Table Of Contents
Caveats for Cisco IOS Release 12.2(33)SRC through 12.2(33)SRE
Open Caveats—Cisco IOS Release 12.2(33)SRE
Resolved Caveats—Cisco IOS Release 12.2(33)SRE
Resolved Caveats—Cisco IOS Release 12.2(33)SRD3
Resolved Caveats—Cisco IOS Release 12.2(33)SRD2a
Resolved Caveats—Cisco IOS Release 12.2(33)SRD2
Open Caveats—Cisco IOS Release 12.2(33)SRD1
Resolved Caveats—Cisco IOS Release 12.2(33)SRD1
Open Caveats—Cisco IOS Release 12.2(33)SRD
Resolved Caveats—Cisco IOS Release 12.2(33)SRD
Resolved Caveats—Cisco IOS Release 12.2(33)SRC5
Resolved Caveats—Cisco IOS Release 12.2(33)SRC4
Open Caveats—Cisco IOS Release 12.2(33)SRC3
Resolved Caveats—Cisco IOS Release 12.2(33)SRC3
Open Caveats—Cisco IOS Release 12.2(33)SRC2
Resolved Caveats—Cisco IOS Release 12.2(33)SRC2
Open Caveats—Cisco IOS Release 12.2(33)SRC1
Resolved Caveats—Cisco IOS Release 12.2(33)SRC1
Open Caveats—Cisco IOS Release 12.2(33)SRC
Resolved Caveats—Cisco IOS Release 12.2(33)SRC
Caveats for Cisco IOS Release 12.2(33)SRC through 12.2(33)SRE
Caveats describe unexpected behavior in Cisco IOS software releases. Severity 1 caveats are the most serious caveats; severity 2 caveats are less serious. Severity 3 caveats are moderate caveats, and only select severity 3 caveats are included in this section.
Because Cisco IOS Release 12.2SR is based on Cisco IOS Release 12.2, many caveats that apply to Cisco IOS Release 12.2 also apply to Cisco IOS Release 12.2SR. For information on severity 1 and 2 caveats in Cisco IOS Release 12.2, see the Caveats for Cisco IOS Release 12.2 document located on Cisco.com.
In this section, the following information is provided for each caveat:
•
Symptoms—A description of what is observed when the caveat occurs.
•
•
Note
This section consists of the following subsections:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Open Caveats—Cisco IOS Release 12.2(33)SRE
This section describes possibly unexpected behavior by Cisco IOS Release 12.2(33)SRE. All the caveats listed in this section are open in Cisco IOS Release 12.2(33)SRD. This section describes only select open caveats.
•
Symptoms: A mismatched bandwidth may generate corrupt packets that are not detected in the hardware when CRC-16 is configured on the interfaces. The corrupt packets may cause the CPU usage of the RP to increase to 100 percent, and the corrupt packets may be dropped.
Conditions: This symptom is observed on a Cisco platform that is configured with a 2-port or 4-port clear channel T3/E3 SPA (SPA-2XT3/E3 or SPA-4XT3/E3) or 4-port channelized T3 (DS0) SPA (SPA-4XCT3/DS0) that is configured for T3 DSU Kentrox mode with a subrate bandwidth above 35,000 when the far-end is also configured for DSU Kentrox mode but with a mismatched bandwidth that is less than 35,000
Workaround: When you use DSU Kentrox mode, configure CRC-32 on the interfaces and configure the correct bandwidth before you enable the interfaces.
•
Symptoms: EzVPN hardware client will not attempt to connect to the same peer or the next peer after QUICK MODE failure during IKE.
Conditions: This symptom is observed when EzVPN hardware client remains in SS_OPEN state after the failure of QUICK MODE.
Workaround: Clear the EzVPN session.
•
Symptoms: Tracebacks seen on Cisco 7200 router.
Conditions: Occurs when SSH is used to connect to Distributed Link Fragmentation and Interleaving over Leased Lines (dLFIoLL) multilink IP address.
Workaround: There is no workaround.
•
Symptoms: When multiple transform set is configured to the crypto map, only the first transform set is configured to it. Remaining transform sets are truncated and not configured to it.
Conditions: Multiple transform sets have to be configured to the crypto map.
Workaround: There is no workaround.
•
Symptoms: A core dump may fail to write or write very slowly (less than 10KB per second).
Conditions: The symptom is observed when the cause of the crash is processor memory corruption. When this occurs, the corrupted memory pool cannot be used to write the core dump so it will likely fail. (IO memory corruption crashes should not have this problem.)
Workaround: There is no workaround.
•
Symptoms: Ingress IPv6 packet classification not working.
Conditions: Occurs only on MFR interface on Cisco 7600.
Workaround: Use sub-interface mode.
•
Symptoms: Cisco 7600 router processor may crash.
Conditions: Occurs when a large packet to be multicast is replicated in the router in software switching path, and there are multiple such packets being processed in quick succession.
Workaround: There is no workaround.
•
Symptoms: Traffic stops after a switchover.
Conditions: Occurs on DMFR on SIP-200 in a high-availability setup, following an online insertion and removal (OIR) and the redundancy force switchover command.
Workaround: Enter hw-module module <no> reset on the new active supervisor.
•
Symptoms: A Cisco 7600 RP may crash.
Conditions: May occur when the following commands are entered in succession:
* no router bgp [AS]
* no ipv6 unicast-routing
Workaround: There is no workaround.
•
Symptoms: Traffic is denied even though inbound ACL is configured on EVC on ESM20 to permit the traffic.
Conditions: Occurs after the inbound ACL is changed from Layer 3 to Layer 4.
Workaround: Reload the device.
•
Symptoms: A label swap operation might be wrongly performed and the expected label is not swapped.
Example:
Router#show mpls for label 20Local Outgoing Prefix Bytes Label Outgoing Next HopLabel Label or VC or Tunnel Id Switched interface20 142 10.0.0.1/32 10 Gi1/610.0.2.1103 10.0.0.1/32 20 Gi1/1 10.0.2.5Router#show mls cef mpls label 20Codes: + - Push label, - - Pop Label * - Swap Label, E - exp1Index Local Label Out i/fLabel Op455 20 184(*),142(+) Gi1/6 , 0000.dead.beef158(*),103(+) Gi1/1 ,0000.c0ff.ffeeWhere we see the label swap becomes a label imposition.
Conditions: This has been seen under following conditions:
1) A Cisco 7600 running Cisco IOS Release 12.2(33)SRB4.
2) Load balancing of the destination prefix needs to exist.
Workaround: Clear the route.
•
Symptoms: The router may crash.
Conditions: Configure a PVC range and before hitting exit/end, perform an online insertion and removal (OIR) operation. Exit from the range mode. After the card comes up, try to go into the range configuration mode.
Workaround: Do not OIR while configuring a new range VCS.
•
Symptoms: Bulk-sync failure due to servicing incompatibility while configuring ip nhrp responder Loopback and removing the loopback after stateful switchover (SSO).
Conditions: Observed on a Cisco 7600 router running Cisco IOS Release 12.2(32.8.24)REC186 image.
Workaround: There is no workaround.
•
Symptoms: IP address is not assigned to the client on VPN routing/forwarding (VRF) from the DHCP server.
Conditions: This happens when we configure ip dhcp test relay link-selection 50.0.0.2 and ip dhcp relay override giaddr link-selection on the realy1 and relay2 respectively.
Workaround: There is no workaround.
•
Symptoms: Cisco 7200 may crash after an online insertion and removal (OIR) operation.
Conditions: Occurs when MFR bundle is in SW mode and OIR is performed on CJ-PA.
Workaround: There is no workaround.
•
Symptoms: Lost fragments seen on multilink.
Conditions: Occurs when 12 members are added to a multilink on a Cisco 7200 router.
Workaround: There is no workaround.
•
Symptoms: SIP-400 crashes at dev_ds26504_isr.
Conditions: SIP-400 will crash if connecting BITS port of SPA to a device which has mismatch in framing type configured on local end.
Workaround: Disconnect the port with a wrong framing type.
•
Symptoms: Slow memory leak occurs on Cisco Intelligent Services Gateway (ISG) during normal operations.
Conditions: Leak is observed if there is some error condition such as a mis-configuration in the user or service profile.
Workaround: There is no workaround.
•
Symptoms: When unidirectional Ethernet (UDE) is configured, UDLD configurations are nullified. On taking out UDE configs, the port should re-participate in UDLD. But is not happening here.
Conditions: The problem is seen if we configure udld port aggressive command.
Workaround: To use the global command udld enable.
•
Symptoms: Block overrun leading to crash. Issue is seen on the IT-SP-ISG system testbed with RSP720 and SIP-400 line cards. Issue is seen with scale sessions.
Conditions: The setup was running 24,000 PTA and 12,000 DHCP sessions with end-to-end traffic running.
Workaround: There is no workaround.
•
Symptoms: Packets are not routed across PPP over Frame Relay.
Conditions: Occurs during normal operations.
Workaround: There is no workaround.
•
Symptoms: The router crashes when a policy with fair-queue along with other queuing is attached to the port-channel sub-interfaces.
Conditions: This happens only with fair-queue + shaping + queue-limit is configured in the following order:
policy-map shape-llq-policyclass class-defaultshape average 80000 320 320random-detectfair-queuequeue-limit 10000 packets!Workaround: Configure in the following order:
policy-map shape-llq-policyclass class-defaultfair-queue------------------> configured fair-queue firstrandom-detect---------------->random-detect nextshape average 80000 320 320-------> shape-average nextqueue-limit 10000 packets-------------> queue-limit at last•
Symptoms: The parity errors are seen on a 4XOC3-ATM 1XOC3-ATM 1XOC12-ATM SPA while it is operational and plugged into SIP200 or SIP400 chassis with or without traffic running.
Conditions: No known conditions. Soft errors can happen any time due to environmental effects.
Workaround: There is no workaround.
•
Symptoms: In EMVPN scenario, high CPU utilization was observed when VPN routing/forwarding (VRF) select was used.
Conditions: This can be reproduced in any EMVPN scenario using VRF select.
Workaround: Stop using vrf select and use other means to configure EMVPN.
•
Symptoms: Multilink members go down on Cisco 7200 router.
Conditions: Occurs when members from second controller are added to multilink where first controller members are in the bundle.
Workaround: There is no workaround.
•
Symptoms: Without PMTU configured and the interface MTU is 1500 on the L2TPv3 uplinks, packets are not fragmented.
Conditions: Occurs with packets that require fragmentation between the L2TPv3 endpoints.
Workaround: There is no workaround.
•
Symptoms: MFR members are down.
Conditions: MFR members are stuck at add-sent when bundle moves from SW to HW.
Workaround: Perform a online insertion and removal (OIR) on the PA.
•
Symptoms: The show ip route vrf coke command has no framed route when applied to "ip-vrf".
Conditions: It happens when a framed-route attribute is downloaded from the AAA server and applied to "ip-vrf".
Workaround: To configure VRF in the user profile where template was used.
•
Symptoms: Tracebacks were seen while removing a port-channel.
Conditions: Occurs when port-channel is configured with "c-mac" bridge domain and port-channel is removed.
Workaround: Remove the "evcs" first before removing port-channel.
•
Symptoms: After executing no ip vrf <vrf>, the VRF may still be around, thus causing other VRF dependent CLI to be unconfigurable or lead to other unexpected behavior. One known issue is failed bulk sync, thus leading to unsuccessful switchover.
Conditions: This only affects MVPN setup.
Workaround: The user must unconfigure all VRF dependent CLI before removing VRF, otherwise it may lead to unsuccessful switchover or even crashes.
•
Symptoms: Cisco 7600 router with 12.2SRE software could reload when CFM D1 is configured.
Conditions: The issue is observed on a Cisco 7600 running Cisco IOS Release 12.2(33)SRE when an ingress LAN card is configured as a MIP with CFM D1.
Workaround: Use CFM D8 instead of CFM D1.
•
Symptoms: When a port-channel with MTP BD configuration (scaled to 1000) is removed and reconfigured, ES+ LC and SP crash.
Conditions: Port-channel with a member link should configured with multiple c-mac bridge-domains.
Workaround: Remove all EVCs or bridge-domains first, then remove the port-channel.
•
Symptoms: Multicast traffic is not forwarded across a Virtual Private LAN Services (VPLS) pseudowire.
Conditions: Occurs when ES20+ line card connects n-PE to CPE device. Problem occurs when bridge-domain VLAN is configured as L2 and IGMP snooping is enabled. For example:
interface Vlan100description VPLSno ip addressxconnect vfi HVPLSWorkaround: Disable IGMP snooping on the bridge-domain VLAN, or configure a routed pseudowire.
•
Symptoms: In some instances, when the Cisco 7600/RSP720/RP crashed and the core dump is configured to be created using FTP and RCP, the core dump recreation fails to complete.
Conditions: This symptom is observed in an MPLS VPN large topology network.
Workaround: There is no workaround.
•
Symptoms: When a large number of service groups are configured with multiple EVCs in them, the following anomaly can be observed. On doing online insertion and removal (OIR), some of the service groups (Layer 2 nodes) are configured in TMC which instead of in TMB. Before and after OIR output differs as below
Before OIR
*************Evee-dfc4#sh platform hardware qos np 0 queue resources np tm level groups entity ----------------------------------------------0 0 L4 4096/6 32768/16 0 0 L3 256/4 4096/6 0 0 L2 16/1 256/1 0 0 L1 32/1 32/1 ----------------------------------------------0 1 L4 4096/4081 32768/11732 0 1 L3 256/256 4096/4081 0 1 L2 8/1 256/256 0 1 L1 32/1 32/1 ----------------------------------------------0 2 L4 4096/3 32768/5 0 2 L3 256/2 4096/3 0 2 L2 8/1 256/2 0 2 L1 32/1 32/1After OIR
*************Evee-dfc4#sh platform hardware qos np 0 queue resources np tm level groups entity ----------------------------------------------0 0 L4 4096/6 32768/16 0 0 L3 256/4 4096/6 0 0 L2 16/1 256/1 0 0 L1 32/1 32/1 ----------------------------------------------0 1 L4 4096/1043 32768/2996 0 1 L3 256/67 4096/1043 0 1 L2 8/1 256/67 0 1 L1 32/1 32/1 ----------------------------------------------0 2 L4 4096/3041 32768/8741 0 2 L3 256/191 4096/3041 <<<<<<<<<<<<<<<<<<<<<<<<< 0 2 L2 8/1 256/191 <<<<<<<<<<<<<<<<<<<<<<<<< 0 2 L1 32/1 32/1Conditions: This happens with Ten Gigabit Ethernet interface and a large number of service groups and EVCs.
Workaround: One option is to keep scale below 250. Aside from that there is no workaround.
•
Symptoms: Pseudowires remain down when resetting the module after SSO.
Conditions: Occurs when module needs to be reset after SSO.
Workaround: There is no workaround.
•
Symptoms: Spurious memory access is seen while executing the command show memory dead after stateful switchover (SSO).
Conditions: MPLS needs to be configured.
Workaround: There is no workaround.
•
Symptoms: ES40 line card CPU remains high.
Conditions: The problem is seen only when you have scaled number of sessions (20,000 sessions) and while bringing up 2,000 sessions and tearing down 2,000 sessions simultaneously at 24 CPS rate.
Workaround: There is no workaround.
•
Symptoms: Standby is not coming up.
Conditions: When a distribute-list is configured, the ACL is created if it does not exist. Then remove the ACL, but the distribute-list configuration that ties to the ACL is not removed. Configure the IPv6 ACL configuration with the same ACL name. Save the configuration and reload it.
Workarounds:
1.
2.
Further Problem Description:
router bgp 100distribute-list sample inexitno ip access-list standard sampleipv6 access-list samplepermit any anywrite mem•
Symptoms: WS-X6704-10GE module running c6lc2-sp-m.122-33.SRC4 code may crash due to memory corruption.
Conditions: MPLS-TE Fast Reroute (FRR) should be enabled.
Workaround: There is no workaround.
•
Symptoms: Standby not coming up when snmp-server enable traps command is configured
Conditions: The Standby fails to reach Standby HOT when snmp-server enable traps is configured.
Workaround: Do not configure this command.
•
Symptoms: EoMPLS VC on TE tunnel does not comes up after switchover.
Conditions: Occurs after a stateful switchover (SSO).
Workaround: There is no workaround.
•
Symptoms: Bulk sync failure and high-availability router goes to RPR mode from SSO mode.
Conditions: Occurs when MVPN with MDT data is configured along with access-list option. If the access-list is removed and recreated with different type of ACL. In this condition if a forced switchover happens there will be a sync failure
Workaround: Remove the MDT data configuration and reload the router.
•
Symptoms: The pseudowire goes down when reapplying xconnect under a sub-interface.
Conditions: This happens when reapplying the xconnect to sub-interface which already has xconnect configured.
Workaround: There is no workaround.
•
Symptoms: Cisco 7600 high availability router goes to RPR mode from SSO when forced switchover is performed.
Conditions: Occurs when ip multicast vrf <vrf1> rpf select <vrf2> command is configured. Later if the vrf2 is deleted and a forced switchover is done, router goes to RPR mode.
Workaround: Create the "vrf2" again and remove the ip multicast vrf <vrf1> rpf select<vrf2> first, followed by save and reboot.
•
Symptoms: BGP Sessions are taking longer to come up in scale scenario.
Conditions: Occurs after reloading the router.
Workaround: There is no workaround.
•
Symptoms: Memory leak of AAA cursor.
Conditions: Install interface configuration using AAA on PPPoE session (such as lcp: interface-config).
Workaround: There is no workaround.
•
Symptoms: SIP200 CPU 1 crash as indicated below.
SLOT 4: Aug 16 14:42:52.115 KSA: %R4K_MP-3-CRASHED: CPU 1 has now crashed a total of 1 timesConditions: There is no specific trigger to this problem. It happens randomly and recovers on its own.
Workaround: There is no workaround.
•
Symptoms: In some instances, a Cisco 7600/SP crashed when all the VRFs in MPLS L2/L3 network are unconfigured.
Conditions: This symptom is observed in MPLS L2/L3 VPN scaled network when all the VRFs are unconfigured.
Workaround: There is no workaround.
•
Symptoms: Cisco 7600 ES+ interface will not accept policy map with "random-detect cos-based" statement.
Conditions: CLI configuration is rejected on main interface of an ES+ line card.
Workaround: There is no workaround.
•
Symptoms: After entering the EXEC command clear xconnect all, and then performing a Stateful Switchover (SSO) on the Cisco 7600, packets stop flowing via HDLC over Any Transport over MPLS (AToM) pseudowires.
Conditions: This symptom has been observed with Cisco IOS Release 12.2SRE.
Workaround: Enter clear xconnect all after switchover.
•
Symptoms: In show spanning-tree mst output, all links are in forwarding state.
Conditions: This happens with EVC bridge domain configuration if the ports have EVCs with encapsulation untagged or default configured. Happens only on ESM20 cards.
Workaround: Enable CFM globally using ethernet cfm enable.
•
Symptoms: Router may crash while unconfiguring QoS 2 level service policy from "frame relay" interface.
Conditions: Cisco 7200 Series Router Cisco IOS Release 12.2(33)SRE may crash while unconfiguring QoS 2 level service policy from Frame-relay interface and configuring frame-relay fragment end-to-end and pinging with large size packet.
Workaround: There is no workaround.
•
Symptoms: The mpls propagate-cos command may not function correctly on a Cisco 7600 router.
Conditions: This was observed on several Cisco 7600s running Cisco IOS Release 12.2(33)SRC.
Workaround: Remove and reapply the mpls propagate-cos command.
•
Symptoms: In a HA router, standby keeps on rebooting during switchover.
Conditions: This is seen when we configure RIP with a standard access-list in offset-list, followed by deleting the access-list and creating an IPv6 access-list with the same name.
Workaround: Avoid creating IPv6 access-list with the same name of an IPv4 named access-list.
•
Symptoms: In MPLS VPN scenario, if it happens that default route known via RIP in VRF is looping, route might stay in RIB.
Conditions: Issue observed in Cisco IOS Release 12.2(33)SRC4 and 12.2(33)SRC5.
Workaround: Clear VRF routing table of with the clear ip route vrf <name> * command.
•
Symptoms: On a Cisco 7600 router with a large number of VCs and VLANs, traffic stops forwarding traffic for several seconds while standby supervisor is booting.
Conditions: Occurs on a router running Cisco IOS Release 12.2(33)SRC4.
Workaround: There is no workaround.
•
Symptoms: The traceroute mac <src_mac> <dst_mac> command can cause a software crash on a Cisco 7600 router when configured with a large number of VLANs.
Conditions: This occurs on a Cisco 7600 router running Cisco IOS Release 12.2(33)SRC4.
Workaround: Do not use the traceroute mac <src_mac> <dst_mac> command. Use a specific VLAN ID when using this command.
•
Symptoms: If PVC Discover is configured, PVCs may not be discovered and some other VCs may disappear from interface.
Conditions: Occurs after a crash or online insertion and removal (OIR) operation.
Workaround: There is no workaround.
•
Symptoms: Router reloads due to watchdog timer expiration.
Conditions: Occurs on a Cisco 7301 running Cisco IOS Release 12.2(33)SRC4 image with Bidirectional Forwarding Detection (BFD) configured.
Workaround: There is no workaround.
•
Symptoms: Standby unit keeps reloading after forced switch-over.
Conditions: Occurs in redundancy system when user renames a call-home profile to an empty string using the rename command under call-home configuration submode.
Workaround: Do not rename a call-home profile name to empty string.
•
Symptoms: Some BGP prefixes are not advertised to their relevant BGP peers until a soft clear is done.
Conditions: Occurs on a Cisco 7600 running Cisco IOS Release 12.2(33)SRB6 and configured for MPLS VPN.
Workaround: There is no workaround.
•
Symptoms: Per-user ACL is not getting synced with standby.
Conditions: Occurs during normal operations. No specific trigger.
Workaround: There is no workaround.
•
Symptoms: After bringing up a port-channel that has been in err-disabled state, traffic stopped flowing in one VLAN.
Conditions: This has been observed on Cisco 7600 with ES20 module running Cisco IOS Release 12.2(33)SRC4.
Workaround: This issue can be solved by shut/no shut of the affected Vlan interface.
•
Symptoms: Multicast traffic is not forwarded after LACP switchover.
Conditions: For some port combinations on same line card or on different line cards in a port-channel case, multicast traffic does not flow after LACP switchover.
Workaround: Enter the clear ip mroute <option> command.
•
Symptoms: CPU usage goes to 100% with main offending process being "XDR mcast". In addition, output for show xdr linecard internal shows constantly increasing totals for Etherbridge domain MAC security.
Conditions: Seen in a topology that has numerous bridge-domain c-MAC instances configured on it.
Workaround: In some instances it has been seen that shutting the router's TFTP interface may reduce the CPU usage.
•
Symptoms: Traceback is seen when ISSU commit version is performed.
Conditions: Issue is seen with default configuration and under no traffic conditions.
Workaround: There is no workaround. Occurs only with ISSU.
•
Symptoms: Some commands with large outputs allow the use of ctrl-^ to stop the output before completion. This can cause a crash.
Conditions: Unknown at this time.
Workaround: Enter the no parser command serializer command.
•
Symptoms: If a port channel is enabled with standalone-disable and some non-default native VLAN, and if any peer bundled port is unbundled from the port channel, then the respective local port goes into "s" state as per the design. But when the peer port is bundled again, the local port does not recover from "s" state to "P" state.
Conditions: Port-channel standalone-disable and a non-default native VLAN need to be configured on the port-channel. The problem only happens if one of the port is put in suspended state.
Workaround: A shutdown, no shutdown is required to get the port bundled into the port-channel.
•
Symptoms: The system crashes if the port-channel is removed while it is serving data traffic.
Conditions: Port-channel is configured with the member links in it. The traffic is sent through the port-channel. If the port-channel is removed, the system sometimes crashes.
Workaround: There is no workaround.
•
Symptoms: Layer 2 protocols on MTP EVC do not get forwarded as data.
Conditions: Occurs when the l2protocol forward command is configured.
Workaround: There is no workaround.
•
Symptoms: LDP release messages were seen multiple times on a Cisco 7600 P3 router running Cisco IOS Release 12.2(33)SRD.
P3#
*Oct 19 04:00:29: %TIB-5-WDRAWTAG: 10.9.155.0/24, tag 18656; Withdrawn tag record has timed out.*Oct 19 04:00:30: %TIB-5-RELTAG: 10.9.155.0/255.255.255.0, peer 192.168.2.4:0; tag 18656; Unexpected LDP label release; specified label not in TIBConditions: At that time router was consuming 396,000 routes in CEF table, which was consuming 95% of memory.
Workaround: There is no workaround.
•
Symptoms: In a HA router during switch-over, standby keeps on rebooting.
Conditions: This issue happens when we configure a NULL route-map for redistribution under router IS-IS.
Workaround: Use a valid route-map name.
•
Symptoms: Traffic is not forwarded in LSM P2MP setup. This problem is seen after the router is booted up.
Conditions: The problem is seen in LSM P2MP setup where egress line card is different from ingress line card.
Workaround: The problem can be prevented by configuring tunnel mpls traffic-eng fast-reroute on the P2MP tunnel interface.
If the problem is still noticed, then it can be fixed by one of following steps.
1) Programming the FPOE table by using test fpoe index <index> value <value>.
2) Resetting ingress line card.
•
Symptoms: Error message stating "Can't install service policy with empty name" is displayed.
Conditions: When an invalid service policy is pushed from the DBS on to the VC, the error message is thrown and the policy on the VC does not fall to the default.
Workaround: There is no workaround.
•
Symptoms: A Cisco 7600 router may fail to process ingress Link Integrity Protocol messages on MFR serial link members, which will disallow Multilink Frame Relay interfaces from enabling.
Conditions: Occurs on a Cisco 7600 router with SUP-720-3BXL and OSM CHOC12, and running Cisco IOS Release 12.2(33)SRC and 12.2(33)SRD. This issue happens when MFR serial members are configured on CHOC12 OSM but may also occur on other line cards.
Workaround: There is no workaround.
•
Symptoms: After upgrade, device has its T1 link go UP/Down after a period of normalcy.
Conditions: Occurs on a Cisco 7609 with a channelized SPA-4XCT3/DS0 on a SIP-200 and running Cisco IOS Release 12.2(33)SRD3.
Workaround: Problem is resolved with a flap of the service-policy on the T1, but issue will reoccur.
•
Symptoms: A Cisco 7600 HA router changes its state from SSO to RPR after a forced switchover with maximum timer configured under ODR.
Conditions: Timer basic is configure to maximum value 4294966. After saving the configuration followed by a forced switchover, the router moves to RPR state.
Workaround: There is no workaround.
•
Symptoms: Router crashes due to memory corruption during MPLS TE auto backup tunnel deletion.
Conditions: Caused by topology changes triggering backup tunnel deletion and RSVP hello mechanism.
Workaround: Gloablly, disable RSVP hello and enable BFD hello:
Router(config)#no ip rsvp signalling helloRouter(config)#ip rsvp signalling hello bfdPer MPLS TE enabled interface:Router(config-if)#no ip rsvp signalling helloRouter(config-if)#ip rsvp signalling hello bfd•
Symptoms: High CPU utilization occurs.
Conditions: Session churn.
Workaround: The following global configuration has helped in reducing CPU usage:
no parser command serializerip routing protocol purge interfaceFurther Problem Description: CPU usage will remain high under normal conditions given a constant churn rate of approximately 24 CPS coming up and down.
•
Symptoms: ES+/Combo card crashes when we remove member links of EVC port-channel.
Conditions: This issue is seen only with scaled configuration with 4,000 EVCs configured on the port-channel and HQoS policy-map is applied on each EVC. This issue is very inconsistent and is not seen with 1,000 EVCs on Port-channel and HQoS policy-map applied on it.
Workaround: There is no workaround.
•
Symptoms: Crash due to bus error seen with spurious memory access.
%ALIGN-1-FATAL: Illegal access to a low address<TIME> IST <DATE> addr=0x<LOW MEMORY ADDRESS>, pc=0x<STACK VALUE>, ra=0x<MEMORY ADDRESS>, sp=0x<STACK POINTER><TIME> IST <DATE>: TLB (store) exception, CPU signal 10, PC = 0x<STACK VALUE>Conditions: Normal conditions.
