Table Of Contents
Release Notes for Cisco 1700 Series Routers for Cisco IOS Release 12.3(4)XK4
Determining the Software Version
Upgrading to a New Software Release
New Software Features in Cisco IOS Release 12.3(4)XK
New Software Features in Release 12.3(4)T
Resolved Caveats - Cisco IOS Release 12.3(4)XK4
Resolved Caveats - Cisco IOS Release 12.3(4)XK3
Resolved Caveats - Cisco IOS Release 12.3(4)XK2
Resolved Caveats - Cisco IOS Release 12.3(4)XK1
Resolved Caveats - Cisco IOS Release 12.3(4)XK
Open Caveats - Cisco IOS Release 12.3(4)XK
Cisco IOS Software Documentation Set
Cisco IOS Release 12.3 Documentation Set Contents
Obtaining Documentation, Obtaining Support, and Security Guidelines
Release Notes for Cisco 1700 Series Routers for Cisco IOS Release 12.3(4)XK4
August 8, 2007OL-5545-07
These release notes describe new features and significant software components for the Cisco 1700 series routers that support the Cisco IOS Release 12.3(4)T, up to and including Cisco IOS Release 12.3(4)XK4. These release notes are updated as needed to describe new memory requirements, new features, new hardware support, software platform deferrals, microcode or modem code changes, related document changes, and any other important changes. Use these release notes with the Cross-Platform Release Notes for Cisco IOS Release 12.3T located on Cisco.com.
For a list of the software caveats that apply to Cisco IOS Release 12.3(4)XK4, see the "Caveats" section and Caveats for Cisco IOS Release 12.3(4)T. The online caveats document is updated for every maintenance release and is located on Cisco.com.
Contents
•
Obtaining Documentation, Obtaining Support, and Security Guidelines
System Requirements
This section describes the system requirements for Cisco IOS Cisco IOS Release 12.3(4)XK4 and includes the following sections:
•
•
Memory Requirements
Table 1 and Table 2 describe the memory requirements for the Cisco IOS feature sets supported by the Cisco IOS Cisco IOS Release 12.3(4)XK4 on the Cisco 1700 series routers.
Hardware Supported
Cisco IOS Cisco IOS Release 12.3(4)XK4 supports the following Cisco 1700 series routers:
•
•
•
•
•
•
•
The Cisco 1701, Cisco 1710, Cisco 1711, Cisco 1712, and Cisco 1721routers run data images only. The Cisco 1751, Cisco 1751-V, and Cisco 1760 routers run data or data-and-voice images, providing digital and analog voice support. The Cisco 1711 and Cisco 1712 routers run select IP Security (IPSec) Triple Data Encryption Standard (3DES) images only (the Cisco 1700 IOS IP/ADSL/IPX/AT/IBM/FW/IDS PLUS IPSEC 3DES, the Cisco 1700 IOS IP/ADSL/FW/IDS PLUS IPSEC 3DES, the Cisco 1700 Advanced Security, and the Cisco 1700 IOS ADVANCED ENTERPRISE SERVICES images).
For descriptions of existing hardware features and supported modules, see the hardware installation guides, configuration and command reference guides, and additional documents specific to the Cisco 1700 series routers, which are available on Cisco.com at the following location:
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_mod/1700/index.htm
This URL is subject to change without notice. If it changes, point your web browser to Cisco.com, and click the following path:
Technical Documentation: Routers: Modular Access Routers: Cisco 1700 Series Routers: <platform_name>
Determining the Software Version
To determine which version of Cisco IOS software is currently running on your Cisco 1700 series router, log in to the router and enter the show version EXEC command. The following sample output from the show version command indicates the version number.
router> show versionCisco Internetwork Operating System SoftwareIOS (tm) C1700 Software (C1700-Y7-MZ), Version 12.3(4)XK4, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)Synched to technology version 12.3(5.7)TUpgrading to a New Software Release
For general information about upgrading to a new software release, see Cisco IOS Software Releases 12.3 T Installation and Upgrade Procedures located on Cisco.com.
Feature Set Tables
The Cisco IOS software is packaged in feature sets consisting of software images, depending on the platform. Each feature set contains a specific set of Cisco IOS features. Cisco IOS Release 12.3(4)XK supports the same feature sets as Releases 12.3 and 12.3(4)T, but Cisco IOS Release 12.3(4)XK includes new features supported by the Cisco 1700 series routers. Cisco IOS Release 12.3(4)XK4 is a rebuild of Cisco IOS Release 12.3(4)XK and includes only bug fixes, it does not include any new features.
