Table Of Contents
Caveats for Cisco IOS Release 12.2(33)SRC through 12.2(33)SRD3
Resolved Caveats—Cisco IOS Release 12.2(33)SRD3
Resolved Caveats—Cisco IOS Release 12.2(33)SRD2a
Resolved Caveats—Cisco IOS Release 12.2(33)SRD2
Open Caveats—Cisco IOS Release 12.2(33)SRD1
Resolved Caveats—Cisco IOS Release 12.2(33)SRD1
Open Caveats—Cisco IOS Release 12.2(33)SRD
Resolved Caveats—Cisco IOS Release 12.2(33)SRD
Resolved Caveats—Cisco IOS Release 12.2(33)SRC5
Resolved Caveats—Cisco IOS Release 12.2(33)SRC4
Open Caveats—Cisco IOS Release 12.2(33)SRC3
Resolved Caveats—Cisco IOS Release 12.2(33)SRC3
Open Caveats—Cisco IOS Release 12.2(33)SRC2
Resolved Caveats—Cisco IOS Release 12.2(33)SRC2
Open Caveats—Cisco IOS Release 12.2(33)SRC1
Resolved Caveats—Cisco IOS Release 12.2(33)SRC1
Open Caveats—Cisco IOS Release 12.2(33)SRC
Resolved Caveats—Cisco IOS Release 12.2(33)SRC
Caveats for Cisco IOS Release 12.2(33)SRC through 12.2(33)SRD3
Caveats describe unexpected behavior in Cisco IOS software releases. Severity 1 caveats are the most serious caveats; severity 2 caveats are less serious. Severity 3 caveats are moderate caveats, and only select severity 3 caveats are included in this section.
Because Cisco IOS Release 12.2SR is based on Cisco IOS Release 12.2, many caveats that apply to Cisco IOS Release 12.2 also apply to Cisco IOS Release 12.2SR. For information on severity 1 and 2 caveats in Cisco IOS Release 12.2, see the Caveats for Cisco IOS Release 12.2 document located on Cisco.com.
In this section, the following information is provided for each caveat:
•
Symptoms—A description of what is observed when the caveat occurs.
•
•
Note
This section consists of the following subsections:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Resolved Caveats—Cisco IOS Release 12.2(33)SRD3
All the caveats listed in this section are resolved in Cisco IOS Release 12.2(33)SRD3. The caveats listed in this section are open in Cisco IOS Release 12.2(33)SRD.
•
Symptoms: A Cisco router may crash or may stop responding.
Conditions: This has been always seen with an atm interface only when a rate-limit command is enabled on the interface. The crash occurs when an interface that is configured with a rate-limit command is deleted by entering the no interface command and then reenabled by entering the interface command.
Workaround: Remove the rate-limit configuration from the interface before deleting the interface.
Further Problem Description: Happens under very specific circumstances and the crash is seen randomly.
•
Symptoms: The following CLASS-BASED-QOS-MIB counters are incorrect in output direction:
- cbQosCMPrePolicyByte64
- cbQosCMPostPolicyByte64
In input direction cbQosCMDropByte64 is incremented and is always equal to cbQosCMPrePolicyByte64.
Conditions: Hardware specific setup: SIP-600 and 10GE SPA.
Workaround: There is no workaround.
•
Symptoms: A Cisco 7600 Series router or Cisco Catalyst 6500 Switch may unexpectedly reload due to bus error when running remote command switch show mmls met.
Conditions: Occurs when the device is doing multicast.
Workaround: Do not run the command.
•
Symptoms: Resilient Ethernet Protocol (REP) flaps due to excessive CPU utilization occurs.
Conditions: Occurs in a Resilient Ethernet Protocol (REP) segment if 4000 VLANs are configured on the router and if VLANs are allowed on a switchport.
Workaround: There is no workaround.
•
Symptoms: A Cisco router may fail to access a flash card after formatting it, and the following error message is generated:
*** Emulating mis-aligned load at 0x80000190 PC = 0x8001179c ... succeeded
Conditions: The symptom is observed on a Cisco 7200 series, Cisco 7301, and Cisco 7500 series that run Cisco IOS Release 12.4(10) or Release 12.4(12) and occurs only when a flash card is accessed from the ROMmon prompt.
Workaround: There is no workaround. Note that the symptom does not occur in Release 12.4(8a) or an earlier release.
•
Symptoms: Under certain unusual circumstances, routes can go SIA in an EIGRP network and create transient routing loops.
Conditions: When the metric on an interface increases rapidly, the symptom can occur. This can happen with MANET interfaces as well as bundled interfaces (such as port-channels).
Workaround: There is no workaround.
•
Symptoms: The following symptoms all relate to the same root cause:
1. In syntax check mode, if there is a standby in SSO mode, the cts dot1x command does not work and the following error messages are displayed:
RouterRP(syntax-if)#cts dot1x %ERROR: Standby doesn't support this command ^ % Invalid input detected at '^' marker.
RouterRP(syntax-archive)#path disk0: %ERROR: Standby doesn't support this command ^ % Invalid input detected at '^' marker.
2. After a redundancy force-switchover, the applet configuration is lost and retains only the applet name. (This is done by configuring an applet on the main RP and switchover to the Standby by issuing a redundancy force-switchover. Issue the sh run command on the Standby which is now the main RP.) All the action statements are lost.
3. The Standby switch reloads by itself after going into the event manager applet configuration mode:
Config Sync: Line-by-Line sync verifying failure on command: event manager applet cli-test-01 due to parser return error
4. The Standby switch may also reload upon removing the command event manager applet:
RouterRP(config)#event manager applet 1 EEM: Applet 1 is currently being modified
OR
RouterRP(config)#no event manager applet 1 EEM: Applet 1 is currently being modified
Conditions: The symptoms are observed in syntax check mode, if there is a standby in SSO mode.
Workaround: There is no workaround.
•
Symptoms: The image name displayed in show version will be truncated to 64 characters if the image name is more than that.
Conditions: It occurs in High Availability (HA) setup.
Workaround: There is no workaround.
•
Symptoms: Shortly after replacing FlexWAN, SNMP queue starts to fill and SNMP queue full error message is printed:
%SNMP-3-INPUT_QFULL_ERR: Packet dropped due to input queue full
Conditions: Occurs on a Cisco 7600 router running Cisco IOS Release 12.2(33)SRD1.
Workaround: Apply following view:
snmp-server view Flash iso included
snmp-server view Flash ciscoFlashMIB exclude
snmp-server view Flash ciscoFlashDevice exclude
snmp-server view Flash ciscoFlashPartitions exclude
snmp-server view Flash ciscoFlashPartitionTable exclude
snmp-server view Flash ciscoFlashPartitionEntry exclude
snmp-server community <name> view Flash RW
If this is not enough to get rid of SNMP queue full, reload the router so that the view applies at the router bootup.
•
Symptoms: Router crashes following a shut/no shut on the main interface.
Conditions: Occurs on a router running Cisco IOS Release 12.2SXH2a. IPv6 traffic must be flowing over the WAN interface for multiple IPv6 prefixes. The crash occurs when a shut/no shut is done on the main interface on which multiple subinterfaces have been configured and IPv6 routing is enabled.
Workaround: There is no workaround.
•
Symptoms: When there are two PA-2T3 cards on a VIP6-80 and hard loop one port on one PA-2t3, it causes the port on the second PA-2T3 card to flap. The impact of the issue is that the interface flaps once and it results in dropping of 6-7 packets.
Conditions: When we do a shut/no shut on a serial port, the other serial port on the same VIP might flap once.
Workaround: Put each PA-2T3 card on different VIP modules.
Further Problem Description: Any Cisco IOS release that incorporates CSCsj96781 will definitely see this bug. The other affected serial port can belong to the same PA (in case of two-port T3+ PA) or it can belong to a different PA on a different bay but on same VIP.
•
Symptoms: A Catalyst 6500 switch with an etherchannel spanning multiple DFC modules may drop packets for a certain MAC on egress. This happens when one of the DFCs carrying the etherchannel has an incorrectly programmed MAC address entry, pointing at the internal drop index.
Conditions: This only occurs in an asymmetric routing scenario, where frames are constantly egressing the etherchannel destined for certain MAC addresses, but frames are not consistently seen from those MAC addresses. This is often the case when Hot Standby Routing Protocol (HSRP) is running, and this particular switch is the HSRP standby.
Workaround: Through tweaking ARP and MAC address aging timers, this situation can be avoided. We recommend that the MAC address aging timer be set at least 3 times higher than the ARP timer for the VLAN interface.
The configuration for this is:
Switch(config)#mac-address synchronize
Switch(config)#mac-address aging-time 900
Switch(config)#interface Vlan360
Switch(config-if)#arp timeout 300
Further Problem Description: While a MAC address is in this condition, the following outputs will look like this:
Switch#show mac-address-table address 0000.0000.0001 all det
MAC Table shown in details ========================================
PI_E RM RMA Type Alw-Lrn Trap Modified Notify Capture Flood Mac Address Age Pvlan SWbits Index XTag ----+---+---+----+-------+----+--------+------+-------+------+--------------+----+------+------+------+---- Module 1: No No No DY No No Yes No No No 0000.0000.0001 0x3A 360 0 0x7FFF 0 Active Supervisor: No No No DY No No Yes No No No 0000.0000.0001 0x69 360 0 0x342 0
Here, we see that the MAC address is not present on Module 2, which it should be. On Module 1, we see that the index pointed to is 0x7FFF, which represents the internal drop index in the 6500. Also, we see the "Flood" bit is set to 'No'. In this condition, all frames egressing Module 1 for this MAC will be dropped. Had "Flood=Yes", the frames would be flooded instead of dropped, which is normal behavior.
•
Symptoms: Following reload, controllers come up, but interfaces stay down.
Conditions: A router with HA Sup720 and non-HA Sup32 is connected with 8xCHT1/E1 SPA, 1xCHSTM1 SPA and 4xCT3 SPA in a SIP-200. Upon reloading 8xCHT1/E1 SPA alone on both sides simultaneously, 6-7 interfaces go down and never come up. They show as up/up in line card but up/down in RP.
Workaround: There is no workaround.
•
Symptoms: When a downgrade is done from Cisco IOS Release 12.2(33)SB to Release 12.2(31)SB, the Standby that is loaded with Cisco IOS Release 12.2(31)SB fails to do config sync and keeps crashing.
Conditions: This symptom occurs when both Active and Standby are loaded with Cisco IOS Release 12.2(33)SB image with PPPOX (PPPoA or PPPoE) configurations. Standby is downgraded to Cisco IOS Release 12.2(31)SB. The standby loaded with Cisco IOS Release 12.2(31)SB fails to do configuration sync and keeps crashing after configuring issu loadversion command.
This is also seen in the case of an upgrade from Cisco IOS Release 12.2(31)SB* to Cisco IOS Release 12.2(33)SB image, after issu runversion command, when Active has Cisco IOS Release 12.2(33)SB and Standby has Cisco IOS Release 12.2(31)SB* image.
Workaround: For upgrade from Cisco IOS Release 12.2(31)SB* to Cisco IOS Release 12.2(33)SB image:
After issu runversion command, when Active has Cisco IOS Release 12.2(33)SB:
1) Configure the following:
router#configure terminal router(config)#redundancy router(config-red)#force-rpr 1
2) Cisco IOS Release 12.2(31)SB* becomes Standby and will crash once and then come up in RPR mode.
3)Do issu commitversion and Standby will come up with Cisco IOS Release 12.2(33)SB image.
For downgrade from Cisco IOS Release 12.2(33)SB to Cisco IOS Release 12.2(31) SB* image:
1) Configure the following on Active PRE Cisco IOS Release 12.2(33)SB:
router#configure terminal router(config)#redundancy router(config-red)#force-rpr 1
2) Do issu loadversion command, which causes Standby to go down and come up as Standby (Cisco IOS Release 12.2(31)SB*). The new Standby will crash once and then come up in RPR mode.
3) Do issu runversion command to make Standby as Active (Cisco IOS Release 12.2(31)SB*).
4) Do issu commitversion command and Standby will come up in Cisco IOS Release 12.2(31)SB*.
The force-rpr 1 command is removed from the configuration by now, since Cisco IOS Release 12.2(31)SB* image does not support this command.
•
Symptoms: A Cisco IOS device may reload with an address error or have alignment errors and tracebacks such as %ALIGN-3-SPURIOUS or %ALIGN-3-TRACE
Conditions: The symptoms are most likely to occur when the TACACS+ server (ACS) sends an "authentication error" when ACS is configured, or when a request timeout occurs. There may be other AAA or TACACS related conditions that cause the symptom.
Workaround: There is no workaround.
•
Symptom: Memory leak when remote PEs have more xconnects configured than UUT
Conditions: set session limit under vpdn-group and over subscribe sessions. Workaround: NA
•
Symptoms: A Cisco router might crash when debug condition portbundle ip 10.1.1.1 bundle 0 is configured.
Conditions: Occurs when this command is executed prior to configuring ip portbundle.
Workaround: There is no workaround.
•
Symptoms: A Cisco router may ungracefully reload.
Conditions: The symptom is observed when the router is processing CoA RADIUS messages and when certain debugs are turned on.
Workaround: Disable all debugs.
•
Symptoms: PE-CE performance degradation of 80% on initial convergence.
Conditions: Occurs when BGP and VPNv4 are configured.
Workaround: There is no workaround.
Further Problem Description: Performance is not affected after initial convergence.
•
Symptoms: In very rare cases, a Cisco 10000 series router crashes with a log similar to:
%Software-forced reload Breakpoint exception, CPU signal 23, PC = 0x408FAFC0
Possible software fault. Upon recurrence, please collect crashinfo, "show tech" and contact Cisco Technical Support.
-Traceback= 408FAFC0 408F8B78 41990010 419910E0 41992DB8 42158AF4 41992EC0 41953F8C 41956C1C
(Note that the hex values of the traceback may be different.)
Conditions: The symptom is observed on a Cisco 10000 series router that is running Cisco IOS Release 12.2(33)SB1.
Workaround: There is no workaround.
Further Problem Description: The occurrence of the problem so far has been rare. The decode of the traceback points to a BGP issue. The confirmation of whether a crash is due to this bug in BGP or not can only be made after the traceback from the crash has been decoded by Cisco support engineers.
•
Symptoms: Redistributed routes are not being advertised after a neighbor flap.
Conditions: This symptom is observed if BGP is redistributing local routes and if there are multiple neighbors in the same update-group and then a neighbor flaps. For the flapped neighbor, some redistributed routes are not being advertised.
Workaround: Undo and redo the redistribution.
•
Symptoms: Changing any of the parameters of a route-map does not take effect.
Conditions: Occurs when using a BGP aggregate-address with an advertise map.
Workaround: Delete the aggregate-address statement and then put it back for the change to take effect.
•
Symptoms: A router configured with BGP import from the global IPv4 table into a VRF using the VRF configuration command import ipv4 unicast map ... may exhibit a brief traffic outage to destinations reached through the imported routes following a switchover.
Conditions: Global to VRF import must be configured under the VRF. Issue only affects Cisco IOS Release 12.29(33)SR releases.
Workaround: There is no workaround.
•
Symptoms: Memory leak can be seen on the LNS.
Conditions: The symptom is observed on the L2TP Network Server (LNS) when the PPP client does a renegotiation.
Workaround: There is no workaround.
•
Symptoms: Frame-Relay fragment output not seen when modifying the attached map-class.
Conditions: Occurs on a Cisco 7200 router.
Workaround: Detach and attach Frame-Relay fragment.
•
Symptoms: After multiple OIRs, memory gets fragmented in line card and at one stage the mallocs start failing.
Conditions: There is a higher chance of fragmentation when we have ATM OC3 SPAs in both the bays and huge configurations which eat up lot of memory.
Workaround: Reload the line card.
•
Symptoms: A device running FTP to transmit the DHCP database may experience a file descriptor leak that results in errors such as:
ROUTER#show run
OR
ROUTER#show start Using XXXX out of XXXX bytes %Error opening nvram:/startup-config (Bad file number)
OR
ROUTER#dir nvram: Directory of nvram:/ %Error opening nvram:/ (File table overflow) XXXX bytes total (XXXX bytes free)
Conditions: Occurs when the router is configured to use FTP to transmit the DHCP database:
ip dhcp database ftp://XXXX:XXXX@X.X.X.X/XXXX
And the FTP server becomes unreachable. The file descriptor leak can be viewed in the output of show file descriptors:
ROUTER-B#show file descriptors File Descriptors:
FD Position Open PID Path 0 0 0302 145 ftp://X.X.X.X/DHCP 1 0 0302 145 ftp://X.X.X.X/DHCP 2 0 0302 145 ftp://X.X.X.X/DHCP 3 0 0302 145 ftp://X.X.X.X/DHCP 4 0 0302 145 ftp://X.X.X.X/DHCP 5 0 0302 145 ftp://X.X.X.X/DHCP 6 0 0302 145 ftp://X.X.X.X/DHCP 7 0 0302 145 ftp://X.X.X.X/DHCP 8 0 0302 145 ftp://X.X.X.X/DHCP 9 0 0302 145 ftp://X.X.X.X/DHCP <snip>
Workaround: Ensure that the FTP server does not become unreachable for more than 128 total minutes, as there are only 128 file descriptors. In the event that all 128 file descriptors are leaked, a reboot is required to recover.
•
Symptoms: PIM packets may be processed on interfaces which PIM is not explicitly configured.
Conditions: Unknown at this time.
Workarounds: Create an ACL to drop PIM packets to such interfaces.
•
Symptoms: When doing IP session on Layer 4 Redirect with VPN routing/forwarding (VRF) web logon scale test, subscriber tries to authenticate with 20 characters per second from test tool. MCP crashed into ROMMon
Conditions: Occurs only when test tool sends authentication at 20 characters per second
Workaround: There is no workaround.
•
Symptoms: High CPU on PM callback process on SP. Depending on the number of trunk links configured, the high CPU time increases exponentially with the number of trunk links.
Conditions: This occurs when VTP pruning is enabled and there are too many trunk links. High CPU on PM callback process is normal as the switch is pruning the VLANs. Problem only occur when there are too many trunk links and the high CPU last for too long and affects other layer 2 operations.
Workaround: Disable VTP pruning or reduce the number of trunk links. For phones, use mode access with voice VLAN configured if this configuration is supported by phone.
•
Symptoms: GRE tunnel terminates on switch where Server Load Balancing (SLB) is configured. Traffic to SLB VIP and real server fails and causes crash.
Conditions: Occurs on a router running Cisco IOS Release 12.2(33)SRC2. Router crashes and creates core dump while doing a telnet to a real server under NAT-configured server farm using GRE Tunnel.
Workaround: There is no workaround.
•
Symptoms: Router may reload when you unconfigure and then configure the ipv multicast-routing commands in quick succession.
Conditions: Occurs when these commands are entered in quick succession, such as with copy and paste.
Workaround: Allow for a delay when entering the commands ipv multicast-routing and no ipv multicast-routing.
•
Symptoms: System crashes while running online diags.
Conditions: The system may crash when there is a spike in CPU utilization or traffic in the system.
Workaround: There is no workaround.
•
Symptoms: BGP neighbors may experience increased flapping.
Conditions: Occurs when large number of BGP neighbors are configured with aggressive BGP hold-timer values.
Workaround: Increase the BGP hold-timer values beyond 10/30.
•
Symptoms: VTY session may get stuck after some extended pings are done and the CPU process may go high.
Conditions: The symptom is observed when an extended ping with CLNS is done and the command is left incomplete until the vty session times out.
Workaround: Issue can be prevented by not leaving the extended 'ping clns' command incomplete for long time in the vty session.
•
Symptoms: A router may write a crashinfo that lacks the normal command logs, crash traceback, crash context, or memory dumps.
Conditions: This might be seen in a memory corruption crash depending on precisely how the memory was corrupted.
Workaround: There is no workaround.
•
Symptoms: Routers using OSPF and MPLS Traffic Engineering may crash or operate incorrectly following changes to the configuration of MPLS-TE tunnel interfaces or OSPF. In some cases a configuration change will cause an immediate crash, while in others memory may be corrupted resulting in problems later.
Routers using MPLS-TE primary auto-tunnels are particularly vulnerable because those tunnel interfaces may be removed as the result of network topology changes as well as by modifying the running configuration.
Conditions: In order to be exposed to this problem, a router must have MPLS TE tunnel interfaces that are announced to OSPF. Systems that do not run OSPF, or which do not use MPLS-TE are not affected.
Systems that operate without "service alignment detection" enabled may crash when the following configuration commands are issued:
Global configuration mode:
* no interface tunnel <n> * no router ospf * no mpls traffic-eng auto-tunnel
Interface configuration mode:
* no ip unnumbered * no ip address
Exec mode:
* clear mpls traffic-eng auto-tunnel
Note that routers running modular IOS (ION) and IOS-XE do not have alignment detection enabled.
Regardless of the state of alignment detection, removing the last MPLS-TE tunnel interface to a destination can cause problems, as can removing auto-tunnel configuration. Removal of dynamically created auto-tunnel interfaces as a result of changes in the network topology has the same effect.
Note that routers using auto backup tunnels to provide fast reroute for static MPLS-TE tunnels do not have any extra exposure to this bug because while these backup tunnels may be removed due to topology changes, the static tunnel to the same destination will not be.
Normal UP/DOWN state changes of tunnel interfaces do not cause problems.
Workaround: To remove a MPLS-TE tunnel interface, first configure it down with the "shutdown" command in interface submode.
To remove an OSPF instance, first disable MPLS-TE for the instance by configuring "no mpls traffic-eng area <n>" in router ospf submode.
No workaround is available for MPLS-TE auto-tunnels.
•
Symptoms: When flapping a fiber, the link protocol comes up, but the line protocol does not.
Conditions: Occurs on links between SIP modules.
Workaround: Perform a shut/no shut on the interface.
•
Symptoms: Both active and standby supervisors crash.
Conditions: Occurs when Control Plane Policing (COPP) is configured and there are multiple session churns happening with PPPoE subscribers.
Workaround: There is no workaround.
•
Symptoms: With traffic flowing normally over a GRE tunnel terminating on the ES20 line card the module will crash when IPSec tunnel protection is enabled.<BR><BR>
Conditions: Occurs when tunnel endpoint is an interface on the ES20 line card.<BR><BR>
Workaround: This crash is seen only when GRE is accelerated by spa-ipsec-2g. If GRE is accelerated by the SUP, the crash does not happen. This is done by default in VRF mode without any other directives like "crypto engine mode gre vpnblade". To ensure the tunnel is adding "crypto engine gre supervisor" in the global configuration mode and on all the tunnels that are handled by ES20 for mpls recirculations.
As an alternative workaround, If the customer wants the GRE acceleration to be taken over by the spa-ipsec-2g. An ACL needs configured to drop all the plain unencrypted GRE traffic between a tunnel's source and destination ip addresses may also be effective if applied prior to configuring the "tunnel protection ..." command. However, this workaround may not scale in certain configurations.<BR><BR>
As a preventive precautionary measure. A safer practice would be to configure the Customer Edge device prior to configuring the Provider Edge. This configuration order should prevent this issue from occuring when adding IPSec Tunnel protection to GRE Tunnels.
•
Symptoms: Microflow policing fails to be removed or modified on port-channel subinterface.
Conditions: Occurs on a Cisco 7600 series router with port-channel subinterface configured for microflow policing, and the same policy configured on subinterface with encap VLAN as well as another subinterface without encap VLAN.
Workaround: There is no workaround.
•
Symptoms: BGP MDT session flaps when a router running Cisco IOS is interoperating with a router running Cisco IOS-XR and when withdrawal messages are sent by IOS to XR of previously advertised MDT prefixes.
Conditions: MDT prefixes need to be exchanged by IOS and XR routers. If a withdrawal message is exchanged subsequently for any reason then this problem is seen.
Workaround: There is no workaround.
•
Symptoms: Whenever MTU is configured under a port-channel with EVC (Ethernet Virtual Circuit), the MTU functionality does not work as expected.
Conditions: This happens only with Layer 3 port-channels.
Workaround: There is no workaround.
Further Problem Description: Whenever a member link is added to a port-channel, the member link's MTU is programmed to the jumbo MTU value (default 9216). Even when a custom MTU value is configured under port-channel, all the member links' MTUs are programmed with 9216.
•
Symptoms: The following messages appear in the log after a reload:
Suspending service policy (policyname) on Multilink(#)bandwidth of 24.00% is not available (1.00%)
bandwidth of 24.00% is not available (1.00%)
bandwidth of 24.00% is not available (1.00%)
bandwidth of 24.00% is not available (1.00%)
Conditions: A Cisco 7600 running Cisco IOS Release 12.2(33)SRB2 and 12.2(33)SRB3 with Multilink interface configured for CBWFQ QOS policy will suspend policy and display error message similar to the above if service-policy is applied to Multilink interface at time of route loading.
Workaround: Load router with no service-policies applied and apply them after router is up.
•
Symptoms: Crash in TCP.
Conditions: Happens when clearing a BGP neighbor. The trigger is uncertain and hard to reproduce.
Workaround: There is no workaround.
•
Symptoms: A policy-map is applied to an interface on ESM20G card and has a random-detect aggregate action configured in a class. If another class is added to the policy-map which has match statement as "match cos <cos-value>", this class gets added. Now if random-detect aggregate is removed from the previous class, an error message is dumped on screen :
'match cos' combined with other match statements at the same class level is not supported for this interface.
If random-detect action is added to this class, router crashes.
Conditions: Occurs with the following configuration:
policy-map PMAP_UPLINKS
class CMAP-RT-COS (match cos <vaue>)
class CMAP-BC-EXP
no random-detect aggregate
random-detect -----> (CRASH)
Workaround: Do not add a class-map with "match cos" filter to a policy-map which conflicts with other class-map filters.
•
Symptoms: Delay in bootup time of the line cards occurs during reload with diags enabled. Issue not seen when diags are disabled.
Conditions: There is no specific configuration or traffic combination that will trigger this issue. Issue seen with or without any Ethernet Virtual Circuit (EVC) configs or traffic conditions.
Workaround: Disable bootup diags or power down the 6748-GE-TX card
•
Symptoms: ATOM VC status is seen as down in standby RP and traffic loss is seen after switchover for 44 seconds.
Conditions:
1. Bring 6RU up (SSO) with 1 AToM VC, 1 AToM VP (Initial VC state: active:UP; standby:HOTSTANDBY)
2. Delete the AToM VC sub-int ('no int a2/2/0.122') and delete the AToM VP sub-int ('no int a2/2/0.1001')
3. Re-configure back the same AToM VC and VP configuration (VC state: Active:UP; Standby:DOWN for AToM VC)
4. If I do a force switchover ('redundancy force-switchover'). It will experience ~44 seconds of traffic lost for this VC.
Workaround: There are two work around for this issue:
1. Do not reconfigure the ATOM VC immediately after deleting a subinterface.
2. Do not copy and paste the ATOM VC configuration. Either do it manually step by step or copy the configuration from a file.
•
Symptoms: PKI daemon is stuck in DNS resolution attempt for the hostname used in the CDP.
Conditions: The when symptom is observed using name resolution for automatic actions taken by the router during non-interactive sessions (CRL download using name in CDP URI). Only applicable if 'ip domain-lookup' is enabled within the config
Workaround: There is no workaround.
•
Symptoms: When trying to configure a peer template using the command template peer-session S1_1 under router bgp 1 , it enters into UNKNOWN-MODE. Once there, we cannot get out of that mode and the router has to be rebooted.
Conditions: The bug is seen only in Cisco ION images. Cisco IOS images are fine. Following is an example:
ip39-1(config)#router bgp 1
ip39-1(config-router)#template peer-session S1_1
ip39-1(UNKNOWN-MODE)#?
% Unrecognized command
ip39-1(UNKNOWN-MODE)#end ^ % Invalid input detected at '^' marker.
Workaround: There is no workaround.
•
Symptoms: Device crashes upon entering command sh policy-map interface.
Conditions: Unknown at this time.
Workaround: There is no workaround.
•
Symptoms: Crash is seen when 1000 IP sessions identified by same MAC address are setup and torn down using Cisco Intelligent Services Gateway (ISG).
Conditions:
1. Setup 1000 IP sessions on ISG on one port. 2. Setup another 1000 sessions on second port with same MAC address range as in first port. 3. Ensure 1000 sessions are up. The other 1000 sessions setup request would be rejected as they are using the same MAC address as in step 1. 4. Clear the 1000 sessions using clear sss session all. 5. Repeat steps 2, 3, and 4 until crash is seen.
Note: This scenario is not supported and has been documented. Please refer to the Restrictions section on the following URL: http://www.cisco.com/en/US/docs/ios/isg/configuration/guide/isg_sub_aware_enet.html#wp1074579
Workaround: This is a negative test case and will never happen in practical setups as the MAC addresses will not overlap. Also the network topology should ensure that the same subscriber MAC address does not appear on more than one physical interface.