Workaround: There is no workaround.
•
Symptoms: Link flap/down of PA-MC-T3E3-EC interface.
Conditions: Occurs when changing encapsulation after reload.
Workaround: Perform a online insertion and removal (OIR) of the PA.
•
Symptoms: Very low rate of packet inputs compared to the rate of packet outputs.
Conditions: Occurred on a 7600-SIP-400 with a sub-module of SPA-4XOC3-ATM.
Workaround: Reset the entire 7600-SIP-400 module to clear the issue.
•
Symptoms: MPLS packets are software switched when port-channel interfaces are the MPLS interfaces. Affects tag-to-tag traffic.
Conditions: Issue is seen after the router is upgraded to Cisco IOS Release 12.2(33)SRD3. The MTU for the MLS CEF adjacency for the MPLS label is misprogrammed and shows up as 0. Should see "MTU failures" incrementing in show mls stat.
Workaround: Flap the interface.
•
Symptoms: Seeing traffic forwarding drop randomly in L3VPN P2MP testing when doing fast reroute (FRR) test. Tunnels are up, but hardware does not forward traffic.
Conditions: Occurs with L3VPN P2MP bud node router.
Workaround: There is no workaround.
•
Symptoms: When removing VRF configuration on remote PE, local PE receives withdraw message from remote PE to purge its MDT entry. However, local PE does not delete the MDT entry.
/// Topology ///
iBGP
<------------------->
12.2(33)SB7 12.0(27)S4a
1.1.1.1/32 2.2.2.2/32
PE1(UUT) ------------ PE2
PE1 receives MDT entry from PE1 and PE2.
Please focus a entry of "2.2.2.2/32" from PE2.
PE-1
------
PE1-PRE2#PE1-PRE2#sh ip bgp ipv4 mdt allBGP table version is 13, local router ID is 1.1.1.1Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,r RIB-failure, S StaleOrigin codes: i - IGP, e - EGP, ? - incompleteNetwork Next Hop Metric LocPrf Weight PathRoute Distinguisher: 1:1 (default for vrf V1)*> 1.1.1.1/32 0.0.0.0 0 ?*>i2.2.2.2/32 2.2.2.2 0 100 0 ? <<<---- HERE*>i3.3.3.3/32 3.3.3.3 0 100 0 ?---To trigger the issue, vrf configuration is remove on PE2. You can see that PE2 sends withdraw message to PE1(1.1.1.1).
PE-2
------
PE2-PRE1#PE2-PRE1#PE2-PRE1#conf termEnter configuration commands, one per line. End with CNTL/Z.PE2-PRE1(config)#PE2-PRE1(config)#no ip vrf V1Tunnel interface was deleted. Partial configuration may reappear on reuse.% IP addresses from all interfaces in VRF V1 have been removedPE2-PRE1(config)#PE2-PRE1(config)#*Nov 9 12:29:35.447: %LINK-5-CHANGED: Interface Tunnel3, changed state to administratively down*Nov 9 12:29:36.467: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel3, changed state to downPE2-PRE1(config)#PE2-PRE1(config)#endPE2-PRE1#PE2-PRE1#*Nov 9 12:30:05.435: BGP(2): nettable_walker 2:1:1:2.2.2.2/32 no best path*Nov 9 12:30:05.435: BGP(2): 1.1.1.1 send unreachable 2:1:1:2.2.2.2/32*Nov 9 12:30:05.435: BGP(2): 1.1.1.1 send UPDATE 2:1:1:2.2.2.2/32 -- unreachable <<--- HERE*Nov 9 12:30:05.435: BGP(2): updgrp 1 - 1.1.1.1 enqueued 1 updates, average/maximum size (bytes) 45/45PE2-PRE1#PE2-PRE1#PE2-PRE1#sh ip vrfPE2-PRE1#---The MDT entry(2.2.2.2/32) is not deleted even if PE1 indeed receives withdraw message from PE2. "clear ip bgp *" would be needed to purge the MDT entry.
PE-1
------
PE1-PRE2#*Nov 9 12:29:34.323: BGP:from:3 to:4 update format 1:1:3.3.3.3/0 MDT grp 239.0.0.1 pfxptr->masklen 96*Nov 9 12:29:34.323: BGP:from:3 to:4 update format 1:1:1.1.1.1/0 MDT grp 239.0.0.1 pfxptr->masklen 96*Nov 9 12:29:34.323: BGP(4): 2.2.2.2 send UPDATE (format) 2:1:1:1.1.1.1/32, next 1.1.1.1, label 0, metric 0, path Local*Nov 9 12:29:34.323: BGP:from:3 to:4 update format 1:1:2.2.2.2/0 MDT grp 239.0.0.1 pfxptr->masklen 96*Nov 9 12:29:34.323: BGP(4): updgrp 1 - 2.2.2.2 updates replicated for neighbors:*Nov 9 12:30:05.799: BGP(4): 2.2.2.2 rcv UPDATE about 1:1:2.2.2.2/64 -- withdrawn, label 3 <<--- HERE*Nov 9 12:30:05.799: BGP: 2.2.2.2 Modifying prefix 1:1:2.2.2.2/64 from 4 -> 3 addressPE1-PRE2#PE1-PRE2#sh ip bgp ipv4 mdt allBGP table version is 13, local router ID is 1.1.1.1Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,r RIB-failure, S StaleOrigin codes: i - IGP, e - EGP, ? - incompleteNetwork Next Hop Metric LocPrf Weight PathRoute Distinguisher: 1:1 (default for vrf V1)*> 1.1.1.1/32 0.0.0.0 0 ?*>i2.2.2.2/32 2.2.2.2 0 100 0 ? <<---- HERE*>i3.3.3.3/32 3.3.3.3 0 100 0 ?PE1-PRE2#PE1-PRE2#PE1-PRE2#clear ip bgp *PE1-PRE2#*Nov 9 12:31:22.043: %BGP-5-ADJCHANGE: neighbor 2.2.2.2 Down User reset*Nov 9 12:31:22.043: %BGP_SESSION-5-ADJCHANGE: neighbor 2.2.2.2 VPNv4 Unicast topology base removed from session User reset*Nov 9 12:31:22.043: %BGP_SESSION-5-ADJCHANGE: neighbor 2.2.2.2 IPv4 MDT topology base removed from session User reset*Nov 9 12:31:22.043: %BGP-5-ADJCHANGE: neighbor 3.3.3.3 Down User reset*Nov 9 12:31:22.043: %BGP_SESSION-5-ADJCHANGE: neighbor 3.3.3.3 VPNv4 Unicast topology base removed from session User reset*Nov 9 12:31:22.043: %BGP_SESSION-5-ADJCHANGE: neighbor 3.3.3.3 IPv4 MDT topology base removed from session User reset*Nov 9 12:31:22.555: %BGP-5-ADJCHANGE: neighbor 3.3.3.3 Up*Nov 9 12:31:22.563: BGP(3): 3.3.3.3 rcvd UPDATE w/ attr: nexthop 3.3.3.3, origin ?, localpref 100, metric 0*Nov 9 12:31:22.563: BGP(3): 3.3.3.3 rcvd 1:1:3.3.3.3/32PE1-PRE2#PE1-PRE2#PE1-PRE2#sh ip bgp ipv4 mdt allBGP table version is 1, local router ID is 1.1.1.1Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,r RIB-failure, S StaleOrigin codes: i - IGP, e - EGP, ? - incompleteNetwork Next Hop Metric LocPrf Weight PathRoute Distinguisher: 1:1 (default for vrf V1)* i3.3.3.3/32 3.3.3.3 0 100 0 ?---Conditions:
–
–
See the MDT SAFI document:
Workaround: There is no workaround.
•
Symptoms: RP crashed after executing no import ipv4 unicast map filter.
Conditions: BGP import events debugging is on with do debug ip bgp import event.
Workaround: Do not enable debug ip bgp import event or debug ip bgp import update.
•
Symptoms: Router gets into APS channel mismatch state.
Conditions: Observed with MGX connected as APS peer, when both MGX cards (active and standby) are reloaded simultaneously.
Workaround: Force APS switchover.
•
Symptoms: There is a risk to introduce inconsistency between hardware routing table (MLS CEF) and software table (IP CEF) in some VRFs. Some interfaces in affected VRF may also be seen as part of other VRFs.
Conditions: Occurs when modifying route-map sequence of a route-map applied to an interface with PBR VRF select.
Workaround: Enter the clear ip route vrf xxx * command. Or you can perform a shut/no shut on the affected subinterfaces.
•
Symptoms: There are MPLS TE tunnels from PE1/2 to P2 and from PE3/4 to P1 using load-sharing. Issue started once second multilink was configured between P routers. PE routers started to observe inconsistencies between MLS CEF and routing tables. Bogus MLS entries are created.
Conditions: This was found under the normal conditions on a Cisco 7600 router with SUP32 with PFC2 and MSFC2a. This router is PE and running Traffic Engineering tunnels to the core with load sharing configured. Two PPP multilinks are used in the core.
Workaround: Enter the clear ip route command to temporarily resolve the issue.
Resolved Caveats—Cisco IOS Release 12.2(33)SRE
All the caveats listed in this section are resolved in Cisco IOS Release 12.2(33)SRE. The caveats listed in this section are open in Cisco IOS Release 12.2(33)SRD.
•
Symptoms: A Cisco 6500 and Cisco 7600 may rarely and unexpectedly reload with the following error message on the SUP:
%RPC-SP-2-FAILED: Failed to send RPC request online_diag_sp_request:get_rp_cpu_info.Conditions: This occurs very rarely when the MSFC or RP is too busy processing an event and can not respond to the RPC from the SUP. This is seen only on systems that run native Cisco IOS.
Workaround: There is no workaround.
•
Symptoms: It may take a long time for the IPSec router to detect that the CA server is down while trying to reach it for CRL retrieval.
Conditions: The symptom is observed on a LAN-to-LAN IPSec tunnel between two routers, where one router is configured for CRL checking.
Workaround: The situation may be slightly improved by lowering the "tcp synwait" value, for example: ip tcp synwait-time 5
•
Symptoms: Entering the debug ipv6 ospf lsa-generation may crash the router if LSA with max-age is generated.
Conditions: Occurs after clear ospfv3 proc along with debug ospfv3 lsa-gen enabled.
Workaround: Do not use this debug command.
•
Symptoms: A Cisco 10000 crashes at igmp-process:
Cisco IOS Software, 10000 Software (C10K2-P11-M), Version 12.3(7)XI2b, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2005 by Cisco Systems, Inc. Compiled Sat 08-Jan-05 16:25 by <software engineer>ROM: System Bootstrap, Version 12.0(20020314:211744) [REL-pulsar_sx.ios- rommon 112], DEVELOPMENT SOFTWAREr-pa068 uptime is 19 hours, 58 minutes System returned to ROM by RPR switchover at 19:03:47 MET Mon Jan 24 2005 System restarted at 19:07:22 MET Mon Jan 24 2005 System image file is "disk0:c10k2-p11-mz.123-7.XI2b"Conditions: This symptom is observed during 7xi2b monitoring.
Workaround: There is no workaround.
•
Symptoms: The implementation of IPv6 scope support in the Bootstrap Router (BSR) mechanism may cause interoperability problems.
Conditions: This symptom occurs because the specification of IPv6 scope support in the BSR mechanism has changed in the latest IETF draft:
http://www.ietf.org/internet-drafts/draft-ietf-pim-sm-bsr-05.txt
Workaround: Do not use IPv6 scope support in the BSR mechanism.
•
Symptoms: A Cisco 7200 series does not load an image and generates a traceback.
Conditions: This symptom is observed on a Cisco 7200 series that runs Cisco IOS Release 12.4(1), that is configured with an NPE, and that has the L3 cache disabled. The symptom may also occur in other releases.
Workaround: Enable the L3 cache by entering the no l3 cache disable command.
•
Symptoms: Terminal window PPP clients may fail with Cisco Access servers.
Conditions: This symptom has been observed on Cisco AS5400 gateways and Cisco AS5800 servers.
Workaround: There is no workaround.
•
Symptoms: The CPU usage may be high, and an IGP (OSPF or IS-IS) adjacency may drop when PIM sparse mode (PIM-SM) stress traffic is being processed.
Conditions: This symptom is observed on a Cisco router that connects to a receiver and that has 60,000 (s,G) join messages. The symptom occurs when you enter the show ip mroute count command or when there is an abrupt increase in multicast groups.
Workaround: Do not enter the show ip mroute count command. Rather, enter the show ip mroute count terse command. Increase multicast groups gradually to avoid high CPU usage. In addition, the following actions may also help to alleviate the symptoms:
- Enter the ip pim register-rate-limit command on the first hop.
- Enter the ip pim fast-register-stop on the PIM-RP.
- Disable RP rate-limiting commands on the PIM-RP and first hop.
•
Symptoms: A router that is running Cisco IOS software may mistakenly fail a CRC check on files in NVRAM.
Conditions: This symptom has been observed with large files, such as large startup configurations.
Workaround: There is no workaround.
•
Symptoms: After configuring Multicast and applying the crypto map command, traffic can't go through from the second Ethernet interface to the same group. However, traffic goes through fine from the first Serial interface.
Conditions: The symptom has been observed in Cisco IOS interim Release 12.4 (5.13)T2.
Workaround: There is no workaround.
•
Symptoms: The vlan-id is not propagated in the NAS Port ID field when the PPPoE over VLAN call is up.
Conditions: The symptom is observed when using both configurations (main interface and sub-interface) for PPPoE over VLAN. The NAS Port ID value shows correctly while using the sub-interface configuration but incorrectly when using the main interface. The main interface used for PPPoE over VLAN is shown below:
interface Ethernet1/0 no ip address vlan-id dot1q 4 pppoe enable group global exit-vlan-config
The expected NAS Port ID is 1/0/0/4 but 1/0/0/0 is received.
Workaround: There is no workaround.
Further Problem Description: This will impact AAA as this information should be updated by PPP to AAA.
•
Symptoms: Border Gateway Protocol (BGP) next hop may fail after BGP neighbor send-label is configured.
Conditions: Occurs when Carrier support carrier(CSC) is used. If the EBGP session to one site goes down and up the PE doesn´t send the transport label information to the other site´s. It sends only the route with an imp-null label and so the CSC-CE has the route without a label in his cef-table.
This condition has been observed in routers running Cisco IOS Release 12.4(6)T4, 12.2(31)SB11 and 12.2(33)SRC1.
Workaround: Applying a route-map to the bgp neighbour with assigns a soo community to the prefix prevents this problem to occur.
•
Symptoms: Router crashes with a traceback decode showing a divide by 0 error.
Conditions: Occurs when a rate-based event is configured for a counter that has a value of 0, such as the following scenario:
1. The customer must be using a Cisco IOS Embedded Event Manager (EEM) rate-based Interface Event Detector (either applet or Tcl script). Rate-based means use of the "rate" keyword in the event specification statement.
2. The rate calculation is attempted after the counters are cleared and before any samples have been taken.
Workaround: There is no workaround.
•
Symptoms: A duplicate PIM register encapsulation tunnels may be created for a static rendezvous point.
Conditions: This symptom is observed on a Cisco router that is configured for IPv6 multicast when you configure a static rendezvous point after having disabled an embedded rendezvous point.
Workaround: Configure the static rendezvous points while the embedded rendezvous point is enabled and then disable the embedded rendezvous point.
•
Symptoms: The IPv6 PIM register encapsulation tunnel does not come up after a switchover. The PIM Register mechanism does not work for sources directly connected to the router.
Conditions: This symptom has only been observed when the ipv6 pim register-source global configuration command is configured.
Workaround: After switchover, unconfigure and re-configure the ipv6 pim register-source command.
•
This caveat consists of two symptoms, two conditions, and two workarounds:
Symptom 1: Multicast packets that traverse a Frame Relay virtual circuit (VC) bundle are dropped.
Condition 1: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.0S.
Workaround 1: There is no workaround.
Symptom 2: Multicast packets that traverse a Frame Relay virtual circuit (VC) bundle are process-switched.
Condition 2: This symptom is observed with Cisco IOS Release 12.3.
Workaround 2: There is no workaround.
•
Symptoms: The standby supervisor in SSO mode system reloads.
Conditions: Setting stpxMSTInstanceEditVlansMap to a VLAN causes standby causes supervisor in SSO mode to reload.
Workaround: There is no workaround.
•
Symptoms: The backup configurations that are generated by the Archive feature may be truncated.
Conditions: This symptom is observed when you reload the router with the Archive feature enabled.
Workaround: Enter the privileged mode.
•
Symptoms: A Cisco 7200 series router reloads unexpectedly while configuring BGP access list.
Conditions: This symptom is observed on a Cisco 7206VXR (NPE-G1) processor (revision A). The following commands serve as an example that causes router to reload unexpectedly:
config t router bgp 100 neighbor EXTERNAL route-map MAP3 out address-family ipv4 multicast neighbor EXTERNAL route-map MAP3 out ! ip as-path access-list 1 deny ^$ ip as-path access-list 2 permit ^(700)+(_1123)|_2374$|^(_700)+(_2374)+ (_1123)+$ ip as-path access-list 3 permit _3400_ ip as-path access-list 4 permit ^(700)+(_3400)|_1123$|^700$|_23[0-9]$ ! route-map MAP3 permit 10 match as-path 1 ! route-map MAP3 deny 20 match as-path 2 ! route-map MAP3 permit 30 match as-path 3 ! route-map MAP3 permit 40 match as-path 4 set metric 300 endWorkaround: There is no workaround.
•
Symptoms: Core dump occurs.
Conditions: When running command show ip cef with feature lfd summary.
Workaround: Do not use this command.
•
Symptoms: The following BIT-OUTOFRANGE error message and traceback information may be displayed:
1d21h: %BIT-SP-4-OUTOFRANGE: bit 127 is not in the expected range of 128 to 2175 -Traceback= 40D8A8B0 40D8ADFC 40512B4C 407A8118 40CC5838 404B5978 404B5C84term mConditions: Occurs on a Catalyst 6500 if an SNMP walker utility sends bridge port number 0 to the switch.
Workaround: Configure the SNMP walker utility to get MIB objects starting from bridge port number 1.
•
Symptoms: Scan of a router when a DNS server is enabled can cause high CPU usage of the DNS process itself. Overall performance of the device can deteriorate to some extent.
Conditions: This symptom has been observed on a router when a DNS server is enabled when running Cisco IOS software from Cisco IOS interim Release 12.4 (11.1)T up to but not including Cisco IOS interim Release 12.4(13.08)T.
Workaround: The only way to rectify this situation is to reboot the device.
•
Symptoms: When a Demilitarized Zone (DMZ) port is configured on a router, autoinstall does not function.
Condition: This symptom is observed on a Cisco 830 series that runs Cisco IOS Release 12.4 or Release 12.4T when you use Fast Ethernet (FE) port 0, port 1, port 2, or port 3 instead of port 4 that is linked to the Ethernet 2 interface that is used as the DMZ port. The Ethernet 2 interface receives the IP address via DHCP, but because FE port 4 is in the down/down state, autoinstall does not function.
The following is an example of the configuration:
AUTOINSTALL: Ethernet2 is assigned <ip add 1> AUTOINSTALL: Obtain tftp server address (opt 150) <ip add 2>! interface Ethernet0 no ip address shutdown ! interface Ethernet2 ip address dhcp endWhen the symptom occurs, the output of the show ip interface brief shows the following:
Interface IP-Address OK? Method Status Protocol FastEthernet1 unassigned YES unset down down FastEthernet2 unassigned YES unset up up FastEthernet3 unassigned YES unset down down FastEthernet4 unassigned YES unset down down Ethernet0 unassigned YES unset administratively down down Ethernet2 <ip add 1> YES DHCP down downWorkaround: Use FE port 4 that is linked to the Ethernet 2 interface and that is used as the DMZ port.
Further Problem Description: For information about the DMZ port, see the Demilitarized Zone (DMZ) Port document:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5413/products_feature_guide0 9186a0080235e23.html
•
Symptoms: A Cisco 10000 series may drop MPLS packets from an ingress interface.
Conditions: This symptom is observed on a Cisco 10000 series that runs Cisco IOS Release 12.2(28)SB or a later release after an FSU has occurred on a neighboring router.
Workaround: Enter the microcode reload pxf command on the Cisco 10000 series.
•
Symptoms: A Cisco c7206VXR NPE-G2 router with SA-VAM2+ card may cause router crash. After a period of time in operation, depending on the Cisco IOS version, the error message can be seen multiple times before crashing.
-Process= "Crypto Support", ipl= 4, pid= 154 -Traceback= 0x1408008 0xAE28 0x33387C 0x33544C 0x1A882D8 0x1A87DF8 0x2CCF9BC 0x2DD6900 0x782670Conditions: There is no specific trigger for this. It happens randomly.
Workaround: There is no workaround.
•
Symptoms: Traffic via ATM interface is software switched.
Conditions: The symptom is observed if the ATM interface has both IPv4 and IPv6 addresses configured.
Workaround: There is no workaround.
•
Symptoms: On a pseudowire that is configured on an OC-12 ATM interface, when you delete the oam-ac emulation-enable command, enter the write memory command, and then initiate an SSO switchover, the new standby PRE continues to reboot because of a configuration mismatch with the new active PRE.
Conditions: This symptom is observed on a Cisco 10000 series when the new active PRE has the oam-ac emulation-enable command in its configuration but the new standby PRE does not, causing a configuration mismatch. The symptom may not be platform-specific.
Workaround: Reload the new active PRE, then remove the oam-pvc manage 0 command from its configuration.
•
Symptoms: A Cisco 7200P router crashes while removing an IPv6 Protocol Independent Multicast (PIM) bootstrap router (BSR) candidate from the configuration.
Conditions: This symptom is observed when the IPv6 PIM BSR candidate is unconfigured.
Workaround: There is no workaround.
Further Problem Description: After RP information is learned on all of the routers, delete the ACL first and then the BSR candidate.
•
Symptoms: Interface is reported by Optimized Edge Routing (OER) as being an invalid interface for sending an active probe.
Conditions: Occurs on an Optimized Edge Routing (OER) border router with an external interface defined as a tunnel interface (mGRE).
Workaround: There is no workaround.
•
Symptoms: Router experiences memory leak.
Conditions: Occurs when the router is a group domain of interpretation (GDOI) member and encrypts bulk rate multicast traffic. If the user enters the clear crypto sa command to delete all of the IPsec SAs, the memory leak occurs.
Workaround: Either avoid using multicast fast switch or do not manually clear bulk GDOI SAs.
•
Symptoms: When a bidir PIM, with no directly connected receivers, router has to change its RPF interface to the RP, multicast traffic could be lost for up to 60 seconds.
Conditions: This symptom occurs if the connection to the first RP is lost and the middle router changes its RPF for its bidir upstream interface. The middle router then restarts the election process on all DF interfaces, and purges the interface point in the leaf router out its OI @L. That interface will only get repopulated upon a periodic state refresh from the leaf router because the leaf router does not have an RPF change and therefore has no reason to send a triggered Join.
Workaround: There is no workaround.
•
Symptoms: MPLS LDP autoconfig functionality is broken in OSPF.
Conditions: This symptom is observed in the following two scenarios:
- When adding all areas via the mpls ldp autoconfig command and removing a specific area via the no mpls ldp auto area X command, LDP is disabled.
- If you disable LDP autoconfig completely and enable the mpls ldp autoconfig command for all OSPF areas, LDP does not come up until you enable the specific area X via the mpls ldp autoconfig area X command.
Workaround: Enable the specific area with the following command:
mpls ldp autoconfig area X
•
Symptoms: An alignment error may occur.
Conditions: This symptom is observed when using the v9 export protocol with Flexible Netflow.
Workaround: There is no workaround.
•
Symptoms: IGMP groups in the VRF not rejoined after executing cle ip mr vrf.
Conditions: This symtom observed on Cisco 7200 and 7600 platforms in Cisco IOS Release 12.2(32.8.11)SX96 and above.
Workaround: There is no workaround.
•
Symptoms: A router may reload when you unconfigure a sub-interface or loopback interface.
Conditions: This symptom is observed when IGMP is enabled in the interface which is being deleted and a multicast group is joined to the interface using ip igmp join-group group address command.
Workaround: The problem can be avoided when you delete a sub-interface or loopback interface after unconfiguring ip igmp join-group group address command from interface configuration mode and IGMP is disabled on the interface.
•
Symptoms: Router might crash if masklen and prefix have not been set and passed to CEF.
Conditions: Caused by the debug cef table.
Workaround: There is no workaround.
•
Symptoms: A router may exception while registering a corrupt eToken.
Conditions: This symptom is observed only when a particular corrupt eToken is inserted. This symptom has been observed only on a single eToken.
Workaround: Format the eToken.
•
Symptoms: Router crashes when the no ip nat outside command is removed while traffic is being processed.
Conditions: Occurs on a Cisco 7200 router that uses ACL as source.
Workaround: There is no workaround.
•
Symptoms: Router may crash due to bus error.
Conditions: Occurs when MVPN is configured.
Workaround: There is no workaround.
•
Symptoms: The standby supervisor might crash when portDuplex is set from "full" to "full" for an interface whose speed is configured as "auto".
Condition: It might occur when the interface speed is "auto" value.
Workaround: Do not set portDuplex object from "full" to "full" via SNMP when the interface speed has "auto" configured on the interface.
•
Symptoms: A Cisco IOS router may no longer be able to show the configuration or do other file operations because all of the file descriptors are in use by files opened by the Embedded Event Manager (EEM) Remote Procedure Call (RPC) Event Detector (ED) policies.
Conditions: This symptom is observed when a significant number of EEM RPC policies are executed. Each time a new EEM RPC session is started and then closed, a single file descriptor is left open.
Workaround: The only way to recover is to reload the Cisco IOS device.
Further Problem Description: The output of show file descriptors command can show you which file descriptors are open. Ones left open by EEM RPC will show a path of tmpsys:eem_rpc_n, where n is some integer. For example:
Router# show file descriptorsFile Descriptors:FD Position Open PID Path 0 0 0002 137 tmpsys:eem_rpc_1 1 0 0002 118 tmpsys:eem_rpc_0 2 0 0002 137 tmpsys:eem_rpc_1 3 0 0002 118 tmpsys:eem_rpc_0•
Symptoms: High CPU usage may occur when IPCP is being renegotiated. Eventually, the high CPU usage may cause buffers to be backed up, may cause error message to be generated, and may cause L2TP tunnels to be dropped.
Conditions: This symptom is observed on a Cisco router when clients renegotiate IPCP unnecessarily. You can verify this situation by enabling the debug ppp negotiation command or by configuring RADIUS authorization and then checking the virtual-access interface for the phrase "cloned from: AAA, AAA, ..." (that is, multiple instances of AAA) as identification.
Workaround: There is no workaround.
Further Problem Description: You can alleviate the situation somewhat by configuring the NCP Timeout to 15 seconds to disconnect clients that take a long time to renegotiate IPCP. You can also do the following:
–
–
–
–
•
Symptoms: The following traceback is seen:
%IPV6-3-INTERNAL: Internal error, Protocol <protocol>, decrement of zero ref countConditions: The traceback may be seen when the following conditions are met:
–
–
–
Workaround: There is no workaround.
•
Symptoms: The Bootstrap Router message (BSM), with RP information and holdtime of zero, creates a group-mapping state when the RP information does not exist.
Conditions: The symptoms are observed in internal negative testing in an IPv6 multicast environment. Trigger is when a packet with an RP holdtime of zero is sent.
Workaround: There is no workaround.
•
Symptoms: A Cisco IOS router that is configured to run Embedded Event Manager (EEM) Remote Procedure Call (RPC) policies may leak memory when those policies are run.
Conditions: This only occurs when EEM RPC is configured and an EEM RPC TCL policy is executed.
Workaround: There is no workaround.
•
Symptoms: Router crashes when VRF is unconfigured.
Conditions: Router crashes when no ip vrf is executed. This is a platform independent issue. This issue is seen while using a script. Manually this issue is not seen.
Workaround: There is no workaround.
•
Symptoms: Tracebacks may be observed while rebooting the device.
Conditions: The symptoms are observed when there are no other SNMP CLI and SNMP-server manager is the first CLI to be configured.
Workaround: There is no workaround.
•
Symptoms: A memory leak may be observed on the standby node.
