Cisco IOS Software Releases 12.3 Special and Early Deployments

Release Notes for the Cisco Home Agent Feature in Cisco IOS Release 12.3(14)YX14

5 February 2009

Cisco IOS Release 12.3(14)YX14 is a special release that is based on Cisco IOS Release 12.3, with the addition of enhancements to the Cisco Mobile Wireless Home Agent feature. Cisco IOS Release 12.3(14)YX14 is optimized for the Cisco Mobile Wireless Home Agent Release feature on the Cisco 7206VXR router platform, and for the Cisco Multi-Processor WAN Application Module on the Cisco 6500 Catalyst switch platform and the 7600 Internet router platform.

Contents

These release notes include important information and caveats for the Cisco Mobile Wireless Home Agent software feature provided in Cisco IOS 12.3(14)YX14 for the Cisco 7206 Series Internet Router, and the MWAM card on the 6500 Catalyst Switch and Cisco 7600 Series Router platforms.

Caveats for Cisco IOS Release 12.3 can be found on CCO at:

http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/tsd_products_support_series_home.html

Release notes for Cisco 7000 Family for Release 12.3T can be found on CCO at:

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/prod_release_notes_list.html

Release notes for the Cisco 6000 Family for 12.3T can be found on CCO at:

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/prod_release_notes_list.html

This release note includes the following topics:

Introduction

System Requirements

Upgrading to a New Software Release

Cisco Mobile Wireless Home Agent Software Features in Cisco IOS Release 12.3(14)YX14

Caveats

Related Documentation

Obtaining Documentation

Obtaining Technical Assistance

Introduction

The Cisco Mobile Wireless Home Agent (HA) maintains mobile user registrations and tunnels packets destined for the mobile to the PDSN/FA. It supports reverse tunneling, and can securely tunnel packets to the PDSN using IPSec. Broadcast packets are not tunneled. Additionally, the HA performs both static and dynamic home address assignment for the mobile. Home address assignment can be from address pools configured locally, through either DHCP, ODAP, or AAA server access.

System Requirements

This section describes the system requirements for Cisco IOS Release 12.3(14)YX14:

Memory Requirements

Hardware Supported

Software Compatibility

Determining the Software Version

Upgrading to a New Software Release

MIBs

Memory Requirements

Table 1 shows the memory requirements for the Cisco Mobile Wireless Home Agent Software Feature Set that supports the Cisco 7206 Series Internet Router, and the MWAM on the 6500 Catalyst Switch and Cisco 7600 Series Router. The table also lists the memory requirements for the IP Standard Feature Set (for the Cisco Mobile Wireless Home Agent).

Table 1 Memory Requirements for the Cisco 7206 Router, and the MWAM on the 6500 Catalyst Switch and 7600 Router

| Platform | Software Feature Set | Image Name | Flash Memory Required | DRAM Memory Required | Runs From |
|---|---|---|---|---|---|
| Cisco 7206VXR Router NPE-400 | Home Agent Software Feature Set | c7200-h1is-mz.123-14.YX14, c7200-h1ik9s-mz.123-14.YX14 | 20MB | 512MB | RAM |
| Cisco 7206VXR NPE-G1 | Home Agent Software Feature Set | c7200-h1is-mz.123-14.YX14, c7200-h1ik9s-mz.123-14.YX14 | 20MB | 1 Gigabyte | RAM |
| Cisco 6500 Catalyst Switch | Home Agent Software Feature Set | c6svc5fmwam-h1is-mz | 40MB | 512MB | RAM |
| Cisco 7600 Internet Router | Home Agent Software Feature | c6svc5fmwam-h1is-mz | 40MB | 512MB | RAM |

Hardware Supported

The Cisco IOS Release 12.3(14)YX14 is a release optimized for the Cisco Home Agent Release feature on the Cisco Multi-Processor WAN Application Module on the Cisco 6500 Catalyst Switch platform and the 7600 Internet Router platform.

For recommended hardware configuration, and for a complete list of supported interfaces on the 7200 platform, refer to the 12.3(14)YX14 Product Bulletin. If you require a different configuration you should consult with your Cisco representative before you order.

The recommended hardware configuration for the 12.3(14)YX Home Agent Release is based on a Catalyst 6500 or 7600 chassis with a SUP2/MSFC2, and 512 MB of DRAM.

A Cisco IPSec Services Module (VPNSM) is required for hardware support of IPSec. VAMII is used for 7200 and the Cisco IPSec VPN Services Module is used for 6500/7600.


Note: The bandwidth point in the router should be almost equal in order to have high processing capability.


For a complete list of interfaces supported on 6500 and 7600 platforms, please refer to the on-line product information at Cisco.com home page. For hardware details on the 6500 and 7600 platforms, please refer to the Catalyst 6500 product specifications at http://www.cisco.com/en/US/products/hw/switches/ps708/index.html.

Software Compatibility

Cisco IOS Release 12.3(14)YX14 is a special release that is developed on Cisco IOS Release 12.3.

Cisco IOS Release 12.3(14)YX14 supports the same features that are in Cisco IOS Release 12.3, with the addition of the Cisco Home Agent Release feature.

Determining the Software Version

To determine the version of Cisco IOS software running on your router, log in to the router and enter the show version EXEC command:

Router#sh ver
Cisco IOS Software, MWAM Software (MWAM-H1IS-M), Version 12.3(14)YX, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Mon 25-Jul-05 15:24 by ssearch

ROM: System Bootstrap, Version 12.2(11)YS2 RELEASE SOFTWARE

Router uptime is 5 hours, 28 minutes
System returned to ROM by reload at 13:29:44 UTC Wed Mar 7 2001
System restarted at 23:15:39 UTC Mon Jul 25 2005
System image file is "svcmwam-c6is-mz"
Last reload reason: Unknown reason

Cisco MWAM (MWAM) processor with 473088K/32768K bytes of memory.
SB-1 CPU at 700MHz, Implementation 1025, Rev 0.2

Last reset from power-on
1 Gigabit Ethernet interface
511K bytes of non-volatile configuration memory.

Configuration register is 0x4
Router#

Upgrading to a New Software Release

The following sections provide details on how to upgrade your Cisco Mobile Wireless Home Agent:

Upgrading a Home Agent Image

Upgrading HA Image From XW-based Image to 12.3(14)YX Image

Upgrading the Supervisor Image

Upgrading the HA Image on MWAM

Changing Configuration on Home Agent in a Live Network

Loading the IOS Image to MWAM

Upgrading a Home Agent Image

To upgrade an image, you will need a compact flash card that has the MP partition from the current image or later, and a recent supervisor image. To locate the images, please go to the Software Center at Cisco.com (http://www.cisco.com/public/sw-center/).

To perform the upgrade, follow this procedure:


Step 1 Log onto the supervisor and boot the MP partition on the PC.

router #hw-module module 3 reset cf:1
Device BOOT variable for reset = cf:1
Warning: Device list is not verified.

Proceed with reload of module? [confirm]
% reset issued for module 3
router#

Step 2 Once the module is online, issue the following command:

copy tftp:<tftp file location> pclc#<linecard #>-fs:

The upgrade file uses a special format that makes this process slow. The following example illustrates the upgrade process output:

router #copy tftp://172.31.219.33/images/c6svcmwam-c6is-mz.bin pclc#3-fs:
  Destination filename [c6svcmwam-c6is-mz.bin]?
  Accessing tftp://172.31.219.33/images/c6svcmwam-c6is-mz.bin...
  Loading images/c6svcmwam-c6is-mz.bin from 10.102.16.25 (via Vlan1):
  !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
  !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
  !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
  !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
  [OK - 29048727/58096640 bytes]

  29048727 bytes copied in 1230.204 secs (23616 bytes/sec)
router #
  2d21h: %SVCLC-SP-5-STRRECVD: mod 3: <Application upgrade has started>
  2d21h: %SVCLC-SP-5-STRRECVD: mod 3: <Do not reset the module till upgrade completes!!>
  router #
  2d21h: %SVCLC-SP-5-STRRECVD: mod 3: <Application upgrade has succeeded>
  2d21h: %SVCLC-SP-5-STRRECVD: mod 3: <You can now reset the module>

Step 3 Boot the MWAM card back to partition 4, and you have an upgraded image.

router#hw-module module 3 reset


Upgrading HA Image From XW-based Image to 12.3(14)YX Image

If you are upgrading the Home Agent from an XW-based image to a 12.3(14)YX image, you first need to upgrade the SUP image from an SXB-based image to an SXE-based image.


Note: We recommend that you upgrade to the Cisco IOS Supervisor Engine 720, Release 12.2(18)SXE3. For more information on the 12.2(18)SXE3 Supervisor image, please refer to the following URL: http://www.cisco.com/en/US/products/hw/switches/ps708/prod_release_note09186a00801c8339.html


After you upgrade the SUP image, you can then upgrade the HA image.

Upgrading the Supervisor Image

To upgrade the Supervisor image, perform the following procedure:


Step 1 Copy the SUP image to the disks (disk0: / slavedisk0:).

Step 2 Add the following command to the running configuration: "boot system disk0:<SUP image name>". Here is an example:

boot system disk0:c6k222-pk9sv-mz.122-18.SXD2.bin

Note: This step may require you to unconfigure previously configured instances of this CLI in order to enable the image to properly reload.


Step 3 Perform a "write memory" so that running configuration is saved on both active and standby SUP.

Step 4 Issue the reload command on the active SUP.

Step 5 Both active and standby SUP will reload simultaneously and come up with the SXD-based image.


Note: Issuing the reload command on the active SUP will cause both the active and standby Supervisors to reload simultaneously, thus causing some downtime during the upgrade process.



Upgrading the HA Image on MWAM

To upgrade to the YF-based image on the MWAM, perform the following procedure:


Step 1 Bring down the active HA by issuing the hw-module module <slot #> reset cf:1 command. The standby HA will take over as the active HA. Log onto the supervisor and boot the MP partition on the PC.

router #hw-module module 3 reset cf:1
Device BOOT variable for reset = cf:1
Warning: Device list is not verified.

Proceed with reload of module? [confirm]
% reset issued for module 3
router#

Step 2 Once the module is online, copy the YF image to pclc# slot file system by issuing the following command:

copy tftp:<tftp file location> pclc#<linecard #>-fs:

The upgrade file uses a special format that makes this process slow. The following example illustrates the upgrade process output:

router #copy tftp://198.133.219.33/images/c6svcmwam-c6is-mz.bin pclc#3-fs:
  Destination filename [c6svcmwam-c6is-mz.bin]?
  Accessing tftp://198.133.219.33/images/c6svcmwam-c6is-mz.bin...
  Loading images/c6svcmwam-c6is-mz.bin from 64.102.16.25 (via Vlan1):
  !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
  !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
  !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
  !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
  [OK - 29048727/58096640 bytes]
  29048727 bytes copied in 1230.204 secs (23616 bytes/sec)
router #
  2d21h: %SVCLC-SP-5-STRRECVD: mod 3: <Application upgrade has started>
  2d21h: %SVCLC-SP-5-STRRECVD: mod 3: <Do not reset the module till upgrade completes!!>
  router #
  2d21h: %SVCLC-SP-5-STRRECVD: mod 3: <Application upgrade has succeeded>
  2d21h: %SVCLC-SP-5-STRRECVD: mod 3: <You can now reset the module>

Step 3 Boot the MWAM card back to partition 4, and you have an upgraded image.

router#hw-module module 3 reset cf:4

Step 4 Verify that all the bindings opened with the active HA have synced with the processor running the new image.

Step 5 Bring down the active HA with the XW-based image. The newly loaded YF-based HA will now become active.

Step 6 Perform steps 1 through 3 as described above.


Note: The downgrade process is similar to the upgrade process, where the SUP image should be downgraded first followed by the HA image.

Note: For SXD-based SUP images, if config-on-SUP mode is used on MWAM, the startup configuration is written on both the SUP and local file system. This will assist you in upgrading/downgrading the images without losing the HA configuration between XW and YF images.

Note: The downgraded image always starts with config-local due to incompatibility, and so it must be explicitly configured again using config-on-sup upon every downgrade. Additionally, any further upgrades will start with the mode used by the same version the image used earlier, otherwise only follow the mode used by the old version.
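
Both MWAM upgrade procedures above end with a module reset that must wait until the console reports that the application upgrade has succeeded. The following Python code is an added example, not Cisco code: it reads a captured console transcript and reports whether the module may be reset. The function and class names, the 192.0.2.10 server address, and the sample transcripts are assumptions made for illustration.

```python
"""Gate the final MWAM reset on what the upgrade transcript actually shows."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Patterns follow the console output reproduced in the upgrade steps above.
STATUS_RE = re.compile(r"%SVCLC-SP-5-STRRECVD: mod (\d+): <([^>]*)")
COPY_OK_RE = re.compile(r"\[OK - (\d+)/\d+ bytes\]")
COPIED_RE = re.compile(r"^\s*(\d+) bytes copied in")
RESET_RE = re.compile(r"#\s*hw-module module (\d+) reset\b")


@dataclass
class UpgradeState:
    module: int
    transferred: Optional[int] = None  # count on the "[OK - n/m bytes]" line
    copied: Optional[int] = None       # count on the "bytes copied in" line
    started: bool = False
    succeeded: bool = False
    problems: List[str] = field(default_factory=list)

    @property
    def safe_to_reset(self) -> bool:
        # Require start and success messages, matching byte counts, no problems.
        return (self.started and self.succeeded and not self.problems
                and self.transferred is not None
                and self.transferred == self.copied)


def check_upgrade(transcript: str, module: int) -> UpgradeState:
    """Walk the transcript in order and track the upgrade of one module."""
    state = UpgradeState(module)
    for line in transcript.splitlines():
        if m := COPY_OK_RE.search(line):
            state.transferred = int(m.group(1))
        elif m := COPIED_RE.search(line):
            state.copied = int(m.group(1))
        elif m := STATUS_RE.search(line):
            if int(m.group(1)) != module:
                continue  # status message for a different slot
            text = m.group(2).lower()
            if "upgrade has started" in text:
                state.started = True
            elif "upgrade has succeeded" in text:
                if not state.started:
                    state.problems.append("success reported without a start message")
                state.succeeded = True
        elif m := RESET_RE.search(line):
            # A reset before the start message is Step 1; one after success is Step 3.
            if int(m.group(1)) == module and state.started and not state.succeeded:
                state.problems.append("module reset while upgrade was in progress")
    if state.transferred != state.copied:
        state.problems.append("byte counts on the copy lines disagree")
    return state


# Constructed sample transcripts, modelled on the output shown in the steps above.
GOOD_TRANSCRIPT = """\
router#hw-module module 3 reset cf:1
router#copy tftp://192.0.2.10/images/c6svcmwam-c6is-mz.bin pclc#3-fs:
  [OK - 29048727/58096640 bytes]
  29048727 bytes copied in 1230.204 secs (23616 bytes/sec)
  2d21h: %SVCLC-SP-5-STRRECVD: mod 3: <Application upgrade has started>
  2d21h: %SVCLC-SP-5-STRRECVD: mod 3: <Do not reset the module till upgrade completes!!>
  2d21h: %SVCLC-SP-5-STRRECVD: mod 3: <Application upgrade has succeeded>
  2d21h: %SVCLC-SP-5-STRRECVD: mod 3: <You can now reset the module>
"""

INTERRUPTED_TRANSCRIPT = """\
router#hw-module module 3 reset cf:1
router#copy tftp://192.0.2.10/images/c6svcmwam-c6is-mz.bin pclc#3-fs:
  [OK - 29048727/58096640 bytes]
  29048727 bytes copied in 1230.204 secs (23616 bytes/sec)
  2d21h: %SVCLC-SP-5-STRRECVD: mod 3: <Application upgrade has started>
router#hw-module module 3 reset cf:4
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_TRANSCRIPT),
                       ("interrupted", INTERRUPTED_TRANSCRIPT)):
        result = check_upgrade(text, module=3)
        print(name, "safe_to_reset =", result.safe_to_reset, result.problems)
```
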



Changing Configuration on Home Agent in a Live Network

If you need to change the working configuration on a Home Agent in a live network environment, perform the following procedure:


Step 1 Bring the standby HA out of service. An example would be to shut down the HSRP interface towards active HA.

Step 2 Make the necessary configuration changes on the standby HA, and save the configuration.

Step 3 Issue the reload command to bring the standby HA back into service.

Step 4 Bring the active HA out of service by shutting down the HSRP interface. This will cause the standby to take over as the active HA.

Step 5 Make the necessary configuration changes on the active HA, and save the configuration.

Step 6 Issue the reload command to bring the active HA back into service.


Note: Some outage might occur regarding existing calls on the active HA being cleared forcibly.

Note: Configurations on the active and standby should be the same for HA redundancy to work properly.


Loading the IOS Image to MWAM

The image download process automatically loads an IOS image on to the three processor complexes on the MWAM. All three complexes on the card run the same version of IOS, so they share the same image source. The software for MWAM bundles the images it needs in flash memory on the PC complex. For more information, refer to the Cisco Multi-processor WAN Application Module Installation and Configuration Note.

For more information on upgrading to a new software release, see the product bulletin Cisco IOS Software Upgrade Ordering Instructions located at:

http://www.cisco.com/warp/public/cc/pd/iosw/prodlit/957_pp.htm

MIBs

Old Cisco Management Information Bases (MIBs) will be replaced in a future release. Currently, OLD-CISCO-* MIBs are being converted into more scalable MIBs—without affecting existing Cisco IOS products or NMS applications. You can update from deprecated MIBs to the replacement MIBs as shown in Table 2.

Table 2 Deprecated and Replacement MIBs 

| Deprecated MIB | Replacement |
|---|---|
| OLD-CISCO-APPLETALK-MIB | RFC1243-MIB |
| OLD-CISCO-CHASSIS-MIB | ENTITY-MIB |
| OLD-CISCO-CPUK-MIB | To be decided |
| OLD-CISCO-DECNET-MIB | To be decided |
| OLD-CISCO-ENV-MIB | CISCO-ENVMON-MIB |
| OLD-CISCO-FLASH-MIB | CISCO-FLASH-MIB |
| OLD-CISCO-INTERFACES-MIB | IF-MIB, CISCO-QUEUE-MIB |
| OLD-CISCO-IP-MIB | To be decided |
| OLD-CISCO-MEMORY-MIB | CISCO-MEMORY-POOL-MIB |
| OLD-CISCO-NOVELL-MIB | NOVELL-IPX-MIB |
| OLD-CISCO-SYS-MIB | (Compilation of other OLD* MIBs) |
| OLD-CISCO-SYSTEM-MIB | CISCO-CONFIG-COPY-MIB |
| OLD-CISCO-TCP-MIB | CISCO-TCP-MIB |
| OLD-CISCO-TS-MIB | To be decided |
| OLD-CISCO-VINES-MIB | CISCO-VINES-MIB |
| OLD-CISCO-XNS-MIB | To be decided |


Cisco IOS Feature Sets

The Cisco IOS software is packaged in feature sets consisting of software images—depending on the platform. Each feature set contains a specific set of Cisco IOS features.

Cisco IOS Release 12.3(14)YX14 supports the same feature sets as Cisco Release 12.3, with the exception that Cisco Release 12.3(14)YX14 includes the Cisco Home Agent feature. The Home Agent feature is optimized for the Cisco 7206 router, the Cisco 6500 Catalyst Switch, and the 7600 Internet Router.


Caution: Cisco IOS images with strong encryption (including, but not limited to 168-bit (3DES) data encryption feature sets) are subject to United States government export controls and have limited distribution. Strong encryption images to be installed outside the United States are likely to require an export license. Customer orders may be denied or subject to delay due to United States government regulations. When applicable, purchaser/user must obtain local import and use authorizations for all encryption strengths. Please contact your sales representative or distributor for more information, or send an e-mail to export@cisco.com.

Cisco Mobile Wireless Home Agent Software Features in Cisco IOS Release 12.3(14)YX14

Support for Mobile Equipment Identifier (MEID)

Home Agent Accounting in a Redundant Setup

Packet count and Byte count in Accounting Records

Additional Attributes in the Accounting Records

Additional Accounting Methods—Interim Accounting is Supported.

VRF Mapping on the RADIUS Server

Home Agent Redundancy Enhancements

Geographical Redundancy

Redundancy with Radius Downloaded Pool Names

SNMP Traps to Track Utilization of Local IP Pool

Support for Supervisor 720 and 1GB MWAM in Supported Platforms

Mobile-User ACLs in Packet Filtering

IP Reachability

DNS Server Address Assignment

Mobile IP MIB Enhancements in SNMP, MIBs and Network Management

Mobile IPv4 Registration Revocation

HA Server Load Balancing

HA Accounting

Skip HA-CHAP with MN-FA Challenge Extension (MFCE)

VRF Support on HA

Hot-lining

Radius Disconnect

Conditional Debugging

Dynamic Home Agent Assignment

Virtual Networks

Home Address Assignment

Selective Mobile Blocking

On-Demand Address Pool (ODAP)

Mobile IP IPSec

Support for ACLs on Tunnel Interface

Support for AAA Attributes MN-HA-SPI and MN-HA SHARED KEY

3 DES Encryption

User Profiles

Mobility Binding Association

User Authentication and Authorization

HA Binding Update

Packet Filtering

Security

Caveats

Caveats describe unexpected behavior in Cisco IOS software releases. Severity 1 caveats are the most serious caveats; severity 2 caveats are less serious.

Caveats for Cisco IOS Releases 12.2 can be found on CCO at http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/prod_release_notes_list.html

The "Open Caveats" section lists open caveats that apply to the current release and might also apply to previous releases.

The "Resolved Caveats" section lists caveats resolved in a particular release, which may have been open in previous releases.


Note: If you have an account with CCO, you can use Bug Navigator II to find caveats of any severity for any release. You can reach Bug Navigator II on CCO at Software Center: Cisco IOS Software: Cisco Bug Toolkit: Cisco Bugtool Navigator II, or at http://www.cisco.com/support/bugtools.


Open Caveats

The following caveats are unresolved in Cisco IOS Release 12.3(14)YX14:

CSCei86912—Router Reloads Unexpectedly While Issuing GD Commands

Router reloads unexpectedly while issuing GD command "sh mem debug leaks chunks" or "show memory debug leak"

This command was issued on a 5850 platform in an MGCP TB. The router had been up for around 3 days and multiple stress tests had been run on it. The problem is noticed on high-end platforms where memory utilization is higher.

Workaround: there is no workaround at this time. Avoid issuing the above CLIs, as they are debugging CLIs used to find memory leaks and should not be used during normal operation of the router.

CSCsx16742—Tracebacks While Executing show memory debugs leaks chunks on TELUS

When show memory debugs leaks chunks command is executed, tracebacks and CPUHOG messages were observed.

The problem occurs only when the show memory debugs leaks chunks command is executed. This is a CPU-intensive command and causes the CPU-HOG message to display.

Workaround: none.

Unresolved Caveats Prior to 12.3(14)YX14

The following caveats are unresolved in Cisco IOS Release 12.3(14)YX9:

CSCsi92411—%Incorrect range for SPI configuration

FHAE disappearance. Receiving message: "%Incorrect range for SPI configuration" when trying to add the ip mobile secure foreign-agent ip address spi decimal command back into the configuration after the command was automatically removed.

This condition occurs when the HA processes the revocation request messages incorrectly. The function returns NULL for invalid authspi which is received in Revoc ACK Msg from the FA and is assigned to the same *spi.

Workaround: reload the router and add the configurations back in, but the problem will occur again.

Unresolved Caveats Prior to 12.3(14)YX9

The following caveats are unresolved in Cisco IOS Release 12.3(14)YX7:

CSCsh36963—Deregistration Fails to Occur when COA is Same as Home Address of MN

If you trigger a deregistration request that contains a COA equal to the Mobile node's home address, the Home Agent fails to delete the binding.

Workaround: none.

CSCsh47036—HA Sends Revocation ACK when the Rev Req is not Protected

The Home Agent accepts the revocation message when sent with no valid authenticator (like FHAE, IPSec), and sends the revocation acknowledgement back.

Workaround: enable FHAE or IPSEC configuration on the Home Agent.

CSCsh51169—Tracebacks Seen While Creating MIP Flows.

When you create MIP flows on a Cisco router running the h1is image, if the identification field timestamp in the RRQ differs from the Home Agent time, tracebacks are observed.

Workaround: enable the logging buffer to capture all debug logs and avoid tracebacks. The tracebacks occur because of the increase of debug logs on the console. If you enable the same debugs with buffering and no console, no tracebacks occur.

CSCsh61083—MobileIP Fails to Delete the Route to Virtual Network of MN

Mobile IP fails to delete the route to the MN virtual network, and prints the following error message:

Jan 31 08:29:19.379: MobileIP: Delete Route failed for VirtNet GIAddr 70.1.1.2(255.255.255.255) (Error Code 0)

This issue is seen in a redundant HA setup when virtual network is configured, and assigns the addresses to the MN from the virtual network. This issue occurs when the active or standby HAs are reloaded, and a revocation request is sent from the FA.

Workaround: none.

Unresolved Caveats Prior to 12.3(14)YX5

The following caveats are unresolved in Cisco IOS Release 12.3(14)YX4:

CSCsg30952—Incorrect number of Bindings in Standby Home Agent in Stress Condition

On a Cisco router running Cisco IOS 12.3(14)YX4 software acting as a standby Home Agent under high stress conditions, for the same NAI, multiple bindings are created on the standby HA.

This condition causes a higher number of bindings to be created on the standby HA, and only occurs under high stress conditions.

Workaround: none.

Unresolved Caveats Prior to 12.3(14)YX4

There were no new unresolved caveats in Cisco IOS Release 12.3(14)YX3.

Unresolved Caveats Prior to 12.3(14)YX3

The following caveats are unresolved in Cisco IOS Release 12.3(14)YX2:

CSCsb91403—Traffic Through IPSEC Tunnel Drops When it is Established Over MIP Flow

Packets (ping traffic) are getting dropped when the IPSEC tunnel is established over MIP flow. This happens when IPSEC is enabled.

Workaround: without IPSEC, the ping works fine.

CSCse14405—MW HA: Spurious Memory Access When RRQ Received With Invalid NAI

A spurious memory access occurs when an RRQ is received with an invalid NAI. The RRQ is dropped as expected. No other side effect will be seen.

Workaround: none.

CSCse14994 - HA Returns Invalid Response to SNMPwalk cmiHaRegMnIfDescription

The Cisco HA returns the invalid response "Return packet too big" to an SNMPwalk of cmiHaRegMnIfDescription and cmiHaRegMobilityBindingRegFlags.

Workaround: none.

Unresolved Caveats Prior to 12.3(14)YX2

The following caveats are unresolved in Cisco IOS Release 12.3(14)YX1:

CSCsd73609: Unable to Open More Than 64K Bindings on HA With DHCP Address Allocation

Unable to open more than 64K bindings on a Home Agent with address allocation from DHCP.

The condition occurs when mobile hosts are allocated addresses from a DHCP server.

Workaround: do not use the DHCP server for address allocation, use local pools instead.

CSCsd78079: Framed IP address in interim update is 0.0.0.0

On a Home Agent running IOS version 12.3(14)YX, for a few sessions interim updates are sent with a framed IP of 0.0.0.0.

Workaround: none.

CSCsd79563: [R3.0] MIP UDP Tunneling - HA is not sending keep alive messages.

On a Cisco 7200 router running the 12.3(14)YX1 software, the "tunnel keep alive message" exchanges between the PDSN and the HA fail after three attempts, and the tunnel between the PDSN and HA is deleted.

This condition occurs only when NAT UDP is configured.

Workaround: set the keep alive to maximum.

CSCsd80725: Memory Leak With Static/Dynamic Pool Downloaded from AAA

On a Cisco router running the 12.3(14)YX image, there can be a memory leak in the following scenarios:

The malloc_lite blocks leak when static/dynamic pool download from AAA.

If a dereg is received for a non-existent binding, spi is leaked.

Workaround: none.

Unresolved Caveats Prior to Cisco IOS Release 12.3(14)YX1

The following caveats are unresolved in Cisco IOS Release 12.3(14)YX:

CSCin98093—Memory leak of MN pool and spi in a particular scenario

On a Cisco router running YX Home Agent software, there can be a memory leak of 60 bytes in particular scenarios.

The following conditions exist:

With load-sa configured.

When a de-registration is received for a non-existent binding, the memory for the SPI downloaded from AAA is leaked.

When a static or dynamic pool name is received from AAA, the Home Agent may leak the memory associated with this entry when the binding is deleted.

Workaround: none.

CSCsb17883—debug ip mobile host Produces no Output

On a Cisco router running the Home-Agent 12.3(14)YX software, relevant debugs do not appear when the debug ip mobile host command is enabled and a binding is created.

Workaround: enable the debug ip mobile command to print debugs related to the binding.

CSCsb47288—Output of the Mobile-IP Bindings of the Host Shows Wrong Pool Names

On a Cisco Home Agent running the Cisco IOS 12.3(14)YX Home Agent Image, the output in the show ip mobile host command of mobile-ip bindings are shown with wrong pool names. The virtual-network of the host is also not displaying a proper value.

This occurs when pool name is downloaded from Radius server.

Workaround: none.

CSCsb51583—show ip mobile binding Output is not Clear When Bindings Are Deleted

On a Cisco router running the Cisco IOS 12.3(14)YX Home Agent Image, the show ip mobile binding command output of a large number of bindings is not clear when bindings are being deleted simultaneously.

This issue occurs only when a large number of bindings are opened, and are being closed, and only under rare conditions.

Workaround: Use the show ip mobile binding summary, the show ip mobile binding, or the show ip mobile binding nai commands.

CSCsb77957—After Re-Reg, Acct-Records are not Updated with New HA address

On a Cisco 7200 series router running the HA Accounting feature, the accounting records should reflect the new HA address when re-registration occurs with the new HA. With the current image, however, the accounting records (watchdog, stop) do not reflect the new HA.

This occurs only when the Re-registration happens with new HA address.

Workaround: none.

CSCsb82045—All Bindings Do Not Get Synced on Active HA Reload with VRF Configuration

On a Cisco router running the Cisco IOS 12.3(14)YX Home Agent Image, all bindings do not get synced on reload of active HA as part of the initial bulk sync.

The issue is only seen when the ip mobile home-agent redundancy group virtual-network address addr command is configured. This is required for normal and bulk syncing of bindings for vrf users, and the addr here is the vrf subnet.

Workaround: Enable redundancy by configuring the ip mobile home-agent redundancy group command.

CSCsc79038—High CPU on Active HA After Second Switchover

On a Cisco router running 12.3(14)YX Home Agent (HA) images, high CPU is seen on active HA after second switchover.

This issue occurs only when periodic accounting and periodic syncing of counters are enabled, a large number of bindings exist when the switchover occurs, and periodic accounting triggers.

Workaround: Use a VSA-based approach to assist the AAA server to get the correct byte counts per session. Or limit the number of bindings to a lower number, so that the number of periodic accounting messages generated is limited.

CSCsc47745—clear ip mob binding all load name Should Not Trigger Revocation

On a Cisco router running the Cisco IOS 12.3(14)YX Home Agent Image, issuing the clear ip mob binding all load standby group name command on the active HA with revocation enabled sends revocation to the PDSN. This causes the binding to be deleted.

This issue occurs only when the revocation is enabled on both PDSN and HA.

Workaround: Do not issue the clear ip mob binding all load standby group name command when revocation is enabled.

CSCsc58847—Unable to open 235K bindings on Home Agent

On a Cisco Home Agent running the Cisco IOS 12.3(14)YX Home Agent image, as part of regression test, opening of 235K bindings on Home agent at 166 cps failed. Only about 220K bindings come up. The remaining RRQs are dropped. Packets were dropped by MIP queue and also at UDP.

Workaround: none.

CSCsc61965—ip mobile realm @ VRF .... command vanishes after reload

On a Cisco Home Agent running the Cisco IOS 12.3(14)YX Home Agent image, the ip mobile realm @ VRF .... command disappears after reload if the ha-ip address belongs to the physical address of the interface, and not HSRP or Loopback ip.

Workaround: none

CSCsc70012—Memory Leak on Home Agent When load-sa permanent is Configured

On a Cisco Home Agent running the Cisco IOS 12.3(14)YX Home Agent image, a memory leak is observed on the Home Agent when load-sa permanent is configured.

This issue is seen only when load-sa is configured with the permanent keyword so that security associations are cached even after binding deletion.

Workaround: do not configure load-sa with the permanent keyword.

CSCsc72885—Active HA Not Sending the Switchover VSA When Specific CLI Used.

On a Cisco Home Agent running the Cisco IOS 12.3(14)YX Home Agent image, the switchover indication is not sent after switchover by the new active HA.

This happens when Home-agent address is configured in HA using the ip mobile home-agent address ha address command.

Workaround: Remove the ip mobile home-agent address ha address command.

CSCsc74477—Switchover VSA not Sent if VRF Subnet Configured on home-agent redundancy Command

On a Cisco router running the Cisco IOS 12.3(14)YX Home Agent image, switchover VSA indicator was not sent in accounting records, if "VRF Subnet" address is configured on the ip mobile home-agent redundancy command.

This issue is not seen if a specific VRF address is configured. It is seen only if a VRF subnet address is configured to open multiple VRF flows with an HA-Redundancy setup.

Workaround: none.

CSCsb78088—DDNS Update to Delete Getting Succeeded for "Non-Existing" DNS server

On a Cisco router running Cisco IOS 12.3(14)YX HA software, a Dynamic DNS Update-delete sent to a non-existing secondary DNS server succeeds. This issue is not seen when a DNS Update-add is sent.

Workaround: none.

CSCsc25773—Connect-Progress Value in Accounting Watchdog Garbled after MIP re-reg

On a Cisco router running Cisco IOS 12.3(14)YX HA software, the Cisco-avpair (connect-progress=Call Up) sent in watchdog accounting packets carries different values before and after MIP re-registration on the Home Agent and PDSN. The value "call up" should be sent in accounting watchdog packets even after MIP re-registration.

Workaround: none.

CSCsc41656—ICMP Unreachables Sent With Suppress Unreachable Config on HA

On a Cisco router running Cisco IOS 12.3(14)YX HA software, the ICMP unreachable message is sent from the HA even when "Suppress Unreachable" is configured on the box.

Workaround: none.

CSCsc62664—Mobile-user Acls May Drop Some Packets When Logging is Configured

On a Cisco router running Cisco IOS 12.3(14)YX HA software, if you specify the log option of the access-list command, packets are dropped towards the reflector and the ping fails.

Workaround: none.

CSCsb91776—Tunnel Counters Should be incremented For All Keep-Alive Messages

On a Cisco router running Cisco IOS 12.3(14)YX HA software, when NAT-PT is configured, the tunnel counters (both input and output) on the show ip mobile tunnel command do not get incremented for every keep-alive message sent from the PDSN to the HA going over the tunnel.

Workaround: none.

Unresolved Caveats Prior to Cisco IOS Release 12.3(14)YX

The following caveats are unresolved in Cisco IOS Release 12.3(11)YF3:

CSCee19678—Tracebacks on MWAM HA When Interface is Shut While Running Load Test

On a Cisco MWAM based module acting as Home agent and handling calls and traffic to simulate background load conditions, when a processor acting as active is forcibly made standby by shutting down the interface, NULLIDB tracebacks appear on the processor on which the transition is made.

This condition occurs when the interface is shut, or the PI link flaps.

Workaround: none. There is no functional breakdown of Home Agent. This traceback does not have any effect on Home Agent functionality.

CSCee26364—MN SA Deleted on clear ip mobile binding CLI on HA

Security-Association for the NAI is deleted when one of the flows is closed on the HA.

This symptom has been observed on a router that is running Cisco IOS release 12.3T under the following conditions:

Configure the load-sa config on the HA and open multiple flows for same NAI.

Close one of the flows and subsequently, the Security Association for the NAI is deleted, even though the other MIP flow is active.

If any other new flow is opened, a new security association is again invoked from AAA.

*The above symptom is seen for NAI-based users when multiple MIP flows are opened with same NAI but different home-addresses.

Workaround: none.

Unresolved Caveats Prior to Cisco IOS Release 12.3(14)YX

CSCee34368—Standby HA Reloads in this Scenario

A Cisco router running Home Agent R2.0 software and configured as Standby HA reloads when bindings are cleared while the standby exchanges HSRP state information with the active HA.

This condition exists when the bindings on the standby HA are cleared after reloading the active HA.

This problem is very rare and was seen only once during testing.

Workaround: none.

CSCee52886—Proxy DHCP: Active HA Releases the DHCP Address on Standby Interface

The active HA releases the DHCP address for the binding when the HSRP interface of the standby HA goes down, when proxy DHCP allocation is configured.

This condition is observed when the standby HA's HSRP interface is shut down while the active and standby have active Mobile IP bindings with dynamic allocation using proxy DHCP.

Workaround: none.

CSCee56692—Spurious Memory Access Observed While Opening Bindings With DHCP

On a Cisco 7200/7600 router running Home Agent R2.0 Software, spurious memory access is observed on the standby HA while opening and closing of bindings using DHCP.

This condition exists when opening and closing Mobile IP bindings using DHCP, and the HA is configured with redundancy.

Workaround: none.

CSCef57953—Security Violation Counters Are Not Incrementing in HA

Security violation counters are not incrementing in a Cisco router running 12.3T R2.0 Release HA software.

This condition occurs when MNHA authentication failed for an invalid SPI value.

Workaround: none.

CSCef86760—Standby HA Reloads on Bindupdate from Active HA When Pre-emption is Configured

The standby Home Agent reloads on receiving a bind update from the active when pre-emption is configured.

The reload is observed only after repeating the switchover more than once.

Workaround: none.

CSCef95682—PMIP Flow Does Not Open With HA-SLB (Directed Mode)

On a Cisco router running Release 2.0 PDSN software, when a Proxy MIP flow is opened in a setup with HA-SLB (Directed Mode), the flow does not come up as the destination address set in the RRP seems to be incorrect.

This symptom occurs when a Proxy MIP flow is opened with HA-SLB operating in Directed Mode. This issue is not seen when HA-SLB is used in Dispatched mode for the PMIP flow.

Workaround: none.

CSCeg00126—Security Violation on HA Without User Config Not Properly Recorded

Error condition for Registration request in the debug message is not reflecting the actual failure scenario.

Workaround: none.

CSCeg03745—Spurious Memory Access When Downloading SA With Command aaa-download

Spurious memory access is observed on the Home Agent when Security associations are cleared and downloaded using the ip mob sec aaa-download rate 10 command.

The traceback is seen only when using the aaa-download rate command.

Workaround: none.

CSCeg16482—Standby HA Does Not Get All SAs When the Interface in Shut/No Shut

The SA is not getting downloaded in standby HA.

This problem occurs under the following conditions:

when the HSRP interface on standby is shut

clearing the binding in standby HA

making the HSRP interface in standby up.

Workaround: do not shut the HSRP interface in the standby HA.

CSCeg22858—HA: Rejects MN Binding When MN is Unconfigured and Configured Again

When the MN NAI is unconfigured and configured again, the HA rejects the binding for that NAI.

This only occurs when the NAI is unconfigured and configured, and tries to register with HA.

This happens in local pool, static and DHCP address allocation schemes.

Workaround: do not unconfigure the NAI in HA for which the registration has to be made.

CSCin79571—HA Cannot Install SA for RRQ With Unknown Extension

The HA drops the RRQ under the following conditions:

RRQ has an unknown extension.

HA downloads MHAE Shared Key for the user from radius server in 3gpp2-mn-ha-shared-key format.

Workaround: ensure that the MN and FA do not send an unknown extension in RRQ.

CSCin79585—show run Displays Invalid Commands

When ip mobile home-agent nat traversal keepalive value is configured, the following configurations appear:

	ip mobile home-agent revocation traversal keepalive value 
	ip mobile home-agent nat traversal keepalive value 

This has no effect on revocation or NAT traversal feature behavior, but, when the HA is reloaded, revocation may get disabled.

Workaround: remove ip mobile home-agent revocation traversal keepalive value from the startup configuration, or reconfigure revocation manually on reload.

CSCin84300—HA Sends Weight Updates Only When home-agent dynamic-address is Configured

A Cisco router running release 2.0 HA software and configured with DFP does not send weight updates when the ip mobile home-agent dynamic-address ip-addr command is not configured.

Workaround: configure the ip mobile home-agent dynamic-address ip-addr command.

CSCin84856—Binding Does Not Sync to SBY on Changing Config From Group to User

Binding does not sync to the standby HA when the configuration is changed from group to a single user.

This condition occurs when the ip mobile host nai command is initially configured for a group of users, and then unconfigured and changed to a single user.

Workaround: do not change the configuration from group to per-user.

CSCsa50710—aaa load-sa permanent Option Not Working

On a Cisco PDSN/Home agent running an R2.0 image, the security association for the MN is not stored permanently on the HA even though the aaa load-sa permanent option is configured for the nai on the HA.

This condition occurs when the security association for the MN is deleted on the HA on de-registration, even when the aaa load-sa permanent option is configured for the nai on the HA.

Workaround: none.

Unresolved Caveats Prior to Cisco IOS Release 12.3(11)YF3

The following caveats are unresolved in Cisco IOS Release 12.3(11)YF2:

CSCee19678—Tracebacks on MWAM HA When Interface is Shut While Running Load Test

On a Cisco MWAM based module acting as Home agent and handling calls and traffic to simulate background load conditions, when a processor acting as active is forcibly made standby by shutting down the interface, NULLIDB tracebacks appear on the processor on which the transition is made.

This condition occurs when the interface is shut, or the PI link flaps.

Workaround: none. There is no functional breakdown of the Home Agent. This traceback does not have any effect on Home Agent functionality.

CSCee26364—MN SA Deleted on clear ip mobile binding CLI on HA

Security-Association for the NAI is deleted when one of the flows is closed on the HA.

This symptom has been observed on a router that is running Cisco IOS release 12.3T under the following conditions:

Configure the load-sa config on the HA and open multiple flows for same NAI.

Close one of the flows and subsequently, the Security Association for the NAI is deleted, even though the other MIP flow is active.

If any other new flow is opened, a new security association is again invoked from AAA.

*The above symptom is seen for NAI-based users when multiple MIP flows are opened with same NAI but different home-addresses.

Workaround: none.

CSCee34368—Standby HA Reloads in this Scenario

A Cisco router running Home Agent R2.0 software and configured as Standby HA reloads when bindings are cleared while the standby exchanges HSRP state information with the active HA.

This condition exists when the bindings on the standby HA are cleared after reloading the active HA.

This problem is very rare and was seen only once during testing.

Workaround: none.

CSCee52886—Proxy DHCP: Active HA Releases the DHCP Address on Standby Interface

The active HA releases the DHCP address for the binding when the HSRP interface of the standby HA goes down, when proxy DHCP allocation is configured.

This condition is observed when the standby HA's HSRP interface is shut down while the active and standby have active Mobile IP bindings with dynamic allocation using proxy DHCP.

Workaround: none.

CSCee56692—Spurious Memory Access Observed While Opening Bindings With DHCP

On a Cisco 7200/7600 router running Home Agent R2.0 Software, spurious memory access is observed on the standby HA while opening and closing of bindings using DHCP.

This condition exists when opening and closing Mobile IP bindings using DHCP, and the HA is configured with redundancy.

Workaround: none.

CSCef57953—Security Violation Counters Are Not Incrementing in HA

Security violation counters are not incrementing in a Cisco router running 12.3T R2.0 Release HA software.

This condition occurs when MNHA authentication failed for an invalid SPI value.

Workaround: none.

CSCef86760—Standby HA Reloads on Bindupdate from Active HA When Pre-emption is Configured

The standby Home Agent reloads on receiving a bind update from the active when pre-emption is configured.

The reload is observed only after repeating the switchover more than once.

Workaround: none.

CSCef95682—PMIP Flow Does Not Open With HA-SLB (Directed Mode)

On a Cisco router running Release 2.0 PDSN software, when a Proxy MIP flow is opened in a setup with HA-SLB (Directed Mode), the flow does not come up as the destination address set in the RRP seems to be incorrect.

This symptom occurs when a Proxy MIP flow is opened with HA-SLB operating in Directed Mode. This issue is not seen when HA-SLB is used in Dispatched mode for the PMIP flow.

Workaround: none.

CSCeg00126—Security Violation on HA Without User Config Not Properly Recorded

Error condition for Registration request in the debug message is not reflecting the actual failure scenario.

Workaround: none.

CSCeg03745—Spurious Memory Access When Downloading SAs With Command aaa-download

Spurious memory access is observed on the Home Agent when Security associations are cleared and downloaded using the ip mob sec aaa-download rate 10 command.

The traceback is seen only when using the aaa-download rate command.

Workaround: none.

CSCeg16482—Standby HA Does Not Get All SAs When the Interface in Shut/No Shut

The SA is not getting downloaded in standby HA.

This problem occurs under the following conditions:

when the HSRP interface on standby is shut

clearing the binding in standby HA

making the HSRP interface in standby up.

Workaround: do not shut the HSRP interface in the standby HA.

CSCeg22858—HA: Rejects MN Binding When MN is Unconfigured and Configured Again

When the MN NAI is unconfigured and configured again, the HA rejects the binding for that NAI.

This only occurs when the NAI is unconfigured and configured, and tries to register with HA.

This happens in local pool, static and DHCP address allocation schemes.

Workaround: do not unconfigure the NAI in HA for which the registration has to be made.

CSCin79571—HA Cannot Install SA for RRQ With Unknown Extension

The HA drops the RRQ under the following conditions:

RRQ has an unknown extension.

HA downloads MHAE Shared Key for the user from radius server in 3gpp2-mn-ha-shared-key format.

Workaround: ensure that the MN and FA do not send an unknown extension in RRQ.

CSCin79585—show run Displays Invalid Commands

When ip mobile home-agent nat traversal keepalive value is configured, the following configurations appear:

	ip mobile home-agent revocation traversal keepalive value 
	ip mobile home-agent nat traversal keepalive value 

This has no effect on revocation or NAT traversal feature behavior, but, when the HA is reloaded, revocation may get disabled.

Workaround: remove ip mobile home-agent revocation traversal keepalive value from the startup configuration, or reconfigure revocation manually on reload.

CSCin84300—HA Sends Weight Updates Only When home-agent dynamic-address is Configured

A Cisco router running release 2.0 HA software and configured with DFP does not send weight updates when the ip mobile home-agent dynamic-address ip-addr command is not configured.

Workaround: configure the ip mobile home-agent dynamic-address ip-addr command.

CSCin84856—Binding Does Not Sync to SBY on Changing Config From Group to User

Binding does not sync to the standby HA when the configuration is changed from group to a single user.

This condition occurs when the ip mobile host nai command is initially configured for a group of users, and then unconfigured and changed to a single user.

Workaround: do not change the configuration from group to per-user.

CSCsa50710—aaa load-sa permanent Option Not Working

On a Cisco PDSN/Home agent running an R2.0 image, the security association for the MN is not stored permanently on the HA even though the aaa load-sa permanent option is configured for the nai on the HA.

This condition occurs when the security association for the MN is deleted on the HA on de-registration, even when the aaa load-sa permanent option is configured for the nai on the HA.

Workaround: none.

Unresolved Caveats Prior to Cisco IOS Release 12.3(11)YF2

The following caveats are unresolved in Cisco IOS Release 12.3(11)YF1:

CSCee19678—Tracebacks on MWAM HA When Interface is Shut While Running Load Test

On a Cisco MWAM based module acting as Home agent and handling calls and traffic to simulate background load conditions, when a processor acting as active is forcibly made standby by shutting down the interface, NULLIDB tracebacks appear on the processor on which the transition is made.

This condition occurs when the interface is shut, or the PI link flaps.

Workaround: none. There is no functional breakdown of Home Agent. This traceback does not have any effect on Home Agent functionality.

CSCee26364—MN SA Deleted on clear ip mobile binding CLI on HA

Security-Association for the NAI is deleted when one of the flows is closed on the HA.

This symptom has been observed on a router that is running Cisco IOS release 12.3T under the following conditions:

Configure the load-sa config on the HA and open multiple flows for same NAI.

Close one of the flows and subsequently, the Security Association for the NAI is deleted, even though the other MIP flow is active.

If any other new flow is opened, a new security association is again invoked from AAA.

The above symptom is seen for NAI-based users when multiple MIP flows are opened with same NAI but different home-addresses.

Workaround: none.

CSCee34368—Standby HA Reloads in this Scenario

A Cisco router running Home Agent R2.0 software and configured as Standby HA reloads when bindings are cleared while the standby exchanges HSRP state information with the active HA.

This condition exists when the bindings on the standby HA are cleared after reloading the active HA.

This problem is very rare and was seen only once during testing.

Workaround: none.

CSCee52886—Proxy DHCP: Active HA Releases the DHCP Address on Standby Interface

The active HA releases the DHCP address for the binding when the HSRP interface of the standby HA goes down, when proxy DHCP allocation is configured.

This condition is observed when the standby HA's HSRP interface is shut down while the active and standby have active Mobile IP bindings with dynamic allocation using proxy DHCP.

Workaround: none.

CSCee56692—Spurious Memory Access Observed While Opening Bindings With DHCP

On a Cisco 7200/7600 router running Home Agent R2.0 Software, spurious memory access is observed on the standby HA while opening and closing of bindings using DHCP.

This condition exists when opening and closing Mobile IP bindings using DHCP, and the HA is configured with redundancy.

Workaround: none.

CSCef57953—Security Violation Counters Are Not Incrementing in HA

Security violation counters are not incrementing in a Cisco router running 12.3T R2.0 Release HA software.

This condition occurs when MNHA authentication failed for an invalid SPI value.

Workaround: none.

CSCef86760—Standby HA Reloads on Bindupdate from Active HA When Pre-emption is Configured

The standby Home Agent reloads on receiving a bind update from the active when pre-emption is configured.

The reload is observed only after repeating the switchover more than once.

Workaround: none.

CSCef95682—PMIP Flow Does Not Open With HA-SLB (Directed Mode)

On a Cisco router running Release 2.0 PDSN software, when a Proxy MIP flow is opened in a setup with HA-SLB (Directed Mode), the flow does not come up as the destination address set in the RRP seems to be incorrect.

This symptom occurs when a Proxy MIP flow is opened with HA-SLB operating in Directed Mode. This issue is not seen when HA-SLB is used in Dispatched mode for the PMIP flow.

Workaround: none.

CSCeg00126—Security Violation on HA Without User Config Not Properly Recorded

Error condition for Registration request in the debug message is not reflecting the actual failure scenario.

Workaround: none.

CSCeg03745—Spurious Memory Access When Downloading SAs With Command aaa-download

Spurious memory access is observed on the Home Agent when Security associations are cleared and downloaded using the ip mob sec aaa-download rate 10 command.

The traceback is seen only when using the aaa-download rate command.

Workaround: none.

CSCeg16482—Standby HA Does Not Get All SAs When the Interface in Shut/No Shut

The SA is not getting downloaded in standby HA.

This problem occurs under the following conditions:

when the HSRP interface on standby is shut

clearing the binding in standby HA

making the HSRP interface in standby up.

Workaround: do not shut the HSRP interface in the standby HA.

CSCeg22858—HA: Rejects MN Binding When MN is Unconfigured and Configured Again

When the MN NAI is unconfigured and configured again, the HA rejects the binding for that NAI.

This only occurs when the NAI is unconfigured and configured, and tries to register with HA.

This happens in local pool, static and DHCP address allocation schemes.

Workaround: do not unconfigure the NAI in HA for which the registration has to be made.

CSCin79571—HA Cannot Install SA for RRQ With Unknown Extension

The HA drops the RRQ under the following conditions:

RRQ has an unknown extension.

HA downloads MHAE Shared Key for the user from radius server in 3gpp2-mn-ha-shared-key format.

Workaround: ensure that the MN and FA do not send an unknown extension in RRQ.

CSCin79585—show run Displays Invalid Commands

When ip mobile home-agent nat traversal keepalive value is configured, the following configurations appear:

	ip mobile home-agent revocation traversal keepalive value 
	ip mobile home-agent nat traversal keepalive value 

This has no effect on revocation or NAT traversal feature behavior, but, when the HA is reloaded, revocation may get disabled.

Workaround: remove ip mobile home-agent revocation traversal keepalive value from the startup configuration, or reconfigure revocation manually on reload.

CSCin84300—HA Sends Weight Updates Only When home-agent dynamic-address is Configured

A Cisco router running release 2.0 HA software and configured with DFP does not send weight updates when the ip mobile home-agent dynamic-address ip-addr command is not configured.

Workaround: configure the ip mobile home-agent dynamic-address ip-addr command.

CSCin84856—Binding Does Not Sync to SBY on Changing Config From Group to User

Binding does not sync to the standby HA when the configuration is changed from group to a single user.

This condition occurs when the ip mobile host nai command is initially configured for a group of users, and then unconfigured and changed to a single user.

Workaround: do not change the configuration from group to per-user.

CSCsa50710—aaa load-sa permanent Option Not Working

On a Cisco PDSN/Home agent running an R2.0 image, the security association for the MN is not stored permanently on the HA even though the aaa load-sa permanent option is configured for the nai on the HA.

This condition occurs when the security association for the MN is deleted on the HA on de-registration, even when the aaa load-sa permanent option is configured for the nai on the HA.

Workaround: none.

CSCsa54924—HA Does Not Clear Bindings on Interface Shut For Non-HSRP HA Address

A Cisco Home Agent (HA) does not clear bindings on the standby HA when the HSRP interface is shut.

This issue occurs under the following conditions:

a. HSRP interface is shut on standby HA

b. The HA address is not the hsrp address of the active-standby pair.

Workaround: clear the bindings manually when interface is shutdown.

Unresolved Caveats Prior to Cisco IOS Release 12.3(11)YF1

The following caveats are unresolved in Cisco IOS Release 12.3(11)YF:

CSCed50040—Memory Leak While Opening 8000 MOIP Tunnels

On a Cisco 7200/7600 router running Home Agent R2.0 Software, a memory leak is observed on both active and standby HA while opening 8000 MOIP tunnels.

Workaround: none.

CSCee19678—Tracebacks on MWAM HA When Interface is Shut While Running Load Test

On a Cisco MWAM based module acting as Home agent and handling calls and traffic to simulate background load conditions, when a processor acting as active is forcibly made standby by shutting down the interface, NULLIDB tracebacks appear on the processor on which the transition is made.

This condition occurs when the interface is shut, or the PI link flaps.

Workaround: none. There is no functional breakdown of Home Agent. This traceback does not have any effect on Home Agent functionality.

CSCee26364—MN SA Deleted on clear ip mobile binding CLI on HA

Security-Association for the NAI is deleted when one of the flows is closed on the HA.

This symptom has been observed on a router that is running Cisco IOS release 12.3T under the following conditions:

Configure the load-sa config on the HA and open multiple flows for same NAI.

Close one of the flows and subsequently, the Security Association for the NAI is deleted, even though the other MIP flow is active.

If any other new flow is opened, a new security association is again invoked from AAA.

*The above symptom is seen for NAI-based users when multiple MIP flows are opened with same NAI but different home-addresses.

Workaround: none.

CSCee34368—Standby HA Reloads in this Scenario

A Cisco router running Home Agent R2.0 software and configured as Standby HA reloads when bindings are cleared while the standby exchanges HSRP state information with the active HA.

This condition exists when the bindings on the standby HA are cleared after reloading the active HA.

This problem is very rare and was seen only once during testing.

Workaround: none.

CSCee37327—HA Reloaded Upon Clearing Bindings in this Scenario

On a Cisco 7200/7600 router running Home Agent R2.0 software, alignment and spurious memory errors occur and HA may reload when bindings are cleared after a stress test.

The errors are seen only when NAI related CLI (ip mobile host nai) is configured and unconfigured while mobiles are sending messages, traffic is flowing upstream through the sessions established by these nodes, and Change of Authorization messages are sent by the radius server.

Workaround: do not change the NAI related configuration for a mobile while sessions are being brought up or down.

CSCee52886—Proxy DHCP: Active HA Releases the DHCP Address on Standby Interface

The active HA releases the DHCP address for the binding when the HSRP interface of the standby HA goes down, when proxy DHCP allocation is configured.

This condition is observed when the standby HA's HSRP interface is shut down while the active and standby have active Mobile IP bindings with dynamic allocation using proxy DHCP.

Workaround: none.

CSCee56692—Spurious Memory Access Observed While Opening Bindings With DHCP

On a Cisco 7200/7600 router running Home Agent R2.0 Software, spurious memory access is observed on the standby HA while opening and closing of bindings using DHCP.

This condition exists when opening and closing Mobile IP bindings using DHCP, and the HA is configured with redundancy.

Workaround: none.

CSCef57953—Security Violation Counters Are Not Incrementing in HA

Security violation counters are not incrementing in a Cisco router running 12.3T R2.0 Release HA software.

This condition occurs when MNHA authentication failed for an invalid SPI value.

Workaround: none.

CSCef86760—Standby HA Reloads on Bindupdate from Active HA When Pre-emption is Configured

The standby Home Agent reloads on receiving a bind update from the active when pre-emption is configured.

The reload is observed only after repeating the switchover more than once.

Workaround: none.

CSCef95682—PMIP Flow Does Not Open With HA-SLB (Directed Mode)

On a Cisco router running Release 2.0 PDSN software, when a Proxy MIP flow is opened in a setup with HA-SLB (Directed Mode), the flow does not come up as the destination address set in the RRP seems to be incorrect.

This symptom occurs when a Proxy MIP flow is opened with HA-SLB operating in Directed Mode. This issue is not seen when HA-SLB is used in Dispatched mode for the PMIP flow.

Workaround: none.

CSCeg00126—Security Violation on HA Without User Config Not Properly Recorded

Error condition for Registration request in the debug message is not reflecting the actual failure scenario.

Workaround: none.

CSCeg03745—Spurious Memory Access When Downloading SAs With Command aaa-download

Spurious memory access is observed on the Home Agent when Security associations are cleared and downloaded using the ip mob sec aaa-download rate 10 command.

The traceback is seen only when using the aaa-download rate command.

Workaround: none.

CSCeg16482—Standby HA Does Not Get All SAs When the Interface in Shut/No Shut

The SA is not getting downloaded in standby HA.

This problem occurs under the following conditions:

when the HSRP interface on standby is shut

clearing the binding in standby HA

making the HSRP interface in standby up.

Workaround: do not shut the HSRP interface in the standby HA.

CSCeg22858—HA: Rejects MN Binding When MN is Unconfigured and Configured Again

When the MN NAI is unconfigured and configured again, the HA rejects the binding for that NAI.

This only occurs when the NAI is unconfigured and configured, and tries to register with HA.

This happens in local pool, static and DHCP address allocation schemes.

Workaround: do not unconfigure the NAI in HA for which the registration has to be made.

CSCin79571—HA Cannot Install SA for RRQ With Unknown Extension

The HA drops the RRQ under the following conditions:

RRQ has an unknown extension.

HA downloads MHAE Shared Key for the user from radius server in 3gpp2-mn-ha-shared-key format.

Workaround: ensure that the MN and FA do not send an unknown extension in RRQ.

CSCin79585—show run Displays Invalid Commands

When ip mobile home-agent nat traversal keepalive value is configured, the following configurations appear:

	ip mobile home-agent revocation traversal keepalive value 
	ip mobile home-agent nat traversal keepalive value 

This has no effect on revocation or NAT traversal feature behavior, but, when the HA is reloaded, revocation may get disabled.

Workaround: remove ip mobile home-agent revocation traversal keepalive value from the startup configuration, or reconfigure revocation manually on reload.

CSCin84300—HA Sends Weight Updates Only When home-agent dynamic-address is Configured

A Cisco router running release 2.0 HA software and configured with DFP does not send weight updates when the ip mobile home-agent dynamic-address ip-addr command is not configured.

Workaround: configure the ip mobile home-agent dynamic-address ip-addr command.

CSCin84856—Binding Does Not Sync to SBY on Changing Config From Group to User

Binding does not sync to the standby HA when the configuration is changed from group to a single user.

This condition occurs when the ip mobile host nai command is initially configured for a group of users, and then unconfigured and changed to a single user.

Workaround: do not change the configuration from group to per-user.

CSCsa44092—ODAP Standby Client Become Active When Active Client is in Active state

The standby ODAP client changes its state to active without any changes in the configuration either in active or standby ODAP clients.

The active client is in the active state when the standby client changes its state.

This condition is very rare. The behavior was observed after bindings for a MIP flow were opened, closed, and reopened a few times.

Workaround: none.

CSCsa44815—Standby HA Reloaded on Getting Info From DHCP Server After Shut/No Shut

The standby HA reloaded when the DHCP server interface connected to the standby HA (DHCP client) is shut and no shut.

This condition only occurs when the DHCP server interface is shut/no shut.

Workaround: do not shut down the DHCP server interface.

CSCsa44954—MWAM Reloaded After Configuring DHCP Pool in ODAP Client

On a Cisco router running release 2.1 PDSN software and acting as an ODAP client, when the DHCP pool is configured and a subnet is being leased from the ODAP server, the client reloads.

This condition occurs when the DHCP pool is configured and is expecting a subnet from the ODAP server.

Workaround: none.

CSCsa44959—Both Active and Standby HA Got Reloaded Simultaneously With DHCP

On a Cisco router running Release 2.1 HA software, both the active and standby HA reloaded simultaneously when the clear ip dhcp subnet command was issued on the active HA immediately after closing the PMIP flows. This reload is not reproducible.

This behavior is seen only if the HA is configured for ODAP client redundancy. Under normal conditions, no issues are seen.

Workaround: none.

CSCsa44961—Standby HA with DHCP Configs Reloaded During HSRP State-change.

On a Cisco router running Release 2.1 HA software, the standby HA reloaded when the HA was configured for DHCP. This reload is not reproducible.

This behavior is seen only if the HA is configured for ODAP client redundancy. Under normal scenarios, no issues were seen.

Workaround: none.

Unresolved Caveats Prior to Cisco IOS Release 12.3(11)YF

The following Cisco Mobile Wireless Home Agent Release 2.0 caveats are unresolved in Cisco IOS Release 12.3(8)XW3:

CSCed50040—Memory Leak While Opening 8000 MOIP Tunnels

On a Cisco 7200/7600 router running Home Agent R2.0 Software, a memory leak is observed on both active and standby HA, while opening 8000 MOIP tunnels.

Workaround: none.

CSCee19678—Tracebacks on MWAM HA When Interface is Shut While Running Load Test

On a Cisco MWAM-based module acting as Home Agent and handling calls and traffic to simulate background load conditions, when a processor acting as active is forcibly made standby by shutting down the interface, NULLIDB tracebacks appear on the processor on which the transition is made.

This condition exists when the interface is shut or the PI link flaps.

Workaround: no known workaround exists. Any condition that triggers the switchover will expose the tracebacks.

CSCee26364—MN SA Deleted on clear ip mobile binding CLI on HA

The Security-Association for the NAI is deleted when one of the flows is closed on the HA. This symptom has been observed on a router that is running Cisco IOS release 12.3T.

The following conditions exist:

Configure the "load-sa" config on the HA and open multiple flows for the same NAI.

Close one of the flows; subsequently, the Security Association for the NAI is deleted, even though the other MIP flow is active.

If any other new flow is opened, a new security association is again invoked from AAA.

Workaround: none.

CSCee34368—Standby HA Crashed in this Scenario

A Cisco router running Home Agent R2.0 software and configured as Standby HA reloads when bindings are cleared while the standby exchanges HSRP state information with the active HA.

This condition exists when the bindings on the standby HA are cleared after reloading the active HA.

This problem is very rare and was seen only once during testing.

Workaround: none.

CSCee37327—HA Reloaded Upon Clearing Bindings in this Scenario

On a Cisco 7200/7600 router running Home Agent R2.0 software, alignment and spurious memory errors occur and HA may reload when bindings are cleared after a stress test.

The errors are seen only when NAI related CLI (ip mobile host nai) is configured and unconfigured while mobiles are sending messages, traffic is flowing upstream through the sessions established by these nodes, and Change of Authorization messages are sent by the RADIUS server.

Workaround: do not change the NAI related configuration for a mobile while sessions are being brought up or down.

CSCee52886—Proxy DHCP: Active HA Releases the DHCP Address on Standby Interface

The active HA releases the DHCP address for the binding when the HSRP interface of the standby HA goes down, when proxy DHCP allocation is configured.

This condition is observed when the standby HA's HSRP interface is shut down while the active and standby have active Mobile IP bindings with dynamic allocation using proxy DHCP.

Workaround: none.

CSCee56692—Spurious Memory Access Observed While Opening Bindings With DHCP

On a Cisco 7200/7600 router running Home Agent R2.0 Software, spurious memory access is observed on the standby HA while opening and closing bindings using DHCP.

This condition exists when opening and closing Mobile IP bindings using DHCP, and the HA is configured with redundancy.

Workaround: none.

CSCee60087—Tracebacks Observed While Opening Bindings With DHCP

On a Cisco 7200/7600 router running Home Agent R2.0 Software, tracebacks are observed while opening bindings with DHCP.

This condition exists when opening and closing 30000 MOIP bindings with 30 calls/sec using DHCP, then opening 30000 MOIP bindings with DHCP and accounting configuration. Tracebacks are observed on the active HA after opening of bindings.

Workaround: none.

CSCee60490—Standby HA Crashed After Unconfig And Config Of IP Mobile Host

On a Cisco 7200/7600 router running Home Agent R2.0 software, the standby HA crashed after unconfiguring and configuring ip mobile host.

Workaround: none.

CSCef86760—Standby HA Reloads on Bindupdate from Active HA When Pre-emption is Configured

The standby Home Agent reloads on receiving a bind update from the active when pre-emption is configured.

The reload is observed only after repeating the switchover more than once.

Workaround: none.

CSCin70125—PDSN/HA Should Use Registration Revocation in MIPv4 Based on STC

On a Cisco PDSN/Home Agent running the R2.0 image, the PDSN/HA does not use the STC attribute value received in the Access-Accept message from AAA to enable/disable registration revocation capability for the user. The revocation capability can be enabled/disabled for all sessions on the box using CLI.

Workaround: none.

CSCin79571—HA Cannot Install SA for RRQ With Unknown Extension

The HA drops the RRQ under the following conditions:

The RRQ has an unknown extension.

The HA downloads the MHAE Shared Key for the user from the RADIUS server in 3gpp2-mn-ha-shared-key format.

Workaround: ensure that the MN and FA do not send an unknown extension in the RRQ.

CSCin79585—show run Displays Invalid Commands

When ip mobile home-agent nat traversal keepalive value is configured, the following configurations appear:

	ip mobile home-agent revocation traversal keepalive value 
	ip mobile home-agent nat traversal keepalive value 

This has no effect on revocation or NAT traversal feature behavior, but, when the HA is reloaded, revocation may get disabled.

Workaround: remove ip mobile home-agent revocation traversal keepalive value from the startup configuration, or reconfigure revocation manually on reload.

Unresolved Caveats Prior to IOS 12.3(8)XW3

The following caveats are unresolved in Cisco IOS Release 12.3(8)XW2:

CSCed50040—Memory Leak While Opening 8000 MOIP Tunnels

On a Cisco 7200/7600 router running Home Agent R2.0 Software, a memory leak is observed on both active and standby HA, while opening 8000 MOIP tunnels.

Workaround: none.

CSCee16329—Tracebacks in HA on Performing Overnight Tests With SW Upgrade

On a Cisco MWAM module acting as Home Agent, tracebacks appear when a software upgrade is performed while the MWAM module is handling background load in a redundant setup.

The tracebacks seem to interrupt the call processing and data processing capabilities of the MWAM on which the tracebacks appear.

Workaround: no known workaround exists. Attempts could be made to handle only a small set of calls, about 20k calls, in order to ensure that all bindings are successfully transferred to the standby HA (which has gone through the s/w upgrade).

CSCee18252—Active and Standby HA Crashed While Flapping MOIP Bindings

On a Cisco 7200/7600 router running Home Agent R2.0 Software, both the active and standby HA crash during flapping of MOIP bindings.

This condition occurs when MOIP bindings are flapped at 100 bindings/sec for about 4 hours.

Workaround: none.

CSCee19678—Tracebacks on MWAM HA When Interface is Shut While Running Load Test

On a Cisco MWAM-based module acting as Home Agent and handling calls and traffic to simulate background load conditions, when a processor acting as active is forcibly made standby by shutting down the interface, NULLIDB tracebacks appear on the processor on which the transition is made.

This condition exists when the interface is shut or the PI link flaps.

Workaround: no known workaround exists. Any condition that triggers the switchover will expose the tracebacks.

CSCee26364—MN SA Deleted on clear ip mobile binding CLI on HA

The Security-Association for the NAI is deleted when one of the flows is closed on the HA. This symptom has been observed on a router that is running Cisco IOS release 12.3T.

The following conditions exist:

Configure the "load-sa" config on the HA and open multiple flows for the same NAI.

Close one of the flows; subsequently, the Security Association for the NAI is deleted, even though the other MIP flow is active.

If any other new flow is opened, a new security association is again invoked from AAA.

Workaround: none.

CSCee34368—Standby HA Crashed in this Scenario

A Cisco router running Home Agent R2.0 software and configured as Standby HA reloads when bindings are cleared while the standby exchanges HSRP state information with the active HA.

This condition exists when the bindings on the standby HA are cleared after reloading the active HA.

This problem is very rare and was seen only once during testing.

Workaround: none.

CSCee37327—HA Reloaded Upon Clearing Bindings in this Scenario

On a Cisco 7200/7600 router running Home Agent R2.0 software, alignment and spurious memory errors occur and HA may reload when bindings are cleared after a stress test.

The errors are seen only when NAI related CLI (ip mobile host nai) is configured and unconfigured while mobiles are sending messages, traffic is flowing upstream through the sessions established by these nodes, and Change of Authorization messages are sent by the RADIUS server.

Workaround: do not change the NAI related configuration for a mobile while sessions are being brought up or down.

CSCee52886—Proxy DHCP: Active HA Releases the DHCP Address on Standby Interface

The active HA releases the DHCP address for the binding when the HSRP interface of the standby HA goes down, when proxy DHCP allocation is configured.

This condition is observed when the standby HA's HSRP interface is shut down while the active and standby have active Mobile IP bindings with dynamic allocation using proxy DHCP.

Workaround: none.

CSCee56692—Spurious Memory Access Observed While Opening Bindings With DHCP

On a Cisco 7200/7600 router running Home Agent R2.0 Software, spurious memory access is observed on the standby HA while opening and closing bindings using DHCP.

This condition exists when opening and closing Mobile IP bindings using DHCP, and the HA is configured with redundancy.

Workaround: none.

CSCee60087—Tracebacks Observed While Opening Bindings With DHCP

On a Cisco 7200/7600 router running Home Agent R2.0 Software, tracebacks are observed while opening bindings with DHCP.

This condition exists when opening and closing 30000 MOIP bindings with 30 calls/sec using DHCP, then opening 30000 MOIP bindings with DHCP and accounting configuration. Tracebacks are observed on the active HA after opening of bindings.

Workaround: none.

CSCee60490—Standby HA Crashed After Unconfig And Config Of IP Mobile Host

On a Cisco 7200/7600 router running Home Agent R2.0 software, the standby HA crashed after unconfiguring and configuring ip mobile host.

Workaround: none.

CSCef83013—Proxy DHCP: Home Agent Stops DHCP-Proxy Lease After One Iteration

The Home Agent stops the DHCP-proxy lease after one iteration of active/standby switchover for a Proxy Mobile IP binding when dynamic address allocation is configured for the user.

Workaround: none.

CSCef86760—Standby HA Reloads on Bindupdate from Active HA When Pre-emption is Configured

The standby Home Agent reloads on receiving a bind update from the active when pre-emption is configured.

The reload is observed only after repeating the switchover more than once.

Workaround: none.

CSCin79571—HA Cannot Install SA for RRQ With Unknown Extension

The HA drops the RRQ under the following conditions:

The RRQ has an unknown extension.

The HA downloads the MHAE Shared Key for the user from the RADIUS server in 3gpp2-mn-ha-shared-key format.

Workaround: ensure that the MN and FA do not send an unknown extension in the RRQ.

CSCin79585—show run Displays Invalid Commands

When ip mobile home-agent nat traversal keepalive 10 is configured, the following configurations appear:

	ip mobile home-agent revocation traversal keepalive 10 
	ip mobile home-agent nat traversal keepalive 10 

This has no effect on revocation or NAT traversal feature behavior, but, when the HA is reloaded, revocation may get disabled.

Workaround: remove ip mobile home-agent revocation traversal keepalive 10 from the startup configuration, or reconfigure revocation manually on reload.

CSCin81895—HA Does Not Change Tunnel When PATed Address and Port Changes

When the PATed address or port changes, the HA does not change the remote tunnel endpoint. As a result, subsequent traffic does not get encoded correctly.

Workaround: none.

Unresolved Caveats Prior to IOS 12.3(8)XW2

The following caveats are unresolved in Cisco IOS Release 12.3(8)XW1:

CSCed50425—Interface Drops on NPE-G1 Leading To Performance Hit on HA

On a 7200 VXR NPE-G1 functioning as Home Agent, significant drops are observed on Gigabit interface thereby causing a drop in performance of the product.

Workaround: none.

CSCed92442—New Session Hotlining Not Applied for PMIP Flows

On a Cisco router running Home Agent release 2.0, Proxy Mobile IP flow fails to come up for "New Session" Hot-lining.

Workaround: none.

CSCed94887—Process Received Unknown Tracebacks Found During RF Lost its Peer

While MOIP bindings were flapping, the RF lost its peer. After some time, process received unknown tracebacks were observed on the console.

Workaround: none.

CSCee01788—Clearing the VRF Routing Table Should Not Delete the MN's address

Clearing the VRF routing table using the clear ip route command also deletes the route corresponding to the Mobile Node.

Workaround: do not clear IP routes using the clear ip route command.

CSCee18252—Active and Standby HA Crashed While Flapping MOIP Bindings

While opening and closing bindings on Home Agent (HA) at a high rate, both active and standby HAs reloaded.

The following sequence of events caused both the active and standby HAs to reload:

Flap a large number of bindings at a high rate.

After some time the active HA is reloaded from SUP.

Standby HA became active. Open MIP Bindings.

Old active HA became standby.

After some time both standby and active HA reloaded.

Workaround: none.

CSCee19678—Tracebacks on MWAM HA When Interface is Shut While Running Load Test

When a Home Agent is handling calls and traffic to simulate background load conditions, and a processor acting as active is forcibly made standby by shutting down the interface, NULLIDB tracebacks appear.

Workaround: none.

CSCee22616—show ip mobile binding vrf summary Command Shows Incorrect Bind Count

The show ip mobile binding vrf summary command displays the wrong value under the following conditions:

Without VRF configuration, open a binding.

After the above step, configure VRF.

Clear the binding in HA.

Observe that the sh ip mob bin vrf sum command displays the wrong value.

Workaround: ensure that VRF configuration exists before opening bindings.

CSCee25439—Proxy DHCP: Active HA Reloads on Unconfig IP Address on HSRP Interface

The active HA reloads on unconfiguring the HSRP interface address, after opening a binding for a user with dhcp-proxy-client.

The following conditions exist:

a. Bring up HA1 and HA2 with Home Agent redundancy configured.

b. Configure Proxy DHCP client for a user for dynamic address allocation (with loopback configuration).

c. Bring up a flow for the user.

d. The binding comes up and both HAs are in sync.

e. Go to the interface where HSRP is configured on HA1 and configure no ip address.

f. HA1 crashes.

Workaround: unconfigure the HSRP interface IP address only if there are no active flows.

CSCee26364—MN SA Deleted on clear ip mobile binding CLI on HA

The Security-Association for the NAI is deleted when one of the flows is closed on the HA under the following conditions:

Configure the load-sa configuration on the HA and open multiple flows for the same NAI.

Close one of the flows; subsequently, the security association for the NAI is deleted, even though the other MIP flow is active.

If any other new flow is opened, a new security association is again invoked from AAA.

Workaround: none.

CSCee31554—Miscellaneous Problems with ODAP Lease Renewal

Lease time is not in sync on the active and standby HAs. This will result in the active and standby HAs being out of sync.

The following conditions exist:

Open a large number of bindings on the active and standby HA.

Reload the active MWAM.

The standby HA becomes active and tries to renew the lease, but some subnets are out of sync with the server, so the lease cannot be renewed. The server deletes the subnets after lease expiry. Because of this, both active and standby bindings are deleted.

Additional issues causing the subnet renewal problem after switchover include:

a. Bulk sync is started before the system clock is synchronized. Because of this, after the system clock is synchronized, there will be DHCP server bindings with inaccurate expiration timestamps.

b. When the DHCP proxy client syncs the subnet leases, the client-ids may be different for subnet leases for the same poolname. This is because the client-id is derived from the router's hostname, and in box-to-box redundancy the hostname may differ between the two redundant units. The DHCP subnet allocation server uses the client-id to identify the binding; hence, an incorrect client-id leads to a DHCPNAK being sent from the subnet allocation server.

Workaround: avoid getting into the first condition by not switching over until the new active has a chance to renew the leases.

Once the first condition manifests itself, manually clear the affected subnet from the active and standby units.

CSCee32072—Subnets Are Not Synced on Standby ODAP Server After Reload

Subnets do not sync from the active ODAP server to the standby after the standby is reloaded.

When you open a large number of bindings, the leased subnets are available on both active and standby ODAP servers. Reload the standby server using the reload command. After the standby comes back, it does not sync subnets from the active.

Workaround: none.

CSCee32075—Active and Standby HAs Keep Reloading by RF Induced One After Other

Both active and standby HAs keep reloading with Redundancy Framework (RF) induced reload, one after the other. This behavior started after the active HA reloaded and preempted.

Workaround: none.

CSCee34368—Standby HA Crashed in this Scenario

The standby HA reloads when bindings are cleared while the standby exchanges HSRP state information with the active HA. This problem is very rare and was seen only once during testing.

The bindings on the standby HA are cleared after reloading the active HA.

Workaround: none.

CSCee35970—Spurious Memory access when aaa user-password configured

Spurious memory access is seen when the ip mobile home-agent aaa user-password command is configured, and a user with default password "cisco" tries to download a security association from AAA.

Workaround: use default password "cisco".

CSCee37245—CLI ip mobile secure aaa-download rate 100 Not Working

Security Associations are not downloaded when the ip mobile secure aaa-download rate 100 command is configured.

Workaround: do not use the ip mobile secure aaa-download rate 100 command on the HA image.

CSCee37327—HA Reloaded Upon Clearing Bindings in This Scenario

Alignment and spurious memory errors occur, and the HA may reload when bindings are cleared after a stress test as explained in the conditions below.

The errors are seen only when NAI related CLI (ip mobile host nai) is configured and unconfigured while mobiles are sending messages, traffic is flowing upstream through the sessions established by these nodes, and Change of Authorization messages are sent by the RADIUS server.

Workaround: do not change the NAI related configuration for a mobile while sessions are being brought up or down.

CSCee40397—Standby ODAP Server Reloading Without Any Preempt on Active Server

The standby ODAP server reloads without any Preempt configuration on active with RF interdev config.

The ODAP servers are configured with redundancy (HSRP and RF interdev configured). On reload of an active MWAM card, the standby processor will become active. After some time the current active server reloads without any preempt configured on original active processor.

Workaround: none.

CSCee43739—Bulk Synch Fails When One of the Redundant HAs is Upgraded to R2.0 Load

In a redundant HA setup, during an upgrade, when the standby HA is brought down with the new R2.0 load and brought back to service with the active HA still running the R1.2 load, bindings do not get synched to the HA with R2.0 load.

The active HA complains about unsupported VendorID in the BindInfo Request Bulk synch message sent by the standby HA, and sends back BindInfo Reply with unknown CVSE-Type error.

Workaround: upgrade when no active bindings are present.

CSCee48909—Hotlining is Not Enabled For a NAI with Static Address Allocation

Hot Lining is not enabled for a NAI-based MN with static IP address allocation.

If the ip mobile host command is configured with nai, instead of configuring realm and specifying static IP address allocation, as below, Hot-lining is not enabled for that host.

Workaround: none.

CSCee56692—Spurious Memory Access Observed While Opening Bindings with DHCP

On a Cisco router running Home Agent Release 2.0 Software in a redundant network, spurious memory access is observed on the standby HA while opening and closing bindings using DHCP.

The problem only occurs when IP address allocation is from DHCP.

Workaround: none.

CSCee60087—Tracebacks Observed While Opening Bindings with DHCP

On a Cisco router running Home Agent Release 2.0 Software "Null IDB" tracebacks are observed while opening bindings with DHCP.

The following sequence of actions leads to this issue:

Open a large number of MOIP bindings using DHCP.

Close all the bindings.

Reopen the bindings, with accounting configured using DHCP.

After the bindings are opened, tracebacks are observed on the active HA.

Workaround: none.

CSCee60490—Standby HA Crashed After Unconfig and Config of ip mobile host

On a Cisco router running Home Agent Release 2.0 Software in a redundant mode, the standby HA reloads intermittently when unconfiguring and configuring the ip mobile host command.

Workaround: none.

CSCee74444—Ignore-spi Option is Not Synched From Active to the Standby HA

In a redundant Home Agent network, the option to use RFC2002bis or RFC2002 style of authentication calculation (learned by the active HA on a per-PDSN basis) is not relayed to the standby HA.

Workaround: none.

CSCee79934—Cannot Remove tunnel route-map Command

When a routemap name is configured for mobile ip tunnels using the ip mobile tunnel route-map command, you cannot unconfigure the route-map using no ip mobile tunnel route-map.

Workaround: There is no workaround to unconfigure the route-map configuration. However, if the running-config with this CLI has not been saved to the memory, the router can be reloaded.

CSCin58815—HA Crashes While Processing 32 Byte Key in 3gpp2 Format

The HA reloads while processing a 32-byte key in 3gpp2 format. Currently, the HA accepts an MN-HA-SHARED-KEY or hex format key in the Cisco Av-pair attribute of length 16 bytes only.

The expected behavior for other length keys in this format is to reject the RRQ.

Workaround: use an MN-HA-SHARED-KEY of at most 16 bytes.

CSCef16369—Active HA Reloads on HA Failover Due to Interface Shutdown

In an Active-Standby configuration, where both active and standby have equal priority, after an active to standby transition, when a MIP flow is closed, the active HA reloads.

Workaround: none.

Unresolved Caveats Prior to IOS 12.3(8)XW

The following caveats were unresolved in Cisco IOS Release 12.3(7)XJ1, which was the release branch just prior to IOS 12.3(8)XW:

CSCed50425—Interface Drops on NPE-G1 Leading To Performance Hit on HA

On a 7200 VXR NPE-G1 functioning as Home Agent, significant drops are observed on Gigabit interface thereby causing a drop in performance of the product.

Workaround: none.

CSCed91609—Memory Leak While Opening And Closing IPSEC Bindings

When bindings are brought up and torn down on IPSEC tunnels for an extended period of time using multiple iterations, a memory leak is seen.

Workaround: none.

CSCed92442—New Session Hotlining Not Applied for PMIP Flows

On a Cisco router running Home Agent release R2.0, Proxy Mobile IP flow fails to come up for "New Session" Hot-lining.

Workaround: none.

CSCed94849—RF-induced Lost Peer During Opening and Closing of MIP Bindings

When flapping (opening and closing) Mobile IP bindings with ODAP, the RF lost its peer. This happens only under stressed conditions.

Workaround: configure path-retransmit, assoc-transmit timeouts to avoid this problem.

CSCed94887—Process Received Unknown Tracebacks Found During RF Lost its Peer

While MOIP bindings were flapping, the RF lost its peer. After some time, process received unknown tracebacks were observed on the console.

Workaround: none.

CSCed95076—IPSEC Tunnel Goes Down After 5 Hours Even If Bindings Exist

When Mobile IP bindings are opened over different tunnels, each over an IPSEC tunnel, and the router loaded with HA is left idle for around 5 hours, the IPSEC tunnel goes down.

Workaround: none.

CSCee01788—Clearing the VRF Routing Table Should Not Delete the MN's address

Clearing the VRF routing table using the clear ip route command also deletes the route corresponding to the Mobile Node.

Workaround: do not clear IP routes using the clear ip route command.

CSCee10809—ODAP HA Redundancy: Subnet Not Synced on Lease Expiry

When ODAP with HA redundancy is configured, the subnets on the Standby and Active may not match as observed from show ip dhcp pool.

Workaround: clear the mismatched subnets manually using the clear ip dhcp pool pool-name subnet command.

CSCee16186—Crypto Map Removed in Interface Configuration on Linkstate Changes

When the interface configured with crypto map has interface link state changes (due to administratively shutting the interface, or link connectivity issues), crypto map is removed from the interface. The problem is observed when the ip mobile tunnel crypto map map-name command is configured.

Workaround: remove the ip mobile tunnel crypto map configuration.

CSCee18252—Active and Standby HA Crashed While Flapping MOIP Bindings

While opening and closing bindings on Home Agent (HA) at a high rate, both active and standby HAs reloaded.

The following sequence of events caused both the active and standby HAs to reload:

Flap a large number of bindings at a high rate.

After some time the active HA is reloaded from SUP.

Standby HA became active. Open MIP Bindings.

Old active HA became standby.

After some time both standby and active HA reloaded.

Workaround: none.

CSCee19678—Tracebacks on MWAM HA When Interface is Shut While Running Load Test

When a Home Agent is handling calls and traffic to simulate background load conditions, and a processor acting as active is forcibly made standby by shutting down the interface, NULLIDB tracebacks appear.

Workaround: none.

CSCee22616—show ip mobile binding vrf summary Command Shows Incorrect Bind Count

The show ip mobile binding vrf summary command displays the wrong value under the following conditions:

Without VRF configuration, open a binding.

After the above step, configure VRF.

Clear the binding in HA.

Observe that the sh ip mob bin vrf sum command displays the wrong value.

Workaround: ensure that VRF configuration exists before opening bindings.

CSCee25439—Proxy DHCP: Active HA Reloads on Unconfig IP Address on HSRP Interface

The active HA reloads on unconfiguring the HSRP interface address, after opening a binding for a user with dhcp-proxy-client.

The following conditions exist:

a. Bring up HA1 and HA2 with Home Agent redundancy configured.

b. Configure Proxy DHCP client for a user for dynamic address allocation (with loopback configuration).

c. Bring up a flow for the user.

d. The binding comes up and both HAs are in sync.

e. Go to the interface where HSRP is configured on HA1 and configure no ip address.

f. HA1 crashes.

Workaround: unconfigure the HSRP interface IP address only if there are no active flows.

CSCee26364—MN SA Deleted on clear ip mobile binding CLI on HA

The Security-Association for the NAI is deleted when one of the flows is closed on the HA under the following conditions:

Configure the load-sa configuration on the HA and open multiple flows for the same NAI.

Close one of the flows; subsequently, the security association for the NAI is deleted, even though the other MIP flow is active.

If any other new flow is opened, a new security association is again invoked from AAA.

Workaround: none.

CSCee31554—Miscellaneous Problems with ODAP Lease Renewal

Lease time is not in sync on the active and standby HAs. This will result in the active and standby HAs being out of sync.

The following conditions exist:

Open a large number of bindings on the active and standby HA.

Reload the active MWAM.

The standby HA becomes active and tries to renew the lease, but some subnets are out of sync with the server, so the lease cannot be renewed. The server deletes the subnets after lease expiry. Because of this, both active and standby bindings are deleted.

Additional issues causing the subnet renewal problem after switchover include:

a. Bulk sync is started before the system clock is synchronized. Because of this, after the system clock is synchronized, there will be DHCP server bindings with inaccurate expiration timestamps.

b. When the DHCP proxy client syncs the subnet leases, the client-ids may be different for subnet leases for the same poolname. This is because the client-id is derived from the router's hostname, and in box-to-box redundancy the hostname may differ between the two redundant units. The DHCP subnet allocation server uses the client-id to identify the binding; hence, an incorrect client-id leads to a DHCPNAK being sent from the subnet allocation server.

Workaround: avoid getting into the first condition by not switching over until the new active has a chance to renew the leases.

Once the first condition manifests itself, manually clear the affected subnet from the active and standby units.

CSCee32072—Subnets Are Not Synced on Standby ODAP Server After Reload

Subnets do not sync from the active ODAP server to the standby after the standby is reloaded.

When you open a large number of bindings, the leased subnets are available on both active and standby ODAP servers. Reload the standby server using the reload command. After the standby comes back up, it does not sync subnets from the active.

Workaround: none.

CSCee32075—Active and Standby HAs Keep Reloading by RF Induced One After Other

Both active and standby HAs keep reloading with Redundancy Framework (RF) induced reload, one after the other. This behavior started after the active HA reloaded and preempted.

Workaround: none.

CSCee34368—Standby HA Crashed in this Scenario

The standby HA reloads when bindings are cleared while the standby exchanges HSRP state information with the active HA. This problem is very rare and was seen only once during testing.

The bindings on the standby HA are cleared after reloading the active HA.

Workaround: none.

CSCee35970—Spurious Memory access when aaa user-password configured

Spurious memory access is seen when the ip mobile home-agent aaa user-password command is configured, and a user with default password "cisco" tries to download a security association from AAA.

Workaround: use default password "cisco".

CSCee37245—CLI ip mobile secure aaa-download rate 100 Not Working

Security Associations are not downloaded when the ip mobile secure aaa-download rate 100 command is configured.

Workaround: do not use the ip mobile secure aaa-download rate 100 command on the HA image.

CSCee37327—HA Reloaded Upon Clearing Bindings in This Scenario

Alignment and spurious memory errors occur, and the HA may reload when bindings are cleared after a stress test as explained in the conditions below.

The errors are seen only when NAI related CLI (ip mobile host nai) is configured and unconfigured while mobiles are sending messages, traffic is flowing upstream through the sessions established by these nodes, and Change of Authorization messages are sent by the RADIUS server.

Workaround: do not change the NAI related configuration for a mobile while sessions are being brought up or down.

CSCee40397—Standby ODAP Server Reloading Without Any Preempt on Active Server

The standby ODAP server reloads without any Preempt configuration on active with RF interdev config.

The ODAP servers are configured with redundancy (HSRP and RF interdev configured). On reload of an active MWAM card, the standby processor will become active. After some time the current active server reloads without any preempt configured on original active processor.

Workaround: none.

CSCee43739—Bulk Synch Fails When One of the Redundant HAs is Upgraded to R2.0 load

In a redundant HA setup, during an upgrade, when the standby HA is brought down with the new R2.0 load and brought back to service with the active HA still running the R1.2 load, bindings do not get synched to the HA with R2.0 load.

The active HA complains about unsupported VendorID in the BindInfo Request Bulk synch message sent by the standby HA, and sends back BindInfo Reply with unknown CVSE-Type error.

Workaround: upgrade when no active bindings are present.

CSCee48909—Hotlining is Not Enabled For a NAI with Static Address Allocation

Hot Lining is not enabled for a NAI-based MN with static IP address allocation.

If the ip mobile host command is configured with nai, instead of configuring realm and specifying static IP address allocation, as below, the Hot lining is not enabled for that host.

Workaround: none.

CSCee56692—Spurious Memory Access Observed While Opening Bindings with DHCP

On a Cisco router running Home Agent R2.0 Software in a redundant network, spurious memory access is observed on standby HA while opening and closing of bindings using DHCP.

The problem only occurs when IP address allocation is from DHCP.

Workaround: none.

CSCee59345—Basic HSRP Stops Working After Interface on Active SHUT

On a Cisco router running Home Agent software R2.0 in redundant mode, HSRP operation stops working after the interface on the active HA is changed to the Shutdown state. When the HSRP interface on the active HA is shut down, the HSRP state of the standby HA does not change to Active. The original active HA also remains in the active state.

Workaround: none.

CSCee60087—Tracebacks Observed While Opening Bindings with DHCP

On a Cisco router running Home Agent R2.0 software, 'Null IDB' tracebacks are observed while opening bindings with DHCP.

The following sequence of actions leads to this issue:

Open a large number of MOIP bindings using DHCP.

Close all the bindings.

Reopen the bindings, with accounting configured using DHCP.

After the bindings are opened, tracebacks are observed on the active HA.

Workaround: none.

CSCee60490—Standby HA Crashed After Unconfig and Config of ip mobile host

On a Cisco router running Home Agent R2.0 software in redundant mode, the standby HA reloads intermittently when unconfiguring and configuring the ip mobile host command.

Workaround: none.

CSCee60979—Hotlined Packets Are Not Redirected When the Packet Size is Small

On a Cisco router running Home Agent software release R2.0, small data packets (for example, 36 or 48 bytes) do not get redirected even though the flow is actively hotlined.

This problem is observed only for small sized packets and is not seen if the packet is of size 100 or greater.

Workaround: none.

CSCee74444—ignore-spi Option is Not Synched From Active to the Standby HA

In a redundant Home Agent Network, the option to use RFC2002bis or RFC2002 style of Authentication calculation (learned by the active HA on a per-PDSN basis) is not relayed to the standby HA.

Workaround: none.

CSCin75665—Cannot Unconfigure And Re-configure mobileip route map

On a Cisco router running Home Agent software release R2.0, the Mobile IP route-map cannot be unconfigured and then re-configured using the ip mobile tunnel route-map command.

Workaround: none.

CSCin58815—HA Crashes While Processing 32 Byte Key in 3gpp2 Format

The HA reloads while processing a 32-byte key in 3gpp2 format. Currently, the HA accepts an MN-HA-SHARED-KEY or hex format key in the Cisco Av-pair attribute of length 16 bytes only.

The expected behavior for other length keys in this format is to reject the RRQ.

Workaround: use an MN-HA-SHARED-KEY of max 16 bytes.

Unresolved Caveats Prior to Cisco IOS Release 12.3(7)XJ1

The following caveats are unresolved in Cisco Release 12.3(7)XJ:

CSCec80327—With NAI-based Debug Cond, AE Debugs Not Printed While Parsing RRQ

With a NAI-based debug condition set, the debugs pertaining to parsing of the authentication extension in the MIP RRQ are not printed.

The problem is observed when a NAI-based condition is set to filter the debugs.

Workaround: either set the IP address-based condition to filter debugs, or do not set any debug conditions.

CSCed24163—Standby Not Renewing Lease Time When Proxy DHCP is Configured

Once an active HA is reloaded, the standby HA is not able to renew the DHCP lease, and eventually the Mobile IP binding gets deleted on the HA.

On reload, the active HA returns the address to the DHCP server. This happens after the standby renews the lease time, at which point the DHCP binding is deleted from the server; thus further renewals fail.

Workaround: none.

CSCed91609—Memory Leak While Opening and Closing IPSEC Bindings

When bindings are brought up and torn down on IPSEC tunnels for extended periods of time using multiple iterations, a memory leak of 0.8 MB to 1 MB is seen.

When 235k bindings are opened and closed, a memory leak of 0.8 MB is observed in each iteration. The 235k bindings are opened over 40 IPSEC tunnels (and 40 Mobile IP tunnels).

Workaround: none.

CSCed94849—RF-induced Lost Peer During Opening and Closing of MIP Bindings

When Mobile IP bindings with ODAP are flapped (opened and closed), the RF loses its peer. This happens only under stress conditions.

Workaround: to avoid this problem, configure path-retransmit and assoc-transmit timeouts.

CSCed94887—Process Received Unknown Tracebacks Found During RF Lost its Peer

While MOIP bindings are flapping, the RF loses its peer. After some time, process received unknown tracebacks are observed on the console.

Workaround: none.

CSCed95076—IPSEC Tunnel Goes Down After 5 Hours Even if Bindings Exist

When an HA that has MobileIP bindings, opened over different Mobile IP tunnels and also over different IPSEC tunnels, is left idle for 5 hours, the IPSEC tunnel goes down while Mobile IP binding and tunnel still exist.

Workaround: none.

CSCee10809—ODAP HA Redundancy: Subnet Not Synced on Lease Expiry

When ODAP with HA redundancy is configured, the subnets on the standby and active may not match as observed from show ip dhcp pool.

Workaround: clear the mismatched subnets manually using the clear ip dhcp pool pool-name subnet command.

CSCee01788—Clearing the VRF Routing Table Should Not Delete the MNs Address

Clearing the VRF routing table with the clear ip route command also deletes the route corresponding to the Mobile Node.

Workaround: Do not clear IP routes with the clear ip route command.

CSCee16186—Crypto Map Removed in Interface Configuration on Linkstate Changes

When an interface with crypto map has interface link state changes (for example, administratively shutting the interface, or link connectivity issues), crypto map is removed from the interface and the crypto map CLI is deleted from the interface. The crypto map command should not be removed from the interface.

Workaround: none.

CSCee18252—Active and Standby HA Reloads While Flapping MOIP Bindings

While opening and closing bindings on Home Agent (HA) at a high rate, both active and standby HAs reloaded.

The following sequence of events results in a reload of both the active and standby HA:

a. Flap bindings at a high rate.

b. After some time Active HA is reloaded from SUP.

c. Standby HA became active. Opening MIP Bindings.

d. Old active HA became standby.

e. After some time, both the standby and active HA reloaded.

Workaround: none.

CSCee19678—Tracebacks on MWAM HA when interface is shut while running load test

When a Home Agent is handling calls and traffic to simulate background load conditions, and a processor acting as active is forcibly made standby by shutting down the interface, NULLIDB tracebacks will appear.

Workaround: do not shut the active interfaces, such as interface between the HA-FA, and the HA-RADIUS.

CSCee25439—Proxy DHCP: Active HA Reloads on Unconfig ip address on HSRP Interface

After you open a binding for a user with dhcp-proxy-client, the active HA reloads if you unconfigure the HSRP interface address.

The following conditions exist:

a. Bring up HA1 and HA2 with Home Agent redundancy configured.

b. Configure the proxy DHCP client for a user for dynamic address allocation (with loopback configuration).

c. Bring up a flow for the user.

d. The binding comes up and both the HAs will be in sync.

e. Go to the interface where HSRP is configured on HA1 and configure no ip address.

f. HA1 crashes.

Workaround: unconfigure the HSRP interface IP address only if there are no active flows.

CSCee22616—show ip mobile binding vrf summary Command Shows Incorrect Bind Count

The show ip mobile binding vrf summary command displays the wrong value under the following conditions:

Without VRF configuration, open a binding.

Configure VRF.

Clear the binding in HA.

Observe that the show ip mob bin vrf sum command displays the wrong value.

Workaround: ensure that VRF configuration exists before opening bindings.

CSCee26076—Binding Not Deleted When MN Address is Returned to Pool Due to DHCP Lease Expiry

When dhcp-proxy-client address allocation is used, on lease expiry the address is returned to the pool but the Mobile IP binding is not deleted.

Workaround: none.

CSCee26364—MN SA Deleted on clear ip mobile binding Command on HA

The security association for the NAI is deleted when one of the flows is closed on the HA.

The following conditions exist:

Configure the load-sa command on the HA and open multiple flows for the same NAI.

Close one of the flows. The security association for the NAI is then deleted, even though the other MIP flow is active.

If any new flow is opened, a new security association is invoked from AAA.

Workaround: none.

CSCee31554—ODAP Lease Renewal Out of Sync on Active and Standby

Lease time is not in sync on the active and standby HAs. This causes the active and standby HAs to be out of sync.

The following conditions exist:

Open 25 k bindings on the active and standby HA.

Reload the active MWAM.

The standby HA becomes active, and when it tries to renew the lease, some subnets are out of sync with the server and the lease cannot be renewed. The server deletes the subnets after lease expiry, and thus both active and standby bindings are deleted.

Workaround: none.

CSCee32072—Subnets Are Not Synced on Standby ODAP Server After Reload

Subnets do not sync from active ODAP server to standby, after standby is reloaded.

This condition exists when you open 25 k bindings. Leased subnets are available on both the active and standby ODAP server. Reload the standby server using the reload command. After the standby comes back up it is not synching subnets from the active.

Workaround: none.

CSCee32075—Active and Standby HA Keep Reloading by RF-induced, One After the Other

Both active and standby HAs keep reloading with RF-induced reload, one after the other. This behavior started after the active HA reloaded and preempted.

Workaround: none.

CSCee34368—Standby HA Crashed in this Scenario

The standby HA reloads when bindings are cleared while the standby exchanges HSRP state information with the active HA. This problem is very rare and was seen only once during testing.

The bindings on standby HA are cleared after reloading the active HA.

Workaround: none.

CSCee35970—Spurious Memory Access When AAA User-password Configured

Spurious memory access is seen when the ip mobile home-agent aaa user-password command is configured, and a user with default password "cisco" tries to download a security association from AAA.

Workaround: use default password "cisco".

CSCee37236—Unable to Unconfigure Non-Nai with Virtual-network CLI

Unconfiguring the ip mobile host command fails when configured for a Non-NAI user on a virtual-network. This condition arises only when you unconfigure the command specifying the whole CLI.

Workaround: use only a partial configuration (for example, no ip mobile host x.x.x.x) to unconfigure the command.

CSCee37327—HA Reloaded Upon Clearing Bindings in This Scenario

Alignment and spurious memory errors occur and the HA may reload when bindings are cleared after a stress test.

The errors are seen only when the NAI-related ip mobile host nai command is configured and unconfigured while mobiles are sending messages, traffic is flowing upstream through the sessions established by these nodes, and Change of Authorization messages are sent by the RADIUS server.

Workaround: do not change the NAI related configuration for a mobile while sessions are being brought up or down.

CSCee37245—CLI ip mobile secure aaa-download rate 100 not working

Security Associations are not downloaded when the ip mobile secure aaa-download rate 100 command is configured.

Workaround: Do not use the ip mobile secure aaa-download rate 100 command on the HA image.

CSCee40397—Standby ODAP Server Reloading Without any Preempt on Active Server

The standby ODAP server reloads without any Preempt configuration on active with RF interdev configuration.

The ODAP Servers are configured with redundancy (HSRP and RF interdev configured). On reload of the active MWAM card, the standby processor will become active. After some time the current active server reloads without any preempt configured on original active processor.

Workaround: none.

CSCee43739—Bulk Synch Fails When One of the Redundant HA Upgraded to R2.0 Load

In a redundant HA setup during an upgrade, when the standby HA is brought down with the new R2.0 load and brought back to service with the Active HA still running R1.2 load, bindings do not get synched to the HA with R2.0 load.

The Active HA complains about unsupported VendorID in the BindInfo Request Bulk synch message sent by the Standby HA and sends back BindInfo Reply with unknown CVSE-Type error.

Workaround: upgrade when no active bindings are present.

CSCee52886—Proxy DHCP: Active HA Releases the DHCP Address on Standby Interface

The active HA releases the DHCP address for the binding when the HSRP interface of standby HA goes down (when proxy DHCP allocation is configured).

This condition is observed when the standby HA's HSRP interface is shut down while the active and standby have active Mobile IP bindings with dynamic allocation using proxy DHCP.

Workaround: none.

CSCin58815—HA Reloads While Processing 32 Byte Key in 3gpp2 Format

The HA reloads while processing a 32-byte key in 3gpp2 format. Currently, the HA accepts an MN-HA-SHARED-KEY or hex format key in the "Cisco Av-pair" attribute of length 16 bytes only.

The expected behavior for other length keys in this format is to reject the RRQ.

Workaround: use an MN-HA-SHARED-KEY of max 16 bytes.

CSCin72654—RRQs With Non-zero HA Addr Not Supported With SLB in Dispatched Mode

When HA-SLB operates in dispatched mode, it forwards MIP RRQs to the real HAs without changing the destination IP address. So when HAs receive RRQs with a non-zero home-agent address, the destination IP address will be that of the SLB virtual server. The binding is established, but the HA sends back an RRP with the destination IP address of the received packet as the home-agent address, regardless of the home-agent address in the RRQ. So the tunnel is established between the FA and the vserver address.

Subsequent re/de-registrations are sent to HA-SLB instead of the HA. The SLB drops the de-registrations as the lifetime is zero and can forward the re-registrations to some other HA. So the concerned HA may/will not get the re/de-registrations.

Workaround: Do not use HA-SLB in dispatched mode when the incoming RRQs have a non-zero home-agent address.

Resolved Caveats

The following caveats are resolved in Cisco Home Agent Release 12.3(14)YX14:

CSCsg00102

Symptoms: SSLVPN service stops accepting any new SSLVPN connections.

Conditions: A device configured for SSLVPN may stop accepting any new SSLVPN connections, due to a vulnerability in the processing of new TCP connections for SSLVPN services. If "debug ip tcp transactions" is enabled and this vulnerability is triggered, debug messages with connection queue limit reached will be observed. This vulnerability is documented in two separate Cisco bug IDs, both of which are required for a full fix: CSCso04657 and CSCsg00102.

CSCsg40585—Memleak for Syncing Static Pool

On an MWAM running the Cisco Home Agent YX4 image (svcmwam-h1is-mz.20061013), a memory leak occurred on the standby Home Agent while syncing the static pool.

This behavior occurs for a NAI-based MN with a static IP address configuration, when a static pool is downloaded from the AAA server.

Workaround: none.

CSCsk64158

Symptoms: Several features within Cisco IOS software are affected by a crafted UDP packet vulnerability. If any of the affected features are enabled, a successful attack will result in a blocked input queue on the inbound interface. Only crafted UDP packets destined for the device could result in the interface being blocked; transit traffic will not block the interface.

Cisco has released free software updates that address this vulnerability.

Workarounds that mitigate this vulnerability are available in the workarounds section of the advisory. This advisory is posted at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20090325-udp.shtml.

CSCsk62253

Cisco IOS software contains two vulnerabilities within the Cisco IOS WebVPN or Cisco IOS SSLVPN feature (SSLVPN) that can be remotely exploited without authentication to cause a denial of service condition. Both vulnerabilities affect both Cisco IOS WebVPN and Cisco IOS SSLVPN features:

1. Crafted HTTPS packet will crash device - Cisco Bug ID CSCsk62253.

2. SSLVPN sessions cause a memory leak in the device - Cisco Bug ID CSCsw24700.

Cisco has released free software updates that address these vulnerabilities. There are no workarounds that mitigate these vulnerabilities. This advisory is posted at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20090325-webvpn.shtml

CSCsl62913—Accounting fails with MIPLAC+Wimax AAA

On an active HomeAgent device running the Cisco 12.3(14) YX9 image, a memory leak occurs after a sequence of opening and closing of bindings when an accounting failure happens for MIP sessions.

Workaround: none.

CSCsl72425—Re-registration Failures After Switchover. Memory Chunk Leaks are Seen

Open 140k bindings on an active HA and make sure that the bindings are created on the standby-HA as well.

The active-HA entertains downlink traffic of 100 packets per sec.

Perform a switchover (reload of active HA), so the standby-HA takes over and becomes the active-HA.

After some time the bindings were dropped slowly because of registration failures.

This is seen whenever the switchover is triggered; leaks can be observed in the show memory debug leak chunks command output. Re-registration failures might be related to the memory leak.

The leak is observed on current active-HA after switchover with 140k bindings during re-registration failure.

Workaround: none.

CSCsm00869—Memory Chunk Leaks Identified During QoS Stress Testing

Mobile SPI key is leaked after a long stress test.

Workaround: none.

CSCsm27071

A vulnerability in the handling of IP sockets can cause devices to be vulnerable to a denial of service attack when any of several features of Cisco IOS software are enabled. A sequence of specially crafted TCP/IP packets could cause any of the following results:

The configured feature may stop accepting new connections or sessions.

The memory of the device may be consumed.

The device may experience prolonged high CPU utilization.

The device may reload.

Cisco has released free software updates that address this vulnerability.

Workarounds that mitigate this vulnerability are available in the "workarounds" section of the advisory. The advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090325-ip.shtml

CSCso04657

Symptoms: SSLVPN service stops accepting any new SSLVPN connections.

Conditions: A device configured for SSLVPN may stop accepting any new SSLVPN connections, due to a vulnerability in the processing of new TCP connections for SSLVPN services. If "debug ip tcp transactions" is enabled and this vulnerability is triggered, debug messages with connection queue limit reached will be observed. This vulnerability is documented in two separate Cisco bug IDs, both of which are required for a full fix: CSCso04657 and CSCsg00102.

CSCso38456—Standby Home Agent on Single MWAM Complex Crashes During Bind Update

During redundancy sync operation between the active and standby Home Agent, when a bind update operation is performed, the standby HA running on one of the processor complexes crashes.

This occurs on a Cisco IOS 12.3(14)YX7 Home Agent -h1is- image where the HA is standby.

Workaround: none.

CSCso89363—Mobile CDMA VSE List Memory Leak Seen in HA

A memory leak of MobileIP AAA Re IP Mobile CDMA VSE List

A memory leak is seen after 10 hours when 60K QoS and 8k MIP-LAC bindings that are new-session hotlined are opened, traffic of 40 Mbps in the uplink and 120 Mbps in the downlink is present, and COA messages from AAA are received to change the bindings from hotlined to normal and from normal to hotlined.

Workaround: none.

CSCsu41324—Insufficient I/O Memory Issue on 300k with Tunnel Template

When the HA entertains more than 10k sessions with 1000 FA-HA tunnels, a memory leak is observed.

Workaround: none.

CSCsv04836

Multiple Cisco products are affected by denial of service (DoS) vulnerabilities that manipulate the state of Transmission Control Protocol (TCP) connections. By manipulating the state of a TCP connection, an attacker could force the TCP connection to remain in a long-lived state, possibly indefinitely. If enough TCP connections are forced into a long-lived or indefinite state, resources on a system under attack may be consumed, preventing new TCP connections from being accepted. In some cases, a system reboot may be necessary to recover normal system operation. To exploit these vulnerabilities, an attacker must be able to complete a TCP three-way handshake with a vulnerable system.

In addition to these vulnerabilities, Cisco Nexus 5000 devices contain a TCP DoS vulnerability that may result in a system crash. This additional vulnerability was found as a result of testing the TCP state manipulation vulnerabilities.

Cisco has released free software updates for download from the Cisco website that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090908-tcp24.shtml.

CSCsv36572—Memory Leak on the Standby Home Agent

On a standby Home Agent loaded with the Cisco IOS 12.3(14) YX9 image, a memory leak is observed after a sequence of opening and closing of bindings.

Workaround: none.

CSCsv38166

The server side of the Secure Copy (SCP) implementation in Cisco IOS software contains a vulnerability that could allow authenticated users with an attached command-line interface (CLI) view to transfer files to and from a Cisco IOS device that is configured to be an SCP server, regardless of what users are authorized to do, per the CLI view configuration. This vulnerability could allow valid users to retrieve or write to any file on the device's file system, including the device's saved configuration and Cisco IOS image files, even if the CLI view attached to the user does not allow it. This configuration file may include passwords or other sensitive information.

The Cisco IOS SCP server is an optional service that is disabled by default. CLI views are a fundamental component of the Cisco IOS Role-Based CLI Access feature, which is also disabled by default. Devices that are not specifically configured to enable the Cisco IOS SCP server, or that are configured to use it but do not use role-based CLI access, are not affected by this vulnerability.

This vulnerability does not apply to the Cisco IOS SCP client feature.

Cisco has released free software updates that address this vulnerability.

There are no workarounds available for this vulnerability apart from disabling either the SCP server or the CLI view feature if these services are not required by administrators.

This advisory is posted at the following link:

http://www.cisco.com/warp/public/707/cisco-sa-20090325-scp.shtml.

CSCsv54728—Memory leak in MobileIP Standby

A memory leak is observed on the standby-HA during bind updates received with per-user in/out ACLs when the active-HA receives an RRQ for re-registration. The leak is observed on the standby HA when the active HA downloads the RADIUS filter-id [11] attribute for locally configured in/out ACLs.

The leak is observed on the standby HA when the active HA downloads filter-id[11] attribute or cisco-av-pair mobileip in/out acl attributes during authentication with AAA server.

Workaround: do not download either the filter-id or cisco-av-pair in/out acl attributes, if those values are not configured locally on the HA.

CSCsw21999—Memleak on Standby HA with Per User IN/OUT ACLs

A memory leak is observed on the standby-HA during bind updates received with per-user in/out ACLs when the active-HA receives an RRQ for re-registration. The leak is observed on the standby HA when the active HA downloads the RADIUS filter-id [11] attribute for locally configured in/out ACLs.

The leak is observed on the standby HA when the active HA downloads filter-id[11] attribute or "cisco-av-pair mobileip" in/out acl attributes during authentication with AAA server.

Workaround: do not download either the filter-id, or cisco-av-pair in/out acl attributes, if those values are not configured locally on HA.

CSCsw24700

Cisco IOS software contains two vulnerabilities within the Cisco IOS WebVPN or Cisco IOS SSLVPN feature (SSLVPN) that can be remotely exploited without authentication to cause a denial of service condition. Both vulnerabilities affect both Cisco IOS WebVPN and Cisco IOS SSLVPN features:

1. Crafted HTTPS packet will crash device - Cisco Bug ID CSCsk62253.

2. SSLVPN sessions cause a memory leak in the device - Cisco Bug ID CSCsw24700.

Cisco has released free software updates that address these vulnerabilities. There are no workarounds that mitigate these vulnerabilities. This advisory is posted at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20090325-webvpn.shtml

The following PSIRT caveats are resolved and documented for Cisco IOS Release 12.3(14)YX14:

CSCse85652—HTTP Should Deny Access if No Enable Password Is Configured

The Cisco IOS HTTP server and the Cisco IOS HTTPS server provide web server functionality to be used by other Cisco IOS features that require it to function. For example, embedded device managers available for some Cisco IOS devices need the Cisco IOS HTTP server or the Cisco IOS HTTPS server to be enabled as a prerequisite.

One of the functionalities provided by the Cisco IOS HTTP server and the Cisco IOS HTTPS server is the WEB_EXEC module, which is the HTTP-based IOS EXEC Server. The WEB_EXEC module allows for both show and configure commands to be executed on the device through requests sent over the HTTP protocol.

Both the Cisco IOS HTTP server and the Cisco IOS HTTPS server use the locally configured enable password (configured by using the enable password or enable secret commands) as the default authentication mechanism for any request received. Other mechanisms can also be configured to authenticate requests to the HTTP or HTTPS interface. Some of those mechanisms are the local user database, an external RADIUS server or an external TACACS+ server.

If an enable password is not present in the device configuration, and no other mechanism has been configured to authenticate requests to the HTTP interface, the Cisco IOS HTTP server and the Cisco IOS HTTPS server may execute any command received without requiring authentication. Any commands up to and including commands that require privilege level 15 might then be executed on the device. Privilege level 15 is the highest privilege level on Cisco IOS devices.

For a Cisco IOS device to be affected by this issue all of the following conditions must be met:

An enable password is not present in the device configuration

Either the Cisco IOS HTTP server or the Cisco IOS HTTPS server is enabled

No other authentication mechanism has been configured for access to the Cisco IOS HTTP server or Cisco IOS HTTPS server. Such mechanisms might include the local user database, RADIUS (Remote Authentication Dial In User Service), or TACACS+ (Terminal Access Controller Access-Control System).

The Cisco IOS HTTP server is enabled by default on some Cisco IOS releases.
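
The three conditions above can be checked against a saved configuration before a device is exposed. The Python below is an added example, not Cisco code: the sample configurations are constructed, audit_http_exec and its helpers are hypothetical names, and a configuration that does not mention ip http secure-server is assumed to leave the HTTPS server disabled.

```python
import re

# Constructed sample configurations (not taken from any real device).
EXPOSED = """\
hostname ha1
!
ip http server
no ip http secure-server
!
line vty 0 4
 login
"""
WITH_ENABLE_SECRET = "enable secret 5 $1$cons$tructedHashValue\n" + EXPOSED
WITH_LOCAL_AUTH = EXPOSED + "ip http authentication local\n"
SERVERS_OFF = "hostname ha1\nno ip http server\nno ip http secure-server\n"
SILENT = "hostname ha1\n"  # says nothing about the HTTP server at all


def global_commands(config):
    """Return global-mode commands: non-indented lines that are not '!' separators."""
    return [ln.rstrip() for ln in config.splitlines()
            if ln.strip() and not ln[0].isspace() and not ln.startswith("!")]


def server_state(commands, keyword):
    """True or False when the config states it explicitly, None when it is silent."""
    state = None
    for cmd in commands:
        if cmd == "ip http " + keyword:
            state = True
        elif cmd == "no ip http " + keyword:
            state = False
    return state


def audit_http_exec(config, default_http_enabled=None):
    """Evaluate the three CSCse85652 conditions for one configuration.

    default_http_enabled: what this IOS release does when the configuration
    is silent about 'ip http server' (None = not known to the auditor).
    """
    cmds = global_commands(config)

    # Condition 1: an enable password is not present.
    has_enable = any(re.match(r"enable (secret|password)\s+\S", c) for c in cmds)

    # Condition 3: no mechanism other than the default is configured.
    # 'enable' is the default method, so it does not count as another one.
    methods = re.findall(r"^ip http authentication\s+(\S+)", "\n".join(cmds), re.M)
    other_auth = bool(methods) and methods[-1] != "enable"

    # Condition 2: the HTTP or the HTTPS server is enabled.
    http = server_state(cmds, "server")
    if http is None:
        http = default_http_enabled          # depends on the release
    https = server_state(cmds, "secure-server") is True  # assumption: silent = off
    if http or https:
        server = True
    elif http is None:
        server = None                        # cannot tell from the config alone
    else:
        server = False

    if has_enable or other_auth or server is False:
        verdict = "not affected"
    elif server is None:
        verdict = "check release default"
    else:
        verdict = "affected"
    return {"enable_password": has_enable, "other_auth": other_auth,
            "server_enabled": server, "verdict": verdict}


if __name__ == "__main__":
    samples = {"EXPOSED": EXPOSED, "WITH_ENABLE_SECRET": WITH_ENABLE_SECRET,
               "WITH_LOCAL_AUTH": WITH_LOCAL_AUTH, "SERVERS_OFF": SERVERS_OFF,
               "SILENT": SILENT}
    for name, cfg in samples.items():
        print(f"{name:20s} {audit_http_exec(cfg)['verdict']}")
```

A "check release default" verdict means the configuration alone cannot settle condition 2; confirm the server state on the device or pass default_http_enabled for that release.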

Workaround: Any of the following workarounds can be implemented:

Enabling authentication of requests to the Cisco IOS HTTP Server or the Cisco IOS HTTPS server by configuring an enable password.

Customers requiring the functionality provided by the Cisco IOS HTTP server or the Cisco IOS HTTPS server must configure an authentication mechanism for any requests received. One option is to use the enable password or enable secret commands to configure an enable password. The enable password is the default authentication mechanism used by both the Cisco IOS HTTP server and the Cisco IOS HTTPS server if no other method has been configured.

In order to configure an enable password by using the enable secret command, add the following line to the device configuration:

enable secret mypassword

Replace mypassword with a strong password of your choosing. For guidance on selecting strong passwords, please refer to your site security policy. The document entitled Cisco IOS Password Encryption Facts explains the differences between using the enable secret and the enable password commands to configure an enable password.

This document is available at the following link:

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00809d38a7.shtml

Enabling authentication of requests to the Cisco IOS HTTP Server or the Cisco IOS HTTPS server by configuring an authentication mechanism other than the default

Configure an authentication mechanism for access to the Cisco IOS HTTP server or the Cisco IOS HTTPS server other than the default. Such an authentication mechanism can be the local user database, an external RADIUS server, an external TACACS+ server or a previously defined AAA (Authentication, Authorization and Accounting) method. Because the procedure to enable an authentication mechanism for the Cisco IOS HTTP server and the Cisco IOS HTTPS server varies across Cisco IOS releases and depends on other factors, no example is provided.

Customers looking for information about how to configure an authentication mechanism for the Cisco IOS HTTP server and for the Cisco IOS HTTPS server are encouraged to read the document entitled AAA Control of the IOS HTTP Server which is available at the following link:

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008069bdc5.shtml

Disabling the Cisco IOS HTTP Server and/or the Cisco IOS HTTPS server functionality

Customers who do not require the functionality provided by the Cisco IOS HTTP server or the Cisco IOS HTTPS server can disable it by adding the following commands to the device configuration:

no ip http server

no ip http secure-server

The second command might return an error message if the Cisco IOS version installed and running on the device does not support the HTTPS server feature. This error message is harmless and can safely be ignored.

Please be aware that disabling the Cisco IOS HTTP server or the Cisco IOS HTTPS server may impact other features that rely on it. As an example, disabling the Cisco IOS HTTP server or the Cisco IOS HTTPS server will disable access to any embedded device manager installed on the device.

In addition to the explicit workarounds detailed above it is highly recommended that customers limit access to Cisco IOS HTTP server and the Cisco IOS HTTPS server to only trusted management hosts. Information on how to restrict access to the Cisco IOS HTTP server and the Cisco IOS HTTPS server based on IP addresses is available at the following link:

http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_http_web_ps6350_TSD_Products_Configuration_Guide_Chapter.html

Customers are also advised to review the "Management Plane" section of the document entitled Cisco Guide to Harden Cisco IOS Devices for additional recommendations to secure management connections to Cisco IOS devices. This document is available at the following link:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml
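The three conditions listed for this caveat can be checked mechanically against a saved device configuration. The following Python audit is an added example, not Cisco code; it assumes the release selects a non-default mechanism with the ip http authentication command, and every sample configuration in it is constructed.

```python
import re

ENABLE_RE = re.compile(r"^enable (secret|password) \S")
HTTP_AUTH_RE = re.compile(r"^ip http authentication (\S+)")

# Constructed sample configurations; none come from a real device.
EXPOSED = """\
hostname ha-lab-1
!
ip http server
ip http secure-server
!
line vty 0 4
 login
"""
WITH_SECRET = "enable secret 5 CONSTRUCTED-HASH-PLACEHOLDER\n" + EXPOSED
LOCAL_AUTH = EXPOSED + "ip http authentication local\n"
DISABLED = "hostname ha-lab-2\nno ip http server\nno ip http secure-server\n"
NO_HTTP_LINES = "hostname ha-lab-3\n!\nline vty 0 4\n login\n"


def audit_http_auth(config, http_on_by_default=False):
    """Evaluate the caveat's three conditions against a saved configuration.

    http_on_by_default: pass True for a release where the HTTP server runs
    without an explicit 'ip http server' line (assumption supplied by the
    caller; the configuration text alone cannot reveal a default).
    """
    enable_set = False
    http = http_on_by_default
    https = False
    method = "enable"  # default authentication for HTTP/HTTPS requests

    for raw in config.splitlines():
        # Skip blanks, '!' separators and indented sub-mode lines: the
        # commands of interest are all global configuration commands.
        if not raw or raw[0].isspace() or raw.startswith("!"):
            continue
        line = " ".join(raw.split())
        if ENABLE_RE.match(line):
            enable_set = True
        elif line == "ip http server":
            http = True
        elif line == "no ip http server":
            http = False
        elif line == "ip http secure-server":
            https = True
        elif line == "no ip http secure-server":
            https = False
        elif line.startswith("no ip http authentication"):
            method = "enable"
        else:
            match = HTTP_AUTH_RE.match(line)
            if match:
                method = match.group(1)

    conditions = {
        "no_enable_password": not enable_set,
        "http_or_https_enabled": http or https,
        "no_other_auth_mechanism": method == "enable",
    }
    return {
        "conditions": conditions,
        "auth_method": method,
        # The device is affected only when all three conditions hold.
        "affected": all(conditions.values()),
    }


def workarounds(result):
    """Map an affected result to the workarounds the caveat lists."""
    if not result["affected"]:
        return []
    return [
        "configure an enable password (enable secret)",
        "configure an authentication mechanism other than the default",
        "no ip http server / no ip http secure-server if the feature is unused",
    ]


if __name__ == "__main__":
    for name, cfg in [("EXPOSED", EXPOSED), ("WITH_SECRET", WITH_SECRET),
                      ("LOCAL_AUTH", LOCAL_AUTH), ("DISABLED", DISABLED)]:
        print(name, audit_http_auth(cfg))
```

A configuration with no HTTP lines at all is reported as affected only when http_on_by_default=True is passed, which mirrors the note that the HTTP server is enabled by default on some releases.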

CSCsi13344—XSS in IOS HTTP Server

Two separate Cisco IOS Hypertext Transfer Protocol (HTTP) cross-site scripting (XSS) vulnerabilities have been reported to Cisco by two independent researchers.

The Cisco Security Response is posted at the following link:

http://www.cisco.com/warp/public/707/cisco-sr-20090114-http.shtml

See the "Additional Information" section in the posted response for further details.

Workaround: see the "Workaround" section in the posted response for further details.

CSCsk69927—BGP Drops Routes After Invalid BGP Update Packets Received From Peer

All BGP routes are dropped when an IOS device receives a BGP update with an atomic-aggregate length of 254 (0xfe).

The topology consists of two eBGP peers with test traffic across the link.

The BGP process does not crash, and routes are not restored after the event.

Workaround: none

CSCsr74835—Incorrect Uses of sprintf() in tcp/telnet.c

There is a potential overflow of the destination buffer due to unspecified bounding length.

Workaround: none.

Resolved Caveats Prior to 12.3(14)YX14

There are no new resolved caveats in Cisco IOS Release 12.3(14)YX9.

Resolved Caveats Prior to 12.3(14)YX9

The following caveats are resolved in Cisco IOS Release 12.3(14)YX7:

CSCsd85587

A vulnerability has been discovered in a third party cryptographic library which is used by a number of Cisco products. This vulnerability may be triggered when a malformed Abstract Syntax Notation One (ASN.1) object is parsed. Due to the nature of the vulnerability it may be possible, in some cases, to trigger this vulnerability without a valid certificate or valid application-layer credentials (such as a valid username or password).

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.

The vulnerable cryptographic library is used in the following Cisco products:

Cisco IOS, documented as Cisco bug ID CSCsd85587

Cisco IOS XR, documented as Cisco bug ID CSCsg41084

Cisco PIX and ASA Security Appliances, documented as Cisco bug ID CSCse91999

Cisco Unified CallManager, documented as Cisco bug ID CSCsg44348

Cisco Firewall Service Module (FWSM)

This vulnerability is also being tracked by CERT/CC as VU#754281.

Cisco has made free software available to address this vulnerability for affected customers. There are no workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml.

Another related advisory is posted together with this Advisory. It also describes vulnerabilities related to cryptography that affect Cisco IOS. A combined software table for Cisco IOS only is available at http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml and can be used to choose a software release which fixes all security vulnerabilities published as of May 22, 2007. The related advisory is published at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml.

Resolved Caveats Prior to 12.3(14)YX7

The following caveats are resolved in Cisco IOS Release 12.3(14)YX5:

CSCsh31802—Wrong Integer Type in SNMP Trap Message

SNMP Trap varbinds are being encoded as ASN.1 generic types, and not SNMP (application specific) Gauge32.

cIpLocalPoolStatFreeAddrs <-- encoded as Integer(0x02) not Gauge32(0x41)

cIpLocalPoolStatInUseAddrs <-- encoded as Integer(0x02) not Gauge32(0x41)

This condition exists in the v123_14_yx+throttle branch.

Workaround: none.

CSCsh66053—IP Pool Name and Threshold Value in % Not Seen in Traps

The customer request is that the IP Pool Name and the High and Low threshold values, expressed as a percentage (%), appear in the High and Low threshold trap that is generated.

Two additional varbinds are seen in cilpPercentAddrUsedHiNotif notification:

cIpLocalPoolChildIndex : IP Pool Name

cIpLocalPoolPercentAddrThldHi: High IP Local Pool threshold percentage value

Two additional varbinds will be seen in cilpPercentAddrUsedLoNotif notification:

cIpLocalPoolChildIndex : IP Pool Name

cIpLocalPoolPercentAddrThldLo: Low IP Local Pool threshold percentage value

However, the CISCO-IP-LOCAL-MIB file has not been changed, as per the SNMP SMIv2 standard.

CSCsh78054—Length Field Missing in IP Local Pool Trap Message

IP Local Pool Trap messages for hi and low notification do not include the length field for the specific Pool name in each object of that trap, while SNMP Get/Walk includes the length field for the specific pool and is shown properly.

Workaround: configure the ip local pool command with high and low threshold values.

For example:

Router(conf t)#ip local pool pool-name ip-low ip-high threshold low high

Resolved Caveats Prior to 12.3(14)YX5

The following caveats are resolved in Cisco IOS Release 12.3(14)YX4:

CSCsd80725—Memory Leak with Static/Dynamic Pool Downloaded From AAA

The Cisco Mobile Wireless Home Agent has a slow memory leak when a static/dynamic pool is downloaded from AAA, or if a deregistration is received for a non-existent binding.

Workaround: reload the Home Agent IOS when memory usage is very high.

CSCse14405—MW HA: Spurious Memory Access When RRQ Received With Invalid NAI

On the Cisco Mobile Wireless HA, a spurious memory access error might be seen if RRQ is received with invalid NAI.

The RRQ will be dropped and no side effect is expected.

CSCse71962—Unnecessary Routing Entry Added to VRF Routing Table on HA

The Cisco Mobile Wireless HA adds routing entries for assigned home-agent subnet/default mask into the VRF table. This routing entry is not necessary to route MIP traffic, but causes the HA to route this whole subnet to tunnel interface.

This condition occurs when a MIP call is up.

Workaround: use static route.

CSCse97009—Class Attribute of Length 128 and Longer Cause Packet Looping

When a binding is created on a Home Agent deployed in active/standby redundant mode with accounting on, and the AAA server returns a class attribute of length 128 or more bytes during authentication/authorization, the following conditions occur:

The binding is not re-created on the standby Home Agent.

Continuous looping of packets is observed between active and standby.

This condition occurs when:

The Class attribute length is 128 or more octets

The Home Agents are deployed in active/standby redundancy mode

Workaround: limit the length of the class attribute to 127 or fewer octets.
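The workaround limit can be verified on the AAA side before a reply reaches the Home Agent. The following Python check is an added example, not Cisco code: it walks the attributes of a RADIUS Access-Accept and reports any Class attribute (type 25 in RFC 2865) whose value exceeds 127 octets. It assumes the length in this caveat refers to the attribute value rather than the whole TLV, and the packets it builds are constructed samples.

```python
import struct

ACCESS_ACCEPT = 2         # RADIUS packet code (RFC 2865)
CLASS_ATTR = 25           # RADIUS Class attribute type (RFC 2865)
MAX_SAFE_CLASS_LEN = 127  # workaround limit stated in the caveat
HEADER_LEN = 20           # code, identifier, length, 16-octet authenticator


def build_packet(code, identifier, attrs):
    """Build a constructed sample packet; the authenticator is left as zeros."""
    body = b"".join(bytes([a_type, len(value) + 2]) + value
                    for a_type, value in attrs)
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(body))
    return header + bytes(16) + body


def oversized_class_attributes(packet):
    """Return the value lengths of Class attributes above the 127-octet limit.

    Only Access-Accept packets are inspected, since that is where the AAA
    server returns the Class attribute. Malformed packets raise ValueError
    instead of being silently skipped.
    """
    if len(packet) < HEADER_LEN:
        raise ValueError("shorter than a RADIUS header")
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("length field does not fit the captured data")
    if code != ACCESS_ACCEPT:
        return []

    offending = []
    pos = HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        # The attribute length octet counts the type and length octets too.
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute length")
        value_len = a_len - 2
        if a_type == CLASS_ATTR and value_len > MAX_SAFE_CLASS_LEN:
            offending.append(value_len)
        pos += a_len
    return offending


if __name__ == "__main__":
    sample = build_packet(ACCESS_ACCEPT, 7, [(1, b"user@example.com"),
                                             (CLASS_ATTR, b"X" * 128)])
    print(oversized_class_attributes(sample))
```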

CSCsf00051—Traceback on HA with Running out of IDs with Memleak

On the Cisco Mobile Wireless HA, traceback on Out of ID is seen. There is a slow Memleak.

The Memleak occurs without HA accounting enabled, when a MIP session is opened and closed on the HA.

Workaround: with HA accounting enabled, this leak is not seen.

CSCsf11945—HA Reloads During Bulk Sync if debug ip mobile redundancy cli is Configured

On a Cisco router running Release 3.0 HA Software, the active HA reloads during a bulk sync if the debug ip mobile redundancy command is enabled.

This condition occurs only when debug ip mobile redundancy is enabled during a bulk sync.

Workaround: do not enable debug ip mobile redundancy.

Resolved Caveats Prior to 12.3(14)YX4

There were no new resolved caveats in Cisco IOS Release 12.3(14)YX3.

Resolved Caveats Prior to 12.3(14)YX3

The following caveats are resolved in Cisco IOS Release 12.3(14)YX2:

CSCsd50897—HA Redundancy Enhancement Support For Virtual Network

On a Cisco router running 12.3(14)YX1 Mobile Wireless Home Agent software, the HA binding is not able to sync to the secondary when the secondary VIP's subnet is the same as the primary's.

This condition occurs when there is a bind sync for virtual network and vrf.

Workaround: use a different subnet for the secondary.

CSCsd79563—MIP UDP Tunneling - HA is not Sending Keep Alive Messages.

On a Cisco router running 12.3(14)YX1 Mobile Wireless Home Agent software, the exchange of tunnel keep alive messages between the PDSN and HA fails after three attempts, and the tunnels between PDSN and HA are deleted.

This condition only occurs when NAT UDP is configured.

Workaround: set the keep alive to maximum.

Resolved Caveats Prior to 12.3(14)YX2

The following caveats are resolved in Cisco IOS Release 12.3(14)YX1:

CSCsc62664: Mobile-User acls May Drop Some Packets When Logging is Configured

On Cisco router running the R3.0 HA software, if the "log" or "log-input" options are configured on an access-list entry used by the per-mobile-user ACL feature, then packets to or from the mobile user may be dropped, even if those packets may otherwise have been accepted by that ACL entry. When this occurs, the packets are dropped without actually checking against the ACL entry, and no logging occurs.

This condition occurs when the "log" or "log-input" option is configured on the ACL entry that would be applied to the mobile-user's packets.

Workaround: as a partial workaround, use the ip access-list logging interval command, and configure a very large number for the logging interval. This will allow packets to be properly checked against the ACL entry, although logging will still not occur.

CSCsc61965: ip mobile realm @ VRF .... CLI vanishes After Reload

On a Cisco Home Agent running the Cisco IOS 12.3(14) YX Home Agent image, the ip mobile realm @ VRF command vanishes after reload if the ha-ip address belongs to the physical address of the interface, and not HSRP or Loopback IP.

Workaround: none.

CSCsd00096: ip mobile cdma ha-chap send attribute are not saved after reload

The following CLIs do not get saved after a reload:

ip mobile cdma ha-chap send attribute A1

ip mobile cdma ha-chap send attribute A2

ip mobile cdma ha-chap send attribute A3

Workaround: none.

CSCsb17883: debug ip mobile host Produces no Output

On a Cisco router running the Home Agent 3.0 software, relevant debugs do not appear when the debug ip mobile host command is enabled and a binding is created.

This issue occurs under all conditions.

Workaround: enable the debug ip mobile command to print debugs related to the binding.

CSCsc58847: Unable to Open 235K bindings on Home Agent

On a Cisco Home Agent running the Cisco IOS 12.3(14)YX image, as part of system test, opening of 235K bindings on Home Agent failed. Only 222K bindings came up.

Workaround: none.

CSCsb51583: show ip mobile binding output is not ok when bindings are deleted

On a Cisco router running the Cisco IOS 12.3(14)YX image, show ip mobile binding output of a large number of bindings is not clear when bindings are being deleted simultaneously.

This condition only occurs when a large number of bindings are opened and are being closed.

Workaround: use the show ip mobile binding summary or show ip mobile binding or show ip mobile binding nai commands instead.

CSCsb91776: Tunnel Counters Should be Incremented for All Keep-alive Messages

On a Cisco router running the Cisco IOS 12.3(14)YX image, when NAT-PT is configured, the tunnel counters (both input and output) in the show ip mobile tunnel command output are not incremented for every keep-alive message sent from the PDSN to the HA over the tunnel.

This condition only occurs when NAT-PT is configured on the HA.

Workaround: none.

CSCsc72885: Active HA Not Sending the Switchover VSA when Specific CLI Used

On a Cisco Home Agent running the Cisco IOS 12.3(14)YX Home Agent image, the switchover indication is not sent after switchover by the new Active HA.

This occurs when Home Agent address is configured in HA using the ip mobile home-agent address ha address command.

Workaround: remove the ip mobile home-agent address ha address command

CSCsa53304: HA Reloads When Opening 100K Bindings with DHCP Address Allocation

The HA reloads when opening bindings with DHCP address allocation.

This condition occurs when a large number of bindings are opened on the HA with IP address allocation from DHCP server.

Workaround: do not open bindings with IP address allocation from the DHCP server. Use local pools instead.

CSCsd16006: MWG-HA: Stale Routing Entries Cause Connectivity Problems

Stale routing entries are created on the HA when a mobile de-registers or hands off. This affects the routing of mobile traffic.

This condition occurs when the NAT traversal feature is enabled and applied to mobile bindings.

Workaround: none.

CSCei21207: no ip mobile tunnel path-mtu-discovery DISAPPEARS AFTER RELOAD

The no ip mobile tunnel path-mtu-discovery command disappears after reload.

Workaround: none.

CSCsd64175: Home Agent Reloads When Opening a Binding With SA Configured Locally

On a Cisco router running the 12.3(14)YX1 software image, the Home Agent using locally configured security associations reloads when opening a binding.

This condition occurs when the Security Association is configured locally on the Home Agent.

Workaround: use AAA downloaded security associations on the Home Agent.

CSCsd69591: HA bulksync Fails During Failover

If a new mobile IP registration request is received during the bulksync procedure, the bulksync procedure is terminated. As a result, all bindings will not be synched to the standby.

Workaround: none.

CSCin69926: Redistribution of Mobile Routes to OSPF Not Working

Mobile routes added for the Home Agent cannot be propagated by dynamic routing protocols (for instance, OSPF).

This condition occurs when the VRF mode of Home Agent is used, and dynamic routing is enabled on the box.

Workaround: configure static routes for IP addresses that are assigned to mobile nodes.

Resolved Caveats Prior to Cisco IOS Release 12.3(14)YX1

The following caveats are resolved in Cisco IOS Release 12.3(14)YX:

CSCsb11124

The Cisco IOS Stack Group Bidding Protocol (SGBP) feature in certain versions of Cisco IOS software is vulnerable to a remotely-exploitable denial of service condition. Devices that do not support or have not enabled the SGBP protocol are not affected by this vulnerability.

Cisco has made free software available to address this vulnerability for affected customers. There are workarounds available to mitigate the effects of the vulnerability.

Cisco has published a Security Advisory on this issue; it is available at http://www.cisco.com/warp/public/707/cisco-sa-20060118-sgbp.shtml

Resolved Caveats Prior to Cisco IOS Release 12.3(14)YX

The following caveats are resolved in Cisco IOS Release 12.3(11)YF4:

CSCei61732

Cisco IOS may permit arbitrary code execution after exploitation of a heap-based buffer overflow vulnerability. Cisco has included additional integrity checks in its software, as further described below, that are intended to reduce the likelihood of arbitrary code execution.

Cisco has made free software available that includes the additional integrity checks for affected customers.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20051102-timers.shtml.

CSCei76358—os-boot Cleanup of User Interface Data

Through normal software maintenance processes, Cisco is removing deprecated functionality from the OS boot routine. These changes have no impact on system operation or feature availability.

Resolved Caveats Prior to Cisco IOS Release 12.3(11)YF4

The following caveats are resolved in Cisco IOS Release 12.3(11)YF3, and are listed according to system component:

CSCsa57446—On HA Radius Debugs Do Not Appear When Conditional Debugging is Enabled

Radius debug prints are not getting printed for Mobile IP sessions on HA.

This condition occurs when conditional debugging rule is configured.

Workaround: none.

CSCsb00278—Mobile Hosts Are Not Deleted on Standby HA When Bindings are Closed

Mobile hosts do not get deleted on the standby HA once bindings are closed. The standby HA shows a difference between the binding count and the host count.

Workaround: none.

MWAM

CSCeh67507—MWAM Processor Hangs, SR system Unavailable When Lot of Debugs Enabled

The MWAM processor appears to be hung. However, it does send out HSRP hellos now and then, which causes its peer not to take over, or causes RF-induced reloads on the peer (based on HSRP priority). As a result, the SR system does not recover completely. Note that this affects the partner processors in the same complex as well.

This condition occurs when too many debug or error messages are printed.

Workaround: configure no logging console guaranteed to avoid lock up of the console, or the logger process hijacking the CPU.

NAT

CSCef50065—NAT Causes Spurious Memory Access Made at 0x80A3B064 Reading 0x36

Spurious memory accesses and tracebacks are generated on a Cisco 831.

This symptom is observed when NAT/PAT is configured.

Workaround: none.

CSCef97573—NAT: H225/H245 pak Cause Crash in ipnat_destroy_seqdelta

A router may reload with a bus error exception, the crashinfo file shows an address error (a load or instruction fetch), and there is a spurious access in the crashinfo file.

These symptoms are observed on a Cisco router that performs NAT on H.323 voice traffic.

Workaround: none.

CSCsb22290—NAT Overload Broken With CLI ip nat service fullrange udp port 500

When the user configures the ip nat service fullrange udp port number command, the port-allocation logic is broken. If a PAT port is taken the next-port logic fails.

The ip nat service fullrange CLI is only for specific customers, and the regular port-allocation logic is not affected. Only when this command is enabled are things broken as explained above.

Workaround: disable the ip nat service fullrange CLI if it is enabled.

Miscellaneous

CSCee45312—Radius Authentication Bypass When Configured With a None Fallback Method

Remote Authentication Dial In User Service (RADIUS) authentication on a device that is running certain versions of Cisco Internetworking Operating System (IOS) and configured with a fallback method to none can be bypassed.

Systems that are configured for other authentication methods or that are not configured with a fallback method to none are not affected.

Only the systems that are running certain versions of Cisco IOS are affected. Not all configurations using RADIUS and none are vulnerable to this issue. Some configurations using RADIUS, none and an additional method are not affected.

Cisco has made free software available to address this vulnerability. There are workarounds available to mitigate the effects of the vulnerability.

More details can be found in the security advisory, which is posted at the following URL: http://www.cisco.com/warp/public/707/cisco-sa-20050629-aaa.shtml

CSCef73460—ISA Card Not Detected in C7200 Router

An ISA encryption card is not activated when you boot the router.

This symptom is observed on a Cisco 7200 series that runs Cisco IOS Release 12.3(11)T or interim Release 12.3(11.4) and that is configured with an NPE-400. Note that the symptom does not occur when the router is configured with an NPE-G1.

Workaround: none.

Resolved Caveats Prior to Cisco IOS Release 12.3(11)YF3

The following caveats are resolved in Cisco IOS Release 12.3(11)YF2:

CSCef97018—VAM2: Authentication Error and Invalid packet Errors at High Stress

A Cisco 7200 router with VAM2 will display many output authentication errors and invalid packet errors.

This condition occurs under high stress and when QOS pre-classify is configured.

Workaround: Disable QOS or reduce the traffic rate.

CSCeg08326—MWAM: Mobile IP Tunnel Source and Destination Reported as UNKNOWN

A Cisco Home Agent router may report the tunnel source and destination, for a dynamically created Mobile IP-IP Tunnel, as "UNKNOWN" in the show interface command output.

Router# show interface t1
Tunnel1 is up, line protocol is up
  Hardware is Tunnel
  Interface is unnumbered. Using address of Ethernet0/0 (10.1.1.1)
  MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source UNKNOWN, destination UNKNOWN

Workaround: none.

CSCsb11124—SGBP Crafted Packet Denial of Service

The Cisco IOS Stack Group Bidding Protocol (SGBP) feature in certain versions of Cisco IOS software is vulnerable to a remotely-exploitable denial of service condition. Devices that do not support or have not enabled the SGBP protocol are not affected by this vulnerability.

Cisco has made free software available to address this vulnerability for affected customers. There are workarounds available to mitigate the effects of the vulnerability.

Cisco has published a Security Advisory on this issue; it is available at http://www.cisco.com/warp/public/707/cisco-sa-20060118-sgbp.shtml

CSCeg17877—Common Crypto Engine Pak Cleanup

This DDTS is not a bug. The diffs for this DDTS provide functionality that is utilized by the fix for bug CSCeh14272.

Since CSCeh14272 needs to go into a throttle, CSCeg17877 will also need to go into a throttle.

(The commit moves duplicate functionality out of a pair of drivers into the common code for help with maintainability.)

CSCin86439—RR Sent When Bindings Are Cleared at Active HA Due to Interface Shut

Session gets cleared at PDSN due to revocation message from Cisco Home Agent. This can happen if the interface on active HA is shutdown.

This condition occurs when the HSRP interface on active HA is shutdown.

Workaround: none.

CSCin88514—Conditional Debugging Does Not Filter Certain Revocation Debugs

Conditional debugging does not filter revocation related debugs, when a revocation message is received on HA and the corresponding binding does not exist, or when a revocation message is received on PDSN/FA and the corresponding visitor table entry does not exist.

Workaround: none.

CSCsa46707—VAM2 Encryption Card Stops Encrypt/Decrypt Traffic After a Few Hours

An SA-VAM2 stops processing all packets.

This condition is observed sporadically on a Cisco 7200 series that is configured with an NPE-G1 when the SA-VAM2 is configured for AES 192 or AES 256.

Workaround: Reset the SA-VAM2 by entering the no crypto engine accelerator command followed by crypto engine accelerator command. If the symptom persists, disable the SA-VAM2 by entering the no crypto engine accelerator command. Doing so causes the router to switch to software encryption.

CSCsa54924—HA Does Not Clear Bindings on I/F Shut for Non-HSRP HA addr

The Home Agent (HA) does not clear bindings on standby HA when HSRP interface is shut.

This issue occurs under the following conditions:

a. HSRP interface is shut on standby HA

b. The HA address is not the hsrp address of the active-standby pair.

Workaround: clear the bindings manually when interface is shutdown.

Resolved Caveats Prior to Cisco IOS Release 12.3(11)YF2

The following caveats are resolved in Cisco IOS Release 12.3(11)YF1:

CSCin71283—Need Conditional Debugging Support for Resource Revocation

On a Cisco Home agent running the R2.0 image, conditional debugging support is not available for Registration Revocation feature.

Workaround: none.

CSCin85586—Protect ICMP Unreachable IP Mobile Debugs for Conditional Debugging

ICMP unreachable debug messages are seen on the Home Agent on mobile nodes for which conditional debugging is not enabled.

Workaround: none.

CSCsa44954—MWAM Reloaded After Configuring DHCP Pool in ODAP Client

On a Cisco router running release 2.1 PDSN software and acting as an ODAP client, when the DHCP pool is configured and a subnet is being leased from the ODAP server, the client reloads.

This condition occurs when the DHCP pool is configured and is expecting a subnet from the ODAP server.

Workaround: none.

CSCsa48683—MWAM Should Return cevC6xxxMWAMBlade When Queried for sysObjectID

The MWAM processor returns a sysObjectId of "ciscoWsSvcMWAM1" instead of "cevC6xxxMWAMBlade". Because of this, the network management station running RME 4.0 may not be able to identify the device successfully.

This condition occurs when the MWAM processor is running a Cisco IOS image 123(11)YF, or later.

Workaround: none.

Resolved Caveats Prior to Cisco IOS Release 12.3(11)YF1

The following caveats are resolved in Cisco IOS Release 12.3(11)YF:

CSCed65017—MWAM: Config CLI That Fail Batch Mode Copy Fail config-mode sup

Some configuration commands fail, do not operate properly, or cause dead memory when using batch mode config download or config-mode supervisor.

This problem occurs when the MWAM processor is configured for "supervisor" config-mode.

Workaround: use config-mode local on MWAM.

CSCee45296—MWAM Does Not Retrieve its Configuration From the Supervisor

When using config on supervisor with the MWAM, the processors are not able to retrieve their configurations from the supervisor.

This problem was first seen when using supervisor release 122-18.2.2.SX. This defect would be present in all future supervisor releases when mated with an MWAM IOS image that did not contain this fix.

Workaround: configure an arbitrary tftp-server (for example, tftp-server nvram:startup-config) on the supervisor. It does not matter what file you serve up, even one of the mwam configs. If you do serve up one of the MWAM configs, be sure to add the alias: "tftp-server bootflash:SLOTxPCy.cfg alias SLOTxPCy.cfg".

Supervisor release 122-18.2.2.SX changed the mechanism used by the MWAM processors to retrieve their configurations. This ddts changed the mechanism used by the MWAM processors to be compatible with the supervisor IOS change. This ddts is also backwards compatible with previous supervisor images.

CSCeg23873—TACACS+ Authorization Does Not Work For Mobile IP

Authorization for Mobile IP subscribers does not work using TACACS+.

Workaround: authorize using RADIUS or locally configured security associations.

CSCeg26637—Standby HA Crashed While Opening a Binding.

Removing the ip mobile host configuration command from the standby Home Agent may cause the agent to reload if registration requests are concurrently being received for those mobile hosts.

Workaround: deconfigure from the active home agent first.

CSCin84717—Standby HA Does Not Clear the Binding When Interface is Shut

The standby HA does not clear bindings when the HSRP interface on the standby is shut.

This problem occurs under the following conditions:

Open a binding.

Binding is open on both active and standby HAs

Shut the standby HSRP interface

Binding still exists on standby and is not cleared.

Workaround: Bindings on the standby HA cannot be cleared manually through CLI.

CSCin83939—All Bindings Do Not Get Synced With Reload of Active HA

If bindings are opened with finite lifetime, the active HA can not bulk sync 235k bindings to the standby HA.

Workaround: open bindings with infinite lifetime.

CSCin83952—inforeq and inforeply of IP Mobile CLI Are Not nvgened

The ip mobile redundancy command options inforeq and inforeply, when configured, are not written into NVRAM.

Workaround: re-configure the ip mobile redundancy command with the inforeq and inforeply options, on every reload of the Home Agent.

Resolved Caveats Prior to 12.3(11)YF

The following Cisco Mobile Wireless Release 2.0 caveats are resolved in Cisco Release 12.3(8)XW3:

CSCed92442—New Session Hotlining Not Applied For PMIP Flows

On the Home Agent, Packet of Disconnect is enabled even if the STC value downloaded in the Access-Accept message has the value 2 for Proxy Mobile IP flows.

On the Home Agent, the Hotlining feature is not enabled for a new session Hotlining. When Hotlining is enabled in the Access-Accept message during the authentication phase for the Proxy Mobile IP flow, it is disabled.

This condition occurs only for Proxy Mobile IP flows.

Workaround: none.

CSCee18252—Active & Standby HA crashed while flapping MOIP Bindings

On a Cisco 7200/7600 router running Home Agent R2.0 software, both the active and standby HA crash during flapping of MOIP bindings.

This condition occurs when MOIP bindings flap at 100 bindings/sec for about 4 hours.

Workaround: none.

CSCef37978—Conditional Debugging Support for UDP Tunnel Debug Messages

When conditional debugging is enabled on the HA and mobileip debugs are enabled, UDP tunneling related debugs are not filtered based on the condition.

Workaround: none.

CSCef77084—Router Reload When ODAP is Deconfigured While Subnet Expires

In some rare timing scenarios, the router may reload when the On Demand Address Pool is deconfigured while the subnet failed to be renewed.

Workaround: First, clear all subnets in the DHCP pool and ensure that all of them have been released. The ODAP may automatically request and receive another subnet after the last one has been released. At this time the DHCP pool can be deleted. The new subnet will automatically be released back to the subnet allocation server.

CSCef83013—Proxy Dhcp: Home Agent Stops DHCP-Proxy Lease After One Iteration

The Cisco Home Agent stops the dhcp-proxy lease after one iteration of active-standby switchover for a Proxy Mobile IP binding when dynamic address allocation is configured for the user.

This condition is seen after one iteration of active standby switch over.

Workaround: none.

CSCef89392—Issue With MIP Binding Sync With HA Redundancy

When the MIP flow is deleted and then the interface on HA is brought back up, the HA becomes active and updates its stale bindings to the standby HA.

This condition occurs when the interface on the active HA is shut down and the standby becomes active, and the interface is later brought up to make this HA active.

Workaround: Specify the HA IP address in the ip mobile homeagent address ha-ip-addr command. This will help clear the bindings when the interface is shut on the HA.

CSCin63246—MWAM-HA Assumes Challenge of 4-bytes From Client in CCoA Mode.

On the Cisco c6svcmwam-h1is-mz MWAM Home Agent image, when the HA receives an MFCE (Mobile Foreign Agent Challenge Extension), the HA performs authentication using the CHAP challenge in the MFCE. While sending the Access-Request to AAA, the HA truncates the challenge to a 4-byte value. This results in authentication failure.

Workaround: none.

CSCin81895—HA Does Not Change Tunnel When PATed Address and Port Changes

When NAT Traversal is enabled on the Home Agent, and the NAT device in the path deletes the previous NAT mapping and allocates a new NAT mapping with a different source address and port number for a re-registration request from the mobile node, the Home Agent continues to tunnel traffic to the old NAT mapping.

Workaround: none.

CSCin82739—Show Command to Display HHAE Info on Home Agent

The show ip mobile secure command is introduced in 12.3(8)XW3, and displays active standby home agent security associations. Here is the CLI and a sample output:

HA#show ip mobile secure ?

foreign-agent   Foreign agent security associations
home-agent      Home agent security associations
host            Mobile host security associations
summary         Summary of SAs

HA#show ip mobile secure hom
HA#show ip mobile secure home-agent
Security Associations (algorithm,mode,replay protection,key):
30.0.0.30:
   SPI 100,  MD5, Prefix-suffix, Timestamp +/- 7,
   Key 'red'
HA#
HA#
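The sample output above prints the shared key ('red') in clear text, so a captured session should be redacted before it is pasted into a ticket or change record. The following is an added example, not part of the Cisco release note and not Cisco code: it parses output in the format shown into one record per security association and masks the key. The function names and the second peer (192.0.2.40, key 'blue') are constructed for illustration.

```python
import re

# Constructed sample: the session shown in the release note, plus a second,
# made-up peer (192.0.2.40, key 'blue') so more than one entry is parsed.
SAMPLE = """\
HA#show ip mobile secure home-agent
Security Associations (algorithm,mode,replay protection,key):
30.0.0.30:
   SPI 100,  MD5, Prefix-suffix, Timestamp +/- 7,
   Key 'red'
192.0.2.40:
   SPI 200,  MD5, Prefix-suffix, Timestamp +/- 7,
   Key 'blue'
HA#
"""

# A peer entry starts with a dotted-quad address followed by a colon.
PEER_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):\s*$")
# The key line is "Key '<value>'"; group 1 keeps the indentation and label.
KEY_RE = re.compile(r"^(\s*Key\s+)'.*'\s*$")


def parse_security_associations(text):
    """Return one dict per security association found in the CLI output.

    The key value is deliberately not stored; the record only notes
    whether the output displayed one.
    """
    records = []
    peer = None
    current = None
    for line in text.splitlines():
        peer_match = PEER_RE.match(line)
        if peer_match:
            peer = peer_match.group(1)
            current = None
            continue
        stripped = line.strip()
        if peer is not None and stripped.startswith("SPI "):
            # "SPI 100,  MD5, Prefix-suffix, Timestamp +/- 7," -> 4 fields
            fields = [f.strip() for f in stripped.split(",") if f.strip()]
            fields += [None] * (4 - len(fields))
            spi_parts = fields[0].split()
            current = {
                "peer": peer,
                "spi": spi_parts[1] if len(spi_parts) > 1 else None,
                "algorithm": fields[1],
                "mode": fields[2],
                "replay_protection": fields[3],
                "key_displayed": False,
            }
            records.append(current)
            continue
        if current is not None and KEY_RE.match(line):
            current["key_displayed"] = True
    return records


def redact_keys(text):
    """Mask every key value, leaving all other lines untouched."""
    return "\n".join(
        KEY_RE.sub(r"\g<1>'<redacted>'", line) for line in text.splitlines()
    )


if __name__ == "__main__":
    for sa in parse_security_associations(SAMPLE):
        print(sa)
    print(redact_keys(SAMPLE))
```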

CSCin83266—Virtual Mobile Routes Disappear From Routing Table on i/f shut/no-sh

On a Cisco router running HA R2.0 software, the mobile virtual network routes disappear after an interface is shut and no-shut.

The condition occurs when two HSRP groups are configured on two different interfaces and the non-HA interface is shut and no-shut.

Workaround: none.

CSCin83952—Inforeq and Inforeply of Ip Mobile CLI are not Nvgened

When configured, the ip mobile redundancy command options inforeq and inforeply are not written into NVRAM.

Workaround: Re-configure the ip mobile redundancy command with the inforeq and inforeply options on every reload of the Home Agent.

CSCin83939—All Bindings Do Not Get Synced With Reload of Active HA

If bindings are opened with a finite lifetime, the active HA cannot bulk sync 235k bindings to the standby HA.

Workaround: Open bindings with infinite lifetime.

Resolved Caveats Prior to 12.3(8)XW3

The following caveats are resolved in Cisco Release 12.3(8)XW2:

CSCee25439—Proxy DHCP: Active HA Reloads On Unconfig IP Address on HSRP Interface

The active HA reloads when you unconfigure the HSRP interface address after opening a binding for a user with dhcp-proxy-client.

The following conditions exist:

a. Bring up HA1, HA2 with Home Agent redundancy configured.

b. Configure Proxy dhcp client for a user for dynamic address allocation (with loopback configuration).

c. Bring up a flow for the user.

d. The binding comes up and both HAs are in sync.

e. Now go to the interface where HSRP is configured on HA1 and configure no ip address.

f. HA1 crashes.

Workaround: unconfigure the HSRP interface IP address only if there are no active flows.

CSCee28326—HA Reloads on Executing show ip mobile host command

A Cisco 7200/7600 router running Home Agent R2.0 software may reload when the show ip mobile host command is executed.

The Home Agent may reload when the security association needs to be downloaded from the RADIUS server when the binding is created and, additionally, the node that is currently being displayed using the show ip mobile host command is being deleted.

This problem is very rare and was seen only once during testing.

Workaround: use the show ip mobile binding command to display the details of the host or binding.

CSCee31554—ODAP Lease Renewal Out of Sync on Active and Standby

On a Cisco 7600 running the HA Release 2.0 image, the lease time is not synced on the active and standby HAs. This results in the active and standby HAs being out of sync.

When 25 k bindings are opened on the active and standby HAs and the active MWAM is reloaded, the standby HA becomes active and tries to renew the lease, but some subnets are out of sync with the server and the lease cannot be renewed. The server deletes the subnets after lease expiry. As a result, both active and standby bindings are deleted.

Workaround: none.

CSCee43739—Bulk Synch Fails When One of the Redundant HAs Upgraded to R2.0 Load

In a redundant Cisco Home Agent (HA) network, when the standby HA is upgraded from an R1.2 to an R2.0 load, bindings do not get synched to the standby HA.

This problem is only seen when the redundant HA with an R2.0 load tries to synch bindings from the HA with R1.2 load.

Workaround: upgrade when no active bindings are present.

CSCee91930—Proxy DHCP: Bind Deletion Info Needs to be Updated to Standby HA

Mobile IP bind deletion information is not synced to the standby on lease expiry when the address allocation used is dhcp-proxy-client.

This problem occurs when proxy DHCP is used, and the lease renewal fails to happen.

Workaround: none.

CSCef18987—POD Debugs Display NACK Error Message For a Valid POD Request

A Cisco PDSN running R2.0 S/W incorrectly displays a NACK message being sent even though it correctly sends an ACK message to RADIUS server in response to a POD request.

This condition occurs when the POD feature is enabled, and the PDSN receives a POD request from RADIUS server with only NAI and NAS-ID and no session identification attributes in it.

Workaround: none.

CSCef19117—ip tcp adjust-mss Command Fails to Set Value For Outbound Packets

A Cisco router configured with the ip tcp adjust-mss command may fail to set the value for outbound packets.

The command works on 12.3(7)T2 code, but fails on 12.3(8)T code. This issue has currently been seen on a 3700 router.

Workaround: disable cef.


Note Disabling cef can affect router performance; however, this issue is not seen with cef disabled on the router.


CSCef29763—HA Redundancy Operation Fails For Dynamic Users With Local SA Config

A mobileip re-registration request is rejected in the following scenarios:

Bindings established on active and synched to standby

Failover happens

Re-registration request received by new active.

This condition occurs when the Home Agent is deployed in active-standby redundant mode.

Workaround: reload both active and standby at the same time.

CSCef50822—Sibyte HANG After Overnight High Rate of IPPDP Open/Close

The Sibyte processor can hang when an RF-induced reload occurs.

This condition occurs when an active and standby switchover is required and RF induces a reload.

Workaround: none. Use the reload all command from PC to bring the processor back to normal state.

CSCef57825—Home Agent Redundancy Sync Issue For AAA Load-SA User

On a standby Home Agent, the mobileip binding is not synced after reconfiguration of the ip mobile home-agent redundancy CLI.

This condition is observed for users with aaa load-sa configured.

Workaround: use local authentication on the Home Agent.

CSCef59046—Reloaded By Bus Error When Issuing IP Mobile

The router reloaded with a bus error when the customer issued the no ip mobile host nai @xxx.xxx.xxx.xxx address pool local ha-pool interface FastEthernet x/x aaa command after configuring ip mobile host nai @xxx.xxx.xxx.xxx address pool local ha-pool interface FastEthernet x/x aaa.

Workaround: none.

CSCin80289—ip mobile home-agent unknown-ha Configuration Problem

On a Cisco Home Agent router, when the ip mobile home-agent command is configured with the unknown-ha option (along with another home-agent option), the show running command does not display the complete command line.

Workaround: configure the ip mobile home-agent unknown-ha command on a separate line from the remaining commands.

CSCin81015—Access-group in ACLs Are Not Applied For UDP Tunnel

The ip access-group group in command, when configured on the tunnel template, is not applied to mobileip tunnels when UDP tunneling is used.

Workaround: use the ip access-group group out command instead.

Resolved Caveats Prior to 12.3(8)XW2

The following caveats were resolved in Cisco Release 12.3(8)XW1:

CSCin80483—Overlapping Physical Address of CPU in SiByte Causes Reload in HA

A Cisco Cat6500/7600 MWAM platform running the XW Home Agent (HA) image may reload while loading a startup configuration that contains large configurations (for example, ip localpool configurations).

Workaround: Unconfigure the local pool configuration from the startup configuration. This will help prevent the CPUs from reloading. However, with large configurations on MWAM after startup, the CPU can reload later when configured.

Resolved Caveats Prior to 12.3(8)XW1

The following caveats are resolved in Cisco Release 12.3(8)XW:

CSCee10809—ODAP HA Redundancy: Subnet Not Synced on Lease Expiry

When ODAP with HA redundancy is configured, the subnets on the standby and active may not match as observed from the show ip dhcp pool command.

Workaround: clear the mismatched subnets manually using the clear ip dhcp pool pool-name subnet command.

CSCee16186—Crypto Map Removed in Interface Configuration on Linkstate Changes

When an interface configured with a crypto map has link state changes (due to administratively shutting the interface, or link connectivity issues), the crypto map is removed from the interface. The problem is observed when the ip mobile tunnel crypto map map-name command is configured.

Workaround: remove the ip mobile tunnel crypto map configuration.

CSCee60979—Hotlined Packets Are Not Redirected When the Packet Size is Small

On a Cisco router running Home Agent software release 2.0, small data packets (for example, 36 or 48 bytes) do not get redirected even though the flow is actively hotlined.

This problem is observed only for small sized packets and is not seen if the packet size is 100 or greater.

Workaround: none.

CSCee82340—Lifetime Value of the Mobileip Binding Gets Reset on Standby HA

In a redundant HA setup, when the standby HA comes up and downloads the bind info from the active HA, the lifetime remaining on the standby HA is reset back to the initial value. This leads to discrepancies in lifetime values on the active and standby HAs. This problem is seen when a bulk sync happens between the standby and active HA.

Workaround: none.

CSCee06722—CPU Hog Observed While Mobile IP is Processing Mobile Bindings

On a Cisco 7200/7600 router running Home Agent Release 2.0 Software, a CPU hog is observed when subnets are synched from the active to the standby. The problem is observed in a redundant HA setup with a preempt configuration, and with address allocation from ODAP.

Workaround: none.

Resolved Caveats Prior to Cisco IOS 12.3(8)XW

The following caveats are resolved in Cisco Release 12.3(7)XJ1, which was the branch release just prior to the Cisco IOS 12.3(8)XW release:

CSCec80327 With NAI-Based Debug Cond, AE Debugs Not Printed While Parsing RRQ

On the Cisco HA image, with NAI based debug condition set, the debugs pertaining to parsing of authentication extension in MIP RRQ are not printed.

The above-mentioned problem is observed when a NAI-based condition is set to filter the debugs.

Workaround: do one of the following:

a. Set the IP address based condition to filter debugs, or

b. Do not set any debug condition.

CSCed24163—Standby Not Renewing Lease Time When Proxy DHCP is Configured

Once the active HA is reloaded, the Standby HA is not able to renew the DHCP lease, and eventually the Mobile IP binding gets deleted on the HA.

On reload, the active HA returns the address to the DHCP server. This happens after the standby renews the lease time, so the DHCP binding is deleted from the server and further renewals fail.

Workaround: none.

CSCee06278—Binding Not Cleared on Standby HA When Active Ha Receives POD Msg

The problem is seen on Cisco routers running Home Agent R2.0 software in a redundant network. When a binding is deleted on the active Home Agent due to receipt of Radius Disconnect message, it does not automatically delete the corresponding binding on standby Home Agent.

Workaround: none.

CSCee23500—Clearing Bindings on Active HA Do Not Get Synched to Standby HA

A Cisco router running the Home Agent in redundant mode does not synch bindings deleted by the clear command to the peer HSRP Home Agent.

Workaround: none.

CSCee26076—Proxy DHCP: MIP Binding Does Not Get Deleted on Lease Expiry and Address

On a Cisco MWG Home Agent running R2.0 image, when dhcp-proxy-client address allocation is used (on lease expiry), although the address is returned back to the pool, the Mobile IP binding is not deleted.

Workaround: none.

CSCee33437—Prefix Length NVSE Should Not be Added when ZECC Not in Use

Mobile nodes that cannot ignore NVSE may fail initial registration because of the inclusion of a Prefix length NVSE.

Workaround: none.

CSCee49350—The HA Rejects RRQ When HA Address is Specified on Loopback Interface

The Home Agent rejects a Registration Request (RRQ) from the mobile when the Home Agent address is configured on a Loopback interface and address allocation for the mobile is done from a local pool.

Workaround: do not configure the Home Agent address as a Loopback address.

The problem is seen because configuring the Home Agent address under a Loopback interface treats the redundancy setup as peer-to-peer mode. In this mode, a local pool is not allowed for redundancy.

This issue is solved by adding a new mode active-standby variable in the ip mobile home-agent redundancy command.

CSCee58458—HA Should Support RFC 3002 Authenticator Extn on Per PDSN Basis

A Cisco router running the Cisco Home Agent (HA), always sends out Registration revocation message with Authentication extension (AE) as described in RFC 3012bis. The HA should be able to append the AE in RFC 3012 or RFC 3012bis format on a per PDSN basis.

Workaround: none.

CSCee59479—Standby HA Crashes When Processing bindupdate From Active Unit

In a redundant Home Agent network, the standby HA intermittently reloads while processing the Bindupdate from the active unit during the sync process.

Workaround: none.

CSCee78149—Clock Summer-time not Synced To Processor While Clock Timezone Does

The clock summer-time configuration is not synced from the supervisor to the MWAM processor, although clock timezone is synced correctly. As a result, the timezone on the MWAM processor is wrong during daylight savings time.

This problem occurs when the clock summer-time command is configured on the supervisor.

Workaround: none.

CSCee82340—Lifetime Value of the Mobile IP Binding Gets Reset on Standby HA

In a redundant HA setup, when the standby HA comes up and downloads the bind info from the active HA, the lifetime remaining on the standby HA is reset back to the initial value. This leads to a discrepancy in lifetime values on the active and standby HAs.

This problem is seen when a bulk synch happens between the standby and active.

Workaround: none.

CSCee82344—Tracebacks seen while opening a PMIP session

Tracebacks, due to alignment error, can be seen on Home Agent while opening Proxy Mobile IP flows when ip mobile debugging is turned on.

The problem is observed only for Proxy Mobile IP flows when IP mobile debugging is turned on.

Workaround: do not enable IP mobile debugging.

CSCee82571—HomeAgent Reloads When Revocation is Triggered Without FHAE

The Cisco Home Agent reloads on receiving a Registration Revocation message when the Revocation feature is enabled, but the Foreign Home (FH) Security Association (SA) is not configured.

Workaround: configure FH SA when enabling the registration revocation feature.

CSCee84947—Active HA Reloads Due To Corrupted Program Counter

In a redundant Home Agent network, the active HA reloads when the standby downloads mobileip bindings and security associations after it goes down and comes back up. The program counter gets corrupted and causes the Home Agent to reload.

Workaround: none.

CSCin72654—RRQs With Non-zero HA Addr Not Supported With SLB in Dispatched Mode

When HA-SLB operates in dispatched mode, it forwards MIP RRQs to the real HAs without changing the destination IP address. So, when the HAs receive RRQs with non-zero Home-agent addresses, the destination IP address will be that of the SLB virtual server.

The binding is established, but the HA sends back an RRP with the destination IP address of the received packet as the home-agent address regardless of the home-agent address in the RRQ. So the tunnel is established between the FA and the vserver address.

Subsequent re/de-registrations are sent to HA-SLB instead of the HA. The SLB drops the de-registrations because the lifetime is zero, and can forward the re-registrations to some other HA. As a result, the HA concerned may not receive the re-registrations and will not receive the de-registrations.

Workaround: Do not use HA-SLB in dispatched mode when the incoming RRQs have a non-zero home-agent address.

CSCin73111—RRQ With Incorrect HA Field Requires Better Debug Msg

Requirement 1: When not using the unknown-ha CLI option, debug error message displayed for RRQ (where the Home Agent address is not right) is incorrect. Proper debug message needs to be printed under such conditions.

Requirement 2: In this case, the HA should return to the PDSN with "unknown HA" as the error code in RRP.

Workaround: none.

CSCin73113—Better Debugs for RRP and Options That Are Sent to be Printed

Better debug messages are required on the HA to display the details about the registration reply message contents and options sent back in the reply.

Workaround: none.

CSCin73831—Support for Resource Revocation with HA Redundancy

In the current implementation on R2.0 HA, Mobile IP Registration Revocation feature is not supported with HA redundancy. Support for the Resource Revocation feature with HA redundancy is required.

Workaround: none.

CSCin75173—Incorrect Value Sent for STC Attribute in Radius Access-Request

On a Cisco router running Release 2.0 Home Agent software, in rare situations, an incorrect value is sent for the STC attribute in a Radius Access-Request message, when RADIUS disconnect capability is enabled on PDSN.

Workaround: none.

CSCin74799—HA Should Support Hex Key of Length Less Than 16 Bytes

If configured in hex format, the MN-HA shared key should always be 16 bytes long. A hex key with a length of less than 16 bytes results in authentication failure.

Workaround: Use key format as string instead of hex.

CSCin75572—HA should Enable/Disable POD Per Binding and Parse STC in Access-Accept

As per IS835C, the HA should enable or disable radius disconnect capabilities for a session based on the STC attribute value authorized for the user by the AAA. In the current implementation, the STC attribute received in the Access-Accept message from AAA is not used to enable or disable the radius disconnect capability per user. Currently, the capability can be enabled or disabled at the box level.

Workaround: none.

CSCin76846—unknown-ha Option Not Working on HA

The unknown-ha accept option in the ip mobile home-agent unknown-ha accept CLI is not working as expected. The Home Agent rejects the Mobile IP registration request (RRQ) with error code "Unknown HA", instead of accepting the RRQ.

Workaround: none.

Related Documentation

Except for feature modules, documentation is available as printed manuals or electronic documents. Feature modules are available online on CCO and the Documentation CD-ROM.

Use these release notes with these documents:

Release-Specific Documents

Platform-Specific Documents

Feature Modules

Cisco IOS Software Documentation Set

Release-Specific Documents

The following documents are specific to Cisco IOS Release 12.3(8)XW:

Cisco Mobile Wireless Home Agent at the following url:

http://www.cisco.com/en/US/products/ps5940/tsd_products_support_series_home.html

The following documents are specific to Release 12.3 and are located on Cisco.com:

Cross-Platform Release Notes for Cisco IOS Release 12.3

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/prod_release_notes_list.html

Caveats for Cisco IOS Release 12.3 T

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/prod_release_note09186a00804c24a1.html


Note If you have an account with Cisco.com, you can use Bug Navigator II to find caveats of any severity for any release. You can reach Bug Navigator at http://www.cisco.com/support/bugtools.


Product bulletins, field notices, and other release-specific documents on Cisco.com at:

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/tsd_products_support_series_home.html

Platform-Specific Documents

Documentation specific to the Cisco 7206 Router is located at the following locations:

On Cisco.com at: http://www.cisco.com/en/US/products/hw/routers/ps341/tsd_products_support_series_home.html

Documentation specific to the Cisco 7600 Router is located at the following location:

On Cisco.com at: http://www.cisco.com/en/US/products/hw/routers/ps368/tsd_products_support_series_home.html

Documentation specific to the Cisco Catalyst 6500 Switch is located at the following location:

On Cisco.com at: http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html

Feature Modules

Feature modules describe new features supported by Release 12.3 and are updates to the Cisco IOS documentation set. A feature module consists of a brief overview of the feature, benefits, configuration tasks, and a command reference. As updates, the feature modules are available online only. Feature module information is incorporated in the next printing of the Cisco IOS documentation set.

On CCO at:

Technical Documentation: Cisco IOS Software Configuration: Cisco IOS Release 12.3: New Feature Documentation

Cisco IOS Software Documentation Set

The Cisco IOS software documentation set consists of the Cisco IOS configuration guides, Cisco IOS command references, and several other supporting documents that are shipped with your order in electronic form on the Documentation CD-ROM, unless you specifically ordered the printed versions.

Documentation Modules

Each module in the Cisco IOS documentation set consists of two books: a configuration guide and a corresponding command reference. Chapters in a configuration guide describe protocols, configuration tasks, Cisco IOS software functionality, and contain comprehensive configuration examples. Chapters in a command reference provide complete command syntax information. Use each configuration guide with its corresponding command reference.

On CCO, two master hot-linked documents provide information for the Cisco IOS software documentation set.

On CCO at:

Technical Documents: Cisco IOS Software Configuration: Cisco IOS Release 12.3: Configuration Guides and Command References

Release 12.3 Documentation Set


Note You can find the most current Cisco IOS documentation on Cisco.com. These electronic documents may contain updates and modifications made after the hard-copy documents were printed.


On Cisco.com at:

http://www.cisco.com/en/US/support/index.html


Note Cisco Management Information Base (MIB) User Quick Reference is no longer published. If you have an account with CCO, you can find the current list of MIBs supported by Cisco. To reach the Cisco Network Management Toolkit, go to CCO, press Login: Technical Support: Software Center: Network Mgmt Software: Cisco Network Management Toolkit: Cisco MIBs.


Obtaining Documentation

Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.

Cisco.com

You can access the most current Cisco documentation at this URL:

http://www.cisco.com/en/US/support/index.html

You can access the Cisco website at this URL:

http://www.cisco.com

You can access international Cisco websites at this URL:

http://www.cisco.com/public/countries_languages.shtml

Ordering Documentation

You can find instructions for ordering documentation at this URL:

http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm

You can order Cisco documentation in these ways:

Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Ordering tool:

http://www.cisco.com/en/US/partner/ordering/index.shtml

Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).

Documentation Feedback

You can send comments about technical documentation to bug-doc@cisco.com.

You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:

Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate your comments.

Obtaining Technical Assistance

For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, Cisco Technical Support provides 24-hour-a-day, award-winning technical assistance. The Cisco Technical Support Website on Cisco.com features extensive online support resources. In addition, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not hold a valid Cisco service contract, contact your reseller.

Cisco Technical Support Website

The Cisco Technical Support Website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, 365 days a year at this URL:

http://www.cisco.com/techsupport

Access to all tools on the Cisco Technical Support Website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL:

http://tools.cisco.com/RPF/register/register.do

Submitting a Service Request

Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool automatically provides recommended solutions. If your issue is not resolved using the recommended resources, your service request will be assigned to a Cisco TAC engineer. The TAC Service Request Tool is located at this URL:

http://www.cisco.com/techsupport/servicerequest

For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco TAC engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.

To open a service request by telephone, use one of the following numbers:

Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553 2447

For a complete list of Cisco TAC contacts, go to this URL:

http://www.cisco.com/techsupport/contacts

Definitions of Service Request Severity

To ensure that all service requests are reported in a standard format, Cisco has established severity definitions.

Severity 1 (S1)—Your network is "down," or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.

Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.

Severity 3 (S3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.

Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.