•
Symptoms: Virtual Private LAN Services (VPLS) unicast traffic not flowing over the VC when core-facing port is ESM20 line card.
Conditions: Core-facing port must be on the 9th slot or higher in a Cisco 7609 or Cisco 7613 chassis. Also the VC neighbor scale should be very high on that VPLS VLAN.
Workaround: Use slots lower than 9.
•
Symptoms: Three separate Cisco IOS Hypertext Transfer Protocol (HTTP) cross-site scripting (XSS) vulnerabilities and a cross-site request forgery (CSRF) vulnerability have been reported to Cisco by three independent researchers.
The Cisco Security Response is posted at the following link: http://www.cisco.com/warp/public/707/cisco-sr-20090114-http.shtml
Conditions: See "Additional Information" section in the posted response for further details.
Workarounds: See "Workaround" section in the posted response for further details.
•
Symptoms: Switch does not send TC trap if it is not a root bridge
Conditions: If switch is a root bridge, it generates TC trap when link goes both up and down. But if switch is not a root bridge, it generates TC trap only when link goes up.
Workaround: There is no workaround.
•
Symptoms: When relaying to multiple servers from an unnumbered interface, the DHCP relay sends packets to all servers, even for packets where the client is in a RENEWING state unicasting to attempt to reach a single server. ARP entries are retained for all offered addresses, even if the client is ultimately using a different address. These extra ARP entries persist for several hours.
Conditions: The symptom is observed under the following conditions:
1. When relaying a DHCP packet on an unnumbered interface and the DHCP client is in a renewing state (as determined by the fact that the packets are sent to the DHCP server which allocated the address so that we do not end up giving the client a new address, which would then interrupt the user sessions).
2. When the client is in any other state, or if we do not get a response from the DHCP server, the packets are sent to all helper-addresses.
Workaround: Use Cisco IOS 12.4T images.
Further Problem Description: Only retain an ARP entry for the address that the DHCP client ACKs. Do not retain addresses offered by DHCP servers which the client did not use in the ARP table.
•
Symptoms: The no l2tp tunnel authentication command does not work at LNS.
Conditions: This symptom happens when the VPDN group that is used has a virtual-template x.
Workaround: Configure the no l2tp tunnel authentication command under virtual template.
•
Symptoms: Following error message are seen when the frame-relay fragment <fragment size> command is configured under map-class attached to PVC:
% Fragment size 110 not supported. Supported fragment size are 128, 256 and 512. Rounding current fragment config to 128.
Conditions: This seen in distributed platforms (Cisco 7600) when fragment size configured is not 128, 256, or 512.
Workaround: Configure the fragment size as 128, 256 or 512
•
Symptoms: Memory leak is seen on configuring and unconfiguring "cem-group".
Conditions: Occurs when configuring and unconfiguring 4 "cem-groups" per controller.
Workaround: There is no workaround.
•
Symptoms: Crash occurs when BGP configuration is removed.
Conditions: BGP is checkpointing routes to the redundant RRP when the configuration change occurs. More likely to occur in a scaled setup.
Workaround: Do not enter the no router bgp command.
•
Symptoms: VPN routing/forwarding (VRF) transfer fails.
Conditions: Occurs when ISG is configured on the device.
Workaround: There is no workaround.
•
Cisco IOS devices that are configured for Internet Key Exchange (IKE) protocol and certificate based authentication are vulnerable to a resource exhaustion attack. Successful exploitation of this vulnerability may result in the allocation of all available Phase 1 security associations (SA) and prevent the establishment of new IPsec sessions.
Cisco has released free software updates that address this vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-ipsec.shtml
•
Symptoms: Any attempt to copy a file from a router to an FTP server will fail. The FTP error is "No such file or directory".
Conditions: This is only a problem with FTP and only when transferring to an FTP server. Transfers from an FTP server work as expected.
Workaround: Use a different file transfer protocol, such as TFTP.
•
Cisco IOS Software configured with Authentication Proxy for HTTP(S), Web Authentication or the consent feature, contains a vulnerability that may allow an unauthenticated session to bypass the authentication proxy server or bypass the consent webpage.
There are no workarounds that mitigate this vulnerability.
This advisory is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sa-20090923-auth-proxy.shtml
•
Symptoms: When using Point-to-Point Tunnelling Protocol (PPTP) with RADIUS Accounting, there may be several "nas-error" and "lost-carrier" listed in accounting as the Acct-Terminate-Cause.
Conditions: The symptom is observed when using Cisco IOS Release 12.4T (Releases 12.4(15)T-12.4(22)T confirmed) and using PPTP with RADIUS Accounting in place.
Workaround: There is no workaround.
•
Symptoms: After SPA reload, the CHOC12-DS0 SPA may be transmitting B1/B2/B3 errors out. Remote side will detect SF BER, B1 TCA, B2 TCA, or B3 TCA alarms, or DS3 or DS1 alarms. The CHOC12-DS0 SPA will have SONET line REI, Path REI or DS3/DS1 RAI alarm.
Conditions: When the SPA boots up during temperature transition, the SPA transmit side could trigger B1/B2/B3 error detected by remote end. In a stable temperature environment, this problem is hard to reproduce. After SPA is booted up, the problem can not be reproduced even if temperature transits.
Workaround: A software workaround was released in Cisco IOS Release 12.2(33)SRD1 to reduce the issue. But in some SPAs, the problem may still happen. When the problem happens, reload the SPA.
•
Symptoms: Bulk sync fails.
Conditions: Occurs when the relay destination command is configured on the device.
Workaround: There is no workaround.
•
Symptoms: VPN routing/forwarding (VRF) traffic may experience packet loss after a supervisor switchover.
Conditions: Occurs on a Cisco 7600 running Cisco IOS Release 12.2(33)SRB2 or Cisco IOS Release 12.2(33)SRC2.
Workaround: Apply an access-list with "permit ip any any" in one of the VRF interfaces, or force another switchover.
•
Symptoms: In rare conditions, when removing address-familly in router RIP configuration just after importing large amount of routes in it, the router may crash on bus error.
Conditions: It was observed in the following context:
1) Supervisor 720 running Cisco IOS Release 12.2(18)SXF7. 2) 66K of routes were imported at that moment from BGP into RIP. 3) The address-family is removed.
Workaround: Wait a few minutes between the moment you create and import the routes in the address-family and the moment you remove it. Typically 3-5 minutes (depending on the number of routes, more delay may be needed).
•
Symptoms: Router crashes when BGP-IPv6 directly connected IBGP neighbors receives route with Link-local Nexthop.
Conditions: BGP sends IPv6 link-local address in following cases:
1) Directly connected eBGP neighbors
2) BGP Ipv6 neighbors connected using Link-local address
In case of this defect, testing device is advertising link-local nexthop for directly connected neighbor using global IPv6 address. Cisco router will never advertise link-Local nexthop.
Workaround: There is no workaround.
•
Symptoms: On a PPP aggregator using dhcp-proxy-client functionality, in a situation where a PPP client session is torn down and then renegotiated within 5 seconds, the DHCP proxy client may send a DHCP RELEASE for the previous DHCP handle after the new DHCP handle (created as a result of new IPCP CONFREQ Address 0.0.0.0) has accepted the same IP address allocation from the offnet DHCP Server. This results in the offnet DHCP server having no record of the lease as it exists on the PPP aggregator which causes future addressing conflicts.
Conditions: The symptom is observed on a Cisco 7200 (NPE-400) and 7200 (NPE-G2) that is running Cisco IOS Release 12.4 T, or 12.2 SB.
Workaround:
1. Automated: Write a script to compare active leases on the PPP aggregator to active leases on DHCP server. If a lease is found to only exist on the PPP aggregator, use clear interface virtual-access to recover.
2. Manual: use the command clear interface virtual-access.
Further Problem Description: This issue occurs because the DHCP client holdtime is static at 5 seconds and there are no IOS hooks to tie PPP LCP session removal and IPAM to suppress stale DHCPRELEASES waiting in queue for HOLDTIME to expire.
•
Symptoms: Copy to "slavedisk:" is failing with the following error:
Error writing slavedisk0:/rsp72043-adventerprisek9_dbg-mz.122-33.0.5.SRD (TF I/O failed in data-in phase)
Conditions: The issue is seen in RPR mode with Cisco IOS Release 12.2SR rsp720 image.
Workaround: Copy the file in SSO mode.
•
Symptoms: In extremely rare conditions, traffic loss might be observed through ws-x6704 modules equipped with DFC (DFC3b & 3bxl, DFC3a)
Conditions: To confirm that traffic loss might be related to this issue use the following command:
remote command module mod# show platform soft earl reset history
where <mod#> is slot number of the module experiencing traffic drops (ingress module)
cat6500#remote command mod 11 sh platform soft earl reset history
Num. of times patch applied : 156
Num. of times patch requested : 156
Time Reason InProgress Data
--------------+------------------------+------------+----------
5d20h Non-Earl Fatal error 0000 1701FFFFFFFFFFFF
5d20h Non-Earl Fatal error 0000 1701FFFFFFFFFFFF
5d20h Non-Earl Fatal error 0000 1700FFFFFFFFFFFF
5d20h Non-Earl Fatal error 0000 1700FFFFFFFFFFFF
For traffic loss to be related to this issue in above output one should see lines similar to above (most important is the last part i.e. 1701FFFFFFFFFFFF and 1700FFFFFFFFFFFF). There should be multiple lines like this and new lines might appear from time to time. Traffic loss would coincide with the appearance of new lines.
Workaround: There is no workaround other than upgrading to a release that has been fixed.
•
Symptoms: In a router running BGP, the BGP process may hold increased amounts of memory over time without freeing any memory. This may also be seen from the output of show proc mem sort and in the output of show ip bgp sum or show ip bgp vpnv4 all sum and looking at the number of BGP attributes which may be increasing over time in relation to the BGP prefixes and paths which may remain roughly the same.
Conditions: Some BGP neighbors are not in established state and exchanging prefixes. The issue is observed on all platforms running the following releases of Cisco IOS:
-12.2(31)SB14
-12.2(33)SB1b
-12.2(33)SB2
-12.2(33.05.14)SRB
-12.2(33.02.09)SRC
-12.2(33)SRC3
-12.4(20)T2
-12.4(22)T1
-12.2(33)SXI or later releases.
Workaround: Remove the configuration lines related to the inactive neighbors (neighbors in Idle or Active states).
•
Symptoms: On RSP720-10GE, VPNSPA always remains in INIT state.
Conditions: Unknown at this time.
Workaround: There is no workaround.
•
Symptoms: On a router in which MPLS Traffic Engineering (TE) is configured, toggling the router-id in the router configuration can cause the router to reload. For example, configuring "router ospf 100 mpls traffic-eng router-id loopback 0" quickly followed by "mpls traffic-eng router-id loopback 1" may trigger this symptom.
Conditions: It is necessary that "mpls traffic-eng tunnel automesh" is running in the OSPF area of the router, although automesh need not be configured on the affected router.
Workaround: There is no workaround.
•
Symptoms: With 2X1GE-V2 SPA on SIP400, when the interface connector changes from SFP to RJ45, the port failed to be up and it could no longer ping its partner.
Conditions: When the media-type of the 2X1GE-V2 interface is chanaged to RJ45 using the media-type rj45 command, the interface goes to down state. This issue is found in Cisco IOS Release 12.2(33)SRB, SRC, and SRD.
Workaround: Reload the router to bring up RJ45 ports.
•
Symptoms: Lawful intercept users are appearing in output from show run.
Conditions: Occurs in Cisco IOS Release 12.2(33)SRC.
Workaround: There is no workaround.
•
Symptoms: VLAN state unable to recover after shutdown by "mac-limit."
Conditions: Applicable for extended VLAN after MAC limit exceeded and action configured to shutdown.
Workaround: There is no workaround.
•
Symptoms: Traceback occur on SPA inside SIP-400.
Conditions: Occurs during online insertion and removal (OIR) of SPA.
Workaround: There is no workaround.
•
Symptoms: Connected route on port-channel sub-interface is not removed when port-channel is down.
Conditions: Happens when using /22 subnet. Does not happen when using /24 subnet.
Workaround: There is no workaround.
•
Symptoms: Sticky-ARP entries are refreshed forever even after the client is removed from the network.
Conditions: This issue is seen after an upgrade from Cisco IOS Release 12.2(33)SRB5 to Release 12.2(33)SRD1.
Workaround: There is no workaround.
•
Symptoms: Native GigE interfaces of a Cisco 7200 NPE-G2 router will not acknowledge reception of pause frames and will not stop its transmission in case of media-type RJ45.
Conditions: The symptom is observed with media-type RJ45 and with SFP with "no neg auto" configured.
Workaround: There is no workaround.
Further Problem Description: There are no issues with SFP with a "neg auto" configuration.
•
Symptoms: Option 82 is not appended in DHCP NAK packet by DHCP server.
Conditions: Not any specific condition.
Workaround: There is no workaround.
•
Symptoms: ISG subnet session feature if used in an environment where subscribers are connected to ISG interface on Layer 2 cloud, that is, ISG is the default gateway for the subscribers yet ISG subscribers interface is in routed mode, then adjacency to these connected subscribers is removed as soon as a subnet session is created and next hop is installed for these subscribers as the logical network id computed using the framed subnet mask received from AAA server as access accept radius attribute.
Conditions: This condition will occur for subnet session feature in scenario where ISG interface is defined under routed mode; however subscribers are connected over layer-2 cloud to this ISG interface, that is, ISG is the default gateway for these subscribers.
Workaround: There is no workaround if the subnet session feature has to be deliberately used in scenario as defined under conditions above. However this problem will not occur if the subscribers are one hop or more away from ISG.
Further Problem Description: ISG subnet session feature is used to group a number of sessions together using IP framed netmask attribute. The ISG subnet session feature can be used if ISG interface is defined under routed mode.
For example IP addresses belonging to a client say 192.168.0.68/24, 192.168.0.69/24, 192.168.0.70/24 and 192.168.0.70/24 can be grouped together under one ISG session if at the time of session creation a IP framed netmask 255.255.255.252 is returned in the access accept message from AAA server. The subscribers are one or more hop away from ISG interface (10.10.10.1/24)
The IP Framed Netmask attribute is used to compute the range of IP addresses to be grouped together under one ISG session. In example above, if a session is initiated firstly by IP address 192.168.0.69/24; then using IP Framed Netmask the computed range of IP addresses to be grouped together will be 192.168.0.68 to 192.168.0.71.
Now in a scenario where ISG interface is defined under routed mode though the subscribers are connected directly over Layer 2 cloud to ISG interface and Subnet Session is required to be used as a feature; then the stated problem under section Symptom above will occur.
Using example above and applying to this problematic scenario - the IP addresses of client 192.168.0.68/24, 192.168.0.69/24, 192.168.0.70/24 and 192.168.0.70/24 have to be grouped together under one ISG session using Subnet Session feature by returning a IP Framed Netmask 255.255.255.252 under Access Accept from AAA server, however the ISG interface (192.168.0.1/24) in this scenario is the default gateway to these Client IP end points.
Now as soon as the session is created and authenticated and Subnet Session feature is installed the next hop for these IP range 192.168.0.68 to 192.168.0.71 computed using IP Framed Netmask value 255.255.255.252 would be 192.168.0.68/30 resulting in traffic destined to all the range of IP addresses grouped under Subnet Session forwarded to 192.168.0.68/30 instead of using ARP to reach the IP end points directly.
•
Symptoms: In a rare event, router may crash in EIGRP code after a peer bounce and route removal.
Conditions: Crash seen during EIGRP route updates.
Workaround: There is no workaround.
•
Symptoms: Switch reports following messages:
CDL2 Read Error: Time out
CDL2 Write Error: Time out
Conditions: Occurs on a Catalyst 6500 switch running Cisco IOS Release 12.2(18)SXF.
Workaround: Re-seat the X2 modules. It is highly recommended to do a complete diagnostic test on all modules.
•
Symptoms: Router crashes with memory corruption.
Conditions: Occurs when BFD is configured on 10GigE interfaces and constant link flaps.
Workaround: There is no workaround.
•
Symptoms: When using an ES-40 10GE linecard, if the MAC layer of the WAN connection goes down, but the optical PCS layer remains up, the ES-40 port will never realize the link is down and will instead always keep the interface Up/Up. 10G ports in the ES+ family of line cards do not take advantage of link fault signalling by peer.
Protocols relying on fast reconvergence, will not be able to take advantage of the 10G link fault signalling.
Conditions: This problem can occur on any 10GE interface on an ES-40 line card when the remote transceiver or repeater keeps the PCS layer up but takes the MAC layer down.
The Link layer detection algorithm for 10G ports in the ES+ does not consider a Remote Fault signalled by the peer end. Thus link will continue to show as Link-Up, even though the remote end MAC has experienced a RX FAULT and did not happen to switch off the laser
Workaround: There is no workaround except to rely on higher layer protocols that send hellos or keepalives to determine when the link goes down and reroute around the failure with those protocols. Line protocol will never go down when the PCS layer is up on an ES-40 line card.
•
Symptoms: A core dump may fail to write, with the following errors seen on the console:
current memory block, bp = 0x4B5400A0,
memorypool type is Exception
data check, ptr = 0x4B5400D0
bp->next(0x00000000) not in any mempool
bp_prev(0x00000000) not in any mempool
writing compressed ftp://10.0.0.1/testuncached_iomem_region.Z
[Failed]
writing compressed ftp://10.0.0.1/testiomem.Z
[Failed]
writing compressed ftp://10.0.0.1/test.Z
[Failed]
%No memory available
Conditions: This is only seen for memory corruption crashes when "exception region-size" is configured to a value that is not divisible by 4.
Workaround: The recommended setting for exception region-size is 262144 in newer images. In older images, where the maximum configurable value is 65536, use the maximum.
•
Symptoms: Downstream traffic stopped after delete/recover of sub-interface configuration while sessions are up.
Conditions: Occurred with the following configuration:
* L2access IP aggregation session
* ISG as DHCP relay
* No VPN routing/forwarding (VRF)
* TAL authentication
Workaround: There is no workaround.
•
Symptoms: Standby router reboots continuously and comes to the prompt only after second or third attempt.
Conditions: When the standby is booting up, during the startup bulk sync, Cat6k QoS Manager client will time out after 30 seconds (depends on load on the box). Due to stress QoS config, during bulk sync, the standby is taking more time, and this triggers active to reset the standby.
Workaround: There is no workaround.
•
Symptoms: STP network will not converge if the vlan dot1q tag native global command is enabled. BPDUs will not get transmitted over Virtual Private LAN Services (VPLS) pseudowire (PW).
Conditions: Occurs in a network with nPE redundancy, where the redundant PEs are connected through VPLS PW.
Workaround: Disable the vlan dot1q tag native command.
•
Symptoms: A router may reload unexpectedly.
Conditions: The symptom is observed when the router has Bidirectional Forwarding Detection (BFD) configured and is actively sending keepalives. The crash has multiple possible triggers:
- It can be triggered by certain show commands (show bootvar and show c7200 are known to cause the problem). The issue will not be seen on every invocation of the commands. It is a rare timing condition, so the probability of the crash increases as the commands are run more frequently. - It can also be triggered by large scale BFD deployments (hundreds of sessions on a single router).
Workaround: Unconfigure BFD.
•
Symptoms: The session ID changes between "interim" and "stop" accounting records.
Conditions: The symptom has been observed on Cisco IOS Release 12.2(31)SB12 with "radius-server attribute 44 extend-with-addr" in the configuration.
Workaround: Do not configure "radius-server attribute 44 extend-with-addr".
•
Symptoms: SPA-4XOC3-ATM can stop forwarding ingress traffic after cell packing timer is changed.
Conditions: Occurs when MPLS is configured over a tunnel interface and the cell packing timer is changed.
Workaround: There is no preventive workaround to this issue. Once the card is in the problem state, the FPGA is hung and to recover from this state, the SPA has to be reloaded.
•
Symptoms: DS3 interface on choc3/STM1 stops passing traffic.
Conditions: Occurs when a DS3 is oversubscribed.
Workaround: There is no workaround.
•
Symptoms: A Cisco IOS device may produce CPUHOG error messages and a watchdog timeout unexpected restart when running a Tool Command Language (Tcl) Embedded Event Manager (EEM) policy.
Conditions: This occurs when the EEM policy uses the Tcl puts command to print a very large amount of text.
Workaround: Do not use this command to print out a large amount of text.
•
Symptoms: The entPhysicalVendorType for Transceivers lists the vendortype of Port.
Conditions: Occurs during normal operation.
Workaround: There is no workaround.
•
Symptoms: A Cisco router running Cisco IOS Release 12.2(33)SRC1 may crash when removing the TE tunnel mode on a SIP600 or ES20 card.
Conditions: A tunnel bot uses the following script to remove tunnels:
interface Tunnel37025
no mpls ip
no tunnel mode mpls traffic-eng
exit
no interface Tunnel37025
In the transient time between removal of tunnel mode and removing the tunnel interface, packets are still moving through EARL.
Workaround: Shutdown the tunnel first, then complete the script:
interface Tunnel37025
shutdown
no mpls ip
no tunnel mode mpls traffic-eng
exit
no interface Tunnel37025
•
Symptoms: NAS-port-ID format reported by AAA accounting VS reply to a CoA account-query are different. Affects back-end server for billing functions.
Format send by AAA accounting records:
Apr 16 09:59:16.358: RADIUS: NAS-Port-Id [87] 25 "GigabitEthernet0/1.118:"
Format sent in reply to CoA Query:
Apr 16 10:03:49.149: RADIUS: NAS-Port-Id [87] 33 "nas-port:10.10.10.101:4/0/0/118"
Conditions: This behavior was observed in Cisco IOS Release 12.2(33)SB3.
Workaround: There is no workaround.
•
Symptoms: HQF is not getting cleaned after a policy with priority child class is removed from the "serial-vaccess" MLP interface. Also when removing the policy, an error message is seen:
qos-reg15-r5#config term
Enter configuration commands, one per line. End with CNTL/Z.
qos-reg15-r5(config)# no policy-map customer
please remove queuing feature from child policy first
qos-reg15-r5(config)#end
Conditions: The priority feature cleanup fails and prevents further service policy removal.
Workaround: There is no workaround.
•
Symptoms: A router may crash with BusError when sending an AccountingStop record.
Conditions: Just before the crash, the following error messages are seen:
%IDMNGR-7-ALLOCFAIL: Warning: Failed to allocate memory for keylist in event_init %IDMNGR-7-ALLOCFAIL: Warning: Failed to allocate memory for client request data in request_init
The system is configured for ISG-services.
Workaround: There is no workaround.
Further Problem Description: This was seen in a customer specific special based on Cisco IOS Release 12.2(31)SB13.
•
Symptoms: IPV6 traffic dropped over Virtual Private LAN Services (VPLS) cloud.
Conditions: VPLS core is configured. IPV6 end devices are PCs.
Workaround: When routers are used as end devices instead of PCs, then the issue is not seen
•
Symptoms: Acct-Session-Id attribute received in CoA message is decoded incorrectly.
Conditions: When session ID is less than 8 hex characters, the decoded value is incorrect.
Workaround: There is no workaround.
•
Symptoms: Following error message is seen:
%SIP200_MP-4-PAUSE: Non-master CPU is suspended for too long
Conditions: This is seen when fragmentation is configured under PVC and either that configuration is changed or PVC state changes.
Workaround: There is no workaround.
•
Symptoms: Router crashes.
Conditions: Occurs while unconfiguring class-default.
Workaround: There is no workaround.
•
Symptoms: Switch virtual interface (SVI)-to-SVI Layer 3 ping is failing.
Conditions: Occurs when SVI (VLAN) is configured with IP address on both ends.
Workaround: There is no workaround.
•
Symptoms: Port is shut down, and following error message is displayed:
%SYS-DFC3-2-LINKED: Bad enqueue of 191C92B4 in queue FD9EAD0 -Process= "SCP Hybrid process"
Conditions: Problem is seen with Cisco 7600 running Cisco IOS Release 12.2SRD image with Port-channel configured and the member-link used is a ES+ Linecard interface.
Workaround: There is no workaround.
•
Symptoms: With a subinterface or software Ethernet Over MPLS (EoMPLS) configured for a single tag, QinQ traffic with outer VLAN tag matching the configuration, but with full-range of inner tag is dropped.
Conditions: All QinQ traffic with the outer tag matching the configured tag on subinterface is dropped.
Workaround: Use scalable EoMPLS, which provides a versatile range of VLAN matching and has the required properties as expressed in this defect.
•
Symptoms: Traffic is lost for local forwarding between two EVCs in a VRF.
Conditions: Occurs when VRF includes attachment circuits which are defined as EVCs. Each EVC is configured on separate bridge-domain and separate IP subnet. Forwarding between remote PEs works properly but local traffic between the EVCs breaks.
Workaround: Keep the EVC on different NPs on the ES40 or replace EVC and bridge domain configuration by sub-interfaces.
•
Symptoms: 6148A-GE-TX module resets due to keep-alive failures.
Conditions: Excessive errors and micro link flaps on a port.
Workaround: There is no workaround.
Further Problem Description: This is a rare problem triggered by misbehavior of a 10Base-T hub when a FastEthernet host is connected to it.
•
Symptoms: If TAL subscribers attempt to logon when the Cisco ASR 1000 series router RADIUS service download requests a time-out, some sessions will get stuck in "Attempting" state during user/service authorizations. Once 200 sessions are stuck in this state, no subscriber will be able to login until all the sessions (those that are active and those that are stuck in "Attempting" state) are manually cleared using the clear subscriber session all command.
Conditions: The symptom is observed when TAL subscribers attempt to logon while the Cisco ASR 1000 series router RADIUS service download requests a time-out.
Workaround: Use the clear subscriber session all command to manually clear all sessions. This may be, however, service disruptive and impractical in a production network.
•
Symptoms: Multicast Open Shortest Path First (OSPF) Bidirectional Forwarding Detection (BFD) packets are corrupted when going out of ESM20 interface on an Ethernet Over MPLS (EoMPLS) setup.
Conditions: When sending a multicast OSPF database descriptor (DBD) packets or multicast ping packets to the 224.0.0.5 address and the packet size grows above a certain size (108B) in the payload, a specific byte of multicast packet traversing the EoMPLS link is corrupted.
Workaround: There is no workaround.
•
Symptoms: Dead Peer Detection (DPD) packets are not sent following loss of ISAKMP SA and IPSec in UP-NO-IKE state.
Conditions: Occurs when DPD is configured and ISAKMP SA is deleted independently of IPSec SAs
Workaround: Manually clear the crypto session to create a new ISAKMP SA.
•
Symptoms: Policy-map counters are not updated after online insertion and removal (OIR), and shaping is not happening.
Conditions: Occurs after OIR under bi-directional traffic.
Workaround: Remove the service-policy in both affected device and peer and then re-attach to update counters.
•
Symptoms: ES-20 line card repeatedly resets.
Conditions: Occurs when fabric sync failure occurs on ES-20.
Workaround: Enter the following command: test scp linecard keepalive disable.
•
Symptoms: An Error message that includes "IXP-MAP-QOS" is displayed on the supervisor. Occurs when an Ethernet flow point (EFP) interface is recreated or deleted and when online insertion and removal (OIR) is performed on a SPA with an EFP interface on SIP-400.
Conditions: Occurs only when there is a EFP policy on a Gig V2 SPA on SIP-400.
Workaround: There is no workaround. The issue does not impact functionality.
•
Symptoms: Bus error crash at an invalid address.
Conditions: The symptom is observed when running Cisco IOS Release 12.2(31)SB with SSS configured.
Workaround: There is no workaround.
•
Symptoms: If number of hours for statistics is increased to 10 or more after the probe is initially run and then restarted, system crashes with memory corruption
Conditions: Occurs when the probe is started with the hours of statistics less than 10 and then re-started with the hours of statistics greater than 9.
Workaround: There is no workaround.
•
Symptoms: When running Network Load-balancing (IGMP-mode) in VLANs with PIM enabled and static ARP entries for unicast IP to layer-2 multicast address, packet duplication will occur.
Conditions: This symptom occurs when sending unicast (non-multicast) IP packets with multicast layer-2 destinations.
Workaround: Use non-IGMP NLB modes (unicast or multicast with static macs) or use IGMP snooping querier instead of PIM on NLB SVIs.
•
Symptoms: Router crashes.
Conditions: Occurs when configured with BGP damping and default IPv4 unicast address-family is deleted.
Workaround: Do not delete the default IPv4 unicast address-family.
•
Symptoms: Different IPs are seen on the same session between Active and Standby PRE cards and the number of in-use IP addresses on Standby is more than that on the Active.
Conditions: The symptom is observed with the frequent connect/disconnect of sessions and when IP addresses are allocated from the local pool.
Workaround: Reload the Standby card frequently.
•
Symptoms: Configuring no negotiation auto on Gigabit interface of 2xGEv2 SPA reduces duplex on interface to half. This causes traffic drop if traffic is bi-directional.
Conditions: Occurs when "media-type" configured on Giginterface as "SFP".