Conditions: The symptom is observed only when broadcast accounting is configured in the standby node. The memory leak is verified by using the show processes memory | i AAA ACCT command.
Workaround: There is no workaround.
•
Symptoms: Router crashes when show oer master traffic-class command is executed.
Conditions: It only happens when the one of the traffic-class being displayed has the mode monitor active configured.
Workaround: Use the older version of the CLI. The older version is show oer master prefix or show oer master appl.
•
Symptoms: When running MPLS with SSO on a Cisco 6500 or 7600 platform, a VLAN allocation error may be seen.
"SP-STDBY: pm_get_standby_vlan:Cannot allocate VLAN"Conditions: This is seen when MPLS is enabled along with SSO HA.
Workaround: There is no workaround.
•
Symptoms: When v6 RP mappings with the same group range but with different mode (for example, bidir and sparse) are advertised to a bootstrap router (BSR), only one of the mappings is installed by the BSR.
Conditions: When multiple IPv6 RP mappings with the same group range (for example, bidir and sparse) as shown below:
–
–
The router installs only one of the mappings. The bidir mapping is installed in the above example.
Workaround: There is no workaround.
•
Symptoms: When a multicast packet is fast switched and the output interface is an MGRE tunnel, the router crashes if there is no CEF adjacency established for the tunnel.
Conditions:
1. When a multicast packet is fast switched to an MGRE tunnel output interface, the packet is switched by CEF. If CEF has not established an adjacency for the MGRE tunnel, the router will crash.
2. The crash can also happen if we do have CEF adjacency for the tunnel ( CEF only maintains unicast adjacency ) but we do not have the configuration of ip pim nbma in tunnel. In this case when we receive a Join we are adding midb->nexthop as group address if ip pim nbma is not configured so CEF does not have adjacency, and this will lead to a crash.
NOTE: It is mandatory to configure ip pim nbma in DMVPN . If it is not configured, when packet comes to Fast switching, CEF will find adjacency based on next hop which is not the correct input for adjacency.
Workaround: Disable fast switching on MGRE tunnel interfaces.
•
Symptoms: PXF crashes seen with TCAM parity errors.
Conditions: These crashes will happen when: 1. The parity error happens at an invalid entry. 2. Multiple parity errors happen within a very short time.
Workaround: There is no workaround.
•
Symptoms: A Cisco 10000 series router may reload unexpectedly during aggressive ISG PPPoA call bringup.
Conditions: The symptom is observed in system test on a Cisco 10000 series router that is running Cisco IOS Release 12.2SB.
Workaround: There is no workaround.
•
Symptoms: In an IPv6-over-IPv4 MGRE tunnel, disabling IPv6 Cisco Express Forwarding (CEF) without disabling IPv4 CEF results in dropped packets after decryption. Enabling debug crypto engine packet on the router helps verify the packet drops after decryption.
Conditions: The bug is seen if IPv6 CEF is disabled but IPv4 CEF enabled and when tunnel protection is enabled on the MGRE interface.
Workaround: If IPv6 CEF is disabled, disable IPv4 CEF also.
•
Symptoms: The active route processor displays the message %MCASTRED-3-BULKACKTIME and the standby route processor will timeout and reload during a bulk sync.
Conditions: Seen on an ASR-1000 configured for multicast With a medium/large scale config (thousands of VLANs). On reload the standby will sync correctly.
Workaround: Reducing the size of config will limit the risk of a timeout.
•
Symptoms: Router crashes while performing simultaneous operation in vc-class.
Conditions: Occurs on a Cisco 7200 running an internal version of Cisco IOS Release 12.4T. This may happen when the router is accessed from multiple terminals simultaneously, configuring the vc-class atm <WORD> command.
Workaround: Avoid simultaneous operation from multiple Telnet sessions on this configuration.
•
Symptoms: A Cisco router may reload unexpectedly when the DMVPN tunnel is bounced.
Conditions: The symptom is observed with Cisco IOS Release 12.4(11)T2. The information points to an SW issue when upon bouncing the DMVPN GRE tunnel the NHRP is automatically cleared which triggers the bus error crash.
Workaround: Clear the DMVPN session only using the following command (note: the static must be used to clear the individual session or all will be cleared): clear dmvpn session [peer {nbma | tunnel ip- address] [interface tunnel number] [vrf vrf- name] [static].
•
Symptoms: The router will crash if the routing instance has been removed and an instance-specific command is issued (e.g. shutdown, maxpaths, split horizon etc).
Conditions: The symptom is observed when removing an instance from either console or VTY while another console or VTY is still in router mode.
Workaround: Exit and re-enter router mode before issuing any instance- specific commands.
•
Symptoms: When standby boots up, deadlock could happen, causing the standby to crash. Also can happen when the call-home process is restarted on active, causing the active supervisor to crash.
Conditions: This problem depends on timing. Occurs after configuration changes could alter bootup timing.
Workaround: There is no workaround.
•
Symptoms: You may see ASR1000-WATCHDOG: Process = IP Background followed by Traceback message during system bootup.
Conditions: This happens when L2VPN is configured. It may be likely to occur when many interfaces are configured.
Workaround: There is no workaround.
•
Symptoms: MLPoFR with the member group interface as crackerjack PA (PA-MC-2T3-EC) is configured. On applying a simple policy along with RTP header compression virtual template, the connectivity breaks.
Conditions: This is seen across PA (PA-MC-2T3-EC) and on applying both header compression and QoS policy.
Workaround: There is no workaround.
•
Symptoms: CPU utilization peaks at 99% for a sustained period when issuing show run | inc ipv6 route.
Conditions: With a large scale configuration (thousands of VLANs), performing show run | inc ipv6 route causes CPU utilization to peak at 99% and various control plane functions such as SBC call setup may not function as expected.
Workaround: Redirect the show run command output to a file for post-processing.
•
Symptoms: In a high availability/stateful switchover (SSO) environment, when a switchover occurs, an established OSPFv3/BFD peer will flap.
Conditions: The environment in which this issue can be reproduced is one of an route processor (RP) SSO state along with the configuration of at least one OSPFv3 BFD client. A series of one or more RP/SSO switchovers will cause a BFD peer/link flap.
Workaround: The only workaround at this point is to not execute or trigger an RP/SSO switchover with any established OSPFv3 BFD peers.
•
Symptoms: On a catalyst 6500, mac entries might not get programmed correctly because the request to program the entries is stuck in a queue which is blocked by a purge request.
Conditions: The exact conditions are unknown but it has been seen on one particular router consistently. It might happen when a purge request is issued.
Workaround: There is no workaround
•
Symptoms: Fragmented multicast rekeys and pings are not acknowledged by a multicast receiver.
Conditions: Occurs when fragmented multicast packets are received on a multicast receiver interface with crypto map attached.
Workaround: There is no workaround.
•
Symptoms: A Cisco router may crash when the no bba-group pppoe word command is issued from the VTY.
Conditions: This symptom is observed on a Cisco router when the bba- group pppoe word command is issued from the console and removed from VTY using the no bba-group pppoe word command. In this mode, when giving the command service profile "abcd refresh 2" in the console, the router will crash.
Workaround. There is no workaround.
Further Problem Description: The issue impacts device operations. This is a corner case issue, seen in an unusual sequence of testing. This issue is not seen on Cisco IOS Release 12.4(21).
•
Symptoms: QoS works fine with unicast packets over a GRE tunnel, but it does not work for multicast over GRE tunnels.
Conditions:
1. Apply a simple policing policy on a GRE tunnel.
2. Build an mroute table entry.
3. Send multicast traffic switched over the tunnel.
4. Verify the police functionality.
Workaround: There is no workaround.
•
Symptoms: The RP crashes when using Cisco IOS Release 12.2(33)SRC.
Conditions: The symptom is observed when using the command show ipc port.
Workaround: There is no workaround.
•
Symptoms: The ESR-HH-1GE card on a Cisco 10000 router may crash with the following message:
"%PXF_NICKEL-2-IB_ERR_SPR: IB Stuck Pause Request Error in slot X/Y"Conditions: The crash is seen on a Cisco 10000 platform that is running Cisco IOS Release 12.2(31)SBX. Previous Cisco IOS versions are potentially affected. Some known conditions that trigger this error are:
1. Continuously flapping the interface using shut and no shut of the ESR-HH-1GE interface.
2. Changing the MTU size (it is seen only on ATM based cards).
3. Continuously setting and resetting the negotiation using the negotiation auto and no negotiation auto commands on ESR-HH-1GE interface.
4. Most of the customer issues that trigger this error are not yet known.
Workaround: There is no workaround.
Further Problem Description: The "IB_ERR_SPR" indicates that the egress data path of the LC is stuck, and the only way to recover the path is to reset the LC. In most of the conditions explained above, the LC was only stuck for few seconds, and in those cases, the LC was unnecessarily reset. In this fix the IB_ERR_SPR handling is improved to avoid such LC resets.
•
Symptoms: Router crashes when the clear ip nhrp group command is used.
Conditions: Conditions are unknown at this time.
Workaround: Do not use this command.
•
Symptoms: In certain scenarios the IPv6 neighbor discovery and CEF entries get out of sync and as a result traffic for IPv6 cannot be forwarded.
Conditions: One known condition is to apply a service policy that classifies IPv6 packets.
Workaround: There is no workaround.
•
Symptoms: DBS enabled VCs are not syncing to standby RP. This issue is reproducible even with a single VC when the router is reloaded.
Conditions: This symptom is observed on a Cisco 10000 series router that is a HA setup with SSO mode configured.
Workaround: Resetting the standby will bring the VCs up.
Further Problem Description: This will effect the synchronization of PPP sessions to standby.
•
Symptoms: A Cisco 3845 router may crash when unconfiguring IPv6 nodes.
Condition: The symptom is observed on a Cisco 3845 router that is running Cisco IOS Release 12.4T. The traceback is produced after configuring the no ipv6 unicast-routing command.
Workaround: There is no workaround.
•
Symptoms: A client may not get a prefix when it has two relay agents on two interfaces of a single DHCP relay agent, with one of them being an unnumbered interface.
Conditions: The symptom is seen on a router that is running Cisco IOS Release 12.4T.
Workaround: There is no workaround.
•
Symptoms: Serials that are part of MLPPP/MFR remain in a down state. This issue can also happen for serial interfaces with PPP, FR and HDLC encap.
Conditions: This symptom is observed when T1/E1 controllers remain down. Trigger for this issue is not clear.
Workaround: There is no workaround.
•
Symptoms: Dynamic Multipoint VPN (DMVPN) shortcut tunnels may fail to get established on a DMVPN spoke running a phase 3 setup.
Conditions: Occurs in Cisco IOS Release 12.4(20)T.
Workaround: There is no workaround. However, data traffic would not be affected since the packets would take the spoke-hub-spoke path.
•
Symptoms: MAC L2TP clients failed to setup tunnel after L2TP network server (LNS) upgraded to Cisco IOS Release 12.4(19.18)T3.
Conditions: Occurs when Mac OS X 10.4 and Mac OS X 10.5 clients attempt to connect to a LNS running Cisco IOS Release 12.4(19.18)T3. image loaded.
Workaround: There is no workaround.
•
Symptoms: Router crashes when Flexible NetFlow for IPv6 is received and IPv6 fragmented packets are received.
Conditions: Flexible Netflow for IPv6 must be configured and fragemented IPv6 packets must be received.
Workaround: Deconfigure IPv6 Flexible NetFlow.
•
Symptoms: A router's memory may become corrupted, which can lead to a crash.
Conditions: This symptom is observed when Flexible NetFlow is configured with a record that has a large packet section in it, and it is applied to capture traffic.
Workaround: Configure Flexible NetFlow with a flow record that does not have a packet section in it.
•
Symptoms: An ATM interface that is configured with a large number of PVCs may exhibit PVC provisioning problems after repeated interface flaps. The VCC count on the ATM interface would increase by a random number once after each flap.
Conditions: This symptom is observed on a dual PRE2 system that is running Cisco IOS Release 12.2(31)SB12 code and operating in SSO mode.
Workaround: Router reload or PRE cutover.
•
Symptoms: Standby device configured for stateful switchover (SSO) continuously reloads.
Conditions: The reload occurs as soon as the standby and primary devices are loaded with stateful switchover (SSO) configuration.
Workaround: There is no workaround.
•
Symptoms: L2 entries are deleted and reinstalled periodically and needlessly even when L3 entry is associated with it.
The expected behavior is that with L3 multicast routing enabled, a L3 MSC GCE is mirrored to L2 MCAST GCE and the L2 entry is never cleared even when IGMP leaves are received or when source stops sending traffic. This is because the entry is associated with L3 entry, and L3 entry clearing process would take care of this removal of L2 multicast GCE/entry as well.
Conditions: When L3 multicast routing is configured and source-only entries are deleted.
Workaround: There is no workaround.
•
Symptoms: Router may crash.
Conditions: This symptom is observed when Flexible NetFlow is configured with a flow record that includes layer 4 fields and the flow monitor is applied to IPv6 traffic, and the traffic that FNF is monitoring has a payload length that does not allow us to reach the tranport header in the IPv6 packet.
Workaround: Configure Flexible NetFlow with a record that does not have any layer 4 (transport) fields.
•
Symptoms: Router crashes during traceback generation with a bus error.
Conditions: When CPUHOG occurs, traceback is generated. In some cases, it may lead to crash due to uninitialized internal data.
Workaround: There is no workaround.
•
Symptoms: None of the BFD sessions come up.
Conditions: The symptom is observed when BFD is configured with EIGRP for more than 32 VRFs.
Workaround: Bring the total VRFs on which BFD is configured for EIGRP to less than 32 and reload the router.
Further Problem Description: In EIGRP, each VRF is counted as a single BFD client whereas in other protocols, the BFD client count is shown as one per protocol. This limits the number of EIGRP/BFD sessions allowed to be configured.
•
Symptoms: There is a traffic drop after an SSO.
Conditions: The symptom is observed with high scaling, lots of VRFs, and a core with no load sharing. It is seen with two VRFs that are overloaded and slow due to the shared link.
Workaround: There is no workaround.
Further Problem Description: Use the graceful restart timer to increase the time that it takes the the initial and subsequent peers to come up, before doing bestpath calculations.
•
Symptoms: A memory allocation error shows (cause: memory fragmentation) when there is plenty of memory available.
Conditions: The symptoms are observed when configuring a large number of ACLs. The memory fragmentation issue is gone after removing the ACLs.
Workaround: There is no workaround.
•
Symptoms: An input wedge is observed on an interface, when multicast traffic is flowing.
Conditions: The symptom is observed in a DMVPN hub-spoke scenario with a point-to-multipoint (P2MP) GRE tunnel having tunnel protection configuration. When multicast traffic flows from hub to spoke through these tunnel interfaces, the incoming interface of the hub is getting wedged and even the ping to peer stops working.
Workaround: There is no workaround, other than reloading the router.
•
Symptoms: Session is not getting disconnected when the locally configured timers expire.
Conditions: Occurs while testing an internal build of Cisco IOS Release 12.4(22)T on the Cisco 7200.
Workaround: There is no workaround.
•
Symptoms: On a Cisco 7200 series router that has a crypto map protecting GRE tunnel traffic, putting an inbound ACL to drop the decrypted, GRE- decapsulated IP traffic may not work. The traffic is not dropped as expected and there is no hit count on ACL/ACE (although permit ACE still works properly and receives hit counts).
Conditions: The symptoms are observed with the following conditions:
1. On a Cisco 7200 series router with K9 images.
2. Where a crypto map is applied on a physical interface protecting GRE tunneling traffic (47 host2host)
3. When "deny inbound ACL" is configured on the tunnel interface to drop the cleartext (the traffic will not be dropped as expected).
4. It occurs with certain configuration sequences, such as configure tunnel and crypto map. (If you bring up IPSec SA, then apply inbound ACL to the tunnel interface, then save the configuration at the start-up configuration and boot from there, the issue may not show up.)
5. This only affects inbound ACLs. Outbound ACLs are not affected
Workaround: Use an inbound crypto map ACL (ipsec-dACL) instead of a inbound ACL on tunnel in this senario. Inbound crypto map ACL sees the decrypted GRE packets, and it can drop the traffic properly. For example:
router#sh cry map Crypto Map "testtag" 10 ipsec-isakmp Peer = 10.0.0.8 Extended IP access list 101 access-list 101 permit gre host 10.0.0.9 host 10.0.0.8 Extended IP access check IN list imacl access-list imacl permit ahp any any access-list imacl permit esp any any access-list imacl deny gre any any access-list imacl permit ip any any Current peer: 10.0.0.8 Security association lifetime: 4608000 kilobytes/3600 seconds PFS (Y/N): N Transform sets={ proposal1: { ah-sha-hmac } , { esp-3des esp-sha-hmac } , } Interfaces using crypto map testtag: GigabitEthernet0/1Alternate workaround: Turn off CEF switching and use process switching.
•
Symptoms: A device reloads with a bus error and may display the following message: CMD: ' aggregate-address 224.0.0.0 224.0.0.0 attribute-map GCI-aggregations suppress-map Suppress-ESNAK' Address Error (load or instruction fetch) exception, CPU signal 10, PC = 0x60CDD444
Conditions: The symptoms are observed on a device configured with Border Gateway Protocol (BGP).
Workaround: There is no workaround.
•
Symptoms: Packets may be dropped.
Conditions: This symptom is observed if the core interface for AToM is a GRE tunnel.
Workaround: There is no workaround.
•
Symptoms: When a router interface is shut, the prefix attached to the interface is not advertised with infinite metric out the other interfaces.
Conditions: Occurs when route is configured for RIP for IPv6 (RIPng)
Workaround: There is no workaround.
•
Symptoms: When registering a multi-event Tool Command Language (TCL) policy in the Embedded Event Manager (EEM), the registration will fail with the following error message:
%HA_EM-6-FMPD_EEM_LOG_MSG: Register event failed: Only correlate and attribute statements are allowed within triggerConditions: The symptom is observed on all multi-event TCL policies in EEM 2.4 when the trigger block contains a closing brace that is by itself on a line. For example:
::cisco::eem::trigger { ::cisco::eem::correlate event e1 or event e2 or event e3 or event e4 ::cisco::eem::attribute tag e1 occurs 1 ::cisco::eem::attribute tag e2 occurs 1 ::cisco::eem::attribute tag e3 occurs 1 ::cisco::eem::attribute tag e4 occurs 1 }Workaround: Add a space to the beginning of the line with the closing brace of the trigger block:
::cisco::eem::trigger { ::cisco::eem::correlate event e1 or event e2 or event e3 or event e4 ::cisco::eem::attribute tag e1 occurs 1 ::cisco::eem::attribute tag e2 occurs 1 ::cisco::eem::attribute tag e3 occurs 1 ::cisco::eem::attribute tag e4 occurs 1 }Further Problem Description: This will not impact customer network and traffic.
•
Symptoms: When registering an Embedded Event Manager (EEM) Tool Command Language (TCL) policy that has multi-event correlation for just track objects, the EEM system may get into an inconsistent state where a previously registered TCL policy will not be triggered, unregistered, or reregistered. This is seen when the following error is printed while registering the problematic policy: Embedded Event Manager configuration: failed to register the event spec for policy all_track.tcl: requested function is not supported
Conditions: The symptom occurs only if the event manager server returns an error while trying to register an event. In this case the error is "function is not supported" because a multi-event TCL policy must have at least one event in the correlation statement.
Workaround: Do not try to register a policy that is unsupported.
•
Symptoms: Device Reloads after EIGRP adjacency changes.
Conditions: Occurs on a Cisco Catalyst 3560 running Cisco IOS Release 12.2(44)SE. This has been observed on several other devices also. At this stage, the root cause has not been found.
Workaround: There is no workaround.
•
Symptoms: Unable to attach a VC class to ATM sub-interface after unconfiguring mpls experimental 1.
Conditions: The symptom occurs with a Cisco 7200 series router.
Workaround: There is no workaround.
•
Symptoms: Router may experience dropped packets.
Conditions: Occurs when passive probing is configured with mode select-exit best. A prefix is rotated through all exits for holddown time to get passive performance on all exits. In doing so, if a link is already overloaded, putting prefix on the overloaded link can cause the performance to further deteriorate.
Workaround: There is no workaround.
•
Symptoms/Conditions: RPM-XF cards 9(active) and 11(standby) are in redundancy. When we reset the active card, we see that secondary card 11 comes up as active but primary card 9, instead of coming up as standby, is continuously rebooting, resulting in many crashinfo files being generated.
Workaround: There is no workaround.
•
Symptoms: MVRF name may get truncated if the VRF name is too long.
Conditions:VRF name itself can be as long as VRF_MAX_NAME (32). When its length is 32, MVRF name mvrf_string will be truncated.
Workaround: Use VRF name less than 32.
•
Symptoms: With MPLS over GRE enabled. There is a possibility where the RP could encounter a software exception resulting in a crash.
Conditions: With MPLS VPN enable over a tunnel (GRE in this case), and that the tunnel is configured to be associated with a user-configured VRF.
Workaround: There is no workaround.
•
Symptoms: With rsp720-10G in a S-chassis or 7604 chassis, sometimes on switchover, the traffic stops through sip400 or traffic loss is greater than 800Msec.
Conditions: rsp720-10G in a S-chassis or 7604 chassis and sip400/sip200 as linecard.
Workaround: No proper workaround. SIP400 module soft reset might help if traffic is stuck.
Further Problem Description:
•
Symptoms: SSH connection fails to establish after SSO with the following debug message on client side:
SSH2 CLIENT 0: RSA signature verification failed, status 524Conditions: This symptom occurs when a new RSA key is generated. The SSH server key is not updated on the standby. The show ip ssh command on the standby will show that SSH is enabled, but the SSH connection will fail to establish.
Workaround: Regenerate RSA key on the new active after SSO.
•
Symptoms: A PRE crash may occur when the ATM idle timer times out.
Conditions: This symptom occurs during the provisioning of a new ATM virtual circuit. An idle timeout may result in a PRE crash.
Workaround: There is no workaround.
•
Symptoms: When registering an Embedded Event Manager (EEM) policy in a scheduler class that has no threads allocated to it, EEM will produce the following error message:
%HA_EM-4-FMPD_NO_SCHED_THREAD: No threads are configured to service event classWhen attempting to unregister the policy, EEM may produce the following error and the policy will not be unregistered:
EEM configuration: failed to unregister the event spec for policy policyname: unknown event IDIn addition, a triggered event will not actually run once this problem is experienced.
Conditions: This symptom is observed in images with the fix for CSCsr46367 and support for different scheduling classes in the EEM server.
Workaround: First allocate some threads to the class, and then configure the policy in that class.
Further Problem Description: This problem affects both Tcl-based policies and applets.
•
Symptoms: A router crashes with the following error:
%SYS-6-STACKLOW: Stack for process NHRP running low, 0/6000Conditions: The symptom is seen on routers that are running Dynamic Multipoint VPN (DMVPN) when a routing loop occurs while an NHRP resolution request is received by the router. If the routing loop leads to a tunnel recursion (where the route to the tunnel endpoint address points out of the tunnel itself) the crash may be seen.
Workaround: Use PBR for locally-generated traffic to force the GRE packet out of the physical interface which prevents the lookup that can lead to the recursion. For example (note: the interfaces and IPs will need to be changed to the appropriate values):
interface Tunnel97 ... tunnel source POS6/0 ...interface POS6/0 ip address 10.2.0.1 255.255.255.252ip local policy route-map Force-GREip access-list extended Force-GRE permit gre host 10.2.0.1 anyroute-map Force-GRE permit 10 match ip address Force-GRE set interface POS6/0•
Symptoms: When the main ATM interface MTU has an explicit non-default value (something other than 4470), then the subinterfaces may not save (shown with the show run command) the explicit MTU configuration of the default (4470) even though the command is expected.
Conditions: The symptoms are observed only for the ATM MTU value 4470. This unexpected behavior is not seen for any other value (less than or more than 4470 within allowed ATM MTU values).
Workaround: Upon reload, manually (explicitly) configure MTU 4470. You can configure an IP MTU under the ATM interface instead of an ATM MTU.
•
Symptoms: Remove interface virtual-template, then reconfigure it IOS failed to create virtual-template interface
Conditions: Remove interface virtual-template
Workaround: Do not remove virtual-template interface
•
Symptoms: ISSU downgrade does not always work.
Conditions: Will see the following messages:
%RF-5-RF_RELOAD: Peer reload. Reason: RF Client BFD RF Client(146) notification timeout %REDUNDANCY-4-RELOADING_STANDBY: Reloading the Standby RP %RF-3-NOTIF_TMO: Notification timer Expired for RF Client: BFD RF Client(146)Workaround: There is no workaround.
•
Symptoms: When a user configures the exception flash all disk1:core1 command, the resulting coredump pathname becomes "disk1:core1:ram1-7206-2-coreiomem.Z". The presence of the ":" following core1 is bogus since ":" is a reserved character used to delimit device and partitions. And "core1" is not a valid partition identifier.
A reasonable interpretation of "core1" would be as an existing subdirectory, not as the first 5 characters of a core file name.
Conditions: Occurs when user configures the exception flash all disk1:core1 command.
Workaround: Copy the core dump to "disk1:" instead of "disk1:core1". Use "exception flash all disk1:"
•
Symptoms: The pppoe-client command is not accepted on ATM interfaces. Cisco IOS software will report "% Unrecognized command" when an attempt is made to configure it.
Conditions: This symptom is observed when an attempt is made to configure the pppoe-client command.
Workaround: Use pppoe_client as the command prefix followed by the normal pppoe-client configuration items.
•
Symptoms: When a router performs a failover, traffic may be interrupted to a small number of destinations. Interruption is dependant on the setting of the "ipv6 nd reachable-time" value and will occur within a few minutes of failover.
Conditions: The symptom is observed when the router is forwarding IPv6 packets to a large number of destinations and when the router has a very large number (several thousand) of ND cache entries. It occurs after the router performs an HA failover from primary to secondary.
Workaround: Set "ipv6 nd reachable-time" to a value of ten minutes or longer.
Further Problem Description: Traffic interruption is caused by IPv6 ND refreshing cache entries via NUD during HA failover convergence. If ND has a very large cache then the additional load of NUD during the convergence period may cause some cache refreshes to fail. This will result in traffic interruption.
•
Symptoms: CCM enums for client types have diverged between mcp_dev and other branches
Conditions: ISSU from MCP and other related brances
Workaround: There is no workaround.
•
Symptoms: Standby RP crashes.
Conditions: Occurs when a shut/no shut is performed on the subinterface with a anything over MPLS (AToM) VP configured.
Workaround: There is no workaround.
•
Symptoms: Error message with a traceback observed while configuring IPSec authentication/encryption for an IPv6 Open Shortest Path First (OSPF) process with no router-id.
Conditions: The error message is issued when authentication or encryption is configured for an OSPFv3 process that has not been able to obtain a router-id.
Workaround: Provide a loopback or other "up" interface with an IPv4 address, or use the router-id command to establish the OSPFv3 router-id before configuring OSPFv3 authentication or encryption.
•
Symptoms: Under certain conditions the RIP for IPv6 (RIPng) "Last Gasp" message (all metrics infinite) does not get sent.
Conditions: This is seen under high load or on routers with large numbers of interfaces.
Workaround: There is no workaround but routes will eventually time out.
•
Symptoms: A router may crash.
Conditions: The symptoms are observed when traffic is flowing and if the interface is shut then no shut.
Workaround: There is no workaround.
•
Symptoms: Crash seen @adj_switch_ipv4_generic_les on a Cisco 3800 router.
Conditions: This symptom is observed upon issuing the command no ip route 10.2.82.0 255.255.255.0 vlan1.
Workaround: There is no workaround.
•
Symptoms: Before this BGP aspath memory optimization, the memory consumption for aspath has increased. With this memory optimization, the memory consumption for aspath has reduced.
Workaround: There is no workaround.
•
Symptoms: Messages similar to the following are seen on switchover:
%ISSU-SP-3-NOT_FIND_MSG_SES: Can not find message session(0) to transform msg from receive side %XDR-SP-6-ISSUBADRCVTFM: Failed to rcv_transform message - slot RP (28), reason: ISSU_RC_MSG_SESSION_NOT_REGISTEREDConditions: The messages may be displayed during switchover from an active RP to a standby RP. The likelihood of appearance of the messages is dependent on the timing of the switchover and the configuration in use.
