Guest

Cisco IOS Software Releases 12.3 Special and Early Deployments

Release Notes for the Cisco 3600 Series Modular Access Routers with Cisco IOS Release 12.3(11)YZ

 Feedback

Table Of Contents

Release Notes for Cisco 3600 Series Modular Access Routers with Cisco IOS Release 12.3(11)YZ

Contents

Inheritance Information

Introduction

Early Deployment Releases

System Requirements

Memory Recommendations

Supported Hardware

Determining Your Software Release

Upgrading to a New Software Release

Feature Support

Determining Which Software Images (Feature Sets) Support a Specific Feature

Determining Which Features Are Supported in a Specific Software Image (Feature Set)

New and Changed Information

New Hardware and Software Features in Cisco IOS Release 12.3(11)YZ1

New Software Features in Release 12.3(11)T

Limitations and Restrictions

Current MIBs

Supported MIBs

Field Notices and Bulletins

Caveats

Resolved Caveats for Cisco IOS Release 12.3(11)YZ2

Resolved Caveats for Cisco IOS Release 12.3(11)YZ1

Related Documentation

Release-Specific Documents

Platform-Specific Documents

Feature Navigator

Cisco IOS Software Documentation Set

Documentation Modules

Release 12.3 Documentation Set

Service and Support

Cisco.com

Technical Assistance Center

Cisco TAC Web Site

Cisco TAC Escalation Center


Release Notes for Cisco 3600 Series Modular Access Routers with Cisco IOS Release 12.3(11)YZ


March 26, 2008
Cisco IOS Release 12.3(11)YZ2
OL-11412-02 Third Release

These release notes for the Cisco 3600 series routers describe the product-related enhancements provided in Cisco IOS Release 12.3(11)YZ. These release notes are updated as needed.

For a list of the software caveats that apply to Cisco IOS Release 12.3(11)YZ, see "Caveats" section. See also Caveats for Cisco IOS Release 12.3 T, which is updated for every maintenance release and is located on Cisco.com and the Documentation CD-ROM.

Use these release notes with Cross-Platform Release Notes for Cisco IOS Release 12.3 T located on Cisco.com.

Cisco recommends that you view the field notices for this release to see if your software or hardware platforms are affected. If you have an account on Cisco.com, you can find field notices at http://www.cisco.com/warp/public/tech_tips/index/fn.html. If you do not have a Cisco.com login account, you can find field notices at http://www.cisco.com/warp/public/tech_tips/index/fn.html.

Contents

These release notes describe the following topics:

Inheritance Information

Introduction

Early Deployment Releases

System Requirements

New and Changed Information

Limitations and Restrictions

Current MIBs

Field Notices and Bulletins

Caveats

Inheritance Information

Cisco IOS Release 12.3(11)YZ, an early deployment release, is based on Cisco IOS Release 12.3(11)T, which in turn is based on Cisco IOS Release 12.3. Cisco IOS Release 12.3(11)T is the first early deployment maintenance release of Cisco IOS Release 12.3 T and is based on the mainline Cisco IOS Release 12.3. Refer to Table 1 for more information.

All features in Cisco IOS Release 12.3(11)T are in Cisco IOS Release 12.3(11)YZ.

Table 1 References for the Cross-Platform Release Notes for Cisco IOS Release 12.3 T and Cisco IOS Release 12.3(4)T

Topic
Location

Determining the Software Version

Upgrading to a New Software Release

To view information about the topics in the left-hand column, click Cross-Platform System Requirements at: http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123relnt/xprn123/123reqs.htm

New and Changed Information (Feature Descriptions)

MIBs

Important Notes

To view information about the topics in the left-hand column for Cisco IOS Release 12.3 T, go to:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123relnt/xprn123/123newf.htm

Scroll down and click New Software Features in Cisco IOS Release 12.3(11)T, or MIBs, or Important Notes.

Related Documentation

Obtaining Documentation

Obtaining Technical Assistance

To view information about the topics in the left-hand column, go to:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123relnt/xprn123/123docs.htm


Introduction

Cisco IOS Release 12.3(11)YZ supports the Cisco 3640, Cisco 3640A, Cisco 3661, and Cisco 3662 modular access routers.

The Cisco 3600 series is a family of modular, multiservice access platforms for medium and large-sized offices and smaller Internet Service Providers. With more than 70 modular interface options, the Cisco 3600 family provides solutions for data, voice, video, hybrid dial access, virtual private networks (VPNs), and multiprotocol data routing. The high-performance, modular architecture protects customers' investment in network technology and integrates the functions of several devices into a single, manageable solution.

Cisco extended the successful Cisco 3600 series with the Cisco 3660 multiservice access platform. The Cisco 3660 provides higher densities, greater performance, and more expansion capabilities. The additional power and performance of the Cisco 3660 platform enables new applications, such as packetized voice aggregation and branch office ATM access ranging from T1/E1 IMA to OC-3. The Cisco 3660 modular access routers consist of two router models: Cisco 3661 and Cisco 3662.

For information on new features and Cisco IOS commands supported by Cisco IOS Release 12.3(11)YZ, see New and Changed Information and Inheritance Information.

Early Deployment Releases

These release notes describe Cisco IOS Release 12.3(11)YZ for the Cisco 3600 series routers. Cisco IOS Release 12.3(11)YZ is an early deployment (ED) release based on Release 12.3(11)T, which in turn is based on Cisco IOS Release 12.3. Early deployment releases contain fixes to software caveats as well as support for new Cisco hardware and software features. Feature support is cumulative from release to release, unless otherwise noted.

System Requirements

This section describes the system requirements for Cisco IOS Release 12.3(11)YZ and includes the following sections:

Memory Recommendations

Supported Hardware

Determining Your Software Release

Upgrading to a New Software Release

Feature Support

Memory Recommendations

Table 2 lists the memory recommendations of the Cisco IOS feature sets for the Cisco 3600 series routers for Cisco IOS Release 12.3(11)YZ.

Cisco 3600 series routers are available with a 32-MB Flash memory card.