Workaround: There is no workaround.
•
Symptoms: When the SAMI module is booted up, CEF is disabled by default in the PPCs. If a PPC is configured for ISG, no static IP sessions (L2-connected or L3-routed) can come up. Even after enabling CEF, static IP sessions still do not come up. If the PPC(s) or SAMI gets reloaded after enabling CEF and writing the configurations into memory, sessions will come up.
Conditions: When installing/configuring a new SAMI card for ISG, static IP sessions will not come up if CEF was disabled on bootup.
Workaround: Since the issue happens only when CEF was disabled on bootup, enabling CEF, doing a write memory, and then reloading the PPC will avoid this issue.
•
Symptoms: Routes do not appear in Routing Information Base (RIB) of a VRF.
Conditions: Occurs with the following configuration:
- Customer has IPv6 static route in VRF X.
- Customer has configured BGP to import routes from VRF X into VRF Y.
- BGP is apparently importing the VRF X route into VRF Y as requested
- the routes are not showing up in VRF Y RIB
Workaround: There is no workaround.
•
Symptoms: CPUHOG occurs in SNMP ENGINE, immediately followed by a crash.
%SYS-3-CPUHOG: Task is running for (4000)msecs, more than (2000)msecs (91/87),process = SNMP ENGINE.
Conditions: Querying cc6kxbarModuleChannelTable and cc6kxbarStatisticsTable in CISCO-CAT6K-CROSSBAR-MIB with invalid channel index may trigger this problem. The valid channel index range for the cc6kxbarModuleChannelTable and cc6kxbarStatisticsTable are (0..1)
Regular snmp mibwalk on those 2 tables will not cause this problem.
Workaround: Avoid MIB querying on cc6kxbarModuleChannelTable and cc6kxbarStatisticsTable with any specific invalid channel index. Instead just do regular SNMP MIBwalk on cc6kxbarModuleChannelTable and cc6kxbarStatisticsTable should be safe and work fine.
•
Symptoms: When configuring ATM or ima-group under controller T1/E1, the SNMP MIB does not populate the corresponding ATM interface. Because of this defect, ANA application is unable to model it correctly.
Conditions: Problem exists on Cisco 7600 running Cisco IOS Release 12.2(33)SRC.
Workaround: There is no workaround.
•
Symptoms: Router crashes while querying for cvpdnTemplateActiveSessions.
Conditions: Occurs if the vpdn-template name is long.
Workaround: There is no workaround.
•
Symptoms: On configuring HDLCoMPLS on SPA-8XCHT1/E1 SPA with 7600-SIP-400. traffic stops flowing from that interface.
Conditions: Occurs when Xconnect is configured.
Workaround: There is no workaround.
•
Symptoms: Connectivity Fault Management (CFM) packets are not transparently passed through scalable EoMPLS setup with SIP400 on the access side.
Conditions: This happens when CFM is disabled after enabling it
Workaround: Perform an online insertion and removal (OIR) on the line card.
•
Symptoms: ASR crashes and reboots when RSIM sends VSA 1 command with wrong format.
Conditions: VSA 1 format string has a colon which should not be there.
vsa cisco generic 1 string "qos-policy-out:=remove-class(sub, (class-default, voip))"
Workaround: There is no workaround.
•
Symptoms: Dead Peer Detection (DPD) does not trigger a new IKE session if the previous IKE session fails.
Conditions: Occurs when using on-demand DPD.
Workaround: Manually clear the IKE session to trigger a new IKE.
•
Symptoms: When there are more than 8000 DHCP sessions on a Cisco 7600 ISG, a few dangling sessions are sometimes observed.
Conditions: This symptom occurs when there are more than 8000 DHCP sessions on a Cisco 7600 ISG. ISG is configured as a DHCP relay.
Workaround: Clear the sessions using the clear ip subscriber dangling command.
•
Symptoms: Policy-maps configured with random detect can cause unnecessary packet drops.
Conditions: When an output policy-map is applied on SIP400 on Cisco IOS Release 12.2(33)SRD, and if class-maps are configured with "random detect", drops may occur even if the traffic is lower than the configured bandwidth percentage. If "random detect" is removed, drops is no longer seen. Also, this issue is seen only with low-speed interfaces. In this particular customer case, Gigabit Ethernet interface was configured in FastEthernet mode (speed 100mbps)
Workaround: There is no workaround.
•
Symptoms: Sup720 crashes during ISIS adjacency flapping.
Conditions: When an ISIS adjacency is flapping, issuing the command show isis topology triggered the crash. However, this observed only once in customer network
Workaround: There is no workaround.
•
Symptoms: Router fails on a forced switchover to the standby supervisor card. The standby supervisor card tries to come online but encounters a crash and goes into ROMMon. To recover from this state the router requires a power cycle.
Conditions: Occurs on Cisco 7600s running Cisco IOS Release 12.2(33)SRD2 and SRD2a and using non-Cisco SFPs.
Workaround: Avoid non-Cisco SFPs or use a different release of Cisco IOS.
•
Symptoms: Subscriber upstream traffic stops flowing after an online insertion and removal (OIR) is performed on a line card, or when a pair of shut/no shut commands is entered when IP sessions are brought up on main interface. For ES+ line cards, the problem can be seen even for Port-Channel main interface and all non-access sub-interfaces.
Conditions: This defect is seen only when the main interface fails to get the same hidden VLAN allocated to it prior to line card OIR (or while entering shut/no shut commands).
Workaround: There is no workaround.
•
Symptoms: MPLS-TE configuration leads to router crash due to online insertion and removal (OIR).
Conditions: MPLS-TE sessions coming up/down during OIR may lead to router crash.
Workaround: There is no workaround.
•
Symptoms: When relaying to multiple servers, from an unnumbered interface, the Cisco IOS DHCP relay sends packets to all servers, even for packets where the client in a RENEWING state unicasting to attempt to reach a single server.
ARP entries are retained for all OFFERed addresses, even if the client ultimately is using a different address. These extra ARP entries persist for several hours.
Conditions:
1. When relaying a DHCP packet on an unnumbered interface, and the DHCP client is in a renewing state (as determined by the fact), send it to the DHCP server that allocated the address so that we do not end up giving the client a new address, which would then interrupt the user sessions.
2. When the client is in any other state, or if we do not get a response from the DHCP server, send to all helper-addresses.
Workaround: There is no workaround.
Further Problem Description: Only retain an ARP entry for the address that the DHCP client acknowledges. Do not retain addresses offered by DHCP servers that the client did not use in the ARP table.
•
Symptoms: Free memory is going down because SSS Manager is growing.
Conditions: This symptom is observed on a Cisco 7600 that is used for ISG and that is running Cisco IOS Release 12.2(33)SRC3 under high network activity.
Workaround: There is no workaround. Reload the router to free memory.
Further Problem Description: The speed of the memory leak depends on the network activity. The more stress on the router, the faster the leak.
•
Symptoms: Unit under test crashes under heavy traffic when online insertion and removal (OIR) is performed on a SIP400.
Condition: Occurs with huge Layer 2 and Layer 3 protocol configuration and SIP400.
Workaround: There is no workaround.
•
Symptoms: A Cisco 7301 router crashes with "protocol pptp" configured.
Conditions: The symptom is observed with a Cisco 7301 router when "protocol pptp" is configured.
Workaround: There is no workaround.
•
Symptoms: No Layer 4 Redirect (L4R) traffic is reaching the portal.
Conditions: Occurs if there is a sub-interface on the port facing the portal.
Workaround: There is no workaround.
•
Symptoms: Packet drop occurs when show version, show run, and write memory commands are issued.
Conditions: Packet drop will be observed as input errors accounted as overruns. The rate of packets being dropped will be proportional to the rate of traffic.
Workaround: There is no workaround.
•
Symptoms: Router crashes on applying/removing priority from service map.
Conditions:
1. Configure priority in class default. Apply it on EVC on ES20 line card.
2. Remove priority from class default.
3. Now, either removing or applying priority causes the router to crash.
Workaround: There is no workaround.
•
Symptoms: Attempting an auto proxy logon causes a crash.
Conditions: This crash is seen only with auto proxy service download.
Workaround: If services are activated by CoA service logon, this issue will not be seen.
Further Problem Description: Attempting authentication of the proxy service causes a crash with traceback in description when the user profile is similar to:
simulator radius subscriber 1 framed protocol ppp service framed authentication rouble-auto password cisco vsa cisco 250 Aproxy_service;proxy_user;welcome vsa cisco generic 1 string "accounting-list=default" !
•
Symptoms: Active supervisor may crash if standby supervisor resets for any reason.
Conditions: This can happen if a interface level event happens around the same time of standby supervisor reload. The timing window is extremely small for the bug to happen.
Workaround: There is no workaround.
•
Symptoms: After supervisor forces switchover several times, a router two hops away has wrong ISIS topology and ISIS routing table.
Conditions:
1. Incremental shortest path first (ISPF) enabled in ISIS.
2. set-overload-bit on-startup in ISIS.
3. Supervisor force switchover several times
Workaround: Disable ISPF in ISIS.
•
Symptoms: Policy-map not applied at SIP400 in dLFI over ATM case after performing shut/no shut of the interface.
Conditions: Occurs after performing shut/no shut on the interface.
Workaround: Perform an online insertion and removal (OIR) on the SIP400.
•
Symptoms: We will see the traffic loss when there is a cut-over in the Spatial Reuse Protocol (SRP) ring.
Conditions: There should be HWEoMPLS configured in the system. Ingress card should be DFC card (not a supervisor card), and core-facing card should be SRP card.
Workaround: Either we use the supervisor card as ingress card, or we need to write to EARL adjacency on the line card using the test mls cef adjacency command.
•
Symptoms: Polcy-based routing (PBR) stops working after stateful switchover (SSO). All traffic that should be policy-routed is dropped instead.
Conditions: This usually happen after several switchovers between supervisors. Usually problem occurs after about 10 switchovers, however, it could happen after first one.
Workaround: Remove and add policy on the interface.
•
Symptoms: BGP modifies next-hop of the route owned by other protocol in Routing Information Base (RIB).
Conditions: Occurs when other protocol route is best in RIB due to lower admin distance, and BGP trys to add the route to RIB.
Workaround: Enter the clear ip routex.x.x.x command.
•
Symptoms: The show mls qos module command is not relevant for ES+ line cards and produces invalid output.
Conditions: Occurs during normal operation.
Workaround: Do not use the show mls qos module for ES+ line cards.
•
Symptoms: Path attribute memory leak is found when there is some path attribute churn in the network.
Conditions: The symptom is seen only when there are idle peers on the router.
Workaround: Unconfigure the idle peers.
•
Symptoms: A Cisco IOS platform can crash when authorizing Radius profiles. The issue is due to an invalid terminal sync change that updated the incorrect enumeration structure, leading to one enumeration having 1 too many entries and another one too few.
When parsing the "protocol" or "service" field, the AAA code may walk beyond the boundaries of a string array associated with the above mentioned enumerations. This will cause platforms such as the Cisco ASR to crash.
Conditions: This crash has been observed on a Cisco ASR1004 (RP2) that is running the Cisco IOS-XE version Cisco IOS Release 12.2(33)XNC1t.
Workaround: This crash will occur if an invalid protocol or service field is provisioned in a Cisco VSA. However, even when valid protocols or services are used, it is possible that certain enumeration walking code may also trigger a crash. However, Cisco has not been able to validate that situation. As a consequence, when using branches such as Cisco IOS Release 12.2(33)SB or Release 12.2XNC, without this fix, it is critical that no invalid Cisco VSA be used.
•
Symptoms: Relay information option is not verified in the downstream DHCP packets.
Conditions: This happens only when option 82 insertion is configured at the interface configuration mode.
Workaround: Configure option 82 in global configuration mode.
•
Symptoms: Following error message is displayed:
SPA_EEPROM-3-RPC_FAILED: Failed to send RPC message to read EEPROM of SPA in subslot 7/0 - rpc timeout error after fpd upgrade.
Conditions: This error usually seen following reload of the SPA after FPD upgade of SPA.
Workaround: Perform an online insertion and removal (OIR) of SPA. If that does not work, then reload line card.
•
Symptoms: Following reload or reseat of Protect LC in ADM TRuepointR 6400, SPA-2OC3-POS/SIP400/SRD2 reports "Received Alarm: L-AIS" on the PROTECT port of a 1+1 APS group when an inline SONET analyzer attached to same wire reports no L-AIS is present on the wire.
Conditions: L-AIS is recovered by an STE via looking for K2 = 0x07 for 5 consecutive frames.
A Cisco POS interface with "pos ais-shut" will transmit L-AIS when interface is shutdown. Without "pos ais-shut" the interface continues to send valid SONET frames toward the STE/LTE.
Workaround: Remove/reinsert the cable on CPE to clear the alarm.
•
Symptoms: Port-channel on interface of ES+, a line card reload causes memory leak on "RPC pagp_switch_sp2mp" and "QM_VLOU_MAP". It loses about 748 bytes per policy-map attached on interface.
Conditions: Occurs on a Cisco 7600 series router with policy-map configured on port channel interface.
Workaround: There is no workaround.
•
Symptoms: The console gets stuck when the show arp command is executed and "esc" is pressed to stop viewing the whole output.
Conditions: The symptom is observed with 512 ARP sessions on the system and set term len equal to 20.
Workaround: There is no workaround.
•
Symptoms: In ES+ line cards with link daughter card versions less than .200, there is a possibility of the line card crash when an SFP module is removed and inserted.
Conditions: Occurs under normal operating conditions.
Workaround: There is no workaround.
•
Symptoms: Router crashes with max-entries of NAT translations limit imposed.
Conditions: With ip nat max-entries limit <> configured and greater than limit number of flows passed through the NAT router, crash is seen when the above limit configuration is removed and a large amount of translations are created.
Workaround: There is no workaround.
•
Symptoms: Cisco 7600 SPA-1XCHSTM1/OC3 SPA does not use the configuredn etwork-clock source as the reference for the T1/E1.
Conditions: The SPA-1XCHSTM1/OC3 SPA is configured to use the internal clock for timing of the T1/E1. The network-clock is configured on the Cisco 7600 to use the reference from an ATM OC3 interface.
Workaround: There is no workaround.
•
Symptoms: When configuring an OSPF sham-link between two PEs also used for multicast VPN, RPF check for the source of a multicast stream points to the physical interface used by the sham-link instead of the tunnel.
Conditions: Configure two PEs to run MVPN and create a sham-link between them. Remote routes that are learned through the sham link will not have an MDT tunnel.
Workaround: There is no workaround. Prefixes must be learned through i-BGP.
•
Symptoms: Policy map with multiple MAC ACL filters matches only the traffic with the first MAC ACE in the ACL.
Conditions: Occurs on a Cisco 7600 series router with ES+ linecard, and with policy map with MAC ACL configured on ES+ linecard interface.
Workaround: There is no workaround.
•
Symptoms: Resilient Ethernet Protocol (REP) will not converge if REP is configured over switchport and vlan dot1q tag native is enabled.
Conditions: In this case, the REP PDUs will be sent as tagged packets.
Workaround: There is no workaround.
•
Symptoms: Hierarchical service policy is not attached to multilink on SIP-200
Conditions: When the hierarchical service-policy is applied on the interface on sip1 or sip2, it is rejected.
Workaround: There is no workaround.
•
Symptoms: If a ES+ port is configured as switchport trunk and the Cisco 7600 is supposed to route the traffic between the vlans carried in the trunk, routing is not happening.
Conditions: Occurs when ES+ ports are configured as switchports, such as follows:
interface GigabitEthernet2/2
switchport
switchport trunk allowed vlan 666,777
switchport mode trunk
Workaround: Use EVC instead of switchport, such as follows:
interface GigabitEthernet2/2
no switch
service instance 10 ethernet
encapsulation dot1q 666
rewrite ingress tag pop 1 symmetric
bridge-domain 666
!
service instance 20 ethernet
encapsulation dot1q 777
rewrite ingress tag pop 1 symmetric
bridge-domain 777
•
Symptoms: If the link flaps on a multilink bundle, or if the CE router is hard reset, when the bundle comes back up, it will not pass traffic until all but one of the interfaces of the bundle are removed.
Conditions: Occurs on a router running Cisco IOS Release 12.2(33)SRD2.
Workaround: There is no workaround.
•
Symptoms: System crash in L2TP. Following this, most of the L2TP setups fail.
Conditions: The symptom occurs at an L2TP control-plane event.
Workaround: Clear VPDN again or reload the router.
•
Symptoms: Following error message is displayed:
EARL_L2_ASIC-SP-4-L2L3_SEQ_ERR, EARL L2 ASIC #0: L2L3 Mismatch seq #0x507 and %CPU_INTF_FPGA-5-PAUSE_FAIL
After this message, router crashes.
Conditions: Occurs when sending large a amount of IPv4 packets towards FlexWAN2 with bad version in short span, such as >1000pkts at line rate.
Workaround: There is no workaround.
•
Symptoms: Bus error crash on SIP-600 SPA-10X1GE-V2.
Conditions: Crash is specific to SIP-600 when a applying QinQ configuration to the sub-interface of a GE.
Example:
interface GigabitEthernet1/0/0.1
encapsulation dot1Q XXX second-dot1Q XXX
Thus far, this has been seen on Cisco IOS versions based on 12.2(33)SRB and 12.2(33)SRD.
Workaround: Have verified that the SIP-400 with SPA-2X1GE and 7600-ES20-GE3CXL support QinQ with Cisco IOS Release 12.2(33)SRB3.
•
Symptoms: When the command passive-interface default is entered under router ISIS, the router reloads.
Conditions: Enter router ISIS configuration mode and enter the passive-interface default command. Router reloads.
Workaround: Configure a passive interface under router ISIS.
•
Symptoms: CEM circuit on Cisco 7600 CEoP SPA does not forward AIS alarm towards attachment circuit even though it is in "TDM Fault" condition as indicated by the output of show cem circuit detail. It also incorrectly shows the CEM circuit as being in "Packet loss" state.
Conditions: This happens only when CEM circuit is in "TDM Fault" condition.
Workaround: There is no workaround.
•
Symptoms: ES40 crashes continuously and powers down.
Conditions: Occurs when configuring default native VLAN on a subinterface with dot1q encapsulation.
Workaround: Remove the dot1q encapsulation configuration.
•
Symptoms: If show mpls forwarding with ownerowner command is issued in cases where none of the entries in a very large forwarding table match the specified owner, a CPUHOG error and traceback may occur.
Conditions: This problem would only occur in cases where a configuration generating a very large MPLS forwarding table existed.
Workaround: Do not issue this command for an owner that did not create any labels.
•
Symptoms: Serial interface in CH0C3 SPA in mode CT3 does not come up. SONET controller and the T3 controller are up, but T1 controller that is configured under T3 is down with LOF alarm.
Conditions: Occurs when configuring STS-1 in CT3 or CT3-E1 mode.
Workaround: There is no workaround.
Resolved Caveats—Cisco IOS Release 12.2(33)SRD2a
All the caveats listed in this section are resolved in Cisco IOS Release 12.2(33)SRD2a. The caveats listed in this section are open in Cisco IOS Release 12.2(33)SRD.
•
Symptoms: When coarse wavelength division multiplexing (CWDM) small form-factor pluggable (SFP) module of any wave length is inserted in the GE port or OC48 port, the SFP module is disabled and the following message is displayed:
%TRANSCEIVER-3-NOT_COMPATIBLE: SIP0/0: Detected for transceiver module in GigabitEthernet0/0/0, module disabledThe output of the show status command shows the following:
CE1#show hw-module subslot 3/3 transceiver 1 statusThe transceiver in slot 3 subslot 3 port 1 has been disabled because: the transceiver type is not compatible with the SPA.Conditions: This issue is seen with a new version of CWDM SFP in which the EEPROM programming has been changed. All releases prior to Cisco IOS Release 12.2(33)SRE and 12.2(33)SRD3 are incompatible with the new SFP version. For the Cisco ASR 1000, all software releases prior to 12.2(33)XNC release 3 and release 4 are affected.
Workaround: Issue is not seen with the older version of SFP.
•
Symptoms: In ES+ line cards with link daughter card versions less than .200, there is a possibility of the line card crash when an SFP module is removed and inserted.
Conditions: Occurs under normal operating conditions.
Workaround: There is no workaround.
Resolved Caveats—Cisco IOS Release 12.2(33)SRD2
All the caveats listed in this section are resolved in Cisco IOS Release 12.2(33)SRD2. The caveats listed in this section are open in Cisco IOS Release 12.2(33)SRD. This section describes only severity 1, severity 2, and select severity 3 caveats.
•
Symptoms: The negotiated IP address is not cleared from an asynchronous interface when a call ends, even though the IP address is returned properly to the IP peer pool.
Conditions: This symptom is observed when the peer is configured to dial in to the network access server (NAS) and to obtain an IP address through IP Control Protocol (IPCP) negotiations with the NAS. The NAS is configured with pools of IP addresses to be allocated to the peer when the peers generate a PPP call to the NAS. The NAS is also configured to authenticate the peer through RADIUS.
Workaround: There is no workaround.
•
Symptoms: A Cisco router that is configured for Network Address Translation (NAT) may reload unexpectedly because of a software condition.
Conditions: This symptom can occur when the router translates a Lightweight Directory Access Protocol (LDAP) packet. NAT translates the embedded address inside the LDAP packet. This problem is strictly tied to NAT and LDAP only.
Workaround: There is no workaround.
•
Symptoms: Some virtual circuit (VC) information is missing in the Simple Network Management Protocol (SNMP) MIB object cAal5VccEntry from the output of the snmpwalk router configuration command. The ATM VCs 0/100, 0/200 and 0/500 exist on the router but are missing in the MIB.
Conditions: This symptom is observed on a Cisco 7513 router that is running a special image of Cisco IOS Release 12.2(15)T5. The symptom may also occur in other releases.
Workaround: Enter the show atm vc privileged EXEC command on the same device to obtain a complete list of all the VCs.
•
Symptoms: The output of serial interfaces on a PA-MC-8TE1 may become stuck after several days of proper operation.
Conditions: This symptom is observed on a Cisco 7206VXR that runs Cisco IOS Release 12.3(10a) and that has MLP configured on the serial interfaces of the PA-MC-8TE1.
Temporary Workaround: Perform an OIR of the PA-MC-8TE1 or reload the router until the symptom occurs again.
Further Problem Description: The symptom occurs during normal operation of the router. If many errors occur on the link, the symptom is more likely to occur.
•
Symptoms: If a user fails to successfully establish a SSH connection on the first attempt, subsequent attempts may also fail.
Conditions: Occurs when a Cisco router is configured to authenticate SSH connections using TACACS+. The rem_addr field in the TACACS+ header may be empty if the user does not successfully authenticate on the first attempt. This may cause authentication or authorization failures if rem_addr information is required by the TACACS+ server.
Workaround: Configure ipssh authentication-retries 0.
•
Symptoms: A router running Cisco IOS 12.4T may reload unexpectedly
Conditions: Occurs when BFD is configured and active.
Workaround: Disable the BFD feature.
•
Symptoms: A router may not allow the peak cell rate value on an interface that is bundled with more than one ATM T1 interface or more than one ATM E1 interface to be set to a value that is more than the bandwidth of one T1 ATM interface or one E1 ATM interface.
Conditions: Occurs on Cisco 3600 routers Cisco IOS Release 12.2(6.8)T2
Workaround: There is no workaround.
•
Symptoms: The Unavailable Seconds (UAS) that are displayed in the output of the show controllers serial slot/port command are incorrect. The display of the UAS starts only after 20 contiguous severely errored seconds (SES) instead of after 10 contiguous SES.
Conditions: This symptom is observed on a Cisco 7200 series that is configured with a PA-T3+ port adapter.
Workaround: There is no workaround.
•
Symptoms: Packets larger than 1526 bytes get dropped between supervisor and Cisco Multi-Processor WAN Application Module (MWAM) on a Cisco 7600.
Conditions: Drops were seen even after increasing MTU size.
Workaround: Reduce MTU on tunnel end systems, which increases fragmentation.
Further Problem Description: The problem is reproducible with extended pings of size 1527 bytes, which get dropped in direction SUP->MWAM as diagnosed with deb ip icmp.
•
Symptoms: A memory leak may occur in the "BGP Router" process.
Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.0(26)S6, that is configured for BGP, and that has the bgp regexp deterministic command enabled.
Workaround: Disable the bgp regexp deterministic command.
•
Symptoms: An Address Error exception occurs after Uninitialized timer in TPLUS process.
Conditions: This is a platform independent (AAA) issue. It may be seen with a large number of sessions while accounting is configured with a T+ server.
Workaround: Disable accounting, or use RADIUS accounting instead of a T+ server.
•
Symptoms: Router might unexpectedly reload during CNS configuration download.
Conditions: The downloaded configuration must disable the CNS configuration initial or partial for this crash to occur.
Workaround: Use static configuration and prevent configuration download from CNS server.
•
Symptoms: On Catalyst 6500 Series and Cisco 7600 Series, when certain service modules transmit packets to VLANs also used with Distributed EtherChannel (DEC), those packets may be dropped and lost. For further description, please review "Field Notice: FN-61935 - Catalyst 6500 Series and 7600 Series Service Module Incompatibility With Distributed EtherChannel and Packet Re-Circulation."
Conditions: The problem only happens when service cards are operating in crossbar-enabled mode.
Workaround: See the above referenced Field Note for several workarounds.
•
Symptoms: Standard communities are not set correctly by an outbound route-map.
Conditions: Occurs when route-map uses continue option.
Workaround: There is no workaround.
•
Symptoms: An IPv6 ping may fail when the atm route-bridged ipv6 command is enabled.
Conditions: This symptom is observed on a Cisco router that runs Cisco IOS interim Release 12.3(22.13), interim Release 12.4(13.9), or Release 12.4(13b) and that is configured for QoS.
Workaround: There is no workaround.
•
Symptoms: While restarting the iprouting process, the system crashed at redzone corruption.
Conditions: Occurs following a switchover. The iprouting process should restart once the standby becomes active.
Workaround: There is no workaround.
•
Symptoms: When DHCP snooping is configured on a VLAN, the redirect access list programmed in TCAM permits a wide range of UDP ports from bootps/bootpc to 65xxx.
Conditions: UDP traffic to these destination ports (0x143, 0x243, 0xFF43) is being redirected to Route Processor (RP). If "ip dhcp snooping limit" is not configured, then RP CPU goes to 100%.
Workaround: There is no workaround.
•
Symptoms: Some of the 48 power over Ethernet ports of a line card cannot be configured as "power inline static" with the maximum power capacity, 15.4 watts, that a port can support.
Conditions: The number of supported ports depends on the power rating of the voice daughter board. One or more ports may not operate at maximum capacity.
Workaround: There is no workaround.
•
Symptoms: While configuring a mediation device (MD), if the MediationSrcInterface is set to loopback interface, traffic will cause MALLOC failures.
Conditions: Problem is seen when traffic rate is equal to or greater than 8000 packets per second.
Workaround: Do not use loopback0 as MD source interface.
•
Symptoms: Router displays following error message and reloads:
Jun 18 06:12:23.008: event flooding: code 10 arg0 0 arg1 0 arg2 0
%SYS-3-OVERRUN: Block overrun at E5D8310 (red zone 00000000) -Traceback= 0x6080CEB0 0x60982108 0x60982EC0 0x6098511C 0x609853BC %SYS-6-MTRACE: mallocfree: addr, pc 662B5B1C,608A6F3C 0,608A6D9C 662B5B1C,608A6D4C 662B5B1C,300001A6 662B5B1C,608A6F3C 0,608A6D9C 662B5B1C,608A6D4C 662B5B1C,300001A6 %SYS-6-MTRACE: mallocfree: addr, pc 662B5B1C,608A6F3C 0,608A6D9C 662B5B1C,608A6D4C 662B5B1C,300001A6 662B5B1C,608A6F3C 0,608A6D9C 662B5B1C,608A6D4C 662B5B1C,300001A6 %SYS-6-BLKINFO: Corrupted redzone blk E5D8310, words 6088, alloc 61FE2638, InUse, dealloc 80000000, rfcnt 1 -Traceback= 0x6080CEB0 0x609681D4 0x6098211C 0x60982EC0 0x6098511C 0x609853BC %SYS-6-MEMDUMP: 0xE5D8310: 0xAB1234CD 0xFFFE0000 0x0 0x63894208 %SYS-6-MEMDUMP: 0xE5D8320: 0x61FE2638 0xE5DB2D0 0xE5D8144 0x800017C8 %SYS-6-MEMDUMP: 0xE5D8330: 0x1 0x0 0x1 0x64B53478%Software-forced reload
Conditions: Occurred on a Cisco 7200 running the c7200-ik9s-mz.124-7a.bin image.
Workaround: There is no workaround.
•
Symptoms: A router may crash when the clear ip bgp command is entered.
Conditions: Occurs on devices running BGP and configured as a route reflector client with conditional route injection configured.