Workaround: There is no workaround.
•
Symptoms: Crash is seen when L2TP HA is configured with tunnel and session teardown scenario.
Conditions: When tunnels are cleared with clear vpdn tunnel comand when the tunnel/session are being established.
Workaround: There is no workaround.
•
Symptoms: Line protocol going down with bridge-domain and OAM-PVC configuration.
Conditions: Issue is seen only with SIP-400 cards.
Workaround: There is no workaround.
•
Symptoms: ASR Router goes down.
Conditions: Occurs when when kron policy is configured and SCP is used.
Workaround: Use regular SCP.
•
Symptoms: When the IMA group statement under the atm3/0 T1 interface is removed, the other T1s will still remain up in the IMA group, but the PVC will become inactive. This symptom happens only when the ATM Bandwidth Dynamic statement is under the atm1/ima main interface. When removing the IMA group under atm3/1 without the ATM Bandwidth Dynamic statement under the atm3/ima0 interface, the PVC stays up on line.
Condition: This problem is seen in the Cisco 7206vxr with a npe-g1 or npe-400 with the 8-port PA IMA card PA-A3-8T1IMA. The problem is not see in Cisco IOS Release 12.3(28)M, but the problem is seen in Cisco IOS Release 12.4(6)T11 and 12.4(15)T6/T7 and also in Cisco IOS Release 12.4(20)T and 12.4(21)M.
Workaround: Re-add ima-group 0 back under the atm3/1 interface and then shut down the atm3/1 interface.
Further Problem Description: Steps to recreate the issue:
configure terminal int atm3/1 no ima-group 0 < take out int atm3/2 ima-group 0 int atm3/3 ima-group 0
atm3/ima0 atm bandwidth dynamic
atm3/ima0.1 ip address x.x.x.x pvc 1/101 vbr-nrt 4500 4500
The show atm vc will show the PVC as inactive.
•
Symptoms: If show bfd neighbor is issued on a router while BFD sessions on peer are flapping, it makes the router crash.
Conditions: When there is just one BFD session between peers with just one client and sessions begin to flap.
Workaround: There is no workaround.
•
Symptoms: Connectivity from a Dynamic Multipoint VPN (DMVPN) hub router to spokes may be lost due to a invalid Cisco Express Forwarding (CEF) adjacency.
If tunnel protection is configured on the hub, the traffic from hub to spokes will get dropped on the tunnel interface and the show interface tunnelx command will show the "Total output drops" counter incrementing.
This is intermittent and the problem will generally appear right after a reload of the router. It may not happen after some reloads of the router.
Conditions: Seen only on Cisco IOS Release 12.4(20)T and 12.4(22)T
Workaround #1: Disable/enable the tunnel mode: interface Tunnel30 no tunnel mode gre multipoint tunnel mode gre multipoint
Workaround #2: Remove the tunnel configuration and re-add it: no interface Tunnel30 interface Tunnel30 ip address 192.168.50.1 255.255.255.0 ip nhrp authentication cisco ip nhrp map multicast dynamic ip nhrp network-id 111 ip nhrp holdtime 900 tunnel source FastEthernet0/0 tunnel mode gre multipoint
•
Symptoms: A flow exporter that is configured for v9 may export corrupt data.
Conditions: This symptom occurs under the following configuration sequence:
- Create a flow exporter, but do not set any values within the exporter.
- Create a flow monitor, and apply the exporter to it.
- Apply the flow monitor to an interface.
- Configure the destination of the exporter.
Workaround: Configure the destination of the exporter before applying it to any flow monitors. Alternatively, remove the flow monitor from all interfaces and reapply it, which causes correct export packets to be sent.
•
Symptoms: EoMPLSoGRE Tunnel on a Cisco 1805 fails to forward packets after the the tunnel is established.
Conditions: Approximately the first 200 packets are forwarded, but then the router stops forwarding packets across the tunnel.
Workaround: There is no workaround.
•
Symptoms: Issue in ISDN call setup.
Conditions: This symptom is observed on a Cisco router when making a isdn test call.
Workaround. There is no workaround.
•
Symptoms: With IPbase image, standby reloads on configuring vrf definition or if the running configuration includes 6VPE configurations route-target, rd commands.
Conditions: This occurs on ipbase images which do not support 6VPE configurations. If the user tries to restore a configuration that includes VRF commands, the standby reloads continuously. If the user tries to configure vrf definition with ipbase image also, the problem will be seen.
Workaround: Remove the VRF configuration in the boxes that run IPbase images and the boxes come up fine.
•
Symptoms: Problem with IPv6 when deactivating and then reactivating VPN routing/forwarding (VRF).
One symptom is a message "Can't activate address-family `ipv6' "
Another aspect is a reference to tableid 10000000 that is reserved and should not apply to VRF.
Conditions: Occurs when using VRFs. The problem only occurs if IPv6 routing is used and then fully removed. When IPv6 is removed from the system, the IPv6 RIB goes away. One way of reactivating the IPv6 RIB is indirectly to create some VRFs. In that case, it is possible that the tableid 10000000 be allocated to a VRF, in which case the problem occurs.
Workaround: The path that leads to the problem consists in allocating the IPv6 RIB indirectly via VRFs installation. The problem only occurs at reactivations. There are thus a few ways to workaround:
–
–
•
Symptoms: The following tracebacks appeared on the active RP console during router boot up:
000131: *Nov 12 16:16:43.075 EST: %ISSU-3-FAILED_TO_ALLOC_UNDER_ENDPOINT: Can not allocate transport id(131072) control block.-Traceback= 1#04182c093c3bf3fa21a9ef089770e5a6 :10000000+5179E0 :10000000+518294 :10000000+515F3C :10000000+200F5DC :10000000+200E5C4 :10000000+1F78A0C 000132: *Nov 12 16:16:43.077 EST: %ISSU-3-ERP_CLIENT: For context ID 131072, Current context for ERP isn't available-Traceback= 1#04182c093c3bf3fa21a9ef089770e5a6 :10000000+5179E0 :10000000+518294 :10000000+515F3C :10000000+200E898 :10000000+1F78A0C 000133: *Nov 12 16:16:43.078 EST: %IPC-3-ISSU_ERROR: ISSU register peer failed failed with error code 0 for seat 20000-Traceback= 1#04182c093c3bf3fa21a9ef089770e5a6 :10000000+5179E0 :10000000+518294 :10000000+515F3C :10000000+1F78D5CConditions: The symptom will show up at boot up if the box has more than 10 ISSU endpoints. ISSU aware RP, SP, linecards all count as endpoints.
Workaround: There is no workaround.
•
Symptoms: Standby supervisor crashes during bootup.
Conditions: Occurs in Cisco IOS Release 12.2(46)SG, and possibly 12.(44)SG and 12.2(40)SG.
The crash occurs if the following commands are configured:
snmp mib notification-log globalsize 10000snmp mib notification-log globalageout 120snmp mib notification-log defaultWorkaround: Remove the above commands from the configuration.
•
Symptoms: A Cisco router running a version of code that contains the Embedded Event Manager (EEM) version 3.0 or EEM version 3.1 may:
–
–
–
–
–
–
–
Conditions: These occur in Cisco IOS and Cisco IOS software modularity versions that contain EEM version 3.0 and EEM version 3.1. EEM versions 2.4 and earlier are not affected. Users can check what version of EEM is in their image by using the show event manager version command that was introduced in EEM version 2.4.
Workaround: There is no workaround.
Further Problem Description: The EEM command to register a policy is:
event manager policy filename.tcl
This command has an option to specify a type of either system or a type of user. This option is designed to allow the user to specify which directory is searched when looking for the policy to register. If the user specifies a type of system, the system policy directory (hardcoded in the image) is searched for apolicy with the filename specified. If the user specifies a type of user, only the user policy directory (which must be configured with the event manager directory user policy device:directory command) is searched. If the user does not specify a type, first the user policy directory is searched and if no policy is found then the system policy directory is searched - this allows the user to override a system policy with a user policy and not have to specify a type of user.
The concept of which directories are searched when registering a policy is different from the concept of which run-type the policy is registered with. The run-type specifies the privilege level that the policy will execute with. System policies have full privileges. User policies are limited to the privileges of Safe-Tcl with a few exceptions that are covered in the EEM documentation. The run-type of the policy is determined by the following rules:
–
–
The problems described in this bug occur because of an implementation that jumbled these two concepts together.
•
Symptoms: Router crashes.
Conditions: Occurs while configuring serial interface for insufficient MTU.
Workaround: There is no workaround.
•
Symptoms: The standby RP in a Cisco 7600 series and some of its linecards may crash numerous times upon booting.
Conditions: Seen in a Cisco 7600 with dual RPs.
Workaround: There is no workaround.
•
Symptoms: When traffic engineering (TE) and fast reroute (FRR) are configured between a stitching router and provider edge (PE), Virtual Circuit Connection Verification (VCCV) ping fails.
Conditions: Occurs when pseudowire stitching is configured.
Workaround: Disable TE and FRR.
•
Symptoms: With 1600 pseudowires configured on Cisco 7600 as S-PE, when online insertion and removal (OIR) is performed on core interface, some of the pseudowires do not come up.
Conditions: The OIR of core interface creates this condition.
Workaround: There is no workaround.
•
Symptoms: Acct-Session-Id not getting created when unique-ident configured Conditions: Acct-Session-Id not getting created when radius-server unique-ident is configured in NAS Workaround: No workaround
•
Symptoms: On UBR10K platform, during PRE runversion of the ISSU upgrade process, the IPC connection between RP and cable line cards may take additional 1 sec to come up.
Conditions: Happens during PRE runversion.
Workaround: There is no workaround.
Further Problem Description:The problem is due to a race condition during IPC issu negotiation. When the PRE finishes ISSU negotiation, it sends the port registry response to the peer cable line card. The race condition happens when the response is received by the line card before the line card has declared ISSU negotiation is done. The response will be dropped, and resent in 1 second, causing the 1 second additional delay.
•
Symptoms: SWIDBs are not cleared, even after removing the subinterfaces. Deleted subinterfaces are considered to be inactive VCs which block the configuration of the maximum number of IDs on the interface.
Conditions: The symptom is observed when subinterfaces are created using the range pvc command. If the subinterfaces are deleted, this is not updated in the SWIDBs.
Workaround: Reload the router.
•
Symptoms: Catalyst 6500 always sends authentications to a known down ACS server. The show aaa server output also shows the ACS server up even with its LAN port shutdown. Therefore in a failover, the use of the secondary ACS server is delayed. The down ACS primary server appears to never be declared as down.
Conditions: Two ACS servers in a primary and backup scenario. When the primary is actively DOWN the Catalyst 6500 always tries to send authentications to it and should declare it as down and use the secondary ACS server. RADIUS messages are even showing up that the primary ACS server is available/connected even with no LAN connection.
Workaround: There is no workaround.
•
Symptoms: Cisco 7200 router is crashing while unconfiguring crypto IPSec tunnel with easyvpn client configurations.
Conditions: Crypto IPSec tunnel configured and then unconfigured.
Workaround: There is no workaround.
Further Problem Description: CIsco 7200 crashes while unconfiguring a virtual-template of type tunnel.
•
Symptoms: A crash is seen when show atm pvc <> command is excuted for a PVC where a VC class is attched with oam-pvc manage auto-detect.
Conditions: This issue is seen when a multipoint sub-interface is configured as point-to-point sub-interface, which throws the error message as expected. After repeated tries upon the show atm pvc router crashed.
Workaround: Do not configure multipoint subinterface as a point to point subinterface.
•
Symptoms: Device reloads after EIGRP adjacency changes.
Conditions: Occurs on a Cisco Catalyst 3560 running Cisco IOS Release 12.2(44)SE. This has been observed on several other devices also. At this stage, the root cause has not been found.
Workaround: There is no workaround.
•
Symptoms: A Cisco 7200 series router emits tracebacks.
Conditions: The symptom is observed when a service policy with netflow sampler is attached to a PVC.
Workaround: There is no workaround.
•
Symptoms: The atmPreviouslyFailedPVclTimeStamp returns a non-zero value when the VC is brought DOWN for the first time.
Conditions: This issue is seen on router that is running Cisco IOS Release 12.4(24)T.
Workaround: There is no workaround.
•
Symptoms: Range PVCs fail to come up on the interface when a VC-class with create-on-demand is detached from the ATM interface.
Conditions: The symptoms are observed when a VC-class with create-on-demand is detached from the interface.
Workaround: Remove create-on-demand from the VC-class instead of removing the VC-class itself.
•
Symptoms: Packet drops and/or delays are observed when sending traffic over a multilink bundle interface.
Conditions: This symptom may occur during periods of bursty traffic.
Workaround: Increase the amount of data that a multilink will queue to a member link at any given time using the interface configuration command ppp multilink queue depth qos (default = 2). This command may be configured on the serial interfaces or, if the interface is a multilink group member, it may be configured on the multilink interface. For example:
interface Multilink1 ppp multilink queue depth qos 3•
Symptoms: Encapsulation is not getting inherited from the VC-class for the final VC.
Conditions: The symptom is observed when changing encapsulation from the console without exiting from the applied encapsulation under VC-mode on a VTY session.
Workaround: Apply encapsulation from single terminal at the same time (either from console or from VTY).
Further Problem Description: Only the last VC is not getting updated with encapsulation.
•
Symptoms: A BR goes down on the learning cycle.
Conditions: The symptoms are observed when the inside BGP is learning configured:
conf t oer master learn no throughput no delay inside bgpWorkaround: Configure as follows:
conf t oer master learn throughput inside bgp•
Symptoms: ASR crashes in process "L2TP mgmt daemon" with the following error message:
%L2TUN-3-ILLEGAL: Failed to insert into socket DB %L2TP-3-ILLEGAL: B0D0B0D:_____:0000CF2C: ERROR: Unable to associate L2TP session with socket handleConditions: Observed in a ASR1002 when the platform functions as an L2TP Network Service (LNS)
Workaround: There is no workaround.
•
Symptoms: Router crashed after entering the show atm pvc <>/<> command.
Conditions: The issue is seen after configuring Layer 2 transport PVC.
Workaround: There is no workaround.
•
Symptoms: Router crashed due to bgp update while flapping BGP peers at remote side.
Conditions: Happens specifically on ASR platform.
The setup is an MVPN configuration with 100PEs and 1Unique MVRF per PE with 100 MVPN group and 1 MVPN source in each VRF. OSPF, iBGP, LDP, PIM SM is used in provides side and PIM SSM in customer side and ASR (PE) is configured as RP.
Workaround: There is no workaround.
•
Symptoms: WRED counters disappear after doing online insertion and removal (OIR) with DLFI over ATM.
Conditions: Configure DLFI over ATM and attach policy to VT with WRED. Perform a OIR, a WRED will disappear.
Workaround: Remove policy from VT and attach it
•
Symptoms: Unable to remove the grandchild policy from the child policy of a three-level policy.
Condition: The symptom is observed with a router that is loaded with Cisco IOS Release 12.4(24)T.
Workaround: There is no workaround.
•
Symptoms: When 3000 VCs with PW redundancy are configured in the system, some of the VCs may stay in the DOWN state after the system reload.
Conditions: It is seen with 3000 VCs on a RP2.
Workaround: Shut/no shut on the interface can clear the issue.
•
Symptoms: RF progression halts at "in progress to standby cold-bulk" on the standby RP during ISSU runversion.
Conditions: Should only be seen on dual RP/SP platforms during ISSU. Is also affected by timing of start of the CEF sync to the standby SP, so it doesn't happen for many sotware versions/configurations.
Workaround: Use an alternative upgrade method.
•
Symptoms: During the SSO, packet loss is more than expected
Conditions: AToM VC is UP , before SSO traffic was flowing fine, during SSO, for a few seconds, there was packet outage which again resumed. The outage was more than expected.
Workaround: There is no workaround.
•
Recent research (1) has shown that it is possible to cause BGP sessions to remotely reset by injecting invalid data, specifically AS_CONFED_SEQUENCE data, into the AS4_PATH attribute provided to store 4-byte ASN paths. Since AS4_PATH is an optional transitive attribute, the invalid data will be transited through many intermediate ASes which will not examine the content. For this bug to be triggered, an operator does not have to be actively using 4-byte AS support.
The root cause of this problem is the Cisco implementation of RFC 4893 (4-byte ASN support) - this RFC states that AS_CONFED_SEQUENCE data in the AS4_PATH attribute is invalid. However, it does not explicitely state what to do if such invalid data is received, so the Cisco implemention of this RFC sends a BGP NOTIFICATION message to the peer and the BGP session is terminated.
RFC 4893 is in the process of getting updated to avoid this problem, and the fix for this bug implements the proposed change. The proposed change is as follows:
"To prevent the possible propagation of confederation path segments outside of a confederation, the path segment types AS_CONFED_SEQUENCE and AS_CONFED_SET [RFC5065] are declared invalid for the AS4_PATH attribute. A NEW BGP speaker MUST NOT send these path segment types in the AS4_PATH attribute of an UPDATE message. A NEW BGP speaker that receives these path segment types in the AS4_PATH attribute of an UPDATE message MUST discard these path segments, adjust the relevant attribute fields accordingly, and continue processing the UPDATE message."
The only affected version of Cisco IOS that supports RFC 4893 is 12.0(32)S12, released in December 2008.
(1) For more information please visit:
http://www.merit.edu/mail.archives/nanog/msg14345.html
•
Symptoms: With discovered PVCs, stand-by crashes after SSO.
Conditions: PVCs are discoverd in the main-interface. In one of the VCs, service-policies are attached to mark the CLP. Packets were marked fine through the VCs, but after SSO the new active crashes. ILMI discovered PVC's from the switch are created as PVC-D in both active and standby. But, this PVC-D is not being updated properly on stand-by properly in internal data structure.
1) PVCs are discoverd in 7600-1
2) Policy-map is attached to one of the PVC, where atm map is created
3) trafic is sent from IXIA . 4) Do SSO, the new active crashes
Workaround: There is no workaround.
•
Symptoms: NVgen issue occurs with violate-action commands under policy-map class.
Conditions: When we configure violate-action commands with "police cir" and "exceed" under policy-map class, it is not reflected under show run output.
Workaround: Do not configure as a whole with policy cir and eceed command. configure as individual commands.
•
Symptoms: Show run command displays "Configuration buffer full message" message
Conditions: Show run command displays "Configuration buffer full message" message
Workaround: There is no workaround.
•
Symptoms: Traffic does not pass.
Conditions: The symptom is observed with a Cisco VPN Acceleration Module 2+ (VAM2+) originating traffic and with process switching.
Workaround: There is no workaround.
•
Symptoms: CLI help is not usable in global configuration mode.
Conditions: The symptom occurs with cns config notify diff configured in the router.
Workaround: There is no workaround.
•
Symptoms: When a RP switchover was performed, the booting standby RP was reset with a message of "AAA HA failure" and a few tracebacks thrown out.
Conditions: Tracebacks occur , when RP s/o is performed.
Workaround: There is no workaround.
•
Symptoms: Traceback is observed and the system may reboot, depending on the platform.
Conditions: The symptom is observed when the ESM filter is configured and contains an ios_config statement.
Workaround: Remove ios_config statements from ESM filter.
•
Symptoms: A session may go down one or more times before stabilizing in the up state.
Conditions: This symptom is observed when a BFD session is first coming up and the network is suffering from congestion.
Workaround: There is no workaround.
•
Symptoms: Policy-name remains unchanged after renaming.
Conditions: The symptom is observed only with an ATM interface.
Workaround: There is no workaround.
•
Symptoms: Ping replies have wrong source address.
Conditions: Occurs after switchover.
Workaround: There is no workaround.
•
Symptoms: Unable to delete the IPv6 DHCP pool.
Conditions: The symptom is observed after creating an IPv6 DHCP pool with a null string.
Workaround: Do not create the IPv6 DHCP pool with a null string.
•
Symptoms: PVCs associated with an F4 OAM VP remain in an "INAC" state after the interface flaps.
Conditions: The symptom is observed with F4 OAM management configured on a VP.
Workaround: Use the commands shut followed by no shut again.
•
Symptoms: AToM VC does not come up on flapping the interface with SSO.
Conditions: It happend when mpls label range is configured.
Workaround: There is no workaround.
•
Symptoms: BGP session getting flapped while doing ISSU runversion
Conditions: Configure the router with BGP, do loadversion, proceed with runversion and BGP session flapped here.
Workaround: There is no workaround.
•
Symptoms: Gigaword Accounting attributes not sent in the accounting record.
Conditions: Observed when the sessions input or output traffic goes beyond 2^32 bytes.
Workaround: There is no workaround.
•
Symptoms: Router crash seen at html_config_command.
Conditions: This issue is observed on a Cisco 7200 router running Cisco IOS Release 12.4(24.2)T.
Workaround: There is no workaround.
•
Symptoms: On a router configured with BGP VPNs, VRF removal may not work properly. VRF can remain in delete pending state or BGP may crash at a later time.
Conditions: The router must be configured with one or more VRFs and must have the BGP VPN address family enabled. The problem may be triggered by the deletion of a VRF from the router config through the no ip vrf or the no vrf definition commands. The issue is a race condition in the BGP code that deals with VRF net deletion and cleanup. Hitting the issue becomes more likely in large scale setups in terms of the number of configured VRFs and the number of nets in the BGP VPN table.
Workaround: To avoid the issue the user can make sure that all the nets in the BGP VPN table belonging to the VRF are deleted before issuing the VRF deletion command. To delete all the nets belonging to the VRF:
1) All BGP CE neighbor configuration for that VRF must be removed.
2) Any redistribution of routes into BGP for that VRF must be deconfigured.
3) The import route-targets for the VRF must be removed.
Following the removal of the config at least two minutes must elapse so that BGP can complete its cleanup. When no nets belonging to the VRF remain in the BGP table it should be safe to delete the VRF without the possibility of hitting this issue.
•
Symptoms: SAMI PPC crashes due to a SegV exception at the L2TP process.
Conditions: The symptom is observed under the following conditions:
1. L2TP communication down keeps more than 180 seconds between LAC and LNS.
2. Crash will occur where the communication down happens after about 17 seconds from receiving the last L2TP hello.
Workaround: Avoid sending L2TP hello at L2TP shutting down process by L2TP shutdown timer expiration. (For example, use l2tp tunnel timeout no-session 0. The command will teardown the session immediately when there is no session.)
•
Symptoms: A Cisco router might not successfully recreate a session on standby when Accounting and L4Redirect are installed.
Conditions: The symptom occurs with PPPoE sessions in HA scenarios where Accounting along with other ISG features are deployed.
Workaround: There is no workaround.
•
Symptoms: Multi-hop PPPoE relay is not working.
Conditions: The symptom is seen with Cisco ASR routers loaded with Cisco IOS Release 12.2XNC and configured with multi-hop PPPoE relay.
Workaround: There is no workaround.
•
Symptoms: Router crashes while deleting VRFs when many VRFs are configured and no router bgp is immediately followed by no ip vrf for all configured VRFs.
Conditions: Usually seen when many VRFs are configured. VRF deletion of all VRFs must immediately follow removal of the BGP router.
Workaround: Allow no router bgp to complete before issuing the no ip vrf commands, or allow the deletion of all VRFs to complete before issuing no router bgp.
•
Symptoms: Tracebacks are seen when create on-demand is configured on a VC class and when an OIR is performed on the ATM interface.
Conditions: This symptom occurs only if an OIR is performed when the configurations are made.
Workaround: There is no workaround.
•
Symptoms: Use of eigrp STUB feature in a <U>STUB Site</U> could result in routing loops, This issue relates to a network configuration we have not previously supported, therefore your customer should not be affected.
Workaround: There is no workaround. I your customer wishes to use this feature, then please move to an image with this fix
•
Symptoms: A router crashes in the presence of MQC samplers.
Conditions: The symptom is observed only when MQC samplers are applied to the interface, when the configurations are applied in a particular order.
Workaround: Use netflow random samplers.
•
Symptoms: ISIS neighborship may not get established if we use SIP-400 in core with local switching.
Conditions: SIP-400 as core.
Workaround: There is no workaround.
•
Symptoms: Modular IOS router may experience unexpected restart of process iprouting.iosproc if it is configured with two OSPF processes, one of processes redistributes another OSPF process and cost of interface covered by OSPF process being redistributed changes (either via configuration or dynamically on multilink/multichannel interfaces).
Conditions: Problem is specific to modular IOS. Problem is specific to the case of redistribution from OSPF into OSPF.
Workaround: Process restart will have no impact on transit packet forwarding if all routing processes were enabled with NSF.
•
Symptoms: The following message may be displayed when using software compression over PPP Multilink:
%SYS-2-MALLOCFAIL: Memory allocation of 1740 bytes failed from 0x2140A734, alignment 128 Pool: I/O Free: 38080 Cause: Memory fragmentation Alternate Pool: None Free: 0 Cause: No Alternate pool -Process= "PPP Compress Input", ipl= 0, pid= 178, -Traceback= 0x23060470 0x214014DC 0x21401BFC 0x21402AD0 0x21407798 0x21F398B8 0x21F376B8 0x230CB274 0x230CB3D8Conditions: The symptom is observed when the input traffic rate is extremely high. It does not occur over low speed links (for example: ISDN B channels).
Workaround: Disable software compression.
•
Symptoms: Router crashes when detach/ attach a HQF at Fr map-class
Conditions: Seen with FRF.12 config.
Workaround: There is no workaround.
•
Symptoms: A Catalyst 6500 VSS switch may create the below log message upon failover of supervisors.
%COMMON_FIB-4-FIBNULLIDB: Missing idb for fibidb Port-channel5A (if_number 158). -Traceback= <snip>Conditions: Occurs when running Cisco IOS Release 12.2(33)SXI.
Workaround: There is no workaround.
•
Symptoms: Memory usage increases by about 10MB in processor memory as a result of creation of new checkpointing buffer pools. The result is that there is less free memory available for use for other purposes.
Conditions: This increase is of a fixed size, is seen immediately after boot and is not configuration dependent.
Workaround: This issue should not impact most customers unless they are reaching the very limits of free memory with their configuration, in which case a reduction in the scale of configuration would work around the problem, but may result in diminished features or scalability.
•
Symptoms: A router reloads occasionally after the command show buffers leak is repeatedly issued.
Conditions: The symptom is observed when issuing the show buffers leak command. It occurs only with certain patterns and scale of traffic and does not occur all the time.
Workaround: There is no workaround.
•
Symptoms: Traceback shows up when default interface command is entered.
Conditions: When ION image is running, and when ISIS is configured on the interface that is to be made to default.
Workaround: Remove ISIS first with "no ip router isis" command before "default interface" command is entered on the interface.
•
Symptoms: A Cisco 2800 series router may reload when configuring and unconfiguring cns config notify diff interval.
Conditions: The symptom is observed when configuring and unconfiguring cns config notify diff interval along with a call-router h323-annexg configuration.
Workaround: There is no workaround.
•
Symptoms: On an RP SSO, tunnels/sessions were lost.
Conditions: Bring up L2TP tunnels/sessions Perform an RP SSO.
Workaround: There is no workaround.
•
Symptoms: Ping to a tunnel's own address does not work on an IPIP tunnel.
Conditions: The symptom is observed when there are other tunnels in existence or forwarding traffic on the router, especially those using different types, such as IPv6-related.
Workaround: There is no workaround.
•
Symptoms: Several chunk element leakages are seen when the show memory debug leaks chunk command is entered.
Conditions: Occurs after a reboot.
Workaround: There is no workaround. Please ignore the leaks as they are false alarms.
•
Symptoms: The standby reloads.
Conditions: The symptom is observed with the command no snmp trap link-status which is being accepted under the virtual-template even though no virtual-template snmp is present in the global configuration mode. After switchover no virtual-template snmp is missing on the standby, and the standby reloads when doing the second switchover.
Workaround: There is no workaround.
•
Symptoms: Through-the-box traffic is dropped on the router (when the egress path is from the clear-text side to the encrypted side).
Conditions: The symptom is observed with Cisco IOS Release 12.4(20)T and with L2TP over IPSec with a front door VRF.
Workaround: Disable ip route-cache and ip route-cache cef on the clear-text interface (where the clear-text traffic comes from).
•
Symptoms: Tunnel-link-stop record is missing at LAC when clearing the session with clear pppoe all.