Caution
Table 3 through Table 5, Part 2 list the feature and feature sets supported in the Cisco IOS Cisco IOS Release 12.3(4)XK4.
The tables use the following conventions:
•
•
•
Note
Table 5, Part 2 Feature List by Cross-Platform Feature Set for Cisco 1701, 1711, 1712, 1721, 1751, 1751-V, and 1760 Routers
IPSec Preferred Peer
12.3(4)XK
No
Yes
No
1 This image is supported only on Cisco 1751, 1751-V, and 1760 routers.
New and Changed Information
The following sections list the new information about the Cisco 1700 series routers for Cisco IOS Release 12.3(4)XK. This information also applies to Cisco IOS Cisco IOS Release 12.3(4)XK1, Cisco IOS Cisco IOS Release 12.3(4)XK2, Cisco IOS Cisco IOS Release 12.3(4)XK3, and Cisco IOS Release 12.3(4)XK4.
New Software Features in Cisco IOS Release 12.3(4)XK
The following sections describe the new software features supported by the Cisco 1700 series routers for Cisco IOS Release 12.3(4)XK.
IPSec Preferred Peer
The IP Security (IPSec) Preferred Peer feature includes two sub-features—Set Peer with Default Option and IPSec Idle-Timer with Default Option.
Set Peer With Default Option
The IP Security (IPSec) Preferred Peer feature allows the user to control the circumstances by which multiple peers on a crypto map are tried in a failover scenario.
A new keyword default has been added to the set peer command to mark the first peer in a multiple set peer configuration as the default peer. This peer will then be retried in certain failure cases, before trying to connect to the next peer on the list.
If a failure is detected by dead-peer detection (DPD), the default peer will be tried once more before the next peer. If the default peer is unresponsive, failure via retransmits of Internet Key Exchange (IKE) initiation messages will set the new current peer to the next one on the list. Further connections through that crypto map will then try this new current peer.
This feature is useful in a dial backup scenario in which traffic on a physical link stops due to a remote peer failure. DPD will indicate that the remote peer is unavailable, although that peer will remain the current peer. The dial backup link will come up. Once connectivity through the physical link is restored, the default peer will be tried again. This allows the user to always give preference to certain peers in the event of failover. This is useful when the original failure is due to a connectivity issue through the network, rather than due to the failure of remote peer itself. If the remote peer has indeed failed, retransmits to that peer (this takes approximately 45 seconds) will force the default peer to be skipped and the next peer on the list to be tried.
IPSec Idle-Timer With Default Option
The IPSec Idle-Timer With Default Option feature adds a new keyword default to the existing idle-time option on the cset security-association idletime command. When this feature is used in conjunction with the set peer command, the idling out of all connections to the current peer will close the connection to that peer, and ensures that the next time a connection is initiated, it will be directed to the default peer as specified in the set peer command. If default peer is not specified, the behavior in the event of connection timeout will be unchanged, that is, the current peer will remain the one that has just been idled out.
This feature can be used to help facilitate a failover to a preferred peer that may have previously been unavailable, but has now returned to service.
New Software Features in Release 12.3(4)T
For information regarding the features supported in Cisco IOS Release 12.3(4)T, refer to the Cross-Platform Release Notes and New Feature Documentation links at the following location on Cisco.com:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123relnt/xprn123/index.htm
This URL is subject to change without notice. If it changes, point your web browser to Cisco.com, and click the following path:
Service & Support: Technical Documents: Cisco IOS Software: Release 12.3: Release Notes: Cross-Platform Release Notes (Cisco IOS Release 12.3(4)T)
Limitations and Restrictions
The following sections list the limitations and restrictions that apply for the Cisco IOS Release 12.3(4)XK. These limitations also apply to Cisco IOS Cisco IOS Release 12.3(4)XK1, Cisco IOS Cisco IOS Release 12.3(4)XK2, Cisco IOS Cisco IOS Release 12.3(4)XK3, and Cisco IOS Release 12.3(4)XK4.
IPSec Preferred Peer
The IPSec Preferred Peer feature has following limitations:
•
–
–
–
•
–
–
–
Caveats
Caveats describe unexpected behavior or defects in the Cisco IOS software releases. Severity 1 caveats are the most serious caveats, severity 2 caveats are less serious, and severity 3 caveats are the least serious of these three severity levels.
