Table Of Contents
Release Notes for Cisco 7000 Family for Cisco IOS Release 12.3 XI
Determining the Software Version
Upgrading to a New Software Release
New Hardware Features in Cisco IOS Release 12.3(7)XI4
New Software Features in Cisco IOS Release 12.3(7)XI4
New Hardware Features in Cisco IOS Release 12.3(7)XI3
New Software Features in Cisco IOS Release 12.3(7)XI3
New Hardware Features in Cisco IOS Release 12.3(7)XI2
New Software Features in Cisco IOS Release 12.3(7)XI2
New Hardware Features in Cisco IOS Release 12.3(7)XI1
New Software Features in Cisco IOS Release 12.3(7)XI1
New Hardware Features in Cisco IOS Release 12.3(7)XI
New Software Features in Cisco IOS Release 12.3(7)XI
Multi-Processor Forwarding (MPF) for Broadband LAC
Deprecated and Replacement MIBs
Caveats for Cisco IOS Release 12.3 XI
Open Caveats—Cisco IOS Release 12.3(7)XI4
Resolved Caveats—Cisco IOS Release 12.3(7)XI4
Open Caveats—Cisco IOS Release 12.3(7)XI3
Resolved Caveats—Cisco IOS Release 12.3(7)XI3
Open Caveats—Cisco IOS Release 12.3(7)XI2
Resolved Caveats—Cisco IOS Release 12.3(7)XI2
Open Caveats—Cisco IOS Release 12.3(7)XI1
Resolved Caveats—Cisco IOS Release 12.3(7)XI1
Open Caveats—Cisco IOS Release 12.3(7)XI
Resolved Caveats—Cisco IOS Release 12.3(7)XI
Cisco IOS Software Documentation Set
Cisco IOS Release 12.3 Documentation Set Contents
Obtaining Technical Assistance
Contacting TAC by Using the Cisco TAC Website
Release Notes for Cisco 7000 Family for Cisco IOS Release 12.3 XI
January 24, 2007
Cisco IOS Release 12.3(7)XI4
OL-6248-05
These release notes for the Cisco 7000 family describe the enhancements provided in Cisco IOS Release 12.3(7)XI4. These release notes are updated as needed.
For a list of the software caveats that apply to Cisco IOS Release 12.3(7)XI4, see the "Caveats for Cisco IOS Release 12.3 XI" section and Caveats for Cisco IOS Release 12.3. The caveats document is updated for every maintenance release and is located on Cisco.com and the Documentation CD-ROM.
Use these release notes with Cross-Platform Release Notes for Cisco IOS Release 12.3 located on Cisco.com and the Documentation CD-ROM.
Contents
These release notes describe the following topics:
•
MIBs
•
Caveats for Cisco IOS Release 12.3 XI
•
Obtaining Technical Assistance
System Requirements
This section describes the system requirements for Cisco IOS Release 12.3(7)XI4 and includes the following sections:
•
Determining the Software Version
•
Upgrading to a New Software Release
Memory Recommendations
Supported Hardware
Cisco IOS Release 12.3(7)XI4 supports the following Cisco 7000 platforms:
•
Cisco 7200 series routers
•
Cisco 7301 router
For detailed descriptions of the new hardware features, see the "New and Changed Information" section.
Determining the Software Version
To determine the version of Cisco IOS software running on your Cisco 7000 family router, log in to the Cisco 7000 family router and enter the show version EXEC command. The following sample show version command output is from a router running a Cisco 7200 series software image with Cisco IOS Release 12.3(7)XI4:
Router> show version
Cisco IOS Software, 7301 Software (c7301-I12S-MZ), Version 12.3(7)XI4, RELEASE SOFTWARE (fc1)
Upgrading to a New Software Release
For general information about upgrading to a new software release, refer to Upgrading the Cisco IOS Software Release in Cisco Routers and Modems located at:
http://www.cisco.com/warp/public/732/
Feature Support
Cisco IOS software is packaged in feature sets that consist of software images that support specific platforms. The feature sets available for a specific platform depend on which Cisco IOS software images are included in a release. Each feature set contains a specific set of Cisco IOS features.
Caution
Cisco IOS images with strong encryption (including, but not limited to, 168-bit (3DES) data encryption feature sets) are subject to U.S. government export controls and have limited distribution. Strong encryption images to be installed outside the United States are likely to require an export license. Customer orders may be denied or subject to delay because of U.S. government regulations. When applicable, the purchaser/user must obtain local import and use authorizations for all encryption strengths. Please contact your sales representative or distributor for more information, or send an e-mail to export@cisco.com.
The feature set tables have been removed from the Cisco IOS Release 12.3 release notes to improve the usability of the release notes documentation. The feature-to-image mapping that was provided by the feature set tables is available through Cisco Feature Navigator.
Cisco Feature Navigator is a web-based tool that enables you to determine which Cisco IOS software images support a specific set of features and which features are supported in a specific Cisco IOS image. You can search by feature or by feature set (software image). Under the release section, you can compare Cisco IOS software releases side by side to display both the features unique to each software release and the features that the releases have in common.
To access Cisco Feature Navigator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:
Cisco Feature Navigator is updated regularly when major Cisco IOS software releases and technology releases occur. For the most current information, go to the Cisco Feature Navigator home page at the following URL:
For frequently asked questions about Cisco Feature Navigator, see the FAQs at the following URL:
http://www.cisco.com/support/FeatureNav/FNFAQ.html
Determining Which Software Images (Feature Sets) Support a Specific Feature
To determine which software images (feature sets) in Cisco IOS Release 12.3 support a specific feature, go to the Cisco Feature Navigator home page, enter your Cisco.com login, and perform the following steps:
Step 1
From the Cisco Feature Navigator home page, click Feature.
Step 2
To find a feature, use either "Search by full or partial feature name" or "Browse features in alphabetical order." Either a list of features that match the search criteria or a list of features that begin with the number or letter selected from the ordered list will be displayed in the text box on the left side of the web page.
Step 3
Select a feature from the left text box, and click the Add button to add a feature to the Selected Features text box on the right side of the web page.
Note
To learn more about a feature in the list, click the Description button below the left box.
Repeat this step to add additional features. A maximum of 20 features can be chosen for a single search.
Step 4
Click Continue when you are finished selecting features.
Step 5
From the Major Release drop-down menu, choose 12.3.
Step 6
From the Release drop-down menu, choose the appropriate maintenance release.
Step 7
From the Platform Family drop-down menu, select the appropriate hardware platform. The "Your selections are supported by the following:" table will list all the software images (feature sets) that support the feature(s) that you selected.
Determining Which Features Are Supported in a Specific Software Image (Feature Set)
To determine which features are supported in a specific software image (feature set) in Cisco IOS Release 12.3, go to the Cisco Feature Navigator home page, enter your Cisco.com login, and perform the following steps:
Step 1
From the Cisco Feature Navigator home page, click Compare/Release.
Step 2
In the "Find the features in a specific Cisco IOS release, using one of the following methods:" box, choose 12.3 from the Cisco IOS Major Release drop-down menu.
Step 3
Click Continue.
Step 4
From the Release drop-down menu, choose the appropriate maintenance release.
Step 5
From the Platform Family drop-down menu, choose the appropriate hardware platform.
Step 6
From the Feature Set drop-down menu, choose the appropriate feature set. The "Your selections are supported by the following:" table will list all the features that are supported by the feature set (software image) that you selected.
New and Changed Information
The following sections list the new hardware and software features supported by the Cisco 7000 family of routers for Cisco IOS Release 12.3 XI:
New Hardware Features in Cisco IOS Release 12.3(7)XI4
There are no new hardware features supported in Cisco IOS Release 12.3(7)XI4.
New Software Features in Cisco IOS Release 12.3(7)XI4
There are no new software features supported in Cisco IOS Release 12.3(7)XI4.
New Hardware Features in Cisco IOS Release 12.3(7)XI3
There are no new hardware features supported in Cisco IOS Release 12.3(7)XI3.
New Software Features in Cisco IOS Release 12.3(7)XI3
There are no new software features supported in Cisco IOS Release 12.3(7)XI3.
New Hardware Features in Cisco IOS Release 12.3(7)XI2
There are no new hardware features supported in Cisco IOS Release 12.3(7)XI2.
New Software Features in Cisco IOS Release 12.3(7)XI2
There are no new software features supported in Cisco IOS Release 12.3(7)XI2.
New Hardware Features in Cisco IOS Release 12.3(7)XI1
There are no new hardware features supported in Cisco IOS Release 12.3(7)XI1.
New Software Features in Cisco IOS Release 12.3(7)XI1
There are no new software features supported in Cisco IOS Release 12.3(7)XI1.
New Hardware Features in Cisco IOS Release 12.3(7)XI
There are no new hardware features supported in Cisco IOS Release 12.3(7)XI.
New Software Features in Cisco IOS Release 12.3(7)XI
The following new software features are supported by the Cisco 7000 family for Cisco IOS Release 12.3(7)XI:
Multi-Processor Forwarding (MPF) for Broadband LAC
Multi-Processor Forwarding (MPF) for Broadband LAC is a method of improving the performance of broadband features, specifically the Layer 2 Tunneling Protocol (L2TP) access concentrator (LAC), by enabling forwarding on a second CPU on the Cisco 7301 router. The need to improve performance is important due to the rapid increase in broadband users. MPF for Broadband LAC significantly improves performance, to three times that of a regular Cisco 7301, without adding a new chassis.
MPF for Broadband LAC is accomplished by the second CPU running Fast Forwarding (FF) software to switch data packets. The FF software is bundled together with the Cisco IOS software image. When the Cisco IOS image is loaded, the second CPU is enabled by default. To disable fast forwarding on the second CPU, use the no ip mpf command. In addition, show ip mpf commands and a debug ip mpf command monitor forwarding on the second CPU and provide statistics.
The MPF for Broadband LAC feature requires the purchase of enabling software for the second CPU. You may purchase the enabling software when you purchase a new Cisco 7301 router, or you may purchase the enabling software as an upgrade. In both cases, the second CPU software is bundled in the Cisco IOS image and turned on by default. Contact your Cisco field representative or sales support team for more information.
MIBs
Current MIBs
To obtain lists of supported MIBs by platform and Cisco IOS release, and to download MIB modules, go to the Cisco MIB website on Cisco.com at
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.
Deprecated and Replacement MIBs
Old Cisco MIBs will be replaced in a future release. Currently, OLD-CISCO-* MIBs are being converted into more scalable MIBs without affecting existing Cisco IOS products or network management system (NMS) applications. You can update from deprecated MIBs to the replacement MIBs as shown in Table 6.
Caveats for Cisco IOS Release 12.3 XI
Caveats describe unexpected behavior in Cisco IOS software releases. Severity 1 caveats are the most serious caveats; severity 2 caveats are less serious. Severity 3 caveats are moderate caveats, and only select severity 3 caveats are included in the caveats document.
This section contains only open and resolved caveats for the current Cisco IOS maintenance release.
All caveats in Cisco IOS Release 12.3 and Cisco IOS Release 12.3 T are also in Cisco IOS Release 12.3(7)XI4.
For information on caveats in Cisco IOS Release 12.3, see Caveats for Cisco IOS Release 12.3.
For information on caveats in Cisco IOS Release 12.3 T, see Caveats for Cisco IOS Release 12.3 T, which lists severity 1 and 2 caveats and select severity 3 caveats and is located on Cisco.com and the Documentation CD-ROM.
Note
If you have an account with Cisco.com, you can use Bug Navigator II to find caveats of any severity for any release. To reach Bug Navigator II, log in to Cisco.com and click Service and Support: Technical Assistance Center: Select & Download Software: Jump to a software resource: Software Bug Toolkit/Bug Watcher. Another option is to go to
http://www.cisco.com/support/bugtools/.
Because Cisco IOS Release 12.3(2)XB is the initial base release, there are no resolved caveats. For a list of the resolved caveats, refer to the next set of release notes for this release version.
Open Caveats—Cisco IOS Release 12.3(7)XI4
This section documents possible unexpected behavior by Cisco IOS Release 12.3(7)XI4 and describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCeh62257
PPP is not establishing new sessions.
This issue may occur when a leak in PPP is handled in full virtual-access interfaces.
Workaround: Reload the box or use sub-VAIs.
Resolved Caveats—Cisco IOS Release 12.3(7)XI4
All the caveats listed in this section are resolved in Cisco IOS Release 12.3(7)XI4. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCeb78526
A Cisco 7500 series router that is running LAN Emulation (LANE) and switched virtual circuits (SVCs) may experience a reload caused by a bus error, and the following error message may appear:
System returned to ROM by bus error at PC 0xXXXXXXXX
This issue is observed on a Cisco 7500 series router with a PA-A3-OC3MM ATM port adapter that is running Cisco IOS Release 12.2(15)T5 or a later release.
There are no known workarounds.
•
CSCsa54608
The Cisco IOS Firewall Authentication Proxy for FTP and/or Telnet Sessions feature in specific versions of Cisco IOS software is vulnerable to a remotely-exploitable buffer overflow condition.
Devices that do not support, or are not configured for Firewall Authentication Proxy for FTP and/or Telnet Services are not affected.
Devices configured with only Authentication Proxy for HTTP and/or HTTPS are not affected.
Only devices running certain versions of Cisco IOS are affected.
Cisco has made free software available to address this vulnerability. There are workarounds available to mitigate the effects of the vulnerability.
This advisory will be posted at http://www.cisco.com/warp/public/707/cisco-sa-20050907-auth_proxy.shtml.
Open Caveats—Cisco IOS Release 12.3(7)XI3
This section documents possible unexpected behavior by Cisco IOS Release 12.3(7)XI3 and describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCef81634
When the external traffic-generating tool IXIA Explorer is used to bring up and tear down SSG sessions quickly, the PRE2 crashes with a Bus Error Exception. This problem occurs when the tool initializes the interface and quickly brings sessions back up while the old sessions are still being cleared out.
There are no known workarounds.
•
CSCeg58833
The router unexpectedly reloads when a v-template is removed from a router with active multicast interfaces running.
This issue occurs on any Cisco IOS release running multicast on v-template interfaces.
Workaround: Either remove the multicast configuration from the v-template before removing the v-template, or disable the interfaces before removing the configuration.
•
CSCeg71194
The PRE2 is not able to bring up additional PPPoA sessions when the CPU is running under stress.
This issue occurs when the CPU is running under stress.
There are no known workarounds.
•
CSCsa62475
The following message is logged:
%GENERAL-3-EREVENT: C10KSSG: Null c10k_turbo_acl for old out ACL
-Traceback= 60DBB7AC 60DBCE44 60DB670C 60DB6480 60DBB20C 60DB159C 60E09C68 60E09D4C 60E58434 60E585CC 608496AC 6085CD5C 6085CDD0 6084FD04 608559C8 60846C18
This issue is observed when an SSG user with an SSG output access list defined in its RADIUS profile disconnects the PPPoX session.
Workaround: Define the ACL on the router and refer to it in the user profile instead of defining the ACEs directly in the user profile.
Resolved Caveats—Cisco IOS Release 12.3(7)XI3
All the caveats listed in this section are resolved in Cisco IOS Release 12.3(7)XI3. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCed67358
An IPv6 PIM neighbor may be down after changing the PIM configuration.
This issue is observed when the no ipv6 pim command is entered on some subinterfaces of a physical Ethernet interface and when PIM is enabled on several subinterfaces of the same physical Ethernet interface. The issue affects both IPv4 and IPv6, and configurations with multicast and OSPF Hello messages.
There are no known workarounds.
•
CSCed67628
During an initial boot of a Cisco 7301 that has a PA-MC-8TE1+ or PA-MCX-8TE1-M in bay 0, an unexpected reload may occur.
This issue may occur irrespective of whether a regular Cisco IOS software image or a boot software image is present in the bootflash filesystem.
Workaround: Power-cycle the Cisco 7301 and reboot the platform. The problem surfaces only during the initial boot of the platform.
•
CSCed78149
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1.
Attacks that use ICMP "hard" error messages
2.
Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3.
Attacks that use ICMP "source quench" messages
Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.cpni.gov.uk/docs/re-20050412-00303.pdf.
•
CSCed95499
A Cisco router may unexpectedly reload if a PA driver attempts to convert an uncached iomem address to a cached iomem address.
This issue is observed on a Cisco 7200 series that is configured with an NPE-G1.
There are no known workarounds.
•
CSCee04235
A Network Processing Engine G1 (NPE-G1) may restart unexpectedly and report the following message:
Last reset from watchdog reset
This issue is observed on a Cisco 7200 VXR series router that is configured with an NPE-G1 Network Processing Engine.
There are no known workarounds.
•
CSCee84496
An NPE-G1 may display an erroneous parity error message.
This issue is observed on a Cisco 7200 series when the NPE-G1 receives an ECC/bus error.
There are no known workarounds.
•
CSCef44225
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1.
Attacks that use ICMP "hard" error messages
2.
Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3.
Attacks that use ICMP "source quench" messages
Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at http://www.cpni.gov.uk/docs/re-20050412-00303.pdf.
•
CSCef60659
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1.
Attacks that use ICMP "hard" error messages
2.
Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3.
Attacks that use ICMP "source quench" messages
Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at http://www.cpni.gov.uk/docs/re-20050412-00303.pdf.
•
CSCef61610
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1.
Attacks that use ICMP "hard" error messages
2.
Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3.
Attacks that use ICMP "source quench" messages
Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at http://www.cpni.gov.uk/docs/re-20050412-00303.pdf.
•
CSCef67682
Reception of certain IPv6 fragments with carefully crafted illegal contents may cause a router running Cisco IOS to reload if it has IPv6 configured. This applies to all versions of Cisco IOS that include support for IPv6.
The system may be protected by installing appropriate access lists to filter all IPv6 fragments destined for the system. For example:
interface Ethernet0/0
ipv6 traffic-filter nofragments in
!
ipv6 access-list nofragments
deny ipv6 any <my address1> undetermined-transport
deny ipv6 any <my address2> fragments
permit ipv6 any any
This must be applied across all interfaces, and must be applied to all IPv6 addresses which the system recognizes as its own.
This will effectively disable reassembly of all IPv6 fragments. Some networks may rely on IPv6 fragmentation, so careful consideration should be given before applying this workaround.
We recommend that customers upgrade to the fixed IOS release. All IOS releases listed in the IPv6 Routing Header Vulnerability Advisory at /en/US/products/products_security_advisory09186a00807cb0fd.shtml contain fixes for this issue.
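The following Python script is an added example, not part of these release notes or of any Cisco tooling. It audits an IOS running-config for the workaround above: every interface carrying IPv6 must apply an inbound ipv6 traffic-filter whose access list denies both undetermined-transport and fragments to every address the router owns, ahead of the final permit ipv6 any any. The SAMPLE_CONFIG and all addresses are constructed here; the checker assumes configured global addresses only (link-local addresses, which the router also treats as its own, are out of scope) and accepts host X, X/len and any as deny destinations.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample running-config (documentation prefix 2001:db8::/32):
# Ethernet0/1 has no filter, and Loopback0's address is missing from the ACL.
SAMPLE_CONFIG = """\
!
ipv6 access-list nofragments
 deny ipv6 any host 2001:db8:1::1 undetermined-transport
 deny ipv6 any host 2001:db8:1::1 fragments
 deny ipv6 any host 2001:db8:2::1 undetermined-transport
 deny ipv6 any host 2001:db8:2::1 fragments
 permit ipv6 any any
!
interface Ethernet0/0
 ipv6 address 2001:db8:1::1/64
 ipv6 traffic-filter nofragments in
!
interface Ethernet0/1
 ipv6 address 2001:db8:2::1/64
!
interface Loopback0
 ipv6 address 2001:db8:ff::1/128
 ipv6 traffic-filter nofragments in
!
"""

ACL_RE = re.compile(r"^ipv6 access-list (\S+)$")
IF_RE = re.compile(r"^interface (\S+)$")
# Assumption: only 'ipv6 address X/len' forms count as owned addresses;
# link-local and autoconfigured addresses are not tracked by this checker.
ADDR_RE = re.compile(r"^ipv6 address ([0-9A-Fa-f:]+)/\d+")
FILTER_RE = re.compile(r"^ipv6 traffic-filter (\S+) in$")
# Destination forms accepted in a deny entry: 'host X', 'X/len' or 'any'.
DENY_RE = re.compile(
    r"^deny ipv6 any (?:host )?(any|[0-9A-Fa-f:]+)(?:/(\d+))? "
    r"(undetermined-transport|fragments)$"
)


def parse_config(text):
    """Return ({acl: [entries]}, {interface: {'addresses': [...], 'filter_in': acl}})."""
    acls, interfaces, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # a top-level line closes any open block
            current = None
            if m := ACL_RE.match(line):
                current = ("acl", m.group(1))
                acls.setdefault(m.group(1), [])
            elif m := IF_RE.match(line):
                current = ("if", m.group(1))
                interfaces[m.group(1)] = {"addresses": [], "filter_in": None}
            continue
        if current is None:
            continue
        kind, name = current
        if kind == "acl":
            acls[name].append(line)
        elif m := ADDR_RE.match(line):
            interfaces[name]["addresses"].append(ip_address(m.group(1)))
        elif m := FILTER_RE.match(line):
            interfaces[name]["filter_in"] = m.group(1)
    return acls, interfaces


def missing_denies(entries, address):
    # Required deny keywords that `entries` never apply to `address`. Only
    # entries ahead of the first 'permit ipv6 any any' count: IOS ACLs match
    # first-hit, so a deny placed after a permit-all is unreachable.
    address, missing = ip_address(str(address)), {"undetermined-transport", "fragments"}
    for entry in entries:
        if entry == "permit ipv6 any any":
            break
        if m := DENY_RE.match(entry):
            dest, plen, keyword = m.groups()
            net = ip_network("::/0" if dest == "any" else f"{dest}/{plen or 128}", strict=False)
            if address in net:
                missing.discard(keyword)
    return missing


def audit(text):
    """List every gap in the workaround; an empty list means it is fully applied."""
    acls, interfaces = parse_config(text)
    # A fragment for any owned address can arrive on any IPv6 interface, so
    # every applied ACL must cover every owned address, not just the local one.
    owned = sorted({a for i in interfaces.values() for a in i["addresses"]})
    findings = []
    for name, info in interfaces.items():
        if not info["addresses"]:
            continue  # no IPv6 here, so not an ingress point
        acl = info["filter_in"]
        if acl is None:
            findings.append(f"{name}: IPv6 configured but no inbound ipv6 traffic-filter")
        elif acl not in acls:
            findings.append(f"{name}: traffic-filter {acl} refers to an undefined access list")
        else:
            for addr in owned:
                gap = missing_denies(acls[acl], addr)
                if gap:
                    findings.append(f"{name}: {acl} does not deny {', '.join(sorted(gap))} to {addr}")
    return findings
```

Run audit() over the output of show running-config; it reports three gaps for the sample and nothing once the loopback address is added to the ACL and the filter is applied on Ethernet0/1.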
•
CSCef68324
Cisco Internetwork Operating System (IOS) software is vulnerable to a Denial of Service (DoS) and potentially an arbitrary code execution attack from a specifically crafted IPv6 packet. The packet must be sent from a local network segment. Only devices that have been explicitly configured to process IPv6 traffic are affected. Upon successful exploitation, the device may reload or be open to further exploitation.
Cisco has made free software available to address this vulnerability for all affected customers.
More details can be found in the security advisory that is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050729-ipv6.shtml.
•
CSCin76381
A PXF exception may occur on a Cisco 7200 series that is configured with an NSE-1 or on a Cisco 7401 that has PXF enabled when either of these platforms functions as an LNS.
This issue is observed when an L2TP session is established over a VLAN subinterface that has ISL encapsulation enabled and when traffic is processed on this subinterface.
Workaround: Disable PXF by entering the no ip pxf command.
•
CSCin82407
Cisco Internetwork Operating System (IOS) Software release trains 12.2T, 12.3 and 12.3T may contain vulnerabilities in processing certain Internet Key Exchange (IKE) Xauth messages when configured to be an Easy VPN Server.
Successful exploitation of these vulnerabilities may permit an unauthorized user to complete authentication and potentially access network resources.
This advisory will be posted to http://www.cisco.com/warp/public/707/cisco-sa-20050406-xauth.shtml.
•
CSCsa59600
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1.
Attacks that use ICMP "hard" error messages
2.
Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3.
Attacks that use ICMP "source quench" messages
Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at http://www.cpni.gov.uk/docs/re-20050412-00303.pdf.
Open Caveats—Cisco IOS Release 12.3(7)XI2
This section documents possible unexpected behavior by Cisco IOS Release 12.3(7)XI2 and describes only severity 1 and 2 caveats and select severity 3 caveats.
There are no known open caveats for Cisco IOS Release 12.3(7)XI2.
Resolved Caveats—Cisco IOS Release 12.3(7)XI2
All the caveats listed in this section are resolved in Cisco IOS Release 12.3(7)XI2. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCec38308
SSG only supports one class attribute rather than several of them, although a RADIUS client is supposed to put all class attributes that it receives in Access-Accept messages into Accounting-Request messages that it sends for a session. (See RFC2865/2866.)
This issue is observed on a Cisco platform that is configured as an SSG.
There are no known workarounds.
•
CSCec90041
BGP update generation may enter a deadlock.
This issue is observed when the RR configuration is changed.
Workaround: Remove the BGP process and add it back.
•
CSCed09146
An extra network accounting STOP record may be seen when an async call fails authentication. These are unwanted records and should not be generated.
This issue is seen for an async call on a 5300-T1 platform running Cisco IOS Release 12.3(5.8). This could be service affecting.
There are no known workarounds.
•
CSCed15391
A spurious memory access may occur at atm_vcmode_subcommands.
This issue occurs under low-memory conditions.
There are no known workarounds.
•
CSCed18557
A memory leak may occur in the "dead process" on a Cisco router, and memory allocation failures (MALLOCFAIL) may be reported in the processor pool. The authentication, authorization, and accounting (AAA) User Identifier (UID) database may leak about 200,000 bytes for each failed EXEC call or vty session because of internal errors during the initiation process.
This issue is observed when EXEC Accounting and Network Accounting are enabled and when a failure occurs during an EXEC call or a vty session. The reasons for the EXEC call failure or vty session failure could be low processor memory on the Cisco router, an internal message processing error, or a timeout during the prompting for a username and password.
Workaround: If this is an option, disable EXEC Accounting and Network Accounting.
Note
See similar caveat: CSCee35379
•
CSCed27086
A Cisco router that functions as a PPPoX aggregator may crash because of a bus error.
This issue is observed in a highly scaled environment when many sessions are simultaneously established and torn down.
There are no known workarounds.
•
CSCed51952
A Cisco router may crash when you perform an online insertion and removal (OIR) of a line card.
This issue is observed when an interface on the line card is being configured through the CLI while the OIR of the line card removes the interface.
There are no known workarounds.
•
CSCed59172
An SNMP trap configuration may be erased when you enter the snmp-server enable traps snmp global configuration command with any trap type followed by the snmp-server enable traps [syslog | entity] global configuration command.
This issue is observed on multiple Cisco platforms that run Cisco IOS Release 12.2 or Release 12.3.
For example, the symptom occurs when you enter the following configuration:
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps syslog
snmp-server enable traps entity
Then you enter:
no snmp-server enable traps snmp authentication
no snmp-server enable traps syslog
or you enter:
no snmp-server enable traps snmp authentication
no snmp-server enable traps entity
At this point, the snmp-server enable traps snmp linkdown linkup coldstart warmstart command is no longer in the output of the show running-config command.
Workaround: Manually reconfigure the snmp-server enable traps snmp linkdown linkup coldstart warmstart command.
Alternate workaround: First enter the no snmp-server enable traps syslog command or the no snmp-server enable traps entity command before you enter the no snmp-server enable traps snmp authentication command.
•
CSCed63357
This caveat consists of six separate symptoms, conditions, and workarounds, of which the first three apply to all Cisco IOS releases and the last three apply only to Cisco IOS Release 12.3 T:
Symptom 1:
There are three issues:
–
There may be an inconsistent or duplicate display of files between the show disk slot-number and dir disk slot-number commands.
–
When a file is deleted from the CLI, the file may be deleted but a "No such file" message may be printed.
–
One cluster may leak. Entering the fsck command truncates the original file and creates an orphan file for the leaked cluster.
This symptom is observed when an application creates or opens a file without the "O_TRUNC" mode, as in the following example:
show version | append disk#:
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#vtp file new
Setting device to store VLAN database at filename new.
Router(config)#^Z
There are no known workarounds.
Symptom 2:
The show disk slot-number and dir disk slot-number commands may show inconsistent information (such as inconsistent file sizes) when multiple images are copied.
This symptom is observed when you make two copies of the image file to the disk by using two vtys and by entering the dir disk slot-number command at the same time.
Workaround: Do not enter the show disk slot-number and dir disk slot-number commands when multiple images are being copied.
Symptom 3:
There are two issues:
–
The show disk slot-number and dir disk slot-number commands may show inconsistent information.
–
Entering the fsck command may delete or truncate the valid files or create an orphan file for an unused cluster.
This symptom is observed when you rename a directory that consists of many subdirectories or files.
Workaround: Reload the router.
Symptom 4:
There are two issues:
–
There may be a duplicate entry for each file when you enter the show disk slot-number command.
–
An snmpGet on a ciscoFlashFileSize object may enter a loop.
This symptom is observed on a router that runs Cisco IOS Release 12.3 T after the router boots up.
There are no known workarounds.
Symptom 5:
There are two issues:
–
The show disk slot-number and dir disk slot-number commands may show inconsistent information.
–
Entering the fsck command may delete or truncate the original file.
This symptom is observed on a router that runs Cisco IOS Release 12.3 T when an application or a CLI command overwrites a file on the disk.
Workaround: Reload the router.
Symptom 6:
A router that runs Cisco IOS Release 12.3 T unexpectedly reloads.
This symptom is observed when an application creates or opens a file without the "O_TRUNC" mode and attempts to delete the file, as in the following example:
show version | append disk0:redirect.out
and then issuing
delete disk0:redirect.out
Workaround: Reload the router and delete the file.
•
CSCed65778
Certain release trains of Cisco Internetwork Operating System (IOS), when configured to use the Cisco IOS Secure Shell (SSH) server in combination with Terminal Access Controller Access Control System Plus (TACACS+) as a means to perform remote management tasks on Cisco IOS devices, may contain two vulnerabilities that can potentially cause Cisco IOS devices to exhaust resources and reload. Repeated exploitation of these vulnerabilities can result in a Denial of Service (DoS) condition. Use of SSH with Remote Authentication Dial In User Service (RADIUS) is not affected by these vulnerabilities.
Cisco has made free software available to address these vulnerabilities for all affected customers. There are workarounds available to mitigate the effects of the vulnerability (see the "Workarounds" section of the full advisory for details).
This advisory will be posted at http://www.cisco.com/warp/public/707/cisco-sa-20050406-ssh.shtml
•
CSCed68523
A LAC sends incorrect connection speed information in the L2TP setup message to the LNS, which in turn gets forwarded to the AR RADIUS server for authentication.
This issue is observed on a router that runs Cisco IOS Release 12.3(6.2)T2. The symptom may also occur in other releases.
There are no known workarounds.
•
CSCed78149
TCP connections may be vulnerable to spoofed ICMP packets. A spoofed ICMP packet may cause the TCP connection to use a very low segment size for 10 minutes at a time.
This issue is observed when TCP connections are configured for PMTU discovery. Note that PMTU discovery is disabled by default on a router.
Workaround: Disable PMTU discovery.
•
CSCed84912
A Cisco router may reload unexpectedly with a bus error when you enter the show caller command.
This issue is observed when PPP is configured on a router that runs Cisco IOS Release 12.3, 12.3(3)B1, or 12.3 T.
The issue is more likely to occur when the show caller output is lengthy, and particularly so if the output causes a ---More--- prompt.
The issue is also more likely to occur when there is a high rate of connection and disconnection of PPP sessions, for example, when an interface flaps.
There are no known workarounds.
•
CSCed88805
A router may unexpectedly reload with a bus error with the same address:
System was restarted by bus error at PC 0x606B2BE4, address 0xB0D0C11
Decodes indicate that a PPP problem may be the cause of the symptom.
This issue is not platform dependent and may occur with any type of IP PPP connection. This problem is also most likely to occur when there is a high volume of call connections and disconnections, for example, when an interface carrying multiple calls flaps.
There are no known workarounds.
•
CSCed93630
A Cisco router may reload unexpectedly when a bgp debug command is enabled.
This issue is observed on a Cisco router that runs Cisco IOS Release 12.0S, 12.2S, or 12.3T.
There are no known workarounds.
•
CSCee03702
A Cisco router that is configured for SSG may unexpectedly reload with a bus error.
This issue is observed on a Cisco router that is configured for SSG and that has PPP SSG users when there are IPCP renegotiations on an active PPP session and a new IP address is assigned to the session.
Workaround: Enter the ip address negotiated previous command on the client to prevent a new address from being assigned during the IPCP renegotiations.
•
CSCee11770
All SWIDBs may be used.
This issue is observed when PPPoA sessions flap continuously.
There are no known workarounds.
•
CSCee12235
A Cisco platform reloads because of a watchdog timer expiration.
This issue is observed on a Cisco platform that runs Cisco IOS Release 12.2(20)S2 or Release 12.3 under the following conditions:
–
A service policy ("A") is attached to an ATM PVC.
–
Policy-map "A" is renamed to "B".
–
Service policy "B" is attached to the ATM PVC.
Workaround: First detach the service policy from the PVC, then rename it and attach it again.
•
CSCee16150
The router may not respond to valid PoD packets by disconnecting the user. Instead, the router will return a RADIUS-format packet with a Code of Disconnect-Request-NAKed (42 in decimal) and a Reply-Message attribute with a value set to the string "No Matching Session".
This issue occurs when you are using PoD to disconnect users and have aaa pod server ... auth-type all ... configured, and are using a PoD server which includes an EXACT copy of RADIUS attribute 151 from an earlier accounting request in the PoD packet.
Workaround: Either use a program to generate the PoD packets that knows to convert from an ASCII string of hexadecimal characters to a 32-bit number, or configure the router to ignore the value of attribute 151 in the PoD request by configuring aaa pod server ... auth-type all ignore session-key ...
•
CSCee18018
During the reloading of a Cisco router with dual RSP8 processors, the following error message may be displayed:
%Error opening nvram:/startup-config (Device or resource busy)
As a result, the configuration in NVRAM might not be applied. This issue is unlikely to occur outside a specific timing condition.
This issue is observed on a Cisco 7500 series router with dual RSP8 processors but is platform independent.
Workaround: Use boot config to redirect the config to slot/disk/bootflash.
•
CSCee24899
A router that is configured for multicast routing may reload due to a bus error.
This issue is observed on a Cisco router that runs a Cisco IOS software release that contains the fix for CSCec80252. A list of the affected releases can be found at http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCec80252. Cisco IOS software releases that are not listed in the "First Fixed-in Version" field at this location are not affected.
There are no known workarounds.
•
CSCee29574
A child policy bandwidth calculation is wrongly mixed with the specified rate of an old parent policy.
This issue is observed after you have changed the configuration of a policy map in a hierarchical policy.
Workaround: Detach and reattach the policy map.
•
CSCee42617
Users are unable to authenticate using RADIUS, or accounting is not sent to the RADIUS server. In addition, when the debug radius command is entered, the following information is generated:
RADIUS(00000049): sending
%RADIUS-3-NOSERVERS: No Radius hosts configured.
RADIUS/DECODE: parse response no app start; FAIL
RADIUS/DECODE: parse response; FAIL
The output of the show running-config command indicates that there are in fact RADIUS servers in the server group.
These issues are observed after following these steps:
1. Remove and recreate a server group that is still referenced by one or more method lists, by entering the following commands:
no aaa group server radius XXXX
aaa group server radius XXXX
server x.x.x.x
...
2. Allow one of these method lists to be used, causing a transaction to be sent to a RADIUS or TACACS+ server in the server group.
3. Remove and re-add the radius-server host ... command lines for all authentication-capable (or accounting-capable if this group is used for accounting) servers in this server group.
Workaround: Remove all RADIUS or TACACS+ server configurations, remove all RADIUS or TACACS+ server group configurations, and remove all method lists. Then, reconfigure all of them.
•
CSCee70018
A router sends three access requests for one call session; the first request is the normal request, the second request has the right password but the wrong user name, and the third request comes just with the domain name as the user name.
This issue is observed with a call rate of above 20 calls per second and occurs randomly for a few call sessions only.
There are no known workarounds.
•
CSCee76540
The radius-server attribute 4 NAS IP address attribute is not accepted.
This issue occurs when RADIUS attribute 4 is configured.
There are no known workarounds.
•
CSCee81662
PPP sessions may get stuck in the TERMSENT state.
This issue is observed on a Cisco platform that has a high CPU utilization.
Workaround: Clear the underlying layer (VPDN, PPPoA, or PPPoE).
•
CSCee86557
All SWIDBs may be used.
This issue is observed when PPPoE or VPDN sessions flap continuously.
There are no known workarounds.
•
CSCef09165
SSG VPDN services and normal VPDN tunnels may not function together in some configurations.
This issue is observed when SSG is configured and when VPDN parameters are locally provisioned but VPDN tunnels are not established between the LAC and the LNS.
Workaround: Enter the aaa authorization network default group radius command.
•
CSCef11074
Auto-logon services for some PPP SSG users may not be active after the PPP session comes up.
This issue is seen when there is a large number of PPP sessions and more SSG PPP sessions are coming up at a high rate.
The following error messages are seen when debug ssg ctrl-error is turned on:
SSG-CTL-ERR: Unable to add HostRoute in CEF table x.x.x.x
SSG-CTL-ERR: host route addition failed
There are no known workarounds.
•
CSCef31712
A CPU hog message is generated when you enter the show pppoe summary command.
This issue is observed when there are high-scaling unambiguous QinQ sessions and interfaces configured.
There are no known workarounds.
•
CSCef46191
A specifically crafted Transmission Control Protocol (TCP) connection to a telnet or reverse telnet port of a Cisco device running Internetwork Operating System (IOS) may block further telnet, reverse telnet, Remote Shell (RSH), Secure Shell (SSH), and in some cases Hypertext Transport Protocol (HTTP) access to the Cisco device. Telnet, reverse telnet, RSH and SSH sessions established prior to exploitation are not affected.
All other device services will operate normally.
A user-initiated, specially crafted TCP connection to a telnet or reverse telnet port blocks further telnet sessions, whereas services such as packet forwarding, routing protocols, and all other communication to and through the device remain unaffected.
Workaround: The detailed advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040827-telnet.shtml
•
CSCef50650
A router unexpectedly reloads when it attempts to access a TACACS+ server.
This issue is observed when the TACACS+ server is not up or unreachable.
Workaround: Ensure that the router accesses a valid TACACS+ server that is up and running.
•
CSCef63785
The Cisco router unexpectedly reloads when the PPPoEoA session is cleared while MQC with fair-queue is configured on the ATM VC and the pulled policy is rejected.
There are no known workarounds.
•
CSCef73237
SSG authentication and accounting requests are sent with nas-port-type = Ethernet.
This issue occurs in Cisco IOS Release 12.3(7)XI1.
There are no known workarounds.
•
CSCef75555
A Cisco 7200 router with an ATM PA-A3 might crash when the ATM PA-A3 is removed by OIR.
This issue happens when dynamic VC modification is enabled on the interface with the dbs enable command and the ATM PA-A3 is removed by OIR.
Workaround: Do not configure dbs enable; without it, this problem does not happen.
•
CSCef93984
A failure to apply a service policy on a VC may be seen when the QoS configuration depends on the DBS AV pair, which the AAA code applies after the policy AV pair.
Workaround: The AAA code should apply the DBS AV pair before applying the policy AV pair on the VC.
•
CSCef96810
Spurious access messages may be seen after the clear sss session command is entered.
There are no known workarounds.
•
CSCin66200
The show l2tun command needs a large contiguous memory block (64 MB/128 MB) to display 16k/32k sessions.
There are no known workarounds.
Open Caveats—Cisco IOS Release 12.3(7)XI1
This section documents possible unexpected behavior by Cisco IOS Release 12.3(7)XI1 and describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCed16493
A Gigabit Ethernet (gige) port does not establish link.
This issue occurs because the gige default value for autonegotiation was changed from "negotiation auto" to "no negotiation auto". This change in the default setting causes gige ports that established link with previous images to fail to do so.
Workaround: Add "negotiation auto" to the gige port configuration.
•
CSCee79812
A Cisco 10000 series router that runs Cisco IOS Release 12.3(7)XI unexpectedly reloads.
This issue occurs when all PPPoA sessions time out with DBS enabled.
There are no known workarounds.
•
CSCee83079
In a broadband 128k queue configuration, removing the input policy from the Virtual-Template causes a CPUHOG traceback and resets the output PXF queues.
This issue occurs when 31.5k ATM subinterfaces are configured with an output CBWFQ policy and an input police policy in the Virtual-Template.
There are no known workarounds.
Resolved Caveats—Cisco IOS Release 12.3(7)XI1
All the caveats listed in this section are resolved in Cisco IOS Release 12.3(7)XI1. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCea56883
A Cisco 7204VXR that functions as an L2TP network server (LNS) may pause indefinitely because of a bus error when a user disconnects and then reconnects.
This issue is observed on a Cisco 7204VXR that is configured with a Network Processing Engine G1 (NPE-G1) under the following conditions:
–
The router functions as an LNS that terminates Layer 2 Tunneling Protocol (L2TP) tunnels.
–
Output route filters are applied via RADIUS attributes to the Routing Information Protocol (RIP) routing process.
There are no known workarounds.
•
CSCed62371
A Cisco router may reload if a TACACS+ configuration is present in the startup configuration.
This issue occurs when TACACS+ configuration is present in the startup configuration.
There are no known workarounds.
•
CSCee26662
A platform may reload when the aaa dnis map dnis-number authentication ppp group server-group-name command is entered.
This issue is observed when aaa dnis map commands are enabled.
There are no known workarounds.
•
CSCee27641
The interfaces of an ESR 10000 may be reset if it experiences a CPUHOG. The CPUHOG could be the result of altering configurations with live sessions.
This issue occurs when PPP SSG hosts log in to a service and the SSG port-map feature has not been enabled. There can be a CPU hog when a large number of PPP users connect to and disconnect from a service.
There are no known workarounds.
•
CSCee52915
An Accounting Stop message is sent when an Access Reject message is not received from the RADIUS server, which is not applicable for all customers. This DDTS fixes the issue.
Workaround: If possible, configure Tunnel Link Accounting, with or without the option to disable "aaa accounting send stop-record authentication failure".
•
CSCee58990
A traceback is seen toward the end of SSG link redundancy test cases.
This issue may occur under the following conditions:
–
When creating an open-garden service.
–
When logging a user in to SSG.
–
When issuing no ssg enable force-cleanup, a traceback is seen.
There are no known workarounds.
•
CSCee68382
A spurious access occurs when the RADIUS address or addresses are changed with live sessions. There are around 32K RFC 1483 and PPPoE sessions configured, and around 1000 sessions are active.
This may occur when the RADIUS address or addresses are changed with live sessions.
There are no known workarounds.
•
CSCee68725
In a redundant system, the ifIndex-table is not written to the standby nvram: when a write command is issued on the primary. As a result, if a switchover occurs, the interface indices can be renumbered.
This issue occurs when using "snmp-server ifindex persist" in a redundant system.
Workaround: Explicitly copy the nvram:ifIndex-table from the primary to the stby-nvram:
•
CSCee72249
The snmp-server host command only supports 1 host. Adding another host will overwrite the existing host. Also, the traps subcommand for snmp-server host does not show in the running configuration. However, traps are sent to the host if traps was entered in the host configuration.
This issue occurs when you use the snmp-server host command to configure more than one host or to configure the host to receive traps.
There are no known workarounds.
•
CSCee77244
CPU hog syslog messages appear when OIDs from the CISCO-CLASS-BASED-QOS-MIB are polled.
There are no known workarounds.
•
CSCee82378
When the Create-on-demand feature is configured over a range PVC on a point-to-point subinterface, the following may occur:
–
Several VCs are created in INAC status.
–
Only one of the connections is established when several of them receive traffic.
–
The running configuration shows several subinterfaces after the device is reloaded.
Workaround: Use Multipoint subinterfaces.
•
CSCef00114
A Cisco router unexpectedly reloads when the tunnel password is downloaded using RADIUS.
This issue occurs under the following conditions:
–
Tunnel-Password is configured in the RADIUS domain profile used for establishing the tunnel.
–
The Tunnel-Password string is more than 64 characters.
Workaround: Configure a password string of fewer than 64 bytes.
•
CSCin68371
Autoprovisioning does not get enabled on the ATM interface.
This issue occurs when "create on-demand" is configured in a vc-class and the vc-class config is sourced to the ATM interface or PVCs.
Workaround: Configure "create on-demand" directly on the PVCs.
•
CSCin75481
An MPF microcode module may have timing issues related to the MPF <-> IOS packet handover when a VPDN session is flapped with traffic; the timing is not guaranteed to work in that case.
There are no known workarounds.
•
CSCin76005
The PVC becomes INACTIVE (MODIFYING) after the parameters for the PVC are changed.
This defect is sometimes observed when the QoS parameters associated with the PVC are changed.
There are no known workarounds.
•
CSCin78156
The following multiuser configuration error message is observed:
Unable to delete PVC 1/2660 on ATM5/0/0.110000. Possibly multiple users configuring IOS simultaneously
This error message is observed when a PVC configured as an Auto VC is changed to a normal PVC.
There are no known workarounds.
•
CSCin78416
After the router reloads, the unconfigured p2p subinterfaces appear in the running configuration.
When the range command is configured on a p2p subinterface and the member PVCs associated with the range do not receive traffic after the reload, their corresponding p2p subinterfaces appear in the running configuration.
There are no known workarounds.
•
CSCin78631
The "PVC creation failure" error message appears when a PVC that is part of a range is changed from an Auto VC to a normal VC.
This issue occurs when the PVC range that is part of a p2p subinterface is changed from Auto VC to normal VC. When this happens, the PVC creation failure message appears.
Workaround: The operator can delete the range and configure it again with normal VCs.
•
CSCin78781
Auto VCs remain INACTIVE even when the traffic is received on them.
This issue occurs when a vc-class is configured on an Auto VC and the parameters of the vc-class are modified to trigger re-creation of the PVC.
There are no known workarounds.
Open Caveats—Cisco IOS Release 12.3(7)XI
This section documents possible unexpected behavior by Cisco IOS Release 12.3(7)XI and describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCee36445
The router becomes unstable after a failure, and the user is not able to bring up more sessions or copy configurations.
There are no known workarounds.
•
CSCee53132
When there is a large number of PPPoE sessions on a PTA or LAC, entering the show pppoe summary command can generate multiple CPUHOG tracebacks in the log.
This issue occurs when there is a large number of PPPoE sessions (62000) in the system.
There are no known workarounds.
Resolved Caveats—Cisco IOS Release 12.3(7)XI
All the caveats listed in this section are resolved in Cisco IOS Release 12.3(7)XI. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
•
CSCea22552
The GRE implementation of Cisco IOS is compliant with RFC 2784 and RFC 2890 and backward compatible with RFC 1701.
For RFC compliance, this DDTS adds a check for bits 4-5 (bit 0 being the most significant) of the GRE header.
This issue does not cause any problem for router operation.
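As an added illustration (not Cisco's code), the following Python parser applies the RFC 2784/2890 receiver rules this caveat refers to: it discards a GRE header whose reserved bits 4-5 are set, and goes slightly beyond the caveat by also enforcing the other RFC 2784 rules (bit 1 clear, version 0) and walking the optional Checksum, Key and Sequence Number fields with checksum verification. The builder, sample payload and function names are constructed for this example.

```python
import struct

# GRE flag-word bit positions. Bit 0 is the most significant bit of the
# first 16-bit word, as RFC 1701 / RFC 2784 / RFC 2890 number them.
GRE_FLAG_C = 1 << 15   # bit 0: Checksum Present (RFC 2784)
GRE_FLAG_R = 1 << 14   # bit 1: Routing Present (RFC 1701 only; must be 0)
GRE_FLAG_K = 1 << 13   # bit 2: Key Present (RFC 2890)
GRE_FLAG_S = 1 << 12   # bit 3: Sequence Number Present (RFC 2890)
GRE_FLAG_s = 1 << 11   # bit 4: strict source route (RFC 1701 only; must be 0)
GRE_BIT5 = 1 << 10     # bit 5: top bit of RFC 1701 Recursion Control (must be 0)
GRE_BITS_4_5_MASK = GRE_FLAG_s | GRE_BIT5
GRE_VER_MASK = 0x0007  # bits 13-15: Version; RFC 2784 requires 0

# Constructed sample payload (a 20-byte IPv4-header-sized blob, not a real packet).
SAMPLE_PAYLOAD = b"\x45\x00\x00\x14" + b"\x00" * 16


def ones_complement_checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over `data`; GRE computes it over the
    GRE header (checksum field zeroed) plus the payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def reserved_bits_4_5_set(flags: int) -> bool:
    """The check this caveat describes: bits 4-5 of the flag word are part of
    Reserved0 in RFC 2784 and a compliant receiver MUST discard the packet
    if they are non-zero (unless it implements RFC 1701)."""
    return bool(flags & GRE_BITS_4_5_MASK)


def parse_gre_header(packet: bytes) -> dict:
    """Parse an RFC 2784/2890 GRE header; raise ValueError for anything a
    compliant receiver must discard. Returns the fields and the payload."""
    if len(packet) < 4:
        raise ValueError("GRE header truncated")
    flags, proto = struct.unpack("!HH", packet[:4])
    version = flags & GRE_VER_MASK
    if version != 0:
        raise ValueError("GRE version %d not supported (RFC 2784 requires 0)" % version)
    if flags & GRE_FLAG_R:
        raise ValueError("bit 1 (RFC 1701 Routing Present) set; discarding")
    if reserved_bits_4_5_set(flags):
        raise ValueError("reserved bits 4-5 set; RFC 2784 receiver must discard")
    hdr = {"protocol": proto, "checksum": None, "key": None, "sequence": None}
    offset = 4
    if flags & GRE_FLAG_C:
        if len(packet) < offset + 4:
            raise ValueError("Checksum/Reserved1 fields truncated")
        (hdr["checksum"],) = struct.unpack("!H", packet[offset:offset + 2])
        # Recompute with the checksum field zeroed and compare.
        zeroed = packet[:offset] + b"\x00\x00" + packet[offset + 2:]
        if ones_complement_checksum(zeroed) != hdr["checksum"]:
            raise ValueError("GRE checksum mismatch")
        offset += 4  # Checksum (2 bytes) + Reserved1 (2 bytes)
    if flags & GRE_FLAG_K:
        if len(packet) < offset + 4:
            raise ValueError("Key field truncated")
        (hdr["key"],) = struct.unpack("!I", packet[offset:offset + 4])
        offset += 4
    if flags & GRE_FLAG_S:
        if len(packet) < offset + 4:
            raise ValueError("Sequence Number field truncated")
        (hdr["sequence"],) = struct.unpack("!I", packet[offset:offset + 4])
        offset += 4
    hdr["header_len"] = offset
    hdr["payload"] = packet[offset:]
    return hdr


def gre_header_is_acceptable(packet: bytes) -> bool:
    """True if a compliant receiver would accept the packet's GRE header."""
    try:
        parse_gre_header(packet)
        return True
    except ValueError:
        return False


def build_gre_packet(proto, payload, key=None, seq=None,
                     with_checksum=False, extra_flags=0) -> bytes:
    """Constructed helper for the example: build a GRE packet. `extra_flags`
    lets a test deliberately set reserved bits to exercise the checks."""
    flags = extra_flags
    tail = b""
    if key is not None:
        flags |= GRE_FLAG_K
        tail += struct.pack("!I", key)
    if seq is not None:
        flags |= GRE_FLAG_S
        tail += struct.pack("!I", seq)
    if not with_checksum:
        return struct.pack("!HH", flags, proto) + tail + payload
    flags |= GRE_FLAG_C
    unsummed = struct.pack("!HH", flags, proto) + b"\x00\x00\x00\x00" + tail + payload
    csum = ones_complement_checksum(unsummed)
    return struct.pack("!HHH", flags, proto, csum) + b"\x00\x00" + tail + payload


if __name__ == "__main__":
    pkt = build_gre_packet(0x0800, SAMPLE_PAYLOAD, key=0x1234, seq=7, with_checksum=True)
    print(parse_gre_header(pkt))
    print(gre_header_is_acceptable(build_gre_packet(0x0800, SAMPLE_PAYLOAD, extra_flags=GRE_FLAG_s)))
```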
•
CSCeb85255
An unexpected reload can occur on a Cisco 1000 series and Cisco 6400 series with an ATM interface.
This issue occurs when executing the show atm command.
There are no known workarounds.
•
CSCec16481
A Cisco device running Internetwork Operating System (IOS) and enabled for the Open Shortest Path First (OSPF) Protocol is vulnerable to a Denial of Service (DoS) attack from a malformed OSPF packet. The OSPF protocol is not enabled by default.
The vulnerability is only present in IOS release trains based on 12.0S, 12.2, and 12.3. Releases based on 12.0, 12.1 mainlines and all IOS images prior to 12.0 are not affected. Refer to the Security Advisory for a complete list of affected release trains.
Further details and the workarounds to mitigate the effects are explained in the Security Advisory which is available at the following URL:
http://www.cisco.com/warp/public/707/cisco-sa-20040818-ospf.shtml.
•
CSCec24263
Under specific circumstances the values reported by RADIUS attribute 46, acct-session-time are incorrect. It was reported by the customer in the following circumstances:
–
For sessions brought up shortly after a restart. The reason might be that the session used the internal timer when it started and the NTP timer when it stopped, which would produce wrong data.
–
For sessions brought up during changing timezone or daylight savings information (see below):
(config)#clock summer-time CEST recurring 1 Tue Sep 12:15 1 Tue Sep 13:30 60
new session established
Router#sh clock
12:14:59.218 MEZ Tue Sep 2 2003
Router#sh clock
13:15:05.175 CEST Tue Sep 2 2003
logout
RADIUS debug --
Acct-Terminate-Cause[49] 6 user-request
Acct-Session-Time [46] 6 4294963734
Acct-Input-Octets [42] 6 120
Acct-Output-Octets [43] 6 108
This issue was reported for the NRP2 only. It was tested with the following image: c6400r-g4p5-mz.122-4.BX.bin in a testbed when testing accounting functionality.
There are no known workarounds.
•
CSCec43747
A Cisco router configured for MPLS/VPN hub-and-spoke using the Half Duplex VRF feature does not install the per-user static routes (learned from the AAA server) in the downstream VRF.
There are no known workarounds.
•
CSCec58512
In case of a long period of RADIUS server unavailability and a very high rate of incoming calls, a Cisco access server may experience a shortage of I/O memory.
This issue prevents AAA authentication from queueing any RADIUS packets if the amount of free I/O memory is less than five.
There are no known workarounds.
•
CSCec71950
Cisco routers and switches running Cisco IOS or Cisco IOS XR software may be vulnerable to a remotely exploitable crafted IP option Denial of Service (DoS) attack. Exploitation of the vulnerability may potentially allow for arbitrary code execution. The vulnerability may be exploited after processing an Internet Control Message Protocol (ICMP) packet, Protocol Independent Multicast version 2 (PIMv2) packet, Pragmatic General Multicast (PGM) packet, or URL Rendezvous Directory (URD) packet containing a specific crafted IP option in the packet's IP header. No other IP protocols are affected by this issue.
Cisco has made free software available to address this vulnerability for affected customers.
There are workarounds available to mitigate the effects of the vulnerability.
This vulnerability was discovered during internal testing. This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml
•
CSCed32394
A router that runs Cisco IOS Release 12.2BX crashes in pppoa_set_event when DBS is configured.
There are no known workarounds.
•
CSCed43581
On a Cisco router running one of the latest IOS images, the output of "show interface description" is truncated: only 9 characters are displayed for the Interface field, which is the interface identifier.
There are no known workarounds.
•
CSCed57586
PPP sessions are no longer accepted by a NAS. A PPP debug shows:
"IPCP: Peer address ... in use by ..."
This issue occurs if all the following conditions are met:
–
The ppp ipcp address unique command is configured under a virtual-template interface.
–
The system runs Cisco IOS Release 12.2(16)BX2, 12.3(4)T1 or 12.3(5.7)T or later.
–
Thousands of calls are brought up and down continuously within a few days.
Workaround: Unconfigure the ppp ipcp address unique command.
•
CSCed57653
The router may run out of I/O memory and "show ssg service <servicename>" shows a large RefrenceCount.
This issue may occur on an SSG when the remote AAA server for a RADIUS proxy service goes down for a long time and many users try to log in to this service.
Workaround: Configure an alternate AAA server for the proxy service that responds when the primary AAA server is down.
•
CSCed65333
Bringing up a BGP session with BGP MD5 authentication may be delayed considerably on a router.
This issue is observed on a Cisco router that runs Cisco IOS Release 12.2(15)BZ2, 12.3, or 12.3 T when MD5 authentication is enabled. The issue occurs when the router sends a SYN-ACK message that has a wrong total IP length field after a BGP session is initiated from a peer router.
The issue goes unnoticed without MD5 authentication and occurs because of a mishandling of TCP options such as MD5, WND-SCL, TS, and Selective-ACK.
There are no known workarounds.
•
CSCed67628
During an initial boot of a Cisco 7301 that has a PA-MC-8TE1+ or PA-MCX-8TE1-M in bay 0, an unexpected reload may occur.
The issue may occur irrespective of whether a regular Cisco IOS software image or a boot software image is present in the bootflash filesystem.
Workaround: Power-cycle the Cisco 7301 and reboot the platform. The problem only surfaces during the initial boot of the platform.
•
CSCed81418
The show pppoe session | include <pattern> command takes at least 30 minutes to display a result. The RP CPU runs at 99% the whole time, with the "Exec" process running.
This is observed when a large number of sessions are active on Cisco 10000 PTA or LAC systems.
There are no known workarounds.
•
CSCed84464
When the l2tp hidden command is configured on a Cisco 10000 series and when the call rate is above 40 calls/second, the Cisco 10000 series uses a wrong tunnel ID in communication with the LNS, which causes the L2TP tunnel to go down.
This issue is observed when there are about 1000 sessions and more than one outgoing L2TP tunnel on the Cisco 10000 series that functions as a LAC and that runs Cisco IOS Release 12.2(16)BX2. This issue may also occur in other releases.
There are no known workarounds.
•
CSCed86647
The session duration time reported in accounting packets may be wrong.
This issue is observed when you enter the show aaa user all command; the session time recorded in the accounting stop record is incorrect. This issue is seen only when the aaa accounting session-duration ntp-adjusted command is enabled via the CLI.
Workaround: Avoid using the aaa accounting session-duration ntp-adjusted command.
•
CSCee33633
A Cisco router that runs Cisco IOS Release 12.3(7)T may display the configuration of individual virtual-access interfaces or subinterfaces in the running configuration when the show running-config interface virtual-access EXEC command is entered.
There are no known workarounds.
•
CSCee38105
A router crashes because of a watchdog timeout.
This issue occurs when a policy is applied to a large number of PPP sessions through the virtual-template; removing the service-policy from the configuration causes the router to crash.
There are no known workarounds.
•
CSCee42660
With an auto-vc configuration and a range PVC, a traceback may occur when a PVC is changed to a different vc-class with a different UBR+ speed:
-Traceback= 60140330 6014048C 60C1DC28 601EB508 601EB600 601EE1A4 601EE200 60356CB0 603588B0 603D20B8 603D209C
Afterwards, the PVC could go into a blocked state and the router eventually crashes.
There are no known workarounds.
•
CSCee45655
Even with the snmp ifindex persist command configured, the Cisco 10000 does not ensure that the same ifIndex number is used after a reboot.
There are no known workarounds.
•
CSCee47898
On a p2p subinterface where a range PVC is created, entering any "do <exec command>" causes it to be displayed or applied 1 + (number of VCs in the range) times.
There are no known workarounds.
• CSCee57091
SSG redirection configuration does not take effect. This problem is present in an EFT image that is under test.
There are no known workarounds.
• CSCee57149
PPP users are unable to log in to services, or a PPP SSG user is unable to log in from SESM.
This issue occurs when the port-bundle host key feature is enabled on the SSG: if a PPP SSG user logs out and tries to log in again from SESM, the user logon or service logon fails.
Workaround: Restart the PPP session; the user is then able to log in to services. Relogin from SESM also works if the port-map host-key feature is disabled.
• CSCee58039
An IP address may be allocated from the incorrect VPN when the DHCP proxy client requests an IP address from a DHCP server that supports the VPN information option.
This issue occurs when a DHCP server that supports the VPN information option (such as the Cisco IOS DHCP server or CNR) uses that option to determine the address space for an address request. When the DHCP proxy client requests an IP address for an interface that is configured with "ip vrf forwarding", no VPN information option is sent, which causes the DHCP server to allocate an IP address from the global (default) address space.
Workaround: Send the VPN information option with the DHCP proxy client request if the interface is configured with "ip vrf forwarding".
• CSCee66417
The "Possibly multiple users configuring IOS simultaneously" error message is seen when the router is reloaded and any change to the PVC configuration is attempted.
The exact message is as follows:
Unable to create PVC 0/33 on ATM5/0/0.1. Possibly multiple users configuring IOS simultaneously
Further info about other user: Process id: 3, Process: OSPF Hello 8, TTY: 0, Location: Console
This issue occurs when a range pvc configuration is present in the startup configuration file and the router is reloaded; the message appears when a change to the PVC configuration is attempted.
There are no known workarounds.
• CSCee69772
No SNMP linkup or linkdown trap is generated for a 1CHOC12/4CHSTM1 SONET layer when a controller goes up and down.
This issue is observed when monitoring a SNMP linkup or linkdown trap for a 1CHOC12/4CHSTM1 SONET layer.
Workaround: Monitor the controller status using the show controller sonet command.
• CSCee72318
Memory leaks occur on a PTA or LAC that carries PPPoA sessions. The size of the leak is proportional to the number of sessions cycled through the system.
There are no known workarounds.
• CSCin24544
A permanent virtual connection (PVC) configuration is removed if a PVC fails when it is recreated.
This issue is observed on a Cisco 7500 series that has a Versatile Interface Processor (VIP). The PVC configuration may be removed if the VIP is carrying data traffic and the parameters of the virtual circuit (VC) class that is attached to the configured PVCs on the associated interface are modified.
There are no known workarounds.
• CSCin66969
IPCP may not come up when per-user virtual profile attributes are cloned from a remote AAA server.
This issue is observed after a number of sessions are brought up and torn down and when a cloning failure is observed on one or more sessions.
There are no known workarounds.
• CSCin72029
A nas-port attribute of an accounting record points to an SESM interface rather than to the interface of the host.
This issue occurs under rare race conditions where there are host route changes at the time of the host logon.
There are no known workarounds.
• CSCin74759
The radius-server vsa send cisco-nas-port command cannot be unconfigured.
This issue occurs when the radius-server vsa send command is configured.
There are no known workarounds.
• CSCin74857
When VSA2 is omitted by means of the no radius-server vsa send cisco-nas-port command, RADIUS AAA packets are sent malformed.
This issue occurs when radius-server vsa send is enabled and the no radius-server vsa send cisco-nas-port command is entered.
The following running configuration causes this issue to occur:
– radius-server vsa send accounting
– radius-server vsa send authentication
– no radius-server vsa-send cisco-nas-port
Workaround: Configure the radius-server vsa send cisco-nas-port command.
• CSCin75571
If an attempt is made to remove the PVC, the "Unable to delete PVC vpi/vci on ATMx/y. Possibly multiple users configuring IOS simultaneously" message appears.
This issue occurs if Auto VC is configured and is in INACTIVE state, or if the create on-demand command configured on this VC is removed.
There are no known workarounds.
Related Documentation
The following sections describe the documentation available for the Cisco 7000 family of routers. These documents consist of hardware and software installation guides, Cisco IOS configuration guides and command references, system error messages, feature modules, and other documents.
Documentation is available as printed manuals or electronic documents, except for feature modules, which are available online on Cisco.com and the Documentation CD-ROM.
Use these release notes with these documents:
• Cisco IOS Software Documentation Set
Release-Specific Documents
The following documents are specific to Cisco IOS Release 12.3 and are located on Cisco.com and the Documentation CD-ROM:
• Cross-Platform Release Notes for Cisco IOS Release 12.3
On Cisco.com at:
Technical Documents: Cisco IOS Software: Cisco IOS Release 12.3: Release Notes: Cross-Platform Release Notes
On the Documentation CD-ROM at:
Cisco Product Documentation: Cisco IOS Software Configuration: Cisco IOS Release 12.3: Release Notes: Cross-Platform Release Notes
• Product bulletins, field notices, and other release-specific documents on Cisco.com at:
Technical Documents
• Caveats for Cisco IOS Release 12.3(7)XI4
As a supplement to the caveats listed in "Caveats for Cisco IOS Release 12.3 XI" in these release notes, see Caveats for Cisco IOS Release 12.3 and Caveats for Cisco IOS Release 12.3 T, which contain caveats applicable to all platforms for all maintenance releases of Cisco IOS Release 12.3 and Cisco IOS Release 12.3 T.
On Cisco.com at:
Technical Documents: Cisco IOS Software: Cisco IOS Release 12.3: Release Notes: Caveats
On the Documentation CD-ROM at:
Cisco Product Documentation: Cisco IOS Software Configuration: Cisco IOS Release 12.3: Caveats
Note
If you have an account with Cisco.com, you can use Bug Navigator II to find caveats of any severity for any release. To reach Bug Navigator II, log in to Cisco.com and click Service & Support: Technical Assistance Center: Select & Download Software: Jump to a software resource: Software Bug Toolkit/Bug Watcher. Another option is to go to http://www.cisco.com/support/bugtools/bugtool.shtml.
Platform-Specific Documents
These documents are available for the Cisco 7000 family of routers on Cisco.com and the Documentation CD-ROM:
• Cisco 7200 VXR Installation and Configuration Guide
• Cisco 7200 Routers Quick Start Guide
• Cisco 7301 Installation and Configuration Guide
• Cisco 7301 Router Quick Start Guide
On Cisco.com at:
Technical Documents: All Product Documentation: Core/High-End Routers
On the Documentation CD-ROM at:
Cisco Product Documentation: All Product Documentation: Core/High-End Routers
Feature Modules
Feature modules describe new features supported by Cisco IOS Release 12.3(7)XI4 and are updates to the Cisco IOS documentation set. A feature module consists of a brief overview of the feature, benefits, configuration tasks, and a command reference. As updates, the feature modules are available online only. Feature module information is incorporated in the next printing of the Cisco IOS documentation set.
On Cisco.com at:
Technical Documents: Cisco IOS Software: Cisco IOS Release 12.3: New Feature Documentation
On the Documentation CD-ROM at:
Cisco Product Documentation: Cisco IOS Software Configuration: Cisco IOS Release 12.3: New Feature Documentation
Feature Navigator
Feature Navigator is a web-based tool that enables you to quickly determine which Cisco IOS software images support a particular set of features and which features are supported in a particular Cisco IOS image.
Feature Navigator is available 24 hours a day, 7 days a week. To access Feature Navigator, you must have an account on Cisco.com. If you have forgotten or lost your account information, e-mail the Contact Database Administration group at cdbadmin@cisco.com. If you do not have an account on Cisco.com, go to http://www.cisco.com/register and follow the directions to establish an account.
To use Feature Navigator, you must have a JavaScript-enabled web browser such as Netscape 3.0 or later, or Internet Explorer 4.0 or later. Internet Explorer 4.0 always has JavaScript enabled. To enable JavaScript for Netscape 3.x or Netscape 4.x, follow the instructions provided with the web browser. For JavaScript support and enabling instructions for other browsers, check with the browser vendor.
Feature Navigator is updated when major Cisco IOS software releases and technology releases occur. You can access Feature Navigator at the following URL:
Cisco IOS Software Documentation Set
The Cisco IOS software documentation set consists of the Cisco IOS configuration guides, Cisco IOS command references, and several other supporting documents. The Cisco IOS software documentation set is shipped with your order in electronic form on the Documentation CD-ROM—unless you specifically ordered the printed versions.
Documentation Modules
Each module in the Cisco IOS documentation set consists of one or more configuration guides and one or more corresponding command references. Chapters in a configuration guide describe protocols, configuration tasks, and Cisco IOS software functionality, and contain comprehensive configuration examples. Chapters in a command reference provide complete command syntax information. Use each configuration guide with its corresponding command reference.
On Cisco.com at:
Technical Documents: Cisco IOS Software: Cisco IOS Release 12.3: Configuration Guides and Command References
On the Documentation CD-ROM at:
Cisco Product Documentation: Cisco IOS Software Configuration: Cisco IOS Release 12.3: Configuration Guides and Command References
Cisco IOS Release 12.3 Documentation Set Contents
Table 8 lists the contents of the Cisco IOS Release 12.3 software documentation set, which is available in electronic form and in printed form if ordered.
Note
You can find the most current Cisco IOS documentation on Cisco.com and the Documentation CD-ROM. These electronic documents may contain updates and modifications made after the hard-copy documents were printed.
On Cisco.com at:
Technical Documents: Cisco IOS Software: Cisco IOS Release 12.3
On the Documentation CD-ROM at:
Cisco Product Documentation: Cisco IOS Software Configuration: Cisco IOS Release 12.3
Obtaining Documentation
The following sections provide sources for obtaining documentation from Cisco Systems.
World Wide Web
The most current Cisco documentation is available on the World Wide Web at
Translated documentation can be accessed at
http://www.cisco.com/public/countries_languages.shtml.
Documentation CD-ROM
Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or as an annual subscription.
Ordering Documentation
Cisco documentation is available in the following ways:
• Registered Cisco Direct Customers can order Cisco product documentation from the Networking Products MarketPlace:
http://www.cisco.com/public/ordsum.html
• Registered Cisco.com users can order the Documentation CD-ROM through the online Subscription Store:
http://www.cisco.com/go/subscription
• Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco corporate headquarters (California, USA) at 408 526-7208 or, in North America, by calling 800 553-NETS (6387).
Documentation Feedback
If you are reading Cisco products documentation on the World Wide Web, you can submit technical comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco.
You can e-mail your comments to bug-doc@cisco.com.
For your convenience, many documents contain a response card behind the front cover for submitting your comments by mail. Otherwise, you can mail your comments to the following address:
Cisco Systems, Inc.
Document Resource Connection
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.
Obtaining Technical Assistance
The following sections provide sources for obtaining technical assistance from Cisco Systems.
Cisco.com
Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information and resources at anytime, from anywhere in the world. This highly integrated Internet application is a powerful, easy-to-use tool for doing business with Cisco.
Cisco.com provides a broad range of features and services to help customers and partners streamline business processes and improve productivity. Through Cisco.com, you can find information about Cisco and our networking solutions, services, and programs. In addition, you can resolve technical issues with online technical support, download and test software packages, and order Cisco learning materials and merchandise. Valuable online skill assessment, training, and certification programs are also available.
Customers and partners can self-register on Cisco.com to obtain additional personalized information and services. Registered users can order products, check on the status of an order, access technical support, and view benefits specific to their relationships with Cisco.
To access Cisco.com, go to the following website:
Technical Assistance Center
The Cisco TAC website is available to all customers who need technical assistance with a Cisco product or technology that is under warranty or covered by a maintenance contract.
Contacting TAC by Using the Cisco TAC Website
If you have a priority level 3 (P3) or priority level 4 (P4) problem, contact TAC by going to the TAC website:
P3 and P4 level problems are defined as follows:
• P3—Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue.
• P4—You need information or assistance on Cisco product capabilities, product installation, or basic product configuration.
In each of the above cases, use the Cisco TAC website to quickly find answers to your questions.
To register for Cisco.com, go to the following website:
http://www.cisco.com/register/
Cisco.com registered users who cannot resolve a technical issue by using the TAC online resource can open a case online by using the TAC Case Open tool at the following website:
http://www.cisco.com/tac/caseopen
Contacting TAC by Telephone
If you have a priority level 1 (P1) or priority level 2 (P2) problem, contact TAC by telephone and immediately open a case. To obtain a directory of toll-free numbers for your country, go to the following website:
http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
P1 and P2 level problems are defined as follows:
• P1—Your production network is down, causing a critical impact to business operations if service is not restored quickly. No workaround is available.
• P2—Your production network is severely degraded, affecting significant aspects of your business operations. No workaround is available.