Conditions: With vpdn session accounting network configured at LAC and when clearing the session with clear pppoe all Tunnel-link-stop record is missing at LAC.
Workaround:
1. Use default accounting method list for Tunnel link:
conf t no aaa accounting network tlss start-stop group radius aaa accounting network default start-stop group radiusno vpdn session accounting network tlss vpdn session accounting network default end2. Configure session accounting to use named accounting method list:
Configure accounting for both session and tunnel link.
conf t interface Virtual-Template1 ppp accounting tlss end•
Symptoms: A router crashes when the TACACS+ server is configured/unconfigured when the telnet session is up.
Conditions: The symptom is observed when the single-connection option is used.
Workaround: Avoid using the single-connection option.
•
Symptoms: OSPFv3 sessions flap due to dead timer expiring.
Conditions: The devices are directly connected and are using subinterfaces on gig ports. The issue seems to be present after a reload on the box. The interface running ospfv3 does not join ff02::5 group.
Workaround: Shut/no-shut of the interface or a reload of the box fixes the issue. Removing and adding the OSPFv3 config on the interface will resolve the issue temporarily.
•
Symptoms: The WS-X4503+ supervisor reboots/reloads.
Conditions: This happens only when the default interface command is issued to the IOS HTTP server. The WS-X4503+ is the only supervisor affected. This occurs only when two WS-X4503+ supervisors are installed in a redundant configuration.
Workaround: Use the CLI to issue the default interface command on WS-X4503+ supervisors are installed in a redundant configuration.
Further Problem Description: The Cisco Network Assistant application communicates with network devices using HTTP or HTTPS. It sends the default interface command before applying a SmartPorts macro.
•
Symptoms: HQF policer policy with exceed action does not attach. Or, when execute exceed action is in an attached parent policy, policy is removed from the interface.
Conditions: This symptom is seen in a two level, two rate, two color policy.
Workaround: There is no workaround.
•
Symptoms: A standby, which is running Cisco IOS Release 12.2(31)SB, will crash while upgrading to Cisco IOS Release 12.2(33)SB, after using the command issu runversion.
Conditions: The symptom is observed while upgrading from Cisco IOS Release 12.2(31)SB to Cisco IOS Release 12.2(33)SB after using the command issu runversion and when there is one or more PPPoE sessions present.
Workaround: Ensure there are no PPPoE sessions present while upgrading.
•
Symptoms: The router crashes or hangs.
Conditions: The symptom is observed when executing the show filesystem command on any file system or when there is pending write to the filesystem that has earlier resulted in an error.
Workaround: There is no workaround.
•
Symptoms: A router may crash when using the show cef int command in parallel with removing per-user ACL via radius.
Conditions: The symptom is observed when using the show cef int command in parallel with removing per-user ACL via radius.
Workaround: There is no workaround.
•
Symptoms: Router crahses when removing the vpn service from the PVC.
Conditions: This symptom is observed on a Cisco router running IOS 12.2(33.01.23)MCP04 .
Workaround. Do not enable VPN service for PTA service.
•
Symptoms: Duplicate packets are sent for all traffic routed to a third-party vendor NLB server running in IGMP mode.
Conditions: The symptom is observed when PIM is enabled on the NLB server VLAN.
Workaround:
1. Use non-IGMP NLB modes (unicast or multicast with static MACs).
2. Use IGMP snooping querier instead of PIM on NLB SVIs.
3. If PIM is required on the NLB VLAN interfaces: apply inbound access-list to all PIM router interfaces in NLB VLAN permitting IP traffic to the local physical/virtual IPs and denying traffic with destination of local NLB subnet.
•
Symptoms: A multilink bundle which is under heavy packet load may cause the router to reload.
Conditions: The symptom is observed when an interface, which has just joined a multilink bundle, receives packets at a rate faster than the router can process them.
Workaround: There is no workaround.
•
Symptoms: ATM sub-interface goes down on flapping the primary pseudowire path.
Conditions: This is seen if ASR PE is connected to a 7200 CE Router;working fine between two ASR's.
Workaround: There is no workaround.
•
Symptoms: A router crashes upon deleting range PVCs with PPPoE sessions and with bandwidth configured through DBS.
Conditions: The symptom is observed when deleting the range PVCs with PPPoE sessions.
Workaround: There is no workaround.
•
Symptoms: On a PPP aggregator using dhcp-proxy-client functionality, in a situation where a PPP client session is torn down and then renegotiated within 5 seconds, the DHCP proxy client may send a DHCP RELEASE for the previous DHCP handle after the new DHCP handle (created as a result of new IPCP CONFREQ address 0.0.0.0) has accepted the same IP address allocation from the offnet DHCP Server. This results in the offnet DHCP server having no record of the lease as it exists on the PPP aggregator which causes future addressing conflicts.
Conditions: The issue appears to be Day 1, reported on a Cisco 7200/NPE-400 and 7200/NPE-G2 that is running Cisco IOS Release 12.4T, 12.4M, or 12.2SB.
Workaround:
1. Automated: Write a script to compare active leases on the PPP aggregator to active leases on DHCP server and if a lease is found only to exist on PPP aggregator, use the command clear interface virtual-access to recover.
2. Manual: use the command clear interface virtual-access.
Further Problem Description: The issue occurs because the DHCP client holdtime is static at 5 seconds and there are no IOS hooks to tie PPP LCP session removal and IPAM to suppress stale DHCPRELEASES waiting in queue for HOLDTIME to expire when the PPP user's virtual access interface changes.
Note: Use case fixed via CSCsy39667:
1A. PPP session with userid "jerry", VAI 100, and va_swidb "X" goes down. 1B. New PPP session with userid "jerry", VAI 100, and va_swidb "Y" is negotiated within 5 seconds of 1A.
Fix Overview: DHCP looks for match on PPP userid and VAI number (not va_swidb) to reclaim DHCP Lease.
Use-case still requiring a fix:
2A. PPP session with userid "jerry" and VAI 100 goes down. 2B. New PPP session with userid "jerry"' and VAI 200 is negotiated within 5 seconds of 2A.
•
Symptoms: A Catalyst 6500 Series Switch running Modular IOS release 12.2(33)SXI may fail to correctly free memory from the CEF background process, eventually leading to an unexpected reload.
Conditions: System runs Modular IOS release 12.2(33)SXI. CEF table consistency-check is configured.
Workaround: Disable the CEF table consistency-check (no cef table consistency-check ipv4)
Further Problem Description: show memory detailed ios-base allocating-process totals shows 'CEF background process' continually increasing in memory usage.
•
Symptoms: The router will display some traceback message.
Conditions: When the modular IOS image is running, and when ISIS is configured on sub-interface, and when ISIS is removed on router level with "no router isis " command.
Workaround: Remove ISIS at the interface level before removing ISIS at router level.
•
Symptoms: Sending non IOS traffic could cause a IOSD crash.
Conditions: If traffic is non IOS control packets this could cause a IOSD crash.
Workaround: There is no workaround.
•
SymptomS: ISG PPPoE sessions may lose their authenticated state if they receive Change of Authorization (CoA) for service swapping.
Conditions: After sending CoA pushes to deactivate an existing service and active new one to ISG PPPOE sessions, the sessions may change state from authenticated to connect. It means the sessions are already in logoff state. As a result, all Subscriber Service Switch (SSS) showings are empty.
Workaround: There is no workaround.
•
Symptoms: VCs under VP are recreated continously.
Conditions: VP is configured under main IMA interface with PCR as some value. Also there is a PVC on a IMA sub-interface. When we shut the sub-interface and then try to change PCR of VP or change it to "no-f4-mgmt" the VCs are recreated continously
Workaround: Do no shut of the sub-interface and then shut/no sh of the IMA interface. It should work.
•
Symptoms: Router reloads when running IPSec.
Conditions: The symptom is observed when packets decrypted by IPSec are process switched.
Workaround: There is no workaround.
•
Symptoms: IP IRDP packets from CE get stuck in the interface input queue.
Conditions: The symptom is observed with IP interworking in Ethernet over MPLS over GRE (EoMPLSoGRE) and keepalive enabled on the GRE tunnel. The packets get stuck in the interface input queue of the Xconnect interface.
Workaround: There is no workaround.
•
Symptoms: can result in dup packets on segment when mcast topo changes in multi-vendor environment. The debug ip pim command will show PIM(0): Received v2 Assert on Vlan1 from 192.168.1.1 PIM(0): Invalid host address 0.0.0.0
Conditions: When another router sends PIM assert with source address 0.0.0.0 and RPT bit set, PIM will reject it as an invalid source. Only happens when forwarding on shared tree as this is the only time per RFC 4601 when assert with source address 0.0.0.0 is valid.
Workaround: Ensure that PIM switches over to source tree(ie. do not use "ip pim spt-threshold infinity") or use pim mode w/o shared tree such as SSM.
•
Symptoms: ISSU with stateful switchover (SSO) may cause router to crash.
Conditions: Occurs on Cisco 7600 routers when SSO occurs between Cisco IOS Release 12.2(33)SRC4 and SRB5.
Workaround: There is no workaround.
•
Symptoms: A router crashes with the following message:
MET-DST: %SYS-2-INTSCHED: 'may_suspend' at level 7 -Process= "AAA SEND STOP EVENT", ipl= 7, pid= 230 -Traceback= 406ED098 406CEF8C 409E6A48 409E71F4 409E7CBC 406A1218 40875D20 40875D98 400E89F0 40180A78 406F2708 406F2A00 406E88A0 406D7AE4 406E7A14 406E3B08Conditions: The symptom is observed under normal operation.
Workaround: There is no workaround.
•
Symptoms: Router crash@nvgen_action on configuring 500 IPSec tunnels and write memory.
Conditions: Configuring 500 IPSec tunnels and write memory. Might be a scalability issue.
Workaround: There is no workaround.
•
Symptoms: The following error is logged:
%IDMGR-3-INVALID_ID: bad id in id_get (Out of IDs!)
Conditions: Symptom observed in Cisco IOS Release 12.2(33)SRC in Cisco Intelligent Services Gateway (ISG) solution and with a very high rate of DHCP discoveries.
Workaround: There is no workaround.
•
Symptoms: Frame-relay DLCI is not released from interface in a certain configuration sequence.
Conditions: The symptom is observed on a Cisco router that is running Cisco IOS 12.4T images.
Workaround: There is no workaround.
•
Symptoms: A Cisco 7200 series router may crash with LFIoLL+QoS configurations.
Conditions: The symptom is observed when the slot for MCT3/MCTE1 is powerdown.
Workaround: Remove the QoS configurations from the multilink.
•
Symptoms: Router will reboot and also causes traceback output.
Conditions: This happens when running check syntax mode. In syntax mode, when a user enters the event manager applet submode and execute the no event manager applet xxx two times, this will cause the reboot. "xxx" is the applet name specified when the user enters the submode.
Workaround: Do not run the no event manager applet xxx command in check syntax mode.
•
Symptoms: Active RP's CPU% spikes by MLD process after reload and longevity Tests with 8K Vlans.
Conditions: This MLD CPU Spike is seen right after the Bootup when Active RP is Synching with Standby RP and also observed during long duration test with SNMP MIB Polling , SBC Dynamic calls , Show command load.
Workaround: During the Bootup case, workaround is to delay the Standby RP bringup using EEM or other methods untill all the DHCP users address are assigned and SBC Signalling Pinholes are established.
•
Symptoms: The following traceback and error message are displayed:
%IPRT-3-NDB_STATE_ERROR: NDB state error (BAD EVENT STATE) (0x0) 172.24.0.0/16, state 7, event 0->1, nh_type 1 flags 4 - Process= "RIP Router", ipl= 0, pid= 336 -Traceback= 407FFAA4 407FFFE8 40D97228 40D981F4 40D99FCC 40D9A110 40D94EF0 40D963A4 41107300 41107AB4 4110A67C 4110CF04Conditions: This symptom is observed when RIP is configured on a Cisco 10000 series router with PRE4 and is running Cisco IOS Release 12.2(34)SB2. The RIP holddown timer is set to "0". The GigE or Sonet controller on the Cisco 10000 series router that has RIP enabled is shut down.
Workaround: There is no workaround.
•
Symptoms: NSAP address family cannot be configured.
Conditions: The symptom is observed with the initial configuration.
Workaround: There is no workaround.
•
Symptoms: The standby router reloads continuously.
Conditions: In highly scaled environments the Checkpointing Facility may get permanently stuck to FLOW_OFF if the Standby Unit reloads when FLOW_OFF is asserted.
Workaround: Reload the standby unit after executing the following command at the CLI test checkpoint flow on.
Further Problem Description: Execute the following command at the active router console CLI and determine if the flow control state is set to OFF:
show checkpoint stat
•
Symptoms: Router crashes when trying to initiate a telnet client using an IPv6 address.
Conditions: The symptom is observed when ip telnet source interface is configured to point to an interface that has an IPv6 address configured on it. It does not matter which interface it is: gig0 or any other interface.
Workaround: Remove the ip telnet source interface configuration.
•
Symptoms: Command can not be removed from CLI view once it has been added. As a result this command will not be visible in other view. As an example, if the following commands are entered:
* commands exec include-exclusive show snmp user
* no commands exec include-exclusive show snmp user
The show snmp user portion will be missing from other view.
Conditions: Occurs on Cisco IOS Release 12.2(33)SRC3.
Workaround: There is no workaround.
•
Symptoms: Unable to attach a policy when a 100% bandwidth is assigned to that policy. The policy configures with bandwidth percent and priority percent. After changing the total percentage to 90% on that policy, it is attached on the interface. If you change that policy to 100%, it is still attached on the same interface.
Conditions: The symptom is observed only when "class-default" is configured with "priority percent". (It is not seen if "class-default" is configured by "bandwidth percent".)
Workaround: Configure the priority percent in the class-default so that total percentage is 90%. You can now attach the policy to the target successfully. Change the priority percent in the class-default so that total percentage is back to 100%.
•
Symptoms: A router may crash with memory corruption or with one of the two following messages:
%SYS-6-STACKLOW: Stack for process HQF Shaper Background running low, 0/6000 %SYS-6-STACKLOW: Stack for process PPP Events running low, 0/12000In the case of memory corruption, a corrupted block will be in an address range very close to process or interrupt level 1 stack (this information is available in the crashinfo file).
Conditions: The symptom is observed on routers running Cisco IOS Release 12.2SB when ALL of the following conditions are met:
1. The router is configured for VPDN/L2TP.
2. There is a mixture of PPPoVPDN and "MLP Bundle" users.
3. QoS service policy with queuing actions (bandwidth guarantee or shaper) is applied to virtual access interfaces for both types of users.
Here is a way to find out if there is normal PPP users or MLP users:
PPP User via CLI: Router#sh user | inc PPP.*00 [1-9] Vi4 user#wl-cp03-7k2#4 PPPoVPDN 00:00:00 30.3.0.47
MLP via CLI: Router#sh user | inc MLP.*00 [1-9] Vi8 user#wl-cp04-7k2#5 MLP Bundle 00:00:00 30.4.0.54
Workaround:
1. Allow only PPPoVPDN (i.e.: prevent "MLP Bundle" creation).
2. Disable QoS for "MLP Bundle" users or all users.
•
Symptoms: PRE crash caused by DHCP internal function.
Conditions: The symptom is observed when the router is running as a DHCP server.
Workaround: There is no workaround.
•
Symptoms: IOS crashes when Router has multiple interfaces configured with SPA-4XCT3/DS0/ SPA-2XCT3/DS0 SPA.
Conditions: Configure multiple channel groups on SPA-4XCT3/DS0 SPA and performing a soft/hard OIR SPA would crash the Router and the Router reloads.
Workaround: There is no workaround.
•
Symptoms: Tracebacks can be seen at default_ip_raw_enqueue function on a Nat box configured for multicasting using Vif interface.
Conditions: The above symptom is seen on a router loaded with 12.4(24.6)T8 ios release.
Workaround: No workaround.
•
Symptoms: Ping from LAN to LNS are not success after the pptp session establishment Conditions: This is observered while testing when clear vpdn counters tunnel pptp configured for image 12.4(24.6)T8 Work Around: Unknown
•
Symptoms: Memory leak in "SSS Manager" when churning CoA messages to turn off/on a parameterized QoS service.
Conditions: ASR1000 as PTA terminating PPPoEoQinQ sessions
Workaround: There is no workaround.
•
Symptoms: GLBP may provide BIA MAC instead of Virtual MAC for mobile users.
Conditions: The symptom is observed when IP Mobility and GLBP are configured.
Workaround: There is no workaround.
•
Symptoms: A software-forced crash occurs after a show user command is performed.
Conditions: The crash occurs after the user performs a show user command and then presses the key for next page. It is observed on a Cisco 3845 that is running Cisco IOS Release 12.4(21a).
Workaround: Do not perform a show user command.
•
Symptoms: The Tunnel0 interface used on a DMVPN hub is reporting "Tunnel0 is reset, line protocol is down" or no traffic is passing through this interface anymore.
The IKE and IPSec SAs may still be up, but only the decaps counters will be seen increasing, not the encaps counters.
Conditions: This symptom is observed on Cisco 2821 routers that are running Cisco IOS Releases 12.4(9)T7 or 12.4(15)T9. Other platforms and releases may be affected.
Workaround: Shutdown Tunnel0 and create interface Tunnel1 with the same configuration instead, if you cannot reload the router.
Otherwise reloading the router will resolve the issue. Do not configure another identical Tunnel interface in this case or you will run into CSCsl87438. If you reload the router at a later time, be sure to remove the duplicate Tunnel interface prior to the reboot.
•
Symptoms: Ping fails when NAT outside is enabled on UUT.
Conditions: The symptom is observed only with NAT outside (static, dynamic or overload).
Workaround: There is no workaround.
•
Symptoms: CPU utilization goes to 90% or above when PfR is configured with a large number of policy using fastmode and forced target.
Conditions: The problem is limited to a large number of forced target (greater than 500) and fastmode with probe frequency of 2-5 seconds. CPU usage progressively gets worse with the increase in number.
Workaround: Use longest-match targets instead of forced targets. Forced targets are configured under oer-map, and longest-match targets are configured under OER master. Forced targets are required only if the target does not belong to the destination subnet of the traffic-class being optimized.
•
Symptoms: Some LDP sessions go down after reloading the Router with EoMPLSoGRE Sessions
Conditions: Issue is seen with ~30 EoMPLSoGRE sessions or above with traffic running. Some of the LDP sessions go down after reloading the Router
Workaround: There is no workaround.
•
Symptoms: Accounting records do not show the correct username.
Conditions: The symptom is observed when account-logon (authentication) happens after failed Transparent Auto-Logon (TAL).
Workaround: There is no workaround.
•
Symptoms: Memory corruption is hypothetically possible.
Conditions: The memory corruption might be seen after issuing: clear ip bgp ... soft on a BGP session which includes a connector attribute.
Workaround: There is no workaround.
Further Problem Description: This problem was found by automated analysis tools, and has not been showing to have any real-world impact.
•
Symptoms: The router crashes when you try to attach a service policy with a policer to an interface.
Conditions: The symptom is observed when the service policy has a policer defined in it and when you try to attach that service policy to an interface.
Workaround: There is no workaround.
•
Symptoms: Crash when cdp is running on the interfaces.
Conditions: None. This is a rare issue.
Workaround: Disable cdp using 'no cdp run' global configuation command.
•
Symptoms: Crash occurs in mfib_db_table_is_downloadable().
This bug may be seen when the following config command is issued: no ipv6 multicast-routing
Conditions: This is a platform-independent bug and has been spotted on the ASR1k and the Cat6k(Earl8).
Workaround: There is no workaround.
•
Symptoms: When testing the HTTP PAI ENH feature to check whether PAI can handle the different password scenarios (given below) with and without AAA authentication, the test cases fail and show the error "Authentication to Privilege level 15 failed".
Conditions: The symptom is observed under the following different password scenarios:
1. EnableBlank_WithAAA: Test to verify that PAI can handle empty password values and use AAA enable password authentication.
2. EnableSecret_WithAAA: Ensure that PAI can handle password encryption and substitution. Use enable password authentication.
3. EnablePass_NoAAA: Verify that PAI can handle password encryption and substitution.
4. EnableSecret_NoAAA: Verify that PAI can handle password encryption and substitution.
5. SpaceEmbedded_Password: Ensure that PAI can handle a space in the password.
Workaround: There is no workaround.
•
Symptoms: The ISIS redistribution RIB has a stale route that is not removed after the original ISIS route is deleted when an interface is shut down. This can cause wrong ISIS database information and wrong routing information in the routing table.
Conditions: This symptom is observed when the router is an L1L2 router and the old ISIS route to be deleted after interface shutdown has a backup route from other routing protocols. If the ip routing protocol purge interface command is configured, the issue will not happen.
Workaround: Either configure the ip routing protocol purge interface command or enter the clear isis * command, which may resolve the problem temporarily.
•
Symptoms: Active RP's CPU% spikes by MLD process/PIM process after reload or switchover or interface state flapping.
Conditions: This MLD CPU Spike is seen right after the Bootup when Active RP is Synching with Standby RP. The PIM CPU Spike is seen when the interface state is changing. But again this two problem can be seen randomly.
Workaround: There is no workaround.
•
Symptoms: CPU utilization is high when there is a scaled configuration of more than 1000 interfaces and 100-pps traffic is being sent on UUT along with BGP and multicast traffic.
Conditions: This symptom is observed when several sessions are active and generating traffic.
Workaround: There is no workaround.
•
Symptoms: Router with dynamic NAT for unicast and multicast traffic crashes after deleting ip nat inside source list.
Conditions: Router crashes when there is unicast and multicast traffic and only when unicast and multicast traffic uses the same NAT rule.
Workaround: Use separate NAT rule for unicast and multicast traffic.
•
Symptoms: The router crashes when running a certain test case that reprovisions an AToM tunnel multiple times.
Conditions: The crash happens while reprovisioning an AToM tunnel with AAL5 encapsulation.
Workaround: There is no workaround.
Further Problem Description: A complex sequence of events with specific timing characteristics is required to hit this crash.
•
Symptoms: EzVPN clients are failing negotiation. This may cause the router to use the less-specific route.
Conditions: The problem can occur when 0/0 is configured as a destination and EXACT_MATCH is specified.
Workaround: There is no workaround.
•
Symptoms: An incorrect logic in doing increment comparisons for counters, such as interface resets will cause EEM policy to be triggered. That is, if there are any numbers in the interface resets counter and a "clear counters" is performed on the next EEM poll interval the command executes, which is not correct.
Conditions: This is seen in the latest 12.4(24)T. Most of the newer 12.4T images are also affected.
Workaround: There is no workaround.
•
Symptoms: Continuous packet send by BFD causing CPU hog.
Conditions: BFD enabled in router.
Workaround: Disable BFD.
•
Symptoms: The SBC SIP application is not VRF address aware.
Conditions: The symptom is observed when using an overlapping local IP address.
Workaround: Use a non-overlapping local IP address.
•
Symptoms: For pim sparse mode groups, no s,g would form in the network. This leads to traffic failures.
Conditions: Pim sm be configured in the network and traffic is being sent for the pim sm groups.
Workaround: Shut the upstream interface, remove the ip address, configure it again and do a no shut on the interface.
•
Symptoms: Users with level 15 privilege and a "view" cannot do a Secure Copy (SCP).
Conditions: The symptom is observed when a user with a "view" attempts to do an SCP.
Workaround: Remove view.
•
Symptoms: Frame relay client triggers reload of standby router Conditions:Occurs if lot of frame relay related configuration is present Workaround: No workaround
•
Symptoms: HSRP authentication applied to secondary addresses fails, generating the following syslog message:
%HSRP-4-BADAUTH: Bad authentication from 172.16.123.2, group 2, remote state Active
Conditions: The symptom is observed with HSRP authentication applied to secondary addresses. (HSRP authentication applied to primary addresses are unaffected.) It is seen with Cisco IOS Release 12.4(24)T and 12.2(33)SXI.
Workaround: Disable authentication on HSRP groups configured with secondary addresses.
•
Symptoms: HIGH CPU after MR APS switchover resulting in OSPF link flaps.
Conditions: Above symptom seen in Cisco routers with IOS image version 12.2(34)SB after APS switchover.
Workaround: There is no workaround.
•
Symptoms:G1 and G2 routers may crash.
Conditions: When MLP is configured on CJ-PA and OIR is done.
Workaround: There is no workaround.
•
Symptoms: The offered rate and bandwidth allocated for all the user classes are the same, although different percentages are configured. The output rate failed to guarantee its minimum bandwidth setting.
Conditions: The data rate for QoS bandwidth is not meeting its minimum requirement.
Workaround: There is no workaround.
•
Symptoms: The ISG will have dangling sessions if multiple CoA messages comes in while the ISG is making a CoA request.
Conditions: This occurs when ISG makes a CoA request but never receives a response. During that time, another CoA message comes in to disconnect the session. The session will never be disconnected.
Workaround: Clear the sessions manually.
•
Symptoms:The user configures multi-word string in the client-ID of ANCP neighbor configuration on ATM pvc using quotation marks. But, the quotation marks are not displayed in the client-ID. Hence, the ANCP configuration on the pvc disappears after router reboot.
Conditions: Configure a multi-word string in the client-ID of ANCP neighbor name.
Workaround: There is no workaround.
•
Symptoms: Modified QoS params are not reflected to atm vc in platform.
Conditions: If interface is shut and any VC QoS param is modified which triggers VC modification.
Workaround: Don't modify VC params in interface shut mode.
•
Symptoms: Console hangs with "system accounting" configured.
Conditions: The symptom is observed when "console login authentication" is configured with "AAA server group (Radius/Tacacs+)" and when the server is not reachable.
Workaround:
1. Configure local authentication: either local, line, or enable.
2. Wait until the system start timeout occurs.
•
Following are the symptoms of the issue. 1.ECC Erros
1.1 %ECC-3-SBE_HARD: Single bit *hard* error detected
1.2 %ECC-3-SBE_LIMIT: Single bit error detected and corrected
1.3 %ECC-SP-STDBY-3-SYNDROME_SBE_LIMIT: 8-bit Syndrome for the for the detected Single-bit error. 1.4 %C7600_MEM_ECC-2-MBE: Multiple bit error detected.
2. Card stuck before ROMMON prompt during re-boot
3. Crash while copying IOS images through TFTP to bootdisk.
4. Crashes due to memory corruption
5. TLB exception: ** Data TLB Error Exception ***
Conditions: There is no exact trigger but it could be seen with system booting, copying image from disk/tftp to disk, traffic etc.
Workaround: Upgrade ROMMON to SRD5 for RSP720 and SRD6 ROMMON for RSP720+10G.
•
Symptoms: Per-vrf dampening is not supported.
Conditions: Normal code flow.
Workaround: There is no workaround.
•
Symptoms: If a user configures 32K dual stack sessions on a PTA device(ASR1K) with another ASR1K as client using the "test pppoe" command, the client crashes with an IOS crash when 14K sessions come up on the PTA.
Conditions:Client crashes with "test pppoe" command while trying to bring up 16K dual stack sessions on a PTA device. Both PPPoE client and PTA are ASR1K routers.
Workaround:There is no workaround.
•
Symptoms: Prefixes may be unresolved or dropped if "non recursive accounting" is enabled.
Conditions: The prerequisites for this symptom to occur are:
1. Non recursive accounting is enabled (that is, ip cef accounting non-recursive is present in the configuration).
2. A recursive prefix (e.g.: BGP learned) is recursing over another prefix which is also recursive.
3. The second recursive prefix has multiple recursive paths, e.g.: multiple iBGP paths with maximum-paths ibgp 2.
4. None of the recursive prefixes are MPLS labeled.
Workaround:
1. Remove ip cef accounting non-recursive.
2. Disable iBGP multipath by configuring maximum-paths ibgp 1.
•
Symptoms: SNMP get for a single request ifInOctets or ifOutOctets, one request/second, shows counters increasing.
SNMP get two OIDs at the same time (ifInOctets and ifOutOctets or sysUptime, ...) shows counters increasing only every 5 seconds.
Conditions: 7300 running 12.2(31)SB14
Workaround: There is no workaround.
•
Symptoms: The ping from CE1 to CE2 fails when VLAN xconnect is provisioned, even though the session is up.
Conditions: The symptom is observed with Cisco IOS Release 12.4(20)T4.
Workaround: There is no workaround.