Workaround: Unconfigure conditional route injection.
•
Symptoms: Under the BGP router configuration mode, removing an address-family configuration and then immediately reapplying the same configuration may cause the standby RP of a dual-RP router to reload unexpectedly. Typically, the following configuration sync error will be reported:
Config Sync: Line-by-Line sync verifying failure on command: address-family ipv4 vrf NAME due to parser return error
Removing and replacing the RD configuration under a VRF may also trigger the same type of sync error behavior, although the command listed as failing line-by-line sync will be different.
Conditions: Removal of a BGP address-family configuration triggers background cleanup processing that occurs asynchronously after the command is entered by the user. The background cleanup runs on both the active RP and the standby RP, although the cleanup may happen at different times on the active and standby. Because such background processing does not usually run in lockstep on the two RPs, a window exists after entering an address-family deconfiguration command where the active RP and standby RP are not in the same state. If the user tries to reconfigure the address-family command before both RPs have completed processing and are again in the same state, line-by-line sync may fail and cause the standby RP to reload.
Workaround: The line-by-line sync error can be avoided by allowing adequate time for the standby RP to complete background processing and arrive in an identical state as the active RP. If configuration commands are applied when both RPs are in a consistent state, the configuration sync error will not occur and the standby RP will not reload. The background processing normally happens at 60-second intervals, so waiting 2 minutes between deconfig/reconfig attempts for the same command should prevent the issue in all cases.
The line-by-line sync error and standby RP reload should not cause any service impact, as only the standby RP is affected. The active RP remains fully functional and continues traffic forwarding as usual while the standby RP reloads.
•
Symptoms: The ip nat inside source static network command does not have the <cr> option.
Conditions: This symptom is observed on a Cisco 7200 router that is loaded with Cisco IOS Release 12.4 or 12.4T.
Workaround: There is no workaround.
•
Symptom: Connectivity problems are observed for IPv6 client, which obtained IPv6 prefix via DHCP for Virtual Access interface, due to incorrect static routes in the routing table for the assigned IPv6 prefix.
Conditions: Occurs with IPv6 prefix delegation via DHCP, when client moves from one interface to another.
Workaround: None
Further problem description: When IPv6 prefix delegation assigns a prefix for Virtual Access interface, it creates a static route for the prefix in the routing table. When a client moves to a new interface, old binding and the old routes are retained, which causes the problem.
•
Symptoms: A Cisco router unexpectedly reloads with memory corruption after showing multiple "%SYS-2-INPUT_GETBUF: Bad getbuffer" messages
Conditions: Occurs during normal operation.
Workaround: There is no workaround.
•
Symptoms: "Total packets L3 Switched" counter does not include multicast packet count.
Conditions: Occurs always. "Total packets L3 Switched", includes packet switched by FIB, NetFlow and ACL only.
Workaround: There is no workaround.
•
Symptoms: A router may reload after reporting SYS-3-OVERRUN or SYS-3-BADBLOCK error messages. SYS-2-GETBUF with "Bad getbuffer" error may also be reported.
Condition: Occurs when PIM auto-RP is configured and IP multicast boundary is enabled with the filter-autorp option.
Workaround: Configure IP multicast boundary without the filter-autorp option.
•
Symptoms: Packets may be lost during rekey.
Conditions: Occurs because IPSec transit packets may trigger invalid SPI.
Workaround: There is no workaround.
•
Symptoms: A receive access control list (rACL) with large ACL is not applied on interface if is QoS configured.
Conditions: Occurs when rACL with large ACL is applied on an interface. It consumes over 60% of ternary content addressable memory (TCAM) space. If the rACL is applied a second interface with QoS, the configuration fails without displaying an error message.
Workaround: There is no workaround.
•
Symptoms: After shutting down a GRE tunnel interface, the active RP crashed and switchover took place. The following error message was displayed:
%ALIGN-1-FATAL: Illegal access to a low address 13:02:45 UTC Fri Jan 18 2008 addr=0xD, pc=0x7144A5A0, ra=0x7209FFF8, sp=0x5ABEE90 SLOT0:01:40:03: %DUMPER-3-PROCINFO: pid = 16409: (sbin/ios-base), terminated due to signal SIGBUS, Bus error (Invalid address alignment) SLOT0:01:40:03: %DUMPER-3-REGISTERS_INFO: 16409: zero at v0 v1 SLOT0:01:40:03: %DUMPER-3-REGISTERS_INFO: 16409: R0 00000000 7A5FD854 EF4321F9 7A6452D0 SLOT0:01:40:03: %DUMPER-3-REGISTERS_INFO: 16409: a0 a1 a2 a3 SLOT0:01:40:03: %DUMPER-3-REGISTERS_INFO: 16409: R4 EF4321CD 0000000B 0000000B 00000000 SLOT0:01:40:03: %DUMPER-3-REGISTERS_INFO: 16409: t0 t1 t2 t3 SLOT0:01:40:03: %DUMPER-3-REGISTERS_INFO: 16409: R8 7CB96E10 00FDDBE0 00000000 EFFFFFFF SLOT0:01:40:03: %DUMPER-3-REGISTERS_INFO: 16409: t4 t5 t6 t7 SLOT0:01:40:03: %DUMPER-3-REGISTERS_INFO: 16409: R12 00000000 F7E8E12F 00000000 00000000 SLOT0:01:40:03: %DUMPER-3-REGISTERS_INFO: 16409: s0Conditions: Occurred on a Cisco 7200 running an internal build of Cisco IOS Release 12.2SX.
Workaround: There is no workaround.
•
Symptoms: W2:setting ceExtSysBootImageList cause write memory to work incorrectly.
Conditions: Occurs after setting ceExtSysBootImageList to a new boot image from SNMP. The new boot image in running-config is not copied to startup-config. Instead, a variable "d" will be copied to startup-config after the write memory. The show bootvar command will show BOOT variable = d.
Example: bgl11-lab1-tftp1:/auto/sw/packages/snmpr/15.1.0.3/solaris2bin:3> bgl11-lab1-tftp1:/auto/sw/packages/snmpr/15.1.0.3/solaris2bin:3>getmany -v2c 10.64.68.138 public ceExtSysBootImageList ceExtSysBootImageList.2001 = disk1:s72033-adventerprisek9_dbg-vzsm47417test ceExtSysBootImageList.2017 = disk1:s72033-adventerprisek9_dbg-vzsm47417test bgl11-lab1-tftp1:/auto/sw/packages/snmpr/15.1.0.3/solaris2bin:4>setany -v2c 10.64.68.138 public ceExtSysBootImageList.2001 -o "disk1:" ceExtSysBootImageList.2001 = disk1: ------------------------------------------------ 7600-11-1# 00:02:56: %SYS-5-CONFIG_I: Configured from 10.64.71.240 by snmpWorkaround: There is no workaround.
•
Symptoms: Crash occurs at "ip_route_delete_common".
Conditions: Occurs under the following scenario:
1)A multicast BGP route exists.
2)A unicast BGP route exists for the same prefix.
3)Another route covered by the same majornet as the BGP route exists.
4)There are both iBGP and eBGP sources for the BGP prefix.
5)Redistribution of BGP routes into an IGP must be configured.
Topology change in network causes mBGP to switch from using the iBGP sourced route to the eBGP sourced route will cause the crash.
Workaround: If there are not both iBGP and eBGP sources for the same route the problem will not occur. If redistribution of BGP Into an IGP is not configured the problem will not occur.
•
Symptoms: When configuring ATM PVCs, under the PVC syntax you can provide a handle to describe the PVC. If this handle starts with "00" (zero zero) then the command will fail.
Conditions: The symptom is observed when configuring ATM PVCs and where the PVC handle starts with "00".
Workaround: Do not use handles that start with "00".
•
Symptoms: When PPP sessions are terminated, the standby NPE may crash. This is true for both PPP sessions that are terminated naturally (from the customer end), and those that are terminated prematurely (at the provider end due to a command such as clear pppoe sessions all).
Conditions: At present the conditions are unknown. It only appears to impact 12.2(31)SB10 and related releases.
Workaround: There is no workaround.
•
Symptoms: The router crashes when Independent Optimized Edge Routing (OER) is configured.
Conditions: Occurs when OER is configured.
Workaround: There is no workaround.
•
Symptoms: The line protocol of the serial interface keeps flapping.
Conditions: This symptom is observed after the Atlas BERT pattern is run on a fractional T1 (1 or 2 timeslots).
Workaround: Add/Remove the T1.
•
Symptoms: System running in crypto engine mode vrf with SVI interfaces that have crypto map attached and is in SSO redundancy mode may experience crash of the standby supervisor when the interface referenced by crypto map local address is modified.
Conditions: The system is in SSO redundancy mode, has SVI interfaces with crypto map configuration and running in "VRF mode".
Workaround: There is no workaround.
•
Symptoms: The commands given in the interface range command may not be synced to all interfaces configured in the range in the standby supervisor.
Conditions: Occurs when configuration commands are entered under interface vlan range command. They get attached to only the first VLAN in the range in the redundant supervisor. After switchover, traffic does not flow due to the missing VLAN configuration.
Workaround: There is no workaround.
•
Symptoms: CPUHOG and traceback messages seen for IP NAT ager process.
Conditions: Occurs when NAT is configured with dynamic translations greater than 27,000, and the NAT pool is exhausted. The following messages are seen:
05:13:43: %SYS-3-CPUHOG: Task is running for (2000)msecs, more than (2000)msecs (19/13),process = IP NAT Ager. -Traceback= 40BA0994 40BA0F00 40B983A8 40B9852C 413C2B08 413C2AF4Workaround: There is no workaround.
•
Symptoms: The following error message may be seen:
%DUAL-3-INTERNAL: eigrp 4: Internal Error
Conditions: This symptom is seen when a PE-CE setup using site-of-origin (SoO) tags, in which an PE router that is running EIGRP can learn the same route both by EIGRP (from a CE neighbor) and also by redistribution.
The above error may be seen when EIGRP on the PE prepares to send information to a neighbor about a route learned from another neighbor (with no SoO tag), but before the information can be sent, the route is replaced by a redistributed route (with an SoO tag). The above error can be seen. This behavior is very dependent on the timing of this series of events.
Workaround: There is no workaround.
Further Problem Description: It is not clear what functional impact this may have, or whether the error message is purely a warning.
•
Symptoms: Etherchannel states for Link Aggregate Control Protocol (LACP) port-channels are inconsistent between active and standby, which could possibly affect traffic forwarding.
Conditions: Occurs while configuring several LACP port channels. This could be seen if LACP port channels are configured and the device is brought up in SSO mode.
Workaround: Once the standby is completely up in HOT state, perform a shut/no shut on the interfaces that are inconsistent.
•
Symptoms: A customer upgraded to Cisco IOS Release 12.0(32)Sy4, and now the customer is seeing a memory leak in the BGP process. The memory leak is happening with the BGP router process at the rcach chunk memory when the route map has a "continue" clause in the configuration.
Conditions: The leak is seen when a "continue" statement is configured in a inbound/outbound route map.
Workaround: There is no workaround.
•
Symptoms: Resilient Ethernet Protocol (REP) state flaps after line card reset
Conditions: Occurs on routers running Cisco IOS Release 12.2(33)SRD with SIP600 ports configured as REP edge ports.
Workaround: There is no workaround.
•
Symptoms: Non-TCP traffic passing through the device is punted to the control plane policer. When Control Plane Policing (CoPP) is configured, the bridge result is changing to policy route because WCCP is being applied to all IP packets of a WCCP service.
Conditions: Both WCCP and CoPP must be enabled for this issue to occur.
Workaround: There is no workaround.
•
Symptoms: When there is a link flap or a reload, RSVP shows that the interface is down while actually the interface is up. Because of this, the tunnel may take a backup path even when the interface is up.
Conditions: Unknown at this time.
Workaround: Perform a shut/no shut on the interface.
•
Symptoms: MSFC crashes with Red Zone memory corruption.
Conditions: This problem is seen when processing an Auto-RP packet and NAT is enabled.
Workaround: There is no workaround.
•
Symptoms: The no ip proxy-arp command that is configured under ISG enabled interface is not working.
Conditions: This symptom is observed on the ethernet interface, where an ip subscriber command is configured. Same interface allows disabling IP Proxy ARP with the no ip proxy-arp command, but the command is ignored.
Workaround: There is no workaround.
•
Symptoms: Customer mistakenly modified the service module SPAN session which caused high CPU on the switch. This caused the interface to flap, bringing down Hot Standby Routing Protocol (HSRP), Open Shortest Path First (OSPF) and other protocols resulting in an outage.
Conditions: Occurs when manipulating the service module SPAN session
LAB1(config)#monitor sess 1 source vl 2028% Session 1 used by service moduleLAB1(config)#no monitor sess servicemoduleLAB1(config)#do sh monSession 2
---------
Type : Local SessionSource Ports :Both : Gi2/2Destination Ports : Gi3/2LAB1(config)#monitor sess 1 source vl 2028LAB1(config)#do sh monSession 1
---------Type : Local SessionSource VLANs :Both : 2028Session 2---------Type : Local SessionSource Ports :Both : Gi2/2Destination Ports : Gi3/2Workaround: Do not modify or change the SPAN session related to the service module using the session number. Instead use no mon session servicemodule in order to remove the session.
•
Symptoms: When health monitoring (HM) diagnostic failure happens, call-home diagnostic messages are not out before platform action is taken.
Conditions: Call-home is subscribed to diagnostic alert group minor or major error and the gold policy is active. It only happens when the HM diagnostic test interval is small enough.
Workaround: Set the HM diagnostic test interval to be large enough, but there is no guarantee it will work in all test cases.
Further Problem Description: Because gold policy is last policy in EEM queue, it waits for call-home messages to send out before it executes. If gold policy continues to trigger on the next test failure after reaching the threshold when action notify flag is already false, it does not need to wait for call-home message to execute. It could crash the system before the call-home message for the last gold policy finishes.
Adding ACTION_NOTIFY TRUE condition to the gold policy will prevent the gold policy to continuously execute and consistent with call-home message triggering condition.
•
Symptoms: Downstream traffic will drop when we send IPv6 traffic over PPPoE sessions.
Conditions: Bring up a PPPoE session over L2TP tunnel for address negotiated by IPv6, then send downstream IPv6 traffic.
Workaround: There is no workaround.
•
Symptoms: Router crashed while clearing NAT translations.
Conditions: Occurred on a Cisco 7200.
Workaround: There is no workaround.
•
Symptoms: Junk value is seen in stand-by router.
Conditions: Junk value is observed in stand-by router when normal ATM PVC is created. After switch-over, junk value is seen in both active and stand-by routers.
Workaround: There is no workaround.
•
Symptoms: During periods of high IKE initial session establishment the, SPA may crash.
Conditions: Occurs with high number of simultaneous IKE sessions being established.
Workaround: There is no workaround.
•
Symptoms: Line card crashes recurrently with the "Address exception error".
Conditions: The issue is seen when entering the no shutdown command on the spatial reuse protocol (SRP) interface.
Workaround: There is no workaround.
•
Symptoms: ATM PA Interface with no cables connected shows up/up after forced redundancy.
Conditions: Occurred under the following scenario:
- No cables attached to Fast Ethernet or ATM interface.
- Issue no shut on interface.
- The show ip int brief command shows interface status up/protocol down.
- After redundancy force command is entered, interface shows up/up (no cables connected).
This affects Fast Ethernet interfaces and ATM interfaces on WS-x6582-2PA/PA-2FE-TX and PA-A3-OC3-MM. It does not affect Supervisor ports or Serial Interfaces.
Workaround: There is no workaround.
•
Symptoms: After stateful switchover (SSO) there may be loss of multicast packet delivery for 10 or more seconds.
Conditions: Occurs when multicast routing is enabled in the default mode.
Workaround: If there are no mStatic or mBGP routes, the following configuration will avoid the problem:
Router(config)#ip multicast rpf multitopology Router(config)#global-address-family ipv4 multicast Router(config-af)#topology base Router(config-af-topology)#use unicast base Router(config-af-topology)#•
Symptoms: QoS with Link Fragmentation and Interleaving (LFI) over ATM does not work.
Conditions: Occurs after a shut/no-shut on the ATM interface
Workaround: Reload the line card on both ends.
•
Symptoms: A router crashes after a long RSA key string is entered.
Conditions: This symptom is observed when a very long hex string is entered.
Workaround: Break the entry into shorter strings.
•
Symptoms: Creating a sub-interface may occasionally cause a traceback
Conditions: This may happen when configuring an ATM or SONET sub-interface.
Workaround: There is no workaround.
•
Symptoms: Router (SP) crash may happen upon deleting multiple VRFs or unconfiguring multiple MDTs.
Conditions: The crash is seen when trying to delete multiple MDTs at one time.
Workaround: Allow at least seconds after each MDT delete command or VRF delete command before issuing the next command.
•
Symptoms: ESM20 line card may crash while booting up.
Conditions: Occurs intermittently with a scaled topology.
Workaround: There is no workaround.
•
Symptoms: Cisco 7200 crashes due to memory corruption.
Conditions: Occurs when MLP+QoS is configured on a Cisco 7200 router. QoS policy is having bandwidth, change the BW parameter and flap the multilink using clear int multilink1 to see the crash.
Workaround: There is no workaround.
•
Symptoms: A Virtual Router Redundancy Protocol (VRRP) group configured on a VLAN interface flaps from the backup to the master state after stateful switchover (SSO) when the existing master is still available on the network. The group will flap back to backup a short period later.
Conditions: The problem only occurs when there are a large number of VLAN interfaces with a VRRP group configured on each interface and SSO is performed.
Workaround: Each of the VRRP groups can be configured with a larger VRRP advert timer value. Values should be varied depending on the setup, but a larger than default value is usually required.
•
Symptoms: Traceback occurs when VPN routing/forwarding (VRF) is deleted and then recreated.
Conditions: Occurs when multicast RP is configured under VPN routing/forwarding (VRF) first. When the VRF is deleted, some multicast data may still be locked and not deleted, causing the traceback when a new VRF is created and multicast RP is configured there.
Workaround: There is no workaround.
•
Symptoms: When "0.0.0.0/8 static route to null 0" is configured, the default gateway failover does not work. RIB is not updated.
Conditions: Occurs under the following scenario:
- Border Gateway Protocol (BGP) with two neighbors sending a default gateway. - Static route "0.0.0.0/8 to null 0" is configured. - Failover takes place and RIB is not updated.
Workaround: There is no workaround.
•
Symptoms: A Cisco Catalyst 6000 reports the following message and unexpectedly reloads:
%SYS-2-ASSERTION_FAILED: Assertion failed: "wccp_acl_item_valid(item,NULL)"
Conditions: This symptom is observed on a WS-C6509 that is running Cisco IOS Release 12.2(33)SXH2a.
A WCCP service is configured with a redirect-list referring to a simple ACL.
Workaround: Use an extended ACL as the WCCP redirect-list.
•
Cisco IOS Software contains a vulnerability in multiple features that could allow an attacker to cause a denial of service (DoS) condition on the affected device. A sequence of specially crafted TCP packets can cause the vulnerable device to reload.
Cisco has released free software updates that address this vulnerability.
Several mitigation strategies are outlined in the workarounds section of this advisory.
This advisory is posted at /en/US/products/products_security_advisory09186a0080a904cb.shtml
•
Symptoms: Error message seen after stateful switchover (SSO):
%CHKPT-4-NOMESSAGE: Message is NULL, (Cannot get data ptr)
Conditions: Occurs when Intermediate System-to-Intermediate System (IS-IS) NSF is configured.
Workaround: There is no workaround.
•
Symptoms: Some configurations are missing after a reload.
Conditions: This symptom is seen when a router reloads that results in missing configurations of "vrf selection source" under show run.
Workaround: There is no workaround.
•
Symptoms: A router intermittently runs into crashes in a large scale network with active PPPoEoA sessions.
Conditions: This symptom occurs when many active PPPoEoA sessions exist.
Workaround: There is no workaround.
•
Symptoms: A crash happens when the show ipv6 rpf x:x:x::x command is given.
Conditions: This symptom is observed only when there are more than 16 adjacencies for a single static route. The crash happens when the show ipv6 rpf command is given for this particular static route.
Workaround: There is no workaround. This problem occurs as long as there are more than 16 adjacencies for single static route even if some of them are not active.
•
Symptoms: Some of the route-maps configured for BGP sessions (eBGP) are not permitting the prefixes upon a router reload.
Conditions: The symptom is observed when a large number of route-maps for a BGP session are configured and the router is reloaded.
Workaround: Issue the command clear ip bgp * soft.
•
Symptoms: A software-forced crash occurs on the RP of a Cisco 7600 running Cisco IOS Release 12.2(33)SRB2.
Conditions: Occurs when the clear route-map counters <name> command is entered.
Workaround: Upgrade to Cisco IOS Release 12.2(33)SRC3 or later.
•
Symptoms: Router crashed when removing a policy attached to a VLAN interface with a route map and access lists attached.
Conditions: Occurred on a Catalyst 4500 running Cisco IOS Release 12.2(46)SG. The device may reload unexpectedly due to a software-forced crash. Defect also affects other platforms and releases of Cisco IOS.
Workaround: There is no workaround.
•
Symptoms: A crash occurs.
Conditions: The crash is caused by a ping across an ISATAP tunnel. The symptom is observed only in Cisco IOS Release 12.4(15)T7 on the Cisco 7200 (it is not known to affect other platforms), since the crash is dependent on the Cisco IOS memory map (which varies with each image).
Workaround: There is no workaround.
•
Symptoms: The EIGRP IPv6 process may incorrectly select a router-ID from the 127.0.0.0 address range.
Symptoms: The same router-ID may be selected on two separate Cisco routers configured for EIGRP IPv6. External prefixes advertised by one of the EIGRPv6 routers will be ignored by the receiving EIGRPv6 router due to the fact the routerID contained in the external data portion of the prefix matches the receiving routerID; a loop prevention method.
Workaround: Manually configure a router-ID under the EIGRP IPv6 process with router-id<address> command.
•
Symptoms: Line card MAC notification test fails when redundancy mode is changed from RPR to SSO or SSO to RPR. SIP-400 Bus Connectivity Test failed when the following commands are issued:
Conf t redundancy mode rpr
Conditions: The issue observed in the Fabric Hot Sync-enabled Sup720 and RSP720 routers Cisco IOS Release 12.2(33)SRC. In the problem state, Super Santa Ana (SSA) channels are out of sync. For example, show platform hard ssa status will display SSA channel status from the SSA based CWAN module console.
Workaround: There is no workaround.
•
Symptoms: MPLS Layer 3 VPN with HQOS on PA-A6-OC3 with 500 ATM PVCs crashes at PEs wth online insertion and removal (OIR).
Conditions: Perform a soft OIR of PE while entering the hw-module slot 5 start command to observe the crash.
Workaround: Configure with HQoS for 500 PVCs.
•
Symptoms: Occasionally a crash occurs after preemptive switchover with no traffic.
Conditions: Unknown. Issue is not reproducible on a consistent basis.
Workaround: There is no workaround.
•
Symptoms: The router crash when the default pppoe enable command is entered.
Conditions: Occurs with 4094 PPPoE sessions active. When the above command is used to disable PPPoE under Ethernet subinterface, the router crashes.
Workaround: There is no workaround.
•
Symptoms: When there is heavy traffic on the 10-GE SPA (that is, 80 percent or more of line rate), and the interface is shut/no shut, there is a low probability that the interface may become stuck and incorrectly send pause frames on the connected link, interrupting traffic flow. This is also seen on ES20 line cards with 10-GE ports. (CSCsx82439)
Conditions: This symptom is observed when the link is shut/no shut while there is a high level of traffic on the link. In case of ES20, it is also seen in case of line card reload.
Workaround: Add and remove auto-negotiation on the interface configuration to recover the link. In case of ES20, toggling flow-control recovers the interface.
•
Symptoms: A Cisco 10000 PRE will reload unexpectedly when a radius server which is marked as dead is removed from the configuration during authentication of sessions.
Conditions: The issue is seen when a RADIUS server is marked as dead. There are attempts to retry and access the server during its removal from the configuration.
Workaround: There is no workaround.
•
Symptoms: EBGP-6PE learned IPv6 labeled routes are advertised to IBGP-6PE neighbor by setting NH as local IP address.
Conditions: This symptom is observed on 6PE Inter-AS Option C with RR case.
Workaround: There is no workaround.
•
Symptoms: Queue wedges on one of the SP input queues. When the peer switch was sending VTP packets to the switch trunk interface where no vtp was configured, the interface input-buffer was filled up by the VTP packets. When the buffer is full, the interface is not be able to process any incoming control packets.
Conditions: Occurs when the trunk interface is configured no vtp and its peer interface is a has VTP enabled.
Workaround: Configure the peer with no vtp to prevent VTP packets being received on the other interface.
•
Symptoms: Slow synchronization of IP subscriber sessions from Active to Standby RP.
Conditions: This issue is observed only for a large number of IP subscriber sessions. While the traffic is flowing, if user manually requests to clear all the sessions and while that is processing the line card reboots, then standby RP can get into a state there are dangling sessions. This does not render the router useless, but increases the sync time from active to standby.
Workaround: There is no workaround.
•
Symptoms: An ISAKMP SA is not deleted as expected after removing the RSA key.
Conditions: The issue is seen when the user tries to clear the ISAKMP SAs by issuing the clear crypto session command on an IKE SA that has multiple IPSEC SAs.
Workaround: Use the clear crypto sa and clear crypto is commands.
•
Symptoms: A Cisco 7600 router with PA-A3-T3 port adapter in flexwan module WS-X6582-2PA could generate following error messages with tracebacks upon a mass ATM PVCs flap:
SLOT 2/0: %CWAN_ATM-3-VC_OR_PORT_ERR: Invalid VCD FF03 or Port: 0 -Traceback= 403E2200 403A8C1C 40344F88 40347FD0 403481B4 403C374C 401CD170Slot 2/0 is the slot the port adapter is installed.
Conditions: This seems to only occur when a large number of ATM PVCs flap, most likely from the service provider side.
Workaround: There is no workaround.
•
Symptoms: If APS is configured on a large number of channelized sub-interfaces associated with a single controller such that a single failure can cause all of these interfaces to failover at the same time, and RIP is configured to run over these interfaces, high sustained CPU usage will be seen following the failover and reconvergence time will be lengthy.
Conditions: Large number of APS protected interfaces fail over at the same time. RIP is the protocol running on those interfaces. IP addresses on all interfaces are covered by the same network statement.
Workaround: There is no workaround.
Further Problem Description: The length of the high CPU and reconvergence period will increase as the number of impacted interfaces increases.
The length of the high CPU and reconvergence period will also increase as the number of network statements which cover the IP addresses on the affected interfaces decreases i.e. it will be worst when a single classful network (e.g. 10.0.0.0) covers all interfaces, somewhat better when multiple classful networks are impacted.
•
Symptoms: When a router has many PPPoE sessions and the router is configured as an RP-mapping agent, the router crashes following a switchover.
Conditions: The symptom is observed when the router has 8000 PPPoE sessions and it is configured as an RP-mapping agent. Following a switchover, the issue is seen.
Workaround: Another router that does not have as many interfaces in the network should be configured as the RP-mapping agent.
•
Symptoms: After 30 minutes, MIB synchronization failure messages appear on primary RP. Secondary RP crashes.
Occurs under the following scenario:
1) Bringup 1 pppox session on the L2TP network server (LNS)
2) Pass bidirectional traffic through the LNS
3) After 30 minutes, MIB sync failures message appear on primary RP and secondary RP crashes.
Workaround: Enter the no snmp mib notification-log default command.
•
Symptoms: Router crashed due to watchdog timeout in the virtual exec process:-
%SYS-3-CPUHOG: Task is running for (128000)msecs, more than (2000)msecs (129/17),process = Virtual Exec. -Traceback= 40B5D8A8 40B5D984 40B5DA4C 40B5DB78 40B5DC6C 40C0E1BC 4125D3A8 4209FAEC 420AA5A0 4054C05C 420570D8 40575510 41257298 41257284 %SYS-2-WATCHDOG: Process aborted on watchdog timeout, process = Virtual Exec. -Traceback= 40B5D8C8 40B5D984 40B5DA4C 40B5DB78 40B5DC6C 40C0E1BC 4125D3A8 4209FAEC 420AA5A0 4054C05C 420570D8 40575510 41257298 41257284Conditions: This was observed on a Cisco 7600 with Supervisor 720 running Cisco IOS Release 12.2(33)SRB3 after a ATM sub-interface was removed.
Workaround: There is no workaround.
•
Symptoms: A standby SP may experience a memory leak in the mls-hal-agent process.
Conditions: This has been experienced on a Cisco 7600 router with dual SUP720s running either Cisco IOS Release 12.2(33)SRC or Cisco IOS Release 12.2(33) SRC1. The router is configured for multicast.
Workaround: There is no workaround.
•
Symptoms: ASR1000 Router crashes.
Conditions: Occurs if "ip vrf" is deleted from the configuration.