Table 2 Cisco Release 12.3(11)YZ Memory Recommendations for the Cisco 3631, Cisco 3640/3640A, Cisco 3661, and Cisco 3662 Routers 

Feature Set
Software Image
Recommended
Flash
Memory
Recommended
DRAM
Memory
Runs
From

Cisco 3640/3640A

IP Plus

c3640-is-mz

32 MB

96 MB

RAM

Enterprise Plus

c3640-js-mz

32 MB

128 MB

RAM

IP/FW/IDS Plus IPSEC 3DES

c3640-ik9o3s-mz

32 MB

128 MB

RAM

Enterprise/FW/IDS Plus IPSEC 3DES

c3640-jk9o3s-mz

32 MB

128 MB

RAM

Cisco 3660

IP Plus (Standard Feature Set)

c3660-is-mz

32 MB

128 MB

RAM

Enterprise Plus (Standard Feature Set)

c3660-js-mz

64 MB

128 MB

RAM

IP/FW/IDS Plus IPSEC 3DES

c3660-ik9o3s-mz

64 MB

128 MB

RAM

Enterprise/FW/IDS Plus IPSEC 3DES

c3660-jk9o3s-mz

64 MB

128 MB

RAM


Supported Hardware

Cisco IOS Release 12.3(11)YZ supports the following platforms:

Cisco 3640, Cisco 3640A

Cisco 3661, Cisco 3662

For detailed descriptions of the new hardware features, see the "New and Changed Information" section.

For a complete list of network modules and interface cards supported on Cisco 3600 series modular access routers, refer to the Cisco 3600 Series Relevant Interfaces and Modules table on Cisco.com at the following URL:

http://www.cisco.com/en/US/products/hw/routers/ps274/products_relevant_interfaces_and_modules.html


Note The "Cisco 3600 Series Relevant Interfaces and Modules" table referenced above is being updated to include the new products described in this release note.


For information about supported hardware for this platform and release, refer to the Hardware/Software Compatibility Matrix in the Cisco Software Advisor at the following location:

http://www.cisco.com/pcgi-bin/front.x/Support/HWSWmatrix/hwswmatrix.cgi

Determining Your Software Release

To determine the version of Cisco IOS software running on the Cisco 3600 series routers, log in to the router and enter the show version EXEC command:

Router> show version
Cisco IOS Software, 3600 Software (C3640-SPSERVICESK9-MZ), Version 12.3(11)YZ1,  RELEASE 
SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2006 by Cisco Systems, Inc.

Upgrading to a New Software Release

For general information about upgrading to a new software release, see Cisco IOS Upgrade Ordering Instructions located at: http://www.cisco.com/warp/public/cc/pd/iosw/prodlit/957_pp.htm.

Feature Support

Cisco IOS software is packaged in feature sets that consist of software images that support specific platforms. The feature sets available for a specific platform depend on which Cisco IOS software images are included in a release. Each feature set contains a specific set of Cisco IOS features.

To improve the usability of the release notes documentation, Cisco IOS Release 12.3(11)YZ release notes no longer contains the feature set tables. The feature-to-image mapping that was provided by the feature set tables is available through Cisco Feature Navigator.

Cisco Feature Navigator is a web-based tool that enables you to determine which Cisco IOS software images support a specific set of features and which features are supported in a specific Cisco IOS image. You can search by feature or by feature set (software image). Under the release section, you can compare Cisco IOS software releases side by side to display both the features unique to each software release and the features that the releases have in common.

To access Cisco Feature Navigator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:

http://www.cisco.com/register

Cisco Feature Navigator is updated regularly when major Cisco IOS software releases and technology releases occur. For the most current information, go to the Cisco Feature Navigator home page at the following URL:

http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp

For frequently asked questions about Cisco Feature Navigator, see the FAQs at the following URL:

http://www.cisco.com/support/FeatureNav/FNFAQ.html


Caution Cisco IOS images with strong encryption (including, but not limited to 168-bit (3DES) data encryption feature sets) are subject to U.S. government export controls and have limited distribution. Strong encryption images to be installed outside the United States are likely to require an export license. Customer orders may be denied or subject to delay because of U.S. government regulations. When applicable, the purchaser/user must obtain local import and use authorizations for all encryption strengths. Please contact your sales representative or distributor for more information, or send an e-mail to export@cisco.com.

Determining Which Software Images (Feature Sets) Support a Specific Feature

To determine which software images (feature sets) in Cisco IOS Release 12.3(11)YZ support a specific feature, go to the Cisco Feature Navigator home page, enter your Cisco.com login, and perform the following steps:


Step 1 From the Cisco Feature Navigator home page, click Feature.

Step 2 To find a feature, choose either Search by full or partial feature name or Browse features in alphabetical order. Either a list of features that match the search criteria or a list of features that begin with the number or letter selected from the ordered list appear.

Step 3 Select a feature from the left text box and click Add.


Note To learn more about a feature in the list, click Description.


Repeat this step to add additional features. You can choose a maximum of 20 features for a single search.

Step 4 Click Continue.

Step 5 From the Major Release drop-down menu, choose 12.3T.

Step 6 From the Release drop-down menu, choose the appropriate maintenance release.

Step 7 From the Platform Family drop-down menu, choose the appropriate hardware platform. All software images (feature sets) that support the features that you selected appear.


Determining Which Features Are Supported in a Specific Software Image (Feature Set)

To determine which features are supported in a specific software image (feature set) in Cisco IOS Release 12.3(11)YZ, go to the Cisco Feature Navigator home page, enter your Cisco.com login, and perform the following steps:


Step 1 From the Cisco Feature Navigator home page, click Compare/Release.

Step 2 In the "Find the features in a specific Cisco IOS release, using one of the following methods:" box, choose 12.3 T from the Cisco IOS Major Release drop-down menu.

Step 3 Click Continue.

Step 4 From the Release drop-down menu, choose the appropriate maintenance release.

Step 5 From the Platform Family drop-down menu, choose the appropriate hardware platform.

Step 6 From the Feature Set drop-down menu, choose the appropriate feature set. All features that are supported by the feature set (software image) that you selected appear.


New and Changed Information

New Hardware and Software Features in Cisco IOS Release 12.3(11)YZ1

There are no new hardware or software features in this release.

New Software Features in Release 12.3(11)T

For information regarding the features supported in Cisco IOS Release 12.3(11)T, refer to the Cross-Platform Release Notes and New Feature Documentation links at the following location on Cisco.com:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123relnt/xprn123/index.htm 

This URL is subject to change without notice. If it changes, point your web browser to Cisco.com, and click the following path:

Service & Support: Technical Documents: Cisco IOS Software: Release 12.3: Release NotesCross-Platform Release Notes (Cisco IOS Release 12.3(11)T) 

Limitations and Restrictions

There are no known limitations or restrictions in this release.

Current MIBs

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://tools.cisco.com/ITDIT/MIBS/servlet/index

If Cisco MIB Locator does not support the MIB information that you need, you can also obtain a list of supported MIBs and download MIBs from the Cisco MIBs page at the following URL:

http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

To access Cisco MIB Locator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:

http://www.cisco.com/register

Supported MIBs

To obtain lists of supported MIBs by platform and Cisco IOS release, and to download MIB modules, go to the Cisco MIB website on Cisco.com at:

http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.