Caveats in Cisco IOS Release 12.3(4)T are also in Cisco IOS Release 12.3(4)XK. For information on caveats in Cisco IOS Release 12.3(2)T, refer to the Caveats for Cisco IOS Release 12.3(4)T document. This document lists severity 1 and 2 caveats; the documents are located on Cisco.com.
Note
Resolved Caveats - Cisco IOS Release 12.3(4)XK4
This section documents possible unexpected behavior by Cisco IOS Release 12.3(4)XK4 and describes only severity 1 and 2 caveats and select severity 3 caveats.
•
Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:
–
–
–
–
–
Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.
There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml
•
The system may be protected by installing appropriate access lists to filter all IPv6 fragments destined for the system. For example:
interface Ethernet0/0ipv6 traffic-filter nofragments in!ipv6 access-list nofragmentsdeny ipv6 any <my address1> undetermined-transportdeny ipv6 any <my address2> fragmentspermit ipv6 any anyThis must be applied across all interfaces, and must be applied to all IPv6 addresses which the system recognizes as its own.
This will effectively disable reassembly of all IPv6 fragments. Some networks may rely on IPv6 fragmentation, so careful consideration should be given before applying this workaround.
•
Cisco IOS may permit arbitrary code execution after exploitation of a heap-based buffer overflow vulnerability. Cisco has included additional integrity checks in its software, as further described below, that are intended to reduce the likelihood of arbitrary code execution.
Cisco has made free software available that includes the additional integrity checks for affected customers.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20051102-timers.shtml.
•
Symptom: The cisco.mgmt.cns.config-changed event message contains invalid XML. The element type cns is missing the matching end-tag </cns>.
Conditions: This may occur when the CNS config notify agent is configured by the cns config notify configuration command.
Workaround: There is no workaround.
•
Remote Authentication Dial In User Service (RADIUS) authentication can be bypassed on a device that is running certain Cisco IOS software releases and is configured with a fallback method of none. Devices that run other Cisco IOS software releases, are configured for other authentication methods or are not configured with a fallback method of none are not affected. Some configurations using RADIUS, none and an additional method also are not affected.
Cisco has made free software available to address this vulnerability. There are also workarounds available to mitigate the effects. More details can be found in the security advisory at the following URL:
http://www.cisco.com/warp/public/707/cisco-sa-20050629-aaa.shtml
•
Symptoms: Although there are free tty lines, you cannot establish a Telnet connection, and a "No Free TTYs" error message is generated.
•
Symptoms: The BGP session is reset if a Cisco router that peers with other routers receives an Autonomous System (AS) path with a length equal to or greater than 255.
•
Symptoms: CBAC sessions are left in sis-closing state due to out-of-order packet handling.
Workaround: None. Lowering the inspect FTP timeout or disabling CEF reduces exposure.
Fix: Bump certain out-of-order packets to process path for catch-up and then drop packets if this is unsuccessful.
•
Certain Cisco IOS software releases, when configured to use the IOS Secure Shell (SSH) server in combination with Terminal Access Controller Access Control System Plus (TACACS+) as a means to perform remote management tasks on IOS devices, may contain two vulnerabilities that can potentially cause IOS devices to exhaust resources and reload. Repeated exploitation of these vulnerabilities can result in a Denial of Service (DoS) condition. Use of SSH with Remote Authentication Dial In User Service (RADIUS) is not affected by these vulnerabilities.
Cisco has made free software available to address these vulnerabilities for all affected customers. There are also workarounds available to mitigate the effects. More details can be found in the security advisory at the following URL:
http://www.cisco.com/warp/public/707/cisco-sa-20050406-ssh.shtml
•
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
–
–
–
Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability. This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at:
http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en.
•
See note for CSCef44699 above.
•
See note for CSCef44699 above.
•
The Cisco IOS Firewall Authentication Proxy for FTP and/or Telnet Sessions feature in certain versions of Cisco IOS software is vulnerable to a remotely exploitable buffer overflow condition.
Devices that do not support, or are not configured for Firewall Authentication Proxy for FTP and/or Telnet Services are not affected.
Devices configured with only Authentication Proxy for HTTP and/or HTTPS are not affected.
