Table Of Contents
Resolved Caveats—Cisco IOS Release 12.3(5f)
Resolved Caveats—Cisco IOS Release 12.3(5e)
Resolved Caveats—Cisco IOS Release 12.3(5d)
Resolved Caveats—Cisco IOS Release 12.3(5c)
Resolved Caveats—Cisco IOS Release 12.3(5b)
Resolved Caveats—Cisco IOS Release 12.3(5a)
Resolved Caveats—Cisco IOS Release 12.3(5)
Resolved Caveats—Cisco IOS Release 12.3(3i)
Resolved Caveats—Cisco IOS Release 12.3(3h)
Resolved Caveats—Cisco IOS Release 12.3(3g)
Resolved Caveats—Cisco IOS Release 12.3(3f)
Resolved Caveats—Cisco IOS Release 12.3(3e)
Resolved Caveats—Cisco IOS Release 12.3(3c)
Resolved Caveats—Cisco IOS Release 12.3(3b)
Resolved Caveats—Cisco IOS Release 12.3(3a)
Resolved Caveats—Cisco IOS Release 12.3(3)
Novell IPX, XNS, and Apollo Domain
Resolved Caveats—Cisco IOS Release 12.3(1a)
Resolved Caveats—Cisco IOS Release 12.3(1)
Novell IPX, XNS, and Apollo Domain
Obtaining Documentation and Submitting a Service Request
Resolved Caveats—Cisco IOS Release 12.3(5f)
Cisco IOS Release 12.3(5f) is a rebuild release for Cisco IOS Release 12.3(5). The caveats in this section are resolved in Cisco IOS Release 12.3(5f) but may be open in previous Cisco IOS releases.
The following information is provided for each caveat:
•
Symptoms—A description of what is observed when the caveat occurs.
•
Conditions—The conditions under which the caveat has been known to occur.
•
Workaround—Solutions, if available, to counteract the caveat.
Basic System Services
•
CSCee45312
Remote Authentication Dial In User Service (RADIUS) authentication on a device that is running certain versions of Cisco Internetworking Operating System (IOS) and configured with a fallback method to none can be bypassed.
Systems that are configured for other authentication methods or that are not configured with a fallback method to none are not affected.
Only the systems that are running certain versions of Cisco IOS are affected. Not all configurations using RADIUS and none are vulnerable to this issue. Some configurations using RADIUS, none and an additional method are not affected.
Cisco has made free software available to address this vulnerability. There are workarounds available to mitigate the effects of the vulnerability.
More details can be found in the security advisory, which is posted at the following URL:
http://www.cisco.com/warp/public/707/cisco-sa-20050629-aaa.shtml
•
CSCei61732
Cisco IOS may permit arbitrary code execution after exploitation of a heap-based buffer overflow vulnerability. Cisco has included additional integrity checks in its software, as further described below, that are intended to reduce the likelihood of arbitrary code execution.
Cisco has made free software available that includes the additional integrity checks for affected customers.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20051102-timers.shtml.
IP Routing Protocols
•
CSCeh13489
Symptoms: A router may reset its Border Gateway Protocol (BGP) session.
Conditions: This symptom is observed when a Cisco router that peers with other routers receives an Autonomous System (AS) path with a length that is equal to or greater than 255.
Workaround: Configure the bgp maxas-limit command in such a way that the maximum length of the AS path is a value below 255. When the router receives an update with an excessive AS path value, the prefix is rejected and the event is recorded in the log.
Miscellaneous
•
CSCeh77547
Symptoms: The makefile is missing the ik9s-mz image list for the Cisco AS5350 gateway.
Conditions: This symptom has been observed for the Cisco AS5350 and AS5400 platforms.
Workaround: There is no workaround.
Resolved Caveats—Cisco IOS Release 12.3(5e)
Cisco IOS Release 12.3(5e) is a rebuild release for Cisco IOS Release 12.3(5). The caveats in this section are resolved in Cisco IOS Release 12.3(5e) but may be open in previous Cisco IOS releases.
Basic System Services
•
CSCef46191
Symptoms: A specifically crafted Transmission Control Protocol (TCP) connection to a telnet or reverse telnet port of a Cisco device running Internetwork Operating System (IOS) may block further telnet, reverse telnet, Remote Shell (RSH), Secure Shell (SSH), and in some cases Hypertext Transfer Protocol (HTTP) access to the Cisco device. Telnet, reverse telnet, RSH and SSH sessions established prior to exploitation are not affected.
All other device services will operate normally.
Conditions: A user-initiated, specially crafted TCP connection to a telnet or reverse telnet port results in blocking further telnet sessions, whereas services such as packet forwarding, routing protocols and all other communication to and through the device remain unaffected.
Workaround: The detailed advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040827-telnet.shtml
•
CSCin61699
Symptoms: Retransmissions may not be sent to all RADIUS servers in a server group.
Conditions: This symptom is observed when an active RADIUS server in a server group is declared dead and when the server group already contains some dead RADIUS servers. In this situation, the retransmission attempt is not made to all the dead RADIUS servers in the server group but only to the server that is just declared dead. This is not proper behavior: retransmissions should be sent to all the dead RADIUS servers.
Workaround: There is no workaround.
Interfaces and Bridging
•
CSCee58873
Symptoms: The show controllers t1 slot/port command may show only the current interval.
Conditions: This symptom is observed on a Cisco 7200 series when FDL is configured.
Workaround: There is no workaround.
Further Problem Description: When FDL is configured, the router updates the MIB data after checking for a valid local and remote MIB data interval that it receives from the T1 port adapter. During the remote MIB update, and if the received data interval is invalid, the router clears both the remote and the local data instead of clearing only the remote data and starting again.
IP Routing Protocols
•
CSCed73023
Symptoms: A Cisco 1600 series crashes with an "Unexpected exception to CPU vector 2" error.
Conditions: This symptom is observed when stateful NAT is configured with the redundancy in command.
Workaround: There is no workaround.
•
CSCef60659
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messages
Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.cpni.gov.uk/docs/re-20050412-00303.pdf.
•
CSCsa59600
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messages
Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.cpni.gov.uk/docs/re-20050412-00303.pdf.
Miscellaneous
•
CSCec81138
Symptoms: Traceback messages are seen on a Cisco AS5400 origination GW (OGW). The tracebacks are reproducible.
Conditions: This symptom is observed when running tests with an E1R2 interface.
Workaround: There is no workaround.
•
CSCee01688
Symptoms: A NAS crashes when stress scripts are running and when bulk calls are made.
Conditions: This symptom is observed on a Cisco AS5400 and Cisco AS5800 that are configured for T1 when scripts run that enter the shutdown command followed by the no shutdown command on controllers in digital callers and the clear modem all command in analog callers. The NAS is stressed with both analog and digital calls made from a traffic generator that sends 20 packets per second and the scripts run every 10 minutes.
Workaround: There is no workaround.
•
CSCee11770
Symptoms: All SWIDBs may be used.
Conditions: This symptom is observed when PPPoA sessions flap continuously.
Workaround: There is no workaround.
•
CSCee20366
Symptoms: IMA link status sticks in NE usable/usable while showing FE active/active.
Conditions: This happens when connecting an IMA module in a Cisco 3640 to a third party vendor switch.
Workaround: Administratively shut down the link and then bring it back.
•
CSCee22810
Symptoms: On a Cisco 7500 series, all PVCs may suddenly enter the down state and remain in this state for about two minutes before they come back up. During the DLCI down state, the subinterface does not go down and no notifications are observed in the message log.
Conditions: This symptom is observed on a Cisco 7500 series that is configured with an RSP4+ or an RSP8 and that runs the rsp-jsv-mz image of Cisco IOS Release 12.2(12i). In addition, the router is configured with an 8-port serial port adapter and an HSSI port adapter, is configured for Frame Relay, and has more than 450 PVCs/DLCIs. Note that the symptom may be platform-independent and may also occur on other Cisco platforms in a similar configuration.
Note: This is a timing issue and is not dependent on the number of VCs.
Workaround: There is no workaround.
•
CSCee47441
Symptoms: When the Cisco IOS Firewall CBAC is configured, the router seems to have a software-forced reload caused by one of the inspections processed.
Conditions: This symptom is observed when the router is part of a DMVPN hub-spoke with a Cisco VoIP phone solution deployed on it and the router is connected to the central office over the Internet. The Cisco VoIP phone runs the SKINNY protocol.
Workaround: There is no workaround.
•
CSCee49556
Symptoms: When a T.38 fax failure occurs, for example because a call is disconnected, a Cisco AS5400 may incorrectly generate the following message in its log:
%DSM-3-DSP_TIMEOUT: DSP timeout on channel <channel specific information> T38 Codec Switch Failed or Timed out
Conditions: This symptom is observed when there is no real failure in the codec download. The symptom may occur when a disconnect from the telephony side occurs while the Cisco AS5400 is in the middle of a codec download.
Workaround: There is no workaround.
•
CSCee69942
Symptoms: A software-forced reload may occur on an MGCP gateway that uses embedded messages in the MGCP protocol.
Conditions: This symptom is observed on a Cisco platform that functions as an MGCP gateway and is caused by the MGCP embedded message processing.
Workaround: There is no workaround.
•
CSCee94294
Symptoms: %ALIGN-3-SPURIOUS and %ALIGN-3-TRACE messages may appear in the logs of a router, and the output of the show align command shows that some spurious memory accesses are recorded.
Conditions: This symptom is observed on a Cisco 7500 series when a dLFIoATM interface on the router flaps.
Workaround: There is no workaround. However, the capabilities and performance of the router are not affected.
•
CSCef04467
Symptoms: The MGCP default setting for the minimum jitter buffer size is 4 ms; this setting degrades the voice quality until you configure a different value via the mgcp playout command. This has always been the default in IOS, but MGCP had been using a fixed playout buffer instead of a dynamic buffer even though it was configured to use a dynamic one. As a result of recent IOS changes, MGCP now uses the dynamic playout buffer.
Conditions: This symptom is observed under normal operating conditions.
Workaround: Configure the nominal MGCP default setting for the minimum jitter buffer size to be the same as for H.323 and SIP gateways so that the setting for each individual gateway does not need to be changed via the mgcp playout command.
•
CSCef14548
Symptoms: A Cisco router accepts an incoming plaintext packet that matches the crypto map that is applied to an interface. The packet should be rejected because it should have been encrypted.
Conditions: This symptom is observed when all the following conditions occur:
–
The interface is a serial subinterface.
–
The interface has both fast switching and CEF switching disabled.
–
The outgoing interface for the packet has fast switching or CEF switching enabled.
Workaround: Ensure that all interfaces have fast switching and CEF switching either enabled or disabled.
•
CSCef21720
Symptoms: A software-forced crash may occur on a gatekeeper that processes an incoming call.
Conditions: This symptom is observed on a Cisco platform that functions as a gatekeeper and that runs Cisco IOS Release 12.2(15)T13 and occurs only when a GKTMP server is configured for LRQ triggering.
Workaround: There is no workaround.
•
CSCef44225
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messages
Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.cpni.gov.uk/docs/re-20050412-00303.pdf.
•
CSCef46230
Symptoms: A Cisco Access server that terminates virtual-profile calls with per-user access control lists (ACLs) does not remove all per-user ACLs when calls are terminated. This situation may cause the memory of the access server to be depleted, and the output of the show processes memory EXEC command may indicate that the "AAA Per-User" process holds most of the allocated memory.
Conditions: This symptom is observed on a Cisco access server that runs a Cisco IOS Release that contains the fix for CSCee01688.
Temporary Workaround: To free up memory, manually remove the per-user ACL by entering the no ip access-list extended virtual-access number global configuration command. The number argument consists of the numbers (for example, 2003#671) that are assigned by the Cisco IOS software when the ACL is created.
•
CSCef61610
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messages
Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.cpni.gov.uk/docs/re-20050412-00303.pdf.
•
CSCef67682
Reception of certain IPv6 fragments with carefully crafted illegal contents may cause a router running Cisco IOS to reload if it has IPv6 configured. This applies to all versions of Cisco IOS that include support for IPv6.
The system may be protected by installing appropriate access lists to filter all IPv6 fragments destined for the system. For example:
interface Ethernet0/0
 ipv6 traffic-filter nofragments in
!
ipv6 access-list nofragments
 deny ipv6 any <my address1> undetermined-transport
 deny ipv6 any <my address2> fragments
 permit ipv6 any any
This must be applied across all interfaces, and must be applied to all IPv6 addresses which the system recognizes as its own.
This will effectively disable reassembly of all IPv6 fragments. Some networks may rely on IPv6 fragmentation, so careful consideration should be given before applying this workaround.
We recommend that customers upgrade to the fixed IOS release. All IOS releases listed in the IPv6 Routing Header Vulnerability Advisory at /en/US/products/products_security_advisory09186a00807cb0fd.shtml contain fixes for this issue.
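One way to audit a saved configuration against the CSCef67682 workaround above, which must cover every interface and every IPv6 address of the system. This is an added example, not part of the Cisco release notes or any Cisco tool. The sample configuration and all function names are constructed for illustration, and only statically configured addresses are checked (link-local and eui-64 addresses derived at run time are not resolved).

```python
import ipaddress
import re

# Constructed sample configuration (not from a real device). Ethernet0/0 follows
# the workaround, Serial1/0 runs IPv6 without a filter, and the ACL has no
# entry for Serial1/0's address.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 ipv6 address 2001:DB8:0:1::1/64
 ipv6 traffic-filter nofragments in
!
interface Serial1/0
 ipv6 address 2001:DB8:0:2::1/64
!
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
ipv6 access-list nofragments
 deny ipv6 any host 2001:DB8:0:1::1 undetermined-transport
 deny ipv6 any host 2001:DB8:0:1::1 fragments
 permit ipv6 any any
"""


def parse_config(text):
    """Return (interfaces, acls) parsed from IOS-style configuration text."""
    interfaces, acls, current = {}, {}, None
    for raw in text.splitlines():
        line = re.sub(r" sequence \d+$", "", raw.strip())
        if not raw.startswith(" "):
            # A non-indented line ends the previous block and may start a new one.
            current = None
            m = re.match(r"interface (\S+)$", line)
            if m:
                current = interfaces.setdefault(
                    m.group(1), {"ipv6": False, "addrs": [], "filter_in": None})
            m = re.match(r"ipv6 access-list (\S+)$", line)
            if m:
                current = acls.setdefault(m.group(1), [])
        elif isinstance(current, dict):  # inside an interface block
            if line.startswith(("ipv6 address", "ipv6 enable")):
                current["ipv6"] = True
            m = re.match(r"ipv6 address ([0-9A-Fa-f:]+)(?:/\d+)?(?: (\S+))?$", line)
            if m and m.group(2) != "eui-64":  # eui-64 host part is unknown here
                current["addrs"].append(ipaddress.IPv6Address(m.group(1)))
            m = re.match(r"ipv6 traffic-filter (\S+) in$", line)
            if m:
                current["filter_in"] = m.group(1)
        elif isinstance(current, list):  # inside an IPv6 access list
            m = re.match(
                r"(deny|permit) ipv6 any (any|host \S+|\S+/\d+)(?: (.*))?$", line)
            if m:
                dst = "::/0" if m.group(2) == "any" else m.group(2).replace("host ", "")
                current.append((m.group(1),
                                ipaddress.IPv6Network(dst, strict=False),
                                (m.group(3) or "").split()))
    return interfaces, acls


def fragments_denied(entries, addr):
    """True if an explicit 'deny ... fragments' entry for addr comes before
    any unqualified permit that would let the fragment through."""
    for action, dst, opts in entries:
        if addr not in dst:
            continue
        if action == "deny" and "fragments" in opts:
            return True
        if action == "permit" and not opts:
            return False
    return False  # no explicit entry found for this address


def audit(text):
    """Return a list of (interface, problem) findings for the workaround."""
    interfaces, acls = parse_config(text)
    own = sorted({a for intf in interfaces.values() for a in intf["addrs"]})
    findings = []
    for name, intf in interfaces.items():
        if not intf["ipv6"]:
            continue
        acl = intf["filter_in"]
        if acl is None:
            findings.append((name, "no inbound ipv6 traffic-filter"))
        elif acl not in acls:
            findings.append((name, f"traffic-filter {acl} is not defined"))
        else:
            for addr in own:
                if not fragments_denied(acls[acl], addr):
                    findings.append(
                        (name, f"{acl} does not deny fragments to {addr}"))
    return findings


if __name__ == "__main__":
    for interface, problem in audit(SAMPLE_CONFIG):
        print(f"{interface}: {problem}")
```
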
•
CSCef68324
Cisco Internetwork Operating System (IOS) software is vulnerable to a Denial of Service (DoS) and potentially an arbitrary code execution attack from a specifically crafted IPv6 packet. The packet must be sent from a local network segment. Only devices that have been explicitly configured to process IPv6 traffic are affected. Upon successful exploitation, the device may reload or be open to further exploitation.
Cisco has made free software available to address this vulnerability for all affected customers.
More details can be found in the security advisory that is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050729-ipv6.shtml.
•
CSCef72772
Symptoms: Spurious memory accesses occur on a gatekeeper during RAS communication for H.323 voice calls.
Conditions: This symptom is observed when the gatekeeper sends an LRQ for a voice call.
Workaround: There is no workaround.
•
CSCef81415
Symptoms: When the calling number or the called number or both contains the * character, for example *67#1234567890, the call is rejected by the gateway and is released with cause code 63 (service or option not available). In the debugs the following message is generated before call is released:
H225Lib::is_valid_e164_number: Number has non-supported IA5 character - * cch323_ras_arj_notify:called
Conditions: This symptom is observed on a Cisco platform that functions as a gateway in an H.323 VoIP network and that runs Cisco IOS Release 12.3(6c) or another release that contains the fix for CSCee07037. The symptom occurs only in gatekeeper-routed call scenarios, that is, RAS-based call flows.
A list of the affected releases can be found at http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCee07037. Cisco IOS software releases that are not listed in the "First Fixed-in Version" field at this location are not affected.
The symptom does not occur with other characters such as #.
Workaround: There is no workaround.
•
CSCeg30170
Symptoms: When you perform a stress test on a Cisco 7200 series that processes H.323 voice calls, the following error message and traceback may be generated:
%ALIGN-3-SPURIOUS: Spurious memory access made at 0x6241A498 reading 0x94
%ALIGN-3-TRACE: -Traceback= 6241A498 6241C788 623EB0F8 623ED694 00000000 00000000 00000000 00000000
DGK7201#
Conditions: This symptom is observed when you make approximately 40 calls per second and when the directory gatekeeper (DGK) loader constantly sends LRQs to the DGKs to query a route server to obtain routes. Note, however, that the router continues to process calls normally.
Workaround: There is no workaround.
•
CSCin82407
Cisco Internetwork Operating System (IOS) Software release trains 12.2T, 12.3 and 12.3T may contain vulnerabilities in processing certain Internet Key Exchange (IKE) Xauth messages when configured to be an Easy VPN Server.
Successful exploitation of these vulnerabilities may permit an unauthorized user to complete authentication and potentially access network resources.
This advisory will be posted to http://www.cisco.com/warp/public/707/cisco-sa-20050406-xauth.shtml
•
CSCsa54608
The Cisco IOS Firewall Authentication Proxy for FTP and/or Telnet Sessions feature in specific versions of Cisco IOS software is vulnerable to a remotely-exploitable buffer overflow condition.
Devices that do not support, or are not configured for Firewall Authentication Proxy for FTP and/or Telnet Services are not affected.
Devices configured with only Authentication Proxy for HTTP and/or HTTPS are not affected.
Only devices running certain versions of Cisco IOS are affected.
Cisco has made free software available to address this vulnerability. There are workarounds available to mitigate the effects of the vulnerability.
This advisory will be posted at http://www.cisco.com/warp/public/707/cisco-sa-20050907-auth_proxy.shtml.
•
CSCuk47482
Symptoms: A router may reload unexpectedly while you disable label distribution protocol (LDP) on an interface.
Conditions: This symptom is observed on a router that has several interfaces that are configured for LDP when you disable LDP on all interfaces and when there is still one open TCP connection that is passively used by LDP while you disable LDP on the last interface.
Workaround: There is no workaround.
TCP/IP Host-Mode Services
•
CSCed78149
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messages
Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.cpni.gov.uk/docs/re-20050412-00303.pdf.
Wide-Area Networking
•
CSCee82624
Symptoms: A spurious memory access may occur on a Cisco router that is configured for PPP.
Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.3(5).
Workaround: There is no workaround.
•
CSCef12262
Symptoms: With PPP multilink over ATM configured in Cisco IOS, the router may reload with a bus error.
Conditions: This symptom is observed when the PPP over ATM link goes down and is removed from the multilink bundle.
Workaround: Increasing the keepalive interval or retry count, or disabling keepalives altogether, may help to avoid the problem by making it less likely that the PPP over ATM session goes down during periods of instability in the ATM network.
•
CSCsa52807
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messages
Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.cpni.gov.uk/docs/re-20050412-00303.pdf.
Resolved Caveats—Cisco IOS Release 12.3(5d)
Cisco IOS Release 12.3(5d) is a rebuild release for Cisco IOS Release 12.3(5). The caveats in this section are resolved in Cisco IOS Release 12.3(5d) but may be open in previous Cisco IOS releases.
Basic System Services
•
CSCdz87017
Symptoms: Information about a port adapter (PA) may be missing from the output of a show diag command.
Conditions: The show diag command for the affected controller displays information similar to the following:
PA Bay 0 Information:
Fast-Ethernet PA, 1 ports, 100BaseTX-ISL
EEPROM format version 0
HW rev 0.00, Board revision UNKNOWN
Serial number: 00000000 Part number: 00-0000-00
The problem is related to a timing issue and is not always reproducible.
Workaround: There is no workaround. However, the symptom does not impact the functionality of the router.
•
CSCed64664
Symptoms: A "%SYS-2-LINKED: Bad enqueue ....." error message may be seen in the syslog of an LNS right after traffic is sent through a PPP multilink bundle that is established via an L2TP session on the LNS. This message is also seen when multilink PPP fragments are switched or when multicast packets are replicated.
Certain packet buffers (particle clones) are eventually depleted, and multilink fragmentation stops working when all particle clones are exhausted. You can monitor the availability of particle clones by entering the show buffers | begin Particle Clones: EXEC command; the command does not produce any output if no more particle clones are available.
Conditions: This symptom is observed when multilink is configured on a virtual template that is handling the VPDN sessions or when multicast packets are switched.
Workaround: When L2TP multilink calls are terminated, disable multilink fragmentation by entering the ppp multilink fragment disable interface configuration command on the virtual template.
•
CSCed75238
Symptoms: A serial interface on a Cisco 7500 series may stop transmitting traffic and may report the following VIP crashes:
%MDS-2-LC_FAILED_IPC_ACK: RP failed in getting Ack for IPC message of size 84 to LC in slot 2 with sequence 1007, error = timeout
%RSP-3-RESTART: interface Serial3/0/0:0, not transmitting
%VIP2-3-MSG: slotX VIP-3-SVIP_CYBUSERROR_INTERRUPT: A Cybus Error occurred.
%VIP2-1-MSG: slotX CYASIC Error Interrupt register 0x4000000
%VIP2-1-MSG: slotX DMA Transmit Error
%VIP2-1-MSG: slotX CYASIC Other Interrupt register 0x100
%VIP2-1-MSG: slotX QE HIGH Priority Interrupt
%VIP2-1-MSG: slotX QE RX HIGH Priority Interrupt
%VIP2-1-MSG: slotX CYBUS Error Cmd/Addr 0xD00FF3A
Conditions: This symptom is observed on a Cisco 7500 series running Cisco IOS Release 12.3(5a). This symptom is not observed in Release 12.1(8c).
Workaround: There is no workaround.
•
CSCed91215
Symptoms: Attributes 42 and 43 may be of value "zero" in Connection STOP records.
Conditions: This symptom is observed on a Cisco AS5400 and Cisco AS5850 that run Cisco IOS Release 12.3 or Release 12.3(4)T4 when a TCP-clear call is disconnected by the caller. For call disconnects by the NAS, the values are proper.
Workaround: There is no workaround.
•
CSCee35740
Symptoms: After a VIP crashes, a FIB-3-FIBDISABLE error message due to an IPC timeout may occur for all the slots of the VIP.
Conditions: This symptom is observed on a Cisco 7500 series after the VIP crashes and before the VIP recovers. The FIB-3-FIBDISABLE error message is generated for all the slots of the VIP, causing dCEF switching to become disabled.
Workaround: There is no workaround. You can reenable dCEF by entering the clear cef linecard command.
Interfaces and Bridging
•
CSCdy36519
Symptoms: A Cisco 7500 series may show a %SYS-3-CPUHOG error message when an ATM link on the router is flapped.
Conditions: This symptom is observed only when there are a lot of VCs on the ATM interface and when the VIP is oversubscribed.
Workaround: There is no workaround.
•
CSCee55632
Symptoms: A Cisco 7500 series may leave ATM PVCs up when the ATM interface is shut down.
Conditions: This symptom is observed on a Cisco 7500 series that has a PA-A3 when the CPU utilization of the VIPs is high.
Workaround: There is no workaround.
IP Routing Protocols
•
CSCec55535
Symptoms: Address Resolution Protocol (ARP) may not be triggered for an inside-local address destination after the outside-to-inside translation is performed correctly, causing packets to be dropped because the adjacency remains gleaned.
Conditions: This symptom is observed on a Cisco router when the Multi-VRF feature is configured and when you configure a customer edge (CE) router to perform Network Address Translation (NAT).
Workaround: Perform a ping from the router to the CE router to trigger ARP and to populate the adjacency table.
•
CSCec59206
Symptoms: A router may reload unexpectedly because of a bus error when it accesses a low address during the translation of TCP port 514.
Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.3(5) and that is configured for Network Address Translation (NAT).
Workaround: Prevent the translation of TCP port 514.
•
CSCed57814
Symptoms: A Cisco router that is configured for SIP NAT may not be able to process authentication messages from a third-party SIP gateway that performs SIP proxy authentication.
Conditions: This symptom is observed in a Call Hold/Resume procedure.
Workaround: There is no workaround.
•
CSCed65040
Symptoms: T.38 fax calls between a Cisco router and a third-party gateway may fail.
Conditions: This symptom is observed when two third-party gateways are connected via a Cisco router that runs SIP NAT. The T.38 fax calls fail from one of the third-party gateways to the Cisco router and vice versa.
Workaround: There is no workaround.
•
CSCee10996
Symptoms: When the debug ip pim auto-rp command is enabled on a Cisco 7500 series, the router crashes when it receives an AutoRP message.
Conditions: This symptom is observed on a Cisco 7500 series that runs the rsp-isv-mz image of Cisco IOS Release 12.2(15)T7 or 12.2(15)T9. The symptom may also occur in other releases of Release 12.2 T, or in Release 12.3 or Release 12.3 T.
Workaround: There is no workaround.
Miscellaneous
•
CSCdy40928
Symptoms: Connectivity difficulties may occur when Virtual Private Network (VPN) routing/forwarding (VRF) packets follow the global routing table instead of the VRF table.
Conditions: This symptom is observed on a low-end Cisco router that runs Cisco IOS Release 12.2(7a) or another release when the global address space in the router overlaps with the VRF address that is configured on a VRF interface of a connected PE router. The VRF interface of this PE router may be unreachable but end-to-end connectivity may not be affected.
Workaround: There is no workaround.
•
CSCdz67303
Symptoms: A Cisco router that functions as a voice gateway may reload unexpectedly after a series of calls that include call transfers and diverted calls have been processed.
Conditions: This symptom is observed on a Cisco 2621XM and Cisco 3640 when you use a third-party vendor protocol convertor to translate and provide a tunnel for Digital Private Network Signaling System (DPNSS) traffic over Q Signaling (QSIG). The symptom is not platform specific.
Workaround: There is no workaround.
•
CSCea32906
Symptoms: A Cisco Service Selection Gateway (SSG) router may reload because of a bus error.
Conditions: This symptom is observed on a Cisco router when Cisco Express Forwarding (CEF) is enabled and access list configurations on the router are changed.
Workaround: Disable CEF.
•
CSCea59948
Symptoms: A cbus complex (which will bring down all the interfaces on the box for some time but the router will not reload) may be observed on a Cisco router when the following message appears on the serial interface:
%RSP-3-RESTART: interface Serial8/1/0/23:23, not transmitting
Conditions: This symptom occurs specifically on a Cisco 7500 series router when Multilink PPP (MLP) is configured on the serial interface and distributed Cisco Express Forwarding (dCEF) switching is enabled.
The problem occurs when multilink member links flap. It may be after a single flap or multiple flaps.
Workaround: There is no workaround.
Further Problem Description: How long the interfaces stay down during a cbus complex depends on the number of VIPs/IPs (time taken for microcode download) and the type of PAs (time taken for VIP reload) present in those VIPs. All the interfaces will come back up without any manual intervention.
•
CSCeb68673
Symptoms: On an ASBR-PE, the TFIB may be missing a forwarding entry for a prefix that is learnt from a PE.
Conditions: This symptom is observed on an "ASBR-co-located PE" (that is, an ASBR that also functions as a PE router) when the PE functionality is removed by deconfiguring VRF, for example, by entering the no ip vrf vrf-name command.
Since this is a timing issue, it may occur in Cisco IOS Release 12.0 S, 12.2 S, 12.2 T, and 12.3.
Workaround: There is no workaround.
•
CSCec24878
Symptoms: A Cisco Media Gateway Control Protocol (MGCP) gateway may be unregistered by a Cisco CallManager.
Conditions: This symptom is observed on a Cisco router that functions as a gateway and that runs Cisco IOS Release 12.2 T, Release 12.3, or Release 12.3 T when the T1 channel-associated signaling (CAS) and PRI backhaul is configured.
Following is an example of the sequence of events that cause the symptom to occur:
1.
The Cisco CallManager tears down an active call on the gateway by sending an MGCP delete connection (DLCX) request.
2.
The gateway sends a "200 OK" response to the MGCP DLCX request.
3.
The Cisco CallManager sends an MGCP Request Notify (RQNT) response to the gateway with "DT/sup" and "D/[0-9ABCD*#]" as the requested events to be notified.
4.
The gateway receives the MGCP RQNT request but does not immediately send a "200 OK" response to the MGCP RQNT request.
5.
The Cisco CallManager retransmits the MGCP RQNT request four more times at a frequency of one request per 3 seconds.
6.
The Cisco CallManager unregisters the gateway because it does not receive any response to its MGCP RQNT request.
7.
After 20 seconds, the gateway sends an MGCP notify (NTFY) message with "DT/rlc" as the notified event.
8.
Subsequently, the gateway sends a "200 OK" response to the MGCP RQNT request.
9.
The gateway does not receive any response to its MGCP requests because the Cisco CallManager has unregistered the gateway.
Workaround: Do not use MGCP. Rather, use H.323.
•
CSCec31206
Symptoms: The amount of free memory on a router decreases as the memory that is held by the Simple Network Management Protocol (SNMP) engine process increases. The decrease in the amount of free memory can be verified by examining the output of the show proc mem | i SNMP privileged EXEC command.
Conditions: This symptom is observed when SNMP is used to attempt to set values in the LDP-MIB, TE-MIB, or VPN-MIB.
Workaround: Avoid using SNMP to set values in the MIBs. Use the CLI on the router to set the values needed.
•
CSCec33028
Symptoms: A 1-port E3 serial port adapter (PA-E3) may fail to recover to the "up/up" state even when the original cause of the failure is corrected.
Conditions: This symptom is observed on a Cisco 7500 series.
Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the interface of the PA-E3.
•
CSCec47915
Symptoms: Users fail to authenticate on a Cisco router when the CiscoSecure authorization (CSAuth) service module fails on a primary Access Control Server (ACS).
Conditions: This symptom is observed on a Cisco router when the CSAuth services fail on the primary ACS server. When the primary ACS server is unavailable because CSAuth services stop, the ACS server returns the "Authserver is Down" error message but the router does not detect this message and fails to submit the authentication CSAuth request to the secondary server.
Following is an example of the current server configuration:
aaa group server tacacs+ group-name
server x.x.x.x
server y.y.y.y
aaa authentication ppp default group group-name
Workaround: If a group contains only a few servers, the servers may be placed in separate groups and those groups may be included as separate methods. For example:
aaa group server tacacs+ group-name-1
server x.x.x.x
aaa group server tacacs+ group-name-2
server y.y.y.y
aaa authentication ppp default group group-name-1 group group-name-2
•
CSCec52045
Symptoms: Cisco IOS software may accept and process a "RESPONDER LIFETIME" notify message before it has processed a "Main Mode 6" message. (A "RESPONDER LIFETIME" notify message is sent by a headend router to a remote device to facilitate the synchronization of Internet Key Exchange (IKE) rekeying.)
Conditions: This symptom is observed when a "RESPONDER LIFETIME" notify message arrives before a "Main Mode 6" message. IKE packets can arrive out of order because IKE relies on User Datagram Protocol (UDP) as the transmission protocol.
Workaround: If the remote device functions as Easy VPN Client, configure the device to operate in "auto connect mode" to prevent you from having to reinitiate the connection manually.
Alternate Workaround: Ensure that the IKE peers have matching lifetimes. Doing so makes the "RESPONDER LIFETIME" notify message unnecessary and prevents Cisco IOS software from sending this message.
•
CSCec52743
Symptoms: Analog recEive and transMit (E&M) ports may become stuck intermittently. When the symptom occurs, the following error message is displayed:
%C542-1-NO_RING_DESCRIPTORS: No more ring descriptors on recEive And transMit 3/0/1. Msg id=48, Len=38
In addition, the output of the show voice call summary EXEC command indicates that the voice-port state is "EM_PARK_IDLE."
Conditions: This symptom is observed on a Cisco gateway that runs Cisco IOS Release 12.2(15)T5 and that has an analog E&M port to connect to a PBX. Note that the symptom does not occur in Release 12.2(15)T1. The symptom may occur in Release 12.3.
Workaround: Reload the Cisco gateway.
•
CSCec53123
Symptoms: Spurious memory accesses may occur on a router.
Conditions: This symptom is observed on a Cisco router that runs Routing Information Protocol (RIP).
Workaround: There is no workaround.
•
CSCec57763
Symptoms: A VIP may reload when an SSO occurs on an RP.
Conditions: This problem occurs intermittently when distributed MLP is configured on the router.
Workaround: There is no workaround.
•
CSCec66456
Symptoms: A router that is configured for quality of service (QoS) may reload unexpectedly because of a segmentation violation (SegV) exception.
Conditions: This symptom was observed on a Cisco 2600 series that runs the c2600-telco-mz image of Cisco IOS Release 12.3(1a). This can be seen on other IOS-based routers.
Possible Workaround: Disable QoS.
•
CSCec76965
Symptoms: When configuring QoS on a Cisco 7200 series, the router may reload with a bus error. Specifically, the bus error occurs after having entered the no class name command on subinterfaces.
Conditions: This symptom is observed on a Cisco 7200 series that runs the c7200-jk9s-mz image of Cisco IOS Release 12.2(17a). The symptom may also occur in other releases. This behavior is associated with the use of "payload-compression" and Weighted Random Early Detection (WRED) configurations.
Workaround: There is no workaround.
•
CSCec86131
Symptoms: A FlexWAN or VIP in which a channelized port adaptor such as a PA-STM1 or PA-MC-8TE1+ is installed may reload continuously.
Conditions: This issue is seen when distributed LFI is configured on channelized serial interfaces and heavy traffic (close to line rate) occurs on these interfaces.
Workaround: There is no workaround.
•
CSCec87815
Symptoms: A buffer leak may occur in the Multilink PPP (MLP) header pool on a Versatile Interface Processor (VIP). The speed of the leak depends on the rate of traffic that is flowing between the interface of the VIP and the interface on the other end. The leak may eventually cause memory allocation failures (MALLOCFAIL) on the VIP and may result in memory fragmentation.
Conditions: This symptom is observed on a Cisco 7500 series when all of the following conditions are present:
–
Distributed Cisco Express Forwarding (dCEF) is enabled.
–
An MLP bundle that includes interfaces on the VIP is configured.
–
A different interface on the same VIP performs some type of fancy queueing such as committed access rate (CAR), policing, or Class-Based Weighted Fair Queueing (CBWFQ).
–
Packets are locally switched between the MLP interface and the interface that is configured for fancy queueing.
Workaround: Stop the leak by removing fancy queueing from the VIP interface.
Alternate Workaround: Move the MLP interfaces to a different VIP that does not have an interface that performs fancy queueing.
•
CSCed03186
Symptoms: A Cisco AS5300 may reload unexpectedly while voice extensible markup language (VXML) is being processed.
Conditions: This symptom is observed when Cisco AS5300 is configured with four E1 interfaces. The symptom does not occur when the Cisco AS5300 is configured with only two E1 interfaces.
Workaround: There is no workaround.
•
CSCed16526
Symptoms: FXO ports on a Cisco IAD2420 may cease to process inbound and outbound calls because a voice port is stuck in the "FXOGS_PARK" state.
Conditions: This symptom is observed on a Cisco IAD2420 voice gateway with FXO ports that runs Cisco IOS Release 12.2(15)T8, 12.3, or 12.3 T. The FXO ports are connected to the PSTN.
Workaround: Enter the shutdown command followed by the no shutdown command on the affected voice port.
•
CSCed21183
Symptoms: A router may reload with a bus error.
Conditions: This symptom is observed on a Cisco router that is configured for time-division multiplexing (TDM) hairpinning.
Workaround: There is no workaround.
•
CSCed30670
Symptoms: An H.323 proxy may fail when a conference call between a PSTN user and IP phone users is initiated by an IP phone in a Cisco CallManager environment.
Conditions: This symptom is observed on a Cisco router that functions as a gatekeeper, that has the H.323 proxy enabled, and that runs Cisco IOS Release 12.3(5) in the following topology:
An IP phone connects to a Cisco CallManager that connects to the Cisco gatekeeper that has the H.323 proxy enabled. The Cisco gatekeeper connects to yet another gatekeeper that connects to a gateway that, in turn, connects to the PSTN.
All calls to and from the Cisco CallManager IP phone via the Cisco gatekeeper are proxied. The Cisco CallManager runs software version 3.3(3)SR3. The display IE delivery option is disabled in the H.225 trunk configuration in the Cisco CallManager administration web page. The H.225 trunk is controlled by one of the gatekeepers.
The symptom occurs in the following sequence of events:
1.
A PSTN user calls an IP phone (IP phone 1).
2.
The user of IP phone 1 answers the call and the call is connected with two-way audio.
3.
The user of IP phone 1 presses the "conference" button and calls another IP phone (IP phone 2).
4.
The user of IP phone 2 answers the call and the call is connected with two-way audio.
5.
The user of IP phone 1 presses the "conference" button again.
6.
The H.323 proxy fails, causing the PSTN to be disconnected from the conference call.
7.
The conference call continues between the user of IP phone 1 and the user of IP phone 2.
Workaround: Enable the "Display IE delivery" option in the H.225 trunk configuration in the Cisco CallManager administration web page.
Alternate Workaround: Disable the H.323 proxy on the Cisco gatekeeper.
•
CSCed41231
Symptoms: An alignment error may cause a Cisco router to reload unexpectedly.
Conditions: This symptom is observed under rare conditions (an "extreme corner case") on a MIPS-based Cisco platform or on a Versatile Interface Processor (VIP), port adapter, or line card that contains a MIPS processor. The symptom is not release-dependent and may occur in all Cisco IOS releases.
Workaround: There is no workaround.
Further Problem Description: All Cisco 7500 VIPs and Cisco 7200 NPEs use MIPS-based processors. The following are additional platforms that use MIPS processors:
Cisco 2691, 3620, 3631, 3640, 3660, 3725, 3745, 4500, 4500-M, 4700, 4700-M, AS5300, AS5400, AS5450, AS5800 router shelf, AS5800 system controller (3640 based), 7120, 7140, UBR7100, UBR7200 - all NPEs, 7301, 7304, 7400, 6500 MSFC, 6500 MSFC2, 7600 MSFC, 7600 MSFC2, 10000, UBR10012, 12000 GRP, and most (if not all) 12000 line cards.
•
CSCed42332
Symptoms: A Versatile Interface Processor (VIP) with an ATM port adaptor may reload unexpectedly.
Conditions: This symptom is observed on a Cisco 7500 series that runs Cisco IOS Release 12.3(5) when the ATM interface is configured for Multilink PPP, Link Fragmentation and Interleave (LFI), and distributed Cisco Express Forwarding (dCEF).
Workaround: Disable LFI by entering the no ppp interleave command.
•
CSCed42514
Symptoms: A Cisco voice gateway may use an incorrect codec payload value (that is different from the configured value) during media transmission after the call is transferred to a new endpoint.
Conditions: This symptom is observed on a Cisco voice gateway that runs Cisco IOS Release 12.2(15)T9 or Release 12.3 and that is configured to use H.323 as the VoIP protocol. The symptom occurs when the remote endpoint sends an H.245 EmptyCapabilitySet (ECS) message to initiate the call transfer (H.323 Version 4, Section 8.4.6) after the initial call establishment and then sends an H.245 OpenLogicalChannel (OLC) message before sending a new H.245 TerminalCapabilitySet (TCS) message.
Workaround: There is no workaround.
•
CSCed42571
Symptoms: A Cisco router that functions as a PE router may crash.
Conditions: This symptom is observed when traffic is switched through a multilink interface on which a QoS service policy is configured that includes a set command and when the multilink interface flaps (goes down and comes back up). The symptom occurs at random and depends on the traffic pattern. This applies only to non-distributed CEF platforms.
Workaround: There is no workaround.
•
CSCed45746
Symptoms: Several prefixes for nonredistributed and connected interfaces in different VRFs may be partially bound to the same MPLS VPN label, causing traffic that is bound for one or more of these VRFs to be disrupted.
Conditions: This symptom is observed on a Cisco router after the VRF interfaces have flapped.
Workaround: Clear the routes in the VRFs in sequence.
•
CSCed57281
Symptoms: A router may log a CPUHOG message that is caused by the CEF reloader process.
Conditions: This symptom is observed on a Cisco router when a VRF with more than 9000 routes is added to the configuration.
Workaround: There is no workaround.
•
CSCed65075
Symptoms: A Cisco 7500 series with a VIP that has any type of ATM port adapter (PA) may crash with a bus error (sig 10) upon bootup. The VIP will ultimately come on line and the services are not impacted thereafter.
Conditions: This symptom is observed on a Cisco 7500 series that runs Cisco IOS Release 12.3 when ATM subinterfaces on the PA are configured for any QoS queueing feature (for example, shaping, LLQ, WRED, CBWFQ, fair-queueing, etc.).
Workaround: There is no workaround.
Further Problem Description: This is a timing issue between ATM interfaces coming up and being fully configured (via IPC) for QoS on the PA. The higher the number of ATM subinterfaces/PVCs, the more likely is a chance that the router crashes. However, if only one subinterface/PVC is configured, there is still a potential problem; the router may not crash but QoS may not function.
•
CSCed76061
Symptoms: A Versatile Interface Processor (VIP) on a Cisco 7500 series that runs Cisco IOS Release 12.3(5) and that is configured for distributed Link Fragmentation and Interleaving over ATM (dLFIoATM) may reload.
Conditions: This crash occurs when all of the conditions below are present:
–
Distributed CEF is enabled.
–
dLFIoATM is enabled.
–
The ATM permanent virtual circuits (PVCs) flap.
–
There are other port adapters in the same Versatile Interface Processor (VIP) that switches traffic to the ATM PVC.
Workaround: Avoid local VIP switching to the dLFIoATM PVC.
•
CSCed76670
Symptoms: On a Cisco IOS VoIP gateway, a memory leak may occur in the context of the H.323 process.
Conditions: This symptom is observed when there are low memory conditions and when translation rules are configured.
Workaround: Reload the gateway.
•
CSCed80374
Symptoms: A router may reload due to a bus error when processing VTSP.
Conditions: This symptom is observed when the router is configured for voice.
Workaround: There is no workaround.
•
CSCed84582
Symptoms: A router with VOIP configured may experience a memory leak in VTSP.
Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.2(15)T10. The symptom may also occur in Release 12.3 and 12.3 T.
Workaround: There is no workaround.
•
CSCee00483
Symptoms: An H.323 call across a Cisco IP-to-IP H.323 gateway (GW) may not work correctly.
Conditions: This problem is observed in the following topology:
A third party H.323 GW connects to a Cisco IP-to-IP H.323 GW (a Cisco 3660) that connects to a Cisco GW (a Cisco 2600 series) that, in turn, connects to an FXS phone.
Calls from the FXS phone to the third party GW intermittently do not work. The Cisco IP-to-IP H.323 GW runs Cisco IOS Release 12.3(5). This problem happens only when the Alerting and Connect messages are received by the IP-to-IP H.323 GW very quickly in succession and when the Connect message has a Facility element.
Workaround: There is no workaround.
•
CSCee06794
Symptoms: DTS may not work properly on dot1q Fast Ethernet subinterfaces. Traffic is not shaped at the expected rate.
Conditions: This problem is observed on a Cisco 7500 series that is configured as a PE router and that runs Cisco IOS Release 12.2(12i). The symptom may also occur in other releases.
Workaround: If this is an option, use ISL subinterfaces.
•
CSCee08584
Cisco Internetwork Operating System (IOS) Software release trains 12.1YD, 12.2T, 12.3 and 12.3T, when configured for Cisco's IOS Telephony Service (ITS), Cisco CallManager Express (CME) or Survivable Remote Site Telephony (SRST) may contain a vulnerability in processing certain malformed control protocol messages.
A successful exploitation of this vulnerability may cause a reload of the device and could be exploited repeatedly to produce a Denial of Service (DoS). This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20050119-itscme.shtml
Cisco has made free software upgrades available to address this vulnerability for all affected customers.
This vulnerability is documented by Cisco bug ID CSCee08584.
•
CSCee18883
Symptoms: All VIPs in a Cisco 7500 series restart as a consequence of a Cbus complex that is triggered by a stuck output. Just before the output becomes stuck, IPC timeout errors occur.
Conditions: This symptom is observed on a Cisco 7500 series that runs Cisco IOS Release 12.3(5) in a dLFIoATM environment.
Workaround: There is no workaround.
•
CSCee20205
Symptoms: A file type sometimes becomes ASCII text when you enter the write memory command on an NRP2-SV. You can see the file type when you enter the show file info disk0:slotX/nrp2-startup-config command on the NSP, as in the following example:
NSP# show file info disk0:slot5/nrp2-startup-config
disk0:slot5/nrp2-startup-config:
type is ascii text <<<<<
Conditions: This symptom is observed on an NRP2-SV that is installed in a Cisco 6400 series that runs Cisco IOS Release 12.2(15)T9 or 12.3(6).
Workaround: There is no workaround.
•
CSCee26700
Symptoms: A router may experience a memory leak when the LSR MIB is queried.
Conditions: This symptom is observed on a Cisco router running Cisco IOS Release 12.2(15)T10 but is software-independent.
Workaround: Disable the LSR MIB queries and reboot the device to reclaim the leaked memory.
•
CSCee34877
Symptoms: A Cisco AS5400 may crash with a bus error at address 0xFFFFFFFF.
Conditions: This symptom is observed on a Cisco AS5400 that runs Cisco IOS Release 12.3(6) only when facility messages are generated. The symptom may also occur on a Cisco 1700 series and Cisco 2600 series.
Workaround: There is no workaround.
•
CSCee65533
Symptoms: When you change the Cisco IOS release from one release to another release, a router may reload because of a bus error.
Conditions: This symptom is observed when changing the Cisco IOS release from Release 12.2 to Release 12.3(6a).
Workaround: There is no workaround.
•
CSCin45588
Symptoms: A Versatile Interface Processor (VIP) may reload, and the following error message may be logged:
%RSP-2-QAERROR: reused or zero link error
After the message has been logged, all VIPs in the router may reload.
Conditions: These symptoms are observed on a Cisco 7500 series that has dual RSPs installed, that runs Cisco IOS Release 12.2T, 12.3, or 12.3 T, and that has the service single-slot-reload-enable global configuration command enabled. The symptom occurs after the following events:
–
A VIP reloads and is recovered by a Single Line Card Reload (SLCR).
–
A VIP is removed via an OIR after the SLCR recovery of the above-mentioned VIP.
Workaround: There is no workaround.
•
CSCin56339
Symptoms: TCCS clear-channel codec calls may not go through. The trunks may be up but the signaling information may not be communicated.
Conditions: This symptom is observed only when a medium complex codec is configured.
Workaround: Use a high complex codec, or use stun encapsulation for the D-channel.
•
CSCin61922
Symptoms: A Cisco 7500 series with a multilink DLFI configuration may crash.
Conditions: This symptom is observed when an Ethernet packet is received on the RSP and is switched by the RSP to a DLFI multilink interface.
Workaround: There is no workaround.
•
CSCin62978
Symptoms: A FlexWAN, enhanced FlexWAN, or Versatile Interface Processor that has a PA-MC-E3 or PA-MC-T3 installed may crash.
Conditions: This symptom is observed under rare conditions in a stress situation with dLFI and dCRTP configured.
Workaround: There is no workaround.
•
CSCin66010
Symptoms: A Cisco 7500 series or MSFC2 with a FlexWAN module may spontaneously reload.
Conditions: This problem mainly occurs when there are multiple FR DLCIs or ATM PVCs attached to the same virtual-template interface or the same multilink virtual-access interface and when one of the following conditions occurs:
–
The no encapsulation frame-relay command is entered on the main interface and DLFIoFR is enabled.
–
The ATM PVC is removed while the dLFI virtual-access interface is still up.
Workaround: There is no workaround.
•
CSCin70454
Symptoms: A PPP session may stay down after a long series of link flaps.
Conditions: This symptom is observed when MLP/LFI is enabled on an ATM PVC.
Workaround: There is no workaround.
•
CSCuk38882
Symptoms: The following tracebacks can occur on a Route Processor (RP) console:
04:24:32: %ALIGN-3-SPURIOUS: Spurious memory access made at 0x619B6AD8 reading 0x10
04:24:32: %ALIGN-3-TRACE: -Traceback= 619B6AD8 60EC5764 60EC58D0 60EDAC74 6037C6A8 6037C694 00000000 00000000
Conditions: This problem is seen when a dLFIoATM interface flaps on a Cisco 7500 platform.
Workaround: There is no workaround.
•
CSCuk47905
Symptoms: On an LFI over ATM interface, ping does not work.
Conditions: This occurs only when distributed LFI over ATM is configured on a Cisco 7500 platform.
Workaround: There is no workaround.
Wide-Area Networking
•
CSCdv51281
Symptoms: A Cisco router that is configured for ISDN may reload unexpectedly and generate a "low stack for ISDN" error message.
Conditions: This symptom is observed when a high rate of bidirectional traffic occurs on the ISDN B channels. This problem occurred during a stress test.
Workaround: There is no workaround.
•
CSCec12689
Symptoms: After a router has reloaded, an ISDN PRI interface may not reestablish the proper layer 2 state.
Conditions: This symptom is observed on a Cisco router that communicates via Media Gateway Control Protocol (MGCP) with a Cisco CallManager that runs Release 3.3(2)spC.
Workaround: Enter the no mgcp global configuration command followed by the mgcp global configuration command.
Alternate Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the ISDN D channel.
•
CSCec40819
Symptoms: A Call Control Block (CCB) may not be freed when a "suspend" message that was received in an incorrect state is not processed correctly because a CCB leak occurs after a Redundant Link Manager (RLM) flaps.
Conditions: This symptom is observed on a Cisco platform that runs Cisco IOS Release 12.2(15)T7 or Release 12.3 and that is a component of a Cisco PGW 2200 PSTN Gateway that functions in a nailed configuration.
Workaround: There is no workaround.
•
CSCec68292
Symptoms: Dialer ping packets that are transferred via an asynchronous line may be dropped at the receiving end.
Conditions: This symptom is observed on a Cisco platform when the interface at the receiving end has the dialer map interface configuration command enabled.
Workaround: Do not enter the dialer map interface configuration command. Rather, enter the dialer string interface configuration command.
•
CSCec83030
Symptoms: A parity error on a Versatile Interface Processor (VIP) card may cause other VIPs to go to a wedged state.
Conditions: This symptom is observed on a Cisco 7500 series router.
Workaround: There is no workaround.
•
CSCed21027
Symptoms: Software interface description blocks (IDBs) may become exhausted after an interface flaps repeatedly.
Conditions: This symptom is observed under the following conditions:
–
PPP sessions go down.
–
The same PPP sessions come back up and make use of a new IDB rather than the previously used IDB.
–
A virtual-access interface is used rather than a virtual-access subinterface.
Workaround: There is no workaround.
•
CSCed29398
Symptoms: When a call is not answered, no release cause value may be sent to the public switched telephone network (PSTN) leg and an incorrect release cause value of 102 may be sent to the voice over IP (VoIP) leg.
Conditions: This symptom is observed on a Cisco router that is configured for ISDN when a T301 timer expires. When a call is not answered, a release cause value of 19 ("No answer from user [user alerted]") should be sent to both legs.
Workaround: There is no workaround.
•
CSCed29756
Symptoms: A Cisco router running a Cisco IOS image may crash because of a bus error when it accesses an invalid address (0x0B0D0B0D).
Conditions: This symptom is occasionally observed when an MLP bundle containing virtual-access PPP links goes down.
Workaround: There is no workaround.
•
CSCee47761
Symptoms: A Cisco 7500 series Route Switch Processor (RSP) may crash while Multilink PPP (MLP) is running.
Conditions: This symptom is observed on a Cisco 7500 series that runs Cisco IOS Release 12.3(5), that is equipped with a VIP4-80 and PA-A3 ATM port adapters, and that is configured for distributed Link Fragmentation and Interleaving over ATM (dLFIoATM).
Workaround: There is no workaround.
•
CSCin55905
Symptoms: An "ALIGN-3-SPURIOUS" spurious memory access and traceback may occur on a Cisco 7500 series.
Conditions: This symptom is observed in one of the following conditions:
–
When distributed Multilink PPP (MLP) is configured and when you enter the microcode reload global configuration command on the Route Switch Processor (RSP).
–
When a PPP timer expires after a PPP session has been cleaned up.
Workaround: There is no workaround.
Resolved Caveats—Cisco IOS Release 12.3(5c)
Cisco IOS Release 12.3(5c) is a rebuild release for Cisco IOS Release 12.3(5). The caveats in this section are resolved in Cisco IOS Release 12.3(5c) but may be open in previous Cisco IOS releases.
The following information is provided for each caveat:
•
Symptoms—A description of what is observed when the caveat occurs.
•
Conditions—The conditions under which the caveat has been known to occur.
•
Workaround—Solutions, if available, to counteract the caveat.
Basic System Services
•
CSCdz32659
Symptoms: Many memory allocation failure (MALLOCFAIL) messages may occur for a Cisco Discovery Protocol (CDP) process:
%SYS-2-MALLOCFAIL: Memory allocation of -1732547824 bytes failed from x605111F0, pool Processor, alignment 0 -Process= "CDP Protocol", ipl= 0, pid= 42 -Traceback= 602D5DF4 602D78A0 605111F8 60511078 6050EC88 6050E684 602D0E2C 602D0E18
Conditions: The symptom is observed on a Cisco 7513 that runs Cisco IOS Release 12.0(17)ST. The symptom may also occur on other Cisco 7500 series routers that run Release 12.0 S, 12.2 S, 12.3, or 12.3 T.
Workaround: To prevent the symptom from occurring again, disable CDP by entering the no cdp run global configuration command.
•
CSCec17234
Symptoms: A PC that is running Tactical Software DialOut/EZ (tacticalsoftware.com) may halt data transfer.
Conditions: This symptom is observed with Tactical Software DialOut/EZ that is running on a PC and a modem that is attached to a Cisco AS5300 that is running Cisco IOS software. The Cisco IOS software may lower the Data Set Ready (DSR) Data Carrier Detect (DCD) with a Clear To Send (CTS) message to the PC side. This causes the PC to halt data transfer.
Workaround: There is no workaround.
•
CSCec75829
Symptoms: Protocol translation sessions that require RADIUS authentication may fail to propagate class-attribute or state-attribute information in subsequent authentication and accounting packets.
Conditions: This symptom is observed in Cisco IOS Release 12.2 T, 12.3, and 12.3 T.
Workaround: There is no workaround.
•
CSCed00503
Symptoms: When you configure the Per VRF AAA feature by using a remotely defined customer template, a Virtual Home Gateway (VHG) may fail to parse authentication, authorization, and accounting (AAA) attributes that it receives in an Access-Accept response from a RADIUS server.
Conditions: This symptom is observed when the virtual-template interface is configured to support virtual-access subinterfaces and when the VHG functions under a heavy traffic load.
Workaround: Disable the virtual-access subinterfaces by entering the no virtual-template subinterface global configuration command.
Alternate workaround: Enter the ntp disable interface configuration command on the virtual-template interface.
•
CSCed19748
Symptoms: The individual AAA periodic accounting update messages (RADIUS accounting messages with Acct-Status-Type=Watchdog) generated by an IOS gateway for each call leg (TDM and IP) of the same voice call may be sent to the RADIUS server more than 5 minutes apart due to the randomized timer algorithm used by the AAA message transmit function.
Conditions: The command aaa accounting update newinfo periodic is configured.
Workaround: There is no workaround.
•
CSCin67568
Symptoms: A Cisco Catalyst 2950 experiences a memory leak in the CDP process.
Conditions: The device sending CDP packets sends a hostname that is 256 or more characters. There are no problems with a hostname of 255 or fewer characters.
Workaround: Configure the neighbor device to use a hostname of fewer than 256 characters, or disable the CDP process with the global command no cdp run.
Interfaces and Bridging
•
CSCec86136
Symptoms: When a Cisco router reloads, the ATM permanent virtual circuit (PVC) status remains inactive (INAC) even though the ATM subinterface is in an UP/UP state. The following message may also be displayed when you enter the debug atm errors privileged EXEC command:
ATM(ATMx/x/x):point-to-point interface does not have a VCD
Conditions: This symptom can occur on a Cisco router with a PA-A3 port adapter. The root cause is physical line errors during the reload, which cause carrier transitions on the PA-A3 interface, which in turn cause this problem.
Workaround: Enter the no shutdown interface configuration command on the ATM interface.
Further Problem Description: This problem can be seen on router reload even without any traffic.
IP Routing Protocols
•
CSCec07636
Symptoms: When the following Open Shortest Path First (OSPF) MIB tables are queried via snmpwalk, some interfaces may not be displayed:
–
ospfNbrTable
–
ospfIfTable
–
ospfIfMetricTable
Conditions: This symptom is observed on any Cisco platform that runs OSPF.
Workaround: There is no workaround.
Miscellaneous
•
CSCdz84448
Symptoms: When polling the cbQosREDClassStatsTable of the CISCO-CLASS-BASED-QOS-MIB, spurious memory accesses may occur on a Cisco 2600 series, Cisco 3600 series, or Cisco 7200 series. A Cisco 3640 router may also reboot. The spurious memory accesses may be reproduced when polling the above-mentioned table via Simple Network Management Protocol (SNMP).
Conditions: This symptom is observed on a Cisco 2600 series, Cisco 3600 series, and Cisco 7200 series that run Cisco IOS Release 12.2(8)T, Release 12.3, or Release 12.3 T.
Workaround: Prevent the router from answering to queries on the cbQosREDClassStatsTable by implementing the following SNMP view in the router configuration:
snmp-server view qos internet included
snmp-server view qos 1.3.6.1.4.1.9.9.166.1.20.1 excluded
snmp-server community string view qos ro
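A way to check a saved configuration for the workaround above, as an added example that is not part of the original release notes: it parses the snmp-server view and snmp-server community lines and reports which communities can still reach the cbQosREDClassStatsTable subtree. The community names and sample configurations are constructed, the longest-matching-subtree rule follows standard SNMP view behavior, and treating a community with no view keyword as unrestricted is an assumption.

```python
import re

# OID of cbQosREDClassStatsTable, taken from the workaround above.
TARGET_OID = (1, 3, 6, 1, 4, 1, 9, 9, 166, 1, 20, 1)

# Symbolic subtree names this example resolves (assumption: only these two).
NAMED = {"iso": (1,), "internet": (1, 3, 6, 1)}

VIEW_RE = re.compile(r"^snmp-server view (\S+) (\S+) (included|excluded)\s*$")
COMM_RE = re.compile(r"^snmp-server community (\S+)(.*)$")


def to_oid(token):
    """Turn 'internet' or '1.3.6.1' into a tuple of sub-identifiers."""
    if token in NAMED:
        return NAMED[token]
    if re.fullmatch(r"\d+(\.\d+)*", token):
        return tuple(int(part) for part in token.split("."))
    raise ValueError(f"unsupported subtree name: {token!r}")


def parse(config):
    """Return ({view: [(subtree, included)]}, [(community, view or None)])."""
    views, communities = {}, []
    for raw in config.splitlines():
        line = raw.strip()
        m = VIEW_RE.match(line)
        if m:
            entry = (to_oid(m.group(2)), m.group(3) == "included")
            views.setdefault(m.group(1), []).append(entry)
            continue
        m = COMM_RE.match(line)
        if m:
            v = re.search(r"\bview (\S+)", m.group(2))
            communities.append((m.group(1), v.group(1) if v else None))
    return views, communities


def allows(entries, oid):
    """The longest subtree that is a prefix of oid decides; no match means denied."""
    best = None
    for subtree, included in entries:
        if oid[:len(subtree)] == subtree:
            if best is None or len(subtree) > len(best[0]):
                best = (subtree, included)
    return best is not None and best[1]


def table_reachable(entries, table=TARGET_OID):
    """True if the table itself, or any subtree re-included beneath it, is visible."""
    if allows(entries, table):
        return True
    return any(included and len(subtree) > len(table)
               and subtree[:len(table)] == table
               for subtree, included in entries)


def audit(config):
    """Map each community string to 'protected', 'exposed', or a reason."""
    views, communities = parse(config)
    result = {}
    for name, view in communities:
        if view is None:
            result[name] = "exposed (no view)"
        elif view not in views:
            result[name] = "undefined view"
        elif table_reachable(views[view]):
            result[name] = "exposed"
        else:
            result[name] = "protected"
    return result


# Constructed sample: a view without the exclusion, and a community with no view.
WEAK = """
snmp-server view qos internet included
snmp-server community monitor-a view qos ro
snmp-server community monitor-b ro
"""

# Constructed sample: the workaround applied as written above.
FIXED = """
snmp-server view qos internet included
snmp-server view qos 1.3.6.1.4.1.9.9.166.1.20.1 excluded
snmp-server community monitor-a view qos ro
"""

# Constructed sample: a deeper include that re-opens part of the excluded table.
REOPENED = FIXED + "snmp-server view qos 1.3.6.1.4.1.9.9.166.1.20.1.1 included\n"

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("fixed", FIXED), ("reopened", REOPENED)):
        print(label, audit(cfg))
```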
•
CSCdz84583
A vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences beyond a terminated connection, which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer) and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality.
All Cisco products which contain a TCP stack are susceptible to this vulnerability.
This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS® software.
A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.
•
CSCeb29013
Symptoms: When two or more phone calls (Foreign Exchange Office [FXO] or BRI) are set as "hold" and "hold," or "resume" is repeated by one of the calls, an input queue wedge may occur.
Conditions: This symptom is observed on a Cisco voice gateway that is running Cisco IOS Release 12.2(15)T1 and that has multicast for Music on Hold (MOH) configured.
Workaround: Enable Protocol Independent Multicast (PIM) on the voice gateway.
Alternate Workaround: Use unicast MOH.
Second Alternate Workaround: Reboot the router. Entering the clear interface EXEC command and the shutdown interface configuration command followed by the no shutdown interface configuration command does not clear the input queue wedge.
•
CSCeb34203
Symptoms: On a Cisco router, output queue packet drops may occur on the priority queue of an E1 serial interface on a 1-port multichannel E3 port adapter (PA-MC-E3), after which the E1 serial interface becomes congested.
Conditions: This symptom is observed on a Cisco 7200 series that runs Cisco IOS Release 12.1(18)E. However, the symptom is not specific to the platform or the Cisco IOS software release but specific to the port adapter.
Workaround: Enter the tx-ring-limit interface configuration command to increase the value of the drivers that are transmitted on the queue. For additional information, refer to the document at the following location:
/en/US/tech/tk39/tk824/technologies_tech_note09186a00800fbafc.shtml
•
CSCeb52270
Symptoms: An interface of a Cisco router may not be able to receive traffic that is destined for an address that is configured on the router.
Conditions: This symptom is platform independent and occurs only when there is a route in a different VPN routing and forwarding instance (VRF) that is attached or connected to the interface. This may occur when the route has been exported from one VRF to another or when a static route in a VRF points to the interface.
Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the affected interface.
•
CSCeb56909
Cisco Routers running Internetwork Operating System (IOS) that supports Multi Protocol Label Switching (MPLS) are vulnerable to a Denial of Service (DoS) attack on MPLS disabled interfaces.
The vulnerability is only present in Cisco IOS release trains based on 12.1T, 12.2, 12.2T, 12.3 and 12.3T. Releases based on 12.1 mainline, 12.1E and all releases prior to 12.1 are not vulnerable.
More details can be found in the security advisory which is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050126-les.shtml.
•
CSCeb78582
Symptoms: When a gateway that is in Media Gateway Control Protocol (MGCP) fallback mode reloads, no calls can be made, nor can calls be received. When the gateway comes up again, all controllers including a serial controller are automatically shut down. When you turn off auto configuration and reload the router again, you can make calls, but you still cannot receive calls.
Conditions: This symptom is observed on a Cisco 3700 series that functions as a gateway when all Cisco CallManagers (including the primary and the backup Cisco CallManager) are down, when the TFTP server is still up, and when the gateway is reloaded. This situation causes E1 or T1 controllers to be shut down. This caveat is platform independent and may occur on another Cisco router that functions as a gateway.
Workaround: Enter the no shutdown controller configuration command on the affected E1 or T1 controller.
•
CSCec10776
Symptoms: A Foreign Exchange Office (FXO) port on a Cisco 3600 series may lock up and not process any calls.
To determine if the port is locked up, enter the show voice port summary EXEC command and look for a port that is in the "up, up, idle, on-hook" state, as in the following example:
                                     IN       OUT
PORT      CH SIG-TYPE     ADMIN OPER STATUS   STATUS   EC
========= == ============ ===== ==== ======== ======== ==
2/0/0     -- fxo-ls       up    up   idle     on-hook  y
Conditions: This symptom is observed when the port processes a moderate traffic load.
Workaround: Enter the shutdown port configuration command followed by the no shutdown port configuration command on the affected port.
•
CSCec11122
Symptoms: A Cbus Complex may occur and the packet memory may be recarved, causing a temporary disruption in service.
Conditions: This symptom is observed on a Cisco 7500 series when you install an 8-port multichannel T1/E1 PRI port adapter (PA-MC-8TE1+) or an enhanced 2-port T1/E1 high-capacity port adapter (PA-VXC-2TE1+) and when you configure the port adapter via the command-line interface (CLI) for E1 or T1.
Workaround: There is no workaround. Try to install the port adapter during a maintenance window.
•
CSCec15911
Symptoms: Subinterfaces that are not configured for policing may randomly drop packets.
Conditions: This symptom is observed when modular QoS CLI (MQC) class-based policing is configured on an Inter-Switch Link (ISL) subinterface and when there are other ISL subinterfaces that are not configured for policing.
Possible Workaround: Remove the quality of service (QoS) policy with class-based policing from the ISL subinterface.
•
CSCec19217
Symptoms: Gateways may not be able to register with the gatekeeper.
Conditions: This symptom is observed when the security password is enabled on the gatekeeper.
Workaround: There is no workaround. If you remove the security password, there is no authentication.
•
CSCec24494
Symptoms: A Cisco IAD2420 may reload unexpectedly when a watchdog timeout occurs in the voice telephony service provider (VTSP) process.
Conditions: This symptom is observed during normal processing of calls in the local-bypass mode.
Workaround: There is no workaround.
•
CSCec29162
Symptoms: A terminating gateway rejects incoming Voice over IP (VoIP) calls that carry Field Compatibility Information (FDC) national calling party category (CPC) information in the generic transparency descriptor (GTD) message.
Conditions: This symptom is observed on an H.323 version 4 (V4) Cisco gateway that terminates T1 channel-associated signaling (CAS). Calls that originate from Signaling System 7 (SS7) and R2 trunks that carry national CPC values are affected.
Workaround: There is no workaround.
•
CSCec29292
Symptoms: A gateway does not send an H.225 progress (PROG) Information Element (IE) when it receives an ISDN call proceeding (callp) with a progress indicator (PI).
Conditions: This symptom is observed when an ISDN public switched telephone network (PSTN) switch returns a callp message with a PI IE in response to the setup message from the terminating gateway. The callp does not trigger any H.225 message from the terminating gateway to the originating gateway.
Workaround: There is no workaround.
•
CSCec30329
Symptoms: An originating gateway (OGW) may incorrectly insert the calling number information element (IE) in an H.225 call setup message to the terminating gateway (TGW).
Conditions: This symptom is observed on a Cisco AS5400 that functions as an OGW. The symptom occurs only for calls from an H.323-Version 4 OGW to an H.323-Version 2 TGW when the following conditions are present:
–
The OGW and TGW use different gatekeepers.
–
The gatekeeper that is used by the OGW is connected to a route server for call routing.
–
The route server is configured for Gatekeeper Transaction Message Protocol (GKTMP).
Workaround: There is no workaround.
•
CSCec31162
Symptoms: Incorrect tags may be imposed after a route has flapped.
Conditions: This symptom is observed on a Cisco router that functions in a Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) environment.
Workaround: There is no workaround.
•
CSCec34456
Symptoms: A router may reload with a bus error, and the following message appears:
PC 0x616F0B80, address 0x3C.
Conditions: This symptom is observed on a Cisco 3660 router that has low memory.
Workaround: There is no workaround.
•
CSCec37163
Symptoms: One-way audio may occur during a phone call: a user on the public switched telephone network (PSTN) side may not hear a Cisco IP SoftPhone user.
The output of debug commands and sniffer traces does not indicate any packet drops, and when you listen to the sniffer trace, there seems to be two-way audio.
Conditions: This symptom is observed when the Cisco IP SoftPhone calls the PSTN via a Cisco VG200 series that runs Cisco IOS Release 12.2(15)T7, 12.3, or 12.3 T.
Workaround: There is no workaround. Note that the symptom does not occur in Release 12.2(11)T2.
•
CSCec38322
Symptoms: A Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) provider edge (PE) router that is running distributed Cisco Express Forwarding (dCEF) may have high memory usage and memory allocation failures when dCEF is disabled and then reenabled.
Conditions: This symptom is observed on a PE router that has a large number of VPN routes (over 30,000) in a VPN routing/forwarding (VRF) table when CEF is disabled and then reenabled.
Further Problem Description: View the output of the show processes memory EXEC command to verify that the CEF process memory usage increases.
Workaround: Reload the router.
•
CSCec41102
Symptoms: A Cisco 2691XM router that is configured as an H.323 gatekeeper may reload when the gatekeeper functionality is shut down and when the dynamic zone prefix gatekeeper configuration command is configured.
Conditions: This symptom is observed on a Cisco 2691XM that is running Cisco IOS Release 12.2(15)T5 or Release 12.3(2)T when the dynamic zone prefix gatekeeper configuration command is enabled by default on both the gateway and the gatekeeper, and when the following conditions occur:
–
The gateway has a plain old telephone system (POTS) dial peer with the destination pattern the same as the zone prefix configured on the gatekeeper.
–
The gateway is registered with the gatekeeper.
For example:
This symptom is observed when the gateway and the gatekeeper have the following configurations (the same destination pattern and zone prefix):
Gateway configuration (with dynamic prefix registration enabled):
dial-peer voice 1 pots
destination-pattern 385....
Gatekeeper configuration:
zone prefix zone-1 385 ....
gw-priority 10 GW1
The symptom is not observed when the gateway and the gatekeeper have the following configurations (the destination pattern and the zone prefix are different):
Gateway configuration (with dynamic prefix registration enabled):
dial-peer voice 1 pots
destination-pattern 555....
Gatekeeper configuration:
zone prefix zone-1 385....
gw-priority 10 GW1
For information on how to disable dynamic zone prefixes, refer to the following URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a00801541bc.html
•
CSCec42547
Symptoms: An incorrect MAC encapsulation string in a Multiprotocol Label Switching (MPLS) forwarding table on a provider edge (PE) router causes traffic to go down.
Conditions: This symptom is observed on a cell-based Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) that rebuilds the MPLS forwarding table after traffic stops on a PE router.
Workaround: Enter the clear ip route network EXEC command on the PE router that has the traffic problem.
Alternate Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface command on the MPLS interfaces of the problem PE.
•
CSCec42941
Symptoms: When multiple dial peers are configured with different translation rules that are used on the same call, the authentication, authorization, and accounting (AAA) accounting records do not show accurate information of the translated called number.
Conditions: This symptom is observed on a Cisco AS5350 and a Cisco AS5400 when the outbound dial peers have translation rules configured and when multiple dial peers are used for an outbound call because of dial-peer hunting. The symptom does not occur on a Cisco AS5300.
Workaround: Analyze the call by using the correct number that is contained in the gw-final-xlated-cgn vendor-specific attribute (VSA) that is part of the stop record for the RADIUS server.
Further Problem Description: When a universal gateway such as a Cisco AS5350 or Cisco AS5400 receives a call via time-division multiplexing (TDM), and this call needs to be forwarded via Voice over IP (VoIP), the universal gateway tries the first dial peer, which translates the called number and adds a prefix to it. When this call does not go through, the universal gateway tries a second dial peer via dial-peer hunting. This second dial peer translates the number and adds a different prefix to it.
There is a start and stop record for each dial peer:
–
The start record for the first dial peer contains the called station ID with the translated number and the first prefix, and there is a stop record for the first dial peer.
–
There is a start record for the second dial peer, but it contains the called station ID with the prefix of the first dial peer.
Although the number is translated and properly sent, the AAA records are incorrectly populated.
•
CSCec45307
Symptoms: There may be no memory for the expanded TFIB PSA. The label allocation may fail with error messages that are shown below and may be followed by a memory traceback.
%TAGCON-3-LCLTAG_ALLOC: Cannot allocate local tag
%TFIB-2-MEMORY: No memory for expanded TFIB PSA -Traceback=
Conditions: This symptom is only observed on an MPLS-capable Cisco platform and only when the label space has been exhausted to the maximum level supported by the platform or is about to be exhausted (only a few hundred labels are available) and when the TFIB table is expanded further.
Workaround: Enter the mpls label range 16 101900 command at the conf-t level to avoid the error messages.
•
CSCec46250
Symptoms: There may be a format difficulty when you save digital signal (DS) power-level information onto the NVRAM of a Cisco uBR900.
Conditions: This symptom is observed on a Cisco uBR900 that runs Cisco IOS Release 12.2(15)T7, 12.3, or 12.3 T.
Workaround: There is no workaround.
•
CSCec49097
Symptoms: A Cisco 7200 series pauses indefinitely in the middle of a link control protocol (LCP) negotiation. The PPP over ATM (PPPoATM) session receives a "Sending Acct Event [Reneg]" message and terminates the LCP phase. The remote peer renegotiates another PPP session and uses the same PPP ID. This causes a continuous LCP state for that user.
Conditions: This symptom is observed on a Cisco 7200 series that is configured for PPPoATM and that runs Cisco IOS Release 12.2(15)T9. The symptom may also occur in other releases.
Workaround: There is no workaround.
•
CSCec52593
Symptoms: A router may reload when the police policy-map class configuration command is enabled under a policy map.
Conditions: This symptom has been observed rarely and is not easily reproduced.
Workaround: There is no workaround.
•
CSCec54202
Symptoms: A Cisco AS5xx0 platform that is equipped with a particular third-party vendor E1/T1 framer may bring down the controller immediately upon receiving an alarm indication signal (AIS).
Conditions: This symptom is observed when noisy line conditions that last less than 2 seconds cause T1 links to go down or when outages or cable difficulties that last less than 2 seconds cause the controller to go down.
Workaround: There is no workaround.
•
CSCec57004
Symptoms: The maximum MTU with a DF set across an L2TP MPLS VPN is 1460 while the physical layer MTU is 1500; any ping larger than 1460 may fail.
Conditions: This symptom is observed on a LES platform such as a Cisco 3600 series or a Cisco 4500 series when the router performs MPLS operations and functions as an L2TP Network Server (LNS). The incoming MPLS packet is dropped while the router attempts to inject the packet into the L2TP tunnel.
Workaround: Traffic of packets between 1460 and 1500 bytes can be made possible by fragmenting the tagged packets before the transmission.
Enter the mpls mtu 1450 command on the router in the MPLS cloud before the MPLS packet reaches the router that injects the packet into the L2TP tunnel.
•
CSCec61028
Symptoms: R2 International Telecommunication Union (ITU) base variants do not apply the correct mapping for the following two ISDN or ISDN User Part (ISUP) cause values (CVs):
–
CV#04 - Send Special Information Tone
–
CV#28 - Invalid Number Format (Address Incomplete)
Conditions: This symptom is observed on Cisco gateways that are configured with ISDN and Redundant Link Manager (RLM) and that have R2-ITU trunks.
Workaround: There is no workaround.
•
CSCec64570
Symptoms: The node of a local Label Switch Controller (LSC) that is part of a Multiprotocol Label Switching (MPLS) cell-based network may observe the following symptoms:
–
The local provider edge (PE) router cannot ping the remote customer edge (CE) router.
–
The remote PE router cannot ping the local CE router.
–
The local PE router can ping the remote CE router with type of service (ToS) equal to 0xe0.
–
The remote PE router can ping the local CE router with ToS equal to 0xe0.
–
A ping with the route record option does not work in either direction.
–
A ping with the trace route option does work.
Conditions: These symptoms are observed on the LSC of a Cisco MGX Route Processor Module (MGX-PRM-PR-512) that is running Cisco IOS Release 12.2(15)T4a.
Workaround: From the node of the local LSC that is observing the symptoms, enter the clear ip route network EXEC command.
•
CSCec66816
Symptoms: A gateway that receives a mid-call invite message with a missing contact header may respond with a "400 Bad Request" message, causing the call to be terminated. This is improper behavior.
Conditions: This symptom is observed on a Cisco gateway that runs Cisco IOS Release 12.2(15)T, 12.3, or 12.3 T.
Workaround: There is no workaround.
•
CSCec67879
Symptoms: Some PPP sessions may not come up and become stuck in the link control protocol (LCP) negotiation state.
Conditions: This symptom is observed on a Cisco 6400 series Node Route Processor (NRP). A list of the affected releases can be found at:
http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCec49097. Cisco IOS software releases that are not listed in the "First Fixed-in Version" field at this location are not affected.
Workaround: There is no workaround.
•
CSCec71102
Symptoms: A Cisco Session Initiation Protocol (SIP) gateway does not use calling information that is contained in the Remote-Party-ID header. A traceback may be observed and the following error is displayed in the output of the debug ccsip error privileged EXEC command:
sippmh_parse_remote_party_id: syntax error in Remote-Party-ID header
Conditions: This symptom is observed on a Cisco SIP gateway that runs Cisco IOS Release 12.2(13)T, 12.3, or 12.3 T and occurs when the gateway receives an initial INVITE message with a Remote-Party-ID header that contains the "other" parameters in the header. The symptom may also occur in other releases.
Workaround: There is no workaround.
•
CSCec73063
Symptoms: An output wedge and drops may occur on the multilink interface of a Cisco 7200 series. The output of the show interfaces privileged EXEC command may display the following information:
.
.
.
Multilink3 is up, line protocol is up
.
.
.
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 5526
Queueing strategy: fifo
Output queue: 31/40 (size/max)
.
.
.
Conditions: This symptom is observed on a multilink interface that has two E1 interfaces in a multilink bundle when there is a low traffic rate.
Workaround: Use the physical interface without a multilink bundle.
•
CSCec85585
Symptoms: Some virtual circuit (VC) information is missing in the Simple Network Management Protocol (SNMP) MIB object cAal5VccEntry from the output of the snmpwalk router configuration command. The ATM VCs 0/100, 0/200 and 0/500 exist on the router but are missing in the MIB.
Conditions: This symptom is observed on a Cisco 7513 router that is running a special image of Cisco IOS Release 12.2(15)T5. The symptom may also occur in other releases.
Workaround: Enter the show atm vc privileged EXEC command on the same device to obtain a complete list of all the VCs.
•
CSCec86102
Symptoms: Tag entries may be missing on a Versatile Interface Processor (VIP).
Conditions: This symptom is observed on a Cisco 7500 series that has distributed Cisco Express Forwarding (dCEF) enabled.
Workaround: Enter the clear cef linecard user EXEC or privileged EXEC command.
•
CSCec86420
Symptoms: When you enter the undebug all privileged EXEC command on a Cisco 3700 series, all traffic that passes through an encrypted generic routing encapsulation (GRE) tunnel may stop.
Conditions: This symptom is observed on a Cisco 3700 series that is configured with a GRE tunnel that is secured via IP Security (IPSec) and that is using Cisco Express Forwarding (CEF) switching.
Workaround: Reinitialize CEF switching by entering the no ip cef global configuration command followed by the ip cef global configuration command.
Alternate Workaround: Do not enter the undebug all privileged EXEC command. Rather, individually disable each debug command.
•
CSCed11793
Symptoms: The output queue of a Gigabit Ethernet port may become stuck, preventing traffic from leaving the interface.
Conditions: This symptom is observed on the Gigabit Ethernet port 0/1 (gig0/1) of a Network Processing Engine NPE-G1 (NPE-G1) that is installed in a Cisco 7200 series.
Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the affected interface.
Alternate Workaround: Reload the router.
•
CSCed11874
Symptoms: Hairpin voice calls that are made via recEive and transMit (E&M) wink on multiple channels may cause digital signal processors (DSPs) to time out. The output of the show voice dsp privileged EXEC command may show "-1" followed by "DSP_TIMEOUT."
Conditions: This symptom is observed on a Cisco IAD2420 series. The symptom does not occur with plain old telephone system (POTS) calls, nor does it occur on a Cisco 2600 series, Cisco 3600 series, and Cisco 3700 series.
Workaround: Enter the voice dsp allocation round-robin global configuration command.
•
CSCed13210
Symptoms: A terminating gateway (TGW) that receives a group B backward signal 5 (B5 signal) from a terminating switch that is configured for R2 signaling may map the B5 signal to cause value 42 ("Switching equipment congestion") in the H.225 Release Complete message. This is improper behavior: the B5 signal should be mapped to cause value 1 ("Unallocated [unassigned] number").
Conditions: This symptom is observed on a Cisco platform that functions as a TGW.
Workaround: There is no workaround.
•
CSCed13214
Symptoms: A gatekeeper that is configured for H.323 version 4 (H.323v4) may not insert service IDs in an Admission Rejection (ARJ) message to an H.323v4 gateway.
Conditions: This symptom is observed on a Cisco platform that functions as a gatekeeper and that receives service IDs from a route server but does not include the service IDs in the ARJ message to the H.323v4 gateway.
Workaround: There is no workaround.
•
CSCed16685
Symptoms: When an originating gateway (OGW) receives an R2 Group II signal that is equal to 5 from an incoming E1 R2 trunk, the OGW may map this signal to a generic transparency descriptor (GTD) ISDN User Part (ISUP) calling party category (CPC) that is equal to 6. This is improper behavior: the R2 Group II signal that is equal to 5 should be mapped to a GTD ISUP CPC that is equal to 29.
Conditions: This symptom is observed on a Cisco AS5xxx platform that functions as an OGW with an R2 interface and that uses GTD for signaling transparency across an H.323 Voice over IP (VoIP) network.
Workaround: There is no workaround.
•
CSCed22837
Symptoms: A router may reload unexpectedly when packets are tag switched.
Conditions: This symptom is observed when a Bridge-Group Virtual Interface (BVI) is created after the router has booted up, when IP packets are received through the BVI, and when these IP packets are forwarded as Multiprotocol Label Switching (MPLS) packets through another interface.
Workaround: Disable tag switching on the BVI interface by entering the tag-switching ip interface configuration command followed by the no tag-switching ip interface configuration command.
•
CSCed27956
A vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences beyond a terminated connection, which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer) and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality.
All Cisco products which contain a TCP stack are susceptible to this vulnerability.
This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS® software.
A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.
•
CSCed31039
Symptoms: At 12 cps, the following message is displayed on a V4 gatekeeper:
ASSERT failed: line 9900 in file ../mm/gk/gk_rassrv_util.c
Conditions: This symptom is observed when an external server is using the GKTMP interface to communicate with the gatekeeper and when the gatekeeper is configured with "send-cisco-circuit-info."
Workaround: There is no workaround.
•
CSCed34058
Symptoms: A Layer 2 Tunneling Protocol (L2TP) network server (LNS) may not remove a per-user access control list (ACL) from the configuration. This situation may cause the memory of the LNS to be depleted, and the output of the show processes memory EXEC command may indicate that the "AAA Per-User" process holds most of the allocated memory.
Conditions: This symptom is observed on a Cisco router that functions as an LNS in a Large-Scale Dial-Out (LSDO) configuration when a per-user ACL is present in the RADIUS profile of the user.
Temporary Workaround: To free up memory, manually remove the per-user ACL by entering the no ip access-list extended virtual-access number global configuration command. The number argument consists of the numbers (for example, 2003#671) that are assigned by the Cisco IOS software when the ACL is created.
•
CSCed35253
Symptoms: A router may reload unexpectedly after it attempts to access a low memory address.
Conditions: This symptom is observed after ACLs have been updated dynamically or after the router has responded dynamically to an IDS signature.
Workaround: Disable IP Inspect and IDS.
•
CSCed38527
A vulnerability in the Transmission Control Protocol (TCP) specification (RFC 793) has been discovered by an external researcher. Successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences beyond the terminated connection, which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer) and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality.
All Cisco products which contain a TCP stack are susceptible to this vulnerability.
This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS software.
A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.
•
CSCed47409
Symptoms: In Cisco IOS software that is running Multiprotocol Label Switching (MPLS), a router may reload after accessing a freed Label Information Base (LIB) entry. When the symptom occurs, an error message similar to the following is likely to precede the reload:
%TIB-3-LCLTAG: 10.10.10.10/10.10.10.10, tag advert; unexpected tag state=13
Conditions: This symptom is observed when a very uncommon timing of Label Distribution Protocol (LDP) events occurs. The symptom may occur with LDP or Tagswitching Distribution Protocol (TDP).
Workaround: There is no workaround.
•
CSCed40933
Cisco Internetwork Operating System (IOS) Software is vulnerable to a Denial of Service (DoS) attack from crafted IPv6 packets when the device has been configured to process IPv6 traffic. This vulnerability requires multiple crafted packets to be sent to the device which may result in a reload upon successful exploitation.
More details can be found in the security advisory, which is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050126-ipv6.shtml.
•
CSCed51523
Symptoms: The show flash-filesystem EXEC command and the dir filesystem EXEC command may not work properly on a Cisco 2600XM, preventing you from seeing the flash images.
In addition, the copy destination url flash: EXEC command may fail when the erase option is not selected (that is, you type in no when you are asked if you want to erase the device). The copy destination url flash: EXEC command functions fine when you do select the erase option.
Conditions: These symptoms are observed on a Cisco 2600XM that is configured with a particular third-party vendor 16-MB SIMM. Note that the router is still functional with this SIMM; you can boot or reload the router, perform a TFTP download operation, and similar actions without any difficulty.
Workaround: There is no workaround.
•
CSCed67308
Symptoms: A Cisco 3600 series or Cisco 3700 series may not initialize correctly and report the following error message during startup:
%VPN_HW-1-INITFAIL: Slot 1: hifn7814_init_ds
Conditions: This symptom is observed on Cisco 3600 series and Cisco 3700 series that run Cisco IOS Release 12.3(6) and that use a Virtual Private Network (VPN) encryption and hardware advanced integration module AIM-VPN/EPII or an AIM-VPN/HPII. If the AIM is installed in slot 1, it fails to initialize.
Workaround: Install the AIM in slot 0 instead of slot 1.
•
CSCed68575
Cisco Internetwork Operating System (IOS) Software release trains 12.0S, 12.1E, 12.2, 12.2S, 12.3, 12.3B and 12.3T may contain a vulnerability in processing SNMP requests which, if exploited, could cause the device to reload.
The vulnerability is only present in certain IOS releases on Cisco routers and switches. This behavior was introduced via a code change and is resolved with CSCed68575.
This vulnerability can be remotely triggered. A successful exploitation of this vulnerability may cause a reload of the device and could be exploited repeatedly to produce a Denial of Service (DoS).
This advisory is available at /en/US/products/products_security_advisory09186a008021b9b5.shtml
•
CSCed79694
Symptoms: An MFR interface does not forward traffic.
Conditions: This symptom is observed on a Cisco platform when traffic is forwarded outbound on the MFR interface.
Workaround: Flap the MFR interface.
•
CSCed89735
Symptoms: An uncorrectable ECC parity error may occur on a Cisco 7200 series that is configured with an NPE-G1.
Conditions: This symptom is observed rarely when you enter the show sysctlr or the show tech command on the NPE-G1.
Workaround: Do not enter the show sysctlr or the show tech command.
•
CSCed93836
A vulnerability in the Transmission Control Protocol (TCP) specification (RFC 793) has been discovered by an external researcher. Successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences beyond the terminated connection, which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer) and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality.
All Cisco products which contain a TCP stack are susceptible to this vulnerability.
This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS software.
A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.
•
CSCee04235
Symptoms: A Network Processing Engine G1 (NPE-G1) may restart unexpectedly and report the following message:
Last reset from watchdog reset
Conditions: This symptom is observed on a Cisco 7200VXR series that is configured with an NPE-G1 Network Processing Engine.
Workaround: There is no workaround.
•
CSCin45173
Symptoms: A Cisco 7206VXR may reload when there is a high E1 PRI call load.
Conditions: This symptom is observed on a Cisco 7206VXR that runs the c7200-is-mz image of Cisco IOS Release 12.3(3) or Cisco IOS Release 12.3(2)T.
Workaround: There is no workaround.
•
CSCin53682
Symptoms: A provider edge (PE) router may reload when packets are forwarded while a remote Virtual Private Network (VPN) prefix is being reresolved.
Conditions: This symptom is observed when the MPLS VPN—Inter-AS—IPv4 BGP Label Distribution feature is configured for option 4, that is, for a non-VPN transit provider and a multi-hop external Border Gateway Protocol (eBGP) connection between route reflectors (RRs).
Workaround: For the exchange of PE loopback addresses between autonomous systems, do not use eBGP with IPv4 label distribution. Rather, configure redistribution into Interior Gateway Protocol (IGP) or static routes.
•
CSCin59445
Symptoms: Interfaces of a serial port adapter may not be recognized.
Conditions: This symptom is observed on a Cisco 7200 series, Cisco 7500 series, and Cisco 7600 series that run Cisco IOS Release 12.3 or 12.3 T and that have any of the following port adapters installed:
–
Enhanced 4-port serial port adapter (PA-4T+)
–
8-port serial port adapter (PA-8T)
–
1-port High-Speed Serial Interface port adapter (PA-H)
–
1-port E3 serial port adapter (PA-E3)
–
1-port T3 serial port adapter (PA-T3)
Workaround: There is no workaround.
•
CSCin60870
Symptoms: "Calling Party Number" is not seen in the ISDN setup message on the terminating gateway while verifying whether the remote party ID information is properly passed to the Q931 interface.
Conditions: This symptom occurs when there is calling party information coming from the SIP leg and privacy is not set.
Workaround: There is no workaround.
TCP/IP Host-Mode Services
•
CSCec59790
Symptoms: A leak may occur in the big buffers of a Cisco platform even when the platform receives a relatively low number of calls.
Conditions: This symptom is observed on a Cisco AS5300 that runs the c5300-js-mz image of Cisco IOS Release 12.1(21) or Release 12.3. The symptom may be platform independent.
Workaround: There is no workaround.
Wide-Area Networking
•
CSCec38904
Symptoms: A call from a remote client may be terminated at a Layer 2 Tunneling Protocol (L2TP) network server (LNS) that functions as a multihop node instead of being forwarded to a second LNS.
Conditions: This symptom is observed when the L2TP Tunnel Connection Speed Labeling feature is enabled in a multihop-node configuration in which an LNS functions as a multihop node that authenticates a user based on the connection speed of the user. When the connected Cisco Access Registrar (ARS) RADIUS server sends an Access-Accept message, the LNS should forward the L2TP session to a second LNS, but does not do so, causing the call to be terminated on the LNS itself.
Workaround: There is no workaround.
•
CSCec51441
Symptoms: When a terminating gateway (TGW) receives an ISDN call proceeding (callp) message with a progress indicator (PI) information element (IE), ISDN may not create a generic transparency descriptor (GTD). This situation prevents the TGW from sending an H.225 message to the originating gateway (OGW).
Conditions: This symptom is observed when an ISDN public switched telephone network (PSTN) switch returns a callp message with a PI IE in response to a setup message from the TGW.
The proper behavior should be as follows:
When the TGW receives the callp message, ISDN creates the following GTD:
gtd msg = " CPG, PRN,isdn*,,NET5*,"
With this GTD, the callp message triggers an H.225 progress message from the TGW to the OGW.
Workaround: There is no workaround.
Resolved Caveats—Cisco IOS Release 12.3(5b)
Cisco IOS Release 12.3(5b) is a rebuild release for Cisco IOS Release 12.3(5). The caveats in this section are resolved in Cisco IOS Release 12.3(5b) but may be open in previous Cisco IOS releases.
The following information is provided for each caveat:
•
Symptoms—A description of what is observed when the caveat occurs.
•
Conditions—The conditions under which the caveat has been known to occur.
•
Workaround—Solutions, if available, to counteract the caveat.
Basic System Services
•
CSCec25430
Symptoms: When you reload a faulty Cisco IP Conference Station 7935, a Catalyst 4000 Supervisor Engine III or IV may reload. Before the supervisor engine reloads, the following message may be displayed:
%CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet5/1 (not half duplex), with SEP00e0752447b2 port 1 (half duplex).
Conditions: This symptom is observed on a Cisco Catalyst 4000 Supervisor Engine III or IV that runs Cisco IOS Release 12.1(19)EW1. The symptom may also occur in other releases.
Workaround: Disconnect the Cisco IP Conference Station 7935 or disable Cisco Delivery Protocol (CDP) by entering the no cdp enable interface configuration command.
Miscellaneous
•
CSCed27956
A vulnerability in the Transmission Control Protocol (TCP) specification (RFC 793) has been discovered by an external researcher. Successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences beyond the terminated connection, which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer) and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality.
All Cisco products which contain a TCP stack are susceptible to this vulnerability.
This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS® software.
A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.
•
CSCed38527
A vulnerability in the Transmission Control Protocol (TCP) specification (RFC 793) has been discovered by an external researcher. Successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences beyond the terminated connection, which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer) and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality.
All Cisco products which contain a TCP stack are susceptible to this vulnerability.
This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS® software.
A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.
Wide-Area Networking
•
CSCed05661
Symptoms: A router may return to ROM monitor (ROMmon) because of a bus error at PC 0x6012F880, address 0x114. The log file may show the following information:
%ALIGN-1-FATAL: Illegal access to a low address addr=0x114, pc=0x6012F880, ra=0x6012F880, sp=0x61FF00B8
%ALIGN-1-FATAL: Illegal access to a low address addr=0x114, pc=0x6012F880, ra=0x6012F880, sp=0x61FF00B8
Unexpected exception, CPU signal 10, PC = 0x6012F880
-Traceback= 6012F880 6010CD54 6010D538 601369A0 600A19BC
Conditions: This symptom is observed on a Cisco AS5300 that runs Cisco IOS Release 12.3(5) and that is configured for ISDN PRI signaling.
Workaround: There is no workaround.
Resolved Caveats—Cisco IOS Release 12.3(5a)
Cisco IOS Release 12.3(5a) is a rebuild release for Cisco IOS Release 12.3(5). The caveats in this section are resolved in Cisco IOS Release 12.3(5a) but may be open in previous Cisco IOS releases.
The following information is provided for each caveat:
•
Symptoms—A description of what is observed when the caveat occurs.
•
Conditions—The conditions under which the caveat has been known to occur.
•
Workaround—Solutions, if available, to counteract the caveat.
Basic System Services
•
CSCec48087
Symptoms: The input queue of the Gigabit Ethernet (GE) interface of a SiByte processor complex on a Multi-processor WAN Application Module (MWAM) may become full, preventing traffic from being forwarded between the subinterfaces that are configured on the GE interface of the SiByte processor complex and a Multilayer Switch Feature Card (MSFC). Pings between these subinterfaces and the MSFC may fail.
Conditions: This symptom is observed on a MWAM that is running a Service Selection Gateway (SSG) application and that is installed in a Cisco Catalyst 6500 series or a Cisco 7600 series. The symptom occurs only when an authentication, authorization, and accounting (AAA) server failure occurs and this failure causes the AAA server to return messages that it has received from the SSG application on the MWAM back to the MWAM.
Workaround: Reset the MWAM.
•
CSCec55639
Symptoms: A Cisco Virtual Home Gateway (VHG) may fail to download authentication, authorization, and accounting (AAA) attributes that contain remote virtual templates.
Conditions: This symptom is observed when the Per VRF AAA feature is configured by using a remotely defined customer template on a RADIUS server.
Workaround: There is no workaround.
•
CSCec74336
Symptoms: Several tty lines may become stuck in the "Modem state: Carrier Dropped" state. You can verify this situation by entering the show line line-number EXEC command for an individual line. However, when you enter the show line EXEC command (that is, you do not enter a value for the line-number argument), the output shows that the same tty lines are active (that is, they are in the "*" state):
Tty Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns Int ...
5/00 Dig.mod. - DialIn - - - 78 0 0/0 - *
5/01 Dig.mod. - DialIn - - - 132 0 0/0 - I
5/02 Dig.mod. - DialIn - - - 32 0 0/0 - *
5/03 Dig.mod. - DialIn - - - 120 0 0/0 - A
5/04 Dig.mod. - DialIn - - - 130 0 0/0 - I
5/05 Dig.mod. - DialIn - - - 132 0 0/0 - I
In addition, both the output of the show users EXEC command and the output of the show caller EXEC command do not show a user or caller name or show an incorrect user or caller name. The output of the show caller EXEC command does show that the service is "TTY."
Conditions: These symptoms have been observed on a Cisco AS5850 in which a Universal Port Card 324 (UPC324) is installed. The UPC324 is configured for modem dialin with PPP and EXEC connectivity and for login authentication via a TACACS+ server.
Workaround: Reload the UPC324 by entering the hw-module slot shelf-id/slot-number reload privileged EXEC command. Note that doing so terminates all active modem calls.
IP Routing Protocols
•
CSCec72958
Symptoms: A Cisco router that is configured for Network Address Translation (NAT) may reload unexpectedly because of a software condition.
Conditions: This symptom is observed when the router translates a Lightweight Directory Access Protocol (LDAP) packet.
Workaround: There is no workaround.
Miscellaneous
•
CSCeb64967
Symptoms: A security association (SA) may fail to come up when you enter the correct extended authentication (Xauth) password on a PC that functions as a Virtual Private Network (VPN) client. When you enter the vpnclient connect profilename nocertpwd command on the PC, a connection to the remote peer is not established.
Conditions: This symptom is observed when you attempt to make a VPN connection from a PC to a Cisco router.
Workaround: There is no workaround.
•
CSCeb70171
Symptoms: An alignment traceback may occur when a router is configured for Multilink PPP over Frame Relay (MLPoFR) and weighted random early detection (WRED).
Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.3, Release 12.3 T, or Release 12.3 XA.
Workaround: Remove or modify the service-policy map to prevent WRED from running on MLPoFR interfaces.
•
CSCec14039
Symptoms: A Network Processing Engine G1 (NPE-G1) may restart unexpectedly and report the following message:
Last reset from watchdog reset
Conditions: This symptom is observed on a Cisco 7200 series that is configured with an NPE-G1 and that is running Cisco IOS Release 12.2(14)S3. The symptom may also occur in other releases.
Workaround: There is no workaround.
•
CSCec44207
Symptoms: An enhanced route switch controller (eRSC) may reload unexpectedly during the bootup process. This symptom does not occur on an RSC (that is, a legacy RSC) but the boot Flash memory may become unusable during the bootup process. The following error messages may be displayed during the bootup process:
%Error: Flash disk0 bank 0 chip 0 unknown, chip id 0x0 (reversed = 0x0 )
%Error: Flash disk0 bank 0 chip 1 unknown, chip id 0x0 (reversed = 0x0 )
%Error: Flash disk0 bank 0 chip 2 unknown, chip id 0x0 (reversed = 0x0 )
%Error: Flash disk0 bank 0 chip 3 unknown, chip id 0x0 (reversed = 0x0 )
%Error: Flash disk0 initialization failed
Conditions: These symptoms are observed on a Cisco AS5850.
Workaround: There is no workaround.
•
CSCec44556
Symptoms: Routing Information Protocol (RIP) may not send updates through an interface that is configured for Virtual Private Network (VPN).
Conditions: This symptom is observed on a Cisco router that has the router rip global configuration command enabled and on which the RIP router process is configured for VPN.
One of the few configurations in which the symptom is observed is a configuration in which the router has the passive-interface default router configuration command enabled. After the router has reloaded, when you enter the no passive-interface interface-type interface-number router configuration command on the interface that is configured for VPN, the symptom may occur.
The natural order of the configuration is for the no passive-interface interface-type interface-number router configuration command to be enabled before the passive-interface default router configuration command. However, this situation prevents the interface from sending updates.
Workaround: After the router has reloaded and RIP is configured, enter the passive-interface default router configuration command. Then, enter the no passive-interface interface-type interface-number router configuration command for the interface that is configured for VPN.
•
CSCec46125
Symptoms: The CPU usage on a Cisco AS5850 may be close to 100 percent with a moderate number of voice calls with any Voice over IP (VoIP) device that uses the User Datagram Protocol (UDP) checksum (for example, Cisco Analog Telephone Adapter [ATA] devices and the Cisco 7900 series IP phones).
Conditions: This symptom is observed on a Cisco AS5850 when VoIP devices that use the UDP checksum are installed in a client network as a VoIP gateway that uses the Session Initiation Protocol (SIP) and has the ip udp checksum dial-peer configuration command enabled. This causes the Cisco AS5850 to punt packets to the Route Switch Controller (RSC) and have high CPU usage at the RSC with only a moderate number of calls.
Workaround: Disable the UDP checksum option in the client network by entering the no ip udp checksum dial-peer configuration command. If this is not possible, there is no workaround.
•
CSCec53057
Symptoms: Tracebacks may be generated on a Cisco router that runs a Cisco IOS k8 or k9 crypto image, or memory corruption may occur and the router may reload unexpectedly.
Conditions: These symptoms are observed during normal operation, but are more likely to occur when you enter the clear crypto sa EXEC command or when a crypto access control list (ACL) is configured while crypto traffic is flowing through the IP Security (IPSec) tunnel.
Workaround: There is no workaround.
•
CSCec54103
Symptoms: An inverse multiplexing over ATM (IMA) interface may enter an endless loop when you enter the snmpwalk command for the ifStackStatus object.
Conditions: This symptom is observed on a Cisco 7206VXR that runs Cisco IOS 12.2(16)B2, 12.3, or 12.3 T and that is configured with an 8-port ATM Inverse MUX E1 port adapter (PA-A3-8E1IMA).
Workaround: There is no workaround.
•
CSCec61738
Symptoms: A Cisco 7500 series that functions as a provider edge (PE) router may fail to receive an Internet Control Message Protocol (ICMP) echo message on a Multilink PPP (MLP) ingress interface.
Conditions: This symptom is observed on a Cisco 7500 series when Virtual Private Network (VPN) routing/forwarding (VRF) is configured on the MLP interface.
Workaround: There is no workaround.
•
CSCec66469
Symptoms: It is not possible to change to the default value of 64 milliseconds (ms) when you enter the echo-cancel coverage voice-port configuration command.
Conditions: This symptom is observed when the following steps are taken to change to the default value (64) of the echo-cancel coverage voice-port configuration command:
–
Check the voice port on which the echo-cancel coverage command is currently set to 8.
–
Change the configuration of the echo-cancel coverage command to 64 by entering the echo-cancel coverage 64 command.
–
Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the voice port.
–
Enter the show voice port EXEC command (the configuration should appear fine in the output).
–
Enter the show running-config privileged EXEC command. The new configuration is no longer present.
–
Enter the show voice port EXEC command again. The output indicates that the value of the echo-cancel coverage command has not changed from 8 to 64.
Workaround: There is no workaround.
•
CSCed02289
Symptoms: A Cisco platform may reload unexpectedly when you perform a soft reset of the platform while a parser attempts to read an extensible markup language (XML) file that is downloaded from a call manager.
Conditions: This symptom is observed on a Cisco platform that runs Cisco IOS Release 12.3(1a) and that has the ccm-manager config global configuration command enabled.
Workaround: Create static dial peers.
•
CSCin58592
Symptoms: A Cisco 3745 router may reload unexpectedly when an E1 or T1 line flaps.
Conditions: This symptom is observed on a Cisco 3745 that runs a Cisco IOS c3745-jsx-mz image (which supports Cisco Express Forwarding [CEF]) when you enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the E1 or T1 interface or when the E1 or T1 line becomes unstable.
Workaround: Disable auto-configuration by entering the no ccm-manager config global configuration command.
Wide-Area Networking
•
CSCec66146
Symptoms: A network access server (NAS) that runs Microsoft CHAP (MS-CHAP) or Microsoft CHAP version 2 (MS-CHAPv2) may reload unexpectedly.
Conditions: This symptom is observed on a Cisco AS5400 that functions as a NAS but may be platform independent.
Workaround: There is no workaround.
Resolved Caveats—Cisco IOS Release 12.3(5)
This section describes possibly unexpected behavior by Cisco IOS Release 12.3(5). All the caveats listed in this section are resolved in Cisco IOS Release 12.3(5). This section describes severity 1 and 2 caveats and select severity 3 caveats.
The following information is provided for each caveat:
•
Symptoms—A description of what is observed when the caveat occurs.
•
Conditions—The conditions under which the caveat has been known to occur.
•
Workaround—Solutions, if available, to counteract the caveat.
Basic System Services
•
CSCea59491
Symptoms: "%SYS-2-LINKED" and "%SYS-3-MGDTIMER" messages may be displayed soon after you configure the Service Assurance Agent (SAA) echo probe:
%SYS-2-LINKED: Bad enqueue of 636539EC in queue 62E13470
-Process= "SAA Event Processor", ipl= 0, pid= 121
-Traceback= 6048E724 605A1AD4 605A171C 60B868F8 60B86AA4 60B95434 60B7B78C 60B7B8BC 60B95434 60B87280 60B95434 60B7D7B0 60B95434 60B7D740 60B7CA80
%SYS-3-MGDTIMER: Running timer, init, timer = 63653A3C.
-Process= "SAA Event Processor", ipl= 0, pid= 121
-Traceback= 60487B60 60487CA4 60487E00 605A1B0C 605A171C 60B868F8 60B86AA4 60B95434 60B7B78C 60B7B8BC 60B95434 60B87280 60B95434 60B7D7B0 60B95434 60B7D740
Conditions: This symptom is observed on a Cisco 3600 series that runs Cisco IOS Release 12.2(13)T1 but may also occur in other releases.
Workaround: Disable the SAA echo probe by entering the no rtr operation-number global configuration command. For the operation-number argument, enter the ID of the echo probe.
•
CSCea74631
Symptoms: A Route Switch Processor (RSP) that is acting as a slave may have complete packet switching activity interrupted for several minutes. This situation may cause the RSP to permanently pause.
Conditions: This symptom is observed on a Cisco 7500 series router that is running Cisco IOS Release 12.2(12d).
Workaround: There is no workaround.
•
CSCeb08094
Symptoms: A Cisco 12000 series may reload, generate a crashinfo file, and then pause indefinitely.
Conditions: This symptom is observed on a Cisco 12000 series that runs Cisco IOS Release 12.0(26)S and that is configured with the exception dump global configuration command.
Workaround: There is no workaround.
•
CSCeb41170
Symptoms: Performance difficulties may occur on a Cisco 7500 series master Route Processor (RP) when the slave RP reloads continually.
Conditions: This symptom is observed on a Cisco 7500 series that runs Cisco IOS Release 12.3 and that has dual Route Switch Processors (RSPs).
Workaround: There is no workaround.
•
CSCeb42542
Symptoms: The CPU utilization of a Cisco 7500 series Versatile Interface Processor (VIP) may reach 100 percent when the rate of the incoming traffic exceeds the bandwidth of the egress interface.
Conditions: This symptom is observed only with local switching, that is, it is observed only with traffic that enters through one interface of the VIP and that leaves through another interface of the same VIP.
Workaround: Reload the affected VIP.
•
CSCeb44286
Symptoms: A voice-enabled Cisco router or switch may reload when you use Simple Network Management Protocol (SNMP).
Conditions: This symptom is observed on a Cisco IAD2420 series but may occur on any voice-enabled Cisco router or switch that has at least one analog voice port that is numbered 14, for example, voice-port 1/14.
Workaround: Disable SNMP.
•
CSCeb52035
Symptoms: You may not find the Versatile Interface Processor (VIP) index when you use Simple Network Management Protocol (SNMP) to monitor VIP CPU utilization. The PROCESS-MIB MIB does not return the correct value for the ENTITY-MIB index.
Conditions: This symptom is observed on a VIP that is installed in a Cisco 7500 series that runs Cisco IOS Release 12.2 T or Release 12.3.
Workaround: Enter the show controllers vip slot-number process cpu privileged EXEC command to monitor the CPU utilization for each VIP.
•
CSCeb62313
Symptoms: A router may reload when the asynchronous queue (async-queue) is not empty and you enter the show line async-queue or clear line async-queue EXEC command. The following error message appears:
%Software-forced reload Unexpected exception, CPU signal 23, PC = 0x6043BFC4
Conditions: This symptom is observed when the async-queue is not empty and you enter the show line async-queue or clear line async-queue EXEC command. If the async-queue is empty, the router does not reload, and the show line async-queue or clear line async-queue EXEC commands work correctly.
Workaround: If the async-queue is not empty, enter the show line async-queue rotary-group and clear line async-queue rotary-group EXEC commands.
•
CSCeb66973
Symptoms: A Cisco router or switch may reload when it attempts to read the ifIndex information from an NVRAM file during the bootup process.
Conditions: This symptom is observed when the NVRAM file is corrupt.
Workaround: Disable the ifIndex persistence.
•
CSCeb83536
Symptoms: The order of the Service Assurance Agent (SAA) Response Time Reporter (RTR) schedule command options is incorrect in the output of the show running-config EXEC command. This situation may cause difficulties with third-party vendor software that configures and manages RTR probes.
Conditions: This symptom is observed on all Cisco platforms that run Cisco IOS Release 12.2(13)T1.
Workaround: There is no workaround.
•
CSCeb86751
Symptoms: Packets of a call fallback probe may be incorrectly marked with precedence 0.
Conditions: This symptom is observed on a Cisco router after you have set the precedence value for the call fallback probe to 5 by entering the call fallback jitter-probe precedence 5 global configuration command.
Workaround: There is no workaround.
•
CSCec03906
Symptoms: Packets may be rejected when nontransparent text is received and the block check character (BCC) is 0x7f.
Conditions: This symptom is observed when a Cisco 1600 series runs in bisynchronous mode with the ASCII character set.
Workaround: There is no workaround.
•
CSCec12884
Symptoms: The authentication, authorization, and accounting (AAA) user command authorization may fail via HTTP access.
Conditions: This symptom is observed when you attempt to log in via HTTP to a Cisco router that has both AAA user command authorization and HTTP server enabled.
Workaround: When AAA user command authorization is enabled, use a Telnet or console-port connection to access the router.
•
CSCec30001
Symptoms: The voice busyout monitor Response Time Reporter (RTR) probe may not work.
Conditions: This symptom is observed on a Cisco router that has active voice ports to which a voice class is attached. Note that the busyout monitor inservice, interface, and subinterface work fine.
Workaround: There is no workaround.
•
CSCin57207
Symptoms: The CPU utilization of a Cisco router may increase to 99 percent.
Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.3 or Release 12.3 T when you disable Media Gateway Control Protocol (MGCP) by entering the no mgcp global configuration command.
Workaround: There is no workaround.
EXEC and Configuration Parser
•
CSCec02505
Symptoms: A Cisco router that is configured for ISDN services may reject the pri-group controller configuration command when this command is configured on the T1 or E1 controllers as part of the running configuration during the bootup process. This situation may cause the loss of custom configurations that are defined under the ISDN serial x/y:23 or serial x/y:15 interface. If the router is configured for ISDN voice operation, the ISDN voice-port assignment under the plain old telephone service (POTS) dial peers may also be lost.
Conditions: This symptom is observed when the isdn switch-type global configuration command appears in the running configuration after any pri-group controller configuration command under a T1 or E1 controller.
When the running configuration is saved to NVRAM and the router is reloaded, the router may reject the pri-group controller configuration command and display the "%ISDN switch-type must be set first" error message.
Workaround: Enter the copy startup-config running-config privileged EXEC command to reconfigure the pri-group controller configuration command on the ISDN serial x/y:23 or serial x/y:15 interfaces and any ISDN voice-port assignments under any POTS dial peer.
IBM Connectivity
•
CSCea86223
Symptoms: A router may reload with a segmentation violation (SegV) exception, and the following error message appears:
%SYS-3-MGDTIMER
Conditions: This symptom is observed on a Cisco 2611 router. The symptom is specific to data-link switching (DLSw) Ethernet redundancy. Any other usage of DLSw does not affect this symptom.
Workaround: Do not use DLSw Ethernet redundancy. Use DLSw with transparent bridging support. In this case, you can have only one active DLSw router at a time per transparent Ethernet domain.
•
CSCea86421
Symptoms: The focal point buffer may overflow as shown in the following messages:
SNA: MV_SendVector rc = 8001
SNA: Alert E14A3440 not sent, Focal point buffer overflowed
In the latter message the Alert ID (E14A3440) may vary.
Conditions: This symptom is observed on a Cisco router that has a Systems Network Architecture (SNA) physical unit (PU) that is defined with a focal point.
Workaround: Remove the SNA PU definitions from the router and configure them again.
•
CSCeb46621
Symptoms: After you have upgraded the Cisco IOS software image, a Cisco MGX Route Processor Module-PRemium (RPM-PR) may reboot continually, generate tracebacks, and generate crashinfo files.
Conditions: This symptom is observed on an RPM-PR that is configured as a provider (P) router in a Multicast Virtual Private Network (MVPN) environment when both the customer router and the core router are using the Protocol Independent Multicast (PIM)-Source Specific Multicast (SSM) protocol.
Workaround: Before you upgrade the Cisco IOS software image, save the configuration. Enter the clrsmcnf slot-id command on the Processor Switch Module (PXM). For the slot-id argument, enter the slot in which the RPM-PR is installed. Then, upgrade the Cisco IOS software image. After the RPM-PR has booted up, reload the configuration that you had saved before you upgraded the Cisco IOS software image.
•
CSCeb65576
Symptoms: A Cisco 2620 may reload because of a segmentation violation (SegV).
Conditions: This symptom is observed when you attempt to run X.25 (at packet level) over a Logical Link Control, type 2 (LLC2) (at frame level) from a third-party vendor workstation to the Cisco 2620.
Workaround: There is no workaround.
•
CSCec10234
Symptoms: Ethernet redundancy may not function with Inter-Switch Link (ISL) trunking.
Conditions: This symptom is observed on a Cisco router or switch that is configured for data-link switching (DLSw) and Ethernet Redundancy (ER).
Workaround: There is no workaround.
•
CSCec12777
Symptoms: Binary Synchronous Communications (Bisync) IP (BIP) may strip an extra data character from the beginning of the data packet before the data packet is sent to the host.
Conditions: This symptom is observed when nontransparent text is being processed.
Workaround: There is no workaround.
•
CSCec24088
Symptoms: A Cisco router that is configured for data-link switching (DLSw) may generate the following error messages and tracebacks:
%TCP-2-INVALIDTCPENCAPS: Invalid TCB encaps pointer: 0x0
-Process= "DLSw Peer Process", ipl= 0, pid= 81
-Traceback= 603BDCDC 603BEFC4 60AC5A24 60AC6E00 60AC4F54 60AB51D0 60AB4D04 60AB4958 60223B44 60223B30
%TCP-2-INVALIDTCPENCAPS: Invalid TCB encaps pointer: 0x0
-Process= "IP Input", ipl= 0, pid= 29
-Traceback= 603BDCDC 603BEFC4 60AC5A24 60AC6E00 60AC4F54 60AB51D0 60ABCF44 603BDC28 60325EC0 60327C44 6035E49C 60346DCC 603452C8 603453C4 60345538 60223B44
Conditions: This symptom is observed in a DLSw border peer network that uses DLSw priority peers. Note that the symptom does not affect the DLSw functionality.
Workaround: There is no workaround.
Interfaces and Bridging
•
CSCea66198
Symptoms: A Cisco 7500 series router may encounter a bus error when applying a crypto map on an FDDI interface.
Conditions: This symptom is observed on a Cisco 7500 series router that is running Cisco IOS Release 12.2(11)T2, Release 12.2(13)T1, or Release 12.2(13a). The symptom may also occur in other releases such as Release 12.0 S.
Workaround: There is no workaround.
•
CSCeb38393
Symptoms: A Cisco 7500 series may generate the following message on its console:
%VIP-3-BADMALUCMD: Unsupported MALU command 81/82
Conditions: This symptom is observed on a Cisco 7500 series that runs Cisco IOS Release 12.0(23)S1.
Workaround: There is no workaround.
•
CSCeb58351
Symptoms: IP does not function on a third-party access server in a Token Ring topology.
Conditions: This symptom is observed when IP routing is configured on an access server in a Token Ring topology.
Workaround: There is no workaround.
•
CSCeb59227
Symptoms: The ifOutUcastPkts, ifOutOctets, and ifHCOutOctets Simple Network Management Protocol (SNMP) counters of a Fast Ethernet subinterface may not be incremented.
Conditions: This symptom is observed on a Cisco 7500 series when traffic is received from a serial interface in a Multiprotocol Label Switching (MPLS) network and when the Fast Ethernet subinterface is configured for dot1q encapsulation.
Workaround: There is no workaround.
•
CSCeb60620
Symptoms: A Cisco Route Switch Processor (RSP) that is configured as a bridge may not pass bridged traffic, regardless of the protocols that are configured on Ethernet interfaces. This situation can lead to a loss of connectivity.
Conditions: This symptom is observed on a Cisco RSP that is running a Cisco IOS rsp-jsv-mz image.
Workaround: There is no workaround.
•
CSCeb76005
Symptoms: A Cisco router may reload unexpectedly when you enter the no encapsulation frame-relay interface configuration command for an interface.
Conditions: This symptom is observed when the interface is configured for interface fragmentation and payload compression.
Workaround: Configure the interface for map-class fragmentation.
•
CSCeb81473
Symptoms: A Cisco 7500 series that is configured as a bridge may not pass bridged traffic on an FDDI interface. This situation may lead to a loss of connectivity.
Conditions: This symptom is observed on a Cisco 7500 series that runs a Cisco IOS rsp-jsv-mz image.
Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the FDDI interface.
•
CSCec18967
Symptoms: A segmentation and reassembly (SAR) crash dump does not show valid debug information.
Conditions: This symptom is observed when there is a SAR crash and there are incorrect register dumps that are logged for SAR0 and SAR1.
Workaround: There is no workaround.
•
CSCec26643
Symptoms: Packet-over-SONET (POS) interfaces on a 1-port POS OC-3c/STM-1 port adapter (PA-POS-OC3) that is installed in a Cisco 7200 series router that runs Cisco IOS Release 12.2(14)S3 may stop transmitting packets. The output packets counter stops incrementing.
Conditions: This symptom is observed when you reload the router with a queueing configuration on the POS interfaces.
Workaround: Remove the queueing configuration before you reload the router. Reapply the queueing configuration after the router has booted up.
•
CSCin33887
Symptoms: The following error message appears on a Cisco router:
SYS-2-BADSHARE
Conditions: This symptom is observed on a Cisco 7200 series with an ATM port adapter (PA-A3) that is running Cisco IOS Release 12.2(15)B when the router is configured with 100 PPP over ATM (PPPoA) sessions and bidirectional traffic is sent across the ATM port adapter.
Workaround: There is no workaround.
IP Routing Protocols
•
CSCdu59038
Symptoms: A Cisco router or switch may reload unexpectedly when you enter the show ip eigrp neighbors EXEC command.
Conditions: This symptom is observed when you enter the show ip eigrp neighbors EXEC command immediately after you have entered the shutdown interface configuration command followed by the no shutdown interface configuration command for the interface that connects the router or switch to the neighbor.
Workaround: Wait for the neighbor list to be completely rebuilt before you enter the show ip eigrp neighbors EXEC command.
•
CSCea31201
Symptoms: A Cisco router may reload unexpectedly because of a bus error at "ip_fast_accumulate_acctg."
Conditions: This symptom is observed on a Cisco router that has the ip accounting interface configuration command enabled.
Workaround: There is no workaround.
•
CSCea60188
Symptoms: A Border Gateway Protocol (BGP) next-hop router may not redistribute Virtual Private Network (VPN) routes.
Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.0 S or Release 12.2 S.
Workaround: There is no workaround.
•
CSCea64596
Symptoms: A ping may not be sent from the router that generates the ping.
Conditions: This symptom is observed when the ping originates from a Cisco router that has a virtual access interface as the only interface that is configured for IP.
Workaround: Configure IP on any physical interface of the router, in addition to the virtual access interface.
•
CSCea78615
Symptoms: Cisco IOS software may cause a Cisco router that is configured for Next Hop Resolution Protocol (NHRP) to reload unexpectedly. When the router reloads, the console displays the following error message:
%SYS-2-WATCHDOG: Process aborted on watchdog timeout, process = NHRP.
Conditions: This symptom may occur on any Cisco router that is configured for NHRP.
Workaround: There is no workaround.
•
CSCea81029
Symptoms: A Cisco router may reload unexpectedly when you enter a show command that is related to IP multicast.
Conditions: This symptom is observed on a Cisco router that has remained at the "more" prompt for a long period of time.
Workaround: There is no workaround.
•
CSCeb17467
Symptoms: A Cisco router may reload when Border Gateway Protocol (BGP) is configured to carry Virtual Private Network version 4 (VPNv4) routes.
Conditions: This symptom is observed when VPNv4 import processing occurs simultaneously with a BGP neighbor reset, for example, when a VPN routing and forwarding (VRF) instance is configured and you enter the clear ip bgp * privileged EXEC command.
Workaround: There is no workaround.
•
CSCeb19676
Symptoms: A Cisco 7206VXR periodically reloads when Network Address Translation (NAT) is configured and L4 Internet Locator Service (ILS) Lightweight Directory Access Protocol (LDAP) entries are translated.
Conditions: This symptom is observed on a Cisco 7206VXR router with a Network Processing Engine (NPE-G1) that is running the c7200-is-mz image of Cisco IOS Release 12.2(16)B.
Workaround: There is no workaround.
•
CSCeb30338
Symptoms: Packet loss may occur about once per minute.
Conditions: This symptom is observed in an IP multicast environment when a router is directly connected to both a source and a receiver and when the shortest path tree (SPT) threshold is configured as infinite.
The packet loss occurs about once per minute because the (S,G) entry is deleted every minute, causing the hardware shortcut to be deleted and reinstalled.
Workaround: There is no workaround.
•
CSCeb39780
Symptoms: When both the VRF Aware NAT feature and the ip nat inside source static network global configuration command are enabled, the network may not be Virtual Private Network (VPN) routing/forwarding (VRF) aware. This situation may cause Network Address Translation (NAT) that is configured for one VRF instance to be applied to all other VRF instances.
Conditions: This symptom is observed on a Cisco 7206VXR router that runs Cisco IOS Release 12.3, Release 12.3 B, or Release 12.3 T and that functions in a Multiprotocol Label Switching (MPLS) VPN environment.
Workaround: There is no workaround.
•
CSCeb40561
Symptoms: A Cisco router may reload if it is low on processor memory and Simple Network Management Protocol (SNMP) get operations are performed on Open Shortest Path First (OSPF) MIBs.
Conditions: This symptom is observed on a Cisco router that is running Cisco IOS Release 12.2(8)YW, Release 12.2(8)YY, Release 12.2 T, Release 12.3, or Release 12.3 T.
Workaround: There is no workaround.
•
CSCeb51147
Symptoms: A Reverse Path Forwarding (RPF) lookup may cause a Route Processor (RP) to reload because of a stack overflow.
Conditions: This symptom is observed on a Cisco 12000 series when there is a unicast routing loop and when a static multicast route (mroute) has been configured. The symptom may also occur on other platforms.
Workaround: There is no workaround.
•
CSCeb63120
Symptoms: When refresh reduction is enabled and a Cisco router has been operational for a long time, valid Resource Reservation Protocol (RSVP) messages that are received from a neighbor may be dropped when the message IDs have cycled through the entire number space once (that is, from 0 to 4,294,967,295) and then progressed up to 2,147,483,648 (0x80000000).
Conditions: This symptom is observed when a message ID number space begins at zero, increases up to 4,294,967,295 (32 bits), but then does not properly wrap back to zero, causing message IDs greater than 2,147,483,648 to be out of sequence and to be dropped.
Note that a neighboring router is able to send message IDs and properly wraps back from 4,294,967,295 to zero, but the receiving router does not record the wrap event, causing the symptom to occur.
Workaround: There is no workaround.
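The message ID wrap described in CSCeb63120, as an added Python example (not Cisco code). `WrapAwareReceiver` uses half-space modular comparison, which is an assumed general technique; `PinnedReceiver` is a constructed model chosen only because it reproduces the threshold the caveat describes, since the page does not describe the IOS internals. The sample IDs are constructed.

```python
"""Added illustration: ordering 32-bit message IDs across a wrap."""

MOD = 1 << 32    # size of the 32-bit message ID space
HALF = 1 << 31   # half-space window used for "newer than" decisions


def is_newer(candidate: int, reference: int) -> bool:
    """True if candidate is ahead of reference by less than half the ID space."""
    return 0 < (candidate - reference) % MOD < HALF


class WrapAwareReceiver:
    """Tracks the last accepted ID and follows the sender through the wrap."""

    def __init__(self) -> None:
        self.last = None

    def accept(self, msg_id: int) -> bool:
        if self.last is None or is_newer(msg_id, self.last):
            self.last = msg_id          # reference always follows the sender
            return True
        return False                    # duplicate or out-of-order ID


class PinnedReceiver(WrapAwareReceiver):
    """Hypothetical model: the reference is not moved when the sender wraps.

    The reference only advances on a plain integer increase, so after the
    sender wraps from 4,294,967,295 to 0 it stays pinned at the pre-wrap value.
    """

    def accept(self, msg_id: int) -> bool:
        if self.last is None:
            self.last = msg_id
            return True
        if not is_newer(msg_id, self.last):
            return False
        if msg_id > self.last:          # never true once the sender has wrapped
            self.last = msg_id
        return True


# Constructed sample: a sender approaching the wrap, wrapping to zero, and
# then progressing past 2,147,483,648 (0x80000000) in its second cycle.
SAMPLE_IDS = [
    0xFFFFFFF0, 0xFFFFFFFF,             # end of the first cycle
    0x00000000, 0x00000010,             # just after the wrap
    0x40000000, 0x7FFFFFF0,             # second cycle, below 0x80000000
    0x80000001, 0x90000000,             # second cycle, above 0x80000000
]


def replay(receiver, ids):
    """Feed ids to a receiver; return one accept/drop decision per ID."""
    return [receiver.accept(i) for i in ids]


def first_dropped(receiver, ids):
    """Return the first ID the receiver drops, or None if all are accepted."""
    for msg_id, ok in zip(ids, replay(receiver, ids)):
        if not ok:
            return msg_id
    return None


if __name__ == "__main__":
    for cls in (WrapAwareReceiver, PinnedReceiver):
        decisions = replay(cls(), SAMPLE_IDS)
        for msg_id, ok in zip(SAMPLE_IDS, decisions):
            print(f"{cls.__name__:18} 0x{msg_id:08X} {'accept' if ok else 'DROP'}")
```

When monitoring a long-lived RSVP adjacency with refresh reduction, the second-cycle crossing of 0x80000000 is the point at which drops of this shape would begin.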
•
CSCeb68569
Symptoms: Packets that are switched via process switching may cause high CPU utilization on a router.
Conditions: This symptom is observed in an IP multicast environment when the packets are sent from a virtual host interface (VIF) and are destined for a multicast address. The packets should be switched via fast switching.
Workaround: There is no workaround.
•
CSCeb71671
Symptoms: A Cisco router may pause indefinitely when the tunnel interface is shut down or one of the following NHRP interface configuration commands under the tunnel interface is removed from the router's configuration:
–
no ip nhrp map ip-address nbma-address
–
no ip nhrp map multicast nbma-address
–
no ip nhrp network-id number
Conditions: This symptom is observed on a Cisco 1600 series router that has Next Hop Resolution Protocol (NHRP) configured on a multipoint generic routing encapsulation (GRE) tunnel interface.
Workaround: There is no workaround.
•
CSCeb77038
Symptoms: A Cisco router may pause indefinitely because of a bus error, and the following error message may appear:
System returned to ROM by bus error at PC 0x60B5F1C0, address 0xEF4321E5
Conditions: This symptom is observed on a Multiprotocol Label Switching (MPLS) provider edge (PE) router.
Workaround: There is no workaround.
•
CSCeb85136
Symptoms: An IP packet that is sent with an invalid IP checksum may not be dropped.
Conditions: This symptom is observed if the IP checksum is calculated with a decreased time-to-live (TTL) value. For example, in the situation where the IP checksum must be 0x1134 with a TTL of 3, if the packet is sent with an IP checksum of 0x1234 that is calculated by using a TTL value of 2, the packet is not dropped. In all other cases, packets with incorrect checksums are dropped.
Workaround: There is no workaround.
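The arithmetic behind the 0x1134 / 0x1234 case in CSCeb85136, as an added Python example (not Cisco code). The header fields other than TTL and checksum (documentation-range addresses, ID 0xBA3E, ICMP, total length 84) are constructed so that the correct checksum for a TTL of 3 is 0x1134. `passes_if_ttl_lowered_first` is a hypothetical ordering shown only to explain why the TTL-2 checksum is the special value; the page does not state the cause.

```python
"""Added illustration: IPv4 header checksum and the TTL-dependent case."""
import struct


def ones_complement_sum(header: bytes) -> int:
    """16-bit one's-complement sum of the header words."""
    if len(header) % 2:
        raise ValueError("header length must be a multiple of 2 bytes")
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def header_checksum(header: bytes) -> int:
    """Checksum for bytes 10-11, computed with that field zeroed."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return ~ones_complement_sum(zeroed) & 0xFFFF


def is_valid(header: bytes) -> bool:
    """A header is valid when the sum over all words, checksum included, is 0xFFFF."""
    return ones_complement_sum(header) == 0xFFFF


def build_header(ttl: int, checksum=None) -> bytes:
    """Constructed 20-byte header; checksum=None fills in the correct value."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 84,          # version/IHL, TOS, total length
                      0xBA3E, 0,            # ID (constructed), flags/fragment
                      ttl, 1, 0,            # TTL, protocol (ICMP), checksum
                      bytes([192, 0, 2, 1]),
                      bytes([198, 51, 100, 2]))
    if checksum is None:
        checksum = header_checksum(hdr)
    return hdr[:10] + struct.pack("!H", checksum) + hdr[12:]


def decrement_ttl(header: bytes) -> bytes:
    """Forwarding step: TTL - 1 with an RFC 1624 incremental checksum update."""
    if header[8] == 0:
        raise ValueError("TTL already zero")
    (old_word,) = struct.unpack("!H", header[8:10])   # TTL is the high byte
    (old_ck,) = struct.unpack("!H", header[10:12])
    new_word = old_word - 0x0100
    total = (~old_ck & 0xFFFF) + (~old_word & 0xFFFF) + new_word
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    new_ck = ~total & 0xFFFF                # HC' = ~(~HC + ~m + m')
    return header[:8] + struct.pack("!HH", new_word, new_ck) + header[12:]


def passes_if_ttl_lowered_first(header: bytes) -> bool:
    """Hypothetical ordering: lower the TTL byte, leave the checksum, then verify."""
    lowered = header[:8] + bytes([header[8] - 1]) + header[9:]
    return is_valid(lowered)


if __name__ == "__main__":
    good = build_header(ttl=3)                    # checksum 0x1134
    bad = build_header(ttl=3, checksum=0x1234)    # the page's invalid packet
    print(f"correct checksum, TTL 3: 0x{header_checksum(good):04X}")
    print(f"correct checksum, TTL 2: 0x{header_checksum(build_header(2)):04X}")
    print("bad packet valid as received:", is_valid(bad))
    print("bad packet valid if TTL lowered first:", passes_if_ttl_lowered_first(bad))
```

Verifying the header exactly as received rejects the page's example packet, and the incremental update carries an existing error forward rather than hiding it.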
•
CSCeb87286
Symptoms: Enhanced Interior Gateway Routing Protocol (EIGRP) hello messages may be sent from a virtual-access interface when they should not be sent.
Conditions: This symptom is observed on a Cisco router that has the passive-interface default or passive-interface virtual-template interface-number router configuration command enabled.
Workaround: There is no workaround.
•
CSCec05794
Symptoms: You may not be able to configure the ip nat inside source list access-list-number pool name overload router configuration command because the pool keyword may not be accepted and the overload keyword may be missing.
Conditions: This symptom is observed on a Cisco platform that runs Cisco IOS Release 12.3, Release 12.3 B, or Release 12.3 T and that has the VRF Aware NAT feature enabled.
Workaround: There is no workaround.
•
CSCec06466
Symptoms: A Cisco router may reload unexpectedly when the Designated Forwarder (DF) interface is changed to an interface that is already in the Outgoing Interface list (O-list).
Conditions: This symptom is observed on a Cisco router that is configured for multicast Bidirectional PIM (Bidir-PIM).
Workaround: There is no workaround.
•
CSCec06912
Symptoms: When you attempt to make a Session Initiation Protocol (SIP) call, Network Address Translation (NAT) may not properly modify the embedded address.
Conditions: This symptom is observed on a Cisco platform that has the NAT Support for SIP feature enabled.
Workaround: There is no workaround.
•
CSCec10494
Symptoms: A Cisco router or switch may reload unexpectedly when you enter the show ip igmp tracking detail EXEC command.
Conditions: This symptom is observed when the ip igmp explicit-tracking interface configuration command is enabled and the entries in the cache have expired.
Workaround: There is no workaround.
•
CSCec12036
Symptoms: Routing Table Protocol (RTP) ports may not be opened for H.245 Network Address Translation (NAT) traffic to get back in.
Conditions: This symptom is observed on a Cisco platform when H.245 NAT processing for outgoing traffic is not invoked in a configuration with static NAT and Virtual Private Network (VPN) routing/forwarding (VRF) instances.
Workaround: There is no workaround.
•
CSCec13278
Symptoms: A Cisco router may generate continual tracebacks when you perform an online insertion and removal (OIR) of a line card.
Conditions: This symptom is observed when Internet Group Management Protocol (IGMP) and IP Protocol Independent Multicast (PIM) are enabled.
Workaround: Before you perform the OIR, disable IP PIM.
•
CSCec16481
A Cisco device running Internetwork Operating System (IOS) and enabled for the Open Shortest Path First (OSPF) Protocol is vulnerable to a Denial of Service (DoS) attack from a malformed OSPF packet. The OSPF protocol is not enabled by default.
The vulnerability is only present in IOS release trains based on 12.0S, 12.2, and 12.3. Releases based on 12.0, 12.1 mainlines and all IOS images prior to 12.0 are not affected. Refer to the Security Advisory for a complete list of affected release trains.
Further details and the workarounds to mitigate the effects are explained in the Security Advisory which is available at the following URL:
http://www.cisco.com/warp/public/707/cisco-sa-20040818-ospf.shtml.
•
CSCec25744
Symptoms: A Cisco device that functions as a spoke may reload.
Conditions: This symptom is observed when a spoke-to-spoke connection is terminated.
Workaround: Disable all spoke-to-spoke connections. If this is not an option, there is no workaround.
•
CSCec27239
Symptoms: A Cisco router that processes external link-state advertisements (LSAs) may generate spurious memory access tracebacks or reload unexpectedly.
Conditions: This symptom is observed on a Cisco router that runs Open Shortest Path First version 3 (OSPFv3).
Workaround: There is no workaround.
•
CSCec29953
Symptoms: A retransmission counter may not be reset when a neighbor is terminated.
Conditions: This symptom is observed on a Cisco platform that is running Open Shortest Path First (OSPF) when the retransmission limit default (12 or 24) is added to the retransmission mechanism.
Workaround: Clear the OSPF process by entering the clear ip ospf process pid privileged EXEC command. Then, enter the limit retransmissions non-dc disable router configuration command.
•
CSCec30677
Symptoms: A Cisco platform may not complete a reload procedure and may pause indefinitely.
Conditions: This behavior is observed on a Cisco platform that runs a Cisco IOS image when you enter the reload EXEC command.
Workaround: Power-cycle the Cisco platform.
•
CSCec34459
Symptoms: A memory leak may occur in the "IP Input" process on a Cisco platform, and memory allocation failures (MALLOCFAIL) may be reported in the processor pool.
Conditions: This symptom is observed on a Cisco platform that is configured for Network Address Translation (NAT).
Workaround: There is no workaround.
•
CSCin48570
Symptoms: A cable modem may reload unexpectedly with a segmentation violation (SegV) exception.
Conditions: This symptom is observed when you configure the cable modem for DHCP proxy with Network Address Translation (NAT) by entering the cable-modem dhcp-proxy nat interface configuration command.
Workaround: There is no workaround.
•
CSCin52817
Symptoms: A Cisco router may reload unexpectedly when you manually reload the router.
Conditions: This symptom is observed when the router is configured for Open Shortest Path First (OSPF).
Workaround: There is no workaround.
Miscellaneous
•
CSCdv10203
Symptoms: Multicast may be disabled on an interface of a Cisco 7500 series Gigabit Ethernet Interface Processor (GEIP) or GEIP plus (GEIP+).
Conditions: This symptom is observed when the Cisco IOS image is loaded and the configuration is added. The symptom does not occur when the configuration is added, saved, and then the Cisco IOS image is loaded.
Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the affected interface.
•
CSCdv43373
Symptoms: Interprocess communication (IPC) memory buffer difficulties may occur on a Gigabit Ethernet interface on a Cisco 7500 router after the output becomes stuck, and the following message may be displayed:
%RSP-3-RESTART: interface GigabitEthernet0/0/0, not transmitting Output Stuck on GigabitEthernet0/0/0
Conditions: This symptom is observed on the Gigabit Ethernet interface of a Cisco 7500 series.
Workaround: There is no workaround.
•
CSCdv76351
Symptoms: You may not be able to use the command-line interface (CLI) to disable a remote loopback request on the network.
Conditions: This symptom is observed when a remote loopback is initiated toward a Cisco AS5xx0 and the Cisco AS5xx0 responds to the remote loopback request.
Workaround: Enter the loopback network ignore controller configuration command on the T1 controllers.
•
CSCdw18371
Symptoms: A Cisco router may reload at the "rsp_ipfib_feature_switch" process when you enter the no ip cef global configuration command and the ip cef global configuration command in succession.
Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.1 T, 12.2, or 12.2 T and Resource Reservation Protocol (RSVP) over ATM while data traffic is traveling over switched virtual circuits (SVCs) that are established by RSVP.
Workaround: To deconfigure Cisco Express Forwarding (CEF) on a router that has RSVP over ATM reservations, remove the RSVP configuration from all ATM interfaces by entering the no ip rsvp bandwidth interface configuration command and then reenable CEF by entering the ip cef global configuration command, the ip rsvp bandwidth interface configuration command, and the ip rsvp svc-required interface configuration command.
•
CSCdx59056
Symptoms: When the MPLS VPN—Carrier Supporting Carrier—IPv4 BGP Label Distribution feature is enabled, you may be able to configure Label Distribution Protocol (LDP) and Border Gateway Protocol (BGP) with IPv4+ labels on the same Virtual Private Network (VPN) routing/forwarding (VRF) instance on the same router. This is an invalid configuration that may lead to errors.
Conditions: This symptom is observed on a Cisco 12000 series.
Workaround: There is no workaround. The fix for this caveat will prevent you from configuring the router in the way that is described in the symptoms.
•
CSCdy68831
Symptoms: A Cisco router may reload because of a segmentation violation (SegV) exception.
Conditions: This symptom is observed under the following circumstances:
–
The router is receiving traffic.
–
The size of some packets is larger than the maximum transmission unit (MTU).
–
The Don't Fragment (DF) bit is set.
–
The input interface has no packet buffers.
Workaround: Configure prefragmentation.
Alternate Workaround: Clear the DF bit by entering the crypto ipsec df-bit clear global configuration command.
•
CSCdz18467
Symptoms: Pings that have designated forwarder (DF) bits set and packet sizes greater than 1496 bytes are dropped.
Conditions: This symptom is observed only on single-hop Multiprotocol Label Switching (MPLS) traffic-engineered (TE) tunnels.
Workaround: There is no workaround.
•
CSCdz65835
Symptoms: Packet transmission over a serial channel-group interface that is part of a backhaul trunk may be slow.
Conditions: This symptom is observed only on a channel-group interface and occurs irrespective of whether or not the interface is configured for Low Latency Queueing (LLQ) for large packet sizes.
Workaround: There is no workaround.
•
CSCdz72292
Symptoms: After a few weeks of normal operation, the interface on a Cisco PA-MC-8E1 begins flapping and finally pauses with the output queue stuck as follows:
Serial1/1:1 is up, line protocol is up
Encapsulation HDLC, crc 16, Data non-inverted
Keepalive set (120 sec)
Last input 00:00:03, output 04:14:23, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 21952
Queueing strategy: weighted fair
Output queue: 30/4000/64/21855 (size/max total/threshold/drops)
30 second input rate 0 bits/sec, 0 packets/sec
30 second output rate 0 bits/sec, 0 packets/sec
43903807 packets input, 3646461183 bytes, 0 no buffer
Received 0 broadcasts, 321 runts, 0 giants, 0 throttles
5160 input errors, 4 CRC, 0 frame, 0 overrun, 0 ignored, 2945 abort
42026998 packets output, 2185017012 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
31 carrier transitions
no alarm present
Timeslot(s) Used:1-31, subrate: 64Kb/s, transmit delay is 0 flags
The following traceback is observed in the log:
%LINK-4-TOOBIG: Interface Serial60:1, Output packet size of 1526 bytes too big
Traceback= 0x604007F8 0x604A927C 0x6084E4D4 0x6057425C 0x60CE921C 0x60CE55EC
%LINK-4-TOOBIG: Interface Serial20:1, Output packet size of 1526 bytes too big
Traceback= 0x604007F8 0x604A927C 0x6084E4D4 0x6057425C 0x60CE921C 0x60CE55EC
Conditions: This symptom is observed on a Cisco router that is configured with a PA-MC-8E1 interface.
Workaround: There is no workaround.
•
CSCea12818
Symptoms: Transmit underruns or cyclic redundancy check (CRC) errors may occur on a serial interface on the motherboard of a Cisco router.
Conditions: This symptom is observed on the serial interface on the motherboard of a Cisco 3700 series.
Workaround: Do not use the WAN interface card (WIC) slot on the motherboard. Rather, use the serial interface on a 2-WAN card slot network module (NM-2W), a 1-port Fast Ethernet 2-WAN card slot network module (NM-1FE2W), or a 2-port Fast Ethernet 2-WAN card slot network module (NM-2FE2W).
•
CSCea22843
Symptoms: When configuring Routing Information Protocol (RIP) version 2 on a Cisco router, tracebacks may be displayed.
Conditions: This symptom is observed on a Cisco router that is running Cisco IOS software.
Workaround: There is no workaround.
•
CSCea28043
Symptoms: IP commands that are sent in the Cisco Networking Services (CNS) config-changed event output may contain an extra ip prefix.
Conditions: This symptom is observed on a Cisco router when you enter both ip global configuration commands and the cns config notify diff global configuration command to capture commands that change configuration for the config-changed event output.
Workaround: Enter the all keyword in the cns config notify global configuration command. This workaround is not valid when the only changes in the configuration occur in the config-changed event output.
•
CSCea29102
This caveat consists of two symptoms, two conditions, and two workarounds:
1.
Symptoms: A Route Processor (RP) may reload when you enter the clear ip bgp * privileged EXEC command while interfaces flap continuously.
Conditions: This symptom is observed when Virtual Private Network (VPN) routing/forwarding (VRF) forwarding is configured on the interfaces that flap.
Workaround: There is no workaround.
2.
Symptoms: An RP may reload when you simultaneously enter the clear ip bgp * privileged EXEC command and perform an online insertion and removal (OIR) by entering the hw-reload reset EXEC command.
Conditions: This symptom is observed when you perform an OIR of an interface that has a VRF configuration in which the connected route is learned via a network statement. The connected route is removed when you perform the OIR.
Workaround: Do not simultaneously enter the clear ip bgp * privileged EXEC command and perform an OIR.
•
CSCea29640
Symptoms: A 1-port High-Speed Serial Interface network module (NM-1HSSI) that is running Frame Relay traffic shaping (FRTS) and Frame Relay fragmentation 12 (FRF.12) may randomly stop functioning and does not recover on its own.
Conditions: This symptom is observed on a Cisco 3600 router that is running Cisco IOS Release 12.2(11)T1 or Release 12.2(13a).
Workaround: Disable FRF.12 fragmentation.
First Alternate Workaround: Enter the clear interface EXEC command on the affected interface.
Second Alternate Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the affected interface.
•
CSCea31186
Symptoms: The RADIUS "Acct-Session-Id" attribute may not be sent correctly.
Conditions: This symptom is observed in a Service Selection Gateway (SSG) configuration that is running Cisco IOS Release 12.2(15)T or a later release when you enter the ip route-cache flow interface configuration command on a virtual template. The symptom may also occur in other conditions.
Workaround: In the above-mentioned conditions, deconfigure the ip route-cache flow interface configuration command.
•
CSCea31882
Symptoms: When the create on-demand command is enabled in any command mode for a permanent virtual circuit (PVC) and this PVC becomes active, the following message may be displayed:
%ATM-5-UPDOWN: Interface ATM3/0/0, Changing autovc 1/32 to UP
An "Auto VC" of this type becomes active when a cell is detected with the appropriate virtual channel identifier (VCI) and virtual path identifier (VPI). Before becoming active, the virtual circuit (VC) does not consume significant system resources or detract from system VC scalability. After a configurable period of inactivity, the VC may enter the "down" state with a similar message and free up system resources for other VCs.
With a large number of VCs (in the tens of thousands on some platforms), the churn rate of VCs (that is, VCs going up and down) may cause so many of these log messages that the console may become unusable and other important log messages may be missed. In extreme cases, the processing and displaying of these messages may consume significant processing cycles on the system CPU.
Conditions: These symptoms are observed when the create on-demand command is enabled in any command mode or when "Auto VCs" are active.
Workaround: Change the console logging level to a relatively high level to avoid the many "Auto VC" notification messages, which are level 5 notification messages. The console logging level must be reduced to level 4 (warnings) to avoid these messages. Because this is a relatively high logging level, the system log should be checked occasionally to ensure that no important messages are missed.
Note
The fix for this caveat incorporates the logging event atm pvc command, which enables you to turn "Auto VC" notification messages on or off (the default mode is off).
•
CSCea33942
Symptoms: A Cisco uBR905 or Cisco uBR925 router may lose the configuration of the crypto map map-name local-address interface-id global configuration command from its startup configuration.
Conditions: This symptom is observed when the router reloads and is related to the use of the Cable DHCP Proxy feature.
Possible Workaround: Set up a permanent lease for the loopback interface in the Dynamic Host Configuration Protocol (DHCP) server by using the "ethernet0" MAC address and assigning a fixed IP address on the DHCP server.
•
CSCea45873
Symptoms: NetFlow may count the number of exported flows as less than the actual number of exported flows.
Conditions: This symptom is observed on a Cisco platform that has Parallel Express Forwarding (PXF) NetFlow enabled.
Workaround: There is no workaround.
•
CSCea56700
Symptoms: A Cisco router may restart with a bus error if the following conditions are met:
–
Router is Layer 2 Tunneling Protocol (L2TP) network server (LNS) in an L2TP environment
–
Cisco IOS Firewall (FW) Context-Based Access Control (CBAC) is active and applied to virtual interface template
–
Access control list (ACL) for each L2TP client is downloaded from RADIUS, and there are a number of users connected that are producing live traffic
Conditions: This symptom is observed on a Cisco 7200 series router that is running Cisco IOS Release 12.2(15)T.
Workaround: There is no workaround.
•
CSCea57710
Symptoms: A Cisco MGX 8850 Route Processor Module-PRemium (RPM-PR) may log the following traceback error:
%ATMPA-3-BADPARTICLE: Switch1: bad rx particle 0x61CA8040 flags 0x00000001 index 9937
Traceback= 6007968C 6008F404 60E844F0 60E815F4 60D80BF4 60D8E8A4 6009CF94 600B56EC
Conditions: This symptom occurs in the following configuration:
–
A total of 1000 Virtual Private Network (VPN) routing/forwarding (VRF) interfaces are enabled on each RPM-PR.
–
About 98,000 VPN routes have permanent virtual circuits (PVCs).
–
Cell-based Multiprotocol Label Switching (MPLS) is configured for Label Switch Controller (LSC) hot redundancy.
–
Each RPM-PR has 500 external Border Gateway Protocol (EBGP) sessions.
–
The VPN prefixes are advertised with /24(90%) and /30(10%) subnets.
Workaround: There is no workaround.
•
CSCea58084
Symptoms: A Cisco 2600 series router may pause indefinitely with a segmentation violation (SegV) exception.
Conditions: This symptom is observed on a Cisco 2600 series router with a 4-port voice Performance Monitor (PM) and a BRI voice daughter card that is configured for telephony service.
Workaround: There is no workaround.
•
CSCea60559
Symptoms: The Simple Network Management Protocol (SNMP) agent may use 99 percent of the CPU bandwidth of a Route Processor (RP) for an arbitrarily long time (hours or days), without necessarily generating CPUHOG errors. This situation causes other processes on the router to fail because these processes do not receive the CPU bandwidth that they require. Consequently, the following difficulties may occur:
–
Routes may time out.
–
Tunnels may go down.
–
Accessing the router via a Telnet connection to a network port may become impossible.
–
The command-line interface (CLI) via the console line may become quite slow to respond.
The output of the show snmp summary EXEC command may indicate that the number of requests is "N" while the number of replies that were sent is "N-1." The output of the show processes cpu | include SN EXEC command may indicate that the SNMP process uses 99 percent of the CPU bandwidth of the RP.
Conditions: These symptoms are observed when the MPLS-LSR-MIB MIB is enabled, when you query the mplsXCTable or a MIB walk occurs, and when there are more than 10,000 Multiprotocol Label Switching (MPLS) labels active. The symptoms are platform independent.
Workaround: Perform the following steps:
1.
Shut down interfaces to bring the total count of active MPLS labels down to far below 10,000.
2.
Disable the MPLS-LSR-MIB MIB by entering the following sequence of commands:
snmp-server view nolsrmib mplsLsrMIB exclude
snmp-server view nolsrmib iso include
3.
Modify each defined community string to include the view nolsrmib keywords. For example, define the "public" community string by entering the following command:
snmp-server community public view nolsrmib ro
4.
Enter the no shutdown interface configuration command on all the interfaces that you shut down in Step 1.
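An offline check that the view restriction from Steps 2 and 3 is applied to every community string in a saved configuration, as an added example that is not part of the Cisco release notes. The function names, status strings and sample configuration are constructed for illustration; the script assumes the configuration uses the snmp-server view and snmp-server community line forms shown above.

```python
import re

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
snmp-server view nolsrmib mplsLsrMIB excluded
snmp-server view nolsrmib iso included
snmp-server view mgmt iso included
snmp-server community public view nolsrmib RO
snmp-server community ops view mgmt RO
snmp-server community legacy RW 10
"""

# Accept both the abbreviated keywords used in the workaround (exclude/include)
# and the expanded forms (excluded/included).
VIEW_RE = re.compile(r"^snmp-server view (\S+) (\S+) (includ\w*|exclud\w*)$", re.I)
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)(?: view (\S+))?", re.I)
LSR_MIB = "mplslsrmib"


def parse_views(config):
    """Return {view_name: {oid_tree_lowercased: True if excluded}}."""
    views = {}
    for raw in config.splitlines():
        m = VIEW_RE.match(raw.strip())
        if m:
            name, tree, action = m.groups()
            excluded = action.lower().startswith("exclud")
            views.setdefault(name, {})[tree.lower()] = excluded
    return views


def audit_communities(config):
    """Return {community: status} describing whether mplsLsrMIB is blocked."""
    views = parse_views(config)
    report = {}
    for raw in config.splitlines():
        m = COMMUNITY_RE.match(raw.strip())
        if not m:
            continue
        community, view = m.groups()
        if view is None:
            # No view keyword: the community is not restricted by the workaround.
            report[community] = "no view"
        elif view not in views:
            report[community] = "view not defined"
        elif views[view].get(LSR_MIB) is True:
            report[community] = "ok"
        else:
            report[community] = "view does not exclude mplsLsrMIB"
    return report


if __name__ == "__main__":
    for community, status in audit_communities(SAMPLE_CONFIG).items():
        print(f"{community}: {status}")
```

Any community that is not reported as "ok" can still reach the mplsXCTable, so the workaround is incomplete until every entry is covered.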
•
CSCea61004
Symptoms: When interim accounting packets are sent by the Service Selection Gateway (SSG), the difference between the start time and the interim time may be as much as 60 seconds.
Conditions: This symptom is observed on all Cisco platforms and in all versions of Cisco IOS software when the ssg accounting interval seconds global configuration command is enabled.
Workaround: There is no workaround.
•
CSCea64492
Symptoms: A Cisco 6400 series Node Route Processor 2 (NRP2) may reload.
Conditions: This symptom is observed when the Cisco 6400 series NRP2 is running Cisco IOS Release 12.2(13)T1 and the Service Selection Gateway (SSG) is enabled.
Workaround: There is no workaround.
•
CSCea64571
Symptoms: PPP over Ethernet (PPPoE) or PPP over ATM (PPPoA) sessions that go down may cause a leak of full virtual-access interfaces. The symptom is not observed with configurations that use virtual-access subinterfaces.
Conditions: This symptom is observed with PPPoE or PPPoA sessions that clear because of the PPP protocol going down (because of a termination request [TERMREQ] from a peer router or a PPP keepalive failure). The leaked virtual-access interfaces are not reused for new sessions. This results in the creation of new virtual-access interfaces for new sessions.
Workaround: There is no workaround.
•
CSCea66218
Symptoms: When a Tributary Unit Alarm Indication Signal (TU-AIS) is inserted for an Engine 1 (E1) tributary on a channelized Synchronous Transport Module level 1 port adapter (PA-ChSTM1) on an SPE3, packet corruption occurs on the adjacent E1.
Conditions: This symptom is observed on a Cisco 7200 series and a Cisco 7500 series.
Workaround: There is no workaround.
•
CSCea66307
Symptoms: When a large number (30,000) of established PPP sessions are terminated at the same time (for instance, when an interface is shut down), a Cisco router may exhaust its I/O memory, causing loss of other services such as the maintenance of Layer 2 Tunneling Protocol (L2TP) tunnels and the forwarding of authentication, authorization, and accounting (AAA) accounting requests to a RADIUS server. This situation occurs because a flood of AAA accounting STOP records are sent for the terminated sessions to the RADIUS server.
Conditions: This symptom is observed only when a large number of PPP sessions are active on the router and the RADIUS server is slow to respond, causing a backlog in the router of messages that are waiting to be transmitted or that are waiting for a response.
Workaround: Install the RADIUS server on a faster machine. Doing so may alleviate but not completely eliminate the symptom. There is no other workaround.
•
CSCea70216
Symptoms: Two-way voice may be lost after a modify connection (MDCX) message is sent.
Conditions: This symptom is observed on a Cisco AS5850 that is configured for Real-Time Transport Protocol (RTP) hairpinning after a two-way voice call is established and an MDCX message with any parameter setting is sent.
Workaround: There is no workaround.
•
CSCea74551
Symptoms: A Cisco gateway may reject a "subscribe" request with a "400" response, indicating a "Bad Request, Malformed/Missing Request Line."
Conditions: This symptom is observed when the Session Initiation Protocol (SIP) address in the Uniform Resource Identifier (URI) of the "subscribe" request does not contain a user portion.
Workaround: There is no workaround.
•
CSCea79314
Symptoms: It may take a long time for an Internet Key Exchange (IKE) tunnel to be set up.
Conditions: This symptom is observed on a Cisco 7200 series that is configured with a Virtual Private Network (VPN) acceleration module (VAM) or VAM2 for hardware encryption and that has the authentication rsa-sig ISAKMP policy configuration command configured.
Workaround: Use software encryption.
•
CSCea81025
Symptoms: Packet loss may occur on a Cisco 7401.
Conditions: This symptom is observed on a Cisco 7401 that is running Cisco IOS Release 12.2 B and that has Parallel Express Forwarding (PXF) enabled.
Workaround: Disable PXF.
•
CSCea85926
Symptoms: A line card may reload after a Stateful Switchover (SSO) occurs.
Conditions: This symptom is observed on a Cisco 12000 router.
Workaround: There is no workaround.
•
CSCea88733
Symptoms: A Cisco router may experience a memory leak in IP input.
Conditions: This symptom is observed on a Cisco router that is running Cisco IOS Release 12.2(15) and that is configured for the Cisco Intrusion Detection System (IDS).
Workaround: Disable IDS.
Alternate Workaround: Disable the Domain Name System (DNS) signatures.
•
CSCea90721
Symptoms: A Cisco router may not be able to access the Internet.
Conditions: This symptom is observed on a Cisco router when Unicast Reverse Path Forwarding (uRPF) is enabled.
Workaround: Remove the ip verify unicast source reachable-via rx interface configuration command.
•
CSCea90968
Symptoms: When you enter the atm pvp vpi interface configuration command on a Cisco 7206VXR, the router may reload unexpectedly and display the following error message:
%ALIGN-1-FATAL: Illegal access to a low address addr=0x40, pc=0x60202778, ra=0x60202780, sp=0x63BF1718
Conditions: This symptom is observed on a Cisco 7206VXR that runs the c7200-js-mz image of Cisco IOS Release 12.3, 12.3 B, or 12.3 T and that is configured with a Network Processing Engine 225 (NPE-225).
Workaround: There is no workaround.
•
CSCea91076
Symptoms: A Cisco router may fail to create an ATM virtual circuit (VC) and may display the following error message:
%ATM-3-FAILCREATEVC: ATM failed to create VC(VCD=3, VPI=1, VCI=35) on Interface ATM0/0, (Cause of the failure: vpi/vci pair already in use)
Additional traceback messages may also be generated.
Conditions: This symptom is observed on a Cisco 3600 series or Cisco 7200 series that is configured with a 4-port T1 IMA network module (NM-4T1-IMA).
Workaround: There is no workaround.
•
CSCeb01676
Symptoms: Hardware compression may not function on a Cisco router that is configured with an Advanced Integration Module (AIM) for hardware compression, and the following error messages may be displayed:
%CAIM-1-HIFNERR: Caim 0: Hifn 9711 Errors reported: 9711 Status 0x848AC DMA status 0x80808098
%CAIM-6-SHUTDOWN: CompressionAim0 shutting down
%CAIM-6-STARTUP: CompressionAim0 starting up
Conditions: This symptom is observed on a Cisco 2600, Cisco 3600, or Cisco 3700 series that is configured for Multilink PPP (MLP) and ISDN. Note that software compression works fine.
Workaround: There is no workaround.
•
CSCeb04441
Symptoms: When an ATM link flaps or a remote ATM platform reloads, a Fast Etherchannel may fail and Enhanced Interior Gateway Routing Protocol (EIGRP) neighbors that are connected via the Fast Etherchannel may be lost.
Conditions: This symptom is observed on a Cisco 7500 series that runs the rsp-pv-mz image of Cisco IOS Release 12.0(21)S5.
Workaround: There is no workaround.
•
CSCeb06326
Symptoms: A Cisco MGX 8850 Route Processor Module-PRemium (RPM-PR) may reset when a service-policy map is removed.
Conditions: This symptom is observed when a service-policy map is removed from multiple tag interfaces, or from a single tag interface, or from both.
Workaround: Shut down the tag interface before you remove the service-policy map.
•
CSCeb08888
Symptoms: When a Cisco IOS gateway loses communication with its Call Manager, Media Gateway Control Protocol (MGCP) failover to H.323 may not occur. The opposite incorrect behavior may also occur: the gateway works properly only in failover mode but not when registered to a Call Manager.
Conditions: These symptoms are observed on a Cisco IOS gateway when the ccm-manager config global configuration command is configured together with MGCP gateway fallback. The ccm-manager config global configuration command does not work properly in this situation.
Workaround: Disable the ccm-manager config global configuration command before you configure MGCP gateway fallback. Do not enable the ccm-manager config global configuration command while MGCP gateway fallback is enabled.
Note
When you disable the ccm-manager config global configuration command, you can no longer use the administration Web interface of the Call Manager to make configuration changes, nor can you use its "Reset" button. To change the configuration, use the Cisco IOS command-line interface (CLI).
•
CSCeb12191
Symptoms: When data is sent across an internal modem line, intermittent data loss may occur.
Conditions: This symptom is observed on a Cisco 2600 series, Cisco 3600 series, or Cisco 3700 series that is configured with an 8- or 16-port analog modem network module (NM-8AM or NM-16AM) and that is configured for PPP encapsulation.
Workaround: Do not use PPP encapsulation. Rather, use Serial Line Internet Protocol (SLIP) encapsulation.
Alternate Workaround: Enter the no ppp microcode interface configuration command.
•
CSCeb13156
Symptoms: After a Cisco AS5850 router is reloaded, the first 911 call sends two KP tones to mark the beginning of the Automatic Number Identification (ANI) and the Digital Number Identification Service (DNIS) digits, instead of one KP tone.
Conditions: This symptom is observed after the Cisco AS5850 has been reloaded or after Media Gateway Control Protocol (MGCP) has been explicitly restarted by issuing the no mgcp router configuration command followed by the mgcp router configuration command. The symptom will not occur again until MGCP is restarted again.
Workaround: There is no workaround.
•
CSCeb13202
Symptoms: If a three-level hierarchy service policy is attached to two different interfaces and the policers are removed from the parent class, the policers for the child class are also removed.
Conditions: This symptom is observed on a Cisco 7200 series and a Cisco 7500 series.
Workaround: Detach the service policies from the interfaces, and reattach them.
•
CSCeb13992
Symptoms: A modem may become stuck in the active state while the call switching module (CSM) is in the idle state, as is displayed in the output of the show csm modem privileged EXEC command. The output of the debug modem csm privileged EXEC command displays the "failed to allocate a non-idle modem" message.
Conditions: This symptom is observed during peak call rate on a Cisco AS5xx0 that is configured for Resource Policy Management System (RPMS) and Signaling System 7 (SS7).
Workaround: There is no workaround.
•
CSCeb16876
Symptoms: A Cisco router may generate a "SYS-2-GETBUF" message during the "Tag Input" process and may subsequently reload unexpectedly.
Conditions: This symptom is observed when the router fragments a Multiprotocol Label Switching (MPLS) packet.
Workaround: There is no workaround.
•
CSCeb17647
Symptoms: A large part of the startup configuration may be deleted.
Conditions: This symptom is observed when you load a boot image on a Cisco uBR905.
Workaround: There is no workaround.
•
CSCeb20616
Symptoms: A Cisco router pauses indefinitely when Cisco Express Forwarding (CEF) is disabled and there is traffic from one of the ports on a 16-port or 36-port EtherSwitch.
Conditions: This symptom is observed on a Cisco 3660 router or a Cisco 3700 series that is running Cisco IOS Release 12.3(1), that is configured with IP Security (IPSec), and that uses an Advanced Integration Module (AIM) card for encryption.
Workaround: Enable CEF globally.
Alternate Workaround: Disable the AIM card.
•
CSCeb20928
Symptoms: A Cisco Node Route Processor 1 (NRP-1), with 2000 PPP over Ethernet (PPPoE) over VLAN sessions, and the multi virtual terminal (VT) feature enabled, pauses indefinitely when sending traffic. CPU utilization reaches 100 percent, and the NRP-1 stops responding.
Conditions: This symptom is observed on a Cisco NRP-1 in heavy traffic.
Workaround: There is no workaround.
•
CSCeb20953
Symptoms: A Cisco IOS voice gateway may reload unexpectedly.
Conditions: This symptom is observed when an interactive voice response (IVR) prompt is simultaneously played out to multiple callers with streaming mode and the prompt server is delayed while the Cisco IOS voice gateway is under stress.
Workaround: Avoid placing the Cisco IOS voice gateway under stress for long periods of time.
Alternate Workaround: Disable the prompt streaming mode by entering the ivr prompt streamed none global configuration command.
•
CSCeb20989
Symptoms: After a Cisco router has reloaded, part of the configuration that is defined in the startup configuration may not show up in crypto maps.
Conditions: This symptom is observed on any Cisco platform that has an interface that requires a controller statement under the following conditions:
–
You enter the crypto map map-name local-address interface-id global configuration command.
–
For the interface-id argument, you enter the interface that is configured by the controller statement.
–
There are more than 35 instances of the crypto map map-name local-address interface-id global configuration command in the startup configuration.
Workaround: After the router has reloaded, enter the copy startup-config running-config EXEC command.
•
CSCeb23201
Symptoms: An Any Transport over Multiprotocol Label Switching (AToM) virtual circuit (VC) may become stuck and not respond to changes in the state of its attachment circuit.
Conditions: This symptom is observed on a Cisco Catalyst 6000 series or Cisco 7600 series that is configured for Ethernet over MPLS (EoMPLS) in VLAN mode.
Workaround: There is no workaround.
•
CSCeb24407
Symptoms: An IP version 6 (IPv6) link local address that has been manually configured by entering the ipv6 address ipv6-address link-local interface configuration command may disappear from the running configuration.
Conditions: This symptom is observed when you reload the Cisco platform on which the IPv6 link local address is configured or when a switchover between Route Processors (RPs) occurs on this platform.
Workaround: Reconfigure the IPv6 link local address.
Alternate Workaround: Manually configure the MAC address on the interface on which the IPv6 link local address is configured.
•
CSCeb26131
Symptoms: A Cisco AS5850 router may have high CPU usage in the IP input process because voice packets are punted from the line cards to the Route Switch Controller (RSC) card. To verify this symptom, enter the show interface type number stat EXEC command. The following output from the show interface command indicates that the entry for packets out (Pkts Out) in the "Distributed cache" field is 0.
Router#show interface g6/0 stat
GigabitEthernet6/0
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor        752      56786         25       3267
             Route cache          0          0       3120     666090
       Distributed cache       3019     644372          0          0
                   Total       3771     701158       3145     669357
Conditions: This symptom is observed on a Cisco AS5850 that handles voice calls. The symptom is not observed on the Cisco AS5850 with modem calls.
Workaround: There is no workaround.
•
CSCeb26162
Symptoms: A Cisco router may delay the transmission of the RADIUS Accounting-On message for too long.
Conditions: This symptom is observed on a Cisco router that is terminating PPP sessions. The delay in the transmission of the RADIUS Accounting-On message clears the accounting data related to the PPP sessions that are already up from the RADIUS server.
Workaround: Reset the PPP over X (PPPoX) clients that connected too early.
•
CSCeb26389
Symptoms: The same local label may be allocated to two different prefixes, which may be learned via two different routing protocols.
The Cisco Express Forwarding (CEF) entry for these two prefixes shows the same local label. Depending on how the route was learned, the local label in the Border Gateway Protocol (BGP) or Label Distribution Protocol (LDP) database may show the same label or two different labels for the two prefixes.
The Multiprotocol Label Switching (MPLS) forwarding table has only one entry that matches the last prefix that used the local label, and there is no entry for the other prefix. This situation may lead to a connectivity failure for the prefix that does not have an entry in the MPLS forwarding table.
Conditions: These symptoms are observed on a Cisco router that is configured with the MPLS VPN Carrier Supporting Carrier—IPv4 BGP Label Distribution feature and that has both BGP IP version 4 (IPv4) label distribution entries and LDP entries in the Routing Information Base (RIB).
The symptoms occur when a route is learned via both BGP IPv4 label distribution and Interior Gateway Protocol (IGP) (for example via Open Shortest Path First [OSPF] or Intermediate System-to-Intermediate System [IS-IS]), and the route that is learned via BGP IPv4 label distribution replaces the route that is learned via IGP in the RIB.
A list of the affected releases can be found at http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCdx74321. Cisco IOS software releases that are not listed in the "First Fixed-in Version" field at this location are not affected.
Workaround: Ensure that the local label is reallocated for the first prefix that does not have an entry in the MPLS forwarding table:
–
If the first prefix is learned via BGP IPv4 label distribution, enter the clear ip bgp neighbor-address or clear ip bgp * privileged EXEC command.
–
If the first prefix is learned via IGP and allocated by LDP, enter the no mpls ip global configuration command followed by the mpls ip global configuration command in order to restart LDP. If the route can be removed from IGP and then relearned via BGP IPv4 label distribution, LDP reallocates a local label.
•
CSCeb27363
Symptoms: A Cisco fax relay call does not go back into voice mode after a fax is sent. The fax call is transmitted successfully.
Conditions: The symptom is observed on a Cisco router when the call switches to fax and then back to voice.
Workaround: There is no workaround. The symptom is cleared with the next call.
•
CSCeb27452
Symptoms: A Cisco router that functions in a Multiprotocol Label Switching (MPLS) environment may reload unexpectedly with a bus error.
Conditions: This symptom is observed under rare circumstances when the router attempts to send an Internet Control Message Protocol (ICMP) packet that was triggered by an MPLS packet.
Workaround: There is no workaround.
•
CSCeb29431
Symptoms: A Cisco VG200 that has a transcoder and is configured with Cisco Conference Connection (CCC) has only one-way audio for certain callers.
Conditions: This symptom is observed under the following conditions:
–
The Cisco VG200 software has been upgraded from Cisco IOS Release 12.1(5)YH4 to Release 12.2(13)T4.
–
A conference call is in progress on the CCC server. All parties use the G.711u codec.
–
An IP phone caller at a remote site, using the G.729a codec, calls the CCC server to join the ongoing conference call.
–
The remote caller hears the prompt from the CCC server to enter the conference ID to join the ongoing conference.
–
Once the remote caller is in the conference, the caller cannot hear the other participants, but all other G.711u codec participants can hear the caller.
Workaround: Use Cisco IOS Release 12.1(5)YH4.
•
CSCeb29695
Symptoms: Calls on an E1 controller within an STM-1 trunk card using Media Gateway Control Protocol (MGCP) and PRI backhaul may not come up.
Conditions: This symptom is observed with an STM-1 trunk card on a Cisco AS5850 that is running Cisco IOS Release 12.3 or Release 12.3 T.
Workaround: Configure a PRI group under the E1 controller after the system and the STM-1 card are up. If the system reloads, unconfigure the PRI group and add the group again.
•
CSCeb30381
Symptoms: A Cisco router intermittently experiences a high CPU load because of a Service Selection Gateway (SSG) timeout.
Conditions: This symptom is observed after a Cisco router is upgraded to Cisco IOS Release 12.3(1).
Workaround: There is no workaround.
•
CSCeb31057
Symptoms: The Cisco IOS Firewall may open an access control list (ACL) for media channels in the reverse direction.
Conditions: This symptom is observed when a third-party vendor Session Initiation Protocol (SIP) is configured with a Cisco IP telephone on an inside network and an inbound call is made.
Workaround: There is no workaround.
•
CSCeb31501
Symptoms: A Cisco router that terminates a PPP-over-ATM (PPPoA) connection may fail to send a PPP terminate request (TERMREQ) to its PPP peer when the PPPoA session is cleared by entering the clear interface virtual-access number EXEC command.
Conditions: This symptom is observed when per-user authentication, authorization, and accounting (AAA) attributes are downloaded when the PPPoA session initially comes up.
Workaround: When the PPPoA session comes up, ensure that "no per-user" AAA attributes are downloaded from the remote AAA server. If this is not an option, there is no workaround.
•
CSCeb31598
Symptoms: During a failover between Route Switch Controllers (RSCs), the ISDN User Adaptation Layer (IUA)/Stream Control Transmission Protocol (SCTP) links of the failed RSC are not restored properly on the active RSC. This situation prevents the D channel from being maintained between the gateway and the call agent after the RSC handover event.
Conditions: This symptom is observed when the handover-split mode is enabled on a Cisco AS5850 that is configured with IUA/SCTP as the transport mechanism.
Workaround: There is no workaround.
•
CSCeb34687
Symptoms: Use of the show version EXEC command still shows the L3 cache in use even though the configuration includes the cache L3 bypass diagnostic command-line interface (CLI) command and the MGX Router Processor Module (RPM-XF) has been reloaded.
Conditions: This symptom is observed on a Cisco RPM-XF when a no redundancy switchover is performed.
Workaround: Perform a 1:N redundancy switchover.
•
CSCeb35205
Symptoms: A Cisco router may reload when a subdirectory is created on an Advanced Technology Attachment (ATA) Flash disk.
Conditions: This symptom is observed when the ATA Flash disk space that is allocated to the subdirectory contains data from previously deleted files.
When a subdirectory is created or extended, it is given space on the ATA Flash disk. If this space contains zeros, the symptom does not occur. However, if the space was previously used, the space does contain data bytes from the previous file, and these data bytes may confuse the file system. This situation may cause the router to reload.
Workaround: Do not create subdirectories on the ATA Flash disk.
•
CSCeb35210
Symptoms: A Cisco router that has a quality of service (QoS) service policy attached to an interface may generate memory alignment errors or reload unexpectedly because of a bus error during normal operation.
Conditions: This symptom is observed when the policy map of the service policy has a set action configuration and when traffic is being processed.
Workaround: Remove the set action configuration from the policy map.
•
CSCeb35542
Symptoms: Traffic that leaves a subinterface of a Cisco 7401 may be forwarded to the Route Processor (RP). The output of the show pxf accounting summary user EXEC or privileged EXEC command indicates that the counter for the "output feature" is increasing.
Conditions: This symptom is observed when a Cisco 7401 boots up with a configuration that includes two subinterfaces of the same interface that are configured to forward traffic via the same access group.
Workaround: Remove the configuration that enables the subinterfaces to forward traffic via the same access group. After the router has booted up, reenable this configuration.
•
CSCeb36413
Symptoms: E1 R2 calls may fail on a Cisco router.
Conditions: This symptom is observed on a Cisco AS5850 router that is running Cisco IOS Release 12.3(2)T.
Workaround: There is no workaround.
•
CSCeb36764
Symptoms: A call transfer from one local IP telephone to another local IP telephone may fail.
Conditions: This symptom is observed when a remote H.323 endpoint calls a Cisco IOS Telephony Services (ITS) IP telephone, as in the following call scenario:
1.
A subscriber of a Cisco PGW 2200 calls a Cisco ITS IP telephone (IP phone A) via H.323.
2.
IP phone A is configured to forward all calls and forwards the incoming call to a local IP telephone (IP phone B).
3.
IP phone B transfers the call to another local IP telephone. This transfer fails.
Workaround: There is no workaround.
•
CSCeb36929
Symptoms: When a Cisco router is performing tag imposition, it may reload because of a bus error.
Conditions: This symptom is observed when you create a new generic routing encapsulation (GRE) tunnel after the router has booted up and when GRE packets are received through this GRE tunnel and forwarded as Multiprotocol Label Switching (MPLS) packets.
Workaround: Enter the tag-switching ip interface configuration command followed by the no tag-switching ip interface configuration command on the newly created GRE tunnel interface.
•
CSCeb36963
Symptoms: VLAN class of service (CoS) bits may not be set for outgoing Multiprotocol Label Switching (MPLS) packets, although the modular QoS CLI (MQC) may indicate so.
Conditions: This symptom is observed on a Cisco 7200 series or Cisco 7500 series that runs Cisco IOS Release 12.2, Release 12.3, or Release 12.3 B when CoS marking is applied to a VLAN subinterface. Note that traffic that is generated by the router itself receives the correct CoS for all classes.
Workaround: There is no workaround.
•
CSCeb37367
Symptoms: When the MPLS VPN Carrier Supporting Carrier feature is configured on a Cisco router, Label Distribution Protocol (LDP) may advertise a local label binding without installing an associated entry in the Multiprotocol Label Switching (MPLS) forwarding table. When peers of the Cisco router receive the advertised label binding and use the Cisco router as an MPLS next hop for the prefix for which there is no entry in the MPLS forwarding table, packet loss occurs.
Conditions: This symptom is observed when the prefix is advertised by both Interior Gateway Protocol (IGP) and Border Gateway Protocol (BGP).
Workaround: Deconfigure and then reconfigure BGP on the Cisco router.
First Alternate Workaround: Reset the BGP connections.
Second Alternate Workaround: Disable and then reenable IP over MPLS globally by using the no mpls ip global configuration command followed by the mpls ip global configuration command.
•
CSCeb37410
Symptoms: The name of an interface in the output of the show ip vrf interfaces EXEC command may be truncated to 22 characters.
Conditions: This symptom is observed on a provider edge (PE) router that has Virtual Private Network (VPN) routing/forwarding (VRF) configured on an interface when the name of the interface is longer than 22 characters.
Workaround: To display the full name of the interface, enter the show ip vrf EXEC command, that is, without the interfaces keyword.
•
CSCeb38286
Symptoms: A Node Route Processor 1 (NRP-1) on a Cisco 6400 series may reload.
Conditions: This symptom is observed on a Cisco 6400 series that is configured with a Fast Ethernet interface. A list of the affected releases can be found at http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCin44735. Cisco IOS software releases that are not listed in the "First Fixed-in Version" field at this location are not affected.
Workaround: There is no workaround.
•
CSCeb39542
Symptoms: A Cisco router may reload unexpectedly when you attach a hierarchical quality of service (QoS) policy with a police feature.
Conditions: This symptom is observed when the router is configured with a Virtual Private Network (VPN) hardware accelerator module that has Low Latency Queueing (LLQ) enabled.
Workaround: There is no workaround.
•
CSCeb41067
Symptoms: A Cisco IOS gateway that functions as a terminating endpoint may reload unexpectedly when a call is terminated by an interactive voice response (IVR) application.
Conditions: This symptom is observed when an IVR application attempts to bridge a delayed-media Session Initiation Protocol (SIP) call.
Workaround: There is no workaround.
•
CSCeb41735
Symptoms: The interfaceSpecificBillingId field in the admission request (ARQ) nonstandard message is not copied into the location request (LRQ) nonstandard message.
Conditions: This symptom is observed on a Cisco gatekeeper (for example, a Cisco 2600 series, Cisco 3600 series, or Cisco 7200 series) when it receives ARQ nonstandard field information from a voice gateway.
Workaround: There is no workaround.
•
CSCeb42023
Symptoms: An IP Security (IPSec) hub router that has been reloaded may send traffic unencrypted instead of triggering an Internet Key Exchange (IKE) to negotiate new IPSec security associations (SAs), which can be verified in the output of the show crypto ruleset detail privileged EXEC command. This situation causes a spoke router to deny the unencrypted traffic from the IPSec hub router because the security policy of the spoke router requires the traffic to be encrypted.
Conditions: This symptom is observed on a Cisco 7200 series that runs Cisco IOS Release 12.2(15)T or Release 12.3 and that functions as an IPSec hub router that has nontrivial crypto maps and access control lists (ACLs) that are applied to one or more interfaces. The router has more than 100 maps in a map set; each map has a separate ACL; each ACL has two or three access control entries (ACEs).
The symptom does not occur with a simple crypto configuration.
Remote exploitation of this caveat is possible but opportunistic. Although an adversary may cause the router to reload, it cannot control the configuration of the router. There is some regularity as to which crypto maps will not be applied, but that is not guaranteed, and an adversary cannot control this situation. Furthermore, the spoke router or router at the far end will reject packets because they are not encrypted. This limits the usefulness of this vulnerability to an adversary.
The consequence of this caveat is a potential information disclosure. However, the information disclosure may be limited, depending on the underlying protocol. In a case in which some form of a handshake must be performed first, no information disclosure will occur: the spoke router or router at the far end will refuse to establish a session, so no actual data will be transmitted and no information disclosure will occur.
Workaround: To prevent the symptom from occurring, remove the configuration of the crypto map map-name local-address interface-id global configuration command from the affected crypto map set.
When the symptom occurs, remove the affected crypto map from the interface. Then, reconfigure the crypto map on the interface. Alternately, remove the ACL from the affected crypto map. Then, reapply the ACL to the crypto map.
•
CSCeb42540
Symptoms: The banner global configuration command in the Cisco Networking Services (CNS) config-changed event output may not be correctly formatted.
Conditions: This symptom is observed on a Cisco IOS platform when you enter the cns config notify diff global configuration command and the banner global configuration command.
Workaround: There is no workaround.
•
CSCeb42742
Symptoms: A Cisco MGX Route Processor Module XF (RPM-XF) may not allow two partitions to share the same virtual path identifier (VPI) range.
Conditions: This symptom is observed when you configure two partitions with the same VPI range but with a different virtual channel identifier (VCI) range.
Workaround: There is no workaround.
•
CSCeb42902
This caveat consists of two symptoms, two conditions, and two workarounds:
1.
Symptom 1: A network access server (NAS) may incorrectly generate the autocommand ppp negotiate line configuration command.
Condition 1: This symptom is observed when a RADIUS server performs EXEC authorization for users with service type 6 (administrative) and service type 2 (framed).
Workaround 1: There is no workaround.
2.
Symptom 2: The Double Authentication feature may not function.
Condition 2: This symptom is observed on a Cisco NAS that runs Cisco IOS Release 12.3.
Workaround 2: There is no workaround.
•
CSCeb43118
Symptoms: The following symptoms may occur:
–
Spurious memory accesses
–
Tracebacks
–
An unexpected exception in CPUvector 1200
–
A segmentation violation (SegV) exception
Conditions: These symptoms are observed when fax pass-through calls are placed to the following ATM adaptation layer 2 (AAL2) types:
–
codec aal2-profile ITUT 1 g711ulaw
–
codec aal2-profile ITUT 2 g711ulaw
–
codec aal2-profile ITUT 7 g711ulaw
–
codec aal2-profile ITUT 7 g729br8
–
codec aal2-profile custom 110 g729br8
–
codec aal2-profile custom 100 g711ulaw
–
codec aal2-profile custom 110 g711ulaw
–
codec aal2-profile custom 100 g726r32
The symptom may be specifically associated with g729br8.
Workaround: If the symptom is related to g729br8, select another codec. If you do not need to use any AAL2 codecs, configure IP or Frame Relay. If you do need to use g729br8 and the symptom is related to this codec, there is no workaround.
•
CSCeb43355
Symptoms: A Cisco router may pause indefinitely because of memory corruption.
Conditions: This symptom is observed on a Cisco router whenever the show atm svc [vpi/vci | name | interface atm interface-number] EXEC command or the show atm vc [vcd | interface interface-number] EXEC command is entered.
Workaround: There is no workaround.
•
CSCeb43381
Symptoms: Incorrect values may be returned for the ifInOctets IF-MIB object.
Conditions: This symptom is observed on a Cisco 7200 series that is configured with a Network Processing Engine G1 (NPE-G1) when the ifInOctets counter is polled via Simple Network Management Protocol (SNMP) on a Gigabit Ethernet subinterface that is configured for 802.1q encapsulation.
Workaround: There is no workaround.
•
CSCeb43548
Symptoms: When the tx-ring-limit interface configuration command is used and the value is set at 3, packets are dropped.
Conditions: This symptom is observed on a Cisco router that is configured for quality of service (QoS) and that uses digital subscriber line (DSL) interfaces.
Workaround: Remove the tx-ring-limit 3 interface configuration command for non-QoS configurations. When a QoS configuration is required, use Cisco IOS Release 12.2(15)T or a later release, or use Release 12.3(1).
•
CSCeb43574
Symptoms: A Cisco 831 may reload unexpectedly when you enter the no ip urlfilter exclusive-domain {permit | deny} domain-name global configuration command.
Conditions: This symptom is observed when you attempt to deconfigure an exclusive domain without having first configured it. That is, you have not first entered the ip urlfilter exclusive-domain {permit | deny} domain-name global configuration command.
Workaround: There is no workaround.
•
CSCeb43674
Symptoms: When the CSAdmin or CSAuth services fail on a primary Access Control Server (ACS), authentication does not fail over to the secondary server as it should.
Conditions: This symptom is observed on a Cisco ACS that acts as the primary server.
Workaround: Configure CSAuth.
•
CSCeb44695
Symptoms: When generic routing encapsulation (GRE) is protected with IP security (IPSec) by use of the tunnel protection router configuration command and the peer loses its security associations (SAs), the peer that lost its phase 2 SAs does not act upon invalid service profile identifier (SPI) events as it should. This symptom also occurs if the crypto policy is dynamically constructed and the peer loses its phase 2 SAs. This behavior could be tunnel protection for multipoint GRE (mGRE), dynamic crypto maps, crypto profiles for Layer 2 Tunneling Protocol (L2TP) traffic, or Easy VPN connections.
Conditions: This symptom is observed when the original delete notification is not sent because at that time there is no active Internet Key Exchange (IKE) SA between the peers. However, when a new IKE SA is subsequently established and traffic continues to be sent on the old SAs, the peer that does not have the phase 2 SAs still does not generate the necessary delete notifications.
Dead-Peer Detection (DPD) cannot cure either symptom and the tunnel remains unusable until either the SAs are cleared on the peer that has the phase 2 SAs or the SAs time-out normally.
Workaround: There is no workaround.
•
CSCeb46191
Symptoms: When a Cisco router is configured for both internal Border Gateway Protocol (iBGP) load balancing and Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN), incorrect MPLS labels may be installed. When one of the load-balancing links flaps, connectivity may be lost between the VPN sites.
Conditions: This symptom is observed in the Cisco IOS releases that are listed in the "First Fixed-in Version" field at the following location:
http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCdy76273.
Cisco IOS software releases that are not listed in the "First Fixed-in Version" field at this location are not affected.
Workaround: Disable iBGP load balancing.
•
CSCeb46554
Symptoms: In a non-RADIUS proxy mode, a Service Selection Gateway (SSG) does not include attribute 25 (class) in the host accounting packets. In RADIUS proxy mode, SSG functions correctly, and attribute 25 is included in the host and connection accounting packets.
Example of attribute 25:
RADIUS(00000000): Send Accounting-Request to 192.168.69.7:1813 id 21659/178, len 228
RADIUS: Class [25] 12
RADIUS: 31 34 30 34 39 36 32 37 31 30 [1404962710]
RADIUS: Service-Type [6] 6 Framed [2]
Conditions: This symptom is observed on all Cisco platforms that are running Cisco IOS Release 12.2(16)B.
Workaround: There is no workaround when you are unable to use SSG in RADIUS proxy mode.
•
CSCeb46738
Symptoms: An Easy VPN tunnel may come up with an incorrect password that is configured on the Easy VPN server.
Conditions: This symptom is observed when you configure the right password and bring the tunnel up, then change the password on the Easy VPN server, disconnect the tunnel, and once again establish the tunnel from the unity client. The tunnel comes up properly even when the wrong password is configured.
Workaround: Wait until all of the Internet Security Association and Key Management Protocol (ISAKMP) security association (SA) table is flushed, and try once again. The tunnel does not come up, and an error will be displayed.
•
CSCeb47086
Symptoms: When the integrated Signaling Link Terminal (SLT) functionality is running on a Cisco AS5350 or Cisco AS5400, the Signaling System 7 (SS7) links will not come into service. Using an SS7 analyzer indicates that Link Status Signal Units (LSSUs) are not being transmitted from the Cisco AS5350 or Cisco AS5400 to the SS7 network.
Conditions: This symptom is observed when the Cisco AS5350 or Cisco AS5400 is configured with a 2-, 4-, or 8-port PRI board that contains the D4 version of an MPC860 processor. You can verify the version of the MPC860 processor by entering the show chassis slot detail EXEC command. The symptom occurs when the board hardware version is version 4.0 or a later version.
Workaround: Install a PRI board with a board hardware version earlier than 4.0.
•
CSCeb47159
Symptoms: The timeouts ringing {seconds | infinity} voice-port configuration command is used to determine the value of the ring, no answer timer. The timer is limited by the H.323 timer when the call is using H.323. The timer will always be stopped on call cleanup procedures. The H.323 connect timer that is configured under the voice class h323 tag global configuration command is always started on the originating gateway after reception of an Alerting or Progress message. The default value is 180 seconds with a range of 60 to 360 seconds. Upon triggering this timer, the cleanup procedures for the call are invoked. If the ring, no answer timer exceeds the H.323 connect timer, it will have no effect.
Conditions: This symptom is observed for ISDN-H.323 calls.
Workaround: There is no workaround. The best solution is to configure the H.323 connect timer to the maximum value of 360.
•
CSCeb47188
Symptoms: A Cisco IAD2420 series may not collect digits properly. One number 2 may become two number 4s in the dialed digits that are detected by a voice telephony service provider (VTSP).
Conditions: This symptom is observed on a Cisco IAD2420 series that is interconnected via a digital interface to a BTS10200 softswitch that runs software release 3.5.1v01. When the Cisco IAD2420 series is rebooted and sends Restart in Progress (RSIP) messages to the call agent (CA), the trunks are automatically brought back into service. The symptom occurs when a PBX goes off-hook, then on-hook (without dialing digits), then off-hook again on the same channel, and then begins dialing.
Workaround: There is no workaround.
•
CSCeb47343
Symptoms: A Cisco MGX Route Processor Module XF (RPM-XF) front card may reset because of a software exception.
Conditions: This symptom is observed rarely when the multi-virtual-circuit (Multi-VC) feature is enabled, when the Label Switch Controller (LSC) reloads or you enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the interface that is configured for Multiprotocol Label Switching (MPLS), and when routes flap.
Workaround: There is no workaround.
•
CSCeb47812
Symptoms: A Cisco 7500 series or Cisco 7600 series may generate the following error message on its console:
Invalid memory action (malloc) at interrupt level
Conditions: This symptom is observed when you enter the clear counters EXEC command.
Workaround: There is no workaround.
•
CSCeb48423
Symptoms: A Service Selection Gateway (SSG) is unable to resolve a Domain Name System (DNS) query.
Conditions: This symptom is observed on a Cisco 6400 series router.
Workaround: There is no workaround.
•
CSCeb48517
Symptoms: A Cisco 7200 series that is configured for IP Security (IPSec) Virtual Private Networks (VPNs) and that has hardware acceleration enabled on a service adapter VPN Acceleration Module (SA-VAM) may reload because of a software condition.
Conditions: This symptom is observed on a Cisco 7200 series that has operated normally for a period of time.
Workaround: Enter the crl optional ca-trustpoint configuration command on the router.
•
CSCeb49161
Symptoms: When you attempt to load a Tool Command Language (Tcl) script by using the call application voice global configuration command, a Cisco gateway may reload.
Conditions: This symptom is observed when the Tcl script contains a nested procedure call.
Workaround: There is no workaround.
•
CSCeb49199
Symptoms: When a provider edge (PE) router that is running IP version 6 (IPv6) in a Multiprotocol Label Switching (MPLS) environment (also referred to as a 6PE router) is switching traffic, low performance may occur. The output of the show alignment EXEC command displays spurious memory accesses (one per packet) at a low address (around 17).
Conditions: This symptom is observed on the 6PE router when an IP version 4 (IPv4) output feature is configured on any interface or when an IPv4 input feature is configured on the MPLS interface that is used by 6PE traffic. Enter the show mpls interfaces [interface] [detail] privileged EXEC command, and check the output for the presence of the phrase "MPLS feature vector."
Workaround: Ensure that on the 6PE router, no IPv4 output feature is configured on any interface and that no input feature is configured on an MPLS interface on which 6PE traffic is traversing.
•
CSCeb49581
Symptoms: A linkUp trap may not be generated on a Cisco router.
Conditions: This symptom is observed on a Cisco 3600 series that runs Cisco IOS Release 12.2(17) but may also occur in other releases.
Workaround: There is no workaround.
•
CSCeb49708
Symptoms: A Cisco router may pause indefinitely when a PPP over Ethernet over Ethernet (PPPoEoE) session is initiated.
Conditions: This symptom is observed on a Cisco Node Route Processor 2 (NRP-2).
Workaround: There is no workaround.
•
CSCeb50451
Symptoms: When two Media Gateway Control Protocol (MGCP) messages that specify the same MGCP endpoint are sent within moments of each other to a Cisco IOS MGCP gateway, the messages may be processed out of order or the first message may not be answered.
Conditions: This symptom is observed when the call agent sends a Modify Connection (MDCX) RecvOnly that is followed by a Notify Request (RQNT S) L/dl in quick succession.
Workaround: Ensure that there is only one command outstanding per MGCP endpoint. This is the recommendation of the Internet standard RFC 2705, and most MGCP call agents already follow this recommendation.
•
CSCeb51277
Symptoms: A Cisco router may pause indefinitely when the no telephony-service and no call-manager-fallback global configuration commands are continuously entered on the router.
Conditions: This symptom is observed in a test environment when the router is stressed by continuously entering the no telephony-service and no call-manager-fallback global configuration commands.
Workaround: Do not continuously enter the no telephony-service and no call-manager-fallback global configuration commands.
•
CSCeb52067
Symptoms: A Reliability, Availability, and Serviceability (RAS) server does not allocate the IP addresses to the dial-in clients when the user profile on the Access Control Server (ACS) contains a pool name "addr-pool=foo." If this pool is not defined locally, the subsequent request to the ACS fails.
Conditions: This symptom is observed on a Cisco RAS server that is running Cisco IOS Release 12.3(3) when the authorization profile contains an IP pool name that is not configured locally.
Workaround: Configure the IP address pool locally.
•
CSCeb52119
Symptoms: A voice connectivity test may fail.
Conditions: This symptom is observed on a Cisco 1751 router that is running the c1700-sv3y-m image of Cisco IOS Release 12.3(2)T. The symptom may also occur in other releases.
Workaround: There is no workaround.
•
CSCeb52314
Symptoms: A Cisco AS5850 that is configured with two DS0 groups may select the DS0 group that is not defined on any plain old telephone service (POTS) dial peer for outgoing calls.
Conditions: This symptom is observed when one of the DS0 groups is already in use, causing the gateway to select the DS0 group that is not defined on a POTS dial peer.
Workaround: There is no workaround.
•
CSCeb52330
This caveat consists of two symptoms, two conditions, and two workarounds.
1.
Symptom 1: The interface commands in the CNS configuration notify changed message contain unexpected data.
Condition 1: This symptom is observed when you configure the CNS cns config notify diff global configuration command and you configure interface global configuration commands on the Cisco IOS device.
Workaround 1: There is no workaround if only the changes in the configuration are expected in the CNS configuration notify changed message.
Alternate Workaround 1: Specify the all option for the cns config notify global configuration command.
2.
Symptom 2: Once the cns config notify global configuration command is configured, the router may not detect a newly created interface.
Condition 2: This symptom is observed when the diff option in the cns config notify global configuration command is selected and a new dynamic interface is created.
Workaround 2: There is no workaround.
•
CSCeb53162
Symptoms: A Cisco router may reload because of memory corruption.
Conditions: This symptom is observed on a Cisco 7200 series with a Network Service Engine 1 (NSE-1) processor board or a Cisco 7401 router that acts as a Layer 2 Tunneling Protocol session endpoint system. Parallel Express Forwarding (PXF) is turned on and the per-user rate limit configuration has been downloaded from an authentication, authorization, and accounting (AAA) server that has a high traffic rate (about 120 Mbps) and a high CPU load (about 70 percent). The symptom occurs as the sessions go up and down when the users log on and off.
Workaround: There is no workaround.
•
CSCeb53380
Symptoms: The effective call rate may be 75 percent of the expected call rate.
Conditions: This symptom is observed on a Cisco 10000 series that functions as an L2TP network server (LNS) that is enabled for PPP Termination Aggregation (PTA).
Workaround: There is no workaround.
•
CSCeb53422
Symptoms: A call setup failure may occur for high-delay links with a round-trip time greater than 300 milliseconds.
Conditions: This symptom is observed on a Cisco platform that runs Cisco IOS Release 12.2(16) but may also occur in other releases.
The call fallback subsystem hard-codes the amount of time it will wait for the response to probes to 300 milliseconds. The probes fail if the round-trip time is more than 300 milliseconds, even though the network is a high-bandwidth network.
Workaround: There is no workaround.
•
CSCeb53582
Symptoms: During an onramp fax call, a Cisco router may take up to 40 seconds to clear a channel.
Conditions: This symptom is observed on a Cisco 2600 series when the fax call was terminated during the fax negotiation. The symptom may also occur on other platforms.
Workaround: There is no workaround.
•
CSCeb54098
Symptoms: A router that is configured with VPN routing and forwarding (VRF) aware IP security (IPSec) does not route packets in the given VRF; instead, the packets are routed using the default routing table.
Conditions: This symptom is observed on a Cisco router if Cisco Express Forwarding (CEF) is enabled, and if there is a subinterface configured with VRF aware IPSec and another subinterface configured with VRF.
Workaround: Turn off CEF switching on the IPSec aggregator.
•
CSCeb55230
Symptoms: When a Cisco AS5400 that functions as a gateway originates a Session Initiation Protocol (SIP) "invite" message for a voice call and receives a "200 OK" response to this message while it is processing a T.38 fax call, the gateway may send a "bye" message to terminate the established dialog for the voice call.
Conditions: This symptom is observed when the incoming voice call does not match a Voice over IP (VoIP) dial peer and the default fax protocol on the gateway is T.38.
Workaround: Configure an inbound VoIP dial peer that matches an initial incoming SIP "invite" message.
•
CSCeb56025
Symptoms: A Cisco platform that functions as a gateway may report a "destination out of order" cause code for a call that is disconnected in a normal way.
Conditions: This symptom is observed when an H.245 TCP connection close request reaches the gateway before the H.225 release complete message (RLC), which causes the gateway to assume that the H.245 connection is terminated and to tear down the call with a "destination out of order" cause code. This situation may occur with semirouted gatekeeper signaling, when the H.225 connection runs via a gatekeeper and the H.245 connection runs directly between the gateway and a third-party vendor endpoint. This situation may also occur when a race condition occurs between the connection close request and the RLC.
Workaround: Ensure that the third-party vendor endpoint sends an end session command (an H.245 message) before tearing down the H.245 connection.
•
CSCeb56480
Symptoms: A Label Distribution Protocol (LDP) session may not be established and may cause network connectivity problems (a ping may fail). The local LDP identifier is set to 0.0.0.0:0 instead of a valid identifier.
Conditions: This symptom is observed in Multiprotocol Label Switching (MPLS) configurations when LDP is enabled.
Workaround: Enter the no mpls ip router configuration command followed by the mpls ip router configuration command.
•
CSCeb56547
Symptoms: Packets that are received from the Multiprotocol Label Switching (MPLS) backbone by a provider edge (PE) router are not encrypted and are forwarded to the customer edge (CE) router. A traceback appears.
Conditions: This symptom has been observed on a Cisco 2650 router that is configured to terminate IP security (IPSec) tunnels with Virtual Private Network (VPN) routing and forwarding (VRF).
Workaround: There is no workaround.
•
CSCeb56569
Symptoms: After a Node Switch Processor (NSP) failover has occurred, Open Shortest Path First (OSPF) on the NSP may become stuck in the "INIT" state, even though OSPF is in the "FULL" state on the Node Route Processor 2 (NRP-2).
Conditions: This symptom is observed on a Cisco 6400 series that is configured with redundant NSPs.
Workaround: Reload the NRP-2.
•
CSCeb56964
Symptoms: The following traceback may appear during a fax call:
%HPI-3-FAILED_START: channel:1:15:25 DSP ID:0x1, failed mode 0 for service 26 -Traceback= 147434C 1483864 1580C40 160043C 1600E58 154B758 154C79C 14F2D34442E48 446F28
Conditions: This symptom is observed on a Cisco 3810 after an upgrade from Cisco IOS Release 12.2(13) to Release 12.3(1).
Workaround: There is no workaround.
•
CSCeb57018
Symptoms: A Cisco platform may reload because of a software condition when an Internet Key Exchange (IKE) security association (SA) expires and certificates and Rivest, Shamir, & Adleman (RSA)-signature authentication are used for the SA.
Conditions: This symptom is observed on a Cisco platform that runs Cisco IOS Release 12.3, Release 12.3 B, or Release 12.3 T when the peer uses fully qualified domain name (FQDN) or user FQDN as the identity, but the certificate that it provides does not carry the FQDN or user FQDN.
Workaround: Use certificates that carry the FQDN or user FQDN.
Alternate Workaround: Configure the peer to send the identity as an IP address or Distinguished Name (DN).
•
CSCeb57474
Symptoms: A Cisco feature board may not come up after a system reload.
Conditions: This symptom is observed on a Cisco AS5850 that is running Cisco IOS Release 12.3(2)T.
Workaround: There is no workaround.
•
CSCeb57571
Symptoms: Bulk updates on a Cisco router do not occur.
Conditions: This symptom is observed on a Cisco router if the configuration is downloaded from the auto configuration (auto_config) file on the Processor Switch Module (PXM).
Workaround: Switch over to a redundant Route Processor Module (RPM).
•
CSCeb58830
Symptoms: When an originating gateway (OGW) has the fax protocol t38 fallback none dial-peer configuration command enabled and the terminating gateway (TGW) is not configured for fax, a fax call fails, which is proper behavior. However, when Session Initiation Protocol (SIP) sends a negative acknowledgment (NAK) response to the "FAX_START" event that was sent by the voice telephony service provider (VTSP), the VTSP may continue to send "FAX_START" events, even after it has received the NAK response. This situation continues for a while before the fax call is finally disconnected.
Conditions: This symptom is observed when a SIP T.38 fax call is made between a Cisco AS5300 that functions as an OGW and another Cisco AS5300 that functions as a TGW.
Workaround: There is no workaround.
•
CSCeb59201
Symptoms: A start accounting request is not sent for a redundant dial peer when the primary dial peer fails.
Conditions: This symptom is observed on a Cisco AS5300.
Workaround: There is no workaround.
•
CSCeb59210
Symptoms: Software bus errors may occur at the "DEADBEEF" invalid address when you configure extended access control lists (ACLs) on a Cisco 7400 series, and the following error message may be displayed:
System returned to ROM by bus error at PC 0x6050CDBC, address 0xDEADBEFB
Conditions: This symptom is observed on a Cisco 7400 series that is running Cisco IOS Release 12.2(15)T2 but may also occur in other releases.
Workaround: There is no workaround.
•
CSCeb59595
Symptoms: A Cisco router that uses RSA-SIG authentication for Internet Key Exchange (IKE) stops responding because of a watchdog timeout of the crypto certificate authority (CA) process.
Conditions: This symptom is observed if the watchdog timeout occurs when the router receives a sudden barrage of certificate revocation list (CRL) update requests from several peers simultaneously.
Workaround: Make sure that the CRL update requests from the peers are staggered.
•
CSCeb59710
Symptoms: All of the extended Multiprotocol Label Switching (MPLS) ATM (XTagATM) interfaces may flap on a label switch controller (LSC).
Conditions: This symptom is observed when an edge label switch router (LSR) resets or when ATM Services (AXSM) trunks flap.
Workaround: There is no workaround.
•
CSCeb59738
Symptoms: The output from the show diag EXEC command indicates that a voice interface card (VIC-1J1) is an unknown card.
Conditions: This symptom is observed on a Cisco router that has a VIC-1J1.
Workaround: There is no workaround.
•
CSCeb60179
Symptoms: There may not be an E1 R2 variant to support an interconnection with a PBX.
Conditions: This symptom is observed on a Cisco AS5400.
Workaround: There is no workaround.
•
CSCeb60340
Symptoms: In a T.38 fax relay test environment, the accounting records display an 8-second difference in the disconnection time between the IP leg and the telephony leg of the call.
Conditions: This symptom is observed when an originating fax machine loses power or its connection while a fax is being transmitted.
Workaround: There is no workaround.
•
CSCeb60589
Symptoms: A Cisco router may reserve the incorrect amount of bandwidth in the flow reservation procedure. This can lead to incorrect Call Access Control (CAC) calculations and voice quality problems.
Conditions: This symptom is observed on a Cisco router that is configured with Resource Reservation Protocol (RSVP) in order to perform CAC and provide quality of service (QoS) to the Voice over IP (VoIP) traffic.
Workaround: Use another QoS feature instead of RSVP.
•
CSCeb61516
Symptoms: Very high CPU utilization (up to 99 percent) may occur on a Cisco router when you enter the clear pppoe interface interface-type interface-number all privileged EXEC command.
Conditions: This symptom is observed on a Cisco router that is configured with a large number of subinterfaces (32,000) and PPP-over-Ethernet (PPPoE) sessions (16,000).
Workaround: There is no workaround.
•
CSCeb61825
Symptoms: While a bandwidth class is congested, another bandwidth class that is not congested may experience extra latency.
Conditions: This symptom is observed on an enhanced ATM OC-3 port adapter (PA-A3) that is installed in a Cisco 7500 series on which distributed Class-Based Weighted Fair Queueing (dCBWFQ) is enabled.
Workaround: There is no workaround.
•
CSCeb62113
Symptoms: A directory gatekeeper may reload unexpectedly.
Conditions: This symptom is observed on a Cisco platform that functions as a gatekeeper when it receives a "RESPONSE LRQ" message from a Gatekeeper Transaction Message Protocol (GKTMP) server with only "i" (destination carrier ID) information in the "J" (carrier information) tag.
Workaround: There is no workaround.
•
CSCeb62381
Symptoms: Any packets that are locally generated by a Route Processor (RP) or Route Switch Processor (RSP) may not be properly forwarded over a Multiprotocol Label Switching (MPLS) traffic engineering (TE) Fast Reroute (FRR) backup tunnel.
Conditions: This symptom is observed on any Cisco platform that has a distributed architecture such as a Cisco 7500 series and a Cisco 12000 series when the Cisco Express Forwarding (CEF) adjacency for the primary TE tunnel appears to be incomplete, as can be displayed in the output of the show adjacency type number EXEC command when you enter the primary TE tunnel interface for the type and number arguments.
Workaround: There is no workaround.
•
CSCeb62876
Symptoms: A Cisco router may continue to send 64-bit counters in authentication, authorization, and accounting (AAA) records when it no longer should do so. These counters may also be invalid.
Conditions: This symptom is observed for certain TCP-Clear connections.
Workaround: There is no workaround.
•
CSCeb63310
Symptoms: A Cisco router may reload unexpectedly.
Conditions: This symptom is observed on a Cisco router that is running Cisco IOS Release 12.2(17), later releases of Release 12.2, or Release 12.3. The interface of the router has an output service policy attached, and the bandwidth interface configuration command or the fair-queue interface configuration command is configured in the policy map attached by the service-policy router configuration command. The traffic is flowing through the interface at a fast rate. The router reloads under the following conditions:
–
The interface has the ip rsvp bandwidth interface configuration command configured, and the router reloads when you enter the no ip rsvp bandwidth interface configuration command.
–
The interface does not have the ip rsvp bandwidth interface configuration command configured, and you issue the ip rsvp bandwidth interface configuration command.
–
You issue the ip rtp reserve lowest-udp-port range-of-ports interface configuration command.
In all three situations, a service policy that is configured with the bandwidth or fair-queue command is attached to the interface.
Workaround: Shut down the interface before issuing the above commands. Enable the interface again after issuing the commands.
•
CSCeb63465
Symptoms: If an originating gateway (OGW) advertises payload type 13 or 19 for comfort noise in Session Description Protocol (SDP) of an "Invite" message, and the terminating gateway (TGW) does not indicate its support in SDP of its response to the OGW, the OGW may continue to generate comfort-noise packets to fill up periods of silence.
Conditions: This symptom is observed when an outbound Voice over IP (VoIP) dial peer has voice activity detection (VAD) configured and when the OGW advertises payload type 13 or 19 in SDP of its "Invite" message.
Workaround: Disable comfort-noise generation on the OGW by entering the no vad dial-peer configuration command. However, doing so does not facilitate the negotiation of comfort-noise packet generation.
•
CSCeb63779
Symptoms: An outgoing Large Scale Dial-Out (LSDO) call may not be forwarded to other Stack Group Bidding Protocol (SGBP) members from a network access server (NAS) that has all of its trunks down.
Conditions: This symptom is observed on a Cisco NAS that is configured with SGBP, and that is running Cisco IOS Release 12.2(15)T2.
Workaround: There is no workaround.
•
CSCeb64165
Symptoms: Internet Key Exchange (IKE) fails if the crl optional ca-identity configuration command is configured on a Cisco router.
Conditions: This symptom is observed on a Cisco router that has IKE configured. If the crl optional command is changed to the crl mandatory command on an nsca-r1 trustpoint, IKE does not fail.
Workaround: Do not configure the crl optional command.
•
CSCeb64380
Symptoms: Public keys may be lost from a key ring on a Cisco router, preventing the command-line interface from parsing the configuration when the router boots up.
Conditions: This symptom is observed after the router has reloaded and when there are multiple Rivest, Shamir, & Adleman (RSA) public keys in the key ring.
Workaround: There is no workaround.
•
CSCeb64476
Symptoms: When an interdigit timeout occurs, an incoming call may be rejected when the translation rule for the called number is defined under a voice port or in the ephone-dn global configuration command.
Conditions: This symptom is observed when the incoming call is controlled by an interactive voice response (IVR) application. The symptom occurs because no outbound dial-peer matching is invoked when the translation of the called number fails when the interdigit timeout occurs.
Workaround: When the translation rule for the called number is defined in the ephone-dn global configuration command, there is no workaround. When the translation rule for the called number is defined under a voice port, define the "default.c.old" application on an inbound dial peer.
•
CSCeb64535
Symptoms: The Calling Line ID (CLID) and dialed number identification service (DNIS) information reported in the authentication, authorization, and accounting (AAA) accounting records for RADIUS as Calling-Station-ID and Called-Station-ID may not be accurate.
Conditions: This symptom is observed in a mixed dial-in and dial-out environment in which Large-Scale Dial-Out (LSDO) is used. Some LSDO accounting records contain the number of a different dial-in call. Some dial-in calls report the Called-Station-ID from a previous dial-out call as their Calling-Station-ID.
These symptoms are caused by the network access server (NAS) allocating the same AAA ID to different calls. The output from the debug radius privileged EXEC command sometimes shows the same AAA ID for both calls.
Workaround: There is no workaround.
•
CSCeb64745
Symptoms: An L2TP access concentrator (LAC) may stop processing Routing Information Protocol (RIP) updates on all its interfaces.
Conditions: This symptom is observed when you enter the show running-config privileged EXEC command for a large configuration.
Workaround: There is no workaround. After the output of the show running-config privileged EXEC command is displayed, the LAC continues to process RIP updates.
•
CSCeb64844
Symptoms: A Cisco voice gateway that has the voice translation-rule global configuration command enabled may not accept a correct translation rule and may generate a syntax error message. If the voice translation rule that is defined in the voice translation-rule global configuration command is accepted, it may incorrectly strip off the last character in the replacing string.
Conditions: This symptom is observed on a Cisco voice gateway that runs a Cisco IOS release that is listed in the "First Fixed-in Version" field at the following location:
http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCeb37190
Workaround: There is no workaround.
•
CSCeb65316
Symptoms: After a Cisco gateway reloads, only the first 24 channels initialize.
Conditions: This symptom is observed on a Cisco gateway that uses Media Gateway Control Protocol (MGCP).
Workaround: There is no workaround.
•
CSCeb65512
Symptoms: Not all of a MIB may be delivered over the CNS Event Bus.
Conditions: This symptom is observed when the MIB is large.
Workaround: There is no workaround.
•
CSCeb65637
Symptoms: A call setup to an IP network may be delayed or rejected.
Conditions: This symptom is observed when a Tool Command Language (Tcl) interactive voice response (IVR) application attempts to set up a call without specifying the incoming leg. A call setup without an incoming call leg results in an H.225 "setup" message or Registration, Admission, and Status (RAS) protocol admission message with zeros in the callIdentifier field.
Workaround: Set up a call with an incoming leg.
Alternate Workaround: Assuming that the generated globally unique identification (GUID) does not affect the billing system or the remote endpoint, enter the set callinfo TCL IVR API command to generate a new conference ID and call ID.
•
CSCeb65671
Symptoms: An incorrect virtual circuit (VC) disposition label may be generated, causing packets to drop.
Conditions: This symptom is observed when VC label attributes, such as a control word setting or a VC type, do not match on a pseudowire.
Workaround: Toggle the interface on which the pseudowire is configured by entering the shutdown interface configuration command followed by the no shutdown interface configuration command.
•
CSCeb66080
Symptoms: A Cisco AS5850 with a Synchronous Transport Module level 1 (STM-1) board cannot support a network access server (NAS) on more than 29 Engine 1 (E1) controllers.
Conditions: This symptom is observed on a Cisco AS5850 with an STM1 that is configured for use with the Media Gateway Control Protocol (MGCP). The STM1 has a total of 63 E1 controllers. The system correctly accepts the configuration up to 29 E1 controllers. Starting from the thirtieth E1, the system does not apply the extsig mgcp controller configuration command. The system accepts the command without giving an error message, but the command is not applied to the controller.
Workaround: There is no workaround.
•
CSCeb66174
Symptoms: The Media Gateway Control Protocol (MGCP) is too slow in acknowledging the delete connection (DLCX) parameter on a Cisco AS5400. The output of the show mgcp stat EXEC command indicates that the CreateConn rx counter is increasing.
Conditions: This symptom is observed when a DLCX is received on a Cisco AS5400 under a heavy call volume with calls on different slots but on the same port number and DS0 number.
Workaround: There is no workaround. The symptom will clear when the call volume decreases.
•
CSCeb66265
Symptoms: A dial-on-demand routing (DDR) connection via a 2-port serial WAN interface card (WIC-2T) may fail because data set ready (DSR) drops occur after a chat script completes successfully. PPP may fail to start on the router that you dial up from; the router that you dial in to may not receive any PPP packets.
Conditions: This symptom is observed when you dial out from a Cisco 3745 that runs Cisco IOS Release 12.2(15)T5 or Release 12.3.
Workaround: Enter the no ppp microcode interface configuration command on the interface of the WIC-2T that you dial out from.
•
CSCeb66781
Symptoms: When a spurious memory access occurs in a Cisco router, the CPU utilization may increase to 100 percent, all of which may be reported as interrupt processing time.
Conditions: This symptom is observed on a Cisco 831 and Cisco 837 that function in a Dynamic Multipoint Virtual Private Network (DMVPN) configuration.
Workaround: There is no workaround.
•
CSCeb66825
Symptoms: A Cisco 7200 series may reload unexpectedly during a service-policy configuration.
Conditions: This symptom is observed when you attach a level 2 policy map as a child of a level 1 policy map and when the level 1 policy map is already attached to an interface.
Workaround: Create a level 3 policy map, and attach it to the interface.
•
CSCeb67268
Symptoms: A Cisco router may reload with a "pppoa_set_error" when the PPP over ATM (PPPoA) context is freed (poisoned) while sessions are being established.
Conditions: This symptom is observed on all Cisco platforms that are running Cisco IOS Release 12.2(15)T2. There are two situations in which this symptom can occur:
–
When there is high CPU utilization that is caused by the vtemplate background manager that occurs because a large number of PPPoA sessions are brought up and down quickly.
–
When sessions are coming up, but after the vtemplate request is sent and before the response is received, the permanent virtual circuit (PVC) is deconfigured. When the vtemplate response comes back, the pppoa_context is already freed.
Workaround: There is no workaround.
•
CSCeb67939
Symptoms: A Systems Network Architecture (SNA) switch may fail to write the Physical Unit (PU) name in an "unbind" response, and internal buffer corruption may occur.
Conditions: This symptom is observed on a Cisco router that functions as an SNA switch when an "unbind" request is received and an "unbind" response is sent.
Workaround: There is no workaround.
•
CSCeb68162
Symptoms: A Cisco router may display the following error message:
CNS XML Parser: Tag <config-pwd> not allowed as root
Conditions: This symptom is observed when you perform an initial Cisco Networking Services (CNS) configuration. When you resynchronize a password in conjunction with the initial CNS configuration, the CNS configuration may not take effect and the router may not be able to connect to a Cisco IE2100 series.
Workaround: Do not perform an initial CNS configuration. Rather, configure the router manually.
•
CSCeb68179
Symptoms: When you enter the cns config initial global configuration command on a Cisco router, the connectivity may be interrupted.
Conditions: This symptom is observed when the cns config connect-intf global configuration command is enabled. When the symptom occurs, the existing configuration is overwritten by the configuration of the cns config connect-intf global configuration command.
Workaround: Disable the cns config connect-intf global configuration command before you enter the cns config initial global configuration command.
•
CSCeb68198
Symptoms: When you enter the cns image retrieve privileged EXEC command, the console EXEC prompt may be lost.
Conditions: This symptom is observed on a Cisco router when applications of an image server continually send information to the Cisco Networking Services (CNS) Image Agent. This situation causes the session to be permanently open and the console EXEC prompt to be permanently shut.
When you connect to the router via a Telnet port and disable the CNS Image Agent, you do not get the console EXEC prompt back, and a traceback is generated.
Workaround: If this is an option, shut down the server applications to enable the CNS Image Agent to reset itself when the session times out.
•
CSCeb68412
Symptoms: This caveat concerns a Cisco router that functions as a DHCP relay agent for DHCP clients that are connected via ATM or serial unnumbered interfaces and that adds host routes to all the DHCP clients on the unnumbered interfaces when the clients receive a new IP address. The router may reload unexpectedly when a database agent is configured to store these routes.
Conditions: This symptom is observed under very rare circumstances on a Cisco router that runs Cisco IOS Release 12.1 T, Release 12.2, or Release 12.2 T when the DHCP database agent attempts to write all route information to a server, the route timer expires, and the route is freed. In this situation, when the DHCP database agent accesses the freed route, the router reloads.
Workaround: Do not configure a database agent.
•
CSCeb70912
This caveat exhibits several symptoms, each of which has a distinct cause and workaround. All symptoms have the following precondition: The router is configured with the Per VRF AAA feature and is downloading information from a RADIUS server. The aaa authorization template global configuration command is used.
Symptoms 1: A Cisco router may return to ROM monitor (ROMmon) by bus error.
Conditions 1: This symptom occurs when a RADIUS server vendor-specific attribute (VSA) in a user profile is not fully parsed. This can happen if the RADIUS server VSA is malformed, or if the router is unable to allocate storage for one of many data structures associated with the method list, server group, or server.
Workaround 1: If the VSA is malformed, correct the RADIUS user profile so that the RADIUS server VSA is correctly formatted. Permissible formats are:
Cisco:Cisco-Avpair = N: "aaa:rad-serv=A.B.C.D auth-port X acct-port Y
key Z retransmit V timeout W"
Cisco:Cisco-Avpair = :N: "aaa:rad-serv=A.B.C.D auth-port X
acct-port Y key Z retransmit V timeout W"
Cisco:Cisco-Avpair = "aaa:rad-serv#N=A.B.C.D auth-port X
acct-port Y key Z retransmit V timeout W"
The following parameters must be present in order to ensure proper function:
–
The A.B.C.D must be a valid IP address.
–
The auth-port and acct-port must be valid UDP port values.
The following parameters are optional, provided that a global default is configured on the router:
–
The key must be a plain text string containing no spaces. The retransmit value must be zero through 100, inclusive. The timeout value must be one through 1000, inclusive.
–
The group number (represented by N in the above example) must be at least 1 and not more than 31.
Symptoms 2: The router uses the retransmit value from the RADIUS server VSA as the timeout, and the timeout from the RADIUS server VSA as the number of retransmits.
Conditions 2: This symptom occurs any time the router receives a RADIUS server VSA containing the retransmit or timeout parameters or both.
Workaround 2: Either omit the retransmit and timeout parameters from the VSA, using the global defaults on the router, or swap the two values.
Symptoms 3: The show memory | inc AAA Server handle command will show a steadily increasing number of server handles allocated. Roughly 800 bytes will be consumed for each RADIUS server attribute parsed as part of a downloaded template. An additional roughly 900 bytes will be consumed for each downloaded template in Cisco IOS images which have CSCea85517 integrated. Eventually, all memory on the router will be consumed.
Conditions 3: This symptom occurs any time the RADIUS server VSA is used in a downloaded template to tell the router which RADIUS server to use.
Workaround 3: If you are using a Cisco IOS image which does not have CSCea85517 integrated, and the configuration of local templates is practical, then you can configure local templates instead of downloading them from a RADIUS server.
For example, if you had a template defined on your RADIUS server as:
example.com Password = "EXAMPLE"
Service-Type = Outbound,
Cisco:Cisco-Avpair = "aaa:rad-serv#1=a.b.c.d auth-port XXXX acct-port YYYY key ZZZZZ"
Cisco:Cisco-Avpair = :1:"aaa:rad-serv-vrf=examplevrf",
Cisco:Cisco-Avpair = "template:ppp-authen-type=chap"
Cisco:Cisco-Avpair = "template:ppp-authen-list=group 1",
Cisco:Cisco-Avpair = "template:ppp-author-list=group 1",
Cisco:Cisco-Avpair = "template:ppp-acct-list=start-stop group 1",
Cisco:Cisco-Avpair = "template:ip-vrf=examplevrf"
Cisco:Cisco-Avpair = "template:ip-unnumbered=Loopback 1"
you would instead configure the following:
aaa authorization network default local
radius-server host a.b.c.d auth-port XXXX acct-port YYYY
aaa group server radius example_servers
server a.b.c.d
ip vrf forwarding examplevrf
aaa authentication ppp example_list group example_servers
aaa authorization network example_list group example_servers
aaa accounting network example_list group example_servers
template example.com
ppp authentication chap example_list
ppp authorization example_list
aaa accounting delay-start
aaa accounting send stop-record authentication failure
interface virtual-template 1
ip vrf forwarding examplevrf
ip unnumbered Loopback 1
ppp authentication chap
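The permitted formats and value ranges listed under Workaround 1 of CSCeb70912, and the retransmit/timeout swap described under Symptoms 2, can be checked against a RADIUS user profile before the profile is deployed. The following Python linter is an added example, not Cisco code; it assumes each Cisco-Avpair attribute sits on one line and that valid UDP ports are 1 through 65535, and its function names and sample lines are constructed for illustration.

```python
import ipaddress
import re

# The three permitted forms differ only in where the group number N is
# written: N: "aaa:rad-serv=...", :N: "aaa:rad-serv=...", "aaa:rad-serv#N=...".
AVPAIR_RE = re.compile(
    r'^\s*Cisco:Cisco-Avpair\s*=\s*'
    r'(?::?(?P<prefix>[0-9]+):\s*)?'
    r'"aaa:rad-serv(?:#(?P<hash>[0-9]+))?=(?P<body>[^"]*)"\s*,?\s*$'
)

# keyword -> (lowest, highest) accepted value, or None for free text.
# The retransmit and timeout ranges come from the caveat text; the port
# range 1-65535 is an assumption for "valid UDP port values".
KEYWORDS = {
    "auth-port": (1, 65535),
    "acct-port": (1, 65535),
    "key": None,
    "retransmit": (0, 100),
    "timeout": (1, 1000),
}
REQUIRED = ("auth-port", "acct-port")


def check_rad_serv(line):
    """Return (fields, errors); fields is None when the line does not parse."""
    m = AVPAIR_RE.match(line)
    if not m:
        return None, ["not one of the three permitted rad-serv formats"]
    prefix, hashed = m.group("prefix"), m.group("hash")
    if (prefix is None) == (hashed is None):
        return None, ["group number must be given exactly once"]
    tokens = m.group("body").split()
    if not tokens:
        return None, ["missing server address"]

    errors = []
    group = int(prefix if prefix is not None else hashed)
    if not 1 <= group <= 31:
        errors.append(f"group {group} outside 1-31")
    fields = {"group": group, "server": tokens[0]}
    try:
        ipaddress.IPv4Address(tokens[0])
    except ValueError:
        errors.append(f"server {tokens[0]!r} is not a valid IP address")

    seen, i = set(), 1
    while i < len(tokens):
        name = tokens[i]
        if name not in KEYWORDS:
            # Typical cause: a key that contains a space.
            errors.append(f"unexpected token {name!r}")
            i += 1
            continue
        if i + 1 >= len(tokens):
            errors.append(f"{name} has no value")
            break
        value = tokens[i + 1]
        i += 2
        if name in seen:
            errors.append(f"duplicate {name}")
            continue
        seen.add(name)
        limits = KEYWORDS[name]
        if limits is None:
            fields[name] = value
        elif re.fullmatch(r"[0-9]+", value) and limits[0] <= int(value) <= limits[1]:
            fields[name] = int(value)
        else:
            errors.append(f"{name} {value!r} outside {limits[0]}-{limits[1]}")
    errors.extend(f"missing {name}" for name in REQUIRED if name not in seen)
    return fields, errors


def applied_by_affected_release(fields):
    """Symptoms 2: an affected image uses retransmit as timeout and vice versa."""
    swapped = {k: v for k, v in fields.items() if k not in ("retransmit", "timeout")}
    if "retransmit" in fields:
        swapped["timeout"] = fields["retransmit"]
    if "timeout" in fields:
        swapped["retransmit"] = fields["timeout"]
    return swapped


# Constructed sample profile lines (documentation addresses, made-up key).
GOOD = ('Cisco:Cisco-Avpair = "aaa:rad-serv#1=192.0.2.10 auth-port 1645 '
        'acct-port 1646 key s3cret retransmit 3 timeout 5"')
BAD = ('Cisco:Cisco-Avpair = "aaa:rad-serv#40=a.b.c.d auth-port 70000 '
       'key two words timeout 0"')

if __name__ == "__main__":
    for sample in (GOOD, BAD):
        parsed, problems = check_rad_serv(sample)
        print(parsed, problems or "OK")
    print(applied_by_affected_release(check_rad_serv(GOOD)[0]))
```
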
•
CSCeb72196
Symptoms: On a terminating PPP over ATM (PPPoA) interface, the input byte count may be incorrect when virtual-access subinterfaces are used. The input byte count on the physical interface is correct, but the reported value in the virtual-access subinterface is higher than it should be.
Conditions: This symptom is observed on a Cisco 6400 series node route processor (NRP) that is running Cisco IOS Release 12.3(1a) and that uses virtual-access subinterfaces.
Workaround: There is no workaround.
•
CSCeb73053
Symptoms: A device is unable to authenticate itself to the PPP peer using local authentication if the interface is not configured with authentication parameters (username and password).
Conditions: This symptom is observed if the peer requests that the device authenticate itself and the corresponding protocol configuration is not present on the interface (for example, ppp pap sent-username or ppp chap password). The session is not established.
Workaround: Enable ppp pap sent-username or ppp chap password on the interface.
Alternate Workaround: Use TACACS+ for mutual bidirectional authentication.
•
CSCeb73055
Symptoms: Network authorizations may fail for locally authenticated sessions.
Conditions: This symptom is observed for network authorizations for PPP sessions if the user is authenticated locally and the authorization method list contains the radius keyword.
Workaround: Use separate lists for local and RADIUS authorization.
•
CSCeb73070
Symptoms: An E1 PRI controller that is configured for 4-bit cyclic redundancy check (CRC-4) may not set the spare bits (SA4-SA7) in timeslot 0 to one when not in use. The network side expects a one on the spare bits and may treat this situation as an error condition.
Conditions: This symptom is observed on a Cisco ICS 7750 Multiservice Route Processor (MRP).
Workaround: Each time the MRP reboots, enter the framing no-crc4 controller configuration command followed by the framing crc4 controller configuration command on the E1 PRI controller.
•
CSCeb73128
Symptoms: Voice calls that use telephony channel associated signaling (CAS) may fail to complete. In the case of PRI telephony signaling, the voice calls do complete, but there is no audio path. In the latter case, both the calling and called parties hear dead air.
Conditions: These symptoms are observed on a Cisco 2600 or Cisco 2600XM voice gateway that has an AIM-ATM-VOICE-30 or AIM-VOICE-30 AIM module when the user tries to terminate voice calls on a T1/E1 voice WAN interface card (VWIC) that is inserted into an NM-2W Network Module (NM). All appropriate network clocking may be configured on the voice gateway, but the output of the show tdm connection aim 0 and show tdm connection slot 1 EXEC commands indicates that no Time Division Multiplexing (TDM) connections exist between the AIM VOICE card, the T1/E1 VWIC, and the NM-2W.
Workaround: There is no workaround when the T1/E1 VWIC is installed on an NM-2W. The VWIC must be installed on one of the Cisco 2600 or Cisco 2600XM WIC slots, and appropriate network clocking must be configured in order for voice services to work as expected.
•
CSCeb73681
Symptoms: The main High-Speed Serial Interface (HSSI) interface flaps when you enter the map-class frame-relay global configuration command on a subinterface.
Conditions: This symptom is observed only when map class contains both traffic shaping and Random Early Detection (RED).
Workaround: Use only traffic shaping under the map-class.
•
CSCeb74637
Symptoms: When you upgrade the Cisco IOS release on a Cisco MGX Route Processor Module-PRemium (RPM-PR) and the firmware on the Processor Switch Module (PXM), and you reload the RPM-PR, the startup configuration may disappear.
Conditions: This symptom is observed when you perform a major upgrade (for example, from Cisco IOS Release 12.1 to Release 12.2) and when, after the upgrade, you do not save the configuration before you add redundancy by entering the addred command.
Workaround: After the upgrade, save the configuration before you enter the addred command.
•
CSCeb75646
Symptoms: After you change the configuration on a Cisco router, a Voice over IP (VoIP) call may fail.
Conditions: This symptom is observed only for the DS0 controller group.
Workaround: After you have changed the configuration, reload the router.
•
CSCeb75824
Symptoms: A Cisco 7200 series router with a Network Processing Engine (NPE-G1) may pause indefinitely on bootup if there is no Compact Flash Card in the disk2: device slot.
Conditions: This symptom is observed only with an NPE-G1 on a Cisco 7200 series. It does not affect any other Cisco 7200 series NPE.
Workaround: Insert a Compact Flash Card into the disk2: device slot and power-cycle the router. The Compact Flash Card does not need to contain any particular files; however, a copy of the desired Cisco IOS image is recommended.
•
CSCeb75954
Symptoms: A Cisco Route Processor Module (RPM) may reload when the segmentation and reassembly (SAR) autorecovery feature is enabled and the oam-pvc manage 0 command is entered for the permanent virtual circuits (PVCs).
Conditions: This symptom is observed on an RPM that is enabled with the SAR autorecovery feature.
Workaround: Specify the Operation, Administration, and Maintenance (OAM) management frequency instead of using the oam-pvc manage 0 command.
•
CSCeb75982
Symptoms: In a Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) environment, if you enter the ping vrf EXEC command toward the directly connected interfaces of a neighbor's provider edge (PE) router, the ping may fail.
Conditions: This symptom is observed when aggregate routes on Cisco routers are pinged.
Workaround: The ping will be successful if you select options when you enter the ping vrf EXEC command.
•
CSCeb76024
Symptoms: The Generic Transparency Descriptor (GTD) data that is printed to the console when the debug gtd events command is enabled may contain incorrect information for the channel-associated signaling (CAS) countries Thailand, China, Vietnam, and Venezuela. The incorrect values are the calling party category (CPC) (00 instead of 09), the unknown field compatibility (UFC) (222 instead of 221), and the backward call indicator (BCI) (BCI,u,u,u,n,n,y,n,n,n,n,u instead of BCI,y,f,u,n,n,y,n,n,n,n,u).
Conditions: This symptom is observed on a Cisco AS5400 in an R2 signaling environment with the following call-flow topology:
•
A call generator connects via R2 signaling to a Cisco AS5400 that connects via H.323 to another Cisco AS5400. This second Cisco AS5400 connects via R2 signaling to another call generator.
The symptom occurs when you configure the test environment for Thailand, China, Vietnam, or Venezuela, you configure CAS variants, and you make a call.
Workaround: There is no workaround.
•
CSCeb76341
Symptoms: A label may not be assigned for a peer provider edge (PE) router.
Conditions: This symptom is observed on a Cisco 7500 series and a Cisco 12000 series in a Virtual Private Network (VPN) configuration with multiple route reflectors (RRs) and label controlled ATM (LC-ATM) links between PE routers. The symptom may also occur on other platforms.
Workaround: There is no workaround.
•
CSCeb76511
Symptoms: A memory leak may occur when a Gatekeeper Transaction Message Protocol (GKTMP) server provides alternate endpoints.
Conditions: This symptom is observed on a Cisco router that functions as a gatekeeper.
Workaround: Do not use a GKTMP server to provide alternate endpoints. If you must use a GKTMP server, check the memory consumption of the gatekeeper regularly, and reload the router when the amount of free (processor) memory is low.
•
CSCeb76642
Symptoms: A Cisco router may reload when you enter the show ip cef non-recursive detail EXEC command.
Conditions: This symptom is observed when any show command attempts to display information about tag rewrite entries while the tag rewrite entries are being deleted by route updates.
Workaround: Do not enter any show command to display tag rewrite entries when many route updates occur.
•
CSCeb76863
Symptoms: A Cisco AS5850 may not be able to play a tone after two telephony legs have been unbridged.
Conditions: This symptom is observed under the following circumstances:
–
The Cisco AS5850 is configured for Tool Command Language (Tcl) interactive voice response (IVR) call redirection with an incoming telephony leg and an outgoing leg that faces the telephony side.
–
ISDN signaling indicates that an inband alert will be sent.
–
A call disconnect message occurs for the outgoing leg.
The TCL IVR script can instruct the incoming leg to play a busy tone to indicate that the outgoing call has failed. However, in this case, the IVR infrastructure has internally released the digital signal processor (DSP) when the legs are bridged to pass the inband alert signals. When the DSP is released, subsequent play-tone commands are ignored.
Possible Workaround: Ensure that the call disconnect message for the outgoing leg occurs before the alert event.
•
CSCeb77203
Symptoms: When the radius-server attribute 8 include-in-access-req global configuration command is entered on a RADIUS server, attribute 8 (Framed-IP-Address) is not included in the access request.
Conditions: This symptom is observed on a RADIUS server that is running Cisco IOS Release 12.2(15)T5.
Workaround: There is no workaround.
•
CSCeb77239
Symptoms: A Systems Network Architecture Switching Services (SNASw) router pauses indefinitely when a LOCATE variable is received from a third-party vendor platform. From the data link control (DLC) trace entry in the LOCATE field, the order in which general data stream (GDS) variables are received from the third-party vendor platform is different from what the SNASw router expects.
Conditions: This symptom is observed on a Cisco SNASw router that is attached to a third-party vendor platform.
Workaround: There is no workaround.
•
CSCeb77933
Symptoms: A Cisco AS5850 router with a channelized T3 port adapter (CT3) controller shows the incorrect D channel interface name.
Conditions: This symptom is observed on a Cisco AS5850 router that is configured with a CT3 controller and that is running Cisco IOS Release 12.3(2)T or Release 12.3(3).
Workaround: There is no workaround.
•
CSCeb78143
Symptoms: A router may reload if tunnel protection is configured on the interface tunnel and flow switching is enabled on the router.
Conditions: This symptom is observed on a Cisco router that is running Cisco IOS Release 12.3(2.3a) when the tunnel protection ipsec profile name interface configuration command is configured on the interface tunnel and flow switching is enabled on the router.
Workaround: Disable flow switching on the interface tunnel.
•
CSCeb78434
Symptoms: A Media Gateway Control Protocol (MGCP) gateway may send Restart In Progress (RSIP) messages with a very low delay to a call agent (CA), and with a low delay between the RSIP messages. The delay may be much less than one second, which is the minimum value that is permitted by the MGCP standard. The resulting flood of RSIP messages may cause the CA to overload, and may prevent the overloaded CA from recovering.
Conditions: These symptoms are observed on a Cisco AS5400 that has not received a timely acknowledgement (ACK) response to a delete connection (DLCX) message that the Cisco AS5400 sent to the call agent (CA); an overloaded CA may send highly delayed responses.
Workaround: There is no workaround.
•
CSCeb78526
Symptoms: A Cisco 7500 series router that is running LAN Emulation (LANE) and switched virtual circuits (SVCs) may experience a reload caused by a bus error, and the following error message may appear:
System returned to ROM by bus error at PC 0xXXXXXXXX
Conditions: This symptom is observed on a Cisco 7500 series router with a PA-A3-OC3MM ATM port adapter that is running Cisco IOS Release 12.2(15)T5 or a later release.
Workaround: There is no workaround.
•
CSCeb78578
Symptoms: A virtual circuit (VC) between two provider edge (PE) routers may not come up.
Conditions: This symptom is observed after you have changed the VC ID in an Xconnect configuration.
Workaround: On both PE routers, delete the Xconnect configuration and reconfigure the Xconnect configuration with the new VC.
•
CSCeb78680
Symptoms: An Integrated Services Adapter (ISA) may reset and lose its security associations (SAs) or may reload unexpectedly.
Conditions: These symptoms are observed on a Cisco 7200 series that is configured with an ISA when packet memory buffer starvation occurs and when a buffer allocation failure occurs for the Internet Key Exchange (IKE) command path.
Workaround: Do not use an ISA. Rather, use a Virtual Private Network Acceleration Module (VAM).
First Alternate Workaround: Reduce the traffic volume.
Second Alternate Workaround: Remove the bottleneck for the egress packets.
•
CSCeb78836
Symptoms: Cisco IOS software may cause a Cisco router to reload unexpectedly when the router receives a malformed H.225 setup message.
Conditions: This symptom is observed on a Cisco 1700 series that runs Cisco IOS Release 12.2(13c). The symptom occurs when the following debug privileged EXEC commands are enabled:
–
debug h225 asn1
–
debug h225 events
–
debug h225 q931
Workaround: There is no workaround.
•
CSCeb79184
Symptoms: When you enter the snmpwalk command for the CISCO-AAL5-MIB MIB via a permanent virtual circuit (PVC) bundle, the command output may not display the ATM adaptation layer 5 (AAL5) "entity-specific" information in the cAal5VccTable.
Conditions: This symptom is observed on a Cisco 7200 series router that runs Cisco IOS Release 12.2(15)T5 but may also occur in other releases. The symptom does not occur when you enter the snmpwalk command for the CISCO-AAL5-MIB MIB via a regular PVC.
Workaround: Log into the router and enter a show interfaces command to get the required information.
•
CSCeb79421
Symptoms: A standby Enhanced Route Switch Controller (ERSC) reloads when a multichannel STM-1 port adapter card is configured.
Conditions: This symptom is observed on a Cisco ERSC when the extsig mgcp controller configuration command is entered.
Workaround: Save the configuration and reload the router.
•
CSCeb79576
Symptoms: An outgoing label may not be installed in the Label Forwarding Information Base (LFIB) for an IP version 4 (IPv4) prefix.
Conditions: This symptom is observed when the prefix is learned via a Border Gateway Protocol (BGP) session. This situation may occur when the prefix is deleted in the Label Information Base (LIB) and not allocated to any local label binding.
Workaround: There is no workaround.
•
CSCeb79911
Symptoms: Backward explicit congestion notification (BECN) packets may be dropped by an Any Transport over Multiprotocol Label Switching (AToM) tunnel.
Conditions: This symptom is observed when you configure AToM in the network core, the network core contains Frame Relay interfaces, and BECN is enabled.
Workaround: There is no workaround.
•
CSCeb80992
Symptoms: A Catalyst 6000 series Supervisor 2 may reload unexpectedly because of a bus error.
Conditions: This symptom is observed when access control list (ACL) counters are sent from a line card to the Route Processor (RP) and when the ACL number is in the expanded range (that is, from 1300 to 1999 or from 2000 to 2699).
Workaround: There is no workaround.
•
CSCeb83747
Symptoms: When a preexisting Data Encryption Standard (DES) key is changed, the block of memory that holds the old key is not cleared before the memory block is returned to the heap.
Conditions: This symptom is observed when you change a preexisting DES key by entering the key config-key 1 string router configuration command, in which the string argument consists of eight characters.
Workaround: There is no workaround.
•
CSCeb83824
Symptoms: A gateway may respond to a Session Initiation Protocol (SIP) proxy server with a 302 message ("Moved Temporarily") to an incoming SIP call that is redirected to a telephone that does not answer ("call-forward, no answer").
Conditions: This symptom is observed on a Cisco 3640 router that functions as a SIP gateway when the incoming SIP call is redirected toward the public switched telephone network (PSTN) and when the gateway fails to receive the redirect information in the redirect information element (IE).
Workaround: Remove the incoming called number from the matching Voice over IP (VoIP) dial peer.
•
CSCeb83891
Symptoms: A Cisco router ignores an ISDN User Adaptation (IUA) 0x508 (REL-REQ) message that is sent by a third party call agent. The router does not act upon or reject the message by taking down ISDN Layer 3.
Conditions: This symptom is observed on a Cisco AS5850.
Workaround: There is no workaround.
•
CSCeb84836
Symptoms: Data packets may be punted to the process path when user logon and logoff activity occurs.
Conditions: This symptom is observed in all of the Service Selection Gateway (SSG) images of Cisco IOS software under heavy load conditions.
Workaround: There is no workaround.
•
CSCeb85985
Symptoms: Simple Network Management Protocol (SNMP) values that are retrieved by the snmpget command may be inconsistent compared to the SNMP values that are shown on an interface.
Conditions: This symptom is observed on a Cisco 12000 series that runs in a Multiprotocol Label Switching (MPLS) environment when you use SNMP to retrieve various counter values from a Packet-over-SONET (POS) interface.
Workaround: There is no workaround.
•
CSCeb86270
Symptoms: In Cisco IOS software that is running Multiprotocol Label Switching (MPLS), the Label Distribution Protocol (LDP) peer address table may become corrupted and cause the router to reload.
Conditions: This symptom may be observed in situations where three or more routers have advertised the same IP address in LDP address messages. This normally happens when routers have been misconfigured but in very rare circumstances may be done deliberately.
The circumstance can be recognized by the presence of the following error message:
%TAGCON-3-DUP_ADDR_RCVD: Duplicate Address 10.0.0.1 advertised by peer 10.2.2.2:0 is already bound to 10.1.1.1:0
If only one such message is seen for a given IP address—10.0.0.1 in the above example—then only two routers have advertised the IP address, and only the second is being treated as a duplicate. At least one more such message should be seen if at least three routers have advertised the IP address in question.
Workaround: The symptom does not occur in typical configurations because duplicate addresses are not configured. If such a configuration is accidentally done, the failure may be avoided if the configuration is corrected before the LDP session to any of the involved peers goes down. If the configuration is deliberate, there is no workaround.
•
CSCeb87159
Symptoms: The CNS event agent does not detect when the connection to the server breaks.
Conditions: This symptom is observed when the CNS event agent service is configured by the cns event keepalive configuration command.
Workaround: There is no workaround.
•
CSCeb88084
Symptoms: A Parallel Express Forwarding (PXF) exception error message may be displayed, and the PXF processor may stop forwarding packets.
Conditions: This symptom is observed on a Cisco 7200 series that is configured with a Network Service Engine 1 (NSE-1) and on a Cisco 7401 when PXF is enabled. The symptom occurs when traffic exceeds the configured quality of service (QoS) parameters and when the PXF processor drops packets, or when incoming IP traffic has a corrupted header.
Workaround: There is no workaround.
•
CSCec00165
Symptoms: Routing Information Protocol (RIP) route updates may be lost.
Conditions: This symptom is observed on a Cisco 10000 series when you remove more than 10,000 sessions.
Workaround: There is no workaround.
•
CSCec00268
Symptoms: A multilink interface may stop processing received packets.
Conditions: This symptom is observed on a Cisco 7500 series when Multilink PPP (MLP) is configured and when a lot of traffic is forwarded to the process-switching path.
Workaround: To clear the symptom, move the physical interfaces to a new multilink interface with a new interface number.
•
CSCec01776
Symptoms: An outbound access control list (ACL) may drop downstream traffic that is destined to travel via IP to a Layer 2 Tunneling Protocol (L2TP) tunnel.
Conditions: This symptom is observed on a Cisco 7200 series that is configured with a Network Service Engine 1 (NSE-1) and on a Cisco 7401. The symptom occurs when the routers are configured as L2TP network servers (LNSs) that are functioning as L2TP termination session endpoints, when PXF is enabled, and when an outbound ACL is configured on a virtual-template interface.
Workaround: Use an inbound ACL instead of an outbound ACL.
Alternate Workaround: Use an inbound ACL that is configured on a physical input interface.
•
CSCec02101
Symptoms: Calls from a Cisco gateway to a third-party vendor platform work fine, but calls from the third-party vendor platform to the Cisco gateway do not go through. The output of the debug cch323 all privileged EXEC command shows the following information:
cch323_gw_process_read_socket: received msg for H.225
h225ParseData: Q.931 SETUP received on socket [1]
H225Lib::h225RecvData: TPKT does not contain a whole message. Partial message will be ignored.
cch323_h225_receiver: parse error RXDATA_NONE
Conditions: This symptom is observed when the third-party vendor platform connects via a LAN to the Cisco gateway. The decode error is caused by the incorrect position of a "Sending Complete IE" in the received packet. The "Sending Complete IE" should be the first information element (IE), but it is not.
Workaround: There is no workaround.
•
CSCec02454
Symptoms: Two routers that perform IP security (IPSec) with certificates fail to establish an Internet Security Association and Key Management Protocol (ISAKMP) tunnel, and the following error message may appear:
CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 192.168.0.1 is bad: CA request failed:
Conditions: This symptom is observed on a Cisco router that is running Cisco IOS Release 12.3(3).
Workaround: There is no workaround.
•
CSCec02543
Symptoms: A Cisco MGX Route Processor Module (RPM-XF) reloads when the microcode reload pxf privileged EXEC command is entered.
Conditions: This symptom is observed when the Parallel Express Forwarding (PXF) firmware filename that is provided is not actually PXF firmware. The symptom does not occur with valid filenames.
Workaround: Make sure that the PXF firmware filename used in the command is valid.
•
CSCec02642
Symptoms: A router may reload with a bus error if a quality of service (QoS) class map or policy map is renamed through modular QoS CLI (MQC) and a subsequent show memory EXEC command is issued.
Conditions: This symptom is observed in all Cisco IOS software releases on all Cisco platforms where the rename command is available under class map and policy map modes. It is observed in Cisco IOS Release 12.1(14)E, Release 12.2(12) and later releases. This symptom is not observed in Release 12.1. The symptom occurs after a global class map or policy map is renamed and a subsequent show memory EXEC command is issued.
Workaround: Avoid use of the rename command. Remove and recreate the class map or policy map instead.
•
CSCec03066
Symptoms: When you enter the no ipv6 route global configuration command, an IP version 6 (IPv6) static route that is deleted by the command may not be deleted from the IPv6 routing table.
Conditions: This symptom is observed when two IPv6 static routes, each with a different administrative distance, point to the same destination.
Workaround: Enter the clear ipv6 route ipv6-prefix/prefix-length privileged EXEC command to delete the IPv6 static route from the IPv6 routing table.
•
CSCec03782
Symptoms: A memory allocation failure may occur on compiled access control list (ACL) tables. There may be continued attempts to recompile the ACLs that fail.
Conditions: This symptom is observed when compiled ACLs are enabled by entering the access-list compiled global configuration command, and the total number of ACL entries is relatively large (over 1500 lines). Random or constantly changing traffic patterns may cause the compiled ACL tables to grow to the point at which memory fragmentation causes the memory allocation failure.
Workaround: Disable and then reenable the compiled ACLs by entering the no access-list compiled global configuration command followed by the access-list compiled global configuration command.
Alternate Workaround: Completely disable the compiled ACLs.
Second Alternate Workaround: ACLs may sometimes be rearranged to make the list shorter or less complex. This will reduce the memory requirements. Large ACLs used for Border Gateway Protocol (BGP) route prefixes may be converted to use a prefix list configuration instead.
•
CSCec04694
Symptoms: A gatekeeper may not be able to bind a circuit ID to an H.323 ID.
Conditions: This symptom is observed when an H.323 gateway (or terminal) deregisters from a gatekeeper and then reregisters with the gatekeeper. After the gateway has reregistered with the gatekeeper, the gatekeeper no longer has the circuit ID of the gateway.
Workaround: Bind the circuit ID to the H.323 ID by entering the endpoint circuit-id h323id gatekeeper configuration command. (You must enter the endpoint circuit-id h323id gatekeeper configuration command, even though the command still exists under the gatekeeper configuration.)
•
CSCec05383
Symptoms: An Internet Key Exchange (IKE) session may use certificate revocation list (CRL) configuration information from an incorrect trustpoint.
Conditions: This symptom is observed when you use CRLs and when the local trustpoint differs from the trustpoint that is used by a peer. In this situation, the IKE session uses the CRL configuration option ("crl optional, best effort") from the local trustpoint rather than from the trustpoint that is used by the peer.
Workaround: Use the same CRL configuration options for both trustpoints.
•
CSCec06230
Symptoms: A Cisco Catalyst 4224 Access Gateway Switch may reload with a segmentation violation (SegV) exception when a Tool Command Language (Tcl) interactive voice response (IVR) script is used.
Conditions: This symptom is observed on a Cisco Catalyst 4224 Access Gateway Switch that is running Cisco IOS Release 12.2(15)T5, Release 12.3, or Release 12.3 B.
Workaround: There is no workaround.
•
CSCec06275
Symptoms: The following error message may be displayed on the console of a Route Switch Processor (RSP):
%CBUS-3-CMDDROPPED: Cmd dropped,CCB 0xF800FFB0,slot 9, cmd code 24
Conditions: This symptom is observed on a Cisco 7500 series when software compression is enabled on serial interfaces and dialer interfaces and when Cisco Express Forwarding (CEF) switching rather than distributed CEF (dCEF) switching is enabled. This situation causes software compression to occur on the RSP.
Because software compression is enabled on all the serial interfaces, the CPU utilization of the RSP becomes very high, causing commands to be dropped.
Workaround: Remove software compression from the serial interfaces.
•
CSCec06547
Symptoms: When a Cisco router boots up, the following messages appear and the router is unusable:
Process= "MIPC Periodic Timer", ipl= 0, pid= 32
%PIF-3-READ_IMEM_ERROR: NULL response for READ_IMEM MIPC msg to, XPIF2 Process= "FDM Forwarding Stats Process", ipl= 0, pid= 35
%PIF-3-READ_PHY_ERROR: NULL response for PIF_PHY_REG_SEND_CMD MIPC msg to, XPIF2
Conditions: This symptom is observed on a Cisco AS5850 gateway that has a Route Switch Controller (RSC) card with revision 8.9 or later, and that is running Cisco IOS Release 12.2(11)T4, Release 12.2(11)T9, Release 12.3(1), Release 12.3(1a), or Release 12.3(3a).
Workaround