Field Notices and Bulletins

Field Notices—Cisco recommends that you view the field notices for this release to see if your software or hardware platforms are affected. If you have an account on Cisco.com, you can find field notices at http://www.cisco.com/warp/public/770/index.shtml. If you do not have a Cisco.com login account, you can find field notices at http://www.cisco.com/warp/public/770/index.shtml.

Product Bulletins—If you have an account on Cisco.com, you can find product bulletins at http://www.cisco.com/warp/public/cc/general/bulletin/index.shtml. If you do not have a Cisco.com login account, you can find product bulletins at http://www.cisco.com/warp/public/cc/general/bulletin/iosw/index.shtml.

What's New for IOS—What's New for IOS lists recently posted Cisco IOS software releases and software releases that have been removed from Cisco.com. If you have an account on Cisco.com, you can access What's New for IOS at http://www.cisco.com/public/sw-center/sw-ios.shtml or by logging in and selecting Software Center: Cisco IOS Software: What's New for IOS.

Caveats

Caveats describe unexpected behavior in Cisco IOS software releases. Severity 1 caveats are the most serious caveats; severity 2 caveats are less serious. Severity 3 caveats are moderate caveats, and only selected severity 3 caveats are included in the caveats document.

This section contains open and resolved caveats for the current Cisco IOS maintenance release.

All caveats in Cisco IOS Release 12.3 and Cisco IOS Release 12.3 T are also in Cisco IOS Release 12.3(11)YZ.

For information on caveats in Cisco IOS Release 12.3 and Cisco IOS Release 12.3 T, see Caveats for Cisco IOS Release 12.3 T. These documents lists severity 1 and severity 2 caveats and only selected severity 3 caveats, and are located on Cisco.com and the Documentation CD-ROM.

Caveat numbers and brief descriptions for Release 12.3(11)YZ are listed in this section.


Note If you have an account on Cisco.com, you can use the Bug Toolkit to find select caveats of any severity. To reach the Bug Toolkit, log in to Cisco.com by clicking the Log In button on the right side, go to the drop down menu on the top bar of the page and select Technical Support: Tools & Utilities: Software Bug Toolkit (under Troubleshooting Tools). Another option is to enter the following URL in your web browser or go to
http://www.cisco.com/pcgi-bin/Support/Bugtool/launch_bugtool.pl


Resolved Caveats for Cisco IOS Release 12.3(11)YZ2

CSCsf04754

Multiple Cisco products contain either of two authentication vulnerabilities in the Simple Network Management Protocol version 3 (SNMPv3) feature. These vulnerabilities can be exploited when processing a malformed SNMPv3 message. These vulnerabilities could allow the disclosure of network information or may enable an attacker to perform configuration changes to vulnerable devices. The SNMP server is an optional service that is disabled by default. Only SNMPv3 is impacted by these vulnerabilities. Workarounds are available for mitigating the impact of the vulnerabilities described in this document.

The United States Computer Emergency Response Team (US-CERT) has assigned Vulnerability Note VU#878044 to these vulnerabilities.

Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-0960 has been assigned to these vulnerabilities.

This advisory will be posted at http://www.cisco.com/warp/public/707/cisco-sa-20080610-snmpv3.shtml

CSCse56501

A device running Cisco IOS software that has Internet Protocol version 6 (IPv6) enabled may be subject to a denial of service (DoS) attack. For the device to be affected by this vulnerability the device also has to have certain Internet Protocol version 4 (IPv4) User Datagram Protocol (UDP) services enabled. To exploit this vulnerability an offending IPv6 packet must be targeted to the device. Packets that are routed throughout the router can not trigger this vulnerability. Successful exploitation will prevent the interface from receiving any additional traffic. The only exception is Resource Reservation Protocol (RSVP) service, which if exploited, will cause the device to crash. Only the interface on which the vulnerability was exploited will be affected.

Cisco is providing fixed software to address this issue. There are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080326-IPv4IPv6.shtml.

CSCsi01470

A vulnerability in the Cisco implementation of Multicast Virtual Private Network (MVPN) is subject to exploitation that can allow a malicious user to create extra multicast states on the core routers or receive multicast traffic from other Multiprotocol Label Switching (MPLS) based Virtual Private Networks (VPN) by sending specially crafted messages.

Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080326-mvpn.shtml.

CSCse68138  Issue in handling specific packets in VOIP RTP Lib

Multiple voice-related vulnerabilities are identified in Cisco IOS software,one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml.

CSCsi64851  %DATACORRUPTION-1-DATAINCONSISTENCY unterminated string in buffer

Symptom    Traceback is seen while configuring "incoming port" using a string [large value 238 characters] for "call filter match-list 1 voice". Trace shows unterminated string in buffer.

Conditions   Trace back is seen on executing "show log" after configuring "incoming port" using string of for "call filter match-list 1 voice".

Workaround   There is no workaround.

CSCsi74508 data inconsistency error in red_nvgen_params

Symptom    A Cisco IOS device may produce the following error when reading or writing the configuration:

%DATACORRUPTION-1-DATAINCONSISTENCY: write of 11 bytes to 10 bytes

Conditions   This symptom has been observed when reading or writing the configuration.

Workaround   There is no workaround.

CSCsi78118 Traceback seen at iphc_decompress. 

Symptom    A traceback may be generated at the "iphc_decompress" function.

Conditions   This symptom is observed on a Cisco router that runs Cisco IOS interim Release 12.4(13.13)T1 and that is configured for Internet Protocol Header Compression (IPHC). However, note that the symptom is not release-specific.

Workaround   There is no workaround.

CSCsi78162 SNASw %DATACORRUPTION-1-DATAINCONSISTENCY messages

Symptom    A router that has the SNASwitch feature enabled may generate several of the following messages along with tracebacks %DATACORRUPTION-1-DATAINCONSISTENCY: copy of xx bytes should be xx bytes

Conditions   This symptom is observed on a Cisco router that runs a Cisco IOS software image that contains the fix for caveat CSCsh87705. A list of the affected releases can be found at http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsh87705. Cisco IOS software releases that are not listed in the "First Fixe-in Version" field at this location are not affected.

Workaround: There is no workaround.

Further Problem Description: The messages do not affect the normal operation of the router in any way. The SNASwitch continues to function normally.

CSCsj06951  Traceback @ createCNF_file while configuring user-locale

Symptom    Traceback seen on terminal.

Conditions   When config user-locale and generate CNF file under telephony-service.

Workaround   There is no workaround.