Workaround: There is no workaround.
•
Symptoms: An MSDP peer may flap randomly.
Conditions: The symptom is observed when the device is configured with logging host ip-address... or logging host ip-address.
Workaround: It has been observed that removing the "logging host" configuration helps in preventing the peer-flap: no logging host ip-address no logging ip-address
•
Symptoms: Pinging an interface fails.
Conditions: Occurs when unconfiguring xconnect on the interface.
Workaround: Perform a shut/no shut on the interface.
•
Symptoms: If running OSPF, stale routes may be installed in the RIB. Also wrong paths (inter-area vs. intra-area) are preferred.
Conditions: Occurs on a router running Cisco IOS Release 12.2(33)SRC1.
Workaround: There is no workaround.
•
Symptom: Router crashes due to memory corruption
Conditions: WAN router crashes when feature combination includes Frame Relay, EIGRP, GRE, QoS, and multicast are configured on WAN aggregation and branches.
The issue is seen only on PA-MC-2T3/E3-EC The issue is seen only when frame-relay fragment and service-policy is part of map-class frame-relay configs
Workaround: Have either frame-relay fragment or service-policy as part of map-class frame-relay configs
•
Symptoms: On the standby provider edge (PE) aggregation device, when label allocation fails, the box can crash upon retry.
Conditions: Occurs in redundancy mode in PE aggregation device configured for tunnel stitching.
Workaround: There is no workaround.
•
Symptoms: With unidirectional Ethernet (UDE) enabled on ES20 port, UniDirectional Link Detection (UDLD) gets disabled. But on converting the port from L3 to L2 (or vice versa) or on shut/no shut of interface, UDLD is enabled again on the interface. Once UDLD gets enabled, due to the UDE feature, the port is detected as unidirectional and put to err-disabled state.
Conditions: Occurs on ES20 ports configured for both UDE and UDLD.
Workaround: Disable UDLD on the port.
•
Symptoms: Acct-Time-Delay and Tunnel-Link-Stop records are missing from L2TP network server (LNS).
Conditions: Occurs when using radius server for authentication.
Workaround: There is no workaround.
•
Symptoms: Upon the first SSO switchover triggered with the redundancy force-switchover command, the traffic stops on the ATM N-to-1 VCC pseudowires configured with cell-packing in the direction from the MWR towards the 7600 SPA-4XOC3-ATM interface. Traffic recovers normally in the other direction.
Conditions: Occurs on a Cisco 7600 S-series equipped with dual SUP720-3BXL. The problem is seen only when cell-packing is enabled on the N-to-1 VCC pseudowires and when APS (MR-APS) is configured on the ATM OC3 interface of the Cisco 7600 SPA-4XOC3-ATM.
Workaround: Disable cell-packing on the ATM N-to-1 VCC pseudowires or alternatively disable APS on the SPA-4XOC3-ATM interface.
•
Symptoms: After removing the "default-originate" configuration, the default-route is not withdrawn.
Conditions: Occurred on a router running Cisco IOS Release 12.2SR.
Workaround: Clear the session to remove the configuration.
•
Symptoms: BGP as-override does not work properly on a PE to overwrite the AS in the AS4_PATH.
Conditions: When a 4 byte CE is peered to a 2 byte capable PE using AS 23456 and the command as-override is configured on the neighbor, the PE router does not override the AS in the AS4_PATH with its own AS number, mapped to 4 bytes.
Workaround: Use "allowas-in" on the CE.
•
Symptoms: Router crashes when scaling DHCP sessions on Cisco Intelligent Services Gateway (ISG).
Conditions: When the MCP-ISG is acting as DHCP Relay Agent or DHCP server, it crashes while large number of Layer 2-connected sessions are coming up.
Workaround: There is no workaround.
•
Symptoms: cdpCacheAddress(OID:1.3.6.1.4.1.9.9.23.1.2.1.1.4) MIB is not showing GLOBAL_UNICAST address.
Conditions: Occurs on a Cisco 7200 router running Cisco IOS Release 12.4(15)T7.
Workaround: There is no workaround.
•
Symptoms: BGP neighbors that are configured with as-override and send-label (CsC) together may not work after an interface flap or service reset.
Conditions:
neighbor xxx as-override neighbor xxx send-labelWorkaround: Enter the "clear ip bgp * soft in" command.
Further Problem Description: Peers (neighbors) with a CsC (IPv4+label) BGP configuration with the as-override option should be separated into different dynamic update groups during the BGP update generation process. After the CSCef70161 fix in Cisco IOS Release 12.0(32)SY4, this is no longer the case; this CSCsu12040 fix enhances the CSCef70161 fix to handle the CsC (IPv4+label) case separately.
•
Symptoms: A router hangs for a couple of minutes, then crashes anytime the clear ip bgp neighbor x.x.x in command is issued.
Conditions: This symptom occurs when a router crashes when the clear ip bgp neighbor x.x.x.x soft in command is issued when the following commands are configured for that neighbor (without route-map): 1) neighbor x.x.x.x soft-reconfiguration inbound 2) neighbor x.x.x.x weight 3) neighbor x.x.x.x filter-list in
If any one of the commands is not configured, then the router will not crash.
Workaround: Configure route-map instead of filter-list for inbound direction. For example: "neighbor x.x.x.x filter-list 1 in" replace with "neighbor x.x.x.x route-map name in"
where, route-map name permit 10 match as-path 1
•
Symptoms: Traffic may not resume on ATM over MPLS (ATMoMPLS) connections.
Conditions: The symptom is observed when both ATMoMPLS and ATM over LS (ATMoLS) connections are on same card and a card reset is done.
Workaround: Reload the PXF.
•
Symptoms: When stateful switchover (SSO) is performed on a Cisco 7600, MPLS label allocation fails.
Conditions: Issues are seen on Cisco 7600 router. Occurs after performing the SSO. Also seeing CPU usage above 95% for 10-15 minutes.
Workaround: There is no workaround.
•
Symptoms: Router crashes when DHCPv6 is configured on the router.
Conditions: Router crashes when we remove the subinterface on which DHCPv6 PD request was configured.
Workaround: There is no workaround.
•
Symptoms: IGMP v3 reports are discarded.
Conditions: Occurs on Cisco 7200 router running Cisco IOS Release 12.4(20)T2.
Workaround: There is no workaround.
•
Symptoms: Flurry of DUP_IFINDEX messages are seen on standby.
Conditions: Occurs during bulk sync phase when standby is coming up.
Workaround: There is no workaround.
•
Symptoms: Not able to execute any commands under interface after running BERT tests.
Conditions: This issue is seen only after running SPA FPGA BERT tests and also when there is dual RP in chassis. With other BERT options, no issue is seen.
Workaround: There is no workaround.
•
Symptoms: Bootup diag test failures observed on 6816 card when multirouters are reloaded. Some ports were put in error disabled state.
Conditions: Failure triggered with random multirouters reloads (reload of CE1, PE1, Core1). Brief router info and config: IOS - 8/25 a76 Dual sup720 7606 6724 connected to remote 6724 (servicing vlans 2-2000) 6816 connected to remote 6816 (servicing vlans 2001-4000) sip600 (servicing vlans 1-4000 switchport)
Topology:
CE1----PE1----Core-1-----Core-2----PE2----CE2 Affected router is CE1.
Configuration: 4k VLANs, 6816 servicing VLANs 2001-4000 (switchports).
Workaround: Run the failing diag tests on demand.
Further Problem Description: Few bootup tests fail when on 6816 card when the multirouters are reloaded. On failure, the ports are put in error disabled state. Failure cause has been root caused to usage of reserved diag vlans in the configs. Please refer the link mentioned below.
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.1E/native/command/reference/S1.html
switchport dot1q: Do not enable the reserved VLAN range (1006 to 1024) on trunks when connecting a Catalyst 6500 series switch running Cisco IOS software on both the supervisor engine and the MSFC to a Catalyst 6500 series switch running Catalyst software. These VLANs are reserved in systems running Catalyst software. If enabled, systems running Catalyst software may error disable the ports if there is a trunking channel between these systems
When the diag vlans (1006 to 1011, 4094 to 4089) are used, there could be diag failures at some random cases. Please do not enable the reserved vlans.
•
Symptoms: A router reloads.
Conditions: Under certain crypto configurations with NetFlow also configured, the router will reload when required to fragment CEF-switched traffic on a Cisco 7200 router.
Workaround: There is no workaround.
•
Symptoms: A PRE-3 that is running Cisco IOS Release 12.2(31)SB code may encounter a Redzone overrun memory corruption crash.
Conditions: Unknown at this time.
Workaround: Turn off Auto IP SLA MPLS by entering the auto ip sla mpls reset command.
•
Symptoms: Renaming a directory gives error message.
Conditions: This happens on a Cisco router running Cisco IOS Release 12.4(20)T1.fc2 image
Workaround: There is no workaround.
•
Symptoms: When a private VLAN is configured on a VTPv3 server and then deleted, the update message on a peer VTPv3 client can cause a stack overflow for VLAN manager process and crash.
Conditions: Occurs in a Cisco 7600 running Cisco IOS Release 12.2(33)SRD.
Workaround: There is no workaround.
•
Symptoms: The line card reloads when a line card online insertion and removal (OIR) is performed. It does not happen consistently.
Conditions: This occurs when an empty policy is present.
Workaround: There is no workaround.
•
Symptoms: A router may unexpectedly reload.
Conditions: The symptom is observed specifically with a configuration of Enhanced Interior Gateway Routing Protocol (EIGRP) that is used to redistribute BGP routes. Plain EIGRP is not affected.
Workaround: Do not use EIGRP to redistribute BGP.
•
Symptoms: TCL scripts and policies attempting to work with open files and sockets simultaneously may not operate properly. One symptom is the vwait command may fail by reporting "would wait forever".
Conditions: Occurs when a TCL script opens both a file and a client or server socket simultaneously.
Workaround: Open and close files and sockets separately. Avoid having them open simultaneously.
•
Symptoms: BGP dampening under VPNv4 may cause router crash.
Conditions: Occurs when BGP dampening is enabled on VPNv4 address family, but not on individual IPv4 VRF<VRF-name>address-family.
Workaround: Enable the same set of BGP dampening on both the VPNv4 address family as well as all entries for IPv4 VRF address-family.
•
Symptoms: IF-MIB registration fails as there are no free ifIndex available.
Conditions: Occurs after an upgrade. Seen only in HA systems.
Workaround: There is no workaround.
•
Symptoms: Unable to configure pseudowire on virtual-PPP interface. Command is rejected with the following error:
Incompatible with ip address command on Vp1 - command rejected
Conditions: Occurs when IPv4 address or IP VPN routing/forwarding (VRF) has already been configured on the main interface.
Workaround: There is no workaround.
•
Symptoms: A Cisco 7600 series router may fail to install some NetFlow entries even if NetFlow table utilization is low.
Conditions: Occurs while flows are ingressing on ES20 module.
Workaround: There is no workaround.
Further Problem Description: The show mls netflow table-contention detail command will show a heavy ICAM table utilization, while TCAM utilization is small.
Router#sh mls net table-contention detEarl in Module 1Detailed Netflow CAM (TCAM and ICAM) Utilization================================================TCAM Utilization : 0%ICAM Utilization : 98%Netflow TCAM count : 152Netflow ICAM count : 126Netflow Creation Failures : 388663Netflow CAM aliases : 0•
Symptoms: A router may crash due to bus error caused by an illegal access to a low memory address.
Conditions: This happens when a service-policy is applied to an interface, and then service-policy is removed under certain conditions.
One such condition is that "ip cef distributed" was configured on the router and the multi-link member flap triggered the service policy removal.
The problem is that, after the policy was removed, the packet path vector was not reset correctly and still trying to access the already-removed policy internally. When traffic flows, it will cause crash.
Workaround: For the above example, remove "ip cef distributed" from the configuration.
•
Symptoms: When the L3VPN prefix uses a tunnel with fast reroute (FRR) protection, there is traffic loss during reoptimization.
Conditions: Not all prefix in the VRF will observe this issue. This is seen only when there are more than 250,000 prefixes.
Workaround: There is no workaround.
Further Problem Description: Traffic loss during re-optimization can be due to faster tunnel cleanup also. It is advisable to configure mpls traffic-eng reoptimize timers delay cleanup <seconds> to fine tune the cleanup according to the topology.
•
Symptoms: VPDN redirect functionality does not work.
Conditions: Basic functionality is broken. No special condition is required.
Workaround: There is no workaround.
•
Symptoms: When account logon is done for a DHCP user, QoS policies defined in the user profile are not applied to the ISG session.
Conditions: A DHCP session is created. User performs account logon via SESM (not CoA). User profile has QoS polices defined. Session is authenticated but policies are not applied to the session.
Workaround: Perform account logon using CoA.
•
Symptoms: Unable to attach service policy to VT when bandwidth is configured in class default.
Conditions: Occurs when DLFI over ATM is configured while trying to attach service policy to VT when bandwidth is configured in class default.
Workaround: Configure bandwidth in user defined class and attach to VT.
•
Symptoms: Router crashes when an attempt is made to forward a packet out of an Auto-Template interface.
Conditions: This occurs when the interface's MTU is set to 0: Use the show interface Auto-Template X command to show the MTU.
Workaround: Configure a protocol MTU directly on the Auto-Template interface.
•
Symptoms: A Cisco 10000 series router may crash every several minutes.
Conditions: The symptom is observed with a Cisco 10000 series router that is running Cisco IOS Release 12.2(31)SB13.
Workaround: Use Cisco IOS Release 12.2(31)SB11.
•
Symptoms: More convergence time seen even with the carrier-delay msec 0 command configured.
Conditions: Occurs when carrier-delay msec 0 is configured on a gigabit interface.
Workaround: If excessive convergence time is observed even with the carrier-delay msec 0 command configured, enter the command again on the interface.
•
Symptoms: If connected routes are optimized using PfR, there will be a routing loop.
Conditions: This symptom can occur if, for some reason, PfR is learning connected routes or if the user has configured them.
Workaround: Create an oer-map with a prefix-list that contains the prefixes with the IP addresses of the connected routes (the next hops). Set the set observe mode in the oer-map.
•
Symptoms: Port-channel QinQ subinterface on ESM20 and SIP600 line cards do not pass traffic after router reload and line card reset.
Conditions: This condition is seen after router reload or member link line card reset. This is not seen when configuration is newly applied.
Workaround: To recover from the condition, perform a shut/no shut on the port channel main interface.
•
Symptoms: Traffic loss occurs in routed-PW interfaces.
Conditions: Occurs following router bootup with highly scaled VPN, PW, and SVI configuration.
Workaround: Perform a shut/no shut on SVI or on the failing interfaces.
•
Symptoms: IPv6/IPv6 Tunnel adjacency information is incomplete on the line card. This prevents IPv6/IPv6 multicast traffic on the tunnel.
Conditions: The symptoms are observed under normal operation.
Workaround: There is no workaround.
•
Symptoms: Router crashes due to critical software exception.
Conditions: Occurs on a Cisco ASR 1000 running Cisco IOS Release 12.2.
Workaround: There is no workaround.
•
Symptoms: With MLPPP configured on OSM, the following symptoms may be observed:
1. Line card might crash.
2. Links might flap.
3. Following error message from line card might be seen: "SLOT 9: Sep 14 13:48:48.479 CDT: %COMMON_FIB-3-FIBIDBINCONS2: An internal software error occurred. Multilink1 linked to wrong idb R11_Mu1"
Conditions: Occurs on routers running various Cisco IOS Release 12.2SR releases. Performing a shut/no shut on the OSM (especially on the card containing MLPPP) interfaces might trigger this issue.
Workaround: There is no workaround.
•
Symptoms: Hot Standby Routing Protocol (HSRP) IPv6 configuration can be re-added to a VLAN by software after the configuration has been deleted.
Conditions: If Hot Standby Routing Protocol (HSRP) IPv6 is configured on a VLAN interface, and the VLAN interface is deleted, then the HSRP IPv6 configuration will reappear on the VLAN if the VLAN is later recreated. Once this occurs then there is no way to remove the HSRP configuration.
Workaround: Remove the HSRP configuration before deleting the VLAN.
•
SYMPTOM:
The Cisco IOS may experience high CPU utilization.
CONDITIONS:
ISAKMP is enabled.
WORKAROUND:
None.
FURTHER INFORMATION:
This issue can occur if the Cisco IOS device processes a malformed IKE message.
•
Symptoms: In a Virtual Private LAN Services (VPLS) scenario with ESM20 as core facing interface, imposition traffic might fail.
Conditions: Occurs only when ports from Bay 1 are used as core facing interface.
Workaround: Reset the line card.
•
Symptoms: In a scenario where a Catalyst 6500 or Cisco 7600 performs DHCP snooping + DAI functionality and a second device acts as DHCP relay, it was observed that DHCP snooping database was not populated. DHCP snooping is configured in this case on the ingress VLAN (traffic from the DHCP clients) and the DHCP server can be reached on a different egress VLAN (DHCP requests are routed).
DHCP Replies from the server (DHCPOFFER and DHCPACK) are not snooped by the Catalyst 6500 or Cisco 7600 and so bindings are not established. Consequence is that clients will get their own IP Address but ARP Inspection will fail because bindings were not learned on the device.
Conditions: Occurs with DHCP Snoooping + DAI configured on a Catalyst 6500 or Cisco 7600 in a routed scenario (Ingress VLAN and Egress VLAN are different) and DHCP Relay performed by a different device.
Workaround: Configure DHCP Snooping on both client and server side VLANs. Problem is applicable to both Cisco IOS Release 12.2(18)SXF and Cisco IOS Release 12.2(33)SRB.
•
Symptoms: LSP ID change after stateful switchover (SSO) due to failure in signaling recovered label switched path (LSP).
Conditions: Occurs following a SSO switchover.
Workaround: There is no workaround.
•
Symptoms: With L2TPv3 sessions configured on the active RP, the CPU on standby RP is being used to setup L2TPv3 sessions to peer. The standby keeps attempting to establish all L2TPv3 sessions, which obviously fail to establish, and hence it keeps on retrying forever. This is a waste of standby RP CPU, since there is no point in attempting to establish sessions with peer on standby.
Conditions: Occurs when L2TPv3 pseudowires are configured on a router with active and standby RPs.
Workaround: There is no workaround.
•
Symptoms: NSF restart may be terminated and OSPF NBR may flap during RP switchover. The debug ip ospf adj command shows the following message: OSPF: Bad request received.
Conditions: The symptoms are observed when the links are broadcast networks and the restarting router is DR. It is seen when "nsf cisco" is configured and when some neighbors finish OOB resync much sooner than others.
Workaround: Use the nsf ietf command.
Alternate workaround: Configure routers so that the restarting router is not DR (use ospf network type point-to-point or priority 0).
•
Symptoms: Router may incorrectly drop non TCP traffic. TFTP and EIGRP traffic can be impacted as seen in CSCsv89579.
Conditions: Occurs when the ip tcp adjust-mss command is configured on the device.
Workaround: Disable ip tcp adjust-mss on all interfaces. Note that this may cause higher CPU due to fragmentation and reassembly in certain tunnel environments where the command is intended to be used.
•
Symptoms: The show vpdn history failure command should show the history of session failures due to entering incorrect password, but it does not show any history.
Router#show vp hi fa % VPDN user failure table is emptyConditions: The problem was seen with Cisco 7201 running Cisco IOS Release 12.2(33)SRC1. No problem with Cisco IOS Release 12.4(4)XD9.
Workaround: There is no workaround.
•
Symptoms: If router is configured as follows:
router ospf 1 ...passive-interface Loopback0And later is enabled LDP/IGP synchronization using command
Router(config)#router ospf 1 Router(config-router)# mpls ldp sync Router(config-router)#^ZMPLS LDP/IGP synchronization will be allowed on interface loopback too.
Router#sh ip ospf mpls ldp in Loopback0 Process ID 1, Area 0 LDP is not configured through LDP autoconfig LDP-IGP Synchronization : Required < ---- NOK Holddown timer is not configured Interface is upIf the clear ip ospf proc command is entered, LDP will keep the interface down. Down interface is not included in the router LSA, therefore IP address configured on loopback is not propagated. If some application like BGP or LDP use the loopback IP address for the communication, application will go down too.
Conditions: Occurs when interface configured as passive. Note: all interface types configured as passive are affected, not only loopbacks.
Workaround: Do not configure passive loopback under OSPF. Problem only occurs during reconfiguration.
The problem will not occur if LDP/IGP sync is already in place and: - router is reloaded with image with fix for CSCsk48227 - passive-interface command is removed/added
•
Symptoms: TFTP from supervisor to ACE modules fail.
Conditions: Results in the inability to copy/upgrade images to standby ACE. This is due to moving all 127.x.x.x addresses in an internal VPN routing/forwarding (VRF), which causes TFTP to fail.
Workaround: ACE modules could fail-over to make standby as active and then FTP from the server directly.
•
Symptoms: Router may crash when "show tracking brief" is entered if one or more tracking object have been created using the Hot Standby Routing Protocol (HSRP) cli, such as standby 1 track Ethernet1/0.
Conditions: This does not occur if all tracking objects use the new track command as follows:
track 1 interface Ethernet1/0 line-protocol interface Ethernet 0/0 standby 1 track 1
Workaround: Use show tracking instead, or configure tracking with the new command.
•
Symptoms: IPv6 address of loopback interface set as passive under Intermediate System-to-Intermediate System (IS-IS) router process is not present in IS-IS database.
Conditions: Issue is seen when loopback interface is set as passive under router IS-IS configuration and the IPv6 address of the interface is only added afterwards. If the passive-interface command is used when the loopback interface already has its IPv6 address configured, issue is not seen.
Workaround: After the IPv6 address is configured under the affected interface, remove and add the passive-interface configuration under the router IS-IS process.
•
Symptoms: After Flex Link failover, connectivity may be lost. Configured VLANs might be pruned on active link, causing VLAN interface to go down.
Conditions: This usually happens after the second Flex Link failover.
Workaround: Remove the Flex Link configuration from the interface, then reconfigure it.
•
Symptoms: Cisco 7600 RP crashes while executing the copy tftp sup-bootdisk: command. A similar crash seen upon switchover
Conditions: Occurs when issuing a copy command from SP console on an RSP720.
Workaround: There is no workaround.
•
Symptoms: A crash may occur while applying QOS under an MFR interface.
Conditions: The symptoms are observed while applying QOS under an MFR interface on a PA-MC-2T3-EC in L2VPN.
Workaround: There is no workaround.
•
Symptoms: SIP400 may crash during Change of Authorization (CoA) push.
Conditions: Occurs on a SIP400 with ACL configurations on iEdge sessions and CoA push enabled.
Workaround: There is no workaround.
•
Symptoms: Router crashes.
Conditions: Occurs when large number of remote end points try to connect to the gateway at the same time. The router may crash if "rsa-sig" is used as authentication method.
Workaround: There is no workaround.
•
Symptoms: When removing PA-MC-8TE1+ from the chassis, the router has an unexpected system reload. This reload happens when you remove the port adapter and the router is running the Cisco IOS bootloader image. Also happens when the port adapter is removed after the router finishes loading the Cisco IOS bootloader image and before it loads the complete Cisco IOS Software image.
Conditions: This occurs on a Cisco 7200 VXR NPE-G2 Series Routers on the Cisco IOS bootloader image from the Cisco IOS Release 12.4(4)XD.
Workaround: Remove PA-MC-8TE1+ when the complete Cisco IOS Software Image finishes loading.
•
Symptoms: "Acct-Input-Giga-word" and "Acct-Output-Giga-wor" attributes are missing in the Accounting request packets.
Conditions: The symptoms are observed when you send traffic that requires the giga word counters to be incremented.
Workaround: There is no workaround.
•
Symptoms: Protocol Independent Multicast (PIM) VPN routing/forwarding (VRF) neighbors not formed.
Conditions: Occurs after line card reload.
Workaround: Delete and add back the MVPN configuration.
•
Symptoms: In scaled conditions (8000 IP sessions) with SACL applied, line card memory leaks over a period of 4-5 hours. Sometimes this even results in a line card crash. The "Sacl Np Client" task occupies most of the CPU, and a large number of IP sessions (around 10% of 8k) will be in feature pending status, with ACL pending flag set.
Conditions: Occurs under scaled conditions with approximately 8000 IP sessions, with the same SACL applied to all IP sessions.
Workaround: There is no workaround.
•
Symptoms: Cisco router crashed while Intermediate System-to-Intermediate System (IS-IS) is coming up.
Conditions: Occurred only on a Cisco router running Cisco IOS Release 12.2(33)SRC2 with "mpls traffic-eng multicast-intact" configured under "router isis".
Workaround: Disable "mpls traffic-eng multicast-intact" configuration.
•
Symptoms: Following a processor switchover in route processor redundancy (RPR) plus mode, the SM-1CHOC12/T1-SI card on the channelized serial interfaces goes down.
Conditions: Occurs after the processor switchover in RPR plus mode.
Workaround: Use hw-module reset to solve the issue.
•
Symptoms: Memory leak occurs.
Conditions: Occurs during normal operations.
Workaround: There is no workaround.
•
Symptoms: Features requiring nas-port as a username determined by AAA (such as pre-auth) will not work on the standby device, causing standby sessions to be poisoned.
Conditions: AAA calculates the IP address of the best port, which is up and active. However, on the standby device, no interface is visibly active, resulting in a best IP address defining the router to be 0.0.0.0.
Workaround: There is no workaround.
•
Symptoms: Multicast rate-limiters stop working after a HA switchover.
Conditions: To see this issue you have to have a HA setup with multicast rate-limiters set. In order to see this issue the rate-limiters must have been set before the standby is booted. If the rate-limiters are set after standby is up in HOT state, the issue is not seen after switchover.
Workaround: Remove and reconfigure the rate-limiters.
•
Symptoms: After a router reload, the Flex Link configuration (switchport backup interface Po#) is lost.
Conditions: Occurs when a backup interface is a port-channel interface.
Workaround: There is no workaround.
•
Symptoms: Router crashes while adding flexible NetFlow.
Conditions: Occurred on a router running Cisco IOS Release 12.2(33)SRC1.
Workaround: There is no workaround.
•
Symptoms: Imposition traffic on a Ethernet Over MPLS (EoMPLS) VC is dropped.
Conditions: Occurs if xconnect is configured on a EVC with switchport on another interface.
Workaround: There is no workaround.
Further Problem Description: When this problem happens the DMAC used by the imposition line card is that of the switchport interface instead of the router MAC address, causing the packet to be dropped.
•
Symptoms: All tagged packets on a hardware Ethernet Over MPLS (EoMPLS) VC is subjected to CoPP when the VC is down.
Conditions: Occurs if VC is brought down by flapping core facing interface.
Workaround: Remove the control-plane policy.
Further Problem Description: It is applicable to only port-mode hardware EoMPLS.
•
Symptoms: IPv6 DMVPN tunnel does not work. IPv6 NHRP registration between Hub and Spoke fails.
Conditions: The symptoms are observed under normal operation.
Workaround: There is no workaround.
•
Symptoms: Send statistics from the show mpls l2 vc command are not displayed.
Conditions: Occurs on a PE when the other PE's core-facing link is flapped.
Workaround: Perform a shut/no shut on the SVI interface.
•
Symptoms: The group state of a slave group may unexpectedly change to Active after an RP switchover.
Conditions: The symptom is observed when HSRP multigroup is configured such that a slave group follows the state of a master group. If the HSRP group state is Standby, then the group state of the slave group may change to Active after an RP switchover.
Workaround: There is no workaround.
•
Symptoms: Internal VRF gets disabled at when the router boots up.
Conditions: Occurs after any failover or router start-up scenario
Workaround: Use the no platform ivrf disable to avoid the issue.
•
Symptoms: Router crashes when the shutdown command is used on an interface.
Conditions: Occurs when there are DHCPv6 bindings.
Workaround: There is no workaround.
•
Symptoms: The MLS shortcut for a user-traffic flow based on RADIUS Framed-IP (FIP) is not purged when the FIP sticky times out. RADIUS Load Balancing (RLB) sends out a purge request before deleting sticky and has no effect in deleting the MLS shortcut entry.
Conditions: Occurs on a device configured with RLB and FIP sticky idle timer and with MLS aging timer configured higher than the RLB FIP sticky idle timer.
Workaround: There is no workaround.
•
Symptoms: A router remains in the init_process state when parsing the configuration.
Conditions: The symptom is observed when an IPv6 multicast group joins without MLD configured. When the groups unjoin, the system suspends.
Workaround: Configure MLD.
•
Symptoms: In switches running Cisco IOS Release 12.2(33)SRC, high CPU may be seen on the SP/DFC due to NDE-IPv4 process. This may result in following unrelated problems:
- Corrupted file system(s)
- show running command may show "read error" etc.
- Continuous CPUHOGs automatically disabling Cisco Express Forwarding (CEF).