Cisco has made free software available to address this vulnerability. There are also workarounds available to mitigate the effects. More details can be found in the security advisory at the following URL:
http://www.cisco.com/warp/public/707/cisco-sa-20050907-auth_proxy.shtml
Resolved Caveats - Cisco IOS Release 12.3(4)XK3
This section documents possible unexpected behavior by Cisco IOS Release 12.3(4)XK3 and describes only severity 1 and 2 caveats and select severity 3 caveats.
•
Cisco Internetwork Operating System (IOS) software is vulnerable to a Denial of Service (DoS) and potentially an arbitrary code execution attack from a specifically crafted IPv6 packet. The packet must be sent from a local network segment. Only devices that have been explicitly configured to process IPv6 traffic are affected. Upon successful exploitation, the device may reload or be open to further exploitation.
Cisco has made free software available to address this vulnerability for all affected customers.
More details can be found in the security advisory that is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050729-ipv6.shtml.
Resolved Caveats - Cisco IOS Release 12.3(4)XK2
This section documents possible unexpected behavior by Cisco IOS Release 12.3(4)XK2 and describes only severity 1 and 2 caveats and select severity 3 caveats.
•
A device running Cisco IOS and enabled for the Border Gateway Protocol (BGP) is vulnerable to a DoS attack from a malformed BGP packet. Only devices with the command bgp log-neighbor-changes configured are vulnerable. The BGP protocol is not enabled by default, and must be configured in order to accept traffic from an explicitly defined peer. Unless the malicious traffic appears to be sourced from a configured, trusted peer, it would be difficult to inject a malformed packet.
Cisco has made free software available to address this problem. Please see the advisory available at http://www.cisco.com/warp/public/707/cisco-sa-20050126-bgp.shtml.
•
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messagesSuccessful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en.
•
See note for CSCef43691 above.
•
See note for CSCef43691 above.
•
Cisco Internetwork Operating System (IOS) Software release trains 12.2T, 12.3 and 12.3T may contain vulnerabilities in processing certain Internet Key Exchange (IKE) Xauth messages when configured to be an Easy VPN Server.
Successful exploitation of these vulnerabilities may permit an unauthorized user to complete authentication and potentially access network resources.
This advisory will be posted to http://www.cisco.com/warp/public/707/cisco-sa-20050406-xauth.shtml
•
See note for CSCef43691 above.
Resolved Caveats - Cisco IOS Release 12.3(4)XK1
This section documents possible unexpected behavior by Cisco IOS Release 12.3(4)XK1 and describes only severity 1 and 2 caveats and select severity 3 caveats.
•
Many memory allocation failure (MALLOCFAIL) messages may occur for a Cisco Discovery Protocol (CDP) process:
%SYS-2-MALLOCFAIL: Memory allocation of -1732547824 bytes failed from x605111F0, pool Processor, alignment 0-Process= "CDP Protocol", ipl= 0, pid= 42-Traceback= 602D5DF4 602D78A0 605111F8 60511078 6050EC88 6050E684 602D0E2C 602D0E18Workaround: To prevent the symptom from occurring again, disable CDP by entering the no cdp run global configuration command.
•
Cisco Routers running Internetwork Operating System (IOS) that supports Multi Protocol Label Switching (MPLS) are vulnerable to a Denial of Service (DoS) attack on MPLS disabled interfaces.
The vulnerability is only present in Cisco IOS release trains based on 12.1T, 12.2, 12.2T, 12.3 and 12.3T. Releases based on 12.1 mainline, 12.1E and all releases prior to 12.1 are not vulnerable.
More details can be found in the security advisory which is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050126-les.shtml.
•
A router may reload unexpectedly because of a bus error when it accesses a low address during the translation of TCP port 514. This is observed on a Cisco router that runs Cisco IOS Release 12.3(5) and that is configured for Network Address Translation (NAT).
Workaround: Prevent the translation of TCP port 514.
•
When the undebug all privileged EXEC command is entered on a Cisco router, all traffic that passes through an encrypted generic routing encapsulation (GRE) tunnel may stop. This symptom is observed on a Cisco router that is configured with a GRE tunnel that is secured via IP Security (IPSec) and that is using Cisco Express Forwarding (CEF) switching.
Workaround: Reinitialize CEF switching by entering the no ip cef global configuration command followed by the ip cef global configuration command.
Alternate Workaround: Do not enter the undebug all privileged EXEC command. Rather, individually disable each debug command.
•
A router may reload unexpectedly after it attempts to access a low memory address.
Workaround: Disable IP Inspect and IDS.
•
Depending upon configuration, issuing the show cdp entry * protocol command may cause a reload of the device.