CSCei52653  cipSecTunInOctets/cipSecTunOutOctets report zero

cipSecTunInOctets/cipSecTunOutOctets is report zero when using c1841-advsecurityk9-mz.123- 14.T2.bin.

CSCse05642  I/O memory corruption crash on as5850

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml.

CSCsj16292 DATACORRUPTION-1-DATAINCONSISTENCY: copy error

Symptom    Following an upgrade to Cisco IOS Release 12.2(18)SXF9, the following message may be displayed:

%DATACORRUPTION-1-DATAINCONSISTENCY: copy error

-Traceback=

Conditions   This message may appear as a result of SNMP polling of PAgP variables, but does not appear to be service impacting.

Workaround   There is no workaround.

CSCsb79076  MGCP RSVP enabled calls fails due to spurious error @ qosmodule_main 
%SYS-3-TIMERNEG errors and tracebacks are observed while making  MGCP RSVP calls 
on a analog (RGW) setups. 

Symptom    Observed in 12.4(3.9)T1 IOS version.

Workaround   There is no workaround.

CSCsj18014 Caller ID string received with extra characters CSCsf28840 dwind Crash due to configured peer type control vector

Symptom    A caller ID may be received with extra characters.

Conditions   This symptom is observed when caller ID is enabled on both routers and when the station ID and station name are configured on the FXS side.

Workaround   There is no workaround.

CSCsg16908  IOS FTP Server Deprecation

Multiple vulnerabilities exist in the Cisco IOS File Transfer Protocol (FTP) Server feature. These vulnerabilities include Denial of Service, improper verification of user credentials and the ability to read or write any file in the device's filesystem, including the device's saved configuration, which may include passwords or other sensitive information.

The IOS FTP Server is an optional service that is disabled by default. Devices that are not specifically configured to enable the IOS FTP Server service are unaffected by these vulnerabilities.

This vulnerability does not apply to the IOS FTP Client feature. This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20070509-iosftp.shtml.

CSCin95836  NHRP does not handle error conditions gracefully

The Cisco Next Hop Resolution Protocol (NHRP) feature in Cisco IOS?? contains a vulnerability that can result in a restart of the device or possible remote code execution.

NHRP is a primary component of the Dynamic Multipoint Virtual Private Network (DMVPN) feature.

NHRP can operate in three ways: at the link layer (Layer 2), over Generic Routing Encapsulation (GRE) and multipoint GRE (mGRE) tunnels and directly on IP (IP protocol number 54). This vulnerability affects all three methods of operation.

NHRP is not enabled by default for Cisco IOS.

This vulnerability is addressed by Cisco bug IDs CSCin95836 for non-12.2 mainline releases and CSCsi23231 for 12.2 mainline releases.

This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20070808-nhrp.shtml.

CSCsf08998 MGCP stop responding after receiving malformed packet

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml.

CSCsg03449 Etherswitch module VLAN Trunking Protocol Vulnerabilities

Symptom   

VTP Version field DoS

Integer Wrap in VTP revision

Buffer Overflow in VTP VLAN name

Conditions   The packets must be received on a trunk enabled port.

Further Information: On the 13th September 2006, Phenoelit Group posted an advisory containing three vulnerabilities:

VTP Version field DoS

Integer Wrap in VTP revision

Buffer Overflow in VTP VLAN name

These vulnerabilities are addressed by Cisco IDs:

CSCsd52629/CSCsd34759 -- VTP version field DoS

CSCse40078/CSCse47765 -- Integer Wrap in VTP revision

CSCsd34855/CSCei54611 -- Buffer Overflow in VTP VLAN name

CSCsg03449 -- Etherswitch module VLAN Trunking Protocol Vulnerabilities. Cisco's statement and further information are available on the Cisco public website at: http://www.cisco.com/warp/public/707/cisco-sr-20060913-vtp.shtml

CSCsh58082 SIP: A router may reload due to SIP traffic

Cisco devices running an affected version of Internetwork Operating System (IOS) which supports Session Initiation Protocol (SIP) are affected by a vulnerability that may lead to a reload of the device when receiving a specific series of packets destined to port 5060. This issue is compounded by a related bug which allows traffic to TCP 5060 and UDP port 5060 on devices not configured for SIP. There are no known instances of intentional exploitation of this issue. However, Cisco has observed data streams that appear to be unintentionally triggering the vulnerability.

Workarounds exist to mitigate the effects of this problem on devices which do not require SIP. This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20070131-sip.shtml.

CSCse68355 Router crashed by malformed SIP packet

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml.

CSCsc64976 rbisarya HTTP server should scrub embedded HTML tags from cmd output

A vulnerability exists in the IOS HTTP server in which HTML code inserted

into dynamically generated output, such as the output from a show buffers command, will be passed to the browser requesting the page. This HTML code could be interpreted by the client browser and potentially execute malicious commands against the device or other possible cross-site scripting attacks. Successful exploitation of this vulnerability requires that a user browse a page containing dynamic content in which HTML commands have been injected.

Cisco will be making free software available to address this vulnerability for affected customers. There are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20051201-http.shtml

CSCek26492 Enhancements to Packet Input Path. 

Symptom    A router may crash if it receives a packet with a specific crafted IP option as detailed in Cisco Security Advisory: Crafted IP Option Vulnerability:

http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml

Conditions   This Bug resolves a symptom of CSCec71950. Cisco IOS with this specific Bug are not at risk of crash if CSCec71950 has been resolved in the software.

Workaround   Cisco IOS versions with the fix for CSCec71950 are not at risk for this issue and no workaround is required. If CSCec71950 is not resolved, see the following Cisco Security Advisory: Crafted IP Option Vulnerability for workaround information:

http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml

CSCsg70474 IOS FW with h323 inspect crashes when malformed H.323 packets received

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself. This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml.

CSCse05736 A router running RCP can be reloaded with a specific packet

Symptom    A router that is running RCP can be reloaded by a specific packet.

Conditions   This symptom is seen under the following conditions: - The router must have RCP enabled. - The packet must come from the source address of the designated system configured to send RCP packets to the router. - The packet must have a specific data content.

Workaround   Put access lists on the edge of your network blocking RCP packets to prevent spoofed RSH packets. Use another protocol such as SCP. Use VTY ACLs.

CSCef77013 Tighter parameter checking for ipv6

Cisco IOS and Cisco IOS XR contain a vulnerability when processing specially crafted IPv6 packets with a Type 0 Routing Header present. Exploitation of this vulnerability can lead to information leakage on affected IOS and IOS XR devices, and may also result in a crash of the affected IOS device. Successful exploitation on an affected device running Cisco IOS XR will not result in a crash of the device itself, but may result in a crash of the IPv6 subsystem.