•
Symptoms: RP is observed to reload after 24hrs
Conditions: When 10k Sessions out of 23k sessions are flapped for 24hrs, RP is observed to reload and switchover is observed.
Workaround: There is no workaround.
•
Symptoms: A router may crash while doing an OIR of a PA-MC-E3.
Conditions: The symptom is observed with a Cisco 7200 series router that is running the 122-31.4.57.SB16 image, with frame-relay configurations and with the controller shut.
Workaround: There is no workaround.
•
Symptoms: Packets are getting SSS switched on the LAC towards LNS.
Conditions: The symptom is observed when bringing up any PPPoE or PPPoA session.
Workaround: There is no workaround.
•
Symptoms: MSDP SA is not received on an MSDP peer.
Conditions: The symptom is observed when the first hop router is also the RP.
Workaround: There is no workaround.
•
Symptoms:
1] On configuring an invalid reg expression like the one below under ip extcommunity-list and sh run the router crashes.
2] On configuring an invalid reg expression like the one below and then in the same extcommunity-list configure another reg expression the router crashes immediately.
Conditions: When an invalid reg expression like the one in the enclosures ")(*)(*&*&^*&^&^%&^%"
Workaround:
There is no workaround.
•
Symptoms: The write memory command used in parallel on two VTY sessions erases the standby NVRAM.
Conditions: The symptom is observed with Cisco IOS Release 12.2(33)SB, when performing parallel write memory commands on two different VTY sessions.
Workaround: Configure "nvbypass".
•
Symptoms: IOSD crashes when establishing PPPoE sessions with invalid configurations.
Conditions: The symptom is observed under the following conditions:
1. A Cisco ASR 1006 router used as a PPPoE server. 2. The configuration "sessions per-vlan throttle" is applied to a physical interface. 3. A PPPoE session is attempted on the interface.
Workaround: Remove "sessions per-vlan throttle" from the physical interface.
•
Symptoms: Router crashing with ospf_build_net_lsa
Conditions: While unconfiguring ospf configurations , router is carshing.
Workaround: There is no workaround.
•
Symptoms: Sometimes etherchannel member-link "UP" convergence time takes about 1sec.
Conditions: PAgP is used.
Workaround: There is no workaround.
•
Symptoms: Fragmented L2TP packets may be dropped when switched from an L2TP tunnel. The debug IP error will show the following:
IP-6-L2MCASTDROP: Layer 2 Multicast packet detected and dropped
Conditions: The symptom is observed when there is a Gigabitethernet/Ethernet link between PE routers.
Workaround: There is no workaround.
•
Symptoms: High CPU utilization on LFD main process during SSO.
Conditions: When having nearly 4k of VCs, High CPU utilization on LFD main process during SSO.
Workaround: There is no workaround.
•
Symptoms: Configure a vpn profile(template) cisco-avpair="template:ip-addr=10.10.10.10 255.255.255.255".
Bring up a PPPOE seeion from Client to LNS,call comes up and the virtual-access2.1 on the LNS fails to gets the template IP address 10.10.10.10.
Conditions: When running per vrf aaa script on Pi11r version image , configured vpn profile(template) cisco-avpair="template:ip-addr=10.10.10.10 255.255.255.255". has not applied to the virtual-access on the LNS.
Workaround: There is no workaround.
•
Symptoms: Configure policy-map to have small bandwidth attach this service-policy onto MFR interface which is in UP state, next shut down the MFR interface and modify the policy to take more bandwidth in the service-policy then standby resets.
Conditions: Configure policy-map to have small bandwidth attach this service-policy onto MFR interface which is in UP state, next shut down the MFR interface and modify the policy to take more bandwidth in the service-policy then standby resets.
Workaround: Configure less bandwidth in the service-policy then the crash will not happen.
•
Symptoms: A router crashes.
Conditions: The symptom is observed when configuring IPSec using the VTI and attaching the service policy to the tunnel interface, while enabling the physical interface and where the tunnel source in the tunnel interface is given as IP address of the physical interface. It is observed when the router is loaded with the c7200-adventerprisek9-mz.124-24.6.PI11r image.
Workaround: Use the physical interface instead of using the VTI for IPSec.
•
Symptoms: In Ascend IP Pool Management, the IP address is not allocated from the default pool during IPCP negotiation, if the pool is not defined explicitly for that client.
Conditions: The symptom is observed after the routers try to establish one PPPoE session, and one local pool is configured on NAS. When the client makes a call the IP address is not allocated from the default local pool on NAS.
Workaround: Define the pools explicitly and do not let the IP address be negotiated from any local default pool.
•
Symptoms: Memory corruption.
Conditions: The symptom is observed with an unaligned IP packet in an interrupted switch path.
Workaround: There is no workaround.
•
Symptoms: The registering flag gets set on Mroute entry. Register-Stop is not received from the RP.
Conditions: The symptom is observed when sending the data packets before the RP address interface comes up in RP. It is observed on a Cisco 7200 series router that is running the 12.4(24.6)PI11r image.
Workaround: There is no workaround.
•
Symptoms: Using a break action within a programmatic Embedded Event Manager applet causes the policy to exit.
Conditions: The symptom is observed when a break action is executed within a loop. For example:
action 001 foreach line $output "
" action 002 if $line eq "" action 003 break action 004 end action 005 puts "Made it here"After the break is executed, the policy aborts. The "Made it here" string is not printed.
Workaround: If possible, use "if ... goto" statements to get out of the loop without calling break. For example:
action 001 foreach line $output "
" action 002 if $line eq "" goto 004 action 003 end action 004 puts "Made it here"•
Symptoms: The memory occupied by the IP SLAs Sync Pro may gradually increase.
Conditions: The issue occurs when ICMP path jitter operation is configured on the router with invalid source address. Platform is sup720-3B with 12.2(33)SXI1 image.
Workaround: Configure the SLA operation with right source address.
•
Symptoms: IPv6 multicast traffic is process-switched on IPv6 RBE.
Conditions: IPv6 Cisco Express Forwarding (CEF) is enabled, however IPv6 multicast traffic is process-switched on IPv6 RBE interface.
Workaround: There is no workaround.
•
Symptoms: With a CJPA connected back-to-back to a Cisco 7200 series router with a NPE-G1 or NPE-G2, the NPE-G2 sometimes crashes when executing the command clear int range multilink 1 10 and the NPE-G1 gives spurious access for the same command.
Conditions: The symptoms are observed with a CJPA connected back-to-back to a Cisco 7200 series router with a NPE-G1 or NPE-G2 and when 14 multilinks are configured with two members each. Pagents are sending bi-directional traffic.
Workaround: Do not perform commands across all interfaces using interface range. Perform the commands one-by-one, manually.
•
Symptoms: A router crashes upon bringing up PPPoE sessions.
Conditions: The symptom is observed when AAA proposes a pool name but the pool is not defined on the NAS as well as the radius.
Workaround: Define the pool on the NAS or as a dynamic pool on the radius.
•
Symptoms: Router may crash with a Software forced crash.
Conditions: Under certain conditions multiple parallel execution of the <cmd>show user</cmd> command will cause the device to reload.
Workaround: It is possible to limit the exposure of the Cisco device by applying a VTY access class to permit only known, trusted devices to connect to the device via telnet, reverse telnet and SSH.
For more information on restricting traffic to VTYs, please consult:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1818/products_configuration_example09186a0080204528.shtml
The following example permits access to VTYs from the 192.168.1.0/24 netblock and the single IP address 172.16.1.2 while denying access from everywhere else:
Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255 Router(config)# access-list 1 permit host 172.16.1.2 Router(config)# line vty 0 4 Router(config-line)# access-class 1 inFor devices acting as a terminal server, to apply the access class to reverse telnet ports, the access-list must be configured for the aux port and terminal lines as well:
Router(config)# line 1 <x> Router(config-line)# access-class 1 inDifferent Cisco platforms support different numbers of terminal lines. Check your device's configuration to determine the correct number of terminal lines for your platform.
•
Symptoms: A device might crash with a bus error and the following error message:
%ALIGN-1-FATAL: Illegal access to a low addressConditions: The symptom is observed on a device that is running Cisco IOS Release 12.4(24)T1. Other releases may be affected (those running with the Common Classification Engine). The condition seems to be temporary and after a while it goes away.
Workaround: There is no workaround.
•
Symptoms: Memory corruption occurs when a user name is configured to a maximum length of 64 characters, as shown:
config# username <name of 64 characters> priv <0-15> password 0 <password>
Conditions: The symptom is observed if the user name is exactly 64 characters.
Workaround: Configure a user name of less than 63 characters.
Further Problem Description: When some configurations are added, modified, or deleted the show configuration id detail command prints information of last change time, changed by user, and changed from process. If the user name is very large (exactly 64 characters), then the "changed by user" field prints unwanted characters.
•
Symptoms: The tunnel stitching VC may go down resulting in traffic loss.
Conditions: The symptom is observed when the remote peer is changed with a different MTU, causing the tunnel stitching VC to go down. When the matching MTU is reconfigured, however, the tunnel stitching session does not come back up.
Workaround: There is no workaround.
•
Symptoms: Router crash with traceback 0x40A0D7E8 0x40A0C870 0x409D4DC4 0x4098E0AC 0x42655B74 0x40E3CE4C 0x40E3D634 0x40E3DAB8 0x40974B78 0x40974B5C
Conditions: While configuring ip dhcp pool TAL_DHCP_vrf_pool
Workaround: There is no workaround.
•
Symptoms: with L2pt and SPAN configuration in the same router the following error message might be displayed on 7609.
*Sep 1 15:56:08.175: %SPANTREE-SP-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 1 on GigabitEthernet1/2 VLAN5. *Sep 1 15:56:08.175: %SPANTREE-SP-2-BLOCK_PVID_LOCAL: Blocking GigabitEthernet1/2 on MST0. Inconsistent local vlan.
Conditions: 1) RSPAN is configured on the 7609 2) STP BPDUs are being tunneled up to the 7609 via L2PT 3) L2PT is configured locally on the 7609
With these three conditions present in the network then it is possible to see the problem.
Workaround: Apply a VACL where the RSPAN session is sourced.
mac access-list extended block_l2tp_dmacdeny any host 0100.0ccd.cdd0 Ðß L2PT destination macpermit any anyvlan access-map block_l2tp 10match mac address block_l2tp_dmacaction forwardvlan filter block_l2tp vlan-list 5 Ðß insert rspan vlan. In this case it is 5•
Symptoms: WIth MSToEVC and N-PE redundancy enabled between two 7600 routers in a ring topology, the assigned root 7600 blocks its connection to the other 7600 due to a Dispute state.
Conditions: This issue is seen in a ring topology with MSToEVC and N-PE redundancy between two nodes. It occurs when there are valid active and backup MPLS-TE tunnels between the nodes. BPDUs travel across both tunnels, even though they should only traverse the primary, and cause the Dispute state.
Workaround: Disable the backup tunnel between the nodes, though this removes redundancy in case the link between the nodes fails.
•
Symptoms: When the router boots up, traffic won't flow for some of the EoMPLS VCs.
Conditions: When the router has more than 400 SCEoMPLS VC.
Workaround: Shutting and unshutting the core facing interface is the workaround for this issue.
•
Symptoms: Using the command default dest-ipaddr for udp-echo, udp-jitter, and tcp-connect causes a device to crash.
Conditions: The symptom is observed with the command default dest-ipaddr.
Workaround: Do not use the command default dest-ipaddr. This sets the address to 0.0.0.0, which is not valid.
•
Symptoms: A router crashes upon bringing up PPP sessions.
Conditions: The symptom is observed if IP pools are configured.
Workaround: There is no workaround.
•
Symptoms: After a RP switchover, the new active RP logs traceback many times, and all sessions/tunnels are torn down.
Conditions: LNS is configured with 16000 sessions/8000 tunnels (2 sessions per tunel), all sessions with Model D2 QoS. After a RP switchover, the new active RP logs traceback many times, and all sessions/tunnels are torn down.
Workaround: There is no workaround.
•
Symptoms: Autocommands configured on VTY line or user-profile are not executing while logging through VTY.
Conditions: The symptom is observed if the privilege level is not configured in the user profile.
Workaround: Explicitly configure user privilege in the user profile.
•
Symptoms: A C10K is experiencing nested crashes due to a corrupted program counter.
Conditions: This is seen on a C10K running 12.2(33)SB7 during normal operation.
Workaround: There is no workaround.
•
Symptoms: The router produces the message: %SYS-6-STACKLOW: Stack for process BGP Router running low, 0/9000 and reloads
Conditions: The message and reload are seen only when: 1. BGP is configured 2. BGP has learned about multiple networks 3. The command clear ip bgp is issued. It is best-documented with the command clear ip bgp * soft but could potentially be generated in response to more limited clear commands, or in response to the removal of BGP-related configuration.
This problem is only seen in images where CSCsz72142 is integrated.
Workaround: There is no workaround.
•
Symptoms: CDP is disabled and its neighbors are not seen on a CDP enabled QnQ ports after shut and no shut operation.
Conditions: This symptoms is observed on a L2 QnQ tunnel port. By default on L2 QnQ tunnel port, cdp is disabled. However cdp can enabled on QnQ port through cli command. After enabling the CDP on a QnQ port, a subsequent link down and link up (shut and no shut) of this QnQ port, results in disabling the CDP which is the default behavior.
Workaround: The work around to this problem is to configure the CDP (CDP enable)again after link up.
•
Symptoms: ES+ Linecard crashes on removing the channel-group configuration from the member-link which is in shut state.
Conditions: Customer would see this issue whenever the one of the member-link is down and the configurations are changed.
Workaround: Do "no shut" on the member-link before removing the channel-group configuation.
•
Symptoms: For VPLS Autodiscovered pseudowires using FEC129, the label release message is not understood by peer in Inter-Op tests with Alcatel-Lucent. This is because Cisco box is sending label release message in the format <AGI,LAII,RAII> whereas it should be <AGI,RAII,LAII>
Conditions: Delete the VFI or shut the attachment circuit to cause the label withdraw message to sent and correspondingly the peer will send label release message.
Workaround: There is no workaround.
•
Symptoms: IP Header Compression (IPHC) may not function for IP multicast packets.
Conditions: This symptom is observed when IPHC is enabled for IP multicast routing.
Workaround: There is no workaround.
Resolved Caveats—Cisco IOS Release 12.2(33)SRD3
All the caveats listed in this section are resolved in Cisco IOS Release 12.2(33)SRD3. The caveats listed in this section are open in Cisco IOS Release 12.2(33)SRD.
•
Symptoms: A Cisco router may crash or may stop responding.
Conditions: This has been always seen with an atm interface only when a rate-limit command is enabled on the interface. The crash occurs when an interface that is configured with a rate-limit command is deleted by entering the no interface command and then reenabled by entering the interface command.
Workaround: Remove the rate-limit configuration from the interface before deleting the interface.
Further Problem Description: Happens under very specific circumstances and the crash is seen randomly.
•
Symptoms: The following CLASS-BASED-QOS-MIB counters are incorrect in output direction:
- cbQosCMPrePolicyByte64
- cbQosCMPostPolicyByte64
In input direction cbQosCMDropByte64 is incremented and is always equal to cbQosCMPrePolicyByte64.
Conditions: Hardware specific setup: SIP-600 and 10GE SPA.
Workaround: There is no workaround.
•
Symptoms: A Cisco 7600 Series router or Cisco Catalyst 6500 Switch may unexpectedly reload due to bus error when running remote command switch show mmls met.
Conditions: Occurs when the device is doing multicast.
Workaround: Do not run the command.
•
Symptoms: Resilient Ethernet Protocol (REP) flaps due to excessive CPU utilization occurs.
Conditions: Occurs in a Resilient Ethernet Protocol (REP) segment if 4000 VLANs are configured on the router and if VLANs are allowed on a switchport.
Workaround: There is no workaround.
•
Symptoms: A Cisco router may fail to access a flash card after formatting it, and the following error message is generated:
*** Emulating mis-aligned load at 0x80000190 PC = 0x8001179c ... succeeded
Conditions: The symptom is observed on a Cisco 7200 series, Cisco 7301, and Cisco 7500 series that run Cisco IOS Release 12.4(10) or Release 12.4(12) and occurs only when a flash card is accessed from the ROMmon prompt.
Workaround: There is no workaround. Note that the symptom does not occur in Release 12.4(8a) or an earlier release.
•
Symptoms: Under certain unusual circumstances, routes can go SIA in an EIGRP network and create transient routing loops.
Conditions: When the metric on an interface increases rapidly, the symptom can occur. This can happen with MANET interfaces as well as bundled interfaces (such as port-channels).
Workaround: There is no workaround.
•
Symptoms: The following symptoms all relate to the same root cause:
1. In syntax check mode, if there is a standby in SSO mode, the cts dot1x command does not work and the following error messages are displayed:
RouterRP(syntax-if)#cts dot1x %ERROR: Standby doesn't support this command ^ % Invalid input detected at '^' marker.
RouterRP(syntax-archive)#path disk0: %ERROR: Standby doesn't support this command ^ % Invalid input detected at '^' marker.
2. After a redundancy force-switchover, the applet configuration is lost and retains only the applet name. (This is done by configuring an applet on the main RP and switchover to the Standby by issuing a redundancy force-switchover. Issue the sh run command on the Standby which is now the main RP.) All the action statements are lost.
3. The Standby switch reloads by itself after going into the event manager applet configuration mode:
Config Sync: Line-by-Line sync verifying failure on command: event manager applet cli-test-01 due to parser return error
4. The Standby switch may also reload upon removing the command event manager applet:
RouterRP(config)#event manager applet 1 EEM: Applet 1 is currently being modified
OR
RouterRP(config)#no event manager applet 1 EEM: Applet 1 is currently being modified
Conditions: The symptoms are observed in syntax check mode, if there is a standby in SSO mode.
Workaround: There is no workaround.
•
Symptoms: The image name displayed in show version will be truncated to 64 characters if the image name is more than that.
Conditions: It occurs in High Availability (HA) setup.
Workaround: There is no workaround.
•
Symptoms: Shortly after replacing FlexWAN, SNMP queue starts to fill and SNMP queue full error message is printed:
%SNMP-3-INPUT_QFULL_ERR: Packet dropped due to input queue full
Conditions: Occurs on a Cisco 7600 router running Cisco IOS Release 12.2(33)SRD1.
Workaround: Apply following view:
snmp-server view Flash iso included
snmp-server view Flash ciscoFlashMIB exclude
snmp-server view Flash ciscoFlashDevice exclude
snmp-server view Flash ciscoFlashPartitions exclude
snmp-server view Flash ciscoFlashPartitionTable exclude
snmp-server view Flash ciscoFlashPartitionEntry exclude
snmp-server community <name> view Flash RW
If this is not enough to get rid of SNMP queue full, reload the router so that the view applies at the router bootup.
•
Symptoms: Router crashes following a shut/no shut on the main interface.
Conditions: Occurs on a router running Cisco IOS Release 12.2SXH2a. IPv6 traffic must be flowing over the WAN interface for multiple IPv6 prefixes. The crash occurs when a shut/no shut is done on the main interface on which multiple subinterfaces have been configured and IPv6 routing is enabled.
Workaround: There is no workaround.
•
Symptoms: When there are two PA-2T3 cards on a VIP6-80 and hard loop one port on one PA-2t3, it causes the port on the second PA-2T3 card to flap. The impact of the issue is that the interface flaps once and it results in dropping of 6-7 packets.
Conditions: When we do a shut/no shut on a serial port, the other serial port on the same VIP might flap once.
Workaround: Put each PA-2T3 card on different VIP modules.
Further Problem Description: Any Cisco IOS release that incorporates CSCsj96781 will definitely see this bug. The other affected serial port can belong to the same PA (in case of two-port T3+ PA) or it can belong to a different PA on a different bay but on same VIP.
•
Symptoms: A Catalyst 6500 switch with an etherchannel spanning multiple DFC modules may drop packets for a certain MAC on egress. This happens when one of the DFCs carrying the etherchannel has an incorrectly programmed MAC address entry, pointing at the internal drop index.
Conditions: This only occurs in an asymmetric routing scenario, where frames are constantly egressing the etherchannel destined for certain MAC addresses, but frames are not consistently seen from those MAC addresses. This is often the case when Hot Standby Routing Protocol (HSRP) is running, and this particular switch is the HSRP standby.
Workaround: Through tweaking ARP and MAC address aging timers, this situation can be avoided. We recommend that the MAC address aging timer be set at least 3 times higher than the ARP timer for the VLAN interface.
The configuration for this is:
Switch(config)#mac-address synchronize
Switch(config)#mac-address aging-time 900
Switch(config)#interface Vlan360
Switch(config-if)#arp timeout 300
Further Problem Description: While a MAC address is in this condition, the following outputs will look like this:
Switch#show mac-address-table address 0000.0000.0001 all det
MAC Table shown in details ========================================
PI_E RM RMA Type Alw-Lrn Trap Modified Notify Capture Flood Mac Address Age Pvlan SWbits Index XTag ----+---+---+----+-------+----+--------+------+-------+------+--------------+----+------+------+------+---- Module 1: No No No DY No No Yes No No No 0000.0000.0001 0x3A 360 0 0x7FFF 0 Active Supervisor: No No No DY No No Yes No No No 0000.0000.0001 0x69 360 0 0x342 0
Here, we see that the MAC address is not present on Module 2, which it should be. On Module 1, we see that the index pointed to is 0x7FFF, which represents the internal drop index in the 6500. Also, we see the "Flood" bit is set to 'No'. In this condition, all frames egressing Module 1 for this MAC will be dropped. Had "Flood=Yes", the frames would be flooded instead of dropped, which is normal behavior.
•
Symptoms: Following reload, controllers come up, but interfaces stay down.
Conditions: A router with HA Sup720 and non-HA Sup32 is connected with 8xCHT1/E1 SPA, 1xCHSTM1 SPA and 4xCT3 SPA in a SIP-200. Upon reloading 8xCHT1/E1 SPA alone on both sides simultaneously, 6-7 interfaces go down and never come up. They show as up/up in line card but up/down in RP.
Workaround: There is no workaround.
•
Symptoms: When a downgrade is done from Cisco IOS Release 12.2(33)SB to Release 12.2(31)SB, the Standby that is loaded with Cisco IOS Release 12.2(31)SB fails to do config sync and keeps crashing.
Conditions: This symptom occurs when both Active and Standby are loaded with Cisco IOS Release 12.2(33)SB image with PPPOX (PPPoA or PPPoE) configurations. Standby is downgraded to Cisco IOS Release 12.2(31)SB. The standby loaded with Cisco IOS Release 12.2(31)SB fails to do configuration sync and keeps crashing after configuring issu loadversion command.
This is also seen in the case of an upgrade from Cisco IOS Release 12.2(31)SB* to Cisco IOS Release 12.2(33)SB image, after issu runversion command, when Active has Cisco IOS Release 12.2(33)SB and Standby has Cisco IOS Release 12.2(31)SB* image.
Workaround: For upgrade from Cisco IOS Release 12.2(31)SB* to Cisco IOS Release 12.2(33)SB image:
After issu runversion command, when Active has Cisco IOS Release 12.2(33)SB:
1) Configure the following:
router#configure terminal router(config)#redundancy router(config-red)#force-rpr 1
2) Cisco IOS Release 12.2(31)SB* becomes Standby and will crash once and then come up in RPR mode.
3)Do issu commitversion and Standby will come up with Cisco IOS Release 12.2(33)SB image.
For downgrade from Cisco IOS Release 12.2(33)SB to Cisco IOS Release 12.2(31) SB* image:
1) Configure the following on Active PRE Cisco IOS Release 12.2(33)SB:
router#configure terminal router(config)#redundancy router(config-red)#force-rpr 1
2) Do issu loadversion command, which causes Standby to go down and come up as Standby (Cisco IOS Release 12.2(31)SB*). The new Standby will crash once and then come up in RPR mode.
3) Do issu runversion command to make Standby as Active (Cisco IOS Release 12.2(31)SB*).
4) Do issu commitversion command and Standby will come up in Cisco IOS Release 12.2(31)SB*.
The force-rpr 1 command is removed from the configuration by now, since Cisco IOS Release 12.2(31)SB* image does not support this command.
•
Symptoms: A Cisco IOS device may reload with an address error or have alignment errors and tracebacks such as %ALIGN-3-SPURIOUS or %ALIGN-3-TRACE
Conditions: The symptoms are most likely to occur when the TACACS+ server (ACS) sends an "authentication error" when ACS is configured, or when a request timeout occurs. There may be other AAA or TACACS related conditions that cause the symptom.
Workaround: There is no workaround.
•
Symptom: Memory leak when remote PEs have more xconnects configured than UUT
Conditions: set session limit under vpdn-group and over subscribe sessions. Workaround: NA
•
Symptoms: A Cisco router might crash when debug condition portbundle ip 10.1.1.1 bundle 0 is configured.
Conditions: Occurs when this command is executed prior to configuring ip portbundle.
Workaround: There is no workaround.
•
Symptoms: A Cisco router may ungracefully reload.
Conditions: The symptom is observed when the router is processing CoA RADIUS messages and when certain debugs are turned on.
Workaround: Disable all debugs.
•
Symptoms: PE-CE performance degradation of 80% on initial convergence.
Conditions: Occurs when BGP and VPNv4 are configured.
Workaround: There is no workaround.
Further Problem Description: Performance is not affected after initial convergence.
•
Symptoms: In very rare cases, a Cisco 10000 series router crashes with a log similar to:
%Software-forced reload Breakpoint exception, CPU signal 23, PC = 0x408FAFC0
Possible software fault. Upon recurrence, please collect crashinfo, "show tech" and contact Cisco Technical Support.
-Traceback= 408FAFC0 408F8B78 41990010 419910E0 41992DB8 42158AF4 41992EC0 41953F8C 41956C1C
(Note that the hex values of the traceback may be different.)
Conditions: The symptom is observed on a Cisco 10000 series router that is running Cisco IOS Release 12.2(33)SB1.
Workaround: There is no workaround.
Further Problem Description: The occurrence of the problem so far has been rare. The decode of the traceback points to a BGP issue. The confirmation of whether a crash is due to this bug in BGP or not can only be made after the traceback from the crash has been decoded by Cisco support engineers.
•
Symptoms: Redistributed routes are not being advertised after a neighbor flap.
Conditions: This symptom is observed if BGP is redistributing local routes and if there are multiple neighbors in the same update-group and then a neighbor flaps. For the flapped neighbor, some redistributed routes are not being advertised.
Workaround: Undo and redo the redistribution.
•
Symptoms: Changing any of the parameters of a route-map does not take effect.
Conditions: Occurs when using a BGP aggregate-address with an advertise map.
Workaround: Delete the aggregate-address statement and then put it back for the change to take effect.
•
Symptoms: A router configured with BGP import from the global IPv4 table into a VRF using the VRF configuration command import ipv4 unicast map ... may exhibit a brief traffic outage to destinations reached through the imported routes following a switchover.
Conditions: Global to VRF import must be configured under the VRF. Issue only affects Cisco IOS Release 12.29(33)SR releases.
Workaround: There is no workaround.
•
Symptoms: Memory leak can be seen on the LNS.
Conditions: The symptom is observed on the L2TP Network Server (LNS) when the PPP client does a renegotiation.
Workaround: There is no workaround.
•
Symptoms: Frame-Relay fragment output not seen when modifying the attached map-class.
Conditions: Occurs on a Cisco 7200 router.
Workaround: Detach and attach Frame-Relay fragment.
•
Symptoms: After multiple OIRs, memory gets fragmented in line card and at one stage the mallocs start failing.
Conditions: There is a higher chance of fragmentation when we have ATM OC3 SPAs in both the bays and huge configurations which eat up lot of memory.
Workaround: Reload the line card.