Workaround: Disable CDP, avoid issuing the command under given circumstances, or upgrade to a fixed version of software.
•
Cisco Internetwork Operating System (IOS) Software is vulnerable to a Denial of Service (DoS) attack from crafted IPv6 packets when the device has been configured to process IPv6 traffic. This vulnerability requires multiple crafted packets to be sent to the device which may result in a reload upon successful exploitation.
More details can be found in the security advisory, which is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050126-ipv6.shtml.
•
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messagesSuccessful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en.
•
A vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences beyond terminated connection which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer) and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality.
All Cisco products which contain TCP stack are susceptible to this vulnerability.
This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS software.
A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.
•
A successful exploitation of this vulnerability may cause a reload of the device and could be exploited repeatedly to produce a Denial of Service (DoS).
Cisco has made free software upgrades available to address this vulnerability for all affected customers.
An advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20050119-itscme.shtml
•
When the Cisco IOS Firewall Context-Based Access Control (CBAC) is configured, the router seems to have a software-forced reload caused by one of the inspections processed.
Workaround: None.
•
A specifically crafted Transmission Control Protocol (TCP) connection to a telnet or reverse telnet port of a Cisco device running Internetwork Operating System (IOS) may block further telnet, reverse telnet, Remote Shell (RSH), Secure Shell (SSH), and in some cases Hypertext Transport Protocol (HTTP) access to the Cisco device. Telnet, reverse telnet, RSH and SSH sessions established prior to exploitation are not affected.
All other device services will operate normally. Services such as packet forwarding, routing protocols and all other communication to and through the device are not affected.
Cisco will make free software available to address this vulnerability. Workarounds, identified below, are available that protect against this vulnerability.
An advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040827-telnet.shtml
•
When large bursts of data are transmitted by a Cisco 1711 router to a WIC-1AM line, packets may be dropped due to data overruns between the router async line and the modem's control processor. As a result, data throughput may be reduced and applications may fail.
Workaround: Configure generic traffic shaping on the async interface to throttle down the rate at which Cisco IOS transmits data to the modem. Note that this will impair the modem's transmission rate. Example:
interface async 1fair-queuetraffic-shape rate 16000 8000•
The service-policy output command under async interface (WIC-AM) in Cisco 1700 router is removed when the router is reloaded.
Workaround: Configure the router again.
•
A Cisco device experiences a memory leak in the CDP process. The device sending CDP packets sends a hostname that is 256 or more characters. There are no problems with a hostname of 255 or fewer characters.
Workaround: Configure the neighbor device to use less than a 256 character hostname, or disable the CDP process with the no cdp run global configuration command.
Resolved Caveats - Cisco IOS Release 12.3(4)XK
This section documents possible unexpected behavior by Cisco IOS Release 12.3(4)XK and describes only severity 1 and 2 caveats and select severity 3 caveats.
•
•
CPUHOG messages are displayed at the console for smaller platforms. Large platforms will not scale.
Workaround: Extend the maximum process execution time. Use the scheduler max-task-time XXX command, where "XXX" is the time in seconds.
•
A vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences beyond terminated connection which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer) and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality.
All Cisco products which contain TCP stack are susceptible to this vulnerability.
This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS software.
A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.
•
A vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences beyond terminated connection which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer) and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality.
All Cisco products which contain TCP stack are susceptible to this vulnerability.
This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS software.
A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.
Open Caveats - Cisco IOS Release 12.3(4)XK
This section documents possible unexpected behavior by Cisco IOS Release 12.3(4)XK and describes only severity 1 and 2 caveats and select severity 3 caveats.
•
When cns config notify diff is configured and ip host command is entered, then CNS configuration change event is sent.
Workaround: None.
•
•
When show cns event stats command is used after reloading the router, an unexpected application uses the event agent.
•
If the ImageID of a device is changed directly from the command line, it will generate an image-id-changed event. However, the server is currently not listening for this event. If the ImageID is changed in such a way, the device will be out of sync with the server, and the server may not be able to contact the device anymore.
Workaround: If the ImageID is changed from the console of the device, the user must manually go to the server graphical user interface (GUI) and update this value for the same device. Make sure that the DeviceName, ConfigID, and ImageID must all be the same at all times.
Related Documentation
The following sections describe the documentation available for the Cisco 1700 series routers. These documents consist of hardware and software installation guides, Cisco IOS configuration guides and command references, system error messages, feature modules, and other documents.