Log Messages reported:
%SYS-SP-3-CPUHOG: Task is running for (4000) msecs, more than (2000)msecs (2/0),process = NDE - IPV4.Conditions:
- Affects 12.2(33)SRC or later, but not earlier versions.
- Slow response to console commands.
- Netflow enabled on point-to-point interfaces
- High number of IPv4 routes learned via BGP.
Workaround: Downgrade to the latest release of 12.2(33)SRB. During high CPU condition, do the following:
1. Remove ALL interface level and global netflow configurations.
2. Configure global command: cef table output-chain build favor convergence-speed.
3. Re-apply global and interface level netflow configurations.
The cef table ... command mentioned above will stay in the configuration. This command should stop this issue from re-occurring.
•
Symptoms: Igmp-proxy reports for some of the groups are not forwarded to the helper. This causes members not to receive the multicast traffic for those groups.
Conditions: The problem is seen when the igmp-proxy router is receiving UDP control traffic. That is, the router is receiving any UDP control-plane traffic on any interface.
Workaround: There is no workaround.
•
Symptoms: On Cisco 7600 with RSP720-3C-10GE processor, if the SIP-400 is configured as Lawful Intercept (LI) service module after a line card online insertion and removal (OIR), the SIP-400 may not get selected as Lawful Intercept service module.
Conditions: Occurs when the SIP-400 is configured as Lawful Intercept service module on the Cisco 7600.
Workaround: After line card OIR, select the SIP-400 again as the LI service module using the command li-slot list <sip400 slot number>.
•
Symptoms: Intelligent Services Gateway (ISG) traffic from one user to another may fail if the packet needs to be processed by the RP in a Cisco 7600.
Conditions: Occurs when ISG is configured and packets are switched from one subscriber to a second subscriber.
Other symptoms : - Counters of packet transfer might show difference between user transferring between each other - Access-list might fail to block the packet
The 2 above symptoms will be seen when user are sending receiving on the same interface via the ISG
Workaround: There is no workaround.
•
Symptoms: NPE-G1 is crashing with "pppoe_sss_holdq_enqueue" as one of the last functions.
Conditions: Unknown.
Workaround: Entering the deb pppoe error command will stop the crashing.
•
Symptoms: Cisco router crashes when Open Shortest Path First (OSPF) neighbor is being configured in non-base topology and IP address of the neighbor does not fall into range of any existing interface.
Conditions: This crash will only occur when OSPF is configured to support multi-topology routing, and neighbor statements are used in the submode for a non-base topology.
Workaround: Configure the neighbor with this IP address in the base topology first.
•
Symptoms: Junk values are being displayed on the router when characters/commands are inputted. For example, enter "enable", it shows "na^@^@"; enter "show version", it shows "h ^v^@e^@^r^@^@^@^@^@".
Conditions: The symptoms are observed with Cisco IOS Release 12.4(23.2)T.
Workaround: There is no workaround.
Further Problem Description: The CLI function is not affected by the junk values.
•
Symptoms: The ip rip advertise command might be lost from the interface.
Conditions: This symptom occurs in any of the following three cases:
1. The interface flaps. 2. The clear ip route command is issued. 3. The no network <prefix> command and then the network <prefix> command are issued for the network corresponding to the interface.
Workaround: Configure the timers basic command under the address-family under rip.
•
Symptoms: The following system error message with "Out of IDs!" warning is seen with traceback:
%IDMGR-3-INVALID_ID: bad id in id_get (Out of IDs!) (id: 0x0)
Conditions: This symptom is observed when flapping 24K sessions over 12K tunnel once, recreating this issue.
Workaround: There is no workaround.
•
Symptoms: Cisco 7200 NPEG2 router crashes while displaying the interface output for onboard gigabit ethernet using the show interface gig0/x command.
Conditions: Occurs when a CBWFQ QoS policy is attached to the onboard gigabitethernet interface.
Workaround: There is no workaround.
•
Symptoms: The M(andatory)-Bit is not set in Random Vector AVP, which is a must according to RFC2661.
Conditions: This symptom is observed with Egress ICCN packet with Random Vector AVP during session establishment.
Workaround: There is no workaround.
•
Symptoms: A LAC might terminate a tunnel unexpectedly.
Conditions: This symptom is seen when the tunnel password exceeds 31 characters.
Workaround: Use a shorter password if policy allows.
Further Problem Description: This is seen with Cisco IOS interim Release 12.2 (34.1.3)SB1. With a customer specific special based on Cisco IOS Release 12.2 (31)SB11, it allowed 64 characters.
•
Summary: Cisco's VTP protocol implementation in some versions of Cisco IOS and CatOS may be vulnerable to a DoS attack via a specially crafted VTP packet sent from the local network segment when operating in either server or client VTP mode. When the device receives the specially crafted VTP packet, the switch may crash (and reload/hang). The crafted packet must be received on a switch interface configured to operate as a trunk port.
Workarounds:There are no workarounds available for this vulnerability.
This response is posted at http://www.cisco.com/warp/public/707/cisco-sr-20081105- vtp.shtml
•
Symptoms: Link debounce down feature not working on RSP720-3C-10GE ports due to fast link feature.
Conditions: Occurs when link debounce is configured on RSP720-3C-10GE.
Workaround: Use "carrier-delay" instead.
Further Problem Description: On configuring link debounce, fast link, which is enabled by default and has no CLI, needs to go off but does not.
•
Symptoms: SXP is set up between two devices but fails to initialize.
Conditions: This symptom is observed when SXP is set up between two devices.
Workaround: There is no workaround.
•
Symptoms: Unable to configure PVC when connect command is configured.
Conditions: Occurs Cisco 7200 routers.
Workaround: There is no workaround.
•
Symptoms: Some static routes are not in the IP routing table state after a stateful switchover (SSO).
Conditions: This only occurs following a SSO event.
Workaround: Perform a shut/no shut of interface if the route does not come up automatically.
•
Symptoms: After the Resilient Ethernet Protocol (REP) topology is returned by the rep preempt command, MAC address table is not cleared.
Conditions: During internal testing, this occurred approximately 3 times out of 20.
Workaround: Use the clear mac-address-table dynamic command to clear the table.
•
Symptoms: Configuring Bidirectional Forwarding Detection (BFD) for a Border Gateway Protocol (BGP) neighbor that is established on a subinterface will cause the BGP session to go down.
Conditions: Occurs on a Cisco 7600 router with BGP session established on a subinterface and the subinterface is configured in "native vlan" mode while the configured BFD session is in ECHO Mode.
Workaround: Configure subinterface in "non-native" mode.
•
Symptoms: There are two ways to define VRFs when supporting the 6VPE feature: 1) ip vrf 2) vrf definition. The "vrf definition" configuration may take a much longer time to allow convergence between the PE and the CE than the "ip vrf" configuration.
Conditions: The symptoms are observed under the following conditions: - when the router boots up; and - when the issue has been seen using the "vrf definition" configuration; and - when the router has over 100,000 VPNv4 BGP routes; and - when a large number of VRFs are configured.
Workaround: Use the "ip vrf" configuration, if you have only IPv4 VRFs configured.
•
Symptoms: Traceback observed when the PPPoEoA session is brought up.
Condition: Occurs when the interface is not up.
Workaround: There is no workaround.
•
Symptoms: A provider-edge (PE) router configured to run Multicast VPN (MVPN) will not install an alternate MDT next-hop on a route that is learned through an OSPF sham-link.
Conditions: The symptom is observed when two PEs are configured to run MVPN and create a sham-link between them. Remote routes that are learned through the sham-link will not have an MDT tunnel.
Workaround: There is no workaround.
•
Symptoms: Infinite Loop occurs when doing MIB walk on cdot1agStackTable objects.
Conditions: Occurs on a Cisco 7600 running Cisco IOS Release 12.2(33)SRD and configured with 10GE-XFP-SPA and SIP-600 configured for Distributed Forward. This problem is seen when "MIP/MEP" configured on Te1/0/0 interface and MIB walk is performed on cdotagStackTable objects.
Workaround: Do not configure "MIP/MEP" on Te1/0/0 interface.
•
Symptoms: BGP updates may not be sent out.
Conditions: The symptom is observed when neighbors are flapped in a large- scale scenario.
Workaround: There is no workaround.
•
Symptoms: PPPoE sessions over VLAN over ATM with process switch stuck at LCP stage.
Conditions: Occurs when the protocol pppovlan command is configured on ATM subinterface along with no ip cef. PPPoE sessions are not created.
Workaround: Use the ip cef command.
•
Symptoms: Due to TestLoopback diagnostic failure on RSP supervisor, the interface is placed to err-disable state.
Conditions: This is seen when the interface is configured as RJ45 and with speed between 10 to 100mbps.
Workaround: Configure the speed on RJ45 interface "auto" negotiation and execute the diagnostic test TestLoopback to get the port out of err-disable.
•
Symptoms: Traffic is not passed through an Ethernet Virtual Circuit (EVC) service instance.
Conditions: Occurs after configuring EVC (Ethernet Virtual Circuit) service instance. The show platform efp-client command shows no output.
Workaround: There is no workaround.
•
Symptoms: When traffic engineering (TE) and fast reroute (FRR) is configured between the stitching router and provider edge (PE), traffic fails.
Conditions: Occurs when pseudowire stitching is configured.
Workaround: Do not enable FRR between these routers.
•
Symptoms: A Cisco 7600 running Virtual Private LAN Services (VPLS) with QinQ tunnels is forwarding CDP/VTP packets from the tunnel interfaces across remote sites, even when L2TP is not enabled.
Conditions: Occurs with a VPLS setup with QinQ tunnel interfaces facing the customer edge.
Workaround: Use different domain names to avoid changes to VTP database.
•
Symptoms: Protocol Independent Multicast (PIM) neighborship is not established with SIP600 over R-VPLS.
Conditions: Occurs when more than one VC on different VLANs exists with SIP600 links as core-facing and one of the VLANs configured with PIM.
Workaround: There is no workaround.
•
Symptoms: Layer 2 forwarding on other modules breaks when SIP-400 interface running eBGP and GRE flaps
Conditions: Occurs on a SIP-400 with SPA-2X1GE running BGP and GRE tunnels. Interface flaps on other modules are unable to resolve ARP or maintain routing neighbors. Issue seen on Supervisor 720 and Cisco 6748 CFC ports.
Workaround: Reload the chassis.
•
Symptoms: OSPF between two customer sites over H-VPLS network with SIP600 as core facing card in the hub router fails to come up.
Conditions: This is seen with traffic engineering (TE) and fast reroute (FRR) TE/FRR setup in the hub, and when TE tunnels have dynamic path option set.
Workaround: Perform a shut/no shut on the core-facing SIP600 interface.
•
Symptoms: TCP sessions passing through a NAT router freeze.
Conditions: The NAT router is a Cisco 7600 with RSP720. NAT translation entries keep using syn-timeout (default = 60 sec) even after TCP three-way handshake is done. Use show ip nat translation verbose to check timer
Workaround: Use the ip nat translation syn-timeout command, which mitigates the problem to some extent.
•
Symptoms: After reloading, NetFlow stops working and the output of show ip interface shows "IP Routed Flow creation is disabled in netflow table"
Conditions: This condition is seen on WAN main interfaces of a Cisco 7600 running Cisco IOS Release 12.2(33)SRB3 and can also be seen on Cisco IOS Release 12.2(33)SRC2.
Workaround: Remove and reconfigure NetFlow on the affected interfaces.
•
Symptoms: A Cisco 7600 PE router fails to redistribute a VRF prefix into BGP after the prefix or path to it flaps. The PE router will indicate the prefix being redistributed into BGP but the prefix will not get installed into the BGP table until the prefix is cleared:
E2#sh ip route vrf foo 10.5.5.5Routing Table: foo Routing entry for 10.5.5.5/32 Known via "ospf 1", distance 110, metric 20, type extern 2, forward metric 10 Redistributing via bgp 666 Advertised by bgp 666 metric 10 match internal external 1 & 2 Last update from 10.45.45.2 on Ethernet1/0, 00:00:56 ago Routing Descriptor Blocks: * 10.45.45.2, from 10.5.5.5, 00:00:56 ago, via Ethernet1/0 Route metric is 20, traffic share count is 1 PE2# PE2#sh ip bgp vpnv4 vrf foo 10.5.5.5 % Network not in table PE2#Conditions: The PE router redistributing the given prefix must have a sham-link configured for the given VRF and an alternate path to the prefix must exist once the primary (sham-link) is down.
Workaround: Use the following command: clear ip route vrf vrfname <prefix>.
Further Problem Description: This problem is seen only in Cisco IOS Release 12.2(33)SRB. Cisco IOS Releases 12.2(33)SRC/SRD, etc. are not affected.
•
Symptoms: RP configured inside a NAT not shown on test device outside the NAT.
Conditions: Entering the show ip pim rp mapping command fails to display the RP.
Workaround: There is no workaround.
•
Symptoms: ISSU does not work from Cisco IOS Release 12.2(33)SRD to Cisco IOS Release 12.2(33)SRB5.
Conditions: When ISSU is performed from Cisco IOS Release 12.2(33)SRD image to 12.2(33)SRB5 image, ISSU is not working because of a default command introduced in 12.2(33)SRD.
Workaround: There is no workaround.
•
Symptoms: The error message %SYS-2-CHUNKBOUNDSIB and traceback are seen.
Conditions: The symptoms are observed when the show running- config/write memory command is issued.
Workaround: There is no workaround.
•
Symptoms: BGP peer fails to exchange the OPEN Message for negotiating capability when the neighbor router does not support any BGP capabilities.
Conditions: The symptom is observed when the neighbor router does not support any BGP capabilities and when the capability negotiation fails due to an SSO switchover.
Workaround: Configure "neighbor x.x.x.x dont-capability-negotiate". Issue the clear ip bgp * command when the issue occurs.
•
Symptoms: The ES20-GE3C/GE3CXL line card may crash if the explicit-path of an MPLS Traffic Engineering (TE) tunnel is changed so that it no longer goes out a core-facing port-channel interface.
Conditions: Seen only when the following conditions are met:
- Virtual Private LAN Services (VPLS) traffic passes over the MPLS Traffic Engineering tunnel.
- Traffic going out the tunnel initially goes over a port-channel interface.
- Five or more ports on the ES20 line card are used in the port-channel interface.
- The explicit-path specified avoids the port-channel interface
Workaround: Shut down the port-channel interface first before changing the tunnel's explicit-path.
•
Symptoms: E1 and SonetVT layers are down even though serial (Upper Layer) ifOperStatus is UP
Serial1/0/0.1/2/1/1:1 ifOperStatus.156 = up(1)
E1 1/0/0.1/2/1/1 ifOperStatus.157 = lowerLayerDown(7
TU 1/0/0.1/2/1/1 ifOperStatus.158 = down(2)
tug 3-2 tug 2-1 e1-1:chgrp1
AU-4 1, TUG-3 2, TUG-2 1, E1 1 (C-12 1/2/1/1) is up
156 Se1/0/0.1/2/1/1:11500512KUP UP
157 E1 1/0/0.1/2/1/102.05MUP <blank>
158 TU 1/0/0.1/2/1/102.05MUP down
Conditions: Occurs on serial interfaces of SPA-1XCHSTM1/OC3.
Workaround: There is no workaround.
•
Symptoms: TCLsh mode is not exited when the session is disconnected or times out. The next user to connect and authenticate is put in TCLsh mode.
Conditions: Occurs on high availability systems with an active and standby RP.
Workaround: Explicitly exit TCLsh mode rather than disconnecting or allowing the session to time out.
•
The server side of the Secure Copy (SCP) implementation in Cisco IOS software contains a vulnerability that could allow authenticated users with an attached command-line interface (CLI) view to transfer files to and from a Cisco IOS device that is configured to be an SCP server, regardless of what users are authorized to do, per the CLI view configuration. This vulnerability could allow valid users to retrieve or write to any file on the device's file system, including the device's saved configuration and Cisco IOS image files, even if the CLI view attached to the user does not allow it. This configuration file may include passwords or other sensitive information.
The Cisco IOS SCP server is an optional service that is disabled by default. CLI views are a fundamental component of the Cisco IOS Role-Based CLI Access feature, which is also disabled by default. Devices that are not specifically configured to enable the Cisco IOS SCP server, or that are configured to use it but do not use role-based CLI access, are not affected by this vulnerability.
This vulnerability does not apply to the Cisco IOS SCP client feature.
Cisco has released free software updates that address this vulnerability.
There are no workarounds available for this vulnerability apart from disabling either the SCP server or the CLI view feature if these services are not required by administrators.
This advisory is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sa-20090325-scp.shtml.
•
Symptoms: Entering the no ip routing or no router bgp xx command yields the following error message:
%IPRT-3-IPDB_DEL_ERROR: i_pdb delete error bgp, 4, 210074C8, 20E322E0, 0, 0 -Process= "IP RIB Update", ipl= 0, pid= 117, -Traceback= 0x61FD7F58 0x62005498 0x62006D24Conditions: Occurs when a large number of VRFs must be configured and BGP is also configured to support these VRFs, then a show command, such as show run, is issued shortly after the no ip routing or no router bgp command.
Workaround: There is no workaround.
•
Symptoms: Router reloads, and the following error is displayed:
SP: MACSEC: Assert failure: mat_rc >= BD_MAT_RET_SUCCESSConditions: Occurs when, for a given service instance, a secure entry is removed with mac security aging inactivity configured and mac security configured.
This can occur through the CLI via a command like clear ethernet service instance id id interface interface id mac table, or it can occur due to EFP shutdown.
If this occurs at the same time that the entry's aging timer expires, the reload may occur.
Workaround: There is no workaround if "aging inactivity" is required. This problem will not occur if mac security aging inactivity is not configured.
•
Symptoms: The router reloads with the following error:
SYS-6-BLKINFO: Corrupted redzone blk
Conditions: Occurs when the cns image is active, and a CNS image operation is in progress.
Workaround: There is no workaround.
•
Symptoms: Spurious access or crash seen on a router with a CEoP SPA, when bulk sync happens between RP and RPR.
Conditions: Occurs during regular bootup.
Workaround: There is no workaround.
•
Symptoms: Subsequent software releases are not backward compatible with Cisco IOS Release 12.2(33)SXI when performing an ISSU upgrade.
Conditions: Occurs with versions of Cisco IOS that are released after Cisco IOS Release 12.2(33)SXI.
Workaround: Instead of ISSU upgrade or downgrade, perform a regular image upgrade or downgrade.
•
Symptoms: After online insertion and removal (OIR) of the SPA or line card holding the active Automatic Protection Switching (APS) interface, there are two active interfaces for the same APS group. During OIR, the old inactive interface becomes active and the OIRed interface also comes back up as active. The OIR interface should come up as inactive.
Conditions: The problem is seen only on ATM SPAs and is seen with both SR-APS and MR-APS configurations.
Workaround: In the case of a manual OIR, this can be prevented by entering the force APS switchover command before performing an OIR on the active.
When OIR happens due to other reasons and the problem is seen, perform a shut/no shut on one of the interface.
•
Symptoms: SIP-400 crashes on RADIUS CoA push with Cisco Intelligent Services Gateway (ISG).
Conditions: Occurs on a SIP-400 configured for IP/PPPoE sessions and ACL configuration push from other router.
Workaround: There is no workaround.
•
Symptoms: When cbgpPeerCapsTable is queried, it does not return the results of VPNv4 neighbors.
Conditions: Configuration should have VPNv4 neighbors.
Workaround: There is no workaround.
•
Symptoms: A router may reload if PfR is enabled and the number of flows exceeds the size of the NetFlow cache. This is a stress condition.
Conditions: This symptom is observed when PfR is enabled (which also enables NetFlow).
Workaround: A possible workaround is to configure the following:
ip flow-cache timeout active 1
•
Symptoms: Clearing the SSH sessions from a VTY session may cause the router to crash.
Conditions: The symptom is observed when a Cisco 7300 series router is configured for SSH and then an SSH session is connected. If the SSH session is cleared every two seconds using a script, the symptom is observed.
Workaround: There is no workaround.
•
Symptoms: "Circuit-id-tag" and "remote-id-tag" attributes may be duplicated in packets sent to the RADIUS server.
Conditions: The symptom is observed with Cisco IOS Release 12.2(31)SB13.
Workaround: Use Cisco IOS Release 12.2(31)SB14.
•
Symptoms: When "no aaa new-model" is configured, authentication happens through the local even when tacacs is configured. This happens for the exec users under vty configuration.
Conditions: Configure "no aaa new-model", configure login local under line vty 0 4 and configure login tacacs under line vty 0 4.
Workaround: There is no workaround.
•
Symptoms: After performing a redundancy switchover (RPR+ mode), the ARP table is not correctly populated. Entering the clear ip arp or the clear arp-cache commands, then pinging the connected CE or PE causes an incomplete entry to be added to the ARP table.
Conditions: This is seen on Gigabit Ethernet, FastEthernet and POS interfaces. ATM and serial interfaces seem do not appear to be affected. This behavior is not seen with stateful switchover (SSO).
Workaround: There is no workaround.
•
Symptoms: A Cisco 10000 series router crashes. Traceback decode points to a function of bgp_vpn_impq_add_vrfs_cfg_changes.
Conditions: The symptom is observed while unconfiguring VRFs. It is most likely to be seen when 100 VRFs or more are unconfigured.
Workaround: There is no workaround.
•
Symptoms: An 0.0.0.0 binding with a 0 minute lease gets created and subsequently removed on the DHCP unnumbered relay.
Conditions: The DHCP client sends a DHCPINFORM with ciaddr set to its address, but giaddr is empty. The relay fills in giaddr with its IP address and the server replies to giaddr. Since the DHCPACK is in response to DHCPINFOM, the lease-time option is absent. Relay receives the DHCPACK and tries to process it normally leading to the route addition.
Workaround: There is no workaround.
Further Problem Description: This behavior can indirectly have a negative impact on the system by triggering other applications to be called because the routing table change is triggered by such DHCP requests. Examining "debug ip routing" for 0.0.0.0/32 reveals 0.0.0.0/32 route flapping.
•
Symptoms: Unicast flooding occurs for all traffic destined to VLAN SVI. MAC address for the VLAN SVI is being learned dynamically.
Conditions: Changing the VLAN SVI configuration from IP to XCONNECT and back without shutting down the interface will result in the router MAC being learned dynamically instead of being installed as static. Normal aging occurs on the dynamic MAC, resulting in unicast flooding if the MAC is removed from the MAC address table.
Workaround: Perform a shut/no shut on the affected VLAN SVI.
•
Symptoms: A Cisco 7600 may crash when a distribute-list is deleted.
Conditions: Crash occurs when removing a distribute-list from EIGRP. The distribute-list was one of many that was sharing the same route-map and access-list. The crash only happens when multiple protocols have the same direction distribute-list configured on the same interface, as in the following example:
router eigrp 10
network 10.0.0.0
distribute-list 49 out Ethernet1/2.10
router rip
network 10.0.0.0
default-metric 2
distribute-list 49 out Ethernet1/2.10
Workaround: There is no workaround.
•
Symptoms: When doing an SNMP walk on OLD-CISCO-IP-MIB when the routing table has several thousand prefixes, excessive CPU utilization occurs.
Conditions: The symptoms are seen only when there are several thousand prefixes in the routing table.
Workaround: Exclude the OLD-CISCO-IP-MIB from the SNMP walk. This MIB has been deprecated.
•
Symptoms: Intermittent traffic loss occurs on switch virtual interface (SVI) enabled with Virtual Router Redundancy Protocol (VRRP). Cannot ping VRRP IP address.
Conditions: Occurs with VRRP configured on SVI. Traffic loss/ping VRRP IP address failure seen sometimes on bootup.
Workaround: If VRRP mac-address is present as dynamic entry on bootup, this issue can be seen. Reconfigure VRRP as a workaround.
•
Symptoms: Cisco 7200 G2 router crashes when changing configuration of serial interfaces from PPP to SDLC and back to PPP, while running traffic.
Conditions: This is observed on a T3 link with 56 channel groups configured on a WAN aggregation device. All the serial interfaces have service-policy configured.
Workaround: Remove the service-policy before changing the encapsulation to SDLC.
•
Symptoms: When accounting is enabled for virtual private dial-up network (VPDN), there might be messages with termination cause "nas-error" and displaying impossible values in Acct-Input-Octets, Acct-Output-Octets, Acct-Input-Packets and Acct-Output-Packets.
This causes accounting to be unreliable.
Conditions: Occurs with Cisco IOS Release 12.4T and configured for PPTP/L2TP with accounting.
Workaround: There is no workaround.
•
Symptoms: If there are multiple EFPs with, for example encapsulation 100, same encapsulation on different interfaces and with different bridge-domains configured for Virtual Private LAN Services (VPLS), then if there is a topology change notification (TCN) received on one of the Ethernet Flow Points (EFPs) on one interface, then Label Distribution Protocol (LDP) MAC address withdrawals are sent for all the bridge domains on all the interfaces.
Conditions: Occurs when the network has EVCs on the L2-Access forwarding to VPLS core. Multiple Spanning Tree (MST) is running on the access VLANs.
Workaround: There is no workaround.
•
Symptoms: In the pseudowire stitching configuration, if fast reroute (FRR) is enabled for link or node protection at the tunnel stitching router, then end-to-end connectivity is broken.
Conditions: Problem happens only if a Cisco 7600 is the stitching-point router and has MPLS Fast Reroute enabled.
Workaround: Disable FRR at the stitching point.
•
Symptoms: Sending a NETCONF hello reply which contains a "session-id" element triggers an instant crash. The device will report a reload due to a bus error.
Conditions: This occurs when sending a hello reply which contains a session-id element. A hello without this element, one which only contains NETCONF capabilities, does not cause a crash.
Workaround: Send a NETCONF hello without a session-id element.
•
Symptoms: If Ethernet interface configured as Open Shortest Path First (OSPF) point-to-point network then adjacency is being established using only multicast packets. As a result routes calculated over the link do not have MAC address of next-hop's IP resolved prior to routes being installed into the routing table. This leads to delay for routes to become usable as lower-level protocols have to trigger MAC resolution. During short period of time traffic sent over the interface is lost when routes are just installed for the first time.
Conditions: Occurs when Ethernet interface is configured for OSPF point-to-point.
Workaround: Problem will self-correct because passing traffic triggers MAC address resolution.
•
Symptoms: ISSU upgrade to Cisco IOS Release 12.2(33)SRD did not put router into route processor redundancy (RPR) mode.
Conditions: Occurs when no service image-version efsu is enabled. During ISSU upgrade from Cisco IOS Release 12.2(33)SRB or SRC to Cisco IOS Release 12.2(33)SRD, the router incorrectly goes into stateful switchover (SSO). The correct mode is RPR because SSO ISSU from these releases to Cisco IOS Release 12.2(33)SRD is not supported.
Workaround: Remove the no service image-version efsu configuration by the default service image-version efsu and continue the upgrade process.
Further Problem Description: If any of the following Config, Exec or ROMMON variables are set, the SSO-based ISSU will not be blocked:
Config:
"no service image-version efsu",
"no service image-version compatibility",
Exec:
"issu image-version compatibility disable",
ROMMON variable:
RED_MODE = "RPR_PLUS'
RED_MODE_SSO
RF_REDUN_COMP = 1
When performing any ISSU upgrade from SRB/SRC to SRD, make sure none of the above overrides is set on the router. The service image-version efsu command detects the incompatibility and puts the router in RPR mode.
•
Symptoms: Cisco 7201 with Gi0/3 experienced communication failure.
Conditions: This problem does not occur with Gi0/0 or Gi0/2.
Workaround: Perform a shut/no shut on the Gi0/3. The problem will occur again.
•
Symptoms: BACKPLANE_BUS_ASIC-4-DEV_RESET error interrupts generated by SIP-400 module, causing traffic interruption.
Conditions: Occurs when PPPoE traffic ingresses a SIP-400 line card on a Cisco 7600 Series router running Cisco IOS Release 12.2SR.
Workaround: There is no workaround.
•
Conditions: On an ES-20, sometimes the interface configured as a promiscuous port does not forward the traffic to other community and isolated ports on the same private VLAN. The traffic on the promiscuous port is forwarded to all other community and isolated ports belonging to the same private VLAN. This is the expected behavior.
Condition: Sometimes using the CLI on the interface configured in the promiscuous mode switchport mode private-vlan promiscuous after switchport private-vlan mapping <primary vlan> <secondary vlans> can cause traffic to be dropped. The order of these CLIs should not matter.
Workaround: There is no workaround.
•
Symptoms: The SP crashes when the device receives an IP address from the DHCP server. The following error message is displayed:
Signal = 11 Vector = 0x1400
Conditions: Occurs on a Cisco Catalyst 6500 with RSP720-3C-GE when the ip verify source vlan dhcp-snooping is enabled.
Workaround: There is no workaround.
•
Symptoms: A Cisco 10000 series router may crash at issu_print_memory while doing a loadversion.
Conditions: The symptom is observed on a Cisco platform, when enabling the debug command debug issu all in the router and doing a loadversion.
Workaround: Do not turn on ISSU debug.
