Caveats for Cisco IOS Release 12.2T
March 26, 2008
Cisco IOS Release 12.2(15)T17
OL-2333-04 Rev. Q3
This document lists severity 1 and 2 caveats and select severity 3 caveats for Cisco IOS Release 12.2T, up to and including Release 12.2(15)T17. Caveats describe unexpected behavior or defects in Cisco IOS software releases. Severity 1 caveats are the most serious caveats; severity 2 and severity 3 caveats are less serious.
Note
The first maintenance release of Cisco IOS Release 12.2T was renumbered from Release 12.2(1)T to Release 12.2(2)T. The set of features for Release 12.2(1)T is the same as that for Release 12.2(2)T. There was no change in the feature content of the release. The second maintenance release of Cisco IOS Release 12.2T is numbered 12.2(4)T, the third maintenance release of Cisco IOS Release 12.2T is numbered 12.2(8)T, the fourth maintenance release of Cisco IOS Release 12.2T is numbered 12.2(11)T, and the fifth maintenance release of Cisco IOS Release 12.2T is numbered 12.2(13)T. The sixth maintenance release of Cisco IOS Release 12.2T is numbered 12.2(15)T.
To improve this document, we would appreciate your comments. If you are reading Cisco product documentation on the World Wide Web, you can submit comments electronically at http://www.cisco.com/feedback/ or contact caveats-doc@cisco.com. For more information, see the "Documentation Feedback" section on page 648.
Contents
• Resolved Caveats—Cisco IOS Release 12.2(15)T17
• Resolved Caveats—Cisco IOS Release 12.2(15)T16
• Resolved Caveats—Cisco IOS Release 12.2(15)T15
• Resolved Caveats—Cisco IOS Release 12.2(15)T14
• Resolved Caveats—Cisco IOS Release 12.2(15)T13
• Resolved Caveats—Cisco IOS Release 12.2(15)T12
• Resolved Caveats—Cisco IOS Release 12.2(15)T11
• Resolved Caveats—Cisco IOS Release 12.2(15)T10
• Resolved Caveats—Cisco IOS Release 12.2(15)T9
• Resolved Caveats—Cisco IOS Release 12.2(15)T8
• Resolved Caveats—Cisco IOS Release 12.2(15)T7
• Resolved Caveats—Cisco IOS Release 12.2(15)T5
• Resolved Caveats—Cisco IOS Release 12.2(15)T4
• Resolved Caveats—Cisco IOS Release 12.2(15)T2
• Resolved Caveats—Cisco IOS Release 12.2(15)T1
• Open Caveats—Cisco IOS Release 12.2(15)T
• Resolved Caveats—Cisco IOS Release 12.2(13)T16
• Resolved Caveats—Cisco IOS Release 12.2(13)T14
• Resolved Caveats—Cisco IOS Release 12.2(13)T13
• Resolved Caveats—Cisco IOS Release 12.2(13)T12
• Resolved Caveats—Cisco IOS Release 12.2(13)T11
• Resolved Caveats—Cisco IOS Release 12.2(13)T10
• Resolved Caveats—Cisco IOS Release 12.2(13)T9
• Resolved Caveats—Cisco IOS Release 12.2(13)T8
• Resolved Caveats—Cisco IOS Release 12.2(13)T5
• Resolved Caveats—Cisco IOS Release 12.2(13)T4
• Resolved Caveats—Cisco IOS Release 12.2(13)T3
• Resolved Caveats—Cisco IOS Release 12.2(13)T2
• Resolved Caveats—Cisco IOS Release 12.2(13)T1
• Resolved Caveats—Cisco IOS Release 12.2(13)T
• Resolved Caveats—Cisco IOS Release 12.2(11)T11
• Resolved Caveats—Cisco IOS Release 12.2(11)T10
• Resolved Caveats—Cisco IOS Release 12.2(11)T9
• Resolved Caveats—Cisco IOS Release 12.2(11)T8
• Resolved Caveats—Cisco IOS Release 12.2(11)T6
• Resolved Caveats—Cisco IOS Release 12.2(11)T5
• Resolved Caveats—Cisco IOS Release 12.2(11)T4
• Resolved Caveats—Cisco IOS Release 12.2(11)T3
• Resolved Caveats—Cisco IOS Release 12.2(11)T2
• Resolved Caveats—Cisco IOS Release 12.2(11)T1
• Resolved Caveats—Cisco IOS Release 12.2(11)T
• Resolved Caveats—Cisco IOS Release 12.2(8)T10
• Resolved Caveats—Cisco IOS Release 12.2(8)T8
• Resolved Caveats—Cisco IOS Release 12.2(8)T7
• Resolved Caveats—Cisco IOS Release 12.2(8)T5
• Resolved Caveats—Cisco IOS Release 12.2(8)T4
• Resolved Caveats—Cisco IOS Release 12.2(8)T3
• Resolved Caveats—Cisco IOS Release 12.2(8)T2
• Resolved Caveats—Cisco IOS Release 12.2(8)T1
• Resolved Caveats—Cisco IOS Release 12.2(8)T
• Resolved Caveats—Cisco IOS Release 12.2(4)T7
• Resolved Caveats—Cisco IOS Release 12.2(4)T6
• Resolved Caveats—Cisco IOS Release 12.2(4)T5
• Resolved Caveats—Cisco IOS Release 12.2(4)T3
• Resolved Caveats—Cisco IOS Release 12.2(4)T1
• Resolved Caveats—Cisco IOS Release 12.2(4)T
• Resolved Caveats—Cisco IOS Release 12.2(2)T4
• Resolved Caveats—Cisco IOS Release 12.2(2)T3
• Resolved Caveats—Cisco IOS Release 12.2(2)T2
• Resolved Caveats—Cisco IOS Release 12.2(2)T1
• Resolved Caveats—Cisco IOS Release 12.2(2)T
• Obtaining Documentation
• Documentation Feedback
• Cisco Product Security Overview
• Product Alerts and Field Notices
• Obtaining Technical Assistance
• Obtaining Additional Publications and Information
How to Use This Document
This document describes open and resolved severity 1 and 2 caveats and select severity 3 caveats.
• The "Open Caveats" section lists open caveats that apply to the current release and may apply to previous releases.
• The "Resolved Caveats" sections list caveats resolved in a particular release, but open in previous releases.
Within the sections the caveats are sorted by technology in alphabetical order. For example, AppleTalk caveats are listed separately from, and before, IP caveats. The caveats are also sorted alphanumerically by caveat number.
If You Need More Information
Cisco IOS software documentation can be found on the web through Cisco.com. For information on Cisco.com, see the "Obtaining Documentation" section on page 647.
For more information on caveats and features in Cisco IOS Release 12.2 T, refer to the following sources:
• Dictionary of Internetworking Terms and Acronyms—The Dictionary of Internetworking Terms and Acronyms contains definitions of acronyms that are not defined in this caveats document.
• Bug Toolkit—If you have an account on Cisco.com, you can also use the Bug Toolkit to find select caveats of any severity. To reach the Bug Toolkit, log in to Cisco.com and click Service & Support: Software Center: Cisco IOS Software: BUG TOOLKIT. Another option is to go to http://www.cisco.com/pcgi-bin/Support/Bugtool/launch_bugtool.pl. (If the defect that you have requested cannot be displayed, this may be due to one or more of the following reasons: the defect number does not exist, the defect does not have a customer-visible description yet, or the defect has been marked Cisco Confidential.)
• Release Notes for Cisco IOS Release 12.2 T—These release notes describe new features and significant software components for Cisco IOS software Release 12.2.
• Deferral Advisories and Software Advisories for Cisco IOS Software—Deferral Advisories and Software Advisories for Cisco IOS Software provides information about caveats that are related to deferred software images for Cisco IOS releases. If you have an account on Cisco.com, you can access Deferral Advisories and Software Advisories for Cisco IOS Software at http://www.cisco.com/public/sw-center/sw-ios-advisories.shtml.
• What's New for IOS—What's New for IOS lists recently posted Cisco IOS software releases and software releases that have been removed from Cisco.com. If you have an account on Cisco.com, you can access What's New for IOS at http://www.cisco.com/public/sw-center/sw-ios.shtml or by logging into Cisco.com and selecting Technical Support: Software Center: Products and Downloads: Cisco IOS Software.
Note
Release notes are modified only on an as-needed basis. The maintenance release number and the revision date represent the last time the release notes were modified to include new or updated information. For example, release notes are modified whenever any of the following items change: software or hardware features, feature sets, memory requirements, software deferrals for the platform, microcode or modem code, or related documents.
The most recent release notes document when this caveats document was published is Release Notes for Cisco IOS Release 12.2 T, for Cisco IOS Release 12.2(15)T8 on August 22, 2006.
Resolved Caveats—Cisco IOS Release 12.2(15)T17
Cisco IOS Release 12.2(15)T17 is a rebuild release for Cisco IOS Release 12.2(15)T. The caveats in this section are resolved in Cisco IOS Release 12.2(15)T17 but may be open in previous Cisco IOS releases.
The following information is provided for each caveat:
• Symptoms: A description of what is observed when the caveat occurs.
• Conditions: The conditions under which the caveat has been known to occur.
• Workaround: Solutions, if available, to counteract the caveat.
Basic System Services
• CSCee45312
Remote Authentication Dial In User Service (RADIUS) authentication on a device that is running certain versions of Cisco Internetworking Operating System (IOS) and configured with a fallback method to none can be bypassed.
Systems that are configured for other authentication methods or that are not configured with a fallback method to none are not affected.
Only the systems that are running certain versions of Cisco IOS are affected. Not all configurations using RADIUS and none are vulnerable to this issue. Some configurations using RADIUS, none and an additional method are not affected.
Cisco has made free software available to address this vulnerability. There are workarounds available to mitigate the effects of the vulnerability.
More details can be found in the security advisory, which is posted at the following URL:
http://www.cisco.com/warp/public/707/cisco-sa-20050629-aaa.shtml
Miscellaneous
• CSCei61732
Cisco IOS may permit arbitrary code execution after exploitation of a heap-based buffer overflow vulnerability. Cisco has included additional integrity checks in its software, as further described below, that are intended to reduce the likelihood of arbitrary code execution.
Cisco has made free software available that includes the additional integrity checks for affected customers.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20051102-timers.shtml.
Wide-Area Networking
• CSCsa52807
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messages
Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at:
http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en
Resolved Caveats—Cisco IOS Release 12.2(15)T16
Cisco IOS Release 12.2(15)T16 is a rebuild release for Cisco IOS Release 12.2(15)T. The caveats in this section are resolved in Cisco IOS Release 12.2(15)T16 but may be open in previous Cisco IOS releases.
The following information is provided for each caveat:
• Symptoms: A description of what is observed when the caveat occurs.
• Conditions: The conditions under which the caveat has been known to occur.
• Workaround: Solutions, if available, to counteract the caveat.
Miscellaneous
• CSCsa81379
NetFlow Feature Acceleration has been deprecated and removed from Cisco IOS. The global command ip flow-cache feature-accelerate will no longer be recognized in any IOS configuration.
If your router configuration does not currently contain the command ip flow-cache feature-accelerate, this change does not affect you.
The removal of NetFlow Feature Acceleration does not affect any other aspects of NetFlow operation, for example access-list processing. The features are separate and distinct.
Cisco Express Forwarding (CEF) supersedes the deprecated NetFlow Feature Acceleration.
Additionally, the following MIB objects and OIDs have been deprecated and removed from the NetFlow MIB (CISCO-NETFLOW-MIB):
cnfFeatureAcceleration 1.3.6.1.4.1.9.9.99999.1.3
cnfFeatureAccelerationEnable 1.3.6.1.4.1.9.9.99999.1.3.1
cnfFeatureAvailableSlot 1.3.6.1.4.1.9.9.99999.1.3.2
cnfFeatureActiveSlot 1.3.6.1.4.1.9.9.99999.1.3.3
cnfFeatureTable 1.3.6.1.4.1.9.9.99999.1.3.4
cnfFeatureEntry 1.3.6.1.4.1.9.9.99999.1.3.4.1
cnfFeatureType 1.3.6.1.4.1.9.9.99999.1.3.4.1.1
cnfFeatureSlot 1.3.6.1.4.1.9.9.99999.1.3.4.1.2
cnfFeatureActive 1.3.6.1.4.1.9.9.99999.1.3.4.1.3
cnfFeatureAttaches 1.3.6.1.4.1.9.9.99999.1.3.4.1.4
cnfFeatureDetaches 1.3.6.1.4.1.9.9.99999.1.3.4.1.5
cnfFeatureConfigChanges 1.3.6.1.4.1.9.9.99999.1.3.4.1.6
Resolved Caveats—Cisco IOS Release 12.2(15)T15
Cisco IOS Release 12.2(15)T15 is a rebuild release for Cisco IOS Release 12.2(15)T. The caveats in this section are resolved in Cisco IOS Release 12.2(15)T15 but may be open in previous Cisco IOS releases.
The following information is provided for each caveat:
• Symptoms: A description of what is observed when the caveat occurs.
• Conditions: The conditions under which the caveat has been known to occur.
• Workaround: Solutions, if available, to counteract the caveat.
IP Routing Protocols
• CSCef60659
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messages
Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en.
• CSCeh14015
Symptoms: Connected routes cannot be redistributed from one protocol to another.
Conditions: This symptom occurs on EIGRP routes when using the shut command followed by the no shut command.
Workaround: There is no workaround.
• CSCsa59600
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messages
Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en.
Miscellaneous
• CSCec89389
Symptoms: In the RTSP server, the TCL IVR "media record" verb records in the RTSP server. After recording, "media play" plays the recorded audio-file from the RTSP server, and the playback voice quality is bad. (TCL is not the only script that can cause this problem. Another usage that can lead to the same symptom is the VXML script.)
Conditions: This symptom occurs when "media record" is the destination of the RTSP server with a codec of g711ulaw.
Workaround: Change the record codec from g711uLaw to g729r8, which appears to work fine.
• CSCef44225
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messages
Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en.
• CSCef44699
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messages
Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en.
• CSCef61610
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messages
Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en.
• CSCef67682
Reception of certain IPv6 fragments with carefully crafted illegal contents may cause a router running Cisco IOS to reload if it has IPv6 configured. This applies to all versions of Cisco IOS that include support for IPv6.
The system may be protected by installing appropriate access lists to filter all IPv6 fragments destined for the system. For example:
interface Ethernet0/0
 ipv6 traffic-filter nofragments in
!
ipv6 access-list nofragments
 deny ipv6 any <my address1> undetermined-transport
 deny ipv6 any <my address2> fragments
 permit ipv6 any any
This must be applied across all interfaces, and must be applied to all IPv6 addresses which the system recognizes as its own.
This will effectively disable reassembly of all IPv6 fragments. Some networks may rely on IPv6 fragmentation, so careful consideration should be given before applying this workaround.
We recommend that customers upgrade to the fixed IOS release. All IOS releases listed in IPv6 Routing Header Vulnerability Advisory at /en/US/products/products_security_advisory09186a00807cb0fd.shtml contain fixes for this issue.
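The two requirements of the workaround above (the filter on every IPv6 interface, and deny entries for every local IPv6 address) can be checked against a saved configuration. The following Python audit is an added example, not part of Cisco's release notes; the sample configuration, the `host <address>` destination form, the function names, and the reading that each address needs both deny entries are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample running-config (not taken from the release notes).
SAMPLE_CONFIG = """\
interface Ethernet0/0
 ipv6 address 2001:DB8:0:1::1/64
 ipv6 traffic-filter nofragments in
!
interface Ethernet0/1
 ipv6 address 2001:DB8:0:2::1/64
!
interface Serial0/0
 ip address 192.0.2.1 255.255.255.0
!
ipv6 access-list nofragments
 deny ipv6 any host 2001:DB8:0:1::1 undetermined-transport
 deny ipv6 any host 2001:DB8:0:1::1 fragments
 deny ipv6 any host 2001:DB8:0:2::1 fragments
 permit ipv6 any any
"""

KEYWORDS = ("undetermined-transport", "fragments")


def parse_blocks(config):
    """Split a config into {top-level line: [indented sub-commands]}."""
    blocks, current = {}, None
    for line in config.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("!"):
            current = None
        elif line[0].isspace():
            if current is not None:
                blocks[current].append(stripped)
        else:
            current = stripped
            blocks.setdefault(current, [])
    return blocks


def audit(config, acl_name="nofragments"):
    """Return a list of gaps in the fragment-filtering workaround."""
    blocks = parse_blocks(config)
    findings, local_addrs = [], {}

    # Requirement 1: the ACL is applied inbound on every IPv6 interface.
    # Only explicitly configured global addresses are visible here;
    # link-local and autoconfigured addresses must be reviewed by hand.
    for header, cmds in blocks.items():
        if not header.startswith("interface "):
            continue
        ifname = header.split(None, 1)[1]
        addrs = []
        for cmd in cmds:
            m = re.match(r"ipv6 address (\S+)/\d+", cmd)
            if m:
                try:
                    addrs.append(ipaddress.IPv6Address(m.group(1)))
                except ValueError:
                    pass
        if not addrs:
            continue
        if f"ipv6 traffic-filter {acl_name} in" not in cmds:
            findings.append(f"{ifname}: ACL '{acl_name}' is not applied inbound")
        for addr in addrs:
            local_addrs[addr] = ifname

    # Requirement 2: every local address has the deny entries, and they
    # appear before the final "permit ipv6 any any" (later entries never match).
    covered = {kw: set() for kw in KEYWORDS}
    for entry in blocks.get(f"ipv6 access-list {acl_name}", []):
        entry = re.sub(r"^sequence \d+ ", "", entry)
        if entry == "permit ipv6 any any":
            break
        m = re.match(
            r"deny ipv6 any (?:host (\S+)|(\S+)/128) "
            r"(fragments|undetermined-transport)$", entry)
        if not m:
            continue
        try:
            covered[m.group(3)].add(ipaddress.IPv6Address(m.group(1) or m.group(2)))
        except ValueError:
            continue

    for addr, ifname in local_addrs.items():
        for kw in KEYWORDS:
            if addr not in covered[kw]:
                findings.append(f"{addr} ({ifname}): no deny entry for {kw}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```
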
• CSCef68324
Cisco Internetwork Operating System (IOS) software is vulnerable to a Denial of Service (DoS) and potentially an arbitrary code execution attack from a specifically crafted IPv6 packet. The packet must be sent from a local network segment. Only devices that have been explicitly configured to process IPv6 traffic are affected. Upon successful exploitation, the device may reload or be open to further exploitation.
Cisco has made free software available to address this vulnerability for all affected customers.
More details can be found in the security advisory that is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050729-ipv6.shtml.
• CSCeh09360
Symptoms: IPSec does not function when the ip route cache command is enabled.
Conditions: This symptom is observed on a Cisco AS5400 that runs Cisco IOS Release 12.3(11)T3 but may be platform-independent.
Workaround: There is no workaround.
• CSCeh22179
Symptoms: No traffic is sent from the Cisco 3825 router.
Conditions: This symptom occurs while running Cisco IOS Release 12.3(11)T3 if the traffic from a VPN going out through the global interface does not require encryption.
Workaround: Remove the crypto map from the global interface.
• CSCin82407
Cisco Internetwork Operating System (IOS) Software release trains 12.2T, 12.3 and 12.3T may contain vulnerabilities in processing certain Internet Key Exchange (IKE) Xauth messages when configured to be an Easy VPN Server.
Successful exploitation of these vulnerabilities may permit an unauthorized user to complete authentication and potentially access network resources.
This advisory will be posted to http://www.cisco.com/warp/public/707/cisco-sa-20050406-xauth.shtml
Wide-Area Networking
• CSCef58201
Symptoms: The CEF-Dialer feature fails to add an adjacency for a virtual-access1 CEF interface because the IP route is installed after the feature attempts to add the adjacency.
Conditions: This symptom is observed during a test on a Cisco router that runs Cisco IOS Release 12.3 or interim Release 12.3(10.3)T.
Workaround: There is no workaround.
Resolved Caveats—Cisco IOS Release 12.2(15)T14
Cisco IOS Release 12.2(15)T14 is a rebuild release for Cisco IOS Release 12.2(15)T. The caveats in this section are resolved in Cisco IOS Release 12.2(15)T14 but may be open in previous Cisco IOS releases.
The following information is provided for each caveat:
• Symptoms: A description of what is observed when the caveat occurs.
• Conditions: The conditions under which the caveat has been known to occur.
• Workaround: Solutions, if available, to counteract the caveat.
Basic System Services
• CSCdz32659
Symptoms: Many memory allocation failure (MALLOCFAIL) messages may occur for a Cisco Discovery Protocol (CDP) process:
%SYS-2-MALLOCFAIL: Memory allocation of -1732547824 bytes failed from x605111F0, pool Processor, alignment 0
-Process= "CDP Protocol", ipl= 0, pid= 42
-Traceback= 602D5DF4 602D78A0 605111F8 60511078 6050EC88 6050E684 602D0E2C 602D0E18
Conditions: The symptom is observed on a Cisco 7513 that runs Cisco IOS Release 12.0(17)ST. The symptom may also occur on other Cisco 7500 series routers that run Release 12.0 S, 12.2 S, 12.3, or 12.3 T.
Workaround: To prevent the symptom from occurring again, disable CDP by entering the no cdp run global configuration command.
• CSCec25430
Symptoms: A Cisco device reloads on receipt of a corrupt CDP packet. One possible scenario is:
Reloading a faulty Cisco IP conference station 7935 or 7936 may cause a connected Cisco switch or router to reload. A CDP message may appear on the terminal, such as the following one:
%CDP-4-DUPLEX_MISMATCH duplex mismatch discovered on FastEthernet5/1 (not half duplex), with SEP00e0752447b2 port 1 (half duplex).
Conditions: This symptom is observed when an empty "version" field exists in the output of the show cdp entry * command for at least one entry.
Workaround: Disable CDP by entering the no cdp run global configuration command.
First Alternate Workaround: Disable CDP on the specific (sub-)interface(s) whose corresponding neighbor(s) has or have an empty "version" field in the output of the show cdp entry * command.
Second Alternate Workaround: Disconnect the 7935 or 7936 phone, in the case of the specific symptom that is described above.
• CSCed40563
Symptoms: Depending upon configuration, issuing the show cdp entry * protocol command may cause a reload of the device.
Conditions: This symptom occurs on Cisco products that are speaking CDP with configurable interface MTU.
Workaround: Disable CDP, avoid issuing the command under given circumstances, or upgrade to a fixed version of software.
• CSCef51968
Symptoms: A Cisco router crashes with a POD request.
Conditions: This symptom is observed when a POD request is issued for an MLP call.
Workaround: There is no workaround.
Further Problem Description: This problem is seen in Cisco IOS Release 12.2T but not in Cisco IOS Release 12.3 and its child branches.
• CSCin67568
Symptoms: A Cisco device experiences a memory leak in the CDP process.
Conditions: The device sending CDP packets sends a hostname that is 256 or more characters. There are no problems with a hostname of 255 or fewer characters.
Workaround: Configure the neighbor device to use a hostname of fewer than 256 characters, or disable the CDP process with the global command no cdp run.
IP Routing Protocols
• CSCed73023
Symptoms: A Cisco 1600 series crashes with an "Unexpected exception to CPU vector 2" error.
Conditions: This symptom is observed when stateful NAT is configured with the redundancy in command.
Workaround: There is no workaround.
Miscellaneous
• CSCdz66927
Symptoms: Voice ports on a router may be stuck in a seizure acknowledgement (SEIZURE-ACK) state.
Conditions: This symptom is observed for a number of calls on voice ports because some digits in the calls are not pulsed out.
Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command to clear the voice ports.
• CSCea08050
Symptoms: A Cisco router may reload if the show ip access-list access-list-name command is performed on an existing reflexive access-list.
Conditions: This symptom is observed on a Cisco 3620 router that is running Cisco IOS Release 12.2(13).
Workaround: There is no workaround.
• CSCeb81576
Symptoms: The following tracebacks are seen on a voice router:
%DSM-3-NOEVENT: no free event structure available from dsm_ev_chunk_pool for DSM message
Conditions: This symptom leads to dropped calls or DSP timeouts under high stress or high CPU.
Workaround: Reload the router.
• CSCeb88239
A router that is running RIPng may crash after receiving a malformed RIPng packet causing a Denial of Service (DoS) on the device.
Such malformed packets can normally be sent locally. However, if "ipv6 debug rip" is enabled on a system then the crash can also be triggered remotely.
RIP for IPv4 is not affected by this vulnerability.
There is no workaround.
•
CSCec81138
Symptoms: Traceback messages are seen on a Cisco AS5400 origination GW (OGW). The tracebacks are reproducible.
Conditions: This symptom is observed when running tests with an E1R2 interface.
Workaround: There is no workaround.
•
CSCee01688
Symptoms: A NAS crashes when stress scripts are running and when bulk calls are made.
Conditions: This symptom is observed on a Cisco AS5400 and Cisco AS5800 that are configured for T1 when scripts run that enter the shutdown command followed by the no shutdown command on controllers in digital callers and the clear modem all command in analog callers. The NAS is stressed with both analog and digital calls made from a traffic generator that sends 20 packets per second and the scripts run every 10 minutes.
Workaround: There is no workaround.
•
CSCee18883
Symptoms: All VIPs in a Cisco 7500 series restart as a consequence of a Cbus complex that is triggered by a stuck output. Just before the output becomes stuck, IPC timeout errors occur.
Conditions: This symptom is observed on a Cisco 7500 series that runs Cisco IOS Release 12.3(5) in a dLFIoATM environment. The symptom may also occur in other releases.
Workaround: There is no workaround.
•
CSCee49556
Symptoms: When a T.38 fax failure occurs, for example because a call is disconnected, a Cisco AS5400 may incorrectly generate the following message in its log:
%DSM-3-DSP_TIMEOUT: DSP timeout on channel <channel specific information> T38 Codec Switch Failed or Timed out
Conditions: This symptom is observed when there is no real failure in the codec download. The symptom may occur when a disconnect from the telephony side occurs while the Cisco AS5400 is in the middle of a codec download.
Workaround: There is no workaround.
•
CSCef21720
Symptoms: A software-forced crash may occur on a gatekeeper that processes an incoming call.
Conditions: This symptom is observed on a Cisco platform that functions as a gatekeeper and that runs Cisco IOS Release 12.2(15)T13 and occurs only when a GKTMP server is configured for LRQ triggering.
Workaround: There is no workaround.
•
CSCef25881
Symptoms: A router that functions as a DHCP relay agent may drop DHCP packets that contain option 220. A client may not be able to receive an IP address. The following error message is displayed when the debug ip dhcp server packet command is enabled:
DHCPD: nonhierarchical subnet allocation is not supported in this image.
Conditions: These symptoms are observed when option 220 is used differently by some DHCP clients and servers. (Option 220 is not yet standardized.) A Cisco IOS DHCP server or relay agent uses option 220 as a subnet allocation option. This situation may cause problems for certain DHCP clients and servers that use a proprietary option 220 in DHCP packets; such packets may be dropped by a Cisco IOS DHCP server or relay agent.
Workaround: There is no workaround.
•
CSCef46230
Symptoms: A Cisco access server that terminates virtual-profile calls with per-user access control lists (ACLs) does not remove all per-user ACLs when calls are terminated. This situation may cause the memory of the access server to be depleted, and the output of the show processes memory EXEC command may indicate that the "AAA Per-User" process holds most of the allocated memory.
Conditions: This symptom is observed on a Cisco access server that runs a Cisco IOS release that contains the fix for CSCee01688.
Temporary Workaround: To free up memory, manually remove the per-user ACL by entering the no ip access-list extended virtual-access number global configuration command. The number argument consists of the numbers (for example, 2003#671) that are assigned by the Cisco IOS software when the ACL is created.
•
CSCin57741
Symptoms: Adding a large policymap with a number of classes, each with a set feature enabled, can cause a router to crash when there is traffic to each of the classes.
Conditions: This symptom occurs when adding a large policymap with a number of classes.
Workaround: There is no workaround.
•
CSCuk47482
Symptoms: A router may reload unexpectedly while you disable label distribution protocol (LDP) on an interface.
Conditions: This symptom is observed on a router that has several interfaces that are configured for LDP when you disable LDP on all interfaces and when there is still one open TCP connection that is passively used by LDP while you disable LDP on the last interface.
Workaround: There is no workaround.
TCP/IP Host-Mode Services
•
CSCed78149
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messages
Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en.
Resolved Caveats—Cisco IOS Release 12.2(15)T13
Cisco IOS Release 12.2(15)T13 is a rebuild release for Cisco IOS Release 12.2(15)T. The caveats in this section are resolved in Cisco IOS Release 12.2(15)T13 but may be open in previous Cisco IOS releases.
The following information is provided for each caveat:
•
Symptoms: A description of what is observed when the caveat occurs.
•
Conditions: The conditions under which the caveat has been known to occur.
•
Workaround: Solutions, if available, to counteract the caveat.
Basic System Services
•
CSCdz61503
Symptoms: A Cisco router may reload when it performs Simple Network Management Protocol (SNMP) Notification Log MIB queries.
Conditions: This symptom is observed on all versions of Cisco IOS software.
Workaround: There is no workaround; however, the symptoms are not observed on a Cisco ONS 15530 or a Cisco ONS 15540 switch module because the symptoms have been resolved on these platforms.
•
CSCed33110
Symptoms: A VIP crash can lead to memory exhaustion on the RSP, which in turn leads to an RSP crash.
Conditions: This will happen more frequently on routers with a high idb count.
Workaround: There is no workaround.
•
CSCed91215
Symptoms: Attributes 42 and 43 may be of value "zero" in Connection STOP records.
Conditions: This symptom is observed on a Cisco AS5400 and Cisco AS5850 that run Cisco IOS Release 12.3 or Release 12.3(4)T4 when a TCP-clear call is disconnected by the caller. For call disconnects by the NAS, the values are proper.
Workaround: There is no workaround.
•
CSCee16483
Symptoms: An update to Cisco IOS changes the size of the control message of the jitter, UDP, or TCP probe; this change in size makes the updated version incompatible with the previous version.
The "RTT_FORMAT_FAIL" error may occur if the source and the target do not use the same versions of Cisco IOS.
Workaround: Ensure that both the source and the target use the same version of Cisco IOS.
•
CSCee35740
Symptoms: After a VIP crashes, a FIB-3-FIBDISABLE error message due to an IPC timeout may occur for all the slots of the VIP.
Conditions: This symptom is observed on a Cisco 7500 series after the VIP crashes and before the VIP recovers. The FIB-3-FIBDISABLE error message is generated for all the slots of the VIP, causing dCEF switching to become disabled.
Workaround: There is no workaround. You can reenable dCEF by entering the clear cef linecard command.
IP Routing Protocols
•
CSCea81029
Symptoms: A Cisco router may reload unexpectedly when you enter a show command that is related to IP multicast.
Conditions: This symptom is observed on a Cisco router that has remained at the "more" prompt for a long period of time.
Workaround: There is no workaround. If you avoid leaving a show command at a --More-- prompt for a long time, the chance of running into this issue is very small. Also, if the router has neither directly connected receivers nor an IGMP join configured (for example, core routers), this bug does not cause any harm.
•
CSCeb17467
Symptoms: A Cisco router may reload when Border Gateway Protocol (BGP) is configured to carry Virtual Private Network version 4 (VPNv4) routes.
Conditions: This symptom is observed when VPNv4 import processing occurs simultaneously with a BGP neighbor reset, for example, when a VPN routing and forwarding (VRF) instance is configured and you enter the clear ip bgp * privileged EXEC command.
Workaround: There is no workaround.
•
CSCee10996
Symptoms: When the debug ip pim auto-rp command is enabled on a Cisco 7500 series, the router crashes when it receives an AutoRP message.
Conditions: This symptom is observed on a Cisco 7500 series that runs the rsp-isv-mz image of Cisco IOS Release 12.2(15)T7 or 12.2(15)T9. The symptom may also occur in other releases of Release 12.2 T, or in Release 12.3 or Release 12.3 T.
Workaround: There is no workaround.
Miscellaneous
•
CSCdy47789
Symptoms: Directly connected neighbors may be displayed in the "Targeted Hellos" field in the output of the show mpls ldp discovery privileged EXEC command, which is incorrect behavior. This situation does not impact routing functionality.
Conditions: This symptom is observed in an Any Transport over Multiprotocol Label Switching (AToM) environment and is platform independent.
Workaround: There is no workaround.
•
CSCdz89279
Symptoms: Peer fails to call network access server (NAS) if authentication, authorization, and accounting (AAA) configurations are missing.
Workaround: Configure the aaa new-model and aaa authorization commands.
•
CSCea00530
Symptoms: A router may fail to handle the Label Withdraw if the Label Withdraw Message is received with a Forwarding Equivalence Class (FEC) type length value (TLV) and no Label TLV. The router may generate an error message that is similar to the following if a withdraw failure occurs:
%LDP-3-UNKNOWN_MPLS_APP: ldp label withdraw message from 10.1.1.1:0; list type 7; afam 1;
Conditions: This symptom is observed on a Cisco router that is running Multiprotocol Label Switching (MPLS) and the Label Distribution Protocol (LDP).
Workaround: There is no workaround.
•
CSCea23140
Symptoms: A digital signal processor (DSP) may time out on a Cisco IAD2420 series because of a Host Port Interface (HPI) error.
Conditions: This symptom is observed on a Cisco IAD2420 series that is running Cisco IOS Release 12.2(11)T4 every time a call is placed or received.
Workaround: Use the command-line interface (CLI) to issue the following command to the DSPs that have a timeout symptom:
[no] voice dsp waitstate ws dsp_id
where ws is in the range of 1 to 3 with 1 being the default and dsp_id is a 1-based DSP number. The recommended ws value to set in this particular case is 2. Do not set the ws value higher than 2. The issuance of the CLI command will not take effect until the next DSP reset occurs either through an automatic mechanism or through test commands.
•
CSCea29042
Symptoms: A Cisco 3640 router running recent Cisco IOS Release 12.2T based images does not write a crashinfo file to flash upon suffering a crash.
Conditions: This problem is seen only when the crashinfo file cannot be written to either the crashinfo location that is configured via the exception crashinfo file command or the default crashinfo location (mostly bootflash:), because of insufficient space or for some other reason.
Only when this occurs does the router try to write to all remaining local storage media. Only if flash: is selected in this last effort to dump the crash information may the write to flash fail.
Workaround: If flash has sufficient space to collect crashinfo, configure the exception crashinfo file flash: command explicitly rather than relying on the default configuration.
•
CSCea29640
Symptoms: A 1-port High-Speed Serial Interface network module (NM-1HSSI) that is running Frame Relay traffic shaping (FRTS) and Frame Relay fragmentation 12 (FRF.12) may randomly stop functioning and does not recover on its own. This problem is not limited to FRF.12 and could also occur with other configurations.
Conditions: This symptom is observed on a Cisco 3600 router that is running Cisco IOS Release 12.2(11)T1 or Release 12.2(13a) but may also occur in other releases. In addition, the symptom may also occur on a Cisco 7200 series.
Workaround: Disabling FRF.12 fragmentation might help.
First Alternate Workaround: Enter the clear interface EXEC command on the affected interface.
Second Alternate Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the affected interface.
•
CSCea33785
Symptoms: When a gateway starts up, Media Gateway Control Protocol (MGCP) restart in progress (RSIP) messages may not be sent for all available E1 interfaces, causing the call agent to be unaware of full circuit availability on the gateway and calls to be dropped. For example, of 15 available E1 interfaces, only one RSIP message is sent (generally but not necessarily for the first E1 interface). After 20 minutes, another individual E1 RSIP message is sent followed by a wildcard RSIP message for the entire gateway. Every 10 minutes thereafter, two RSIP messages for individual E1s are sent. Up to 80 minutes may be required before stability is reached, causing calls to be dropped each time a delayed RSIP message is sent after the wildcard RSIP message has been sent.
Conditions: This symptom is observed on a Cisco AS5400 that is functioning as a gateway and that is running Cisco IOS Release 12.2(11)T5.
Workaround: There is no workaround.
•
CSCea64492
Symptoms: A Cisco 6400 series Node Route Processor 2 (NRP2) may reload.
Conditions: This symptom is observed when the Cisco 6400 series NRP2 is running Cisco IOS Release 12.2(13)T1 and the Service Selection Gateway (SSG) is enabled.
Workaround: There is no workaround.
•
CSCea83675
Symptoms: A router may reload because of a bus error.
Conditions: This symptom is observed on a Cisco router if a VPN routing/forwarding (VRF) instance is deleted while the show ip vrf vrf-name EXEC command executes.
Workaround: Do not enter the show ip vrf vrf-name EXEC command while any VRF is being deleted.
•
CSCeb00875
Symptoms: An ATM permanent virtual circuit (PVC) that is configured for autodetection of PPP over ATM (PPPoA) or PPP over Ethernet (PPPoE) protocols may drop the incoming PPPoA frames.
Conditions: This symptom may be triggered on a particular PVC, if the PPPoA session is brought up from the other end of the PVC, and if there is a change in the PVC state for any reason (for example, ATM Operation, Administration, and Maintenance [OAM] taking the VC down).
Workaround: Use one of the following workarounds:
- Reconfigure the ATM PVC.
- Do not use PPPoA or PPPoE autosensing.
- Configure the PVC for either PPPoA or PPPoE.
Following is an example of the PVC configuration:
interface atm 4/0.1
no pvc 4/43
pvc 4/43
...
If the VC is part of a range, first configure the pvc-in-range and then configure the encapsulation:
configure terminal
range pvc 6/43 6/1000
pvc-in-range 6/43
encapsulation aal5mux ppp virtual-Template 1
•
CSCeb36963
Symptoms: VLAN class of service (CoS) bits may not be set for outgoing Multiprotocol Label Switching (MPLS) packets, although the modular QoS CLI (MQC) may indicate so.
Conditions: This symptom is observed on a Cisco 7200 series or Cisco 7500 series that runs Cisco IOS Release 12.2, Release 12.3, or Release 12.3 B when CoS marking is applied to a VLAN subinterface. Note that traffic that is generated by the router itself receives the correct CoS for all classes.
Workaround: There is no workaround.
•
CSCeb66825
Symptoms: A Cisco 7200 series may reload unexpectedly during a service-policy configuration.
Conditions: This symptom is observed when you attach a level 2 policy map as a child of a level 1 policy map and when the level 1 policy map is already attached to an interface.
Workaround: Create a level 3 policy map, and attach it to the interface.
•
CSCeb68673
Symptoms: On an ASBR-PE, the TFIB may be missing a forwarding entry for a prefix that is learnt from a PE.
Conditions: This symptom is observed on an "ASBR-co-located PE" (that is, an ASBR that also functions as a PE router) when the PE functionality is removed by deconfiguring VRF, for example, by entering the no ip vrf vrf-name command.
Since this is a timing issue, it may occur in Cisco IOS Release 12.0 S, 12.2 S, 12.2 T, and 12.3.
Workaround: There is no workaround.
•
CSCeb84836
Symptoms: Data packets may be punted to the process path when user logon and logoff activity occurs.
Conditions: This symptom is observed in all of the Service Selection Gateway (SSG) images of Cisco IOS software under heavy load conditions.
Workaround: There is no workaround.
•
CSCec02642
Symptoms: A router may reload with a bus error if a quality of service (QoS) class map or policy map is renamed through modular QoS CLI (MQC) and a subsequent show memory EXEC command is issued.
Conditions: This symptom is observed in all Cisco IOS software releases on all Cisco platforms where the rename command is available under class map and policy map modes. It is observed in Cisco IOS Release 12.1(14)E, Release 12.2(12) and later releases. This symptom is not observed in Release 12.1. The symptom occurs after a global class map or policy map is renamed and a subsequent show memory EXEC command is issued.
Workaround: Avoid use of the rename command. Remove and recreate the class map or policy map instead.
•
CSCec15517
Symptoms: A Cisco router may reload when you enter the show policy-map interface EXEC command.
Conditions: This symptom is observed on a Cisco 7500 series that is configured with a Frame Relay permanent virtual circuit (PVC) policy.
Workaround: There is no workaround.
•
CSCec27278
Symptoms: On a Cisco router that is configured with a Multilink PPP (MLP) interface, the available processor memory may decrease rapidly because of a memory leak.
Conditions: This symptom is observed when the MLP interface flaps repeatedly.
Workaround: There is no workaround. You must resolve the cause of the flapping MLP interface.
Further Problem Description: A QoS configuration is the key cause of this memory leak. The problem does not happen without a QoS configuration. Note: If PPP multilink interleave is configured, then this configuration will trigger QoS memory allocation.
•
CSCec33028
Symptoms: A 1-port E3 serial port adapter (PA-E3) may fail to recover to the "up/up" state even when the original cause of the failure is corrected.
Conditions: This symptom is observed on a Cisco 7500 series.
Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the interface of the PA-E3.
•
CSCec76965
Symptoms: When configuring QoS on a Cisco 7200 series, the router may reload with a bus error. Specifically, the bus error occurs after having entered the no class name command on subinterfaces.
Conditions: This symptom is observed on a Cisco 7200 series that runs the c7200-jk9s-mz image of Cisco IOS Release 12.2(17a). The symptom may also occur in other releases. This behavior is associated with the use of "payload-compression" and Weighted Random Early Detection (WRED) configurations.
Workaround: There is no workaround.
•
CSCed30670
Symptoms: An H.323 proxy may fail when a conference call between a PSTN user and IP phone users is initiated by an IP phone in a Cisco CallManager environment.
Conditions: This symptom is observed on a Cisco router that functions as a gatekeeper, that has the H.323 proxy enabled, and that runs Cisco IOS Release 12.3(5) in the following topology:
An IP phone connects to a Cisco CallManager that connects to the Cisco gatekeeper that has the H.323 proxy enabled. The Cisco gatekeeper connects to yet another gatekeeper that connects to a gateway that, in turn, connects to the PSTN.
All calls to and from the Cisco CallManager IP phone via the Cisco gatekeeper are proxied. The Cisco CallManager runs software version 3.3(3)SR3. The display IE delivery option is disabled in the H.225 trunk configuration in the Cisco CallManager administration web page. The H.225 trunk is controlled by one of the gatekeepers.
The symptom occurs in the following sequence of events:
1. A PSTN user calls an IP phone (IP phone 1).
2. The user of IP phone 1 answers the call and the call is connected with two-way audio.
3. The user of IP phone 1 presses the "conference" button and calls another IP phone (IP phone 2).
4. The user of IP phone 2 answers the call and the call is connected with two-way audio.
5. The user of IP phone 1 presses the "conference" button again.
6. The H.323 proxy fails, causing the PSTN to be disconnected from the conference call.
7. The conference call continues between the user of IP phone 1 and the user of IP phone 2.
Workaround: Enable the "Display IE delivery" option in the H.225 trunk configuration in the Cisco CallManager administration web page.
Alternate Workaround: Disable the H.323 proxy on the Cisco gatekeeper.
•
CSCed45746
Symptoms: Several prefixes for non-redistributed connected interfaces in different VRFs may be partially bound to the same MPLS-VPN label, thus disrupting traffic bound to one or more of these VRFs.
Conditions: This symptom can occur on a Cisco router that runs Cisco IOS Release 12.2, 12.2T, 12.0S, or 12.3 after the VRF interfaces have flapped. The symptom may occur in all code levels of these releases.
Workaround: Clear the routes in the VRFs in sequence.
•
CSCed57281
Symptoms: A router may log a CPUHOG message that is caused by the CEF reloader process.
Conditions: This symptom is observed on a Cisco router when a VRF with more than 9000 routes is added to the configuration.
Workaround: There is no workaround.
•
CSCee00230
Symptoms: A gateway may send wrong resource availability information to a gatekeeper. The actual number of "used" and "free" channels that is shown in the output of the show trunk group command does not match the number that is shown in the output of the show call resource voice status and show isdn status commands.
This situation causes the gatekeeper to receive wrong information about the number of free circuits that the gateway has and may also cause the circuits of the gateway to be underutilized.
Conditions: This symptom is observed on a Cisco AS5300 but may not be platform dependent.
Workaround: There is no workaround.
•
CSCee06794
Symptoms: DTS may not work properly on dot1q Fast Ethernet subinterfaces. Traffic is not shaped at the expected rate.
Conditions: This problem is observed on a Cisco 7500 series that is configured as a PE router and that runs Cisco IOS Release 12.2(12i). The symptom may also occur in other releases.
Workaround: If this is an option, use ISL subinterfaces.
•
CSCee07351
Symptoms: An LC-ATM-enabled subinterface on a PE router stays in the "not ready" state when viewing the LDP session to the LSC using the show mpls ldp discovery command. The shutdown interface command followed by the no shutdown interface command will not clear the problem when performed on either the LC-ATM subinterface on the PE or the Xtag interface on the connected LSC.
Conditions: The interface stays in "interface not LDP ready" state when there exists a stray LVC on the switch interface. The PE reaches this state after multiple LDP flaps.
Workaround: The condition may be cleared by entering the clear ip route prefix command where prefix is the local loopback address for the LC-ATM subinterface. This will cause all tailend LVCs on all LC-ATM subinterfaces to be torn down and re-established, causing a brief customer outage. This workaround should only be used if no alternate path exists for MPLS traffic towards this device (i.e., a redundant LC-ATM subinterface). After using this workaround, user should confirm that the expected number of LVCs has been re-established with the output of the