Cisco has made free software available to address this vulnerability for affected customers. There are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-IPv6-leak.shtml

CSCsd81407 Router crash on receiving abnormal MGCP messages 

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself. This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml.

CSCec12299 Corruption of ext communities when receiving over ipv4 EBGP session

Symptom    EIGRP-specific Extended Community 0x8800 is corrupted and shown as 0x0:0:0.

Conditions   This symptom is observed when EIGRP-specific Extended Community 0x8800 is received via an IPv4 EBGP session on a CE router. This occurs typically in the following inter-autonomous system scenario:

ASBR/PE-1 <----> VRF-to-VRF <----> ASBR/PE-2

Workaround   Use a configuration such as the following to remove extended communities from the CE router:

router bgp 1
 address-family ipv4 vrf one
 neighbor 1.0.0.1 remote-as 100
 neighbor 1.0.0.1 activate
 neighbor 1.0.0.1 route-map FILTER in
 exit-address-family
!
ip extcommunity-list 100 permit _RT.*_
!         
!         
route-map FILTER permit 10
 set extcomm-list 100 delete
! 
CSCsd85587 7200 Router crashes with ISAKMP Codenomicon test suite

A vulnerability has been discovered in a third party cryptographic library which is used by a number of Cisco products. This vulnerability may be triggered when a malformed Abstract Syntax Notation One (ASN.1) object is parsed. Due to the nature of the vulnerability it may be possible, in some cases, to trigger this vulnerability without a valid certificate or valid application-layer credentials (such as a valid username or password).

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker will not be able to decrypt any previously encrypted information.

The vulnerable cryptographic library is used in the following Cisco products:

Cisco IOS, documented as Cisco bug ID CSCsd85587

Cisco IOS XR, documented as Cisco bug ID CSCsg41084

Cisco PIX and ASA Security Appliances, documented as Cisco bug ID CSCse91999

Cisco Unified CallManager, documented as Cisco bug ID CSCsg44348

Cisco Firewall Service Module (FWSM) CSCsi97695

This vulnerability is also being tracked by CERT/CC as VU#754281.

Cisco has made free software available to address this vulnerability for affected customers. There are no workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml .


Note Another related advisory is posted together with this Advisory. It also describes vulnerabilities related to cryptography that affect Cisco IOS. A combined software table for Cisco IOS only is available at: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle. shtml and can be used to choose a software release which fixes all security vulnerabilities published as of May 22, 2007. The related advisory is published at: http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml


CSCsi60004 H323 Proxy Unregistration from Gatekeeper

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself. This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml.

CSCse24889 Malformed SSH version 2 packets may cause processor memory depletion

Symptom    Malformed SSH version 2 packets may cause a memory leak, causing the platform to operate under a degraded condition. Under rare circumstances, the platform may reload to recover itself.

Conditions   This symptom is observed on a Cisco platform that is configured for SSH version 2 after it has received malformed SSHv2 packets.

Workaround   As an interim solution until the affected platform can be upgraded to a Cisco IOS software image that contains the fix for caveat CSCse24889, configure SSH version 1 from the global configuration mode, as in the following example:

config t 

ip ssh version 1 end  

Alternate Workaround: Permit only known trusted hosts and/or networks to connect to the router by creating a vty access list, as in the following example:

10.1.1.0/24 is a trusted network that 
is permitted access to the router, all 
other access is denied 
 
access-list 99 permit 10.1.1.0 0.0.0.255 
access-list 99 deny any  
line vty 0 4  
access-class 99 in 
 
end  

Further Problem Description: For information about configuring vty access lists, see the Controlling Access to a Virtual Terminal Line document: http://www.cisco.com/en/US/products/ps6441/products_configuration_guide_chapter09186a0080716ec2.html

For information about SSH, see the Configuring Secure Shell on Routers and Switches Running Cisco IOS document: http://www.cisco.com/warp/public/707/ssh.shtml

CSCse85200 Inadequate validation of TLVs in cdp 

Symptom    Specifically crafted CDP packets can cause a router to allocate and keep extra memory. Exploitation of this behaviour by sending multiple specifically crafted CDP packets could cause memory allocation problems on the router.

Conditions   Since CDP is a layer-2 protocol, this issue can only be triggered by systems that are residing on the same network segment.

Workaround   Disable interfaces where CDP is not necessary.

CSCsg40567 Memory leak found with malformed tls/ssl packets in http core process

Symptom    Malformed SSL packets may cause a router to leak multiple memory blocks.

Conditions   This symptom is observed on a Cisco router that has the ip http secure server command enabled.

Workaround   Disable the ip http secure server command.

CSCsb12598 Router forced crash on receiving fragmented TLS ClientHello

Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker will not be able to decrypt any previously encrypted information.

Cisco IOS is affected by the following vulnerabilities:

Processing ClientHello messages, documented as Cisco bug ID CSCsb12598

Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304

Processing Finished messages, documented as Cisco bug ID CSCsd92405

Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.

This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml


Note Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml


A combined software table for Cisco IOS is available to aid customers in choosing a software releases that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.

CSCsb40304 Router crash on sending repetitive SSL ChangeCipherSpec

Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol

exchange with the vulnerable device.

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker will not be able to decrypt any previously encrypted information.

Cisco IOS is affected by the following vulnerabilities:

Processing ClientHello messages, documented as Cisco bug ID CSCsb12598

Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304

Processing Finished messages, documented as Cisco bug ID CSCsd92405

Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities. This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml


Note Another related advisory has been posted with this advisory.This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml


A combined software table for Cisco IOS is available to aid customers in choosing a software releases that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.

CSCsd92405 Router crashed by repeated SSL connection with malformed finished 
message

Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker will not be able to decrypt any previously encrypted information.

Cisco IOS is affected by the following vulnerabilities:

Processing ClientHello messages, documented as Cisco bug ID CSCsb12598

Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304

Processing Finished messages, documented as Cisco bug ID CSCsd92405

Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.

This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml


Note Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml


A combined software table for Cisco IOS is available to aid customers in choosing a software releases that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.

CSCsg96319 reverse ssh eliminated telnet authention on VTY

Symptom    When a reverse SSH session is established with valid authentication credentials, anyone can obtain unprivileged Telnet access to a system without being authenticated. This situation affects only reverse SSH sessions when a connection is made with the

ssh -l userid :number ip-address command.