Documentation is available as printed manuals or electronic documents, except for feature modules, which are available online on Cisco.com and http://www.cisco.com/univercd/home/index.htm.
Use these release notes with these documents:
Release-Specific Documents
The following documents are specific to Cisco IOS Release 12.3 and are located on Cisco.com and http://www.cisco.com/univercd/home/index.htm:
•
On Cisco.com at:
Products and Solutions: Cisco IOS Software: Cisco IOS Software Releases 12.3: Instructions and Guides: Release Notes
On http://www.cisco.com/univercd/home/index.htm at:
Cisco IOS Software: Cisco IOS Release 12.3: Release Notes: Cross-Platform Release Notes
Note
•
•
As a supplement to the caveats listed in these release notes, see Caveats for Cisco IOS Release 12.3 and Caveats for Cisco IOS Release 12.3 T, which contains caveats applicable to all platforms for all maintenance releases of Cisco IOS Release 12.3 and Cisco IOS Release 12.3 T.
On Cisco.com at:
Products & Services: IOS Software: Cisco IOS Software Releases 12.3: Instructions and Guides: Release Notes: Release Notes for Cisco IOS Release 12.3, Part 5: Caveats
On http://www.cisco.com/univercd/home/index.htm at:
Cisco IOS Software: Cisco IOS Release 12.3: Release Notes: Caveats
•
Platform-Specific Documents
These documents are available for the Cisco 1700 series routers:
On Cisco.com at:
Products and Solutions: Routers: Cisco 1700 Series Modular Access Routers
On http://www.cisco.com/univercd/home/index.htm at:
Product Documentation: Routers: Modular Access Routers: Cisco 1700 Series Routers
Cisco Feature Navigator
Cisco IOS software is packaged in feature sets that are supported on specific platforms. To get updated information regarding platform support for this feature, access Cisco Feature Navigator. Cisco Feature Navigator dynamically updates the list of supported platforms as new platform support is added for the feature.
Cisco Feature Navigator is a web-based tool that enables you to quickly determine which Cisco IOS software images support a specific set of features and which features are supported in a specific Cisco IOS image. You can search by feature or release. Under the release section, you can compare releases side by side to display both the features unique to each software release and the features in common.
To access Cisco Feature Navigator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:
http://tools.cisco.com/RPF/register/register.do
Cisco Feature Navigator is updated regularly when major Cisco IOS software releases and technology releases occur. For the most current information, go to the Cisco Feature Navigator home page at the following URL:
http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp
Cisco IOS Software Documentation Set
The Cisco IOS software documentation set consists of the Cisco IOS configuration guides, Cisco IOS command references, and several other supporting documents. The Cisco IOS software documentation set is shipped with your order in electronic form on the Documentation CD-ROM—unless you specifically ordered the printed versions.
Documentation Modules
Each module in the Cisco IOS documentation set consists of one or more configuration guides and one or more corresponding command references. Chapters in a configuration guide describe protocols, configuration tasks, and Cisco IOS software functionality, and contain comprehensive configuration examples. Chapters in a command reference provide complete command syntax information. Use each configuration guide with its corresponding command reference.
On Cisco.com at:
Products and Solutions: Cisco IOS Software: Cisco IOS Releases 12.3: Instructions and Guides
On http://www.cisco.com/univercd/home/index.htm at:
Cisco IOS Software: Cisco IOS Release 12.3: Configuration Guides and Command References
Cisco IOS Release 12.3 Documentation Set Contents
Table 6 lists the contents of the Cisco IOS Release 12.3 software documentation set, which is available in electronic form and in printed form if ordered.
On Cisco.com at:
Products and Solutions: Cisco IOS Software: Cisco IOS Releases 12.3: Instructions and Guides
On http://www.cisco.com/univercd/home/index.htm at:
Cisco IOS Software: Cisco IOS Release 12.3
Obtaining Documentation, Obtaining Support, and Security Guidelines
For information on obtaining documentation, obtaining support, providing documentation feed-back, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Use this document in conjunction with the documents listed in the "Related Documentation" section.
CCVP, the Cisco logo, and the Cisco Square Bridge logo are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, LightStream, Linksys, MeetingPlace, MGX, Networking Academy, Network Registrar, Packet, PIX, ProConnect, ScriptShare, SMARTnet, StackWise, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0705R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2007, Cisco Systems, Inc. All rights reserved..
Guest
