instead of at Forwarding Information Base (FIB) level may be dropped by the router.
The problem occurs when the virtual IP address is a dynamic alias. This occurs when the virtual IP address is a member of a subnet on a router interface.
Workaround: Enable Cisco Express Forwarding (CEF) switching using the global ip cef command and the interface ip route-cache cef command.
•
CSCeb09340
When the maximum number of RADIUS Load Balancer (RLB) sticky subscribers for a real server (SSG1) is exceeded, the RLB does not pass AcctStop packets (from GGSN) to SSG1 for the existing host objects, but to the next SSG in the round robin pool. The next SSG proxies the AcctStop packets to the AAA server, which then closes the corresponding RADIUS sessions. This behavior results in stale host objects on the first SSG.
There are no known workarounds.
Open Caveats—Cisco IOS Release 12.1(19)E
This section documents possible unexpected behavior by Cisco IOS Release 12.1(19)E and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(19)E.
Resolved Caveats—Cisco IOS Release 12.1(19)E
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(19)E. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdu28163
When the no redistribute rip metric metrics command is used, the redistributed connected Routing Information Protocol (RIP) routes still exist in the Enhanced Interior Gateway Routing Protocol (EIGRP) topology tables.
Workaround: Enter the no redistribute rip command without the "metrics" attribute in the EIGRP configuration to delete the RIP routes from the topology table.
•
CSCdz71127
Cisco routers and switches running Cisco IOS software and configured to process Internet Protocol version 4 (IPv4) packets are vulnerable to a Denial of Service (DoS) attack. A rare sequence of crafted IPv4 packets sent directly to the device may cause the input interface to stop processing traffic once the input queue is full. No authentication is required to process the inbound packet. Processing of IPv4 packets is enabled by default. Devices running only IP version 6 (IPv6) are not affected. A workaround is available.
Cisco has made software available, free of charge, to correct the problem.
This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml.
•
CSCea02355
Cisco routers and switches running Cisco IOS software and configured to process Internet Protocol version 4 (IPv4) packets are vulnerable to a Denial of Service (DoS) attack. A rare sequence of crafted IPv4 packets sent directly to the device may cause the input interface to stop processing traffic once the input queue is full. No authentication is required to process the inbound packet. Processing of IPv4 packets is enabled by default. Devices running only IP version 6 (IPv6) are not affected. A workaround is available.
Cisco has made software available, free of charge, to correct the problem.
This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml.
•
CSCea38882
A Cisco 7200 series router may reload because the packet cleanup is not performed completely in the interrupt path of an enhanced Asynchronous Transfer Mode (ATM) port adapter (PA-A3).
There are no known workarounds.
•
CSCea79756
Parallel Express Forwarding (PXF) fails on a Cisco 7200 series router with the %PXF-2-EXCEPTION: PXF exception and does not come back. In addition, interface flaps occur.
Workaround: Reload the router and disable PXF.
•
CSCea90880
A router running Cisco IOS Release 12.2(16), 12.1(E) or 12.1(19)E may reload due to a bus error when executing the show frame-relay pvc command.
This problem arises only when two users access the same Data-Link Connection Identifier (DLCI) at the same time, because the pvc data structure is not locked.
Workaround: Avoid editing the same DLCI at the same time.
•
CSCeb06567
When a lot of flows exist, the Parallel Express Forwarding (PXF) microcode may go into an infinite loop and trigger an IHB exception - watchdog timer expired error.
Workaround: Disable PXF.
•
CSCin42495
A "%CBUS-3-CMDTIMEOUT" message may be displayed on the Versatile Interface Processor (VIP) of a router after the no shutdown interface configuration command is issued on the Asynchronous Transfer Mode (ATM) interface.
This problem occurs on a Cisco 7513 router that has a Route Switch Processor-4 (RSP-4), a Versatile Interface Processor 2 Model 40 (VIP2-40), and a PA-A3-OC3 ATM port adapter and that is running Cisco IOS Release 12.1(12).
There are no known workarounds.
Open Caveats—Cisco IOS Release 12.1(14)E10
This section documents possible unexpected behavior by Cisco IOS Release 12.1(14)E10 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(14)E10.
Resolved Caveats—Cisco IOS Release 12.1(14)E10
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(14)E10. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCed27956
A vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences beyond terminated connection which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer) and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality.
All Cisco products that contain a TCP stack are susceptible to this vulnerability.
This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS® software.
A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.
•
CSCed28873
Cisco products running IOS contain vulnerabilities in the processing of H.323 messages, which are typically used in packetized voice or multimedia applications. Features such as NAT and IOS Firewall must inspect H.323 messages and may be vulnerable as well. A test suite has been developed by the University of Oulu to target this protocol and identify vulnerabilities.
Support for the H.323 protocol was introduced in Cisco IOS Software Release 11.3T, and all later Cisco IOS releases are affected if configured for various types of Voice/Multimedia Application support. The vulnerabilities can be exploited repeatedly to produce a denial of service (DoS).
There are workarounds available that may mitigate the impact, but these techniques may not be appropriate for use in all customer networks. This advisory is available at:
http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml.
•
CSCed38527
A vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences beyond terminated connection which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer) and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality.
All Cisco products which contain TCP stack are susceptible to this vulnerability.
This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS® software.
A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.
•
CSCin56408
Cisco products running IOS contain vulnerabilities in the processing of H.323 messages, which are typically used in packetized voice or multimedia applications. Features such as NAT and IOS Firewall must inspect H.323 messages and may be vulnerable as well. A test suite has been developed by the University of Oulu to target this protocol and identify vulnerabilities.
Support for the H.323 protocol was introduced in Cisco IOS Software Release 11.3T, and all later Cisco IOS releases are affected if configured for various types of Voice/Multimedia Application support. The vulnerabilities can be exploited repeatedly to produce a denial of service (DoS).
There are workarounds available that may mitigate the impact, but these techniques may not be appropriate for use in all customer networks. This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml.
Open Caveats—Cisco IOS Release 12.1(14)E8
This section documents possible unexpected behavior by Cisco IOS Release 12.1(14)E8 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(14)E8.
Resolved Caveats—Cisco IOS Release 12.1(14)E8
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(14)E8. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdx40184
Cisco products running IOS contain vulnerabilities in the processing of H.323 messages, which are typically used in packetized voice or multimedia applications. Features such as NAT and IOS Firewall must inspect H.323 messages and may be vulnerable as well. A test suite has been developed by the University of Oulu to target this protocol and identify vulnerabilities.
Support for the H.323 protocol was introduced in Cisco IOS Software Release 11.3T, and all later Cisco IOS releases are affected if configured for various types of Voice/Multimedia Application support. The vulnerabilities can be exploited repeatedly to produce a denial of service (DoS).
There are workarounds available that may mitigate the impact, but these techniques may not be appropriate for use in all customer networks. This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml.
•
CSCdx76632
Cisco products running IOS contain vulnerabilities in the processing of H.323 messages, which are typically used in packetized voice or multimedia applications. Features such as NAT and IOS Firewall must inspect H.323 messages and may be vulnerable as well. A test suite has been developed by the University of Oulu to target this protocol and identify vulnerabilities.
Support for the H.323 protocol was introduced in Cisco IOS Software Release 11.3T, and all later Cisco IOS releases are affected if configured for various types of Voice/Multimedia Application support. The vulnerabilities can be exploited repeatedly to produce a denial of service (DoS).
There are workarounds available that may mitigate the impact, but these techniques may not be appropriate for use in all customer networks. This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml.
•
CSCea46342
Cisco products running IOS contain vulnerabilities in the processing of H.323 messages, which are typically used in packetized voice or multimedia applications. Features such as NAT and IOS Firewall must inspect H.323 messages and may be vulnerable as well. A test suite has been developed by the University of Oulu to target this protocol and identify vulnerabilities.
Support for the H.323 protocol was introduced in Cisco IOS Software Release 11.3T, and all later Cisco IOS releases are affected if configured for various types of Voice/Multimedia Application support. The vulnerabilities can be exploited repeatedly to produce a denial of service (DoS).
There are workarounds available that may mitigate the impact, but these techniques may not be appropriate for use in all customer networks. This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml.
•
CSCeb78836
Cisco products running IOS contain vulnerabilities in the processing of H.323 messages, which are typically used in packetized voice or multimedia applications. Features such as NAT and IOS Firewall must inspect H.323 messages and may be vulnerable as well. A test suite has been developed by the University of Oulu to target this protocol and identify vulnerabilities.
Support for the H.323 protocol was introduced in Cisco IOS Software Release 11.3T, and all later Cisco IOS releases are affected if configured for various types of Voice/Multimedia Application support. The vulnerabilities can be exploited repeatedly to produce a denial of service (DoS).
There are workarounds available that may mitigate the impact, but these techniques may not be appropriate for use in all customer networks. This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml.
•
CSCec76776
Cisco products running IOS contain vulnerabilities in the processing of H.323 messages, which are typically used in packetized voice or multimedia applications. Features such as NAT and IOS Firewall must inspect H.323 messages and may be vulnerable as well. A test suite has been developed by the University of Oulu to target this protocol and identify vulnerabilities.
Support for the H.323 protocol was introduced in Cisco IOS Software Release 11.3T, and all later Cisco IOS releases are affected if configured for various types of Voice/Multimedia Application support. The vulnerabilities can be exploited repeatedly to produce a denial of service (DoS).
There are workarounds available that may mitigate the impact, but these techniques may not be appropriate for use in all customer networks. This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml.
•
CSCin56408
Cisco products running IOS contain vulnerabilities in the processing of H.323 messages, which are typically used in packetized voice or multimedia applications. Features such as NAT and IOS Firewall must inspect H.323 messages and may be vulnerable as well. A test suite has been developed by the University of Oulu to target this protocol and identify vulnerabilities.
Support for the H.323 protocol was introduced in Cisco IOS Software Release 11.3T, and all later Cisco IOS releases are affected if configured for various types of Voice/Multimedia Application support. The vulnerabilities can be exploited repeatedly to produce a denial of service (DoS).
There are workarounds available that may mitigate the impact, but these techniques may not be appropriate for use in all customer networks. This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml.
Open Caveats—Cisco IOS Release 12.1(14)E7
This section documents possible unexpected behavior by Cisco IOS Release 12.1(14)E7 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(14)E7.
Resolved Caveats—Cisco IOS Release 12.1(14)E7
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(14)E7. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdz89972
The media-type mii interface configuration command cannot be configured on a Fast Ethernet interface on a Cisco router.
This problem occurs on a Cisco 7500 series router.
There are no known workarounds.
•
CSCeb54850
A Cisco router might not save the media-type mii configuration for a FastEthernet interface in the startup-config. When the router is reloaded, it will use the default configuration and the line protocol on the interface may not come up.
Workaround: Reconfigure media-type mii on the interface after restarting the router.
•
CSCeb85136
An IP packet that is sent with an invalid IP checksum may not be dropped.
This problem occurs if the IP checksum is calculated with a decreased Time To Live (TTL) value. For example, in the situation where the IP checksum must be 0x1134 with a TTL of 3, if the packet is sent with an IP checksum of 0x1234 that is calculated by using a TTL value of 2, the packet is not dropped. In all other cases, packets with incorrect checksums are dropped.
There are no known workarounds.
•
CSCec10234
Ethernet redundancy may not function with Inter-Switch Link (ISL) trunking.
This problem occurs on a Cisco router or switch that is configured for data-link switching (DLSw) and Ethernet Redundancy (ER).
There are no known workarounds.
•
CSCec21331
A Cisco 7200 series router reports "%ALIGN-3-TRACE."
There are no known workarounds.
•
CSCec23982
A Cisco 7500 series router may experience high CPU on a Versatile Interface Processor (VIP) which leads to latency on all interfaces of the VIP.
This issue occurs when Network Based Application Recognition (NBAR) is configured to match Kazaa as a protocol or NBAR protocol discovery is enabled.
Workaround: Load version 6.0 or later Kazaa2 PDLM.
•
CSCec46274
New vulnerabilities in the OpenSSL implementation for SSL have been announced.
An affected network device running an SSL server based on the OpenSSL implementation may be vulnerable to a Denial of Service (DoS) attack when presented with a malformed certificate by a client. The network device is vulnerable to this vulnerability even if it is configured to not authenticate certificates from the client. There are workarounds available to mitigate the effects of these vulnerabilities.
This advisory will be posted at
http://www.cisco.com/warp/public/707/cisco-sa-20030930-ssl.shtml.
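For CSCeb85136 above, the following added example (not part of the Cisco release notes) reproduces the arithmetic behind the 0x1134/0x1234 figures and shows a receiver-side check that validates before rewriting the TTL and flags this specific pattern in captured headers. The header fields, addresses and function names are constructed for illustration; the release notes do not state the root cause, and none is modelled here.

```python
import struct

# Constructed sample: a 20-byte IPv4 header (no options) whose correct
# checksum is 0x1134 at TTL 3, matching the figures in the caveat text.
# Addresses come from documentation ranges (RFC 5737); all values are made up.
def build_header(ttl, checksum):
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0x00, 40,            # version/IHL, TOS, total length
        0x7A60, 0x4000,            # identification, flags (DF) / fragment offset
        ttl, 6, checksum,          # TTL, protocol (TCP), header checksum
        bytes([192, 0, 2, 1]),     # source address
        bytes([198, 51, 100, 7]),  # destination address
    )

def ones_complement_sum(data):
    """16-bit one's-complement sum of an even-length byte string."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def compute_checksum(header):
    """Checksum a sender should place in the header (field treated as 0)."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return ~ones_complement_sum(zeroed) & 0xFFFF

def checksum_ok(header):
    """Receiver check: the sum over the whole header must fold to 0xFFFF."""
    return ones_complement_sum(header) == 0xFFFF

def decrement_ttl(header):
    """Forwarding rewrite: TTL - 1 with the RFC 1624 incremental update
    HC' = ~(~HC + ~m + m'), where m is the old TTL/protocol word."""
    old_word, old_ck = struct.unpack("!HH", header[8:12])
    new_word = old_word - 0x0100   # TTL is the high byte of this word
    acc = (~old_ck & 0xFFFF) + (~old_word & 0xFFFF) + new_word
    while acc >> 16:
        acc = (acc & 0xFFFF) + (acc >> 16)
    new_ck = ~acc & 0xFFFF
    return header[:8] + struct.pack("!HH", new_word, new_ck) + header[12:]

def forward(header):
    """Validate on ingress, before any field is rewritten; drop on failure."""
    if not checksum_ok(header) or header[8] <= 1:
        return None
    return decrement_ttl(header)

def classify(header):
    """Label a captured header; single out the pattern the caveat describes."""
    if checksum_ok(header):
        return "valid"
    ttl = header[8]
    if ttl > 0:
        lowered = header[:8] + bytes([ttl - 1]) + header[9:]
        if checksum_ok(lowered):
            return "invalid: checksum matches TTL-1"
    return "invalid"

if __name__ == "__main__":
    # Lowering the TTL by one raises the correct checksum by exactly 0x0100.
    print(hex(compute_checksum(build_header(3, 0))))
    print(hex(compute_checksum(build_header(2, 0))))
    for ck in (0x1134, 0x1234, 0xBEEF):
        pkt = build_header(3, ck)
        print(hex(ck), classify(pkt), "forwarded" if forward(pkt) else "dropped")
```

The incremental update carries an existing checksum error forward unchanged, so a header that was invalid on ingress is still invalid after `decrement_ttl`; only the ingress check in `forward` can drop it.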
Open Caveats—Cisco IOS Release 12.1(14)E6
This section documents possible unexpected behavior by Cisco IOS Release 12.1(14)E6 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(14)E6.
Resolved Caveats—Cisco IOS Release 12.1(14)E6
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(14)E6. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdu06344
When a large number of flows are configured, the router either experiences performance problems or consumes more memory than its share.
This problem occurs when NetFlow is configured on any interface.
There are no known workarounds.
•
CSCdw34750
PA-VXx-xxx, PA-MCX-xxx, and PA-MC-8TE1+ display the red alarm LED if one or more ports are shut down.
Workaround: Use a "loop plug" connecting pin 1 to 4, and 2 to 5 in ports that are not used, and configure no shutdown.
•
CSCdy15497
Because of a re-entrancy problem with chunks, it is possible under some corner cases to see a crash with applications using chunk memory.
There are no known workarounds.
•
CSCdy33645
With the addition of packet-by-packet compression on a serial interface, followed by enabling ip cef globally, a punt adjacency is created for that interface. However, the subsequent removal of packet-by-packet compression on that interface does not result in the removal of the punt adjacency for that interface.
There are no known workarounds.
•
CSCdz29800
The clockrate xxx does not show up in the running config after configuring a data communications equipment (DCE) serial interface with the clock rate xxx command. After a reload, the DCE serial interface defaults back to a clock rate of 0.
This issue occurs on a DCE serial interface on a router running Cisco IOS Releases 12.1(14)E and 12.2(13)T.
Workaround: The clockrate specified, not showing up in the running config, is cosmetic. You can view the true clock rate using the show controller cbus command. If you reload the router, the clock rate xxx command must be re-applied at the DCE serial interface.
For example:
config t
interface serial 2/1/0
clock rate 128000
show controller cbus
Mx Serial(4), HW Revision 0x3, FW Revision 3.101
Serial2/1/0, applique is V.35 DCE
received clockrate 128000 <<<VERIFY CLOCK RATE
gfreeq 48000178, lfreeq 48000248 (1536 bytes)
rxlo 4, rxhi 116, rxcurr 1, maxrxcurr 3
txq 48001AA0, txacc 48001AA2 (value 6), txlimit 6
•
CSCdz44758
The %STANDBY-3-DIFFVIP1 message is sent out as 3 separate syslog messages.
This problem is caused by a Hot Standby Routing Protocol (HSRP) misconfiguration.
There are no known workarounds.
•
CSCeb44600
On a Cisco 7500 series router, the command service single-slot-reload-enable may become disabled and disappear from the running-config when a write mem or copy run start is entered and the router is reloaded.
Workaround: After all configuration changes have been made and saved, add the command service single-slot-reload-enable to the running-config, do not save it, and reload the router.
•
CSCec03782
When compiled access control lists (ACLs) are enabled (using the access-list compiled config command), and the total number of ACL entries is relatively large (more than 1500 lines), under some traffic patterns such as random or continually varying flows, the compiled ACL tables may grow to the point where a memory allocation failure occurs due to internal memory fragmentation. After this occurs, there may be continuing attempts to recompile the ACLs that all fail due to memory allocation failures.
Workarounds: Possible workarounds include:
1) ACLs can sometimes be rearranged to make them shorter or less complex, which will also reduce the memory requirements.
2) Large ACLs used for Border Gateway Protocol (BGP) route prefixes should be converted to use a prefix-list configuration instead.
3) Disable and then re-enable compiled ACLs as follows:
no access-list compiled
access-list compiled
4) Disable compiled ACLs entirely.
•
CSCec12741
When compiled access control lists (ACLs) are enabled (using the access-list compiled config command), and the total number of ACL entries is relatively large (more than 1500 lines), under traffic stress the recompilation may cause CPUHOG messages. A side effect of this is that not enough time is provided for other processes, and this can impact areas such as keepalives or Cisco Express Forwarding (CEF) management.
Workaround: Disable and then re-enable compiled ACLs as follows:
no access-list compiled
access-list compiled
Alternative workaround: Disable compiled ACLs entirely.
Open Caveats—Cisco IOS Release 12.1(14)E5
This section documents possible unexpected behavior by Cisco IOS Release 12.1(14)E5 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(14)E5.
Resolved Caveats—Cisco IOS Release 12.1(14)E5
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(14)E5. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdr61944
A Cisco router running Cisco IOS Release 12.0(7)T may unexpectedly reload if more than one person is configuring an Asynchronous Transfer Mode (ATM) interface at the same time.
If one person (or session) is configuring a permanent virtual circuit (PVC) while another person (or session) performs a shut/no shut on the interface where this PVC is configured, the router may reload. The router may also reload if the other person deletes the same PVC (with a no pvc x/y command).
Workaround: Do not delete a PVC or shut an ATM interface while the same PVC is being actively configured by other sessions. Delete the PVC or shut the ATM interface only after all other users have completed the PVC configuration.
•
CSCdy85420
A Cisco IOS router may fail to send a Diffie-Hellman (DH) key delete notification to the crypto accelerator. Because of this failure, the crypto accelerator runs out of DH entries and Internet Key Exchange (IKE) security association (SA) negotiations fail. One manifestation of this problem will be a continuous increase of the DH active counter in the output of the show crypto eli command.
This failure occurs when IKE SA negotiation fails after creating the DH shared secret, and typically occurs with slow links.
Workaround: Shut down and enable the crypto hardware. Note that resetting the hardware results in loss of all active tunnels.
•
CSCdz83019
In a virtual private dial-up network (VPDN) scenario where a Layer 2 Tunneling Protocol (L2TP) access concentrator (LAC) negotiates an authentication protocol that is not listed as a valid authentication protocol according to the L2TP network server (LNS) configuration, the LNS accepts the negotiated options and proceeds to using the authentication protocol set by the LAC. The expected behavior would be that the LNS either disconnects the call or renegotiates the link control protocol (LCP), based on the lcp renegotiate configuration under the VPDN group.
Workaround: Use the lcp renegotiation always configuration.
•
CSCea28902
Under heavy load (100Mbits/s), after a period of time of several hours, a router with a VPN Acceleration Module (VAM) might stop encrypting traffic.
The following messages can be seen in the logs:
IPSECcard: an error coming back 0x1510
and
isa_hsp_device_stats_callback: ** error 0x1510 in processing cmd=18 **
There are no known workarounds.
•
CSCea51540
The IP Control Protocol (IPCP) times out during a link control protocol (LCP) negotiation.
This problem occurs when dial-up networking (DUN) is used to connect to a Cisco router. Subsequent calls will fail in LCP. The problem is not observed if the user is using only PPP.
There are no known workarounds if both dialing methods are requested.
•
CSCea75677
When running an NPE-G1 on Cisco 7206 VXR router with Cisco IOS Release 12.1(14)E and basic Multiprotocol Label Switching (MPLS) configured (ip2tag - tag2ip), the router crashes when sending traffic of 1518 byte packets. Without MPLS configured, traffic of 1518 byte packets is sent. There are no known workarounds.
•
CSCin21199
Spurious memory accesses may occur during the bootup process of a Cisco 7200 series router, or the router may reload during the bootup process.
This problem occurs on a Cisco 7200 series router that is configured with an enhanced 8-port multichannel T1/E1 PRI port adapter (PA-MC-8TE1+) configured in T1 mode and that is configured with a 2-port multichannel T1 port adapter (PA-MC-2T1), a 4-port multichannel T1 port adapter (PA-MC-4T1), or an 8-port multichannel T1 port adapter (PA-MC-8T1).
There are no known workarounds.
Open Caveats—Cisco IOS Release 12.1(14)E4
This section documents possible unexpected behavior by Cisco IOS Release 12.1(14)E4 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(14)E4.
Resolved Caveats—Cisco IOS Release 12.1(14)E4
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(14)E4. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdu53656
A Cisco device running IOS and enabled for the Border Gateway Protocol (BGP) is vulnerable to a Denial of Service (DOS) attack from a malformed BGP packet. The BGP protocol is not enabled by default, and must be configured in order to accept traffic from an explicitly defined peer. Unless the malicious traffic appears to be sourced from a configured, trusted peer, it would be difficult to inject a malformed packet. BGP MD5 is a valid workaround for this problem.
Cisco has made free software available to address this problem. For more details, please refer to this advisory, available at http://www.cisco.com/warp/public/707/cisco-sa-20040616-bgp.shtml.
•
CSCdv33860
A router doing Cisco Express Forwarding (CEF) over a LAN Emulation (LANE) interface may run into a condition where packets that are being CEF switched out of the LANE interface get dropped. This scenario can be diagnosed in the adjacency entries for an interface that is experiencing this problem. For example, for a faulty adjacency, you may see the following:
router#sh adjacency detail | include 10.10.10.10
IP ATM3/0/0.2 router(6) (10.10.10.10)
IP ATM3/0/0.2 router(51) (10.10.10.10) (incomplete)
IP ATM3/0/0.2 router(3) (10.10.10.10)
whereas for a working adjacency, you may see the following:
router#sh adjacency detail | include 10.10.10.10
IP ATM3/0/0.2 router(6) (10.10.10.10)
IP ATM3/0/0.2 router(51) (10.10.10.10) (incomplete)
Entering a clear cef adjacency command should clear up the condition.
Workaround: Disable Cisco Express Forwarding (CEF) switching on this interface.
•
CSCdw32776
The sbip, lbip, pbip counters displayed by the show controller atm output are not counting B1, B2, or B3 BIP8 errors correctly.
This problem occurs when SONET B1, B2, or B3 BIP8 errors are injected into the Asynchronous Transfer Mode (ATM) OC-3 port adapter.
There are no known workarounds.
•
CSCdw62064
Inbound data packets that are reassembled from multilink fragments may not be processed properly on Multilink PPP (MLP) interfaces that are receiving encrypted IP Security (IPSec) traffic that is terminated locally when a hardware accelerator is used for decryption.
This problem affects all inbound reassembled data frames that are received by the bundle and not just those data frames that are carrying encrypted IP datagrams. Most significantly, inbound Internet Security Association and Key Management Protocol (ISAKMP) keepalives are not processed, leading to the eventual failures of the associated IPSec sessions.
The IPSec sessions are reestablished after each failure, but traffic drops occur until the session is renegotiated using the Internet Key Exchange (IKE). The observable symptoms are an intermittent failure of IPSec sessions combined with high loss rates in the encrypted data traffic.
Workaround: Disable hardware crypto acceleration, and use software crypto acceleration instead.
•
CSCdw83504
When using Generic Routing Encapsulation (GRE) tunnels with IPSec, the IPsec SA Path MTU is set incorrectly when the router is reloaded. The MTU 1514 value is incorrectly selected from the GRE tunnel interface rather than the IP MTU value from the physical outgoing interface. If the physical outgoing interface has an MTU size greater than 1514 and there are problems with Path MTU Discovery (PMTUD), then TCP packets that are larger than 1514 bytes and have the DF (don't fragment) bit set will be dropped. If the Internet Control Message Protocol (ICMP) error message, packet too large and DF bit set (type 3, code 4), from this router to the sending host is blocked, then that TCP connection will fail.
The IPsec SA Path MTU value can be triggered to reset to the correct value with the clear crypto sa command.
To clear just a single IPsec SA, use the clear crypto sa peer remote-peer-address command.
Once cleared, the IPsec crypto SA will use the correct MTU size until the next reload.
More detailed information about IP Fragmentation and PMTUD can be found at
http://www.cisco.com/en/US/tech/tk648/tk369/technologies_white_paper09186a00800d6979.shtml
There are no known workarounds.
•
CSCdx50108
If the router is Simple Network Management Protocol (SNMP)-polled using an IPSec tunnel that terminates on the same router, the following message may appear and the SNMP reply never gets through the tunnel:
01:18:16: %SYS-2-GETBUF: Bad getbuffer, bytes= -41
-Process= "IP SNMP", ipl= 0, pid= 92
-Traceback= 605FB078 611F4584 611F4918 611F49C4 611F4A40 611F134C 611F1A7C
61212450 607471D4 60746350 60746784 60715A80 60772EEC 607735D8 6063834C
60638338
Workaround: Bound the maximum size of the SNMP replies so that no fragmentation is required as follows:
snmp-server packetsize 1300
Alternative workaround: Disable prefragmentation using the crypto ipsec fragmentation after-encryption command in the global configuration mode. Ensure that it is not overridden by an interface prefragmentation configuration.
•
CSCdx65337
A memory leak on the LC OC3 (Eng0) causes a Cisco Express Forwarding (CEF) LC stat malloc failure.
Workaround: Do not use ip cef table consistency-check type lc-detect.
•
CSCdy31164
Cisco Express Forwarding (CEF) may become disabled on the Versatile Interface Processor (VIP) of the route switch processor (RSP).
This problem occurs on a Cisco 7500 series router running Cisco IOS Release 12.2(13)T.
Workaround: Reload the line card, or reload the Cisco 7500 series router.
•
CSCdz10519
A Cisco 7500 series router running Cisco IOS Release 12.2(11)T or 12.1(14)E1 and quality of service (QoS) may experience a delayed boot-up (30-40 minutes) when a service-policy is configured under an interface.
The issue occurs when distributed Cisco Express Forwarding (dCEF) is enabled only under the interfaces that have the service policy configured (that is, dCEF is disabled on non-QoS interfaces), and the policy-map contains a Network Based Application Recognition (NBAR) match criteria.
Workaround: Remove the service-policy from under the interface, enable dCEF under *all* interfaces, or remove the NBAR match criteria from all class-maps within the policy-map.
•
CSCdz47708
In some scenarios the PA-A3-OC12 module will send operations, administration, and maintenance (OAM) cells with the reserved bits set to non-zero values. (The first 6 bits, of the last 16 bits of the OAM cell are the reserved bits.) When certain Asynchronous Transfer Mode (ATM) switches (with OAM intercept) receive these OAM cells with the reserved bits set, these cells are dropped as expected.
Workaround: While the routers are dropping these cells as expected, one workaround would be to (when possible) disable OAM intercept to avoid dropping F5 OAM cells based on these reserved bits.
•
CSCdz60013
Performing internal BGP (iBGP) neighbor removal (using the no neighbor ip remote-as nn command) under a peer-group generates an error message and does not succeed.
Workaround: Use the pure neighbor removal command, no neighbor ip, instead.
•
CSCdz71127
Cisco routers and switches running Cisco IOS software and configured to process Internet Protocol version 4 (IPv4) packets are vulnerable to a Denial of Service (DoS) attack. A rare sequence of crafted IPv4 packets sent directly to the device may cause the input interface to stop processing traffic once the input queue is full. No authentication is required to process the inbound packet. Processing of IPv4 packets is enabled by default. Devices running only IP version 6 (IPv6) are not affected. A workaround is available.
Cisco has made software available, free of charge, to correct the problem.
This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml.
•
CSCdz82070
A Cisco 7200 series router with an NPE-G1 and PA-MC-8TE1+ installed experiences parity errors upon bootup.
There are no known workarounds.
•
CSCea02355
Cisco routers and switches running Cisco IOS software and configured to process Internet Protocol version 4 (IPv4) packets are vulnerable to a Denial of Service (DoS) attack. A rare sequence of crafted IPv4 packets sent directly to the device may cause the input interface to stop processing traffic once the input queue is full. No authentication is required to process the inbound packet. Processing of IPv4 packets is enabled by default. Devices running only IP version 6 (IPv6) are not affected. A workaround is available.
Cisco has made software available, free of charge, to correct the problem.
This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml.
•
CSCea25622
An NPE-G1 may reload and report the reload as a "System was restarted by reload".
This problem occurs on a Cisco 7200 series router running Cisco IOS Release 12.1(14)E.
There are no known workarounds.
•
CSCea28131
A Cisco device running IOS and enabled for the Border Gateway Protocol (BGP) is vulnerable to a Denial of Service (DOS) attack from a malformed BGP packet. The BGP protocol is not enabled by default, and must be configured in order to accept traffic from an explicitly defined peer. Unless the malicious traffic appears to be sourced from a configured, trusted peer, it would be difficult to inject a malformed packet. BGP MD5 is a valid workaround for this problem.
Cisco has made free software available to address this problem. For more details, please refer to this advisory, available at http://www.cisco.com/warp/public/707/cisco-sa-20040616-bgp.shtml.
•
CSCea47462
When running the show shape queue command, a CPUHOG message may appear:
Mar 11 17:59:32 LYO1MC7501 9696: Mar 11 17:59:30: %SYS-3-CPUHOG: Task ran for 13848 msec (29/1), process = Virtual Exec, PC = 602F6768.
Mar 11 17:59:32 LYO1MC7501 9697: -Traceback= 602F6770 6025ED98 6025F67C 6025F084 6025E508 6025ECE0 6025F67C 6025F084 6121996C 61219B10 61219C04 61219BCC 61219CA4 602BC4CC 602B9A38 602BC880
There are no known workarounds.
•
CSCea50251
The PA-A3-OC12 on a Cisco 7500 platform running Cisco IOS Release 12.1(13)E might drop operations, administration, and maintenance (OAM)/routing updates.
This problem occurs when high traffic is sent on vbr-nrt virtual circuits (VCs) configured on the PA-A3-OC12.
There are no known workarounds.
•
CSCea62463
A Cisco router running Cisco Express Forwarding (CEF) with Multilink PPP may experience alignment corrections in the log.
There are no known workarounds.
•
CSCea86732
A PA-MC-8TE1+ port adapter may not pass traffic on more than one port.
This problem occurs when more than one port is configured on the port adapter.
There are no known workarounds.
•
CSCin26599
An A3 port adapter (PA-A3) pauses and stops receiving traffic; the rx_no_buffer counter increases in the show controller atm output.
This issue occurs when high traffic is sent on a PA-A3. The only PA-A3s affected use ATMIZER SAR Revision 4. To display the SAR Revision, use the show controller atmx/y EXEC command.
Note
To display the information on a route switch processor (RSP)-based platform, connect to the appropriate Versatile Interface Processor (VIP) board.
Workaround: Use the shut and no shut EXEC commands on the interface.
Open Caveats—Cisco IOS Release 12.1(14)E3
This section documents possible unexpected behavior by Cisco IOS Release 12.1(14)E3 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(14)E3.
Resolved Caveats—Cisco IOS Release 12.1(14)E3
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(14)E3. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdv87113
The cbQoSMIB MIB displays large random values for class of service (CoS) monitoring MIBs such as the following objects in the cbQoSCMStatsTable table:
.1.3.6.1.4.1.9.9.166.1.15.1.1.3 = cbQosCMDropByte64
.1.3.6.1.4.1.9.9.166.1.15.1.1.6 = cbQosCMPrePolicyByte64
.1.3.6.1.4.1.9.9.166.1.15.1.1.10 = cbQosCMPostPolicyByte64
.1.3.6.1.4.1.9.9.166.1.15.1.1.14 = cbQosCMDropPkt64
There are no known workarounds.
•
CSCdz06957
When an end-station sends its null exchange identification (XID) as a single route explorer (SRE) to an SNA Switching Services (SNASw) port configured on an internal virtual token ring, the null XID does not receive a response.
This situation may also occur if an end-station, which is Ethernet-attached, is connecting to the virtual token ring using Source-Route Translational Bridging (SR/TLB). If the end-station begins with null XID (rather than test), then the SR/TLB component generates an SRE towards the virtual token ring.
Workaround: Move the SNASw port to the physical interface.
•
CSCdz47039
A Network Processing Engine G1 (NPE-G1) may drop packets on a path from native Gigabit Ethernet (GE) interface 1 to native GE interface 2 when you configure class-based weighted fair queueing (CBWFQ) with or without low latency queueing (LLQ) on the outgoing interface (that is, on native GE interface 2), even though the outgoing interface is not congested. Traffic is dropped regardless of the packet length and traffic rate.
This issue occurs only on native GE interfaces 1, 2, and 3 of the NPE-G1. All other Cisco 7200 series NPEs operate correctly.
There are no known workarounds.
•
CSCdz59223
After upgrading a Cisco 7500 series router from a Cisco IOS Release 12.1(11)E9-based image to a 12.1(14)E image, the following messages keep occurring:
Dec 17 17:22:41.666 AEST: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on GigabitEthernet1/0/0 (not full duplex), with c06-7600-2-P-D2-SM2 GE-WAN8/1 (full duplex).
Dec 17 17:23:41.663 AEST: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on GigabitEthernet1/0/0 (not full duplex), with c06-7600-2-P-D2-SM2 GE-WAN8/1 (full duplex).
There are no known workarounds.
•
CSCdz70120
A Cisco 7500 series router configured for Cisco Express Forwarding (CEF) switching generates a spurious access in update_dot1q_vlan_cef_in_counters().
There are no known workarounds.
•
CSCdz76961
Some router High-Speed Serial Interface (HSSI) interfaces have outgoing traffic for the last 5 minutes, but the output rate displayed by the show interface command is 0.
The route switch processor (RSP) version of this problem is resolved with CSCea31546.
There are no known workarounds.
•
CSCea17870
When Parallel Express Forwarding (PXF) is enabled, a variety of crashes can occur when a packet is punted to the RP if the paktype has not been properly scrubbed after its last use.
There are no known workarounds except to turn off PXF.
Open Caveats—Cisco IOS Release 12.1(14)E2
This section documents possible unexpected behavior by Cisco IOS Release 12.1(14)E2 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(14)E2.
Resolved Caveats—Cisco IOS Release 12.1(14)E2
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(14)E2. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdu33864
Source code analysis reveals a potential null-pointer dereference which can result in a crash or at least a spurious access error. Specifically, after entering the no aaa accounting exec default start-stop group tacacs+ command, spurious memory access traceback occurs on the console.
There are no known workarounds.
•
CSCdz89852
When running Cisco IOS Release 12.1E, the ISAKMP key is limited to 64 bytes when doing hardware to software encryption; this limit is a hardware encryption module limitation.
Workaround: Use 64 bytes or less for the ISAKMP pre-shared key if using hardware to software encryption.
•
CSCea26142
When using a dialer interface, Internet Key Exchange (IKE) security associations (SAs) are not being set up.
There are no known workarounds.
•
CSCin34092
The PA-2FE-TX reports a stream of error messages to the console as follows:
*Jan 1 13:57:36: %VIP2 R5K-1-MSG: slot1 DMA-1-DRQ_EMPTY_PAK:Empty packet is being sent to backplane. particle_ptr=0x60C693C0
These messages are the result of a synchronization problem in which a "return" statement was removed from pas/if_vip_i82543.h.
This problem only occurs on the PA-2FE-TX and also only occurs when ip cef distributed is enabled. If Cisco Express Forwarding (CEF) is configured, the problem does not occur.
There are no known workarounds.
Open Caveats—Cisco IOS Release 12.1(14)E1
This section documents possible unexpected behavior by Cisco IOS Release 12.1(14)E1 and describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdz60229
Cisco devices which run IOS and contain support for the Secure Shell (SSH) server are vulnerable to a Denial of Service (DoS) if the SSH server is enabled on the device. A malformed SSH packet directed at the affected device can cause a reload of the device. No authentication is necessary for the packet to be received by the affected device. The SSH server in Cisco IOS is disabled by default.
Cisco will be making free software available to correct the problem as soon as possible.
The malformed packets can be generated using the SSHredder test suite from Rapid7, Inc. Workarounds are available. The Cisco PSIRT is not aware of any malicious exploitation of this vulnerability.
This advisory is available at
http://www.cisco.com/warp/public/707/ssh-packet-suite-vuln.shtml.
Resolved Caveats—Cisco IOS Release 12.1(14)E1
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(14)E1. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdv39072
If the crl optional configuration command is being used, the router will cache peer public keys during Internet Key Exchange (IKE) negotiations that use Rivest, Shamir, & Adleman (RSA) signature authentication. If a peer changes its public key, the router will be unable to interoperate with that peer and will report that the peer's signature did not verify.
The router must be reloaded to allow interoperation with the peer.
There are no known workarounds.
•
CSCdy42327
A 2-port Fast Ethernet port adapter (PA-2FE) that is configured with Inter-Switch Link (ISL) subinterfaces may not switch packets out of Generic Routing Encapsulation (GRE) tunnels when there are IP Security (IPSec) configurations on the tunnel interface.
This symptom occurs only when hardware encryption and decryption is used, and is observed on both integrated services adapter (ISA) and VPN Acceleration Module (VAM) cards. This symptom does not occur when software encryption or decryption is used.
Workaround: If an ISA card is used, remove the ISL configuration on the PA-2FE port adapter and reconfigure the PA-2FE port adapter. After the PA-2FE port adapter has been reconfigured, enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the port adapter.
There is no workaround if a VAM card is used for hardware encryption and decryption.
•
CSCdy61272
Currently for the IF MIB, when the ifIndex refers to a Frame Relay subinterface, a number of objects are not supported, mostly due to inapplicable or unfeasible definitions.
Workaround: The required information actually can be retrieved from both the standard (RFC1315/RFC2550) FR MIB and Cisco FR MIB.
•
CSCdy62338
The show bootflash: chips EXEC command may cause subsequent commands such as the show bootflash all EXEC command to fail.
This issue occurs on a Cisco router that has a Route Switch Processor 8 (RSP8). This issue occurs because the bootflash module is flawed.
Workaround: Enter the show version EXEC command to restore the router to normal operating condition.
Alternative workaround: Reseat/replace the flash SIMM.
•
CSCdz46563
On Cisco 7200 series routers and Cisco 7500 series routers, Multiprotocol Label Switching (MPLS) packets ingressing 802.1Q ethernet VLAN subinterfaces will not be Cisco Express Forwarding (CEF)-switched. On the Cisco 7500 series router, distributed Cisco Express Forwarding (dCEF) switching also fails.
There are no known workarounds.
•
CSCdz54387
If the image being booted from (or copied from) a Personal Computer Memory Card International Association (PCMCIA) flash Advanced Technology Attachment (ATA) disk is corrupted, the router may fail to boot and display a sector read failed error message.
If the copy operation of an image file to a PCMCIA flash ATA disk card is interrupted by a router crash or a power failure, the image file will probably be corrupted. If this image is later copied or used to boot the router, the copy or boot process may fail with a sector read failed error message.
This problem can occur on PCMCIA flash ATA disks only.
Interrupting a copy operation will result in only part of the image file existing on the PCMCIA flash ATA disk card. Depending on how much or how little of the image is missing, various symptoms may be observed. Typically trying to copy this image or boot the router from this image will result in a sector read failed error message. However, the router may also hang or crash during the boot and/or copy operation or after some particular functionality is used.
Workaround: If the user has any reason to suspect that an image is corrupted, the image should be examined using the verify /md5 command. The resulting MD5 value can be compared to the value posted on CCO for the image being examined. If the MD5 values do not match, then the image should be deleted and recopied to the card.
•
CSCdz56072
The PA-2FE-TX used in a Versatile Interface Processor (VIP) on Cisco 7500 series router sends four extra bytes at the end of Ethernet frames when configured with an Inter-Switch Link (ISL). As a result, frames bigger than 1496 bytes will be dropped as giants by the directly connected devices.
This issue occurs on Cisco IOS Releases 12.1(13.5)E and 12.1(13.5)1, but not 12.1(12.5)E1 when ISL is configured.
Workaround: Use dot1q encapsulation for trunking.
•
CSCdz59591
The append modifier does not append any data to the file. Likewise, the tee /append does not append any data to the named file. The original contents of the file remain unchanged.
This problem occurs with any Cisco IOS release containing CSCdz27200 before this fix was introduced.
There are no known workarounds.
•
CSCdz66836
An integrated services adapter (ISA) displays the error message "isa_rx_error: 1204" for a packet, indicating a faulty Extended Services Processor (ESP) pad value, when the packet is not faulty. This situation may result in a Generic Routing Encapsulation (GRE) keepalive failure and, consequently, a GRE tunnel may go down.
This issue occurs on a Cisco 7100 series router or a Cisco 7200 series router that is configured with an ISA and an ESP and that is using Transport Mode when the payload size of the ESP packets is smaller than 20 bytes. This issue does not occur in Tunnel Mode.
Workaround: Use Tunnel Mode.
First Alternate Workaround: Do not use an ISA but, for example, a VPN Acceleration Module (VAM).
Second Alternate Workaround: Use crypto software.
•
CSCdz78239
On a Cisco 7100 router (with an integrated services module (ISM) card) running Cisco IOS Release 12.1(14)E, the ISM card resets itself intermittently. After seeing the integrated services adapter (ISA) card reset message, two issues were observed:
–
Some of the IPsec tunnels go down intermittently. The show crypto ipsec sa command shows the IPsec security associations (SAs) are up, but no encryption or decryption happens.
–
The router sometimes crashes right after the ISA card reset event.
There are no known workarounds.
•
CSCdz81035
Writing a crashinfo file to an Advanced Technology Attachment (ATA) file system results in an unusable (corrupted) file.
This issue can occur on any system that allows the crashinfo file to be written to an ATA flash device and that is running a version of Cisco IOS containing the fix for CSCdz27200.
There are no known workarounds.
Open Caveats—Cisco IOS Release 12.1(14)E
This section documents possible unexpected behavior by Cisco IOS Release 12.1(14)E and describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdy74599
Netflow accounting information collected from a PA-MC-STM1 interface on a Cisco 7200 series router shows incorrect Netflow statistics when the Netflow information is exported to a Netflow collector. Netflow statistics on the router are correct.
There are no known workarounds.
•
CSCdz21998
One peer cannot reach its peer after Parallel Express Forwarding (PXF) is enabled.
This issue occurs on a Cisco 7200 series router running Cisco IOS Release 12.1(11b)E4 with an NSE-1 that is connected to peerA using EIGRP and to peerB using a static route. The static route pointing to peerB can either be configured with the next hop or with the outgoing interface. After enabling PXF on the router, peerA can not reach peerB anymore.
Workaround: Instead of just configuring one static route pointing to peerB using the next hop address or outgoing interface, configure two static routes for peer B, one pointing to the next hop and one pointing to the outgoing interface.
•
CSCdz38500
A FastEthernet interface with an i82543 chip that is running Cisco IOS Release 12.1E may experience an output queue that becomes wedged after a few minutes when both Inter-Switch Link (ISL) and Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) are configured.
FastEthernet0/0 is up, line protocol is up
....
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 1985616
Queueing strategy: fifo
Output queue :40/40 (size/max)
....
There are no known workarounds.
•
CSCdz40320
A Cisco 7206VXR router with an NSE processor running Cisco IOS Release 12.1(12c)E1 may experience a condition such that the router will stop forwarding packets on its interfaces and constantly scroll error messages similar to the following:
%SYS-2-BADSHARE Bad refcount in retparticle, ptr=623ECC40, count=0
-Traceback= 606380C8 604B3600 604DBF70 60488198 60488D64 6013A364 6013AE34 60448
%SYS-2-NOTQ unqueue didn't find 623ECC40 in queue 623433C8
-Process= "<interrupt level>", ipl= 1
-Traceback= 604B35F8 604DBF70 60488198 60488D64 6013A364 6013AE34 60448AC8 60448
This condition has been observed randomly during normal operating modes.
There are no known workarounds.
•
CSCdz44993
A Cisco 7200 router with NSE-1 might crash unexpectedly with a bus error. The crash seems to be software related but the trace is totally corrupted.
There are no known workarounds.
Resolved Caveats—Cisco IOS Release 12.1(14)E
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(14)E. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdy54385
When running the Hot Standby Routing Protocol (HSRP) on a Cisco 7200 or Cisco 7500 router which contains a PA-2FEISL port adapter, the interface may stop forwarding traffic destined to the HSRP virtual MAC address after a second HSRP failover. For example, if the router is acting as the HSRP active router and a failure occurs that causes it to switch to the standby router, then the failure is corrected causing the router to become the active router again, traffic destined to the HSRP virtual MAC address will not be forwarded. This behavior is due to the interface not being programmed as promiscuous after the interface comes back up as the HSRP primary. To determine if the problem is occurring, execute the show controller command for that interface to see if promiscuous mode is enabled. For example:
Router#show controller fast 1/0
...
HW filtering information:
Promiscuous Mode Enabled, PHY Addr Enabled, Broadcast Addr Enabled
....
If promiscuous mode is enabled, then the interface should be working properly. If promiscuous mode is disabled, the mode can be re-enabled by issuing the clear interface command (the interface will reset).
Workaround: Add standby use-bia to the HSRP interface.
•
CSCdy79730
When running an NSE-1 in a Cisco 7206VXR router running Cisco IOS Release 12.1.11b.E4, Parallel Express Forwarding (PXF) no longer functions and becomes disabled until the next reload.
Workaround: Run NSE-1 without PXF enabled by disabling it in global configuration mode as follows:
Router(config)# no ip pxf
•
CSCdz38773
The distribute-list 10 in an ethernet router configuration command may not be saved under a VPN routing and forwarding (VRF) instance.
Workaround: Use the distribute-list 10 router configuration command instead.
•
CSCdz55602
A Cisco 7200 router with a VPN Acceleration Module (VAM) may crash if the cry card shut/enable slot command is issued with online traffic.
Workaround: Shut down the input interface before issuing the cry card shut/enable slot command.
•
CSCin16919
GPRS Support Node (GSN) entries may have the wrong IP address after a failover occurs.
There are no known workarounds.
Open Caveats—Cisco IOS Release 12.1(13)E1
This section documents possible unexpected behavior by Cisco IOS Release 12.1(13)E1 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(13)E1.
Resolved Caveats—Cisco IOS Release 12.1(13)E1
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(13)E1. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdw20801
Error messages may be displayed after a Cisco 7200 VXR series router is reloaded after it is configured with the following commands:
ip cef
policy-map test-policy
class-map test-class
match protocol http
police cir 64000 bc 16000 pir 64000 be 16000
conform-action set-clp-transmit
exceed-action set-clp-transmit
violate-action set-clp-transmit
interface e3/1
service-policy input test-policy
The following error messages are displayed immediately after the router is reloaded:
%SYS-2-INTSCHED: 'sleep for' at level 3
-Process= "Init", ipl= 3, pid= 2
-Traceback= 6064AA94 60633C04 60FFD1C4 611867AC 6066D1CC 60596134 603D1EB0 603D30BC 603C3110 603D1C20 603BCB30 601F2480 601F0460 601F09F0 601F0840 60599A60
The ip cef global configuration command and the police settings are class-map configurations and need to have a packet identification mechanism before anything is policed (such as match protocol http). This error does not occur until the policy-map is attached to an interface.
Workaround: Reboot the router and detach the service policy containing Network-Based Application Recognition (NBAR) from all interfaces. After the router has rebooted, reattach the service policy. Save a copy of the configuration file with the service policy detached from the interface in case the router reboots inadvertently because of an accidental power failure.
•
CSCdx79318
A router may drop an event message if the connection to the Tag Information Gate Base (TIB) gate is down when the send attempt is executed.
There are no known workarounds.
•
CSCdy18789
A system may run out of memory because of a leak in the routing table structures. No explicit triggers (other than routes in the table) are needed to cause this symptom.
There are no known workarounds.
•
CSCdy41412
A Cisco router running a Data Encryption Standard (DES)/ Triple DES (3DES) crypto image from Cisco IOS Release 12.1(11b)E to 12.1(11b)E8 or Cisco IOS Release 12.1(12c)E to 12.1(12c)E4 may fail to establish tunnels after the router has been running.
This issue occurs because the source address mask in the crypto access control lists for one or more tunnels gets corrupted. This issue can usually be observed soon after a rekey has happened for one or more IPSec tunnels using the interface serial command.
Example:
Before Corruption:
interface: Serial1/3
Crypto map tag: my_map, local addr. 10.24.128.145
local ident (addr/mask/prot/port): (10.24.0.0/255.254.192.0/0/0)
remote ident (addr/mask/prot/port): (10.24.137.128/255.255.255.192/0/0)
current_peer: 10.24.128.146
.....
After Corruption:
interface: Serial1/3
Crypto map tag: my_map, local addr. 10.24.128.145
local ident (addr/mask/prot/port): (10.24.0.0/255.255.23.0/0/0) <===
remote ident (addr/mask/prot/port): (10.24.137.128/255.255.255.192/0/0)
current_peer: 10.24.128.146
.....
There are no known workarounds. For all Cisco 7100 images, upgrade to Cisco IOS Release 12.1(12c)E6. For all Cisco 7200 -k2 and -561 images, upgrade to Cisco IOS Release 12.1(12c)E6.
•
CSCdy49411
The police functionality is broken.
There are no known workarounds.
•
CSCdy52901
A Cisco 7206VXR router running Cisco IOS Release 12.2(10a) crashes with a bus error after receiving the %AAAA-3-LOSTTIMER: error message.
Workaround: Disable periodic accounting.
•
CSCdy60253
Slow table replication of conn, sticky and radius tables occurs when large tables are present and the primary Server Load Balancing (SLB) server is preempting the secondary in a stateful configuration.
Workaround: Configure large delay sync and delay minimum timers in the Hot Standby Routing Protocol (HSRP) to allow this to occur.
•
CSCdy67824
The IOS-Server Load Balancing (SLB) RADIUS Load Balancing load balances RADIUS interim accounting requests to the real server in the sticky database only when the real server is not failed. If the real server is failed, IOS-SLB chooses a different real server.
For interim accounting requests, the behavior should be to continue to send the interim accounting request to the failed real unless failaction radius reassign is configured.
Workaround: Increase the interval and faildetect counters for ping probes to protect against short-term failures.
•
CSCdy72488
A device running Cisco IOS software reloads.
This situation occurs when the cns config initial command is configured with the event keyword option and the initial configuration sends an event message before the event agent starts up.
There are no known workarounds.
•
CSCdy74925
IOS Server Load Balancing may incorrectly determine the failure of a RADIUS (AAA) server or RADIUS proxy server when service radius is configured. The problem occurs when RADIUS Accounting requests are not retransmitted, or are retransmitted with different RADIUS identifiers.
Workaround: Configure faildetect numconns 255 numclients 8. This command will reduce the probability of incorrectly marking a real as failed. In addition, Ping probes should be configured to determine server health.
•
CSCdy76612
A mixed configuration of E3s and T3s on an AU-4 fails on an OC12 channelized to DS3 line card (OSM-1CHOC12/T3).
Workaround: Configure only one type of serial data (either T3 or E3) carried by virtual circuits within an AU-4.
•
CSCdz07402
When a quality of service (QoS) policy-map with the police feature is attached to an Asynchronous Transfer Mode (ATM) permanent virtual circuit (PVC), the policy may disappear from the configuration after the router reloads. The following error messages appear at the console:
Oct 19 22:15:29.623 UTC: %SYS-2-INTSCHED: 'sleep for' at level 3
-Process= "Init", ipl= 3, pid= 2
-Traceback= 605CA9B4 605B4AE4 60E95AAC 60ED6430 60ED59E4 605EE600 605EE11C 605EDD18 6052EF9C 6039D1D4 6039E08C 60392D68 6039D0A8 6038F0D8 601BFF74 601BE150
Workaround: Re-apply the QoS policy-map to the PVC.
•
CSCdz12429
When logging rate-limit console is configured, massive generation of error messages can fill up the logger queue, and console messages can not be rate-limited, causing the system to hang.
With this fix, the LINEPROTO-5-UPDOWN and FR-5-DLCICHANGE messages described in CSCdy37959 (which resulted in too much console output freezing the system for too long when using the ROM monitor I/O to output messages on console) can be rate-limited and dropped.
Open Caveats—Cisco IOS Release 12.1(13)E
This section documents possible unexpected behavior by Cisco IOS Release 12.1(13)E and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(13)E.
Resolved Caveats—Cisco IOS Release 12.1(13)E
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(13)E. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdp99255
A Cisco RM7000 processor that is used by an NPE-300 network processing engine and a Cisco 7140 router causes the router to execute instructions incorrectly or not at all. This situation might result in memory corruption or reload.
There are no known workarounds.
•
CSCdx30042
A router may reload if a circuit that has compression configured is removed while there is subsequent activity on a compression retry timer.
This issue occurs on a Cisco router that is using software or hardware compression and that has FRF.9 Frame Relay compression configured. The activity on the compression retry timer occurs because of a transmission error and subsequent signaling of a compression restart sequence.
There are no known workarounds.
•
CSCdy01077
The following error messages may be displayed on the console port of a Cisco router or switch:
%TFIB-7-SCANSABORTED: TFIB scan not completing. MAC string updated.
%TFIB-DFC8-7-SCANSABORTED: TFIB scan not completing. MAC string updated.
The messages continue to be displayed until the router or switch is reloaded. The error messages are informational and indicate that an excessive amount of network or line transitions may cause an excessive number of Forwarding Information Base (FIB) scans. Processes that are attempting to converge on the network may cause the Route Processor (RP) and/or the Switch Processor (SP) CPU utilization to occasionally reach 100 percent.
There are no known workarounds.
Open Caveats—Cisco IOS Release 12.1(12c)E7
This section documents possible unexpected behavior by Cisco IOS Release 12.1(12c)E7 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(12c)E7.
Resolved Caveats—Cisco IOS Release 12.1(12c)E7
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(12c)E7. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdu53656
A Cisco device running IOS and enabled for the Border Gateway Protocol (BGP) is vulnerable to a Denial of Service (DoS) attack from a malformed BGP packet. The BGP protocol is not enabled by default, and must be configured in order to accept traffic from an explicitly defined peer. Unless the malicious traffic appears to be sourced from a configured, trusted peer, it would be difficult to inject a malformed packet. BGP MD5 is a valid workaround for this problem.
Cisco has made free software available to address this problem. For more details, please refer to this advisory, available at http://www.cisco.com/warp/public/707/cisco-sa-20040616-bgp.shtml.
•
CSCea02355
Cisco routers and switches running Cisco IOS software and configured to process Internet Protocol version 4 (IPv4) packets are vulnerable to a Denial of Service (DoS) attack. A rare sequence of crafted IPv4 packets sent directly to the device may cause the input interface to stop processing traffic once the input queue is full. No authentication is required to process the inbound packet. Processing of IPv4 packets is enabled by default. Devices running only IP version 6 (IPv6) are not affected. A workaround is available.
Cisco has made software available, free of charge, to correct the problem.
This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml.
•
CSCea28131
A Cisco device running IOS and enabled for the Border Gateway Protocol (BGP) is vulnerable to a Denial of Service (DoS) attack from a malformed BGP packet. The BGP protocol is not enabled by default, and must be configured in order to accept traffic from an explicitly defined peer. Unless the malicious traffic appears to be sourced from a configured, trusted peer, it would be difficult to inject a malformed packet. BGP MD5 is a valid workaround for this problem.
Cisco has made free software available to address this problem. For more details, please refer to this advisory, available at http://www.cisco.com/warp/public/707/cisco-sa-20040616-bgp.shtml.
Open Caveats—Cisco IOS Release 12.1(12c)E6
This section documents possible unexpected behavior by Cisco IOS Release 12.1(12c)E6 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(12c)E6.
Resolved Caveats—Cisco IOS Release 12.1(12c)E6
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(12c)E6. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdy41412
A Cisco router running a Data Encryption Standard (DES)/ Triple DES (3DES) crypto image from Cisco IOS Release 12.1(11b)E to 12.1(11b)E8 or Cisco IOS Release 12.1(12c)E to 12.1(12c)E4 may fail to establish tunnels after the router has been running.
This issue occurs because the source address mask in the crypto access control lists for one or more tunnels gets corrupted. This issue can usually be observed soon after a rekey has happened for one or more IPSec tunnels using the interface serial command.
Example:
Before Corruption:
interface: Serial1/3
Crypto map tag: my_map, local addr. 10.24.128.145
local ident (addr/mask/prot/port): (10.24.0.0/255.254.192.0/0/0)
remote ident (addr/mask/prot/port): (10.24.137.128/255.255.255.192/0/0)
current_peer: 10.24.128.146
.....
After Corruption:
interface: Serial1/3
Crypto map tag: my_map, local addr. 10.24.128.145
local ident (addr/mask/prot/port): (10.24.0.0/255.255.23.0/0/0) <===
remote ident (addr/mask/prot/port): (10.24.137.128/255.255.255.192/0/0)
current_peer: 10.24.128.146
.....
There are no known workarounds. For all Cisco 7100 images, upgrade to Cisco IOS Release 12.1(12c)E6. For all Cisco 7200 -k2 and -561 images, upgrade to Cisco IOS Release 12.1(12c)E6.
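One way to catch the mask corruption described for CSCdy41412 (in both listings of this caveat) is to compare the idents in current output against a saved known-good capture; the Python below is an added example, not Cisco code. It compares against a baseline rather than testing mask shape because the "before" mask shown (255.254.192.0) is itself non-contiguous. The function names are hypothetical, and the sample text is the caveat's own before/after output broken into lines.

```python
import re
from typing import NamedTuple, Optional

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
IFACE_RE = re.compile(r"^\s*interface:\s*(\S+)")
IDENT_RE = re.compile(
    r"^\s*(local|remote)\s+ident\s+\(addr/mask/prot/port\):\s*"
    rf"\(({IPV4})/({IPV4})/(\d+)/(\d+)\)"
)
PEER_RE = re.compile(rf"^\s*current_peer:\s*({IPV4})")


class Ident(NamedTuple):
    addr: str
    mask: str
    prot: int
    port: int


class Drift(NamedTuple):
    interface: str
    peer: str
    remote: Ident
    expected: Optional[Ident]  # None means the SA is absent from the baseline
    observed: Ident


def parse_sa_idents(text):
    """Return [(interface, peer, local Ident, remote Ident), ...]."""
    records, iface, pending = [], None, {}
    for line in text.splitlines():
        if m := IFACE_RE.match(line):
            iface, pending = m.group(1), {}
        elif m := IDENT_RE.match(line):
            side, addr, mask, prot, port = m.groups()
            pending[side] = Ident(addr, mask, int(prot), int(port))
        elif (m := PEER_RE.match(line)) and iface and len(pending) == 2:
            # current_peer closes one SA entry; several may follow per interface
            records.append((iface, m.group(1), pending["local"], pending["remote"]))
            pending = {}
    return records


def find_ident_drift(baseline_text, current_text):
    """List SAs whose local ident differs from, or is missing in, the baseline."""
    known = {(i, p, r): l for i, p, l, r in parse_sa_idents(baseline_text)}
    drift = []
    for iface, peer, local, remote in parse_sa_idents(current_text):
        expected = known.get((iface, peer, remote))
        if expected != local:
            drift.append(Drift(iface, peer, remote, expected, local))
    return drift


# Sample input: the caveat's "Before Corruption" / "After Corruption" output.
BASELINE = """\
interface: Serial1/3
Crypto map tag: my_map, local addr. 10.24.128.145
local ident (addr/mask/prot/port): (10.24.0.0/255.254.192.0/0/0)
remote ident (addr/mask/prot/port): (10.24.137.128/255.255.255.192/0/0)
current_peer: 10.24.128.146
"""

CURRENT = """\
interface: Serial1/3
Crypto map tag: my_map, local addr. 10.24.128.145
local ident (addr/mask/prot/port): (10.24.0.0/255.255.23.0/0/0) <===
remote ident (addr/mask/prot/port): (10.24.137.128/255.255.255.192/0/0)
current_peer: 10.24.128.146
"""

if __name__ == "__main__":
    for d in find_ident_drift(BASELINE, CURRENT):
        want = d.expected.mask if d.expected else "not in baseline"
        print(f"{d.interface} peer {d.peer}: local mask {d.observed.mask} (baseline: {want})")
```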
•
CSCdz07402
When a quality of service (QoS) policy-map with the police feature is attached to an Asynchronous Transfer Mode (ATM) permanent virtual circuit (PVC), the policy may disappear from the configuration after the router reloads. The following error messages appear at the console:
Oct 19 22:15:29.623 UTC: %SYS-2-INTSCHED: 'sleep for' at level 3
-Process= "Init", ipl= 3, pid= 2
-Traceback= 605CA9B4 605B4AE4 60E95AAC 60ED6430 60ED59E4 605EE600 605EE11C 605EDD18 6052EF9C 6039D1D4 6039E08C 60392D68 6039D0A8 6038F0D8 601BFF74 601BE150
Workaround: Re-apply the QoS policy-map to the PVC.
Open Caveats—Cisco IOS Release 12.1(12c)E5
This section documents possible unexpected behavior by Cisco IOS Release 12.1(12c)E5 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(12c)E5.
Resolved Caveats—Cisco IOS Release 12.1(12c)E5
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(12c)E5. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdp99255
A Cisco RM7000 processor that is used by several Cisco products might cause the router to execute instructions incorrectly or not at all. This situation might result in memory corruption or unexpected reload. This issue is further discussed in Field Notice #13130. This field notice can be accessed on CCO via the field notice index:
http://www.cisco.com/warp/public/tech_tips/index/hardware/fn.html.
Or directly at the following URL:
http://www.cisco.com/warp/public/770/fn13130.shtml.
There are no known workarounds.
•
CSCdy07005
Formatting bootflash fails with a faster processor. The problem is that the loop which retries reading the device operation status seems to terminate before the device is ready.
There are no known workarounds.
Open Caveats—Cisco IOS Release 12.1(12c)E1
This section documents possible unexpected behavior by Cisco IOS Release 12.1(12c)E1 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(12c)E1.
Resolved Caveats—Cisco IOS Release 12.1(12c)E1
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(12c)E1. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdu63564
On all Cisco routers where static Address Resolution Protocol (ARP) entries are configured, after the router reloads with Cisco Express Forwarding (CEF) configured as enabled or after manually enabling CEF, the router may fail to use the static ARP entry.
Workaround: Disable CEF using the no ip cef configuration command.
•
CSCdw39118
A router configured with Generic Routing Encapsulation (GRE) tunnels may pause indefinitely and continuously scroll the following messages on the console:
%SYS-2-NOTQ: unqueue didn't find 0 in queue 62360144 -Process= "<interruptlevel>", ipl= 1 -Traceback= 60538810 60536468 60536468 6015DB10 60431D64 60433D04 60433DC8
%SYS-2-BADSHARE: Bad refcount in retparticle, ptr=0, count=0 -Traceback=60672220 60538818 60536468 60536468 6015DB10 60431D64 60433D04 60433DC8
There are no known workarounds.
•
CSCdx37849
A device that is running Cisco IOS software may reload when a command is issued to display a file that contains certain character patterns.
This issue occurs if the file in question has a very large line. This line may have a very large continuous set of characters without any new line characters, and is most likely corrupted.
There are no known workarounds.
•
CSCdx56913
A race condition between the integrated services adapter (ISA) Cache Manager and the ISA DMA Controller can sometimes cause incoherences in the ISA shared memory.
The symptoms vary, because the root cause is very sensitive to changes in the timing of any processor involved: Router RPSP, ISA MIPS, or ISA DSP.
Examples:
1) ISA does not come up after microcode reload (No response to capabilities Query)
2) ISA returns an error code 1Cxx
3) ISA returns an error code 104C, 1041, 104D
Workaround: Upgrade to the newer ISA cards
Alternative workaround 1: Use VPN Acceleration Module (VAM) instead of ISA
Alternative workaround 2: Use software crypto instead of ISA
•
CSCdx87316
A downstream router recognizes an upstream Protocol Independent Multicast (PIM) neighbor, but fails to join a multicast group.
This issue occurs on a downstream router in a PIM network. The downstream router has a multicast group in the multicast route (mroute) table, but the upstream router does not show the downstream router on the outgoing interface list. This issue occurs only if the multicast group in question is in the Source Specific Multicast (SSM) range.
Workaround: Enter the clear ip mroute group EXEC command.
•
CSCdy03649
Since Cisco IOS Release 12.1(11b)E the IPSec pre-fragmentation feature is enabled by default when IPSec is configured.
This feature has the side effect of changing the default maximum transmission unit (MTU) on associated IPSec interfaces. The net effect of this new default value is that default MTU values between IPSec/Generic Routing Encapsulation (GRE) and Open Shortest Path First (OSPF) peer routers running a mix of Cisco IOS versions pre and post 12.1(11b)E no longer match. The result is that OSPF adjacencies may not form over the IPSec/GRE tunnels due to the MTU mismatch (the Database Description (DBD) exchange fails).
This is normal OSPF behavior according to RFC2328 which states:
"If the Interface MTU field in the Database Description packet indicates an IP datagram size that is larger than the router can accept on the receiving interface without fragmentation, the Database Description packet is rejected."
Workaround: Reconfigure MTU values on IPSec peer interfaces to match.
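The RFC 2328 check quoted above, as an added Python example (not Cisco code and not part of these release notes): it parses the Interface MTU field of a constructed Database Description packet and applies the rejection rule in both directions, which shows that only the peer with the smaller MTU rejects while the other side keeps retransmitting. The function names and the MTU values 1476 and 1400 are assumptions chosen for illustration.

```python
import ipaddress
import struct

# OSPFv2 common header (24 bytes): version, type, packet length, router ID,
# area ID, checksum, AuType, authentication.
OSPF_HEADER = struct.Struct("!BBHIIHHQ")
# Start of the Database Description body: interface MTU, options,
# flags (I/M/MS bits), DD sequence number.
DBD_FIXED = struct.Struct("!HBBI")
OSPF_VERSION = 2
TYPE_DBD = 2


def build_dbd(router_id, interface_mtu, seq, area_id="0.0.0.0"):
    """Build a constructed, header-only DBD packet (checksum left at 0)."""
    length = OSPF_HEADER.size + DBD_FIXED.size
    header = OSPF_HEADER.pack(
        OSPF_VERSION, TYPE_DBD, length,
        int(ipaddress.IPv4Address(router_id)),
        int(ipaddress.IPv4Address(area_id)),
        0, 0, 0,
    )
    # Options 0x02 (E bit); flags 0x07 (I, M and MS set: first DBD in ExStart).
    return header + DBD_FIXED.pack(interface_mtu, 0x02, 0x07, seq)


def parse_dbd(packet):
    """Return the DBD fields needed for the MTU check, or raise ValueError."""
    if len(packet) < OSPF_HEADER.size + DBD_FIXED.size:
        raise ValueError("packet too short for an OSPF DBD")
    version, ptype, length, rid, _area, _cksum, _autype, _auth = (
        OSPF_HEADER.unpack_from(packet)
    )
    if version != OSPF_VERSION or ptype != TYPE_DBD:
        raise ValueError("not an OSPFv2 Database Description packet")
    if length > len(packet):
        raise ValueError("length field exceeds the captured bytes")
    mtu, options, flags, seq = DBD_FIXED.unpack_from(packet, OSPF_HEADER.size)
    return {
        "router_id": str(ipaddress.IPv4Address(rid)),
        "interface_mtu": mtu,
        "options": options,
        "flags": flags,
        "seq": seq,
    }


def accepts_dbd(packet, local_ip_mtu):
    """RFC 2328 rule: reject a DBD whose Interface MTU exceeds what the
    receiving interface can accept without fragmentation."""
    return parse_dbd(packet)["interface_mtu"] <= local_ip_mtu


def exchange_result(mtu_a, mtu_b):
    """Apply the check in both directions for two tunnel peers A and B."""
    dbd_from_a = build_dbd("10.0.0.1", mtu_a, seq=1)  # constructed router IDs
    dbd_from_b = build_dbd("10.0.0.2", mtu_b, seq=1)
    a_accepts_b = accepts_dbd(dbd_from_b, mtu_a)
    b_accepts_a = accepts_dbd(dbd_from_a, mtu_b)
    return {
        "a_accepts_b": a_accepts_b,
        "b_accepts_a": b_accepts_a,
        "adjacency_can_form": a_accepts_b and b_accepts_a,
    }


if __name__ == "__main__":
    # Constructed values: peer A keeps an IP MTU of 1476, peer B runs a
    # release whose default tunnel MTU is lower (1400 here is illustrative).
    for pair in ((1476, 1476), (1476, 1400)):
        print(pair, exchange_result(*pair))
```

When auditing a mixed-version deployment, comparing the interface MTU reported on both tunnel endpoints identifies the pairs that will fail this check before the adjacency is attempted.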
•
CSCdy04712
A router configured with neighbor x.x.x.x or peer-group name nlri unicast multicast does not automatically translate the no auto-summary command into the multicast address-family.
Workaround: Manually add the no auto-summary command under the multicast address-family.
•
CSCdy11165
Server Load Balancing (SLB) stickies time out of the Firewall Load Balancer (FWLB), causing the user to be unreachable through a Service Selection Gateway (SSG) farm.
This issue occurs if the user has not initiated flows for more than 18 hours.
There are no known workarounds.
•
CSCdy14556
Internet Control Message Protocol (ICMP) traffic through the IOS Firewall Load Balancer (FWLB) does not follow the sticky table.
There are no known workarounds.
•
CSCin02000
If you add new interfaces on a line card that is installed in a router, the Multicast Distributed Fast Switching (MDFS) functions on other line cards of the same router do not recognize the newly added interfaces until multicast is enabled on the newly added interfaces.
Workaround: Turn on a multicast function, such as Protocol Independent Multicast (PIM) mode.
•
CSCin09719
A Cisco router running Cisco IOS Release 12.1(11b)E2 may lose the s1byte configuration after a reload.
Workaround: Configure the s1byte again.
•
CSCuk35260
The Hot Standby Routing Protocol (HSRP) standby delay minimum 0 reload 0 command appears in the running config for an interface if any other HSRP command has been entered on that interface.
There are no known workarounds.
Open Caveats—Cisco IOS Release 12.1(12c)E
This section documents possible unexpected behavior by Cisco IOS Release 12.1(12c)E and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(12c)E.
Resolved Caveats—Cisco IOS Release 12.1(12c)E
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(12c)E. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdr46997
In some Point-to-Point Protocol (PPP) and Multilink PPP (MLP) scenarios, the links may fail to establish due to carrier timer issues (physical connection loopback or crossconnect bounces).
This fix allows more generous behavior from PPP/MLP to allow links which may have physically established to transmit PPP link control protocol (LCP) messages on that link and thus allow PPP (LCP) to establish.
Workaround: Manually shut and open the links.
•
CSCdt21533
When the network address translation (NAT) pool is configured with subranges, the subranges do not take effect.
There are no known workarounds.
•
CSCdu08686
A Cisco 7206VXR router that is running the Open Shortest Path First (OSPF) Protocol and acting as a designated router (DR) will generate router link states, but may fail to generate network link states for a connected network. The OSPF neighbors come up correctly on all routers in the network.
Workaround: Set the priority on the interface to 0 so that the router is not the DR for that link.
•
CSCdw58350
When running a Cisco IOS release that contains the fix for CSCdu18397, the KRTT (Karn's Round Trip Time) is not bounded to RTTO*2**5. When there are retransmissions occurring between the Transmission Control Protocol (TCP) endpoints, the KRTT value can get excessively large and the TCP connection will drop.
This issue seems to affect data-link switching (DLSw) frequently. The DLSw peers sporadically drop.
There are no known workarounds.
•
CSCdw75480
When using the min links mandatory command, a traceback is observed.
There are no known workarounds.
•
CSCdw89208
A memory leak is occurring in the ciscoFlashMIB.
Workaround: Disable access to the MIB object that is leaking memory.
•
CSCdx41362
Spurious access is detected at ip_age_one_mroute() after ip_age_one_mroute_wrapper().
There are no known workarounds.
•
CSCdx44350
This caveat is a port of the fix for CSCdu57137 to the Cisco 7100 platform to fix wr erase.
Workaround: The configuration register needs to be changed to the desired setting to avoid this issue. Enter the confreg 0x2102 command in ROMMON mode, or enter the config-register 0x210 command in the global configuration mode.
•
CSCdx46554
A route map that has the match nlri unicast multicast command is broken into two route maps, one with the original route-map tag and the other with "_mcast" extended.
This issue occurs on a Cisco router when an old route map format is changed to the new route map format, and if a named community list or an extended community list is configured. This translation can be automatically done or user initiated if the bgp upgrade-cli router configuration command is available.
The router may reload if the write terminal privileged EXEC command, the show running-config privileged EXEC command, or the show route-map privileged EXEC command is issued after the original route map is deleted.
Workaround: Delete the match nlri unicast multicast route-map configuration command from the startup-config file, or avoid deleting the original route map after the system is loaded.
Alternate Workaround: Do not issue the bgp upgrade-cli router configuration command.
•
CSCdx52622
When the router loads and the ILMI keepalives are enabled on Asynchronous Transfer Mode (ATM) interfaces, optimum polling is enabled by default. There is no CLI (no atm ilmi optimize-polling) to turn it off either.
This issue occurs because the OptiPoll feature, which is currently supported only on switches, is also working on routers because by default it is turned on for both switches and routers.
There are no known workarounds.
Open Caveats—Cisco IOS Release 12.1(11b)E14
This section documents possible unexpected behavior by Cisco IOS Release 12.1(11b)E14 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(11b)E14.
Resolved Caveats—Cisco IOS Release 12.1(11b)E14
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(11b)E14. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdx40184
Cisco products running IOS contain vulnerabilities in the processing of H.323 messages, which are typically used in packetized voice or multimedia applications. Features such as NAT and IOS Firewall must inspect H.323 messages and may be vulnerable as well. A test suite has been developed by the University of Oulu to target this protocol and identify vulnerabilities.
Support for the H.323 protocol was introduced in Cisco IOS Software Release 11.3T, and all later Cisco IOS releases are affected if configured for various types of Voice/Multimedia Application support. The vulnerabilities can be exploited repeatedly to produce a denial of service (DoS).
There are workarounds available that may mitigate the impact, but these techniques may not be appropriate for use in all customer networks. This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml.
•
CSCdx76632
Cisco products running IOS contain vulnerabilities in the processing of H.323 messages, which are typically used in packetized voice or multimedia applications. Features such as NAT and IOS Firewall must inspect H.323 messages and may be vulnerable as well. A test suite has been developed by the University of Oulu to target this protocol and identify vulnerabilities.
Support for the H.323 protocol was introduced in Cisco IOS Software Release 11.3T, and all later Cisco IOS releases are affected if configured for various types of Voice/Multimedia Application support. The vulnerabilities can be exploited repeatedly to produce a denial of service (DoS).
There are workarounds available that may mitigate the impact, but these techniques may not be appropriate for use in all customer networks. This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml.
•
CSCdy15598
Under some rare traffic patterns which require software processing, the route processor (RP) (Multilayer Switch Feature Card 2 (MSFC2)) can get into a state where it can receive traffic, but cannot send it.
Problems include instances where devices connected to the problematic router do not receive traffic (unicast and other control traffic such as routing protocol hellos/updates, Cisco Discovery Protocol (CDP) updates, and so on) sourced from the MSFC2. L2-control traffic (such as Spanning Tree Protocol (STP), UniDirectional Link Detection (UDLD), Port Aggregation Protocol (PAgP), and so on) is unaffected, as it is sourced from the switch processor (SP).
This situation is caused by inefficient handling of such traffic types by the MSFC2 system controller.
Workaround: An initial fix for this caveat has been available since Cisco IOS Release 12.1(8b)E14 and 12.1(13)E1. However, it is highly recommended to upgrade to Cisco IOS Release 12.1(8b)E15 or 12.1(13)E9 and above, as the initial fix was not complete.
•
CSCea46342
Cisco products running IOS contain vulnerabilities in the processing of H.323 messages, which are typically used in packetized voice or multimedia applications. Features such as NAT and IOS Firewall must inspect H.323 messages and may be vulnerable as well. A test suite has been developed by the University of Oulu to target this protocol and identify vulnerabilities.
Support for the H.323 protocol was introduced in Cisco IOS Software Release 11.3T, and all later Cisco IOS releases are affected if configured for various types of Voice/Multimedia Application support. The vulnerabilities can be exploited repeatedly to produce a denial of service (DoS).
There are workarounds available that may mitigate the impact, but these techniques may not be appropriate for use in all customer networks. This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml.
•
CSCeb55271
The default aggregate quality of service (QoS) policer value may be misprogrammed by software. The Open Shortest Path First (OSPF) neighbor drops, and Hot Standby Routing Protocol (HSRP) flaps may occur under some traffic patterns.
The problem occurs on Sup1/Multilayer Switch Feature Card 2 (MSFC2) based systems running native IOS.
Workaround: Disable QoS, or configure policer on all interfaces.
•
CSCeb78836
Cisco products running IOS contain vulnerabilities in the processing of H.323 messages, which are typically used in packetized voice or multimedia applications. Features such as NAT and IOS Firewall must inspect H.323 messages and may be vulnerable as well. A test suite has been developed by the University of Oulu to target this protocol and identify vulnerabilities.
Support for the H.323 protocol was introduced in Cisco IOS Software Release 11.3T, and all later Cisco IOS releases are affected if configured for various types of Voice/Multimedia Application support. The vulnerabilities can be exploited repeatedly to produce a denial of service (DoS).
There are workarounds available that may mitigate the impact, but these techniques may not be appropriate for use in all customer networks. This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml.
•
CSCec76776
Cisco products running IOS contain vulnerabilities in the processing of H.323 messages, which are typically used in packetized voice or multimedia applications. Features such as NAT and IOS Firewall must inspect H.323 messages and may be vulnerable as well. A test suite has been developed by the University of Oulu to target this protocol and identify vulnerabilities.
Support for the H.323 protocol was introduced in Cisco IOS Software Release 11.3T, and all later Cisco IOS releases are affected if configured for various types of Voice/Multimedia Application support. The vulnerabilities can be exploited repeatedly to produce a denial of service (DoS).
There are workarounds available that may mitigate the impact, but these techniques may not be appropriate for use in all customer networks. This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml.
•
CSCed27956
A vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences beyond a terminated connection which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer) and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality.
All Cisco products which contain a TCP stack are susceptible to this vulnerability.
This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS® software.
A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.
•
CSCed28873
Cisco products running IOS contain vulnerabilities in the processing of H.323 messages, which are typically used in packetized voice or multimedia applications. Features such as NAT and IOS Firewall must inspect H.323 messages and may be vulnerable as well. A test suite has been developed by the University of Oulu to target this protocol and identify vulnerabilities.
Support for the H.323 protocol was introduced in Cisco IOS Software Release 11.3T, and all later Cisco IOS releases are affected if configured for various types of Voice/Multimedia Application support. The vulnerabilities can be exploited repeatedly to produce a denial of service (DoS).
There are workarounds available that may mitigate the impact, but these techniques may not be appropriate for use in all customer networks. This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml.
•
CSCed38527
A vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences beyond a terminated connection which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer) and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality.
All Cisco products which contain a TCP stack are susceptible to this vulnerability.
This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS® software.
A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.
•
CSCin56408
Cisco products running IOS contain vulnerabilities in the processing of H.323 messages, which are typically used in packetized voice or multimedia applications. Features such as NAT and IOS Firewall must inspect H.323 messages and may be vulnerable as well. A test suite has been developed by the University of Oulu to target this protocol and identify vulnerabilities.
Support for the H.323 protocol was introduced in Cisco IOS Release 11.3T, and all later Cisco IOS releases are affected if configured for various types of Voice/Multimedia Application support. The vulnerabilities can be exploited repeatedly to produce a denial of service (DoS).
There are workarounds available that may mitigate the impact, but these techniques may not be appropriate for use in all customer networks. This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml.
Open Caveats—Cisco IOS Release 12.1(11b)E12
This section documents possible unexpected behavior by Cisco IOS Release 12.1(11b)E12 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(11b)E12.
Resolved Caveats—Cisco IOS Release 12.1(11b)E12
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(11b)E12. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdu53656
A Cisco device running IOS and enabled for the Border Gateway Protocol (BGP) is vulnerable to a Denial of Service (DoS) attack from a malformed BGP packet. BGP is not enabled by default, and must be configured in order to accept traffic from an explicitly defined peer. Unless the malicious traffic appears to be sourced from a configured, trusted peer, it would be difficult to inject a malformed packet. BGP MD5 is a valid workaround for this problem.
Cisco has made free software available to address this problem. For more details, please refer to this advisory, available at http://www.cisco.com/warp/public/707/cisco-sa-20040616-bgp.shtml.
•
CSCea02355
Cisco routers and switches running Cisco IOS software and configured to process Internet Protocol version 4 (IPv4) packets are vulnerable to a Denial of Service (DoS) attack. A rare sequence of crafted IPv4 packets sent directly to the device may cause the input interface to stop processing traffic once the input queue is full. No authentication is required to process the inbound packet. Processing of IPv4 packets is enabled by default. Devices running only IP version 6 (IPv6) are not affected. A workaround is available.
Cisco has made software available, free of charge, to correct the problem.
This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml.
•
CSCea28131
A Cisco device running IOS and enabled for the Border Gateway Protocol (BGP) is vulnerable to a Denial of Service (DoS) attack from a malformed BGP packet. BGP is not enabled by default, and must be configured in order to accept traffic from an explicitly defined peer. Unless the malicious traffic appears to be sourced from a configured, trusted peer, it would be difficult to inject a malformed packet. BGP MD5 is a valid workaround for this problem.
Cisco has made free software available to address this problem. For more details, please refer to this advisory, available at http://www.cisco.com/warp/public/707/cisco-sa-20040616-bgp.shtml.
Open Caveats—Cisco IOS Release 12.1(11b)E11
This section documents possible unexpected behavior by Cisco IOS Release 12.1(11b)E11 and describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdz60229
Cisco devices which run IOS and contain support for the Secure Shell (SSH) server are vulnerable to a Denial of Service (DoS) if the SSH server is enabled on the device. A malformed SSH packet directed at the affected device can cause a reload of the device. No authentication is necessary for the packet to be received by the affected device. The SSH server in Cisco IOS is disabled by default.
Cisco will be making free software available to correct the problem as soon as possible.
The malformed packets can be generated using the SSHredder test suite from Rapid7, Inc. Workarounds are available. The Cisco PSIRT is not aware of any malicious exploitation of this vulnerability.
This advisory is available at
http://www.cisco.com/warp/public/707/ssh-packet-suite-vuln.shtml.
Resolved Caveats—Cisco IOS Release 12.1(11b)E11
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(11b)E11. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known resolved caveats for Cisco IOS Release 12.1(11b)E11.
Open Caveats—Cisco IOS Release 12.1(11b)E10
This section documents possible unexpected behavior by Cisco IOS Release 12.1(11b)E10 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(11b)E10.
Resolved Caveats—Cisco IOS Release 12.1(11b)E10
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(11b)E10. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdv88797
In a configuration with Frame Relay subinterfaces, when these subinterfaces are used with Generic Routing Encapsulation (GRE) in the presence of the crypto hardware module, the Cisco Express Forwarding (CEF) switching fails.
Workaround: Disable the CEF switching on the interface, and use fast switching instead.
•
CSCdw09251
A Cisco 7100 router that is running Cisco IOS Release 12.1(9)E and 12.1(10)E may generate constant traceback messages when the router is decrypting IP Security (IPSec) traffic over a Multilink PPP (MLP) interface.
Workaround: Upgrade to Cisco IOS Release 12.2(6).
•
CSCdw20251
A router that is running a Cisco IOS release earlier than 12.1(11.05)E, 12.2(07.04)S, 12.2(07.04)T, 012.002(007.004), 12.0(20.04)S, 012.000(020.004), 012.001(012.003) may reload when the show ip mroute command is executed.
There are no known workarounds.
•
CSCdw89164
A memory allocation failure (MALLOCFAIL) message is displayed when a cable is unplugged from the serial interface of a router.
This issue occurs on a Cisco 7200 series router when a Cisco IOS release that contains the fix for CSCdt40038 is used. This issue affects the PA-4T, PA-8T, PA-H, PA-E3, and PA-T3 port adapters. The occurrence of this issue depends on the erroneous bit patterns that are received from the serial line that is down.
Workaround: Bring the line back up to enable the memory usage to return to normal.
•
CSCdw90135
A router may fail to boot and display the following error message:
%SYS-2-INTSCHED: 'idle' at level 4 -Process= "EnvMon", ipl= 4, pid= 8 -Traceback= 6050B024 604F5F98 604F8154 6092BBA8 607124FC 60542FD8 60543228 604DC4B4 604DC4A0
This issue occurs on a Cisco router that is running Cisco IOS Release 12.1(11) and the Simple Network Management Protocol (SNMP). The router has to be power-cycled to complete the boot process.
Workaround: Remove SNMP traps from the configuration.
•
CSCdw91468
A Cisco router experiences 100% CPU utilization due to the Enhanced Interior Gateway Routing Protocol (EIGRP) process if the process is configured with traffic-share min or variance commands; actual traffic share may not reflect the one configured by these commands. The high CPU utilization condition may cause related problems such as slow router response and periodic loss of EIGRP neighbors.
Workaround: Remove the commands causing the high CPU condition from the EIGRP configuration.
•
CSCdw93090
Removing a subinterface from the configuration of a Cisco 7200 VXR series router which is running c7200-ik2s-mz.121-11b.E may trigger a crash because of a bus error.
There are no known workarounds.
•
CSCdx39499
A port adapter may stop receiving packets. When this symptom occurs, the output of the show interface EXEC command does not report any input or output drops. When the show controller EXEC command is issued on the Versatile Interface Processor (VIP) console of a router, the command output may display incrementing rx_no_buffer and virtual circuit connection (VCC) counts.
This issue occurs on an enhanced ATM Port Adapter (PA-A3) on a Cisco 7500 router.
Workaround: Bounce the port adapter interface by issuing the shutdown interface configuration command followed by the no shutdown interface configuration command.
•
CSCdx87684
A Cisco 7200 series router, running Cisco IOS Release 12.1(11b)E1, might experience a buffer leak in the Very Big buffers.
There are no known workarounds.
•
CSCdy20322
A router configured for Terminal Access Controller Access Control System (TACACS+) runs out of memory because of a buffer leak in the middle buffer pool. The buffer leak is caused by TACACS+ packets.
This issue can be checked with the following command outputs:
Router#show buffers
....
Middle buffers, 600 bytes (total 3236, permanent 25):
11 in free list (10 min, 150 max allowed)
562868 hits, 1109 misses, 41 trims, 3252 created
0 failures (0 no memory)
....
Router#show buffer pool middle header
Buffer information for Middle buffer at 0x6096CF18
data_area 0x1AF0184, refcount 1, next 0x0, flags 0x80
linktype 7 (IP), enctype 1 (ARPA), encsize 14, rxtype 1
if_input 0x0 (None), if_output 0x0 (None)
inputtime 0x0, outputtime 0x0, oqnumber 65535
datagramstart 0x1AF01CA, datagramsize 133, maximum size 756
mac_start 0x1AF01CA, addr_start 0x1AF01CA, info_start 0x0
network_start 0x1AF01D8, transport_start 0x1AF01EC
source: x.x.x.x, destination: x.x.x.x, id: 0x59BE, ttl: 252,
TOS: 0 prot: 6, source port 49, destination port 13489
Workaround: A reload or power-cycle of the router will clear this condition and free up the buffers and memory.
•
CSCdz07402
When a quality of service (QoS) policy-map with the police feature is attached to an Asynchronous Transfer Mode (ATM) permanent virtual circuit (PVC), the policy may disappear from the configuration after the router reloads. The following error messages appear at the console:
Oct 19 22:15:29.623 UTC: %SYS-2-INTSCHED: 'sleep for' at level 3
-Process= "Init", ipl= 3, pid= 2
-Traceback= 605CA9B4 605B4AE4 60E95AAC 60ED6430 60ED59E4 605EE600 605EE11C 605EDD18 6052EF9C 6039D1D4 6039E08C 60392D68 6039D0A8 6038F0D8 601BFF74 601BE150
Workaround: Re-apply the QoS policy-map to the PVC.
Open Caveats—Cisco IOS Release 12.1(11b)E8
This section documents possible unexpected behavior by Cisco IOS Release 12.1(11b)E8 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(11b)E8.
Resolved Caveats—Cisco IOS Release 12.1(11b)E8
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(11b)E8. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdu74664
After CSCds21806, if the shared tree and shortest path tree (SPT) diverge due to an RPF change on the shared tree (normally triggered by a failed link being restored) then we will also prune the SPT. A join to restore the traffic flow will follow this prune immediately. This may cause a small interruption to the traffic flow.
There are no known workarounds.
•
CSCdw20801
Error messages appear after a Cisco 7200 VXR series router is reloaded when it is configured with the following commands:
ip cef
policy-map test-policy
class-map test-class
match protocol http
police cir 64000 bc 16000 pir 64000 be 16000
conform-action set-clp-transmit
exceed-action set-clp-transmit
violate-action set-clp-transmit
interface e3/1
service-policy input test-policy
The following error messages are displayed immediately after the router is reloaded:
%SYS-2-INTSCHED: 'sleep for' at level 3 -Process= "Init", ipl= 3, pid= 2
-Traceback= 6064AA94 60633C04 60FFD1C4 611867AC 6066D1CC 60596134 603D1EB0 603D30BC 603C3110 603D1C20 603BCB30 601F2480 601F0460 601F09F0 601F0840 60599A60
These errors occur because the ip cef global configuration command and the police settings are class-map configurations and need to have a packet identification mechanism before anything is policed (such as match protocol http). The errors do not occur until the policy-map is attached to the interface.
Workaround: Reboot the router and detach the service policy containing Network-Based Application Recognition (NBAR) from all interfaces. After the router has rebooted, reattach the service policy. Save a copy of the configuration file with the service policy detached from the interface in case the router reboots inadvertently because of an accidental power failure.
Open Caveats—Cisco IOS Release 12.1(11b)E3
This section documents possible unexpected behavior by Cisco IOS Release 12.1(11b)E3 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(11b)E3.
Resolved Caveats—Cisco IOS Release 12.1(11b)E3
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(11b)E3. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdm71775
If you perform a write erase that erases the configuration in NVRAM, the boot variables are not changed.
Workaround: Change the boot configuration and configuration register, then save the configuration before erasing NVRAM.
•
CSCds10372
When multiple unequal cost paths exist for type 3 link state advertisements (LSAs), the shortest path first calculation might trigger an unnecessary route flap in the routing table for these LSAs.
There are no known workarounds.
•
CSCdt21533
When the network address translation (NAT) pool is configured with subranges, the subranges do not take effect.
There are no known workarounds.
•
CSCdu08686
A Cisco 7206VXR router that is running the Open Shortest Path First (OSPF) protocol and acting as a designated router (DR) will generate router link states but may fail to generate network link states for a connected network. The OSPF neighbors come up correctly on all routers in the network.
Workaround: Set the priority on the interface to 0 so that the router is not the DR for that link.
•
CSCdv47664
The online insertion and removal (OIR) of a Versatile Interface Processor (VIP) in a Cisco 7500 series router may cause Cisco Express Forwarding (CEF) to become disabled on VIP cards in other slots.
Workaround: Enter the microcode reload global configuration command after a failed OIR.
•
CSCdv72547
A Cisco router may reload if Netflow is sending packets that are locally generated through a tunnel. This condition does not affect fast switching.
Workaround: Disable Cisco Express Forwarding (CEF).
•
CSCdw50296
A Cisco 7200 series router that is configured with data-link switching plus (DLSw+) Routing Information Field (RIF) passthru peers may reload under the following conditions:
–
The reachability for a given MAC address has at least two local physical interfaces.
–
The DLSw reachability cache is in the VERIFY state.
–
The combined local and remote RIF length exceeds the maximum transmission hops that are allowed in a RIF.
Workaround: Perform the following steps:
1) Ensure that the combined RIF length does not exceed seven hops.
2) Configure both ends of the RIF passthru peer on the physical Token Ring interfaces using the following interface configuration commands:
source-bridge max-hops 3
source-bridge max-in-hops 3
These commands limit the maximum number of hops from each end of the physical Token Ring interface to three hops. An additional fourth hop is used for the virtual ring. This configuration keeps the combined RIF length to within seven hops.
3) Ensure that the verify timer is larger than the cache timeout to avoid entering the VERIFY state. Issue the following commands in global configuration mode:
dlsw timer sna-verify-interval 1200
dlsw timer netbios-verify-interval 1200
These commands set the verify interval to 20 minutes (the default cache timeout is 16 minutes, or 960 seconds). This configuration prevents the router from entering the VERIFY state. The cache entry is deleted before the router can perform a VERIFY operation.
•
CSCdw58350
When running a Cisco IOS release that contains the fix for CSCdu18397, the KRTT (Karn's Round Trip Time) is not bounded to RTTO*2**5. When there are retransmissions occurring between the Transmission Control Protocol (TCP) endpoints, the KRTT value can get excessively large and the TCP connection will drop.
This issue seems to affect data-link switching (DLSw) frequently. The DLSw peers sporadically drop.
There are no known workarounds.
•
CSCdw61094
A Cisco router that is running Cisco IOS Release 12.1(12) displays the following traceback messages and reloads after the clear cdp table privileged EXEC command is issued:
%ALIGN-3-TRACE: -Traceback= 604E42A0 604E39EC 604E37B0 604E32B0 6026BDE4 60277FCC 602C90F4 602C90E0
%ALIGN-3-TRACE: -Traceback= 604E42CC 604E39EC 604E37B0 604E32B0 6026BDE4 60277FCC 602C90F4 602C90E0
%ALIGN-3-TRACE: -Traceback= 604E42D0 604E39EC 604E37B0 604E32B0 6026BDE4 60277FCC 602C90F4 602C90E0
There are no known workarounds.
•
CSCdw61739
A PA-MC-STM1 port adapter, when configured for framed or unframed mode, sees numerous aborts in some of the channels.
Workaround: Follow the steps below:
1.) Configure network payload loopback on the E1 channel where the problem exists.
2.) Configure another E1 channel on another System Processing Engine (SPE).
3.) Unconfigure the payload loopback.
•
CSCdx06621
A Cisco router that is running Cisco IOS Release 12.1(13) or another Cisco IOS release may reload with a bus error that is related to Open Shortest Path First (OSPF).
There are no known workarounds.
•
CSCdx33019
A router may crash during withdrawal of two paths to the same destination network.
There are no known workarounds.
•
CSCdx46554
A route map that has the match nlri unicast multicast command is broken into two route maps, one with the original route-map tag and the other with "_mcast" extended.
This issue occurs on a Cisco router when an old route map format is changed to the new route map format, and if a named community list or an extended community list is configured. This translation can be automatically done or user initiated if the bgp upgrade-cli router configuration command is available.
The router may reload if the write terminal privileged EXEC command, the show running-config privileged EXEC command, or the show route-map privileged EXEC command is issued after the original route map is deleted.
Workaround: Delete the match nlri unicast multicast route-map configuration command from the startup-config file, or avoid deleting the original route map after the system is loaded.
Alternate Workaround: Do not issue the bgp upgrade-cli router configuration command.
•
CSCin01252
On a Cisco 7200 series router that has a port adapter (PA-T3, PA-E3, or PA-H), a Network Processing Engine (NPE-400) or a Network Service Engine-1 (NSE-1) may experience a line protocol flap or go down in high traffic conditions.
Workaround: Use an NPE-300 or dual interface versions of the port adapters mentioned above.
•
CSCuk27400
The physical interface input counters are not incremented for packets received on a tunnel interface with Cisco Express Forwarding (CEF) switching.
There are no known workarounds.
•
CSCuk27669
Entering the show ip cef EXEC command may cause a Cisco router to reload if load-shared paths change while the command executes.
There are no known workarounds.
Open Caveats—Cisco IOS Release 12.1(11b)E1
This section documents possible unexpected behavior by Cisco IOS Release 12.1(11b)E1 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(11b)E1.
Resolved Caveats—Cisco IOS Release 12.1(11b)E1
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(11b)E1. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdr69622
On a Cisco router, the Point-to-Point Protocol (PPP) fails to come up on a leased line over a Basic Rate Interface (BRI) circuit configured with encap ppp. Other encap configurations, such as hdlc and fr, work.
Workaround: Configure encap hdlc first, then no encap hdlc, followed by encap ppp. After this, PPP comes up fine.
•
CSCds76545
On a Cisco router, an Integrated Services Digital Network (ISDN) trap is not generated after a call is connected. The following ISDN objects are affected:
–
demandNbrLastDuration
–
demandNbrClearReason
–
demandNbrCallOrigin
–
demandNbrClearCode
–
demandNbrLogIf
–
demandNbrName
–
demandNbrAddress
There are no known workarounds.
•
CSCdu70661
On a Cisco AS5800 universal access server that is running Cisco IOS Release 12.1(5)XM4, all channels except the 24th channel of the primary Non-Facility Associated Signaling (NFAS) may become stuck in the "out of service" channel service state after the Cisco AS5800 access server is provisioned to use Signaling System 7 (SS7) interconnect for voice gateways services for the first time.
Workaround: Reload the Cisco AS5800 access server or enter the shutdown followed by the no shutdown interface configuration commands on the T3 controller or the individual T1 controllers.
•
CSCdv39542
The bridge on a Cisco 7200 series router may learn a source MAC from Cisco Discovery Protocol (CDP) packets.
Workaround: Disable CDP on the peer interfaces.
•
CSCdu39621
A Cisco 7200 series router running Cisco IOS Release 12.1(5)T1 constantly displays the following messages:
May 24 12:19:08 JST: WFQ :Rcvd incorrectly initialized packet Conv: 4, Linktype: bridge, Flags 9000000, fr_flags 0, Pool: Middle
May 24 12:19:08 JST: -Traceback= 6067F9F8 6067F878 60687614 60C54808 60C50CD8 606B65E4 606B65D0
May 24 12:34:06 JST: WFQ :Rcvd incorrectly initialized packet Conv: 4, Linktype: bridge, Flags 9000000, fr_flags 0, Pool: Middle
May 24 12:34:06 JST: -Traceback= 6067F9F8 6067F878 60687614 60C54808 60C50CD8 606B65E4 606B65D0
May 24 13:25:59 JST: WFQ :Rcvd incorrectly initialized packet Conv: 4, Linktype: bridge, Flags 9000000, fr_flags 0, Pool: Middle
May 24 13:25:59 JST: -Traceback= 6067F9F8 6067F878 60687614 60C54808 60C50CD8 606B65E4 606B65D0
May 24 13:49:03 JST: WFQ :Rcvd incorrectly initialized packet Conv: 4, Linktype: bridge, Flags 9000000, fr_flags 0, Pool: Middle
May 24 13:49:03 JST: -Traceback= 6067F9F8 6067F878 60687614 60C54808 60C50CD8 606B65E4 606B65D0
May 24 14:16:59 JST: WFQ :Rcvd incorrectly initialized packet Conv: 4, Linktype: bridge, Flags 9000000, fr_flags 0, Pool: Middle
May 24 14:16:59 JST: -Traceback= 6067F9F8 6067F878 60687614 60C54808 60C50CD8 606B65E4 606B65D0
There are no known workarounds.
•
CSCdu42683
On a Cisco router, all voice platforms for which call fallback mechanism is enabled may have some calls rejected.
There are no known workarounds.
•
CSCdv38764
On a Cisco router, when a file transfer is initiated from a front-end processor (FEP) that is attached to a Cisco 7204 router and destined to an FEP that is attached to a Cisco 2612 router, the show tcp EXEC command does not show retransmitted packets or that the retransmission timeout timer is waking up. Several acknowledgements (ACKs) and a large number of "fast transmitted" packets are shown on the Cisco 7204 when the show tcp brief [all] EXEC command is entered.
This condition occurs when the Cisco 7204 FEP and the Cisco 2612 FEP are connected through a Fast Ethernet (FE) connection with equal cost and with the Enhanced Interior Gateway Routing Protocol (EIGRP) enabled.
Workaround: Eliminate equal cost network paths.
•
CSCdv45401
The logger on a Cisco router will show the following message once every minute:
fr_oqueue: Invalid datagramstart 36F5438 F, pak dropped
The hex value varies.
This issue occurs when using Inverse Address Resolution Protocol (ARP) with priority Data-Link Connection Identifiers (DLCIs) when the priority DLCI (which Inverse ARP uses) is INACTIVE or DELETED. The tracebacks stop when the DLCI becomes ACTIVE again.
There are no known workarounds.
•
CSCdv56289
When running Cisco IOS Release 12.0(x) on a Cisco router, flapping may occur even though there is no traffic if dialer load-threshold 1 is configured without multilink PPP. When this happens, the dialing cause will be shown as "rotary group to LDN overloaded" if the debug dialer is enabled.
Workaround: Configure multilink PPP.
•
CSCdw01295
On a Cisco 7500 series router, an Area Border Router (ABR)/Autonomous System Border Router (ASBR) may try to generate a type-4 summary link-state advertisement (LSA) about itself with LSInfinity (0xFFFFFF) metric. This issue is a temporary condition.
There are no known workarounds.
•
CSCdw35985
On a Cisco router, the Enhanced Interior Gateway Routing Protocol (EIGRP) may cause an unexpected system reload at the igrp2_bandwidth_changed process.
There are no known workarounds.
•
CSCdw63627
On Cisco IOS Release 12.1E, deleting an element of a named access control list (ACL) that was configured within a crypto map may cause the router to reload unexpectedly.
Workaround: Delete the crypto map, edit the ACL, and then reenter the crypto map.
•
CSCdw76955
On a Cisco 7200 series router, any i8254-based port adapter or I/O controller card can experience spurious resets when higher layer protocols add/remove hardware MAC addresses, add/remove interfaces/subinterfaces, or change an interface's characteristics (IP addresses, and so on). These spurious resets may cause link flaps and protocol flaps (of the Hot Standby Routing Protocol (HSRP), Open Shortest Path First (OSPF), Enhanced Interior Gateway Routing Protocol (EIGRP)).
There are no known workarounds.
•
CSCdw83487
Cisco IOS Release 12.1E currently is incompatible with boot helper images from the mainline release because it does not reset the BSI counter introduced by CSCdw83487. The effect is that the system image that the router attempts to boot will be out of sequence with what the user specified.
There are no known workarounds other than to manually unset the BSI counter in ROMMON.
•
CSCdw88469
On a Cisco router, the IOS Server Load Balancing command ip slb natpool is not accepted upon reload if the initial allocation or maximum allocation of client network address translation (NAT) address entities is configured. This allocation is configured using the entries keyword.
Workaround: Enter the ip slb natpool commands without configuring parameters with the entries keyword.
•
CSCdw93826
On a Cisco 7200 series router, quality of service (QoS) pre-classification may not work with the VPN Acceleration Module (VAM) encryption card.
There are no known workarounds.
Open Caveats—Cisco IOS Release 12.1(11b)E
This section documents possible unexpected behavior by Cisco IOS Release 12.1(11b)E and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(11b)E.
Resolved Caveats—Cisco IOS Release 12.1(11b)E
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(11b)E. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdv40707
On a Cisco router, the current implementation of Cisco IOS software is not fully compliant with RFC 2547bis. RFC 2547bis describes the procedures that must be implemented for specific extended communities when route attributes are passed from a customer edge (CE) router to a provider edge (PE) router. This DDTS enforces those procedures. The CE router may suggest a particular route target for each route from the route targets that the PE router is authorized to attach to the route. The PE router would then attach only the suggested route target rather than the full set. This situation gives the CE administrator some dynamic control of the distribution of routes from the CE.
With the current Cisco IOS software, the PE router allows the CE router to attach route targets in an update without verifying that they are a subset of route targets to which the VPN routing and forwarding instance (VRF) attaches. This condition causes the routes to end up in a VRF instance when they are not supposed to.
Workaround: Configure the VRF route map on the PE router to overwrite the extended community attribute to avoid the leakage of routes to other VRFs.
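The check described for CSCdv40707, as an added Python model that is not Cisco code: the PE keeps a CE-suggested route target only if it is in the set the VRF is authorized to attach. The VRF names, route-target values and the fallback to the full authorized set when no suggestion survives are assumptions made for this illustration.

```python
import re
from dataclasses import dataclass, field

# Simplified to the "ASN:number" route-target form (2-byte ASN, 4-byte number).
_RT_RE = re.compile(r"^(\d{1,5}):(\d{1,10})$")


def parse_rt(text):
    """Parse 'ASN:number' into an (asn, number) tuple; reject malformed values."""
    m = _RT_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed route target: {text!r}")
    asn, num = int(m.group(1)), int(m.group(2))
    if asn > 0xFFFF or num > 0xFFFFFFFF:
        raise ValueError(f"route target out of range: {text!r}")
    return (asn, num)


@dataclass(frozen=True)
class Vrf:
    name: str
    export_rts: frozenset  # route targets the PE is authorized to attach
    import_rts: frozenset  # route targets this VRF imports


def make_vrf(name, export, imports):
    return Vrf(name, frozenset(map(parse_rt, export)), frozenset(map(parse_rt, imports)))


@dataclass
class CeUpdate:
    prefix: str
    suggested_rts: list = field(default_factory=list)


def attach_unchecked(vrf, update):
    """Behaviour the caveat describes: CE-supplied targets are attached as sent."""
    if update.suggested_rts:
        return {parse_rt(rt) for rt in update.suggested_rts}
    return set(vrf.export_rts)


def attach_checked(vrf, update):
    """Attach only suggested targets that are a subset of the authorized set.

    Returns (attached, rejected). Falling back to the full authorized set when
    nothing valid was suggested is an assumption of this model.
    """
    accepted, rejected = set(), []
    for raw in update.suggested_rts:
        try:
            rt = parse_rt(raw)
        except ValueError:
            rejected.append(raw)
            continue
        if rt in vrf.export_rts:
            accepted.add(rt)
        else:
            rejected.append(raw)
    if not accepted:
        accepted = set(vrf.export_rts)
    return accepted, rejected


def importing_vrfs(attached, vrfs):
    """Names of the VRFs that would import a route carrying these targets."""
    return sorted(v.name for v in vrfs if v.import_rts & attached)


# Constructed sample data (not taken from any real network).
CUST_A = make_vrf("cust-a", ["65000:100", "65000:101"], ["65000:100", "65000:101"])
CUST_B = make_vrf("cust-b", ["65000:200"], ["65000:200"])
# The CE attached to cust-a suggests one authorized target and one that
# belongs to another customer's VRF.
UPDATE = CeUpdate("10.1.1.0/24", ["65000:101", "65000:200"])

if __name__ == "__main__":
    vrfs = [CUST_A, CUST_B]
    print("unchecked ->", importing_vrfs(attach_unchecked(CUST_A, UPDATE), vrfs))
    attached, rejected = attach_checked(CUST_A, UPDATE)
    print("checked   ->", importing_vrfs(attached, vrfs), "rejected:", rejected)
```

The rejected list is what a PE operator would want logged or counted per CE session, since a non-empty value means the CE sent a route target outside its VRF's authorized set.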
•
CSCdv43931
When configuring a reflexive access control list with no timeout value on a Cisco router, the default value is 5 minutes (300 seconds). But when some packets are passed and a reflexive entry is created, the default value shows the wrong "time left" value.
There are no known workarounds.
•
CSCdw46349
On a Cisco 7500 series router running Cisco IOS Release 12.2(8)T, distributed Network-Based Application Recognition (dNBAR) classification of stateful and bidirectional traffic across Versatile Interface Processors (VIPs) may not work.
There are no known workarounds.
•
CSCdw55122
On a Cisco 7500 series router, Real-Time Transport Protocol (RTP) distributed Network-Based Application Recognition (dNBAR) classification may not work after the router is reloaded.
Workaround: To restore RTP to a working condition, remove and recreate the RTP classes.
•
CSCdw61236
A Cisco 7200 series router running IPSec might not evaluate the crypto access control list properly when fast switching is turned on at the same interface on which the crypto map is applied.
There are no known workarounds.
•
CSCdw67204
Server Load Balancing (SLB) is walking on freed memory.
This issue occurs when SLB reals, which are in use by an SLB virtual server (vserver) running sticky radius framed-ip, are removed from a serverfarm.
Workaround: To avoid this caveat, bring the vserver out of service before removing reals from a serverfarm. Or, simply place reals in a "no inservice" state rather than remove them.
•
CSCdw73868
A Cisco 7200 series router booting with a crypto image crashes if crypto hardware is present. The router may also unexpectedly reload when IOS switches between software and hardware crypto engines when the Internet Key Exchange (IKE) is negotiating IPSec tunnels.
There are no known workarounds.
•
CSCuk30474
A line card may be stuck in an off-for-download state on a Cisco 7500 series router. This condition is indicated by the output of the show cef linecard EXEC command, and is caused by an interprocess communication (IPC) error with another line card during the Forwarding Information Base (FIB) table download process.
There are no known workarounds.
Open Caveats—Cisco IOS Release 12.1(10)E8
This section documents possible unexpected behavior by Cisco IOS Release 12.1(10)E8 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(10)E8.
Resolved Caveats—Cisco IOS Release 12.1(10)E8
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(10)E8. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdw26306
If the write memory EXEC command is issued simultaneously with the show config privileged EXEC command or the show running-config EXEC command using two individual Telnet sessions by two different users, output similar to the following may be displayed:
bGc nx^@^@^@^A^A^A^@^@^A^@^@^E\^@^@^@^@^@^@^@^@^@^@^^@^@^@^@^@^@^@^A^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^
This symptom is observed on a Cisco 7500 series router that is running Cisco IOS Release 12.1(10)E.
There are no known workarounds.
•
CSCdx37849
A device that is running Cisco IOS software may reload when a command is issued to display a file that contains certain character patterns.
This issue occurs if the file in question has a very large line. This line may have a very large continuous set of characters without any newline characters and is most likely corrupted.
There are no known workarounds.
Open Caveats—Cisco IOS Release 12.1(10)E7
This section documents possible unexpected behavior by Cisco IOS Release 12.1(10)E7 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(10)E7.
Resolved Caveats—Cisco IOS Release 12.1(10)E7
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(10)E7. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdv84788
A Cisco 7500 series router with a Versatile Interface Processor (VIP) may reload or record spurious access after class maps are configured for Frame Relay.
There are no known workarounds.
•
CSCdw63931
On a Cisco 7500 series router running Cisco IOS Release 12.1(10)E, distributed Network-Based Application Recognition (dNBAR) does not work due to External Data Representation (XDR) failures.
There are no known workarounds.
•
CSCdw73810
A Cisco 7500 series router performing a show run may encounter problems with the subinterface being in the wrong place. For example:
interface Serial9/0/3:1
 no ip address
 encapsulation frame-relay IETF
 frame-relay lmi-type q933a
 frame-relay intf-type dce
!
interface Serial8/1/4:1.16 point-to-point
 ip unnumbered Loopback1
 frame-relay class frts-set_default_ipTOS
 frame-relay interface-dlci 16
!
Note that the interface Serial8/1/4:1.16 is after the interface Serial9/0/3:1 in the above configuration. If the configuration is written to memory and the router is reloaded, the interface Serial8/1/4:1.16 will be disabled.
There are no known workarounds.
Open Caveats—Cisco IOS Release 12.1(10)E6
This section documents possible unexpected behavior by Cisco IOS Release 12.1(10)E6 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(10)E6.
Resolved Caveats—Cisco IOS Release 12.1(10)E6
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(10)E6. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdr69622
On a Cisco router, the Point-to-Point Protocol (PPP) fails to come up on a leased line over a Basic Rate Interface (BRI) circuit configured with encap ppp. Other encap configurations, such as hdlc and fr, work.
Workaround: Configure encap hdlc first, then no encap hdlc, followed by encap ppp. After this, PPP comes up fine.
•
CSCds76545
On a Cisco router, an Integrated Services Digital Network (ISDN) trap is not generated after a call is connected. The following ISDN objects are affected:
–
demandNbrLastDuration
–
demandNbrClearReason
–
demandNbrCallOrigin
–
demandNbrClearCode
–
demandNbrLogIf
–
demandNbrName
–
demandNbrAddress
There are no known workarounds.
•
CSCdu39621
A Cisco 7200 series router running Cisco IOS Release 12.1(5)T1 constantly displays the following messages:
May 24 12:19:08 JST: WFQ :Rcvd incorrectly initialized packet Conv: 4, Linktype: bridge, Flags 9000000, fr_flags 0, Pool: Middle
May 24 12:19:08 JST: -Traceback= 6067F9F8 6067F878 60687614 60C54808 60C50CD8 606B65E4 606B65D0
May 24 12:34:06 JST: WFQ :Rcvd incorrectly initialized packet Conv: 4, Linktype: bridge, Flags 9000000, fr_flags 0, Pool: Middle
May 24 12:34:06 JST: -Traceback= 6067F9F8 6067F878 60687614 60C54808 60C50CD8 606B65E4 606B65D0
May 24 13:25:59 JST: WFQ :Rcvd incorrectly initialized packet Conv: 4, Linktype: bridge, Flags 9000000, fr_flags 0, Pool: Middle
May 24 13:25:59 JST: -Traceback= 6067F9F8 6067F878 60687614 60C54808 60C50CD8 606B65E4 606B65D0
May 24 13:49:03 JST: WFQ :Rcvd incorrectly initialized packet Conv: 4, Linktype: bridge, Flags 9000000, fr_flags 0, Pool: Middle
May 24 13:49:03 JST: -Traceback= 6067F9F8 6067F878 60687614 60C54808 60C50CD8 606B65E4 606B65D0
May 24 14:16:59 JST: WFQ :Rcvd incorrectly initialized packet Conv: 4, Linktype: bridge, Flags 9000000, fr_flags 0, Pool: Middle
May 24 14:16:59 JST: -Traceback= 6067F9F8 6067F878 60687614 60C54808 60C50CD8 606B65E4 606B65D0
There are no known workarounds.
•
CSCdv28626
On a Cisco 7500 series router, Asynchronous Transfer Mode (ATM) virtual circuit (VC) counters are not correctly incremented on a PA-A1-OC3MM in Cisco IOS Release 12.1(7a)E2. This issue causes the subinterface counter to show a wrong value because the value of the subinterface counters is the sum of the counters of VCs configured under it.
There are no known workarounds.
•
CSCdv37257
On a Cisco router, if a VPN routing and forwarding instance (VRF) Cisco Express Forwarding (CEF) entry recurses through an identical CEF entry in the global routing table, and the latter has multiple paths to the destination or CEF accounting is enabled, then deleting the CEF entry in the VRF could result in the following:
VXR-4#sho ip cef 1.1.1.1
1.1.1.1/32, version 25, per-destination sharing
0 packets, 0 bytes
tag information set
local tag: 18
via 0.0.0.0, Tunnel100, 0 dependencies
traffic share 1
next hop 0.0.0.0, Tunnel100
valid adjacency
tag rewrite with Tu100, point2point, tags imposed: {}
via 0.0.0.0, Tunnel101, 1 dependency
traffic share 1
next hop 0.0.0.0, Tunnel101
valid adjacency
tag rewrite with Tu101, point2point, tags imposed: {}
0 packets, 0 bytes switched through the prefix
tmstats: external 0 packets, 0 bytes
internal 0 packets, 0 bytes
Load sharing information NOT-OK. (refcount 2)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Workaround: Do not advertise that the /32 originates the Multiprotocol Border Gateway Protocol (MP-BGP) updates in a VRF.
•
CSCdv45401
The logger on a Cisco router will show the following message once every minute:
fr_oqueue: Invalid datagramstart 36F5438 F, pak dropped
The hex value varies.
This issue occurs when using Inverse Address Resolution Protocol (ARP) with priority Data-Link Connection Identifiers (DLCIs) when the priority DLCI (which Inverse ARP uses) is INACTIVE or DELETED. The tracebacks stop when the DLCI becomes ACTIVE again.
There are no known workarounds.
•
CSCdv56289
When running Cisco IOS Release 12.0(x) on a Cisco router, flapping may occur even though there is no traffic if dialer load-threshold 1 is configured without multilink PPP. When this happens, the dialing cause will be shown as "rotary group to LDN overloaded" if the debug dialer is enabled.
Workaround: Configure multilink PPP.
•
CSCdv57479
On a Cisco 7500 series router, when users configure a VPN routing and forwarding instance (VRF) and the ip unnumbered type number interface configuration command under the Point-to-Point Protocol (PPP) subinterface, the Data-Link Connection Identifier (DLCI) under that subinterface changes, which causes ping failure even when the DLCI is active.
Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the provider edge (PE) router.
•
CSCdv72547
A Cisco router may reload if Netflow is sending packets that are locally generated through a tunnel. This condition does not affect fast switching.
Workaround: Disable Cisco Express Forwarding (CEF).
•
CSCdw01295
On a Cisco 7500 series router, an Area Border Router (ABR)/Autonomous System Border Router (ASBR) may try to generate a type-4 summary link-state advertisement (LSA) about itself with the LSInfinity (0xFFFFFF) metric. This issue is a temporary condition.
There are no known workarounds.
•
CSCdw31637
On a Cisco 7500 router, misalign/spurious access is detected on the Versatile Interface Processor (VIP) at hqf_get_policymap().
There are no known workarounds.
•
CSCdw76955
On a Cisco 7200 series router, any i8254-based port adapter or I/O controller card can experience spurious resets when higher layer protocols add/remove hardware MAC addresses, add/remove interfaces/subinterfaces, or change an interface's characteristics (IP addresses, and so on). These spurious resets may cause link flaps and protocol flaps (of the Hot Standby Routing Protocol (HSRP), Open Shortest Path First (OSPF), Enhanced Interior Gateway Routing Protocol (EIGRP)).
There are no known workarounds.
Open Caveats—Cisco IOS Release 12.1(10)E5
This section documents possible unexpected behavior by Cisco IOS Release 12.1(10)E5 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(10)E5.
Resolved Caveats—Cisco IOS Release 12.1(10)E5
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(10)E5. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdw65903
An error can occur with management protocol processing. Refer to the following URL for further information:
http://www.cisco.com/pcgi-bin/bugtool/onebug.pl?bugid=CSCdw65903.
Open Caveats—Cisco IOS Release 12.1(10)E4
This section documents possible unexpected behavior by Cisco IOS Release 12.1(10)E4 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(10)E4.
Resolved Caveats—Cisco IOS Release 12.1(10)E4
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(10)E4. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdw65903
An error can occur with management protocol processing. Refer to the following URL for further information:
http://www.cisco.com/pcgi-bin/bugtool/onebug.pl?bugid=CSCdw65903.
Open Caveats—Cisco IOS Release 12.1(10)E3
This section documents possible unexpected behavior by Cisco IOS Release 12.1(10)E3 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(10)E3.
Resolved Caveats—Cisco IOS Release 12.1(10)E3
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(10)E3. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdv67410
A Cisco 7200 VXR series router using any unchannelized serial port adapter (PA) and any processor other than the Network Processing Engine (NPE-300) may experience line flaps at high traffic rates and display the following message:
MUESLIX-1-HALT: Mx serial: Serial6/0 TPU halted: cause 0x3 status 0x00371A00
Carrier transitions and wedged output queues may also occur. This condition affects the following port adapters:
–
PA-T3
–
PA-2T3
–
PA-T3+
–
PA-2T3+
Multichannel port adapters such as the PA-MC-T3 or the PA-MC-2T3+ are not affected. This condition affects only the Cisco 7200 VXR series router.
There are no known workarounds.
•
CSCdw32990
A Cisco 7200 series router may reload unexpectedly if the access-list entry in use by a crypto map, which has been applied to the interface (P), is removed.
There are no known workarounds.
Open Caveats—Cisco IOS Release 12.1(10)E2
This section documents possible unexpected behavior by Cisco IOS Release 12.1(10)E2 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(10)E2.
Resolved Caveats—Cisco IOS Release 12.1(10)E2
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(10)E2. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdu80794
The Label Distribution Protocol (LDP) fails to come up on a Cisco 7200 series router running Cisco IOS Release 12.0(15.6)ST3.
Workaround: Enter the shut/no shut command on the Fast Ethernet interface.
•
CSCdv16277
A Cisco router running Cisco IOS Release 12.1(10.1) or a later release with data-link switching (DLSw) and Ethernet Redundancy (ER) may reload unexpectedly.
There are no known workarounds.
•
CSCdv38171
A Cisco 8-port serial port adapter (PA-8T) interface may sometimes flap under a heavy load if it is configured to receive a clock rate of more than 2015232 bps and all the serial ports of a Mx serial application-specific integrated circuit (ASIC) (MUESLIX) controller (either 0 through 3 or 4 through 7) are in use.
Workaround: Configure clock rates that are less than or equal to 2015232 bps at the provider end.
•
CSCdv47664
The online insertion and removal (OIR) of a Versatile Interface Processor (VIP) in a Cisco 7500 series router may cause Cisco Express Forwarding (CEF) to become disabled on VIP cards in other slots.
Workaround: Enter the microcode reload global configuration command after a failed OIR.
•
CSCdv73038
On a Cisco 7500 series router with Virtual Private Networks (VPN) and channelized E1 used in the core, a virtual private network (VPN) ping fails if the packet size is greater than 1496.
There are no known workarounds.
•
CSCdv75083
A Cisco 7500 series router with a service-policy on a Versatile Interface Processor (VIP) interface may not work after a microcode reload.
Workaround: Reattach the service policy to the interface.
•
CSCdv85419
Under rare conditions, two routers running Cisco IOS Release 12.1(8a)E5 become stuck in active while waiting for the neighboring Multilayer Switch Feature Card (MSFC) to reply to an Enhanced Interior Gateway Routing Protocol (EIGRP) query. The problem condition seems to occur when the MSFCs receive first a query with a worse metric and then a query with an infinite metric. The condition clears after MSFCs run through the default 3-minute stuck-in-active (SIA) timer.
There are no known workarounds.
•
CSCdw08796
A Cisco 7500 series router may crash when a crypto map is applied to an interface.
This issue occurs on all platforms except Cisco 7200 series routers.
There are no known workarounds.
•
CSCdw11352
On a Cisco 7140 router running C7100-IK2O3S-M 12.1(10)E, the watchdog timer may run out after reboot if the XML Subscription Manager (XSM) historian is enabled for the Embedded Device Manager (EDM) or VPN Device Manager (VDM).
Workaround: Disable the XSM historian (no xsm history edm, no xsm history vdm).
•
CSCdw18116
On a Cisco 7200 series router, an interface of a PA-MC-T1 or PA-MC-E1 port adapter may experience an Output Stuck condition, especially when configured in Primary Rate Interface (PRI) mode.
There are no known workarounds.
•
CSCdw20980
When you perform online insertion and removal (OIR) of a Versatile Interface Processor (VIP) in a Cisco 7500 router or use the Single Linecard Reload (SLCR) feature following a VIP crash, if static routes are defined that point out interfaces on the failed VIP, traffic using those static routes may fail. The static routes include those defined within a Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) VPN routing and forwarding instance (VRF).
Workaround: Enter the clear cef linecard adjacency command.
Open Caveats—Cisco IOS Release 12.1(10)E1
This section documents possible unexpected behavior by Cisco IOS Release 12.1(10)E1 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(10)E1.
Resolved Caveats—Cisco IOS Release 12.1(10)E1
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(10)E1. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdu37163
On a Cisco router, when Internet Key Exchange (IKE) keepalives are not used, the IPsec security associations (SAs) are deleted when the IKE SA gets deleted.
There are no known workarounds.
•
CSCdu44335
The Transmission Control Protocol (TCP) port remains open even after tag-switching is disabled on the router, both at the interface level and the global level.
This issue occurs because the Tag Distribution Protocol (TDP) uses the TCP port 711 for communication between TDP peers. This port is enabled on a router by default in Cisco IOS Release 12.1. The port becomes active once tag-switching is enabled on a single interface.
Workaround: Reload the router to close the TCP port.
•
CSCdu66913
On a Cisco 7500 series router, a Fast Serial Interface Processor (FSIP) interface link flap can cause excessive drops of multicast traffic.
This issue occurs after a shut/no shut of the interface; regular IP traffic is switched without being affected.
Workaround: Disable Weighted Fair Queuing (WFQ). Note that adjusting the hold-queue has no added benefit in this case.
•
CSCdv12409
On a Cisco 7500 series router, online insertion and removal (OIR) of a line card with OC12 PA causes interprocess communication (IPC) failures on all other Versatile Interface Processors (VIPs).
There are no known workarounds.
•
CSCdv22766
On a Cisco 7500 series router, the VIP-3-BADMALUCMD message from CSCdv01729 is also seen in Cisco IOS Release 12.1(10) when the Packet-over-SONET (POS) interface state is changed.
There are no known workarounds.
•
CSCdv30229
When a Cisco 7100 series router is reloaded with the crypto configurations, it gives continuous traceback messages after booting.
There are no known workarounds.
•
CSCdv43186
On a Cisco 7200 series router, after doing shut and no shut on the interface running Fast Switching, some of the route cache entries of directly connected hosts are not created correctly and cause network connectivity issues. This issue has been fixed by invalidating a certain range of wrong route cache entries that can be generated from default route when the interface is not actually up.
There are no known workarounds.
•
CSCdv56330
On a Cisco 7200 series router, the carrier-delay [seconds] interface configuration command should prevent an interface from being declared as down before the delay timer expires. This expected behavior does not always occur.
Workaround: To keep a list of present routes on the routing table, use a static route of null0 and a higher administrative distance such as ip route 10.10.1.1 255.255.2550 null0 250.
Open Caveats—Cisco IOS Release 12.1(10)E
This section documents possible unexpected behavior by Cisco IOS Release 12.1(10)E and describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCds39413
A Cisco 7200 series router with traffic on an outgoing Asynchronous Transfer Mode (ATM) interface will stop forwarding traffic after about a week of operation. This may be due to a memory leak.
There are no known workarounds.
•
CSCdu74238
A Cisco 7200 series router with VPN Acceleration Module (VAM) and IPSec traffic may unexpectedly reload with a bus error under heavy traffic and CPU load.
There are no known workarounds.
Resolved Caveats—Cisco IOS Release 12.1(10)E
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(10)E. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdm67069
On a Cisco router, the duplicate definition in the file atm/ilmi_private.h, which redefines the interface to snmp_platform_get_oid(), is now out of date and needs to be removed. If the duplicate definition is required by some file, then that file should include snmp/snmp_platform_api.h, where the actual definition lives.
There are no known workarounds.
•
CSCdm93537
A Cisco 7200 series router may experience spurious memory access in the CmpOIDClass function.
Workaround: Invoke the CmpOIDClass function only after checking whether the parameters passed to it are non-null so that illegal references can be avoided. If the parameters are null, an appropriate error code is returned from the function calling CmpOIDClass.
There are no known workarounds.
•
CSCdr31946
A Cisco router that is running Enhanced Interior Gateway Routing Protocol (EIGRP) with the stub feature on might have a route that is active and not waiting for replies. This situation only occurs in networks where all of the EIGRP neighbors are declared as stub.
Workaround: Remove the EIGRP stub feature or clear the IP EIGRP neighbors.
•
CSCds08358
A Cisco 7500 series router with an Enhanced Gigabit Ethernet Interface Processor (GEIP+) may return a wrong cardtype on the Simple Network Management Protocol (SNMP). The GEIP+ should return a value of 199, but in this situation, the GEIP+ returns the value of 427, which is the card type for a Gigabit Ethernet port adapter (PA-GE).
There are no known workarounds.
•
CSCds15260
On a Cisco 7500 series router, no output drop in the show interface will be reported when packets are dropped by rx-buffering on another Versatile Interface Processor (VIP). This only occurs on congested 7500 interfaces with First In First Out (FIFO) queueing configured.
Workaround: Configure any type of queueing strategy other than FIFO.
•
CSCds54594
A Cisco router with Cisco Discovery Protocol will not function properly when used on Fast Ethernet channel interfaces between Cisco 7500 series and 7200 series routers.
There are no known workarounds.
•
CSCdt23900
On a Cisco 7100 series router, when a Spatial Reuse Protocol (SRP) span runs over a protected infrastructure (such as protected SONET/SDH rings or protected WDM), both the underlying infrastructure protection and the SRP protection are likely to be triggered in case of a failure.
There are no known workarounds.
•
CSCdt43958
A Cisco router with Internetwork Packet Exchange (IPX) Enhanced Interior Gateway Routing Protocol (EIGRP) may experience a memory leak related to IPX routing instability.
There are no known workarounds.
•
CSCdt53868
On a Cisco router, the fallbacks counter for the private particle pools in show buffer is never incremented. This is a cosmetic problem.
There are no known workarounds.
•
CSCdt64681
A Cisco router may, when the dialer neighbors are down, have 2 dialer neighbors advertise a prefix that is stuck in the topology table/routing table.
Workaround: Clear the advertised route.
•
CSCdt68097
A Cisco router transmitting a packet size smaller than the fragmentation size will reduce CPU utilization compared to previous versions.
There are no known workarounds.
•
CSCdt71082
A Cisco 7200 series router using any DS3 port adapter (PA) may experience line flaps at high rates of traffic and display the following message:
MUESLIX-1-HALT: Mx serial: Serial6/0 TPU halted: cause 0x3 status 0x00371A00
There are no known workarounds.
•
CSCdt85206
A Cisco 7200 series router running Cisco IOS Release 12.1 with a multichannel DS1/PRI port adapter (PA-MC-4T1) may experience calls that pause indefinitely. The calls that are dropped will not get reestablished.
There are no workarounds.
•
CSCdt92114
On a Cisco router, Cisco Express Forwarding (CEF) may behave inconsistently with routing protocols that use holddown to protect against suboptimal routing. A route in holddown should be used to forward traffic until routing protocol timer expiration and/or convergence.
CEF, however, removes the forwarding information from the Forwarding Information Base (FIB) immediately upon the route entering holddown. Process and fast switching will continue to forward traffic as expected.
There are no known workarounds.
•
CSCdu02728
A Cisco 7200 series router with a number of channelized interfaces configured may experience a high CPU load.
There are no known workarounds.
•
CSCdu06868
A Cisco router with an Atmsig code of FOR_ALL_SWIDBS loops may cause problems with large numbers of swidbs. The loops should be replaced with FOR_ALL_HWSB and FOR_ALL_SWIDBS_ON_HW to improve scalability.
There are no known workarounds.
•
CSCdu10692
On a Cisco router, if the no ip cef and ip cef commands are configured in very quick succession, Multiprotocol Label Switching (MPLS) ceases operating and the show mpls forwarding command reports the following message:
Tag switching is not operational. CEF or tag switching has not been enabled.
Workaround: Configure the no ip cef command, wait 2 seconds, and then configure the ip cef command.
•
CSCdu16728
A Cisco router may reload when Intermediate System-to-Intermediate System (IS-IS) is enabled.
There are no known workarounds.
•
CSCdu18336
The packets on a Cisco 7500 series router with Multiprotocol Label Switching (MPLS) Virtual Private Networks (VPN), which were received by an Asynchronous Transfer Mode (ATM) interface, do not match a class-map that has a policy-map attached as an output service-policy on Asynchronous Transfer Mode (ATM) interfaces.
There are no known workarounds.
•
CSCdu18904
A Cisco 7200 series router that is running Cisco IOS Release 12.1(6)E may experience memory allocation errors. The output of the show buffers EXEC command shows a value for normal buffers that is higher than normal.
There are no known workarounds.
•
CSCdu20990
A Cisco 7500 series router with a console session and a Telnet session open displays the output on the console session when the sh controllers vip 1 tech command is entered in the Telnet session. There is no output on the Telnet session.
There are no known workarounds.
•
CSCdu32336
On a Cisco router, Internet Key Exchange (IKE) negotiation may fail with the following error message when Rivest, Shamir, & Adleman (RSA) signatures are configured and a hardware accelerator (Integrated Services Adapter [ISA] or Chaos) is used:
01:47:36:. CryptoEngine0: calculate pkey hmac for conn id 0
01:47:36: ISAKMP (0:3): error from CRYPTO_DH_SHARED_SECRET (MM_SA_SETUP)
01:47:36: -Traceback= 616F3564 616E6384 616E6570 616E44E8 616DE7D4 616DF3A0 605B979C 605B9788
Workaround: Disable hardware acceleration.
•
CSCdu34401
A Cisco 7200 series router obtains traceback once the router is reloaded.
There are no known workarounds.
•
CSCdu40952
A Cisco 7500 series router may encounter the following error message:
%CBUS-4-FIXBADTXVC: Detected and fixed bad tx vc encap.
There are no known workarounds.
•
CSCdu47927
Data-link switching (DLSw) with fst encapsulation may not work on a Cisco router.
Workaround: Use DLSw with tcp encapsulation.
•
CSCdu51108
On a Cisco router, a NULL pointer may be dereferenced.
Workaround: Correct by proper error handling.
•
CSCdu57171
A Cisco 7200 series router with keepalives enabled may experience Internet Key Exchange (IKE) memory leakage when a delete request is sent to the IPSec process.
Workaround: Disable the keepalives.
•
CSCdu59691
A Cisco 7500 series router running rsp-jsv-mz.121-7.E may reload with a software failure similar to CSCdp74458.
Workaround: Turn off Cisco Express Forwarding (CEF).
•
CSCdu60401
On a Cisco 7500 series router, when a non-zero route is selected to replace 0.0.0.0/0 as the default route, 0.0.0.0/0 is marked down at the Forwarding Information Base (FIB). However, if route 0.0.0.0/0 is added but cannot replace an existing route as the default network, 0.0.0.0/0 is still installed in the FIB. With Cisco Express Forwarding (CEF) switching, IP packets, which are likely candidates for default network forwarding, are CEF switched using 0.0.0.0/0 instead. This behavior leads to incorrect CEF forwarding when 0.0.0.0/0 and the default network are pointing to different next hops.
Workaround: Assuming a static default route and static default network are both required to be configured, ensure that the static default route is configured before the static default network.
•
CSCdu62702
A Cisco 7100 router that is running Cisco IOS Release 12.2(2.3) may fail after a tunnel that is configured as a crypto interface is removed from a serial interface.
There are no known workarounds.
•
CSCdu68575
A Cisco 7500 series router upgrading from Cisco IOS Release 12.0(12) to 12.1(8.1b) may, upon reboot, have the vip2-40 unexpectedly reload with an arithmetic exception or sig-5 error. This problem has happened on two separate routers. Both routers were Cisco 7513 routers with RSP4s and VIP2-40 with 8-port serial cards. The tracebacks were the same in the logs, crashinfo file, and the show diag command.
There are no known workarounds.
•
CSCdu69292
A Cisco 7206VXR router that is running Cisco IOS Release 12.0(17)ST with a Gigabit Ethernet Port Adapter (PA-GE) may stop forwarding traffic after logging the receipt of giant frames or packets. The interface pauses indefinitely but continues to increment the overrun counter in the show interface gigabit command output.
Workaround: Enter the shut command in DSP configuration mode followed by the no shut command for the interface.
•
CSCdu70232
A Cisco 7500 series router running Cisco IOS Release 12.1(4)E and using an Enhanced Gigabit Ethernet Interface Processor (GEIP+) card may find that when the fibre is removed from the interface, the interface stays in the up/up state, although the show controllers command on the Versatile Interface Processor (VIP) shows up/down.
There are no known workarounds.
•
CSCdu71109
A Cisco 7100 series router that is using an integrated services adapter (ISA) card to accelerate IPSec packet transformations through any authentication header (AH) protocol (ah-sha-hmac or ah-md5-hmac) may experience an ISA microcode failure that causes the router to unexpectedly reload and display the following message:
ROM: Rebooted by watchdog hard reset
This message may be accompanied or replaced by an ISA heartbeat failure error message. The ISA microcode failure causes the ISA card to become unstable and exhibit symptoms after the ISA card starts processing IPSec packets. This problem has been observed during the very first load of ISA microcode on Cisco 7120 and 7140 routers.
Workaround: After the router reloads, enter the microcode reload all command from the router console to reload the ISA microcode. Entering this command restores the microcode to the ISA card and the correct microprocessor image. No symptoms will occur after the microcode reload all command has been entered.
•
CSCdu71380
A Data-link switching (DLSw)-Ethernet redundancy (ER) circuit may get stuck in COLLECTING when displayed using the show dlsw transparent cache command. The result is that the DLSw circuit fails to be established. Although the DLSw reachability is correct, the exchange identification (XID) is not forwarded.
Workaround: Reload both of the DLSw-ER routers. Do not use the shut command in DSP configuration mode followed by the no shut command on one of the DLSw-ER interfaces in an attempt to clear the problem, because this action causes the other DLSw-ER router to reload.
•
CSCdu72348
On a Cisco 7500 series router, if a class in a policy has a service-policy along with the feature, then changing the rate of that feature in a class does not ensure that the total rates required by features under that service-policy are met with this new modified value.
There are no known workarounds.
•
CSCdu72571
A Cisco 7206VXR router with a Network Process Engine (NPE-400) and a Gigabit Ethernet port adapter that is running Cisco IOS Release 12.0(17)S may reload with a bus error at an invalid address after receiving ALIGN-3-TRACE and FX1000-3-TOOBIG messages.
There are no known workarounds.
•
CSCdu73666
On a Cisco 7200 series router, if an outbound access list is applied to an interface that has class-based weighted fair queuing (CBWFQ) configured through a service-policy output policy-name command, outbound traffic is no longer classified into the correct class-based queues. All traffic shows up against the class-default queue. When the access list is removed, CBWFQ again classifies traffic into the correct queues.
This condition also occurs if the attached policy map does not have CBWFQ, but only policing or marking features. This condition also occurs when Multiprotocol Label Switching (MPLS) is used along with an access list that has the LOG feature in the outbound direction. The LOG feature in access lists punts packets to process-level switching from Cisco Express Forwarding (CEF) switching, which causes this condition.
There are no known workarounds.
•
CSCdu74951
A Cisco 7500 series router with a Route Switch Processor 4 (RSP4) may reload with a bus error when issuing the no service-policy output name command in subinterface atm configuration mode through a Telnet connection.
Workaround: Issue the no service-policy output global configuration command from the console port.
•
CSCdu74968
A Cisco router running Cisco IOS Release 12.1(8a)E1 with PA-2CE1/PA-2CT1 with fair-queueing configured may experience a crash.
There are no known workarounds.
•
CSCdu77001
A Cisco 7500 series router with a PA-A3-OC12 may, upon detection of a Loss Of Cell Delineation, have a PA-A3-OC12 interface shut down and become unrecoverable.
Workaround: Perform a shut/no shut on the main interface.
•
CSCdu79803
The IPSEC MIB subsystem may cause memory fragmentation because of excessive allocation from the global pool. Internet Key Exchange (IKE) and IP Security (IPSec) performance and scalability can be impacted.
There are no known workarounds.
•
CSCdu80540
When the user tries to delete a file using ciscoFlashMiscOpTable with ciscoFlashMiscOpDestinationName set to a string greater than 33 characters, then the system may crash.
There are no known workarounds.
•
CSCdu85216
A Cisco 7500 series router running Cisco IOS Release 12.2(2)T crashes when attempting to remove a class from its policy-map without first removing the specified parameters for that class in the policy-map.
Workaround: The router does not crash if you first deconfigure the single parameters one by one. Only when the parameters are deconfigured does the router remove the class from the policy-map.
•
CSCdu86853
A Cisco 7500 series router, running Cisco IOS Releases 12.0S/12.1/12.2/12.1E with a 2-port channelized T3 port adapter (PA-MC-2T3+), reports the Frame EnginE and Data link Manager (FREEDM) version for the second port incorrectly as zero. The FREEDM version for the first port is shown correctly.
There are no known workarounds.
•
CSCdv00221
A Cisco router generates traceback messages indicating spurious memory access after a reload.
There are no known workarounds.
•
CSCdv02892
A Cisco router now has support for Tunnel Endpoint Discovery (TED).
There are no known workarounds.
•
CSCdv03601
On a Cisco router with Cisco Express Forwarding (CEF) enabled, Tunnel Endpoint Discovery (TED) does not work with E-train images.
Workaround: Use process/fast switching.
•
CSCdv04016
In a full mesh Tunnel Endpoint Discovery (TED) environment with 50 crypto peers (Cisco 7200 VXR series router with NPE300), routers crash intermittently.
There are no known workarounds.
•
CSCdv04793
It is possible for an HDLC connection to believe the line protocol is UP, when in fact the remote link is no longer receiving keepalive packets.
This is an unusual condition which will not be seen under normal conditions. Its presence was detected while troubleshooting SONET issues which were causing physical line problems.
This code change removes the window of opportunity for this condition to occur and will properly bring the line down.
There are no known workarounds.
•
CSCdv04952
When the "dsu bandwidth" value is changed on PA-E3, the new value doesn't take effect (that is, the E3 DSU bandwidth is still determined by the old value).
Workaround: Reset the serial interface with the clear interface serial command.
Alternative workaround: Save the new configuration and reload the router.
•
CSCdv06207
A Cisco 7200 series router running Cisco IOS Release 12.2(2) may experience a bus error during configuration of Network-Based Application Recognition and an access control list.
This issue occurs when a stateful session closes at exactly the same time that the system tries to time out the same flow.
Workaround: Use the ip nbar resources number command to extend the time until the system will try to time out an unused flow. For example, the ip nbar resources 600 1000 50 command instructs the system to wait 10 minutes (600 seconds) until it tries to clean up a flow. The longer the delay, the less potential there is for a reset (RST) packet or finish (FIN) packet to arrive at the same time.
•
CSCdv09097
A Cisco 7500 series router with a device using Telnet through an oc-12/vip4-80 may have the device time out or have the session be too slow to perform any commands.
Workaround: Enable integrated routing and bridging on the subinterface.
•
CSCdv13598
The fallbacks counter for the private particle pools in show buffer is never incremented. This is a cosmetic problem.
There are no known workarounds.
•
CSCdv13666
On the Cisco 7200 router, the PA-A3 input buffer can be exhausted when switching to a large number of slow output interfaces. CSCdt74722 increases the number of PA-A3 buffers for NPE300 and NPE400, however, it does not support NSE-1 in the E train. This DDTS adds support for NSE-1 in the E train.
There are no known workarounds.
•
CSCdv14952
When applying a quality of service (QoS) policy to the egress of a serial interface, the minimum configurable priority bandwidth for the Expedited Forwarding (EF) class is 32 kbps. This issue causes a problem if QoS is to be offered over low-speed links (that is, 64 kbps). Cable and wireless (C&W) require this minimum value to be 8 kbps.
There are no known workarounds.
•
CSCdv14548
On Cisco routers running Cisco IOS Release 12.1(9)E, when trying to list all the Asynchronous Transfer Mode (ATM) debug options using debug atm ?, only the arp option appears; the rest of the options are broken.
There are no known workarounds.
•
CSCdv15388
On a Cisco router, removing the policy-map removes a feature, but may cause a memory leak also.
Workaround: To get around a possible memory leak, remove each feature from the policy-map before removing the policy-map itself.
•
CSCdv16760
Beginning with Cisco IOS Release 12.1(10.1), Data-Link switching plus (DLSw+) Ethernet Redundancy functionality is unstable, causing possible router reloads, spurious memory accesses, and incorrect cache information.
Workaround: Use transparent bridging, rather than Ethernet Redundancy, to connect Ethernet LANs to DLSw+ without redundancy.
•
CSCdv18621
In topologies where the remote IPSec peer is not on the same directly connected subnet as the headend router, it is not possible to add a static route for subnets protected by the remote into the routing table of the headend if the headend already has a default route installed.
This issue occurs because the registry call reg_invoke_add_static_route, which is implemented in /iprouting/ipstatic.c, explicitly denies the insertion of a route that requires the next hop be resolved by a recursive lookup to the default route.
This fix changes the next hop in the registry call to reflect the outbound interface (with the crypto map) idb instead of the remote device's IP address; as a result, the route is correctly inserted and traffic is forwarded as expected.
There are no known workarounds.
•
CSCdv21264
All traffic in the outside to inside direction is punted through Parallel eXpress Forwarding (PXF). This behavior leads to a degradation of performance.
This issue occurs on an NSE-1 running network address translation (NAT).
No workaround is necessary as the router still operates as planned.
•
CSCdv22915
When the Intermediate System-to-Intermediate System (IS-IS) routing protocol is used on Cisco 7500 series routers with Ethernet, Fast Ethernet, or Gigabit Ethernet, IS-IS adjacency will time out on routers that are running Cisco IOS Releases 12.0(18.3)S, 12.1(9.2), 12.2(2.5), or 12.2(3.3)S.
Workaround: Upgrade to Cisco IOS Release 12.0(19.1)S, 12.0(19.1)ST, 12.1(10.4), 12.2(5.2)T, 12.2(5.3)S, or 12.2(5.2)PI to solve the problem.
•
CSCdv25291
A Cisco 7500 series router with Automatic Protection Switching (APS)/Multiplex Section Protection (MSP) configured may, in some conditions, have the inactive circuit continue to switch traffic, resulting in a duplicate packet.
There are no known workarounds.
•
CSCdv27265
This fix corrects a typographical error.
There are no known workarounds.
•
CSCdv28532
When the user tries to delete a file using ciscoFlashMiscOpTable with ciscoFlashMiscOpDestinationName set to a string greater than 33 characters, the system may crash.
There are no known workarounds.
Open Caveats—Cisco IOS Release 12.1(9)E3
This section documents possible unexpected behavior by Cisco IOS Release 12.1(9)E3 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(9)E3.
Resolved Caveats—Cisco IOS Release 12.1(9)E3
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(9)E3. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdw65903
An error can occur with management protocol processing. Refer to the following URL for further information:
http://www.cisco.com/pcgi-bin/bugtool/onebug.pl?bugid=CSCdw65903.
Open Caveats—Cisco IOS Release 12.1(9)E
This section documents possible unexpected behavior by Cisco IOS Release 12.1(9)E and describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdu57171
A Cisco 7200 series router with keepalives enabled may experience Internet Key Exchange (IKE) memory leakage when a delete request is sent to the IPSec process.
Workaround: Disable the keepalives.
•
CSCdv09097
A Cisco 7500 series router with a device using Telnet through an oc-12/vip4-80 may have the device time out or have the session be too slow to perform any commands.
Workaround: Enable integrated routing and bridging on the subinterface.
Resolved Caveats—Cisco IOS Release 12.1(9)E
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(9)E. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdr31946
A Cisco router that is running Enhanced Interior Gateway Routing Protocol (EIGRP) with the stub feature on might have a route that is active and not waiting for replies. This situation only occurs in networks where all of the EIGRP neighbors are declared as stub.
Workaround: Remove the EIGRP stub feature or clear the IP EIGRP neighbors.
•
CSCdt43958
A Cisco router with Internetwork Packet Exchange (IPX) Enhanced Interior Gateway Routing Protocol (EIGRP) may experience a memory leak related to IPX routing instability.
There are no known workarounds.
•
CSCdt64681
A Cisco router may, when the dialer neighbors are down, have 2 dialer neighbors advertise a prefix that is stuck in the topology table/routing table.
Workaround: Clear the advertised route.
•
CSCdu32336
A Cisco router with Internet Key Exchange (IKE) negotiation may fail with the following error message when Rivest, Shamir, & Adleman (RSA) signatures are configured and a hardware accelerator (Integrated Services Adapter [ISA] or Chaos) is used:
01:47:36:. CryptoEngine0: calculate pkey hmac for conn id 0
01:47:36: ISAKMP (0:3): error from CRYPTO_DH_SHARED_SECRET (MM_SA_SETUP)
01:47:36: -Traceback= 616F3564 616E6384 616E6570 616E44E8 616DE7D4 616DF3A0 605B979C 605B9788
Workaround: Disable hardware acceleration.
•
CSCdu71380
A Data-link switching (DLSw+) Ethernet Redundancy circuit may get stuck in COLLECTING when displayed using the show dlsw transparent cache command. The result is that the DLSw circuit fails to be established. The DLSw reachability is correct, but the exchange identification (XID) is not forwarded.
Workaround: Reload both of the DLSw-ER routers.
•
CSCdv04016
In a full mesh Tunnel Endpoint Discovery (TED) environment with 50 crypto peers (Cisco 7200 VXR series routers with NPE300), routers crash intermittently.
There are no known workarounds.
•
CSCdv16760
A Cisco router running Cisco IOS Release 12.1(10.1) or later may have the Data-link switching (DLSw+) Ethernet Redundancy functionality become unstable, causing the router to unexpectedly reload. The router may also experience spurious memory accesses and/or incorrect cache information.
Workaround: Use transparent bridging, rather than Ethernet redundancy, to connect Ethernet LANs to DLSw+ without redundancy.
•
CSCdv18621
In topologies where the remote IPSec peer is not on the same directly connected subnet as the headend router, it is not possible to add a static route for subnets protected by the remote into the routing table of the headend if the headend already has a default route installed.
This issue occurs because the registry call reg_invoke_add_static_route, which is implemented in /iprouting/ipstatic.c, explicitly denies the insertion of a route that requires the next hop be resolved by a recursive lookup to the default route.
This fix changes the next hop in the registry call to reflect the outbound interface (with the crypto map) idb instead of the remote device's IP address; as a result, the route is correctly inserted and traffic is forwarded as expected.
There are no known workarounds.
Open Caveats—Cisco IOS Release 12.1(8b)E13
This section documents possible unexpected behavior by Cisco IOS Release 12.1(8b)E13 and describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdz60229
Cisco devices which run IOS and contain support for the Secure Shell (SSH) server are vulnerable to a Denial of Service (DoS) if the SSH server is enabled on the device. A malformed SSH packet directed at the affected device can cause a reload of the device. No authentication is necessary for the packet to be received by the affected device. The SSH server in Cisco IOS is disabled by default.
Cisco will be making free software available to correct the problem as soon as possible.
The malformed packets can be generated using the SSHredder test suite from Rapid7, Inc. Workarounds are available. The Cisco PSIRT is not aware of any malicious exploitation of this vulnerability.
This advisory is available at
http://www.cisco.com/warp/public/707/ssh-packet-suite-vuln.shtml.
Resolved Caveats—Cisco IOS Release 12.1(8b)E13
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(8b)E13. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known resolved caveats for Cisco IOS Release 12.1(8b)E13.
Open Caveats—Cisco IOS Release 12.1(8b)E12
This section documents possible unexpected behavior by Cisco IOS Release 12.1(8b)E12 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(8b)E12.
Resolved Caveats—Cisco IOS Release 12.1(8b)E12
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(8b)E12. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdp99255
A Cisco RM7000 processor that is used by several Cisco products might cause the router to execute instructions incorrectly or not at all. This situation might result in memory corruption or unexpected reload. This issue is further discussed in Field Notice #13130. This field notice can be accessed on CCO via the field notice index:
http://www.cisco.com/warp/public/tech_tips/index/hardware/fn.html.
Or directly at the following URL:
http://www.cisco.com/warp/public/770/fn13130.shtml.
There are no known workarounds.
•
CSCds14165
IOS does not wait for the T-bit to be set in an (S,G) entry before sending an assert when the router sees data on an outgoing interface. This may result in the temporary loss of packets during the initial switch from the shared tree to the shortest path.
There are no known workarounds.
•
CSCdt87405
With Protocol Independent Multicast dense mode (PIM-DM) the non-Reverse Path Forwarding (RPF) interface is not sending a prune message.
This behavior occurs on a Packet-over-SONET (POS) interface on a Cisco 7500 series router because multicast packets are coming from the remote side through the non-RPF interface. The packet is not forwarded so there are no multiple/duplicate packets to receive.
There are no known workarounds.
•
CSCdu74664
After CSCds21806, if the shared tree and shortest path tree (SPT) diverge due to a Reverse Path Forwarding (RPF) change on the shared tree (normally triggered by a failed link being restored) then the SPT is also pruned. A join to restore the traffic flow follows this prune immediately. This action may cause a small interruption to the traffic flow.
There are no known workarounds.
•
CSCdv01350
A Cisco switch or router running Cisco IOS may see Internet Group Management Protocol (IGMP) mtrace response packets (protocol=2, IGMP type=0x1E) stay in an interface input hold queue indefinitely. These packets may eventually fill up the interface input hold queue and cause packet drops.
Workaround: Reload the router to clear the packets from the input hold queue, and increase the input hold queue depth using the hold-queue queue-length interface configuration command.
•
CSCdw16433
The router crashes while displaying the group-rp mapping cache.
The logs and the sequence of events just before the router crashed seem to indicate that the cache entry expired during the same period while it was being displayed by the show ip pim rp mapping command.
•
CSCdw17989
After CSCdt87405 is implemented, inconsistent and unpredictable behavior can occur when Protocol Independent Multicast dense mode (PIM-DM) is used on certain point-to-point interfaces. This behavior is more likely to occur with tunnel interfaces.
There are no known workarounds.
•
CSCdy18789
A system may run out of memory because of a leak in the routing table structures. No explicit triggers (other than routes in the table) are needed to cause this symptom.
There are no known workarounds.
Open Caveats—Cisco IOS Release 12.1(8b)E11
This section documents possible unexpected behavior by Cisco IOS Release 12.1(8b)E11 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(8b)E11.
Resolved Caveats—Cisco IOS Release 12.1(8b)E11
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(8b)E11. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdt21533
When the network address translation (NAT) pool is configured with subranges, the subranges do not take effect.
There are no known workarounds.
Open Caveats—Cisco IOS Release 12.1(8b)E10
This section documents possible unexpected behavior by Cisco IOS Release 12.1(8b)E10 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(8b)E10.
Resolved Caveats—Cisco IOS Release 12.1(8b)E10
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(8b)E10. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdr69622
On a Cisco router, the Point-to-Point Protocol (PPP) fails to come up on a leased line over a Basic Rate Interface (BRI) circuit configured with encap ppp. Other encap configurations, such as hdlc and fr, work.
Workaround: Configure encap hdlc first, then no encap hdlc, followed by encap ppp. After this, PPP comes up fine.
•
CSCds76545
On a Cisco router, an Integrated Services Digital Network (ISDN) trap is not generated after a call is connected. The following ISDN objects are affected:
–
demandNbrLastDuration
–
demandNbrClearReason
–
demandNbrCallOrigin
–
demandNbrClearCode
–
demandNbrLogIf
–
demandNbrName
–
demandNbrAddress
There are no known workarounds.
•
CSCdt40038
On a Cisco 7200 series router that is running Cisco IOS Release 12.1(5a), a PA-8T synchronous serial port adapter that is configured with High-Level Data Link Control (HDLC) over leased lines may have ports 4 to 7 or ports 0 to 4 going in the up or down state without any visible cause.
Workaround: Reload the router.
•
CSCdt84706
Setting the nexthop for Border Gateway Protocol (BGP) route reflectors should be allowed only through the outbound route-map and not through the nexthop-self command.
There are no known workarounds.
•
CSCdu18904
A Cisco 7200 series router that is running Cisco IOS Release 12.1(6)E may experience memory allocation errors. The output of the show buffers EXEC command shows a value for normal buffers that is higher than normal.
There are no known workarounds.
•
CSCdu33067
A Gigabit Ethernet interface may reset when a large number of subinterfaces are added to it using a vendor-specific virtual private network (VPN) configuration product or a script.
Workaround: Add fewer subinterfaces at each attempt.
There are no known workarounds.
•
CSCdu70661
On a Cisco AS5800 universal access server that is running Cisco IOS Release 12.1(5)XM4, all channels except the 24th channel of the primary Non-Facility Associated Signaling (NFAS) may become stuck in the "out of service" channel service state after the Cisco AS5800 access server is provisioned to use Signaling System 7 (SS7) interconnect for voice gateways services for the first time.
Workaround: Reload the Cisco AS5800 access server, or enter the shutdown followed by the no shutdown interface configuration commands on the T3 controller or the individual T1 controllers.
•
CSCdu72587
Multiprotocol Label Switching (MPLS) and tag switching do not function properly between Multilink PPP interfaces on Cisco 7500/Route Switch Processor (RSP) series routers if distributed Cisco Express Forwarding (dCEF) switching is enabled on interfaces participating in the tag switching.
Workaround: Do not enable dCEF globally, or disable dCEF on interfaces that are configured for tag switching by entering the no ip route-cache distributed interface configuration command.
•
CSCdu81007
The Cisco Express Forwarding (CEF) table is not updated properly when the IP address of an interface changes. The new IP address is added to the CEF table but the old one is not removed. If subinterfaces are used, the old ones remain in the CEF table even after the subinterfaces are removed.
Workaround: If you issue the shut command on the subinterface before changing the address, the IP address is correctly deleted from the CEF tables.
•
CSCdv04214
A Cisco router that is running Cisco IOS Release 12.2 may reload when it attempts to generate an Open Shortest Path First (OSPF) summary or external link-state advertisements (LSAs) under depleted memory conditions.
There are no known workarounds.
•
CSCdv38171
A Cisco eight-port serial port adapter (PA-8T) interface may sometimes flap under a heavy load if it is configured to receive a clock rate of more than 2015232 bps and when all the serial ports of a Mx serial application-specific integrated circuit (ASIC) (MUESLIX) controller (either 0 through 3 or 4 through 7) are in use.
Workaround: Configure clock rates that are less than or equal to 2015232 at the provider end.
•
CSCdv38764
On a Cisco router, when a file transfer is initiated from a front-end processor (FEP) that is attached to a Cisco 7204 router and destined to an FEP that is attached to a Cisco 2612 router, the show tcp EXEC command does not show retransmitted packets or that the retransmission timeout timer is waking up. Several acknowledgements (ACKs) and a large number of "fast transmitted" packets are shown on the Cisco 7204 when the show tcp brief [all] EXEC command is entered.
This condition occurs when the Cisco 7204 FEP and the Cisco 2612 FEP are connected through a Fast Ethernet (FE) connection with equal cost and the Enhanced Interior Gateway Routing Protocol (EIGRP) enabled.
Workaround: Eliminate equal cost network paths.
•
CSCdv67410
A Cisco 7200 VXR series router that is using any unchannelized serial port adapter (PA) and any processor other than the Network Processing Engine (NPE-300) may experience line flaps at high traffic rates and display the following message:
MUESLIX-1-HALT: Mx serial: Serial6/0 TPU halted: cause 0x3 status 0x00371A00
Carrier transitions and wedged output queues may also occur. This condition affects the following port adapters:
–
PA-T3
–
PA-2T3
–
PA-T3+
–
PA-2T3+
Multichannel port adapters, such as the PA-MC-T3 or the PA-MC-2T3+, are not affected.
There are no known workarounds.
•
CSCdw18697
A Cisco 7200 or Cisco 7500 router may pause indefinitely when Network Based Application Recognition (NBAR) is enabled.
Workaround: Use the ip nbar resources max-age initial-links expand-links global configuration command. Use the maximum value for the initial-links argument to specify the number of preallocation links that the resource manager should preallocate at initialization time according to what the system will allow.
•
CSCdw69187
On a Cisco 7400 router or NSE-1 with the L3 cache bypass feature enabled, IOS does not recognize port adapter (PA) online insertion or removal (OIR).
When the L3 cache bypass feature is enabled on a Cisco 7400 router or NSE-1, OIR events are lost. This prevents IOS from recognizing PA insertion or removal. The router needs to be reloaded before a new PA is recognized.
Workaround: The L3 cache bypass feature cannot be used on a Cisco 7400 router or NSE-1 when the router is subject to reconfiguration by PA insertion or removal.
Open Caveats—Cisco IOS Release 12.1(8b)E9
This section documents possible unexpected behavior by Cisco IOS Release 12.1(8b)E9 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(8b)E9.
Resolved Caveats—Cisco IOS Release 12.1(8b)E9
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(8b)E9. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdw65903
An error can occur with management protocol processing. Refer to the following URL for further information:
http://www.cisco.com/pcgi-bin/bugtool/onebug.pl?bugid=CSCdw65903.
Open Caveats—Cisco IOS Release 12.1(8a)E4
This section documents possible unexpected behavior by Cisco IOS Release 12.1(9)E and describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdu74968
A Cisco 7500 series router running Cisco IOS Release 12.1(8a)E1 with PA-2CE1/PA-2CT1 configured for fair-queueing may unexpectedly reload.
There are no known workarounds.
Resolved Caveats—Cisco IOS Release 12.1(8a)E4
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(9)E. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdr31946
A Cisco router that is running Enhanced Interior Gateway Routing Protocol (EIGRP) with the stub feature on might have a route that is active and not waiting for replies. This situation only occurs in networks where all of the EIGRP neighbors are declared as stub.
Workaround: Remove the EIGRP stub feature or clear the IP EIGRP neighbors.
•
CSCdt43958
A Cisco router with Internetwork Packet Exchange (IPX) Enhanced Interior Gateway Routing Protocol (EIGRP) may experience a memory leak related to IPX routing instability.
There are no known workarounds.
•
CSCdt64681
A Cisco router may, when the dialer neighbors are down, have 2 dialer neighbors advertise a prefix that is stuck in the topology table/routing table.
Workaround: Clear the advertised route.
•
CSCdu71380
A Data-link switching (DLSw)-Ethernet redundancy (ER) circuit may get stuck in COLLECTING when displayed using the show dlsw transparent cache command. The result is that the DLSw circuit fails to be established. Although the DLSw reachability is correct, the exchange identification (XID) is not forwarded.
Workaround: Reload both of the DLSw-ER routers.
•
CSCdu86446
A Cisco router with the Multicast Source Discovery Protocol (MSDP) will not advertise automatic rendezvous point (Auto-RP) groups (224.0.1.39 and 224.0.1.40) in Source-Active (SA) messages. This behavior is only required where auto-RP groups are statically configured to point to an MSDP anycast address.
There are no known workarounds.
•
CSCdv09097
A Cisco 7500 series router with a device telnetting through an OC-12/VIP4-80 may have the device time out or have the session be too slow to perform any commands.
Workaround: Enable integrated routing and bridging on the subinterface.
•
CSCdv16760
A Cisco router running Cisco IOS Release 12.1(10.1) or later may have the Data-link switching (DLSw+) Ethernet Redundancy functionality become unstable causing the router to unexpectedly reload. The router may also experience spurious memory accesses and/or incorrect cache information.
Workaround: Use transparent bridging, rather than Ethernet redundancy, to connect Ethernet LANs to DLSw+ without redundancy.
Open Caveats—Cisco IOS Release 12.1(8a)E2
This section documents possible unexpected behavior by Cisco IOS Release 12.1(8a)E2 and describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdt68416
A Cisco 7200 series router running firmware may encounter a firmware directory (FW) watchdog timeout when Frame Relay is configured. If this happens, the firmware needs to be reset.
There are no known workarounds.
•
CSCdt71082
A Cisco 7200 Series router using any DS3 port adapter configured with two or more Digital Signal 3 (DS3) interfaces may experience line flaps at high rates of traffic. The router will log the following message:
MUESLIX-1-HALT: Mx serial: Serial6/0 TPU halted: cause 0x3 status 0x00371A00
There are no known workarounds.
•
CSCdu70232
A Cisco 7500 series router running Cisco IOS Release 12.1(4)E and using an Enhanced Gigabit Ethernet Interface Processor (GEIP+) card connected to a Catalyst 6000 switch may find that, if auto-negotiation is configured and the fibre is removed from the interface, the fibre will stay in the up/up state even though a show controllers command on the Versatile Interface Processor (VIP) shows the up/down state.
There are no known workarounds.
•
CSCdu21212
A Cisco 7200 router with Cisco Express Forwarding (CEF) enabled may experience problems sending Internet Control Message Protocol (ICMP) redirects, resulting in suboptimal routing of packets.
There are no known workarounds.
•
CSCdu76323
On a Cisco router, when packets that require processing by Server Load Balancing (SLB) are received on a channelized serial interface, SLB does not process the packets. As a result, SLB will not network address translate (NAT) packets from a real server IP address to a virtual server IP address. Instead, it may incorrectly infer that a healthy server has failed.
This problem is seen after reloading a switch or router with channelized serial interfaces that process traffic that must be handled by SLB.
Workaround: In the submode for the channelized serial interface, enter the shut command followed by the no shut command.
Alternative workaround: Enter the no inservice command for all virtual servers and then enter the inservice command for all virtual servers that should be enabled.
Resolved Caveats—Cisco IOS Release 12.1(8a)E2
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(8)E2. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdt68756
A Cisco router with URL Rendezvous Directory (URD) configured on an interface that is connected to UNIX systems may intercept Transmission Control Protocol (TCP) connections from applications/system services relying on the Berkeley Software Distribution (BSD) UNIX reserved port mechanism, particularly Network File System (NFS) and rsh/rcp, causing the URD to fail.
Workaround: If the affected application/system service is NFS, use UDP instead of TCP when mounting file systems from a server connected to a network on which the router is configured for URD.
For all other affected application/system services, there are no known workarounds.
•
CSCdt92114
On a Cisco router, Cisco Express Forwarding (CEF) may behave inconsistently with routing protocols that use holddown to protect against suboptimal routing. A route in holddown should be used to forward traffic until routing protocol timer expiration and/or convergence. CEF, however, removes the forwarding information from the Forwarding Information Base (FIB) immediately upon the route entering holddown. Process and fast switching will continue to forward traffic as expected.
There are no known workarounds.
•
CSCdu20643
Layer 2 Tunneling Protocol (L2TP) and Generic Routing Encapsulation (GRE) tunnels fail to operate correctly on a Cisco 7500 series router running centralized Cisco Express Forwarding (CEF). L2TP tunnels fail completely, whereas packets switched through a GRE tunnel will be fast or process switched.
Workaround: Enable distributed CEF switching.
•
CSCdu33529
When a router interface is administratively shut down, the switch or other connecting device will still show the router as connected when it is not. This problem exists only on certain port adapters (PA-2FE-TX, PA-2FE-FX, and PA-4E).
Workaround: Physically disconnect and reconnect the cable between the devices to force both sides of the link down.
•
CSCdu49594
A Cisco router with two interfaces configured to the same IP address, in which one of the interfaces is in the shutdown state and is configured to run a Tag Distribution Protocol (TDP)/Label Distribution Protocol (LDP) session, may have its neighbors encounter untagged Tag Forwarding Information Base (TFIB) entries.
Workaround: Remove the duplicate IP address from the shutdown interface.
•
CSCdu60193
A Cisco 7100 series router configured for IP Security (IPSec) reloads when passing crypto traffic at maximum rate.
There are no known workarounds.
•
CSCdu61793
A Cisco 7100 series router reloads in crypto connection management code under moderate speeds.
There are no known workarounds.
Open Caveats—Cisco IOS Release 12.1(8a)E
This section documents possible unexpected behavior by Cisco IOS Release 12.1(8a)E and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(8a)E.
Resolved Caveats—Cisco IOS Release 12.1(8a)E
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(8)E. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCds54722
Routers with Border Gateway Protocol (BGP) running Cisco IOS Releases 12.1E, 12.1T, and 12.2 will not readvertise to the peer router those routes that are conditionally permitted with neighbor address advertise-map route-map non-exist-map route-map.
There are no known workarounds.
•
CSCdu56297
When a show pol in command is executed on a Cisco 7500 series router with the qos-group set on the input interface and matched on the output interface, the output of the show pol in command shows that the classification counters are ok, but the packets output is reported as 0 for all these classes. All the packets are output on class-default.
There are no known workarounds.
Open Caveats—Cisco IOS Release 12.1(7a)E6
This section documents possible unexpected behavior by Cisco IOS Release 12.1(7a)E6 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(7a)E6.
Resolved Caveats—Cisco IOS Release 12.1(7a)E6
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(7a)E6. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdw65903
An error can occur with management protocol processing. Refer to the following URL for further information:
http://www.cisco.com/pcgi-bin/bugtool/onebug.pl?bugid=CSCdw65903.
Open Caveats—Cisco IOS Release 12.1(7a)E1
This section documents possible unexpected behavior by Cisco IOS Release 12.1(7a)E1 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(7a)E1.
Resolved Caveats—Cisco IOS Release 12.1(7a)E1
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(7a)E1. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdt38708
A Cisco 7200 series or Cisco 7500 series router with 3 Multiprotocol Label Switching (MPLS) labels cannot receive a 1500 byte IP packet on a FastEthernet or GigabitEthernet interface because the packet is too large. The packet is dropped.
There are no known workarounds.
•
CSCds90603
A Cisco router with Enhanced Interior Gateway Routing Protocol (EIGRP) may sometimes clear neighborship and give the following status message when the summary route comes up, even if there are no external EIGRP routes to the summarized address:
00:25:13: %DUAL-5-NBRCHANGE: IP-EIGRP 2944: Neighbor 10.200.28.63 (FastEthernet0/0) is down: Summary up, remove external
There are no known workarounds.
•
CSCdt62458
On a Cisco router, when an Enhanced Interior Gateway Routing Protocol (EIGRP) internal route changes to an external route, the router receiving the new EIGRP route update may not reflect this change in its routing table, leaving it as an internal route.
Workaround: Use the clear ip route * command or clear ip eigrp neighbors command to clear the condition.
•
CSCdt74307
Reloading a Cisco 7500 series router with Cisco Express Forwarding (CEF) disabled (no ip cef) may cause a "SYS-3-MGDTIMER: Uninitialized timer" error. There is no impact to packet forwarding.
There are no known workarounds.
•
CSCdt01117
A Cisco router running SNA Switching Services (SNASw) with High Performance Routing (HPR) sends exchange identification (XID) format3type2 with a maximum basic transmit unit (Max BTU) set to 516 bytes (bytes 21-22). Since XID3 BTU must be greater than 768 bytes (because the adjacent node is an HPR node), the receiving station rejects this XID and returns 0x1016 002.
There are no known workarounds.
•
CSCdt35137
On a Cisco 7000 series router in a Multiprotocol Label Switching (MPLS) environment, a customer edge (CE) router sending a packet that requires fragmentation causes the provider edge (PE) router to send an "ICMP fragmentation required, but do not fragment set" message.
This issue occurs when multiple CE routers are connected to a PE router: the PE router drops the Internet Control Message Protocol (ICMP) message as unroutable to some CE routers, even though the CE routers are directly connected and a route appears in the routing table.
There are no known workarounds.
•
CSCdt38237
In some situations (after reloading or clearing the Open Shortest Path First (OSPF) process), the Area Border Router (ABR) may fail to maxage a type-3 link-state advertisement (LSA) generated based on an inter-area route if the inter-area route is lost.
Workaround: Clear the OSPF process.
•
CSCds70009
The ip tftp source-interface loopback command worked in Cisco IOS Release 12.1(2.3)E7, but no longer has any effect in Cisco IOS Release 12.1(2.3)E8 and later releases.
There are no known workarounds.
•
CSCds61053
An access server using Enhanced Interior Gateway Routing Protocol (EIGRP) may unexpectedly reload.
There are no known workarounds.
Open Caveats—Cisco IOS Release 12.1(7)E
This section documents possible unexpected behavior by Cisco IOS Release 12.1(7)E and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(7)E.
Resolved Caveats—Cisco IOS Release 12.1(7)E
This section documents possible behavior by Cisco IOS Release 12.1(7)E and describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdr80269
When a Cisco 7500 series router enables process-switching on a serial interface, the interface will become fast switched after the router is reloaded.
There are no known workarounds.
•
CSCdt78110
On a Cisco 7500 series router, tandem calls do not work when making a call from one Cisco 3810 router to another. The router in between is a Cisco 7507 router running Cisco IOS Release 121-5.T5. When the Cisco 7507 router is changed to a Cisco 3640 router, the calls work fine.
There are no known workarounds.
•
CSCdt88441
On a Cisco 7500 series router, a service-policy does not work when attached to an Asynchronous Transfer Mode (ATM) or Frame Relay permanent virtual circuit (PVC). There is no classification counter from the show policy interface output and all packets are sent to the class-default queue.
Workaround: Apply the service-policy to the subinterface. If FRF.12 fragmentation is needed, then there is no workaround.
•
CSCdt88710
On a Cisco 7500 series router running Cisco IOS Release 12.1(5a)E4 with a VIP4-80 and PA-A3-OC12, if VPN routing and forwarding (VRF) is configured on the PA-A3-OC12, enabling distributed Cisco Express Forwarding (dCEF) prevents the traffic from being forwarded.
This does not happen when using a PA-A3-OC3 or a PA-A3-OC12 when VRF is not enabled.
There are no known workarounds.
•
CSCdt88930
A Cisco 7000 series router with Open Shortest Path First (OSPF) may fail to install the default route in some rare cases. This route will automatically be installed during next shortest path first (SPF) operation.
Workaround: Add a static default route with higher admin distance than OSPF and redistribute it through OSPF to completely fix the problem.
Alternative workarounds: 1) Use one of the following relevant commands:
Router(conf)#ip route 0.0.0.0 0.0.0.0 <if-name> 200
Router(conf)#router ospf 1
Router(router-conf)#default-information originate
Router(router-conf)#redistribute static subnet
2) Add a fake loopback to OSPF net statements and flap it.
•
CSCdt89527
On a Cisco router, a ping does not pass through successfully after the router is loaded with an image.
Workaround: Use shut/no shut.
•
CSCdt91284
A Cisco 7500 series router with an Enhanced Gigabit Ethernet Interface Processor (GEIP+) interface IP address bound to the Tag Distribution Protocol (TDP)/Label Distribution Protocol (LDP) router ID experiences an unrestorable TDP/LDP shut down if the Gigabit Ethernet link goes down.
Workaround: Always configure a loopback interface with an IP address for use as the TDP/LDP router ID, and never shut the loopback interface.
•
CSCdt93130
A Cisco 7000 family router may experience tag problems between a provider edge (PE) router and a provider (P) core router. The problems occur when Automatic Protection Switching (APS) switches between Working and Protected, or vice versa.
This issue occurs when the ip router isis command brings up the active Packet-over-SONET/SDH (POS) interface, but the tag-switching tdp neighbor command is lost. The show tag-switching command shows that the POS interface is operational. On both the P and PE routers, the no tag-switching ip command and tag-switching ip command restart the tdp neighbor command that was performed in the P or PE router.
There are no known workarounds.
•
CSCdu06568
A Cisco 7100 series router on which a crypto map is configured with Perfect Forward Secrecy (PFS) group5 will fail to route traffic.
Workaround: Use PFS group1 or group2.
Open Caveats—Cisco IOS Release 12.1(6)E12
This section documents possible unexpected behavior by Cisco IOS Release 12.1(6)E12 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(6)E12.
Resolved Caveats—Cisco IOS Release 12.1(6)E12
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(6)E12. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdu53656
A Cisco device running IOS and enabled for the Border Gateway Protocol (BGP) is vulnerable to a Denial of Service (DoS) attack from a malformed BGP packet. The BGP protocol is not enabled by default, and must be configured in order to accept traffic from an explicitly defined peer. Unless the malicious traffic appears to be sourced from a configured, trusted peer, it would be difficult to inject a malformed packet. BGP MD5 is a valid workaround for this problem.
Cisco has made free software available to address this problem. For more details, please refer to this advisory, available at http://www.cisco.com/warp/public/707/cisco-sa-20040616-bgp.shtml.
•
CSCea02355
Cisco routers and switches running Cisco IOS software and configured to process Internet Protocol version 4 (IPv4) packets are vulnerable to a Denial of Service (DoS) attack. A rare sequence of crafted IPv4 packets sent directly to the device may cause the input interface to stop processing traffic once the input queue is full. No authentication is required to process the inbound packet. Processing of IPv4 packets is enabled by default. Devices running only IP version 6 (IPv6) are not affected. A workaround is available.
Cisco has made software available, free of charge, to correct the problem.
This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml.
•
CSCea28131
A Cisco device running IOS and enabled for the Border Gateway Protocol (BGP) is vulnerable to a Denial of Service (DoS) attack from a malformed BGP packet. The BGP protocol is not enabled by default, and must be configured in order to accept traffic from an explicitly defined peer. Unless the malicious traffic appears to be sourced from a configured, trusted peer, it would be difficult to inject a malformed packet. BGP MD5 is a valid workaround for this problem.
Cisco has made free software available to address this problem. For more details, please refer to this advisory, available at http://www.cisco.com/warp/public/707/cisco-sa-20040616-bgp.shtml.
Open Caveats—Cisco IOS Release 12.1(6)E11
This section documents possible unexpected behavior by Cisco IOS Release 12.1(6)E11 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(6)E11.
Resolved Caveats—Cisco IOS Release 12.1(6)E11
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(6)E11. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdu73495
Enhanced Interior Gateway Routing Protocol (EIGRP) routes cannot be seen even when message digest algorithm 5 (MD5) is authenticated on all routers. This problem is intermittent and may occur when authentication is turned off and subsequently turned back on again. Sometimes, this problem occurs just after authentication is enabled.
Workaround: This problem is intermittent and may be resolved by disabling and re-enabling authentication a second time. This problem may automatically be resolved after a few minutes.
•
CSCdx88896
On a Cisco 7500 series router running Cisco IOS Release 12.1(6)E9 or 12.1(6)E10, the integration of CSCdx13862 breaks Cisco Express Forwarding/distributed Cisco Express Forwarding (dCEF) switching if the outgoing interface is a LAN Emulation (LANE) interface.
Workaround: Disable CEF/dCEF switching on all incoming interfaces that use the LANE interface to switch outgoing packets.
Open Caveats—Cisco IOS Release 12.1(6)E10
This section documents possible unexpected behavior by Cisco IOS Release 12.1(6)E10 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(6)E10.
Resolved Caveats—Cisco IOS Release 12.1(6)E10
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(6)E10. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCds85331
A Cisco 7500 series router that is running Cisco IOS Release 12.0(13.5)S with a Versatile Interface Processor (VIP) may reload at fec_get_hwidb when distributed Cisco Express Forwarding (dCEF) and Fast EtherChannel (FEC) are configured.
There are no known workarounds.
Open Caveats—Cisco IOS Release 12.1(6)E9
This section documents possible unexpected behavior by Cisco IOS Release 12.1(6)E9 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(6)E9.
Resolved Caveats—Cisco IOS Release 12.1(6)E9
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(6)E9. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCds61053
An access server using Enhanced Interior Gateway Routing Protocol (EIGRP) may unexpectedly reload.
There are no known workarounds.
•
CSCdx13862
A Cisco 7500 series router with RSP4/VIP4-80 does not correctly upload the adjacency table to the Versatile Interface Processor (VIP) when distributed Cisco Express Forwarding (dCEF) is enabled.
Workaround: Use the clear cef line slot adjacency command.
Open Caveats—Cisco IOS Release 12.1(6)E8
This section documents possible unexpected behavior by Cisco IOS Release 12.1(6)E8 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(6)E8.
Resolved Caveats—Cisco IOS Release 12.1(6)E8
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(6)E8. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdw65903
An error can occur with management protocol processing. Refer to the following URL for further information:
http://www.cisco.com/pcgi-bin/bugtool/onebug.pl?bugid=CSCdw65903.
Open Caveats—Cisco IOS Release 12.1(6)E3
This section documents possible unexpected behavior by Cisco IOS Release 12.1(6)E3 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(6)E3.
Resolved Caveats—Cisco IOS Release 12.1(6)E3
This section documents possible behavior by Cisco IOS Release 12.1(6)E3 and describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdt15266
A Cisco 7100 series router may experience spurious memory access while enabling an Ethernet interface.
There are no known workarounds.
•
CSCdt76321
On a Cisco router running Cisco IOS Release 12.1(4)E, the backup server load balancing (SLB) platform being preempted on a primary recovery will not dump its connection information into the designated primary box.
Workaround: Set the preempt delay timer on the Hot Standby Routing Protocol (HSRP) to be greater than 1/4 of the SLB virtual server (vserver) idle timer (if using the default vserver idle timer, the preempt timer would need to be greater than 901 seconds).
•
CSCdt93130
A Cisco 7000 family router may experience tag problems between a provider edge (PE) router and a provider (P) core router. The problems occur when Automatic Protection Switching (APS) switches between Working and Protected, or vice versa.
This issue occurs when the ip router isis command brings up the active Packet-over-SONET/SDH (POS) interface, but the tag-switching tdp neighbor command is lost. The show tag-switching command shows that the POS interface is operational. On both the P and PE routers, the no tag-switching ip command and tag-switching ip command restart the tdp neighbor command that was performed in the P or PE router.
There are no known workarounds.
•
CSCdt91284
A Cisco 7500 series router with an Enhanced Gigabit Ethernet Interface Processor (GEIP+) interface IP address bound to the Tag Distribution Protocol (TDP)/Label Distribution Protocol (LDP) router ID experiences an unrestorable TDP/LDP shut down if the Gigabit Ethernet link goes down.
Workaround: Always configure a loopback interface with an IP address for use as the TDP/LDP router ID, and never shut the loopback interface.
Open Caveats—Cisco IOS Release 12.1(6)E2
This section documents possible unexpected behavior by Cisco IOS Release 12.1(6)E2 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(6)E2.
Resolved Caveats—Cisco IOS Release 12.1(6)E2
This section documents possible behavior by Cisco IOS Release 12.1(6)E2 and describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdt27993
The Fast Ethernet interfaces on a Cisco 7500 series router performing an IOS upgrade with a PA-2FEISL port adapter go down after the upgrade.
Workaround: Configure the Fast Ethernet interfaces to no full duplex, then half-duplex, and finally to full duplex. The interfaces will successfully come up after these configurations are performed.
•
CSCdt60803
A Cisco router configured for Tag Distribution Protocol (TDP) and operating with very little free memory may reload.
There are no known workarounds.
•
CSCdt61183
When loading a Cisco 7200 VXR router with Class-Based Weighted Fair Queuing (CBWFQ) saved in the NVRAM, the router ignores the loading commands. Entering the running-config command shows that the loading commands are not in the router configuration file.
Workaround: Copy the start-config file over to the running-config file.
•
CSCdt85382
A Cisco router running Cisco Express Forwarding (CEF) and IP Security (IPSec) through a Generic Routing Encapsulation (GRE) tunnel and using the SA-ISA hardware encryption engine may cause memory allocation problems across the tunnel interface for multicast packets. The resulting SYS-3-INVMEMINT error message below indicates that multicast packets were not processed by the router:
002441 %SYS-3-INVMEMINT Invalid memory action (malloc) at interrupt level
There are no known workarounds.
Open Caveats—Cisco IOS Release 12.1(6)E
This section documents possible unexpected behavior by Cisco IOS Release 12.1(6)E and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(6)E.
Resolved Caveats—Cisco IOS Release 12.1(6)E
This section documents possible behavior by Cisco IOS Release 12.1(6)E and describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCds53235
After reloading a Cisco 7500 series router using multiple tunnel interfaces and Cisco Encryption Technology (CET) over Frame Relay, only part of the CET tunnels function properly (27 out of 46).
There are no known workarounds.
•
CSCdt51213
High end routers running Cisco IOS Release 12.1E crash when queried for the ciscoFlashPartitionEntry MIB when the router has an Advanced Technology Attachment (ATA) disk.
Workaround: Remove the ATA disk.
•
CSCdt65109
A Cisco 7100 router running Cisco IOS Release 12.1(5a)E2 may reload due to bus error at inc_inpsec_in_octets running the IOS version of IPSec.
There are no known workarounds.
•
CSCdt65404
A Cisco router with configurations on WAN interfaces and features that use MAX size DFIB interprocess communication (IPC) messages, such as dStile, may have the IPC message corrupted. If this occurs, the system will reload.
There are no known workarounds.
•
CSCds57882
In a full mesh of route reflectors, one or two of the route reflectors (RRs) may have a Border Gateway Protocol (BGP) table with multiple entries for the same route (there should be only one) with multiple tags. Clients of the route reflector still receive the correct BGP information. VPN routing and forwarding (VRF) interfaces on the route reflector may get an incorrect tag. This same problem was also seen at provider edge routers that are not RRs.
Workaround: Clear the BGP session. Note that clearing the route fixes the tag situation, but not the BGP table.
•
CSCdt07408
You cannot run Netflow and distributed Cisco Express Forwarding (dCEF) on a Versatile Interface Processor (VIP) or Enhanced Gigabit Ethernet Interface Processor (GEIP+) card with 256 megabytes of DRAM.
There are no known workarounds except not running Netflow and dCEF on those cards.
•
CSCdt08679
Changing a policy-map configuration during high traffic load may cause an "output stuck" error. The Versatile Interface Processor (VIP) may stop forwarding packets until it is reset automatically.
This issue is specific to a Frame Relay configuration when there are permanent virtual circuits (PVCs) that are shaped using Distributed Traffic Shaping (DTS). It occurs when all the PVCs are congested and a change is made to the policy-map.
Workaround: A possible workaround is to shut the physical interface before changing the policy-map, then re-enable the interface.
•
CSCdt11146
In Cisco IOS Release 12.0, a receiver may experience a delay when attempting to subscribe to a group.
There are no known workarounds.
•
CSCdt12187
The no tx-ring-limit command has no effect.
There are no known workarounds.
•
CSCdt28180
A Cisco 7100 series router with hardware or software encryption may unsuccessfully negotiate Phase II when a Perfect Forward Secrecy (PFS) group is configured on the crypto map.
The following error message is displayed:
ISAKMP (0:20485): Unable to generate DH phase II values
Workaround: Remove PFS from the crypto map.
•
CSCdt31521
A Multiprotocol Label Switching (MPLS) router having a lot of Border Gateway Protocol (BGP) routes (VPNv4 or ipv4) experiences a memory leak if the route to the BGP neighbor flaps. The memory leak is of the order of about 100 bytes per BGP route for each route flap. The leak can be detected by an unusually large consumption of memory by Tag Forwarding Information Base (TFIB) tag rewrites (as seen in the output of show mem sum command).
There are no known workarounds.
•
CSCdt32880
An incorrect metric appears in the Enhanced Interior Gateway Routing Protocol (EIGRP) topology table for one or more routes after the metric value has been changed on an interface. This change could be due to manual configuration or due to component link changes in the bundling technology (such as port-channels or Multilink Point-to-point Protocol (MLPPP)).
This problem occurs on routers running Cisco IOS Release 12.1(4.4) or later releases on which the interface metric value has been changed.
Workaround: It is possible to clear this condition by clearing all EIGRP neighbors from which the problematic routes have been learned using the clear ip eigrp neighbors <ip address> command. The problem can also be removed by clearing all EIGRP neighbors. These commands must be issued on the router on which the metric value was altered.
•
CSCdt41427
A router crashes with Align errors as follows: ALIGN-1-FATAL: Illegal access to a low address addr=0x13C, pc=0x6056C83C, ra=0x603E8D4C, sp=0x62177800
There are no known workarounds.
•
CSCdt42684
Some Ethernet interfaces on the PA-8E may show interface down even after they have been unshut in the configuration.
There are no known workarounds.
•
CSCdt46380
A Versatile Interface Processor (VIP) on a Cisco 7500 router running Cisco IOS Release 12.1.5aE4 is crashing in vip_fr_update_idb_info after %ALIGN-1-FATAL: Illegal access to a low address.
There are no known workarounds.
•
CSCdt48824
The provider edge (PE) router does not put a network prefix in its VPN routing and forwarding (VRF) routing table when this prefix is received from a Route Reflector (RR) client.
There are no known workarounds.
•
CSCdt48934
The best effort (BE) value of the shape feature should allow values from 0, but only values equal to or greater than 32 are accepted. This issue causes the shape command to be rejected from a prior configuration where less than 32 was used.
There are no known workarounds.
•
CSCdt51542
An alignment error occurs on the Versatile Interface Processor (VIP) when Committed Access Rate (CAR) or police output is enabled on a Fiber Distributed Data Interface (FDDI) interface.
There are no known workarounds (except to remove the CAR or police output).
•
CSCdt51695
When random-detect is configured, the ping fails; after random-detect is unconfigured, the ping goes through.
There are no known workarounds. The random-detect feature is a legacy feature.
•
CSCdt52088
A High-Speed Serial Interface (HSSI) interface of the Versatile Interface Processor (VIP) does not update changes of the maximum transmission unit (MTU) size made on the route switch processor (RSP) under the respective HSSI interface.
There are no known workarounds.
•
CSCdt52868
If a VPN routing and forwarding (VRF) route points to a next-hop that is also resolved by a recursive lookup, such as in the case of an external BGP (eBGP) multihop session, a tag is incorrectly imposed over the provider edge-customer edge (PE-CE) link. Consequently, traffic does not pass.
Workaround: Change the eBGP session to use IP addresses directly rather than multihop.
Open Caveats—Cisco IOS Release 12.1(5c)E12
This section documents possible unexpected behavior by Cisco IOS Release 12.1(5c)E12 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(5c)E12.
Resolved Caveats—Cisco IOS Release 12.1(5c)E12
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(5c)E12. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdw65903
An error can occur with management protocol processing. Refer to the following URL for further information:
http://www.cisco.com/pcgi-bin/bugtool/onebug.pl?bugid=CSCdw65903.
Open Caveats—Cisco IOS Release 12.1(5c)E11
This section documents possible unexpected behavior by Cisco IOS Release 12.1(5c)E11 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(5c)E11.
Resolved Caveats—Cisco IOS Release 12.1(5c)E11
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(5c)E11. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCds81427
On Cisco 7200 series and Cisco 7500 series routers running Cisco IOS 12.0(S), deleting a subinterface of an MCT3, MC2T3 or MC2T3+ PA removes all the subinterfaces.
Workaround: Do not delete any subinterfaces. Shut down the subinterfaces instead.
•
CSCdt10256
A Cisco 7000 series router with an Automatic Protection System (APS) switch generates the following error message:
%SYS-3-INVMEMINT: Invalid memory action (malloc)
There are no known workarounds.
•
CSCdt27993
The Fast Ethernet interfaces on a Cisco 7500 series router performing an IOS upgrade with a PA-2FEISL port adapter go down after the upgrade.
Workaround: Configure the Fast Ethernet interfaces to no full duplex, then half-duplex, and finally to full duplex. The interfaces will successfully come up after these configurations are performed.
•
CSCdt51478
On a Cisco router, deleted subinterfaces may retain their settings and these settings may reappear when the same subinterface is created again.
Workaround: Clean up all settings on a subinterface before deleting it.
Alternative workaround: Delete all subinterfaces before deleting the main interface.
•
CSCdt60803
A Cisco router configured for Tag Distribution Protocol (TDP) and operating with very little free memory may reload.
There are no known workarounds.
•
CSCdt91284
On a Cisco 7500 series router with Enhanced Gigabit Ethernet Interface Processor (GEIP+) interfaces, Tag Distribution Protocol (TDP) or Label Distribution Protocol (LDP) configured using the mpls ip or tag-switching ip command, and a TDP/LDP router ID bound to a Gigabit Ethernet interface IP address, the TDP/LDP router ID will remain bound to the Gigabit Ethernet interface and the TDP/LDP sessions will go down and become unrestorable if the Gigabit Ethernet link on the router goes down due to a cable cut.
Workaround: Configure a loopback interface with an IP address for use as the TDP/LDP router ID and do not shut the loopback interface.
Open Caveats—Cisco IOS Release 12.1(5c)E10
This section documents possible unexpected behavior by Cisco IOS Release 12.1(5c)E10 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(5c)E10.
Resolved Caveats—Cisco IOS Release 12.1(5c)E10
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(5c)E10. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdt71785
A Cisco router redistributing routes into Open Shortest Path First (OSPF) may experience periods of high CPU utilization and temporary console lock when the routing table is large.
There are no known workarounds.
Open Caveats—Cisco IOS Release 12.1(5c)E9
This section documents possible unexpected behavior by Cisco IOS Release 12.1(5c)E9 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(5c)E9.
Resolved Caveats—Cisco IOS Release 12.1(5c)E9
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(5c)E9. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCds57882
In a full mesh of route reflectors, one or two of the route reflectors (RRs) may have a Border Gateway Protocol (BGP) table with multiple entries for the same route (there should be only one) with multiple tags. Clients of the route reflector still receive the correct BGP information. VPN routing and forwarding (VRF) interfaces on the route reflector may get an incorrect tag. This same problem was also seen at provider edge (PE) routers that are not RRs.
Workaround: Clear the BGP session. Note that clearing the route fixes the tag situation but not the BGP table.
•
CSCdt08679
Changing a policy-map configuration during high traffic load may cause an "output stuck" error. The Versatile Interface Processor (VIP) may stop forwarding packets until it is reset automatically.
This issue is specific to a Frame Relay configuration when there are permanent virtual circuits (PVCs) that are shaped using Distributed Traffic Shaping (DTS). It occurs when all the PVCs are congested and a change is made to the policy-map.
Workaround: A possible workaround is to shut the physical interface before changing the policy-map, then re-enable the interface.
•
CSCdt48824
The provider edge (PE) router does not put a network prefix in its VPN routing and forwarding (VRF) routing table when this prefix is received from a Route Reflector (RR) client.
There are no known workarounds.
•
CSCdt52088
A High-Speed Serial Interface (HSSI) interface of the Versatile Interface Processor (VIP) does not update changes of the maximum transmission unit (MTU) size made on the route switch processor (RSP) under the respective HSSI interface.
There are no known workarounds.
Open Caveats—Cisco IOS Release 12.1(5c)E8
This section documents possible unexpected behavior by Cisco IOS Release 12.1(5c)E8 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(5c)E8.
Resolved Caveats—Cisco IOS Release 12.1(5c)E8
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(5c)E8. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdt05186
In a Multiprotocol Label Switching (MPLS)/Virtual Private Network (VPN) environment, a route from a provider edge router is not imported on its peer router when the session is cleared on the redundant route reflector.
A sample topology follows:
                   /-- RR1 --\
net_A -- CE1 -- PE1           PE2--CE2
                   \-- RR2 --/
CE1 is connected to PE1 via interface in VRF1, RD-1, exports RT-1
CE2 is connected to PE2 via interface in VRF2, RD-2, imports RT-.
net_A is exported from PE1 and imported from PE2. PE2 receives the updates from PE1 via RR1.
Now the following events happen:
-RR1 is going down, PE2 is still importing net_A via RR2
-RR2 is going down (in the meanwhile RR1 is again up), PE is no longer importing net_A via RR1
There are no known workarounds.
•
CSCdt46380
The Versatile Interface Processor (VIP) on a Cisco 7500 series router running Cisco IOS Release 12.1.5aE4 crashes in vip_fr_update_idb_info after %ALIGN-1-FATAL: Illegal access to a low address.
There are no known workarounds.
•
CSCdt32294
When the visible_bandwidth under a class is less than 1k, its qlimit is set to 0, which causes packet drops.
There are no known workarounds.
Open Caveats—Cisco IOS Release 12.1(5a)E4
This section documents possible unexpected behavior by Cisco IOS Release 12.1(5a)E4 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(5a)E4.
Resolved Caveats—Cisco IOS Release 12.1(5a)E4
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(5c)E4. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCds70641
With multicast routing enabled, a %ALIGN-3-SPURIOUS syslog occurs at or near ip_age_one_mroute(0x607c5d50)+0xc3c.
The spurious interrupt shows a NULL pointer dereference with address at or near 0x558.
In this particular case, the ALIGN-3-SPURIOUS syslog is harmless. The code was reading a boolean flag based on a pointer, and it didn't check whether the pointer was NULL or not. When the pointer was NULL, the code ended up reading a non-existing memory location and triggered the ALIGN-3-SPURIOUS syslog. On a MIPS-based platform, the read got a value of zero (that is, FALSE for a boolean flag).
Workaround: Because the same path would be taken whether the pointer is NULL or the boolean flag is FALSE, the syslog in this case indicates a harmless event.
•
CSCds87131
When priority is configured for a class that matches an access list, and the priority kbps parameter is greater than half of the interface bandwidth, the feature does not function after the router reloads and the following error message is displayed:
bandwidth of <x> kbps is not available (y).
Workaround: Remove and re-attach the service-policy.
•
CSCdt11369
After removing and reconfiguring a Frame Relay (FR) subinterface (or creating a new subinterface in some cases), the pings succeed at only a 50 percent rate and Cisco Express Forwarding (CEF) drops occur.
Workaround: Do a shut/no shut on the main interface, or remove and quickly reconfigure the data-link connection identifier (DLCI).
•
CSCdt11656
The fair-queue queue-limit # packets command is not working and as a result, the per-flow queue-limit values cannot be tuned away from the default values.
There are no known workarounds.
•
CSCdt14819
The clear line line command on a Cisco 7500 series router incorrectly returns with an ambiguous command error.
There are no known workarounds.
•
CSCdt20222
Packet classification does not occur for router-originated packets when a distributed traffic-shaping (dTS) service policy is applied to a Frame Relay (FR) permanent virtual circuit (PVC). All router-originated packets are put in the class-default queue and the class-map counter does not count those packets. The "packets output" counter for class-default is incremented normally, however.
The problem configuration is:
policy-map vc-cbwfq
...
policy-map vc-shape
 class class-default
  shape average <cir>
  service-policy vc-cbwfq
map-class frame-relay foo
 service-policy output vc-shape
There are no known workarounds.
•
CSCdt25060
Removing the match access-group criteria from a class that has only that match criteria left can cause a router crash for certain types of policies, such as a policy with llq in one of its classes.
Workaround: Add another match criteria, which will replace the match access-group criteria, and then remove the match access-group criteria.
Open Caveats—Cisco IOS Release 12.1(5a)E2
This section documents possible unexpected behavior by Cisco IOS Release 12.1(5a)E2 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(5a)E2.
Resolved Caveats—Cisco IOS Release 12.1(5a)E2
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(5a)E2. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCds81783
A Cisco 7200 series router with an integrated services adapter (ISA) module that is set up as Smartbits 1 ----f1/0-c7200_2-T3---------------T3-c7200_1-f1/0-Smartbits 2 may display the following error message when sending 26,000 frames/sec with a frame size of 256 bytes:
00:09:13: %ISA-1-NOMEMORY: isa_prcoess_hipri_rx: no mr creation failed for slot 3
00:09:13: %ISA-1-NOMEMORY: isa_prcoess_hipri_rx: no mr creation failed for slot 3
00:09:13: %ISA-1-NOMEMORY: isa_prcoess_hipri_rx: no mr creation failed for slot 3
00:09:13: %ISA-1-NOMEMORY: isa_prcoess_hipri_rx: no mr creation failed for slot 3
If this error message is displayed, the ISA card stops encrypting the traffic afterwards.
Workaround: Reload the router.
Open Caveats—Cisco IOS Release 12.1(5a)E1
This section documents possible unexpected behavior by Cisco IOS Release 12.1(5a)E1 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(5a)E1.
Resolved Caveats—Cisco IOS Release 12.1(5a)E1
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(5a)E1. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCds46769
Problems exist in the driver code that affect Inter-Switch Link (ISL) packet handling.
There are no known workarounds.
Open Caveats—Cisco IOS Release 12.1(5a)E
This section documents possible unexpected behavior by Cisco IOS Release 12.1(5a)E and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(5a)E.
Resolved Caveats—Cisco IOS Release 12.1(5a)E
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(5a)E. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdr91706
A defect in multiple releases of Cisco IOS software will cause a Cisco router or switch to halt and reload if the IOS HTTP service is enabled and browsing to "http://<router-hostname-or-IP-address>/<more-text>?/" is attempted, and the enable password is supplied when requested. This defect can be exploited to produce a denial of service (DoS) attack. This is not the same defect as CSCdr36952.
The vulnerability, identified as Cisco Bug ID CSCdr91706, affects virtually all mainstream Cisco routers and switches running Cisco IOS software releases 12.0 through 12.1, inclusive. The vulnerability has been corrected and Cisco is making fixed releases available for free to replace all affected IOS releases. Customers are urged to upgrade to releases that are not vulnerable to this defect. This vulnerability can only be exploited if the enable password is known, or not set.
The complete advisory is available at http://www.cisco.com/warp/public/707/ioshttpserverquery-pub.shtml.
•
CSCds04747
Cisco IOS software contains a flaw that permits the successful prediction of TCP Initial Sequence Numbers.
This vulnerability is present in all released versions of Cisco IOS software running on Cisco routers and switches. It only affects the security of TCP connections that originate or terminate on the affected Cisco device itself; it does not apply to TCP traffic forwarded through the affected device in transit between two other hosts.
To remove the vulnerability, Cisco is offering free software upgrades for all affected platforms. The defect is described in DDTS record CSCds04747.
Workarounds are available that limit or deny successful exploitation of the vulnerability by filtering traffic containing forged IP source addresses at the perimeter of a network or directly on individual devices.
This notice is posted at
http://www.cisco.com/warp/public/707/ios-tcp-isn-random-pub.shtml.
•
CSCds17951
A Cisco router may exhibit a spurious access syslog when you use virtual private dial-up network (VPDN) with Cisco Express Forwarding (CEF) enabled.
Workaround: Disable CEF.
•
CSCds18899
When you export Routing Information Protocol (RIP) learned routes from one virtual private network (VPN) to another VPN through the Border Gateway Protocol (BGP) at the same provider edge (PE) router, these routes appear in the BGP table of the importing VPN but do not appear in the routing table.
There are no known workarounds.
•
CSCds19953
High-Level Data Link Control (HDLC) reports that the line is up even though the mineseen values do not increment or are not received.
Workaround: Configure the line to run the Point-to-Point Protocol (PPP).
•
CSCds20926
A router that is running Open Shortest Path First (OSPF) may reload during redistribution testing. This situation has only been seen in development-testing environments, where different routing protocols are configured and unconfigured quickly. Race conditions occur if these protocols are redistributed into OSPF, which forces the router to reload. This situation will not occur in normal operating environments where routing protocols are never removed.
There are no known workarounds.
•
CSCds27285
A Cisco router that is running any of the following Cisco IOS releases and is used as a Multiprotocol Label Switching (MPLS) router may reload or experience a reload of its line cards:
–
Cisco IOS Release 12.1(3.5) or a later release
–
Cisco IOS Release 12.1(3.5)T or a later release
–
Cisco IOS Release 12.1(2.3)E8 or a later release
–
Cisco IOS Release 12.0(9.6)ST6 or a later release
–
Cisco IOS Release 12.0(10.6)ST3 or a later release
–
Cisco IOS Release 12.0(11.6)ST1 or a later release
Workaround: Upgrade to a Cisco IOS release that contains the fix for this caveat.
•
CSCds29373
A Cisco router that is running Enhanced Interior Gateway Routing Protocol (EIGRP) in Cisco IOS Release 12.1(4.1) or a later release, or in Cisco IOS Release 12.1(4.1)T or a later release, may reload when stuck in active (SIA) routes are processing in dual_unstick_dndb.
There are no known workarounds.
•
CSCds29989
An incorrect label is assigned to one of the VPN routing and forwarding (VRF) routes from remote provider edge (PE) routers after a reload.
There are no known workarounds.
•
CSCds31128
A Cisco router that is running Cisco Express Forwarding (CEF) may unexpectedly reload because of a bus error at an invalid address.
There are no known workarounds.
•
CSCds31325
The 12E/2FE Etherswitch port adapter (PA) fails to initialize on the Cisco 7200 platform with Cisco IOS Release 12.1(3a)E when an NPE 400 is used in the Cisco 7200 series router.
Workaround: An NPE 300 works correctly with the 12E/2FE Etherswitch PA.
•
CSCds35103
If a Cisco 7200 or 7500 series router with an ATM-PA3 port adapter with a G125 version of microcode (as shown in the output of the show controllers atm privileged EXEC command) is connected directly to another ATM-PA3 port adapter that has an older microcode version, the older version port adapter may drop some valid packets shown as input errors or giants.
If the same router is configured for Available Bit Rate (ABR) virtual circuits (VCs) with the G125 microcode version of the ATM-PA3 port adapter, some VCs may not pass traffic.
Workaround: Use the shut command followed by the no shut command on the subinterface or the main interface.
•
CSCds35236
On a Cisco router that is running IP Security (IPSec) without hardware acceleration, all packets encrypted with the security access (SA) will have the same initialization vector (IV).
There are no known workarounds.
•
CSCds37637
Transit bridging to a serial interface (with any encapsulation) fails intermittently on a Cisco router that is running Cisco IOS Release 12.1(4.3).
Workaround: Downgrade to Cisco IOS Release 12.1(4).
•
CSCds39722
A system that has Cisco Express Forwarding (CEF) enabled may reload when sending NetFlow export packets.
There are no known workarounds.
•
CSCds40738
Recent changes in IOS introduced a process suspend allowing context switching where it shouldn't be allowed. This behavior opens up the possibility for a race condition.
There are no known workarounds.
•
CSCds41302
A one-second delay occurs for each subinterface that comes up in a system regardless of whether Next Hop Resolution Protocol (NHRP) is enabled or disabled.
There are no known workarounds.
•
CSCds42568
A Cisco router may reload in dual_rdblookup when handling a stuck in active (SIA) reply message during Enhanced Interior Gateway Routing Protocol (EIGRP) SIA handling.
There are no known workarounds.
•
CSCds42883
A Cisco router that is running a virtual private dialup network (VPDN) and Cisco Express Forwarding (CEF) may reload or endlessly report corrupted particle packets.
Workaround: Disable CEF globally.
•
CSCds46769
Problems exist in the drive code that affect Inter-Switch Link (ISL) packet handling.
There are no known workarounds.
•
CSCds49098
A Cisco router that is functioning as a Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) provider edge (PE) router may have problems forwarding VPN traffic because of missing or incorrect entries in the Tag Forwarding Information Base (TFIB) table for the peer PE Border Gateway Protocol (BGP) router ID. The output of the show tag bgp router id command does not show an entry. This situation occurs only if all of the following conditions are met:
–
The peer PE BGP router ID is also part of a VPN routing and forwarding instance (VRF) and is being advertised as part of the VPN version 4 BGP session.
–
The router has a less specific installed route in the VRF for the peer PE BGP router ID.
Workaround: Clear the IP routing table entry for the peer PE BGP router ID prefix.
Alternate workaround: Avoid having the same IP address be both the BGP router ID and be advertised by that same router as part of a VRF.
•
CSCds56717
The tag forwarding table entry for a destination whose outgoing tag field should be "Pop tag" or a valid outgoing tag has an outgoing tag field value of "Untagged." (To display the tag forwarding table, use the show tag-switching forwarding command.) When this issue occurs, traffic for the destination may be dropped.
This issue may occur on Cisco routers with tag-switching ip enabled.
Workaround: The following procedure may correct this problem:
1) Determine the next hop and the outgoing interface(s) for the destination.
2) Enter the no tag-switching ip command for each outgoing interface.
3) Wait 15-20 seconds.
4) Enter the command tag-switching ip for each outgoing interface.
•
CSCds57107
A Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) provider edge (PE) router that is running Cisco IOS Releases 12.0(10.6)ST, 12.1(2.6), 12.1(3.1), 12.1(3.3)T, 12.1(2.3)T1, or later releases exhibits faulty behavior when forwarding customer traffic. When there are multiple paths to get to the remote PE and one of the paths to the PE goes down or comes up, traffic to all customer prefixes going over any of those multiple paths is dropped until the Cisco Express Forwarding (CEF) entries for those prefixes are resolved (about 15 seconds).
There are no known workarounds.
•
CSCds62892
A Cisco router that is acting as a provider edge (PE) router in a Multiprotocol Label Switching (MPLS)/Virtual Private Network (VPN) may show an incorrect tag value for some VPN routing and forwarding (VRF) routes. This situation breaks connectivity between the local and remote VPN networks.
The problem may occasionally appear under specific timing conditions in networks with unstable (flapping) VRF links and redundant Route Reflectors (RR) that are at different geographical locations (different network connection speed).
The recovery method is to use the clear ip route vrf vrf-name {ip-address} EXEC command, where vrf-name is the VRF that includes the route and the corresponding IP address.
Workaround: Use a single RR.
•
CSCds63925
On a Cisco 7200 series router or a route switch processor (RSP) that is running Cisco IOS Release 12.1(5), a Versatile Interface Processor (VIP) with a PA-E3 or PA-T3 port adapter does not boot and reloads because of a bus error exception.
There are no known workarounds.
•
CSCds69086
The output of the show tag-switching forwarding command on the provider (P) core router shows incorrect outgoing labels for some prefixes. Specifically, for prefixes whose next hop address is A, the output shows the label advertised by the PE for the outgoing label instead of the label advertised by the next hop router.
This problem can occur:
–
In a Multiprotocol Label Switching (MPLS) virtual private network (VPN) on a provider (P) core router that is adjacent to a VPN provider edge router (PE).
–
When the address (A) of an interface on a PE that is bound to a customer VPN routing and forwarding instance (VRF) is also an address for a core router adjacent to the P router.
Workaround: Configure provider core routers so that none have addresses that are used as addresses for interfaces bound to customer VRFs on PE routers.
•
CSCdk69541
If a Cisco router is running Cisco IOS Release 12.0 S, the router might experience a Transmission Control Protocol (TCP) timer problem and reload. This situation occurs when the router is experiencing a heavy traffic load combined with a configuration which includes a large number of TCP sessions (such as hundreds of Border Gateway Protocol peers, or a Voice over Internet (VoIP) proxy gatekeeper).
There are no known workarounds.
•
CSCds76418
In a Multiprotocol Label Switching (MPLS) network that uses Label Distribution Protocol (LDP) or Tag Distribution Protocol (TDP), packets that match the default route are dropped or forwarded incorrectly. This situation may occur in MPLS networks that use LDP or TDP that have routes for both 0.0.0.0/0 (default) and 0.0.0.0/n. For the routers that incorrectly drop or forward these packets, the output of the show tag-switching forwarding-table privileged EXEC command shows the label advertised for 0.0.0.0/n as the outgoing label for 0.0.0.0/0.
Workaround: Prevent the use of route 0.0.0.0/n in networks that use 0.0.0.0/0 (default).
•
CSCds77504
The Tag Distribution Protocol (TDP) session for the subinterface disappears for no apparent reason and cannot be re-established.
This problem may occur when running TDP on an Asynchronous Transfer Mode (ATM) point-to-point subinterface between two routers. It has been observed only on Cisco IOS Release 12.1(5a).
Workaround: No workaround has been tested and verified since the behavior has not been reproduced. However, the following sequence of commands executed on both routers may correct the situation:
configure terminal
interface interface-name
shut
...Wait 10-15 seconds...
no shut
•
CSCds85186
When the Hot Standby Routing Protocol (HSRP) is configured on a Gigabit Ethernet interface on a Cisco 7200 router and the line goes down on the interface, the processor reports it is Up.
There are no known workarounds.
•
CSCds89062
IOS Server Load Balancing (SLB) Firewall Load Balancer (FWLB) Internet Control Message Protocol (ICMP) connections are retained for the full idle timeout for pings destined to the FWLB device.
Workaround: Configure FWLB ping probes to use a destination address not on the partner load balancer.
•
CSCds91099
A Cisco 7200 series router may reload or overwrite storage memory if the Server Load Balancing Dynamic Feedback Protocol (SLB DFP) reports a Bind ID Table to a DFP Manager such as Distributed Director (DD).
Workaround: Do not enable SLB DFP Agent support. Do not configure the manage command in ip slb dfp submode.
Note that SLB can still be a DFP Manager and receive weights from the real devices.
•
CSCds91198
After a reload, a Cisco router does not forward packets to an interface that is not running IP tag switching. Pinging from the router works, but a ping that needs to cross the router fails.
The problem is present in topologies which involve:
–
a hierarchy of static recursive routes (with varying mask lengths)
–
route aggregation using the null0 interface.
Workaround: Ensure that the route flaps. If the route flaps, the Multiprotocol Label Switching (MPLS)/Cisco Express Forwarding (CEF) is installed correctly.
Open Caveats—Cisco IOS Release 12.1(4)E3
This section documents possible unexpected behavior by Cisco IOS Release 12.1(4)E3 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(4b)E3.
Resolved Caveats—Cisco IOS Release 12.1(4)E3
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(4)E3. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdw65903
An error can occur with management protocol processing. Refer to the following URL for further information:
http://www.cisco.com/pcgi-bin/bugtool/onebug.pl?bugid=CSCdw65903.
Open Caveats—Cisco IOS Release 12.1(4)E
This section documents possible unexpected behavior by Cisco IOS Release 12.1(4)E and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(4)E.
Resolved Caveats—Cisco IOS Release 12.1(4)E
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(4)E. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdr38962
Caveat CSCdk52846 causes a router to advertise all areas and all nodes within its own area reachable by itself with a cost of 704 and hop count of 29. The fix for caveat CSCdp25634 aids routing by having the router ignore these special updates. However, any other devices on that segment will still get the routing updates. This caveat was filed to disable this feature or add a knob to disable the special updates.
Resolution: A new CLI command, decnet cluster-alias update, has been introduced. By default this command is enabled, and all cluster-alias updates are propagated. However, to prevent these updates from propagating and to block all special updates with a cost of 704 and hop count of 29, configure no decnet cluster-alias update.
•
CSCdr49641
A Cisco router that receives a large packet that was fragmented before receipt may display the following error message at the rendezvous point of a multicast network that is running Protocol Independent Multicast (PIM) sparse mode:
%PIM-5-REG_ENCAP_INVALID: Bad register from <IP-address> for (<IP-address>,<Class-D-IP-address>). Trace = ....
Workaround: Send a mix of large and small packets from the source, so that the source tree is set up correctly by the small packets between the first hop and the rendezvous point (RP). If the multicast data is forwarded correctly, this situation may not cause any real harm.
Alternate workaround: Reduce the packet size from the source, so that fragmentation does not occur between the first hop and the RP.
•
CSCdr74413
Weighted Random Early Detection (WRED) classifies all Multiprotocol Label Switching (MPLS) packets as precedence 0 in the MPLS->MPLS and MPLS->IP paths, regardless of their actual MPLS Experimental field value.
There are no known workarounds.
•
CSCds24749
A Cisco 7100 series router running Cisco IOS Release 12.1 E may reload with a bus error in crypto_classify_packet.
There are no known workarounds.
•
CSCds35103
If a Cisco 7200 or 7500 series router with an ATM-PA3 port adapter with a G125 version of microcode (as shown in the output of the show controllers atm privileged EXEC command) is connected directly to another ATM-PA3 port adapter that has an older microcode version, the older version port adapter (PA) may drop some valid packets as input errors or giants.
If the same router is configured for Available Bit Rate (ABR) virtual circuits (VCs) with the G125 microcode version of the ATM-PA3 port adapter, some virtual circuits (VCs) may not pass traffic.
Workaround: Use the shut command followed by the no shut command on the subinterface or the main interface.
•
CSCds43345
Integrated services adapter (ISA) firmware errors in malloc handling result in a possible crash, ISA lockup, or 1cxx errors.
There are no known workarounds.
•
CSCds56733
When Server Load Balancing (SLB) is configured, the last 14 bytes of fragmented Internet Control Message Protocol (ICMP) ping responses from the virtual IP address may be corrupted.
Note that this only affects ICMP packets, not Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) packets. Typically, this only occurs if a large ping packet is sent to an SLB virtual server (vserver).
Workaround: Deny fragmented ICMP packets with a destination IP address of a virtual server using an input access control list on the interfaces. This configuration prevents Server Load Balancing from generating the corrupted response to the ping.
•
CSCds59844
On Cisco IOS Release 12.1(3a)E4 and earlier releases, Multiprotocol Label Switching (MPLS) packet forwarding is not working correctly on a Cisco 7200 router with an NSE1 engine.
There are no known workarounds.
•
CSCds00242
If a Cisco 7200 series router with many PA-MCxT1 cards has Integrated Services Digital Network (ISDN) configured, some ISDN interfaces might fail to initialize correctly. An ISDN_UNEXPECTED_EVENT message is logged and the ISDN status stays at TEI-ASSIGNED.
Workaround: Shut/no shut the interface.
•
CSCds01236
A Cisco 7200 or 7500 series router with ATM-PA3 might stop forwarding packets on one or more virtual circuits (VCs). The packets show up as output drops on those VCs. These VCs appear stuck.
This problem occurs because of a newer version of ATM-PA3 microcode (G124). For the Cisco 7200 platform, use the show controllers atm privileged EXEC command to determine the version.
For the Cisco 7500 platform, use the show controller vip slot# tech command to determine the PA-A3 ucode version number.
Note
Because the fix for CSCds01236 could have compatibility issues with older PA-A3 ucode versions, it is recommended that the fix for CSCds35103 be used instead. Refer to CSCds35103 for details.
•
CSCds04548
After the fix for CSCdr76238, Open Shortest Path First (OSPF) does not work on unnumbered interfaces.
Workaround: Configure the IP address on the interface.
•
CSCds07108
Following a watchdog reset, IOS does not always decode the reset reason correctly.
This problem only affects the Cisco 7200 platform using an NPE-300.
There are no known workarounds.
•
CSCds07275
When you use Multilink PPP over virtual private dial-up network (VPDN), the links fail to come up.
Workaround: Disable Multilink PPP over those links.
•
CSCds14698
When interface bandwidth is set to 0 on Cisco 7200 series routers, various problems might occur. These problems include reloads when using Resource Reservation Protocol (RSVP) and Enhanced IGRP (EIGRP) not redistributing routes over the interface that believes it has a bandwidth of 0.
There are no known workarounds.
Open Caveats—Cisco IOS Release 12.1(3a)E8
This section documents possible unexpected behavior by Cisco IOS Release 12.1(3a)E8 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(3a)E8.
Resolved Caveats—Cisco IOS Release 12.1(3a)E8
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(3a)E8. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdw65903
An error can occur with management protocol processing. Refer to the following URL for further information:
http://www.cisco.com/pcgi-bin/bugtool/onebug.pl?bugid=CSCdw65903.
Open Caveats—Cisco IOS Release 12.1(3a)E7
This section documents possible unexpected behavior by Cisco IOS Release 12.1(3a)E7 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(3a)E7.
Resolved Caveats—Cisco IOS Release 12.1(3a)E7
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(3a)E7. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdw65903
An error can occur with management protocol processing. Refer to the following URL for further information:
http://www.cisco.com/pcgi-bin/bugtool/onebug.pl?bugid=CSCdw65903.
Open Caveats—Cisco IOS Release 12.1(3a)E5
This section documents possible unexpected behavior by Cisco IOS Release 12.1(3a)E5 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(3a)E5.
Resolved Caveats—Cisco IOS Release 12.1(3a)E5
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(3a)E5. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCds43568
On a Cisco 7200 router with a C7200-I/O-2FE or C7200-I/O-GE/E I/O controller running Cisco IOS Releases 12.1(3a)E (E,E1,E2,E3,E4), the user may experience memory corruption or loading of the router.
Workaround: Upgrade to Cisco IOS Release 12.1(3a)E5 or later. This problem does not occur in any other released images.
Open Caveats—Cisco IOS Release 12.1(3a)E4
This section documents possible unexpected behavior by Cisco IOS Release 12.1(3a)E4 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(3a)E4.
Resolved Caveats—Cisco IOS Release 12.1(3a)E4
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(3a)E4. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdr91706
For more information about this caveat, see the "Caveat CSCdr91706 and IOS HTTP Vulnerability" section.
•
CSCds46362
A Cisco 7200 series router running Cisco IOS Release 12.1(3a)E may crash while deconfiguring the IP Network Address Translation (NAT) address pool on both the NSE-1 and NPE.
There are no known workarounds.
•
CSCds35261
A Cisco 7500 series router reloaded with the Asynchronous Transfer Mode (ATM) permanent virtual circuit (PVC) Random Early Detection (RED) functionality will cause spurious accesses on the Versatile Interface Processor (VIP) and break RED functionality and other quality of service (QoS) functionality, such as CDR Analysis and Reporting (CAR).
There are no known workarounds.
Open Caveats—Cisco IOS Release 12.1(3a)E1
This section documents possible unexpected behavior by Cisco IOS Release 12.1(3a)E1 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(3a)E1.
Resolved Caveats—Cisco IOS Release 12.1(3a)E1
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(3a)E1. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdr51872
A route switch module (RSM) running Cisco IOS Release 12.0(9) and using sparse-mode for the automatic rendezvous point (Auto-RP) groups might not set the "L" flag for the 224.0.1.40 RP-discovery group.
There are no known workarounds.
•
CSCds27298
The Class Based QoS MIB was temporarily disabled by mistake. This bug fix re-enables Class Based QoS on Cisco IOS Release 12.1(3a)E.
There are no known workarounds.
•
CSCds33883
A Cisco 7200 VXR series router running Cisco IOS Release 12.1(3a)E with an integrated services adapter (ISA) card with too many security associations (SAs) established may disable IP Security (IPSec). The Integrated Services Adapter (ISA) exhibits firmware problems resulting in an invalid Diffie-Hellman (DH) value or an invalid command response from the card.
Workaround: Use Cisco IOS Release 12.1(2)E1 or wait for Cisco IOS Release 12.1(4)E.
Alternate workaround: Reload the router.
Open Caveats—Cisco IOS Release 12.1(3a)E
This section documents possible unexpected behavior by Cisco IOS Release 12.1(3a)E and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(3a)E.
Resolved Caveats—Cisco IOS Release 12.1(3a)E
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(3a)E. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdp01837
When using the summary-address command in Open Shortest Path First (OSPF), a high CPU problem can occur. This issue occurs when the routing table is extremely large, such as 10K or above.
Workaround: Remove the summary-address command.
•
CSCdr29259
Interface counters give incorrect values for tunnels on a serial interface when Cisco Express Forwarding (CEF) and IP Security (IPSec) are in use.
There are no known workarounds.
•
CSCdr37581
Two CAUSE information elements are sent in a STATUS message.
There are no known workarounds.
•
CSCdr39146
When you configure an IP address on any interface or subinterface on a Versatile Interface Processor (VIP2) using a Fast Ethernet PA-2FEISL-TX port adapter, the IP network configured on the subinterface does not show up as a directly connected interface in the IP routing table. As a result, there is no IP connectivity across the network.
Workaround: Configure a static interface route for the directly connected network.
•
CSCdr43813
A router reloads when downloading large (10MB) Hypertext Transfer Protocol (HTTP) files using Multilink PPP (MLP) with a Layer 2 Forwarding (L2F) tunnel.
There are no known workarounds.
•
CSCdr44596
When Cisco Express Forwarding (CEF) switching and Virtual Access interfaces are used, a Cisco 7200 VXR series router experiences serious problems with many alignment errors causing the CPU to reach 100 percent utilization. With an increasing number of users (virtual access interfaces), a production router will cease functioning instantly.
There are no known workarounds.
•
CSCdr46372
Cisco routers configured to use Stack Group Bidding Protocol (SGBP) might experience a buffer leak in large buffers.
The memory leak might occur if a fairly large number of Multilink PPP (MLP) bundles are terminated on the SGBP member at the time the member enters or reenters the stack group.
Evidence of the leak can be determined by monitoring the SGBP connection hello messages. These messages are enabled with the debug sgbp hellos command. If you see the following message and the size value is greater than 1360, memory buffer leakage is occurring:
SGBP:Send Info, count 1 size 7
There are no known workarounds. Reload the router to recover I/O memory.
•
CSCdr46966
When multiple, load-shared paths exist between provider edge (PE) routers, a PE router might reload if all paths are lost simultaneously while Virtual Private Network (VPN) traffic is being forwarded.
There are no known workarounds.
•
CSCdr48014
Open Shortest Path First (OSPF) updates might be corrupted on a Cisco 7500 series router using Multiprotocol Label Switching (MPLS) switching with Cisco Express Forwarding (CEF) output features enabled (including "service policy output"). IP routes are temporarily deleted from the IP routing table and a loss of connectivity might occur.
This same problem was seen in an Intermediate System-to-Intermediate System (IS-IS) network. The alternative workaround (see below) was successfully used.
Workaround: Configure the ip cef global configuration command. Then, execute the copy running start command, and reload.
Alternative workaround: Enter the memory cache-policy io uncached command. However, note that entering this command might impact packet switching performance.
•
CSCdr53138
A Gigabit Ethernet interface might remain in an up/up state with no cable attached when running Cisco IOS Release 12.1(2). This condition can cause problems when running the Hot Standby Routing Protocol (HSRP). If the active router fails, the backup router will take over; however, any traffic destined for the local segment from the original active router will be dropped.
There are no known workarounds.
•
CSCdr54230 (state of ddts is "more", not "released")
A Border Gateway Protocol (BGP) UPDATE contains Network Layer Reachability Information (NLRI) and attributes that describe the path to the destination. Each path attribute is a type, length, value (TLV) object.
The type is a two-octet field that includes the attribute flags and the type code. The fourth high-order bit (bit 3) of the attribute flags is the Extended Length bit. It defines whether the attribute length is one octet (if set to 0) or two octets (if set to 1). The extended length bit is used only if the length of the attribute value is greater than 255 octets.
The AS_PATH (type code 2) is represented by a series of TLVs (or path segments). The path segment type indicates whether the content is an AS_SET or AS_SEQUENCE. The path segment length indicates the number of autonomous systems (ASes) in the segment. The path segment value contains the list of ASes (each AS is represented by two octets).
The total length of the attribute depends on the number of path segments and the number of ASes in them. For example, if the AS_PATH contains only an AS_SEQUENCE, then the maximum number of ASes (without having to use the extended length bit) is 126 [= (255-2)/2]. If the UPDATE is propagated across an AS boundary, then the local Abstract Syntax Notation (ASN) must be appended and the extended length bit used.
The caveat was caused by the mishandling of the operation during which the length of the attribute was truncated to only one octet. Because of the internal operation of the code, the receiving border router would not be affected, but its iBGP peers would detect the mismatch and issue a NOTIFICATION message (update malformed) to reset their session.
The average maximum AS_PATH length in the Internet is between 15 and 20 ASes, so there is no need to use the extended length. The failure was discovered because of a malfunction in the BGP implementation of another vendor.
There are no known workarounds.
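The length encoding described for CSCdr54230, as an added example that is not Cisco's code: it builds an AS_PATH attribute holding one AS_SEQUENCE, shows where the Extended Length bit becomes necessary, and runs a receiver-side length check against a one-octet truncation. The function names, the private AS numbers and the truncation model in `encode_as_path_truncated` are assumptions made for illustration.

```python
import struct

# Attribute flag bits; the high-order bit is bit 0, as in the text above.
FLAG_TRANSITIVE = 0x40
FLAG_EXT_LEN = 0x10          # bit 3: attribute length is two octets when set
TYPE_AS_PATH = 2
AS_SET, AS_SEQUENCE = 1, 2


def _as_sequence(asns):
    """One path segment: segment type, AS count, then two octets per AS."""
    if not 0 < len(asns) <= 255:
        raise ValueError("path segment length is a one-octet AS count")
    return struct.pack("!BB", AS_SEQUENCE, len(asns)) + struct.pack(
        "!%dH" % len(asns), *asns)


def encode_as_path(asns):
    """Correct encoding: use the two-octet length once the value exceeds 255."""
    value = _as_sequence(asns)
    if len(value) > 255:
        flags = FLAG_TRANSITIVE | FLAG_EXT_LEN
        return struct.pack("!BBH", flags, TYPE_AS_PATH, len(value)) + value
    return struct.pack("!BBB", FLAG_TRANSITIVE, TYPE_AS_PATH, len(value)) + value


def encode_as_path_truncated(asns):
    """Assumed model of the failure: the length is cut to one octet and the
    Extended Length bit is left clear, whatever the real value length is."""
    value = _as_sequence(asns)
    return struct.pack("!BBB", FLAG_TRANSITIVE, TYPE_AS_PATH,
                       len(value) & 0xFF) + value


def decode_attribute(buf):
    """Split one path attribute into (flags, type code, value, leftover)."""
    if len(buf) < 3:
        raise ValueError("truncated attribute header")
    flags, type_code = buf[0], buf[1]
    if flags & FLAG_EXT_LEN:
        if len(buf) < 4:
            raise ValueError("truncated extended-length header")
        length, offset = struct.unpack("!H", buf[2:4])[0], 4
    else:
        length, offset = buf[2], 3
    end = offset + length
    if end > len(buf):
        raise ValueError("declared attribute length exceeds the data")
    return flags, type_code, buf[offset:end], buf[end:]


def parse_as_path(buf):
    """Receiver-side check: the declared length must cover the whole attribute
    and every path segment must fit inside it. Returns the list of ASes."""
    _flags, type_code, value, leftover = decode_attribute(buf)
    if type_code != TYPE_AS_PATH:
        raise ValueError("not an AS_PATH attribute")
    if leftover:
        raise ValueError("%d octets follow the declared attribute length"
                         % len(leftover))
    asns = []
    while value:
        if len(value) < 2:
            raise ValueError("truncated path segment header")
        seg_type, count = value[0], value[1]
        if seg_type not in (AS_SET, AS_SEQUENCE):
            raise ValueError("unknown path segment type %d" % seg_type)
        end = 2 + 2 * count
        if end > len(value):
            raise ValueError("path segment overruns the attribute")
        asns.extend(struct.unpack("!%dH" % count, value[2:end]))
        value = value[end:]
    return asns


if __name__ == "__main__":
    received = list(range(64512, 64512 + 126))   # constructed 126-AS path
    print("126 ASes, value octets:", len(encode_as_path(received)) - 3)
    propagated = [65000] + received              # local AS added at the boundary
    good = encode_as_path(propagated)
    print("127 ASes, extended length set:", bool(good[0] & FLAG_EXT_LEN))
    bad = encode_as_path_truncated(propagated)
    try:
        parse_as_path(bad)
    except ValueError as err:
        print("truncated length rejected:", err)
```

With 127 ASes the value is 256 octets, so the truncated one-octet length reads as 0 and a strict receiver sees 256 unexplained octets after the attribute.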
•
CSCdr54372
On a Cisco router running Cisco IOS Release 12.1(3), the LAN Emulation Clients (LECs) fail to send LE_ARP responses if the LAN Emulation (LANE) interfaces form part of a bridge group with routing protocols enabled and are in the blocking state. Routed packets addressed to the router's own interfaces might be dropped.
There are no known workarounds.
•
CSCdr55193
A reload might occur during heavy usage at the Layer 2 Tunneling Protocol (L2TP) network server (LNS).
There are no known workarounds.
•
CSCdr55284
Multiprotocol Label Switching (MPLS) labeled packets that are larger than 1500 bytes cannot be sent out through the FastEthernet interface even if tag mtu is configured to be larger than 1500 on the FastEthernet interface.
There are no known workarounds.
•
CSCdr56274
An SNA Switching Services (SNASw) router does not turn on the Command/Response (C/R) bit on the source service access point (SSAP) when replying to an exchange identification (XID) request.
The trace between the SNASw router and the Packet-over-SONET (POS) device shows that the C/R bit on the SSAP is not set when the SNASw router replies to the XID request. Thus, the POS device fails to begin the XID process.
There are no known workarounds.
•
CSCdr57107
Virtual Switch Interface (VSI)-controlled permanent virtual circuits (PVCs) supported by a PA-A3 port adapter on a Cisco 7200 series router do not come up after reload.
Workaround: Clear (reset) the Asynchronous Transfer Mode (ATM) interface.
•
CSCdr57804
There is a memory leak in start_h323_ccapi_accounting. When B-Channel information is not present, the function returns without freeing a previously allocated nas_port. Accounting should continue when B-Channel is not present, by giving the HWCliName to authentication, authorization, and accounting (AAA).
There are no known workarounds.
•
CSCdr59890
When connecting an LU6.2 session to a low-entry networking (LEN) device with the Systems Network Architecture (SNA) Switch, SNA Switching Services (SNASw) location statements do not take effect properly when that LEN device is connected over a link that is a defined link from the SNA Switch perspective (hence an uplink).
There are no known workarounds.
•
CSCdr60210
Transaction Connection (TXCONN) is causing Systems Network Architecture (SNA) sessions to unbind when it terminates conversations. Impacted SNA Switching Services (SNASw) must rebind the sessions again before another conversation can be allocated. This condition is inefficient and might, in certain configurations, cause allocation failures.
There are no known workarounds.
•
CSCdr62272
A router might reload when using a Transmission Control Protocol (TCP) server on a unique port.
This issue can occur when an internal ping runs to test connectivity with the host.
Workaround: Configure another Database Connection (DBCONN) TCP server on the same port. Two separate DBCONN servers configured on the same port disables the internal ping mechanism.
•
CSCdr70935
A route switch processor (RSP) reloads with a bus error. A Versatile Interface Processor (VIP) reloads when the RSP reports a bus error exception. The slave RSP appears but does not pass traffic. The problem is related to the Duplicate Ring Protocol (DRiP), which is enabled when the Token-Ring Inter-Switch Link (TR-ISL) protocol is in use. Further, the problem occurs only when the I/O memory pool on the router runs dangerously low or is fragmented in such a way that buffers cannot be allocated for packet duplication.
There are no known workarounds.
•
CSCdr74487
Challenge Handshake Authentication Protocol (CHAP) authentication does not work on a Layer 2 Tunneling Protocol (L2TP) network server running Cisco IOS Release 12.1(1.5) or later releases.
There are no known workarounds.
•
CSCdr75021
As a Cisco router boots Cisco IOS, it attempts to read the CPU EEPROM into a data structure that is not big enough, causing the router to reload. The crash dump typically looks like this:
Nested r4k_return_to_monitor call (2 times)
-Traceback= 0 6038EC00 6038EB14 6038D524 603768D4 6042C86C 6042BF88 6043866C 604379CC 6042EB18
Nested r4k_return_to_monitor call (3 times)
*** System received a Bus Error exception ***
signal= 0xa, code= 0x4008, context= 0x61869b70
PC = 0x60431200, Cause = 0x4020, Status Reg = 0x34008002
rommon 2 >
There are no known workarounds.
•
CSCdr82276
When Cisco Express Forwarding (CEF) switching and Virtual Access interfaces are being used, a Cisco 7200 VXR series router running Cisco IOS Release 12.1(3) might experience high CPU usage because many alignment errors are occurring.
There are no known workarounds.
•
CSCdr98695
A configuration in which Gigabit Ethernet interfaces are being switched through Parallel eXpress Forwarding (PXF) with the fair-queue interface configuration command enabled may stop receiving packets if PXF is disabled and reenabled with a no ip pxf, ip pxf command sequence. This situation is seen when large access control lists (ACLs) are configured.
There are no known workarounds.
•
CSCds01236
A Cisco 7200 or 7500 series router with ATM-PA3 might stop forwarding packets on one or more virtual circuits (VCs). The packets would show up as output drops on those VCs. These VCs appear stuck. This problem occurs because of a newer version of ATM-PA3 microcode (G124). For Cisco 7200 series routers, use the show controllers atm privileged EXEC command to determine the version. For Cisco 7500 series routers, use the show controller vip slot# tech command to determine the PA-A3 ucode version number.
Note
Because the fix for CSCds01236 could have compatibility issues with older PA-A3 ucode versions, it is recommended that the fix for CSCds35103 be used instead. Refer to CSCds35103 for details.
•
CSCds08137
A Service Assurance (SA) Integrated Services Adapter (ISA) in a Cisco 7200 series router may reload because of a bus error.
There are no known workarounds.
•
CSCds09113
A Cisco 7500 router running Cisco IOS Release 12.0, or a Cisco router that uses an AMDP2-based Ethernet adapter, may log unaligned memory accesses when configured for Connectionless Network Service (CLNS) forwarding or the Intermediate System-to-Intermediate System (IS-IS) routing protocol.
There are no known workarounds.
•
CSCds10029
Removing a service policy from a large number of Frame Relay permanent virtual circuits (PVCs) might prevent packets from being forwarded out of the entire interface. The commands that lead to this situation are:
interface s1/00:0
 no frame-relay class name
or
map-class frame-relay map-class name
 no service-policy {output} policy-map
Workaround: Attach a dummy Class-Based Weighted Fair Queueing (CBWFQ) policy to the interface, and then remove the policy.
•
CSCds11189
Low Latency Queueing (LLQ) and Class-Based Weighted Fair Queueing (CBWFQ) do not function properly on an Asynchronous Transfer Mode (ATM) subinterface policy after that interface has been brought down and up, or if the link flaps.
Workaround: Apply the service policy under the permanent virtual connection (PVC). In this situation, the policy functionality is not affected by link flaps.
Alternate Workaround: Reattach the subinterface service policy after the interface or link comes up.
•
CSCds11247
After changing the maximum transmission unit (MTU) from the default to a lower value (from 4470 to 1600 in the customer's case), police does not accept any burst parameter below the default MTU size (for example, 2000). The configuration was allowed at first, but the burst parameter was later overwritten to be the default MTU. The policing functionality is not affected.
There are no known workarounds.
•
CSCds12962
The MultiChannel Interface Processor (MIP) logic avoids issuing an interrupt to the digital signal processor (DSP) for each and every packet. Instead, the MIP only issues an interrupt when the DSP packet queue is nearly full or mostly empty.
Workaround: Ensure that the MIP monitors the DSP so that it is processing packets when there are packets to process. Part of this function is to "nudge" the DSP with an additional interrupt whenever there are packets present, but the DSP is not working on them.
•
CSCds13547
When Output Rate Limiting is configured on a Versatile Interface Processor (VIP) interface and the router is reloaded, the Rate Limiting functionality will not be properly enabled, and the Distributed Committed Access Rate (DCAR) functionality does not take effect.
Workaround: Disable and then reenable the rate-limit interface configuration command.
•
CSCds15582
The Firewall Load Balancer (FWLB) stops functioning if SYNs forwarded to firewalls are not answered with SYNACKs within 30 seconds.
Workaround: Configure all reals in the READY_TO_TEST state out of service, and then back in service.
•
CSCds16661
The Parallel eXpress Forwarding (PXF) path for an Asynchronous Transfer Mode (ATM) Point-to-Point Protocol (PPP) encapsulated virtual circuit (VC) is broken (the correct VC is not decoded from the ATM header).
Workaround: Disable PXF.
•
CSCds17881
The FastEthernet and Ethernet interfaces report unexpected results after the first interface throttle. The show controller command reports that the MAC is "not in TBI mode."
Workaround: Enter clear interface to fix the problem; however, the problem always reoccurs with the next throttle.
•
CSCds21753
A Cisco router with a Fiber Distributed Data Interface (FDDI) may corrupt some packets that are switched out of the FDDI. This problem has been confirmed only for the FDDI to FDDI case with Multiprotocol Label Switching (MPLS) enabled. This problem may also affect FDDI to Asynchronous Transfer Mode (ATM) with MPLS, but is not confirmed for that case or any case other than FDDI to FDDI with MPLS.
Workaround: Keep a continuous stream of pings running from the router that is reporting the cyclic redundancy check (CRC) errors introducing the corruption targeted at the loopback address.
•
CSCds23676
Configuration changes such as packet switching lockup and Parallel eXpress Forwarding (PXF) exceptions may occur while traffic is flowing with PXF enabled on an NSE-1.
Workaround: Disable PXF.
Alternate workaround: Reduce or remove traffic during reconfiguration.
Open Caveats—Cisco IOS Release 12.1(2)E2
This section documents possible unexpected behavior by Cisco IOS Release 12.1(2)E2 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(2)E2.
Resolved Caveats—Cisco IOS Release 12.1(2)E2
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(2)E2. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdw65903
An error can occur with management protocol processing. Refer to the following URL for further information:
http://www.cisco.com/pcgi-bin/bugtool/onebug.pl?bugid=CSCdw65903.
Open Caveats—Cisco IOS Release 12.1(2)E1
This section documents possible unexpected behavior by Cisco IOS Release 12.1(2)E1 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(2)E1.
Resolved Caveats—Cisco IOS Release 12.1(2)E1
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(3a)E. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdr22445
An online insertion and removal (OIR) removal of a Versatile Interface Processor (VIP) on a Cisco 7500 series router may cause the slave route switch processor (RSP) to reload.
There are no known workarounds.
•
CSCdr66732
While passing sweeping pings, a Cisco 7500 series router with an RSP8 running Cisco IOS Release 12.1 E may reload with the following error:
%ALIGN-1-FATAL: Corrupted program counter
pc=0x61B2D514, ra=0x61B2D50C, sp=0x61A64A1
There are no known workarounds.
•
CSCdr41538
A Cisco 7140-2T3 may reload as a result of a bus error when the Border Gateway Protocol (BGP) is configured.
There are no known workarounds.
•
CSCdp55077
Inter-Switch Link (ISL)-encapsulated packets arriving on a Cisco Express Forwarding (CEF)-enabled interface are not switched.
There are no known workarounds.
•
CSCdr03956
A Cisco 7200 series router running Cisco IOS Release 12.0(7)XE1 with multicast and tunneling configured on a PA-A3-8T1 IMA port adapter may reload due to a software forced reload caused by a memory corruption problem.
There are no known workarounds.
•
CSCdr21722
The ERROR LED of an Integrated Services Adapter (ISA) may turn on when a Cisco 7204VXR router running Cisco IOS Release 12.1(1)E is under heavy IPSec traffic. The following error message may be displayed:
ISAcard:an error coming back 1CFF
There are no known workarounds.
•
CSCdr26790
The ModeConfig feature for a dynamic crypto map does not work on a Cisco 7100 series router running Cisco IOS Release 12.1 E. IPSec works fine without Mode-config.
Workaround: Enable IPSec but do not enable Mode-config.
•
CSCdr48014
When running the Open Shortest Path First (OSPF) protocol on a Cisco 7500 series router that is doing Multiprotocol Label Switching (MPLS)-to-MPLS switching, received OSPF updates may be corrupted. This results in IP routes temporarily being deleted from the IP routing table and loss of connectivity.
Workaround: Replace PA2-FEISL with a one-port Fast Ethernet port adapter.
•
CSCdr59145
On a Cisco 7200 series router running Cisco IOS Release 12.1 E with Packet eXpress Forwarding (PXF) disabled, fair-queue configured, and heavy traffic in progress, if PXF is then enabled, it may fail to forward packets.
There are no known workarounds.
•
CSCdr60615
A Cisco 7100 series router running Cisco IOS Release 12.1 E may experience a bus error caused by a crypto reload.
There are no known workarounds.
•
CSCdr61042
A Cisco 7000 family router running Cisco IOS Release 12.1(1)E1 with an encrypted peer may receive the following error and drop packets:
%CRYPTO-4-RECVD_PKT_INV_IDENTITY: identity doesn't match negotiated identity
There are no known workarounds.
•
CSCdr65385
The number of flows reported by the show ip cache verbose flow command is incorrect if a large number of flows age out. Not all of the flows are reported in the flow export packets.
There are no known workarounds.
•
CSCdr98687
On a Cisco 7200 series router running Cisco IOS Release 12.1 E with ip pxf enabled and random-detect (but not fair-queue) configured on a congested output interface, tail drops occur too soon. This issue may prevent any random drops from the higher precedence flows.
There are no known workarounds.
•
CSCds16120
If you issue the show ip pxf accounting summary command on a Cisco 7200 series router after one of the output interfaces has gone down, the router may declare a bus error exception and spontaneously reload.
Workaround: Avoid using the command unless counters have been cleared since the last time an interface went down.
Note
For a list of open and resolved caveats for QDM 1.0 Support for Cisco IOS Release 12.1(2)E, see the "Caveats" section of the Release and Installation Notes for Cisco Quality of Service Device Manager 1.0 on Cisco.com and on the Documentation CD-ROM.
•
CSCdr63849
A Cisco 7206VXR router running Cisco IOS Release 12.1(1)E may reboot with a bus error.
There are no known workarounds.
Open Caveats—Cisco IOS Release 12.1(2)E
This section documents possible unexpected behavior by Cisco IOS Release 12.1(2)E and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(2)E.
Resolved Caveats—Cisco IOS Release 12.1(2)E
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(2)E. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdr53584
If the bgp deterministic med command is issued on a Cisco 7200 series router running Cisco IOS Release 12.1 E, the router experiences alignment errors and may reload.
Workaround: Issue the no bgp deterministic med command to disable deterministic Multiple Exit Discriminator (MED).
•
CSCdr31689
If two Packet-over-SONET (POS) interfaces are configured on an NSE-1, Parallel eXpress Forwarding (PXF) is enabled, fair-queuing is in use, and heavy fragmented traffic is presented immediately upon startup, an unexpected restart may occur as a result of shortage of I/O memory.
There are no known workarounds.
•
CSCdr57765
A Cisco 7500 series router with an RSP8 running Cisco IOS Release 12.1 E may reload at ipc_cbus_process when passing sweeping pings through the Ethernet interface with the following error:
%ALIGN-1-FATAL: Illegal access to a low address
addr=0x8, pc=0x602D6D40, ra=0x602D6D5C, sp=0x61940C38
There are no known workarounds.
•
CSCdr59095
On a Cisco 7200 series router running Cisco IOS Release 12.1 E with Packet eXpress Forwarding (PXF) disabled, fair-queue configured, and heavy traffic in progress, if PXF is then enabled, it may declare an exception and spontaneously reload.
There are no known workarounds.
•
CSCdr64674
Cisco IOS Release 12.1(2)E crypto images have a performance degradation that is being tracked by this DDTS. New images will be posted once this issue is resolved. For more information, see the "Important Notes" section.
There are no known workarounds.
•
CSCdr72554
Fragmented Encapsulating Security Payload (ESP) packets arriving on a Cisco 7100 series router do not seem to be passed to the crypto engine because decryption counters are not increasing. No encrypted packets pass through the router. For more information, see the "Important Notes" section.
There are no known workarounds.
•
CSCdr75209
When Frame Relay (FR) fragmentation is configured after attaching a traffic-shaping service policy to a large number of permanent virtual circuits (PVCs), the service policy may not function properly. Because FR fragmentation appears after service policy in the configuration order, there is a chance that the problem occurs after system reload.
The specific policy that fails is:
policy-map fr-pvc
 class class-default
  shape average <cir>
  service-policy llq-policy
Workaround: Configure the service policy after FR fragmentation, or add queue-limit to the traffic-shaping policy.
policy-map fr-pvc
 class class-default
  shape average <cir>
  queue-limit <n>
  service-policy llq-policy
Note
For a list of open and resolved caveats for QDM 1.0 Support for Cisco IOS Release 12.1(2)E1, see the "Caveats" section of the Release and Installation Notes for Cisco Quality of Service Device Manager 1.0 on Cisco.com and on the Documentation CD-ROM.
Open Caveats—Cisco IOS Release 12.1(1)E5
This section documents possible unexpected behavior by Cisco IOS Release 12.1(1)E5 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(1)E5.
Resolved Caveats—Cisco IOS Release 12.1(1)E5
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(1)E5. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdw65903
An error can occur with management protocol processing. Refer to the following URL for further information:
http://www.cisco.com/pcgi-bin/bugtool/onebug.pl?bugid=CSCdw65903.
Open Caveats—Cisco IOS Release 12.1(1)E3
This section documents possible unexpected behavior by Cisco IOS Release 12.1(1)E3 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(1)E3.
Resolved Caveats—Cisco IOS Release 12.1(1)E3
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(1)E3. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdp69004
A Gigabit Ethernet Interface Processor (GEIP) that is configured for Cisco Encryption Technology (CET) decrypts packets correctly but fails to encrypt packets that match the crypto policy and should be encrypted. In this situation, the GEIP forwards the packets unencrypted.
Workaround: When network topology permits, use the VIP2-40 or VIP2-50 with one or two PA-FE port adapters.
•
CSCdr01079
The Versatile Interface Processor (VIP) in the highest slot may not boot properly after a router reload.
There are no known workarounds.
•
CSCdr05739
During startup, the default bandwidth was not being properly set up for ATM Dlx card. The default visible_bandwidth was set to BANDWIDTH_SCALE by the common interface initialization routine, which is 10000000. Now, the code has been changed to set up the default interface bandwidth and delay during startup config setup for ATM Dlx.
There are no known workarounds.
•
CSCdr18877
In some configurations, if a policy-map is configured to use class-maps based on access lists, after bootup the classification does not occur properly (for example, packets that should match the class are not considered to match).
Workaround: Remove and redefine the class after bootup.
•
CSCdr24768
Cisco Express Forwarding (CEF) may not process an interface up event, resulting in the show interface command displaying the interface as up while the show cef interface command displays the same interface as down. This issue may result in missing prefixes in the CEF table.
Workaround: Repeat the no shutdown command on the interface. It is not necessary to first issue a shutdown command on the interface.
Note
For a list of open and resolved caveats for QDM 1.0 Support for Cisco IOS Release 12.1(1)E3, see the "Caveats" section of the Release and Installation Notes for Cisco Quality of Service Device Manager 1.0 on Cisco.com and on the Documentation CD-ROM.
Open Caveats—Cisco IOS Release 12.1(1)E2
This section documents possible unexpected behavior by Cisco IOS Release 12.1(8b)E9 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(8b)E9.
Resolved Caveats—Cisco IOS Release 12.1(1)E2
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(1)E2. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdp88204
If the tx-ring-limit command is entered on a Cisco 7500 series route switch processor (RSP) that is running Cisco IOS Release 12.0 S, the router might experience a NULL pointer access, and the Versatile Interface Processor (VIP) might reload. This situation occurs during line flapping and when the router is being configured.
There are no known workarounds.
•
CSCdr17845
IPSec traffic fails a basic back-to-back ping. Dynamic crypto maps with access control lists (ACLs) do not work. Packets get dropped at the decryption end of the tunnel.
There are no known workarounds.
•
CSCdp72853
If a crypto map is configured to initiate private addresses using configuration mode on a Cisco router interoperating with Cisco Secure VPN Client version 1.1, the Internet Key Exchange (IKE) peer does not acknowledge the packet and does not continue.
Workaround: Use Cisco Secure VPN Client version 1.0a.
•
CSCdp63587
A Cisco 7500 series router running Cisco IOS Release 12.1 E may reload when performing actions that result in the router recarving MEMD, such as a microcode reload, EOIR, or changing an interface MTU.
There are no known workarounds.
•
CSCdp87670
If Output Policing is the only feature configured on a traffic class (configured with the class-map command), then the traffic class has a queue-limit of 0. As a result, no traffic makes it out of this class.
Workaround: Explicitly set a queue-limit that is a nonzero value. The value chosen should correspond to the amount of traffic expected to be offered to this service policy.
•
CSCdp93974
Configuring a large number of Virtual Private Networks (VPNs) on a Cisco 7500 series route switch processor (RSP) with a large number of channelized interfaces might result in a FIB-DISABLE message. This message indicates that the RSP has not received a Forwarding Information Base (FIB) keepalive from the line card within the expected length of time. When this situation occurs, the RSP functions as if the interprocess communication (IPC) mechanism has failed and disables Cisco Express Forwarding (CEF) on that line card.
Workaround: Disable distributed switching.
•
CSCdr00694
A Cisco router that is running Cisco IOS Release 12.0(9)S or later releases might experience problems if you attempt to format, delete, or squeeze slot0 immediately after the show version command is entered or immediately after the router reloads. This issue is a flash timing-related issue, and subsequent commands that you enter will not be affected.
There are no known workarounds.
•
CSCdr03335
Fifty percent of pings may fail to receive replies when IP Cisco Express Forwarding (CEF) is enabled. This behavior implies that in some cases, packets are being dropped frequently.
There are no known workarounds.
•
CSCdr05792
In Cisco IOS Release 12.1, dynamic crypto maps may not work correctly if two different remote routers attempt to establish encrypted connections to the same interface on behalf of the same end hosts.
There are no known workarounds.
•
CSCdr16140
Dynamic crypto maps may not work correctly if two different remote routers attempt to establish encrypted connections to the same interface on behalf of the same end hosts. The problem occurs in IPSec on an interface that uses ip address negotiation and crypto map parser commands. If the interface is recycled (active then inactive) more than once within the IPSec SA lifetime and a new IP address is assigned to the interface, IPSec retains the previous IP address.
Workaround 1: Delete the IPSec SA on the router that uses the ip address negotiation command and clear the IPSec use of SA by issuing the clear crypto sa command.
Workaround 2: Use a static IP address instead of a dynamic IP address. Use the crypto map tag local-address interface command to identify a static IP address to IPSec.
•
CSCdr00992
During Parallel eXpress Forwarding flow switching on the NSE-1, the output from the show ip cache flow command is displayed incorrectly. This incorrect display should have no effect on the export data.
There are no known workarounds.
•
CSCdr05753
Under certain circumstances, Hypertext Transfer Protocol (HTTP) packets are not redirected properly.
This issue occurs in the following configuration:
–
Web Cache Communications Protocol (WCCP) is enabled.
–
Cisco Express Forwarding is enabled.
–
Parallel eXpress Forwarding is enabled.
Workaround: Disable Parallel eXpress Forwarding (PXF) by entering the no ip pxf command in global configuration mode.
Note
For a list of open and resolved caveats for QDM 1.0 Support for Cisco IOS Release 12.1(1)E2, see the "Caveats" section of the Release and Installation Notes for Cisco Quality of Service Device Manager 1.0 on Cisco.com and on the Documentation CD-ROM.
Open Caveats—Cisco IOS Release 12.1(1)E
This section documents possible unexpected behavior by Cisco IOS Release 12.1(1)E and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.1(1)E.
Resolved Caveats—Cisco IOS Release 12.1(1)E
All the caveats listed in this section are resolved in Cisco IOS Release 12.1(1)E. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCdm52781
High CPU and alignment errors occur in _ipfib_ in rsp-pv-mz.120-4.6 and rsp-pv-mz.120-4.7.
There are no known workarounds.
•
CSCdp05882
A Cisco 7200 VXR router might reload with a bus error because the packet-by-packet compression code is being passed packets that contain particles.
There are no known workarounds.
•
CSCdp19479
A Cisco router might experience a bus error and reload if you enable the Asynchronous Transfer Mode (ATM) bundle on the PA-A3-OC3MM ATM port adapter.
There are no known workarounds.
•
CSCdp27051
If you enable IP route-caching (IP fast-switching) on a Point-to-Point Protocol (PPP) serial interface that is part of a multilink bundle, traffic that is destined for that bundle might stop.
Workaround: Shut down the serial interfaces before entering the ip route-cache command, and then enable the interfaces.
•
CSCdp34046
If an output rate limit is configured on a non-Versatile Interface Processor (VIP) interface (for example, AIP or FIP) on a Cisco 7500 series route switch processor (RSP) with Cisco Express Forwarding (CEF) enabled, packets cannot be switched out of that interface.
Workaround: Disable CEF.
•
CSCdp34055
A Cisco router that is running Cisco IOS Release 12.0(5)T and later releases, Cisco IOS Release 12.1, or Cisco IOS Release 12.0 ST might reload if the clear ip bgp * EXEC command is entered on a peer provider edge (PE) router. The following stack trace is exhibited:
bgp_fwdentry_info
bgp_v4class_update_fwdtable_walker
rn_walktree_version
bgp_update_fwdtable
bgp_router
The reload occurs on the local PE when a PE Internal Border Gateway Protocol (IBGP) session is cleared on the remote box. If the PE is importing routes from other PE devices, clearing the BGP session on the remote PE will cause the local PE to reload.
There are no known workarounds.
•
CSCdp36754
Forwarding of bootp/dhcp address request User Datagram Protocol (UDP) packets fails because of an encapsulation failure.
Workaround:
1.) Use Cisco IOS Release 12.0(5)T.
2.) For Dial-on-Demand Routing (DDR), define the IP Dynamic Host Configuration Protocol (DHCP) server on the local router. For details, see the document, "Configuring DHCP," at the following URL:
3.) Configure a static Address Resolution Protocol (ARP) entry for the next hop address's mac-address. For example, the following is a sample workaround for a DHCP server on the other side of a Fiber Distributed Data Interface (FDDI) ring:
interface ethernet 0
 ip helper-address 192.82.247.98
arp 192.82.247.98 4000.7507.0301 SNAP
•
CSCdp45379
A Cisco 7200 series router with an NPE-300 network processing engine installed might not boot up when certain Cisco IOS Release 12.0(5)XE3 subset images are installed. The router will pause indefinitely in the early stage of booting up, and a power cycle is required to resume. For systems set for auto boot, you must enter the break command to abort the boot process and break out to the ROM monitor before the Cisco IOS Release 12.0(5)XE3 image is launched for execution. You then need to either modify the software configuration register to revert to a manual boot of some other known good image, or you need to switch the PCMCIA flash card with a known good image in case the system is set for a default image boot from the slot0: PCMCIA card.
There are no known workarounds.
•
CSCdp51004
Pings on a Cisco 7500 series tag-switching router that is running Cisco IOS Release 12.0 S, Cisco IOS Release 12.1, or Cisco IOS Release 12.0 ST fail if a packet comes in as an IP packet on an Asynchronous Transfer Mode (ATM) interface, the packet gets route-cache switched, the packet gets fragmented, and the fragments go out as tag packets through a serial interface.
Workaround: Configure distributed Cisco Express Forwarding (dCEF) on a Cisco ATM port adapter.
•
CSCdp54039
On Cisco routers that are running Cisco IOS Release 12.0(8), IP Security (IPSec) sends clear packets that need to be encrypted and fragmented.
There are no known workarounds.
•
CSCdp56103
The ip rtp priority interface configuration command does not work in Cisco IOS Release 12.1(09).
There are no known workarounds.
•
CSCdp59874
Timer data structures used by the dialer component might become corrupted. The corruption might occur because of operator-initiated actions that involve the removal of the dialer function on an interface. Examples of these actions would be configuring a leased-line Basic Rate Interface (BRI), or entering the no dialer in-band interface configuration command. The symptom might not occur for days or weeks after the operator action that caused it. Due to this condition, these actions should be avoided.
There are no known workarounds.
•
CSCdp64637
If a dialer profile (with multiple Basic Rate Interfaces (BRIs) in pool) is configured with a very low load threshold value using the dialer load-threshold command and if PPP Multilink is also configured, then all the channels except the B channels on one BRI are not disconnected. This situation might cause the B channels in the pool to flap and could also result in the failure of subsequent pings to the same link.
Workaround: Raise the load threshold to a higher value.
•
CSCdp66793
Currently no environment data (temperature, voltage, and so on) exists for the NSE-1 board.
There are no known workarounds.
•
CSCdp67380
A Cisco router might reload if the show ip cef EXEC command is entered while the routing table is changing.
There are no known workarounds.
•
CSCdp67508
With an increased Memd size on RSP8s, it takes the slave a bit longer to reach a steady state after a reset. During this period, the master, when up, reads the DBus status register and the value indicates that the slave route switch processor (RSP) is ready to accept cmd/data when in reality, it is not.
Workaround: Forcing the master RSP to wait for a slightly longer delay period circumvents this issue.
•
CSCdp72327
A Voice over IP (VoIP) gateway configured for huntstop on the pots dial-peer may fail to clear the VoIP call leg when the Public Switched Telephone Network (PSTN) portion of the call fails.
There are no known workarounds.
•
CSCdp72523
Fax Relay does not re-enable voice activity detection (VAD) when the call is torn down. If a fax call is made, the packets per second (PPS) rate will go from 8 to roughly 55 PPS while the fax is up. Once the fax call terminates, the PPS should go back to 8 until the next voice or fax call is made. The PPS actually increases to about 62 PPS and stays there until a shut/no shut is done on the port.
There are no known workarounds.
•
CSCdp78487
When a Customer Information Control System (CICS) term is forced to use ABEND on the host, the CICSB server will be disabled because the forced ABEND is interpreted as a host failure, and all connections to the server are brought down. Users that are connected to a TX Server might experience outage any time a transaction that is being run on the same server ABENDs.
There are no known workarounds.
•
CSCdp78892
A Cisco 7200 series router that is running Cisco IOS Release 12.1 with an IPSec Service Adapter (ISA) board might reload if you enter the clear crypto sa global configuration command.
There are no known workarounds.
•
CSCdp79422
Changes to resolve CSCdp58533 moved part of the code in cfg_int_fair_queue.h to another location. This resulted in a parser problem that resulted in an ambiguous custom-queue-list command. CSCdp58533 was integrated into Cisco IOS Release 12.1(0.7). This problem has been seen from this release onwards.
There are no known workarounds.
•
CSCdp80332
After the ip audit notify command is configured to send alarms to the NetRanger Director, the router will stop forwarding alarms after an undetermined period of time.
There are no known workarounds.
•
CSCdp81285
A Common Object Module Transaction Interface (COMTI) session object might not check in the license if an exception error occurs. In this situation, the license can become exhausted, and clients cannot connect.
There are no known workarounds.
•
CSCdp81292
Security is not functioning properly with Common Object Module Transaction Interface (COMTI) servers. Transactions that require user IDs and passwords cannot be executed through the Cisco Transaction Connection (TXCONN) subsystem.
There are no known workarounds.
•
CSCdp82244
On a Cisco 7200 series router, the serial drivers may cause a memory leak when a reparented packet is sent.
There are no known workarounds.
•
CSCdp82412
A voice gateway might reload when a voice call disconnects if you use the gw-accounting [h323 | syslog] global configuration command and you do not properly configure the authentication, authorization, and accounting (AAA) accounting method list for voice.
Workaround: Use the aaa accounting connection h323 {start-stop} [radius | tacacs+] global configuration command.
•
CSCdp82521
If you enable distributed Cisco Express Forwarding (CEF) on a Cisco 7500 series router, and there are one or more prefixes in the IP routing table with the maximum six paths, the router might reload with the following error message:
%SYS-2-CHUNKBADMAGIC: Bad magic number in chunk header...
There are no known workarounds.
•
CSCdp85147
If a dynamic crypto map has multiple entries, Internet Key Exchange (IKE) negotiation might fail with the Tunnel Endpoint Discovery (TED) peer.
There are no known workarounds.
•
CSCdp86111
When Cisco Express Forwarding (CEF) is configured as part of a large configuration (typically with access lists), traffic that is directly addressed to the interfaces of a router might not be received following boot. This condition can be observed on enabled interfaces where IP interfaces appear to be up, but the CEF interfaces are down.
Workaround: Perform one of the following steps:
–
Boot without CEF enabled.
–
Disable and then re-enable CEF.
–
Enter the no shutdown command on each of the interfaces that are affected.
•
CSCdp86876
Database Connection (DBCONN) Transmission Control Protocol (TCP)/Internet Protocol (IP) passthru connections might cause a Cisco router to reload if the host disconnects prematurely.
There are no known workarounds.
•
CSCdp87509
In a situation where a customer edge (CE) router is connected to two provider edge (PE) routers, if a third PE changes its selected route to the CE router, it might fail to update the Virtual Private Network (VPN) label for the route, resulting in loss of connectivity to that CE.
Workaround: Use the clear ip route command to clear the route.
•
CSCdp87594
A Cisco router that is connected to Integrated Services Digital Network (ISDN) Basic Rate Interface (BRI) lines that deactivate Layer 1 (typically done by European telcos to save power on BRI lines when no ISDN calls are active) and that uses dialer interfaces (either legacy Dial-on-Demand Routing (DDR) or dialer profiles) will not be able to dial out.
Workaround: Remove the dialer interfaces and configure the BRI interfaces instead.
•
CSCdp92527
A memory leak in a Cisco router might occur if you use the show isdn active command on a tty other than the console port while calls are in process.
There are no known workarounds.
•
CSCdp93457
If Cisco Express Forwarding (CEF) is not enabled and Resource Reservation Protocol (RSVP) over Asynchronous Transfer Mode (ATM) is used, excessive switched virtual circuits (SVCs) are created.
There are no known workarounds.
•
CSCdp95169
Class-Based Weighted Fair Queueing (CBWFQ) does not work on dialer profiles when using a non-Integrated Services Digital Network (ISDN) link and an ISDN link.
There are no known workarounds.
•
CSCdp95350
The Border Gateway Protocol (BGP) might cause a Cisco router to reload when using multi-exit discriminator (MED) for best path selection.
There are no known workarounds.
•
CSCdp96134
Certain configurations might cause spurious memory accesses, failure at start up, or incomplete configuration data processing.
There are no known workarounds.
•
CSCdp97532
Snmpboots, a boot counter for the Simple Network Management Protocol (SNMP) version 3, is incremented and saved during bootup, which might cause a noticeable bootup delay. This bootup delay will only occur when SNMP version 3 is configured.
There are no known workarounds.
•
CSCdr00478
If you run a TN3270 server on a channel port adapter or configure virtual telecommunications access method (VTAM) to perform connect-outs by Channel Interface Processor (CIP) Systems Network Architecture (SNA) on a channel port adapter, buffer leaks might occur that will affect service between Cisco IOS software and the channel port adapter. Both of these features use local explorers to establish SNA connections, and when these local explorers are received from the channel port adapter by Cisco IOS software, the receive buffer containing the local explorer is not freed properly, resulting in lost buffers. Eventually, Cisco IOS software will run out of channel port adapter receive buffers and stop receiving packets from the channel port adapter. Symptoms of this situation include ceased input packets on the channel interface.
There are no known workarounds.
•
CSCdr03853
A Cisco router might reload because of a bus error.
There are no known workarounds.
Related Documentation
The following sections describe the documentation available for the Cisco 7000 family of routers. These documents consist of hardware and software installation guides, Cisco IOS configuration guides and command references, system error messages, feature modules, and other documents.
Documentation is available as printed manuals or electronic documents, except for feature modules, which are available online on Cisco.com and the Documentation CD-ROM.
Use these release notes with these documents:
•
Cisco IOS Software Documentation Set
Release-Specific Documents
The following documents are specific to Release 12.1 and are located on Cisco.com and on the Documentation CD-ROM:
•
Cross-Platform Release Notes for Cisco IOS Release 12.1
On Cisco.com at:
Technical Documents: All Product Documentation: Cisco IOS Software Configuration: Cisco IOS Release 12.1: Release Notes: Cross-Platform Release Notes
On the Documentation CD-ROM at:
Cisco Product Documentation: All Product Documentation: Cisco IOS Software Configuration: Cisco IOS Release 12.1: Release Notes: Cross-Platform Release Notes
•
Product bulletins, field notices, and other release-specific documents on Cisco.com at:
Technical Documents
•
Caveats for Cisco IOS Release 12.1
As a supplement to the caveats listed in "Caveats" in these release notes, see the Caveats for Cisco IOS Release 12.1 document.
On Cisco.com at:
Technical Documents: All Product Documentation: Cisco IOS Software Configuration: Cisco IOS Release 12.1: Release Notes: Caveats
On the Documentation CD-ROM at:
Cisco Product Documentation: All Product Documentation: Cisco IOS Software Configuration: Cisco IOS Release 12.1: Release Notes: Caveats
Note
If you have an account with Cisco.com, you can use Bug Navigator II to find caveats of any severity for any release. To reach Bug Navigator II, log in to Cisco.com and click Software Center: Cisco IOS Software: Cisco IOS Bug Navigator II. Another option is to go to http://www.cisco.com/support/bugtools.
•
Release Notes for Cisco 7000 Family for Cisco IOS Releases 12.0(5)XE through 12.0(7)XE1
On Cisco.com at:
Technical Documents: All Product Documentation: Cisco IOS Software Configuration: Cisco IOS Release 12.0: Release Notes: Cisco 7000 Family Routers: Cisco 7000 Family—Release Notes for Release 12.0 XE: Release Notes for Cisco 7000 Family for Cisco Releases 12.0(5)XE through 12.0(7)XE1
On the Documentation CD-ROM at:
Cisco Product Documentation: All Product Documentation: Cisco IOS Software Configuration: Cisco IOS Release 12.0: Release Notes: Cisco 7000 Family Routers: Cisco 7000 Family—Release Notes for Release 12.0 XE: Release Notes for Cisco 7000 Family for Cisco IOS Releases 12.0(5)XE through 12.0(7)XE1
Platform-Specific Documents
These documents are available for the Cisco 7000 family of routers on Cisco.com and on the Documentation CD-ROM:
•
Cisco 7200 VXR Installation and Configuration Guide
•
Cisco 7206 Installation and Configuration Guide
•
Cisco 7204 Installation and Configuration Guide
•
Quick Reference for Cisco 7204 Installation
•
Cisco 7202 Installation and Configuration Guide
•
Quick Start Guide Cisco 7100 Series VPN Router
•
Cisco 7010 User Guide
•
Cisco 7000 User Guide
•
Cisco 7000 Hardware Installation and Maintenance
On Cisco.com at:
Technical Documents: All Product Documentation: Core/High-End Routers
On the Documentation CD-ROM at:
Cisco Product Documentation: All Product Documentation: Core/High-End Routers
Feature Modules
Feature modules describe new features supported by Release 12.1 E and are updates to the Cisco IOS documentation set. A feature module consists of a brief overview of the feature, benefits, configuration tasks, and a command reference. As updates, the feature modules are available online only. Feature module information is incorporated in the next printing of the Cisco IOS documentation set.
On Cisco.com at:
Technical Documents: All Product Documentation: Cisco IOS Software Configuration: Cisco IOS Release 12.1: New Feature Documentation: New Features in 12.1-Based Limited Lifetime Releases: Cisco IOS Release 12.1 E
On the Documentation CD-ROM at:
Cisco Product Documentation: All Product Documentation: Cisco IOS Software Configuration: Cisco IOS Release 12.1: New Feature Documentation: New Features in 12.1-Based Limited Lifetime Releases: Cisco IOS Release 12.1 E
Feature Navigator
Feature Navigator is a web-based tool that enables you to quickly determine which Cisco IOS software images support a particular set of features and which features are supported in a particular Cisco IOS image.
Feature Navigator is available 24 hours a day, 7 days a week. To access Feature Navigator, you must have an account on Cisco.com. If you have forgotten or lost your account information, e-mail the Contact Database Administration group at cdbadmin@cisco.com. If you do not have an account on Cisco.com, go to http://www.cisco.com/register and follow the directions to establish an account.
To use Feature Navigator, you must have a JavaScript-enabled web browser such as Netscape 3.0 or later, or Internet Explorer 4.0 or later. Internet Explorer 4.0 always has JavaScript enabled. To enable JavaScript for Netscape 3.x or Netscape 4.x, follow the instructions provided with the web browser. For JavaScript support and enabling instructions for other browsers, check with the browser vendor.
Feature Navigator is updated when major Cisco IOS software releases and technology releases occur. You can access Feature Navigator at the following URL:
Cisco IOS Software Documentation Set
The Cisco IOS software documentation set consists of the Cisco IOS configuration guides, Cisco IOS command references, and several other supporting documents. The Cisco IOS software documentation set is shipped with your order in electronic form on the Documentation CD-ROM—unless you specifically ordered the printed versions.
Documentation Modules
Each module in the Cisco IOS documentation set consists of one or more configuration guides and one or more corresponding command references. Chapters in a configuration guide describe protocols, configuration tasks, and Cisco IOS software functionality, and contain comprehensive configuration examples. Chapters in a command reference provide complete command syntax information. Use each configuration guide with its corresponding command reference.
On Cisco.com at:
Technical Documents: All Product Documentation: Cisco IOS Software Configuration: Cisco IOS Release 12.1: Configuration Guides and Command References
On the Documentation CD-ROM at:
Cisco Product Documentation: All Product Documentation: Cisco IOS Software Configuration: Cisco IOS Release 12.1: Configuration Guides and Command References
Cisco IOS Release 12.1 Documentation Set Contents
Table 86 lists the contents of the Cisco IOS Release 12.1 software documentation set, which is available in electronic form and in printed form if ordered.
Note
You can find the most current Cisco IOS documentation on Cisco.com and on the Documentation CD-ROM. These electronic documents may contain updates and modifications made after the hard-copy documents were printed.
On Cisco.com at:
Technical Documents: All Product Documentation: Cisco IOS Software Configuration: Cisco IOS Release 12.1
On the Documentation CD-ROM at:
Cisco Product Documentation: All Product Documentation: Cisco IOS Software Configuration: Cisco IOS Release 12.1
Obtaining Documentation
The following sections provide sources for obtaining documentation from Cisco Systems.
World Wide Web
You can access the most current Cisco documentation on the World Wide Web at the following sites:
Documentation CD-ROM
Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or as an annual subscription.
Ordering Documentation
Cisco documentation is available in the following ways:
•
Registered Cisco Direct Customers can order Cisco Product documentation from the Networking Products MarketPlace:
http://www.cisco.com/public/ordsum.html
•
Registered Cisco.com users can order the Documentation CD-ROM through the online Subscription Store:
http://www.cisco.com/go/subscription
•
Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco corporate headquarters (California, USA) at 408 526-7208 or, in North America, by calling 800 553-NETS(6387).
Documentation Feedback
If you are reading Cisco product documentation on the World Wide Web, you can submit technical comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco.
You can e-mail your comments to bug-doc@cisco.com.
To submit your comments by mail, for your convenience many documents contain a response card behind the front cover. Otherwise, you can mail your comments to the following address:
Cisco Systems, Inc.
Document Resource Connection
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.
Obtaining Technical Assistance
Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can obtain documentation, troubleshooting tips, and sample configurations from online tools. For Cisco.com registered users, additional troubleshooting tools are available from the TAC website.
Cisco.com
Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information and resources at any time, from anywhere in the world. This highly integrated Internet application is a powerful, easy-to-use tool for doing business with Cisco.
Cisco.com provides a broad range of features and services to help customers and partners streamline business processes and improve productivity. Through Cisco.com, you can find information about Cisco and our networking solutions, services, and programs. In addition, you can resolve technical issues with online technical support, download and test software packages, and order Cisco learning materials and merchandise. Valuable online skill assessment, training, and certification programs are also available.
Customers and partners can self-register on Cisco.com to obtain additional personalized information and services. Registered users can order products, check on the status of an order, access technical support, and view benefits specific to their relationships with Cisco.
To access Cisco.com, go to the following website:
Technical Assistance Center
The Cisco TAC website is available to all customers who need technical assistance with a Cisco product or technology that is under warranty or covered by a maintenance contract.
Contacting TAC by Using the Cisco TAC Website
If you have a priority level 3 (P3) or priority level 4 (P4) problem, contact TAC by going to the TAC website:
P3 and P4 level problems are defined as follows:
•
P3—Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue.
•
P4—You need information or assistance on Cisco product capabilities, product installation, or basic product configuration.
In each of the above cases, use the Cisco TAC website to quickly find answers to your questions.
To register for Cisco.com, go to the following website:
http://www.cisco.com/register/
If you cannot resolve your technical issue by using the TAC online resources, Cisco.com registered users can open a case online by using the TAC Case Open tool at the following website:
http://www.cisco.com/tac/caseopen
Contacting TAC by Telephone
If you have a priority level 1 (P1) or priority level 2 (P2) problem, contact TAC by telephone and immediately open a case. To obtain a directory of toll-free numbers for your country, go to the following website:
http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
P1 and P2 level problems are defined as follows:
•
P1—Your production network is down, causing a critical impact to business operations if service is not restored quickly. No workaround is available.
•
P2—Your production network is severely degraded, affecting significant aspects of your business operations. No workaround is available.