Conditions   This symptom is observed only when the Reverse SSH Enhancement is configured. This enhancement is documented at the following URL:

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a00804831b6.html

Workaround   Configure reverse SSH by entering the ip ssh port portnum rotary group command. This configuration is explained at the following URL:

http://www.cisco.com/en/US/tech/tk583/tk617/technologies_q_and_a_item09186a0080267e0f.shtml#newq1

CSCsj66369 Traceback seen at rpmxf_dg_db_init

Symptom    Tracebacks seen while running metal_vpn_cases.itcl script

Conditions   A strcpy in the file 'rpmxf_dg_online.c' copies more bytes than the destination buffer size. Due to this we are getting data corruption tracebacks.

Workaround   There is no workaround.

CSCsj66513 Traceback detected at DNQueuePeers

Symptom    Traceback found at DNQueuePeers

Conditions   While verifying the variable digit length dialing numbers for "Type National" and "Type International" in the numbering plan to be accepted by the network-side by using functionality/isdn/isdn_dialPlan script.

Workaround   There is no workaround

CSCsj44099 Router crashes if DSPFARM profile description is 128 characters long. 

Symptom    A cisco c3800 router can experience a memory corruption resulting in a crash if the description field under the "dspfarm profile" configuration matches the maximum of 128 characters.

Conditions   During configuration of the dspfarm profile through the CLI, a description that is 128 characters will cause a memory copy problem. If the user tries to display the results of the configuration using "show dspfarm profile", the router will crash trying to display the output.

Workaround   To prevent this problem configure the dspfarm profile description with 127 characters or less.

CSCsj52927 DATACORRUPTION-1-DATAINCONSISTENCY message in show log

Symptom    DATACORRUPTION-1-DATAINCONSISTENCY messages are seen in `show log'.

Conditions   The messages are seen when when the router comes up.

Workaround   There is no workaround.

CSCdz55178 QoS profile name of more then 32 chars will crash the router 

Symptom    A router that is configured for QoS may reload unexpectedly or other serious symptoms such as memory corruption may occur.

Conditions   This symptom is observed on a Cisco router that has a cable QoS profile with a name that has a length that is greater than 32 characters as in the following example:

cable qos profile 12 name g711@10ms_for_any_softswitch_Traa^C

00000000011111111111222222222333^

12345678901234567890123456789012|

|

PROBLEM

(Variable Overflowed).

Workaround   Change the name of the cable QoS profile qos profile to a length that is less than 32 characters.

Resolved Caveats for Cisco IOS Release 12.3(11)YZ1

CSCek37177: The Cisco IOS Transmission Control Protocol (TCP) listener in certain versions of Cisco IOS software is vulnerable to a remotely-exploitable memory leak that may lead to a denial of service condition.

This vulnerability only applies to traffic destined to the Cisco IOS device. Traffic transiting the Cisco IOS device will not trigger this vulnerability.

Cisco has made free software available to address this vulnerability for affected customers.

Workaround: There are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-tcp.shtml

CSCsd40334: Processing a specially crafted IPv6 Type 0 Routing header can crash a device running Cisco IOS software. This vulnerability does not affect IPv6 Type 2 Routing header which is used in mobile IPv6. IPv6 is not enabled by default in Cisco IOS.

Cisco has made free software available to address this vulnerability for affected customers.

Workaround: There are workarounds available to mitigate the effects of the vulnerability. The workaround depends on if Mobile IPv6 is used and what version on Cisco IOS is being currently used.

This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20070124-IOS-IPv6.shtml

CSCsd58381: Processing a specially crafted IPv6 Type 0 Routing header can crash a device running Cisco IOS software. This vulnerability does not affect IPv6 Type 2 Routing header which is used in mobile IPv6. IPv6 is not enabled by default in Cisco IOS.

Cisco has made free software available to address this vulnerability for affected customers.

Workaround: There are workarounds available to mitigate the effects of the vulnerability. The workaround depends on if Mobile IPv6 is used and what version on Cisco IOS is being currently used.

This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20070124-IOS-IPv6.shtml

CSCsb93407: voice-h323 ealyon H323 port tcp 1720 still listening after call service stop

Symptoms: With H323 call service stopped, the router still listens on tcp port 1720 and completes connection attempts.

Conditions: After H323 is disabled using the configuration commands:

voice service voip 
h323
call service stop

Workaround: Access can be blocked by deploying an interface access list that blocks access to TCP port 1720 for traffic that is destined for any of the IP addresses of the router.

For information about deploying access lists, see the "Transit Access Control Lists: Filtering at Your Edge" document:

http://www.cisco.com/warp/public/707/tacl.html

For further information about deploying access lists, see the "Protecting Your Core: Infrastructure Protection Access Control Lists" document:

http://www.cisco.com/warp/public/707/iacl.html

For information about using control plane policing to block access to TCP port 1720, see the "Deploying Control Plane Policing White Paper:"

http://www.cisco.com/en/US/products/ps6642/products_white_paper0900aecd804fa16a.shtml

CSCsc72722: ios-firewall ealyon CBAC - firewall resets TCP idle timer upon receiving invalid TCP packets

Symptoms: TCP connections that are opened through a Cisco IOS Firewall (CBAC) may not timeout.

Conditions: With Cisco IOS Firewall (CBAC) enabled, the TCP idle timer for a session may be reset even by TCP packets that fail TCP inspection and are subsequently dropped. This could lead to the TCP session not timing out.

Workaround: There is no workaround.

CSCsb11849: security ealyon CoPP: Need support for malformed IP options

Symptoms: CoPP policy configured to drop packets with IP options will ignore packets with malformed IP options

Conditions: CoPP configured to filter ip packets with IP options

Workaround: Do not use IP option ACL filtering with CoPP. Instead configure CoPP to filter ip packets by source or destination address.

CSCsb52717: mcast-vpn ealyon Watchdog timeout and crash caused by invalid MDT data group join packet

Symptoms: A Cisco router configured for multicast VPN may reload after receiving a malformed MDT data group join packet.

Conditions: Affects all Cisco IOS versions that support mVPN MDT.

Workaround: Filter out MDT Data Join messages from the router sending the malformed packet using a Receive Access Control List (rACL) feature. Note by doing this, the offending router will not be able to participate within the mVPN data trees.

The following example shows how to block malformed MDT Data Join messages that are sent from the device's IP addresses using a receive ACL:

!
ip receive access-list 111
!
access-list 111 deny udp host <ip address of router sending malformed join
request> host 224.0.0.13 eq 3232
access-list 111 permit ip any any
!

Note Ensure that the rACL does not filter critical traffic such as routing protocols or interactive access to the routers. Filtering necessary traffic could result in an inability to remotely access the router, thus requiring a console connection. For this reason, lab configurations should mimic the actual deployment as closely as possible. Cisco recommends that you test this feature in the lab prior to deployment. For more information on rACLs, refer to "Protecting Your Core: Infrastructure Protection Access Control Lists" at the following URL:
http://www.cisco.com/warp/public/707/racl.html.