•
Symptoms: A device running FTP to transmit the DHCP database may experience a file descriptor leak that results in errors such as:
ROUTER#show run
OR
ROUTER#show start Using XXXX out of XXXX bytes %Error opening nvram:/startup-config (Bad file number)
OR
ROUTER#dir nvram: Directory of nvram:/ %Error opening nvram:/ (File table overflow) XXXX bytes total (XXXX bytes free)
Conditions: Occurs when the router is configured to use FTP to transmit the DHCP database:
ip dhcp database ftp://XXXX:XXXX@X.X.X.X/XXXX
And the FTP server becomes unreachable. The file descriptor leak can be viewed in the output of show file descriptors:
ROUTER-B#show file descriptors File Descriptors:
FD Position Open PID Path 0 0 0302 145 ftp://X.X.X.X/DHCP 1 0 0302 145 ftp://X.X.X.X/DHCP 2 0 0302 145 ftp://X.X.X.X/DHCP 3 0 0302 145 ftp://X.X.X.X/DHCP 4 0 0302 145 ftp://X.X.X.X/DHCP 5 0 0302 145 ftp://X.X.X.X/DHCP 6 0 0302 145 ftp://X.X.X.X/DHCP 7 0 0302 145 ftp://X.X.X.X/DHCP 8 0 0302 145 ftp://X.X.X.X/DHCP 9 0 0302 145 ftp://X.X.X.X/DHCP <snip>
Workaround: Ensure that the FTP server does not become unreachable for more than 128 total minutes, as there are only 128 file descriptors. In the event that all 128 file descriptors are leaked, a reboot is required to recover.
•
Symptoms: PIM packets may be processed on interfaces which PIM is not explicitly configured.
Conditions: Unknown at this time.
Workarounds: Create an ACL to drop PIM packets to such interfaces.
•
Symptoms: When doing IP session on Layer 4 Redirect with VPN routing/forwarding (VRF) web logon scale test, subscriber tries to authenticate with 20 characters per second from test tool. MCP crashed into ROMMon
Conditions: Occurs only when test tool sends authentication at 20 characters per second
Workaround: There is no workaround.
•
Symptoms: High CPU on PM callback process on SP. Depending on the number of trunk links configured, the high CPU time increases exponentially with the number of trunk links.
Conditions: This occurs when VTP pruning is enabled and there are too many trunk links. High CPU on PM callback process is normal as the switch is pruning the VLANs. Problem only occur when there are too many trunk links and the high CPU last for too long and affects other layer 2 operations.
Workaround: Disable VTP pruning or reduce the number of trunk links. For phones, use mode access with voice VLAN configured if this configuration is supported by phone.
•
Symptoms: GRE tunnel terminates on switch where Server Load Balancing (SLB) is configured. Traffic to SLB VIP and real server fails and causes crash.
Conditions: Occurs on a router running Cisco IOS Release 12.2(33)SRC2. Router crashes and creates core dump while doing a telnet to a real server under NAT-configured server farm using GRE Tunnel.
Workaround: There is no workaround.
•
Symptoms: Router may reload when you unconfigure and then configure the ipv multicast-routing commands in quick succession.
Conditions: Occurs when these commands are entered in quick succession, such as with copy and paste.
Workaround: Allow for a delay when entering the commands ipv multicast-routing and no ipv multicast-routing.
•
Symptoms: System crashes while running online diags.
Conditions: The system may crash when there is a spike in CPU utilization or traffic in the system.
Workaround: There is no workaround.
•
Symptoms: BGP neighbors may experience increased flapping.
Conditions: Occurs when large number of BGP neighbors are configured with aggressive BGP hold-timer values.
Workaround: Increase the BGP hold-timer values beyond 10/30.
•
Symptoms: VTY session may get stuck after some extended pings are done and the CPU process may go high.
Conditions: The symptom is observed when an extended ping with CLNS is done and the command is left incomplete until the vty session times out.
Workaround: Issue can be prevented by not leaving the extended 'ping clns' command incomplete for long time in the vty session.
•
Symptoms: A router may write a crashinfo that lacks the normal command logs, crash traceback, crash context, or memory dumps.
Conditions: This might be seen in a memory corruption crash depending on precisely how the memory was corrupted.
Workaround: There is no workaround.
•
Symptoms: Routers using OSPF and MPLS Traffic Engineering may crash or operate incorrectly following changes to the configuration of MPLS-TE tunnel interfaces or OSPF. In some cases a configuration change will cause an immediate crash, while in others memory may be corrupted resulting in problems later.
Routers using MPLS-TE primary auto-tunnels are particularly vulnerable because those tunnel interfaces may be removed as the result of network topology changes as well as by modifying the running configuration.
Conditions: In order to be exposed to this problem, a router must have MPLS TE tunnel interfaces that are announced to OSPF. Systems that do not run OSPF, or which do not use MPLS-TE are not affected.
Systems that operate without "service alignment detection" enabled may crash when the following configuration commands are issued:
Global configuration mode:
* no interface tunnel <n> * no router ospf * no mpls traffic-eng auto-tunnel
Interface configuration mode:
* no ip unnumbered * no ip address
Exec mode:
* clear mpls traffic-eng auto-tunnel
Note that routers running modular IOS (ION) and IOS-XE do not have alignment detection enabled.
Regardless of the state of alignment detection, removing the last MPLS-TE tunnel interface to a destination can cause problems, as can removing auto-tunnel configuration. Removal of dynamically created auto-tunnel interfaces as a result of changes in the network topology has the same effect.
Note that routers using auto backup tunnels to provide fast reroute for static MPLS-TE tunnels do not have any extra exposure to this bug because while these backup tunnels may be removed due to topology changes, the static tunnel to the same destination will not be.
Normal UP/DOWN state changes of tunnel interfaces do not cause problems.
Workaround: To remove a MPLS-TE tunnel interface, first configure it down with the "shutdown" command in interface submode.
To remove an OSPF instance, first disable MPLS-TE for the instance by configuring "no mpls traffic-eng area <n>" in router ospf submode.
No workaround is available for MPLS-TE auto-tunnels.
•
Symptoms: When flapping a fiber, the link protocol comes up, but the line protocol does not.
Conditions: Occurs on links between SIP modules.
Workaround: Perform a shut/no shut on the interface.
•
Symptoms: Both active and standby supervisors crash.
Conditions: Occurs when Control Plane Policing (COPP) is configured and there are multiple session churns happening with PPPoE subscribers.
Workaround: There is no workaround.
•
Symptoms: With traffic flowing normally over a GRE tunnel terminating on the ES20 line card the module will crash when IPSec tunnel protection is enabled.<BR><BR>
Conditions: Occurs when tunnel endpoint is an interface on the ES20 line card.<BR><BR>
Workaround: This crash is seen only when GRE is accelerated by spa-ipsec-2g. If GRE is accelerated by the SUP, the crash does not happen. This is done by default in VRF mode without any other directives like "crypto engine mode gre vpnblade". To ensure the tunnel is adding "crypto engine gre supervisor" in the global configuration mode and on all the tunnels that are handled by ES20 for mpls recirculations.
As an alternative workaround, If the customer wants the GRE acceleration to be taken over by the spa-ipsec-2g. An ACL needs configured to drop all the plain unencrypted GRE traffic between a tunnel's source and destination ip addresses may also be effective if applied prior to configuring the "tunnel protection ..." command. However, this workaround may not scale in certain configurations.<BR><BR>
As a preventive precautionary measure. A safer practice would be to configure the Customer Edge device prior to configuring the Provider Edge. This configuration order should prevent this issue from occuring when adding IPSec Tunnel protection to GRE Tunnels.
•
Symptoms: Microflow policing fails to be removed or modified on port-channel subinterface.
Conditions: Occurs on a Cisco 7600 series router with port-channel subinterface configured for microflow policing, and the same policy configured on subinterface with encap VLAN as well as another subinterface without encap VLAN.
Workaround: There is no workaround.
•
Symptoms: BGP MDT session flaps when a router running Cisco IOS is interoperating with a router running Cisco IOS-XR and when withdrawal messages are sent by IOS to XR of previously advertised MDT prefixes.
Conditions: MDT prefixes need to be exchanged by IOS and XR routers. If a withdrawal message is exchanged subsequently for any reason then this problem is seen.
Workaround: There is no workaround.
•
Symptoms: Whenever MTU is configured under a port-channel with EVC (Ethernet Virtual Circuit), the MTU functionality does not work as expected.
Conditions: This happens only with Layer 3 port-channels.
Workaround: There is no workaround.
Further Problem Description: Whenever a member link is added to a port-channel, the member link's MTU is programmed to the jumbo MTU value (default 9216). Even when a custom MTU value is configured under port-channel, all the member links' MTUs are programmed with 9216.
•
Symptoms: The following messages appear in the log after a reload:
Suspending service policy (policyname) on Multilink(#)bandwidth of 24.00% is not available (1.00%)
bandwidth of 24.00% is not available (1.00%)
bandwidth of 24.00% is not available (1.00%)
bandwidth of 24.00% is not available (1.00%)
Conditions: A Cisco 7600 running Cisco IOS Release 12.2(33)SRB2 and 12.2(33)SRB3 with Multilink interface configured for CBWFQ QOS policy will suspend policy and display error message similar to the above if service-policy is applied to Multilink interface at time of route loading.
Workaround: Load router with no service-policies applied and apply them after router is up.
•
Symptoms: Crash in TCP.
Conditions: Happens when clearing a BGP neighbor. The trigger is uncertain and hard to reproduce.
Workaround: There is no workaround.
•
Symptoms: A policy-map is applied to an interface on ESM20G card and has a random-detect aggregate action configured in a class. If another class is added to the policy-map which has match statement as "match cos <cos-value>", this class gets added. Now if random-detect aggregate is removed from the previous class, an error message is dumped on screen :
'match cos' combined with other match statements at the same class level is not supported for this interface.
If random-detect action is added to this class, router crashes.
Conditions: Occurs with the following configuration:
policy-map PMAP_UPLINKS
class CMAP-RT-COS (match cos <vaue>)
class CMAP-BC-EXP
no random-detect aggregate
random-detect -----> (CRASH)
Workaround: Do not add a class-map with "match cos" filter to a policy-map which conflicts with other class-map filters.
•
Symptoms: Delay in bootup time of the line cards occurs during reload with diags enabled. Issue not seen when diags are disabled.
Conditions: There is no specific configuration or traffic combination that will trigger this issue. Issue seen with or without any Ethernet Virtual Circuit (EVC) configs or traffic conditions.
Workaround: Disable bootup diags or power down the 6748-GE-TX card
•
Symptoms: ATOM VC status is seen as down in standby RP and traffic loss is seen after switchover for 44 seconds.
Conditions:
1. Bring 6RU up (SSO) with 1 AToM VC, 1 AToM VP (Initial VC state: active:UP; standby:HOTSTANDBY)
2. Delete the AToM VC sub-int ('no int a2/2/0.122') and delete the AToM VP sub-int ('no int a2/2/0.1001')
3. Re-configure back the same AToM VC and VP configuration (VC state: Active:UP; Standby:DOWN for AToM VC)
4. If I do a force switchover ('redundancy force-switchover'). It will experience ~44 seconds of traffic lost for this VC.
Workaround: There are two work around for this issue:
1. Do not reconfigure the ATOM VC immediately after deleting a subinterface.
2. Do not copy and paste the ATOM VC configuration. Either do it manually step by step or copy the configuration from a file.
•
Symptoms: PKI daemon is stuck in DNS resolution attempt for the hostname used in the CDP.
Conditions: The when symptom is observed using name resolution for automatic actions taken by the router during non-interactive sessions (CRL download using name in CDP URI). Only applicable if 'ip domain-lookup' is enabled within the config
Workaround: There is no workaround.
•
Symptoms: When trying to configure a peer template using the command template peer-session S1_1 under router bgp 1 , it enters into UNKNOWN-MODE. Once there, we cannot get out of that mode and the router has to be rebooted.
Conditions: The bug is seen only in Cisco ION images. Cisco IOS images are fine. Following is an example:
ip39-1(config)#router bgp 1
ip39-1(config-router)#template peer-session S1_1
ip39-1(UNKNOWN-MODE)#?
% Unrecognized command
ip39-1(UNKNOWN-MODE)#end ^ % Invalid input detected at '^' marker.
Workaround: There is no workaround.
•
Symptoms: Device crashes upon entering command sh policy-map interface.
Conditions: Unknown at this time.
Workaround: There is no workaround.
•
Symptoms: Crash is seen when 1000 IP sessions identified by same MAC address are setup and torn down using Cisco Intelligent Services Gateway (ISG).
Conditions:
1. Setup 1000 IP sessions on ISG on one port. 2. Setup another 1000 sessions on second port with same MAC address range as in first port. 3. Ensure 1000 sessions are up. The other 1000 sessions setup request would be rejected as they are using the same MAC address as in step 1. 4. Clear the 1000 sessions using clear sss session all. 5. Repeat steps 2, 3, and 4 until crash is seen.
Note: This scenario is not supported and has been documented. Please refer to the Restrictions section on the following URL: http://www.cisco.com/en/US/docs/ios/isg/configuration/guide/isg_sub_aware_enet.html#wp1074579
Workaround: This is a negative test case and will never happen in practical setups as the MAC addresses will not overlap. Also the network topology should ensure that the same subscriber MAC address does not appear on more than one physical interface.
•
Symptoms: Virtual Private LAN Services (VPLS) unicast traffic not flowing over the VC when core-facing port is ESM20 line card.
Conditions: Core-facing port must be on the 9th slot or higher in a Cisco 7609 or Cisco 7613 chassis. Also the VC neighbor scale should be very high on that VPLS VLAN.
Workaround: Use slots lower than 9.
•
Symptoms: Three separate Cisco IOS Hypertext Transfer Protocol (HTTP) cross-site scripting (XSS) vulnerabilities and a cross-site request forgery (CSRF) vulnerability have been reported to Cisco by three independent researchers.
The Cisco Security Response is posted at the following link: http://www.cisco.com/warp/public/707/cisco-sr-20090114-http.shtml
Conditions: See "Additional Information" section in the posted response for further details.
Workarounds: See "Workaround" section in the posted response for further details.
•
Symptoms: Switch does not send TC trap if it is not a root bridge
Conditions: If switch is a root bridge, it generates TC trap when link goes both up and down. But if switch is not a root bridge, it generates TC trap only when link goes up.
Workaround: There is no workaround.
•
Symptoms: When relaying to multiple servers from an unnumbered interface, the DHCP relay sends packets to all servers, even for packets where the client is in a RENEWING state unicasting to attempt to reach a single server. ARP entries are retained for all offered addresses, even if the client is ultimately using a different address. These extra ARP entries persist for several hours.
Conditions: The symptom is observed under the following conditions:
1. When relaying a DHCP packet on an unnumbered interface and the DHCP client is in a renewing state (as determined by the fact that the packets are sent to the DHCP server which allocated the address so that we do not end up giving the client a new address, which would then interrupt the user sessions).
2. When the client is in any other state, or if we do not get a response from the DHCP server, the packets are sent to all helper-addresses.
Workaround: Use Cisco IOS 12.4T images.
Further Problem Description: Only retain an ARP entry for the address that the DHCP client ACKs. Do not retain addresses offered by DHCP servers which the client did not use in the ARP table.
•
Symptoms: The no l2tp tunnel authentication command does not work at LNS.
Conditions: This symptom happens when the VPDN group that is used has a virtual-template x.
Workaround: Configure the no l2tp tunnel authentication command under virtual template.
•
Symptoms: Following error message are seen when the frame-relay fragment <fragment size> command is configured under map-class attached to PVC:
% Fragment size 110 not supported. Supported fragment size are 128, 256 and 512. Rounding current fragment config to 128.
Conditions: This seen in distributed platforms (Cisco 7600) when fragment size configured is not 128, 256, or 512.
Workaround: Configure the fragment size as 128, 256 or 512
•
Symptoms: Memory leak is seen on configuring and unconfiguring "cem-group".
Conditions: Occurs when configuring and unconfiguring 4 "cem-groups" per controller.
Workaround: There is no workaround.
•
Symptoms: Crash occurs when BGP configuration is removed.
Conditions: BGP is checkpointing routes to the redundant RRP when the configuration change occurs. More likely to occur in a scaled setup.
Workaround: Do not enter the no router bgp command.
•
Symptoms: VPN routing/forwarding (VRF) transfer fails.
Conditions: Occurs when ISG is configured on the device.
Workaround: There is no workaround.
•
Cisco IOS devices that are configured for Internet Key Exchange (IKE) protocol and certificate based authentication are vulnerable to a resource exhaustion attack. Successful exploitation of this vulnerability may result in the allocation of all available Phase 1 security associations (SA) and prevent the establishment of new IPsec sessions.
Cisco has released free software updates that address this vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-ipsec.shtml
•
Symptoms: Any attempt to copy a file from a router to an FTP server will fail. The FTP error is "No such file or directory".
Conditions: This is only a problem with FTP and only when transferring to an FTP server. Transfers from an FTP server work as expected.
Workaround: Use a different file transfer protocol, such as TFTP.
•
Cisco IOS Software configured with Authentication Proxy for HTTP(S), Web Authentication or the consent feature, contains a vulnerability that may allow an unauthenticated session to bypass the authentication proxy server or bypass the consent webpage.
There are no workarounds that mitigate this vulnerability.
This advisory is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sa-20090923-auth-proxy.shtml
•
Symptoms: When using Point-to-Point Tunnelling Protocol (PPTP) with RADIUS Accounting, there may be several "nas-error" and "lost-carrier" listed in accounting as the Acct-Terminate-Cause.
Conditions: The symptom is observed when using Cisco IOS Release 12.4T (Releases 12.4(15)T-12.4(22)T confirmed) and using PPTP with RADIUS Accounting in place.
Workaround: There is no workaround.
•
Symptoms: After SPA reload, the CHOC12-DS0 SPA may be transmitting B1/B2/B3 errors out. Remote side will detect SF BER, B1 TCA, B2 TCA, or B3 TCA alarms, or DS3 or DS1 alarms. The CHOC12-DS0 SPA will have SONET line REI, Path REI or DS3/DS1 RAI alarm.
Conditions: When the SPA boots up during temperature transition, the SPA transmit side could trigger B1/B2/B3 error detected by remote end. In a stable temperature environment, this problem is hard to reproduce. After SPA is booted up, the problem can not be reproduced even if temperature transits.
Workaround: A software workaround was released in Cisco IOS Release 12.2(33)SRD1 to reduce the issue. But in some SPAs, the problem may still happen. When the problem happens, reload the SPA.
•
Symptoms: Bulk sync fails.
Conditions: Occurs when the relay destination command is configured on the device.
Workaround: There is no workaround.
•
Symptoms: VPN routing/forwarding (VRF) traffic may experience packet loss after a supervisor switchover.
Conditions: Occurs on a Cisco 7600 running Cisco IOS Release 12.2(33)SRB2 or Cisco IOS Release 12.2(33)SRC2.
Workaround: Apply an access-list with "permit ip any any" in one of the VRF interfaces, or force another switchover.
•
Symptoms: In rare conditions, when removing address-familly in router RIP configuration just after importing large amount of routes in it, the router may crash on bus error.
Conditions: It was observed in the following context:
1) Supervisor 720 running Cisco IOS Release 12.2(18)SXF7. 2) 66K of routes were imported at that moment from BGP into RIP. 3) The address-family is removed.
Workaround: Wait a few minutes between the moment you create and import the routes in the address-family and the moment you remove it. Typically 3-5 minutes (depending on the number of routes, more delay may be needed).
•
Symptoms: Router crashes when BGP-IPv6 directly connected IBGP neighbors receives route with Link-local Nexthop.
Conditions: BGP sends IPv6 link-local address in following cases:
1) Directly connected eBGP neighbors
2) BGP Ipv6 neighbors connected using Link-local address
In case of this defect, testing device is advertising link-local nexthop for directly connected neighbor using global IPv6 address. Cisco router will never advertise link-Local nexthop.
Workaround: There is no workaround.
•
Symptoms: On a PPP aggregator using dhcp-proxy-client functionality, in a situation where a PPP client session is torn down and then renegotiated within 5 seconds, the DHCP proxy client may send a DHCP RELEASE for the previous DHCP handle after the new DHCP handle (created as a result of new IPCP CONFREQ Address 0.0.0.0) has accepted the same IP address allocation from the offnet DHCP Server. This results in the offnet DHCP server having no record of the lease as it exists on the PPP aggregator which causes future addressing conflicts.
Conditions: The symptom is observed on a Cisco 7200 (NPE-400) and 7200 (NPE-G2) that is running Cisco IOS Release 12.4 T, or 12.2 SB.
Workaround:
1. Automated: Write a script to compare active leases on the PPP aggregator to active leases on DHCP server. If a lease is found to only exist on the PPP aggregator, use clear interface virtual-access to recover.
2. Manual: use the command clear interface virtual-access.
Further Problem Description: This issue occurs because the DHCP client holdtime is static at 5 seconds and there are no IOS hooks to tie PPP LCP session removal and IPAM to suppress stale DHCPRELEASES waiting in queue for HOLDTIME to expire.
•
Symptoms: Copy to "slavedisk:" is failing with the following error:
Error writing slavedisk0:/rsp72043-adventerprisek9_dbg-mz.122-33.0.5.SRD (TF I/O failed in data-in phase)
Conditions: The issue is seen in RPR mode with Cisco IOS Release 12.2SR rsp720 image.
Workaround: Copy the file in SSO mode.
•
Symptoms: In extremely rare conditions, traffic loss might be observed through ws-x6704 modules equipped with DFC (DFC3b & 3bxl, DFC3a)
Conditions: To confirm that traffic loss might be related to this issue use the following command:
remote command module mod# show platform soft earl reset history
where <mod#> is slot number of the module experiencing traffic drops (ingress module)
cat6500#remote command mod 11 sh platform soft earl reset history
Num. of times patch applied : 156
Num. of times patch requested : 156
Time Reason InProgress Data
--------------+------------------------+------------+----------
5d20h Non-Earl Fatal error 0000 1701FFFFFFFFFFFF
5d20h Non-Earl Fatal error 0000 1701FFFFFFFFFFFF
5d20h Non-Earl Fatal error 0000 1700FFFFFFFFFFFF
5d20h Non-Earl Fatal error 0000 1700FFFFFFFFFFFF
For traffic loss to be related to this issue in above output one should see lines similar to above (most important is the last part i.e. 1701FFFFFFFFFFFF and 1700FFFFFFFFFFFF). There should be multiple lines like this and new lines might appear from time to time. Traffic loss would coincide with the appearance of new lines.
Workaround: There is no workaround other than upgrading to a release that has been fixed.
•
Symptoms: In a router running BGP, the BGP process may hold increased amounts of memory over time without freeing any memory. This may also be seen from the output of show proc mem sort and in the output of show ip bgp sum or show ip bgp vpnv4 all sum and looking at the number of BGP attributes which may be increasing over time in relation to the BGP prefixes and paths which may remain roughly the same.
Conditions: Some BGP neighbors are not in established state and exchanging prefixes. The issue is observed on all platforms running the following releases of Cisco IOS:
-12.2(31)SB14
-12.2(33)SB1b
-12.2(33)SB2
-12.2(33.05.14)SRB
-12.2(33.02.09)SRC
-12.2(33)SRC3
-12.4(20)T2
-12.4(22)T1
-12.2(33)SXI or later releases.
Workaround: Remove the configuration lines related to the inactive neighbors (neighbors in Idle or Active states).
•
Symptoms: On RSP720-10GE, VPNSPA always remains in INIT state.
Conditions: Unknown at this time.
Workaround: There is no workaround.
•
Symptoms: On a router in which MPLS Traffic Engineering (TE) is configured, toggling the router-id in the router configuration can cause the router to reload. For example, configuring "router ospf 100 mpls traffic-eng router-id loopback 0" quickly followed by "mpls traffic-eng router-id loopback 1" may trigger this symptom.
Conditions: It is necessary that "mpls traffic-eng tunnel automesh" is running in the OSPF area of the router, although automesh need not be configured on the affected router.
Workaround: There is no workaround.
•
Symptoms: With 2X1GE-V2 SPA on SIP400, when the interface connector changes from SFP to RJ45, the port failed to be up and it could no longer ping its partner.
Conditions: When the media-type of the 2X1GE-V2 interface is chanaged to RJ45 using the media-type rj45 command, the interface goes to down state. This issue is found in Cisco IOS Release 12.2(33)SRB, SRC, and SRD.
Workaround: Reload the router to bring up RJ45 ports.
•
Symptoms: Lawful intercept users are appearing in output from show run.
Conditions: Occurs in Cisco IOS Release 12.2(33)SRC.
Workaround: There is no workaround.
•
Symptoms: VLAN state unable to recover after shutdown by "mac-limit."
Conditions: Applicable for extended VLAN after MAC limit exceeded and action configured to shutdown.
Workaround: There is no workaround.
•
Symptoms: Traceback occur on SPA inside SIP-400.
Conditions: Occurs during online insertion and removal (OIR) of SPA.
Workaround: There is no workaround.
•
Symptoms: Connected route on port-channel sub-interface is not removed when port-channel is down.
Conditions: Happens when using /22 subnet. Does not happen when using /24 subnet.
Workaround: There is no workaround.
•
Symptoms: Sticky-ARP entries are refreshed forever even after the client is removed from the network.
Conditions: This issue is seen after an upgrade from Cisco IOS Release 12.2(33)SRB5 to Release 12.2(33)SRD1.
Workaround: There is no workaround.
•
Symptoms: Native GigE interfaces of a Cisco 7200 NPE-G2 router will not acknowledge reception of pause frames and will not stop its transmission in case of media-type RJ45.
Conditions: The symptom is observed with media-type RJ45 and with SFP with "no neg auto" configured.
Workaround: There is no workaround.
Further Problem Description: There are no issues with SFP with a "neg auto" configuration.
•
Symptoms: Option 82 is not appended in DHCP NAK packet by DHCP server.
Conditions: Not any specific condition.
Workaround: There is no workaround.
•
Symptoms: ISG subnet session feature if used in an environment where subscribers are connected to ISG interface on Layer 2 cloud, that is, ISG is the default gateway for the subscribers yet ISG subscribers interface is in routed mode, then adjacency to these connected subscribers is removed as soon as a subnet session is created and next hop is installed for these subscribers as the logical network id computed using the framed subnet mask received from AAA server as access accept radius attribute.
Conditions: This condition will occur for subnet session feature in scenario where ISG interface is defined under routed mode; however subscribers are connected over layer-2 cloud to this ISG interface, that is, ISG is the default gateway for these subscribers.
Workaround: There is no workaround if the subnet session feature has to be deliberately used in scenario as defined under conditions above. However this problem will not occur if the subscribers are one hop or more away from ISG.
Further Problem Description: ISG subnet session feature is used to group a number of sessions together using IP framed netmask attribute. The ISG subnet session feature can be used if ISG interface is defined under routed mode.
For example IP addresses belonging to a client say 192.168.0.68/24, 192.168.0.69/24, 192.168.0.70/24 and 192.168.0.70/24 can be grouped together under one ISG session if at the time of session creation a IP framed netmask 255.255.255.252 is returned in the access accept message from AAA server. The subscribers are one or more hop away from ISG interface (10.10.10.1/24)
The IP Framed Netmask attribute is used to compute the range of IP addresses to be grouped together under one ISG session. In example above, if a session is initiated firstly by IP address 192.168.0.69/24; then using IP Framed Netmask the computed range of IP addresses to be grouped together will be 192.168.0.68 to 192.168.0.71.
Now in a scenario where ISG interface is defined under routed mode though the subscribers are connected directly over Layer 2 cloud to ISG interface and Subnet Session is required to be used as a feature; then the stated problem under section Symptom above will occur.
Using example above and applying to this problematic scenario - the IP addresses of client 192.168.0.68/24, 192.168.0.69/24, 192.168.0.70/24 and 192.168.0.70/24 have to be grouped together under one ISG session using Subnet Session feature by returning a IP Framed Netmask 255.255.255.252 under Access Accept from AAA server, however the ISG interface (192.168.0.1/24) in this scenario is the default gateway to these Client IP end points.
Now as soon as the session is created and authenticated and Subnet Session feature is installed the next hop for these IP range 192.168.0.68 to 192.168.0.71 computed using IP Framed Netmask value 255.255.255.252 would be 192.168.0.68/30 resulting in traffic destined to all the range of IP addresses grouped under Subnet Session forwarded to 192.168.0.68/30 instead of using ARP to reach the IP end points directly.
•
Symptoms: In a rare event, router may crash in EIGRP code after a peer bounce and route removal.
Conditions: Crash seen during EIGRP route updates.
Workaround: There is no workaround.
•
Symptoms: Switch reports following messages:
CDL2 Read Error: Time out
CDL2 Write Error: Time out
Conditions: Occurs on a Catalyst 6500 switch running Cisco IOS Release 12.2(18)SXF.