•
Symptoms: An access-list with multiple ports in a single entry only programs the first port into TCAM. All subsequent ports are not processed according to the access-list entry.
For example, the following access-list should block both SSH (TCP port 22) and Telnet (TCP port 23), but Telnet is permitted.
ip access-list extended deny_ssh_and_telnet deny tcp any any eq 22 telnet permit ip any anyConditions: Occurs when there is an extended named access-list with multiple ports in a single access-list entry. This only applies to transit traffic since traffic destined to the router is process-switched and processed in software.
Workaround: There is no workaround.
•
Symptoms: New DHCP clients are not able to get IP address from DHCP server via DHCP relay on the router. Existing clients are unable to renew their IP addresses
Other Symptoms:
1.1 When we're trying to display DHCP bindings with "show ip dhcp binding" command the following message is observed:
% The DHCP database could not be locked. Please retry the command later.
1.2 Command "ip dhcp database" disappeared from the running configuration.
1.3 Output of "show run" is delayed.
1.4 Output of "debug ip dhcp events" show the following when a new DHCP packet is received:
DHCPD: dhcpd_receive_packet: unable to lock semaphore to check for pre-existing bindings could not lock se. DHCPD: dhcpd_timer_process could not lock semaphore. DHCPD: dhcp_server_receive could not lock semaphore.
2.1. This bug may also cause DHCP Snooping failure. In this case, the output of the show ip dhcp snooping database command constantly shows these lines:
Agent Running : Yes Delay Timer Expiry : 0 (00:00:00) Abort Timer Expiry : Not RunningConditions: Occurs when DHCP and/or DHCP Snooping database agent is configured to store bindings on a TFTP server, and then the database files are not present or are read-only for some time on TFTP server while the router tries to write to them.
Workaround: Before the issue occurs, there are three known alternatives to avoid this problem:
1. Either configure "length 0" for line console 0;
2. Or - log in via console at least once since router startup;
3. Or - use Cisco IOS Release 12.2(33)SRD but do not enable "debug tftp packet".
To fix the issue after it has occurred, connect to the router via console, press space bar to get rid of "--More--" prompt, then press enter to log in
•
Symptoms: A router may crash due to a bus error after displaying the following error messages:
%DATACORRUPTION-1-DATAINCONSISTENCY: copy error, %ALIGN-1-FATAL: Illegal access to a low address < isdn function decoded>Conditions: The symptom is observed on a Cisco 3825 router that is running Cisco IOS Release 12.4(22)T with ISDN connections.
Workaround: There is no workaround.
Further Problem Description: When copying the ISDN incoming call number for an incoming call from Layer2, the length of the call number was somehow exceeding the maximum allocated buffer size (80). PBX has pumped a Layer2 information frame with call number exceeding the maximum number length limit. It leads to memory corruption and a crash.
•
Symptoms: A router configured with BGP and VPN import may crash.
Conditions: This is a hard to hit race condition. BGP imports a path from VRF-A to VRF-B. The following steps have to take place in exactly this order for the crash to occur: 1. The next-hop for the path has to become unreachable. 2. BGP has to re-evaluate the bestpath on the net in VRF-A and result in no-bestpath on the net (because there is no alternative path available). 3. RIB installation has to process the importing BGP net under VRF-B.
Step 3 will result in the crash. If, before step 3, the next-hop re-evaluation manages to process the net in VRF-B then it will clear the bestpath and there will be no crash. If, before step 3, the import code gets a chance to process the net it will clean-up the imported path from VRF-B and then there will be no crash.
Workaround: There is no workaround.
•
Symptoms: Cisco router may crash pointing to OSPF code because of low memory access.
Conditions: Crash is specific to the following scenario:
1. Neighbor router performs IETF NSF restart.
2. Software interface between routers is removed from configuration when NSF restart is undergoing, when grace LSA is present in the database of the helper router.
3. Helper router will crash 1 hour later during max-age procedure for grace LSA. Reason is that grace LSA is associated with interface, but that interface does not exist any more.
Workaround: If configuration changes need to be done during network changes, the following applies:
1) Shutdown OSPF interface
2) Check show ip ospf da. Can you see type-9?
- NO => good, remove interface
- YES => 'no shutdown' interface, wait for neighbor going FULL (type-9 will be flushed during sync)
3) Repeat Step 1.
•
Symptoms: A Catalyst 6500 or Cisco 7600 router may not send back a BPDU with agreement flag in response to a proposal on its root port, causing slow convergence on the designated bridge.
Conditions: This is seen on Catalyst 6500 switches running any version of Cisco IOS Release 12.2(33)SXH. This is seen on Cisco 7600 routers running any version of Cisco IOS Release 12.2SR.
Workaround: The problem does not occur if debug spanning-tree event is enabled. This can be a suitable workaround in an environment with a small number of VLANs if the debug does not impact CPU usage.
•
Symptoms: SNMP messages are not seen.
Conditions: When the BRI interface is down on a remote router, and no ppp link reset is configured on device, SNMP trap message shows "down" instead of "keepalive failed".
Workaround: There is no workaround.
•
Symptoms: PBR stops working after stateful switchover (SSO). All traffic that should be policy routed is dropped instead.
Conditions: This usually happens after several switchovers between supervisors. Usually problem occur after about 10 switchovers, however, it could happen after first one.
Workaround: Remove and add policy on the interface.
•
Symptoms: A Cisco router crashes.
Conditions: This symptom is observed if the frame-relay be 1 command is issued under "map-class frame-relay <name>" configuration.
Workaround: There is no workaround.
•
Symptoms: When using denies in ACLs in crypto maps, the VPN SPA or VPN SM crashes.
Conditions: Occurs when configuration uses denies in ACLs with crypto maps that causes too many entries in the Ternary Content Addressable Memory (TCAM).
Workaround: Enter the crypto ipsec ipv4 deny clear command.
•
Symptoms: When a Cisco router is the Merge Point (MP) for a protected TE tunnel, and FRR is triggered, two things happen:
- The primary LSP goes down, and traffic is lost on the protected tunnel. - Any PLR that is downstream of the failure will lose its backup.
Conditions: When a competitor's router is a point of local repair (PLR) and a Cisco router is a merge point, then when FRR is triggered, the Cisco router drops the backup tunnel (in some cases immediately and in other cases after 3 minutes). This causes the primary tunnel that is protected by this backup to go down. The issue has been identified as related to the fact that session attribute flags (link/node protection desired) are being cleared by the competitor PLR when the Path is sent over the backup tunnel.
Workaround: There is no workaround.
•
Symptoms: The show policy-map interface command yields incorrect policer information.
Conditions: This problem affects only the reporting of policing statistics. It does not affect policer functionality. When police action is configured in a service-policy, the conformed rate displayed in show policy-map interface does not match with the class-map offered rate.
Workaround: There is no workaround.
•
Symptoms: VPN-NUM in VLAN-RAM TCAM wrongly provisioned after reconfiguration of Layer 3 port-channel. This changes member link mapping, and VRF membership changes on Layer 3 port-channel. Also discrepancy in L3MGR info between RP and SP for affected port-channel/internal vlan representation observed.
Conditions: When the command channel-group <number> mode active is configured on the member link before the respective Port-channel is configured, this causes the member link interface to go admin down. When the port-channel is configured, the port-channel first comes up and then the member link. This may cause the port-channel to take up the same VLAN which was previously assigned to the member link. If this happens, the symptom is seen.
Workaround: One workaround is to configure the port-channel first and then activate the channel-group on the member link interface. Another workaround is to create a dummy interface so that it takes up the member link's previous VLAN and the port-channel will be assigned a new one, in which case this problem is not seen.
•
Symptoms: Traffic with aggregate label was forwarded in wrong VPN, causing the mis-forwarding, as the IP prefix was not present in the VPN routing/forwarding (VRF) table.
Conditions: Occurs under the following scenario:
1. Aggregate label should not be using the VPN CAM.
2. The recirculation VLAN has the wrong VPN number.
Workaround: Manually correct the wrong mls vlan-ram entry.
Further Problem Description: If there are multiple aggregate labels on a given VRF, there might be a chance of seeing this issue.
•
Symptoms: A Cisco 10000 series router may crash at issu_print_memory while doing a loadversion.
Conditions: The active router crashes when doing load version with "debug issu all" turned on.
Workaround: Do not turn on ISSU debug.
•
Symptoms: Following errors are seen:
%IDMGR-3-INVALID_ID: bad id in id_to_ptr (bad id) (id: 0xFFFFFFFF) -Traceback= 60476EBC 60477400 60491664 616C5834 616C7EEC 61AB72CC 61AC2E64 61AC2EBC 60FE4274 60FDEFA4 60FD4180 60FD4874 60FD4BBC 60FD275C 60FD27A0 60FC8F74Conditions: This has been seen on a Cisco 7200 after upgrading to Cisco IOS Release 12.2(33)SRC2.
Workaround: There is no workaround.
•
Symptoms: The VPDN user does not take LNS-assigned IP addresses when using the DHCP pool.
Conditions: The symptom is observed whenever the DHCP server is unavailable or when the DHCP pool is exhausted.
Workaround: Use IP pool instead of DHCP pool.
•
Symptoms: Accounting start sent on DHCP OFFER rather than ACK.
Conditions: This issue can cause accounting irregularities if the DHCP process does not complete. For example, with active-active Cisco Intelligent Services Gateway (ISG) redundancy, two DHCP OFFERs will be sent, but only one will be accepted. Since accounting records are generated for both OFFERs, they will be duplicates of each other.
Workaround: There is no workaround.
•
Symptoms: A Cisco 3845 router that is running Cisco IOS Release 12.4(13) may bounce the frames (which are not destined for itself) on the same interface that receives them.
Conditions: The symptom is observed if there is bridging configured on an ethernet subinterface in the following way:
ip cef ! bridge irb ! interface GigabitEthernet0/1 no ip address no sh ! ! interface GigabitEthernet0/1.100 encapsulation dot1Q 100 ip address x.x.x.x x.x.x.x no ip redirects no ip unreachables no ip proxy-arp ip rip advertise 10 ! interface GigabitEthernet0/1.509 encapsulation dot1Q 101 bridge-group 1Workaround: If the command bridge-group 1 is removed from the sub-interface, it will behave as expected.
•
Symptoms: Cisco 7600 router has multiple E1s that randomly flap.
Conditions: Occurs on a router with RSP720, SIP-200 and 8xCHT1/E1 SPA installed.
Workaround: There is no workaround.
•
Symptoms: With the traffic flowing between a promiscuous port and a port belonging to a community VLAN of the same primary VLAN, if the user adds or removes any other secondary VLAN under the same private VLAN using the following configuration under "int gi" for the promiscuous port.
Conditions: The issue was seen upon using the following CLI on the interface configured in the promiscuous mode.
switchport private-vlan mappingprimary-vlan add/removesecondary-vlan.
Workaround: There is no workaround.
•
Symptoms: The following error message is displayed:
%BACKPLANE_BUS_ASIC-4-DEV_RESET: Backplane Bus Asic reset, interrupt [0x062D]=0x0008
Conditions: Symptom reported by 7600-SIP-400 cards on 7600 Series Routers when PPPoE connections are terminated via the 7600-SIP-400 cards.
Workaround: There is no workaround.
•
Symptoms: FR-FR and FR-Ethernet connections configured for anything over MPLS (AToM) interworking do not work with the combination of SIP400 and channelized SPAs.
Conditions: Occurs with Frame Relay AToM configurations with SIP400 and channelized SPAs.
Workaround: There is no workaround.
•
Symptoms: When unsupported filter is added to global policy-map with only match-any as the filter, the router or line card might crash.
Conditions: Occurs when global policy map is attached to an interface.
Workaround: Detach service policy from interface before making changes.
•
Symptoms: Memory leak occurs in "BGP Router" process. Memory used by this process increase every day while the number of routes is not increasing.
Conditions: This occurs on a provider edge (PE) router running Cisco IOS Release 12.2(31)SB or 12.2(33)SB. Problem is seen when VPN routing/forwarding (VRF) is showing important BGP activity.
Workaround: Reload the router to avoid reaching low memory conditions.
•
Symptoms: Traffic may stop flowing on a T1 interface configured with Frame-relay encapsulation on online insertion and removal (OIR) of the SIP-400.
Conditions: The problem was observed on a Cisco 7600 router with Sup720 and SPA-1XCHOC12/DS0 installed in a SIP-400. The traffic may not recover on a T1 interface configured for Frame-relay encapsulation after an OIR of the SIP-400.
Workaround: Perform a software reset of the SIP-400 or reload of the router.
•
Symptoms: When sending packets that exceed specified MTU, packets are received as giants in PA-T1/E1 IMA card instead of being fragmented.
Conditions: It happens only after changing sub-interface MTU and after stateful switchover (SSO).
Workaround: Perform a shut/no shut on the main interface.
•
Symptoms: A Cisco 7600 SIP-400 with POS interfaces encapsulated with IETF frame-relay may incorrectly set 0x800 as Network Layer Protocol Identifier (NLPID) for hardware assisted multicast IP packets. The correct value is 0xCC.
Conditions:
A. IP unicast packets in hardware path do not have this problem.
B. IP multicast or unicast packets in software path do not have this problem.
C. Problem reproducible in Cisco IOS Release 12.2(33)SRA2, 12.2(33)SRA7, and 12.2(33)SRC2.
Workaround: There is no workaround.
•
Symptoms: Cisco 7600 does not respond properly to Link Control Protocol (LCP) echo requests, causing PPP sessions to renegotiate between the router and non-Cisco devices.
Conditions: Occurs on a Cisco 7600 running Cisco IOS Release 12.2(33)SRC2.
Workaround: Disable keep-alives on the non-Cisco device.
•
Symptoms: Router crashes with "no bba-group pppoe".
Condition: Happens after unconfiguring "bba-group".
Workaround: There is no workaround.
•
Symptoms: IDs allocated from DHCP are leaked, causing the device to reload.
Conditions: Device is configured as Cisco Intelligent Services Gateway (ISG) DHCP with 24000 sessions flapping every 10-12 minutes.
Workaround: There is no workaround.
•
Symptoms: During health monitor failure, platform action was taken immediately but platform action should be taken from gold TCL policy.
Conditions: Occurs when health monitor test failure crosses failure threshold.
Workaround: There is no workaround.
•
Symptoms: If you have configured Netflow and also have "ip flow-cache mpls label-positions", you are very likely to run in a bus error crash with info similar to what is seen here:
%ALIGN-1-FATAL: Illegal access to a low address 10:28:28 UTC Sat Dec 20 2008 addr=0x1E, pc=0x61CB7180, ra=0x61CBA5C0, sp=0x65BCAF20%ALIGN-1-FATAL: Illegal access to a low address 10:28:28 UTC Sat Dec 20 2008 addr=0x1E, pc=0x61CB7180, ra=0x61CBA5C0, sp=0x65BCAF2010:28:28 UTC Sat Dec 20 2008: TLB (store) exception, CPU signal 10, PC = 0x61CB7180Conditions: Problem is platform independent but specific to IOS release. This problem is seen in 12.2(33)SRC1 and possibly affects 12.4T releases as well.
Workaround: Consider removing MPLS netflow configuration by removing the ip flow-cache mpls label-postion 1 command.
•
Symptoms: Unable to reuse a sub-interface as main-interface.
Conditions: Occurs when we configure no virtual-template subinterface when all of the Interface Descriptor Blocks (IDB) that platform supports are used as "subif-vaccess". No more "vaccess" can be created.
Workaround: Do not configure no virtual-template subinterface at run time. Check show vtemplate output. If there are more IDBs used by subinterface, then do not configure no virtual-template subinterface.
•
Symptoms: Supervisor reloads on configuring or verifying firewall farm commands.
Conditions: Occurs before and after compliance testing on the firewall farm commands.
Workaround: There is no workaround.
•
Symptoms: ES20 line cards crashing in a loop while using a anything over MPLS (AToM) VC with Cisco Intelligent Services Gateway (ISG).
Conditions: The issue is seen on all the ES20 cards installed in a Cisco 7609 router running Cisco IOS Release 12.2(33)SRC2.
Workaround: Manually shutdown the AToM interfaces and ISG interfaces to stop the crashes.
•
Symptoms: The BFD configuration may be lost from the interface/sub-interface upon a router reload or physical module of OIR.
Conditions: The symptom is seen when BFD is configured on an interface in certain multi-slot chassis.
Workaround: Ethernet interfaces seem immune to this problem. Certain platforms, such as the Cisco 10000 series router, are also immune.
•
Symptoms: No new sessions can come up using VPDN after a few days.
Conditions: The root cause is that we leak and run out of SSM switch IDs.
Workaround: There is no workaround.
•
Symptoms: Issuing no form of IPX configuration commands on an interface crashes the switch.
Conditions: Occurs when IPX routing is enabled on the device but not on the interface.
Workaround: Do not issue no form of IPX configuration commands on an interface where IPX is not enabled.
•
Symptoms: A connected prefix from the global routing table has a VPN routing/forwarding (VRF) interface as outgoing interface.
Conditions: This condition occurs after a clear ip route x.x.x.x for the prefix x.x.x.x.
Workaround: Shut the VRF interface, clear the prefix from the routing table, then no shut the VRF interface.
•
Symptoms: DPM on secondary Cisco Intelligent Services Gateway (ISG) does not clear its session despite the fact that a DHCP termination message is sent. Even though the binding is cleared, the session persists until the idle timeout expires or the session is manually cleared.
Conditions: Occurs when multiple DHCP relay agents are present between clients and DHCP server.
Workaround: The session may expire due to idle timeout or be manually cleared.
•
Symptoms: Traffic through multilinks drop in one direction as some bundles show lost fragments, causing input errors to increment. The SPA receives the required sequence after long time from the line card, and time out is less in SPA.
Conditions: Problem is seen when there are more member links in a bundle on SPA-1xCHOC12/DS0 bidirectional traffic is sent. Some bundles drop packets at ingress as lost fragments in one direction.
Workaround: There is no workaround.
•
Symptoms: The ESM20G, 7600-ES20-GE3CXL, indicates Major error on show module.
Conditions: No special configuration conditions are needed to reproduce. The online diagnostics status indicates "Major Error". The major error can be observed following a forced switchover using the redundancy force-switchover command.
Workaround: No workaround known. Only reloading the router may cause the ESM20G to recover and pass online diagnostics.
•
Symptoms: Under certain circumstances when a route entry containing a repair path is updated or deleted, the repair path may not be properly removed. This may result in the repair path being orphaned in memory consuming a 60 byte memory block.
Conditions: Occurs with mVPN/TE and multicast enabled on a BGP speaking router. All images based on Cisco IOS Release 12.2(33)SR may be impacted by this problem.
Workaround: There is no workaround.
•
Symptoms: When we perform SNMP query (getmany) on cbQosPoliceStatsTable and cbQosREDClassStatsTable, CPU utilization reaches 99% with a single SSH session. If we query cbQosPoliceStatsTable and cbQosREDClassStatsTable from 18 SSH sessions, CPU-HOG error message are seen
Conditions: Occurs with a large number of policies defined on a GigE subinterface (~4k).
Workaround: No workaround, other than stopping the query.
•
Symptoms: Ping across CE routers fails.
Conditions: Occurs when "bidir" is configured.
Workaround: There is no workaround.
•
Symptoms: Traffic flows with loopback on a Cisco 7200 router.
Conditions: Occurs when you shut the controller, configure loopback, then no shut the controller.
Workaround: There is no workaround.
•
Symptoms: A Cisco switch may reload after a VLAN is renamed.
Conditions: Occurred on a Catalyst 6500 running Cisco IOS Release 12.2(33)SXH3a and Cisco IOS Release 12.2(33)SXH4.
Workaround: There is no workaround.
•
Symptoms: A crash occurs with the following footprint:
10:08:22 EST Mon Jan 26 2009: Address Error (store) exception, CPU signal 10, PC = 0x4330E8E00x432DF9F0 ---> dlink_rmqueue+30 0x432DFAEC ---> dlink_dequeue+2C 0x40DF73BC ---> nrp_service_notification_queue+26C 0x40DF7D8C ---> network_redist_process+210Conditions: Occurs when a multicast protocol is configured on at least one interface. Intermediate System-to-Intermediate System (IS-IS) is configured to run on one of the interfaces on which the multicast protocol is enabled. For example:
interface TenGigabitEthernet1/1 ip address 10.10.1.21 255.255.255.252 ip router isis ip pim sparse-mode
IS-IS interface configuration is removed from the interface on which the multicast protocol is configured. If a unicast route owned by IS-IS changes shortly after the multicast interface configuration is removed, the crash may occur.
Workaround: The following multicast configuration can be used to avoid the risk of a crash:
Router(config)#ip multicast rpf multitopologyRouter(config)#global-address-family ipv4 multicastRouter(config-af)#topology baseRouter(config-af-topology)#use unicast base•
Symptoms: Crash occurs on Cisco 7206VXR/NPE-G1 running Cisco IOS Release 12.2(31)SB12.
Conditions: Occurs under general use. No error messages appear in logs.
Workaround: There is no workaround.
•
Symptoms: Many "IP ARP: Sticky ARP entry invalidated" syslog messages appear, and the RP reloads unexpectedly.
Conditions: This symptom is observed when a linecard is swapped while thousands of DHCP snooping bindings are present and the ip sticky-arp command is configured.
Workaround: Configure the no ip sticky-arp command.
•
Symptoms: An interface that has been error disabled by an OAM remote link failure will not be recovered even if OAM link failure error disable recovery has been configured.
Conditions: Occurs when Ethernet OAM is configured on the interface and a remote failure is detected.
Workaround: Perform a shut/no shut on the interface.
•
Symptoms: With mLDP over a P2P tunnel, traffic drops in multiple cases.
Conditions: The traffic drops when there is a change in path set entries, which can happen when you perform a shut and no shut the TE tunnel or toggle MPLS traffic-tunnel or use the clear mpls traffic-eng auto-tunne command.
Workaround: There is no workaround.
•
Symptoms: High CPU utilization occurs on the new active supervisor after a stateful switchover (SSO).
Conditions: Occurs when large numbers of logical interfaces (such as port-channel sub-interfaces or interface VLANs) are configured and earl policing policies applied (uflow policing or aggregate policing) on all the logical interfaces. The CPU utilization on the active supervisor aggravates on each switchover.
Workaround: There is no workaround.
•
Symptoms: A router configured with BGP may generate IPRT-3-NDB_STATE_ERROR log messages. An additional symptom when bgp suppress-inactive is configured is that the router CPU usage may get close to 100%.
Conditions: When both BGP and an IGP are advertising the same prefix, the error condition may occur. When in addition bgp suppress-inactive is configured high CPU usage by BGP may be seen.
Workaround: Removing the bgp suppress-inactive configuration should eliminate the high CPU problem. Removing either the BGP or IGP conflicting routes from the system should clear both symptoms.
•
Symptoms: Router crashes on trying to ping packet over SONET (POS) interface on CHOC12 SPA.
Conditions: The issue was seen on an internal build based on Cisco IOS Release 12.2(33)SRD. The problem does not occur in the released version of Cisco IOS Release 12.2(33)SRD, but this fix is required to correct an underlying programming error.
Workaround: There is no workaround.
•
Symptoms: Static NAT translations can fail after a reload or crash.
Conditions: The trigger seems to be a high number of static translations (~100 translations). Once the router is rebooted for any reason, the translations will fail.
Workaround: Remove and reapply static translations in the configuration.
•
Symptoms: A Cisco 6500 running Cisco IOS Release 12.2(33)SXH may encounter a bus error due to OSPF processes.
Conditions: Occurs when the device is configured for Open Shortest Path First (OSPF).
Workaround: There is no workaround.
•
Symptoms: Switched Port Analyzer (SPAN) is not capturing traffic in both directions. It only captures traffic in one direction.
Conditions: Occurs when running Cisco IOS Release 12.2(33)SRC or later and with a ES-20 card.
Workaround: Use another method of packet capture if possible. See VACL capture for details. Removing the SPAN configuration and reapplying it also helps in getting the feature working.
•
Symptoms: DHCP failed to get binding under IP as aggregation model with L2 access.
Conditions: Occurs with IP session with L2 access on a device configured for DHCP relay and VRF transfer.
Workaround: There is no workaround.
•
Symptoms: Executing the commands show ip bgp version recent 1 or show ip bgp version 1 from EXEC mode may cause the device to crash.
Conditions: The symptom is observed in affected images that have support for BGP.
Workaround: Use AAA command authorization to prevent the use of these commands.
Further Problem Description: A note regarding BGP Looking Glasses for IPv4/IPv6, Traceroute & BGP Route Servers:
Per http://www.bgp4.as/looking-glasses, BGP Looking Glass servers are computers on the Internet running one of a variety of publicly available Looking Glass software implementations. A Looking Glass server (or LG server) is accessed remotely for the purpose of viewing routing info. Essentially, the server acts as a limited, read-only portal to routers of whatever organization is running the lg server. Typically, publicly accessible looking glass servers are run by ISPs or NOCs.
Public Looking Glass servers running an affected version of Cisco IOS are specially susceptible to this bug because they provide unauthenticated public access to Cisco IOS devices. Because of this, operators of BGP Looking Glass servers are encouraged to use AAA to prevent execution of the commands mentioned above that are known to crash Cisco IOS.
•
Symptoms: The BGP aggregate-address command configured on active RP does not auto-sync to the running configuration of the standby RP.
Conditions: Occurs when BGP is configured on active/standby redundant RP system.
Workaround: Configure BGP aggregate-address and reboot the system, forcing both active and standby to load from startup configuration.
•
Symptoms: Connectivity between the multilink bundles is lost.
Conditions: Occurs upon configuration of DLFI over ATM and trying to clear the virtual-access created for multilink using the clear ppp interface virtual-access<no> command.
Workaround: There is no workaround.
•
Symptoms: Admin tag is being advertised by the neighbor router. This tag is not showing up in the local router. This causes route filtering based on admin tag to fail.
Condition: Occurred on a Cisco ASR1000 running Cisco IOS Release 12.2(33)XNB. Other devices and releases of Cisco IOS are affected.
Workaround: There is no workaround.
•
Symptoms: The delay value to destination computed is different between IPv4 and IPv6.
Conditions: Occurs when EIGRP for IPv6 is configured.
Workaround: There is no workaround.
•
Symptoms: Service-policy is not removed from gigabit interface.
Conditions: Occurs after you configure a gigabit interface as a switchport and then attach/detach a service-policy.
Workaround: In order to remove the service policy configuration, go into the mode where the policy was first configured and then unconfigure it.
•
Symptoms: Traffic through SIP400 stops or SIP400 displays minor error in show mod output.
Conditions: Seen sometimes on doing RPR+ switchover in a chassis that supports hot fabric synchronization.
Workaround: Reset the line card.
•
Symptoms: SPA-24CHT1-CE-ATM will remain out of service on a SIP-400 because of a missing API.
Conditions: This issue will be seen during boot up on a Cisco 7600 router with SPA-24CHT1-CE-ATM and SIP-400.
Workaround: There is no workaround.
•
Symptoms: The following commands executed from the console result in a device reload: write, copy running-config startup-config or show run.
Conditions: The symptom is observed when a large number of interfaces (200+) have been configured for RIPv6 and are active. Interfaces which are down will not contribute to the problem.
Workaround: There is no workaround.
•
Symptoms: On a Cisco 10000 series router that is running Cisco IOS Release 12.2(28)SB11, the serial interface becomes stuck in an up/down state and the multilink interface in a down/down state. The debugs indicate:
Se7/0/0.10/17:1 PPP: Missed a Link-Up transition, starting PPP Se7/0/0.10/17:1 PPP: Updating buffered PPP packet Se7/0/0.10/17:1 PPP: Starting timer for fast-start Se7/0/0.10/17:1 PPP: Handle allocation failure
Conditions: The symptom is observed when new T1s are added to the router. The triggers are an SSO configuration and when the router runs for a long time. The new T1s cause a lot of flapping of links.
Workaround: Reload the router or perform a PRE failover on the Cisco 10000 series router.
•
Symptoms: After clearing the DHCP snooping bindings, renewing from the database and reloading the line card, snooping bindings are lost.
Conditions: Occurs when DHCP snooping is configured to store bindings in the database on the flash disk.
Workaround: There is no workaround.
•
Symptoms: All Layer 3 traffic is silently dropped on the ES40 line card after the module is reset.
Conditions: Occurs when Layer 2- and Layer 3-based Ethernet Virtual Circuits are configured on the ES40. This happens after an RSP fail over or when the module is reset using the hw-module module # reset command.
Workaround: Reload the router.
•
Symptoms: A device may reload because of a crash after the command clear ip route * is executed.
Conditions: The trigger for this issue is executing the clear ip route* command in the presence of a default route. If an RIP update is received by the router while the routing information base is being cleared, the update will be processed causing RIP to check the state of the default route in the routing information base. This combination has the potential to cause a crash.
The probability of the crash occurring is proportionate to the size of the routing table. The larger the routing table, the greater the chance of encountering the problem.