CSCsd28634: tcl-bleeding ealyon AAA command authorization can be bypassed via TCL scripts from ESS/ESM

Symptoms: Add functionality to disable ESM filter to execute Cisco IOS configuration commands. To prevent configuration commands being executed via ESM TCL fitlers, enter the global configuration command: no loggin esm config

Conditions: Prevents execution of the tcl script command ios_config from ESM filters.

Further Problem Description: As Tcl script modules contain executable commands, you should manage the security of these files in the same way you manage configuration files."

Workaround: Syslog filter modules can be written and stored as plain-text files or as precompiled files. Tcl script pre-compiling can be done with tools such as TclPro. Precompiled scripts allow a measure of security and managed consistency because they cannot be edited.

CSCsd92600: pki michaelr RSA keypair is renamed after reload causing Certificate usage to fail

Symptoms: After a reload, the router is unable to use its certificate to establish a VPN connection. If the peer is also a Cisco IOS router, debug crypto isakmp will show the following error during the negotiation:

ISAKMP:(...): signature invalid!

Conditions: Certificate based authentication is used in ISAKMP

Workaround: Re-enroll the router after the reload, to get a new certificate.

Further Problem Description: After the reload, show crypto key mypubkey rsa shows that the RSA keypair used is an old one (the one that was in use before the most recent enrollment) so it does not match the keypair that was used to obtain the current certificate.

The RSA keypair that should be used (the one that was used to obtain the current certificate) has been renamed with a # at the end. For example, before the reload, the rsa keypair is named router.domain.priv. After the reload, this key is now named router.domain.priv#, and there is another (older) keypair named router.domain.priv that does not match the certificate.

Related Documentation

The following sections describe the documentation available for the Cisco 2800 series routers. Typically, these documents consist of hardware and software installation guides, Cisco IOS configuration and command references, system error messages, feature modules, and other documents. Documentation is available as printed manuals or electronic documents, except for feature modules, which are available online on Cisco.com and the Documentation CD.

Use these release notes with the documents listed in the following sections:

Release-Specific Documents

Platform-Specific Documents

Release-Specific Documents

The following documents are specific to Release 12.3 and apply to Cisco IOS Release 12.3(11)YZ. They are located on Cisco.com and the Documentation CD (under the heading Service & Support):

To reach the Cross-Platform Release Notes for Cisco IOS Release 12.3(11)T, click this path:

Technical Documents: Cisco IOS Software: Release 12.3: Release Notes: Cisco IOS  Release 12.3(11)T 

To reach product bulletins, field notices, and other release-specific documents, click this path:

Technical Documents: Product Bulletins 

To reach the Caveats for Cisco IOS Release 12.3 and Caveats for Cisco IOS Release 12.3(11)T documents, which contain caveats applicable to all platforms for all maintenance releases of Release 12.3, click this path:

Technical Documents: Cisco IOS Software: Release 12.3: Caveats 

Platform-Specific Documents

Hardware installation guides, configuration and command reference guides, and additional documents specific to the Cisco 3600 series routers are available on Cisco.com and the Documentation CD at the following location:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_mod/cis3600/index.htm 

This URL is subject to change without notice. If it changes, point your web browser to Cisco.com, and click the following path:

Cisco Product Documentation: Access Servers and Access Routers: Modular Access Routers:  Series Integrated Services Routers: <platform_name>

Feature Navigator

Feature Navigator is a web-based tool that enables you to quickly determine which Cisco IOS software images support a particular set of features and which features are supported in a particular Cisco IOS image. Feature Navigator is available 24 hours a day, 7 days a week.

To access Feature Navigator, you must have an account on Cisco.com. If you have forgotten or lost your account information, e-mail the Contact Database Administration group at cdbadmin@cisco.com. If you do not have an account on Cisco.com, go to http://www.cisco.com/register and follow the directions to set up an account.

To use Feature Navigator, you must have a JavaScript-enabled web browser such as Netscape 3.0 or later, or Internet Explorer 4.0 or later. Internet Explorer 4.0 always has JavaScript enabled. To enable JavaScript for Netscape 3.x or Netscape 4.x, follow the instructions provided with the web browser. For JavaScript support and enabling instructions for other browsers, check with the browser vendor.

Feature Navigator is updated when major Cisco IOS software releases and technology releases occur. You can access Feature Navigator at the following URL:

http://www.cisco.com/go/fn 

Cisco IOS Software Documentation Set

The Cisco IOS software documentation set consists of the Cisco IOS configuration guides, Cisco IOS command references, and several other supporting documents that are shipped with your order in electronic form on the Documentation CD-ROM—unless you specifically ordered printed versions.

Documentation Modules

Each module in the Cisco IOS documentation set consists of one or more configuration guides and one or more corresponding command references. Chapters in a configuration guide describe protocols, configuration tasks, and Cisco IOS software functionality, and contain comprehensive configuration examples. Chapters in a command reference provide complete command syntax information. Use each configuration guide with its corresponding command reference. The Cisco IOS software documentation set is available on Cisco.com and on the Documentation CD-ROM.

On Cisco.com:

Products & Services: IOS Software: Cisco IOS Software Releases 12.3 Mainline: Technical Documentation: Master Indices

On the Documentation CD-ROM at:

Product Documentation: Cisco IOS Software: Cisco IOS Release 12.3: Configuration Guides and Command References

Release 12.3 Documentation Set

Table 3 describes the contents of Cisco IOS Release 12.3 software documentation set, which is available in both electronic and printed form.


Note You can find the most current Cisco IOS documentation on Cisco.com and the Documentation CD-ROM. These electronic documents may contain updates and modifications made after the hard-copy documents were printed.



Note Some aspects of the complete Cisco IOS Release 12.3 software documentation set might not apply to the Cisco 2800 router.