Workaround: Re-seat the X2 modules. It is highly recommended to do a complete diagnostic test on all modules.
•
Symptoms: Router crashes with memory corruption.
Conditions: Occurs when BFD is configured on 10GigE interfaces and constant link flaps.
Workaround: There is no workaround.
•
Symptoms: When using an ES-40 10GE linecard, if the MAC layer of the WAN connection goes down, but the optical PCS layer remains up, the ES-40 port will never realize the link is down and will instead always keep the interface Up/Up. 10G ports in the ES+ family of line cards do not take advantage of link fault signalling by peer.
Protocols relying on fast reconvergence, will not be able to take advantage of the 10G link fault signalling.
Conditions: This problem can occur on any 10GE interface on an ES-40 line card when the remote transceiver or repeater keeps the PCS layer up but takes the MAC layer down.
The Link layer detection algorithm for 10G ports in the ES+ does not consider a Remote Fault signalled by the peer end. Thus link will continue to show as Link-Up, even though the remote end MAC has experienced a RX FAULT and did not happen to switch off the laser
Workaround: There is no workaround except to rely on higher layer protocols that send hellos or keepalives to determine when the link goes down and reroute around the failure with those protocols. Line protocol will never go down when the PCS layer is up on an ES-40 line card.
•
Symptoms: A core dump may fail to write, with the following errors seen on the console:
current memory block, bp = 0x4B5400A0,
memorypool type is Exception
data check, ptr = 0x4B5400D0
bp->next(0x00000000) not in any mempool
bp_prev(0x00000000) not in any mempool
writing compressed ftp://10.0.0.1/testuncached_iomem_region.Z
[Failed]
writing compressed ftp://10.0.0.1/testiomem.Z
[Failed]
writing compressed ftp://10.0.0.1/test.Z
[Failed]
%No memory available
Conditions: This is only seen for memory corruption crashes when "exception region-size" is configured to a value that is not divisible by 4.
Workaround: The recommended setting for exception region-size is 262144 in newer images. In older images, where the maximum configurable value is 65536, use the maximum.
•
Symptoms: Downstream traffic stopped after delete/recover of sub-interface configuration while sessions are up.
Conditions: Occurred with the following configuration:
* L2access IP aggregation session
* ISG as DHCP relay
* No VPN routing/forwarding (VRF)
* TAL authentication
Workaround: There is no workaround.
•
Symptoms: Standby router reboots continuously and comes to the prompt only after second or third attempt.
Conditions: When the standby is booting up, during the startup bulk sync, Cat6k QoS Manager client will time out after 30 seconds (depends on load on the box). Due to stress QoS config, during bulk sync, the standby is taking more time, and this triggers active to reset the standby.
Workaround: There is no workaround.
•
Symptoms: STP network will not converge if the vlan dot1q tag native global command is enabled. BPDUs will not get transmitted over Virtual Private LAN Services (VPLS) pseudowire (PW).
Conditions: Occurs in a network with nPE redundancy, where the redundant PEs are connected through VPLS PW.
Workaround: Disable the vlan dot1q tag native command.
•
Symptoms: A router may reload unexpectedly.
Conditions: The symptom is observed when the router has Bidirectional Forwarding Detection (BFD) configured and is actively sending keepalives. The crash has multiple possible triggers:
- It can be triggered by certain show commands (show bootvar and show c7200 are known to cause the problem). The issue will not be seen on every invocation of the commands. It is a rare timing condition, so the probability of the crash increases as the commands are run more frequently. - It can also be triggered by large scale BFD deployments (hundreds of sessions on a single router).
Workaround: Unconfigure BFD.
•
Symptoms: The session ID changes between "interim" and "stop" accounting records.
Conditions: The symptom has been observed on Cisco IOS Release 12.2(31)SB12 with "radius-server attribute 44 extend-with-addr" in the configuration.
Workaround: Do not configure "radius-server attribute 44 extend-with-addr".
•
Symptoms: SPA-4XOC3-ATM can stop forwarding ingress traffic after cell packing timer is changed.
Conditions: Occurs when MPLS is configured over a tunnel interface and the cell packing timer is changed.
Workaround: There is no preventive workaround to this issue. Once the card is in the problem state, the FPGA is hung and to recover from this state, the SPA has to be reloaded.
•
Symptoms: DS3 interface on choc3/STM1 stops passing traffic.
Conditions: Occurs when a DS3 is oversubscribed.
Workaround: There is no workaround.
•
Symptoms: A Cisco IOS device may produce CPUHOG error messages and a watchdog timeout unexpected restart when running a Tool Command Language (Tcl) Embedded Event Manager (EEM) policy.
Conditions: This occurs when the EEM policy uses the Tcl puts command to print a very large amount of text.
Workaround: Do not use this command to print out a large amount of text.
•
Symptoms: The entPhysicalVendorType for Transceivers lists the vendortype of Port.
Conditions: Occurs during normal operation.
Workaround: There is no workaround.
•
Symptoms: A Cisco router running Cisco IOS Release 12.2(33)SRC1 may crash when removing the TE tunnel mode on a SIP600 or ES20 card.
Conditions: A tunnel bot uses the following script to remove tunnels:
interface Tunnel37025
no mpls ip
no tunnel mode mpls traffic-eng
exit
no interface Tunnel37025
In the transient time between removal of tunnel mode and removing the tunnel interface, packets are still moving through EARL.
Workaround: Shutdown the tunnel first, then complete the script:
interface Tunnel37025
shutdown
no mpls ip
no tunnel mode mpls traffic-eng
exit
no interface Tunnel37025
•
Symptoms: NAS-port-ID format reported by AAA accounting VS reply to a CoA account-query are different. Affects back-end server for billing functions.
Format send by AAA accounting records:
Apr 16 09:59:16.358: RADIUS: NAS-Port-Id [87] 25 "GigabitEthernet0/1.118:"
Format sent in reply to CoA Query:
Apr 16 10:03:49.149: RADIUS: NAS-Port-Id [87] 33 "nas-port:10.10.10.101:4/0/0/118"
Conditions: This behavior was observed in Cisco IOS Release 12.2(33)SB3.
Workaround: There is no workaround.
•
Symptoms: HQF is not getting cleaned after a policy with priority child class is removed from the "serial-vaccess" MLP interface. Also when removing the policy, an error message is seen:
qos-reg15-r5#config term
Enter configuration commands, one per line. End with CNTL/Z.
qos-reg15-r5(config)# no policy-map customer
please remove queuing feature from child policy first
qos-reg15-r5(config)#end
Conditions: The priority feature cleanup fails and prevents further service policy removal.
Workaround: There is no workaround.
•
Symptoms: A router may crash with BusError when sending an AccountingStop record.
Conditions: Just before the crash, the following error messages are seen:
%IDMNGR-7-ALLOCFAIL: Warning: Failed to allocate memory for keylist in event_init %IDMNGR-7-ALLOCFAIL: Warning: Failed to allocate memory for client request data in request_init
The system is configured for ISG-services.
Workaround: There is no workaround.
Further Problem Description: This was seen in a customer specific special based on Cisco IOS Release 12.2(31)SB13.
•
Symptoms: IPV6 traffic dropped over Virtual Private LAN Services (VPLS) cloud.
Conditions: VPLS core is configured. IPV6 end devices are PCs.
Workaround: When routers are used as end devices instead of PCs, then the issue is not seen
•
Symptoms: Acct-Session-Id attribute received in CoA message is decoded incorrectly.
Conditions: When session ID is less than 8 hex characters, the decoded value is incorrect.
Workaround: There is no workaround.
•
Symptoms: Following error message is seen:
%SIP200_MP-4-PAUSE: Non-master CPU is suspended for too long
Conditions: This is seen when fragmentation is configured under PVC and either that configuration is changed or PVC state changes.
Workaround: There is no workaround.
•
Symptoms: Router crashes.
Conditions: Occurs while unconfiguring class-default.
Workaround: There is no workaround.
•
Symptoms: Switch virtual interface (SVI)-to-SVI Layer 3 ping is failing.
Conditions: Occurs when SVI (VLAN) is configured with IP address on both ends.
Workaround: There is no workaround.
•
Symptoms: Port is shut down, and following error message is displayed:
%SYS-DFC3-2-LINKED: Bad enqueue of 191C92B4 in queue FD9EAD0 -Process= "SCP Hybrid process"
Conditions: Problem is seen with Cisco 7600 running Cisco IOS Release 12.2SRD image with Port-channel configured and the member-link used is a ES+ Linecard interface.
Workaround: There is no workaround.
•
Symptoms: With a subinterface or software Ethernet Over MPLS (EoMPLS) configured for a single tag, QinQ traffic with outer VLAN tag matching the configuration, but with full-range of inner tag is dropped.
Conditions: All QinQ traffic with the outer tag matching the configured tag on subinterface is dropped.
Workaround: Use scalable EoMPLS, which provides a versatile range of VLAN matching and has the required properties as expressed in this defect.
•
Symptoms: Traffic is lost for local forwarding between two EVCs in a VRF.
Conditions: Occurs when VRF includes attachment circuits which are defined as EVCs. Each EVC is configured on separate bridge-domain and separate IP subnet. Forwarding between remote PEs works properly but local traffic between the EVCs breaks.
Workaround: Keep the EVC on different NPs on the ES40 or replace EVC and bridge domain configuration by sub-interfaces.
•
Symptoms: 6148A-GE-TX module resets due to keep-alive failures.
Conditions: Excessive errors and micro link flaps on a port.
Workaround: There is no workaround.
Further Problem Description: This is a rare problem triggered by misbehavior of a 10Base-T hub when a FastEthernet host is connected to it.
•
Symptoms: If TAL subscribers attempt to logon when the Cisco ASR 1000 series router RADIUS service download requests a time-out, some sessions will get stuck in "Attempting" state during user/service authorizations. Once 200 sessions are stuck in this state, no subscriber will be able to login until all the sessions (those that are active and those that are stuck in "Attempting" state) are manually cleared using the clear subscriber session all command.
Conditions: The symptom is observed when TAL subscribers attempt to logon while the Cisco ASR 1000 series router RADIUS service download requests a time-out.
Workaround: Use the clear subscriber session all command to manually clear all sessions. This may be, however, service disruptive and impractical in a production network.
•
Symptoms: Multicast Open Shortest Path First (OSPF) Bidirectional Forwarding Detection (BFD) packets are corrupted when going out of ESM20 interface on an Ethernet Over MPLS (EoMPLS) setup.
Conditions: When sending a multicast OSPF database descriptor (DBD) packets or multicast ping packets to the 224.0.0.5 address and the packet size grows above a certain size (108B) in the payload, a specific byte of multicast packet traversing the EoMPLS link is corrupted.
Workaround: There is no workaround.
•
Symptoms: Dead Peer Detection (DPD) packets are not sent following loss of ISAKMP SA and IPSec in UP-NO-IKE state.
Conditions: Occurs when DPD is configured and ISAKMP SA is deleted independently of IPSec SAs
Workaround: Manually clear the crypto session to create a new ISAKMP SA.
•
Symptoms: Policy-map counters are not updated after online insertion and removal (OIR), and shaping is not happening.
Conditions: Occurs after OIR under bi-directional traffic.
Workaround: Remove the service-policy in both affected device and peer and then re-attach to update counters.
•
Symptoms: ES-20 line card repeatedly resets.
Conditions: Occurs when fabric sync failure occurs on ES-20.
Workaround: Enter the following command: test scp linecard keepalive disable.
•
Symptoms: An Error message that includes "IXP-MAP-QOS" is displayed on the supervisor. Occurs when an Ethernet flow point (EFP) interface is recreated or deleted and when online insertion and removal (OIR) is performed on a SPA with an EFP interface on SIP-400.
Conditions: Occurs only when there is a EFP policy on a Gig V2 SPA on SIP-400.
Workaround: There is no workaround. The issue does not impact functionality.
•
Symptoms: Bus error crash at an invalid address.
Conditions: The symptom is observed when running Cisco IOS Release 12.2(31)SB with SSS configured.
Workaround: There is no workaround.
•
Symptoms: If number of hours for statistics is increased to 10 or more after the probe is initially run and then restarted, system crashes with memory corruption
Conditions: Occurs when the probe is started with the hours of statistics less than 10 and then re-started with the hours of statistics greater than 9.
Workaround: There is no workaround.
•
Symptoms: When running Network Load-balancing (IGMP-mode) in VLANs with PIM enabled and static ARP entries for unicast IP to layer-2 multicast address, packet duplication will occur.
Conditions: This symptom occurs when sending unicast (non-multicast) IP packets with multicast layer-2 destinations.
Workaround: Use non-IGMP NLB modes (unicast or multicast with static macs) or use IGMP snooping querier instead of PIM on NLB SVIs.
•
Symptoms: Router crashes.
Conditions: Occurs when configured with BGP damping and default IPv4 unicast address-family is deleted.
Workaround: Do not delete the default IPv4 unicast address-family.
•
Symptoms: Different IPs are seen on the same session between Active and Standby PRE cards and the number of in-use IP addresses on Standby is more than that on the Active.
Conditions: The symptom is observed with the frequent connect/disconnect of sessions and when IP addresses are allocated from the local pool.
Workaround: Reload the Standby card frequently.
•
Symptoms: Configuring no negotiation auto on Gigabit interface of 2xGEv2 SPA reduces duplex on interface to half. This causes traffic drop if traffic is bi-directional.
Conditions: Occurs when "media-type" configured on Giginterface as "SFP".
Workaround: There is no workaround.
•
Symptoms: When the SAMI module is booted up, CEF is disabled by default in the PPCs. If a PPC is configured for ISG, no static IP sessions (L2-connected or L3-routed) can come up. Even after enabling CEF, static IP sessions still do not come up. If the PPC(s) or SAMI gets reloaded after enabling CEF and writing the configurations into memory, sessions will come up.
Conditions: When installing/configuring a new SAMI card for ISG, static IP sessions will not come up if CEF was disabled on bootup.
Workaround: Since the issue happens only when CEF was disabled on bootup, enabling CEF, doing a write memory, and then reloading the PPC will avoid this issue.
•
Symptoms: Routes do not appear in Routing Information Base (RIB) of a VRF.
Conditions: Occurs with the following configuration:
- Customer has IPv6 static route in VRF X.
- Customer has configured BGP to import routes from VRF X into VRF Y.
- BGP is apparently importing the VRF X route into VRF Y as requested
- the routes are not showing up in VRF Y RIB
Workaround: There is no workaround.
•
Symptoms: CPUHOG occurs in SNMP ENGINE, immediately followed by a crash.
%SYS-3-CPUHOG: Task is running for (4000)msecs, more than (2000)msecs (91/87),process = SNMP ENGINE.
Conditions: Querying cc6kxbarModuleChannelTable and cc6kxbarStatisticsTable in CISCO-CAT6K-CROSSBAR-MIB with invalid channel index may trigger this problem. The valid channel index range for the cc6kxbarModuleChannelTable and cc6kxbarStatisticsTable are (0..1)
Regular snmp mibwalk on those 2 tables will not cause this problem.
Workaround: Avoid MIB querying on cc6kxbarModuleChannelTable and cc6kxbarStatisticsTable with any specific invalid channel index. Instead just do regular SNMP MIBwalk on cc6kxbarModuleChannelTable and cc6kxbarStatisticsTable should be safe and work fine.
•
Symptoms: When configuring ATM or ima-group under controller T1/E1, the SNMP MIB does not populate the corresponding ATM interface. Because of this defect, ANA application is unable to model it correctly.
Conditions: Problem exists on Cisco 7600 running Cisco IOS Release 12.2(33)SRC.
Workaround: There is no workaround.
•
Symptoms: Router crashes while querying for cvpdnTemplateActiveSessions.
Conditions: Occurs if the vpdn-template name is long.
Workaround: There is no workaround.
•
Symptoms: On configuring HDLCoMPLS on SPA-8XCHT1/E1 SPA with 7600-SIP-400. traffic stops flowing from that interface.
Conditions: Occurs when Xconnect is configured.
Workaround: There is no workaround.
•
Symptoms: Connectivity Fault Management (CFM) packets are not transparently passed through scalable EoMPLS setup with SIP400 on the access side.
Conditions: This happens when CFM is disabled after enabling it
Workaround: Perform an online insertion and removal (OIR) on the line card.
•
Symptoms: ASR crashes and reboots when RSIM sends VSA 1 command with wrong format.
Conditions: VSA 1 format string has a colon which should not be there.
vsa cisco generic 1 string "qos-policy-out:=remove-class(sub, (class-default, voip))"
Workaround: There is no workaround.
•
Symptoms: Dead Peer Detection (DPD) does not trigger a new IKE session if the previous IKE session fails.
Conditions: Occurs when using on-demand DPD.
Workaround: Manually clear the IKE session to trigger a new IKE.
•
Symptoms: When there are more than 8000 DHCP sessions on a Cisco 7600 ISG, a few dangling sessions are sometimes observed.
Conditions: This symptom occurs when there are more than 8000 DHCP sessions on a Cisco 7600 ISG. ISG is configured as a DHCP relay.
Workaround: Clear the sessions using the clear ip subscriber dangling command.
•
Symptoms: Policy-maps configured with random detect can cause unnecessary packet drops.
Conditions: When an output policy-map is applied on SIP400 on Cisco IOS Release 12.2(33)SRD, and if class-maps are configured with "random detect", drops may occur even if the traffic is lower than the configured bandwidth percentage. If "random detect" is removed, drops is no longer seen. Also, this issue is seen only with low-speed interfaces. In this particular customer case, Gigabit Ethernet interface was configured in FastEthernet mode (speed 100mbps)
Workaround: There is no workaround.
•
Symptoms: Sup720 crashes during ISIS adjacency flapping.
Conditions: When an ISIS adjacency is flapping, issuing the command show isis topology triggered the crash. However, this observed only once in customer network
Workaround: There is no workaround.
•
Symptoms: Router fails on a forced switchover to the standby supervisor card. The standby supervisor card tries to come online but encounters a crash and goes into ROMMon. To recover from this state the router requires a power cycle.
Conditions: Occurs on Cisco 7600s running Cisco IOS Release 12.2(33)SRD2 and SRD2a and using non-Cisco SFPs.
Workaround: Avoid non-Cisco SFPs or use a different release of Cisco IOS.
•
Symptoms: Subscriber upstream traffic stops flowing after an online insertion and removal (OIR) is performed on a line card, or when a pair of shut/no shut commands is entered when IP sessions are brought up on main interface. For ES+ line cards, the problem can be seen even for Port-Channel main interface and all non-access sub-interfaces.
Conditions: This defect is seen only when the main interface fails to get the same hidden VLAN allocated to it prior to line card OIR (or while entering shut/no shut commands).
Workaround: There is no workaround.
•
Symptoms: MPLS-TE configuration leads to router crash due to online insertion and removal (OIR).
Conditions: MPLS-TE sessions coming up/down during OIR may lead to router crash.
Workaround: There is no workaround.
•
Symptoms: When relaying to multiple servers, from an unnumbered interface, the Cisco IOS DHCP relay sends packets to all servers, even for packets where the client in a RENEWING state unicasting to attempt to reach a single server.
ARP entries are retained for all OFFERed addresses, even if the client ultimately is using a different address. These extra ARP entries persist for several hours.
Conditions:
1. When relaying a DHCP packet on an unnumbered interface, and the DHCP client is in a renewing state (as determined by the fact), send it to the DHCP server that allocated the address so that we do not end up giving the client a new address, which would then interrupt the user sessions.
2. When the client is in any other state, or if we do not get a response from the DHCP server, send to all helper-addresses.
Workaround: There is no workaround.
Further Problem Description: Only retain an ARP entry for the address that the DHCP client acknowledges. Do not retain addresses offered by DHCP servers that the client did not use in the ARP table.
•
Symptoms: Free memory is going down because SSS Manager is growing.
Conditions: This symptom is observed on a Cisco 7600 that is used for ISG and that is running Cisco IOS Release 12.2(33)SRC3 under high network activity.
Workaround: There is no workaround. Reload the router to free memory.
Further Problem Description: The speed of the memory leak depends on the network activity. The more stress on the router, the faster the leak.
•
Symptoms: Unit under test crashes under heavy traffic when online insertion and removal (OIR) is performed on a SIP400.
Condition: Occurs with huge Layer 2 and Layer 3 protocol configuration and SIP400.
Workaround: There is no workaround.
•
Symptoms: A Cisco 7301 router crashes with "protocol pptp" configured.
Conditions: The symptom is observed with a Cisco 7301 router when "protocol pptp" is configured.
Workaround: There is no workaround.
•
Symptoms: No Layer 4 Redirect (L4R) traffic is reaching the portal.
Conditions: Occurs if there is a sub-interface on the port facing the portal.
Workaround: There is no workaround.
•
Symptoms: Packet drop occurs when show version, show run, and write memory commands are issued.
Conditions: Packet drop will be observed as input errors accounted as overruns. The rate of packets being dropped will be proportional to the rate of traffic.
Workaround: There is no workaround.
•
Symptoms: Router crashes on applying/removing priority from service map.
Conditions:
1. Configure priority in class default. Apply it on EVC on ES20 line card.
2. Remove priority from class default.
3. Now, either removing or applying priority causes the router to crash.
Workaround: There is no workaround.
•
Symptoms: Attempting an auto proxy logon causes a crash.
Conditions: This crash is seen only with auto proxy service download.
Workaround: If services are activated by CoA service logon, this issue will not be seen.
Further Problem Description: Attempting authentication of the proxy service causes a crash with traceback in description when the user profile is similar to:
simulator radius subscriber 1 framed protocol ppp service framed authentication rouble-auto password cisco vsa cisco 250 Aproxy_service;proxy_user;welcome vsa cisco generic 1 string "accounting-list=default" !
•
Symptoms: Active supervisor may crash if standby supervisor resets for any reason.
Conditions: This can happen if a interface level event happens around the same time of standby supervisor reload. The timing window is extremely small for the bug to happen.
Workaround: There is no workaround.
•
Symptoms: After supervisor forces switchover several times, a router two hops away has wrong ISIS topology and ISIS routing table.
Conditions:
1. Incremental shortest path first (ISPF) enabled in ISIS.
2. set-overload-bit on-startup in ISIS.
3. Supervisor force switchover several times
Workaround: Disable ISPF in ISIS.
•
Symptoms: Policy-map not applied at SIP400 in dLFI over ATM case after performing shut/no shut of the interface.
Conditions: Occurs after performing shut/no shut on the interface.
Workaround: Perform an online insertion and removal (OIR) on the SIP400.
•
Symptoms: We will see the traffic loss when there is a cut-over in the Spatial Reuse Protocol (SRP) ring.
Conditions: There should be HWEoMPLS configured in the system. Ingress card should be DFC card (not a supervisor card), and core-facing card should be SRP card.
Workaround: Either we use the supervisor card as ingress card, or we need to write to EARL adjacency on the line card using the test mls cef adjacency command.
•
Symptoms: Polcy-based routing (PBR) stops working after stateful switchover (SSO). All traffic that should be policy-routed is dropped instead.
Conditions: This usually happen after several switchovers between supervisors. Usually problem occurs after about 10 switchovers, however, it could happen after first one.
Workaround: Remove and add policy on the interface.
•
Symptoms: BGP modifies next-hop of the route owned by other protocol in Routing Information Base (RIB).
Conditions: Occurs when other protocol route is best in RIB due to lower admin distance, and BGP trys to add the route to RIB.
Workaround: Enter the clear ip routex.x.x.x command.
•
Symptoms: The show mls qos module command is not relevant for ES+ line cards and produces invalid output.
Conditions: Occurs during normal operation.
Workaround: Do not use the show mls qos module for ES+ line cards.
•
Symptoms: Path attribute memory leak is found when there is some path attribute churn in the network.
Conditions: The symptom is seen only when there are idle peers on the router.
Workaround: Unconfigure the idle peers.
•
Symptoms: A Cisco IOS platform can crash when authorizing Radius profiles. The issue is due to an invalid terminal sync change that updated the incorrect enumeration structure, leading to one enumeration having 1 too many entries and another one too few.
When parsing the "protocol" or "service" field, the AAA code may walk beyond the boundaries of a string array associated with the above mentioned enumerations. This will cause platforms such as the Cisco ASR to crash.
Conditions: This crash has been observed on a Cisco ASR1004 (RP2) that is running the Cisco IOS-XE version Cisco IOS Release 12.2(33)XNC1t.
Workaround: This crash will occur if an invalid protocol or service field is provisioned in a Cisco VSA. However, even when valid protocols or services are used, it is possible that certain enumeration walking code may also trigger a crash. However, Cisco has not been able to validate that situation. As a consequence, when using branches such as Cisco IOS Release 12.2(33)SB or Release 12.2XNC, without this fix, it is critical that no invalid Cisco VSA be used.
•
Symptoms: Relay information option is not verified in the downstream DHCP packets.
Conditions: This happens only when option 82 insertion is configured at the interface configuration mode.
Workaround: Configure option 82 in global configuration mode.
•
Symptoms: Following error message is displayed:
SPA_EEPROM-3-RPC_FAILED: Failed to send RPC message to read EEPROM of SPA in subslot 7/0 - rpc timeout error after fpd upgrade.
Conditions: This error usually seen following reload of the SPA after FPD upgade of SPA.
Workaround: Perform an online insertion and removal (OIR) of SPA. If that does not work, then reload line card.
•
Symptoms: Following reload or reseat of Protect LC in ADM TRuepointR 6400, SPA-2OC3-POS/SIP400/SRD2 reports "Received Alarm: L-AIS" on the PROTECT port of a 1+1 APS group when an inline SONET analyzer attached to same wire reports no L-AIS is present on the wire.
Conditions: L-AIS is recovered by an STE via looking for K2 = 0x07 for 5 consecutive frames.
A Cisco POS interface with "pos ais-shut" will transmit L-AIS when interface is shutdown. Without "pos ais-shut" the interface continues to send valid SONET frames toward the STE/LTE.
Workaround: Remove/reinsert the cable on CPE to clear the alarm.
•
Symptoms: Port-channel on interface of ES+, a line card reload causes memory leak on "RPC pagp_switch_sp2mp" and "QM_VLOU_MAP". It loses about 748 bytes per policy-map attached on interface.
Conditions: Occurs on a Cisco 7600 series router with policy-map configured on port channel interface.
Workaround: There is no workaround.
•
Symptoms: The console gets stuck when the show arp command is executed and "esc" is pressed to stop viewing the whole output.
Conditions: The symptom is observed with 512 ARP sessions on the system and set term len equal to 20.
Workaround: There is no workaround.
•
Symptoms: In ES+ line cards with link daughter card versions less than .200, there is a possibility of the line card crash when an SFP module is removed and inserted.
Conditions: Occurs under normal operating conditions.
Workaround: There is no workaround.
•
Symptoms: Router crashes with max-entries of NAT translations limit imposed.
Conditions: With ip nat max-entries limit <> configured and greater than limit number of flows passed through the NAT router, crash is seen when the above limit configuration is removed and a large amount of translations are created.
Workaround: There is no workaround.
•
Symptoms: Cisco 7600 SPA-1XCHSTM1/OC3 SPA does not use the configuredn etwork-clock source as the reference for the T1/E1.
Conditions: The SPA-1XCHSTM1/OC3 SPA is configured to use the internal clock for timing of the T1/E1. The network-clock is configured on the Cisco 7600 to use the reference from an ATM OC3 interface.
Workaround: There is no workaround.
•
Symptoms: When configuring an OSPF sham-link between two PEs also used for multicast VPN, RPF check for the source of a multicast stream points to the physical interface used by the sham-link instead of the tunnel.
Conditions: Configure two PEs to run MVPN and create a sham-link between them. Remote routes that are learned through the sham link will not have an MDT tunnel.
Workaround: There is no workaround. Prefixes must be learned through i-BGP.
•
Symptoms: Policy map with multiple MAC ACL filters matches only the traffic with the first MAC ACE in the ACL.
Conditions: Occurs on a Cisco 7600 series router with ES+ linecard, and with policy map with MAC ACL configured on ES+ linecard interface.
Workaround: There is no workaround.
•
Symptoms: Resilient Ethernet Protocol (REP) will not converge if REP is configured over switchport and vlan dot1q tag native is enabled.
Conditions: In this case, the REP PDUs will be sent as tagged packets.
Guest
