Caveats for Cisco IOS Release 12.2(33)SRA through 12.2(33)SRB6
Caveats describe unexpected behavior in Cisco IOS software releases. Severity 1 caveats are the most serious caveats; severity 2 caveats are less serious. Severity 3 caveats are moderate caveats, and only select severity 3 caveats are included in this section.
Because Cisco IOS Release 12.2SR is based on Cisco IOS Release 12.2, many caveats that apply to Cisco IOS Release 12.2 also apply to Cisco IOS Release 12.2SR. For information on severity 1 and 2 caveats in Cisco IOS Release 12.2, see the Caveats for Cisco IOS Release 12.2 document located on Cisco.com.
In this section, the following information is provided for each caveat:
•
Symptoms—A description of what is observed when the caveat occurs.
•
Conditions—The conditions under which the caveat has been known to occur.
•
Workaround—Solutions, if available, to counteract the caveat.
Note
If you have an account on Cisco.com, you can also use the Bug Toolkit to find select caveats of any severity. To reach the Bug Toolkit, log in to Cisco.com and click Support: Tools & Resources: Bug Toolkit (which is listed under Troubleshooting). Another option is to go to http://www.cisco.com/pcgi-bin/Support/Bugtool/launch_bugtool.pl. (If the defect that you have requested cannot be displayed, this may be due to one or more of the following reasons: the defect number does not exist, the defect does not have a customer-visible description yet, or the defect has been marked Cisco Confidential.)
Resolved Caveats—Cisco IOS Release 12.2(33)SRB6
Cisco IOS Release 12.2(33)SRB6 is a rebuild release for Cisco IOS Release 12.2(33)SRB. The caveats in this section are resolved in Cisco IOS Release 12.2(33)SRB6 but may be open in previous Cisco IOS releases.
•
CSCee19691
Symptoms: A Cisco router may crash when you enter the clear ip route * command multiple times.
Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.2S or Release 12.3 and that is configured for RIP.
Workaround: There is no workaround.
•
CSCej05426
Symptoms: When the standby RP functions in SSO mode and you enter the no rtr reaction-configuration operation-number command, the standby RP is forced into RPR mode and the active RP cannot enter the configuration mode. The standby RP remains in the initialization mode. You must reload both the active RP and the standby RP to enable them to return into SSO mode.
Conditions: This symptom is observed on a Cisco 7304 when a probe is created automatically via the IP SLA "rtr mpls-lsp-monitor" commands and when you remove, reschedule, or reconfigure the probe via the no rtr operation-number, no rtr reaction-configuration operation-number, or no rtr schedule operation-number command.
Workaround: Do not use the CLI to make changes to the probe. Rather, make changes to the probe via the IP SLA "rtr mpls-lsp-monitor" commands.
•
CSCek50806
Symptoms: The standby RP may reload when you enter the aps revert command.
Conditions: This symptom is observed on a Cisco 7600 series that runs Cisco IOS Release 12.2(33)SRB.
Workaround: There is no workaround.
•
CSCek77516
Symptoms: If AToM Tunnel Select feature is used, traffic does not flow.
Conditions: Occurs with software-based EoMPLS setup, using xconnect under switch virtual interface (SVI).
Workaround: Use one of the supported physical interfaces as the core-facing line card. Supported line cards include SIP-200, SIP-400, SIP-600, FW2, PWAN2, ES20 and ES40.
•
CSCsg00102
Symptoms: SSLVPN service stops accepting any new SSLVPN connections.
Conditions: A device configured for SSLVPN may stop accepting any new SSLVPN connections, due to a vulnerability in the processing of new TCP connections for SSLVPN services. If "debug ip tcp transactions" is enabled and this vulnerability is triggered, debug messages with connection queue limit reached will be observed.
This vulnerability is documented in two separate Cisco bug IDs, both of which are required for a full fix: CSCso04657 and CSCsg00102.
•
CSCsg49395
Symptoms: The following BIT-OUTOFRANGE error message and traceback information may be displayed:
1d21h: %BIT-SP-4-OUTOFRANGE: bit 127 is not in the expected range of 128 to 2175 -Traceback= 40D8A8B0 40D8ADFC 40512B4C 407A8118 40CC5838 404B5978 404B5C84term m
Conditions: Occurs on a Catalyst 6500 if an SNMP walker utility sends bridge port number 0 to the switch.
Workaround: Configure the SNMP walker utility to get MIB objects starting from bridge port number 1.
•
CSCsh58542
Symptoms: Crash seen when the following sequence of commands are configured on an interface:
1) ipv6 mld static/join-group <group> source-list <acl1>
2) ipv6 mld static/join-group <group> source-list <acl2>
and then a shut/no shut is performed on the interface:
<acl2> is not defined
Conditions: The problem will be seen when:
1) Applying the first static-join on one group and the second on another group.
2) Applying the joins strictly in the above order, such as applying the first static-join with a valid source-list ACL and second static-join on a different group with undefined source-list.
The problem will not happen if the source-lists are defined on a single-group or all the source-lists are already defined. The problem will be seen only with above conditions when the interface is in the process of "coming-up". In this case, if the interface is up before static-joins, then this particular problem will not be seen until the interface is flipped again.
Workaround:
1) Define the source-lists ACLs first before applying the static-joins.
2) If undefined ACLs must be configured, apply them first, before applying the valid source-list ACL.
•
CSCsh85011
Symptoms: Router crashes.
Conditions: Occurs during IP SLA operation when the frequency is changed using the group schedule command.
Workaround: There is no workaround.
•
CSCsj21099
Symptoms: IPv4 eBGP session flaps when IPv6 address family is removed from VRF configuration. IPv6 eBGP session flaps when IPv4 address family is removed from VRF configuration.
Conditions: The problem only happens with Cisco IOS images that support "vrf definition" configuration.
Workaround: There is no workaround.
•
CSCsj34043
Symptoms: SIP-200 crashes several times due to a memory corruption with the following error messages:
Jun 14 16:07:26.239: %OIR-3-CRASH: The module in slot 2 has crashed
Jun 14 16:07:26.239: %OIR-6-REMCARD: Card removed from slot 2, interfaces disabled
[...]
Jun 14 16:07:49.494: %XDR-6-XDRIPCNOTIFY: Message not sent to slot 2/0 (2) because of IPC error queue flush. Disabling linecard. (Expected during linecard OIR)
Jun 14 16:07:49.474: %OIR-SP-3-PWRCYCLE: Card in module 2, is being power-cycled off (Module not responding to Keep Alive polling)
Jun 14 16:07:49.494: %C6KPWR-SP-4-DISABLED: power to module in slot 2 set off (Module not responding to Keep Alive polling)
Jun 14 16:08:29.286: %CWAN_RP-6-CARDRELOAD: Module reloaded on slot 2/0
Conditions: Occurs on a SIP-200 running Cisco IOS Release 12.2(33)SRA2 with an OC3 ATM SPA.
Workaround: There is no workaround.
•
CSCsk04318
Symptoms: Under the BGP router configuration mode, removing an address-family configuration and then immediately reapplying the same configuration may cause the standby RP of a dual-RP router to reload unexpectedly. Typically, the following configuration sync error will be reported:
Config Sync: Line-by-Line sync verifying failure on command: address-family ipv4 vrf NAME due to parser return error
Removing and replacing the RD configuration under a VRF may also trigger the same type of sync error behavior, although the command listed as failing line-by-line sync will be different.
Conditions: Removal of a BGP address-family configuration triggers background cleanup processing that occurs asynchronously after the command is entered by the user. The background cleanup runs on both the active RP and the standby RP, although the cleanup may happen at different times on the active and standby. Because such background processing does not usually run in lockstep on the two RPs, a window exists after entering an address-family deconfiguration command where the active RP and standby RP are not in the same state. If the user tries to reconfigure the address-family command before both RPs have completed processing and are again in the same state, line-by-line sync may fail and cause the standby RP to reload.
Workaround: The line-by-line sync error can be avoided by allowing adequate time for the standby RP to complete background processing and arrive in an identical state as the active RP. If configuration commands are applied when both RPs are in a consistent state, the configuration sync error will not occur and the standby RP will not reload. The background processing normally happens at 60-second intervals, so waiting 2 minutes between deconfig/reconfig attempts for the same command should prevent the issue in all cases.
The line-by-line sync error and standby RP reload should not cause any service impact, as only the standby RP is affected. The active RP remains fully functional and continues traffic forwarding as usual while the standby RP reloads.
•
CSCsk23972
Symptoms: A router running an IOS image may stop accepting incoming TELNET connections.
Conditions: Occurs when 20 or more VRFs are configured and they have incoming TCP connections arriving at the host for non-existing services from different VRFs.
Workaround: Use the show tcp brief all command to view TCBs that have local and foreign addresses as "*.*". Clear those entries using the clear tcp tcb command with the address of the TCB.
Further Problem Description: When an incoming SYN is received for a non-existing service, for example to BGP port with BGP not configured, TCP leaks a TCB that has laddr and faddr as *.*. This TCB is usually reused for the next incoming connection.
However when VRFs are configured, such TCB can be reused only for that VRF. If there are several VRFs configured in the box, one TCB per VRF will be leaked. And there is a limit of 20 such "wild TCBs" in the system. So, once we reach the limit of 20, because we leak one per each different VRF, any connection request coming in will be denied.
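Added example, not part of the Cisco release notes: a Python check that applies the CSCsk23972 workaround to saved `show tcp brief all` output, counting TCBs whose local and foreign addresses are both "*.*" against the limit of 20 stated above and listing the matching `clear tcp tcb` commands. The sample output is constructed, the function names are hypothetical, and passing the TCB address exactly as it appears in the TCB column is an assumption.

```python
import re

# Limit on "wild TCBs" stated in the CSCsk23972 caveat text.
WILD_TCB_LIMIT = 20

# Constructed sample of "show tcp brief all" output (not captured from a device).
SAMPLE_OUTPUT = """\
TCB       Local Address               Foreign Address             (state)
0651A2F0  10.0.0.1.23                 10.0.0.50.51514             ESTAB
06520B44  *.23                        *.*                         LISTEN
0652F1C8  *.*                         *.*                         LISTEN
06531D10  *.*                         *.*                         LISTEN
06534A9C  10.0.0.1.22                 10.0.0.51.40022             ESTAB
"""

# One data row: hex TCB address, local address, foreign address, state.
# The header row does not match because "TCB" is not a hex address.
ROW = re.compile(
    r"^\s*(?P<tcb>[0-9A-Fa-f]{6,16})\s+(?P<local>\S+)\s+"
    r"(?P<foreign>\S+)\s+(?P<state>\S+)\s*$"
)


def parse_tcp_brief(text):
    """Return one dict per TCB row found in the command output."""
    rows = []
    for line in text.splitlines():
        match = ROW.match(line)
        if match:
            rows.append(match.groupdict())
    return rows


def find_wild_tcbs(rows):
    """Return TCB addresses whose local AND foreign address are both '*.*'.

    An ordinary listener such as '*.23' / '*.*' is not a wild TCB and is
    skipped. The state column is not used for matching.
    """
    return [r["tcb"] for r in rows if r["local"] == "*.*" and r["foreign"] == "*.*"]


def assess(text, limit=WILD_TCB_LIMIT):
    """Summarise wild-TCB usage and build the cleanup commands."""
    wild = find_wild_tcbs(parse_tcp_brief(text))
    return {
        "wild_count": len(wild),
        "remaining": max(limit - len(wild), 0),
        # At the limit, new incoming connection requests are denied.
        "exhausted": len(wild) >= limit,
        # Assumption: the address is given as shown in the TCB column.
        "commands": ["clear tcp tcb %s" % tcb for tcb in wild],
    }


if __name__ == "__main__":
    report = assess(SAMPLE_OUTPUT)
    print("wild TCBs: %d of %d" % (report["wild_count"], WILD_TCB_LIMIT))
    for command in report["commands"]:
        print(command)
```
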
•
CSCsk35970
Symptom: Excessive CPU usage occurs on a router configured for BGP multipath with several iBGP and eBGP peers.
Conditions: BGP TblVer is incrementing every 5 minutes, causing the BGP router process to use maximum CPU every 5 minutes.
Workaround: None
•
CSCsk48390
Symptoms: Tracebacks are seen.
Condition: Occurs when the T1 corresponding to a member link of a MLPPP bundle is unprovisioned while the link is still part of the bundle.
Workaround: Remove the member link from the MLPPP bundle and then unprovision the T1.
•
CSCsk64158
Several features within Cisco IOS Software are affected by a crafted UDP packet vulnerability. If any of the affected features are enabled, a successful attack will result in a blocked input queue on the inbound interface. Only crafted UDP packets destined for the device could result in the interface being blocked; transit traffic will not block the interface.
Cisco has released free software updates that address this vulnerability.
Workarounds that mitigate this vulnerability are available in the workarounds section of the advisory.
This advisory is posted at the following link: /en/US/products/products_security_advisory09186a0080a90426.shtml
•
CSCsl32142
Symptoms: A router may reload after reporting SYS-3-OVERRUN or SYS-3-BADBLOCK error messages. SYS-2-GETBUF with "Bad getbuffer" error may also be reported.
Condition: Occurs when PIM auto-RP is configured and IP multicast boundary is enabled with the filter-autorp option.
Workaround: Configure IP multicast boundary without the filter-autorp option.
•
CSCsl57457
Symptoms: Intermediate System-to-Intermediate System (IS-IS) NSF may not work.
Conditions: Occurs when router is running a modular Cisco IOS image.
Workaround: There is no workaround.
•
CSCsl58673
Symptoms: A Cisco router running IOS or IOS Software modularity may not allow telnet connections when the device is configured to run an Embedded Event Manager (EEM) policy that contains actions that use the CLI. In addition CLI actions may not correctly wait for the prompt before going on to the next action or may not detect the prompt.
Conditions: The symptom of not allowing telnet connections can occur when the device has been configured with an EEM policy to run a CLI command. When that policy exits, the input buffer of the VTY may not be cleaned up properly, so the next connection opened on that VTY may simply show three user name prompts and exit.
The symptom of the CLI actions not waiting for the prompt can occur when using the CLI actions on a low-end system with a slower CPU. The system incorrectly checks for the prompt only 10 times and then assumes the prompt is blank instead of waiting for a valid prompt.
The symptom of CLI actions not matching against the prompt properly can occur if the prompt has been changed from the default.
When multiple EEM policies are triggered, they can use up all available VTY lines.
Workaround: There is no workaround.
Further Problem Description: If no VTY lines are available, the user will not be able to Telnet into the machine. Console access will not be affected.
This only affects customers using the Embedded Event Manager (EEM). It affects EEM applets and policies which interact with the CLI library. This was only seen on the MCP platform however.
Cisco IOS Release 12.2(33)SRA is not affected.
Cisco IOS Release 12.2(33)SRB1 and Cisco IOS Release 12.2(33)SRB2 are not affected. But Cisco IOS Release 12.2(33)SRB3 is affected.
Cisco IOS Release 12.2(33)SRC1 is not affected.
Cisco IOS Release 12.2(33)SXF is not affected.
Cisco IOS Release 12.2(33)SXH1 is affected. Cisco IOS Release 12.2(33)SXH2 is not affected.
•
CSCsm21126
Symptoms: A Cisco 7600-SSC-400 may not recover from a fabric error.
Conditions: The symptom is observed when an error is present in the fabric channel. The fabric errors can be observed by executing the command show platform hardware ssa fabric-monitor history.
Workaround: There is no workaround.
•
CSCsm27071
A vulnerability in the handling of IP sockets can cause devices to be vulnerable to a denial of service attack when any of several features of Cisco IOS Software are enabled. A sequence of specially crafted TCP/IP packets could cause any of the following results:
* The configured feature may stop accepting new connections or sessions.
* The memory of the device may be consumed.
* The device may experience prolonged high CPU utilization.
* The device may reload.
Cisco has released free software updates that address this vulnerability.
Workarounds that mitigate this vulnerability are available in the "workarounds" section of the advisory.
The advisory is posted at /en/US/products/products_security_advisory09186a0080a96478.shtml
•
CSCsm32392
Symptoms: A Cisco platform may reset its RP when two simultaneous write memory commands from two different VTY connections are executed.
Conditions: Occurs on a Cisco 7600 with Sup720. The symptom is intermittent and is related to the way NVRAM is accessed.
Workaround: There is no workaround.
•
CSCsm42477
Symptoms: Standby reloads with QoS configuration.
Conditions: Occurs when the active and standby are out of sync.
Workaround: There is no workaround.
•
CSCsm50317
Symptoms: Service policy counters stop updating after applying a service policy.
Conditions: The symptom is observed when applying service policy with ACL to virtual template. The policy-map counters become stuck at zero.
Workaround: Remove the policy and reapply.
•
CSCsm93068
Symptoms: A large number of interfaces (10,000 or more) in a VRF might lead to long boot-up times and CPU hogs.
Conditions: The symptom is observed if there is a large number of interfaces in a VRF.
Workaround: There is no workaround.
•
CSCso04657
Symptoms: SSL VPN service stops accepting any new connections.
Conditions: A device configured for SSL VPN may stop accepting any new SSL VPN connections due to a vulnerability in the processing of new TCP connections for SSL VPN services. If debug ip tcp transactions is enabled and this vulnerability is triggered, debug messages with connection queue limit reached will be observed.
Workaround: There is no workaround.
•
CSCso35659
Symptoms: Layer 3 traffic gets rate-limited to 100pps on toggling xconnect VFI on the VLAN interface.
Conditions: VLAN (SVI) interface is configured with IP address and routes L3 packets. If xconnect VFI is applied and removed, the traffic rate falls.
Workaround: Unconfigure and clear the VLAN.
•
CSCso42210
Symptoms: Following reload, controllers come up, but interfaces stay down.
Conditions: A router with HA Sup720 and non-HA Sup32 is connected with 8xCHT1/E1 SPA, 1xCHSTM1 SPA and 4xCT3 SPA in a SIP-200. Upon reloading 8xCHT1/E1 SPA alone on both sides simultaneously, 6-7 interfaces go down and never come up. They show as up/up in line card but up/down in RP.
Workaround: There is no workaround.
•
CSCso56038
Symptoms: The following error message may be seen:
%DUAL-3-INTERNAL: eigrp 4: Internal Error
Conditions: This symptom is seen in a PE-CE setup using site-of-origin (SoO) tags, in which a PE router that is running EIGRP can learn the same route both by EIGRP (from a CE neighbor) and by redistribution.
The above error may be seen when EIGRP on the PE prepares to send information to a neighbor about a route learned from another neighbor (with no SoO tag), but before the information can be sent, the route is replaced by a redistributed route (with an SoO tag). This behavior is very dependent on the timing of this series of events.
Workaround: There is no workaround.
Further Problem Description: It is not clear what functional impact this may have, or whether the error message is purely a warning.
•
CSCso56196
Symptoms: Updates are not being sent or withdrawn.
Conditions: This symptom occurs when a neighbor flaps an update-group in the process of updating group generation:
PE1------UUT----PE2
On UUT there are neighbors PE1 and PE2. If PE1 and PE2 are in same update group, the show ip bgp all update-group command will show that.
Now there are a lot of updates being formatted and sent in the process. The show ip bgp all replication command would show the messages which are enqueued for sending out for particular update groups. At this moment, one neighbor goes to idle and is not coming up, then the new updates will not be formatted until the neighbor comes up.
Workaround: 1) Remove the idle neighbors of the update-group and add again. 2) Clear the IP BGP neighbor that went idle.
•
CSCso67195
Symptoms: Router may crash due to memory corruption:
*Apr 7 12:32:14: %SEC-6-IPACCESSLOGRP: list 111 denied pim 0.0.0.0 -> <removed>, 1 packet
*Apr 7 12:32:29: %SYS-2-CHUNKBADMAGIC: Bad magic number in chunk header, chunk 680A5374 data 680A79A4 chunkmagic FFFFFFFF chunk_freemagic 0 - Process= "Mwheel Process", ipl= 0, pid= 274, -Traceback= 0x6169C450 0x60102E78 0x601031E4 0x61D418E4 0x61D4230C 0x61CF1A48 0x61D1280C 0x61D05FE4 0x61D0E9FC
chunk_diagnose, code = 1
chunk name is PIM JP GroupQ
Conditions: This symptom occurs when PIM is enabled on an interface and access-list logging is enabled.
ip pim sparse-dense-mode
access-list 98 deny any log
Workaround: Remove access-list logging.
•
CSCso71955
Symptoms: A router running Cisco IOS may experience alignment errors which are generated for every packet received on the serial interfaces and cellular interfaces. A Cisco 7600 Series router or a Cisco 6500 Series router may reload if this occurs when the traffic rate is high on a PA-POS-1OC3 installed in an Enhanced FlexWAN or similar interface.
Conditions: This is seen when netflow (ip route-cache flow or ip flow ingress) is configured on a serial interface.
Workaround: Disable netflow if possible.
Further Problem Description: A router that shows the alignment error rather than crashing can experience a significant performance impact, as every packet received on the serial interface will need to go through alignment correction.
•
CSCso89550
Symptoms: The router may crash as the rxError on the active slowly increases after every few minutes. The supervisor may have a bad local fabric channel message.
Conditions: The symptoms are observed on a Catalyst 6000 supervisor module that is a SUP720 and is running Cisco IOS Release 12.2(18)SXF12a. There is no user traffic in the system, so the traffic that causes the rxError can only be the heartbeat packet or the diagnostic packet.
Workaround: Disable GOLD diagnostic tool on switches. If the two tests "TestFabricSnakeForward" and "TestFabricSnakeBackward" are disabled from running as HM tests, this issue should not be seen.
•
CSCso90058
Symptoms: MSFC crashes with Red Zone memory corruption.
Conditions: This problem is seen when processing an Auto-RP packet and NAT is enabled.
Workaround: There is no workaround.
•
CSCsq39180
Symptoms: Ethernet Connectivity Fault Management (CFM) packets are dropped instead of being forwarded to the Ethernet Virtual Circuit (EVC).
Conditions: This was observed under normal conditions. An EVC is configured on a SIP-400 with a SPA-5x1GE. The interface is configured for one EVC for a specific VLAN. Coming into that interface was CFM traffic from another switch.
Workaround: Reload the router.
•
CSCsq60016
Symptoms: A router crashes after a long RSA key string is entered.
Conditions: This symptom is observed when a very long hex string is entered.
Workaround: Break the entry into shorter strings.
•
CSCsq84670
Symptoms: ATM OC48 cell packing: No throughput for high traffic over few VCs.
Conditions: When running packed cell relay over MPLS (PCRoMPLS) with an OC-48 ATM SPA (line rate traffic divided evenly over 2 subinterface PVCs), throughput instantly goes to 0%. Once this occurs, all throughput remains blocked (even for reduced traffic levels) until the SPA is reloaded.
Workaround: A traffic level of 75% of OC-48 line rate or less divided evenly over two PVCs does not trigger the failure. Also, traffic divided evenly over more than 6 PVCs (even at an aggregate of 100% of line rate) does not trigger the problem.
•
CSCsq97167
Symptoms: IP multicast traffic drops every 100 seconds.
Conditions: Traffic drops periodically on all output interfaces after stateful switchover (SSO).
Workaround: There is no workaround.
•
CSCsr05746
Symptoms: ESM20 line card may crash while booting up.
Conditions: Occurs intermittently with a scaled topology.
Workaround: There is no workaround.
•
CSCsr06707
Symptoms: When duplicate BGP router-id is received, BGP process does not clear the router-id correctly.
Conditions: Occurs when a duplicate BGP router-id is received.
Workaround: Enter the clear ip bgp command.
•
CSCsr17660
Symptoms: PE-CE performance degradation of 80% on initial convergence.
Conditions: Occurs when BGP and VPNv4 are configured.
Workaround: There is no workaround.
Further Problem Description: Performance is not affected after initial convergence.
•
CSCsr18073
Symptoms: When polling the IP SLA Ethernet MIB, the switch returns an incorrect value for "Destination to Source positive jitter Sum2." Instead, the switch returns the value for "Source to Destination positive jitter Sum2".
Conditions: The symptom is observed when the IP SLA Ethernet MIB is polled.
Workaround: There is no workaround.
•
CSCsr27794
Symptoms: BGP does not generate updates for certain peers.
Conditions: BGP peers show a neighbor version of 0 and their update groups as converged. Out queues for BGP peers are not getting flushed if they have connection resets.
Workaround: There is no workaround other than entering the clear ip bgp * command.
•
CSCsr29468
Cisco IOS Software contains a vulnerability in multiple features that could allow an attacker to cause a denial of service (DoS) condition on the affected device. A sequence of specially crafted TCP packets can cause the vulnerable device to reload.
Cisco has released free software updates that address this vulnerability.
Several mitigation strategies are outlined in the workarounds section of this advisory.
This advisory is posted at /en/US/products/products_security_advisory09186a0080a904cb.shtml
•
CSCsr50134
Symptoms: A DFC or SP module can crash when fast reroute (FRR) is enabled and there are some interface flaps or events that can cause change in FRR primary or backup path.
Conditions: Occurs when internal statistics gathering is taking place while one of the following happens:
* primary path FRR cutover
* primary path's interface flaps
* FRR configuration is changed
Workaround: Avoid FRR configuration changes.
•
CSCsr54959
Symptoms: Router crashed when removing a policy attached to a VLAN interface with a route map and access lists attached.
Conditions: Occurred on a Catalyst 4500 running Cisco IOS Release 12.2(46)SG. The device may reload unexpectedly due to a software-forced crash. Defect also affects other platforms and releases of Cisco IOS.
Workaround: There is no workaround.
•
CSCsr72810
Symptoms: Unidirectional traffic is dropped when the PBR is configured with "set vrf" option between global and VPN routing/forwarding (VRF).
Conditions: Occurs under the following scenario:
- When PBR is configured with "set vrf" option between global and VRF
- The router is running Cisco IOS Release 12.2(33)SRC1.
Workaround: Configure the PBR with "set vrf" option among VRFs.
•
CSCsr80601
Symptoms: An ISAKMP SA is not deleted as expected after removing the RSA key.
Conditions: The issue is seen when the user tries to clear the ISAKMP SAs by issuing the clear crypto session command on an IKE SA that has multiple IPSEC SAs.
Workaround: Use the clear crypto sa and clear crypto is commands.
•
CSCsu36709
Symptoms: A router may unexpectedly reload.
Conditions: The symptom is observed specifically with a configuration of Enhanced Interior Gateway Routing Protocol (EIGRP) that is used to redistribute BGP routes. Plain EIGRP is not affected.
Workaround: Do not use EIGRP to redistribute BGP.
•
CSCsu42315
Symptoms: When the L3VPN prefix uses a tunnel with fast reroute (FRR) protection, there is traffic loss during reoptimization.
Conditions: Not all prefixes in the VRF will observe this issue. This is seen only when there are more than 250,000 prefixes.
Workaround: There is no workaround.
Further Problem Description: Traffic loss during re-optimization can be due to faster tunnel cleanup also. It is advisable to configure mpls traffic-eng reoptimize timers delay cleanup <seconds> to fine tune the cleanup according to the topology.
•
CSCsu64215
Symptoms: Router may incorrectly drop non TCP traffic. TFTP and EIGRP traffic can be impacted as seen in CSCsv89579.
Conditions: Occurs when the ip tcp adjust-mss command is configured on the device.
Workaround: Disable ip tcp adjust-mss on all interfaces. Note that this may cause higher CPU due to fragmentation and reassembly in certain tunnel environments where the command is intended to be used.
•
CSCsu67637
Symptoms: IPv6 address of loopback interface set as passive under Intermediate System-to-Intermediate System (IS-IS) router process is not present in IS-IS database.
Conditions: Issue is seen when loopback interface is set as passive under router IS-IS configuration and the IPv6 address of the interface is only added afterwards. If the passive-interface command is used when the loopback interface already has its IPv6 address configured, issue is not seen.
Workaround: After the IPv6 address is configured under the affected interface, remove and add the passive-interface configuration under the router IS-IS process.
•
CSCsu81406
Symptoms: Following a processor switchover in route processor redundancy (RPR) plus mode, the SM-1CHOC12/T1-SI card on the channelized serial interfaces goes down.
Conditions: Occurs after the processor switchover in RPR plus mode.
Workaround: Use hw-module reset to solve the issue.
•
CSCsu97177
Symptoms: Device may reload while querying the CISCO-IETF-IP-FORWARD (IPv6) MIB.
Conditions: SNMP must be configured on the device, and the querier must be aware of the appropriate community to use. Further, there must exist multiple IPv6 global routing tables on the device. This will only be the case if VRFs have been configured with the "vrf definition" command, and that vrf has the IPv6 address family configured, and if that VRF is applied to an interface and global IPv6 addresses configured. This can be confirmed by the existence of multiple tables marked "global" in the output of the "show ipv6 table" command.
Workaround: Exclude the CISCO-IETF-IP-FORWARD from queries.
Further problem description: Ensure that SNMP is configured so that it can only be accessed by authorized users.
•
CSCsv04674
Symptoms: The M(andatory)-Bit is not set in the Random Vector AVP, which is mandatory according to RFC 2661.
Conditions: This symptom is observed with Egress ICCN packet with Random Vector AVP during session establishment.
Workaround: There is no workaround.
•
CSCsv04836
Multiple Cisco products are affected by denial of service (DoS) vulnerabilities that manipulate the state of Transmission Control Protocol (TCP) connections. By manipulating the state of a TCP connection, an attacker could force the TCP connection to remain in a long-lived state, possibly indefinitely. If enough TCP connections are forced into a long-lived or indefinite state, resources on a system under attack may be consumed, preventing new TCP connections from being accepted. In some cases, a system reboot may be necessary to recover normal system operation. To exploit these vulnerabilities, an attacker must be able to complete a TCP three-way handshake with a vulnerable system.
In addition to these vulnerabilities, Cisco Nexus 5000 devices contain a TCP DoS vulnerability that may result in a system crash. This additional vulnerability was found as a result of testing the TCP state manipulation vulnerabilities.
Cisco has released free software updates for download from the Cisco website that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090908-tcp24.shtml.
•
CSCsv05934
Summary: Cisco's VTP protocol implementation in some versions of Cisco IOS and CatOS may be vulnerable to a DoS attack via a specially crafted VTP packet sent from the local network segment when operating in either server or client VTP mode. When the device receives the specially crafted VTP packet, the switch may crash (and reload/hang). The crafted packet must be received on a switch interface configured to operate as a trunk port.
Workarounds: There are no workarounds available for this vulnerability.
This response is posted at http://www.cisco.com/warp/public/707/cisco-sr-20081105-vtp.shtml
•
CSCsv13243
Symptoms: Configuring Bidirectional Forwarding Detection (BFD) for a Border Gateway Protocol (BGP) neighbor that is established on a subinterface will cause the BGP session to go down.
Conditions: Occurs on a Cisco 7600 router with BGP session established on a subinterface and the subinterface is configured in "native vlan" mode while the configured BFD session is in ECHO Mode.
Workaround: Configure subinterface in "non-native" mode.
•
CSCsv14963
Symptoms: A provider-edge (PE) router configured to run Multicast VPN (MVPN) will not install an alternate MDT next-hop on a route that is learned through an OSPF sham-link.
Conditions: The symptom is observed when two PEs are configured to run MVPN and create a sham-link between them. Remote routes that are learned through the sham-link will not have an MDT tunnel.
Workaround: There is no workaround.
•
CSCsv16869
Symptoms: BGP updates may not be sent out.
Conditions: The symptom is observed when neighbors are flapped in a large-scale scenario.
Workaround: There is no workaround.
•
CSCsv21295
Symptoms: Due to a TestLoopback diagnostic failure on the RSP supervisor, the interface is placed in err-disable state.
Conditions: This is seen when the interface is configured as RJ45 with a speed between 10 and 100 Mbps.
Workaround: Configure the speed on the RJ45 interface to "auto" negotiation and execute the diagnostic test TestLoopback to get the port out of err-disable.
•
CSCsv21403
Symptoms: Traffic is not passed through an Ethernet Virtual Circuit (EVC) service instance.
Conditions: Occurs after configuring EVC (Ethernet Virtual Circuit) service instance. The show platform efp-client command shows no output.
Workaround: There is no workaround.
•
CSCsv22930
Symptoms: When traffic engineering (TE) and fast reroute (FRR) are configured between the stitching router and provider edge (PE), traffic fails.
Conditions: Occurs when pseudowire stitching is configured.
Workaround: Do not enable FRR between these routers.
•
CSCsv24179
Symptoms: Protocol Independent Multicast (PIM) neighborship is not established with SIP600 over R-VPLS.
Conditions: Occurs when more than one VC on different VLANs exists with SIP600 links as core-facing and one of the VLANs configured with PIM.
Workaround: There is no workaround.
•
CSCsv24908
Symptoms: Layer 2 forwarding on other modules breaks when a SIP-400 interface running eBGP and GRE flaps.
Conditions: Occurs on a SIP-400 with SPA-2X1GE running BGP and GRE tunnels. Interface flaps on other modules are unable to resolve ARP or maintain routing neighbors. Issue seen on Supervisor 720 and Cisco 6748 CFC ports.
Workaround: Reload the chassis.
•
CSCsv25306
Symptoms: OSPF between two customer sites over H-VPLS network with SIP600 as core facing card in the hub router fails to come up.
Conditions: This is seen with a traffic engineering (TE) and fast reroute (FRR) setup in the hub, and when TE tunnels have the dynamic path option set.
Workaround: Perform a shut/no shut on the core-facing SIP600 interface.
•
CSCsv27617
Symptoms: After reloading, NetFlow stops working and the output of show ip interface shows "IP Routed Flow creation is disabled in netflow table".
Conditions: This condition is seen on WAN main interfaces of a Cisco 7600 running Cisco IOS Release 12.2(33)SRB3 and can also be seen on Cisco IOS Release 12.2(33)SRC2.
Workaround: Remove and reconfigure NetFlow on the affected interfaces.
•
CSCsv28451
Symptoms: A Cisco 7600 PE router fails to redistribute a VRF prefix into BGP after the prefix or path to it flaps. The PE router will indicate the prefix being redistributed into BGP but the prefix will not get installed into the BGP table until the prefix is cleared:
PE2#
PE2#sh ip route vrf foo 10.5.5.5
Routing Table: foo
Routing entry for 10.5.5.5/32
Known via "ospf 1", distance 110, metric 20, type extern 2, forward metric 10
Redistributing via bgp 666
Advertised by bgp 666 metric 10 match internal external 1 & 2
Last update from 10.45.45.2 on Ethernet1/0, 00:00:56 ago
Routing Descriptor Blocks:
* 10.45.45.2, from 10.5.5.5, 00:00:56 ago, via Ethernet1/0
Route metric is 20, traffic share count is 1
PE2#
PE2#sh ip bgp vpnv4 vrf foo 10.5.5.5
% Network not in table
PE2#
Conditions: The PE router redistributing the given prefix must have a sham-link configured for the given VRF and an alternate path to the prefix must exist once the primary (sham-link) is down.
Workaround: Use the following command: clear ip route vrf vrfname <prefix>.
Further Problem Description: This problem is seen only in Cisco IOS Release 12.2(33)SRB. Cisco IOS Releases 12.2(33)SRC/SRD, etc. are not affected.
•
CSCsv29659
Symptoms: RP configured inside a NAT not shown on test device outside the NAT.
Conditions: Entering the show ip pim rp mapping command fails to display the RP.
Workaround: There is no workaround.
•
CSCsv30307
Symptoms: ISSU does not work from Cisco IOS Release 12.2(33)SRD to Cisco IOS Release 12.2(33)SRB5.
Conditions: When ISSU is performed from Cisco IOS Release 12.2(33)SRD image to 12.2(33)SRB5 image, ISSU is not working because of a default command introduced in 12.2(33)SRD.
Workaround: There is no workaround.
•
CSCsv30540
Symptoms: The error message %SYS-2-CHUNKBOUNDSIB and traceback are seen.
Conditions: The symptoms are observed when the show running-config/write memory command is issued.
Workaround: There is no workaround.
•
CSCsv36266
Symptoms: E1 and SonetVT layers are down even though serial (Upper Layer) ifOperStatus is UP.
Serial1/0/0.1/2/1/1:1 ifOperStatus.156 = up(1)
E1 1/0/0.1/2/1/1 ifOperStatus.157 = lowerLayerDown(7)
TU 1/0/0.1/2/1/1 ifOperStatus.158 = down(2)
tug 3-2 tug 2-1 e1-1:chgrp1
AU-4 1, TUG-3 2, TUG-2 1, E1 1 (C-12 1/2/1/1) is up
156 Se1/0/0.1/2/1/1:1 1500 512K UP UP
157 E1 1/0/0.1/2/1/1 0 2.05M UP <blank>
158 TU 1/0/0.1/2/1/1 0 2.05M UP down
Conditions: Occurs on serial interfaces of SPA-1XCHSTM1/OC3.
Workaround: There is no workaround.
•
CSCsv38166
The server side of the Secure Copy (SCP) implementation in Cisco IOS software contains a vulnerability that could allow authenticated users with an attached command-line interface (CLI) view to transfer files to and from a Cisco IOS device that is configured to be an SCP server, regardless of what users are authorized to do, per the CLI view configuration. This vulnerability could allow valid users to retrieve or write to any file on the device's file system, including the device's saved configuration and Cisco IOS image files, even if the CLI view attached to the user does not allow it. This configuration file may include passwords or other sensitive information.
The Cisco IOS SCP server is an optional service that is disabled by default. CLI views are a fundamental component of the Cisco IOS Role-Based CLI Access feature, which is also disabled by default. Devices that are not specifically configured to enable the Cisco IOS SCP server, or that are configured to use it but do not use role-based CLI access, are not affected by this vulnerability.
This vulnerability does not apply to the Cisco IOS SCP client feature.
Cisco has released free software updates that address this vulnerability.
There are no workarounds available for this vulnerability apart from disabling either the SCP server or the CLI view feature if these services are not required by administrators.
This advisory is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sa-20090325-scp.shtml.
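A configuration check for the two preconditions of CSCsv38166 (SCP server enabled and CLI views in use), as an added example that is not part of the Cisco release notes. The command forms "ip scp server enable", "parser view" and "username ... view" are standard IOS syntax that this page does not quote, and the sample configurations and names in them are constructed.

```python
import re
from dataclasses import dataclass, field

# Standard IOS configuration syntax (assumption: not quoted on the page,
# which names the features but not the commands that enable them).
SCP_ON = re.compile(r"^ip scp server enable$")
SCP_OFF = re.compile(r"^no ip scp server enable$")
VIEW_DEF = re.compile(r"^parser view (\S+)")
USER_VIEW = re.compile(r"^username (\S+)\s.*?\bview (\S+)")


@dataclass
class Finding:
    scp_server: bool = False
    views: list = field(default_factory=list)        # view names defined
    view_users: dict = field(default_factory=dict)   # local user -> view
    evidence: list = field(default_factory=list)     # (line number, text)

    @property
    def exposed(self) -> bool:
        # Per the advisory: affected only when the SCP server is enabled
        # AND role-based CLI access (CLI views) is in use.
        return self.scp_server and bool(self.views or self.view_users)


def audit_config(text: str) -> Finding:
    """Scan a saved IOS configuration for both preconditions."""
    f = Finding()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if SCP_ON.match(line):
            f.scp_server = True
            f.evidence.append((lineno, line))
        elif SCP_OFF.match(line):
            f.scp_server = False  # a later "no" form overrides
        elif (m := VIEW_DEF.match(line)):
            if m.group(1) not in f.views:
                f.views.append(m.group(1))
            f.evidence.append((lineno, line))
        elif (m := USER_VIEW.match(line)):
            f.view_users[m.group(1)] = m.group(2)
            f.evidence.append((lineno, line))
    return f


def status(f: Finding) -> str:
    if f.exposed:
        return "review: SCP server enabled with CLI views in use"
    if not f.scp_server:
        return "not affected: SCP server not enabled"
    return "not affected: no CLI views configured"


# Constructed sample configurations (not taken from any real device).
EXPOSED_CFG = """\
hostname edge1
!
aaa new-model
ip scp server enable
username noc1 view NOC secret 5 CONSTRUCTED-HASH
username admin privilege 15 secret 5 CONSTRUCTED-HASH
parser view NOC
 secret 5 CONSTRUCTED-HASH
 commands exec include show version
"""

SCP_ONLY_CFG = """\
hostname edge2
aaa new-model
ip scp server enable
username admin privilege 15 secret 5 CONSTRUCTED-HASH
"""

VIEWS_ONLY_CFG = """\
hostname edge3
aaa new-model
username noc1 view NOC secret 5 CONSTRUCTED-HASH
parser view NOC
 commands exec include show version
"""

if __name__ == "__main__":
    for name, cfg in [("edge1", EXPOSED_CFG), ("edge2", SCP_ONLY_CFG),
                      ("edge3", VIEWS_ONLY_CFG)]:
        result = audit_config(cfg)
        print(name, "->", status(result))
        for lineno, line in result.evidence:
            print(f"  line {lineno}: {line}")
```

Views assigned by an external AAA server do not appear in the device configuration, so a "not affected: no CLI views configured" result covers locally defined views only.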
•
CSCsv57587
Symptoms: After online insertion and removal (OIR) of the SPA or line card holding the active Automatic Protection Switching (APS) interface, there are two active interfaces for the same APS group. During OIR, the old inactive interface becomes active and the OIRed interface also comes back up as active. The OIR interface should come up as inactive.
Conditions: The problem is seen only on ATM SPAs and is seen with both SR-APS and MR-APS configurations.
Workaround: In the case of a manual OIR, this can be prevented by entering the force APS switchover command before performing an OIR on the active.
When OIR happens due to other reasons and the problem is seen, perform a shut/no shut on one of the interfaces.
•
CSCsv73509
Symptoms: When "no aaa new-model" is configured, authentication happens locally even when TACACS is configured. This happens for the exec users under vty configuration.
Conditions: Configure "no aaa new-model", configure login local under line vty 0 4 and configure login tacacs under line vty 0 4.
Workaround: There is no workaround.
•
CSCsv79673
Symptoms: Unicast flooding occurs for all traffic destined to VLAN SVI. MAC address for the VLAN SVI is being learned dynamically.
Conditions: Changing the VLAN SVI configuration from IP to XCONNECT and back without shutting down the interface will result in the router MAC being learned dynamically instead of being installed as static. Normal aging occurs on the dynamic MAC, resulting in unicast flooding if the MAC is removed from the MAC address table.
Workaround: Perform a shut/no shut on the affected VLAN SVI.
•
CSCsv79993
Symptoms: A Cisco 7600 may crash when a distribute-list is deleted.
Conditions: The crash occurs when removing a distribute-list from EIGRP. The distribute-list was one of many that were sharing the same route-map and access-list. The crash only happens when multiple protocols have the same direction distribute-list configured on the same interface, as in the following example:
router eigrp 10
network 10.0.0.0
distribute-list 49 out Ethernet1/2.10
router rip
network 10.0.0.0
default-metric 2
distribute-list 49 out Ethernet1/2.10
Workaround: There is no workaround.
•
CSCsv85791
Symptoms: Traffic out of a Frame Relay subinterface on a Cisco 7600/Enhanced Flexwan/CT3 stops randomly during normal operation. Some traffic is still going through, with delays of 5+ seconds seen using ICMP echo requests with large timeout.
Conditions: Occurs when an outbound QoS service-policy is configured on the DLCI.
Workaround: Remove the service-policy and re-add it to temporarily restore normal traffic flows.
•
CSCsv86256
Symptoms: In the pseudowire stitching configuration, if fast reroute (FRR) is enabled for link or node protection at the tunnel stitching router, then end-to-end connectivity is broken.
Conditions: Problem happens only if a Cisco 7600 is the stitching-point router and has MPLS Fast Reroute enabled.
Workaround: Disable FRR at the stitching point.
•
CSCsv97273
Symptoms: The SP crashes when the device receives an IP address from the DHCP server. The following error message is displayed:
Signal = 11 Vector = 0x1400
Conditions: Occurs on a Cisco Catalyst 6500 with RSP720-3C-GE when the ip verify source vlan dhcp-snooping is enabled.
Workaround: There is no workaround.
•
CSCsw16698
Symptoms: New DHCP clients are not able to get an IP address from the DHCP server via DHCP relay on the router. Existing clients are unable to renew their IP addresses.
Other Symptoms:
1.1 When trying to display DHCP bindings with the "show ip dhcp binding" command, the following message is observed:
% The DHCP database could not be locked. Please retry the command later.
1.2 Command "ip dhcp database" disappeared from the running configuration.
1.3 Output of "show run" is delayed.
1.4 Output of "debug ip dhcp events" shows the following when a new DHCP packet is received:
DHCPD: dhcpd_receive_packet: unable to lock semaphore to check for pre-existing bindings could not lock se.
DHCPD: dhcpd_timer_process could not lock semaphore.
DHCPD: dhcp_server_receive could not lock semaphore.
2.1. This bug may also cause DHCP Snooping failure. In this case, the output of the show ip dhcp snooping database command constantly shows these lines:
Agent Running : Yes
Delay Timer Expiry : 0 (00:00:00)
Abort Timer Expiry : Not Running
Conditions: Occurs when the DHCP and/or DHCP Snooping database agent is configured to store bindings on a TFTP server, and the database files are then not present or are read-only for some time on the TFTP server while the router tries to write to them.
Workaround: Before the issue occurs, there are three known alternatives to avoid this problem:
1. Either configure "length 0" for line console 0;
2. Or - log in via console at least once since router startup;
3. Or - use Cisco IOS Release 12.2(33)SRD but do not enable "debug tftp packet".
To fix the issue after it has occurred, connect to the router via console, press the space bar to get rid of the '--More--' prompt, then press Enter to log in.
•
CSCsw24611
Symptoms: A router configured with BGP and VPN import may crash.
Conditions: This is a hard-to-hit race condition. BGP imports a path from VRF-A to VRF-B. The following steps have to take place in exactly this order for the crash to occur:
1. The next-hop for the path has to become unreachable.
2. BGP has to re-evaluate the bestpath on the net in VRF-A and result in no-bestpath on the net (because there is no alternative path available).
3. RIB installation has to process the importing BGP net under VRF-B.
Step 3 will result in the crash. If, before step 3, the next-hop re-evaluation manages to process the net in VRF-B then it will clear the bestpath and there will be no crash. If, before step 3, the import code gets a chance to process the net it will clean-up the imported path from VRF-B and then there will be no crash.
Workaround: There is no workaround.
•
CSCsw24826
Symptoms: Cisco router may crash pointing to OSPF code because of low memory access.
Conditions: Crash is specific to the following scenario:
1. Neighbor router performs IETF NSF restart.
2. The software interface between the routers is removed from the configuration while the NSF restart is in progress and a grace LSA is present in the database of the helper router.
3. Helper router will crash 1 hour later during max-age procedure for grace LSA. Reason is that grace LSA is associated with interface, but that interface does not exist any more.
Workaround: If configuration changes need to be done during network changes, the following applies:
1) Shutdown OSPF interface
2) Check show ip ospf da. Can you see type-9?
- NO => good, remove interface
- YES => 'no shutdown' interface, wait for neighbor going FULL (type-9 will be flushed during sync)
3) Repeat Step 1.
•
CSCsw35155
Symptoms: When using denies in ACLs in crypto maps, the VPN SPA or VPN SM crashes.
Conditions: Occurs when configuration uses denies in ACLs with crypto maps that causes too many entries in the Ternary Content Addressable Memory (TCAM).
Workaround: Enter the crypto ipsec ipv4 deny clear command.
•
CSCsw36872
Symptoms: VPN-NUM in VLAN-RAM TCAM is wrongly provisioned after reconfiguration of a Layer 3 port-channel. This changes member link mapping, and VRF membership changes on Layer 3 port-channel. A discrepancy in L3MGR info between RP and SP for the affected port-channel/internal VLAN representation is also observed.
Conditions: When the command channel-group <number> mode active is configured on the member link before the respective Port-channel is configured, this causes the member link interface to go admin down. When the port-channel is configured, the port-channel first comes up and then the member link. This may cause the port-channel to take up the same VLAN which was previously assigned to the member link. If this happens, the symptom is seen.
Workaround: One workaround is to configure the port-channel first and then activate the channel-group on the member link interface. Another workaround is to create a dummy interface so that it takes up the member link's previous VLAN and the port-channel will be assigned a new one, in which case this problem is not seen.
•
CSCsw37053
Symptoms: Traffic with aggregate label was forwarded in wrong VPN, causing the mis-forwarding, as the IP prefix was not present in the VPN routing/forwarding (VRF) table.
Conditions: Occurs under the following scenario:
1. Aggregate label should not be using the VPN CAM.
2. The recirculation VLAN has the wrong VPN number.
Workaround: Manually correct the wrong mls vlan-ram entry.
Further Problem Description: If there are multiple aggregate labels on a given VRF, there might be a chance of seeing this issue.
•
CSCsw43211
Symptoms: Following errors are seen:
%IDMGR-3-INVALID_ID: bad id in id_to_ptr (bad id) (id: 0xFFFFFFFF) -Traceback= 60476EBC 60477400 60491664 616C5834 616C7EEC 61AB72CC 61AC2E64 61AC2EBC 60FE4274 60FDEFA4 60FD4180 60FD4874 60FD4BBC 60FD275C 60FD27A0 60FC8F74
Conditions: This has been seen on a Cisco 7200 after upgrading to Cisco IOS Release 12.2(33)SRC2.
Workaround: There is no workaround.
•
CSCsw63003
Symptoms: A memory leak occurs in the "BGP Router" process. Memory used by this process increases every day while the number of routes is not increasing.
Conditions: This occurs on a provider edge (PE) router running Cisco IOS Release 12.2(31)SB or 12.2(33)SB. The problem is seen when VPN routing/forwarding (VRF) is showing significant BGP activity.
Workaround: Reload the router to avoid reaching low memory conditions.
•
CSCsw71208
Symptoms: Cisco 7600 does not respond properly to Link Control Protocol (LCP) echo requests, causing PPP sessions to renegotiate between the router and non-Cisco devices.
Conditions: Occurs on a Cisco 7600 running Cisco IOS Release 12.2(33)SRC2.
Workaround: Disable keep-alives on the non-Cisco device.
•
CSCsw82462
Symptoms: A connected prefix from the global routing table has a VPN routing/forwarding (VRF) interface as outgoing interface.
Conditions: This condition occurs after a clear ip route x.x.x.x for the prefix x.x.x.x.
Workaround: Shut the VRF interface, clear the prefix from the routing table, then no shut the VRF interface.
•
CSCsw88324
Symptoms: The ESM20G, 7600-ES20-GE3CXL, indicates Major error on show module.
Conditions: No special configuration conditions are needed to reproduce. The online diagnostics status indicates "Major Error". The major error can be observed following a forced switchover using the redundancy force-switchover command.
Workaround: No workaround known. Only reloading the router may cause the ESM20G to recover and pass online diagnostics.
•
CSCsw89563
Symptoms: When there are repeated link flaps on load-balanced paths for TAG to IP or TAG to TAG load balancing, memory leaks may occur.
Conditions: Occurs when link flaps in PE-CE or P-P or P-PE routers. The leak is proportional to the number of labels in the router.
Workaround: There is no workaround.
•
CSCsw89720
Symptoms: When an SNMP query (getmany) is performed on cbQosPoliceStatsTable and cbQosREDClassStatsTable, CPU utilization reaches 99% with a single SSH session. If cbQosPoliceStatsTable and cbQosREDClassStatsTable are queried from 18 SSH sessions, CPU-HOG error messages are seen.
Conditions: Occurs with a large number of policies defined on a GigE subinterface (~4k).
Workaround: No workaround, other than stopping the query.
•
CSCsw93867
Symptoms: The following messages appear in the log after a reload:
Suspending service policy (policyname) on Multilink(#)
bandwidth of 24.00% is not available (1.00%)
bandwidth of 24.00% is not available (1.00%)
bandwidth of 24.00% is not available (1.00%)
bandwidth of 24.00% is not available (1.00%)
Conditions: A Cisco 7600 running Cisco IOS Release 12.2(33)SRB2 and 12.2(33)SRB3 with a Multilink interface configured for a CBWFQ QoS policy will suspend the policy and display an error message similar to the above if the service-policy is applied to the Multilink interface at the time of route loading.
Workaround: Load router with no service-policies applied and apply them after router is up.
•
CSCsw98371
Symptoms: When creating SPAN monitor sessions via SNMP Set (using Network Analysis Module GUI), the user can trigger a high CPU on the supervisor. This then stops the switch from passing traffic and from being accessible.
Conditions: Occurs under the following scenario:
1. Cisco 7600 running Sup720 and 12.2(33)SRB or SRC. The 7600 must have a service module (e.g. MWAM module or FWM) that take up a default SPAN reflector monitor session when powered on.
2. Set up another monitor session. The sup supports no more than two monitor sessions.
7600#show mon sess all
Session 1
---------
Type : Service Module Session
Modules allowed : 1-9
Modules active : 3
BPDUs allowed : Yes
Session 2
---------
Type : Local Session
Source Ports :
Both : Gi9/47
Destination Ports : Gi9/48
3. When the user attempts to create a new monitor session with the same session number as the "Service Module Session" via SNMP, the creation fails, but breaks the logic to prevent any more SPAN sessions from being created.
4. Hence attempting to create a third monitor session is then allowed, and the High CPU is triggered.
Workaround:
1. Check from the command line if there is a monitor session used by the Service Module using the show monitor session all command.
2. If there is, do not attempt to create a new monitor session using the same session number.
OR
3. Create all monitor sessions on the supervisor from the CLI only.
Note: If the Service Module Session is not required, it can be removed with the no monitor session servicemodule command.
•
CSCsw99846
Symptoms: With mLDP over a P2P tunnel, traffic drops in multiple cases.
Conditions: The traffic drops when there is a change in path set entries, which can happen when you perform a shut and no shut on the TE tunnel, toggle MPLS traffic-tunnel, or use the clear mpls traffic-eng auto-tunnel command.
Workaround: There is no workaround.
•
CSCsx06457
Symptoms: A router configured with BGP may generate IPRT-3-NDB_STATE_ERROR log messages. An additional symptom when bgp suppress-inactive is configured is that the router CPU usage may get close to 100%.
Conditions: When both BGP and an IGP are advertising the same prefix, the error condition may occur. When in addition bgp suppress-inactive is configured high CPU usage by BGP may be seen.
Workaround: Removing the bgp suppress-inactive configuration should eliminate the high CPU problem. Removing either the BGP or IGP conflicting routes from the system should clear both symptoms.
•
CSCsx16206
Symptoms: Incoming traffic destined for Etherchannel is lost due to a configuration error on the ASIC of certain line cards.
Conditions: Occurs only if Etherchannel is configured across multiple line cards. The chassis contains 6516A and 6548-ge-tx line cards. Etherchannel members do not need to be on these cards.
Workaround: Force switching mode to truncated threshold such that it stays in bus mode. Resetting the workaround will fix the line card experiencing the problem, but if the reset causes a switching-mode change from truncated to flow through and back to truncated, then any other line cards with the same ASIC will now experience the problem.
•
CSCsx25316
Symptoms: A device may reload because of a crash after the command clear ip route * is executed.
Conditions: The trigger for this issue is executing the clear ip route * command in the presence of a default route. If a RIP update is received by the router while the routing information base is being cleared, the update will be processed, causing RIP to check the state of the default route in the routing information base. This combination has the potential to cause a crash.
The probability of the crash occurring is proportionate to the size of the routing table. The larger the routing table, the greater the chance of encountering the problem.
Workaround: It is recommended to avoid using the clear ip route * command. If the prefix in question is known, then use clear ip route <prefix> instead.
Further Problem Description: This problem was observed in Cisco IOS Release 12.2(33)SRC3. All Cisco IOS SR33-based images (SRB, SRC, SRD and SB33) are vulnerable to this problem. The problem will be seen only when using the clear ip route * command and is platform independent. Other commands like clear ip ospf, clear ip bgp, clear ip isis or clear ip route <prefix> are not vulnerable.
•
CSCsx27659
Symptoms: L3 traffic is blackholed after online insertion and removal (OIR) of Distributed Forwarding Cards (DFCs).
Conditions: After an OIR, some of the adjacencies (recirculation) may not be correctly programmed when they go online.
Workaround: Use the clear adjacency command to reprogram the adjacencies correctly. This will impact traffic on the router.
Further Problem Description: Use the show mls cef adjacency entry <x> detail command to diagnose. A display of "vlan=0" on recirculation adjacencies indicates this problem.
•
CSCsx28948
Symptoms: Packet leak is observed on Cisco 7200 router running Cisco IOS Release 12.2(33)SRC.
Conditions: A multicast packet is forwarded to the tunnel interface, causing a memory leak. Even if the packet is dropped, the memory leak is observed. Multicast data less than 64 bytes in size is dropped at the driver. The leak does not happen with interfaces other than tunnel interfaces.
Workaround: There is no workaround.
•
CSCsx33622
Symptoms: Packet drops seen in the network when an IOS application sends full length segments along with TCP options.
Conditions: The issue is seen only in topologies where an IOS device is communicating with a non-IOS peer or with an IOS device on which this defect has been fixed.
Workaround: Reset ip mtu.. to a lower value. Any value lower than the advertised MSS from the peer should always work.
•
CSCsx37313
Symptoms: When using encapsulation PPP on a POS SPA OC192POS-XFP in a SIP-600, the protocol comes up on both sides and IP Control Protocol (IPCP) is open for PPP. Pinging the remote side fails due to corruption of the PPP frame.
Conditions: Occurs when using encapsulation PPP on a POS SPA OC192POS-XFP.
Workaround: Use High-Level Data Link Control (HDLC) encapsulation.
•
CSCsx37431
Symptoms: CE-to-CE ping for packet size less than 48 bytes fails or applications like telnet fail.
Conditions: Occurs with ATM SPA on SIP200. ATM PA on FW2 should be one of the CEs facing, while the other PE should be a 7200.
Workaround: There is no workaround.
•
CSCsx47554
Symptoms: With a topology like this:
CE
|                      type 4 xconnect       type 4 xconnect
|-------------------- 7600 --------------- GSR -------------- CE
             SIP400  Sup720  Giga subif   Giga subif
the packets above 1496 are not passing through end-to-end.
The MTU on the edge-facing interfaces is 1500, the one on the core-facing interfaces is 1600.
Conditions: The GSR on the other side seems not to have a similar behavior. The bug has been reproduced in Cisco IOS Release 12.2(33)SRB3 and SRC3.
Workaround: Increase the MTU on the edge-facing interface end-to-end.
•
CSCsx57465
Symptoms: On a Cisco 7600-SIP-200 / SPA-2XOC3-ATM running the c7600s72033-adventerprisek9-mz.122-33.SRB4 image, an ATM interface may suddenly cease processing ingress packets resulting in all VC sharing the physical interface being shut down.
Conditions: Occurs when the ATM SPA interface is configured for LFI.
Workaround: There is no workaround.
•
CSCsx76308
Symptoms: Cisco 6500 crashes with Breakpoint exception, CPU signal 23.
Conditions: An attempt to free unassigned memory is seen before the crash:
00:01:25: %SYS-2-FREEFREE: Attempted to free unassigned memory at 50D9D260, alloc 40CC9960, dealloc 40CC9A90
-Traceback= 41044F88 40CC9A98 40CC88C0 40CC20E4 40CCF5B0 406AF1AC 4069A834 4101848C 41018478
Workaround: There is no workaround.
•
CSCsx79111
Symptoms: MPLS packets that need a swap label may get punted to CPU because the outgoing interface/label has wrong MTU value in hardware (MLS). Once the packet is punted to CPU, it is forwarded correctly, as Cisco Express Forwarding (CEF) in software has correct info. If the traffic rate is high, this causes high CPU.
-show mls status can confirm the MTU failure increasing.
-remote command switch show mpls platform vlan shows wrong MTU for outgoing interface.
-show mls cef mpls label X detail will show the MTU as 0.
-show mpls forwarding-table interface X detail shows good MRU value.
Conditions: Occurs on a Cisco 7600 running Cisco IOS Release 12.2(33)SRB5.
Workaround: Re-stating the mtu command or mpls ldp mtu ... does not make any difference. You need to either bounce the affected interface or reload the switch.
•
CSCsx82880
Symptoms: MAC security on ESM20 ports stops working after unrelated configuration changes are made to any other ports on the same ESM20.
Conditions: On ESM20 ports having service instances configured with MAC security on them, traffic stops flowing on those EVCs when unrelated configuration changes are done on other ports on that ESM20.
Workaround: Perform a shut/no shut on the affected port.
•
CSCsy07555
Cisco IOS devices that are configured for Internet Key Exchange (IKE) protocol and certificate based authentication are vulnerable to a resource exhaustion attack. Successful exploitation of this vulnerability may result in the allocation of all available Phase 1 security associations (SA) and prevent the establishment of new IPsec sessions.
Cisco has released free software updates that address this vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-ipsec.shtml
•
CSCsy10610
Symptoms: LACP L3 POCH members flap, getting unbundled and bundled back again.
Conditions: Global native VLAN tagging has to be enabled, and L3 POCH interface should have a sub-interface configured under it.
Workaround: Disable global VLAN tagging.
•
CSCsy26883
Symptoms: VPN routing/forwarding (VRF) traffic may experience packet loss after a supervisor switchover.
Conditions: Occurs on a Cisco 7600 running Cisco IOS Release 12.2(33)SRB2 or Cisco IOS Release 12.2(33)SRC2.
Workaround: Apply an access-list with "permit ip any any" in one of the VRF interfaces, or force another switchover.
•
CSCsy27500
Symptoms: Router ID change results in the following error message:
%BGP-3-NOTIFICATION: sent to neighbor 1::1 passive 2/3 (BGP identifier wrong) 4 bytes 01000003
Conditions: Occurs after changing the BGP router ID in a router running a release of Cisco IOS in which CSCsv20276 is a resolved defect.
Workaround: Enter the clear ip bgp command.
•
CSCsy29534
Symptoms: In rare conditions, when removing address-family in router RIP configuration just after importing large amount of routes in it, the router may crash on bus error.
Conditions: It was observed in the following context:
1) Supervisor 720 running Cisco IOS Release 12.2(18)SXF7.
2) 66K of routes were imported at that moment from BGP into RIP.
3) The address-family is removed.
Workaround: Wait a few minutes between the moment you create and import the routes in the address-family and the moment you remove it. Typically 3-5 minutes (depending on the number of routes, more delay may be needed).
•
CSCsy58115
Symptoms: In a router running BGP, the BGP process may hold increased amounts of memory over time without freeing any memory. This may also be seen from the output of show proc mem sort and in the output of show ip bgp sum or show ip bgp vpnv4 all sum and looking at the number of BGP attributes which may be increasing over time in relation to the BGP prefixes and paths which may remain roughly the same.
Conditions: Some BGP neighbors are not in established state and exchanging prefixes. The issue is observed on all platforms running the following releases of Cisco IOS:
-12.2(31)SB14
-12.2(33)SB1b
-12.2(33)SB2
-12.2(33.05.14)SRB
-12.2(33.02.09)SRC
-12.2(33)SRC3
-12.4(20)T2
-12.4(22)T1
-12.2(33)SXI or later releases.
Workaround: Remove the configuration lines related to the inactive neighbors (neighbors in Idle or Active states).
•
CSCsy71343
Symptoms: Flood of broadcast or multicast traffic on Virtual Private LAN Services (VPLS) VCs stops if the path changes from one interface to another interface.
Conditions: Cisco 7600 provider edge (PE) router running Cisco IOS Release 12.2(33)SRB and using ESM20 as the core-facing links providing multiple paths to reach the VC destination. Cisco IOS Release 12.2(33)SRC and 12.2(33)SRD are not affected.
Workaround: Choose one of the following options:
1) Perform a shut/no shut on the switch virtual interface (SVI).
2) Remove and add the neighbor from VFI on which the problem is seen.
•
CSCsy83830
Symptoms: The router crashes when multiple access packets are sent for the same username while it is configured for RADIUS Load Balancing (RLB).
Conditions: Occurs with the following topology:
CLIENT----->RLB----->SERVER
Client sends multiple access retry packets to server and router crashes after a period of time. This issue will be seen in cases where multiple access requests are seen for the same username, and 60 seconds expire since the arrival of the first of such access requests, before an accounting start for the same username is seen.
Workaround: The crash is not seen if RLB does not see multiple access packets.
•
CSCsy87385
Symptoms: For IPv6 adjacencies, MTU is incorrectly programmed.
Conditions: Occurs with simple IPv6/6PE setup.
Workaround: There is no workaround.
•
CSCsz10073
Symptoms: SPA-4XOC3-ATM can stop forwarding ingress traffic after cell packing timer is changed.
Conditions: Occurs when MPLS is configured over a tunnel interface and the cell packing timer is changed.
Workaround: There is no preventive workaround to this issue. Once the card is in the problem state, the FPGA is hung and to recover from this state, the SPA has to be reloaded.
•
CSCsz19323
Symptoms: Unable to create monitoring sessions using network analysis module (NAM) graphical user interface (GUI).
Conditions: Occurs when SNMPSet is used to create the sessions using portCopyTable.
Workaround: There is no workaround.
•
CSCsz45226
Symptoms: Multicast Open Shortest Path First (OSPF) Bidirectional Forwarding Detection (BFD) packets are corrupted when going out of ESM20 interface on an Ethernet Over MPLS (EoMPLS) setup.
Conditions: When sending multicast OSPF database descriptor (DBD) packets or multicast ping packets to the 224.0.0.5 address and the packet size grows above a certain size (108B) in the payload, a specific byte of the multicast packet traversing the EoMPLS link is corrupted.
Workaround: There is no workaround.
•
CSCsz45509
Symptoms: Dead Peer Detection (DPD) packets are not sent following loss of ISAKMP SA and IPSec in UP-NO-IKE state.
Conditions: Occurs when DPD is configured and the ISAKMP SA is deleted independently of the IPSec SAs.
Workaround: Manually clear the crypto session to create a new ISAKMP SA.
•
CSCsz47619
Symptoms: ES-20 line card repeatedly resets.
Conditions: Occurs when fabric sync failure occurs on ES-20.
Workaround: Enter the following command: test scp linecard keepalive disable.
•
CSCsz63442
Symptoms: Router crashes.
Conditions: This issue is observed on a Cisco 7200 router running an internal build of Cisco IOS Release 12.2(33)SRB.
Workaround: There is no workaround.
•
CSCsz72581
Symptoms: Dead Peer Detection (DPD) does not trigger a new IKE session if the previous IKE session fails.
Conditions: Occurs when using on-demand DPD.
Workaround: Manually clear the IKE session to trigger a new IKE.
Resolved Caveats—Cisco IOS Release 12.2(33)SRB5
Cisco IOS Release 12.2(33)SRB5 is a rebuild release for Cisco IOS Release 12.2(33)SRB. The caveats in this section are resolved in Cisco IOS Release 12.2(33)SRB5 but may be open in previous Cisco IOS releases.
•
CSCec72958
Symptoms: A Cisco router that is configured for Network Address Translation (NAT) may reload unexpectedly because of a software condition.
Conditions: This symptom can occur when the router translates a Lightweight Directory Access Protocol (LDAP) packet. NAT translates the embedded address inside the LDAP packet. This problem is strictly tied to NAT and LDAP only.
Workaround: There is no workaround.
•
CSCeg86665
Symptoms: DSCP value is not being preserved when the ingress packet is encapsulated with a GRE header. The DSCP value will be rewritten to 0 as the packet egresses the router.
Conditions: The router must be a tunnel endpoint and packets must be marked for this behavior to trigger.
Workaround: Configuring the mls qos marking ignore port-trust command will cause egress packets to be marked correctly.
•
CSCek55562
Symptoms: A CPUHOG may occur.
Conditions: This symptom is observed with various routing commands, including the clear ip route command, in cases where more than 300,000 routes were learned via a single subnet.
Workaround: There is no workaround.
•
CSCek78031
Symptoms: Some BGP routes are missing from RIB so packets cannot reach the destination.
Conditions: A connected route covers the BGP route in question, but the connected route is less specific than some other route that is also in the RIB. This causes BGP to treat the next hops of some prefixes as inaccessible, so those prefixes are not installed in the RIB and traffic stops.
Workaround: There is no workaround.
•
CSCek79227
Symptoms: Multilink Point-to-Point Protocol (MLPPP) interfaces across Channelized SPA T1s may continuously flap.
Conditions: Occurs after repeatedly triggering shut/no shut on the MLPPP interfaces.
Workaround: Disable keep-alives across the MLPPP interfaces.
•
CSCsb03401
Symptoms: You cannot open a specific port on a Cisco IOS IP SLA responder.
Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.3(14)T1 when you attempt to open a specific port on the responder instead of using normal control protocol. The symptom may also occur in Release 12.4 or Release 12.4T.
Workaround: Use normal control protocol.
•
CSCsc97727
Symptoms: An access point may crash when you add or remove TACACS servers via the CLI.
Conditions: This symptom is observed on a Cisco router that has the aaa accounting commands level default list-name group groupname command enabled.
Workaround: Disable the aaa accounting commands level default list-name group groupname command.
•
CSCsg11616
Symptoms: While restarting the iprouting process, the system crashed at redzone corruption.
Conditions: Occurs following a switchover. The iprouting process should restart once the standby becomes active.
Workaround: There is no workaround.
•
CSCsg27783
Symptoms: When an SVI is configured with VLAN ACL and Reflexive ACL and then an ingress policy-map is applied on the same SVI, SP TCAM in ingress is programmed correctly but DFC TCAM is programmed incorrectly.
Conditions: The symptoms are observed on a Cisco Catalyst 6000 Series Switch, or a Cisco 7600 series router that is running Cisco IOS Release 12.2SX, Release 12.2(33)SX, Release 12.2SR or Release 12.2(33)SR and that has a DFC line card.
Workaround: Entering the shutdown command on the VLAN followed by the no shutdown will bring the VLAN to the correct state.
•
CSCsg39754
Symptoms: When DHCP snooping is configured on a VLAN, the redirect access list programmed in TCAM permits a wide range of UDP ports from bootps/bootpc to 65xxx.
Conditions: UDP traffic to these destination ports (0x143, 0x243, 0xFF43) is being redirected to Route Processor (RP). If "ip dhcp snooping limit" is not configured, then RP CPU goes to 100%.
Workaround: There is no workaround.
•
CSCsh20497
Symptoms: Configuring EIGRP IPv6 may under certain circumstances cause the router to unexpectedly restart.
Conditions: This issue only applies to a configuration with EIGRP IPv6 configured on serial interfaces, such as Frame Relay hub and spoke or point-to-point serial interfaces. This problem does not affect LAN interfaces or those that use EIGRP IPv4.
Workaround: There is no workaround.
•
CSCsh48879
Symptoms: A vulnerability exists in the Cisco IOS software implementation of Layer 2 Tunneling Protocol (L2TP), which affects limited Cisco IOS software releases.
Several features enable the L2TP mgmt daemon process within Cisco IOS software, including but not limited to Layer 2 virtual private networks (L2VPN), Layer 2 Tunnel Protocol Version 3 (L2TPv3), Stack Group Bidding Protocol (SGBP) and Cisco Virtual Private Dial-Up Networks (VPDN). Once this process is enabled the device is vulnerable.
This vulnerability will result in a reload of the device when processing a specially crafted L2TP packet.
Cisco has released free software updates that address this vulnerability.
Workarounds that mitigate this vulnerability are available in the "workarounds" section of the advisory.
The advisory is posted at /en/US/products/products_security_advisory09186a0080a0157a.shtml
•
CSCsh48947
Symptoms: Some of the 48 power over Ethernet ports of a line card cannot be configured as "power inline static" with the maximum power capacity, 15.4 watts, that a port can support.
Conditions: The number of supported ports depends on the power rating of the voice daughter board. One or more ports may not operate at maximum capacity.
Workaround: There is no workaround.
•
CSCsh66978
Symptoms: On Cisco 7600 routers, configuring a Switch Virtual Interface (SVI) with VRF may result in traffic on the VRF being dropped.
Conditions: This is a race condition at configuration time, so if VRF traffic works after the interfaces have been configured, then the problem is not present. Performing a shut/no shut on the VLAN or base interface and/or switchport/no switchport on the base interface may cause the problem to appear.
This is fixed in Cisco IOS Release 12.2(33)SRC and later releases.
Workaround: Disable and re-enable switchport on the base interface. Also, performing a shut/no shut on the VLAN or base interface may cause the VRF traffic to pass again.
•
CSCsh91889
Symptoms: BGP session failed to establish between two multicast VPN peers.
Conditions: Occurs when one peer is configured using new MDT SAFI BGP command and the next peer is configured using older MDT VPNv4 command.
Workaround: There is no workaround.
•
CSCsi82337
Symptoms: Packets are not switched by Cisco Express Forwarding (CEF).
Conditions: Occurs under the default condition when ip cef is enabled, and packets are neither CEF- nor process-switched.
Workaround: There is no workaround.
•
CSCsj19808
Symptoms: When the gateway for a default route is removed from the routing table, the default route is not removed and the following log message is seen:
00:04:35: %IPRT-3-RIB_LOOP: Resolution loop formed by routes in RIB
Conditions: A default route resolves on a non-recursive gateway, such as a gateway covered by a directly connected prefix. The interface transitions to down state and the connected route is removed. The default route should be removed from the RIB, but it is not.
Workaround: If the default route is a static route, then the configuration can be deleted and added again, which will correct the problem. For example:
no ip route 0.0.0.0 0.0.0.0 10.1.1.1
ip route 0.0.0.0 0.0.0.0 10.1.1.1
•
CSCsj36133
Symptoms: A BGP neighbor may send a notification reporting that it received an invalid BGP message with a length of 4097 or 4098 bytes.
Conditions: The problem can be seen for pure IPv4 BGP sessions (no MP-BGP in use) when the router that is running the affected software generates a large number of withdraws in a short time period and fills an entire BGP update message (up to 4096 bytes normally) completely with withdraws. Because of a counting error, the router that is running the affected software can generate an update message that is 1 or 2 bytes too large when formatting withdraws close to the 4096 size boundary.
Workaround: The issue is not seen when multiple address families are being exchanged between BGP neighbors.
•
CSCsj46607
Symptoms: On Cisco 7600 routers, configuring Unicast Reverse Path Forwarding (Unicast RPF) for prefixes that are reachable via multiple paths may not set unicast RPF correctly on all paths.
Conditions: If unicast RPF is enabled on the first path, it will show up as being enabled on all paths in show mls cef ip <prefix>. If it is enabled on the first path and the unicast RPF configuration of other paths is changed, the unicast RPF for the prefix is not updated.
Workaround: There is no workaround.
•
CSCsj49293
Symptoms: The interface output rate (214 Mb/s) is greater than the interface line rate (155 Mb/s).
Conditions: This symptom is observed with a Cisco 7600/7500/7200-NPE400 and below. That is, PA-POS-2OC3/1OC3 (PULL mode).
Workaround: There is no workaround.
Further Problem Description: From the Ixia, packets are transmitted at 320 Mb/s. On the UUT (Cisco 7600), the outgoing interface (POS-Enhanced Flexwan) shows the output rate as 200 Mb/s. But the interface bandwidth is 155 Mb/s.
•
CSCsj83102
Symptoms: RP may crash with a bus error while trying to configure card type on a PA in a Flexwan while that PA/Flexwan is experiencing communication problems with the SUP.
Conditions: This is a rare issue which is only seen under certain circumstances when a configuration is attempted on a card which is itself experiencing communication problems with the rest of the chassis/reloading, crashing, etc.
Workaround: Avoid issuing the card type command while the PA/Flexwan is experiencing problems. If the card in question is experiencing hardware issues, the problem may also be avoided by replacing the card.
•
CSCsj90682
Symptoms: The number of packets that are queued inside a BW queue is more than its displayed queue-limit. In the output for show policy-map interface, you see that the child shaping class is buffering to a greater value than its displayed queue-limit.
Conditions: Occurs when HQOS policy map is applied on an EVC under ESM20 interface.
Workaround: There is no workaround.
•
CSCsj94583
Symptoms: When a service policy with "priority + Police cir percent x" is applied on a subinterface, it is not getting accepted for all of the percent values.
Conditions: When "police cir percent" conversion to cir value increases a certain range the policy is not getting accepted.
Workaround: There is no workaround.
•
CSCsj98198
Symptoms: The following error occurs:
%NETFLOW_AGGREGATION-4-OER_AGG_EXPORT_ERROR: OER Error receiving TT agg export packet on RP
Conditions: Errors may be seen on Cisco 6500 running as Optimized Edge Routing (OER) border router.
Workaround: There is no workaround.
•
CSCsk09471
Symptoms: Multiple spurious fabric CRC error messages may be displayed on the console.
Conditions: Caused by incorrect handling of fabric CRC errors. This may result in spurious messages being printed and also results in unnecessary fabric re-sync.
Workaround: There is no workaround.
•
CSCsk28361
Symptoms: 4000 virtual-template (VT) takes high CPU during system load configuration.
Conditions: Occurs when 4000 VT interfaces are loaded from TFTP to running configuration.
Workaround: There is no workaround.
•
CSCsk48366
Symptoms: The following traceback occurs following a stateful switchover (SSO).
CWAN_SPA-3-POWER_CYCLE: Configuration mismatch occurred on Shared Port Adapter 2/0
Conditions: Occurred on a Cisco 7600 router running Cisco IOS Release 12.2SRB image with 8T1E1-SPA.
Workaround: There is no workaround.
•
CSCsk63794
Symptoms: Crash may happen under regular operations as well as when changes to QoS policies are being made.
Conditions: Occurs on a Cisco 7600 with enhanced FlexWAN module and PA-2T3+ with about 70 frame-relay PVCs in point-to-point topology.
Workaround: Shut the interface instance before applying/removing the policy.
•
CSCsk72676
Symptoms: PVC does not come up after removing vc-class from it.
Conditions: This issue happens only when vc-class with constant bit rate (CBR) is configured on the main interface, and another vc-class is applied to the VC. This occurs under the following scenario:
1. Boot the router afresh.
2. Apply a vc-class (class1) to the ATM interface.
3. Configure PVCs with the range command.
4. Apply another vc-class (class2) under the range-pvc configuration.
5. Remove the vc-class (class2) from under the range-pvc configuration.
After this step the PVCs are expected to come up having attributes of vc-class class1. The PVCs do not come up and stay in inactive mode.
Workaround: There is no workaround.
•
CSCsk84925
Symptoms: Platforms, such as the Cisco Catalyst 6500, are capable of dropping multicast traffic in hardware. However, in order to do so, they require that mroute entries be created by software. In the case of SSM mroutes on a first-hop router, software does not always create such entries and so this traffic cannot be dropped in hardware, resulting in high CPU utilization on the route-processor.
Conditions: This symptom will be encountered in the following scenario:
1. There are no receivers present for a given SSM (S,G) flow
2. (S1,G) has already been created
3. A directly-connected source (S2,G) starts sending traffic
That is, the first flow (S1,G) will be created and will be properly dropped in hardware if no receivers for that flow are present. Subsequent flows to the same group G will not be created and will impact the route-processor CPU.
Workaround: There are several possible workarounds to this issue:
1. Disable the mroute-cache on the incoming interface using the interface-mode command no ip mroute-cache. On platforms such as the Catalyst 6500, this will have no impact for hardware-switched flows.
2. Ensure that all SSM source traffic is sent to unique groups.
3. Ensure that receivers are present for all anticipated traffic.
•
CSCsk86381
Symptoms: Memory leak occurs in "Crypto IKMP" and "IPSEC key engine".
Conditions: Occurs on a WS-C6509-E running internal image s72033-advipservicesk9_wan-mz.NAT-D- 5
Workaround: There is no workaround.
•
CSCsk86642
Symptoms: SPA-2xOC3-POS is not seeing the correct K1/K2 bytes on working group 1 APS, when switching from Protect to Working port.
Conditions: This was observed in a lab environment with a Cisco 7604 router back to back with a Cisco 7206 router. Code tested Cisco IOS Release SRA1 and Cisco IOS Release SRA2.
Workaround:
1) Hw-slot reset on the SIP-400-SPA corrects the problem.
2) A shut/no shut on the protect interface corrects the problem.
•
CSCsk88760
Symptoms: The system crashes when configuration on the member ports of Layer-2 port-channel is changed.
Conditions: This happens mainly when members are changed from switchport to no switchport while the LACP port-channel is established and LACP control packets are being exchanged between the peers. This situation rarely occurs.
Workaround: There is no workaround.
•
CSCsk98751
Symptoms: A router may crash after the command mpls traffic-eng backup-path tunnel is issued.
Conditions: The symptom is observed when a backup tunnel is configured on PLR, which is a mid point router for a protected primary tunnel.
Workaround: There is no workaround.
•
CSCsl07297
Symptoms: Router may crash when a sequence of commands are executed in quick succession.
Conditions: Occurs when a Border Gateway Protocol (BGP) neighbor belongs to a particular peer group and the following commands are entered in quick succession:
* no neighbor a.b.c.d peer-group pgroup-name
* no neighbor a.b.c.d description xyz
If these commands are executed quickly, such as when they are pasted into the interface, the router may crash.
Workaround: Use the no neighbor a.b.c.d peer-group pgroup-name command to remove the neighbor. This command removes the neighbor and eliminates the need for the second command.
•
CSCsl21123
Symptoms: Entering the dir stby-harddisk: command causes the active RP to reload.
Conditions: Occurs on a Cisco 7600 router.
Workaround: There is no workaround.
•
CSCsl28278
Symptoms: Routes and packets are lost.
Conditions: Occurs because NSF restart is not recognized by some of the neighbors after a router restarts.
Workaround: There is no workaround.
•
CSCsl32122
Symptoms: VPN client users using a certificate to connect to a Catalyst 6000 or Cisco 7600 with VPN blade fail to connect. IPSec negotiation fails during mode configuration.
Conditions: Conditions are unknown at this time.
Workaround: Preshared key authenticated VPN clients can connect without problem.
•
CSCsl50471
Symptoms: Egress traffic stops on AToM Cell Relay shaped VC configured on an OC3 SPA interface when the received load from the MPLS network exceeds the egress shaped rate.
Conditions: An AToM Cell Relay shaped VC is configured on an OC3 SPA interface in a SIP-400. The received load from the MPLS network exceeds the egress shaped rate.
Workaround: Configure an ingress MQC service policy to police the ingress traffic rate.
•
CSCsl62963
Symptoms: Router crashed while reconfiguring a three-level policy.
Conditions: Seen on a Cisco 7200 router.
Workaround: There is no workaround.
•
CSCsl65047
Symptoms: Back-to-back ping fails after configuring "native" on subinterface.
Conditions: Initially ping works fine, but packets go out tagged, which should not be the case. Performing a shut/no shut on one sub-interface with native configured causes ping to fail, because the side that was flapped starts sending untagged ping packets (which is the expected behavior). The remote side, which has not been flapped, expects tagged packets.
Workaround: Do shut/no shut on both ends of the sub-interface.
•
CSCsl92316
Symptoms: Router may experience mwheel CPUHOG condition.
Conditions: This condition is observed on Cisco router while clearing all L2TP sessions when there are more than 2500 sessions with multicast traffic flowing on the sessions.
Workaround: There is no workaround.
•
CSCsl99156
Symptoms:
1. The No_Global bit (0x10) for MOI flag is incorrectly set for iBGP when it becomes best path.
router#show ip cef vrf <vrf name> x.x.x.x int [snip] MPLS short path extensions: MOI flags = 0x16 <-------MOI flags 0x10 is incorrectly set for iBGP when it becomes best path, correct flag should be 0x4, 0x5, 0x6 ... correct now.
2. The No_Global bit (0x10) for MOI flag for iBGP path was incorrectly unset when eBGP becomes best path.
router#show ip cef vrf <vrf name> x.x.x.x int [snip] MPLS short path extensions: MOI flags = 0x5 <-------MOI flags 0x10 is incorrectly clear for ibgp path when eBGP becomes best path, correct flag should be 0x14, 0x15, 0x16... correct now.
Conditions: This symptom sometimes happens after BGP path update.
Workaround: Issue the clear ip route vrf vrf name x.x.x.x/y command.
•
CSCsm01389
Symptoms: Crash occurs after clearing auto-tunnel backup by issuing the clear mpls traf-eng auto-tunnel backup command.
Conditions: Occurs with SSO and traffic engineering (TE) auto-tunnel feature enabled.
Workaround: There is no workaround.
Further Problem Description: Crash was seen on Active SP after issuing clear mpls tra auto-tunnel primary followed by clear mpls tra auto-tunnel backup command. This crash could happen with or without a SSO switchover before issuing those commands.
•
CSCsm15350
Symptoms: The VPNSPA may crash with an assert failure.
Conditions: The symptom is observed when B2B is configured and when creating 8000 remote access sessions.
Workaround: There is no workaround.
•
CSCsm20599
Symptoms: A line-by-line synchronization failure may occur and the standby RP may be reset.
Conditions: The symptoms are observed when a PVC is created on a P2P sub-interface, and when "exit" or "end" is not called.
Workaround: After creating a PVC on a P2P sub-interface, call "exit" or "end".
•
CSCsm28287
Symptoms: After shutting down a GRE tunnel interface, the active RP crashed and switchover took place.
Conditions: Occurred on a Catalyst 6000 running an internal build of Cisco IOS Release 12.2SX. Other versions of Cisco IOS Release 12.2S are also affected.
Workaround: There is no workaround.
•
CSCsm40666
Symptoms: Using the execute-on command on SUP to PPC may cause the device to hang in some cases.
Conditions: This happened when the SUP process is busy with CLI process, including the case where CLI-intensive management application is running.
Workaround: Open another Telnet session and enter the same execute-on command. This will release the first hung execute-on.
•
CSCsm50741
Symptoms: When a non-DC router is removed from a DC enabled area and the area becomes DC enabled, some of the LSAs are not refreshed correctly with DoNotAge (DNA) bits set. Crash may happen when customer deploys iptivia probes in the network. Fixed in CRS.
Conditions: The symptom is observed when a router without DC capability is removed from a DC enabled area.
Workaround: Use the clear ip ospf command.
•
CSCsm53196
Symptoms: Crash occurs at "ip_route_delete_common".
Conditions: Occurs under the following scenario:
1) A multicast BGP route exists.
2) A unicast BGP route exists for the same prefix.
3) Another route covered by the same majornet as the BGP route exists.
4) There are both iBGP and eBGP sources for the BGP prefix.
5) Redistribution of BGP routes into an IGP must be configured.
A topology change in the network that causes mBGP to switch from using the iBGP sourced route to the eBGP sourced route will cause the crash.
Workaround: If there are not both iBGP and eBGP sources for the same route, the problem will not occur. If redistribution of BGP into an IGP is not configured, the problem will not occur.
•
CSCsm55817
Symptoms: When configuring ATM PVCs, under the PVC syntax you can provide a handle to describe the PVC. If this handle starts with "00" (zero zero) then the command will fail.
Conditions: The symptom is observed when configuring ATM PVCs and where the PVC handle starts with "00".
Workaround: Do not use handles that start with "00".
•
CSCsm57494
Symptoms: BGP update is not sent after reloading opposite router or resetting module. Sometimes a BGP VPNv4 label mismatch also occurs between the routers because BGP update is not received.
Conditions:
- This problem may occur once or twice out of 20 attempts.
- This problem is apt to occur when MPLS-TE tunnel is enabled.
- This problem may occur when entering either reload command, hw-module module X reset command or the clear ip bgp X.X.X.X command on the opposite router.
Workaround: There is no workaround.
•
CSCsm61571
Symptoms: When the optical RX level changes such that it is out of the supported threshold, or a mismatched combination of XFPs is used at the ends (e.g., ZR to LR, SR to LR, etc.), the line card CPU utilization becomes very high at the interrupt level. This greatly contributes to exhaustion of line card CPU resources and results in failure to process heartbeat keepalives. As a result, the line card is eventually reset by the SP to attempt recovery. The CPU is interrupted so frequently because of the continuous interface state transitions that are triggered by the line card.
Passing CLIs to the line card fail:
7600#remote command module 2 sh proc cpu sort
No response from remote host
SP fails to receive heartbeat checks from the ES20 LC and eventually crashes:
%CPU_MONITOR-SP-6-NOT_HEARD: CPU_MONITOR messages have not been heard for 30 seconds [2/0]
%CPU_MONITOR-SP-6-NOT_HEARD: CPU_MONITOR messages have not been heard for 60 seconds [2/0]
%CPU_MONITOR-SP-6-NOT_HEARD: CPU_MONITOR messages have not been heard for 90 seconds [2/0]
%CPU_MONITOR-SP-6-NOT_HEARD: CPU_MONITOR messages have not been heard for 120 seconds [2/0]
%CPU_MONITOR-SP-6-NOT_HEARD: CPU_MONITOR messages have not been heard for 150 seconds [2/0]
%OIR-3-CRASH: The module in slot 2 has crashed
When unplugging the fibers, LC becomes responsive, but shows high CPU in interrupt:
7600#remote command module 2 sh proc cpu sort | e 0.00% 0.00% 0.00%
CPU utilization for five seconds: 99%/96%; one minute: 36%; five minutes: 23%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
124 59128 542 109092 2.19% 2.17% 2.30% 0 Vlan Statistics
134 221872 1057 209907 0.42% 8.74% 10.38% 0 CFIB LC STATS Ta
127 24072 3340 7207 0.18% 0.20% 0.17% 0 BW Stats Poll
213 1628 177 9197 0.12% 0.07% 0.05% 0 sip10g Stats Bac
173 7208 634 11369 0.12% 0.01% 0.00% 0 TCAM Manager pro
193 1240 177 7005 0.12% 0.05% 0.05% 0 MFI LFD Stats Pr
172 2488 373 6670 0.12% 0.08% 0.09% 0 QoS SP Process
104 440 87 5057 0.12% 0.04% 0.01% 0 xcvr RPC process
Conditions: Occurred on a Cisco 7600 router with a XFP-10GZR-OC192 housed in a ES20, where the optical fiber has its RX level out of the specified range for the given XFP being used. Problem exists in SPA driver code and can be seen on all line cards on which affected SPAs are supported.
Workaround: Verify the optical properties of the fiber using the sh hw-module subslot X/Y transceiver Z stat command. If out of range, replace with optical fibers for which the optical transmission properties are within the specified range for the given XFP being used.
•
CSCsm66678
Symptoms: Packets are not getting policed in MPLS cloud, causing the show policy-map int command to display incorrect counts. Conform and exceed actions are not being performed.
Conditions: Even though packets are getting classified correctly, policing is not working on those packets.
Workaround: There is no workaround.
Further Problem Description: Policing is not working in the MPLS cloud. Consider the following three scenarios:
1) When a service policy and MPLS are configured on the subinterface, policing works fine.
2) When a service policy and MPLS are configured on the main interface, policing works fine.
3) When a service policy is attached on the main interface and MPLS on the subinterface, policing does not work.
The first two cases work fine. It means if the MPLS feature and policy are on the main interface or the MPLS feature and policy are on the subinterface, policing works correctly. The problem is with the third case. Here, the MPLS feature is applied on the subinterface and policy on the main interface. If we do not have MPLS configured and we are receiving just IP packets, then all cases work fine. But MPLS packets are treated as IP packets.
•
CSCsm74143
Symptoms: INTR_MGR-DFC7-3-BURST: msg seen when PMAP is removed from subinterface.
Conditions: Occurs on a ES20 LC with subinterface having a HQoS policy applied. The steps are:
1) Remove the child policy from the parent class.
2) Remove the service-policy from the subinterface.
Workaround: Apply the service-policy again in the interface and remove the policy.
•
CSCsm75286
Symptoms: A route-map which is configured with both IPv4 and IPv6 for a BGP peer does not work as expected.
Conditions: Observed after the route-map is modified to delete a sequence.
Workaround: Apply a fresh route-map.
•
CSCsm89795
Symptoms: The router keeps reloading and complaining about unavailability of memory.
Conditions: This symptom is observed if the router is directly connected to a DHCP server or if an attack is made by flooding DHCP replies.
Workaround: There is no workaround.
•
CSCso04932
Symptoms: Traffic is lost for up to 30 seconds on a static route with next hop over ATM interface.
Conditions: Occurs when next hop goes over an ATM interface.
Workaround: There is no workaround.
•
CSCso27236
Symptoms: Cisco IOS CA shows incorrect renew date (Jan 1 1979). Example:
Before restart
Start Date: 1 Jan 2008 10:00:00
End Date : 1 Jan 2011 10:00:00
Renew Date : 1 Jan 2008 09:58:00
After restart
Start Date: 1 Jan 2008 10:00:00
End Date : 1 Jan 2011 10:00:00
Renew Date : 1 Jan 1970 08:00:00
Conditions: Occurs when auto-enroll is enabled and the router is reloaded.
Workaround: There is no workaround.
•
CSCso39217
Symptoms: Link flaps and causes traffic loss as well as repeated route convergence on RP.
Conditions: Seen when ESM20 is reset. During stateful switchover (SSO), though not consistent. After a SSO switchover, we see a PORT_BOUNCED error message which indicates the cause of failure as the Consistency Check IDB was down.
Workaround: There is no workaround.
•
CSCso46337
Symptoms: After stateful switchover (SSO), a traceback is seen.
Conditions: Occurs after SSO.
Workaround: There is no workaround.
•
CSCso46427
Symptoms: A device may crash when the show clns interface command is issued on the wrong interface.
Conditions: The symptom is observed when there are a number (around 100 or more) of CLNS interfaces on the device.
Workaround: There is no workaround.
•
CSCso48665
Symptoms: With COPP configured, L2 traffic coming from VPLS SVI is punted to the RP and is subject to the control plane policy.
Conditions: The symptom is observed on a Cisco 7600 series router with both VPLS SVI and COPP configured.
Workaround: There is no workaround.
•
CSCso50347
Symptoms: A router may crash after the command show ip bgp l2vpn vpls all prefix-list is issued.
Conditions: The symptom is observed when the show ip bgp l2vpn vpls all prefix-list command is used with a configured prefix-list.
Workaround: Use the show ip bgp l2vpn vpls all command.
•
CSCso56413
Symptoms: A Catalyst 6000 line card may crash while attempting to free non-chunk memory.
Conditions: Occurs when MAC out-of-band synchronization is enabled in a distributed forwarding system.
Workaround: There is no workaround.
•
CSCso57001
Symptoms: Router crashes when interfaces flap and the device is running the MetroE IPSLA feature.
Conditions: When the device is set to automatically start jitter/ping probes and the interfaces flap, it results in a crash when trying to re-create auto generated MetroE operations.
Workaround: There is no workaround.
•
CSCso59251
Symptoms: An interface on ESM20G goes down.
Conditions: Occurs when the interface has a 50 EVC on it. Seen on router using rsp72043-adventerprisek9_wan_dbg-mz.srb_throttle_033008 image.
Workaround: A shut/no shut will correct the symptom.
•
CSCso59974
Symptoms: BGP session goes idle.
Conditions: Occurs following a stateful switchover (SSO).
Workaround: There is no workaround.
•
CSCso62193
Symptoms: The standby router may reset unexpectedly.
Conditions: The symptom is observed when removing the frame relay map on the active using the no frame-relay vc-bundle command. The issue occurs because the frame relay map is removed in active but not in standby due to a synchronization problem.
Workaround: There is no workaround.
•
CSCso88199
Symptoms: When an MPLSoGRE tunnel is configured and a packet is sent through the tunnel with the DF bit set in the outer IP header, the packet is not decapsulated at the other end of the tunnel.
Conditions: The tunnel encapsulation should be removed by the other end of the tunnel, but when the DF bit is set in the IP header, this decapsulation does not happen.
Workaround: There is no workaround.
•
CSCso98143
Symptoms: At boot up router may crash with the following error messages:
%IPC-2-ONINT: Invalid operation at interrupt level: IPC blocking send request
icc_send_request_internal: ipc_send_rpc_blocked failed, result 8
Conditions: Occurs on Cisco 7600 configured with VRF-Lite aware PBR route-maps and running Cisco IOS Release 12.2SR or Cisco IOS Release 12.2SRC.
Workaround: There is no workaround.
•
CSCsq05680
Symptoms: The Route-Processor may sometimes crash on reset of the ES20 linecard.
Conditions: The symptom is observed when an ES20 card has ports as members of a port-channel.
Workaround: There is no workaround.
•
CSCsq15198
Symptoms: When all uplink ports on SUP are admin down and a no shut is entered on any of the two uplink ports, BFD sessions running on a different LC on the chassis begin flapping.
Conditions: This occurs whenever the first of two uplink ports is brought up.
Workaround: There is no workaround.
•
CSCsq18756
Symptoms: MTR (with multi-session capability) is enabled by default and cannot be disabled. Old CE routers do not understand the multi-session capability therefore they disconnect the BGP session with notification.
Conditions: The symptoms are observed when the MTR feature is enabled as default and when multi-session capability is sent in the default BGP peer.
Workaround: There is no workaround.
•
CSCsq18938
Symptoms: WS-6708 is reset due to diag failure.
Conditions: Occurs when traffic level is high. Traffic could be multicast bi-directional or L2 feature.
Workaround: Disable health monitoring tests on the WS-6708.
Further Problem Description: When traffic is running, 6708 card gets reset due to TestFabricCh0Health HM test failures. The card will continuously reset with these messages:
May 6 13:32:09.915 EDT: %PIM-5-NBRCHG: neighbor 10.252.3.130 DOWN on interface Port-channel10 non DR
May 6 13:32:09.307 EDT: %CONST_DIAG-SP-6-HM_TEST_SP_INFO: TestFabricCh0Health[3]: last_busy_percent[8%], Tx_Rate[894], Rx_Rate[2454]
May 6 13:32:09.307 EDT: %CONST_DIAG-SP-2-HM_MOD_RESET: Resetting Module 3 for software recovery, Reason: Failed TestFabricCh0Health
May 6 13:32:09.307 EDT: %OIR-SP-3-PWRCYCLE: Card in module 3, is being power-cycled off (Diagnostic Failure)
•
CSCsq24171
Symptoms: Traffic may not flow on an encapsulation untagged EVC after an OIR.
Conditions: The symptom is observed on an EVC on a physical port with encapsulation untagged, when the linecard is OIR. It is specific to EVC on the ES20 linecard.
Workaround: Reapply the configuration on the specific interface.
•
CSCsq30261
Symptoms: eBGP sessions (with 200 VRF) on PE-CE keep flapping when sending traffic at a rate of 200 frames per second (FPS). At 50 FPS they are stable.
Conditions: Occurs when PE is connected to test device that is emulating 200 CE farms.
Workaround: Perform a shut/no shut on the interface of the PE facing CE.
•
CSCsq36191
Symptoms: When an RP's CPU memory is almost all consumed (by BGP and/or other processes), repeated use of the show ip bgp summary command may cause a router to crash.
Conditions: The symptom is observed when memory is almost all consumed and the show ip bgp summary command is used repeatedly.
Workaround: Upgrade to more memory.
•
CSCsq44823
Symptoms: The route target (RT) is not sent in BGP VPNv4 extended-community.
Conditions: This symptom may be observed with Cisco IOS Release 12.2(33)SB when the router uses BGP VPNv4 update to send MDT information to the peer, which does not support IPv4 MDT SAFI.
Workaround: There is no workaround.
•
CSCsq45761
Symptoms: Traceback may occur when TE tunnels are configured and after HA is done by script.
Conditions: The symptom is observed on a Cisco 7600 series router and when TE tunnels and dot1q are configured on a CE-facing interface. This issue is only seen when HA uses a script.
Workaround: There is no workaround.
•
CSCsq50535
Symptoms: Split-horizon may not work correctly for a Layer 2 Protocol Tunnelling (L2PT) packet received from a VPLS VC.
Conditions: The symptom is observed on a Cisco 7600 PE router that is running VPLS and L2PT. The issue causes the L2PT packets to be sent back to the MPLS cloud on the other VPLS VC that is part of the same VFI, despite split-horizon being present. When there are multiple Cisco 7600 PE routers in the VPLS with similar configurations, there may be a loop of L2PT packets between the PEs.
Workaround: Avoid using L2PT with VPLS.
Alternate Workaround: Use Cisco IOS Release 12.2(33)SRA6.
•
CSCsq52741
Symptoms: A VPN routing/forwarding (VRF) static route pointing to a next hop in global table is not installed in RIB after a reload of a Cisco 7600.
Conditions: The device is running Cisco IOS Release 12.2(33)SRB3 with a single Supervisor. The interface in the global table through which the next hop is reachable is a Ten Gigabit subinterface with ip vrf receive <vrf name> and policy routing enabled.
Workaround: Apply the VRF static route after the reload.
•
CSCsq58385
Symptoms: Cannot ping Hot Standby Routing Protocol (HSRP) virtual address when active on ES20 card.
Conditions: This symptom is observed on a Cisco 7600 series router with SUP720, ES20 and running Cisco IOS Release 12.2(33)SRB3.
Workaround: There is no workaround.
•
CSCsq59977
Symptoms: EOAM monitoring of CRC errors may not work with 6148A-RJ45 and 6148-FE-SFP linecards.
Conditions: The symptom is observed when packets with errors are received. It is seen with 6148A-RJ45 and 6148-FE-SFP linecards.
Workaround: There is no workaround.
•
CSCsq63731
Symptoms: If either the command vlan-id dot1aq vlan-id or the command vlan-range dot1aq start-vlan-id end-vlan-id is configured on a main interface which is also configured for routing, and an ARP packet is sent to the router on the configured VLAN, then the router may send an ARP reply with a VLAN ID of zero.
Conditions: The symptoms are seen on a router when the command vlan-dot1q vlan-id is configured on a GigabitEthernet interface and encapsulation dot1q vlan-id is configured on a FastEthernet interface.
Workaround: Change the router's (CE) configuration to use a sub-interface for the vlan-id instead of using the vlan-dot1q vlan-id command on the main interface. With a sub-interface configured on the router, we can verify that the ARP packets are sent with proper VLAN ID.
•
CSCsq77043
Symptoms: A Cisco IOS device configured for an Embedded Event Manager (EEM) Tool Command Language (TCL) policy that uses the TCL CLI library may have the policy hang if the device's hostname is longer than 20 characters.
Conditions: If the device is configured with a TCL policy that uses the cli_open TCL command and that device has a hostname longer than 20 characters the policy may hang.
Workaround: Reduce the size of the hostname.
•
CSCsq78100
Symptoms: On a LAN card if wrr-queue cos-map is changed on a port that is never up, some packets are dropped on another port.
Conditions: Occurs under the following scenario:
1.) WRED is disabled in the port that is sending traffic.
2.) Configure wrr cos-map on another port that is never up.
Workaround: Configure wrr cos-map only after the port is no shut.
•
CSCsq79253
Symptoms: Once a packet buffer error is detected on a Pinnacle, traffic loss may occur after recovery.
Conditions: The symptom is observed after the first packet buffer error is detected. During the first error detection, some interrupts are not re-enabled, leading to problems detecting and correcting subsequent errors.
Workaround: Reload the affected module.
•
CSCsq81235
Symptoms: A VRF cannot be configured again when it is deleted by using the no ip vrf command.
Conditions: This symptom is seen only on VRFs with an MDT tunnel.
Workaround: There is no workaround.
•
CSCsq86014
Symptoms: When removing a subinterface on a Cisco 7600 series router, connectivity issues might occur on other subinterfaces that are part of the logical main interface.
Conditions: The symptom is observed on an ES20 linecard and with Cisco IOS Release 12.2(33)SRB3 and Release 12.2(33)SRC1. It is seen when the configuration requires double-tagging. With a back-to-back connection, a QinQ sub-interface is created on either side and an IP address is assigned. Then, another sub-interface with the same outer VLAN is created and then removed.
Workaround: Use the shutdown no shutdown command sequence to restore connectivity.
•
CSCsq91960
Symptoms: VRF may not get deleted if the VRF NAME size is 32 characters on a dual RP HA/SSO router.
Conditions: This symptom occurs when adding a VRF with 32 characters on a DUAL RP HA router. (In some releases a VRF name with more than 32 characters will get truncated to 32.) The following may occur:
- There may be a DATA CORRUPTION ERRMSG.
- While deleting this 32 character length VRF, VRF will fail to get deleted completely with an ERRMSG on active.
Workaround: There is no workaround.
•
CSCsq98626
Symptoms: On a Cisco 7600 configured for ATM Circuit Emulation (CEM) over MPLS, there are errors reported under the CEM circuit. This is observed using the show cem circuit command.
Conditions: The error is only observed when the core-facing interface has these characteristics:
- SVI, i.e. L2 (Bridge-domain and Switchport)
- The physical interface is from an ES20 module
Workaround: Disable MAC address aging with the mac-address-table aging-time 0 command.
•
CSCsr08921
Symptoms: Cisco 7600 RP crashes when pseudo-wire is down for ATM over MPLS over GRE and when AAL0 encapsulation is used. The problem happens in customer-facing SIP-400 line card.
Conditions: Configure ATM AAL0 over MPLS over GRE, then bring the pseudo-wire down.
Workaround: There is no workaround.
•
CSCsr09173
Symptoms: After a Not-So-Stubby Area (NSSA) ABR reload, the default LSA may fail to generate on some NSSAs.
Conditions: The symptom is observed following a reload or other circumstances like interface flapping.
Workaround: Reconfigure the area as NSSA by the following command sequence: no area number nssa no-summary followed by area number nssa no-summary.
•
CSCsr11085
Symptoms: A single route loop whose gateway is covered by a default route remains in the RIB after a more specific route which resolves the gateway is removed. For example, the following routes may exist in the RIB:
S* 0.0.0.0/0 is directly connected, Ethernet1/0
S 192.168.0.0/16 [1/0] via 192.168.1.2
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, Ethernet0/0
L 192.168.1.1/32 is directly connected, Ethernet0/0
192.169.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.169.1.0/24 is directly connected, Ethernet1/0
L 192.169.1.1/32 is directly connected, Ethernet1/0
If interface eth 0/0 goes down, then we have the following:
S* 0.0.0.0/0 is directly connected, Ethernet1/0
S 192.168.0.0/16 [1/0] via 192.168.1.2
192.169.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.169.1.0/24 is directly connected, Ethernet1/0
L 192.169.1.1/32 is directly connected, Ethernet1/0
and
Router#show ip route loop
->default:ipv4:base 192.168.0.0/16 -> base 192.168.1.2 static 00:01:07 N
In this case the route:
S 192.168.0.0/16 [1/0] via 192.168.1.2
should be removed from the RIB.
Conditions: The default route must be present in order for the above behavior to be considered wrong. If a default route is NOT present then the route
S 192.168.0.0/16 [1/0] via 192.168.1.2
is a misconfiguration and must be corrected by altering the configuration. Until the configuration is corrected, the route will remain in the RIB and traffic covered by that route will be dropped.
Workaround: The one route loop can be removed from the RIB using the clear ip route command:
clear ip route 192.168.0.0
Further Problem Description: In the absence of the default route, removal of the one route loop can lead to oscillation, which would seriously degrade the performance of the router.
•
CSCsr26025
Symptoms: When "0.0.0.0/8 static route to null 0" is configured, the default gateway failover does not work. RIB is not updated.
Conditions: Occurs under the following scenario:
- Border Gateway Protocol (BGP) with two neighbors sending a default gateway.
- Static route "0.0.0.0/8 to null 0" is configured.
- Failover takes place and RIB is not updated.
Workaround: There is no workaround.
•
CSCsr40433
Symptoms: Traffic engineering (TE) tunnel reoptimization fails and tunnel stuck in "RSVP signaling proceeding".
Conditions: Occurs when an explicit path is configured with loose next hops and one of the next hops is still reachable and that next hop is a dead end.
Workaround: Use strict next hop addresses.
•
CSCsr49316
Symptoms: A crash happens when the show ipv6 rpf x:x:x::x command is given.
Conditions: This symptom is observed only when there are more than 16 adjacencies for a single static route. The crash happens when the show ipv6 rpf command is given for this particular static route.
Workaround: There is no workaround. This problem occurs as long as there are more than 16 adjacencies for single static route even if some of them are not active.
•
CSCsr55278
Symptoms: Fast switching of multicast packets may not occur on the interface of a PE router. All multicast packets are forwarded in process switching.
Conditions: The symptom is observed after the interface is changed from a forwarding interface of one VRF to another VRF.
Workaround: There is no workaround.
•
CSCsr55990
Symptoms: HSRP virtual MAC is dynamic instead of static on a Cisco 7600 after a reload.
Conditions: HSRP is configured under a routed vlan-based pseudowire:
interface Vlan X
 ip address 10.0.0.1 255.255.255.0
 standby 1 ip 10.0.0.254
 xconnect x.y.z.w encapsulation mpls
Occurs when fast millisecond HSRP timers are used, and an HSRP interface delay is not configured.
Workaround: Perform a shut/no shut on the interface "vlan X". Or, as a preventive action, configure standby delay minimum 60 on the interfaces. Testing has shown that after a reboot the entry is installed correctly in the PFC/DFC.
•
CSCsr58334
Symptoms: Ping packets are blocked.
Conditions: Occurs after configuring split-horizon.
Workaround: There is no workaround.
•
CSCsr59284
Symptoms: Memory allocation fails. Sometimes neighbor relationship also drops.
Conditions: Happens after entering the show mem command. The command is entered after the system has booted up, while the Cisco 7600 system is receiving the BGP routes. Upon hitting the space key two to three times to scroll the window, the following errors are displayed:
"%COMMON_FIB-3-NOMEM: Memory allocation failure for CEF: terminal fibs list in IPv4 CEF [0x08812F1C] (fatal) "
Workaround: Enter the show mem sum command.
•
CSCsr72959
Symptoms: Router crashes.
Conditions: Occurs after entering no service dhcp.
Workaround: There is no workaround.
•
CSCsr74002
Symptoms: In some scenarios, UDLD packets received on a dot1q tunnel port in a VLAN where a Virtual Private LAN Services (VPLS) VFI is attached may be flooded to the VPLS VLAN without being processed locally. This may lead to the port being err-disabled.
Conditions: Occurs when a port is configured as a dot1q tunnel port in the VPLS VLAN. The router does not process the UDLD packets received on those tunnel ports and instead sends them to the VPLS. If the VLAN interface with the VFI is shut down, UDLD is processed normally.
Workaround: Disable UDLD or enable spanning-tree in vfi vlan.
•
CSCsr82785
Symptoms: If APS is configured on a large number of channelized sub-interfaces associated with a single controller such that a single failure can cause all of these interfaces to failover at the same time, and RIP is configured to run over these interfaces, high sustained CPU usage will be seen following the failover and reconvergence time will be lengthy.
Conditions: Large number of APS protected interfaces fail over at the same time. RIP is the protocol running on those interfaces. IP addresses on all interfaces are covered by the same network statement.
Workaround: There is no workaround.
Further Problem Description: The length of the high CPU and reconvergence period will increase as the number of impacted interfaces increases.
The length of the high CPU and reconvergence period will also increase as the number of network statements which cover the IP addresses on the affected interfaces decreases i.e. it will be worst when a single classful network (e.g. 10.0.0.0) covers all interfaces, somewhat better when multiple classful networks are impacted.
•
CSCsr86515
Symptoms: Router crashed due to watchdog timeout in the virtual exec process.
Conditions: This was observed on a Cisco 7600 running Cisco IOS Release 12.2(33)SRB3 after an ATM sub-interface was removed.
Workaround: There is no workaround.
•
CSCsr96042
Symptoms: Router crashes.
Conditions: Occurs if "ip vrf" is deleted from the configuration.
Workaround: Remove "ip vrf forwarding" from all interfaces in the VRF before removing the VRF.
•
CSCsr99533
Symptoms: Lawful Intercept (LI) may not work when accelerated LI feature is used and LI replication is being done by the supervisor card.
Conditions: Occurs on a Cisco 7600 configured with a RSP720 supervisor card.
Workaround: Use SIP400 as accelerated LI module.
•
CSCsr99630
Symptoms: Packets drop in the tail of MPLSoGRE tunnel.
Conditions: Occurs when an MPLSoGRE tunnel is configured, and a packet is sent through the tunnel with the DF bit set in the outer IP header.
Workaround: There is no workaround.
•
CSCsr99933
Symptoms: Routers running Cisco IOS Release 12.2(33)SRB4 experiencing high CPU usage.
Conditions: Occurs with high purge rate of 180/sec and above.
Workaround: There is no workaround.
•
CSCsu05525
Symptoms: After removing the "default-originate" configuration, the default-route is not withdrawn.
Conditions: Occurred on a router running Cisco IOS Release 12.2SR.
Workaround: Clear the session to remove the configuration.
•
CSCsu24087
Symptoms: A router hangs for a couple of minutes, then crashes anytime the clear ip bgp neighbor x.x.x in command is issued.
Conditions: This symptom occurs when the clear ip bgp neighbor x.x.x.x soft in command is issued while the following commands are configured for that neighbor (without route-map):
1) neighbor x.x.x.x soft-reconfiguration inbound
2) neighbor x.x.x.x weight
3) neighbor x.x.x.x filter-list in
If any one of the commands is not configured, then the router will not crash.
Workaround: Configure route-map instead of filter-list for inbound direction. For example, replace "neighbor x.x.x.x filter-list 1 in" with "neighbor x.x.x.x route-map name in", where:
route-map name permit 10
 match as-path 1
•
CSCsu57331
Symptoms: In a Virtual Private LAN Services (VPLS) scenario with ESM20 as core facing interface, imposition traffic might fail.
Conditions: Occurs only when ports from Bay 1 are used as core facing interface.
Workaround: Reset the line card.
•
CSCsu57958
Symptoms: In a scenario where a Catalyst 6500 or Cisco 7600 performs DHCP snooping + DAI functionality and a second device acts as DHCP relay, it was observed that DHCP snooping database was not populated. DHCP snooping is configured in this case on the ingress VLAN (traffic from the DHCP clients) and the DHCP server can be reached on a different egress VLAN (DHCP requests are routed).
DHCP Replies from the server (DHCPOFFER and DHCPACK) are not snooped by the Catalyst 6500 or Cisco 7600 and so bindings are not established. The consequence is that clients will get their own IP address but ARP Inspection will fail because bindings were not learned on the device.
Conditions: Occurs with DHCP Snooping + DAI configured on a Catalyst 6500 or Cisco 7600 in a routed scenario (Ingress VLAN and Egress VLAN are different) and DHCP Relay performed by a different device.
Workaround: Configure DHCP Snooping on both client and server side VLANs. Problem is applicable to both Cisco IOS Release 12.2(18)SXF and Cisco IOS Release 12.2(33)SRB.
•
CSCsu62667
Symptoms: LSP ID change after stateful switchover (SSO) due to failure in signaling recovered label switched path (LSP).
Conditions: Occurs following a SSO switchover.
Workaround: There is no workaround.
•
CSCsu63884
Symptoms: When platform sampling is configured (MLS sampling), PFC/DFC flows are sampled, while RP flows are not.
Conditions: This leads to Netflow collectors that cannot be programmed for sampling configuration by engine ID to overestimate the RP-captured flows packet/byte counts.
Workaround: There is no workaround.
•
CSCsu88256
Symptoms: Imposition traffic on an Ethernet Over MPLS (EoMPLS) VC is dropped.
Conditions: Occurs if xconnect is configured on an EVC with switchport on another interface.
Workaround: There is no workaround.
Further Problem Description: When this problem happens the DMAC used by the imposition line card is that of the switchport interface instead of the router MAC address, causing the packet to be dropped.
•
CSCsu89550
Symptoms: All tagged packets on a hardware Ethernet Over MPLS (EoMPLS) VC are subjected to CoPP when the VC is down.
Conditions: Occurs if VC is brought down by flapping core facing interface.
Workaround: Remove the control-plane policy.
Further Problem Description: It is applicable to only port-mode hardware EoMPLS.
•
CSCsv04507
Symptoms: Connectivity works initially, but adding one queueing service policy and then removing it from the interface breaks the connectivity between the end points.
Conditions: Occurs on a DLFI link on ATM.
Workaround: Perform a shut/no shut on the interface.
Resolved Caveats—Cisco IOS Release 12.2(33)SRB4
Cisco IOS Release 12.2(33)SRB4 is a rebuild release for Cisco IOS Release 12.2(33)SRB. The caveats in this section are resolved in Cisco IOS Release 12.2(33)SRB4 but may be open in previous Cisco IOS releases.
Miscellaneous
•
CSCea90968
Symptoms: When you enter the atm pvp vpi interface configuration command on a Cisco 7206VXR, the router may reload unexpectedly and display the following error message:
%ALIGN-1-FATAL: Illegal access to a low address addr=0x40, pc=0x60202778, ra=0x60202780, sp=0x63BF1718
Conditions: This symptom is observed on a Cisco 7206VXR that runs the c7200-js-mz image of Cisco IOS Release 12.3, 12.3 B, or 12.3 T and that is configured with a Network Processing Engine 225 (NPE-225).
Workaround: There is no workaround.
•
CSCec51750
Symptoms: A router that is configured for HTTP and voice-based services may reload unexpectedly because of an internal memory corruption.
Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.3 or Release 12.3 T.
Workaround: There is no workaround. Note that the fix for this symptom prevents the router from reloading and enables the router to generate the appropriate debug messages. The internal memory corruption is addressed and documented in caveat CSCec20085.
•
CSCec80902
Symptoms: A Cisco 7500 series that is configured for Hierarchical Queuing Framework (HQF) may reload unexpectedly because of a bus error.
Conditions: This symptom is observed when you attempt to print queue statistics for priority classes within the same layer of a policy map.
Workaround: There is no workaround.
•
CSCek74474
Symptoms: When you enter the protocol ip protocol-address broadcast command on an ISP termination point, the command may not be applied to a connected CPE, preventing the CPE from populating its ARP cache and from properly forwarding traffic.
Conditions: This symptom is observed on a Cisco router that functions as an ISP termination point and that is configured for point-to-point ATM connections when a connected CPE is configured for multipoint-to-point ATM connections.
Reason: Command is not applied until VC recreated or bounced.
Workaround: Configure the protocol ip protocol-address broadcast command as part of a PVC configuration on the CPE.
Alternate Workaround: Configure the connection between the ISP termination point and the CPE as a multipoint-to-point ATM connection.
•
CSCek75931
Symptoms: A Cisco 10000 series router may experience a CPUHOG condition.
Conditions: This condition is observed when there is an increase of more than 2000 sessions established.
Workaround: There is no workaround.
•
CSCsb63652
Symptoms: BGP convergence is very slow, and CPU utilization at the BGP Router process is always near 100 percent during the convergence at the aggregation router. This issue obviously shows the following tendencies:
1) The greater the number of component prefixes that belong to the aggregate-address entry, significantly slower convergence is seen at the aggregation router.
2) The greater the number of duplicate aggregation component prefixes for the aggregate-address entry, seriously slower convergence is seen at the aggregation router.
Conditions: Any release would be affected if "aggregate-address" is configured and routing updates are received every few seconds.
Workaround: Remove the "aggregate-address".
Further Problem Description: If you configure "aggregate-address" lines after BGP convergence has been achieved, the BGP process only holds about 60 or 80 percent of the CPU for about 1 minute. However, if you do peer reset after "aggregate-address" entries have been configured, the convergence time is about 32 minutes (it is about 6 minutes if "aggregate-address" entries are removed).
•
CSCsc87117
Symptoms: Bidirectional designated forwarder flaps, and packets are looped in the network for up to 20 seconds.
Conditions: Occurs when two bidirectional-enabled routers are servicing the last-hop receivers on 10 or more VLANs. There should be receivers on all 10 VLANs for a minimum of 1,000 groups. When the Reverse Path Forwarding (RPF) link of the active designated forwarder (DF) is shut or when the link is brought back up, the DF on the receiver VLAN needs to change from one box to another box. During DF transition, the DF election flaps and multicast packets are looped for up to 20 seconds.
Workaround: Configure the mls ip multicast Stub command on the receiver VLANs on both boxes.
•
CSCsc94969
Symptoms: After configuring import ipv4 unicast map #name under ip vrf #name, all existing routes (except direct connected) under the VPN routing/forwarding (VRF) table disappear.
Conditions: Occurs when router is configured with MPLS, VRF, and import IPv4.
Workaround: There is no workaround.
•
CSCsd80349
Symptoms: In a MPLS Traffic Engineering Fast Reroute environment, if the line protocol on the protected link goes down due to mismatched keep-alives on the link (or too many collisions), the forwarding plane does not switch traffic for protected label switched paths (LSP) to their respective backups.
Conditions: Occurs under the following scenario:
–
A Cisco router running a Cisco IOS Release 12.2S
–
Router acting as a Point of Local Repair (PLR) for MPLS Traffic Engineering Tunnels that request Fast Reroute protection
–
Mismatched keep-alives or excessive collisions on the protected link.
Workaround: There is no workaround.
•
CSCse55425
Symptoms: When configuring a serial interface or issuing show commands related to that serial interface, a router may incorrectly configure a different serial interface or may show output from a different serial interface in the router.
Conditions: The conditions under which the problem manifests itself are unknown, and appear to be random. The symptom exists only when using a channelized T3 card and configuring one of the T1s.
Workaround: A router reload clears the issue.
•
CSCsg21394
Symptoms: A router reloads unexpectedly because of malformed DNS response packets.
Conditions: This symptom is observed when you configure name-server and domain lookup.
Workaround: Configure the no ip domain lookup command to stop the router from using DNS to resolve hostnames.
•
CSCsg42672
Symptoms: On a Cisco router running Cisco IOS Release 12.0(32)S4 and configured with BGP and peer-groups, if the Fast Peering Session Deactivation feature is configured in the peer-group, the router automatically configures on the command a route-map with the same name as the peer-group.
Conditions: Occurs with the following configuration sequence:
RR#conf t
Enter configuration commands, one per line. End with CNTL/Z.
RR(config)#router bgp 65001
RR(config-router)#neighbor rrs-client fall-over ?
bfd Use BFD to detect failure
route-map Route map for peer route
<cr>
RR(config-router)#neighbor rrs-client fall-over
RR#sh ru
<snip>
router bgp 65001
neighbor rrs-client peer-group
neighbor rrs-client remote-as 20959
neighbor rrs-client update-source Loopback0
neighbor rrs-client fall-over route-map rrs-client <<<<<<<the route-map does not exist.
Workaround: Configure the neighbor individually or use peer-templates.
•
CSCsh32655
Symptoms: A router may crash when you remove a configuration that consists of multiple instances of BGP and the ip access-list command.
Conditions: This symptom is observed on a Cisco router when you remove the configuration through a TFTP server.
Workaround: Do not use a TFTP server to remove a BGP configuration.
•
CSCsh73139
Symptoms: IPv6 routes that are redistributed via the redistribute connected address family configuration command may disappear after you have performed an OIR of an Enhanced FlexWAN line card.
Conditions: This symptom is observed on a Cisco 7600 series. Note that only IPv6 is affected, IPv4 works fine.
Workaround: Disable and then re-enable the redistribute connected address family configuration command.
•
CSCsh74025
Symptoms: ATM packets are dropped, CLNS ping fails and Intermediate System-to-Intermediate System (IS-IS) adjacencies do not come up.
Conditions: Occurs when set atm-clp is configured in service policy.
Workaround: Remove the set atm-clp command from the service policy on the output interface.
•
CSCsi51014
Symptoms: Disk access causes router to crash.
Conditions: Occurs after fsck execution.
Workaround: Format the disk, which causes data loss on the affected disk.
•
CSCsi92079
Symptoms: If an access control list (ACL) is used for a destination only prefix, a fatal error is declared and shuts down optimized edge routing (OER). For destination only traffic classes, prefix-list should be used, not ACL or access control entry (ACE).
Conditions: This behaviour is observed on Cisco IOS Release 12.4(11)T and later releases at this time.
Workaround: Use prefix list instead of ACL/ACE for destination only traffic classes. For example:
–
use prefix list for a traffic class 10.1.1.0/24
–
use ACE for traffic class 10.1.1.0/24 DSCP af11
•
CSCsi97434
Symptoms: The router will crash when IPSec is established only in the case when both PKI and IKE AAA accounting are configured.
Conditions: This symptom occurs when PKI is configured, and the DN is used as the ISAKMP identity. The crash only occurs when the DN is not available, and the server tries to use the DN in the AAA accounting recording.
Workaround: Do not use this configuration combination (PKI, DN as ISAKMP identity and AAA accounting).
•
CSCsj19308
Symptom: MLPPP/MLFR ping failure on SPA-2/4CT3 or SPA-CH-STM
Conditions: MLPPP/MLFR configured on SPA-2/4CT3 or SPA-CH-STM
Workaround: Reload the SPA using hw-module subslot <slot>/<subslot> reload
•
CSCsj21785
Symptoms: A Traffic Engineering (TE) tunnel does not re-optimize to explicit path after an MTU change.
Conditions: The TE tunnel is operating via explicit path. The MTU on the outgoing interface is changed. OSPF flaps and does not come up because there is an MTU mismatch (the MTU is not changed on the peer router). Meanwhile the TE tunnel re-optimizes to a dynamic path-option as expected. The MTU is then reverted to the previous value, and the OSPF adjacency comes up. The TE tunnel does not re-optimize to the explicit path. Manual re-optimization of the TE tunnel fails as well, and the TE tunnel sticks to the dynamic path.
Workaround: Enter the shutdown command followed by the no shutdown command on the particular interface.
•
CSCsj37111
Symptoms: IPv4 inconsistencies and %FIB-4-FIBXDRINV error message upon reset of line card
Condition: Problem observed on Cisco 7600 series router.
Workaround: There is no workaround.
•
CSCsj50412
Symptoms: There are two symptoms:
1. Label Distribution Protocol (LDP) is not installing the outgoing label in Label Forwarding Information Base (LFIB) for a directly-connected static route with null next-hop.
2. MPLS LFIB may not be updated following a quick LDP session flap. This may result in a "No Label" for outgoing label for the affected prefix.
Conditions: Issue seen only when LDP flaps in a short interval.
Workaround: There is no workaround to prevent the issue. To recover, enter the clear ip route affected_prefix command, which triggers an install of the outgoing label.
Further Problem Description: LDP should have the label from the next-hop neighbor, but it does not update the LFIB. To confirm this, show mpls ldp binding <prefix> <mask> detail should show a label received from the appropriate neighbor.
•
CSCsj58223
Symptoms: Crash due to a bus error after the show memory command is entered.
Conditions: Occurs on a WS-C6509-E running Cisco IOS Release 12.2(18)SXF8. It happens very rarely.
Workaround: Do not use the show memory command.
•
CSCsj89712
Symptoms: Using scp to copy files from disk to SSH server is extremely slow. It takes more than 2 minutes to get the prompt back after launching the command to copy a small file.
Conditions: This has been seen on a Cisco 7600 router running Cisco IOS Release 12.2(33)SRA4 or Cisco IOS Release 12.2(33)SRB.
Workaround: Use another form of copy.
•
CSCsk03336
Symptom: Interface counters on line cards may show incorrect packet input statistics in the output of the show interface command.
Conditions: Occurs when the "CEF LC IPC Backg" process causes the line card CPU to exceed 90%. This is seen when an unstable network causes excessive CEF updates.
Workaround: There is no workaround.
•
CSCsk13725
Symptoms: When using SNMP to poll IP SLA (SAA/RTR) information on a router, the device gets stuck on one value. This can cause the network management application to time out or sometimes crash.
Conditions: This problem is only happening when polling the CISCO-RTTMON-MIB via snmp get.
Workaround: Instead of SNMP, use the command-line interface to retrieve the information.
•
CSCsk21328
Symptoms: Router crashes during shutdown or deletion of interface.
Conditions: Occurs on interfaces on which IPv6 is enabled.
Workaround: There is no workaround.
•
CSCsk26973
Symptoms: A router that is running NHRP leaks memory when many incomplete cache entries are created. The incomplete cache entries can be verified by typing the show ip nhrp command and looking for "type incomplete". The memory leaked can be seen by examining the output of the show chunk command and looking for "NHRP Cache".
Conditions: This symptom could occur when traffic to nonexistent or non-responding addresses is forwarded by the router over the DMVPN/NHRP cloud.
Workaround: There is no workaround.
•
CSCsk35241
Symptoms: BGP sessions on a scaled setup, like 800 eBGP peers, can sometimes get into a situation where BGP sessions go into active state only to be cleaned up later and then start anew. The router could be perpetually in this race condition once this occurs, not allowing the router to establish BGP sessions.
Conditions: The problem was seen on a line card online insertion and removal (OIR) on a Cisco 7600 router.
Workaround: Use the clear ip bgp * command to correct the problem.
•
CSCsk35985
Symptoms: The system crashes when the show ipv6 ospf lsdb-radix hidden command is entered.
Workaround: Do not enter the show ipv6 ospf lsdb-radix command.
•
CSCsk36324
Symptoms: On a Cisco router, OSPF might go into a loop during SPF calculation, causing high CPU utilization and rendering the router inaccessible.
Conditions: This symptom occurs when router LSAs with a link metric disallowed by RFC 2328 are present in the network (note that Cisco routers do not originate such LSAs) and when the network is unstable (link flapping during the SPF calculation).
Workaround: To fix the problem, reload the router. To prevent the problem, manually configure a link metric according to RFC 2328.
Important Note: CSCsk36324 caused MPLS TE defect CSCsl18176 and has been backed out under defect CSCsl18176. A new fix for this issue will be committed under defect CSCsl32318.
•
CSCsk66339
Symptoms: A Cisco 7600 router running Cisco IOS Release 12.2(18)SFX6 with intermediate system-to-intermediate system (IS-IS) and traffic engineering (TE) configured may encounter a condition in which IS-IS should remove the native path from its local RIB and call RIB code to remove the path from the global RIB, but the removal fails: either the "delete" message is not passed to the RIB properly, or the RIB does not react when it receives the "delete" call.
Conditions: The show mpls traffic-engineering tunnel command output may indicate "Removal Trigger: setup timed out" status.
Workaround: Perform a shut/no shut on the interface or change the metric temporarily to force an update with the tunnel mpls traffic-eng autoroute metric 1 command.
•
CSCsk69186
Symptoms: Walking entSensorThresholdTable of CISCO-ENTITY-SENSOR-MIB, with ES20 module in the chassis causes router to crash.
Conditions: Occurs when ES20 module is present during mibwalk.
Workaround: Create a view and exclude CISCO-ENTITY-SENSOR-MIB from that view.
•
CSCsk93241
Cisco IOS Software Multiprotocol Label Switching (MPLS) Forwarding Infrastructure (MFI) is vulnerable to a Denial of Service (DoS) attack from specially crafted packets. Only the MFI is affected by this vulnerability. Older Label Forwarding Information Base (LFIB) implementation, which is replaced by MFI, is not affected.
Cisco has released free software updates that address this vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml.
•
CSCsl16323
Symptoms: Traceback with the following message displayed:
PST: %COMMON_FIB-4-FIBNULLIDB: Missing idb for fibidb VRF_0_vlan1020 (if_number 132).
Conditions: This traceback is seen after doing stateful switchover.
Workaround: There is no workaround.
•
CSCsl19708
Symptoms: Fabric Channel may not go into sync on bootup.
Conditions: Can occur in any environment, but the error is only seen during bootup.
Workaround: There is no workaround.
•
CSCsl46846
Symptoms: Channel-group command disappears from the interface after reboot when channel-group is configured with outbound service policy.
Conditions: Happens only with QoS configuration.
Workaround: Reconfigure channel-group after bootup.
•
CSCsl52220
Symptoms: The snmp ifindex persist command is incorrectly enabled on some interfaces.
Conditions: This issue affects interfaces with similar interface descriptors. For example, if the command is enabled on Ethernet 0/1, it will be enabled on Ethernet 0/10 to Ethernet 0/19.
Workaround: There is no workaround.
•
CSCsl61164
Symptoms: Router may crash at ipflow_fill_data_in_flowset when changing flow version.
Conditions: Occurs when netflow is running with data export occurring while manually changing the flow-export version configuration from version 9 to version 5 and back to version 9 again.
Workaround: Do not change the netflow flow version while the router is exporting data and routing traffic.
•
CSCsl65327
Symptoms: Unable to write a large file when the file size is larger than the NVRAM size, even when service compress-config is enabled.
Conditions: Occurs when a large configuration file is copied to startup-config and the file is larger than the NVRAM size.
Workaround: Copy the file to running-config and then issue the wr mem command.
•
CSCsl70729
Symptoms: Following switchover, state sync to standby for 2,000 layer 2 virtual circuits takes 4-5 minutes, during which CPU usage is also very high (99%).
Conditions: This was observed with 2,000 anything over MPLS (AToM) circuits configured for nonstop forwarding (NSF) and stateful switchover (SSO).
Workaround: There is no workaround.
•
CSCsm01126
Symptoms: The standby fails to come up in SSO. The following message is seen on the active:
%FILESYS-4-RCSF: Active running config access failure (0) <file size>
Conditions: This symptom is observed when the router has a configuration greater than 0.5 megabytes.
Workaround: There is no workaround.
•
CSCsm15687
Symptoms: Configuration of the crypto connect vlan <x> command may fail when the command is applied to a dot1q subinterface.
Conditions: Occurs on a system with 7600-SIP-600 linecards and GE SPAs installed.
Workaround: There is no workaround.
•
CSCsm17983
Symptoms: Router experiences memory corruption.
Conditions: Unknown conditions. Appears to be random.
Workaround: There is no workaround.
•
CSCsm21435
Symptoms: Clock accuracy goes out of conformance when the reference clock is reverting from the secondary source to the primary after a switchover.
Conditions: Occurs when dual Circuit Emulation over Packet (CEoP) cards are receiving reference clock via each one's BITS-IN.
Workaround: There is no workaround.
•
CSCsm26130
Symptoms: When removing a subinterface from the configuration that contains an IP address that falls into the major net of the static route, the static route is no longer injected into the BGP table. Since the route is not in the BGP table, it is not advertised to any peers.
Conditions: This symptom is observed with auto-summary enabled in BGP. A static summary route is configured to null0 and is injected into the BGP table with a network statement.
Workaround: There are four possible workarounds:
1) Use an "aggregate-address" configuration instead of the static route to generate the summary.
2) Remove auto-summary from the BGP process.
3) Enter the clear ip bgp * command.
4) Remove and reconfigure the BGP network statement for the summary route.
•
CSCsm44147
Symptoms: The standby WS-SUP720-3BXL failed to boot into SSO mode because of MCL check failure with the FPD configuration command: upgrade fpd path sup-bootdisk:
Conditions: The problem happens when "sup-bootdisk:" is used as the FPD image package directory path argument in the upgrade fpd path pkg-dir-path configuration command for an active WS-SUP720-3BXL that supports the "sup-bootdisk:" filesystem, but the same filesystem is not supported by the standby WS-SUP720-3BXL.
Workaround: For systems that have a mixture of old and new WS-SUP720-3BXL, do not use "sup-bootdisk:" as the filesystem in the upgrade fpd path pkg-dir-path configuration command. Instead, use the "sup-bootflash:" filesystem, because this filesystem exists on both old and new WS-SUP720-3BXL.
Further Problem Description: The show module EXEC command can be used to identify the HW revision of the WS-SUP720-3BXL. If it does not have a version above 5.x, then it does not support the "sup-bootdisk:" filesystem.
•
CSCsm44620
Symptoms: Multicast tunnel not coming up after RPM change. A misconfiguration with overlapping networks causes the join to be rejected. This can be seen on the PIM neighbor list.
Conditions: There is a problem related to one of the hub cards in rpm-xf.10 in forwarding PIM traffic from 2 PEs (rpm-xf.13 & rpm-xf.11). After RP migration from AVICI to CRS we found that tunnels from the PE in slot 13 were not coming up. The PE in slot 13 was consistently in registering mode. The PE was not coming out of registering mode, which was preventing the tunnels from coming up. For the PE to come out of registering mode, S,G state should be built from the new RP down to the PE. At this stage the CRS (RP) showed that the S,G tree was established at the RP. The S,G tree was OK all the way down from the CRS to the last hop (P in slot 10) connecting to the slot 13 PE. The P router in slot 10, which is directly connected to the PE, showed that S,G state was established and the PE-facing interface was in the OIL. But there were a couple of discrepancies on the P in slot 10. There were no flags set on this P for the mroute of the PE. In addition, we found that the PE was not receiving any PIM traffic from the P in slot 10. This led to the suspicion that although the P showed the correct S,G and OIL, it was still not able to forward traffic to the PE. This could be the reason for the PE to remain in registering mode, preventing the tunnels from coming up.
Workaround: Remove the following configurations:
a. rpm-xfh10-z135 - shut & remove interface Switch1.4073
b. rpm-xfh09-z134 - shut & remove interface Switch1.4073
c. rpm-xfp11-l172 - remove interface Switch1.3172
d. rpm-xfp13-z074 - remove interface Switch1.4074
e. rpm-xfp04-l171 - remove interface Switch1.3171
•
CSCsm72987
Symptoms: When polling the ENTITY MIB for the gigabit ports that are integrated in the RSP720, there is an issue with entPhysicalParentRelPos for those Gigabit ports. They are reporting the same value.
Conditions: Occurs on Cisco 7600 routers with the RSP720 card and running Cisco IOS Release 12.2(33)SRC and Cisco IOS Release 12.2(33)SRB1.
Workaround: There is no workaround.
•
CSCsm73592
Symptoms: A reload may occur when an anything over MPLS (AToM) VC is torn down. Bug triggered initial crash of SIP-400 in slot 4 & ES20 in slot 3. Both cards had to be powered down and reset from the console to recover.
Conditions: Occurs when AToM VC is setup and torn down later.
Workaround: There is no workaround.
Further Problem Description: The crash may occur when an event triggers access to a previously set up AToM VC. For example, the crash may occur when fast reroute (FRR) is configured on the tunnel interface and the primary interface is removed, such as in the following scenario:
pseudowire-class ER1_to_HR1_EoMPLS
no preferred-path interface Tunnel501331 disable-fallback
!
interface tunnel501331
shutdown
!
no interface tunnel501331
•
CSCsm77171
Symptoms: Router will crash.
Conditions: Occurs with high traffic conditions where NetFlow has no free flows and multicast egress NetFlow is configured.
Workaround: Disable multicast egress NetFlow.
•
CSCsm79148
Symptoms: SNMPwalk fails with packet too big error on enterprises.9.9.492 in the OID tree.
Conditions: SNMPwalk failing with packet too big error.
Workaround: Exclude the cermScalarsGlobalPolicyName SNMP object using a view as shown below:
snmp-server view testview internet included
snmp-server view testview cermScalarsGlobalPolicyName excluded
snmp-server community public view testview RO
•
CSCsm79995
Symptoms: Spurious memory access may occur on the line card, which causes the SIP-400 to crash.
Conditions: May occur when attaching a service policy to any interface or removing the service policy.
Workaround: There is no workaround.
•
CSCsm87721
Symptoms: Dialer Cisco Express Forwarding (CEF) with IP accounting fails with packet counters returning zero for the member interface.
Conditions: This happens when ip accounting output-packets is configured on the NAS. When the NAS is checked with show adjacency detail, the output returns 0 packets and 0 bytes for the member interface.
Workaround: There is no workaround.
•
CSCsm89526
Symptoms: When a new class-map configuration is added to a policy-map, packets that belong to another existing class are dropped.
Conditions: Occurs on a Cisco 7600 router with ES20 and running Cisco IOS Release SW 12.2(33)SRB.
Workaround: There is no workaround.
•
CSCsm89735
Symptoms: A router might crash when the show idb command is issued.
Conditions: The crash is seen when the show idb command is issued after a large number of PPPoE sessions (for example, 6000 sessions) are initiated and cleared. The crash is seen with IPv6, but it is not seen with IPv4.
Workaround: There is no workaround.
•
CSCsm92916
Symptoms: When the number of VCs configured for out-of-band clock master are not continuous, the SPA might not generate packets for some of the clock master VCs.
Conditions: Occurs on the following hardware:
–
SPA-24CHT1-CE-ATM
–
SPA-1CHOC3-CE-ATM
–
SPA-2CHT3-CE-ATM
Workaround: Configure out-of-band clock master so that the number of VCs are continuous.
•
CSCsm93088
Symptoms: After a flap or disconnection/restoration of T1s, random Multilink bundles on Cisco 7606 running Cisco IOS Release 12.2(33)SRB2 are up, but traffic does not pass through them when working with a third-party device.
Conditions: This is an interoperability problem with a third-party device, and it appears when the T1 lines flap. When the T1s are restored, there is a problem with the synchronization of the sequence numbers.
Workaround: Delete and reconfigure the bundle, or reset the line card.
•
CSCsm96355
Symptoms: A Cisco 7600 running a Cisco IOS Release 12.2SR image might experience a small amount of packet loss (about 10-20 ms) during TE-FRR reoptimization. This happens only for EVC (Ethernet Virtual Circuit) or scalable Ethernet Over MPLS (EoMPLS) configurations with large number of traffic engineering (TE) tunnels.
Conditions: This issue happens only for traffic going over EVC or scalable EoM VCs when the box has scaled configuration, such as a large number of TE tunnels.
Workaround: There is no workaround.
•
CSCsm96785
Symptoms: You may observe a problem in which the OSPF neighbor is down after switchover in spite of using OSPF Non-Stop Forwarding (NSF).
Conditions: This occurs with the following conditions:
–
Only "nsf cisco" is affected. With "nsf ietf", this problem does not occur.
–
You may observe this problem if the OSPF interface is "point-to-multipoint non-broadcast" or "point-to-multipoint". If the interface is "broadcast", this problem does not occur.
–
When this problem occurs after switchover, DBD packets may not be exchanged between two neighbors, and the neighbor is down in spite of NSF.
Workaround: Change the OSPF config to "nsf ietf" and change the OSPF interface to "broadcast".
•
CSCsm97297
Symptoms: Output direction ACL does not work.
Conditions: Occurs when ip cef accounting is enabled on a MPLS enabled router doing tag disposition. If packets coming in are tagged, and they are going out of the router as untagged, the output IP ACL may not work.
Workaround: Reconfigure the static route or clear the route.
•
CSCso00793
Symptoms: Enhanced-Flexwan crashes with cache error with MEM-CC-WAN-512M=, version "VI4DP647228EBK-MD" installed.
Example of Symptom:
Cache error detected!
CP0_CAUSE (reg 13/0): 0x00004000
CPO_ECC (reg 26/0): 0x40000000
Data cache error
CPO_BUSERRDPA (reg 26/1): 0xFFDFFFE0
CPO_CACHERI (reg 27/0): 0x200011C0
Tag address parity error
Instruct cache index 0x0000008E
CPO_CACHERD (reg 27/1): 0x840000A0
Multiple data cache errors
External cache error
Data cache index 0x00000005
CPO_CCHEDPA (reg 27/3): 0x09271600
Interrupt exception, CPU signal 20, PC = 0xA0000100
-Traceback= 40723DA8 406AF1B0 406B5BC8 406BAAF8 406BC200 406B4788 4072AA0C 4011D870 4012D204
Conditions: This issue is seen under certain conditions, which are not fixed. No specific trigger.
Workaround: There is no workaround.
•
CSCso06409
Symptoms: A Cisco 7600 (RSP720-3C/CXL) may experience high CPU utilization from the moment (S,G) expires because all outgoing interfaces are down.
Conditions: This symptom occurs when indirect-connected multicast source traffic arrives at the PIM-RP router without any receiver on that group. A (*,G) state with NULL RPF interface and NULL OIL is created and used to forward the traffic. Because of the NULL RPF, this (*,G) state cannot be installed in Cisco 7600 hardware. The multicast data packets are punted to the CPU, which causes high CPU utilization.
Workaround: Partial workaround is to apply RP rate-limiter with fib-miss option.
•
CSCso10596
Symptoms: Polling cvpdnSessionAttrDevicePhyId from the CISCO-VPDN-MGMT MIB may show that multiple users are mapped to the same Virtual-Access SNMP ifIndex. This affects statistics collection or billing using IF-MIB counters.
Conditions: This symptom is observed when PPP renegotiates an existing PPP connection on a Virtual-Access interface.
Workaround: When possible, use RADIUS accounting for gathering statistics or billing.
•
CSCso12305
Symptoms: The IPv6 Cisco Express Forwarding (CEF) table may be missing prefixes which are present in the IPv6 RIB.
Conditions: Occurs when CEF is disabled and re-enabled.
Workaround: Enter the clear ipv6 route * command.
•
CSCso15725
Symptoms: Module's configuration not synchronized to standby supervisor if module resets while standby is booting up.
Conditions: This bug may be seen if linecard or SPA were to reset before standby reaches standby hot terminal state.
Workaround: Use redundancy reload peer to reset standby supervisor. On its next boot, configuration is synchronized to standby.
•
CSCso20519
Symptoms: There is some probability of Cisco IOS bootup failures on the Cisco 7600-SSC-400.
Conditions: The failures are seen at cold temperature corners in testing. There are no failures reported from the field.
Workaround: There is no workaround.
•
CSCso21611
Symptoms: Device crashes due to memory allocation issue.
Conditions: Observed on Cisco 7200, but this is not a platform-specific bug.
Workaround: There is no workaround.
•
CSCso40678
Symptoms: Multilink PPP interface may cease passing traffic after one of the MLP group's member links receives an AIS from the TDM network.
Conditions: Problem occurs on a Cisco 7600/SUP-720/OSM/CHOC12/T1-S1 running the c7600s72033-adventerprisek9-mz.122-33.SRB2 image.
Workaround: Perform a shut/no shut of the multilink interface.
•
CSCso44120
Symptoms: Unable to perform SNMPwalk of clcFdbVlanInfoTable.
Conditions: Occurs all the time.
Workaround: There is no workaround.
•
CSCso49598
Symptoms: Standby reloads continuously when "MAXINT" is used with "int ran" to create logical interfaces using.
Conditions: Occurs in SSO mode.
Workaround: Avoid giving MAXINT as range.
Further Problem Description: At a stretch, only 1000 logical interfaces could be created through interface range. Because of a wrap-around problem, no error was shown when MAXINT was given as an option, and the router started creating that many interfaces, far beyond the MAXINTERFACES supported by any existing platform. This exhausts memory and leads to various side effects, such as standby reload.
•
CSCso50602
Symptoms: Router reloads after the show ip bgp ipv4 mdt vrf command is entered.
Conditions: Occurred on a Cisco 7600 router running Cisco IOS Release 12.2(33)SRB2. Occurs when the show ip bgp ipv4 mdt vrf command is entered with the IP address option, such as show ip bgp ipv4 mdt vrf abc123 x.x.x.x.
Workaround: The reload can be avoided by not using the IP address option with the show ip bgp ipv4 mdt vrf command. None of the other options available for this command will trigger a reload.
•
CSCso53306
Symptoms: A Cisco IOS device may crash with a data bus error exception and stack trace PC = 0xA0000100.
Conditions: Device is running normal production traffic. Presence of malformed punted RP packets in this network caused the issue.
Workaround: There is no workaround.
•
CSCso53377
Symptoms: With large number of label switched paths (LSP), the SSO recovery process may take longer than expected. Therefore sometimes not all traffic engineering (TE) LSPs can recover after SSO switchover.
Conditions: Occurs when there is a large number of LSPs.
Workaround: There is no workaround.
•
CSCso54167
Symptoms: BGP peers are stuck with table versions of 0. BGP peers do not announce any routes to neighbors.
Conditions: Whenever the interfaces are flapped with online insertion and removal (OIR) multiple times, all of the BGP peers using such interfaces for peering connections encounter this issue.
Workaround: Delete and reconfigure the neighbor.
•
CSCso56185
Symptoms: L2TP Start-Control-Connection-Request (SCCRQ) and Start-Control-Connection-Reply (SCCRP) messages have an incorrect setting of the mandatory bit for the Receive Window Size attribute-value pair (AVP). This may cause L2TP/VPDN sessions to fail to connect.
Conditions: Occurs in VPDN environments where the peer requires tight protocol adherence.
Workaround: There is no workaround.
•
CSCso57886
Symptoms: A Cisco IOS device may crash with a data bus error exception and stack trace PC = 0xA0000100.
Conditions: Device is running normal production traffic. Presence of malformed punted RP packets in this network caused the issue.
Workaround: There is no workaround.
•
CSCso62526
Symptoms: Standby supervisor reloads after the interface configuration command no flow-sampler <name> is used to remove flow sampler map.
Conditions: Occurs on a Cisco 7606s with two RSP720-3C-GE configured for normal use with sampled NetFlow configured. To cause the issue, a sampler must be explicitly detached.
Workaround: There is no obvious workaround to the issue. To avoid the issue, avoid detaching the sampled NetFlow.
•
CSCso63263
Symptoms: The RP will start showing IPC-5-WATERMARK: 988 messages pending in xmt for the port messages on the screen. The number of messages will change.
Conditions: The router has 275,000 i-BGP routes injected into the router. Among these routes, 100,000 are flapped continuously for one to one and a half days. They are flapped every 10 sec. The problem needs at least a day's worth of continuous flapping.
Workaround: Stop the route flap. Although the messages will keep coming, there is no impact on functionality. The messages are bogus because they originate from a wrong count.
•
CSCso63807
Symptoms: Packet loss when pinging an IP Address in a VPN routing/forwarding (VRF).
Conditions: This problem is seen on a Cisco 7600 after the VRF configuration on a port is rapidly changed, such as the following example:
interface gi3.1.88
ip vrf forwarding aaaa
ip vrf forwarding bbbb
Workaround: Delete the VRF with no ip vrf forwarding aaaa before changing the VRF under the interface.
Further Problem Description: The VLAN RAM, which stores the VRF ID, is programmed wrong when this issue is seen. This causes packet loss or packets to be punted to the RP to resolve the conflict.
•
CSCso66668
Symptoms: FlexWAN line card crashes in Cisco 7600 chassis.
Conditions: Occurs when bre-connect is configured on an ATM PVC.
Workaround: There is no workaround.
•
CSCso66862
Symptoms: Router crashes due to bus error. The crash is seen after repeatedly removing virtual-template interfaces under ATM.
Conditions: The crash is seen under the following conditions.
1) Bringing up nearly 3k PPPoE and PPPoEoA sessions.
2) Configuring no interface virtual-template <no> under ATM interfaces.
Repeating Step 2 continuously will cause a crash.
Workaround: There is no workaround.
•
CSCso78716
Symptoms: SNMP object entPhysicalVendorType returns incorrect value.
Conditions: Occurs only on a Cisco 7603s.
Workaround: There is no workaround.
•
CSCso79720
Symptoms: When the show interface command is entered, all of the Layer 2 switch port interfaces on ES-20 are shown with the same bridge MAC.
Conditions: Only seen on ES-20.
Workaround: There is no workaround.
•
CSCso86674
Symptoms: Border Gateway Protocol (BGP) is unable to get route information after shut/no shut is performed on BGP neighbor on far-end.
Conditions: Issue is seen when BGP is used for IPv6 routing.
Workaround: This problem can be recovered by doing shut and no-shut again. Also, problem will not happen if you set network <prefix> at address-family on far-end router.
•
CSCso87348
Symptoms: A Catalyst 6500 or a Cisco 7600 may reload unexpectedly.
Conditions: Occurs when NetFlow is configured on one of the following:
–
Cisco 7600 running Cisco IOS Release 12.2(33)SRC.
–
Catalyst 6500 running Cisco IOS Release 12.2SXH.
Workaround: Disable NetFlow. This is done with the following commands:
no ip flow ingress
no ip flow egress
no ip route-cache flow
Enter the appropriate command for each sub-interface for which NetFlow is currently configured.
•
CSCso88898
Symptoms: The line card displays memory allocation failure messages, and memory statistics indicate a continuous decline in free memory.
Conditions: When port mode or VC mode cell relay configuration is applied on an ATM interface, it is observed that after traffic switching for a long time (approximately 48 hours, depending on scale), the above problem occurs.
Workaround: There is no workaround.
•
CSCso91230
Symptoms: A router may display the following error:
%LINK-2-INTVULN: In critical region with interrupt level=0, intfc=ATM0 -Process= "IGMP Snooping Receiving Process"
Conditions: The symptom is observed when bridged traffic is passing to an MLPP interface.
Workaround: Disable IGMP snooping with the no ip igmp snooping command.
•
CSCso93883
Symptoms: Upon reload of a DFC, traffic coming from the MPLS cloud might be dropped when the traffic is destined for an EoMPLS connection on a MUX-UNI.
Conditions: This is seen on 12.2(33)SRB3 and 12.2(33)SRA3. The incoming module needs to be a DFC, and the egressing port needs to be a MUX-UNI. This does not happen to regular Ethernet Over MPLS (EoMPLS) connections.
Workaround: Perform a shut/no shut on the connection towards the MPLS network, then shut/no shut the VC.
•
CSCso99860
Symptoms: Some of the initially shipped PWR-1500-DC power supplies in Cisco 7603S chassis have an incorrect SNMP OID programmed in the IDProm. The vendorOID does not match the CANA-assigned number in CISCO-ENTITY-VENDORTYPE-OID-MIB.my.
Conditions: This is applicable for those power supplies for which the vendorOID is programmed as 193 and not as 194.
Workaround: There is no workaround.
•
CSCsq09962
Symptoms: Cisco 7600 router crashes at "pim_proxy_empty_rd."
Conditions: Customer seeing crash with decode during initial deployment of new Cisco 7600 router.
Workaround: There is no workaround.
•
CSCsq13938
Symptoms: In Cisco IOS software that is running the Border Gateway Protocol (BGP), the router may reload if BGP show commands are executed while the BGP configuration is being removed.
Conditions: This problem may happen only if the BGP show command is started and suspended by auto-more before the BGP-related configuration is removed, and if the BGP show command is continued (for example by pressing the SPACE bar) after the configuration has been removed. This bug affects BGP show commands related to VPNv4 address family. In each case the problem only happens if the deconfiguration removes objects that are being utilized by the show command. Removing unrelated BGP configuration has no effect.
This bug is specific to MPLS-VPN scenarios (CSCsj22187 fixes this issue for other address-families).
Workaround: Terminate any paused BGP show commands before beginning operations to remove BGP-related configuration. Pressing "q" to abort suspended show commands, rather than SPACE to continue them, may avoid problems in some scenarios.
•
CSCsq16830
Symptoms: Stale NFS entry left on ESM20G card when diagnostics is enabled.
Conditions: Occurs on Cisco 7609 ESM20G cards after the router is reloaded.
Workaround: Disable diagnostics and reset the line card.
•
CSCsq19146
Symptoms: Customer seeing multiple "%SIP200_SPIRX-3-SPA_INTERRUPT: SPA 0 - seq err, SPA Int status = 0x4" errors.
Conditions: Occurs under normal operating conditions.
Workaround: There is no workaround.
•
CSCsq19159
Symptoms: System crash or memory corruption occurs.
Conditions: Occurs when repeated linecard resets are seen in the device or repeated linecard online insertion and removal (OIR) operations are performed.
Workaround: There is no workaround.
•
CSCsq20970
Symptoms: On the 2432 platform UUT, the 'atm' option is missing in the 'mode' CLI when the T1 controller is being configured for ATM.
Conditions: The symptom is observed on the 2432 platform with a T1 controller.
Workaround: There is no workaround.
•
CSCsq22383
Symptoms: A Cisco 7600 router may sometimes hang while performing configuration/deconfiguration stress tests.
Conditions: Occurs on a Cisco 7600 router running Cisco IOS Release 12.2(33)SRB3.
Workaround: There is no workaround.
•
CSCsq22417
Symptoms: A Cisco 7600 running configuration/deconfiguration tests repeatedly over time may crash.
Conditions: Unknown conditions.
Workaround: There is no workaround.
•
CSCsq25028
Symptoms: Malloc errors are seen on enhanced FlexWANs with 256MB memory in RSP720 systems when another line card is inserted or powered up. The FlexWAN I/O memory low watermark becomes very low while the number of allocated IPC buffers grows into the hundreds.
Conditions: Seen only on RSP720, not seen on SUP720 systems. Routing table has 30,000 routes or more.
Workaround: There is no workaround.
Further Problem Description: Inserting or powering up a line card prompts the RP to send all info to all cards and FlexWAN bays in the chassis. The RSP720 sends info at a higher rate than the FlexWAN can immediately process, so hundreds of IPC buffers are allocated until its I/O pool is exhausted and a malloc error is reported. This may not impact operation, but the risk of memory fragmentation and other failures increases.
•
CSCsq31808
Symptoms: With eiBGP multipath, incoming labeled packets may get looped in MPLS core instead of getting forwarded to CE, causing traffic issues. The following symptom may be found:
–
The error message below is frequently generated.
Dec 17 07:44:46.734 UTC: %COMMON_FIB-3-BROKER_ENCODE: IPv4 broker failed to encode msg type 0 for slot(s) 0B
-Traceback= 6044E470 60465864 6043BCFC 6043B570
–
The debug cef xdr command yields the following message:
Mar 31 17:44:40.576 UTC: FIBrp_xdr: Table IPv4:<vrf name>, building insert event xdr for x.x.x.x/y. Sources: RIB
Mar 31 17:44:40.576 UTC: FIBrp_xdr: Encoding path extensions ...
Mar 31 17:44:40.576 UTC: FIBrp_xdr: - short ext, type 1, index 0
Mar 31 17:44:40.580 UTC: FIBrp_xdr: Getting encode size for IPv4 table broker FIB_FIB xdr
Mar 31 17:44:40.580 UTC: - short path ext: len 12
Mar 31 17:44:40.580 UTC: - short path ext: len 24
Mar 31 17:44:40.580 UTC: - feat IPRM, len 12
Mar 31 17:44:40.580 UTC: => pfx/path 113 + path_ext 24 + gsb 8 + fs 16 = 161
–
Checking the prefix shows that it points to a drop entry.
router#show mpls forward vrf <vrf name> x.x.x.x
Local  Outgoing    Prefix            Bytes Label   Outgoing   Next Hop
Label  Label or VC or Tunnel Id      Switched      interface
937    No Label    x.x.x.x/y[V]      0             drop       <========= it is drop
–
Checking the MOI flag of the eBGP path shows that the No_Global flag (0x10) was incorrectly set.
router#show ip cef vrf <vrf name> x.x.x.x int
[snip]
path_list contains at least one resolved destination(s). HW not notified
path 70BFFC5C, path list 20E87B58, share 1/1, type recursive nexthop, for IPv4, flags resolved
MPLS short path extensions: MOI flags = 0x16 <-------MOI flags 0x10 is incorrectly set (for ebgp path, correct flag should be 0x4, 0x5, 0x6 ..) correct now.
[snip]
Conditions: eiBGP multipath is enabled; the iBGP path comes up first, then the eBGP path. Both the eBGP and iBGP paths could be in MPLS forwarding, causing the issue.
Workaround: Using the clear ip route vrf <name> x.x.x.x command clears the issue.
•
CSCsq31923
Symptoms: Crash may occur after polling MPLS-LSR-MIB mplsInterfaceConfTable.
Conditions: MPLS-enabled tunnels exist in configuration and some are removed by doing no int tunnel<tunnelid>. If mibwalk of any object in mplsInterfaceConfTable is performed after that, this may result in crash.
Workaround: Remove MPLS configuration on tunnel with the no tunnel mode mpls traffic-eng command before entering the no int tunnel command.
Further Problem Description: This problem has been found to occur when the tunnel also contains the following config: tunnel mpls traffic-eng path-option 1 dynamic. The crash occurs only if the image contains the fix for CSCsm97259. A message similar to the following is seen before the crash:
Jun 3 11:53:59.955 PDT: %TIB-3-GENERAL: MPLS MIB subblock ifIndex corrupted for ifIndex: 46 - was: 1198404176; corrected
•
CSCsq36782
Symptoms: In an Ethernet Over MPLS (EoMPLS) environment, after fast reroute (FRR) from an interface on SIP600 to an interface on SIP400 and re-optimization, traffic is blackholed from the CPE device to the core.
Conditions: This happens only after FRR from a SIP600 module to a SIP400 module. FRR between SIP400 modules does not experience this problem.
Workaround: There is no workaround.
•
CSCsq42931
Symptoms: A Cisco 7600 series router may reload twice when the router is booting up.
Conditions: This is a very rare occurrence. A Cisco 7600 series might reload while it is booting up. Additionally, spurious access might be seen when linecards are booting up. These messages have no impact on functionality or stability of the router.
Workaround: There is no workaround.
•
CSCsq43831
Symptoms: A Cisco IOS router may unexpectedly reload when Forwarding Information Base (FIB) processes an adjacency for route that has many levels of recursion.
Conditions: This has only been seen after the following error message was displayed:
%COMMON_FIB-6-FIB_RECURSION: 10.10.10.1/32 has too many (8) levels of recursion during setting up switching info
Workaround: Change static routes so they specify both the interface and next-hop instead of just specifying the next-hop. For example, change:
ip route 10.0.0.0 255.255.255.255 192.168.1.1
to
ip route 10.0.0.0 255.255.255.255 GigabitEthernet1/0 192.168.1.1
This is particularly true when using eBGP between loopbacks to allow for multiple parallel links between the two eBGP peers, where one typically installs static routes for the eBGP peer's address. Make sure these static routes have both interface and next-hop specified.
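The workaround above can be checked against a saved configuration. The following Python sketch is an added example (not part of the original release note and not Cisco code) that flags IPv4 static routes written with a next hop only; apart from the two route forms shown above, the sample lines, the VRF name and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample configuration. Only the first two lines mirror the
# "change ... to ..." forms shown in the workaround; the rest are made up.
SAMPLE_CONFIG = """\
ip route 10.0.0.0 255.255.255.255 192.168.1.1
ip route 10.0.0.0 255.255.255.255 GigabitEthernet1/0 192.168.1.1
ip route vrf CUST-A 172.16.5.0 255.255.255.0 192.168.7.2 name to-peer
ip route 0.0.0.0 0.0.0.0 Null0
 description ip route 10.1.1.1 is only mentioned in this text
ip route 10.9.9.9 255.255.255.255 TenGigabitEthernet2/1 10.1.1.2 200 tag 65
"""


def _is_ipv4(token):
    """True if token is a dotted-quad IPv4 address."""
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def classify_static_route(line):
    """Classify one configuration line.

    Returns None for anything that is not an IPv4 static route. Otherwise
    returns a dict with the VRF (or None), prefix, mask and a kind:
    "next-hop-only", "interface+next-hop" or "interface-only".
    """
    tokens = line.split()
    if tokens[:2] != ["ip", "route"]:
        return None
    rest = tokens[2:]
    vrf = None
    if len(rest) >= 2 and rest[0] == "vrf":
        vrf, rest = rest[1], rest[2:]
    # A route needs a prefix, a mask and at least one forwarding target.
    if len(rest) < 3 or not (_is_ipv4(rest[0]) and _is_ipv4(rest[1])):
        return None
    prefix, mask, target = rest[0], rest[1], rest[2:]
    if _is_ipv4(target[0]):
        # Address directly after the mask: the form the workaround replaces.
        kind = "next-hop-only"
    elif len(target) > 1 and _is_ipv4(target[1]):
        # Interface name followed by an address: the recommended form.
        kind = "interface+next-hop"
    else:
        # Anything else is treated as an interface name without a next hop.
        kind = "interface-only"
    return {"vrf": vrf, "prefix": prefix, "mask": mask, "kind": kind}


def audit_static_routes(config_text):
    """Return (line_number, line, route) for every next-hop-only route."""
    findings = []
    for number, raw in enumerate(config_text.splitlines(), start=1):
        # Global commands start in column 0; indented lines belong to a
        # sub-mode (interface, router, ...) and are skipped.
        if raw.startswith(" "):
            continue
        route = classify_static_route(raw)
        if route and route["kind"] == "next-hop-only":
            findings.append((number, raw.strip(), route))
    return findings


if __name__ == "__main__":
    for number, line, route in audit_static_routes(SAMPLE_CONFIG):
        scope = "vrf " + route["vrf"] if route["vrf"] else "global table"
        print(f"line {number} ({scope}): next hop only -> {line}")
```

Each flagged line is a candidate for rewriting with both the egress interface and the next hop, as the workaround describes.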
•
CSCsq47355
Symptoms: On Cisco 7600 routers, the switch processor may crash the router when BGP is configured in rare situations.
Conditions: This is a rare condition that can most likely happen with L3VPN and BGP recursive routes configured when a network, routing, or link event occurs (e.g., link flap in the remote ends, routing flaps, etc). This issue may also require routes to be load-balanced over multiple links.
This issue only affects 12.2(33)SRB and 12.2(33)SRC and is fixed in 12.2(33)SRB4 and 12.2(33)SRC2 and later releases.
Workaround: There is no workaround.
•
CSCsq57462
Symptoms: Ethernet Out of Band Channel (EoBC) hang causes line card reset. EoBC might get stuck resulting in communication loss between RP/SP and line card. This will result in line cards getting reset. This is a very rare condition and is seen only once so far.
Conditions: Occurs during increased EoBC traffic due to convergence or link flap and is very rarely seen.
Workaround: This impacts only one CPU. A forced switchover will recover from this condition.
•
CSCsq62703
Symptoms: Intermediate System-to-Intermediate System (IS-IS) tries to access invalid memory address and may cause router to stop working.
Conditions: Occurs when a switch over happens and standby router becomes active.
Workaround: There is no workaround.
•
CSCsq67779
Symptoms: Port numbering is incorrect during SNMPwalk. For example, PORT 3/1/3 is displayed as 3/0/13.
Conditions: This is seen during SNMPwalk of ES20 line cards.
Workaround: There is no workaround.
•
CSCsq67811
Symptoms: System crashes due to I/O memory with the following error message:
"%ETSEC-3-RECOVER_TX: Interface EOBC0/0 TX workaround invoked"
Conditions: This condition is caused by a lockup inside the Ethernet Out of Band Channel (EOBC) MAC. This problem is rarely seen.
Workaround: There is no workaround.
•
CSCsq67817
Symptoms: ETSEC freeze might cause router to crash due to memory depletion.
Conditions: There is a rare hardware issue, which might lock up ETSEC driver transmit. This condition has been observed only once.
Workaround: There is no workaround.
•
CSCsq71036
Symptoms: On Cisco 7600 routers, a possibility exists of various error messages being seen due to memory corruption.
Conditions: No known triggers. The error has never been reported on a Cisco 7600 router, only on Cisco 6000 routers.
Workaround: There is no workaround.
•
CSCsq87496
Symptoms: "%OIR-6-INSCARD" syslog event is not sent from the device following online insertion and removal (OIR).
Conditions: Occurs after a card has been inserted. "%OIR-6-INSCARD: Card inserted in slot x, interfaces are now online" syslog message should be sent, but is not.
Workaround: Use SNMP to trap "entconfigchange".
•
CSCsq88905
Symptoms: ES-20 ports are not properly modeled in Cisco Active Network Abstraction (Cisco ANA). Some ports' snmp-presentation locations are shown incorrectly.
Conditions: The issue is seen when ANA is used to manage ES20 line card.
Workaround: There is no workaround.
Resolved Caveats—Cisco IOS Release 12.2(33)SRB3
Cisco IOS Release 12.2(33)SRB3 is a rebuild release for Cisco IOS Release 12.2(33)SRB. The caveats in this section are resolved in Cisco IOS Release 12.2(33)SRB3 but may be open in previous Cisco IOS releases.
Miscellaneous
•
CSCdv07156
Symptoms: A router that is configured with thousands of RIP routes may crash when multiple links flap.
Conditions: This symptom is observed on a Cisco router that is configured for RIP.
Workaround: There is no workaround.
•
CSCeb69473
Symptoms: Device crashes with a segmentation violation (SegV) exception.
Conditions: Occurs when the connect target_ip [login|513] /terminal-type value command is entered with a large input parameter to the terminal-type argument such as the following:
router>connect 192.168.0.1 login /terminal-type aaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Trying 192.168.0.1...Open
login:
*** System received a SegV exception ***
signal= 0xb, code= 0x1100, context= 0x82f9e688
PC = 0x61616160, Vector = 0x1100, SP = 0x833ae5a8
Workaround:
AAA Authorization
AAA authorization enables you to limit the services available to a user. When AAA authorization is enabled, the network access server uses information retrieved from the user's profile, which is located either in the local user database or on the security server, to configure the user's session. Once this is done, the user will be granted access to a requested service only if the information in the user profile allows it.
For a complete description of authorization commands, refer to the following links:
Configuring Authorization http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/schathor.html
ACS 4.1 Command Authorization Sets http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/SPC.html#wpxref9538
ACS 4.1 Configuring a Shell Command Authorization Set for a User Group http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/GrpMgt.html#wp480029
Role-Based CLI Access
The Role-Based CLI Access feature allows the network administrator to define "views," which are a set of operational commands and configuration capabilities that provide selective or partial access to Cisco IOS EXEC and configuration (Config) mode commands. Views restrict user access to Cisco IOS command-line interface (CLI) and configuration information; that is, a view can define what commands are accepted and what configuration information is visible. Thus, network administrators can exercise better control over access to Cisco networking devices. The following link provides more information about the Role-Based CLI Access feature:
Role-Based CLI Access http://www.cisco.com/en/US/netsol/ns696/networking_solutions_white_paper09186a00801ee18d.shtml
Device Access Control
Due to the nature of this vulnerability, networking best practices such as access control lists (ACLs) and Control Plane Policing (CoPP) that restrict vulnerable device access to certain IP addresses or subnetworks may not be effective. Device access best practices provide some mitigation for these issues by allowing systemic control of authenticated and unauthenticated users. Device access best practices are documented in:
Infrastructure Protection on Cisco IOS Software-Based Platforms Appendix B-Controlling Device Access http://www.cisco.com/application/pdf/en/us/guest/products/ps1838/c1244/cdccont_0900aecd804ac831.pdf
Improving Security on Cisco Routers http://www.cisco.com/warp/public/707/21.html
•
CSCed88426
Symptoms: An extended ACL applied on an interface does not permit/deny traffic as expected on the standby after switchover.
Conditions: This symptom occurs when the user does ACL configuration using acl submode and types Ctrl-C. This causes the config mode to be exited on active, but the command line synced to standby is "\0". Nothing gets executed on standby, and the ACL submode exit handler is not called. If switchover happens, ACL configuration becomes out of sync.
This happens only at the first switchover. Subsequent switchovers do not show this issue.
Workaround: Avoid the use of Ctrl-C in the ACL submode; use Ctrl-Z or the exit command instead.
•
CSCef15846
Symptoms: There are two symptoms which are fixed by this bug.
Symptom 1: When the last peer of a peer-group that is defined in a vrf address-family is deleted, the peer-group configuration will also disappear if no policy is configured for the peer-group.
Condition 1: This symptom is observed in a customer configuration modification.
Workaround 1: Configure a policy for the peer-group such as a route-map.
Symptom 2: Peer-group that is used exclusively by IPv6 peers is activated under the IPv4 address-family.
sho configuration | b address-family ipv4
address-family ipv4
neighbor rr-server activate
neighbor RD-BGP-SOURCE activate
neighbor v6-rr-server activate <==
neighbor 10.1.1.1 peer-group rr-server
neighbor 10.1.1.2 peer-group rr-server
neighbor 192.168.1.1 peer-group RD-BGP-SOURCE
no auto-summary
no synchronization
exit-address-family
Condition 2: This symptom is observed when the v6 peer-group is activated under the IPv4 address family as soon as it is created.
Workaround 2: There is no workaround.
•
CSCeg52893
Symptoms: VTY or TTY sessions may hang after unsuccessful authentication attempts to an external AAA server. For a line that is still considered active, the output of the show line line-number command, shows the following:
Modem state: Ready, Carrier Dropped
When you enable the debug tacacs command, the following debug statement is generated during the authentication failure:
No sock_ctx found while handling request timeout
Conditions: This symptom is observed on a Cisco platform when external authentication fails before the maximum authentication attempts are reached locally.
Workaround: When the symptom has occurred, reload the router to clear the hung VTY or TTY sessions. For a NAS with internal modems, you may be able to clear the hung VTY or TTY sessions by entering the clear port slot/port EXEC command.
To prevent the symptom from occurring, configure the maximum authentication attempts on the Cisco platform to be lower than the maximum authentication attempts on the external AAA server by entering the aaa authentication attempts login number-of-attempts global configuration command, in which the number-of-attempts argument is a value that is smaller than the maximum authentication attempts that are configured on the external AAA server.
•
CSCej20707
Symptoms: The CPU usage may be high, and an IGP (OSPF or IS-IS) adjacency may drop when PIM sparse mode (PIM-SM) stress traffic is being processed.
Conditions: This symptom is observed on a Cisco router that connects to a receiver and that has 60,000 (s,G) join messages. The symptom occurs when you enter the show ip mroute count command or when there is an abrupt increase in multicast groups.
Workaround: Do not enter the show ip mroute count command. Rather, enter the show ip mroute count terse command. Increase multicast groups gradually to avoid high CPU usage. In addition, the following actions may also help to alleviate the symptoms:
–
Enter the ip pim register-rate-limit command on the first hop.
–
Enter the ip pim fast-register-stop command on the PIM-RP.
–
Disable RP rate-limiting commands on the PIM-RP and first hop.
•
CSCej77184
Symptoms: After an SSO switchover has occurred, the following error message may be generated:
LSD-4-LABEL_RESOURCE: label range 16-524287 exhausted
Conditions: This symptom is observed on a Cisco router that functions in an MPLS configuration under a heavy traffic load that causes bulk synchronization to take a relatively long time. The symptom occurs when there is label allocation between the "bulk-sync-done" state and the "Standby Hot" state.
Workaround: There is no workaround.
•
CSCek73579
Symptoms: Site of Origin (SoO) filtering appears broken and allows unexpected entries.
Conditions: This symptom is seen during normal use.
Workaround: There is no workaround.
•
CSCek73767
Symptoms: Reloading Gigabit Ethernet SPA causes a line card to crash.
Conditions: This symptom has been observed when the hw-module slot 0/0 reload command is entered and then the line card in slot zero crashed.
Workaround: There is no workaround.
•
CSCek76062
Symptoms: A router crashes because of a block overrun (overwriting the memory block).
Conditions: This symptom is observed only when templates are exported in the export pak, which is used only in version 9 exporting.
Workaround: Version 5 could be used for exporting.
•
CSCek76602
Symptoms: There is a rare possibility that the console may stay with RP after the system crashes and does not switch to SP. If the system is not configured with autoboot, it might look like a hang state.
Conditions: This symptom happens when the RP crashes first and the SP then gets an exception while creating the crashinfo file. It is not easily reproducible. The problem is seen after multiple switchovers (the number of switchovers is not predictable).
Workaround: Router power recycle is required.
•
CSCek78675
Symptoms: SIP200 may crash multiple times on executing the QoS test cases.
Conditions: This symptom occurs while configuring/unconfiguring different QoS features and running traffic for a while.
Workaround: There is no workaround.
•
CSCin99430
Symptoms: Running the snmpwalk command on ifInOctets and some other ifMIB objects is not returning values for all the interfaces. The snmpget command is working fine.
Conditions: This symptom occurs when the hidden command no snmp-server sparse-table is configured.
Workaround: Configure the hidden command snmp-server sparse-table.
•
CSCir00786
Symptoms: When you attempt to update the startup configuration from a file but the boot commands are incorrect or you are unauthorized to enter the boot commands, a boot configuration error message should be displayed, but this does not occur.
Conditions: This symptom is observed on a Cisco router after the startup configuration has been updated by SNMP.
Workaround: Perform the following tasks:
1.
Copy the startup configuration to the running configuration.
2.
Copy the running configuration to the startup configuration.
3.
Verify manually that the boot commands are indeed correct and use the CLI to update the startup configuration.
•
CSCsb06069
Symptoms: The primary becomes very slow when accepting CLI commands after the user executes rtr reset or any rtr command, which requires human interaction.
Conditions: This symptom happens when there is an SSO setup.
Workaround: Do not execute rtr commands, which require human intervention.
•
CSCsb36463
Symptoms: IGMP packets are rate limited when they arrive on a layer 3 port (routed port) and are sent to the route processor.
Conditions: The IGMP packets can be rate-limited if (1) IP-option rate limiter is configured using the mls rate-limit multicast ip-options pps packets-in-burst command, and IGMP packets contain router alert option. (2) FIB miss rate limiter is configured using the mls rate-limit multicast ipv4 fib-miss pps packets-in-burst command.
Workaround: Configure ports as switchports with an SVI instead of a routed port or increase rate limiter parameters to allow expected level of IGMP packets.
•
CSCsb93068
Symptoms: WS-x6148-FE-SFP shows incorrect value in CISCO-STACK-MIB::PortTable when SFPs are inserted.
PortType shows as e100baseEmpty when SFPs are inserted.
Conditions: This symptom occurs in a Cisco 6500 that is running Cisco IOS Release 12.2(18)SXF with a WS-x6148-FE-SFP card. Support for the new 100BASE SFPs is not present, and there is no functional impact.
Workaround: There is no workaround.
•
CSCsc75381
Symptoms: Native VLAN mismatch may not be detected when native VLAN is not consistent on two ends of 802.1Q trunk and native VLAN is not allowed on one end only. This is a case of misconfiguration, but it may result in a forwarding loop.
For example:
switch1(native=3)---802.1Q_trunk---(native=2)switch2
allowed vlans on switch1: 3,4
allowed vlans on switch2: 3,4
If STP designated port is on the switch1 side, this misconfiguration may not be detected.
Conditions: This symptom occurs when misconfiguration is not detected.
Workaround: Correct misconfiguration. Make native VLAN consistent on both sides or at least allow VLAN 2 (native) on trunk on switch2.
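Because the device may not report this mismatch, the two ends of a trunk can be compared offline from their configurations. The following Python sketch is an added example (not part of the original release note and not Cisco code); the interface names and function names are assumptions, while the native and allowed VLAN values are the ones from the example above.

```python
ALL_VLANS = frozenset(range(1, 4095))  # valid 802.1Q VLAN IDs 1-4094

# Constructed trunk stanzas modelling the two ends in the caveat's example.
# Interface names are assumptions; VLAN values are the page's.
SWITCH1 = """\
interface GigabitEthernet1/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 3
 switchport trunk allowed vlan 3,4
 switchport mode trunk
"""
SWITCH2 = """\
interface GigabitEthernet2/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 2
 switchport trunk allowed vlan 3,4
 switchport mode trunk
"""


def expand_vlan_list(spec):
    """Expand a list such as '3,4,10-12' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        low, _, high = part.partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def parse_trunk(stanza):
    """Return (native_vlan, allowed_vlans) for one interface stanza.

    The stanza is expected in the form a running configuration prints it.
    When a command is absent the IOS defaults apply: native VLAN 1 and
    every VLAN allowed.
    """
    native, allowed = 1, set(ALL_VLANS)
    for line in stanza.splitlines():
        words = line.split()
        if words[:4] == ["switchport", "trunk", "native", "vlan"] and len(words) == 5:
            native = int(words[4])
        elif words[:4] == ["switchport", "trunk", "allowed", "vlan"] and len(words) >= 5:
            if words[4] == "none":
                allowed = set()
            elif words[4] == "all":
                allowed = set(ALL_VLANS)
            elif words[4] == "add" and len(words) == 6:
                # Long lists continue on "allowed vlan add ..." lines.
                allowed |= expand_vlan_list(words[5])
            else:
                allowed = expand_vlan_list(words[4])
    return native, allowed


def check_trunk_pair(stanza_a, stanza_b):
    """Compare both ends (A and B) of one 802.1Q trunk."""
    native_a, allowed_a = parse_trunk(stanza_a)
    native_b, allowed_b = parse_trunk(stanza_b)
    mismatch = native_a != native_b
    # Ends whose own native VLAN is missing from their allowed list.
    pruned = []
    if native_a not in allowed_a:
        pruned.append("A")
    if native_b not in allowed_b:
        pruned.append("B")
    return {
        "native": (native_a, native_b),
        "native_mismatch": mismatch,
        "native_pruned_on": pruned,
        # The caveat's case: natives differ and the native VLAN is not
        # allowed on one end only.
        "caveat_case": mismatch and len(pruned) == 1,
    }


if __name__ == "__main__":
    print(check_trunk_pair(SWITCH1, SWITCH2))
```

With the page's values the result reports a mismatch (3 versus 2) with the native VLAN pruned on end B only; applying either part of the workaround clears `caveat_case`.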
•
CSCsc98835
Symptoms: OSPF and BGP change their state unexpectedly.
Conditions: This symptom is observed on a Cisco router when a modification of a shared access control list (ACL) that is called from more than 300 route maps causes a CPUHOG condition in the Virtual Exec Process.
Workaround: There is no workaround.
•
CSCsd36094
Symptoms: Multiple duplicate system error messages are seen.
Conditions: This symptom is observed when duplicate system ID is configured on multiple IS-IS instances in the same VRF.
Workaround: There is no workaround.
•
CSCsd63038
Symptoms: An MDT address-family session in a BGP environment may not come up between two PE routers. This situation prevents the tunnel interface from being shown in the output of the show ip pim vrf vrf-name neighbor command on one of the PE routers.
Conditions: This symptom is observed on PE routers that are configured for Multicast VPN and that have the following commands enabled:
address-family ipv4 mdt
neighbor neighbor-ip-address activate
neighbor neighbor-ip-address send-community extended
Workaround: Reconfigure the address-family ipv4 mdt command in the BGP environment.
•
CSCsd77622
Symptoms: The show policy-map interface command is not showing the exceeded and violated counters.
Conditions: This symptom happens only when trust is enabled in the policy-map.
Workaround: There is no workaround.
•
CSCsd88768
Symptoms: With PPP multilink configured on serial links on PA-MCX-8TE1, the following error message may be seen:
%SYS-2-BADSHARE: Bad refcount in datagram_done, ptr=3, count=0
Conditions: With PPP multilink configured on serial links on PA-MCX-8TE1 and when traffic is flowing, the following error message may be seen:
%SYS-2-BADSHARE: Bad refcount in datagram_done, ptr=3, count=0
Workaround: There is no workaround.
•
CSCsd93294
Symptoms: On a CSC-PE router with dual RPs, the following is seen on the standby RP:
1.
A near endless amount (about 45-50) of the following error messages:
00:34:51: %FRR_OCE-STDBY-3-GENERAL: Primary interface number and OCE do not
match.
-Traceback= 42519710 4251A080 425010D4 4250176C 42527400 416E7DDC 416E83E8
416E9270 41768BD8 4194E404 421DCA90 41958978 41959080
00:34:51: %SYS-STDBY-2-CHUNKFREE: Attempted to free nonchunk memory, chunk
531555D8, data 531554E0.
-Process= "XDR LC Background", ipl= 2, pid= 131
-Traceback= 412EFB3C 412EFE8C 42519588 42527740 416E7DDC 416E83E8 416E9270
41768BD8 4194E404 421DCA90 41958978 41959080
2.
Followed immediately by a crash.
Conditions: This symptom occurs when performing an SSO switchover.
Workaround: There is no workaround.
•
CSCse03637
Symptoms: PIM dense mode interoperability issues are seen with Cisco and third party boxes.
Conditions: This symptom is observed when PIM dense mode is in operation. After the multicast forwarder is decided, based on the assert mechanism, a prune is erroneously sent. Multicast stream ceases to flow.
Workaround: There is no workaround.
•
CSCse65277
Symptoms: The standby reloads because default ISIS metric maximum returns a parser error.
Conditions: This issue is observed while configuring the ISIS metric maximum on an interface by using the isis metric maximum command and later changing it to the default metric value.
Trigger: At this point, the error is shown, communication with the peer Supervisor is lost, and the standby then reloads.
Workaround: There is no workaround.
•
CSCsf06946
Symptoms: After you have removed a loopback interface from the configuration on the primary RP while the same loopback interface is required as part of another configuration, for example, as an update source for a BGP neighbor, the standby RP does not reload successfully when you reset it.
Conditions: This symptom is observed on a Cisco router and occurs only in an HA environment.
Workaround: Remove all configurations that reference the loopback interface before you remove the loopback interface.
•
CSCsf96980
Symptoms: IPv6 multicast traffic fails to be forwarded after a second SSO failover.
Conditions: This problem is extremely intermittent with no discernible triggers.
Workaround: There is no workaround.
•
CSCsg07870
Symptoms: The new active supervisor engine may crash after an SSO switchover has occurred.
Conditions: This symptom is observed on a Cisco Catalyst 6000 series switch and Cisco 7600 series router.
Workaround: There is no workaround.
•
CSCsg24971
Symptoms: A memory leak may occur on a line card, eventually causing IPC to fail.
Conditions: This symptom is observed on a Cisco platform that is configured for NetFlow. The symptom affects distributed platforms only.
Workaround: There is no workaround.
•
CSCsg29305
Symptoms: Router crashes when reloading a VPNSPA blade.
Conditions: The problem shows after running all five devtests specific test suites. Running any one test suite will not cause this problem. The configuration generated by those test suites will not cause the problem either. The trigger of the combined actions is unknown at this point.
Workaround: There is no workaround.
•
CSCsg35077
Symptoms: A device running Cisco IOS may crash during processing of an Internet Key Exchange (IKE) message.
Conditions: The device must have a valid and complete configuration for IPsec. IPsec VPN features in IOS that use IKE include Site-to-Site VPN tunnels, EzVPN (server and remote), DMVPN, IPsec over GRE and GET VPN.
Workaround: Customers that do not require IPsec functionality on their devices can use the command "no crypto isakmp enable" in global configuration mode to disable the processing of IKE messages and eliminate device exposure.
If IPsec is configured this bug may be mitigated by applying access control lists that limit the hosts or IP networks that are allowed to establish IPsec sessions with affected devices. This assumes that IPsec peers are known. This workaround may not be feasible for remote access VPN gateways where the source IP addresses of VPN clients are not known in advance. ISAKMP uses port UDP/500 and can also use UDP/848 (the GDOI port) when GDOI is in use.
Further Information: This bug is triggered deep into the IKE negotiation, and an exchange of messages between IKE peers is necessary.
If IPsec is not configured then it is not possible to reach the point in the IKE negotiation where the bug exists.
•
CSCsg62154
Symptoms: The following traceback appears in the standby after SSO switchover:
"SP-STDBY: ltl_alloc_index_at: LTL index(0x80A) in the permanent region already allocated "
Conditions: The problem happens every time after SSO switchover and when the new standby supervisor has come up. This problem happens specifically with respect to ICROIF indices.
Workaround: There is no workaround.
•
CSCsg87290
Symptoms: When you enter the shutdown command followed by the no shutdown command on the SONET controller of a 1-port channelized STM1/OC3 to DS0 SPA (SPA-1XCHSTM1/OC3), an extra flap occurs for T3 links that are configured on the SONET controller.
Conditions: This symptom is observed on a Cisco 7600 series.
Workaround: There is no workaround.
•
CSCsh05821
Symptoms: BFD adjacencies will not form for EIGRP neighbors over interfaces defined in VRFs.
Conditions: This symptom is seen in normal EIGRP/BFD configurations. This bug removes the restriction on using EIGRP/BFD over a VRF interface.
Workaround: There is no workaround.
•
CSCsh12493
Symptoms: After addition/deletion/modification of a VRF and the re-addition of associated configuration, it becomes apparent that the RIB is not being updated by BGP after reconvergence, and LDP neighborship is reestablished. As the RIB is not updated, neither is CEF. While BGP VPNv4 has the correct information, the RIB is empty of remote PE VRF subnets, and CEF has a default entry.
Conditions: This symptom is observed on Cisco 12000 series router that is running Cisco IOS Release 12.0(32)S6.
Workaround: Can be recovered by clearing BGP session.
•
CSCsh15817
Symptoms: IP SLA operations on a router that has a response time reporter (RTR) enabled may fail at the source. The UDP socket events are not received by the RTR responder process, and the UDP socket events are missing when a UDP packet is routed through a VRF.
Conditions: These symptoms are observed on a Cisco router that runs Cisco IOS Release 12.2SB. You can verify that the symptoms are occurring through any of the following commands:
–
debug rtr trace
–
debug ip udp
–
debug socket
Workaround: Use IP SLA operations without VRFs.
•
CSCsh17035
Symptoms: A route may flap continuously, and the CPU usage may be high continuously.
Conditions: This symptom is observed on a Cisco router that is configured with a static route loop.
Workaround: Do not configure a static route loop.
•
CSCsh17630
Symptoms: In a dual RP system that is running in SSO mode, standby could be reset by the active if some invalid commands followed by valid commands are executed.
Conditions: This symptom is seen in a dual RP system that is running in SSO mode. If invalid commands (such as invalid interface commands) are executed and are followed by valid commands that exist in a sub-configuration mode as well as in global configuration mode (for example, the mpls ip command, which exists in both interface configuration mode and global configuration mode), the standby could be reset by the active because of a PRC failure on execution of those commands.
Workaround: Do not configure invalid commands followed by valid commands which are valid in multiple configuration modes.
•
CSCsh20140
Symptoms: A small memory leak may occur when ISPF is enabled. When you deconfigure OSPF, the following error message and traceback are generated:
%SYS-2-CHUNKPARTIAL: Attempted to destroy partially full chunk, chunk
30E3268.
-Process= "Exec", ipl= 0, pid= 3,
-Traceback= 0x69F968 0x813670 0x8137C4 0xD57928 0xD6A230 0xB37824 0xB38550
0x6E33F0 0x706EBC 0x7ABDD0 0x7ABDCC
Conditions: This symptom is observed on a Cisco router that runs a Cisco IOS software image that integrates the fix for caveat CSCsb38978. A list of the affected releases can be found at http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsb38978 Cisco IOS software releases that are not listed in the "First Fixed-in Version" field at this location are not affected.
Workaround: Do not configure ISPF.
•
CSCsh33518
Symptoms: When STP is configured on a Cisco Catalyst 6500 switch with Active and Standby SUP the show spanning tree command on the Standby SUP may show different information from that of Active SUP.
For example:
Active SUP xs6k3#sh spanning-tree
VLAN0002
Spanning tree enabled protocol ieee
Root ID Priority 32768
Address 0014.1bc4.c002
Cost 4
Port 259 (GigabitEthernet3/3)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32768
Address 0014.1bc4.f802
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 15
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi3/3 Root FWD 4 128.259 P2p
Gi3/4 Altn BLK 4 128.260 P2p
xs6k3#
Spanning Tree info on Standby
------------------------------
xs6k3-sdby#sh spanning-tree
No spanning tree instance exists.
xs6k3-sdby#
Conditions: This condition is generic for Cisco IOS Release 12.2(18)SXF6 and earlier releases.
Trigger: This problem is due to the different load conditions on the Active and Standby SUP.
Impact: No spanning tree instance exists on standby.
Workaround: Manually reset Standby SUP to re-sync STP states from Active to Standby. However the STP states may digress again going forward.
Further Problem Description: This problem is due to the different load conditions on the Active and Standby SUP. Occasionally the Standby SUP may run ahead of Active SUP in terms of sync state. When there is a surge of activities on the Active SUP it may run behind the sync request/event coming from the Standby. When the sync event arrives too early the Active SUP drops the request due to wrong state/event combination and therefore the sync never happened and hence the discrepancy.
A fix is put in place to avoid this type of sync race condition between Active and Standby.
•
CSCsh42678
Symptoms: A standby Route Processor continuously reloads.
Conditions: This symptom is observed when the issu runversion command is executed in a redundant router.
Workaround: There is no workaround.
•
CSCsh45949
Symptoms: SAs are created by the crypto engine in the wrong subslot.
Conditions: The crypto engine <slot>/<subslot>, when used on a different subslot, does not have an effect.
For example, applying the crypto engine slot 2/1 command does not take effect (in the sense that the show command still displays that the old sub-slot 2/0 is in use instead).
BUT when the traffic is sent the output of the sh cry eli command shows that the SAs are created using the crypto engine at 2/1 as opposed to 2/0 as shown in the configuration. Also all the traffic is sent to crypto engine at 2/0, and no traffic reaches 2/1. There is packet drop shown in the crypto engine at 2/0 as "Invalid SA".
Workaround: Apply the no crypto engine slot/sub-slot command on the subslot on which it is to be disabled. Apply the crypto engine slot/sub-slot command on the new subslot on which this has to be enabled.
•
CSCsh52567
Symptoms: A Cisco RSP720 crash is experienced when BGP is established over a SPA-1XOC12-POS interface. The problem is seen in Cisco IOS Release 12.2(33)SRB2.
Conditions: This symptom is observed when BGP speaker is originating a prefix with an outbound routemap having routemap continue keyword and set as-path prepend in the routemap policy, under certain corner conditions, the router may reload.
Workaround: In the BGP route map policy, remove the routemap continue keyword and change the policy logic when it is used along with the routemap set aspath prepend command. Once routemap continue is removed, make sure that the policies are changed such that they are similar to the originally intended policy behavior.
•
CSCsh54797
Symptoms: This issue causes high CPU utilization.
Conditions: This issue occurs with PPPoE sessions. When bringing up 24000 sessions at a rate of 15/sec, the CPU is around 45%. When all 24000 sessions are cleared and brought up again, the collection process suddenly generates a high CPU load: it takes up 50% of all the CPU. This issue is seen on the Cisco 10000 platform but may affect other platforms also. This will likely happen all the time. This issue may cause operational impact due to high CPU utilization.
Workaround: There is no workaround. Issue the sh proc cpu command to see CPU utilization.
•
CSCsh74127
Symptoms: ISIS adjacencies may not be established.
Conditions: This symptom is observed on a Cisco 7600 series where the ISIS adjacency is configured to be established over an Ethernet Services (7600 ES20) line card with QinQ subinterfaces that are configured to support double-tagged packets when the default MTU size is 1500 bytes.
Workaround: Configure the MTU to be 1504 bytes.
•
CSCsh75457
Symptoms: The RP may crash during the boot process of the router.
Conditions: This symptom is observed on a Cisco 7600 series that runs Cisco IOS Release 12.2(33)SRB and that is configured with QoS service policies.
Workaround: There is no workaround.
•
CSCsh78416
Symptoms: Stale routes are not flushed from the routing table after the stale path timer has expired during a graceful restart of a BGP session. As a result, all unwanted traffic continues to be processed by the router for those stale routes.
Conditions: This symptom is observed on a Cisco 7600 series that runs Cisco IOS Release 12.2(33)SRB and that is configured for BGP graceful restart. The symptom occurs when, during the graceful restart of the BGP session, a non-established active session resets.
Workaround: Clear or restart the BGP process on the router to remove all stale routes.
•
CSCsh81289
Symptoms: A Cisco 7600 series router configured for EoMPLS VCs may fail to forward disposition traffic after a router reload.
Workaround: There is no workaround.
•
CSCsh85531
Symptoms: Some E1 channels may remain down after you have reloaded a router.
Conditions: This symptom is observed on a Cisco 7200 series that functions as a PE router and that connects to a CE router. Both routers are connected through 1-port multichannel STM-1 (PA-MC-STM-1) port adapters and the framing no-crc4 command is enabled on all interfaces of both routers.
Workaround: Enter the shutdown command followed by the no shutdown command on the SONET controller of the PA-MC-STM-1 at the PE side to enable all interfaces to come up.
•
CSCsh91974
Symptoms: The Route Processor (RP) crashes.
Conditions: Some of the Protocol Independent Multicast (PIM) CLI commands are causing the active RP to crash. The crash happens only when these commands are configured while in control-plane policing subconfiguration mode. Normally, any global relevant configuration should automatically exit the subconfiguration prompt and also accept the command. In this case, the PIM command is rejected and the RP crashes. The same PIM commands work fine when entered under global configuration mode (where they belong) or under other subconfiguration modes.
Workaround: Use the exit command to exit the main configuration prompt before configuring PIM-related commands.
•
CSCsi05069
Symptoms: After a DCE Frame Relay subinterface is provisioned, traffic does not pass.
Conditions: This symptom is observed on a Cisco 10000 platform when the subinterface is shut down, the configuration is applied, and then the subinterface is brought back up. This is a problem for only Frame Relay DCE; DTE and NNI work okay.
Workaround: Configure the DLCI on the subinterface when it is not shut down.
•
CSCsi14934
Symptoms: A Traceback/CPUHOG message is observed on the active supervisor when the standby supervisor 720 is still booting up. This seems to be a transient issue that is seen at boot time.
*Mar 15 13:25:25.990: %SYS-SP-STDBY-3-CPUHOG: Task is running for (2000)
msecs, more than (2000)msecs (33645/33645),process = RFSS worker process.
-Traceback= 813700C 8136E6C 8137EE0 8412870 82A4668 8A61A40 8A632A8 829C28C
8291EF0
*Mar 15 13:25:29.271: %SYS-SP-STDBY-3-CPUHOG: Task is running for (2000)
msecs, more than (2000)msecs (33645/33645),process = RFSS worker process.
Conditions: While switching from rpr to rpr-plus mode, the standby supervisor undergoes a restart, and a traceback is seen as reported by the submitter. But actually a traceback is seen at every startup not just during the mode switch. From the traceback decode, there is a double access to NVRAM through an 8-bit pointer, and this over a large NVRAM probably also causes a CPU Hog at the point of invocation of the function.
Workaround: There is no workaround.
•
CSCsi16903
Symptoms: An IGMPv3 mode 4 group report with empty source list {} gets translated incorrectly to a mode 6 group report when using an ssm-mapped source. Expected behavior would be to translate to a mode 5 group report.
Conditions: This symptom occurs when IGMPv3 mode 4 group report with empty source list {} is translated by static ssm-map.
Workaround: Avoid using empty source list {} by specifying source and therefore not needing SSM static mapping.
•
CSCsi17158
Symptoms: Devices running Cisco IOS may reload with the error message "System returned to ROM by abort at PC 0x0" when processing SSHv2 sessions.
If the vty line that is being used by SSHv2 sessions to the device is cleared while the SSH session is being processed, the next time an ssh into the device is done, the device will reload.
Conditions: This symptom occurs when SSHv2 is deployed.
Workaround: There are mitigations to this vulnerability: For Cisco IOS, the SSH server can be disabled by applying the command crypto key zeroize rsa while in configuration mode. The SSH server is enabled automatically upon generating an RSA key pair. Zeroing the RSA keys is the only way to completely disable the SSH server.
Access to the SSH server on Cisco IOS may also be disabled via removing SSH as a valid transport protocol. This can be done by reapplying the transport input command with "ssh" removed from the list of permitted transports on VTY lines while in configuration mode. For example:
line vty 0 4
transport input telnet
end
If SSH server functionality is desired, access to the server can be restricted to specific source IP addresses or blocked entirely using Access Control Lists (ACLs) on the VTY lines as shown in the following URL:
http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/swacl.html#xtocid14
More information on configuring ACLs can be found on Cisco's public website:
http://www.cisco.com/warp/public/707/confaccesslists.html
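A configuration check for the mitigations listed for CSCsi17158, added here as an example (not Cisco code): it reads a running-config and reports, per VTY range, whether SSH is still a permitted transport and whether an inbound access-class restricts it. The sample config, ACL names and status labels are constructed, and treating a VTY block with no transport input line as SSH-permitting is an assumption about the release default.

```python
import re

# Constructed sample running-config fragment (not taken from the page).
SAMPLE_CONFIG = """\
hostname edge-rtr-1
!
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
!
line con 0
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
line vty 5 15
 transport input telnet ssh
line vty 16 20
 transport input telnet
line vty 21 22
 access-class 99 in
!
end
"""

VTY_RE = re.compile(r"^line vty (\d+)(?: (\d+))?\s*$")
ACL_RE = re.compile(
    r"^(?:ip access-list (?:standard|extended) (\S+)|access-list (\d+) )"
)


def defined_acls(config):
    """Return the names/numbers of every ACL defined in the config."""
    names = set()
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if m:
            names.add(m.group(1) or m.group(2))
    return names


def parse_vty_blocks(config):
    """Collect transport and inbound access-class settings per VTY range."""
    blocks, current = [], None
    for raw in config.splitlines():
        m = VTY_RE.match(raw)
        if m:
            first = int(m.group(1))
            last = int(m.group(2)) if m.group(2) else first
            current = {"range": (first, last), "transport": None, "acl_in": None}
            blocks.append(current)
            continue
        if current is None:
            continue
        if not raw.startswith(" "):
            current = None  # an unindented line ends the line sub-configuration
            continue
        words = raw.split()
        if not words:
            continue
        if words[:2] == ["transport", "input"]:
            current["transport"] = words[2:]
        elif len(words) >= 3 and words[0] == "access-class" and words[2] == "in":
            current["acl_in"] = words[1]
    return blocks


def ssh_allowed(transport):
    """True if the transport list still admits SSH."""
    if transport is None:
        return True  # assumption: no explicit statement means SSH is permitted
    return "ssh" in transport or "all" in transport


def audit(config):
    """Return [((first, last), status)] for every VTY range in the config."""
    acls = defined_acls(config)
    findings = []
    for block in parse_vty_blocks(config):
        if not ssh_allowed(block["transport"]):
            status = "ssh-disabled"
        elif block["acl_in"] is None:
            status = "ssh-unrestricted"
        elif block["acl_in"] not in acls:
            # The referenced ACL is not defined anywhere in this config, so
            # nothing visible here restricts the source addresses.
            status = "ssh-acl-undefined"
        else:
            status = "ssh-restricted"
        findings.append((block["range"], status))
    return findings


if __name__ == "__main__":
    for (first, last), status in audit(SAMPLE_CONFIG):
        print(f"line vty {first} {last}: {status}")
```
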
•
CSCsi17590
Symptoms: A CPUHOG message at the check heaps process is displayed when a large number of VRFs are configured. This may lead to BGP flapping.
Conditions: This symptom is observed when a large number of VRFs are configured on the box.
Workaround: Reduce the number of VRFs configured, if possible.
•
CSCsi28119
Symptoms: CPU utilization on the ES20 line cards is high with scaled EVC configurations with QoS.
Conditions: With scaled EVC QoS configurations on ES20 line cards with traffic, CPU utilization will normally be on the higher side. The observed figures are as follows:
–
With 8,000 EVCs configured with QoS, CPU utilization on ES20 is around 35 to 50 percent.
–
With 16,000 EVCs configured with QoS, CPU utilization on ES20 is around 60 to 75 percent.
Workaround: There is no workaround.
•
CSCsi32646
Symptoms: The following message may appear on the console after a line card reset or OIR.
%UTIL-3-IDTREE_TRACE: PW freelist DB:Duplicate ID free ...
Conditions: This symptom is observed when xconnects are configured on the line card interfaces and multiple RP switchovers have been performed.
Workaround: There is no workaround.
•
CSCsi40467
Symptoms: The router crashes when an interface is shut down.
Conditions: Route-map test is configured with set ip next-hop verify-availability track option. If the interface configured for track option is shutdown, then the router crashes.
Workaround: There is no workaround.
•
CSCsi41109
Symptoms: A high CPU load occurs while prefixes are being learned or updated.
Conditions: This symptom is observed when a large number of unique recursive paths resolve through a short-mask prefix (for example, a default route); whenever a more specific prefix is inserted, these recursive paths are re-resolved.
Workaround: Ensure that the network has specific long-mask routes to the recursive next-hops.
•
CSCsi46510
Symptoms: After a switchover, sometimes an interface may not come up and the following message is displayed:
PM-STDBY-4-INT_FAILUP: GigabitEthernet3/3 failed to come up. No internal VLAN available
Conditions: This symptom is observed after an SSO switchover and under rare conditions.
Workaround: There is no workaround.
•
CSCsi54784
Symptoms: A high CPU load occurs when prefixes are learned or updated.
Conditions: This symptom is observed when a large number of unique recursive paths resolve through a short-mask prefix (for example, a default route); whenever a more specific prefix is inserted, these recursive paths are re-resolved.
Workaround: Ensure that the network has specific long-mask routes to the recursive next hops.
•
CSCsi58211
Symptoms: Link flaps may be observed on a TenGigabitEthernet interface with XENPAK-10GB-LW under load.
Conditions: This symptom is observed under a high-traffic test scenario of over 9 Gb traffic rate through the xenpaks.
Workaround: The XENPAK-10GB-LW will not support over 9Gbps of traffic.
•
CSCsi62313
Symptoms: When an output QoS policy is configured on an ES20 service instance with "xconnect" or "connect" configured, the following messages will be seen:
00:02:43: %DFCWLC_QOS-DFC4-3-EXCEEDGUARTQRATE: DFC WAN Line Card Exceeded
Guaranteed Rates on interface - Update new queue rates: queue id 64 Cause:
0x00060018
00:02:43: %DFCWLC_QOS-DFC4-3-EXCEEDGUARTQRATE: DFC WAN Line Card Exceeded
Guaranteed Rates on interface - Update new queue rates: queue id 65 Cause:
0x00060018
Conditions: When the total combined guaranteed rate on all service policies applied to an ES20 interface with EVCs exceeds the maximum bandwidth of the interface, the traffic on the EVCs (on which the policy is applied after the rate is exceeded) will be forwarded on a "best-effort" basis using the port's default forwarding queue.
Workaround: Do not configure output policies such that the bandwidth of the interface is oversubscribed.
•
CSCsi62559
Symptoms: OSPF packets with IP Precedence 0 are classified by SPD as priority packets. This is an error because only IP Precedence 6 packets should be classified as priority packets by SPD.
Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.2(18) or a later release but may also affect other releases.
Workaround: Use ACLs to block invalid IP control packets from reaching the control plane.
•
CSCsi65922
Symptoms: Once a BGP neighbor is configured for shutdown using "neighbor <> shutdown" Cisco IOS CLI, a subsequent "no neighbor <> shutdown" does not bring up the BGP session with its peer.
Conditions: This symptom happens after a BGP neighbor is configured for shutdown using "neighbor <> shutdown" Cisco IOS CLI.
Workaround: Remove the neighbor using "no neighbor <> remote-as <>" Cisco IOS CLI and then add it again.
•
CSCsi68819
Symptoms: A Cisco 10000 router may encounter a memory leak in several functions (CEF: IP ICMP Ratelimit SB, CEF: Brkr Upda, CEF: IPv4 RPF and IPv4 FIB subblock).
Conditions: Unknown.
Workaround: Insert a secondary PRE.
•
CSCsi70224
Symptoms: After a switchover, the standby BOOT variable might not be present when the show bootvar EXEC command is issued from the console port.
Conditions: Steps to reproduce:
1.
Bootvar set in startup-config
2.
Attempt a "no boot system .." in config mode.
3.
Do a "redundancy force main-cpu" in Active and not save the configs.
4.
When the new standby comes up "bootvar" goes missing after bulk-sync.
5.
If there is another switchover, the new Active will not have the bootvar string set at all and the new standby will also not have the bootvar string.
Workaround: Make sure at least a "boot system ..." command exists on the running config.
•
CSCsi74123
Symptoms: A router that is running Cisco IOS Release 12.2(33)SRB2 will lose the configuration of maximum routes <value> warning-only upon reload.
Conditions: The issue is triggered by an inconsistency between the CLI and the nvgen: the CLI knows the keyword as warning-only, whereas the nvgen (running/startup config) knows it as warn-only.
Workaround: There is no workaround. Use the command without the warning-only keyword.
Further Problem Description: In an SSO environment (with dual supervisors) this issue will stop the initial sync upon bootup and will stop the standby from booting.
The consistent correct keyword is warning-only.
•
CSCsi76842
Symptoms: The problem occurs when the encap on an interface is changed from FR to PPP/HDLC.
Conditions: Set encap FR on an interface. Then change the encap to PPP/HDLC. It is observed that the line protocol remains down.
Workaround: Reloading the SIP-200 module. Reloading the SPA.
•
CSCsi77983
Symptoms: When NetFlow attempts to access a FIB source that is not present in the FIB, the router may crash.
Conditions: This symptom is observed on a Cisco router that is configured with VLAN interfaces and virtual templates when a FIB source that is related to a virtual interface is not present in the FIB because of severe interface flaps.
Workaround: There is no workaround.
•
CSCsi79155
Symptoms: Sometimes on SSO switchover, the Layer 3 LACP channel does not come up and the following messages are seen on the standby.
*May 7 23:17:12.333 IST: %PM-STDBY-4-INT_FAILUP: Port-channel2 failed to come up. No internal VLAN available
Conditions: This is a rare occurrence and happens in a corner case.
Workaround: Do a shut/no shut on the Port Channel.
•
CSCsi85453
Symptoms: The following message is seen: Config Sync: Line-by-Line sync verifying failure on command: switchport mode trunk due to parser return error
The standby supervisor is reset.
Conditions: This condition exists in Cisco IOS Releases 12.2SRB1 and 12.2SRB2.
1.
Trunk mode BCP is configured on a port
2.
Paste the following config for the port:
no switchport
switchport
switchport mode trunk
or paste the following config:
no switchport
switchport
switchport nonegotiate
or paste the following config:
no switchport
switchport
switchport trunk allowed vlan none
Workaround: Enter each line one at a time manually, rather than pasting multiple lines all at once.
•
CSCsi86339
Symptoms: Packets accidentally go out the TE FRR backup tunnel.
Conditions: This symptom occurs when FRR is enabled on TE tunnel under some circumstances.
Workaround: There is no workaround.
•
CSCsi86691
Symptoms: The RP processor is stuck in a process, and is not able to communicate with the SP. After a time without any notice from the SP, the RP processor decides to reload itself and the SP.
You can see the following messages in the crash information from the SP and RP:
%Software-forced reload
Breakpoint exception, CPU signal 23,
And this message several times in the log information for the RP:
%SYS-2-INTSCHED: 'idle' at level 2 -Process= "Net Input", ...
-Traceback= ...
Conditions: This symptom is observed under dynamic PBR configuration.
Workaround: There is no workaround.
•
CSCsi94863
Symptoms: A Catalyst 6500 switch with WS-6704-10GE or SUP32-10GE cards using Xenpak transceivers may not enable the xenpak's transmitter upon module reload or live-insertion of the xenpak transceiver. As a result, the partner port reports that the link is down.
Conditions: This symptom occurs when the xenpak transceiver's transmitter might not get turned on upon xenpak live-insertion, or after the module is reloaded.
Workaround: Issuing shut/no shut will recover the interface.
This bug is resolved in: Cisco IOS Releases 12.2(33)SRC and later, 12.2(33)SRB3 and later, 12.2(18)SXF11 and later, 12.2(33)SXH and later, CatOS 8.6(4) and later, CatOS 8.7(1) and later releases.
Further Problem Description: A hardware race condition exists between the xenpak's TX_ON and RESET input pins. These signals are asserted each time the linecard is reloaded, and upon live-insertion of a xenpak transceiver. Variations in hardware timing within the xenpak transceiver itself sometimes cause the transceiver to incorrectly leave the transmitter disabled after exiting the reset state. This bug corrects the race condition and also ensures that the driver meets the timing requirements set forth in the xenpak MSA.
•
CSCsi98587
Symptoms: A MET leak is seen while running a large amount of IPv4 and IPv6 multicast traffic.
Conditions: The MET leak is seen only when multiple join/leave, re-routing, and few RP address/replication mode change are done.
Workaround: There is no workaround.
•
CSCsi98730
Symptoms: The MPLS labels for packets that are forwarded via CEF and MPLS over a BGP route may not match the labels in the BGP table, which may lead to traffic loss.
Conditions: This problem occurs under certain circumstances and timing conditions.
Workaround: When the symptom occurs, enter the clear ip route command for the prefix in the VRF.
•
CSCsj00870
Symptoms: Severe IPC message leaking or BADSHARE error messages are seen during system bootup, switchover or OIR (LC, setup):
c6lc2-spdbg-5-dso-b.so+0x10FAC4: verrmsg
../os/logger.c:0
c6lc2-spdbg-5-dso-b.so+0x110168: errmsg
../os/logger.c:0
c6lc2-spdbg-15-dso-b.so+0x2B7A04: datagram_done
../os/buffers.c:0
c6lc2-spdbg-16-dso-b.so+0xC2DCC:
logger_icc_callback
../const/native-sp/logger_sp.c:0
c6lc2-spdbg-13-dso-b.so+0x57BD90:
icc_request_cb
../const/native/icc_request.c:0
c6lc2-spdbg-13-dso-b.so+0x57BE10:
icc_request_cb_new
../const/native/icc_request.c:0
c6lc2-spdbg-4-dso-b.so+0xB25BC: ipc_deliver_message
../ipc/ipc_server.c:0
c6lc2-spdbg-4-dso-b.so+0xB2BA8:
ipc_process_insequence_message
../ipc/ipc_server.c:0
c6lc2-spdbg-4-dso-b.so+0xB3794: ipc_process_message
../ipc/ipc_server.c:0
c6lc2-spdbg-4-dso-b.so+0xB3DF4: ipc_process_raw_pak
../ipc/ipc_server.c:0
c6lc2-spdbg-17-dso-b.so+0x4C870:
sb1250_eobc_process_rx
../const/sb-common/sb_common_eobc.c:0
c6lc2-spdbg-17-dso-b.so+0x4D0F8:
eobc_rx_interrupt
../const/sb-common/sb_common_eobc.c:0
c6lc2-spdbg-17-dso-b.so+0x50020:
sb1250_eth_callback
../src-sibyte/dev/sb_eth.c:0
Workaround: There is no workaround.
•
CSCsj03212
Symptoms: There are two vpn-spa blades configured in redundancy group. Shutting down or reloading one of the blades takes the group into bad state, and traffic does not flow through the other blade.
Conditions: This symptom occurs when creating 1000 fvrf-ivrf-vti-eigrp tunnels, and two vpn-spa modules are configured in b2b group. Shutting down one of the SPAs or reloading it takes the group state to RECOVERY and stays there only.
Workaround: There is no workaround but after some time when one spa comes up, other one also comes up and b2b state becomes OPERATIONAL.
•
CSCsj04201
Symptoms: The following messages are seen in the log or on the router console following a Stateful Switchover (SSO):
%IPC-5-INVALID: Invalid dest port Dest Port 0x0 Session 0x0 Source 0x0
%MRIB_PROXY-2-MRIB_RP_FAILED_GET_IPC: RP failed allocating IPC buffer
which may lead to data loss or inconsistent MFIB states
Conditions: This error is only seen on a router with ipv6 multicast-routing configured.
Workaround: The problem can be cleared by toggling ipv6 multicast routing off and back on using the [no] ipv6 multicast-routing config command.
Note
This will interrupt the forwarding of ipv6 multicast traffic.
•
CSCsj09838
Symptoms: When the BGP session between a Route Reflector (RR) and PE router flaps, the RR may no longer send some routes to the PE router.
Conditions: This symptom is observed on a Cisco router that runs a Cisco IOS software image that integrates the fix for caveat CSCsi85222. A list of the affected releases can be found at http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsi85222. Cisco IOS software releases that are not listed in the "First Fixed-in Version" field at this location are not affected.
Workaround: There is no workaround to prevent the symptom from occurring. When the symptom has occurred, enter the clear ip bgp * all in command on the PE router to retrieve all routes from the RR.
•
CSCsj10236
Symptoms: Multicast-intact does not work with Cisco IOS Release 12.2(33)SRB.
Workaround: There is no workaround.
•
CSCsj14847
Symptoms: The crypto connect command on a channelized T3 WAN card (serial interface in the non-channelized mode) is lost after the chassis reload or on the WAN card reload.
Conditions: This symptom occurs on a chassis reload with the crypto connect command in the startup config for a serial interface, or on a reload of the WAN card with the crypto connect command configured on the serial interface.
Workaround: Reconfigure the crypto connect command.
•
CSCsj32013
Symptoms: A Cisco 12000 series router may crash unexpectedly.
Conditions: This symptom occurs only on Cisco IOS Release 12.0(32)SY0f.
Workaround: There is no workaround.
•
CSCsj36477
Symptoms: When you enter the shutdown command on an interface of an OC-192 SPA, the FRR traffic loss may last about 120 ms.
Conditions: This symptom is observed on a Cisco 7600 series that has a SIP-600 in which an OC-192 SPA is installed.
Workaround: There is no workaround.
Further Problem Description: When you physically remove the cable on the Cisco 7600 series, the FRR traffic loss may last only about 2-3 ms. Similarly, when you shut down the remote interface end, which is also a OC-192 SPA interface that is installed in a SIP-600 on a Cisco 12000 series, the FRR traffic loss may last only about 2-3 ms.
•
CSCsj36620
Symptoms: The router crashes because of heartbeat failure between RP and SP. The RP is spending 99% at the interrupt level trying to process MPLS packets that have been punted to the RP from EARL because the adjacency entry for tag2tag is dropped right after the core facing line card is reloaded.
Conditions: This symptom occurs after OIR the ES-20 line card.
Workaround: There is no workaround.
Further Problem Description: MPLS packets should never be processed when the incoming interface has xconnect, and MPLS is not enabled on the interface, which happens to be the case here.
The fix is to drop the packet in IBC code if the packet is an MPLS packet, and MPLS is not enabled on the interface.
•
CSCsj40695
Symptoms: A Cisco router may become unresponsive or reload unexpectedly when an Embedded Event Manager (EEM) Tool Command Language (Tcl) policy that has an invalid policy registration line is registered.
Conditions: This symptom is observed on a Cisco router that runs a Cisco IOS software image later than Release 12.4(11)T when the policy registration line is malformed. This line may become malformed when the Tcl policy is saved with a program that inserts new lines at locations where you do not expect them.
Workaround: Before the policy is registered, inspect the policy by entering the more flashdevice:filename.tcl command to ensure that the script does not have a malformed event registration line.
•
CSCsj47433
Symptoms: On Cisco 7600 routers with a SIP-400 line card, packets with more than 1492 bytes may be dropped on the EoMPLS imposition path.
Conditions: This issue is seen on routers that are running Cisco IOS Release 12.2(33)SRB2. The issue is fixed in Cisco IOS Releases 12.2(33)SRB3 and 12.2(33)SRC. Ingress EoMPLS packets to the SIP-400 that are greater than 1492 bytes (but less than the 1500 byte MTU) may erroneously be dropped on the line card. The size of the imposition labels is incorrectly included in the MTU calculation causing the drops to occur in this situation.
Workaround: There is no workaround.
•
CSCsj48440
Symptoms: Packets "returned" from a WCCP appliance (web-cache) for further forwarding are always processed by the RP leading to elevated CPU usage.
Conditions: This symptom is observed on a Cisco 7600 series router for WCCP redirection and with "L2 return" being used to return traffic from the appliance to the router. Further the router must either be configured for outbound redirection (ip wccp <service> redirect out) or the appliance must have selected hash assignment.
Workaround: If the appliance is resident on its own subnet, apply the WCCP command ip wccp redirect exclude in to the appliance facing interface. Alternately use mask assignment and input redirection (ip wccp <service> redirect in).
•
CSCsj49216
Symptoms: The eBGP session for IPv4 does not come up.
Conditions: This symptom occurs when address family IPv4 is removed from VPN configuration. All corresponding eBGP configurations are automatically removed. The problem happens after everything is added back.
Workaround: There is no workaround.
•
CSCsj53663
Symptoms: A Cisco platform may reload when you configure or unconfigure an EEM policy.
Conditions: This symptom is observed only on a Cisco platform that runs a modular Cisco IOS software image when a syslog message is being generated while you configure or unconfigure the EEM policy.
Workaround: Do not configure or unconfigure an EEM policy while a syslog message is being generated.
•
CSCsj56281
Symptoms: Inherit peer-policy does not work after router reloads.
Workaround: There is no workaround.
•
CSCsj64154
Symptoms: After reloading a Cisco 7600 router that is running Cisco IOS Release 12.2(33)SRB1, the following error message is displayed:
%SIP200_MP-4-PAUSE: Non-master CPU is suspended for too long, from 0x4022F650(2) to 0x4022F6A0 for 329873 CPU cycles. -Traceback= <different tracebacks>
Messages are logged continuously.
Conditions: This symptom is observed on a Cisco 7600, SIP-200.
Workaround: There is no workaround, but there is no impact on user traffic.
•
CSCsj65189
Symptoms: Traffic stops over EOM ckt after SSO and followed by TE FRR cutover.
Conditions: The issue seen here is that after the SSO switchover at cat5 the local EOM label at cat5 gets changed and the same gets updated at cat2 for the corresponding VC correctly. Now, when the FRR cutover is performed at cat5, the local VC label gets changed for the second time and the same also gets updated at cat2 for the corresponding ckts. However the label push gets messed up at cat2, which results in EOM traffic loss from cat2 to cat5 but the other direction traffic passes fine. If the same FRR cutover is performed before the SSO switchover at cat5 then there will not be any problem. It is only after the SSO when this issue is observed. Please refer the enclosure BigDescription for more details.
Workaround: There is no workaround.
•
CSCsj67096
Symptoms: On a Cisco Catalyst 6500 series switch Sup720 that is running Cisco IOS Release 12.2(18)SXF7, if there is a port-channel with combination of non-fabric enabled and fabric enabled card (here WS-X6408 and WS-X6516) and this port-channel is configured as a trunk.
The traffic comes on port-channel trunk on one VLAN, gets source NATed on Sup720 and sent back on same port-channel on another VLAN.
The traffic gets dropped for the stream coming on one port of the channel in a VLAN and sent back on 2nd port on another VLAN. The issue is that the source index is not getting re-written after NAT, so the traffic gets dropped.
Note that if the traffic comes on one port of the channel and goes back on the same port, the packets get rewritten correctly. Partial packet loss.
Conditions: This issue happens only with Sup720 that is running Cisco IOS with port-channel member ports on WS-X6408 and WS-X6516 line cards.
Workaround: Shut one member of the port-channel, so that traffic comes in on one port, gets NATed/routed and goes back on the same port on the switch. Or use either fabric-enabled cards or non-fabric enabled cards in the port-channel. DO NOT USE a combination of non-fabric enabled and fabric enabled cards.
•
CSCsj68911
Symptoms: On a Cisco Catalyst 6500 system that is running Cisco IOS Release 12.2(18)SXF9 and DFC enabled line cards, approximately 90K memory will be held on each DFC when a redundancy force-switchover is issued. The memory is never released afterwards. This will happen each time a redundancy force-switchover (both RPR+ and SSO) is issued.
Conditions: This symptom only affects line cards with DFC daughterboards.
Workaround: There is no workaround.
•
CSCsj70109
Symptoms: A 100% traffic loss is observed from hub to all the spoke devices.
Conditions: This symptom occurs in a hub-and-spoke topology with IPsec when RRI (Reverse Route Injection) is configured on the spokes and the hub device: the static routes to the spokes are not injected into the routing table of the hub.
Workaround: Manually configure the static routes on the hub router.
•
CSCsj73669
Symptoms: Link flaps may intermittently occur on TenGigabit Ethernet interfaces with certain Xenpak transceivers.
Conditions: This problem only occurs on 10GBASE-SR. As DOM is not supported for this Xenpak type by Cisco IOS, the interaction between the Xenpak DOM hardware and the Cisco IOS DOM polling mechanism may cause the link to flap.
Workaround: There is no workaround.
•
CSCsj74617
Symptoms: Only the last entry of "mpls static" and "moi" CLIs that are configured on active RP can get synced to slave RP.
Conditions: This issue is found on Cisco 7600 platform under SSO HA status.
Workaround: There is no workaround.
•
CSCsj76268
Symptoms: When an MFR interface is configured to autosense LMI, the interface may not recover when the T1 links go down or when the interface is wedged.
Conditions: This symptom is observed on a Cisco Catalyst 6500 series switch and a Cisco 7600 series router that are configured with an OSM-12CT3/T1 Optical Services Module.
Workaround: Configure the LMI type on both the DTE and the DCE. Also, entering the shutdown interface configuration command followed by the no shutdown interface configuration command on the MFR interface may correct the symptom.
Further Problem Description: Following are the debugs:
lmi autosense on by default
interface MFR1
frame-relay intf-type dce
Debug frame lmi
MFR1(up): DCE LMI timeout
MFR1: Invalid LMI type 1
MFR1(down): DCE LMI timeout
MFR1: Invalid LMI type 1
MFR1: Invalid LMI type 1
MFR1(down): DCE LMI timeout
MFR1: Invalid LMI type 1
MFR1(down): DCE LMI timeout
MFR1: Invalid LMI type 1
MFR1: Invalid LMI type 2
MFR1(down): DCE LMI timeout
•
CSCsj83966
Symptoms: The message CPU HOG appears on the screen.
Conditions: This symptom occurs when a lot of interfaces are coming up/down at the same time. The syslog used to process 100 traps at one time, which causes the CPU HOG.
Workaround: The condition does not appear when there are comparatively fewer interfaces. Unconfiguring the trap shown in sh run also prevents this issue.
•
CSCsj85065
A Cisco IOS device may crash while processing an SSL packet. This can happen during the termination of an SSL-based session. The offending packet is not malformed and is normally received as part of the packet exchange.
Cisco has released free software updates that address this vulnerability.
Aside from disabling affected services, there are no available workarounds to mitigate an exploit of this vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml.
•
CSCsj88017
Symptoms: A sip400 line card on a Cisco 7600 has a large number (~8K) of EVCs configured on its interfaces. QoS service-policies are applied to all of the EVCs. When the line card is reloaded, only a subset of the configured EVCs come back up.
Conditions: The issue is only seen when QoS service-policies are applied to a scaled EVC configuration. The problem is limited to distributed platforms like the Cisco 7600.
Workaround: Reapply missing EVC configurations when the line card comes up.
Further Problem Description: The failure of some EVCs to come up is due to contention for resources between the interface and QoS modules. The fix balances CPU usage among the modules to prevent timeouts and other error conditions.
•
CSCsj89544
Symptoms: If a BGP keepalive message fails to be sent to a BGP peer because the transport link is down, the neighbor BGP peer does not accept any further keepalive packets even though TCP retransmits the failed message using a backup path. This eventually causes the BGP peer to go down because of holdtime expiration.
Conditions: This happens when TCP retransmissions occur on an MPLS-enabled network. This is seen only when MPLS is configured on a Catalyst 6500 or Cisco 7600.
Workaround: There is no workaround.
•
CSCsj89931
Symptoms: Issuing copy file running-config results in a line-by-line sync PRC error when the configuration contains CLI commands that trigger a parser inexplicit exit, for example controller T1 9/0/0.
Workaround: There is no workaround.
•
CSCsj90039
Symptoms: All traffic that needs to be processed by input on the SVI is dropped.
Conditions: Input queue wedge at the SVI.
Workaround: Reload router.
•
CSCsj91123
Symptoms: Double freeing of freed memory. The router reloads after an authentication attempt fails on the vty/console.
Conditions: While AAA accounting is performed, the accounting structure is freed twice, which results in a crash. The symptom occurs when the aaa accounting send stop-record authentication failure command is configured, which sends a stop record for authentication failure.
Workaround: Remove the aaa accounting send stop-record authentication failure command, which disables sending of the stop record at authentication failure.
•
CSCsj97484
Symptoms: The router may crash when the line card is booted.
Conditions: This problem is not easily reproducible. The problem may be experienced if there is heavy distribution traffic to the line cards.
Workaround: There is no workaround.
•
CSCsj99354
Symptoms: If an interface does not have an IP address or an IPv6 address, the passive-interface command is not shown under "router ospf ...".
Conditions: This symptom is seen when running Cisco IOS Release 12.0S images or images from Cisco IOS Release 12.2SR.
Workaround: Configure either IP or IPv6 address for the interface.
•
CSCsk02962
Symptoms: When Egress Multicast replication mode is used on a Cisco 6500 platform with PFC3x, after the SSO switchover occurs, the new active supervisor SP may reload on MET reconstruction.
Conditions: This symptom is observed with Multicast Egress Replication and SSO redundancy mode.
Workaround: Do not use SSO HA in conjunction with Egress Multicast Replication Mode.
•
CSCsk04287
Symptoms: Switch crashes due to EIGRP.
Messages found: Debug Exception (Could be NULL pointer dereference) Exception (0x2000)!
Conditions: This is seen on a Cisco 3560 router that is running Cisco IOS Release 12.2(40)SE.
Workaround: There is no workaround.
•
CSCsk06769
Symptoms: Shutting down any LAN interface can cause the MAC address table to go bad, and all the traffic flowing through that VLAN may stop.
Conditions: The show mac-address-table dynamic command shows that all the MAC addresses are learned on the BCP trunk port, which is a WAN link.
Workarounds:
1.
Although it is not a valid solution, a shut/no shut of the WAN link can re-establish the MAC address table correctly.
2.
Use static MAC address entries for all MAC addresses to be learned over the WAN interface by using the mac-address-table static mac-add vlan id interface id command. Make these static entries on both ends.
•
CSCsk07255
Symptoms: A Sip-600 may reload when an SSO switchover is performed.
Conditions: The problem is observed in a Cisco 7600 series router with redundant supervisor engines and a SIP-600 line card. The SIP-600 may reload when an SSO switchover is performed between the Active and Standby supervisor engines.
Workaround: There is no workaround.
•
CSCsk07418
Symptoms: If one interface has a different passive interface configuration than another interface, the parser return code is inconsistent between the HA routers, and the standby router reloads.
Conditions: Set the passive interface configuration under "router isis" or "router ospf". Set one interface with a different passive interface configuration. Repeat these two configuration CLIs several times, and the standby router reloads.
Workaround: Do not set an interface with a different passive interface configuration in HA SSO mode.
•
CSCsk08681
Symptoms: On physical OIR removal followed by insert of line card into chassis, FIB errors may be seen on the Standby SUP console.
Conditions: This symptom will only happen if "module clear-config" is present in the configuration.
Workaround: Remove "module clear-config" from the configuration.
Further Problem Description: This command is not supported by ES20 or SIP-600 line cards.
•
CSCsk10895
Symptoms: After an SSO, LDP and BGP sessions might flap.
Conditions: This symptom happens only if the mpls ldp explicit-null command is enabled.
Workaround: Disable explicit-null for LDP.
Further Problem Description: This happens because MPLS MFI deletes the explicit-null label. This behavior will be fixed by another DDTS CSCsk28546.
This DDTS fix is to avoid freeing the global table reserved VLAN as long as MPLS is enabled in the box.
•
CSCsk15606
Symptoms: When stored configurations in the CMTS (stored on disk or in bootflash) are copied to the running configuration, the secondary PRE reloads.
Conditions: This symptom occurs when the stored configurations in the CMTS (disk or bootflash) are copied to the running configuration.
Workaround: Remove the CLIs "auto-sync standard" and "no file verify auto" from the stored configuration.
•
CSCsk16937
Symptoms: A memory leak at atm_add_aal5_layer is observed.
Conditions: This symptom occurs when testing ATM with a large number of subinterfaces configured.
Workaround: There is no workaround.
•
CSCsk17205
Symptoms: MFR LMI packets are consistently sent through the serial interface that is associated with the MFR interface, instead of the MFR itself. You can verify this situation by enabling debugs:
debug frame-relay lmi
debug packet ----> CPU sensitive
Because of this situation, when the LMI type is changed to another type, out-of-sequence problems may occur at the remote end.
Conditions: This symptom is observed on a Cisco Catalyst 6500 series switch and Cisco 7600 series router that are configured with an Optical Services Module (OSM).
Workaround: There is no workaround.
•
CSCsk18206
Symptoms: TCAM programming problem is encountered when PBR and NAT are involved.
Conditions: TCAM does not always get programmed properly when Policy Based Routing and NAT are present in the configuration.
Workaround: To restore service, follow these steps to force a TCAM adj recalculation:
Step 1: Remove PBR service policy from all VLAN interfaces which have PBR. Then reapply PBR policy on those impacted VLAN interfaces.
Step 1 is the preferred method to force a TCAM adj recalculation without triggering routing updates to the rest of the network. If the issue persists, then proceed to step 2.
Step 2: Shut/unshut the impacted VLAN interface and other VLAN interfaces that share the same PBR policy with the impacted interface.
Further Problem Description: Troubleshooting details: Follow these steps to identify a reoccurrence of the TCAM adj issue and identify the interfaces that are experiencing traffic interruption.
Step 1: Check what indexes are used in TCAM adj.
Step 2: Check the REDIRECT adjacency indexes in tcam interface for potentially affected VLANs and make sure it only has indexes which are listed in the TCAM adj output. You will have to check this for all interfaces configured with PBR.
sp#sh tcam int vlan <affected_VLAN> acl in ip de | inc indx:
•
CSCsk19817
Symptoms: The error message "pm failed get pm mp semaphore" is seen on the shut/no shut of an interface.
Conditions: This message can be seen on any interface under stress if any line card in the system is under stress and takes more time to process commands from supervisor.
Workaround: There is no workaround.
Further Problem Description: Apart from the error message, shut/no shut takes two minutes, and the console freezes during this time.
•
CSCsk21737
Symptoms: Ports connected to newly installed ES20 line card will be up, while ES20 port shows admin down.
Conditions: Ports connected to newly installed ES20 line card will be up, while ES20 port shows admin down.
Workaround: Do not connect the fiber until ready to use.
•
CSCsk24272
Symptoms: RP crashes due to memory leak in I/O big buffers.
Conditions: This symptom is observed when flow export is configured with a 127.0.0.x address.
Workaround: Remove flow export configuration with 127.0.0.x address.
•
CSCsk28546
Symptoms: In a setup with 32k EVCs configured, when the standby is reloading, MPLS reserved labels are deleted in the active. The deletion of explicit-null was affecting the 7600 platform because of the way recirculation is handled.
Conditions: The problem is triggered from the active RP when the standby is coming up.
Workaround: There is no workaround.
•
CSCsk32209
Symptoms: Crash is seen in generating RSA keys.
Conditions: This symptom happens before applying crypto map command.
Workaround: There is no workaround.
Further Problem Description: This problem is not seen on SUP730 or SUP32. It is only seen on RSP720. It is due to local variables that are used globally.
•
CSCsk33724
Symptoms: Starting with Release 12.2(33)SXH, the DOM feature is not supported on some transceiver types. The list of supported transceiver types can be obtained from a running switch by using the command "show interface transceiver supported-list". This change was made to handle cases where the DOM thresholds or operating values are inaccurate, thereby resulting in bogus SNMP trap notifications.
Conditions: This issue is seen only with the following conditions:
1.
12.2(33)SXH software and later only.
2.
Transceivers listed as "unsupported" in output of show interface transceiver supported-list command.
Workaround: There is no workaround.
•
CSCsk33740
Symptoms: Increasing the IPSec anti-replay window size to extended replay window size (128-1024) by using the crypto ipsec security-association replay window-size [1024] command could cause the following error messages:
Aug 17 11:10:33 PDT%SPA-IPSEC-2G-4-ICPUPP13: slot 4/2 Policy check failed for pkt src:192.168.2.2 dst:172.16.2.84 proto:17 SA index:0x9307
and/or
Jul 28 23:53:16.276%SPA-IPSEC-2G-4-ICPUPP9: slot 9/2 Packet src:172.21.26.43 dst:10.1.69.209.109 seq num:0x6cc failed replay check last seq num:0x803fffff for SA:0xc6a4.
Workaround: Remove crypto ipsec security-association replay window-size [<extended replay window size>] and then reset the VPN SPA.
•
CSCsk33832
Symptoms: Traffic forwarding will be affected.
Conditions: This symptom is observed after resetting the hw module; the traffic in the egress (imposition path) direction did not recover fully after the line card came up. In another instance, all imposition traffic failed after a card reset.
Workaround: A "clear ip ospf process" clears the problem.
•
CSCsk34237
Symptoms: Egress multicast replication stops working due to WCCP.
Conditions: This symptom is observed when WCCP feature is present, and Egress multicast replication mode is configured on Cisco Catalyst 6500 switches.
Trigger: When the WCCP service goes down.
Frequency: Always.
Root cause: Wrong service adjacency being updated when WCCP goes down.
Impact: This will impact Multicast Traffic Forwarding and egress multicast replication will not work.
Workaround: Switch to ingress multicast replication mode using the mls ip multicast replication-mode ingress command.
Issue Verification: The hardware programming shown via sh mls ip multicast group group-address and show mls cef ip multicast source source-address group group-address det looks correct, and the traffic counters for each is incrementing but a sniffer trace and the interface statistics taken on the downstream switch show no multicast data received.
•
CSCsk38937
Symptoms: Loss of traffic for more than 15 seconds after second cutover.
Conditions: This symptom occurs after performing two cutovers.
Workaround: There is no workaround. Traffic recovers after 15 seconds.
•
CSCsk39484
Symptoms: A %CBUS-3-CCBPTIMEOUT message is generated as part of an on-line insertion and removal operation.
Conditions: The message will generally be seen with OIRs for specialized equipment such as an IMA controller.
Workaround: There is no workaround. There is no operational impact.
Further Problem Description: The message arises from an attempt to synchronize some interface state information (specifically, the rate-interval). Synchronization is sometimes attempted when it is not possible to deliver a message. In all such cases, there is actually no need to do the synchronization so there is no impact to the router.
•
CSCsk41134
Symptoms: Several problems can be observed when using VPNs on routers related to the parsing of the ID payload of the client. Possible symptoms include:
–
the RSA signature negotiation fails with a "signature invalid" message.
–
the certificate based authentication with ISAKMP profiles will not select the correct profile, and the connection will use the default settings.
In all these cases the ISAKMP negotiations do not work.
Conditions: This symptom occurs when using certificate based authentication with ISAKMP profiles.
Workaround: There is no workaround.
Further Problem Description: After enabling ISAKMP debugging you will see in the first case:
ISAKMP:(68001): processing SIG payload. message ID = 0
ISAKMP:(68001): signature invalid!
or possibly
ISAKMP (0:13005): FSM action returned error: 2
In the second case you will either see:
ISAKMP:(68001): processing ID payload. message ID = 0
ISAKMP (68001): ID payload
next-payload : 6
type : 9
Dist. name parsing failed
protocol : 17
port : 500
length : 185
ISAKMP:(68001):: UNITY's identity FQDN but no group info
ISAKMP:(68001):: peer matches *none* of the profiles
Or
00:03:18: ISAKMP (0:268435457): ID payload
next-payload : 6
type : 9
Dist. name :
protocol : 17
port : 500
length : 73
(Notice the empty "Dist. name" field)
•
CSCsk41142
Symptoms: When 32k xconnect configs are copied to running config, RP and SP crash.
Conditions: This symptom is observed on a system that has two 20X1 and one 2X10GE. The configuration has both ingress policing and egress shaping on all 32k EVCs.
Workaround: There is no workaround.
•
CSCsk42983
Symptoms: The following traceback is seen on a 7600 router.
On 1:Sep 6 07:59:47.879 PST: %C6K_PROCMIB-DFC1-3-IPC_TRANSMIT_FAIL: Failed to send process statistics update : error code = re-init
-Traceback= 2042B85C 2042BDA0 20CA9C08 20CA9C78 20CA9E28 20CA9F30
Conditions: Stressful IPC conditions causing IPC messages to be dropped.
Workaround: There is no workaround.
•
CSCsk43673
Symptoms: Network RF client might take more time to complete RF_PROG_ACTIVE progression during switchover.
Conditions: When more than a thousand interfaces are configured on a router.
Workaround: There is no workaround.
•
CSCsk44233
Symptoms: There is possible memory corruption during routemap deletion.
Conditions: This symptom occurs when BGP is running.
Workaround: There is no workaround.
•
CSCsk46560
Symptoms: On reload of chassis or SPA, copper ports do not come up when issuing no shut.
Conditions: Can occur with copper SFP ports on SIP-400, SIP-600 and ES20 20x1GE.
Workaround: Reload line card or SPA after port configuration is no shut.
•
CSCsk47888
Symptoms: The standby processor continuously reloads due to the failure of bulk sync.
Conditions: The IP address of the interface is configured with the same IP address as the HSRP virtual IP address. This can be done while the interface is in the shutdown state.
Workaround: The user must avoid sharing the interface IP address with the HSRP virtual IP.
•
CSCsk48182
Symptoms: A router will crash with SSO with the configurations attached in the show run command output.
Conditions: This symptom occurs with SSO.
Workaround: There is no workaround.
•
CSCsk48940
Symptoms: "Class-Default" counters are not accounted for and are missing from the show policy-map output.
Conditions: When SIP600 or ES20 are used as an MPLS/core facing interface for PXF based EoMPLS or VPLS, class-default counters are not updated.
Workaround: There is no workaround.
Further Problem Description: "Class-Default" counters are not getting updated in "show policy-map interface <>" output when we have a QOS policy attached to the interface.
•
CSCsk49638
Symptoms: The primary tail-end segment of the LS connection backed up PW remains inactive even after no-shut has been done.
Conditions: Shut/no-shut should have been done on the primary tail-end.
Workaround: There is no workaround.
•
CSCsk51160
Symptoms: When hierarchical QOS is configured and no queuing action is specified for a class, matching for that class fails to work.
Conditions: This symptom is only applicable when the class has no queuing actions specified.
Workaround: Add a queuing action to the class.
•
CSCsk54938
Symptoms: Packets with a source mac address beginning with 0xA100 may be dropped by SIP600 for VPLS and SVI based EOMPLS imposition.
Conditions: If CE originating traffic is originated with 0xA100 in the first two bytes of the source mac address the MPLS core facing SIP600 may drop the imposition traffic.
Workaround: 0xA100 is not a realistic mac address seen in real world configurations and as such does not pose an immediate risk.
•
CSCsk55423
Symptoms: This bug manifests itself as BGP packets ending up in the high priority extended headroom (as per SPD). The fix makes sure that such packets are placed in just the plain headroom and not the extended headroom.
•
CSCsk55892
Symptoms: OSPF-3-DBEXIST messages can be seen in the log.
Additionally, an OSPF neighbor may flap due to too many retransmissions. In some cases the flapping may be permanent and occurs during refresh of the affected LSA (period 30 minutes).
Conditions: This symptom is observed on a router that is running a Cisco IOS Release 12.2(33)SRB image. Other Cisco IOS versions are not affected. The router is an NSSA ABR. The ABR originates two external type-5 LSAs that have conflicting link-state IDs.
Workaround: The clear ip ospf process command may clear the OSPF database, which may stop the flapping.
More details: An example of the problematic environment: Under router ospf, "redistribute static" is configured. A route to null is configured, for example ip route 10.0.0.0 255.255.0.0 null0. The type-5 LSA has LSA ID 10.0.0.0. The same route, but with a longer mask, is originated by an ASBR in the NSS Area (type-7 external), for example 10.0.0.0 255.255.255.0. This route is translated to an external type-5 LSA, and under normal circumstances it should also have LSA ID 10.0.0.0. However, so as not to conflict if LSA ID 10.0.0.0 already exists, this LSA should be originated with the host bits set, which means that the LSA ID is 10.0.0.255.
These problems have been experienced if conflicting type-5 LSAs should be originated:
–
Type-5 LSA with shorter mask is not originated from type-7 LSA, error message OSPF-3-DBEXIST is printed.
–
If two type-5 LSAs from above example are originated (10.0.0.0 /16 and 10.0.0.255 /24) and 10.0.0.255 /24 should be flushed because the route is not available any more, ABR by mistake flushes LSA ID 10.0.0.0 which leads into unpredictable behavior and usually into neighbor flap.
•
CSCsk56788
Symptoms: High CPU usage is observed due to the "BGP Router" process when there are BGP remote neighbors that are not active. The problem happens when a couple of BGP neighbors are activated on the router and not configured on the peer router. Theoretically, it could also happen if for some reason some sessions keep trying to get established but keep failing.
Conditions: This symptom occurs when there are inactive BGP neighbors.
Trigger: BGP trying to establish a TCP session but not getting an "Ack" from the other end.
Root Cause: This problem happens because BGP is busy trying to open an Active connection which fails since the peer does not have the corresponding neighbor configured for that Address Family. When we go through the heavy-duty reset processing, it leads to the high CPU usage.
Impact: High CPU usage.
Workaround: One of the following is a workaround to this issue:
–
Removing the neighbors which are configured only on one peer and not on the other peer.
–
Putting the neighbor in shutdown mode in BGP config via the command neighbor x.x.x.x shutdown.
–
Putting the neighbor in passive mode via the command neighbor x.x.x.x transport connection-mode passive.
•
CSCsk59515
Symptoms: The BGP session will be reset during the no neighbor max-prefix command (with single session).
Conditions: The BGP session is reset unnecessarily when the no neighbor max-prefix command is entered with a single-session configuration. The issue is not observed with BGP multi-session.
Workaround: There is no workaround.
•
CSCsk60112
Symptoms: Uninitialized memory causes failures when LSP ping is performed.
Conditions: This error occurs when the allocated memory is non-zero.
Workaround: There is no workaround.
•
CSCsk60769
Symptoms: K1K2 values are not reflected correctly when the Tx cable on the protect channel on Cisco 7600 POS interface is pulled out or when there is any LRDI alarm.
Conditions: This symptom is observed on a Cisco 7600 series router that is running Cisco IOS Release 12.2(33)SRB.
Workaround: There is no workaround.
•
CSCsk60912
Symptoms: MPLS forwarding table is empty on standby RP.
Conditions: This symptom is seen after ISSU loadversion, or simply when standby RP is reloaded.
Workaround: There is no workaround.
•
CSCsk61790
Symptoms: Syslog displays password when copying the configuration via FTP.
Conditions: This symptom occurs when copying via FTP. The Syslog message displays the password given by the user as part of syntax of FTP copy.
Workaround: There is no workaround.
•
CSCsk62514
When applying a large number (over thousands) of VRF configurations with BGP enabled to a router, you may observe that the configuration takes longer to complete. For example, when copying a large VRF configuration file into the running-config of a router, it takes longer to transfer the configuration data.
There is no work around.
•
CSCsk63233
Symptoms: When SPA on one slot is shut, the other one takes over. If the Cheronia is reset after this, the router crashes.
Conditions: This symptom is seen under the following conditions:
1.
Two zambonis with redundancy are configured.
2.
The Active SPA should be shut down.
3.
Reset on Cheronia after the standby takes over.
Workaround: There is no workaround.
Further Problem Description: Have two zambonis with redundancy configured between them. There are 500 vti tunnels, 500 IVRF and 1 FVRF configured. On shutting down the SPA in 1/1 slot, 1/0 takes over, and then on resetting the Cheronia, the router crashes.
The crash can be seen with just 1 tunnel, 1 IVRF and a FVRF.
Steps to reproduce:
1.
Configure the router with the attached configs.
2.
Shut down the SPA in slot 1/1.
3.
Once the SPA in slot 1/0 takes over, reset the Cheronia in slot 1.
4.
The router crashes.
•
CSCsk64223
Symptoms: When "no router bgp xx" is configured, the following error message may be seen and the router may crash:
%IPRT-3-BAD_PDB_HANDLE: Pdb handle error 1040000, 0000, 0, 00000000, 76E60000, 00 -Process= "IP RIB
Update", ipl= 0, pid= 248
-Traceback= 4062C0A0 40CB7E08 40CD10D8 40CD1924
Conditions: This symptom is seen when BGP is enabled on a large number of VRFs and has a significant number of routes in each VRF.
Workaround: There is no workaround.
•
CSCsk64358
Symptoms: MIB fields related to high capacity error counters may be incorrect.
Conditions: If customer tracks high capacity error counters, they will be impacted.
Workaround: There is no workaround.
•
CSCsk64625
Symptoms: Core facing traffic may be dropped for vpls/eompls when using sip600/es20 as mpls core facing interface.
Conditions: When a sip600/es20 interface is included as an explicit path in a tunnel with multiple path options, traffic may be dropped when the path switches from one local interface to another, or when traffic switches from a non-local interface to a local interface when the egress path for the tunnel is changed.
Workaround: There is no workaround.
•
CSCsk65338
Symptoms: Line protocol and DLCIs flap on MFR interfaces after SSO switchover on a Cisco 7600 platform.
Conditions: The flap may occur for MFR interfaces which are LMI DTE and which do not have an explicit LMI type configured.
Workaround: Configure an explicit LMI type on MFR DTE interface rather than using autosense.
•
CSCsk65860
Symptoms: Security ACLs along with "ip unicast verify" CLI break Client traffic to real servers.
Conditions: This symptom occurs with the following configuration:
interface VLAN55
ip address 10.10.10.187 255.255.255.0
ip access-group 120 in
ip access-group 121 out
ip verify unicast source reachable-via rx allow-self-ping
end
The above CLIs are configured on the interface/VLAN to which the real Servers are connected.
Workaround: There is no workaround.
•
CSCsk67417
Symptoms: Router crashes when two or more users display Dynamic ARP Inspection log table at the same time with the show ip arp inspection log command.
Conditions: This symptom occurs when DAI is configured and new ARP requests are coming on the DAI configured interface.
Workaround: Do not display DAI logs simultaneously with the show ip arp inspection log command.
•
CSCsk68846
Symptoms: Router crashes when removing grand child policy.
Conditions: This symptom is seen in Cisco 7304 router.
Workaround: There is no workaround.
•
CSCsk69408
Symptoms: On doing line card reset on simple MLP bundles with traffic flowing, some of the multilink bundles drop the packets and do not recover after all the bundles come up.
Conditions: This symptom happens on a Cisco 7600 router on a simple MLP bundle with service policy attached. Class voice is defined and given 50 percent priority. It specifically occurs when links are added from different SPAs and traffic is flowing.
Workaround: Remove the service policy and reattach it.
•
CSCsk70087
Symptoms: The RP crashinfo reports the following:
%C6K_PLATFORM-2-PEER_RESET: RP is being reset by the SP
%Software-forced reload
Breakpoint exception, CPU signal 23, PC = 0x41CDA8E4
Since the crash is triggered by the SP, the crashinfo in sup-bootflash logged the following:
%ALIGN-1-FATAL: Illegal access to a low address
addr=0x0, pc=0x40362F24, ra=0x40363000, sp=0x43A179F8
%ALIGN-1-FATAL: Illegal access to a low address
addr=0x0, pc=0x40362F24, ra=0x40363000, sp=0x43A179F8
TLB (store) exception, CPU signal 10, PC = 0x40362F24
Conditions: This problem is seen at a customer site. Hardware and software version info is as follows: WS-SUP720-3B running Cisco IOS Release 12.2(18)SXF2. The trigger for the crash is unknown.
Workaround: There is no workaround.
If you are a customer running into this, please collect the following information and contact Cisco/TAC: sh tech; crashinfo from sup-bootflash (for SP) and bootflash (for RP); log entries taken from the syslog server for the 1-week period leading to the crash.
In the case notes, please include the following:
1.
Hardware changes done in the recent past
2.
Network events that occurred at the time of the crash
3.
List of Management applications polling this device
•
CSCsk70247
Symptoms: %INTR_MGR-DFC3-3-BURST: Parsing Engine(X-Chip) [0]:Inbound Parser
Conditions: This symptom is seen during large SwEoMPLS configuration. It does not happen all the time.
Workaround: There is no workaround.
Further Problem Description: These errors occur for malformed mac notification packet sent from one line card to a sip-600 or es20g line card. An interrupt is logged because of problems with the IPv4 part of the data, but the mac information is still recorded. Packets are not lost with this error.
•
CSCsk72417
Symptoms: Crash is seen resetting cheronia or samboni.
Conditions: This symptom happens only to the RSP platforms, as tftpboot path is missing.
Workaround: There is no workaround.
•
CSCsk73104
Cisco IOS contains multiple vulnerabilities in the Data-link Switching (DLSw) feature that may result in a reload or memory leaks when processing specially crafted UDP or IP Protocol 91 packets.
Cisco has released free software updates that address these vulnerabilities.
Workarounds are available to mitigate the effects of these vulnerabilities.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080326-dlsw.shtml
•
CSCsk78390
Symptoms: A crash is seen when FPD upgrades are done in parallel.
Conditions: This symptom is observed when there is a parallel FPD upgrade.
Workaround: Do a single FPD upgrade at a time.
•
CSCsk79031
Symptoms: IP Internetworking may not function on a Supervisor Engine 720. For example, traffic may not pass from an EoMPLS VC on a Gigabit Ethernet interface to a serial ATM interface.
Conditions: This symptom is observed on a Cisco 7600 series when a packet is recirculated, for example, because a service policy is attached to the core-facing interface. The symptom is not related to the specific core-facing line card, but the workaround is.
Workaround: Avoid recirculation of packets in the direction from the CE towards the core. For example, when a service causes recirculation, the service policy has to be removed from the core interfaces.
•
CSCsk80552
Symptoms: A delay is seen in forming the PIM Auto-RP mapping. Whenever a link flaps, graft messages are sent for faster convergence; because these messages are dropped over the MDT tunnel, convergence is delayed.
Conditions: On networks with an mVPN deployment and PIM-DM in the core, an interface flap on the PE/CE router may cause a delay in forming the PIM Auto-RP mapping.
The issue causes traffic black holing and affects the sources and receivers in the network if the following conditions hold true:
a. The network has an mVPN deployment, and the path between source and receiver has to traverse the mVPN cloud.
b. The issue is specific to 6500 and 7600 series routers, so there should be at least one 6500 or 7600 decapsulating router (PE) present in the mVPN deployment, along the path between the source and the receiver.
Workaround: Migrate to PIM-SM. No functionality is affected, and the fix is available in the SXI release through the commit of CSCsk80552.
Further Problem Description: The PIM-DM graft messages, unlike other PIM-DM control packets, are unicast packets. When sent over the MDT tunnel, these packets are encapsulated with a multicast MAC address and a unicast IP address (the destination IP of the tunnel); such packets are not replicated and are dropped.
•
CSCsk80934
Symptoms: When a line card has a power converter failure, the line card is power cycled without a proper error message to indicate the failure.
Conditions: This symptom is caused by a hardware power converter failure.
Workaround: This problem has been fixed: if the software detects a line card power converter failure, it prints/generates a syslog message to indicate the failure.
•
CSCsk82821
Symptoms: The UUT is not able to receive the large ICMP message.
Conditions: This symptom occurs on the s72033-adventerprisek9_wan_dbg-vz.122-32.8.11.SX117 image.
Workaround: There is no workaround.
•
CSCsk83524
Symptoms: The L3 physical interface "input drop" counter in the show interface x/y output increments at the same pace as the "overrun" counter. The definitions of these two counters are completely different.
Conditions: In a nutshell, the "input drop" counter represents packets dropped by the RP in software when the input queue is full and the RP throttles the interface. The "overrun" counter represents packets dropped in hardware due to a lack of rx buffers in the port ASIC.
At the moment, the L3 physical interface "input drop" counter counts both software-dropped and hardware-dropped packets, which is incorrect.
Workaround: There is no workaround.
Further Problem Description: Current PM counters handling code does not distinguish L2 Switchports from L3 Routed Ports. For each port on the system PM will coll