Table 3 Cisco IOS Release 12.3 Documentation Set 

Books
Major Topics

Cisco IOS Configuration Fundamentals Configuration Guide

Cisco IOS Configuration Fundamentals Command Reference

Cisco IOS User Interfaces
File Management
System Management

Cisco IOS Bridging and IBM Networking Configuration Guide

Cisco IOS Bridging and IBM Networking Command Reference, Volume 1 of 2

Cisco IOS Bridging and IBM Networking Command Reference, Volume 2 of 2

Transparent Bridging
SRB
Token Ring Inter-Switch Link
Token Ring Route Switch Module
RSRB
DLSW+
Serial Tunnel and Block Serial Tunnel
LLC2 and SDLC
IBM Network Media Translation
SNA Frame Relay Access
NCIA Client/Server
Airline Product Set
DSPU and SNA Service Point
SNA Switching Services
Cisco Transaction Connection
Cisco Mainframe Channel Connection
CLAW and TCP/IP Offload
CSNA, CMPC, and CMPC+
TN3270 Server

Cisco IOS Dial Technologies Configuration Guide: Dial Access

Cisco IOS Dial Technologies Configuration Guide: Large-Scale Dial Applications

Cisco IOS Dial Technologies Command Reference,
Volume 1 of 2

Cisco IOS Dial Technologies Command Reference,
Volume 2 of 2

Dial Access
Modem and Dial Shelf Configuration and Management
ISDN Configuration
Signaling Configuration
Point-to-Point Protocols
Dial-on-Demand Routing
Dial Backup
Dial Related Addressing Service
Network Access Solutions
Large-Scale Dial Solutions
Cost-Control Solutions
Internetworking Dial Access Scenarios

Cisco IOS Interface Configuration Guide

Cisco IOS Interface Command Reference

LAN Interfaces
Serial Interfaces
Logical Interfaces

Cisco IOS IP Configuration Guide

Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services

Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols

Cisco IOS IP Command Reference, Volume 3 of 3: Multicast

IP Addressing
IP Services
IP Routing Protocols
IP Multicast

Cisco IOS AppleTalk and Novell IPX Configuration Guide

Cisco IOS AppleTalk and Novell IPX Command Reference

AppleTalk
Novell IPX

Cisco IOS Apollo Domain, Banyan VINES, DECnet, ISO CLNS, and XNS Configuration Guide

Cisco IOS Apollo Domain, Banyan VINES, DECnet, ISO CLNS, and XNS Command Reference

Apollo Domain
Banyan VINES
DECnet
ISO CLNS
XNS

Cisco IOS Voice, Video, and Fax Configuration Guide

Cisco IOS Voice, Video, and Fax Command Reference

Voice over IP
Call Control Signaling
Voice over Frame Relay
Voice over ATM
Telephony Applications
Trunk Management
Fax, Video, and Modem Support

Cisco IOS Quality of Service Solutions Configuration Guide

Cisco IOS Quality of Service Solutions Command Reference

Packet Classification
Congestion Management
Congestion Avoidance
Policing and Shaping
Signaling
Link Efficiency Mechanisms

Cisco IOS Security Configuration Guide

Cisco IOS Security Command Reference

AAA Security Services
Security Server Protocols
Traffic Filtering and Firewalls
IP Security and Encryption
Passwords and Privileges
Neighbor Router Authentication
IP Security Options
Supported AV Pairs

Cisco IOS Switching Services Configuration Guide

Cisco IOS Switching Services Command Reference

Cisco IOS Switching Paths
NetFlow Switching
Multiprotocol Label Switching
Multilayer Switching
Multicast Distributed Switching
Virtual LANs
LAN Emulation

Cisco IOS Wide-Area Networking Configuration Guide

Cisco IOS Wide-Area Networking Command Reference

ATM
Frame Relay
SMDS
X.25 and LAPB

Cisco IOS Mobile Wireless Configuration Guide

Cisco IOS Mobile Wireless Command Reference

General Packet Radio Service

Cisco IOS Terminal Services Configuration Guide

Cisco IOS Terminal Services Command Reference

ARA
LAT
NASI
Telnet
TN3270
XRemote
X.28 PAD
Protocol Translation

Cisco IOS Configuration Guide Master Index

Cisco IOS Command Reference Master Index

Cisco IOS Debug Command Reference

Cisco IOS Software System Error Messages

New Features in 12.3-Based Limited Lifetime Releases

New Features in Release 12.3T

Release Notes (Release note and caveat documentation for 12.3-based releases and various platforms)

 


Service and Support

Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can obtain online documentation, troubleshooting tips, and sample configurations from online tools by using the Cisco Technical Assistance Center (TAC) Web Site. Cisco.com registered users have complete access to the technical support resources on the Cisco TAC Web Site.

Cisco.com

Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information, networking solutions, services, programs, and resources at any time, from anywhere in the world.

Cisco.com is a highly integrated Internet application and a powerful, easy-to-use tool that provides a broad range of features and services to help you with these tasks:

Streamline business processes and improve productivity

Resolve technical issues with online support

Download and test software packages

Order Cisco learning materials and merchandise

Register for online skill assessment, training, and certification programs

If you want to obtain customized information and service, you can self-register on Cisco.com. To access Cisco.com, go to this URL:

http://www.cisco.com

Technical Assistance Center

The Cisco Technical Assistance Center (TAC) is available to all customers who need technical assistance with a Cisco product, technology, or solution. Two levels of support are available: the Cisco TAC Web Site and the Cisco TAC Escalation Center.

Cisco TAC inquiries are categorized according to the urgency of the issue:

Priority level 4 (P4)—You need information or assistance concerning Cisco product capabilities, product installation, or basic product configuration.

Priority level 3 (P3)—Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue.

Priority level 2 (P2)—Your production network is severely degraded, affecting significant aspects of business operations. No workaround is available.

Priority level 1 (P1)—Your production network is down, and a critical impact to business operations will occur if service is not restored quickly. No workaround is available.

The Cisco TAC resource that you choose is based on the priority of the problem and the conditions of service contracts, when applicable.

Cisco TAC Web Site

You can use the Cisco TAC Web Site to resolve P3 and P4 issues yourself, saving both cost and time. The site provides around-the-clock access to online tools, knowledge bases, and software. To access the Cisco TAC Web Site, go to this URL:

http://www.cisco.com/tac

All customers, partners, and resellers who have a valid Cisco service contract have complete access to the technical support resources on the Cisco TAC Web Site. The Cisco TAC Web Site requires a Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or password, go to this URL to register:

http://www.cisco.com/register/

If you are a Cisco.com registered user, and you cannot resolve your technical issues by using the Cisco TAC Web Site, you can open a case online by using the TAC Case Open tool at this URL:

http://www.cisco.com/tac/caseopen

If you have Internet access, we recommend that you open P3 and P4 cases through the Cisco TAC Web Site.

Cisco TAC Escalation Center

The Cisco TAC Escalation Center addresses priority level 1 or priority level 2 issues. These classifications are assigned when severe network degradation significantly impacts business operations. When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer automatically opens a case.

To obtain a directory of toll-free Cisco TAC telephone numbers for your country, go to this URL:

http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml

Before calling, please check with your network operations center to determine the level of Cisco support services to which your company is entitled: for example, SMARTnet, SMARTnet Onsite, or Network Supported Accounts (NSA). When you call the center, please have available your service agreement number and your product serial number.