Workaround: It is recommended to avoid using the clear ip route * command. If the prefix in question is known, then use clear ip route <prefix> instead.
Further Problem Description: This problem was observed in Cisco IOS Release 12.2(33)SRC3. All Cisco IOS SR33-based images (SRB, SRC, SRD and SB33) are vulnerable to this problem. The problem will be seen only when using the clear ip route * command and is platform independent. Other commands like clear ip ospf, clear ip bgp, clear ip isis or clear ip route <prefix> are not vulnerable.
•
Symptoms: L3 traffic is blackholed after online insertion and removal (OIR) of Distributed Forwarding Cards (DFCs).
Conditions: After an OIR, some of the adjacencies (recirculation) may not be correctly programmed when they go online.
Workaround: Use the clear adjacency command to reprogram the adjacencies correctly. This will impact traffic on the router.
Further Problem Description: Use the show mls cef adjacency entry <x> detail command to diagnose. A display of "vlan=0" on recirculation adjacencies indicates this problem.
•
Symptoms: Packet leak is observed on Cisco 7200 router running Cisco IOS Release 12.2(33)SRC.
Conditions: Multicast packet is forwarded to the tunnel interface, causing memory leak. Even packet is dropped, memory leak is observed. Multicast data having less then 64 byte size is dropped at the driver. Leak is not happening with interface other then tunnel interface.
Workaround: There is no workaround.
•
Symptoms: Packet drops seen in the network when an IOS application sends full length segments along with TCP options.
Conditions: Issue is seen only in topologies where an IOS device is communicating with a non-IOS peer or with an IOS device with on which this defect has been fixed.
Workaround: Reset ip mtu .. to a lower value. Any value lower than the advertised MSS from the peer should always work.
•
Symptoms: SNMP engine consumes 100% CPU and device does not respond to SNMP polls.
Conditions: Occurs when ATM SPA subinterface counters, such as ifInOctets and ifOutOctets are being polled with multiple Varbinds in single SNMP PDU.
Workaround: There is no workaround.
•
Symptoms: Watchdog reset seen with combination of NPEG1+PA-POS-1OC3/PA-POS-2OC3.
Conditions: The symptom is observed on a Cisco 7200 series router and Cisco 7301 router with an NPEG1 processor.
Workaround: Change the MDL of operation to PULL using the command dma enable pull model.
•
Symptoms: Router crashes at "t3e3_ec_safe_start_push".
Conditions: The crash is seen immediately after removing the channel-group of the PA-MC-2T3/E3-EC card.
Workaround: There is no workaround.
•
Symptoms: When using encapsulation PPP on a POS SPA OC192POS-XFP in a SIP-600, the protocol comes up on both sides and IP Control Protocol (IPCP) is open for PPP. Pinging the remote side fails due to corruption of the PPP frame.
Conditions: Occurs when using encapsulation PPP on a POS SPA OC192POS-XFP
Workaround: Use High-Level Data Link Control (HDLC) encapsulation.
•
Symptoms: CE-to-CE ping for packet size less than 48 bytes fails or applications like telnet fail.
Conditions: Occurs with ATM SPA on SIP200. ATM PA on FW2 should be one of the CEs facing, while other PEe should be 7200
Workaround: There is no workaround.
•
Symptoms: When unconfiguring multicast distribution tree (MDT) and VPN routing/forwarding (VRF), SP crashes.
Conditions: The problem occurs on scale setup. When number of entries is large on PI multicast side, the PI process can get suspended during delete operation
Workaround: There is no workaround.
•
Symptoms: Router crashes
Conditions: Occurs during xconnect L2TP session configuration.
Workaround: There is no workaround.
•
Symptoms: A specific configuration of "ip casa" followed by a subsequent use of the command show running-config can cause the router to go into an infinite loop and hang.
Conditions: The symptom is observed when "ip casa" is configured and you enter into config-casa mode. The command show running-config will cause the router to hang.
Workaround: There is no workaround.
Further Problem Description: This issue is specific to the usage of ip casa. If you do not use casa, you are not vulnerable to the issue described here.
•
Symptoms: ATM PVP CLI become inaccessible to the command-line interface.
Conditions: The commands disappear after configuring l2transport VCs on ATM interface.
Workaround: Execute default on ATM interface before configuring any L2VC or L2VP.
•
Symptoms: CPU utilization goes high when a third session is allowed to be created through SNMP. Also occurs with applications that use SNMP to create sessions, such as NAM GUI.
Conditions: Perform the SNMPSet on the service module session (this will fail). Now try to create another local session via SNMPSets sequence.
Workaround: Use CLI to create the sessions.
•
Symptoms: Router crashes while configuring MAC addresses.
Conditions: Occurs when configuring MAC addresses under VT interface in "config-rite" mode.
Workaround: There is no workaround.
•
Symptoms: With a topology like this:
CE | type 4 xconnect type 4 xconnect |-------------------- 7600 --------------- GSR -------------- CE SIP400 Sup720 Giga subif Giga subifthe packets above 1496 are not passing through end-to-end.
The MTU on the edge-facing interfaces is 1500, the one on the core-facing interfaces is 1600.
Conditions: The GSR on the other side seems not to have a similar behavior. The bug has been reproduced in Cisco IOS Release 12.2(33)SRB3 and SRC3.
Workaround: Increase the MTU on the edge-facing interface end-to-end
•
Symptoms: Connectivity breaks on SPA based multilink bundles with ACFC/PFC configured when one of the member links go down.
Conditions: Occurs on a Cisco 7600. Multilink must be SPA based with ACFC/PFC configured. The output of show ppp multilink on the RP would show multilink in hardware.
Workaround: Adding back the link or bringing the link back up makes it work.
•
Symptoms: On a Cisco 7600-SIP-200 / SPA-2XOC3-ATM running the c7600s72033-adventerprisek9-mz.122-33.SRB4 image, an ATM interface may suddenly cease processing ingress packets resulting in all VC sharing the physical interface being shut down.
Conditions: Occurs when the ATM SPA interface is configured for LFI.
Workaround: There is no workaround.
•
Symptoms: The route-map functionality is broken with respect to BGP.
Conditions: Configure route-map and apply to BGP neighbor as an inbound/outbound policy and then reload the router. The route-map functionality will not work.
Workaround: There is no workaround.
•
Symptoms: DHCP snooping bindings are lost on a Cisco 6724 when online insertion and removal (OIR) is performed on the line card just after renewing the snooping bindings from database.
Conditions:
1) Bring up a snooping binding on a Cisco 6724 LC.
2) Make sure the binding has been written to the snooping database.
3) Clear the snooping binding by entering the clear ip dhcp snooping command.
4) Write the bindings from the database back to the snooping table by entering the renew ip dhcp snooping database command.
5) Ensure that the binding has been repopulated into the snooping table by entering the show ip dhcp snooping binding command.
6) Perform OIR on the line card.
7) When the line card comes up, it is seen that the snooping binding is not repopulated. It is lost.
Workaround: Send a fresh DHCP request from the client.
•
Symptoms: Calls fail intermittently with cause "47: no resource available" error.
Conditions: Occurs when router is under load test.
Workaround: There is no workaround.
•
Symptoms: Cisco IOS routers crash when filter style is changed from fixed filter (FF) to wild card filter (WF).
Conditions: Occurs when FF style reservation is installed on an interface and is then modified to WF style without first removing the FF style reservation.
Workaround: Remove FF style reservation before configuring for WF style reservation.
•
Symptoms: Standby crashes on deletion of a port-channel.
Conditions: The problem is seen only when lacp fast-switchover is configured on the port-channel.
Workaround: Shut the port-channel before deleting it.
•
Symptoms: Cisco ASR crashes into ROMmon when doing DHCP renew from client PC when Cisco Intelligent Services Gateway (ISG) is configured as DHCP relay.
Conditions: Occurs when ISG is acting as DHCP relay and without port-bundle host key (PBHK) enabled.
Workaround: Disable ping using the ip dhcp ping packets 0 command.
•
Symptoms: ES40 line card crashes.
Conditions:
1) Have Port-channel with a service instance without encapsulation.
2) Have members across NPs.
3) Remove all the members related to 1 NP.
4) Add a member to the NP, which already has a member.
5) Line Card crashes.
Workaround: There is no workaround.
•
Symptoms: Service policy disappears from Multilink Frame Relay (MFR) interface.
Conditions: This is observed after MFR interface flaps.
Workaround: There is no workaround.
•
Symptoms: SIP reloads with the following error messages:
%C7600_PWR-SP-4-DISABLED: power to module in slot 2 set off (Module Failed SCP dnld)
%CWAN_RP-6-CARDRELOAD: Module reloaded on slot 2/0
Conditions: Occurs during switchover from slot6 to slot5 with RSP720.
Workaround: There is no workaround.
•
Cisco devices running affected versions of Cisco IOS Software are vulnerable to a denial of service (DoS) attack if configured for IP tunnels and Cisco Express Forwarding.
Cisco has released free software updates that address this vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-tunnels.shtml.
•
Symptoms: Cisco 6500 crashes with Breakpoint exception, CPU signal 23.
Conditions: An attempt to free unassigned memory is seen before the crash:
00:01:25: %SYS-2-FREEFREE: Attempted to free unassigned memory at 50D9D260, alloc 40CC9960, dealloc 40CC9A90-Traceback= 41044F88 40CC9A98 40CC88C0 40CC20E4 40CCF5B0 406AF1AC 4069A834 4101848C 41018478Workaround: There is no workaround.
•
Symptoms: Unable to remove ACLs.
Conditions: Occurs on the ES20. The no form of the command does not work.
Workaround: Reload to recover.
•
Symptoms: ES20 cards crash due to an address error after a remote Label Distribution Protocol (LDP) session is shut. This is also seen when the remote router is reloaded.
Conditions: Occurs on a Cisco 7600 running Cisco IOS Release 12.2(33)SRD.
Workaround: There is no workaround.
•
Symptoms: MPLS packets that need a swap label may get punted to CPU because the outgoing interface/label has wrong MTU value in hardware (MLS). Once the packet is punted to CPU, it is forwarded correctly, as Cisco Express Forwarding (CEF) in software has correct info. If the traffic rate is high, this causes high CPU.
-show mls status can confirm the MTU failure increasing.
-remote command switch show mpls platform vlan shows wrong MTU for outgoing interface.
-show mls cef mpls label X detail will show the MTU as 0.
-show mpls forwarding-table interface X detail shows good MRU value.
Conditions: Occurs on a Cisco 7600 running Cisco IOS Release 12.2(33)SRB5.
Workaround: Re-stating the mtu command or mpls ldp mtu ... does not make any difference. You need to either bounce the affected interface or reload the switch.
•
Symptoms: MAC security on ESM20 ports stop working after unrelated configuration changes are done to any other ports on the same ESM20.
Conditions: On ESM20 ports having service instances configured with MAC security on them, traffic stops flowing on those EVCs when unrelated configuration changes are done on other ports on that ESM20.
Workaround: Perform a shut/no shut on the affected port.
•
Symptoms: Router displays the following message:
SCP-SP-5-ASYNC_WATERMARK: 36152 messages pending in SCP async: LCP#4
If the number of pending messages keeps increasing, router may eventually crash.
Conditions: Occurs under the following scenario.
- With a switchport on ES20 - With more than few hundred allowed VLANs on ES20 trunk - If STP state on the switchports flaps.
The last condition is critical for the bug to occur.
Workaround: Prevent conditions leading to STP flaps.
•
Symptoms: All traffic through ES line cards stops after a RSP failover. The line cards are powered down and never recover.
Conditions: Occurs occasionally when a redundancy force-switchover is executed on a router containing ES line cards with an N-PE redundancy configuration that looks like the following under a VPLS VFI:
l2 vfi vfi101 manual
vpn id xxx
forward permit l2protocol all
Workaround: Reload the router. If this does not help, reduce the number of possible core-facing MPLS interfaces that the VPLS pseudowire could possibly take.
•
Symptoms: Packets leak from source to destination when PACL is configured and switchover is not complete.
Conditions: During switchover, and until TCAM is programmed, packets are L3 switched even if the PACL will drop them further. Also, when the PACL is changed, such as addition or removal of ACEs, some packets which are supposed to be dropped will leak to the destination.
Workaround: There is no workaround.
•
Symptoms: When a Cisco 7600 is connected to a different MST region and has a port with root guard configured on the MST boundary port, all VLAN interfaces flap each time a superior BPDU is received on this port. This behavior was observed with Cisco IOS Release 12.2(33)SRB4 and Cisco IOS Release 12.2(18)SXF14.
Conditions: It was observed in the following context:
1) The switch is connected to a different MST region 2) It has a port configured as root guard on MST region boundary
Workaround: Shut down blocked port or remove root guard configuration from the port and the VLAN interfaces stop flapping.
•
Cisco IOS devices that are configured for Internet Key Exchange (IKE) protocol and certificate based authentication are vulnerable to a resource exhaustion attack. Successful exploitation of this vulnerability may result in the allocation of all available Phase 1 security associations (SA) and prevent the establishment of new IPsec sessions.
Cisco has released free software updates that address this vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-ipsec.shtml
•
Symptoms: All traffic through ES line cards stops after a RSP failover. The line cards fail diagnostics and never recover.
Conditions: Occurs periodically when a redundancy force-switchover is executed on a router containing multiple RSPs and ES line cards.
Workaround: Reload the router.
•
Symptoms: MQC policy applied on ES+ interface may not work as expected. Occurs if too many unique bandwidth rates are configured and applied on same line card and on the interfaces belonging to same Network Processor.
Conditions: If more than 32 unique bandwidth rates are (defined in policy maps applied on same NP) configured, the policy map is accepted without error but may not work as intended.
Workaround: If multiple unique bandwidth rates are required, space the policy maps across interfaces based on different network processors.
•
Symptoms: LACP L3 POCH members flap, getting unbundled and bundled back again.
Conditions: Global native VLAN tagging has to be enabled, and L3 POCH interface should have a sub-interface configured under it.
Workaround: Disable global VLAN tagging.
•
Symptoms: After a reload, CPU on the router remains high and does not recover on its own.
Conditions: This issue was observed on a reload of a Cisco 7600 router with Supervisor 720. The system had a scaled configuration with a large number of VRF', sub-interfaces and some Virtual Private LAN Services (VPLS) PW. BGP and ISIS routing protocols were also in use. The high CPU is seen in the CEF background process.
Workaround: An SSO switchover or a system reload can clear the problem.
•
Symptoms: After stateful switchover (SSO), adjacency mismatch and traffic failure occur on ES20 sub-interfaces.
Conditions: This happens when egress QOS/ACL policy is configured on ES20 sub-interface.
Workaround: Perform a shut/no shut on the ES20 interface.
•
Symptoms: After removing "priority 30" from policy-map queuing_child, an attempt to add it back fails with the following message:
Configured Percent results in out of range kbps. Allowed range is 8-622000. The present CIR value is 6.
Conditions: Occurs with the following configuration:
Configure the following policy-map:Policy Map queuing_childClass ip_prec_1priority 30 (%)Class ip_prec_2bandwidth remaining 20 (%)Class ip_prec_3bandwidth remaining 30 (%)Class ip_prec_4bandwidth remaining 49 (%)Policy Map DestClass DestPolicy Map queuingClass class-defaultAverage Rate Traffic Shapingcir 5000000 (bps)service-policy queuing_childWorkaround: There is no workaround.
•
Symptoms: On occasion, a false positive is returned on a file system failure. File operation is deemed successful when, in fact, it has failed.
Conditions: This problem occurs when the file system device returns an error and the code follows the path in the file system buffer cache where the error is masked and converted to a success code. This problem is likely to show up if there is a device error during the write. The device error may be due to bad media or an OIR (although it is very unlikely during an OIR).
Workaround: There is no workaround.
Further Problem Description: This is possible during any file system operation where a file system device is unable to complete the operation and an error is returned. This error is not passed down to the file system stack but is converted to a success code. Other clients which are dependent on previous file system operations fail on successive file system calls and possibly result in a crash.
•
Symptoms: Router crashes at af_policer_get_class_drops.
Conditions: Router crashes while attaching policy under another policy.
Workaround: There is no workaround.
•
Symptoms: Router may reload under excessive netconf configuration.
Conditions: The following configuration commands, when configured repeatedly within a short period of time may cause the device to reload.
* netconf ssh
* netconf beep listener
Workaround: There is no workaround.
•
Symptoms: Users who can execute a show ip interface command can see that an LI tap is in progress.
Conditions: No specific conditions are necessary to trigger this problem.
Workaround: There is no workaround.
•
Symptoms: A PPP aggregator may erroneously remove a per-user static route downloaded from RADIUS when the first member link of a multilink group goes down.
Conditions: Issue observed on Cisco 7200/NPE-G1 running Cisco IOS Release 12.2(33)SRC3 and earlier SRC releases. Also occurs in Cisco IOS Release 12.2(33)SRD.
Workaround: Clear interface virtual-access (for the MLP bundle). You can also downgrade to Cisco IOS Release 12.2SB.
•
Symptoms: Interface default queue traffic is favored instead of the QoS applied to subinterface or EVC traffic.
Conditions: If there is a mix of QoS policy applied and not applied subinterfaces/EVCs on the main interface, the traffic on the subinterface/EVC without QoS can take the entire physical interface bandwidth, starving the QoS applied subinterface/EVC.
Workaround: Apply QoS policy on all the subinterface/EVCs on the main interface.
•
Symptoms: Entries for ABRs and ASBRs are missing from the OSPF route table. This results in inter-area and external routes being omitted from the Routing Information Base (RIB).
Conditions: The bug will only be seen when MPLS-TE tunnels are being used. Also, specifying non-default SPF timer values with timers throttle spf will increase the risk of hitting this bug.
Workaround: There is no workaround.
•
Symptoms: MPLS frames that need to be encapsulated into VRF GRE tunnel are punted to RP if the GRE tunnel requires MPLS imposition.
Conditions: This has been observed on Cisco 7600 provider edge (PE) routers in L3VPN environment.
Workaround: There is no workaround.
•
Symptoms: The show ip ospf border-router may cause a router to crash.
Conditions: Occurs if the border table is recalculated in a significant way while the output is being printed on the console. The risk of a crash is reduced if you avoid using the auto-more feature and allow the entire output to display at once.
Workaround: There is no workaround.
•
Symptoms: Console may hang.
Conditions: Occurs when the TACACS+ server is being used as AAA server and the single-connection option is configured.
Workaround: Remove the single connection option.
•
Symptoms: Device running Cisco IOS Release 12.2(33)SRD1 with SAA/SNMP crashes due to bus error.
Conditions: Occurs when an SNMP poll for IPSLA/SAA values is performed.
Workaround: There is no workaround.
•
Symptoms: The following TOS settings tests fail on ES+ card:
* TOS mapping from inner to outer IP header via ip tos reflect on PW class.
* TOS setting on outer IP header via ip tos value value.
* TOS setting via ingress MQC policy on IP subinterface with xconnect.
Conditions: Occurs on a ES+ card configured for L2TPv3.
Workaround: There is no workaround.
•
Symptoms: Router crash is seen during ISSU with mls qos enabled.
Conditions: Occurs when user does ISSU from Cisco IOS Release 12.2(33)SRC2 to SRC3 or from 12.2(33)SRD1 to later SRD release.
Workaround: Disable QoS globally using the no mls qos command.
•
Symptoms: Missing Intermediate System-to-Intermediate System (IS-IS) routes or routing loop occurs after the edge router reloads several times.
Conditions: Occurs when MT-IPv6 is running and fast convergence parameters are configured.
Workaround: Enter the clear isis * command on the affected router.
•
Symptoms: When FastEthernet SPA on SIP400 is used as the core-facing side, switch virtual interface (SVI)-based EoMPLS/VPLS traffic does not flow out of the pseudowires. Receiving Traffic on the pseudowire is fine.
Conditions: Occurs when FE spa on SIP400 is used as the core facing side for SVI-based EoMPLS/VPLS. All the imposition traffic is dropped.
Workaround: There is no workaround.
•
Symptoms: Router crashes when we send multiple access packets for same username when configured for RADIUS Load Balancing (RLB).
Conditions: Occurs with the following topology
CLIENT----->RLB----->SERVER
Client sends multiple access retry packets to server and router crashes after a period of time. This issue will be seen in cases where multiple access requests are seen for the same username, and 60 seconds expire since the arrival of the first of such access requests, before an accounting start for the same username is seen.
Workaround: If RLB do not see multiple access packets we wouldn't see any crash.
•
Symptoms: For IPv6 adjacencies, MTU is incorrectly programmed.
Conditions: Occurs with simple IPv6/6PE setup.
Workaround: There is no workaround.
•
Symptoms: When SIP-400 is configured as Lawful Intercept service module, after a line card online insertion and removal (OIR), the SIP-400 may not get selected as Lawful Intercept service module.
Conditions: Occurs when SIP-400 is configured as Lawful Intercept service module on a Cisco 7600.
Workaround: After line card OIR, select the SIP400 again as the LI service module using the command li-slot list <sip400 slot number>.
•
Symptoms: L2TP tunnel not coming up for ATM attachment circuit.
Conditions: The problem is seen on Cisco 7200 router running Cisco IOS Release 12.2(33)SRC.
Workaround: There is no workaround.
•
Symptoms: Packets are not getting in output policy.
Conditions: Occurs on ES+ card configured for L2TPv3.
Workaround: There is no workaround.
•
Symptoms: MPLS-TE tunnel label reallocation on midpoint router occurs while RSVP is gracefully restarting due to CPU switchover.
Conditions: Occurs on a Cisco 7600 that is configured as the midpoint router when the upstream node is a Cisco IOS-XR router. This does not happen if the upstream node is also a Cisco IOS router. Because of this label re-allocation, traffic downtime is ~100 msec
Workaround: There is no workaround.
•
Symptoms: DHCP binding in DHCP client may not work.
Conditions: Occurs after online insertion and removal (OIR) operation on a Cisco 7600 with SIP400 line card.
Workaround: There is no workaround.
•
Symptoms: The following error message is displayed:
%OSPF-4-NULL_PREV_LINKAGE with a traceback of:
errmsg(0x40636c28)+0x50
ospf_dlink_delink(0x40eda914)+0x3c
ospf_service_redist(0x40f2d03c)+0x428
ospf_router(0x40ee2f20)+0xa24
This error causes excessive CPU utilization, which causes the Supervisor or RSP to crash.
Conditions: Occurs after entering the clear ip ospf process command, especially in an environment that has multiple OSPF processes. Learning the same prefix with different processes can also cause this condition to occur.
In this case it was due to the fact that one process was configured with default-information originate always, causing an implicit redistribution. The other process was also learning a default route as E2.
Workaround: To avoid the issue:
- Clear ip ospf process on a process by process basis few min. apart.
- Shut/no-shut of the OSPF Process instead of the hard reset/clear
Reload is the only way to recover if the system has run into the issue already.
•
Symptoms: Multicast replicated packets get dropped at "SELENE".
Conditions: Occurs when ES+ card is in slot 1 and the port is 1/12.
Workaround: There is no workaround.
Open Caveats—Cisco IOS Release 12.2(33)SRD1
This section describes possibly unexpected behavior by Cisco IOS Release 12.2(33)SRD1. All the caveats listed in this section are open in Cisco IOS Release 12.2(33)SRD. This section describes only select open caveats.
•
Symptoms: Tracebacks observed when shut/no shut is performed multiple times on ATM-OC3 interface.
Conditions: Occurs on a router running Cisco IOS Release 12.2(33)SRD.
Workaround: There is no workaround.
•
Symptoms: For C7600 ES+XT Serial line cards, the TenGigaEthernet interface could report erroneous link up status while the link is actually down.
Conditions: This problem is observed with Cisco IOS Release 12.2(33)SRD1. The problem happens when the remote side changes to different transport mode under interface configuration.
Workaround: Every time the remote side changes its transport mode configuration, do a shutdown and no shutdown for the corresponding interface in the local side.
•
Symptoms: Supervisor does not return to SP Prompt after Service line card (SVCLC) tunneling.
Conditions: After doing a remote login switch from supervisor, we go into SUP SP prompt. Then Tunnel into LCP ROMMon through svclc console <slot> from SUP-sp to boot LCP. Once LCP starts booting, we should come back to SP prompt. This is not happening now.
Workaround: Type a ^C to get back to the SP prompt.
Resolved Caveats—Cisco IOS Release 12.2(33)SRD1
All the caveats listed in this section are resolved in Cisco IOS Release 12.2(33)SRD1. The caveats listed in this section are open in Cisco IOS Release 12.2(33)SRD. This section describes only severity 1, severity 2, and select severity 3 caveats.
Miscellaneous•
Symptoms: A Cisco router that is configured for Network Address Translation (NAT) may reload unexpectedly because of a software condition.
Conditions: This symptom can occur when the router translates a Lightweight Directory Access Protocol (LDAP) packet. NAT translates the embedded address inside the LDAP packet. This problem is strictly tied to NAT and LDAP only.
Workaround: There is no workaround.
•
Symptoms: Some virtual circuit (VC) information is missing in the Simple Network Management Protocol (SNMP) MIB object cAal5VccEntry from the output of the snmpwalk router configuration command. The ATM VCs 0/100, 0/200 and 0/500 exist on the router but are missing in the MIB.
Conditions: This symptom is observed on a Cisco 7513 router that is running a special image of Cisco IOS Release 12.2(15)T5. The symptom may also occur in other releases.
Workaround: Enter the show atm vc privileged EXEC command on the same device to obtain a complete list of all the VCs.
•
Symptoms: The output of serial interfaces on a PA-MC-8TE1 may become stuck after several days of proper operation.
Conditions: This symptom is observed on a Cisco 7206VXR that runs Cisco IOS Release 12.3(10a) and that has MLP configured on the serial interfaces of the PA-MC-8TE1.
Temporary Workaround: Perform an OIR of the PA-MC-8TE1 or reload the router until the symptom occurs again.
Further Problem Description: The symptom occurs during normal operation of the router. If many errors occur on the link, the symptom is more likely to occur.
•
Symptoms: If a user fails to successfully establish a SSH connection on the first attempt, subsequent attempts may also fail.
Conditions: Occurs when a Cisco router is configured to authenticate SSH connections using TACACS+. The rem_addr field in the TACACS+ header may be empty if the user does not successfully authenticate on the first attempt. This may cause authentication or authorization failures if rem_addr information is required by the TACACS+ server.
Workaround: Configure ipssh authentication-retries 0.
•
Symptoms: A router running Cisco IOS 12.4T may reload unexpectedly
Conditions: Occurs when BFD is configured and active.
Workaround: Disable the BFD feature.
•
Symptoms: A memory leak may occur in the "BGP Router" process.
Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.0(26)S6, that is configured for BGP, and that has the bgp regexp deterministic command enabled.
Workaround: Disable the bgp regexp deterministic command.
•
Symptoms: Router might unexpectedly reload during CNS configuration download.
Conditions: The downloaded configuration must disable the CNS configuration initial or partial for this crash to occur.
Workaround: Use static configuration and prevent configuration download from CNS server.
•
Symptoms: While restarting the iprouting process, the system crashed at redzone corruption.
Conditions: Occurs following a switchover. The iprouting process should restart once the standby becomes active.
Workaround: There is no workaround.
•
Symptoms: When DHCP snooping is configured on a VLAN, the redirect access list programmed in TCAM permits a wide range of UDP ports from bootps/bootpc to 65xxx.
Conditions: UDP traffic to these destination ports (0x143, 0x243, 0xFF43) is being redirected to Route Processor (RP). If "ip dhcp snooping limit" is not configured, then RP CPU goes to 100%.
Workaround: There is no workaround.
•
Symptoms: Some of the 48 power over Ethernet ports of a line card cannot be configured as "power inline static" with the maximum power capacity, 15.4 watts, that a port can support.
Conditions: The number of supported ports depends on the power rating of the voice daughter board. One or more ports may not operate at maximum capacity.
Workaround: There is no workaround.
•
Symptoms: Self ping to SVI fails when VLAN configurations are removed and reapplied.
Conditions: Occurs when an interface is deleted and added again.
Workaround: There is no workaround.
•
Symptoms: While configuring a mediation device (MD), if the MediationSrcInterface is set to loopback interface, traffic will cause MALLOC failures.
Conditions: Problem is seen when traffic rate is equal to or greater than 8000 packets per second.
Workaround: Do not use loopback0 as MD source interface.
•
Symptoms: A router may crash when the clear ip bgp command is entered.
Conditions: Occurs on devices running BGP and configured as a route reflector client with conditional route injection configured.
Workaround: Unconfigure conditional route injection.
•
Symptoms: The ip nat inside source static network command does not have the <cr> option.
Conditions: This symptom is observed on a Cisco 7200 router that is loaded with Cisco IOS Release 12.4 or 12.4T.
Workaround: There is no workaround.
•
Symptom: Connectivity problems are observed for IPv6 client, which obtained IPv6 prefix via DHCP for Virtual Access interface,
Guest
